After this, you are ready to use the updated maps.įor the purpose of sniffing I created a microSD card sniffer. This really takes more than a hour, so do this during a long journey or with your car connected to a battery charger. Next, you are asked what to do with the update – install or use the maps from the card: After this, it can be used in another car. Either after unlocking in a computer or using my esp32 firmware (function delete_devid()). Once you do this, it will create a file called devid with following contents (probably some serial number of the unit): $ hd deviceidĠ0000000 9a 04 8b 6b 13 02 61 f8 00 00 ff bf ff ff fe ff |…k.a………|īut since we know the password, we can always delete it. When you insert the card you will be asked to assign the card with the unit. Capture the password using logic analyzer.It can initialize card, list files, display CID, detect locked card, lock/unlock with CMD42 and delete devid file. To get control of the card, I used Arduino on ESP32 with SD library which I modified to work with ESP32 and applied a mod to support CMD42. This is probably also the reason why copying the data from card may take up to 2hours (16GB / 20MHz 1-bit SD mode = 6872sec) You can also see there is data only on single DAT line. It probably switches to higher speeds (20MHz?) only after initializing the card (I didn’t check this). You can see I captured it with 10Mhz sample rate and it was enough. PulseView has a SD card protocol decoder so it was quite easy and I was able to find CMD42 quickly: You can see in the background displayed: “Error: SD card” because the card is locked with a different password. So I just took a card, locked it with random password and put it in my unit with a logic analyzer attached (basic FT2232H and PulseView). Getting the passwordĪs I was thinking about it, I thought there is actually no hashing or obfuscation mechanism in the unlocking sequence for CMD42 – the host will simply send the password “as is” so you should be able to capture it. You need to copy this data to your SD card before making any magic with locking. For the time of writing, the latest version is V12. For Europe, there are two packages – Eastern Europe (EE) or Western Europe (WE). The update data can be found on the Internet by searching “map update RNS315”. But this also costs money so I started thinking about some other way. this one) where you enter your cards CID and it will give you a password. Next option is to use an online password generator (e.g. If you have it, you change the CID and lock the card with a know public password. You can buy a very rare SD card with changeable CID (card ID) but these are really hard to get and their price is not worth it. – online password generators for your specific card CID There are two ways how people deal with this problem: If it cannot unlock, it will show an error. If it is locked, the unit will generate a password based on the CID and try to unlock the card with CMD42. If the card is not locked but contains updates, it will show that there is a card with updates but it is not genuine. The way how the map update works is, that first the unit checks if the card is locked and reads the SD card CID (unique card ID). There is a very nice technical note where you can read about the mechanism. The update comes on an SD card which is unreadable in PC – this is because the card is locked with CMD42 and most operating systems cannot deal with this lock. The obvious way is to go to the dealer and buy map update but that costs some higher tens of Euros so I started researching other options. I bought it with maps from 2014 which are hugely outdated so I started to research how to update the maps. I have RNS315 radio/navigation/media system (I will call it unit) in my car.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |