Difference between revisions of "MIB2"
(→FEC / SWaP Codes) |
(→Uploading FeC with OBDeleven) |
||
Line 121: | Line 121: | ||
# Security Access → 20103 | # Security Access → 20103 | ||
# Adaptation → Transfer of release code for a SWaP function → Paste the code → Slide to write | # Adaptation → Transfer of release code for a SWaP function → Paste the code → Slide to write | ||
− | # Basic Settings → Release of SWaP function | + | # Basic Settings → Release of SWaP function → Slide to start → Wait for "basic setting ended" status message → Slide to stop |
# Disconnect from the car. | # Disconnect from the car. | ||
# Press and hold MENU button to enter hidden menu, navigate to FEC/SWaP installed codes list to confirm that the code is installed and if it's valid. | # Press and hold MENU button to enter hidden menu, navigate to FEC/SWaP installed codes list to confirm that the code is installed and if it's valid. |
Revision as of 12:58, 19 January 2021
Contents
Cars and Devices
Audi
Volkswagen
Composition Media MIB2, Discover Media MIB2, Discover Pro MIB2.
- VW Golf MK7 (5G)
- VW Passat B8
- VW Tiguan MK2
- VW Polo
Skoda
- Skoda Karoq (NU)
- Skoda Kodiaq (NS)
- Skoda Octavia (5E)
- Skoda Yeti (5L)
- Skoda Superb (3V)
Seat
- Seat Leon (5F)
- Seat Ibiza (5P)
- Seat Arona
- Seat Ateca
- Seat Toledo
- Seat Alhambra
Porsche
PCM4.0 Infotainment system
Bentley
MAN
Firmware update
Packages
Links found on the web. They come and go. Most likely these listed below will soon be unavailable.
Audi
???
Seat
Skoda
???
Volkswagen
Fixing B201A fault
After software update there's a B201A fault stored in the 5F module. You can fix it using the I'm So XORy tool.
USB ports
There are many types of USB ports with different functionality.
5G0 035 222 E
- AUX support
- USB iOS (UI4) support
- Standard Infotainment Unit (I8E) support
- High Infotainment Unit (I8H) support
- Android/MirrorLink support
5G0 035 222 F
- AUX support
- limited USB (UE4) support
- Standard radio Gen2 (I8E) support
- High Infotainment Unit (I8H) support
- Android/MirrorLink support
5G0 035 222 H
- AUX support
- USB iOS (UI4) support
- Standard radio Gen2 (I8E) support
- Android/MirrorLink support
FEC / SWaP Codes
SWaP is short for SoftWare as a Product. This is a strategy to sell and protect optional features and functionality for Audi, Volkswagen, Seat, Skoda, and Porsche infotainment units as if it was an actual material product. Most likely it's cheaper to manufacture an infotainment headunit that is equipped with hardware supporting all features and the lock out these that were not play for, than to have separate hardware configurations designed for each variant of optional equipment. This method gives also chance to cross sell additional features later on.
Here's where the FEC comes in. It's short for Function Enabling Code, and this is exactly what it does. After buying such code for feature that you are interested in having, dealer is installing it in your cars infotainment headunit and from now on desired feature is available for you.
List of SWaP Codes
- 00030000 AMI (USB Enable)
- 00030001 Gracenote
- 00040100 Navigation
- 00050000 Bluetooth
- 00060100 Vehicle Data Interface
- 00060200 Infotaiment Control
- 00060300 Mirror Link
- 00060400 Sport HMI / Performence Monitor
- 00060500 Sport Chrono / Lap Timer
- 00060600 Logbook
- 00060700 Online services
- 00060800 Apple Carplay
- 00060900 Google Automotive Link / Android Auto
- 00070100 SDS
- 00070200 SDS for Nav
- 00070400 Electronic Voice Amplifier
Legal activation
You can buy at the dealership activation codes to enable some of the SWaP features. Order it by FEC part number.
Generating FecContainer.fec
File named FecContainer.fec stores information about which codes are valid and which features should be enabled for end user. You can make your own FecContainer.fec file and replace the original one but it will be detected as invalid since it will not be signed with proper certificate. You can bypass this by patching the system.
- MIB2_FEC_Generator.sh [1]
- WhatTheFec.exe [2]
Uploading FeC with OBDeleven
If you have generated FeC for a feature that is supported by the unit, you can use OBDeleven to upload it to the main unit. Procedure below was tested with OBDeleven nextGen device and OBDeleven application running on iPhone.
- Prepare the code, OBDeleven device, iPhone.
- Start the main unit and wait for it to boot fully
- Connect with module 5F and perform actions listed below in the 5F module.
- Change Service → End of assembly line mode (EOL)
- Security Access → 20103
- Adaptation → Transfer of release code for a SWaP function → Paste the code → Slide to write
- Basic Settings → Release of SWaP function → Slide to start → Wait for "basic setting ended" status message → Slide to stop
- Disconnect from the car.
- Press and hold MENU button to enter hidden menu, navigate to FEC/SWaP installed codes list to confirm that the code is installed and if it's valid.
Hacking
In some cases hacking is the only way to enable some features in some cars. For example Porsche PCM4.0 was not available from factory with Android Auto support. Also there is no FEC for Performance Monitor if it was not enabled from the factory.
Hacking MIB2 is basically 3-step process:
- Access filesystem
- Replacing ifs-root.ifs with patched one
- Replacing FecContainer.fec file with custom one
Filesystem access methods
There are several methods to access MIB2 filesystem. After establishing network connection you can telnet into the device and use log in using one of the MIB2 root passwords that matches your device.
USB to RJ45
By enabling Developer Mode and connecting UBS to Ethernet adapter. [3]
- D-Link DUB-E100 (0x2001, 0x3c05)
- D-Link DUB-E100 (0x2001, 0x1a02)
- SMSC9500 (0x0424, 0x9500)
- Germaneers LAN9514 (0x2721, 0xec00)
- Cinterion AH6A 3G (0x1e2d, 0x0055)
- Cinterion ALS1/ALS6 (0x1e2d, 0x0060)
Some sources indicate that USB connection will only work if empty file /var/dataoverdlink
is present.
Quadlock Rx/Tx
- Adapter GND to car GND
- Adapter RX to J5_TX
- Adapter TX to J5_RX [4]
WLAN
- Create access point with your phone (or any other device)
- Connect your MIB2 device to this access point
- MIB2 will get a local IP - connect to this IP using telnet on port 23
POI update via SD card / USB
Custom update files that will inject additional custom hidden green menu screens with options to copy and replace system files. [5].
POI update file must be prepared with correct structure and checksums. [6][7]
autorun script
In Discover Pro firmware 388 it is possible to execute a script named autorun placed on USB stick [8]
custom firmware update via SD card / USB
If you just want to replace some file with patched ones, then you really don't need filesystem access. You can prepare custom firmware update file that will replace said file for you.
Patching system and replacing FEC file
by custom firmware update [9]
- Prepare SD card with custom firmware on it.
- Enable hidden green menu to adjust developer-level options (production -> rcc_prod -> swdl_prod).
- Initiate update procedure.
- Device will reboot couple times which is normal in any firmware update procedure.
by replacing files with patched [10]
- Connect with MIB2-PCM4 via UART
- Launch a serial connection - 115200, 8, N, 1
- Login with root / oaIQOqkW (check MIB2 root passwords)
- Download Root-IFS
- Unpack Root-IFS (if using downloaded image from PCM4) [11]
- Patch out FEC checks and Component Protection
- Rebuild IFS image
- Create your new FEC file
- Load new files to head unit
- Change adaptation values as needed
After this you should be able to use SWaP code / FEC protected features.
non-Hacking feature activation
MIB software has an option to override .fec file for software testing purposes. Presence of a special exception list file with SWaP codes listed in it will cause those codes to be visible in system a valid. To insert this file there's no root access required. It's copied to the system via standard update procedure from Sd-card.
How it works
Process tsd.mibstd2.system.swap[12] is looking for the file, checkes if signature is correct, then checks list of FECs inside, and use these codes as valid.
Below an example of logs with failed parsing process due to syntax error.
[iMX6.Swap.tsd.mibstd2.system.swap] processing exception list /tsd/etc/slist/signed_exception_list.txt
[iMX6.Swap.tsd.mibstd2.system.swap] parsing exception list failed: syntax error (line 1)
Files
Where files are located and how are they named in various systems: [13] [14] [15] [16] [17]
- /tsd/etc/slist/signed_exception_list.txt
- /HBpersistence/FEC/Exceptionlist.txt
- efs-persist/etc/prodEL.txt
Update removes activation
System update procedure at its end executes /common/tools/0/default/finalScriptSequence.sh
which makes the ExceptionList.txt file overwritten with one that does not contain any FEC codes. Line of code responsible for that is:
cp -v ${2}/common/tools/0/default/ExceptionList.txt /HBpersistence/FEC
- ↑ https://github.com/askac/PorschePCMStuff
- ↑ http://bit.ly/whatthefec2020
- ↑ https://www.speakev.com/threads/who-wants-to-share-his-her-discover-pro-mib2-vcds-controller-channel-map.22361/page-2#post-1241153
- ↑ https://rennlist.com/forums/991/1049794-porsche-pcm-upgrade-hack-for-android-auto-is-this-real.html
- ↑ https://github.com/jilleb/mib2-toolbox
- ↑ https://github.com/jimmyH/mypois
- ↑ https://github.com/mcaddy/audipoi
- ↑ https://turbo-quattro.com/archive/index.php/t-23041.html
- ↑ https://www.audizine.com/forum/showthread.php/860600-C7-5-2016-A6-(and-others)-CarPlay-Android-Auto-Activation-DIY-Guide
- ↑ https://cartechnology.co.uk/showthread.php?tid=56065&page=2&fbclid=IwAR1NYi3njsAcjZbXAgBVeB6gRet2VpxQHdusMtOqLtDs6Ev7o0ssbL4L-qQ
- ↑ https://github.com/unbe/mmi-ifs
- ↑ https://www.digital-kaos.co.uk/forums/showthread.php/724735-Mib-STD2-PQ-NAV-need-help?p=3506433&viewfull=1#post3506433
- ↑ https://mhhauto.com/Thread-MIB2-vcrn
- ↑ https://rennlist.com/forums/991/1049794-porsche-pcm-upgrade-hack-for-android-auto-is-this-real-9.html#post16124795
- ↑ https://turbo-quattro.com/archive/index.php/t-24737.html
- ↑ https://github.com/askac/PorschePCMStuff/blob/master/MIB2_FEC_Generator.sh
- ↑ https://www.digital-eliteboard.com/threads/audi-mmi-mib2-mhi2-firmware-3634-3663-update-und-asi-apple-carplay-android-auto.480571/post-3810164