VIM hack or how can I break my RNS-E?

Discussion in 'RNS-E' started by AudiA4B6US, Apr 3, 2007.

    • Premium Supporter

    AudiA4B6US Super Moderator

    Thanks to Klaus and Brobble I'm proud to announce that the RNS-E VIM unlock tool actually works very well and can be quite useful for many things. If you haven't done so I would recommend to spend some time reading the Nav Hacks topic at http://www.navplus.us/forum/viewtopic.php?t=3056. You should also be familiar with creating an update CD, if not I would recommend to read the software update topic at http://www.navplus.us/forum/viewtopic.php?t=4098&postorder=asc&start=35.

    Since the tool can easily render your RNS-E useless I have to mention a couple of things before talking about the more interesting part.

    If you cannot answer all of the following questions with yes, this topic is not for you and you should use one of the many offerings out there to get video in motion.
    - I know what an RNS-E is.
    - I have a computer and can create a single session ISO 9660 CD.
    - I do have a VAG-COM and already changed the software coding and adaptation channels of the RNS-E.
    - I’m not afraid to render my RNS-E useless making an expensive repair or replacement necessary.
    - I do have access to the European 0080 software or the RNS-E DVD 8P0 919 884 B
    - I’m familiar with creating an update CD to change the region of the RNS-E or downgrade/upgrade the RNS-E software without a map DVD
    - I do not plan to sell update CDs that include the VIM hack and I do not plan to make money for unlocking VIM using the RNS-E mod tool
    - I'm not using a RNS-E with SDS (SDS may get removed when loading the hacked software)

    Since the software on the RNS-E is copyright as well as the map data, the tool does not include the software. For the same reason it is not possible to host an ISO with the modified files. What should be legal is to provide a software tool that allows you to modify certain files from the navigation DVD resulting in a custom update that unlocks video in motion.

    As side effect of removing the lock bit and allow coding for video in motion, the software coding and most adaptation channels will change and will need to be reset. All stored navigation destinations, names and radio presets will get lost as well.

    The process of creating the unlock update CD is the following:
    - Write down the software coding, all adaption channel values, all navigation destinations, names and other personal data as stored in your RNS-E
    - Take the five software update files from the European RNS-E DVD 8P0 919 884 B
    - Start the RNS-E mod tool and read the help text, it contains some important information
    - Modify loading.kwi using Klaus RNS-E mod tool
    - Save the changes
    - Create an update CD
    - Load the update
    - Load the current software
    - Restore the software coding and adaptation channel values as well as navigation destinations, names and presets

    The RNS-E mod tool and process works and has been confirmed by at least three people independent from each other. That’s as much as you get as guarantee that nothing will break. If you are still not scared and brave enough to give it a try, send me an email requesting the RNS-E mod tool that Klaus wrote. To confirm that you know what I’m talking about, include the file name of the mot file that is part of the Euro 0080 software. By requesting the RNS-E mod tool via email you also confirm that you take full responsibility for what happens with your RNS-E.

    [​IMG]

    Thanks again to Klaus and Brobble for figuring out this stuff and making the tool available for free.

    Have fun,
    Dirk

    *********************************
    Update: The VIM Hack and the SDS MOd tool can both be found on Klaus' home page at http://naviedit.de/.
  1. Google

  2. bjarne Member

    Dirk,

    Thank you for coordinating this in the US.

    I am very impressed with the work Klaus et al. has done to make this work, and commend him for making it available for free.

    Do you know if Klaus has a Paypal account that one could make a donation to? If he does, I would encourage anyone using his tool to make a small (or large) donation, I certainly will. I am sure this kind of hacking can get pretty expensive, if you manage to destroy an RNSE or two in the process.

    With this possible without a big hassle, I am actually getting interested in the CarPC project :D

    Bjarne
    • Premium Supporter

    AudiA4B6US Super Moderator

    No PayPal but Klaus loves Schokolade I heard :lol:

    [​IMG]
  3. bjarne Member

    So the only question is, how do we get the Schokolade to him?
  4. NSX JR New Member

    This is huge. Too bad I just spent $$$$ on the VIM unlock tool.
    • Premium Supporter

    PetrolDave Super Moderator

    Shame about this restriction - means I can't try it.

    Looks like I'll have to pay a visit to craigyb in Manchester.
    • Premium Supporter

    AudiA4B6US Super Moderator

    You are welcome to be the first to give it a try but there is the risk that you will lose the SDS flash when loading the 0080 software. So craigyb's method is the better way to go with an SDS unit.
  5. Haaggie Forum Supporter

    I will try it on a SDS unit next week, keep you informed

    Is it really necessary to wait the 12 hours before inserting the 'normal' update?
    • Premium Supporter

    AudiA4B6US Super Moderator

    We have done some tests and it looks like when loading the modified Euro 0080 software followed by loading any US real US software, the lock bit remains removed. But when loading the modified Euro 0080 software followed by any European software, the lock bit gets reset and enabling VIM is not possible. Individual results may vary and more testing is required before we can see exactly what works in which way.
  6. Haaggie Forum Supporter

    ok, just tried it and yes, after using the modified CD channel 005 is on 250.

    Recoding the RNS-E and inserting the 'normal' DVD for the update to the latest EU firmware changed the settings (back) to 0 for channel 005. No possibilty to change it to 250 anymore. Changed 097 again, and back to the modified 0080. Checked, and yes, again 005 on 250. Wait 1 night to go further...?
    • Premium Supporter

    AudiA4B6US Super Moderator

    yes, without any power connected to the RNS-E.
    • Premium Supporter

    PROXUS Super Moderator

    No worries, procedure is not really plug and play and many people don't want to risk unit damage.
    Great find either way ;)
    • Premium Supporter

    AudiA4B6US Super Moderator

    Agreed, the blackbox method is the easier way, especially in Europe where is works without loading the software form another region.
  7. bjarne Member

    I agree that there is always a risk trying something new like this. But as more people do it, we will find out what the risk level is, and hopefully nobody runs into trouble they can't correct.

    I think it is somewhat analogous to when Dirk originally found out how to get US software onto the EU unit. There certainly were no guarantee that we would not render the RNSE useless. Today, after it has been done many many times, it is considered routine, and I don't think anybody really consider it a risk. I think it will go the same way with this operation over time.

    Personally I think the biggest advantage is, that I don't have to send the unit off to somewhere and be without it for a while.

    Just for the record, I updated both my RNSE units successfully and with no problems. As my units are US, I did not have to leave them without power for any period of time. I did lose many of my channel setting and the soft coding, as Dirk mentioned, but I had noted them down before I started, so it was easy to restore.

    Great work Klaus, and thanks,

    Bjarne
  8. zx81-sp Member

    Great job, anyway I'm surprised for the way used, too complex (and dangerous) for just VIM unlocking, probably this is the first step of more stuffs, as you know I don't believe too much in this way to hack our navis unless it works with any firmware (0450, 0550, 0600...), but once again, I'm very impressed with the job.

    A new point of view: since we still need VagCom to use this tool to downgrade to 0080, and thinking just in VIM, probably is easier to develop a tool that use that cable and just modify directly the #05 to 250 like the new black-boxes does (with CAN commands). Old black boxes needs a specific firmware, like the tool of this thread, but new boxes works with every firmware, so we can log the CAN traffic to get the right sequence and after that we just need to use the Vag-Com cable. With a CAN sniffer we can see that traffic, and as you know (or not), every RNS-E uses a different CAN sequence based on his VIN number, but it's a very stupid code, for example, if VIN is AU.....98321 the magic code is 9321, if AU....76231, it's 7231... the rest commands are the same for all navis. You can see a lot of black boxes that only works for one RNS-E (or MMI), they use this method to protect their box, first time you unlock your navi, the box stores the VIN of your navi so if you connect to another RNS-E, the sequence does not works.

    Another way is to modify the firmware in two ways, the first one is rename the firmware from 0080 to 0999, so the navi, with #97 to 0 still will load it, and the new patched firmware must modify both channels, #05 and #97. We know that if we put #97 to 1, the RNS-E always load a new firmware, older o newer than installed, so with that way we does not need the Vag-Com anymore and this hack really will be PnP.

    About SDS, as far as I know a simple firmware upgrade (or downgrade) does not affect SDS, so there not sould be problems with that, with 0080 it does not works but when you return to 0550 (or any other "SDS-ready" firmware) it works again, I've done this tasks for other things and it worked in that way.

    Just some ideas, this is not an "attack"!!

    Regards
    • Premium Supporter

    AudiA4B6US Super Moderator

    The unlock process using a cable or black box is better, or at least safer, but not everybody has a CAN adapter for his PC and a bench test setup for the RNs-E. So unless someone develops an application that uses for example the VAG-COM Hex-CAN cable with a custom application, the costs for this setup will be close to what the personal VIM unlocker costs. Still, this would the ideal way though.

    The VIM hack Klaus and Brobble developed was born by the attempt to find the startup screens and modify those. Long term there might be more applications and eventually they may find a way to swap the pictures in loading.kwi (I know you think there are not in there but they have to be on the DVD since the R8 logo for example got introduced with the newest RNS-E firmware). For now the first application is to remove the lock bit and share that tool for free with the rest of the Audi comunity.

    The way the current VIM hack got developed is also the reason for the SDS warning. Until someone confirms that the SDS flash is not part of the area that gets overwritten by the hacked firmware, there is the risk that you lose SDS because 0080 doesn't contain any SDS code. Hopefully Haggie will be able to do some testing on this subject soon.

    You are correct in regards to not needing a VAG-COM cable to initiate the update process. In theory it is possible to create two update CDs (one for the hack and one for the clean, unmodified firmware) and load both without needing to use VAG-COM. But since the hacked firmware contains and sets adaptation channel values and software coding that are not suitable for your car, you will need the cable to correct those values. And if you don't read off the values from your RNS-E before you load the hacked firmware, you will never know what the correct values will be. I know that Klaus is still working on enhancements of the tool and one day it may be possible to create an update CD that not only contains the correct software coding but also the correct adaptaion channel values. And if we send him lots of Schokolade, who knows, maybe that application can use one day a KKL or CAN cable to read off the values from the RNS-E and compile a loading.kwi that doesn't require any cleanup work anymore.
  9. zx81-sp Member

    I'm talking about use the VagCom cable, not CAN adapter, really not sure if this is 100% possible, but some time ago I was playing with a sniffer and my cable and seems a possible way to do the job, in fact I was adapting TweakRNSE to use it and distribute the tool, but I didn't finish because I started to work with the DIS (graphical mode) and it was too much things at same time.

    About the SDS, if that tool just modify a original firmware to unlock #5, there is no problem. Really the SDS code is in the DVD, but we still don't know how to force the navi to load it, if you downgrade (or upgrade) a RNS-E in normal way, the SDS does not change, that would be also a good hack, in Debug Mode (not Engineering Mode) there is some interesant options, the problem is that we still don't know how to get that menu, sometimes we get it, sometimes not.

    Also I understand that we still need VagCom to restore some channels, for that reason I started talking about hack any firmware, not only 0080, so anybody can do this job with its own DVD, but also I know that firmwares after 0100 are more difficult to hack, as I said, this is just a brainstorm.

    If anybody wan try to play with VagCom cable I can publish the complete CAN sequence to change #97 to 1, just for testing pruposes.

    Now I can not work in anything (a new baby is coming in next weeks so if anybody knows how to hack her firmware to sleep all night, and cry as less as possible, it would be very appreciated :D )

    Regards
    • Premium Supporter

    AudiA4B6US Super Moderator

    Congratulations to the new baby, although that's no reason to not work on new RNS-E hacks :lol:

    If you have an application that can use a VAG-COM Hex-CAN cable to change certain adaptation channels, that would be another great development. So far I though you got it working only with the CANUSB adapter. I also seem to remember that unlocking channel 5 via CAN was only possible with the Euro 0100 firmware loaded, has this changed?

    Regarding the debug mode, do you think it's possible to post some more details about this here, idealy in a new topic. I think I read about this on Audi Iberica but Google trasnlated Spanish is not the best to understand, at least for me. Maybe with m,ore people playing with that we get to the bottom and figure out how to get into it on purpose.
  10. Klaus H. Member

    Hi zx81-sp,

    I agree to you that our procedure is'n the perfect way to enable the VIM function. It is as Dirk said, we are investigating for the boot screen.

    The reason that I only use sw 0080 ist, that in all newer versions the flash management was modified, so it is not possibe to override adaption channels via flash update. During update process, the adaption values will be stored in the ram memory and after cd-update they will be written back to flash and overwrite our own modifications.
    To sds: a regular update will not touch the sds system, but if you check the modified loading.kwi, you will find that t is much bigger than it was before. That is also the reason that a lot of settings will be touched. I can not force the update to write a module to an other offset, the only way is to stretch the module that is at the next offset possition to our target in flash.

    The adaption channel #97 isn't stored in flash, it is only stored in ram, so we can't set it to "1" via update.

    Greetngs
    Klaus
  11. zx81-sp Member

    Well, this is my second baby, if she is like first, believe me, you'll not see me here for a long time :lol:

    I was playing with VagCom cable but just to manage the K line and extract some values for my CarPC project, finally thoght that would be easy to read directly the K line from my own pcb, since I need to manage the CAN traffic between cluster and RNS-E, same pcb reads the K value that I want and send it to the PC, also the DIS was a very hard work so I decided not to spend more time in that way. Anyway when I was looking at the Vagcom cable traffic it seems that we can use for that kind of tasks.

    The unlocking via CAN can be done with 0100 ("old CAN mode") or with any firmware ("new CAN mode"), like MMI black boxes does. I don't have a new black box to log the CAN traffic, but it's a easy task for someone with time and one of that boxes, after that we can study the traffic and modify it to make it "universal". I only have the "old CAN mode" so that's not PnP because it still needs to downgrade to 0100 version, anyway it does not neet a Vag-Com because as you know the #97 changes also via CAN.

    We don't know too much about that, the screen appears sometimes when you touch, and touch, and touch... in EMode, in other threat I published a screenshot, and, for example, let's you force a update (like #97 to 1).

    Regards

Share Audi Forum with friends