Hello,
Do anyone know algo for Map Care FEC? 0230001E -> how long this FEC is valid for map update?
br,
mobista
Hello,
Do anyone know algo for Map Care FEC? 0230001E -> how long this FEC is valid for map update?
br,
mobista
1E already old, for latest maps need 22 or higher
Ok, but how to make FEC valid for example for 3 years? Lifetime will be like in BMW "FF"...
2F for unlimited
How to edit/import FEC?
Edit FeC with hexeditor, but need patched MIB or will be invalid
Is there any information about the FEC structure? And, what program I have to patch?
The FEC structure information Most is found here https://turbo-quattro.com/showthread...l=1#post600007
the FEC is signed with Audi private key.
Thanks, bedrock!
One more question about the signing: I read that the MIBroot app must be patched to accept the invalid FECs added to the container. Do you have any idea about doing that and how?
I found some interesting code from a Porsche forum that generates the FEC container and the keys: https://github.com/ibreakifix/PorschePCMStuff (see https://rennlist.com/forums/991/1142...991-1-a-2.html)!
Very interesting, I know people tried replacing keys, but not aware anyone succeed in this method. If this work, it would avoid patch
Is this tested on prod unit?
Why im asking is because of what i posted here
https://reverseengineering.stackexch...h-verification
After some research i came to conclusion that we cannot simply change the keys. As you already know they are all signed, and although the sign key looks to be the MIB-High_MI_public its actually a key that's in the NOR flash OTP area. In our case it happens to be the same is the public key but we cant change that. MIBRoot check this before it uses the keys found the the persist area. Unless you change the flash chip you cant use your own keys so it just not worth the effort
Regards.
I ask him the same question because of your stack exchange, he hasn't tested yet.
I don't have time to register in the other forum so i will quote something here
For OTP and NOR flash - ignore the S29 model it's just from that flash type pdfI believe the efs-system partition is the “OTP” area he is referring to, even though it is not OTP.
I have not found the key anywhere else, and I don’t even believe there is any one time programmable flash on the board. There are regions of the eeprom that are protected by the software, but those contain the fazit id and not keys, additionally the entire NOR is writeable from within QNX. Given that, he might have a MIB2 from Delphi which is apparently designed much differently than the Harman Becker unit
What Harman did is to put the pkey there, btw it's the same in old MMI. This have nothing to do with the EEPROM or the efs partition. Sad but true.The S29GL-S flash devices have 1024 bytes of one time programmable (OTP) memory. This Secure SiliconRegion (SSR) is divided into two areas, the lower 512B region, SSR Region 0, is Factory modifiable and the upper512B region, SSR Region 1, is Customer modifiable. SSR0 can be ordered Factory pre-programmed. SSR0 isFactory locked and cannot be Customer modified
You can read that region when chip is off with special reader or with custom code running on the mib.
Having said this i dont say it's impossible to use own keys but here are some important points to consider:
1. Still need to patch MIBRoot to ignore OTP
2. Dont touch the data keys only fec and/or metainfo as data key is used to verify other things
That's why i said it's not worth the effort because you still need to patch something in the unit.
Regards.
I bought new MIB2 Unit for my Q7 4M because I also want DAB+ - before i will fit this new MIB2 unit, i would like to hacktivate it after Update to newest Version (e.g. Map Lifetime, AndroidAuto/CarPlay all fecs, and remove CP) and want to learn how it is done
In my MIB2 from Q7 4M P Software there is a scripts folder, also with some files called - activate_AndroidAuto.sh activate_CarPlay.sh
There are also some Scripts to deactivate FEC, Activate FEC and activate FECSigOn.sh maybe from that it is possible to know where to deactivate FEC Signing over Telnet
look at fecSig_on.sh
so if we remove USE_FEC_SIG and touch a USE_FEC, maybe it works. But why is it in /navigation mount/folder...#!/bin/sh
/eso/hmi/engdefs/scripts/navpre.sh
rm -fv /navigation/USE_FEC
touch /navigation/USE_FEC_SIG
echo "created /navigation/USE_FEC_SIG"
sync
fec_off.sh
navpre.sh makes some mounts writablerm -fv /navigation/USE_FEC
rm -fv /navigation/USE_FEC_SIG
Can it be this easy? Don't want to kill one of my units ... so not tested yetmount -u /mnt/system/
mount -u /mnt/app/
touch /etc/mcd.writable
/eso/hmi/engdefs/scripts/remountSDCard.sh
Последний раз редактировалось PopDog; 29.06.2019 в 16:48.
No, this only applies to developer units that are looking for those files. The system looks for "/navigation/FSID_Navi_Enabled" "/navigation/FSID_Navi_Disabled" or but I don't know what effect it has, if any.
Yes, you are correct and thanks for the info. It looks like my flash programmer application could not access the OTP area, hence why I did not see what you were talking about. I'll have to find some way to download and analyze it through the bootloader or QNX. It also looks like there is a checksum inside of the mibroot application (5854ABE5FEDC157883AC01A8D4A3D5A0), I'm assuming this is a checksum of the OTP area but no clue yet.
Replacing the flash is not an issue, I just need to find a way to write the OTP area on a new flash chip. I don't have the ability to patch MIBRoot, because I've never worked with a disassembler, so I'll have to give this a shot.
Последний раз редактировалось chris2; 29.06.2019 в 21:51.
I think 30...
I so understand it is a Hexadecimal calculation
0
1
2
3
4
5
6
7
8
9
a
b
c
d
e
f
10
11
12
13
14
15
16
17
18
19
1a
1b
1c
1d
1e
1f
20
21
22
23
24
25
26
27
28
29
2a
2b
2c
2d
2e
2f
30
31
32
33
34
35
36
37
38
39
3a
3b
3c
3d
3e