Hello. I am new here and the first thing I do is bring a dead topic up to the top. Not a good way to start, but here we are.
I don't have a Qashqai (too big for me), but I have information. All I wanted to find out is why the LCN2kai (internal name of the satnav unit) in the Nissan Note E12 will do DAB radio and the same LCN2kai in the Nissan Micra K13 will not do DAB radio. It is exactly the same hardware, so it is just a stupid and needless limitation by Nissan executives.
And thereby started the exploration of firmware.
TLDR: There is a lot of potential in this, but I fear there are so few interested Nissan drivers that nobody will care.
So...
Nissan Connect LCN2kai FW D502 is based on Linux 2.6.34.13. It uses MontaVista Linux 6. You basically have an entire Linux system at your disposal in your car, waiting to be discovered!
You can connect a USB Ethernet adapter (e.g. TP-LINK UE300 worked) and it will be available to you on IP 172.17.0.1.
It expects your PC to be at 172.17.0.5 and configures itself for a gateway at 172.17.0.6 (unused).
There is a Bosch virtio driver compiled into the Linux kernel. It makes that available at 172.17.0.136. It would be interesting to extract it from the kernel image to see what exactly is supposed to happen on that IP.
USB Ethernet must be available at startup or the init scripts will not load the drivers for it. Long press POWER button to force a reboot.
Do not bother to portscan the LCN2kai. All ports are firewalled except 22. Port 22 is always open but it seems sshd is not running by default, so it is useless. All other ports are closed by iptables. Also, portscans are slowed down by iptables rate limiting.
There are provisions to boot the LCN2kai into developer mode but I do not know how to trigger it. It must be done using Fastboot from what I understand.
Going by the startup scripts, booting into developer mode will enable sshd and you will get a shell after logging in as root. The root user has no password.
There are rx and tx scripts left over from Bosch developers to send/receive files using netcat, but if you have ssh you can probably just use scp or sftp.
The LCN2kai system is based on an ARM CPU. I do not know what type at this point.
User interface is written in C++. All binaries are unstripped.
The entire user-facing GUI lives in a huge 50MB binary called "prochmi_out.out". There are other binaries for navigation, phone, SXM (USA radio system), etc. It seems only one can run at a time; e.g. you can't see the map while talking on the phone handsfree.
I disassembled prochmi_out with IDA Pro but my ARM assembly skill is not that high. Also it is C++ so the disassembly is a giant mess.
So far I have the D502 unmodified firmware image, but the updater refuses to flash it on my 2017 Micra K13. It tells me to reinsert the USB stick and reboots after 60s. The firmware image can be extracted and all the info is there (no encryption), but it is a digitally signed update, so if you modify it, the updater will just refuse to flash it by default. There may be a bypass though.
It seems if you have D502, you cannot reflash D502. Updater expects a higher version number. But that is my speculation only so far...
The question is how to get into the developer mode. There is probably a JTAG header if you open up the LCN2kai, but that goes too far for me. I don't have great soldering skills and lack the required parts.
The road forks basically two ways from here:
1. Get LCN2kai into developer mode and then go nuts using SSH
2. Get LCN2kai to accept unsigned firmware images and then just patch the startup of sshd into the firmware directly
Who has the skill to help? Would be happy to collaborate with people who have the required reverse engineering skills.
Tried reaching out to Black_Rojer, but email bounced. Also I think his main interest is selling Navi SD cards at acceptable prices.
Would be great to get more hardware knowledge though.
PS:
Can someone who has an LCN2kai with working DAB+ send me a picture of the antenna connector in the back? I wonder if DAB+ will just magically work if the antenna is connected in a certain way. Also I am trying to find out why the Micra K13 will show me a clock in the top right of the screen but the E12 Note will not. No luck so far.
Also it seems there are actually more service menu options than are shown by default.
Anyway, that is all I know.
Peace!
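The post mentions a root account with no password in an unencrypted, extractable image; a firmware review would check every account for that. The sketch below is an added example, not part of the original post and not Nissan or Bosch code. It assumes the standard Linux `passwd`/`shadow` colon-separated formats, and all sample data is constructed.

```python
"""Flag accounts that can log in without a password in passwd/shadow text."""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_colon_file(text, min_fields):
    """Yield field lists from a colon-separated account file, skipping junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def passwordless_accounts(passwd_text, shadow_text=""):
    """Return [(user, uid, shell)] for accounts with an empty password field.

    An 'x' in passwd defers to shadow; a '*' or '!' hash means locked.
    """
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text, 2)}
    findings = []
    for f in parse_colon_file(passwd_text, 7):
        user, pw, uid, shell = f[0], f[1], f[2], f[6]
        if pw == "x":
            # Missing shadow entry: treat as locked rather than empty.
            pw = shadow.get(user, "*")
        if pw == "" and shell not in NOLOGIN_SHELLS:
            findings.append((user, int(uid) if uid.isdigit() else -1, shell))
    return findings


# Constructed sample data, not taken from any real firmware image.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
service::1000:1000::/home/service:/bin/sh
"""
SAMPLE_SHADOW = """\
root::10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
"""

if __name__ == "__main__":
    for user, uid, shell in passwordless_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user} (uid {uid}) can log in with no password, shell {shell}")
```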