
Discover Pro MIB1 hacking

Chillout

Go Kart Champion
Location
the Netherlands
Car(s)
SEAT Leon FR ST
Hi all,

I'm in the process of trying to get more out of the Discover Pro MIB1, like people did with its close cousin, the Audi MMI 3G. My ultimate goal is to enable features like Mirror Link.

NOTE: If you're reading this because you found this topic while googling to have your illegally obtained media devices unlocked or installed: Don't ask me. Instead of asking me: Get a job, get your own cables and software and develop your own skills, or buy an Original Discover Pro at Volkswagen, because I will not support anything that smells funky to me.
Everyone else: please read on and feel free to ask any question.

I went through several Russian forums about hacking the MMI device. They found out the infotainment unit can be reached by using a USB-RJ45 adapter, scripts can be run from SD, Google Earth can be enabled, et cetera. So I invested into a VCP pro cable, a USB-to-RJ45 adapter, and got to work.

So far, I've unlocked the engineering/testing/development menu in the Discover Pro:




From this menu, several items can be accessed (this is a summary, there's more. If I find out how to make screenshots from inside the device, I will post all the screens here):
- The "magical" green menu. It's not as advanced as the Audi green menu, but it's something. I might be able to set certain settings to open this menu up for more possibilities.
- All kinds of tracing to SD. Development/test functionality. It even includes saving all spoken voice commands to SD.
- Google Earth status/prefetching settings, etc. I didn't enable Google Earth features through VCDS/VCP yet, so I haven't determined if this is actually possible.
- "Alternative view" toggle. This adds a "Contacts" button to the main menu. The button isn't functional yet.
- "Alternative view plate" toggle. I have no clue what this did. Both of these Alternative views are in the "only HMI Developer" section.
- Skin change from normal to sport (can be done through VCDS as well, but this is more user friendly)
- Mirrorlink toggle. It adds a Mirrorlink to the main menu, but so far, it's not functional yet.
- Test screens: Font tests for all kinds of fonts.
- Enable Bluetooth network tethering. I enabled it (I read that a lot of people already had this enabled), but since I don't have any on-line services enabled yet, I couldn't really see if this actually works.
- A LOT of diagnostic details about FM radio, DAB radio, TMC, etc. Makes it easier to troubleshoot problems with radio reception.
- Sound delay settings.

I hope to be able to tell/show you more in the near future!
Until then, here are some more screens of these hidden menus.
The famed "Green engineering menu":



Some overlays I enabled by pressing some key combinations on the Discover Pro:



The mirrorlink button enabled in the main menu (not functional... yet):



More to come soon. Please feel free to join me in this journey on discovering the Discover Pro, sharing your ideas, et cetera.
 

phope1

Ready to race!
Location
Scotland
Interesting - will follow :)

Do you have screens of what the skin change looks like?
 

Chillout

Go Kart Champion
Location
the Netherlands
Car(s)
SEAT Leon FR ST
I forgot to update you guys on this...

I made an album with all screenshots I took from the green menu.
http://imgur.com/a/Y4vAo

Here's a selection from the album:





Next up: trying to set it in a mode other than "production", hopefully this might give us more menus and settings to access.


The skin change only has to do with the carbon/non carbon skin/texture in the menus of the Discover Pro.
 

witsbusa

Ready to race!
Location
Philadelphia, PA
I'm intrigued, but what you are up to is way over my head.. Can't wait to watch your progress and hopefully understand better what the heck you are digging through.. haha..

Good luck!
 

Deviation01

Go Kart Champion
Location
St. Louis
Mirror link will be pretty epic!
 

hal

Ready to race!
Location
Bahrain
That would be epic if you could edit all the functions displayed in the screens!

Do you know if the Composition Media unit would have anything like this?
 

Blharry

Passed Driver's Ed
Location
Swindon
Very interested in following this. Especially for the Bluetooth tethering
 

Chillout

Go Kart Champion
Location
the Netherlands
Car(s)
SEAT Leon FR ST
Thanks all for your positive replies.

Very interested in following this. Especially for the Bluetooth tethering

I enabled it, but I guess my phone is missing some Bluetooth profiles, I haven't been able to test this properly.

I am extremely interested in the audio delay features you found, any more info or screens you can share?
See the album, it includes the delay settings.
http://imgur.com/a/Y4vAo


That would be epic if you could edit all the functions displayed in the screens!

Do you know if the Composition Media unit would have anything like this?

Not sure... I don't have anyone near me who has such a device.





Sidenote: I'm getting way too many messages here and on VW Vortex asking me (mostly in terrible English) if I can remove component protection. I'm not sure if I can, but I won't. I will not deal with anything that could possibly involve or support illegal actions.
 

Chillout

Go Kart Champion
Location
the Netherlands
Car(s)
SEAT Leon FR ST
Taking this to a different level, OSI-model wise :D

Today, I enabled the WLAN access point feature (despite my device not having the Premium telephony feature). No, this does not give me magical online services, because stuff like this doesn't work perfectly when you don't have the Premium phone feature with sim for data connection.

Some nmap-magic tells me there are some ports open:

53 - dnsmasq version 2.66
21001 - unknown (didn't show in all scans!)
49152 - unknown

dnsmasq seems to be an old version, with potential vulnerabilities.
Port 49152 gave me some hope. I froze my ass off in the car, so I didn't put more effort in this yet. I couldn't telnet/ssh into 49152, but nmap did find some info.
I'll paste the nmap output here so I can review it later.

Code:
PORT      STATE SERVICE VERSION
53/tcp    open  domain  dnsmasq 2.66
| dns-nsid: 
|_  bind.version: dnsmasq-2.66
49152/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port49152-TCP:V=7.01%I=7%D=1/3%Time=56898954%P=i686-pc-windows-windows%
SF:r(FourOhFourRequest,B4,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCONNECTIO
SF:N:\x20close\r\nSERVER:\x20Audi-MIB/5\.21\x20DLNADOC/1\.50/1\r\nCONTENT-
SF:TYPE:\x20text/html\r\nCONTENT-LENGTH:\x2050\r\n\r\n<html><body><h1>400\
SF:x20Bad\x20Request</h1></body></html>")%r(GetRequest,B4,"HTTP/1\.1\x2040
SF:0\x20Bad\x20Request\r\nCONNECTION:\x20close\r\nSERVER:\x20Audi-MIB/5\.2
SF:1\x20DLNADOC/1\.50/1\r\nCONTENT-TYPE:\x20text/html\r\nCONTENT-LENGTH:\x
SF:2050\r\n\r\n<html><body><h1>400\x20Bad\x20Request</h1></body></html>")%
SF:r(HTTPOptions,B4,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCONNECTION:\x20
SF:close\r\nSERVER:\x20Audi-MIB/5\.21\x20DLNADOC/1\.50/1\r\nCONTENT-TYPE:\
SF:x20text/html\r\nCONTENT-LENGTH:\x2050\r\n\r\n<html><body><h1>400\x20Bad
SF:\x20Request</h1></body></html>")%r(RPCCheck,A1,"HTTP/1\.0\x20400\x20Bad
SF:\x20Request\r\nSERVER:\x20Audi-MIB/5\.21\x20DLNADOC/1\.50/1\r\nCONTENT-
SF:TYPE:\x20text/html\r\nCONTENT-LENGTH:\x2050\r\n\r\n<html><body><h1>400\
SF:x20Bad\x20Request</h1></body></html>")%r(kumo-server,A1,"HTTP/1\.0\x204
SF:00\x20Bad\x20Request\r\nSERVER:\x20Audi-MIB/5\.21\x20DLNADOC/1\.50/1\r\
SF:nCONTENT-TYPE:\x20text/html\r\nCONTENT-LENGTH:\x2050\r\n\r\n<html><body
SF:><h1>400\x20Bad\x20Request</h1></body></html>");
MAC Address: A8:54:B2:DF:C5:2C (Wistron Neweb)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (93%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (93%), Linux 2.4.18 (92%), OpenBSD 4.3 (92%), Apple AirPort Extreme WAP or Time Capsule NAS device (91%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (91%), Comtrend CT536 wireless ADSL router (87%), Gemtek P360 WAP or Siemens Gigaset SE515dsl wireless broadband router (87%), Toshiba Magnia SG10 server appliance (Linux 2.4.18) (87%), OpenWrt (Linux 2.4.32) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
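
Added example (not part of the original post): the unrecognized-service fingerprint above is just the service's replies with escaping applied, so it can be decoded offline to read the HTTP status line and `SERVER` banner when inventorying what the unit's access point exposes. The function names `unescape` and `parse_fingerprint` are chosen here, and the sample is an excerpt of the fingerprint in the post, re-wrapped.

```python
import re

# Two of the five probe responses from the fingerprint quoted above, re-wrapped
# for this example; the layout of the SF: lines is otherwise unchanged.
SAMPLE = r'''SF-Port49152-TCP:V=7.01%I=7%D=1/3%Time=56898954%P=i686-pc-windows-windows%
SF:r(FourOhFourRequest,B4,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCONNECTIO
SF:N:\x20close\r\nSERVER:\x20Audi-MIB/5\.21\x20DLNADOC/1\.50/1\r\nCONTENT-
SF:TYPE:\x20text/html\r\nCONTENT-LENGTH:\x2050\r\n\r\n<html><body><h1>400\
SF:x20Bad\x20Request</h1></body></html>")%r(RPCCheck,A1,"HTTP/1\.0\x20400\
SF:x20Bad\x20Request\r\nSERVER:\x20Audi-MIB/5\.21\x20DLNADOC/1\.50/1\r\nCO
SF:NTENT-TYPE:\x20text/html\r\nCONTENT-LENGTH:\x2050\r\n\r\n<html><body><h
SF:1>400\x20Bad\x20Request</h1></body></html>");'''

PROBE = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
ESCAPE = re.compile(rb'\\(x[0-9A-Fa-f]{2}|.)', re.S)
CONTROL = {b'r': b'\r', b'n': b'\n', b't': b'\t', b'0': b'\0'}

def unescape(data: str) -> bytes:
    """Turn \\xHH, \\r, \\n and backslash-quoted characters back into raw bytes."""
    def repl(m):
        esc = m.group(1)
        if len(esc) == 3:                      # xHH
            return bytes([int(esc[1:], 16)])
        return CONTROL.get(esc, esc)           # \. -> ".", \" -> '"', etc.
    return ESCAPE.sub(repl, data.encode('latin-1'))

def parse_fingerprint(text: str) -> dict:
    """Map probe name -> decoded HTTP response summary."""
    # Each line carries a 3-character "SF-"/"SF:" prefix; escapes may be split
    # across lines, so join first and decode afterwards.
    joined = ''.join(l.strip()[3:] for l in text.splitlines()
                     if l.strip().startswith('SF'))
    result = {}
    for name, hexlen, data in PROBE.findall(joined):
        raw = unescape(data)
        head, _, body = raw.partition(b'\r\n\r\n')
        status, *fields = head.decode('latin-1').split('\r\n')
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (f.partition(':') for f in fields)}
        result[name] = {'declared_len': int(hexlen, 16), 'decoded_len': len(raw),
                        'status': status, 'headers': headers, 'body_len': len(body)}
    return result

if __name__ == '__main__':
    for probe, info in parse_fingerprint(SAMPLE).items():
        print(probe, info['status'], '|', info['headers'].get('server'),
              '| lengths match:', info['declared_len'] == info['decoded_len'])
```

The hex field after each probe name (B4, A1) equals the decoded byte count for these responses, which is a quick check that the escapes were reassembled correctly across line breaks.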
 

quality_sound

hmm.......
Location
Shaw AFB, South Carolina
Car(s)
'21 GTI S DSG
Is the VCP Pro cable required or can I use my VCDS cable? What is the process for accessing the menu?

For people asking about the delays, it's not a signal delay, but turn-on/off delays for the MIB and the OEM amplifier. There is no channel-specific time alignment. There IS a loudness function you can disable and as soon as I can get into my MIB II, I'm going to disable it on mine.
 