MIB/MIB2 FEC edit - Map Care
Welcome to Turbo Quattro.
Page 1 of 2
Showing posts 1 to 20 of 22
  1. #1
    Local
    Registered
    22.03.2017
    Posts
    107

    MIB/MIB2 FEC edit - Map Care

    Hello,

    Does anyone know the algorithm for the Map Care FEC? 0230001E -> how long is this FEC valid for map updates?

    br,
    mobista

  2. #2
    Newbie
    Registered
    14.04.2014
    Location
    London
    Posts
    29

    1E is already old; for the latest maps you need 22 or higher.

  3. #3
    Local
    Registered
    22.03.2017
    Posts
    107

    OK, but how to make the FEC valid for, say, 3 years? The lifetime would be like in BMW, "FF"...

  4. #4

    2F for unlimited.
    How to edit/import a FEC?

  5. #5
    Newbie
    Registered
    14.04.2014
    Location
    London
    Posts
    29

    Edit the FEC with a hex editor, but you need a patched MIB or it will be invalid.

  6. #6

    Is there any information about the FEC structure? And what program do I have to patch?

  7. #7
    Newbie
    Registered
    14.04.2014
    Location
    London
    Posts
    29

    Most of the FEC structure information is found here: https://turbo-quattro.com/showthread...l=1#post600007

    The FEC is signed with Audi's private key.

  8. #8

    Thanks, bedrock!

    One more question about the signing: I read that the MIBRoot app must be patched to accept the invalid FECs added to the container. Do you have any idea about how to do that?

  9. #9

    I found some interesting code from a Porsche forum that generates the FEC container and the keys: https://github.com/ibreakifix/PorschePCMStuff (see https://rennlist.com/forums/991/1142...991-1-a-2.html).

  10. #10
    Newbie
    Registered
    14.04.2014
    Location
    London
    Posts
    29

    Very interesting. I know people have tried replacing keys, but I'm not aware of anyone succeeding with this method. If this works, it would avoid the patch.

  11. #11
    User
    Registered
    11.03.2016
    Posts
    97

    Is this tested on a production unit?
    The reason I'm asking is what I posted here:
    https://reverseengineering.stackexch...h-verification

    After some research I came to the conclusion that we cannot simply change the keys. As you already know, they are all signed, and although the signing key looks to be the MIB-High_MI_public, it's actually a key that's in the NOR flash OTP area. In our case it happens to be the same as the public key, but we can't change that. MIBRoot checks this before it uses the keys found in the persist area. Unless you change the flash chip you can't use your own keys, so it's just not worth the effort.
    Regards.

  12. #12
    Newbie
    Registered
    14.04.2014
    Location
    London
    Posts
    29

    I asked him the same question because of your Stack Exchange post; he hasn't tested it yet.

  13. #13
    User
    Registered
    11.03.2016
    Posts
    97

    I don't have time to register on the other forum, so I will quote something here:

    I believe the efs-system partition is the "OTP" area he is referring to, even though it is not OTP.

    I have not found the key anywhere else, and I don't even believe there is any one-time-programmable flash on the board. There are regions of the EEPROM that are protected by the software, but those contain the FAZIT ID and not keys; additionally, the entire NOR is writeable from within QNX. Given that, he might have a MIB2 from Delphi, which is apparently designed much differently than the Harman Becker unit.

    For OTP and NOR flash (ignore the S29 model, it's just from that flash type's PDF):
    The S29GL-S flash devices have 1024 bytes of one time programmable (OTP) memory. This Secure Silicon Region (SSR) is divided into two areas: the lower 512B region, SSR Region 0, is Factory modifiable and the upper 512B region, SSR Region 1, is Customer modifiable. SSR0 can be ordered Factory pre-programmed. SSR0 is Factory locked and cannot be Customer modified.

    What Harman did is put the public key there; by the way, it's the same in the old MMI. This has nothing to do with the EEPROM or the efs partition. Sad but true.
    You can read that region when the chip is off with a special reader, or with custom code running on the MIB.

    Having said this, I don't say it's impossible to use your own keys, but here are some important points to consider:
    1. You still need to patch MIBRoot to ignore the OTP.
    2. Don't touch the data keys, only FEC and/or metainfo, as the data key is used to verify other things.

    That's why I said it's not worth the effort: you still need to patch something in the unit.

    Regards.

  14. #14

    I bought a new MIB2 unit for my Q7 4M because I also want DAB+. Before I fit this new MIB2 unit, I would like to hacktivate it after updating to the newest version (e.g. map lifetime, AndroidAuto/CarPlay, all FECs, and remove CP) and want to learn how it is done.

    In my MIB2 from Q7 4M P software there is a scripts folder, also with some files called activate_AndroidAuto.sh and activate_CarPlay.sh.
    There are also some scripts to deactivate FEC, activate FEC and activate FECSigOn.sh; maybe from those it is possible to learn where to deactivate FEC signing over Telnet.

    Look at fecSig_on.sh:

    #!/bin/sh

    /eso/hmi/engdefs/scripts/navpre.sh
    rm -fv /navigation/USE_FEC
    touch /navigation/USE_FEC_SIG
    echo "created /navigation/USE_FEC_SIG"
    sync

    So if we remove USE_FEC_SIG and touch a USE_FEC, maybe it works. But why is it in the /navigation mount/folder...

    fec_off.sh:

    rm -fv /navigation/USE_FEC
    rm -fv /navigation/USE_FEC_SIG

    navpre.sh makes some mounts writable:

    mount -u /mnt/system/
    mount -u /mnt/app/
    touch /etc/mcd.writable
    /eso/hmi/engdefs/scripts/remountSDCard.sh

    Can it be this easy? I don't want to kill one of my units... so not tested yet.
    Last edited by PopDog; 29.06.2019 at 16:48.

  15. #15

    Quote: Originally posted by PopDog
    I bought a new MIB2 unit for my Q7 4M because I also want DAB+. Before I fit this new MIB2 unit, I would like to hacktivate it after updating to the newest version (e.g. map lifetime, AndroidAuto/CarPlay, all FECs, and remove CP) and want to learn how it is done.

    In my MIB2 from Q7 4M P software there is a scripts folder, also with some files called activate_AndroidAuto.sh and activate_CarPlay.sh.
    There are also some scripts to deactivate FEC, activate FEC and activate FECSigOn.sh; maybe from those it is possible to learn where to deactivate FEC signing over Telnet.

    Look at fecSig_on.sh:

    So if we remove USE_FEC_SIG and touch a USE_FEC, maybe it works. But why is it in the /navigation mount/folder...

    fec_off.sh:

    navpre.sh makes some mounts writable.
    Can it be this easy? I don't want to kill one of my units... so not tested yet.
    No, this only applies to developer units that are looking for those files. The system looks for "/navigation/FSID_Navi_Enabled" or "/navigation/FSID_Navi_Disabled", but I don't know what effect it has, if any.

    Quote: Originally posted by congo
    I don't have time to register on the other forum, so I will quote something here:

    For OTP and NOR flash (ignore the S29 model, it's just from that flash type's PDF):

    What Harman did is put the public key there; by the way, it's the same in the old MMI. This has nothing to do with the EEPROM or the efs partition. Sad but true.
    You can read that region when the chip is off with a special reader, or with custom code running on the MIB.

    Having said this, I don't say it's impossible to use your own keys, but here are some important points to consider:
    1. You still need to patch MIBRoot to ignore the OTP.
    2. Don't touch the data keys, only FEC and/or metainfo, as the data key is used to verify other things.

    That's why I said it's not worth the effort: you still need to patch something in the unit.

    Regards.
    Yes, you are correct, and thanks for the info. It looks like my flash programmer application could not access the OTP area, hence why I did not see what you were talking about. I'll have to find some way to download and analyze it through the bootloader or QNX. It also looks like there is a checksum inside the mibroot application (5854ABE5FEDC157883AC01A8D4A3D5A0); I'm assuming this is a checksum of the OTP area, but no clue yet.

    Replacing the flash is not an issue; I just need to find a way to write the OTP area on a new flash chip. I don't have the ability to patch MIBRoot, because I've never worked with a disassembler, so I'll have to give this a shot.
    Last edited by chris2; 29.06.2019 at 21:51.

  16. #16
    Newbie
    Registered
    04.07.2016
    Location
    Germany
    Posts
    13

    Quote: Originally posted by mobista
    Hello,

    Does anyone know the algorithm for the Map Care FEC? 0230001E -> how long is this FEC valid for map updates?

    br,
    mobista
    0xxx0010 -> it is Q1 2014, and that means for each year you increment by 4.
    Map updates are usually released in Q1 and Q3.
    14 -> Q1 2015
    18 -> Q1 2016
    1C -> Q1 2017
    1E -> Q3 2017
    20 -> Q1 2018
    24 -> Q1 2019
    28 -> Q1 2020
    2F -> Q4 2021
    ............

  17. #17
    Local
    Registered
    22.03.2017
    Posts
    107

    Quote: Originally posted by malec
    0xxx0010 -> it is Q1 2014, and that means for each year you increment by 4.
    Map updates are usually released in Q1 and Q3.
    14 -> Q1 2015
    18 -> Q1 2016
    1C -> Q1 2017
    1E -> Q3 2017
    20 -> Q1 2018
    24 -> Q1 2019
    28 -> Q1 2020
    2F -> Q4 2021
    ............
    Many thanks!

  18. #18
    User
    Registered
    17.02.2013
    Posts
    45

    Quote: Originally posted by malec
    0xxx0010 -> it is Q1 2014, and that means for each year you increment by 4.
    Map updates are usually released in Q1 and Q3.
    14 -> Q1 2015
    18 -> Q1 2016
    1C -> Q1 2017
    1E -> Q3 2017
    20 -> Q1 2018
    24 -> Q1 2019
    28 -> Q1 2020
    2F -> Q4 2021
    ............
    Hi,

    Audi added +2:
    20 > 2019 map
    22 > 2019/2020 map
    24 > 2020
    26 > 2020/2021
    28 > 2021
    ?? > 2021/2022
    ?? > 2022
    ?? > 2022/2023
    ?? > 2023

    What numbers will come after 28 and 2F?
    Last edited by romanesh; 14.07.2019 at 12:15.

  19. #19
    Local
    Registered
    22.03.2017
    Posts
    107

    I think 30...

  20. #20
    User
    Registered
    17.02.2013
    Posts
    45

    As I understand it, it is a hexadecimal count:
    0 1 2 3 4 5 6 7 8 9 a b c d e f
    10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
    20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
    30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e