2010 Chevy Equinox
Contents
General Car Hacking
University of Washington study proves that all modern cars equipped with anti-lock brakes sold in the U.S. can be hacked via remote control. The cars can be completely controlled, even when the car is in park with the key out of the ignition. All driver input can be easily disabled.
Hitch Cap
Class II - 3500 lbs - 250-350 tongue weight
My Posts
I broke the side mirrors and they have the heated glass you can buy OEM.
USB Stick Format
- USB MP3 Player and USB Drives
- The USB MP3 players and USB drives connected must comply with the USB Mass Storage Class specification (USB MSC).
- Only USB MP3 players and USB drives with a sector size or 512 bytes and a cluster size smaller or equal to 32 kbytes in the FAT32 file system are supported.
- Hard disk drives are not supported.
- The following restrictions apply for the data stored on a USB MP3 player or USB device:
- Maximum folder structure depth: 11 levels.
- Maximum number of MP3/WMA files that can be displayed: 1,000
- WMA with Digital Rights Management (DRM) from online music shops cannot be played. WMA files can only be played back safely if they were created with Windows Media Player version 8 or later.
- Applicable playlist extensions are: .m3u, .pls.
- Playlist entries must be in the form of relative paths.
- The system attribute for folders/files that contain audio data must not be set
Bluetooth A2DP Mod
http://www.equinoxforum.net/index.php?topic=5839.0
http://www.terrainforum.net/index.php?topic=4522.0
http://www.amazon.com/ACDelco-22797218-Player-Interface-Assembly/dp/B0055B0QUS
http://www.terrainforum.net/index.php?topic=3769.msg50083#msg50083
Lockpick 2010 Equinox
- http://www.buickforums.com/forums/showthread.php?t=19615
- http://s130.beta.photobucket.com/user/godzson35/media/VIDEO0009.mp4.html
- https://www.youtube.com/watch?v=QAtvOT35Ek4
- http://www.pac-audio.com/productDetails.aspx?ProductId=984&CategoryID=34
Notes
GM BUS
Looks Like I have: 44-pin 29-bit GM LAN radio
Talking to some folks they call it: 29Bit v2
General Motors GMLAN
What is GMLAN? It is General Motors new Serial Communication Protocol that has been introduced in a couple of 2004 vehicles. These vehicles still use the Class2 protocol for engine management and will have a gate way between it and GMLAN. The next couple of years Class2 protocol will be replaced by GMLAN. The GMLAN is based off the Controller Area Network (CAN) protocol. GMLAN is a reliable and cost effective way to send data between different Electronic Control Units (ECU’s) in the vehicle.
GMLAN supports 3 different speed buses:
Low Speed - Uses Single Wire (refered to as Single Wire CAN or SWCAN). Used in security, doorlocks/windows and other low speed non-Real Time data. Mid Speed - High Speed - Uses Two Wire twisted pair. Primarily used for Powertrain and Chassis Devices as well as Anti Lock Brakes.
Let’s Chime In: GM 29 bit CAN Chime Control
For those of you who like to leave there car keys in the ignition while the driver door is open or who don’t where a seat belt, you’ve heard the Chime and have probably cursed it many, many times. Well I can help you defeat it or embrace it.
First you need to gear up. You will need to connect to the GM Single Wire CAN bus. This is on PIN 1 of the DLC (OBD II port). SW CAN runs at 33,333 bps (standard rate). So once you hooked up your device (see earlier posts for info on these), you should be able to communicate with the vehicle over SW CAN.
So now you just need to know the message, but first a crash course in GMLAN 29 bit ID.
The 29 bit ID is broken into three pieces. The Priority, Parameter ID, and Source Address. The priority is the first 3 bits of the ID. Priority allows for more important messages to get greater access to the network in the case of high network congestion. This leaves 26 bits reaming of the 29 bits. These are divided evenly amongst the Parameter ID and the Source Address (i.e. 13 bits each).
The Parameter ID is essentially the ID for what will be sent in the data portion of the frame. The Source Address is the node that sent the message. So messages from the address 040 all come from the same node. Cool huh!?
So let’s get to CHIME already…
Chime has a parameter ID of 0x0F. This means that if you want to send Chime you must put 0x0F starting at the 26th most signifigant bit. For example 0x1001E060 would be a chime command (0xF) with priority 4 (0 is highest priority) and send from node 0x60. Its easier to explain when we see this in binary. 0x0F is #b0:0000 0000:1111. So we put the whole ID together by taking the priority then parameter ID then source address. This will give us #b1:0000 0000:0001 1110:0000 0110:0000 (where the parameter ID is in bold).
Ok now that we’ve finished with the ID, let’s look at the data. The data portion is what is defining all of the characteristics of the Chime. In other words will this be a long chime or a short one, a click sound or a ding sound, a one-time sound or multiple times? There are 5 bytes that define all of these characteristics. So you will see that you can do a lot.
The first four bits of the first byte (the most signifigant nible) defines the speaker that this sound will come out of. For the front left speaker it is the most signifigant bit (or bit 7 of the byte). Next is the passenger (bit 6), then the rear driver side (bit 5), then rear passenger side (bit 4). So if you wanted to make the sound in only the driver speaker then you would send 0x8X in the first byte (where X is irrelivent).
The second nibble of the first byte describes the type of sound it will be. Either a beep or a click. Experiment to find out what these are.
The second byte describes the intonation of the chime. So you can adjust this on your own as well.
The third byte is the amound of repetitions you would like the sound to make. So if you want the chime to happen three times. This should be set to 3.
The fourth byte describes the duty of the chime. Experiment with this on your own.
Last byte is unknown currently. But if you know send me an email, I’ll update this entry.
So if you would like to send chimes to your car, here you go. If you want to cancel a chime, it should be good enough to have your software wait for a chime command and simply send one of its own with a really fast chime and a 0% duty cycle. That should end the last chime command.
Good luck and as always click on the contact link above if you have questions! Left Shift << 2
NU-GM3
- The NU-GM3 is a Navigation Unlock integration interface that allows the factory Navigation & Bluetooth Features of your 44-pin 29-bit GM LAN radio to be used by the passenger at anytime.
- Installed unit in vehicle. Unlocked DVD video while driving, address navigation/input is unlocked, etc. I did not hook up the unit to the backup DVD camera as I did not have the time to run the wire to power the reverse camera.
- When you unlock the nav/vid/etc features while driving the software on the GPS thinks you are in park and the GPS does not update the navigation as fast, sometimes the car gps does not think that it is moving.
Bypass
- Connector:
Lockpick Sites
- pac-audio.com
- http://www.coastaletech.com/
Hard Drive
The hard drive is IDE and like the one pictured here: http://www.hgst.com/internal-drives/enterprise/endurastar/endurastar-j4k50
HITACHI Endurastar 40GB Hard Drive FOR AUTOMOTIVE GPS HEJ425040F9AT00
Copying the Hard Drive
People use MHDD to dump the host protected area but I do not have a system to do that with right now and there is a great chance that the drive does not store its password in the HPA. Some exploits can be stored in HPA too as a reminder.
The drive is security locked so I need to get it unlocked before I can use it. I think the simplest method is going to be to do some man in the middle stuff on it. Here is someone doing something more complicated:
I think I am just going to boot the car up, let the unit unlock the hard drive, shut the car off, keeping the HD powered and copy it that way.
- Got an image of the drive. Initially I had to take the drive back into the house after the car unlocked it because I had not power outside but the UPS I had with me, but I think the drive would figure out that it was not connected anymore. I had to quickly swap the drive to a USB adapter in the car, checks if it was accessible, and then I then carried it in.
- I did not have much trouble with disconnecting the drive while the car was running, sometimes the radio would error out about cannot access map data, but after that, if I plugged the drive in correctly, it would work just fine.
- I ended up using cardboard, painters tape, 2x laptop IDE to standard IDE, 2x male to male laptop connectors, an IDE cable, and some cardboard. It was a pain to get the male connector to plug into the back of the radio with it, the adapter, and the cable taped to some cardboard. I initially lined it up to the left side, but I think there are pin holes there for the cable select jumpers. I found it was easier to align to the right with someone holding the flashlight. There were a few times while I was doing it that I thought I would fry the radio, as part of the IDE connector on a laptop disk servs power....the radio would not turn on if I plugged the cable in wrong, but once I unplugged the cable, it would work just fine.
- I think if I need to do this again, I am going to make a fake laptop drive with my adapter in and cable out the other side it so it fits in just like a reg hard drive. Unplug and plug, simple.....
Misc
- www.navigation.com/is-bin/INTERSHOP.enfinity/WFS/Navteq-NavteqNorthAmerica-Site/en_US/-/USD/ViewStandardCatalog-Browse?CatalogCategoryID=hlUKCghBzhoAAAE6OjZpoJOe&ShowAllProducts=YES
NAV UPDATE
22744758 - RADIO
- http://www.gmpartsclub.com/oem-part/cadillac/srx/2011/performance/2-8l-v6-gas/body-hardware/sound-system/radio/22744758
- http://www.tonkinonlineparts.com/showAssembly.aspx?ukey_product=6196904&ukey_assembly=826629
- Global A Radio
I read a site that stated that Global A was an connecting architecture and not the type of radio.
- PI0285: Inconsistent Rear Back-Up Camera Operation, Bluetooth Delay, Intermittent Audio Concerns, Blank DVD Display, Various Additional Navigation Radio/Clock Concerns - (Nov 4, 2010)
- "I Agree" screen is displayed every ignition cycle.
- http://chevroletforum.com/forum/tahoe-suburban-25/2012-global-high-nav-disc-46447/page2/
First, you do not have a color touch radio; they were not introduced until this year. What you have is what is called the High Feature Nav unit.
19212052
Pictures:
Bluetooth Mod:
- Has to do with a PCIM replacement (ACDelco 22797218 Multi Media Player Interface Module Assembly) that has extended functionality to support phone streaming. One of the primary concerns of doing this is (besides if it will work) that will the radio need to be refreshed or something of that nature.
- It looks like from this post (http://www.terrainforum.net/index.php?topic=2759.0) that a user stated: No security code is needed, the radio is registered to the car's BCM.
Add Hard Drive:
Steering Wheel Control Interface
- Axxess Metra ASWC-1 Universal Steering Wheel Control Interface with New Micro B Connector (Black)
- http://www.amazon.com/Axxess-ASWC-1-Universal-Interface-Connector/dp/B00B4PJC9K
Rear Camera Info and Powering a Device from mirrors
DIVX
From what I have read it looks like for divx videos to play you have to first register the car at the website using the code and url in the radio. You will then download a video and burn it or copy it to usb and play it in the car. This will unlock divx functionality.
- I have reports that user coded rips will play after this. You can also rip dvds I think and also download drm video files from the divx portal.