
Possible (?) MIB2 DIY retrofit (including CP bypass and Fec's enabling)

Setam

New member
Hello everybody,

First of all I want to say that this is my first post on GolfMK7 so please go easy on me.

[Intro]

As most of you guys know, retrofitting an MIB2 unit on a MIB1 mk7 was always a problem because of CP and Fec's (especially if you are on a budget). As of now, there are a few people on the internet that can remotely remove CP and enable all Fec's for a substantial sum of money (approx. 250-300 euros) either by ODIS online or by hacking the unit. The latter one caught my attention so I did some research on my own. Recently some Porsche owners have been upset that PCM4 (equivalent to MIB2) units only support CarPlay and no AndroidAuto so they did their own research and managed to enable this function on their units using some programming and reverse engineering skills. This opens a lot of possibilities for MIB users too. They managed to do this by dumping the PCM's firmware on an SD card, modifying it and then flashing back the firmware into the unit. Unfortunately this involves some advanced programming skills. Luckily for us, one Porsche owner has managed to do a step by step guide on how to do this, except for one step. This is where we need to work together in order to make this work.

Since my programming skills are limited (next to nothing), I ask you, my fellow MK7 owners, for help.

I will attach the instructions that explain this process step by step and the links to the topics where this has been discussed. I highly recommend taking the time to read these.

Together we might be able to do this retrofit without ever stepping into a VW dealership.

Enjoy

[Instructions]

Enabling Android Auto on PCM4

Step 1. Required Components

  1. UART -> USB Adapter (Setam's edit: From what I understood, this might be done using a d-link dub-e100)
  2. PuTTY or similar terminal app
  3. IDA Pro ($$$$$), Ghidra (free), or similar ARM V7-A compatible disassembler
  4. SD Card
  5. Linux computer to unpack + repack filesystem
  6. dumpifs and mkxfs from QNX SDP / OpenQNX. Build these from source on your Linux machine to ensure proper compatibility. (available at https://github.com/ibreakifix/PorschePCMStuff pre-built for Ubuntu 19.04 x64)
  7. mkxfs attributes file from https://github.com/ibreakifix/PorschePCMStuff

Step 2. Connect to PCM4 via UART

  1. Connect GND to GND (PCM4 chassis works), RX on adapter to J5_TX on PCM4, TX to J5_RX on PCM4; pins B3 and B9.
  2. To connect, you can remove the connector block from the quad-lock, then route your TX/RX/GND pigtails through the opening.
  3. Open PuTTY, launch a serial connection to your COM port (see devmgmt.msc) - 115200, 8, N, 1
  4. Login with root / oaIQOqkW

Step 3. Download Root-IFS

  1. Issue the "stfu" command to stop verbose logging to the terminal.
  2. Insert SD card into PCM4, left slot
  3. Issue the following command to download your filesystem: "dd if=/dev/fs0 of=/net/mmx/fs/sda0/PCM4_NOR.bin".
  4. Issue the following command to copy your existing FEC file: "cp /mnt/efs-persist/FecContainer.fec /net/mmx/fs/sda0/orig_FecContainer.fec"
  5. Remove SD card and insert into your PC.
  6. You can also pull this image from an update SD card at ./RCC/ifs-root/*/default/ifs-root.ifs **Note: The desired image is the second ifs contained within this update file, use ctrl+f and find the second instance of file magic "EB 7E FF", your IFS image begins at this location and ends at the end of the file. If you do this, you can skip steps 4.1 to 4.3**

Step 4. Unpack Root-IFS (if using downloaded image from PCM4)

  1. Open downloaded RCC NOR image (PCM4_NOR.bin) in your favorite hex editor
  2. Jump to offset 0xBA0000, ensure IFS magic of "EB 7E FF" is present. If not, issue "flashlock" on PCM4 shell to obtain correct offset, target IFS is ~15.6mb. See screenshot.
  3. Select from 0xBA0000 to the end of the IFS, which is indicated by a block of padding "FF FF FF FF FF". In my case, this data was 15,639,040 bytes. See screenshot.
  4. Cut and paste this block of data into a new file, name it ifsroot_stage2_orig.ifs
  5. Move to a Linux computer with dumpifs binary (available from QNX SDP)
  6. Copy ifsroot_stage2_orig.ifs to some folder, open your terminal and CD to that folder.
  7. Copy dumpifs_helper.sh to this same folder. Chmod it to 755
  8. Issue "./dumpifs_helper.sh ifsroot_stage2_orig.ifs" to extract the IFS, your files will be in ./ifs_extracted. Ensure files are present as shown in the terminal output
  9. Place a copy of /usr/apps/MIBRoot so it can be patched with IDA, Ghidra or similar

Step 5. Patch out the FEC checks.

  1. 📷

Step 6. Rebuild IFS image

  1. Place your patched MIBRoot into your extracted IFS location, overwriting the old MIBRoot. It should be located at ./ifs_extracted/apps/bin/
  2. Open terminal. Issue command: export QNX_TARGET="/"
  3. cd to whatever the parent directory is to the ifs_extracted folder we made earlier
  4. Download mkifs_attributes.txt from github repo. Place it in your current working directory
  5. Build the new IFS with mkxfs, issue command "mkxfs -t ifs -nn -o ./ -r / ./mkifs_attributes.txt ./ifs_extracted ./patched_ifs.ifs"
  6. Place patched_ifs.ifs back onto your SD card

Step 7. Create your new FEC file

  1. Open the FEC container (orig_FecContainer.fec) from earlier in your favorite hex editor
  2. Copy VIN from file. This should match your car's VIN, unless component protection is enabled, then it would be the VIN from the donor car
  3. Copy down VCRN (hex values of bytes 16-20 in file). Write it down as shown in the blue highlighted text in the screenshot. The VCRN may be obtained through measurement channels on PIWIS if you only have a 4 byte empty FEC file.
  4. Make a comma separated list of your existing FECs, from offset 0x43 until the checksum begins. Use hex values, add commas at every 4 bytes (8 digits), for example, from screenshot it would be 00030000,00030001,(...),06310099
  5. Add one last FEC to the end of that list, which will enable Android Auto: 00060900
  6. You can also add other FECs to your PCM4 at this time, see below. Additional coding / adaptations may be required.
  7. Download MIB2_FEC_Generator.sh from Github, chmod it to 755
  8. Issue command to generate FEC Container "MIB2_FEC_Generator.sh -f {YOUR_FEC_LIST_CSV} -n {YOUR_VCRN} -v {YOUR_VIN} -d {Output_Directory}"
  9. Output file is FecContainer.fec, copy this new file to your SD card

Step 8. Load new files to head unit

  1. Insert SD card into PCM4, left slot
  2. Login with root / oaIQOqkW
  3. Issue the "stfu" command to stop verbose logging to the terminal.
  4. Remount efs-persist as r/w with command "mount -uw /mnt/efs-persist/"
  5. Copy your new FECs with command "mv /mnt/efs-persist/FEC/FecContainer.fec /mnt/efs-persist/FEC/FecContainer.fec.orig; cp /net/mmx/fs/sda0/FecContainer.fec /mnt/efs-persist/FEC/FecContainer.fec"
  6. Issue commands to flash your stage2 ifs-root... THIS CAN BRICK YOUR HEAD UNIT, SO BE CAREFUL! Important note: "flash.it" is actually one word, but RL censors it, so remove the period otherwise the command won't work.
  7. flashunlock
  8. /usr/bin/flash.it -v -x -d -a0x00BA0000 -f/net/mmx/fs/sda0/patched_ifs.ifs
  9. flashlock
  10. Reboot unit by holding down power button for 30s.
  11. Cross fingers and hope your patch worked

Step 9. Adaptations

  1. With PIWIS II / PIWIS III, or VCDS
  2. If using PIWIS II, place it into engineering mode via Settings -> Diagnostics Configuration -> 911, 918s, etc... -> Mode -> Select "E". Save + Exit
  3. In PIWIS, Open Diagnostics -> 911 -> 991, scan car (F12) to obtain installed modules, select head unit (Named MIB2...). In VCDS open module 5F
  4. Select "Manuelle Codierung ohne MCR-Regeln" -> Vehicle_configuration
  5. Set Bitfield (3) Google_GAL -> "on"
  6. Save coding, wait for system to reboot
  7. Alternate method coding through PCM4 shell:
  8. export LD_LIBRARY_PATH=/mnt/app/root/lib-target:/eso/lib:/mnt/app/usr/lib:/mnt/app/armle/lib:/mnt/app/armle/lib/dll:/mnt/app/armle/usr/lib
  9. export IPL_CONFIG_DIR=/etc/eso/production
  10. on -f mmx /eso/bin/apps/pc b:0:3221356628:7.7 1

Step 10. Done!

  1. Plug in your phone. You should now have Android Auto

It is important to note that this hack will be overwritten if you ever decide to perform a software update on your PCM4. You'll then have to re-complete these steps with your new version of software. Given that there are no PCM4 updates available, this will probably be a non-issue.

What if I flash a bad ifs image to my head unit?
⁃ If this happens, MIBRoot will fail to start and you will not be able to interface with PCM4. It will appear to boot from the LCD panel, but touch and audio will not work. However, it will still boot into QNX for recovery since we are only flashing the stage2 image.
⁃ To recover, log into QNX with root / oaIQOqkW
⁃ Copy your original IFS root file (ifsroot_stage2_orig.ifs) to your SD card and install to left slot of PCM4.
⁃ Issue commands:
⁃ flashunlock
⁃ flash.it -v -x -d -a0x00BA0000 -f/net/mmx/fs/sda0/ifsroot_stage2_orig.ifs
⁃ flashlock
⁃ Note: If stage2 ifs flashing fails, flash.it, flashlock and flashunlock may no longer be present on your system. Copy them to your SD card from your extracted ifs directory and run them from the SD card, for example /net/mmx/fs/sda0/flashunlock.

What if my firmware flash works but I still don't have Android Auto?
⁃ Your VIN, VCRN, or FECs may need to be corrected, review step 7. Cars without CarPlay may need to add FECs 00030000, or 00060700 and 00060800
⁃ If your FECs are being removed from FecContainer.fec and being placed into IllegalFecContainer.fec, then your FECs are failing the signature check. Your patch is wrong and you need to review step 5 again.
⁃ If you did not have CarPlay or Android Auto previously, you may also need to code USB media player functionality within PIWIS II.

What if I want to return to stock?
⁃ Connect to PCM4 via UART
⁃ Log into QNX with root / oaIQOqkW
⁃ Copy your original IFS root file (ifsroot_stage2_orig.ifs) to your SD card and install to left slot of PCM4.
⁃ Issue commands:
⁃ flashunlock
⁃ flash.it -v -x -d -a0x00BA0000 -f/net/mmx/fs/sda0/ifsroot_stage2_orig.ifs
⁃ flashlock
⁃ mount -uw /mnt/efs-persist
⁃ rm /mnt/efs-persist/FEC/FecContainer.fec
⁃ mv /mnt/efs-persist/FEC/FecContainer.fec.orig /mnt/efs-persist/FEC/FecContainer.fec
⁃ Done. Reboot by holding power button for 30s




[Links]

https://rennlist.com/forums/991/1142493-retrofitting-pcm4-in-a-991-1-a-3.html

https://rennlist.com/forums/991/1049794-porsche-pcm-upgrade-hack-for-android-auto-is-this-real.html

https://github.com/herrfrei/PorschePCMStuff
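
As an added example (not part of the original post or the linked repositories), the hex-editor check from steps 3.6 and 4.2 to 4.3 can be scripted, so the backup image that the recovery procedure depends on is confirmed to start with the IFS magic and gets a size and SHA-256 recorded before anything is flashed. The function names, the 64-byte padding threshold and the miniature sample dump are assumptions made for this illustration.

```python
import hashlib
import sys

IFS_MAGIC = bytes.fromhex("EB7EFF")  # IFS file magic quoted in the guide
STAGE2_OFFSET = 0xBA0000             # stage2 offset quoted in the guide
PAD_RUN = 64  # assumption: 64+ bytes of 0xFF means erased flash, not data


def find_magics(blob):
    """Return every offset where the magic occurs (candidates only:
    a 3-byte pattern can also appear by chance inside other data)."""
    hits, pos = [], blob.find(IFS_MAGIC)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(IFS_MAGIC, pos + 1)
    return hits


def carve_ifs(blob, offset=STAGE2_OFFSET, pad_run=PAD_RUN):
    """Cut the image starting at `offset` and ending at the 0xFF padding.
    Refuses to carve when the magic is missing, which is the case the
    guide flags as the offset being wrong for this firmware."""
    if blob[offset:offset + len(IFS_MAGIC)] != IFS_MAGIC:
        raise ValueError(f"no IFS magic at {offset:#x}; candidates: "
                         f"{[hex(o) for o in find_magics(blob)]}")
    end = blob.find(b"\xff" * pad_run, offset)
    return blob[offset:end if end != -1 else len(blob)]


def describe(image):
    """Size and SHA-256 to record next to the backup file."""
    return {"size": len(image), "sha256": hashlib.sha256(image).hexdigest()}


def sample_dump():
    """Constructed miniature dump: two images separated by erased flash."""
    stage1 = IFS_MAGIC + b"\x00stage1-body"
    stage2 = IFS_MAGIC + b"\x00" + bytes(range(1, 200))
    return b"\xff" * 16 + stage1 + b"\xff" * 100 + stage2 + b"\xff" * 256, stage2


if __name__ == "__main__":
    if len(sys.argv) > 1:          # path to a real dump, e.g. PCM4_NOR.bin
        data = open(sys.argv[1], "rb").read()
        print(describe(carve_ifs(data)))
    else:
        dump, _ = sample_dump()
        print([hex(o) for o in find_magics(dump)])
        print(describe(carve_ifs(dump, offset=find_magics(dump)[1])))
```

If the image itself ends in 0xFF bytes, cutting at the padding drops them, so compare the reported size with the one the guide gives for your firmware before relying on the file.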
 

Setam

New member
This plan falls apart on Step 4 of Step 2. The password changes with each firmware update.

I agree but also found out this:
"The password HASH can be found in the uncompressed EFS image in the MMX directory of the SD card with the same version of firmware as your MIB2 (or a train close to it). With the HASH you then need a truck load of GPUs and run John The Ripper to brute-force the hash to get the clear text password."

source: https://cartechnology.co.uk/showthread.php?tid=34635&page=2
 

2018gti

Drag Racing Champion
Location
Massachusetts, USA
Car(s)
Golf GTI Autobahn MT
Even though we might not know the password for a given firmware, this is a ton of interesting and useful info! Good find. There’s always a way to figure stuff out or a workaround in this area.
 

Sc629

Go Kart Newbie
Location
IN
I remember looking into this a few months back but similarly, this is out of my knowledge. Would be great if it were to be figured out one day.
 

vag.flashdaten

New member
Location
EU
Car(s)
A4
I can make all activations in MIB 1/2 remotely. I have full solutions for Harman, Delphi and Technisat/Prech.

I have a big collection of telnet passwords I can share if someone needs it.

More details on PM
 

vag.flashdaten

New member
Location
EU
Car(s)
A4
Good evening, Vag.flashdaten, do you know how to gain access to mib2std zr technisat unit please

TIA
Hi.
I know how to access Technisat units... But there is no need for that for activation or unlocking.
 

big_i_m

New member
Location
england
Car(s)
mk7 golf
I used to have mib1 installed in my car. I changed it for mib2std, took the car to the dealer to remove CP, and now most of my functions don't work. How can I fix this? Please help, I have been trying for about 2 years to get them back, with no luck :(
 

vag.flashdaten

New member
Location
EU
Car(s)
A4
What functions are you talking about?
 

Wils120

New member
Location
south Africa
Car(s)
Golf 5
Can anyone assist me? I have a VW Caddy panel van and want to retrofit a MIB STD2 pq + nav but I have CP that is not allowing me to make use of sound or features. Is this fit possible and if so how?
 

vag.flashdaten

New member
Location
EU
Car(s)
A4
I can help remotely.
 