Difference between revisions of "MIB2"

From Automotive Wiki from mr-fix
Jump to: navigation, search
(Uploading FeC with OBDeleven)
(9 intermediate revisions by the same user not shown)
Line 33: Line 33:
  
 
</div>
 
</div>
 +
 +
== Firmware update ==
 +
=== Packages ===
 +
Links found on the web. They come and go. Most likely these listed below will soon be unavailable.
 +
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
 +
==== Audi ====
 +
???
 +
 +
==== Seat ====
 +
* [https://mega.nz/file/7cQCyK5Z#NGpgXKh6pc93SwcRTJO9KvzXGRVu8tVYGEkLWINlf_s MST2_EU_SE_ZR_P0346T]
 +
 +
==== Skoda ====
 +
???
 +
 +
==== Volkswagen ====
 +
* [https://drive.google.com/file/d/1XUcUv-b0giMd_Gfx6HHRMVBupN9RgZ_8/view?usp=sharing MHIG_EU_VW_K0344_1]
 +
* [https://drive.google.com/file/d/1iY4Q9x82q3YWuNvB7vD8fWaKwJVr1lpm/view?usp=sharing MHIG_EU_VW_K1540_1]
 +
* [https://drive.google.com/file/d/1VxwluI64XIg8IiS6jCzgPad1TYIeMb0Z/view?usp=sharing MHIG_EU_VW_K1550]
 +
 +
</div>
 +
 +
=== Fixing B201A fault ===
 +
After software update there's a B201A fault stored in the 5F module. You can fix it using the [http://mib-helper.com/im-so-xory/ I'm So XORy] tool.
  
 
== USB ports ==
 
== USB ports ==
Line 70: Line 93:
 
* 00060300 Mirror Link
 
* 00060300 Mirror Link
 
* 00060400 Sport HMI / Performence Monitor
 
* 00060400 Sport HMI / Performence Monitor
* 00060500 Sport Chrono
+
* 00060500 Sport Chrono / Lap Timer
 
* 00060600 Logbook
 
* 00060600 Logbook
 
* 00060700 Online services
 
* 00060700 Online services
Line 88: Line 111:
 
* MIB2_FEC_Generator.sh <ref>https://github.com/askac/PorschePCMStuff</ref>
 
* MIB2_FEC_Generator.sh <ref>https://github.com/askac/PorschePCMStuff</ref>
 
* [[WhatTheFec.exe]] <ref>http://bit.ly/whatthefec2020</ref>
 
* [[WhatTheFec.exe]] <ref>http://bit.ly/whatthefec2020</ref>
 +
 +
=== Uploading FeC with OBDeleven ===
 +
If you have generated FeC for a feature that is supported by the unit, you can use [[OBDeleven]] to upload it to the main unit. Procedure below was tested with OBDeleven nextGen device and OBDeleven application running on iPhone.
 +
 +
# Prepare the code, OBDeleven device, iPhone.
 +
# Start the main unit and wait for it to boot fully
 +
# Connect with module 5F and perform actions listed below in the 5F module.
 +
# Change Service → End of assembly line mode (EOL)
 +
# Security Access → 20103
 +
# Adaptation → Transfer of release code for a SWaP function → Paste the code → Slide to write
 +
# Basic Settings → Release of SWaP function → Slide to start → Wait for "basic setting ended" status message → Slide to stop
 +
# Disconnect from the car.
 +
# Press and hold MENU button to enter hidden menu, navigate to FEC/SWaP installed codes list to confirm that the code is installed and if it's valid.
  
 
== Hacking ==
 
== Hacking ==
Line 96: Line 132:
 
# Replacing [[FecContainer.fec]] file with custom one
 
# Replacing [[FecContainer.fec]] file with custom one
  
=== Fileststem access methods ===
+
=== Filesystem access methods ===
 
There are several methods to access MIB2 filesystem. After establishing network connection you can telnet into the device and use log in using one of the [[MIB2 root passwords]] that matches your device.
 
There are several methods to access MIB2 filesystem. After establishing network connection you can telnet into the device and use log in using one of the [[MIB2 root passwords]] that matches your device.
  
Line 153: Line 189:
  
 
== non-Hacking feature activation ==
 
== non-Hacking feature activation ==
MIB software has an option to override .fec file for software testing purposes. Presence of a special file with SWaP codes listed in it will cause those codes to be visible in system a valid.
+
MIB software has an option to override .fec file for software testing purposes. Presence of a special [[MIB2 Exception List file|exception list file]] with SWaP codes listed in it will cause those codes to be visible in system a valid. To insert this file there's no root access required. It's copied to the system via standard update procedure from Sd-card.
To insert this file there's no root access required. It's copied to the system via SD-card update procedure. File contains information about [[VCRN]] to ensure that it's used on a test unit.
+
 
 +
=== How it works ===
 +
Process '''tsd.mibstd2.system.swap'''<ref>https://www.digital-kaos.co.uk/forums/showthread.php/724735-Mib-STD2-PQ-NAV-need-help?p=3506433&viewfull=1#post3506433</ref> is looking for the file, checkes if signature is correct, then checks list of FECs inside, and use these codes as valid.
 +
 
 +
Below an example of logs with failed parsing process due to syntax error.
 +
 
 +
<code>[iMX6.Swap.tsd.mibstd2.system.swap]    processing exception list /tsd/etc/slist/signed_exception_list.txt
 +
[iMX6.Swap.tsd.mibstd2.system.swap]   parsing exception list failed: syntax error (line 1)</code>
 +
 
 +
=== Files ===
 +
Where files are located and how are they named in various systems:
 +
<ref>https://mhhauto.com/Thread-MIB2-vcrn</ref>
 +
<ref>https://rennlist.com/forums/991/1049794-porsche-pcm-upgrade-hack-for-android-auto-is-this-real-9.html#post16124795</ref>
 +
<ref>https://turbo-quattro.com/archive/index.php/t-24737.html</ref>
 +
<ref>https://github.com/askac/PorschePCMStuff/blob/master/MIB2_FEC_Generator.sh</ref>
 +
<ref>https://www.digital-eliteboard.com/threads/audi-mmi-mib2-mhi2-firmware-3634-3663-update-und-asi-apple-carplay-android-auto.480571/post-3810164</ref>
 +
 
 +
* /tsd/etc/slist/'''signed_exception_list.txt'''
 +
* /HBpersistence/FEC/'''Exceptionlist.txt'''
 +
* efs-persist/etc/'''prodEL.txt'''
 +
 
 +
=== Update removes activation ===
 +
System update procedure at its end executes <code>/common/tools/0/default/finalScriptSequence.sh</code> which makes the ExceptionList.txt file overwritten with one that does not contain any FEC codes. Line of code responsible for that is:
 +
 
 +
<code>cp -v ${2}/common/tools/0/default/ExceptionList.txt /HBpersistence/FEC</code>

Revision as of 12:58, 19 January 2021

Cars and Devices

Audi

Volkswagen

Composition Media MIB2, Discover Media MIB2, Discover Pro MIB2.

  • VW Golf MK7 (5G)
  • VW Passat B8
  • VW Tiguan MK2
  • VW Polo

Skoda

  • Skoda Karoq (NU)
  • Skoda Kodiaq (NS)
  • Skoda Octavia (5E)
  • Skoda Yeti (5L)
  • Skoda Superb (3V)

Seat

  • Seat Leon (5F)
  • Seat Ibiza (5P)
  • Seat Arona
  • Seat Ateca
  • Seat Toledo
  • Seat Alhambra

Porsche

PCM4.0 Infotainment system

Bentley

MAN

Firmware update

Packages

Links found on the web. They come and go. Most likely these listed below will soon be unavailable.

Audi

???

Seat

Skoda

???

Volkswagen

Fixing B201A fault

After software update there's a B201A fault stored in the 5F module. You can fix it using the I'm So XORy tool.

USB ports

There are many types of USB ports with different functionality.

5G0 035 222 E

  • AUX support
  • USB iOS (UI4) support
  • Standard Infotainment Unit (I8E) support
  • High Infotainment Unit (I8H) support
  • Android/MirrorLink support

5G0 035 222 F

  • AUX support
  • limited USB (UE4) support
  • Standard radio Gen2 (I8E) support
  • High Infotainment Unit (I8H) support
  • Android/MirrorLink support

5G0 035 222 H

  • AUX support
  • USB iOS (UI4) support
  • Standard radio Gen2 (I8E) support
  • Android/MirrorLink support

FEC / SWaP Codes

SWaP is short for SoftWare as a Product. This is a strategy to sell and protect optional features and functionality for Audi, Volkswagen, Seat, Skoda, and Porsche infotainment units as if it was an actual material product. Most likely it's cheaper to manufacture an infotainment headunit that is equipped with hardware supporting all features and the lock out these that were not play for, than to have separate hardware configurations designed for each variant of optional equipment. This method gives also chance to cross sell additional features later on.
Here's where the FEC comes in. It's short for Function Enabling Code, and this is exactly what it does. After buying such code for feature that you are interested in having, dealer is installing it in your cars infotainment headunit and from now on desired feature is available for you.

List of SWaP Codes

  • 00030000 AMI (USB Enable)
  • 00030001 Gracenote
  • 00040100 Navigation
  • 00050000 Bluetooth
  • 00060100 Vehicle Data Interface
  • 00060200 Infotaiment Control
  • 00060300 Mirror Link
  • 00060400 Sport HMI / Performence Monitor
  • 00060500 Sport Chrono / Lap Timer
  • 00060600 Logbook
  • 00060700 Online services
  • 00060800 Apple Carplay
  • 00060900 Google Automotive Link / Android Auto
  • 00070100 SDS
  • 00070200 SDS for Nav
  • 00070400 Electronic Voice Amplifier

Legal activation

You can buy at the dealership activation codes to enable some of the SWaP features. Order it by FEC part number.

Generating FecContainer.fec

File named FecContainer.fec stores information about which codes are valid and which features should be enabled for end user. You can make your own FecContainer.fec file and replace the original one but it will be detected as invalid since it will not be signed with proper certificate. You can bypass this by patching the system.

Uploading FeC with OBDeleven

If you have generated FeC for a feature that is supported by the unit, you can use OBDeleven to upload it to the main unit. Procedure below was tested with OBDeleven nextGen device and OBDeleven application running on iPhone.

  1. Prepare the code, OBDeleven device, iPhone.
  2. Start the main unit and wait for it to boot fully
  3. Connect with module 5F and perform actions listed below in the 5F module.
  4. Change Service → End of assembly line mode (EOL)
  5. Security Access → 20103
  6. Adaptation → Transfer of release code for a SWaP function → Paste the code → Slide to write
  7. Basic Settings → Release of SWaP function → Slide to start → Wait for "basic setting ended" status message → Slide to stop
  8. Disconnect from the car.
  9. Press and hold MENU button to enter hidden menu, navigate to FEC/SWaP installed codes list to confirm that the code is installed and if it's valid.

Hacking

In some cases hacking is the only way to enable some features in some cars. For example Porsche PCM4.0 was not available from factory with Android Auto support. Also there is no FEC for Performance Monitor if it was not enabled from the factory.
Hacking MIB2 is basically 3-step process:

  1. Access filesystem
  2. Replacing ifs-root.ifs with patched one
  3. Replacing FecContainer.fec file with custom one

Filesystem access methods

There are several methods to access MIB2 filesystem. After establishing network connection you can telnet into the device and use log in using one of the MIB2 root passwords that matches your device.

USB to RJ45

By enabling Developer Mode and connecting UBS to Ethernet adapter. [3]

  • D-Link DUB-E100 (0x2001, 0x3c05)
  • D-Link DUB-E100 (0x2001, 0x1a02)
  • SMSC9500 (0x0424, 0x9500)
  • Germaneers LAN9514 (0x2721, 0xec00)
  • Cinterion AH6A 3G (0x1e2d, 0x0055)
  • Cinterion ALS1/ALS6 (0x1e2d, 0x0060)

Some sources indicate that USB connection will only work if empty file /var/dataoverdlink is present.

Quadlock Rx/Tx

  1. Adapter GND to car GND
  2. Adapter RX to J5_TX
  3. Adapter TX to J5_RX [4]

WLAN

  1. Create access point with your phone (or any other device)
  2. Connect your MIB2 device to this access point
  3. MIB2 will get a local IP - connect to this IP using telnet on port 23

POI update via SD card / USB

Custom update files that will inject additional custom hidden green menu screens with options to copy and replace system files. [5].
POI update file must be prepared with correct structure and checksums. [6][7]

autorun script

In Discover Pro firmware 388 it is possible to execute a script named autorun placed on USB stick [8]

custom firmware update via SD card / USB

If you just want to replace some file with patched ones, then you really don't need filesystem access. You can prepare custom firmware update file that will replace said file for you.

Patching system and replacing FEC file

by custom firmware update [9]

  1. Prepare SD card with custom firmware on it.
  2. Enable hidden green menu to adjust developer-level options (production -> rcc_prod -> swdl_prod).
  3. Initiate update procedure.
  4. Device will reboot couple times which is normal in any firmware update procedure.

by replacing files with patched [10]

  1. Connect with MIB2-PCM4 via UART
  2. Launch a serial connection - 115200, 8, N, 1
  3. Login with root / oaIQOqkW (check MIB2 root passwords)
  4. Download Root-IFS
  5. Unpack Root-IFS (if using downloaded image from PCM4) [11]
  6. Patch out FEC checks and Component Protection
  7. Rebuild IFS image
  8. Create your new FEC file
  9. Load new files to head unit
  10. Change adaptation values as needed

After this you should be able to use SWaP code / FEC protected features.

non-Hacking feature activation

MIB software has an option to override .fec file for software testing purposes. Presence of a special exception list file with SWaP codes listed in it will cause those codes to be visible in system a valid. To insert this file there's no root access required. It's copied to the system via standard update procedure from Sd-card.

How it works

Process tsd.mibstd2.system.swap[12] is looking for the file, checkes if signature is correct, then checks list of FECs inside, and use these codes as valid.

Below an example of logs with failed parsing process due to syntax error.

[iMX6.Swap.tsd.mibstd2.system.swap] processing exception list /tsd/etc/slist/signed_exception_list.txt [iMX6.Swap.tsd.mibstd2.system.swap] parsing exception list failed: syntax error (line 1)

Files

Where files are located and how are they named in various systems: [13] [14] [15] [16] [17]

  • /tsd/etc/slist/signed_exception_list.txt
  • /HBpersistence/FEC/Exceptionlist.txt
  • efs-persist/etc/prodEL.txt

Update removes activation

System update procedure at its end executes /common/tools/0/default/finalScriptSequence.sh which makes the ExceptionList.txt file overwritten with one that does not contain any FEC codes. Line of code responsible for that is:

cp -v ${2}/common/tools/0/default/ExceptionList.txt /HBpersistence/FEC
  1. https://github.com/askac/PorschePCMStuff
  2. http://bit.ly/whatthefec2020
  3. https://www.speakev.com/threads/who-wants-to-share-his-her-discover-pro-mib2-vcds-controller-channel-map.22361/page-2#post-1241153
  4. https://rennlist.com/forums/991/1049794-porsche-pcm-upgrade-hack-for-android-auto-is-this-real.html
  5. https://github.com/jilleb/mib2-toolbox
  6. https://github.com/jimmyH/mypois
  7. https://github.com/mcaddy/audipoi
  8. https://turbo-quattro.com/archive/index.php/t-23041.html
  9. https://www.audizine.com/forum/showthread.php/860600-C7-5-2016-A6-(and-others)-CarPlay-Android-Auto-Activation-DIY-Guide
  10. https://cartechnology.co.uk/showthread.php?tid=56065&page=2&fbclid=IwAR1NYi3njsAcjZbXAgBVeB6gRet2VpxQHdusMtOqLtDs6Ev7o0ssbL4L-qQ
  11. https://github.com/unbe/mmi-ifs
  12. https://www.digital-kaos.co.uk/forums/showthread.php/724735-Mib-STD2-PQ-NAV-need-help?p=3506433&viewfull=1#post3506433
  13. https://mhhauto.com/Thread-MIB2-vcrn
  14. https://rennlist.com/forums/991/1049794-porsche-pcm-upgrade-hack-for-android-auto-is-this-real-9.html#post16124795
  15. https://turbo-quattro.com/archive/index.php/t-24737.html
  16. https://github.com/askac/PorschePCMStuff/blob/master/MIB2_FEC_Generator.sh
  17. https://www.digital-eliteboard.com/threads/audi-mmi-mib2-mhi2-firmware-3634-3663-update-und-asi-apple-carplay-android-auto.480571/post-3810164