Rooted Jeep Cherokee '14 uConnect


markkpatel (Member, Apr 20, 2018):
ORP Update
Managed to source an 18.45.01 update ISO for a MY18 TH.
1. DRM.jar - I am now using the DRM.jar from the KIM24 xlets directory, which has DRM exceptions for both ORP and Performance pages! My Performance pages now also work. Woohoo
2. Sensor_properties.json - the json file contains a few new entries for YAW data, Terrain Status LED (1-5, which I assume represents the five different selec-terrain statuses auto/snow/sand/mud/rock), and GlobalDriveModeStatus.
This is where things get super confusing to me. GlobalDriveModeStatus defines itself as an INT data type, with values being 0 or 1. ORP uses GlobalDriveModeStatus and expects the value to be either of {4, 13, 1, 12, 6}. I must be missing something, but I can't seem to work out how the selec-terrain page could possibly work with this sensor mapping. There must be some form of data transformation layer between the received sensor data, and other inputs.

As a test, I reloaded the original ORP app, and updated my own sensor_properties file with all mappings present in the 18.45.01 update. Selec-terrain page doesn't work even though I have defined GlobalDriveModeStatus and all other terrain-related sensor mappings. Changed it back to Mark's version as it overrides the terrain mode status to TerMdStat which is supported for earlier WK2 (MY14-MY16?)

3. Now that I have this ISO, I will commence the grueling task of searching for the holy grail CAN PPS definition for Pitch and Roll degrees. Will update if/when I find something.

Navigation update
I have tried to load the Squithy ROW 2019 and 2016 nav content and licenses, but it always comes back with a prompt for my navigation activation code, despite the fact I already have a VP4 model.
Strangely the 'Original ROW' upload licenses pass the nav activation detection.
Have already switched over the NaviServer2.
I suppose Squithy's license files aren't pre-activated?
Next step will be to pull my finger out and actually buy an iGo license and load the Aus content/license. Will provide an update - but if anyone has encountered the same issue it would be great to get some guidance. Potentially there's something very very obvious that I've missed.
Drive Mode and Drive Mode sub menus are an actual thing, like Terrain Mode Module, that can be selected by alfaOBD. Look at the swf files and you will see many menu screens for Drive Mode stuff. Things like Drive Mode Launch Control etc., but not relevant to most of our cars. Terrain status LED (the LED that lights up when you select AUTO, SAND, MUD etc) is on our cars, but like yaw is not mapped from CAN to PPS files.

The directory list from page 1: https://pastebin.com/BKfSptbH
The IPC stuff looks like it could be relevant.
/dev/ipc/ch2 thru /dev/ipc/ch28
These channels appear to be used to send and maybe receive data.

From boot.sh:
Code:
echo "**********Resetting the hardware********************"
echo -n "\\0021" > /dev/ipc/ch4

Hopefully the CAN to PPS file conversion is not hardcoded in a compiled bin or lib.
 

devmihkel (Member, Apr 10, 2018):
Hopefully the CAN to PPS file conversion is not hardcoded in a compiled bin or lib.
From what I understand from the original (IOActive) research - yes it is hardcoded... in hardware 😇 because Uconnect (QNX) is not directly connected on CAN and PPS messages are proxied by the so-called IOC (V850) chip. And its firmware (cmcioc.bin) has predefined CAN messages and values hard-coded, so you might never see CAN messages and stuff like AlfaOBD does 🤷‍♂️

markkpatel (Member, Apr 20, 2018):
From what I understand from the original (IOActive) research - yes it is hardcoded... in hardware 😇 because Uconnect (QNX) is not directly connected on CAN and PPS messages are proxied by the so-called IOC (V850) chip. And its firmware (cmcioc.bin) has predefined CAN messages and values hard-coded, so you might never see CAN messages and stuff like AlfaOBD does 🤷‍♂️
Page 48 onwards of the original whitepaper hacking report talks about the V850 chip and how to reprogram it from the Uconnect. So in theory it is possible to do, but in practical terms for me it's a HELL NO, it just looks too difficult for me. But I was kind of right about the IPC stuff: it uses /dev/ipc/ch4 to upload the new/modified cmcioc.bin file to the V850 chip from the Uconnect. It also uses other ipc channels to read and write stuff between the V850 and the Uconnect.

From the whitepaper:
The IOC application code is pushed to the V850 from the Uconnect system via the ‘iocupdate’ executable, which can be seen being called from ‘ioc.lua’.
Code:
iocupdate -c 4 -p usr/share/V850/cmcioc.bin


It now looks like the CAN to PPS file conversion is done via the V850 chip.
So good luck to anyone that wants to try to decode and make sense of the cmcioc.bin file(s). ;)

Here's the link to the whitepaper ( autoloads to page 48 )

** Update **
I don't think we need to change the V850 cmcioc.bin file, we can just replace it with a V850 cmcioc.bin file from a newer Uconnect swdl.upd that has the pitch and roll working/showing in the PPS files. The V850 firmware should be similar to the CAN data, i.e. it does not really get updated/changed each year but rather new stuff gets added to it while the existing stuff remains where it is. Therefore new versions will work on older cars.
Example: I can sign on to alfaOBD with my 2015 JGC and override alfaOBD to use the 2021 body computer to correctly make changes to existing stuff on my car, because all the old existing CAN IDs remain the same. They do not move existing stuff in the CAN data, they put new stuff into empty slots.
Uconnect update 18.45.01 is the latest one I have files for and in that update I can see that the V850 chip is the same as the one used on my 2015 Jeep version 16.16.13, so those files should work for me. But I am not sure if that update is too early for the pitch and roll stuff to be working.

*** Another Update ***
In alfaOBD, from Body computer MY2018 thru Body computer MY2021
there is the following option: CBC Features - Pitch and Roll Present
Therefore we need to get a V850 cmcioc.bin file from a swdl.upd that includes MY2018 or later.
Prefer MY2019 onwards, as year 2018 is tricky because there is also a Body computer MY2017-18 that does not have that option present.
 

willzyliu (Member, Aug 23, 2023):
Agree with you both @devmihkel , @markkpatel

Definitely looks like the journey to attaining pitch and roll data is steering us towards the very real possibility of potentially bricking the uConnect via forced firmware update haha.

I, too, found the whitepaper, and have been trying to understand more about how CAN data is logged through to uConnect. Summary ordered by proximity to user:
1. uConnect apps refer to sensor_properties for sensor definitions
2. Sensor_properties refers to logged CAN attributes
3. CAN attributes log through IPC channels
4. The type of CAN attributes that are logged through IPC channels is defined at the firmware level

can_utils in /USR can also retrieve CAN data via IPC, using attributes defined in can_utils_matrix. Not much help if the firmware indeed does not feed the CAN data we're after into the IPC channels for uConnect to utilise.

Looking at the ISOs I have available:
MY14 14.05.03 - cmc v850 app version is 14.2.0
MY14 16.13.13 - cmc v850 app version is 16.01.00
MY15 14.32.3 - cmc v850 app version is 14.28.01
MY13-17 18.45.01 - cmc v850 app version is 17.31.90 **EDIT actually there's a number of versions here - 14.2.0, 17.31.90, 14.15.91, 17.41.81
All processor type = V850ES/FJ3, and all OS name = uC/OS-II, so in theory it would just take a firmware update. The whitepaper does tell us the other .bin files that would be updated outside of cmcioc.bin, as well as the scripts that support the firmware upgrade, and the general process guide for doing so. But certainly still a real risk.


Outside of the pitch/roll discussion, I have updated my kona.jar to the 18.45.01 version, which supports sensor_properties json file instead of xml, so I've loaded the 18.45.01 json file in as well. Obviously no change to the ORP app, however there's some interesting references to a new 'ecoDrive' reports app which there are files present for in the base directory (not KIM directories) of this ISO.
Trying to work out how to get this going currently. I believe the below youtube video demos this functionality.

**EDIT - eco Drive only works for vehicles with OTA/uConnect live. Mine being in Australia, I do not have this so it will not work.
 

GeorgeK91 (New member, Sep 12, 2023):
Hello Gents,

Trying to get ORP for MY14 having 18.45.01 uconnect. I downloaded Mark's files and tried to follow instructions but no success... :(


Could you please write step by step the actions to install ORP ?

I have a backup and I tried to modify existing files and with Mark's files (overwriting some files) and trying to update the system. Also tried to install swdl.iso - no success.
For sure I miss some things but unable to find my mistake, so please if someone can write step by step actions from scratch would be very kind from you.


Best regards,
George
 

willzyliu (Member, Aug 23, 2023):
Hello Gents,

Trying to get ORP for MY14 having 18.45.01 uconnect. I downloaded Mark's files and tried to follow instructions but no success... :(


Could you please write step by step the actions to install ORP ?

I have a backup and I tried to modify existing files and with Mark's files (overwriting some files) and trying to update the system. Also tried to install swdl.iso - no success.
For sure I miss some things but unable to find my mistake, so please if someone can write step by step actions from scratch would be very kind from you.


Best regards,
George
Step 1: Enable apps/Off Road Pages
Ignition on
With your OBD2 scanner and JScan/AlfaOBD app, enable apps and Off Road Pages
Reset radio/power cycle the car
*If the Off Road Pages app appears at this point, DO NOT PROCEED. You don’t need to. Congrats, your uConnect came preloaded with the OffRoad Pages.jar app and you simply needed to enable it via config*
For the rest of us unfortunate souls, keep going.

Step 2: Prepare your USB for executing code/pushing/pulling files
Download https://1drv.ms/f/s!AiQ9OEEV4cpnnmg6Ci79mhciMI_6?e=payavC
Format a USB to FAT32 file system. Make sure USB is greater than 8GB.
Load the files straight onto the USB.
Essentially the script999.lua file will be your script executor.
You can use notepad to edit the file. Notepad++ or VScode would be better.
Familiarise yourself with cp (copy), chmod (permissions), rm (remove) commands and get to understand the file.
Always start the file with #!/usr/bin/lua followed by mount mmc0 and mmc1 read/write. Always end the file with mount mmc0 and mmc1 read only followed by localpopwin.
Everything in between is your playground.
Any time you load this usb, it will always execute the code you’ve put within script999.lua
To execute script via USB to uConnect:
1. Ignition to On. Wait for uConnect to spin up
2. Insert USB
3. Wait
4. Once finished executing, a prompt will come up asking if you want to upgrade to v14.05 SELECT NO
5. Eject USB. You’re done

Step 3: Backup files.
Modify script999 to copy files from /fs/mmc1 to your usb
Execute to uConnect
Save this backup on your computer somewhere safe

Step 4: Load Off Road Pages app
Download Mark's files from https://1drv.ms/f/s!AiQ9OEEV4cpnmQWPFYob8QEEI1f7?e=14gnFL
Use either the modified or non modified f1de6bac-9876-3250-8dc2-c729b755a600 folder.
The modified version hard codes your terrain status to Rock, in case your app doesn’t receive terrain status data (rock, auto, sand, etc).
Off-road config file simply enables pitch and roll page within the app.
COPY the following to the USB
1. f1de6bac-9876-3250-8dc2-c729b755a600 Folder
2. Offroad_config file
Update your script:
1. Copy the f1de6bac-9876-3250-8dc2-c729b755a600 folder to /fs/mmc1/xletsdir/xlets folder and /fs/mmc1/kona/preload/xlets/
2. Copy the OffRoad_config file to /fs/etfs folder.
3. Also put the command os.execute("touch /fs/etfs/disableDRM"). This creates an empty file at /fs/etfs/disableDRM; this is to stop the app subscription expired message coming up
Execute to uConnect
Reset radio/power cycle car.
Congrats you now should see the Off Road Pages app
Try running the app. If it runs all good - congratulations!
You may notice that the pitch/roll page doesn’t work. A few of us are still searching for the answer. Join us.
If the app launch comes up with “No Active Subscription” error, proceed to step 5

Step 5: Override Active Subscription check
From above, there is a DRM.jar file. This file is responsible for setting app level exemptions from the uConnect app subscriptions check.
The DRM.jar file inside the og version1.7.1 folder is the one that has an exemption for Off Road Pages.
N.B this file doesn’t have exemption for SRT performance pages, so you will lose that app functionality if you had it before. If anyone has a DRM.jar that has both app exemptions within, please share it!
Copy DRM.jar to USB
Modify usb with:
os.execute("cp -R /fs/usb0/DRM.jar /fs/mmc1/kona/preload/DRM.jar")
Set permissions to the file to 755 via chmod command
Execute to uConnect
Reset radio/power cycle car
You should now have working Off Road Pages
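Step 3 above says to keep the /fs/mmc1 backup somewhere safe. The script below is an added example, not part of this thread and not one of Mark's or willzyliu's files: it builds a SHA-256 manifest of a backup directory and diffs two manifests, so that after a later step (the DRM.jar copy in Step 5, for instance) you can see exactly which files on the unit changed and which backup copy to restore from. The directory names and file contents in the demo are constructed; the only assumption is that the backup lives as an ordinary directory tree on your PC.

```python
"""Hash-manifest tool for a head-unit backup (added example, not from the thread)."""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large ISOs/jars do not need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():  # symlinks are recorded by their target on the unit, skip here
                continue
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(before: dict, after: dict) -> dict:
    """Report files that appeared, disappeared, or whose hash changed between two manifests."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Simulate a backup taken before and after the DRM.jar swap (constructed sample trees)."""
    with tempfile.TemporaryDirectory() as tmp:
        before = Path(tmp) / "mmc1_before"
        after = Path(tmp) / "mmc1_after"
        for root in (before, after):
            (root / "kona/preload/xlets").mkdir(parents=True)
            (root / "kona/preload/DRM.jar").write_bytes(b"original DRM.jar (constructed)")
            (root / "kona/preload/xlets/keep.jar").write_bytes(b"unchanged xlet (constructed)")
        # the "after" tree has a replaced DRM.jar and a newly copied xlet folder
        (after / "kona/preload/DRM.jar").write_bytes(b"replacement DRM.jar (constructed)")
        (after / "xletsdir/xlets").mkdir(parents=True)
        (after / "xletsdir/xlets/orp.jar").write_bytes(b"Off Road Pages xlet (constructed)")
        return diff_manifests(build_manifest(before), build_manifest(after))


def main(argv: list) -> None:
    # usage: build <backup_dir> <out.json>   |   diff <before.json> <after.json>   |   (no args) run demo
    if len(argv) == 4 and argv[1] == "build":
        save_manifest(build_manifest(Path(argv[2])), Path(argv[3]))
    elif len(argv) == 4 and argv[1] == "diff":
        print(json.dumps(diff_manifests(load_manifest(Path(argv[2])), load_manifest(Path(argv[3]))), indent=2))
    else:
        print(json.dumps(demo(), indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run `build` once right after Step 3 and again after each later step; a `diff` of the two JSON files then lists only the paths the step touched, which is also the list you need if you have to copy the originals back from the USB stick.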
 

markkpatel (Member, Apr 20, 2018):
Hello Gents,

Trying to get ORP for MY14 having 18.45.01 uconnect. I downloaded Mark's files and tried to follow instructions but no success... :(


Could you please write step by step the actions to install ORP ?

I have a backup and I tried to modify existing files and with Mark's files (overwriting some files) and trying to update the system. Also tried to install swdl.iso - no success.
For sure I miss some things but unable to find my mistake, so please if someone can write step by step actions from scratch would be very kind from you.


Best regards,
George
Sorry it will not work with version 18.45.01
swdl.iso does not work on your version
The iso hacking only works up to a certain version number.

Version 18.45.01 update installs the Off Road Pages app depending on your ECU number, but you may also need to activate it using an OBD2 scanner app such as AlfaOBD.
Using AlfaOBD: Body computer > Car configuration change > VehConfig 5-Off-Road Pages Present

To see which KIM package apps were installed for your Uconnect 18.45.01 (based on your ECU number) look at file:
swdl.upd > secondary.iso > usr > share > XLETS > kim_packages > kim_pkg_map.lua
Get the KIM file number based on your ECU number, then check if the ORP app is in that KIM file.
The selected KIM file contains the apps that the update will load onto your Uconnect.
 

GeorgeK91 (New member, Sep 12, 2023):
Many thanks, Gentlemen, @willzyliu, markkpatel for your updates.

So, I believe I can get the app.
I checked and my car's ECU is managed by the kim19 folder - there is no ORP included.
What I need to do is to include in my kim19 folder the ORP subfolder with related components.
Should be done through lua file? still not clear but will try to find the solution.

I will keep you posted.


Best regards,
George
 

congar58 (Member, Aug 10, 2023):
I think you are absolutely good to go and try jailbreaking 16.x version; the following based on 16.33.29:
- the "commercial" Install-One-Jailbreaker- images use manifest.lua to inject/execute any script right before Do you want to upgrade prompt
- you just answer No to the upgrade prompt, because by that time you have already gained root access and job done
- boot.sh cannot be modified on 16.x (read only fs), but you can do pretty cool and early execution from inside other scripts called from boot.sh at startup. E.g. enum_devices.lua gets fired on time for some neat "overlay" links, say
Code:
os.execute("ln -sP /fs/mmc0/nav/bak/custom/NaviServer /bin/NaviServer")
- the jailbreak works perfectly using a new modified 17.x installation ISO on a 16.x system (the explanation being that you first need to bypass the "on-system"/head unit ISO check and then you skip the "on-iso" UPD integrity check, and this still works fine as confirmed on an 8.4 system using 16.33.x and 17.11.x here previously - newer versions than these listed for 6.5 uconnect above...). So I think you have pretty good 50:60 chances of gaining root access by staying on the 16.x version and using 17.x to break your way in. PS if you manage to get wifi on, you can tinker with the QNX firewall and sshd_config to use your own keys for ssh (so you don't care about the root password, really ;)
Nice Idea,

what if I say "lua -s /fs/usb0/script.lua" instead of your "ln -sP /fs/mmc0/nav/bak/custom/NaviServer /bin/NaviServer" ?
Would it execute this command before it checks the checksum of iso or upd file ?
My current uConnect Version is 17.09.*. For me that means I can only use the new iso files called .upd files.
And I couldn't find any solutions for this file to start a script on usb.
Could you or anyone help me for this?
 

markkpatel (Member, Apr 20, 2018):
And now for something completely (slightly) different.
FRONT CAMERA (cargo cam) Install:
Why: Because I can, also the car washes in the UK are much narrower than in the USA so hopefully will mean I do not have to get out of the car to check my wheel placement when using a car wash in the UK.

A: You will need this https://www.zautomotive.com/product/z_vid/ (female RCA video cable with correct terminal pins). Note: postage to the UK is 82 dollars (they do not ask or tell you this beforehand). Or save money and make your own cable - the correct terminal pins link is below.
B: You will need a camera kit. My Uconnect is 480i only. https://www.amazon.co.uk/dp/B0BZTX3XV7 (It is my understanding that using 720p will not work on my Uconnect, so be careful with camera settings)
C: I used a micro 2 fuse tap to provide power to the camera from the engine fuse box. https://www.amazon.co.uk/dp/B09VYQGPZZ
D: You will need plastic trim removal tools (These are a must, bigger sturdy ones are best)

1. Remove the Uconnect bezel. Open lower door (not part of bezel). pull bottom of bezel (not door) until clips release. 1/4 to 1/2 inch gap only. Work your way around with trim removal tool. Do top last. All clips must be released. Disconnect wire harness and set aside bezel. Use brute force at your own risk, safer to use the trim tool to release all clips.
2. Undo the four 7mm bolts to release the Uconnect radio. Do not drop the bolts. Store bolts in cup holder.
3. Put microfibre cloth on lower door to prevent scratches. Pull out radio, so you can see cables. Take photo (not really necessary, as cables are colour coded).
4. Release cables, push flat tab down and pull cable connector out (can use screw driver to push tab down)
5. Release the 52 pin harness (pull the locking handle up first (push in then pull up) [see big yellow arrow in photos] ), Photo of released 52 pin connector is with locking handle removed for easier access to pin holes, The locking handle can go on either way round, Set the Uconnect aside on a towel.
6. Use a thin but wide flathead screw driver to loosen the red locking plate from the 52 pin connector. Start at center of short sides and work all way round. Do not need to completely remove it from connector. (1/2 inch should do)
7. Install the female RCA video cable. Black into pin 25 first then Yellow into pin 24. The pins must go in the correct way. The flat side (uncrimped side) goes in along the center ridge (see picture with big red arrows). Push in until you hear a click. I used a pin removal tool to push down on the pin from the top. These pins are very small (less than 1.5mm). This is the most important part to get right, so do not rush this step. I used needle nose pliers to hold the wire to correctly guide the pin into the right hole. Push the red locking plate back into place.
8. Use electrical tape to tape the RCA video cable to the main wire bundle. (prevents it from being pulled)
9. Connect the camera male connector to the female RCA connector. Use electrical tape to tape the camera cable to the main wire bundle.
10. Feed the camera cable to the passenger side and pull cable through into footwell.
11. Reinstall Uconnect. When reinstalling 52 pin connector make sure locking handle is up for easy install.
12. Use alfaOBD to select "VehConfig 1-CHMSL Camera" present. (This step can be done before)
13. Lucky 13 - Before routing cable to engine bay, test that your CargoCam setup actually works. Connect camera and temp power source. Also check everything else works (did you forget to reattach a cable to the Uconnect).
14. If all is good. Route camera cable to engine bay via passenger side grommet, then cross over to driver/fusebox side in engine bay. On my 2015 JGC Summit all grommets are already fully used. Remove footwell side plastic trim then remove soft trim below glove box, you should now have access to firewall grommet.
15. Install front camera and route wire as close to fusebox as it will go. The front grill holes are large so I used M8 x 30mm stainless steel washers, https://www.amazon.co.uk/dp/B0BJZ2W6CH
16. Route and connect initial cable to front camera cable near fusebox.
17. Drill hole in back of fusebox, install rubber grommet (this is for the camera power wire)
18. Install micro 2 fuse tap with 5amp fuse (I used fuse F40 -Daytime running lights), connect positive wire to fuse tap.
19. Connect negative wire (My car had a bolt near the fusebox)
20. Test and Adjust your camera position. (still need to adjust camera on mine)
21. Reinstall the Uconnect bezel, remember to reconnect the wire harness first.

All done.

The CargoCam screen has 2 icons on the left top of the screen, these select CargoCam (front camera) or standard reverse camera.
Also when you engage reverse gear the standard reverse camera comes on, but also has 2 icons so you can select CargoCam while reversing.
CargoCam will stay on until you reach a speed of 10 mph.

You can also add a camera on pins 21/22. On alfaOBD select "ECUConfig 3-DTV front camera" or "ECUConfig 3-DTV side camera". In addition to the CargoCam icon you will also see an additional normal camera icon. However, I do not know how the DTV camera behaves (i.e. does it stay on while driving?)

It is relatively easy to identify the required pin holes since pin holes 21 thru 26 are empty (no wires in them)

SAVE MONEY make your own cable, this is the correct terminal pin:
UK: https://www.digikey.co.uk/en/products/detail/te-connectivity-amp-connectors/638551-3/10478563
USA: https://www.digikey.com/en/products/detail/te-connectivity-amp-connectors/638551-3/10478563
( Multiple countries - Select USA link on this page then Press on flag to select your country - then Select USA link on this page again )

 

Attachments (photos referenced in the steps above): 20230922_115723.jpg, 20230922_115804.jpg, 20230922_115856.jpg, 20230922_120850.jpg, 20230922_121500.jpg, abcd.png, 20230930_105306.jpg, 20230930_105333.jpg, 20230930_105126.jpg, 20230930_105145.jpg, 20230930_105444.jpg, 20230930_105455.jpg, 20230930_105521.jpg, 20230922_121054.jpg, connector.jpg

markkpatel (Member, Apr 20, 2018):
Would like to hack the SWDL.UPD version so it will bypass the ISO integrity checks (equivalent of entering "S" on the swdl.iso versions).
To do this we need to turn on the so-called manufacturer's mode (UPD versions only).
Turning on manufacturer's mode will create a file /dev/fram/mfg on the Uconnect with contents MS.
When the update is run, the isochk.lua code already on the Uconnect (UPD versions) will bypass the ISO integrity check if the file /dev/fram/mfg exists and contains MS.

I am assuming it is possible to turn on the manufacturer's mode using the knobs/buttons under the Uconnect screen.
Can anyone with a Uconnect 8.4 screen already using the UPD version please try different combinations of these knobs/buttons (press for 5 seconds) and report any new findings.
Here is what I found so far:

"Volume Mute" + "Browse/Enter" = Reboots Uconnect
"Left Temp Up" + "Left Temp Down" = Engineering Menu
"Left Temp Up" + "Left Temp Down" + "Front Defrost" = Dealer Menu
"Left Temp Up" + "Left Temp Down" + "Rear Defrost" = ScreenShot to USB
"Left Temp Up" + "Left Temp Down" + "Browse/Enter" = Screen Calibration
"Hazard Warning Lights ON" then press "Steering Wheel Up Arrow" for 5 secs = toggle Shipping Mode / Customer Mode (EVIC not Uconnect)

* Update *
Could be a combination of buttons on the steering wheel - but only buttons that are present in all/most Jeep Cherokee vehicles. Front: 4 arrow and OK buttons; back: 6 radio buttons.
 

labidas (New member, Apr 13, 2024):
Hi! For the fun of it, I'm trying to update navigation maps on 8.4 17.46.01 MY14 EU using the ones found here: https://xdaforums.com/t/uconnect-6-5-alfa-fiat-root-access.3828426/post-89297987

I have gone through both of these threads a couple of times but I'm still unsure and could use some help for clarification here:

1. I tried the 18.45.01 MY13-MY17 update, but the uConnect rejected it because of the market difference. Is it possible to hex edit the NA UPD to at least run the map update script.lua on a EU uConnect?
2. If that doesn't work - is the only way to run that map update script.lua off a USB stick with the exact same hex edited EU 17.46.01 UPD? I actually managed to find one, but it is twice as large.
3. Has anyone yet edited UPD successfully - to run a custom .lua off the USB at least?
 

Top Liked Posts

    DISCLAIMER:
    Doing anything i describe in this thread is at YOUR OWN RISK, if your Jeep suddenly dies on the highway im not responsible, but if your jeep magically gets 200 MPG or limitless fuel i take full credit :)

    So studying the white paper from those security researchers that hacked the jeep over the sprint network and about a half a days worth of tinkering with the uconnect iso update file, i was finally able to get it to take the modifications, changing root password and editing boot script to run commands from script on USB flash drive, but now I'm at a loss not really sure what to do now.
    I just finished dumping the entire file system to the flash drive for analysis but other than that I don't know, I'm not familiar at all with qnx or even any embedded Linux for that matter so I'm just posting here to see what you guys can come up with.

    One goal of mine is to bring up the hotspot manually without having to pay for it so I can establish a proper ssh terminal, but im dreaming of either running android over top of the jeeps interface or replacing it entirely (maybe someday)

    Here's the link to the whitepaper
    ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf

    Ok so I decided to do a quick run down of what I did.

    First, using a hex editor on the 14.05.03 iso update file, at offset 0x80 insert an 'S' (0x53). On 14.05.03 ONLY this will bypass the initial ISO integrity check; on anything later, the white paper describes a way to 'trick' the check. It involves 2 USBs, one with a modified ISO and one with a legit ISO. I have never done it this way, but I will describe it anyway: insert the USB with the legit ISO, click yes on the pop-up, and when the screen turns completely off immediately remove the USB and insert the one with the modified ISO.

    9jf8n9o.png


    Second i changed the root password at offset 0x5dd34b4 to 8CNGLiYvSaCbg which is "root"

    Rwq3RCQ.png


    And lastly I inserted the code that will run scripts contained in 'cmds.sh' located on a USB flash drive. Now this is tricky; originally there's this line:
    "# Start Image Rot Fixer, currently started with high verbosity"
    make it look like this before you insert the line of code:
    "######rently started with high verbosity"
    now after the "-d -p 2000 .." insert "sh /fs/usb0/cmds.sh &" and make sure that after the '&' and before the first '#' there is a line termination hex code 0x0a

    LwjQ109.png


    And that's it, type up a script called 'cmds.sh' and put it on a FAT32 formatted flash drive and you're good to go

    The directory list:
    pastebin.com/BKfSptbH

    and a list of available commands
    pastebin.com/jLTaEEge
    Would it be a good idea to upload the actual dump from the file system?

    for ****s and giggles, live long and prosper:
    11951258_10206545819517048_5296661244309759410_n.jpg


    Last thing, most of the credit goes to Chris Valasek and Chris Miller the security researchers that paved the way and published the white paper, i just studied it and put the actual rooting process in an easier format.
    Sounds exciting Leighm0 ! Any chance you could draft a step by step 'how to' for someone like me, who is a little tech savvy but not smart enough to figure out how to do this himself?

    Sorry - have been away / busy with work... only just remembered about this thread. I have written some very basic instructions below; you will need to work out the rest / where to get the files from properly, etc. And as always, do this at your own risk: if you don't know what you're doing and end up missing files or bricking your car's radio, then it's your own fault (dealer won't help ya out of this mess)... however on this note - if you do get in a sticky situation I have found it's not very hard to reset and start over with fresh firmware. I created a self-updating FW iso by modifying an older ISO which can be patched to auto-start on USB plugin.

    You will need to patch the files based on your given Firmware Level and Model Year / uConnect type... for example FW 15.26.1 MY14 RJ3/RJ4 files differ to FW 16.13.13 MY15 RJ3/RJ4, etc.

    You will also need to buy an iGO map license (~$30AU on Android for Australia - other locations cost more) and grab the files (.lyc) and the map files (requires rooted Android to access the license file, the rest are in the SDCard storage).

    Put the following files onto a USB in the root directory:
    - A patched swdl.iso modified to run "script.lua" instead of the upgrades
    - A patched NaviServer file enabled to allow ANY device License for iGO navigation map licenses. I call mine NaviServer2 so it doesn't conflict with the onboard one. You will need to grab this file off the uconnect from the /bin dir and then patch it using IDA Pro.
    - A copy of the nav.sh and navRestart.sh files from the uconnect /fs/mmc0/app/bin folder (or from the Firmware Update DVD iso file), modified to run NaviServer2 command instead of NaviServer - i.e. patched naviserver, with unlocked device licensing.
    - A RABCDAsm modified main.swf to "Push True" for SRT and Navigation options (if you want SRT backgrounds and startup logos/app logo, and if you don't have Navigation enabled by default i.e. Jeep Laredo model).
    - The map files into a folder called "content", with all your map files (3dc, 3dl, fbl, fda, fjw, fpa, fsp, ftr, hnr, ph, poi, spc), they need to sit in the correct subfolders based on iGO map file locations. (see screenshots)
    - For activating the SRT Apps, patch the xlet files to allow them to run without "conditions" in the xlet_properties files, stick them into a "xlets" directory on usb stick.
    - script.lua LUA script (contents shown below)

    script.lua contains following content, note: I am using Australia maps, obviously you need to change it for your own maps, and also for your own NaviServer file (if you want to call it different).

    NOTE: If you don't want to modify your XLETs (apps) or are unsure, then remove the lines about xlets below in the script.
    Code:
    #!/usr/bin/lua
    local os            = os
    -- copy patched main.swf, nav.sh, navRestart.sh, NaviServer2
    os.execute("cp -f /fs/usb0/main.swf /fs/mmc0/app/share/hmi")
    os.execute("cp -f /fs/usb0/nav.sh /fs/mmc0/app/bin")
    os.execute("cp -f /fs/usb0/NaviServer2 /fs/mmc0/app/bin")
    os.execute("cp -f /fs/usb0/navRestart.sh /fs/mmc0/app/bin")
    -- remove old maps, copy new map files from usb0 content folder
    os.execute("rm -rf /fs/mmc0/nav/NNG/content/building/Australia*")
    os.execute("rm -rf /fs/mmc0/nav/NNG/content/map/Australia*")
    os.execute("rm -rf /fs/mmc0/nav/NNG/content/phoneme/Australia.ph*")
    os.execute("rm -rf /fs/mmc0/nav/NNG/content/poi/Australia*")
    os.execute("rm -rf /fs/mmc0/nav/NNG/content/speedcam/Australia*")
    os.execute("cp -rf /fs/usb0/content /fs/mmc0/nav/NNG")
    -- copy map license files
    os.execute("cp -f /fs/usb0/*.lyc /fs/mmc0/nav/NNG/license")
    -- !!!!! remove old XLETS and copy patched xlets to mmc1  ( OPTIONAL : Remove the following 5 LINES if you dont have modified XLETS to copy over ) !!!!!
    os.execute("mount -uw /fs/mmc1/")
    os.execute("rm -rf /fs/mmc1/kona/preload/xlets/*")
    os.execute("rm -rf /fs/mmc1/xletsdir/xlets/*")
    os.execute("cp -rf /fs/usb0/xlets/* /fs/mmc1/kona/preload/xlets")
    os.execute("cp -rf /fs/usb0/xlets/* /fs/mmc1/xletsdir/xlets")
    -- change permissions for new files copied
    os.execute("chmod 555 /fs/mmc0/app/share/hmi/main.swf")
    os.execute("chmod 755 /fs/mmc0/app/bin/nav.sh")
    os.execute("chmod 755 /fs/mmc0/app/bin/NaviServer2")
    os.execute("chmod 755 /fs/mmc0/app/bin/navRestart.sh")
    os.execute("chmod 555 /fs/mmc0/nav/NNG/content/building/Australia*")
    os.execute("chmod 555 /fs/mmc0/nav/NNG/content/map/Australia*")
    os.execute("chmod 555 /fs/mmc0/nav/NNG/content/phoneme/Australia*")
    os.execute("chmod 555 /fs/mmc0/nav/NNG/content/poi/Australia*")
    os.execute("chmod 555 /fs/mmc0/nav/NNG/content/speedcam/Australia*")
    os.execute("chmod 555 /fs/mmc0/nav/NNG/license/*.lyc")
    os.execute("chmod 555 -R /fs/mmc1/kona/preload/xlets")
    os.execute("chmod 555 -R /fs/mmc1/xletsdir/xlets")
    -- remount mmc0/1 as read-only mode
    os.execute("mount -ur /fs/mmc1/")
    os.execute("mount -ur /fs/mmc0/")
    -- stop mmc mount and end script
    -- NOTE: 'mountpath' is not defined in this script; it is assumed to be a global
    -- provided by the swdl update environment that launches script.lua
    os.execute(mountpath.."/usr/share/scripts/mmc.sh stop")

    Screenshot of the full USB folder/file tree once prepared:
    - Highlighted Yellow files have been modified from Originals.
    - Highlighted Green files are completely new files replacing Originals if exist.
    - Highlighted Blue file is custom LUA script file for above code content.
    - Non-Highlighted files are untouched Originals.

    Screenshot by Lightshot

    And here is what it looks like on the actual USB stick in Explorer:

    Screenshot by Lightshot
    3
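An added pre-flight check for the USB tree described in the post above (example code, not the poster's own script), meant to run on the PC before the stick goes anywhere near the radio: it assumes the file names the post lists, reads every /fs/usb0/ path out of script.lua and reports anything the script would try to copy that is not actually on the stick, so a missing file is caught before the updater runs.

```shell
# check_usb_root DIR  -> returns 0 when the USB tree looks complete, 1 otherwise.
# File names follow the post above; the content/ subfolders are the iGO ones
# that script.lua copies and chmods.
check_usb_root() {
    root="$1"
    rc=0
    # 1. Files the post puts in the USB root.
    for f in swdl.iso script.lua main.swf nav.sh navRestart.sh NaviServer2; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: $f"; rc=1
        fi
    done
    # 2. Every /fs/usb0/<path> that script.lua references must exist on the stick.
    #    Globs such as *.lyc and xlets/* are expanded relative to the USB root,
    #    so an unexpanded glob means nothing matched.
    if [ -f "$root/script.lua" ]; then
        for p in $(grep -o '/fs/usb0/[^" ]*' "$root/script.lua" | sed 's#^/fs/usb0/##' | sort -u); do
            set -- "$root"/$p
            if [ ! -e "$1" ]; then
                echo "script.lua references /fs/usb0/$p but it is not on the USB"; rc=1
            fi
        done
    fi
    # 3. iGO map subfolders under content/ used by the copy/chmod lines.
    for d in building map phoneme poi speedcam; do
        if [ ! -d "$root/content/$d" ]; then
            echo "missing map folder: content/$d"; rc=1
        fi
    done
    # 4. The nav scripts being copied must launch the patched NaviServer2,
    #    otherwise the stock NaviServer is started and the new licenses are useless.
    for s in nav.sh navRestart.sh; do
        if [ -f "$root/$s" ] && ! grep -q 'NaviServer2' "$root/$s"; then
            echo "$s does not reference NaviServer2"; rc=1
        fi
    done
    return $rc
}
```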
    Just adding a DisableDRM file does not actually enable the Wifi App, you need to enable it first - this is just to bypass DRM checks... which are only valid on older firmware nowadays.. you will need to hack SWF files to ignore DRM checks nowadays.

    ---------- Post added at 02:07 PM ---------- Previous post was at 02:06 PM ----------

    YES many thanks Leighm0, the Wifi button is active! :eek:
    But... which swf needs to be changed to disable the DRM?

    Edit:
    Now I have the wifi button, but no GPS signal!
    I changed my original /dev/fram/productid "VP4_EU_MY14_REVA_N_D_N" to "VP4_EU_MY14_REVA_E_D_N". After the change, no GPS signal.
    It's not an easy job.

    Here are my hacks, I can't remember which one got the Ecell GPS disabled (to use the normal GPS.. possibly the last one lol). These need to be executed when the car is running, which I do from booter.lua which gets called from a modified media.sh on bootup. I believe I also use flexgps_ndr.sh to allow GPS.. can't recall what I modified in the file, don't have the original on hand to compare.
    Code:
    -- Lua fragment run from booter.lua at boot: each line creates an empty flag file
    -- that the head unit's software checks for at startup
    os.execute("touch /fs/etfs/DISABLE_SPEED_LOCKOUT")
    os.execute("touch /fs/etfs/NAV_SECRETS")
    os.execute("touch /fs/etfs/enableEngMenu")
    os.execute("touch /fs/etfs/enableDlrMenu")
    os.execute("touch /fs/etfs/enableDealerMenu")
    os.execute("touch /fs/etfs/disableDRM")
    os.execute("touch /fs/etfs/disable_DRM")
    os.execute("touch /fs/etfs/disable_SpeedLockout")
    os.execute("touch /fs/etfs/useWLAN4QXDM")
    os.execute("touch /tmp/networkingpossible")
    os.execute("touch /tmp/ECELL_GPS_DISABLED")

    Here is a link to all the files I've modified and uploaded to my head unit, they are for a v16.13.13 MY14 car, suggest you either use them on the exact same firmware version, or decompile and compare to your firmware's SWF files and modify on your specific firmware.

    https://mega.nz/#!9gkQhTiR!6anymlEx7ik2zl-Df_Rg3_ls70PgxQOy2JjpDodcBJk

    I've also included all my hacked .sh and .lua files I run on the unit, and a "script.lua" which I use on the firmware update hack to push files to and from the unit, I have commented out all the commands - I usually just uncomment the ones I need to run off the usb upgrade, then go put it in my car and run it..

    Enjoy.

    ---------- Post added at 07:04 AM ---------- Previous post was at 07:03 AM ----------

    Hi Leighm0, absolutely interested to check some of these links of yours, if it would be possible to try out ready-made NaviServer2 binary for testing. Have you managed to try this combination (custom binary + fresh iGo maps) on 16.x software version as well?

    The attached file above should help you out. Yes I run 2017 iGO maps with a valid license on my car.. just need to get the license and map files..
    3
    And now for something completely (slightly) different.
    FRONT CAMERA (cargo cam) Install:
    Why: Because I can, also the car washes in the UK are much narrower than in the USA so hopefully will mean I do not have to get out of the car to check my wheel placement when using a car wash in the UK.

    A: You will need this https://www.zautomotive.com/product/z_vid/ (female RCA video cable with correct terminal pins) Note: postage to the UK is 82 dollars (they do not ask or tell you this beforehand). Or save money and make your own cable - correct terminal pins link is below.
    B: You will need a camera kit. My Uconnect is 480i only. https://www.amazon.co.uk/dp/B0BZTX3XV7 (It is my understanding that using 720p will not work on my Uconnect, so be careful with camera settings)
    C: I used a micro 2 fuse tap to provide power to the camera from the engine fuse box. https://www.amazon.co.uk/dp/B09VYQGPZZ
    D: You will need plastic trim removal tools (These are a must, bigger sturdy ones are best)

    1. Remove the Uconnect bezel. Open lower door (not part of bezel). pull bottom of bezel (not door) until clips release. 1/4 to 1/2 inch gap only. Work your way around with trim removal tool. Do top last. All clips must be released. Disconnect wire harness and set aside bezel. Use brute force at your own risk, safer to use the trim tool to release all clips.
    2. Undo the four 7mm bolts to release the Uconnect radio. Do not drop the bolts. Store bolts in cup holder.
    3. Put microfibre cloth on lower door to prevent scratches. Pull out radio, so you can see cables. Take photo (not really necessary, as cables are colour coded).
    4. Release cables, push flat tab down and pull cable connector out (can use screw driver to push tab down)
    5. Release the 52 pin harness (pull the locking handle up first (push in then pull up) [see big yellow arrow in photos] ), Photo of released 52 pin connector is with locking handle removed for easier access to pin holes, The locking handle can go on either way round, Set the Uconnect aside on a towel.
    6. Use a thin but wide flathead screw driver to loosen the red locking plate from the 52 pin connector. Start at center of short sides and work all way round. Do not need to completely remove it from connector. (1/2 inch should do)
    7. Install the female RCA video cable. Black into pin 25 first then Yellow into pin 24. The pins must go in the correct way. The flat side (uncrimped side) goes in along the center ridge (see picture with big red arrows). Push in until you hear a click. I used a pin removal tool to push down on the pin from the top. These pins are very small (less than 1.5mm). This is the most important part to get right, so do not rush this step. I used needle nose pliers to hold the wire to correctly guide the pin into the right hole. Push the red locking plate back into place.
    8. Use electrical tape to tape the RCA video cable to the main wire bundle. (prevents it from being pulled)
    9. Connect the camera male connector to the female RCA connector. Use electrical tape to tape the camera cable to the main wire bundle.
    10. Feed the camera cable to the passenger side and pull cable through into footwell.
    11. Reinstall Uconnect. When reinstalling 52 pin connector make sure locking handle is up for easy install.
    12. Use alfaOBD to select "VehConfig 1-CHMSL Camera" present. (This step can be done before)
    13. Lucky 13 - Before routing cable to engine bay, test that your CargoCam setup actually works. Connect camera and temp power source. Also check everything else works (did you forget to reattach a cable to the Uconnect).
    14. If all is good. Route camera cable to engine bay via passenger side grommet, then cross over to driver/fusebox side in engine bay. On my 2015 JGC Summit all grommets are already fully used. Remove footwell side plastic trim then remove soft trim below glove box, you should now have access to firewall grommet.
    15. Install front camera and route wire as close to fusebox as it will go. The front grill holes are large so I used M8 x 30mm stainless steel washers, https://www.amazon.co.uk/dp/B0BJZ2W6CH
    16. Route and connect initial cable to front camera cable near fusebox.
    17. Drill hole in back of fusebox, install rubber grommet (this is for the camera power wire)
    18. Install micro 2 fuse tap with 5amp fuse (I used fuse F40 -Daytime running lights), connect positive wire to fuse tap.
    19. Connect negative wire (My car had a bolt near the fusebox)
    20. Test and Adjust your camera position. (still need to adjust camera on mine)
    21. Reinstall the Uconnect bezel, remember to reconnect the wire harness first.

    All done.

    The CargoCam screen has 2 icons on the left top of the screen, these select CargoCam (front camera) or standard reverse camera.
    Also when you engage reverse gear the standard reverse camera comes on, but also has 2 icons so you can select CargoCam while reversing.
    CargoCam will stay on until you reach a speed of 10 mph.

    You can also add a camera on pins 21/22. On alfaOBD select "ECUConfig 3-DTV front camera" or "ECUConfig 3-DTV side camera". In addition to the CargoCam icon you will also see an additional normal camera icon. However, I do not know how the DTV camera behaves (i.e. does it stay on while driving?)

    It is relatively easy to identify the required pin holes since pin holes 21 thru 26 are empty (no wires in them)

    SAVE MONEY make your own cable, this is the correct terminal pin:
    UK: https://www.digikey.co.uk/en/products/detail/te-connectivity-amp-connectors/638551-3/10478563
    USA: https://www.digikey.com/en/products/detail/te-connectivity-amp-connectors/638551-3/10478563
    ( Multiple countries - Select USA link on this page then Press on flag to select your country - then Select USA link on this page again )

    2
    Huh, I thought there would be more interest? I mean this could be the key to getting rid of the crappy uconnect software and running Android.
    Android has already been made to run on the same SoC TI DM3730 here http://elinux.org/Android_on_OMAP