Navigation System Updates

Discussion in 'Leon Mk3 (2012-2020)' started by metomurti, Sep 29, 2013.

  1. springerFR

    springerFR Active Member

    Hi, I've been following the threads and some of it is a little over my head,
    but as Keithjeb suggests, wouldn't imaging software image the data
    from one SD card to another, giving an exact duplicate (clone)?
     
  2. CyberGene

    CyberGene Active Member

    Unfortunately not. There is a protected area which is read only and can't be overwritten on another SD. Well, almost ;) There might be ways which would require quite some hacking though.
     
  3. phil750

    phil750 Active Member

    Hey, got my Leon last week so I've been reading through.

    I have some forensic imaging software used by law enforcement (I have a degree in forensic computing),

    so when I have a spare 10 mins I'll give imaging a go; it should just do a bit-by-bit image including the hidden parts.

    If that doesn't work I'll see if I can have a look at the files and see what I can come up with!
     
  4. keithjeb

    keithjeb Active Member

    Have you tried it? DD will copy various bits of data that aren't visible to the OS, but are still on the disk.

    A CID lock should be breakable; it was on the Garmin maps. The obvious way would be to do a scan for it. I'll grab an 8GB card from Asda tomorrow and give it a crack with DD, then see if I can locate the CID anywhere.
     
  5. Taff

    Taff Full Member

    Just sharing some information about my 5F0.919.866.C SD card with everyone. I can read the CID using (cat /sys/block/mmcblk0/device/cid), and I get:

    09 4150 4D49425354 10 73C41437 0 0CC 00

    Breaking down the fields I have:

    Manufacturer ID: 09 h (assigned by SD card association)
    OEM/Application ID: 4150 h (Assigned by the SD-3C LLC)
    Product Name: 4D49425354 h
    Product Revision: 10 h
    Product Serial Number: 73C41437h
    Manufacturing Date: 0CC h

    Date: 12/2012
    Name: MIBST

    Using (cat /sys/block/mmcblk0/size), it returns 16152576

    So Size of my card = 16152576 x 512 = 8270118912 bytes

    Using Gparted, I can confirm it reads the following info:

    Cylinders 1005 Heads 255 Sectors/track 63

    Total sectors: 16152576
    Sector size: 512

    Existing partitions:

    File System: unallocated
    Size: 4.00 MiB
    First sector: 0
    Last sector: 8191
    Total sectors: 8192

    File System: fat32
    Size: 7.70GiB
    First sector: 8192
    Last sector: 16152575
    Total sectors: 16144385


    As I mentioned earlier, this appears to be a special SD card in that it actually holds more than the usual 8GB. Compare this with a TDK 8GB SD card you can buy off the shelf:

    Name: SD08G, but printed on the back is SD-K08G
    /sys/block/mmcblk0/device/cid: 2750485344303847307ceecef300b900
    /sys/block/mmcblk0/size: 15564800 (7969177600 bytes)

    Cylinders 968 Heads 255 Sectors/track 63

    Total sectors: 15564800
    Sector size 512


    I don't have or know of any tools to read/check the 'protected area' of the card. Not sure where else to look apart from using VCDS cable when it arrives.

    Taff
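
Added example (not part of Taff's post): a small Python decoder for the CID string as Linux prints it in sysfs, run over the two CID values and sector counts quoted above. The field widths follow the standard SD CID register layout; the function and constant names are this example's own.

```python
import re

# Layout of the 128-bit SD CID register as (field, hex digits),
# most significant first. The last byte is the CRC7 plus an end bit.
CID_FIELDS = [("mid", 2), ("oid", 4), ("pnm", 10), ("prv", 2),
              ("psn", 8), ("reserved", 1), ("mdt", 3), ("crc", 2)]

def parse_cid(text):
    """Decode a CID as printed by /sys/block/mmcblkN/device/cid."""
    hexstr = re.sub(r"\s+", "", text).lower()  # tolerate spaced-out input
    if not re.fullmatch(r"[0-9a-f]{32}", hexstr):
        raise ValueError("CID must be exactly 32 hex digits")
    raw, pos = {}, 0
    for name, width in CID_FIELDS:
        raw[name] = hexstr[pos:pos + width]
        pos += width
    mdt = int(raw["mdt"], 16)   # 8-bit year offset from 2000, 4-bit month
    month = mdt & 0xF
    if not 1 <= month <= 12:
        raise ValueError("invalid manufacturing month in CID")
    prv = int(raw["prv"], 16)   # BCD: major.minor
    return {
        "manufacturer_id": int(raw["mid"], 16),
        "oem_id": bytes.fromhex(raw["oid"]).decode("ascii", "replace"),
        "product_name": bytes.fromhex(raw["pnm"]).decode("ascii", "replace"),
        "revision": f"{prv >> 4}.{prv & 0xF}",
        "serial": int(raw["psn"], 16),
        "date": f"{month:02d}/{2000 + (mdt >> 4)}",
    }

def capacity_bytes(sectors, sector_size=512):
    """/sys/block/mmcblkN/size counts 512-byte sectors."""
    return sectors * sector_size

# Values quoted in the post above: the SEAT card, then the retail TDK card.
SEAT_CID = "09 4150 4D49425354 10 73C41437 0 0CC 00"
TDK_CID = "2750485344303847307ceecef300b900"

if __name__ == "__main__":
    for label, cid, sectors in (("SEAT", SEAT_CID, 16152576),
                                ("TDK", TDK_CID, 15564800)):
        print(label, parse_cid(cid), capacity_bytes(sectors))
```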
     
  6. CyberGene

    CyberGene Active Member

    Taff, those are some quite interesting and useful discoveries, thanks for sharing it!

    May I ask what hardware/software/OS you are using to read the CID and have it mounted in /sys/block/mmcblk0/device/cid? It seems this is Linux, but I am wondering if you use additional software in order to read and mount it. I am using Mac OS X and it seems I am only able to browse the FAT32 partition through /Volumes/..., but I guess there might be a way to use the software you are using.
     
  7. Taff

    Taff Full Member

    I am using standard Linux Ubuntu 12.04 LTS distro.

    There is no SW needed to install to read back the CID. The laptop I am using has a built-in SD card reader; I don't know off the top of my head what SD card controller is used in the laptop. I can find out if needed.

    In fact, I can also confirm that a possibly easier option is to download and boot from USB/CD/DVD "partedmagic.com/". Once booted you can open up a terminal and get the same info without having to install Linux on your machine (à la live CD style).

    The added bonus is that you get a partition editor (Gparted) and also Clonezilla, to make an exact image of your disc (partition and data info). It of course doesn't back up or write the "protected area" of an SD card, which by definition is "SECURE". As far as I know, it has remained secure to this day.

    HTH

    PS. In case someone asks, I did use Clonezilla to image my 5F0.919.866.C SD card and restored it to a 16GB SD card, but the SatNav knows it's not a valid SD even though the partition size, arrangement and data are exactly as on the original SD card.

    There must be more to this protected area or something. I was wondering about this odd capacity size of the original SD card, 8.3 GB. Perhaps it simply checks the total sector capacity and if it's not what it expects then it fails the first security check?

    I also honestly believe there are further checks in the SatNav module for validating database versions etc. But this of course is pure speculation. However, there is some truth to it, as a valid SD card with a different SW map/database still fails to work.

    Can someone else check the reported size of their SEAT satnav SD card to correlate data? Please also list your SD card/map part number when doing so.
     
  8. keithjeb

    keithjeb Active Member

    When using clonezilla did you set it to clone the partition or the device? Cloning the device should also have cloned the 4mb partition on to the new sd card.
     
  9. Taff

    Taff Full Member

    I cloned the device as I remember.
     
  10. CyberGene

    CyberGene Active Member

    Protected area cannot be cloned. You can read it but cannot overwrite it. Clonezilla won't help.
     
  11. keithjeb

    keithjeb Active Member

    The protected area that stores the CID yes, I was wondering about the 4mb partition. It looks like I won't get chance to check mine out tonight, but I was hoping that may have data on there coding it to the car, sd card, or version.
     
  12. niggle

    niggle Rollin' on 17s, baby!

    I have the SD card documentation and SPI libraries for the Raspberry Pi to hand. I am going to order an SD card breakout board and start writing some tools to snoop around the CID and other registers on the SD card.
     
  13. CyberGene

    CyberGene Active Member

    Niggle, I am thinking of doing that too. My idea is to get an SD extension cable or SD-to-SDmini adapter to use as input to the raspberry and program the latter to act as a slave, i.e. the raspberry will act as a proxy between the navigation unit and the actual SD card. When it detects a read CID command it will return a predefined value, otherwise it will just transfer the communication to the actual SD card. What I am worried about is whether the raspberry can be programmed to act as a real-time device and react fast enough to the clock signals from the navigation unit host. I've never really written any system software, I am a Java application developer, but all this sounds exciting and the geek in me is thrilled to try it :)
     
    #73 CyberGene, Feb 11, 2014
    Last edited: Feb 11, 2014
  14. niggle

    niggle Rollin' on 17s, baby!

    Wow, emulating the SD card firmware/hardware. That's certainly ambitious. A few challenges that I can foresee:

    1. The sat-nav will almost certainly expect to negotiate successfully for high-speed, 4-bit transfer mode.

    2. You may need to tri-state the MISO line so that the RPi can respond to the master.

    3. You will need to jump in and decouple the SD card's MISO output immediately before it has chance to reply to the GET_CID command. You will also need to watch for when the SD card thinks that it has finished replying and re-enable the MISO output.
     
  15. keithjeb

    keithjeb Active Member

    There's been a recent hack published in relation to MITM attacks on SD cards, so it's certainly feasible; whether it's practical is a different matter.

    This is the situation as I understand it so far:
    • Stock maps on a new SD card don't work
    • New maps on the stock SD card don't work
    • There's a 4MB partition on the stock SD card we haven't read yet

    I'm without the car to test this week, but will be able to play around identifying if there is anything on that 4Mb partition.

    In terms of taking things forward there are a few scenarios:
    1. The 4MB partition contains a version reference, maybe the CID and the Map serial, possibly the VIN
    2. The 4mb partition contains the CID and some map reference, but no VIN
    3. The CID is coded into the car somewhere
    4. The CID is coded into the map files
    5. There's something else we haven't thought of.

    I'll root around the partition this evening and see what I can identify, but it would be useful to know if people have tried swapping the SD card between cars; that rules out 1 and 3 entirely. 1, 2 are going to be solvable unless they've used some insane level of encryption. 3 would require a routine we can hopefully access through VCDS to get the CID in there. 4 would probably be breakable, but is certainly beyond my capability unless it's in plaintext.

    Does this sound about right to people?
     
  16. CyberGene

    CyberGene Active Member

    That sounds right to me.

    However, in regards to the 4MB partition, my theory is that it's the way the protected area is shown to the OS. It is most probably readable data, however it won't be copied over to another card. I could be wrong though. SD cards were created with security in mind and I don't believe they would allow for easy moving of the partition in question between SD cards. Unless of course that's some regular partition created by the guys who created the maps :)

    I think that most probably the navigation unit reads the CID from the SD card and matches it against the dbinfo.txt file content. If they match, then "yes, this is a genuine SD card with stock content". I have experimented by editing the dbinfo.txt (don't remember what exactly) and the unit was showing some load progress for some time (a minute or so) before telling me the content is not valid. So, even if the CID matches the dbinfo.txt info, the maps are probably parsed and a checksum is calculated and matched against the dbinfo.txt.

    In short, the theory again is: CID is read and compared to dbinfo.txt. Maps are loaded, checksum is calculated and compared against dbinfo.txt. Again, this is just a theory and I may be wrong.
     
    #76 CyberGene, Feb 11, 2014
    Last edited: Feb 11, 2014
  17. Taff

    Taff Full Member

    Don't forget what's in the J794 module.

    Here's what's in mine when I did a scan.

    <CODE>
    -------------------------------------------------------------------------------
    Address 5F: Information Electr. (J794) Labels: None
    Part No SW: 5F0 035 858 A HW: 5F0 035 858 A
    Component: MU-S-ND-ER 040 0407
    Serial number: E5F00506132498
    Coding: 04730001FF0A000021111101000800002F0101060100010046
    Shop #: WSC 00049 770 00125
    ASAM Dataset: EV_MUStd6C3PASE 002029
    ROD: EV_MUStd6C3PASE_SE37.rod
    VCID: 29591B2F480CF956E3D-807C

    Media Player Position 1:
    Subsystem 1 - Part No SW: 5F0 919 603 A HW: 5F0 919 603 A
    Component: ABTmin_Std_Nv H45 0020
    Serial number: SEZ8Z9N5600NSR

    Engine Control Module 2:
    Subsystem 2 - Part No SW: 5F0 919 866 C HW: -----------
    Component: ECE 2013 --- 0021
    Serial number: --------------------

    No fault code found.

    -------------------------------------------------------------------------------
    </CODE>

    This matches what the SatNav sees when the SD Card is installed.
    "Navigation database: 5F0919866C 0021 ECE 2013". See Setup / System Information on the Media System Plus.
     
  18. keithjeb

    keithjeb Active Member

    Thanks Taff, can you check the CID on your card? You'd need a *nix/Linux/Mac based system to do it.
     