success to hack Technisat MIB2 infotainment system

Search This thread

Amarton

Member
Dec 29, 2011
11
0
Hi I have some questions for clerifying the process:
For ZR unit with one SD-card socket:
- there is only one solution, need to read out the emmc IC via SD-card reader.
- online aprovel method is not working because nobody could rewrite CPU to CPUPLUS in metadata.
I am right?

Questions about reading emmc:
- VSS means GND or not?
- 3V and GND come from extarnal source not for SD-CARD reader supply?
- During this process need to power the all unit or not?
 

wlado93

Senior Member
Jul 18, 2010
176
100
@Amarton
- Yes, PLUS unit (without navi) could be done only by connecting EMMC to PC.
- It's not difficult to modify the approval script to work on plus unit (I did one), but after modifying metainfo signature won't be valid, and this is the hard part, create generic signature. So for using modified approval SD script you need to patch swdownload. But to patch swdownload you need to connect emmc to PC. For the first patch you need to have emmc connected to PC, after the 1st patch you can use modified SD approval, telnet, serial (depending on what everything you'll patch).

- on ZR pinout VSS mean +3.3V (VDD), someone who made pinout picture did mistake, because VSS is GND on SD pinout.
- you can use power from SD reader or external
- you cannot power unit during process, connecting emmc to PC is like you connect USB thumb drive
 

Amarton

Member
Dec 29, 2011
11
0
@Amarton
- Yes, PLUS unit (without navi) could be done only by connecting EMMC to PC.
- It's not difficult to modify the approval script to work on plus unit (I did one), but after modifying metainfo signature won't be valid, and this is the hard part, create generic signature. So for using modified approval SD script you need to patch swdownload. But to patch swdownload you need to connect emmc to PC. For the first patch you need to have emmc connected to PC, after the 1st patch you can use modified SD approval, telnet, serial (depending on what everything you'll patch).

- on ZR pinout VSS mean +3.3V (VDD), someone who made pinout picture did mistake, because VSS is GND on SD pinout.
- you can use power from SD reader or external
- you cannot power unit during process, connecting emmc to PC is like you connect USB thumb drive
So I can use from SDCARD reader this pins:
- CLK
- CMD
- DAT0-3
- VSS to GND
- VDD to 3.3V
In the ZR PCB I tie the VSS to 3.3V, becasue the pinout label is wrong, i am right?
 

czr_gabriel

New member
Jan 28, 2021
2
0
Hi,

This might be a really dumb question, but i'll ask anyway.

I have bought a MIB2 Technisat unit with CP hacked, so from what I've been told it will be plug and play to any car. ( 5QA035858A )

Is there any way of 'cloning' this unit (i.e. purchase another unit, and transfer all data from this hacked unit to that unit) so that I then have 2 'plug and play' units?

I presume it's not as simple as that, but I thought I'd ask.

Thanks!
 

wlado93

Senior Member
Jul 18, 2010
176
100
@Amarton
Yes, correct.

@czr_gabriel
If it's SW hack and if you have 2nd the same unit with the same HW version then yes, you can clone memory (patched system and user data) from one unit to second, but you cannot clone activated fec codes, these will remain from 2nd unit. So for example 1st unit has activated Full Link via FEC code and second don't have, after cloning second will still not have activated Full Link. But if you have 1st unit activated via exception list then second unit will be activated too.
 
  • Like
Reactions: czr_gabriel

czr_gabriel

New member
Jan 28, 2021
2
0
@Amarton
Yes, correct.

@czr_gabriel
If it's SW hack and if you have 2nd the same unit with the same HW version then yes, you can clone memory (patched system and user data) from one unit to second, but you cannot clone activated fec codes, these will remain from 2nd unit. So for example 1st unit has activated Full Link via FEC code and second don't have, after cloning second will still not have activated Full Link. But if you have 1st unit activated via exception list then second unit will be activated too.


Thanks for the quick reply!
What you are saying makes sense.
I don't know how the activation of features was done on the unit, I think there's only one way of finding out! :)
 

Skipson

Member
Dec 11, 2020
6
0
Is it possible to modify android auto-config files by changing them in an update file, then updating the unit with the firmware? I have a unit with both SD card readers and want to try and can't figure out how to read/modify EMMC, whilst also updating the system to a more current version from VW... Current version is 0247T, US.
 

danielbotez

Member
Mar 31, 2008
19
0
Botosani
Is it possible that a Technisat drive has a different configuration of the pins for reading emmc memory? Today I opened the unit and I expect it to be easy if I follow the steps From the tutorial. I was surprised not to be able to connect the card reder according to the scheme.
I attach the motherboard picture and maybe help me activate my android car on this platform.
The unit is:
MST2_EU_VW_ZR_P0359
CODE: 3Q0035819B

Thanks
 

Attachments

  • IMG_20210217_105827.jpg
    IMG_20210217_105827.jpg
    4.2 MB · Views: 52
  • IMG_20210302_123024.jpg
    13 MB · Views: 45
  • IMG_20210302_123048.jpg
    13.7 MB · Views: 41
Last edited:

wlado93

Senior Member
Jul 18, 2010
176
100
@danielbotez
Your unit is 819, these units (and 820 with DAB) were installed to cars in configuration without voice command / rearview camera / app-connect.
So yes the board is definitely different from tutorial.
You don't have app-connect in menu, and you don't have app-connect swap codes under supported codes.
By other words, on this unit is not possible to activate anything.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 6
    Device: Technisat MIB STD2 PQ nav

    This device does not have serial shell .
    But I successfully hacked the emmc filesystem
    Now serial port has a shell

    Step1.
    Desolder the EMMC chip

    Step2.
    Dump EMMC chip via SD card reader

    Step3.
    qemu-img convert -f raw d:\682C_EMMC_DUMP.bin -O vmdk d:\682c.vmdk

    Step4.
    Start QNX x86 vmware machine to modify the 682c.vmdk

    Step5.
    modify the file /fs/hd1-qnx6/tsd/bin/system/startup
    add following line
    --------------------
    echo ser1 "/bin/login -f root" qansi-m on > /tmp/ttys
    /sbin/tinit -f /tmp/ttys &
    --------------------
    Save the file

    Step6.
    Shutdown QNX6 VM

    Step7.
    qemu-img convert -f vmdk d:\682c.vmdk -O raw C:\682C_EMMC_DUMP.bin

    Step8.
    write C:\682C_EMMC_DUMP.bin to EMMC via SD card reader

    Step9.
    Solder the EMMC chip back

    done.
    ;)
    2
    I can fully unlock all MIB units. If you need it free free to contact me.
    2
    [QUOTE = "nevergiveup3, post: 84106841, member: 11340019"]
    Привет, ребята, есть шанс, что кто-то снова сможет поделиться этими материалами, потому что ссылки выше не работают. Думаю, многие из нас это оценили бы.

    Заранее спасибо.
    [/ QUOTE]
    1
    reading MMC without desoldering

    Maybe somebody found a way to read eMMC without desoldering chip?
    1
    @Amarton
    Yes, correct.

    @czr_gabriel
    If it's SW hack and if you have 2nd the same unit with the same HW version then yes, you can clone memory (patched system and user data) from one unit to second, but you cannot clone activated fec codes, these will remain from 2nd unit. So for example 1st unit has activated Full Link via FEC code and second don't have, after cloning second will still not have activated Full Link. But if you have 1st unit activated via exception list then second unit will be activated too.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone