Difference between revisions of "2010 Chevy Equinox"

From Hack Sphere Labs Wiki
Jump to: navigation, search
(Copying the Hard Drive)
(Copying the Hard Drive)
Line 144: Line 144:
 
*I ended up using cardboard, painters tape, 2x laptop IDE to standard IDE, 2x male to male laptop connectors, an IDE cable, and some cardboard.  It was a pain to get the male connector to plug into the back of the radio with it, the adapter, and the cable taped to some cardboard.  I initially lined it up to the left side, but I think there are pin holes there for the cable select jumpers.  I found it was easier to align to the right with someone holding the flashlight.  There were a few times while I was doing it that I thought I would fry the radio, as part of the IDE connector on a laptop disk servs power....the radio would not turn on if I plugged the cable in wrong, but once I unplugged the cable, it would work just fine.
 
*I ended up using cardboard, painters tape, 2x laptop IDE to standard IDE, 2x male to male laptop connectors, an IDE cable, and some cardboard.  It was a pain to get the male connector to plug into the back of the radio with it, the adapter, and the cable taped to some cardboard.  I initially lined it up to the left side, but I think there are pin holes there for the cable select jumpers.  I found it was easier to align to the right with someone holding the flashlight.  There were a few times while I was doing it that I thought I would fry the radio, as part of the IDE connector on a laptop disk servs power....the radio would not turn on if I plugged the cable in wrong, but once I unplugged the cable, it would work just fine.
 
*I think if I need to do this again, I am going to make a fake laptop drive with my adapter in and cable out the other side it so it fits in just like a reg hard drive.  Unplug and plug, simple.....
 
*I think if I need to do this again, I am going to make a fake laptop drive with my adapter in and cable out the other side it so it fits in just like a reg hard drive.  Unplug and plug, simple.....
 +
 +
==Information about the Data on the Drive==
 +
<pre>
 +
gdisk -l /dev/loop0
 +
GPT fdisk (gdisk) version 0.8.10
 +
 +
Partition table scan:
 +
  MBR: MBR only
 +
  BSD: not present
 +
  APM: not present
 +
  GPT: not present
 +
 +
 +
***************************************************************
 +
Found invalid GPT and valid MBR; converting MBR to GPT format
 +
in memory.
 +
***************************************************************
 +
 +
Disk /dev/loop0: 78140160 sectors, 37.3 GiB
 +
Logical sector size: 512 bytes
 +
Disk identifier (GUID): 6CFB583D-488D-44F5-B5AB-4A9DC39E26D1
 +
Partition table holds up to 128 entries
 +
First usable sector is 34, last usable sector is 78140126
 +
Partitions will be aligned on 1-sector boundaries
 +
Total free space is 16376 sectors (8.0 MiB)
 +
 +
Number  Start (sector)    End (sector)  Size      Code  Name
 +
  1              63        48821534  23.3 GiB    0700  Microsoft basic data
 +
  5        48821598        53705294  2.3 GiB    0700  Microsoft basic data
 +
  6        53705358        55456379  855.0 MiB  0700  Microsoft basic data
 +
  7        55456443        57416309  957.0 MiB  0700  Microsoft basic data
 +
  8        57416373        76951349  9.3 GiB    0700  Microsoft basic data
 +
  9        76951413        78124094  572.6 MiB  0700  Microsoft basic data
 +
</pre>
  
 
=Misc=
 
=Misc=

Revision as of 18:35, 22 November 2014

General Car Hacking

University of Washington study proves that all modern cars equipped with anti-lock brakes sold in the U.S. can be hacked via remote control. The cars can be completely controlled, even when the car is in park with the key out of the ignition. All driver input can be easily disabled.


Hitch Cap

Class II - 3500 lbs - 250-350 tongue weight


My Posts


I broke the side mirrors and they have the heated glass you can buy OEM.

USB Stick Format

  • USB MP3 Player and USB Drives
    • The USB MP3 players and USB drives connected must comply with the USB Mass Storage Class specification (USB MSC).
    • Only USB MP3 players and USB drives with a sector size or 512 bytes and a cluster size smaller or equal to 32 kbytes in the FAT32 file system are supported.
    • Hard disk drives are not supported.
    • The following restrictions apply for the data stored on a USB MP3 player or USB device:
      • Maximum folder structure depth: 11 levels.
      • Maximum number of MP3/WMA files that can be displayed: 1,000
  • WMA with Digital Rights Management (DRM) from online music shops cannot be played. WMA files can only be played back safely if they were created with Windows Media Player version 8 or later.
    • Applicable playlist extensions are: .m3u, .pls.
    • Playlist entries must be in the form of relative paths.
    • The system attribute for folders/files that contain audio data must not be set

Bluetooth A2DP Mod

http://www.equinoxforum.net/index.php?topic=5839.0

http://www.terrainforum.net/index.php?topic=4522.0

http://www.amazon.com/ACDelco-22797218-Player-Interface-Assembly/dp/B0055B0QUS

http://www.terrainforum.net/index.php?topic=3769.msg50083#msg50083

Lockpick 2010 Equinox


Notes

GM BUS

Looks Like I have: 44-pin 29-bit GM LAN radio

Talking to some folks they call it: 29Bit v2

General Motors GMLAN

What is GMLAN? It is General Motors new Serial Communication Protocol that has been introduced in a couple of 2004 vehicles. These vehicles still use the Class2 protocol for engine management and will have a gate way between it and GMLAN. The next couple of years Class2 protocol will be replaced by GMLAN. The GMLAN is based off the Controller Area Network (CAN) protocol. GMLAN is a reliable and cost effective way to send data between different Electronic Control Units (ECU’s) in the vehicle.

GMLAN supports 3 different speed buses:

   Low Speed - Uses Single Wire (refered to as Single Wire CAN or SWCAN). Used in security, doorlocks/windows and other low speed non-Real Time data.
   Mid Speed -
   High Speed - Uses Two Wire twisted pair. Primarily used for Powertrain and Chassis Devices as well as Anti Lock Brakes.


Let’s Chime In: GM 29 bit CAN Chime Control

For those of you who like to leave there car keys in the ignition while the driver door is open or who don’t where a seat belt, you’ve heard the Chime and have probably cursed it many, many times. Well I can help you defeat it or embrace it.

First you need to gear up. You will need to connect to the GM Single Wire CAN bus. This is on PIN 1 of the DLC (OBD II port). SW CAN runs at 33,333 bps (standard rate). So once you hooked up your device (see earlier posts for info on these), you should be able to communicate with the vehicle over SW CAN.

So now you just need to know the message, but first a crash course in GMLAN 29 bit ID.

The 29 bit ID is broken into three pieces. The Priority, Parameter ID, and Source Address. The priority is the first 3 bits of the ID. Priority allows for more important messages to get greater access to the network in the case of high network congestion. This leaves 26 bits reaming of the 29 bits. These are divided evenly amongst the Parameter ID and the Source Address (i.e. 13 bits each).

The Parameter ID is essentially the ID for what will be sent in the data portion of the frame. The Source Address is the node that sent the message. So messages from the address 040 all come from the same node. Cool huh!?

So let’s get to CHIME already…

Chime has a parameter ID of 0x0F. This means that if you want to send Chime you must put 0x0F starting at the 26th most signifigant bit. For example 0x1001E060 would be a chime command (0xF) with priority 4 (0 is highest priority) and send from node 0x60. Its easier to explain when we see this in binary. 0x0F is #b0:0000 0000:1111. So we put the whole ID together by taking the priority then parameter ID then source address. This will give us #b1:0000 0000:0001 1110:0000 0110:0000 (where the parameter ID is in bold).

Ok now that we’ve finished with the ID, let’s look at the data. The data portion is what is defining all of the characteristics of the Chime. In other words will this be a long chime or a short one, a click sound or a ding sound, a one-time sound or multiple times? There are 5 bytes that define all of these characteristics. So you will see that you can do a lot.

The first four bits of the first byte (the most signifigant nible) defines the speaker that this sound will come out of. For the front left speaker it is the most signifigant bit (or bit 7 of the byte). Next is the passenger (bit 6), then the rear driver side (bit 5), then rear passenger side (bit 4). So if you wanted to make the sound in only the driver speaker then you would send 0x8X in the first byte (where X is irrelivent).

The second nibble of the first byte describes the type of sound it will be. Either a beep or a click. Experiment to find out what these are.

The second byte describes the intonation of the chime. So you can adjust this on your own as well.

The third byte is the amound of repetitions you would like the sound to make. So if you want the chime to happen three times. This should be set to 3.

The fourth byte describes the duty of the chime. Experiment with this on your own.

Last byte is unknown currently. But if you know send me an email, I’ll update this entry.

So if you would like to send chimes to your car, here you go. If you want to cancel a chime, it should be good enough to have your software wait for a chime command and simply send one of its own with a really fast chime and a 0% duty cycle. That should end the last chime command.

Good luck and as always click on the contact link above if you have questions! Left Shift << 2

NU-GM3

  • The NU-GM3 is a Navigation Unlock integration interface that allows the factory Navigation & Bluetooth Features of your 44-pin 29-bit GM LAN radio to be used by the passenger at anytime.
  • Installed unit in vehicle. Unlocked DVD video while driving, address navigation/input is unlocked, etc. I did not hook up the unit to the backup DVD camera as I did not have the time to run the wire to power the reverse camera.
  • When you unlock the nav/vid/etc features while driving the software on the GPS thinks you are in park and the GPS does not update the navigation as fast, sometimes the car gps does not think that it is moving.

Bypass

Lockpick Sites

Hard Drive

The hard drive is IDE and like the one pictured here: http://www.hgst.com/internal-drives/enterprise/endurastar/endurastar-j4k50

HITACHI Endurastar 40GB Hard Drive FOR AUTOMOTIVE GPS HEJ425040F9AT00

Copying the Hard Drive

People use MHDD to dump the host protected area but I do not have a system to do that with right now and there is a great chance that the drive does not store its password in the HPA. Some exploits can be stored in HPA too as a reminder.

The drive is security locked so I need to get it unlocked before I can use it. I think the simplest method is going to be to do some man in the middle stuff on it. Here is someone doing something more complicated:

I think I am just going to boot the car up, let the unit unlock the hard drive, shut the car off, keeping the HD powered and copy it that way.

  • Got an image of the drive. Initially I had to take the drive back into the house after the car unlocked it because I had not power outside but the UPS I had with me, but I think the drive would figure out that it was not connected anymore. I had to quickly swap the drive to a USB adapter in the car, checks if it was accessible, and then I then carried it in.
  • I did not have much trouble with disconnecting the drive while the car was running, sometimes the radio would error out about cannot access map data, but after that, if I plugged the drive in correctly, it would work just fine.
  • I ended up using cardboard, painters tape, 2x laptop IDE to standard IDE, 2x male to male laptop connectors, an IDE cable, and some cardboard. It was a pain to get the male connector to plug into the back of the radio with it, the adapter, and the cable taped to some cardboard. I initially lined it up to the left side, but I think there are pin holes there for the cable select jumpers. I found it was easier to align to the right with someone holding the flashlight. There were a few times while I was doing it that I thought I would fry the radio, as part of the IDE connector on a laptop disk servs power....the radio would not turn on if I plugged the cable in wrong, but once I unplugged the cable, it would work just fine.
  • I think if I need to do this again, I am going to make a fake laptop drive with my adapter in and cable out the other side it so it fits in just like a reg hard drive. Unplug and plug, simple.....

Information about the Data on the Drive

gdisk -l /dev/loop0
GPT fdisk (gdisk) version 0.8.10

Partition table scan:
  MBR: MBR only
  BSD: not present
  APM: not present
  GPT: not present


***************************************************************
Found invalid GPT and valid MBR; converting MBR to GPT format
in memory. 
***************************************************************

Disk /dev/loop0: 78140160 sectors, 37.3 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 6CFB583D-488D-44F5-B5AB-4A9DC39E26D1
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 78140126
Partitions will be aligned on 1-sector boundaries
Total free space is 16376 sectors (8.0 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              63        48821534   23.3 GiB    0700  Microsoft basic data
   5        48821598        53705294   2.3 GiB     0700  Microsoft basic data
   6        53705358        55456379   855.0 MiB   0700  Microsoft basic data
   7        55456443        57416309   957.0 MiB   0700  Microsoft basic data
   8        57416373        76951349   9.3 GiB     0700  Microsoft basic data
   9        76951413        78124094   572.6 MiB   0700  Microsoft basic data

Misc

  • www.navigation.com/is-bin/INTERSHOP.enfinity/WFS/Navteq-NavteqNorthAmerica-Site/en_US/-/USD/ViewStandardCatalog-Browse?CatalogCategoryID=hlUKCghBzhoAAAE6OjZpoJOe&ShowAllProducts=YES

NAV UPDATE

22744758 - RADIO


  • Global A Radio

I read a site that stated that Global A was an connecting architecture and not the type of radio.


First, you do not have a color touch radio; they were not introduced until this year. What you have is what is called the High Feature Nav unit.


19212052

Pictures:

Bluetooth Mod:

  • Has to do with a PCIM replacement (ACDelco 22797218 Multi Media Player Interface Module Assembly) that has extended functionality to support phone streaming. One of the primary concerns of doing this is (besides if it will work) that will the radio need to be refreshed or something of that nature.
  • It looks like from this post (http://www.terrainforum.net/index.php?topic=2759.0) that a user stated: No security code is needed, the radio is registered to the car's BCM.


Add Hard Drive:

Steering Wheel Control Interface

Rear Camera Info and Powering a Device from mirrors

DIVX

From what I have read it looks like for divx videos to play you have to first register the car at the website using the code and url in the radio. You will then download a video and burn it or copy it to usb and play it in the car. This will unlock divx functionality.

  • I have reports that user coded rips will play after this. You can also rip dvds I think and also download drm video files from the divx portal.

Notes