
Tutorial

This document provides instructions for gaining root shell access on a vehicle unit via two methods: 1) desoldering and modifying the EMMC, and 2) updating the firmware to change the challenge public key. It then describes how to convert the region/language settings to European versions by modifying system files and updating firmware. Finally, it lists some other common commands like backing up files, patching SWaP and component protection, installing maps and engdefs files.

1. Shell access via soldering

Disassemble the unit and desolder the eMMC. A full backup of the eMMC is optional, but it is always a good idea to have one.

Open the dump file with any hex editor and replace the values below, in hex. (The values occur twice; you need to change both.)

Find: 726F6F743A2A3A303A300A6E6F626F64793A2A3A303A300A736C6F673A2A3A30
Replace: 726F6F743A 48 53 69 70 48 42 62 76 68 68 53 72 49 3A 30 3A 30 0A 0A736C6F673A2A3A30
Solder EMMC back to unit.
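
A defensive counterpart to the edit described above, added here as an example and not part of the original document: a scan of a raw dump for passwd-style records that reports every account whose password field is no longer the locked marker `*`. The four-field record layout is taken from the Find pattern; the sample bytes, the placeholder `CONSTRUCTEDHASH` and the function names are constructed for illustration.

```python
import re

# One passwd-style record at the start of a line: name:password:uid:gid
# (the four-field layout visible in the "Find" pattern above).
RECORD = re.compile(
    rb"(?<![^\n\x00])([a-z_][a-z0-9_-]{0,31}):"  # account name at line start
    rb"([^:\n\x00]{0,128}):"                     # password field
    rb"(\d{1,5}):(\d{1,5})(?=[:\n])"             # uid and gid
)

def scan_passwd_records(image: bytes):
    """Return every passwd-style record found in a raw image, with its offset."""
    records = []
    for m in RECORD.finditer(image):
        field = m.group(2)
        if field == b"*":
            state = "locked"
        elif field == b"":
            state = "empty"
        else:
            state = "credential-set"
        records.append({
            "offset": m.start(),
            "user": m.group(1).decode("ascii"),
            "uid": int(m.group(3)),
            "state": state,
        })
    return records

def unlocked_accounts(image: bytes):
    """Records whose password field is not the locked marker '*'."""
    return [r for r in scan_passwd_records(image) if r["state"] != "locked"]

# Constructed sample data, modelled on the record layout in the pattern above.
STOCK = b"root:*:0:0\nnobody:*:0:0\nslog:*:0:0\n"
ALTERED = b"root:CONSTRUCTEDHASH:0:0\n\nslog:*:0:0\n"
PAD = b"\x00" * 64
# Two copies per image, because the text says the records occur twice in a dump.
clean_image = PAD + STOCK + PAD + STOCK + PAD
mixed_image = PAD + ALTERED + PAD + STOCK + PAD

if __name__ == "__main__":
    for name, img in (("clean", clean_image), ("mixed", mixed_image)):
        hits = unlocked_accounts(img)
        print(name, "->", hits if hits else "all accounts locked")
```

Because every copy is reported with its own offset, an image in which only one of the two copies differs from the locked state stands out as well.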
2. Shell access via challenge method
Update with the “Special firmware”, which changes the public key of the challenge. To do that, hold two fingers in the top right corner to enter SWUP (RED) mode.

Press + Update
Everything should say N/A except ExceptionList. This is normal; just scroll down and press Start update.

After the update has finished, press + Resume

NOTE: ALL CHANGES ON UNIT SHOULD BE DONE IN RED MENU !!! HOLD 2 FINGERS IN TOP RIGHT
CORNER, UNIT WILL GO TO RED MENU, ONLY THEN YOU CAN CONTINUE WITH FECS/CONVERSION.

When the unit is in the red menu, you can connect to it via a D-Link DUB-E100. You need to change the IPv4 address and mask to the same as Harman uses.
The challenge is on telnet 172.16.250.248:22111

Copy the CHALLENGE KEY and ask for a RESPONSE (use a generator, or ask somebody who provides access via tokens).

Paste the response back into PuTTY and press Enter. PuTTY should close. Telnet access is now open and you can connect on port 23.
MMX console Telnet: 172.16.250.248:23
Challenge Telnet: 172.16.250.248:22111

Note: If you can’t log in, you are probably in the normal menu, not the red menu. Go to the red menu and try to log in again.

If you used the eMMC method, the password for root will be: harman_f. If you used the challenge method, there will be no password, but only once! After a reboot the unit will ask for a password again. To disable the password you need to run these commands: (RUN ALL COMMANDS ONLY FROM RED MENU !!)

mount -t qnx6 /dev/mnanda0t177.2 /mnt/swup
cp /mnt/swup/etc/nopasswd /mnt/swup/etc/passwd
sync

Now, even after reboot, your unit will have no password.


3. Region conversion
Log in to the unit with telnet 172.16.250.248:23 and execute the following commands:

touch /mnt/persist_new/swup/skipCheckMetaChecksumPROD
touch /mnt/persist_new/swup/skipCheckVariantPROD
touch /mnt/persist_new/swup/skipCheckInstallerChecksumPROD
touch /mnt/persist_new/swup/checkAllUpdatesPROD
touch /mnt/persist_new/swup/allowUserDefinedUpdate

Reboot the unit with a long press of the power button. Extract the patched firmware to the SD card.

Press + User Defined > All > Remove selection from AMP* and DUC2H* > Start software update

After the update has finished, you must perform parametrization with VCP. Go to Can Procedures > Apps > Data Container

Check 5F module and load file: A6_mib_4k0035165b.zdc

In the data container, check VISIBLE_LANGUAGES_EU or AVAIBLE_LANGUAGES_EU and push Load Data. Restart the unit; the EU languages list will now be present in MENU.

Go to Coding and change to:


COUNTRY NAVIGATION – EU
BAND SETTINGS FM TUNER – EU_RdW
BAND SETTINGS AM TUNER – EU_RdW
NAVIGATION SYSTEM: enable

Go to Adaptation:

VEHICLE CONFIGURATION: SDS_Region_F: REGION_EU

NOTE: If you don’t have sound in the tuner after conversion, change PI_ignore to active in coding.

Installing Gracenote

Put the Gracenote2 and RadioStationDB folders in the root of the SD card, and execute the following commands:

cd / && mount -uw /fs/sdb0

mount -t qnx6 /dev/mnanda0t177.9 /mnt/gracenotedb && mount -uw /mnt/gracenotedb/

cp -Vrf /fs/sdb0/Gracenote2/Database/0/EU/* /mnt/gracenotedb/database && cp -Vrf /fs/sdb0/Gracenote2/InfoFile/0/EU/Update.txt /mnt/gracenotedb/Update.txt && cp -Vrf /fs/sdb0/Gracenote2/Version/0/EU/gracenote.json /mnt/gracenotedb/config/gracenote.json && umount /mnt/gracenotedb

mount -uw /mnt/misc1 && cp -Vrf /fs/sdb0/RadioStationDB/VW_STL_DB.sqlite /mnt/misc1/rsdb/VW_STL_DB.sqlite

4. Do a backup before modifying or patching any files!

mount -uw /fs/sdb0/
cat /dev/fs0 > /fs/sdb0/fs0_mib2p
cat /eso/bin/apps/fecmanager > /fs/sdb0/fecmanager
cat /eso/bin/apps/componentprotection > /fs/sdb0/componentprotection

mkdir /fs/sdb0/fec_backup/
cp -f /mnt/persist_new/fec/* /fs/sdb0/fec_backup/

5. Patch SWaP and Component Protection
Put the patched fecmanager matching your version and ExceptionList.txt in the root of the SD card. Enter the red menu, log in to the console with telnet at 172.16.250.248:23 and execute the following commands to replace fecmanager:

mount -uw /fs/sdb0/
mount -t qnx6 /dev/mnanda0t177.1 /mnt/app
cp /fs/sdb0/fecmanager /mnt/app/eso/bin/apps/
chmod 777 /mnt/app/eso/bin/apps/fecmanager
mount -t qnx6 /dev/mnanda0t177.2 /mnt/swup
cp /fs/sdb0/fecmanager /mnt/swup/eso/bin/apps/
chmod 777 /mnt/swup/eso/bin/apps/fecmanager

And these to change ExceptionList.txt:

mount -uw /fs/sdb0/
rm /mnt/persist_new/fec/*
cp /fs/sdb0/ExceptionList.txt /mnt/persist_new/fec
chmod 777 /mnt/persist_new/fec/ExceptionList.txt

Optionally you can also do CP-OFF. Put the patched componentprotection file on the SD card and replace it with the following commands:
mount -uw /fs/sdb0/
cp /fs/sdb0/componentprotection /eso/bin/apps/componentprotection
chmod 777 fecmanager
6. Maps
The latest maps can be downloaded from https://app-connect.volkswagen.com/mapupdates/en/car/

Write the navigation data to the root of the SD card. Boot into normal mode, insert the SD card, and start the update.
7. Other commands:
Emergency mode:

echo active > /dev/rmgr/swup && echo swup-start > /dev/ooc/system && echo swup-emr-reset > /dev/ooc/system

SWUP mode (RED MENU):

echo active > /dev/rmgr/swup && echo swup-start > /dev/ooc/system && echo swup-reset > /dev/ooc/system

touch /mnt/persist_new/swup/developmentflag
mount -uw /mnt/system && touch /mnt/system/etc/startup_test_mode && mount -ur /mnt/system

Copying engdefs (GREEN MENU) from unit to SD:

mount -uw /fs/sdb0/
mkdir /fs/sdb0/engdefs_backup/
cp -r /mnt/app/eso/hmi/engdefs/* /fs/sdb0/engdefs_backup

Installing engdefs (GREEN MENU) from SD to unit:

mount -uw /fs/sdb0/
mount -t qnx6 /dev/mnanda0t177.1 /mnt/app
cp -r /fs/sdb0/engdefs /mnt/app/eso/hmi/engdefs/
