tsXgtp

I want to clarify what BitSetting means when writing DVD's (I didn't see a clear response in this thread). Sorry if this isn't new news but I'd like to try to help and I haven't visited this forum in a long time.

W\O BitSetting
1. You buy a DVD+R DL
2. You burn data on to the disc
3. The disc is still a DVD+R DL and many DVD players will not recognize the disc. Big problem for people using DL DVD's for home movies who don't have the newest dvd players (meaing all of their home made dvd's are useless).

W\ BitSetting
1. You buy a DVD+R DL
2. Find a program that will allow you to alter the BitSettings on your DVD DL burner. Not all drives allow this. I have an NEC 3500A and the firmware is open source which allows many people to freely edit at their own cost. Flashing the ROM on your DVD burner may also be necessary.
3. Change the Bitset for DVD+R DL discs from 'DVD+R' to 'DVD-ROM'.
4. Burn the disc
5. The DVD+R DL disk is now considered a 'DVD-ROM' disc and will be able to be read on all DVD players that can read DVD-ROM discs (standard data disc).

Check out DVD Decrypter and DVD Identifier. Decrypter can change the BitSet on some drives along with Nero 6.6.1.
Hope this helps.

John

jonnerd154

The nav distorts the image when it is displayed, you have to compensate by destorting it first.

And yes, if you paste the new image into the original image photoshop resamples the image do the new pallette...this might be a setting I turned on years ago.

TSXChef

Wha Chu Talk'n Bout Willis ~

Interesting... so does this mean with proper BitSetting we can burn NAVI disc onto a DVD+R DL that will work on our TSX DVD drive? or am I completely on wrong chapter of this discussion. Thanks!

tsXgtp

No, you are right. I tried to make it easy to understand but I probably muffed it up, lol. Maybe if someone could provide some modded files, I'll test it out. I don't want to waste a dvd dl on a normal version.

mikemav

FWIW, I tried to make a copy of my new Navi disc for my '04 TSX I ordered from Alpine a few months ago. In fact, I upgraded my burner to an NEC 3500A (DL) and bought a blank DL just for that purpose. Anyway, the disc burned fine & has no errors, but it will not work in the Navi. I did not know about bitset altering until now. Perhaps that is the key.

One of my friends used to be a car audio installer. He says Alpine is notorious for making loaders that do not read burned discs. He said many of the CD changers did not even read CD-Rs a while back. But perhaps changing the bitset for a DL burn would trick the loader into thinking this is a professionally mastered DVD-ROM. Interesting. The other thought I had was to change the loader. I know people w/ bleeding edge Asian DVD players such as Momitsu often have trouble w/ the DVD loader reading discs, and they have been able to change to newer or more forgiving loaders pretty easily. You gotta figure it is based on some common connector like ATA.

jeffreytchui

so where are we on the modules?

tabascojrc

bump

ak217

I am working... I am working... I am working...

The main problem is in emulating devices. I can't find documentation, so the only way is to investigate the OS kernel.

What I know now:

We deal with some CPU SH7750 or 7751.
Peripheral clock rate is 33MHz.
I think CPU clock rate is 166 or 200MHz. I can't determine it because we have no "BIOS" ROM image and I beleive that clock circuit is programed there.

I beleive that there is a some companion chip like HD64465 (not exactly this one but something very similar). It contains additional interrupt controller that used for cascading interrupts, PCMCIA controller, several serial controllers and general purpose I/O ports.

OS - Windows CE 3.0 build 126. I have disassembled the most part of nk.exe and some drivers.
My emulator starts OS, starts three processes but stops when it tries to initialize PCMCIA controller. By that time it have processed more than 30 million instructions with avarage speed about 7MIPS.

If somebody have Windows CE 3.0 Platform builder (or how it is called) please contact me a message - I need several files from there.
If somebody can disassemble navi unit and make high resolution picture of the board it will be greate too. I hope that I can read labels on chips and maybe it can help to find documentation on then. Yes, I saw the pictures on page that mentioned in page 3 of this thread - it is not enough, they show CPU chip only. BTW I still don't understand its label.

If somebody knows how to work with IDA (interactive disassembler), knows some assembler and want to learn another one, have free time and want to spend it, then I can provide required information.

e_lectro

I have a couple pf pics that I hope can help. None are high-res though, the camera I had back then was pretty sad...







-e_lectro

Those are off of sounddomain, if they start blocking the pics, let me know and I will move them to another host.

ak217

I saw these pictures and they are the pictures that I mentioned.
I see some suspicious dark spots on then that could be chips. I want to read their labels. Maybe they are just some logic but they may be some controllers.

juve021

So whats the deal...
If I just want to replace the boot up image, can it me done right now with a fairly simple process?

Also, will this process work on an 03 CL navi?

Thanks,

ak217

Yes. You can do it. Just burn CD with two files - your image (which must have the name than correspond to your car model) and BN2HHMLD.BIN from DVD.
Then load your image via Diag screen.

juve021

Same name as my car model? I don't understand...does anyone know what this would be for an 03 CL? Also, does this vary with different versions of the navi dvd?

ak217

Are you talking about ROM image?
DVD contains ROM images for all Honda/Acura that have navigation as option.
The name of your ROM image you can see on one of diag screen.

juve021

No I'm talking about the BMP image. How can I replace just the bootup BMP and keep all other functionality, databases, etc. the same?

ak217

It is possible to do using my tool.
But I have not released it to public yet.

tabascojrc

bump whats the status, i'll be glad to help out on this project I am just mising some of the tools.
-j

gfxdave99

I did a search on the term dumpnavi and nothing came up so i figured i would throw this link in

http://linuxkiddies.com/bysin/navi/ Link from http://www.hackaday.com/entry/1234000443040445

ak217

This is what I have now:

An utility that do operations with WinCE *.bin files:
http://home.earthlink.net/~akonshin/files/cebin.zip

SH-4 emulator. Don't expect much from this utility, it can be intresting only for expireinced software developers that want to understand how Windows CE works in navi. You also need bin file listed below. File AcuraTSX.vsh is included that describe that bin-image. The utility is almost useless without those files.
http://home.earthlink.net/~akonshin/...VirtualSH4.zip

This is the bin image that I am working with. It is image for TSX - BN2HN18B.BIN. I don't remember the exact version, the size of the file is 13624431, the image was build Aug, 8 2001 (you can find it in the top of the file using any hexeditor). If you have a different version of this file then you have must dowload it.
I put it on ed2k ( eDonkey2000/eMule) network because of its size:
ed2k://|file|BN2HN18B.zip|9490950|96DD60423A53CF2829BD939 D0FED3C62|h=MPZ6OHY66NKBUYXYODLOKL2OJGE3NCNN|/
To download it use any ed2k compatible software. I recommend eMule (it is OpenSource freeware): http://www.emule-project.net/

IDA 4.3 *.idb files for that bin image:
ed2k://|file|BN2HN18B_idb.zip|3543944|7407C68DDDB7B442F8E 6675121E34915|h=DWFMRYDE3CPSN6NJKV5HOCQZJBJHLSWO|/
If you have another version of IDA then you can try to import these *.idc files:
ed2k://|file|BN2HN18B_idc.zip|358619|3A98CE8A4446BA3B7B41 5758E6E4F152|h=47GCQSF7ZXY4JDTBNAN52P76K2KWJDOO|/

wakattack

What's going on AK?

Anything new..

slocko

Maybe what is needed is a hardware mod to get rid of the nag screen.

Look at this thread:

http://www.infinitifx.org/phpBB2/vie...er=asc&start=0

ak217

I am disassmbling and investigating navi.exe. I didn't want to do it because I understand difficulty of this task. But I hear too many requests about it from you so I decided to try. This module is huge and size does matter in this case. It is written on C++ and as result it has many small peices. I have an idea how it can be done but as I said it is very difficult and I can't promise anything.
Unfortunately I have too little time for this project because I am working hard at my workplace and usually come home after midnight. For example, right now is 5AM and I am just going to go to bed.

m8cca

Got a newer version in my TL and want to see if and can remove some regional maps and burn to DVD-5 and use in my ODY. I don't have DL burner.

csimo

Is this now a dead issue? Sure would like to see someone pick it up and run with it!

Merlin777

These are posts of mine from another board:

Started work on TL with complete understanding of software navigation and external OS workings. I also took pictures of every menu and submenu to give everyone a clear understanding of system navigation. I actually found one more sub-menu that no one else found listing program Exceptions (within History hold down menu for 5 secs). Anyone else finding any other system menus I am missing would be of great help. Here is the link to few the software photos. If you want a ZIP file of the photos PM me and I will send you the link.

Kodak PhotoShare


Slowly at work with the TL system. Took apart the Navigation System in the trunk to get a better idea of its inner workings. Took detailed, high-resolution, pictures with my digital camera. All component serial numbers and ID's are visible. I also took pictures while I was taking it apart to show everyone each step along the way. I put it back together and everything is working perfectly. The DVD player is standard but underneath player is the guts of the system. TL file name clearly printed on Front Panel PCB. Here is the link to the hardware photos. If you want a ZIP file of the photos PM me and I will send you the link.

Acura TL Hardware Photos

jlh8733

I'm like AK and Merlin, want to do this, but don't have a whole lot of time to devote to it. Finally picked up Aka's decompiler and emulator here, just need to find time to play with it.

Thanks guys....slow and steady wins the race.

Roman-dude

thx

Merlin777

Ok everyone... I spent about 10 hours on Saturday taking apart the entire dash of my '05 TL I even disassembled the electronics down to board level... I took all the high quality pictures you will need to understand the front end electrical systtem of the car ... Here's my problem.... I can take apart my car and put it back together again in a day but I cant figure out how to post the pictures for you all to see... lol... Give me some help and you will be rewarded with some great pics... later all...

spatel600

go to www.imageshack.us and host the pics...they will give you a link for forums...post that on this forum

bdturbo

its Maria!!!!!!!!!

ak217

FYI, Masha is the same name as Maria in Russia.

inca

I assume you've exhausted what you can find from http://www.renesas.com/ in terms of SH-4 hardware (detailed) and programming (condensed) manuals?

It's probably 200MHz, which would make it the SH7750S. I can confirm this once I get a portable scope and probe the system while it's running. Though I don't think it changes much for general usage of the processor.

I have Windows CE 5.0 Platform builder, which seems to be the same or similar. Maybe even backward compatible. If not I can root around and see if I can't pick up an old copy of 3.0.

As far as IDA goes, I'm a novice. I just got a copy and I'm loving/hating what I see. It seems like a very very powerful reverse engineering tool. I wish I had been introduced to it earlier on in life. In any case, I am willing to learn it, especially for this project. I've been reading all the info I could get my hands on and it seems we are stuck at an impasse. We need to be able to test our modules, whether they are hacked original navi modules or our own custom modules, in a more reasonable amount of time. There are generally two ways to go about this test setup: via hardware or software. ak217 chose software, which in the end, more or less ends up being just as complex as hardware because we have to know the hardware platform in order to make a soft representation. Emulators/simulators are hard core... ak217, props to you for writing one for the SH-4... you are hard core, man. =) Now, where are you in this? I think my most useful course of action would be to dismantle my Navi and build a hardware test setup in my home. Then maybe poke and prod until we can talk with the debugger and have a better electrical idea of what's going on? Let me know what you guys think. Until then I am going to play with Platform builder 5.0 and ak217's simulator. Cheers

ak217

I think it is 300MIPS CPU, I don't remember which one is it. I calculated it when I disassembled the OS core. As I remember a some system call does some delay using a loop and the duration of this delay is known from the description of this system call in Windows CE. As result I could calcuate CPU rate. BTW, the simulator has several time model modes and one of the mode is based on CPU rate. Of course I can be wrong and it can be checked only by measuring the real frequency on the device.

Yes, I think it is SH7750 family but I think it is a custom cheap because it contains some built in hardware that is not defined in SH7750 manuals. For example, it has two level interrupt controller (or maybe two, I don't remeber). It has built in PCMCIA controller. It has built in Q2 video controller (don't know which one). Maybe this cheap is not custom but just one of the cheap for auto industry and we don't have access to this part of Renesas site. At least I couldn't find the documentation for the cheap that exactly match to our cheap. And I know how to search, trust me. For example, I didn't find the PCMCIA controller that matches that built in controller. It is similar to description of controller from chip HD64465 but not exactly - protocols are slightly different and ports are different too.

So the main problem is a lack of documentation for hardware (not CPU itself but for controllers). And even if I have a good documentation for Q2 controller it is very difficult for simulation. I think now you understand that if I say that it is difficult then I really mean it . This controller is very powerful and has many (tens) special commands - graphic primitives.

Where I gave up? Simulator boot OS and start initialing devices. It "succesfully" initializes many controllers, starts several processes. It really does multitasking and virtual memory. Then it stuck because some of the "devices" does not "work" properly (I don't remember which one, I think it is about videocontroller). Oh, I found a some old logs: Stop after 9393.61ms. 54463368 instruction (54463368 totally) has been executed, average speed = 5.80MIPS (it is real time and the real speed, the virtual time is about 0.4sec). It stops in drf.dll - a some driver for flash memory. Actually it does not mean that the error is in simulation of this device.

I gave up because this project is too complicated and time consuming. And I don't have anything in return. I lost my interest. I know that I have done incomparably more then others but... Sorry.

Sorry for my English.

bysin

How convenient, you released a program that does the same thing mine did, just after my release, without giving away the source code... Seems like it was stolen.

bysin

Also I see in your ReplaceWakeupScreen.cebin you have the following note:
Theres nothing preventing someone from replacing files on the .BIN that are larger then the origional. The way _I_ implemented in _MY_ program, was using a system of block replacement, which is only one of the ways to do it (not the easiest way either). Its very unlikely that not only did you come out with your program a few days later after mine, but that you implemented the same system of file replacement as me.

ak217

First of all, my program was written before your program. I had several beta testers from this forum that can confirm it. If you read this thread you should know that. But seems like your are not a reader but writer only.

I didn't release it to public because I was going to do more and I considered this program as not finished. Actually it does more than your program. It can resize segments and rebuild the rom image. Changing of bmp file in rom image inplace is not a big deal and it was done in very first versions.

I sent messages to you when I found your thread with proposal to cooperate. I have never received any response from you. Now I know why. You are not such person. It is your way.

bysin

You can only prove your inocence if you release your program. I did read your entire post and saw you had something working before I completed my post, but it was never released until I released mine, which shows you might have used my work to fix whatever problem you had preventing you from releasing it sooner.

Your saying it can resize segments? Why is it then, that your program is limited to the size of the origional segment? Or is that a typo in the readme?

ak217

My program can resize blocks and reconstruct the image. It also can extract all file and even modules. But it is just utility. It wasn't my priority. Changing of background image is not a big deal. I knew that I can replace any file. The problem was that we had nothing (and still have nothing) to put on that ROM image. First of all we have to have environment for testing our binaries. It was my priority.

That message tells about any files, not just that bmp. It was inherited from another test file when resizing was not implemented.
Potentially resizing is a dangerous operation anyway. In general the new file can overlap the next block in memory (not in image). For example, modules can't be moved to another address because they are preloaded on a some address and does not have relocation table. To be safe you should check it in memory map (I don't remember for sure but I think my utility can print the memory map).

fast-tl

At least one of you guys is whining like a little girl. Either cooperate or do you own separate thing. It's not as if we're dealing with copyright infringement here.

ak217

If you look on dates of the files in that archive you can notice that they were created almost half year before your thread.
I don't know which readme you are talking about but in the file readme.txt form the cebin.zip that I just downloaded you can read this:
replaceFile <filename> <new_file_path> - replace file <filename> in ROM
image with file <new_file_path>. Be very careful with this command. Please
note that addresses in image must be recalculated if the sizes of files are
different. The utility does it but I can't garantee that it does everything.

Sorry if that explanation is not clear. I know that my English is not good.