Page 1 of 4

Source Code Here!

Posted: Tue Jan 03, 2017 3:45 pm
by duncho
I was wondering whether anyone from the forum would be able to modify the Linux base of Nissan Connect firmware if I provide the source code?

Here is the link to:
1. OSS license terms: http://oss.bosch-cm.com/download/Nissan ... CN2KAI.txt
2. Source code to D5xx firmware: http://oss.bosch-cm.com/download/Nissan ... t_D50x.zip

It would be nice to fix the bugs that BOSCH was unable to solve from 2014 as well as to add functionalities as is DVB-T2 tuner or video support to allow play video files from USB stick.

Re: Source Code Here!

Posted: Tue Jan 03, 2017 8:08 pm
by redqashqai
duncho wrote:add functionalities as is DVB-T2 tuner or video support to allow play video files from USB stick.
Nissan Connect modifications in the area of video streaming could have serious implications to say the very least. Who would sign off the mod for safety/insurance purposes?

Re: Source Code Here!

Posted: Tue Jan 03, 2017 8:53 pm
by rod9669
I'd have said it was just as safe as checking facebook when you're doing 56mph down the motorway

Re: Source Code Here!

Posted: Tue Jan 03, 2017 9:04 pm
by redqashqai
rod9669 wrote:I'd have said it was just as safe as checking facebook when you're doing 56mph down the motorway
If that is true then Nissan Connect is one dangerous piece of kit!

Glad I only use it for listening to my Doris Day collection. ;)

Re: Source Code Here!

Posted: Wed Jan 04, 2017 8:27 am
by Deleted User 759
duncho wrote:I was wondering whether anyone from the forum would be able to modify the Linux base of Nissan Connect firmware if I provide the source code?

Here is the link to:
1. OSS license terms: http://oss.bosch-cm.com/download/Nissan ... CN2KAI.txt
2. Source code to D5xx firmware: http://oss.bosch-cm.com/download/Nissan ... t_D50x.zip

It would be nice to fix the bugs that BOSCH was unable to solve from 2014 as well as to add functionalities as is DVB-T2 tuner or video support to allow play video files from USB stick.
Cant help you with the code side of things, however do you know the spec of the hardware behind the system? It may struggle if it does not have the CPU/GPU (or APU...) powerful enough to display more than, essentially text!

Re: Source Code Here!

Posted: Wed Jan 04, 2017 8:52 am
by duncho
No good news... So the "code" that BOSCH published is nothing else just formal abidance of Linux license. This source codes contain only open source codes that BOSCH used – Linux, some drivers for Linux, file system for Linux. But applications are missing. Other words to say it is absolutely useless. We would need a buddy in BOSCH to help with fix of bugs. Other than that is utopia.

Re: Source Code Here!

Posted: Wed Jan 04, 2017 8:54 am
by Deleted User 759
...OR..... could it be hacked around with enough to create a completely custom ROM and application?! Hard work maybe, but may get lucky that the legwork has already been done. Downside is probably the loss of maps due to encryption

Re: Source Code Here!

Posted: Wed Jan 04, 2017 9:29 am
by duncho
If could someone hack it, there is bilion of possibilities. I doubt someone would want to have old OE maps, but TomTom, iGo, Garmin or any other map which supports life traffic. But I'm strongly skeptical as hacking it is really tough job if possible at all.

Re: Source Code Here!

Posted: Sun Jul 23, 2017 10:28 am
by covfefe
Hello. I am new here and the first thing I do is bring a dead topic up to the top. Not a good way to start, but here we are. :oops:

I don't have a Qashqai (too big for me), but I have information. All I wanted to find out is why LCN2kai (internal name of satnav unit) in Nissan Note E12 will do DAB radio and same LCN2kai in Nissan Micra K13 will not do DAB radio. It is exactly the same hardware, so it is just a stupid and needless Limitation by Nissan executives.

And thereby started the exploration of firmware. :)

TLDR: There is a lot of potential in this, but I fear there are so few interested Nissan drivers that nobody will care.

So...

Nissan Connect LCN2kai FW D502 is based on Linux 2.6.34.13. It uses Monta Vista Linux 6. You basically have an entire Linux system at your disposal in your car, waiting to be discovered!

You can connect a USB Ethernet adapter (e.g. TP-LINK UE300 worked) and it will be available to you on IP 172.17.0.1.

It expects your PC to be at 172.17.0.5 and configures itself for a gateway at 172.17.0.6 (unused).

There is a Bosch virtio driver compiled into the Linux kernel. It makes that available at 172.17.0.136. Would be interesting to extract it from the Kernel image to see what exactly is supposed to happen on that IP.

USB Ethernet must be available at startup or the init scripts will not load the drivers for it. Long press POWER button to force a reboot.

Do not bother to portscan the LCN2kai. All ports are firewalled except 22. Port 22 is always open but it seems sshd is not running by default, so it is useless. All other ports are closed by iptables. Also portscans are slowed down by iptables rate limiting.

There are provisions to boot the LCN2kai into developer mode but I do not know how to trigger it. It must be done using Fastboot from what I understand.

Going by the startup scripts, booting into developer mode will enable sshd and you will get a shell after logging in as root. root user has no password.

There are rx and tx scripts leftover from Bosch developers to send/receive files using netcat, but if you have ssh you can just probably use scp or sftp.

LCN2kai system is based on ARM CPU. Do not know what type at this point.

User interface is written in C++. All binaries are unstripped.

The entire user-facing GUI lives in a huge 50MB binary called "prochmi_out.out" There are other binaries for navigation, phone, SXM (USA radio system), etc. It seems only one can run at a time; e.g. you can't see map while talking on phone handsfree.

I disassemble prochmi_out with IDA Pro but my ARM assembly skill is not that high. Also it is C++ so the disassembly is a giant mess.

So far I have D502 unmodified firmware image, but the updater refuses to flash it on my 2017 Micra K13. It tells me to reinsert USB stick and reboots after 60s. Firmware image can be extracted and all the info is there (no encryption), but it is digitally signed update, so if you modify it, the updater will just refuse to flash it by default. There may be bypass though.

It seems if you have D502, you cannot reflash D502. Updater expects a higher version number. But that is my speculation only so far...

The question is how to get into the developer mode. There is probably a JTAG header if you open up the LCN2kai, but that goes too far for me. I don't have that great soldering iron skills and lack required parts.

The road forks basically two ways from here:

1. Get LCN2kai into developer mode and then go nuts using SSH
2. Get LCN2kai to accept unsigned firmware images and then just patch the startup of sshd into the firmware directly

Who has the skill to help? Would be happy to collaborate with people who have the required reverse engineering skills.
Tried reaching out to Black_Rojer, but email bounced. Also I think his main interest is selling Navi SD cards at acceptable prices.
Would be great to get more hardware knowledge though. :(

PS:
Can someone who has a LCN2kai with working DAB+ send me picture of the antenna connector in the back? I wonder if DAB+ will just magically work if the antenna is connected in a certain way. Also I am trying to find out why the Micra K13 will show me a clock in the top right of the screen but the E12 Note will not. No luck so far.

Also it seems there are actually more service menu options than that are shown by default.

Anyway, that is all I know.

Peace!

Re: Source Code Here!

Posted: Sun Jul 23, 2017 11:07 am
by duncho
Hi Covfefe,
Im impressed, you made already a big step forward! I can ask one guy I know from RU forum whether he could help as to my experience he is pretty good in HW part.
DAB aerial is connected via brown Fakra connector to DAB tuner at back of the head unit. Blue Fakra connector is used for GPS. I have somewhere also the photos, will search and send it to you. Meanwhile I will ask RU forum members whether they could help.
Will come back to you soon!
Cheers