From 6886ed6e1779080dbf69deb8c6496394b61f909e Mon Sep 17 00:00:00 2001 From: bass_rock Date: Mon, 27 Jul 2015 22:36:14 -0700 Subject: [PATCH] Initial commit of forum data dump. --- Firmware/AVIC.sh | 365 +++++++++++++++++++++++++++++++++++++++++++++ README.md | 277 +++++++++++++++++++++++++++++++++- TestKeys/decode.pl | 45 ++++++ TestKeys/encode.pl | 31 ++++ 4 files changed, 717 insertions(+), 1 deletion(-) create mode 100755 Firmware/AVIC.sh create mode 100644 TestKeys/decode.pl create mode 100755 TestKeys/encode.pl diff --git a/Firmware/AVIC.sh b/Firmware/AVIC.sh new file mode 100755 index 0000000..a709dc4 --- /dev/null +++ b/Firmware/AVIC.sh @@ -0,0 +1,365 @@ +#! /bin/bash +# AVIC.sh - Unpacks SYSTEM.img from the AVIC firmware for modification, waits for an input, then repackages. + +# THIS FILE AND DERRIVITIVE WORKS ARE SUBJECT TO ALL TERMS OF LICENSING BELOW! +# License: +# Term 0: If you modify this file, you must share any changes with the file creators and/or publicly on AVIC411.com +# Term 1: If you find a new use, share changes on AVIC411.com +# Term 2: If it worked say thanks. +# Term 3: IF anyone claims this is black magic, I'm going to flip. + +# By bass_rock http://avic411.com/index.php?/user/116652-bass-rock/ +# Heavily modified by AdamOutler adamoutler@gmail.com +# http://avic411.com/index.php?/topic/80945-upgrading-nex4000-to-nex4100-work-in-progress/page-19#entry332704 +# Heavily modified by bass_rock yet again @bass_rock + + +#this function is called when system is not Linux, user is not root, or user did not specify a file +function usage() { + echo "usage:" + echo " AVIC.sh /path_to/firmware.zip [AVIC Model] [AVIC firmware version]" + echo "where AVIC Model = 5000, or 8100" + echo "where AVIC firmware version = 140 or 150" + echo "make sure that mkboot is in a folder mkbootimg_tools next to this script" + exit +} + + +function generateVERFile() { + originalVerFile=$1 + prgFile=$2 + + dd if="$originalVerFile" of="$originalVerFile.part1" bs=176 skip=0 count=1 + + SIZE="$(stat -c%s $prgFile)" + echo "$prgFile size is: $SIZE" + UNSWAPPEDHEXSIZE="$(printf '%x\n' $SIZE)" + vSIZE="$UNSWAPPEDHEXSIZE" + SWAPPEDHEXSIZE="${vSIZE:6:2}${vSIZE:4:2}${vSIZE:2:2}${vSIZE:0:2}" + LEN=$(echo ${#SWAPPEDHEXSIZE}) + if [ $LEN -eq 6 ]; then + SWAPPEDHEXSIZE=${SWAPPEDHEXSIZE}00 + fi + UNSWAPPEDHEXCRC="$(crc32 $prgFile)" + vCRC="$UNSWAPPEDHEXCRC" + SWAPPEDHEXCRC="${vCRC:6:2}${vCRC:4:2}${vCRC:2:2}${vCRC:0:2}" + + echo "$prgFile Unswapped prg size hex is: $UNSWAPPEDHEXSIZE" + echo "$prgFile Swapped prg size hex is: $SWAPPEDHEXSIZE" + echo "$prgFile Unswapped prg crc hex is: $UNSWAPPEDHEXCRC" + echo "$prgFile Swapped prg crc hex is: $SWAPPEDHEXCRC" + + #perl -e "print pack 'H*', '${defaultheaderver}${SWAPPEDHEXSIZE}${SWAPPEDHEXCRC}A55A5AA5'" > PJ${version}PLT.VERSTART + + + perl -e "print pack 'H*', '${SWAPPEDHEXSIZE}${SWAPPEDHEXCRC}A55A5AA5'" > "$originalVerFile.part2" + + cat "$originalVerFile.part1" "$originalVerFile.part2" > "$originalVerFile.combined" + + rm -rf "$originalVerFile.part1" + rm -rf "$originalVerFile.part2" + + UNSWAPPEDHEXCRC="$(crc32 $originalVerFile.combined)" + vCRC="$UNSWAPPEDHEXCRC" + SWAPPEDHEXCRC="${vCRC:6:2}${vCRC:4:2}${vCRC:2:2}${vCRC:0:2}" + echo "$originalVerFile.combined Unswapped verstart crc hex is: $UNSWAPPEDHEXCRC" + echo "$originalVerFile.combined Swapped verstart crc hex is: $SWAPPEDHEXCRC" + + perl -e "print pack 'H*', '${SWAPPEDHEXCRC}'" > "$originalVerFile.combined1" + + cat "$originalVerFile.combined" "$originalVerFile.combined1" > "$originalVerFile.new" + + rm -rf "$originalVerFile.combined" + rm -rf "$originalVerFile.combined1" + + rm -rf "$originalVerFile" + + mv "$originalVerFile.new" "$originalVerFile" +} + +function generatePRGFile() { + originalPRGFile=$1 + imgToMakePRG=$2 + + dd if=$originalPRGFile of=originalPRGFile.header bs=4 skip=3 count=125 + #get image size + # for mac + # SIZE="$(stat -f%z PJ${version}PLT.IMG)" + #for linux + SIZE="$(stat -c%s ${imgToMakePRG})" + echo "${imgToMakePRG} size is: $SIZE" + + #We have to swap the hex values from big endian to little endian cause the NEX is arm. + UNSWAPPEDHEXSIZE="$(printf '%x\n' $SIZE)" + vSIZE="$UNSWAPPEDHEXSIZE" + SWAPPEDHEXSIZE="${vSIZE:6:2}${vSIZE:4:2}${vSIZE:2:2}${vSIZE:0:2}" + LEN=$(echo ${#SWAPPEDHEXSIZE}) + if [ $LEN -eq 6 ]; then + SWAPPEDHEXSIZE=${SWAPPEDHEXSIZE}00 + fi + UNSWAPPEDHEXCRC="$(crc32 ${imgToMakePRG})" + vCRC="$UNSWAPPEDHEXCRC" + SWAPPEDHEXCRC="${vCRC:6:2}${vCRC:4:2}${vCRC:2:2}${vCRC:0:2}" + + echo "${imgToMakePRG} Unswapped size hex is: $UNSWAPPEDHEXSIZE" + echo "${imgToMakePRG} Swapped size hex is: $SWAPPEDHEXSIZE" + echo "${imgToMakePRG} Unswapped crc hex is: $UNSWAPPEDHEXCRC" + echo "${imgToMakePRG} Swapped crc hex is: $SWAPPEDHEXCRC" + + #create new header + perl -e "print pack 'H*', 'A55A5AA5${SWAPPEDHEXSIZE}${SWAPPEDHEXCRC}'" > firstheaderhalf.header + cat firstheaderhalf.header originalPRGFile.header "$imgToMakePRG" > "$originalPRGFile.new" + rm -rf firstheaderhalf.header + rm -rf originalPRGFile.header + + rm -rf "$originalPRGFile" + rm -rf "$imgToMakePRG" + mv "$originalPRGFile.new" "$originalPRGFile" +} + +function createImgFile() { + prgFile=$1 + newImgFile=$2 + dd if="$prgFile" of="$newImgFile" bs=512 skip=1 +} + + +function openupBOOTStyleImage() { + directory=$1 + imageToOpen=$2 + workdir=$3 + + cd "$directory" + + abootimg -x "$imageToOpen" + + "$workdir/../mkbootimg_tools/mkboot" "$imageToOpen" ./newUnpack + + cd "$workDir" +} + +function closeupBOOTStyleImage() { + directory=$1 + imageToSave=$2 + workdir=$3 + + cd "$directory" + + "$workdir/../mkbootimg_tools/mkboot" ./newUnpack "$imageToSave.NEW" + + rm -rf "$imageToSave" + + mv "$imageToSave.NEW" "$imageToSave" + + rm -rf bootimg.cfg + rm -rf initrd.img + rm -rf zImage + rm -rf newUnpack + + cd "$workdir" +} + +#exit on any error +set -e + +#verify system is Linux and user is root and specifed a file +test "$(uname)" = "Linux" || $(echo "this only works on linux" && usage) +test $(id -u) -eq "0" || $(echo "you must run as root" && usage) +test -z "$1" && $(echo "you must specify a file" && usage) + +#set variables for use (default AVIC-5000NEX, Version 140) +AVICZIP="$1" +m=$2 +model=${m:="5000"} +v=$3 +version=${v:="140"} + +#SETUP +workdir=$(pwd)"/work" +mkdir -p $workdir/ +unzip -o "$AVICZIP" -d $workdir/ +cd "$imageDir" + + +#PLATFORM Files +SYSTEMmount="$workdir/AVIC${model}NEX/PLATFORM/SYSTEM" +PLTimgFile="$workdir/AVIC${model}NEX/PLATFORM/PJ${version}PLT.IMG" +PLTprgFile="$workdir/AVIC${model}NEX/PLATFORM/PJ${version}PLT.PRG" +PLTverFile="$workdir/AVIC${model}NEX/PJ${version}PLT.VER" +PLTdirectory="$workdir/AVIC${model}NEX/PLATFORM" + +#USERDATA Files +SYSTEMUSERDATAmount="$workdir/AVIC${model}NEX/USERDATA/SYSTEM" +DATimgFile="$workdir/AVIC${model}NEX/USERDATA/PJ${version}DAT.IMG" +DATprgFile="$workdir/AVIC${model}NEX/USERDATA/PJ${version}DAT.PRG" +DATverFile="$workdir/AVIC${model}NEX/PJ${version}DAT.VER" +DATdirectory="$workdir/AVIC${model}NEX/USERDATA" + +#SNAPSHOT Files +SYSTEMSNAPSHOTmount="$workdir/AVIC${model}NEX/SNAPSHOT/SYSTEM" +SNAPSHOTimgFile="$workdir/AVIC${model}NEX/SNAPSHOT/SNAPSHOT.IMG" +SNAPSHOTprgFile="$workdir/AVIC${model}NEX/SNAPSHOT/SNAPSHOT.PRG" +SNAPSHOTverFile="$workdir/AVIC${model}NEX/SNAPSHOT.PRG.VER" +SNAPSHOTdirectory="$workdir/AVIC${model}NEX/SNAPSHOT" + +#HIBENDIR Files +SYSTEMHIBENDIRmount="$workdir/AVIC${model}NEX/HIBENDIR/SYSTEM" +HIBENDIRimgFile="$workdir/AVIC${model}NEX/HIBENDIR/HIBENDIR.IMG" +HIBENDIRprgFile="$workdir/AVIC${model}NEX/HIBENDIR/HIBENDIR.PRG" +HIBENDIRverFile="$workdir/AVIC${model}NEX/HIBENDIR.PRG.VER" +HIBENDIRdirectory="$workdir/AVIC${model}NEX/HIBENDIR" + +#BOOT Files +BOTimgFile="$workdir/AVIC${model}NEX/BOOT/PJ${version}BOT.IMG" +BOTprgFile="$workdir/AVIC${model}NEX/BOOT/PJ${version}BOT.PRG" +BOTverFile="$workdir/AVIC${model}NEX/PJ${version}BOT.VER" +BOTdirectory="$workdir/AVIC${model}NEX/BOOT" + +#RECOVERY Files +RECimgFile="$workdir/AVIC${model}NEX/RECOVERY/PJ${version}REC.IMG" +RECprgFile="$workdir/AVIC${model}NEX/RECOVERY/PJ${version}REC.PRG" +RECverFile="$workdir/AVIC${model}NEX/PJ${version}REC.VER" +RECdirectory="$workdir/AVIC${model}NEX/RECOVERY" + +#EASYRECOVERY Files +ERYimgFile="$workdir/AVIC${model}NEX/RECOVERYEASY/PJ${version}ERY.IMG" +ERYprgFile="$workdir/AVIC${model}NEX/RECOVERYEASY/PJ${version}ERY.PRG" +ERYverFile="$workdir/AVIC${model}NEX/PJ${version}ERY.VER" +ERYdirectory="$workdir/AVIC${model}NEX/RECOVERYEASY" + +#READY THE PLATFORM + +#create img file of the system image. +createImgFile "$PLTprgFile" "$PLTimgFile" + +#ignore errors while we create a new folder for working with image +set +e +umount "$SYSTEMmount" 2>&1 +test -e "$SYSTEMmount" && rm -rf "$SYSTEMmount" +mkdir $SYSTEMmount +set -e + +#mount the image +mount "$PLTimgFile" "$SYSTEMmount" + + +#READY THE USERDATA + +#create img file of the system image. +createImgFile "$DATprgFile" "$DATimgFile" + +#ignore errors while we create a new folder for working with image +set +e +umount "$SYSTEMUSERDATAmount" 2>&1 +test -e "$SYSTEMUSERDATAmount" && rm -rf "$SYSTEMUSERDATAmount" +mkdir $SYSTEMUSERDATAmount +set -e + +#mount the image +mount "$DATimgFile" "$SYSTEMUSERDATAmount" + +#READY THE SNAPSHOT + +#create img file of the system image. +createImgFile "$SNAPSHOTprgFile" "$SNAPSHOTimgFile" + +# #ignore errors while we create a new folder for working with image +# set +e +# umount "$SYSTEMSNAPSHOTmount" 2>&1 +# test -e "$SYSTEMSNAPSHOTmount" && rm -rf "$SYSTEMSNAPSHOTmount" +# mkdir $SYSTEMSNAPSHOTmount +# set -e +# +# #mount the image +# mount "$SNAPSHOTimgFile" "$SYSTEMSNAPSHOTmount" || echo "failed" +# +# +# #READY THE HIBENDIR +# +# #create img file of the system image. +# createImgFile "$HIBENDIRprgFile" "$HIBENDIRimgFile" +# +# #ignore errors while we create a new folder for working with image +# set +e +# umount "$SYSTEMHIBENDIRmount" 2>&1 +# test -e "$SYSTEMHIBENDIRmount" && rm -rf "$SYSTEMHIBENDIRmount" +# mkdir $SYSTEMHIBENDIRmount +# set -e +# +# #mount the image +# mount "$HIBENDIRimgFile" "$SYSTEMHIBENDIRmount" || echo "failed" + +#READY THE BOOT +createImgFile "$BOTprgFile" "$BOTimgFile" + +openupBOOTStyleImage "$BOTdirectory" "$BOTimgFile" "$workdir" + +#READY THE RECOVERY +createImgFile "$RECprgFile" "$RECimgFile" + +openupBOOTStyleImage "$RECdirectory" "$RECimgFile" "$workdir" + +#READY THE EASYRECOVERY +createImgFile "$ERYprgFile" "$ERYimgFile" + +openupBOOTStyleImage "$ERYdirectory" "$ERYimgFile" "$workdir" + +#WAIT FOR USER TO FINISH + + +echo "You can now modify all the open folders" +read -n 1 -p "Press any key to continue" isdone + +sync #ensure all changes are written to disk + + +#TIME TO CLOSE UP + + +#CLOSE UP PLATFORM + +umount "$SYSTEMmount" +test -e "$SYSTEMmount" && rm -rf "$SYSTEMmount" + +generatePRGFile "$PLTprgFile" "$PLTimgFile" +generateVERFile "$PLTverFile" "$PLTprgFile" + +#CLOSE UP USERDATA + +umount "$SYSTEMUSERDATAmount" +test -e "$SYSTEMUSERDATAmount" && rm -rf "$SYSTEMUSERDATAmount" + +generatePRGFile "$DATprgFile" "$DATimgFile" +generateVERFile "$DATverFile" "$DATprgFile" + +# #CLOSE UP SNAPSHOT +# +# umount "$SYSTEMSNAPSHOTmount" +# test -e "$SYSTEMSNAPSHOTmount" && rm -rf "$SYSTEMSNAPSHOTmount" +# +# generatePRGFile "$SNAPSHOTprgFile" "$SNAPSHOTimgFile" +# generateVERFile "$SNAPSHOTverFile" "$SNAPSHOTprgFile" + +#CLOSE UP BOOT + +closeupBOOTStyleImage "$BOTdirectory" "$BOTimgFile" "$workdir" + +generatePRGFile "$BOTprgFile" "$BOTimgFile" +generateVERFile "$BOTverFile" "$BOTprgFile" + +#CLOSE UP RECOVERY + +closeupBOOTStyleImage "$RECdirectory" "$RECimgFile" "$workdir" + +generatePRGFile "$RECprgFile" "$RECimgFile" +generateVERFile "$RECverFile" "$RECprgFile" + + +#CLOSE UP EASY RECOVERY + +closeupBOOTStyleImage "$ERYdirectory" "$ERYimgFile" "$workdir" + +generatePRGFile "$ERYprgFile" "$ERYimgFile" +generateVERFile "$ERYverFile" "$ERYprgFile" + +echo "WOOO! Your custom ROM is backed and ready!" \ No newline at end of file diff --git a/README.md b/README.md index a7af324..60181ee 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,277 @@ # AVIC-NEX -A repo for modding the AVIC NEX +A guide and discussion place for modding the AVIC NEX + + +**The contributors to this repository take no liabilty to any damage you may cause to your AVIC NEX by performing methods described here.** + + +#Testmodes +Test modes allow you to access many of the internal functions to perform various testing operations and some copying and writing functions. + +##Structure +The strings for the Testmode contain 3 fields and some optional fileds in the structure: + +1. 3 digit character count of 1st field +2. 1st field sting +3. 3 digit character count of 2nd field +4. 2nd field which is the model name or ALL: + * ALL + * KM500 + * NX263 + * NX263A + * NX264A + * NX264 + * NX264D +5. 3 digit character count of 3rd field +6. 3rd field +7. Unknown string of: 0082013010100820201230000 + +##Generation +To generate a Testmode file use the following: + +``` +perl TestKeys/encode.pl SOME_STRING_DEFINED_BELOW OUTPUTFILE.KEY +``` + +##Booting + +To boot a Testmode, place a file with the encrypted contents and a name of TESTMODE_A.KEY in the root directory of a USB stick, changing the last letter to match the headers defined below. + +## Check Order + +TestModes are checked in the following order: + +1. TESTMODE_A +2. TESTMODE_N +3. TESTMODE_S + +## Testmodes +The following are all the known testmodes. + +###TESTMODE_A +Testmode A launches after the deck has fully booted into the Testmode.apk on the device. The settings differ based on the encrypted contents within the TESTMODE_A files. + +The following modes are currently known to exist, (but not all of them have booted): + +Mode Name | Booted |Contents To Encrypt +---------------------- |-----------------| ------------- +SERVICE | Yes |007SERVICE003ALL00833333333007SERVICE0082013010100820201230000 +XXTECHNICALXX | Yes |013XXTECHNICALXX003ALL00833333333013XXTECHNICALXX0082013010100820201230000 +PRODUCT | Yes |007PRODUCT003ALL00833333333007PRODUCT0082013010100820201230000 +NORMAL | No |006NORMAL003ALL00833333333006NORMAL0082013010100820201230000 +DIRECT | No |006DIRECT003ALL00833333333006DIRECT0082013010100820201230000 +AUTO | No |004AUTO003ALL00833333333004AUTO0082013010100820201230000 + + +Known functions in each mode: + +1. Direct Mode + * ProgramFunction + * ModeChngFunction + * InitFactoryDefFunction + * BluetoothFunction + * VersionInfoFunction + * ProdInfoFunction + * GraphicsFunction + * UsbFunction +2. Normal Mode + * VersionInfoFunction + * ProgramFunction + * LogFunction + * FileMaintenanceFunction + * DriveMaintenceFun + * InitFactoryDefFunction + * InitUserArea + * GyroSensorFunction + * SelfCheckFunction + * TouchPanelFunction + * WirRemoteCtrFunction + * LearningWiredCtrlFunction + * PioFunction + * AsyncSerilPrtFunction + * RGBIllumiFunction + * MonitorFunction + * GraphicsFunction + * GpsInfoFunction + * GpsPositionFunction + * SensorFunction + * GPSModuleFunction + * TimeFunction + * ExtConnInfoFunction + * TmprtrSnsrFunction + * FanContFunction + * FlshRomFunction + * SdFunction + * StrgeSdFunction + * BluetoothFunction + * BtLineTest + * TelFunction + * EchoLSIFunction + * AVTestFunction + * IPODTest + * IpodCertificationFunction + * AppModeMixFunction + * SXIFunction + * HDRadioFunction + * RdsTmcFunction + * AudioFunction + * ProdAudioFunction + * VideoFunction + * AutoEQFunction + * UsbFunction + * UsbComFunction + * SystemFunction + * FlapFunction + * BackCameraFunction + * ModeChngFunction + * ProdInfoFunction + * WrProInfFunction + * CCIDWriteFunction + * TestResult + * ChngFlgDbgSrilFunction + * DCDCConverterSynchronization + * RGBIllumiPWMRegulation + * RGBIllumiFunction + * MmoryChckFunction + * CopyDeviceFun + + +###TESTMODE_N +Testmode N boots from the NORFlash or Recovery. The modes differ based on the encrypted contents within the TESTMODE_N files. + + +The following boot types and command combinations are known to exist: + +Boot Type | Command | Tested | Booted |Contents To Encrypt +------------|----------------|-------------|----------------| ------------- +Recovery | AllUpdate | Yes | Yes | 008Recovery003ALL00833333333009AllUpdate0082013010100820201230000 +NORFLASH | COPYDEVICE | No | Yes | 008NORFLASH003ALL00833333333010COPYDEVICE0082013010100820201230000 +NORFLASH | MODECHANGE | Yes | Yes | 008NORFLASH003ALL00833333333010MODECHANGE0082013010100820201230000 + + +The following boot types are known to exist: + +Boot Type | Tested | Booted | What it does +---------------------|--------------|--------------------- +Recovery | Yes | Yes |Boots the recovery partion on the Internal SD Card +NORFLASH | Yes | Yes |Boots the EasyRecovery Partition stored on the NorFlash (UBoot) + + +The following commands are known to exist: + +Command | Tested | Booted |What it does +------------|----------|-----------------|----------------------- +AllUpdate | Yes | Yes | Enables you to force an update like a regular NEX Update +COPYDEVICE | Yes | No | Copies an external device directly to the Internal Sd Card **(Unsure)** +MODECHANGE | Yes | Yes | Changes a mode of somesort **(Unsure)** + + +###TESTMODE_S +We are unsure what this does except that it reads 1 byte, subtracts 0x31 and then saves that value into the BSP SubMode. + +##Known TESTMODE BSP Information +The following is a data dump of what the TestMode files do with the BSP. + +### BSP Side Information +``` + Magic Number :0x%08lx(a55a5aa5:Valid, other:Invalid) +0: Boot Mode :0x%08lx(0:Normal, 1:Recovery, 2:EasyRecovery, 3:Re-EasyRecovery, default:Normal) +1: Launch Mode :0x%08lx(0:APL, 1:TestMode.apk, 2:Slave TestMode, 3:Boot Error, default:APL) +2: TestMode Sub-Mode:0x%08lx(0:TextMode_A.key,1:Serv Mode,2:Tech Mode,default:TechMode) +3? Bootimage Side :0x%08lx(0:Side A, 1:Side B, default:Side A) +4? Recoveryimg Side :0x%08lx(0:Side A, 1:Side B, default:Side A) +5? Debug Switch :0x%08lx(0:OFF, 1:ON, default:OFF) +6? Usb OTG Switch :0x%08lx(0:Host, 1:Device, default:Host) +7? Memchk flag :0x%08lx(0:No, 1:Yes, default:No) +8: Warp boot :0x%08lx(0:Side A, 1:Side B, default:Side A) +8? Boot Sub-Mode :0x%08lx(0:Normal, 1:Catch snapshot,2:Warp,default:Normal) +A: Update flag :0x%08lx(0:Recovery-Update, 1:uboot update, 2:boot.img update, + 3:recovery.img update, 4:system.img update, + 5:opening data update, 6:UI update, 7:All image update, + 8:TESTMODE_N.KEY, 9:easyrecovery copy, + a:easyrecovery copy&verify, b:password key copy&verify, + c:easyrecovery mode change, + default:Recovery-Update) +B: Update sub-flag :0x%08lx(0:SD Card, 1:USB1, 2:USB2 default:SD Card) +UI Update flag :0x%08lx(0:non-updating, 1:updating, default:non-updating) +Reserved1 flag :0x%08lx(default:0xFFFFFFFF) +Reserved2 flag :0x%08lx(default:0xFFFFFFFF) +``` +###TESTMODE_A + +``` +write +1, 1 +2, 0 +LMode (1, 1, 4 = sizeof) = TestMode.apk +SubMode (2, 0, 4 = sizeof) = TextMode_A.key +``` + +###TESTMODE_N + +###RecoveryAllUpdate + +``` +BMode (0, 1, 4 = sizeof) = BootMode = recovery +SetUpdateFlag (10, 0, 4) = Update flag = 0:Recovery-Update +SetSubUpdateFlag (11, 2, 4) = 0:SD Card +``` +###NORFLASH CopyDevice + +``` +BMode (0, 2, 4) = Boot Mode = EasyRecovery +SetUpdateFlag (10, 8, 4) = Update flag = a:easyrecovery copy&verify +SetSubUpdateFlag (11, x, 4) x = device where testfile found +``` + +###NORFLASH ChangeMode + +``` +BMode (0, 2, 4) = Boot Mode = EasyRecovery +SetUpdateFlag (10, 12, 4) = Update flag = c:easyrecovery mode change +``` + +###TESTMODE_S +``` +LMode = 2 (slave testmode) +LMode (1, 2, 4 = sizeof) +SubMode (2, [3,4,5,6 by table], 4 = sizeof) +``` + +#Update File Modification +The following describes how to modify the update files for your own use. + +**It is currently unkonwn if the AVIC NEX truely boots the modifications** + +**Any modifications made to the BOOT.img kernel/prg cause the deck to not boot. There is a checksum that we have not yet figured out on the Boot partiton.** + + +##Usage +To open up a AVIC NEX Update zip for modificiation perform the following on a Ubuntu Based System: + +**AVIC x100 Based:** + +``` +./Firmwares/AVIC.sh firmware.zip 5100 150 +``` + +**AVIC x000 Based:** + +``` +./Firmwares/AVIC.sh firmware.zip 5000 140 +``` + + +#Cross Update x000 to a x100 +The following is how to cross update your x000 AVIC to a x100. + +1. Download the x100 update relating to your model. +2. Rename all the 150's to 140 +3. Change the root folder from 5100 to 5000 +4. Flash the update + +The deck will now belive it is a x100. From now on you will need to use x100 update files without having to do the rename. + +If you wish to go back to the x000 do the reverse of the above. + +**All bluetooth audio is known not to work with this method currently** diff --git a/TestKeys/decode.pl b/TestKeys/decode.pl new file mode 100644 index 0000000..071ff99 --- /dev/null +++ b/TestKeys/decode.pl @@ -0,0 +1,45 @@ +#!/usr/bin/perl +# usage perl decode.pl TEST.KEY + +my $filename = (shift); + +open(my $fh, $filename) or die $!; + +binmode($fh); + +my $cnt = 0; + +my $encodeString = ""; +my $otherString = ""; + +while (read($fh, my $byte, 1)) +{ + if ($cnt % 2 == 1) + { + if (ord($byte) > 51) + { + $byte = ord($byte) - 20; + } + else + { + $byte = ord($byte) + 76; + } + $encodeString = $encodeString.chr($byte); + } else { + if (ord($byte) > 51) + { + $byte = ord($byte) - 20; + } + else + { + $byte = ord($byte) + 76; + } + $otherString = chr($byte).$otherString; + } + $cnt++; +} + +print $encodeString.$otherString; +print "\n"; + +close $fh; \ No newline at end of file diff --git a/TestKeys/encode.pl b/TestKeys/encode.pl new file mode 100755 index 0000000..4a17a38 --- /dev/null +++ b/TestKeys/encode.pl @@ -0,0 +1,31 @@ +#!/usr/bin/perl +# Usage perl encode.pl 008Recovery003ALL00833333333009AllUpdate0082013010100820201230000 OUT.KEY +my $string = shift; +my $outfile = shift; +open(my $ofh, ">", $outfile) or die $!; +binmode($ofh); + +my $stringLength = length($string); + +$stringHalfLength = ($stringLength/2); + +$string1 = substr($string, 0, $stringHalfLength); +$string2 = substr($string, $stringHalfLength, $stringHalfLength+1); + +$string2 = reverse $string2; + +for (my $i=0; $i < length($string2); $i++) { + my $string1Byte = ord(substr($string1, $i, 1)) + 0x14; + my $string2Byte = ord(substr($string2, $i, 1)) + 0x14; + + if($i > length($string1)-1) { + print $ofh chr($string2Byte); + } else { + print $ofh chr($string2Byte), chr($string1Byte); + } + +} + +print "\n"; + +close $ofh;