Gee it makes my head spin all this "pointers to tables of pointers to memory locations of text ....". You're doing a great job Nathan! Keep up the good work.

Grant

A new fun game...

So you all want a fun game to play?

*Warning* I have no idea what the following may or may not do - so proceed at your own risk. I have theories... and will explain below.

Stage 1: Access the Error Log.
a. Turn the car to "ACC" and hit "Agree"
b. Press the Audio button, then Power to turn the audio off.
c. Enter the magic code 1-3-1-3-1-3-4-2 (top, bot, top, bot, top, bot, left, right)
d. You should now see the service menu. Select "Error Log" from the left.

Stage 2: About the Error Log screen
a. On the top left you will see the current memory location being displayed. On mine this seems to default to A 0 1 4 0 2 0 0.
b. To the right of this is three buttons (1, 2 and 4). Press these - they change the byte order being displayed (1 is the same format as loading.kwi, 4 is the complete reverse).
c. Next to those buttons is the X button thing. This is what I call the "goto" button. When you enter a new memory location, press this button to take you to that location.
d. Below the memory location are arrow buttons. You can use these to slowly change the memory location. (Then press the goto button).
e. On the far right are the page up/page down buttons.
f. At the bottom you will see "write" - you can safely press this button and the bottom of the screen will now have more buttons you can press.
g. Use the 0-9 and A-F buttons combined with the arrow buttons to change the memory locations. Don't forget the "goto" button once you have entered the memory location.
h. Try and avoid the Output and Output Charge button. These have something to do with modifying ROM/RAM. If you hit "Output", select RAM - if you really fluff something up at least disconnecting the battery should fix it.
i. Press the "Back" button to return to the full screen memory display.

Why is this important? First up we can confirm what things look like in the memory of the MMCS (I have already confirmed a couple of assumptions).

Next, we may be able to change RAM values on the fly to test theories - rather than having to burn a DVD and "flash" the system every time. I have yet to test, but we may also be able to monitor memory locations while the car is being driven. I will try a few tests of this tomorrow.

For example, if you page up to location A0140000 and select "1" as the byte ordering, you will see a whole bunch of dates on the right hand side. For example, mine showed 2010 0503 ???? - where the ???? are clearly times. Given that is the date today, the times appear to be UTC/GMT (a quick guess). So this may be some form of log information and may change while driving (guess what I will check tomorrow).

Enjoy...

Post Script: I may have a potential solution that is very simple...

While searching for other information, I found that apparently the Eclipse units installed have a wire connecting to the park brake sensor. Apparently by grounding this wire, everything that is normally disabled during movement will become enabled.

Just do a search for: eclipse "parking brake" ground

I may try it when I have a movement... does anyone know where the connector from the MMCS to the park brake sits?

I'm not sure its that simple, at least with the Kenwood MMCS, as you don't need the handbrake on to play DVDs. It may however explain why Keith's speed pulse generator does not enable you to play DVDs when moving but allows satnav programming etc. Perhaps to allow the playing DVDs on the move the MMCS looks for a low speed pulse AND some other indication of lack of motion such as handbrake on (or maybe from the GPS). You could test the handbrake theory simply by disabling the switch on the handbrake lever.

After messing around trying all sorts of things, the "parking brake" trick does not work.

Another thing I was thinking was the dealers may have a special version of the DVD which can be loaded to override the defaults.

(My main motivation is not so much DVD in motion stuff, more the AUX input and the nag screen - I actually require the AUX video input enabled during forward motion to receive a signal from a wireless camera. Ironically it is far safer for me to have the AUX input rather than twist and turn in the drivers seat... so back to disecting the code).

VERY GOOD NEWS...

So here is a clue... first, we have the Pajero NT ACC file:
00002250 cc 19 00 00 cc 1f 00 00 53 74 61 72 74 00 00 00 |........Start...|
00002260 52 65 53 74 61 72 74 00 48 64 64 53 74 6f 70 00 |ReStart.HddStop.|

Next we have the Toyota v5.1 ACC file:
00002200 53 74 61 72 74 00 00 00 52 65 53 74 61 72 74 00 |Start...ReStart.|
00002210 48 64 64 53 74 6f 70 00 4d 53 74 69 63 6b 53 74 |HddStop.MStickSt|

It turns out ALL the loading.kwi files I have got are all based on MIPS code, and there is virtually no difference between the code. Which means we can simply plug and play with different modules till we get what we want.

So, the theory is the Toyota v5.1 still had the "Override" option in the hidden service menus. Someone also was able to patch some earlier model Mitsubishi sat nav systems as well. All I need to do is find which module, what code was patched, and apply the same to the Pajero code... at least I think that will do...

Good work dude! looking forward to the steps. I am happy to be a guinea pig! If you can also get fuel consumption working (like the manual states) i'll give you beer money!

Just be warned that you will need a PAL wireless camera, as despite the wiring diagram saying PAL or NTSC input the AUX input won't accept NTSC (at least not on my NT Activ). I couldn't find anywhere in the Satnav menus or the hidden menus to change this.

I had no problems... When you have an input connected to the AUX feed, touch the screen, select settings, and you can switch from PAL to NTSC.

Thanks mate! Nothing in the manual of course.

Just looking through what the differences are between the Toyota v5.1 and MMCS... Large chunks of the code are exactly the same, but then again, other large chunks are different. I am going to try a few "nasty" little tricks first (kinda like open heart surgery with a pair of bolt cutters) such as creating a mutant Loading KWI file with most of the MMCS kwi file, but the v5.1 stuff that contains the "Override" option.

If that does not work, I will have to pull things apart in a more refined manner until I find the "Override" option. Eventually I will have to do this anyway - once we have the code we could simply add a menu option elsewhere to enable it (rather than through the service menus).

Right... where is that chainsaw...!!!!

You're a brave man Nathan.
I remember reading that you cannot downgrade the firmware to a lower number. Unless there a way to clear the roms you will be stuck using a disk with a hacked version number. ie: to revert back to the v15 disk you will have to hack the version number of the code on the standard v15 disk.

Absolute cods-wallop (always wanted to say that).

Right... good news is the MMCS unit has been well thought out by Fujitsu-Ten / Eclipse - it will be hard to brick the unit (basically this means it is hard to make the unit into a useless paperweight by "playing" around like I am).

The bad news is the first triple heart bypass has failed. So... lets see what we now know...

Updating the software: This is easy - enter the diagnostics menu (13131342) and select "Loading". Hit "yes". CAUTION: This will reload the software from your disk (however it seems to keep your settings such as radio stations).

If the built-in "boot loader" is not happy with the new software, it will lock up telling you not to turn off the power. Unfortunately I had no choice at that stage as I was trying every option to get the stoopid DVD to eject.

Ejecting a disk when the system is suck in the "boot loader" process: This took me 45mins to figure out... Pressing the tilt button still works, and indeed, many of the radio functions also work. The trick to get the Map DVD to eject has something to do with the touch screen. I tried several sequences, but suspect the method is this:
1. Push the tilt button to "open" the unit.
2. Press the touch screen in the center until you hear the DVD being ejected. If that does not work, try something like (top left, bot right, TL, BR, TL, BR, TR, BL then center).

My system is back to the way it was now. Later on the weekend I will try something a little more graceful in the way of melding the two Loading.kwi files together. For those who want to know what I did this time:

Download the v5.1 Toyota loading.kwi file.

The following three (unix) commands basically take the start of the MMCS file including the Program Block, and the rest from the Toyota file, and mash them together.

dd if=MITSU.KWI of=start.bin bs=1024 count=312
dd if=TOYOTA.KWI of=end.bin bs=1024 skip=312
cat start.bin end.bin > LOADING.KWI

Then burn new CD (as per many instructions on the net) using the new Loading.kwi file and your original map cd.

I found this also. I did find another option in one of the service menus called initialise memory. It then gave a warning about don't turn the system off until told to do so. Once turned off and on again it reloaded everything off disk and wiped all setting, inc radio stations, phone book, user settings etc. Back to a blank canvas.

Hope it helps
Steve

Just a quick update... I have tried bypass operations number 3 and 4 today (#2 was late last night). #3 I managed to convince most of the first stage of the boot loader to start, and in #4 I got the boot loader to at least be a little happier and take another step along the road to a modified bit of code.

On ejecting the DVD if it gets stuck / fails... Press "tilt" button to Open the unit. Then press the top right of the touch screen. The dvd will eject.

The next operation will probably be next weekend - I have to write a special program to reconstruct a KWI file so it loads correctly.