DoosaiWolf

I apologize in advance if this is the wrong place for this post/thread.

We all hate that out precious navigation system is locked down, there are plenty of posts about it and what I would consider to be not so great workarounds that are either too costly or too cumbersome.

I have been extensively researching the system hardware and software for the past 6 months off and on in my free time with hopes of a patch that can be applied to the DVD to override the lockout functions. During this process I have learned more than I ever wanted to know about the Car Industry's Navigation Technology and how Toyota/Denso pretty much dominate this area across so many OEM and aftermarket brands.

I don't want to go into a lot of technical detail here but I will say that there is extensive documentation out there on the Kiwi file format and that the cpu being used is supposed to be the Hitachi SH3.

The biggest thing I have to say here is that apparently the Mitsubishi navigation shares the same software platform and base code as the factory Toyota/Lexus/Eclipse/(enter other brand names here). The only difference is each manufacturer can slightly modify the graphical appearance and button layout of the interface. What is important though is that a patch has been successfully made to the Mitsubishi navigation (it is an HDD system). The patch was performed on the loading.kwi file and basically it unlocks the system without any hidden menu options, wire hack/cut tricks, or plug and play options.

So what I don't get is why Mitsubishi owners have been the only people with any success in this area. I am hoping one day to round up enough people with interest in taking this damn thing apart and fixing it ourselves once and for all. I really like the navigation system when it is unlocked I even like my Gen 4 version, Gen 5 is nice but there is something about the Gen 4 that I still like even though the graphics don't look as good (has something to do with the colors and on screen button shapes, yes I am weird). Maybe its because its the version I am used to that I have installed in my MR2 Spyder.

Let me also say that my interest isn't just in Gen 4 only but rather all Gen systems if possible. I don't think Toyota/Denso are taking notice here on the lockout issue that people hate so much and if their software is seriously hacked it might be an eye opener to them that they should work with customers rather than against them.

TWong350

iTrader: (8)

Thanks for the post and welcome to CL. I agree with you and I'm sure there are folks on this forum with the technical knowledge (like yourself) to accomplish it. Surely we have some coders on this site!

I'm going to keep an eye on this thread in hopes of something coming out of it. I think it's time.

villemus

i guess it comes down to customer base,

Mitsubishi has a much bigger customer base compare to lexus.

i had a bmw e46 before, it uses ibus language, everything gets cracked~ hope someone can do it to the lexus.

DoosaiWolf

Great, at this point I am hoping others will bring what they know to the table. I will also try to contact the author of the patch for the Mitsubishi Denso based navi. Maybe we can get some support there.

Currently I have tried to decompile the code in the loading.kwi file based on the assumptions it was written for the SH3 cpu but I have so far been unsuccessful. The way the loading.kwi file is constructed seems to be part of it's protection mechanism. The binary is storing more than just code so it is almost like the file needs to be parsed before it can be decompiled.

I've used a utility written in python that is specifically written to parse the file and dismantle it into it's different pieces, it is supposed to also have the ability to repack the file but I haven't had any success breaking it apart as the python script was giving me errors when trying to execute. I have also used IDA Pro as this supports the decompilation of SH3 binary. What I have learned is the software has some C++ references but IDA is unsuccessful at the breakout as it cannot find the proper start point in the file.

If anyone has attempted this and had more success I would love to discuss.

ivanz

Probably a number of factors. First of all is age. Mitsubishi owners are quite younger than Lexus owners; and younger people often have jobs in software engineering and such that allows them to know what to do.
Second is ease of access. The Mitsubishi nav (at least on the Outlander/Lancer) takes 5 mins to remove basically and doesn't involve removing a large part of the dash/centre console.
The Mitsubishi NAV hack involved finding the key to use the hard drive (which took quite a bit of work) and then figuring out which file to modify to get it. Lexus has the HDD key most likely along with possible some extra protection in place.

I personally hope it doesn't get cracked soon, as I just had someone almost sideswipe me today programming their GPS (which is illegal here while in motion).

DoosaiWolf

The HDD key was just a factor in accessing the files, once accessed the contents of drive held a loading.kwi file just like the DVD based systems which is what was patched. Regardless of how easy it is for a Mitsubishi owners to remove their system in our case most users will be able to easily access their DVD drive. I am not sure about HDD access for Lexus owners but I am interested in discovering the secrets of the loading.kwi file regardless whether or not the media is HDD or DVD based.

I agree drivers should not use the navigation while in motion. I don't feel however that Lexus should be policing the use of paid for hardware and software. The responsibility should be on the driver and not the manufacturer.

Think about it this way, you can change CDs and the Radio while driving, you can mess with Bass/Med/Treble settings while driving, people mess with their phones while driving, you can even adjust your seat while driving. There are no mechanisms in place to prevent a driver from doing these and many other things while driving. I don't feel it would be appropriate for a manufacturer to decidedly lock down the car even more so in an attempt to make driving safer. The issue isn't the technology and its ability to be used, the issue is the user itself and their acknowledging the dangers when they take on the responsibility of driving.

If we dumb down the user experience of a car too much we are teaching drivers that they themselves are not responsible and need not be responsible. Its just like this crap about cars accelerating out of control because of throttle by wire technology. If the car is moving out of control then turn it off, I would. Drivers could even put the car in neutral and use other methods to slow down and bring the car to a stop. The issue here again is that the responsibility should be on the driver to know how to use their car properly before driving so that they can handle anything that comes their way.

In any event this is all open for debate but the goal here in this thread is merely the discussion of the possibility of the software patch.

DoosaiWolf

I finally had the time and went back and found the forum posts for the Mitsubishi software patch. I registered for the forum and sent the people involved a message asking for their assistance.

Unfortunately I hadn't done this sooner as I have been tied up with other things that have been going on. I did however want to take the time to let anyone interested know that I haven't given up yet on pursuing a patch to remove the vehicle in motion lockouts of the Lexus/Toyota, Eclipse, and other brand labeled navigation systems that use the loading.kwi KIWI format software.

As soon as I hear something back I will write another update.

EyeKutr

iTrader: (5)

Keep us posted, I would like to know how to do this !!!

DoosaiWolf

I'll do my best, thanks for the support!

villemus

for BMW, there is "navcoder". (can change heaps of things in the nav)

it'd be good to have a navcoder for Lexus.

nonetheless, keep up the good work and we are willing to be the test mule.

SNiiP3R

iTrader: (3)

You can pretty much contact any group of cr@ckers today, and they'll be more than happy to do it for free, just so they could slap their group name on the patch (cracked by ....) and claim they were the first.

The problem for them is obtaining the DVD disc and testing it. Well, even if they do get a copy of the disc, its still wont be easy to patch the thing, since as far as I know you cant run this software on neither PC/Mac. The software must be running so that they could see using a debugger which part of the code is responssible for locking/unlocking the features. Once they know the right offsets, its easy to write the patch.

You can probably do it yourself, if you can find where the 5mph value is stored. Using a Hexeditor program you can change that 5 to 150 and it will lock the features at 150mph instead. You must of course know what you are changing, since there could be 10s or even 100s values of 5 stored.

98OysterES

iTrader: (4)

any updates?

EyeKutr

iTrader: (5)

I would like to add a comment.....there is no 5MPH value anywhere. If you look into the secret menu accessed with the INFO button being pressed and headlights being turned on and off 3 times....you will see where there is a submenu where the "speed" clicks are seen....the faster the car is moving, the more clicks (if I recall) are recorded. In fact in the tundra forums, some guy had made a click generator that made the car think it was moving like 1mph when a switch is thrown.... this allowed the car to move smoothly AND always have the menu items available

Here is a link ...
http://www.coyotetruck.com/ct/NavMods.aspx

David M

I am keenly interested in this solution, too.
On some cars, the navi cpu is a derivative of the MIPS 4000 processor and is running in 64 bit version. It also appears that the "multi-Os" it's using is based upon Linux.

Ken300

Thank goodness someone is looking into fixing this once and for all. I can't bring much to the effort but certainly support the efforts of anyone to fix this horrible oversight.
I often drive with my wife or with a golfing partner... they should be able to access
the Nav system without me having to pull to the side of the road.

I can offer my car, my Nav DVDs or even some limited financial support if needed.
Someone fix this system once and for all... great
Ken