Pajero 4WD Club of Victoria Public Forum > Vehicles > Generation 4-2 Pajero NT model 2009 - 2011

Post #1, NathanNT, 23-02-10
Dissecting the Aussie MMCS

Summary: This thread is intended to assist in our efforts to dissect the Aussie version of the MMCS found in the Pajero. While assistance is welcome, please avoid bringing up things like - "can you disable such-n-such for me?" and "can you add feature-x or support for y?". The simple fact is we are not up to that stage yet.

WHAT WE KNOW

1. The Australian Pajero MMCS has no hard-drive (overseas versions have a hard drive).

2. The unit appears to be an Eclipse system as a whole (possibly an AVN119M or some such). This is based on:
2a. The string "FUJITSU TEN LIMITED" contained in loading.kwi
2b. The following site contains the fit guides for the Pajero. http://www.fujitsu-ten.co.jp/eclipse...s/m000261.html
2c. You can use Google to translate the following page to find other relevant fit guides for various models: http://www.fujitsu-ten.co.jp/eclipse...itsubishi.html (The Pajero is in the middle - the link with the H18.10 is the latest information).

3. A very _similar_ loading.kwi file is used in the Mazda CX-9. The following link contains several pages with useful information: http://denso.wikispaces.com/
3a. According to this site, internal chips used include the "Naviem Denso", and various other sources cite this as a multi-OS supporting chip. It appears to be used in the Toyota Prius.
3b. It is based on a Toshiba TX49 CPU. According to Toshiba it appears to be MIPS based. This is consistent with observations of the code found in loading.kwi.

4. Cannot find the link right now, but someone did post a link to the schematic of the MMCS. It looks fairly close to the unit we have, and is consistent with the contents of loading.kwi.

HIDDEN MENUS

Two codes are currently known to work:
1-3-1-3-1-3-4-2
4-2-4-2-4-2

We do not know where these codes are stored, and as such cannot currently identify any other codes. However, we do know where the strings are that are used in the menus, and as such can work backwards to figure out where the menus are generated.

DISASSEMBLY OF THE KWI

We currently have a simple bit of C code that can pull the loading.kwi file apart into individual segments. The first 0x50 bytes contain basic information, including the "magic" string "MIUT", some sort of short name, some sort of type, and a longer string / description.

Following the header are 4-byte memory offsets. The first four bytes are most likely where the segment is loaded into memory. The remaining four bytes appear to be entry points of some sort.

We can confirm the CPU is NOT an m32c, sh4, or for that matter anything with a variable instruction length. The machine language instructions are fixed length, 4 bytes each. It is little endian, and MIPS instructions appear correct.

Disassembly can be done via several methods, however the most efficient method is currently being worked on. For those who have done this before, download binutils, configure with "--target=mips-elf". Use "as" and "objdump" as you require.

OPERATING SYSTEM

It is not WinCE. Note: The Naviem appears to have something called the "Windows Automotive" as a possible operating system. This appears to be used in non-Australian systems, and is probably a light-weight WinCE type version (assuming MS could do something that light weight!).

ITRON, muTRON, TRON etc are _specifications_, NOT operating systems. As such you can have an OS that complies with these specifications.



Hopefully I have covered the key points here. If I have missed _relevant_ links, please add as required.

Last edited by NathanNT; 25-02-10 at 05:16 PM.
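The header layout described under "DISASSEMBLY OF THE KWI" above, as an added parsing example (this is not the C tool mentioned in the post, and the sample image is constructed, not a real loading.kwi). It checks the "MIUT" magic, pulls the printable strings out of the 0x50-byte header without assuming where the short name and description sit, and reads the words after the header as (load address, entry point) pairs. The string positions in the sample and the pairing of the two words are assumptions; the post only says the first four bytes are probably the load address and the next four look like entry points.

```python
import re
import struct

HEADER_LEN = 0x50
MAGIC = b"MIUT"

# Constructed sample, not a real loading.kwi: a 0x50-byte header holding the
# magic, a short name and a longer description, followed by one
# (load address, entry point) pair. The positions of the two strings inside
# the header are an assumption.
_hdr = bytearray(HEADER_LEN)
_hdr[0x00:0x04] = MAGIC
_hdr[0x04:0x0c] = b"BLK.OSG\0"
_hdr[0x10:0x20] = b"BlockOutScreen\0\0"
SAMPLE_KWI = bytes(_hdr) + struct.pack("<II", 0x37400000, 0x37400190)


def header_strings(header):
    """Printable runs of four or more bytes after the magic, so no field offsets are assumed."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{4,}", header[4:])]


def parse_kwi(data):
    """Validate the magic, collect the header strings, and read the 4-byte words
    that follow the header as (load address, entry point) pairs (an assumption)."""
    if len(data) < HEADER_LEN or data[:4] != MAGIC:
        raise ValueError("not a MIUT image")
    header, body = data[:HEADER_LEN], data[HEADER_LEN:]
    usable = len(body) - len(body) % 8          # ignore a trailing partial pair
    pairs = [struct.unpack_from("<II", body, i) for i in range(0, usable, 8)]
    return {"magic": data[:4], "strings": header_strings(header), "segments": pairs}


if __name__ == "__main__":
    info = parse_kwi(SAMPLE_KWI)
    print("strings:", info["strings"])
    for load, entry in info["segments"]:
        print(f"load {load:#010x}  entry {entry:#010x}")
```

Run it against a real loading.kwi by replacing SAMPLE_KWI with the file contents; if the magic check fails you are not looking at the image format the post describes.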

Post #2, NathanNT, 23-02-10

See page 6 of the following PDF. Note reference to "Naviem":
http://www.t-engine.org/english/arch...213_u11_en.pdf

We might be able to get the source code:
http://www.t-engine.org/

Post #3, Black_NS, 24-02-10

Quote: Originally Posted by NathanNT

2. The unit appears to be an Eclipse system as a whole (possibly an AVN119M or some such).
Manufactured by Kenwood (under licence?). Note the model number on the photos by jasonw on this post.

Post #4, NathanNT, 24-02-10

I should mention, if anyone has corrections for the summary above, let me know.

On a second note, I have spent quite some time messing around with objdump and parts of the code. To cut a long story short, objdump will work, but will not make our life easy. So I am going to write something myself (a good few hours' work) which will take the required short-cuts to make the long-term job much faster (and should they change the loading.kwi in the future, a very simple job to rework any changes).

Post #5, grobinson, 24-02-10

Quote: Originally Posted by NathanNT
if anyone has corrections for the summary above, let me know...

HIDDEN MENUS

Two codes are currently known to work:
1-3-1-3-1-3-2-4
4-2-4-2-4-2
The first code is 1-3-1-3-1-3-4-2.

Grant

Post #6, NathanNT, 25-02-10

Code has been corrected in the first post.

Now, for those playing at home - During the weekend the disassembler should be ready for use. But to give a glimpse...

Quote:
func_0x190:
190: 27bdffd0 addiu sp,sp,0xffd0
194: afbf002c sw ra,0x2c(sp)
198: 0dd000c5 jal 0x314
19c: 00000000 nop
1a0: afa0001c sw zero,0x1c(sp)
1a4: 3c013740 lui at,0x3740
1a8: afa00024 sw zero,0x24(sp)
1ac: 242105a8 addiu at,at,0x5a8 ;0x374005a8
1b0: afa00020 sw zero,0x20(sp)
1b4: 3404015e ori a0,zero,0x15e
1b8: 0020f809 jalr xxx
1bc: 27a5001c addiu a1,sp,0x1c
This is part of the function from "BLK.OSG - BlockOutScreen". So the best guess is it either clears the screen, or it turns the power to the screen off. Several features:

1. addiu and sw are messing with the stack pointer and the return address (ra). This is a clear indicator of the start of a function.

2. jalr and addiu (the last two lines) are the same sort of thing (xxx is some disassembler code I have to finish off) - except a clear indicator of a function exit.

3. The code is optimised. See the alternation between sw and lui (line 1a0 onwards). sw is a "store word", which uses memory, and thus is slow. So this is interspersed with code that manipulates the CPU only.

4. Points 1,2 and 3 are suggestive of a compiler / high level language in use (expected, but helps confirm it).

5. The lui and addiu instructions are setting up a memory access to location 0x374005a8. Given the BLK.OSG module is loaded at offset 0x374005a8, we can find offset 0x05a8 within the file. This sort of thing is critical for working out strings and variables. Once complete, the disassembler should for the most part identify the variable / string. This makes life easier later.

There is still some stuff I am reading up on (never touched mips before, so some of this is a learning experience for me too) - such as how the CPU talks to other chips etc.
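The lui/addiu address resolution from point 5, and the fixed-length little-endian MIPS decoding described under "DISASSEMBLY OF THE KWI" in the first post, as an added worked example. This is not NathanNT's disassembler; it is a small decoder for just the opcodes in the listing above, with a register tracker that follows lui followed by addiu/ori on the same register and reports the 32-bit value that pair builds, then maps that value back to a file offset. The sample words are the hex column of the listing, repacked. The load base 0x37400000 is an assumption chosen so that the 0x3740xxxx value the pair builds lands inside the module; with it, the jal at 0x198 decodes to 0x37400314 (the post's "jal 0x314"), and the jalr at 0x1b8 calls through the register holding 0x374005a8.

```python
import struct

# Constructed sample: the twelve words of the func_0x190 listing, taken from the
# hex column of the post and packed little-endian (file offsets 0x190..0x1bc).
SAMPLE_WORDS = [
    0x27bdffd0, 0xafbf002c, 0x0dd000c5, 0x00000000,
    0xafa0001c, 0x3c013740, 0xafa00024, 0x242105a8,
    0xafa00020, 0x3404015e, 0x0020f809, 0x27a5001c,
]
SAMPLE_CODE = b"".join(struct.pack("<I", w) for w in SAMPLE_WORDS)
SAMPLE_FILE_OFFSET = 0x190

# Assumption: BLK.OSG is mapped at this base, so file offset 0x5a8 is virtual
# address 0x374005a8, the value the lui/addiu pair in the listing builds.
LOAD_BASE = 0x37400000

REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()


def fields(word):
    """Split a 32-bit MIPS word into opcode, rs, rt, rd, funct, unsigned and signed imm."""
    op, rs, rt = word >> 26, (word >> 21) & 0x1f, (word >> 16) & 0x1f
    rd, funct, imm = (word >> 11) & 0x1f, word & 0x3f, word & 0xffff
    simm = imm - 0x10000 if imm & 0x8000 else imm
    return op, rs, rt, rd, funct, imm, simm


def decode(word, pc):
    """Decode the handful of opcodes the listing uses; anything else is left as .word."""
    op, rs, rt, rd, funct, imm, simm = fields(word)
    if word == 0:
        return "nop", ""
    if op == 0x00 and funct == 0x09:            # jalr rd,rs (rd = ra is the usual form)
        return "jalr", REGS[rs] if rd == 31 else f"{REGS[rd]},{REGS[rs]}"
    if op == 0x03:                              # jal: 26-bit index << 2, top 4 bits from PC+4
        target = ((pc + 4) & 0xf0000000) | ((word & 0x03ffffff) << 2)
        return "jal", f"{target:#x}"
    if op == 0x09:
        return "addiu", f"{REGS[rt]},{REGS[rs]},{simm:#x}"
    if op == 0x0d:
        return "ori", f"{REGS[rt]},{REGS[rs]},{imm:#x}"
    if op == 0x0f:
        return "lui", f"{REGS[rt]},{imm:#x}"
    if op == 0x2b:
        return "sw", f"{REGS[rt]},{simm:#x}({REGS[rs]})"
    return ".word", f"{word:#010x}"


def disassemble(code, base, file_offset):
    """Return (listing lines, resolved constants). A constant is recorded when an
    addiu/ori extends a value that a lui placed in the same register."""
    known = {}                     # register number -> 32-bit value built so far
    lines, resolved = [], []
    for i in range(0, len(code) - len(code) % 4, 4):
        (word,) = struct.unpack_from("<I", code, i)
        pc = base + file_offset + i
        mnem, ops = decode(word, pc)
        op, rs, rt, rd, _, imm, simm = fields(word)
        note = ""
        if mnem == "lui":
            known[rt] = imm << 16
        elif mnem in ("addiu", "ori"):
            if rs in known:
                known[rt] = (known[rs] + (simm if mnem == "addiu" else imm)) & 0xffffffff
                resolved.append((pc, known[rt]))
                note = f" ; {known[rt]:#010x}"
            else:
                known.pop(rt, None)            # result depends on an untracked register
        elif mnem == "jalr":
            if rs in known:
                note = f" ; -> {known[rs]:#010x}"
            known.pop(rd, None)                # link register is overwritten
        elif mnem == "jal":
            known.pop(31, None)                # ra is overwritten
        lines.append(f"{pc:x}: {word:08x} {mnem} {ops}{note}".rstrip())
    return lines, resolved


def to_file_offset(addr, base):
    """Map a resolved virtual address back to an offset in the module file, or None."""
    return addr - base if addr >= base else None


if __name__ == "__main__":
    listing, consts = disassemble(SAMPLE_CODE, LOAD_BASE, SAMPLE_FILE_OFFSET)
    print("\n".join(listing))
    for pc, val in consts:
        print(f"{pc:#x}: builds {val:#010x} -> file offset {to_file_offset(val, LOAD_BASE):#x}")
```

The tracker deliberately forgets a register as soon as it is written from something it has not followed, so it only reports addresses it can actually account for; that is the property that makes the resolved offsets safe to use when looking up strings and variables in the file.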

Post #7, NathanNT, 25-02-10

Slow progress... but none-the-less... After many profound brain thingys inside my head, I have found the first part of how the service menu is displayed. First you need to pull out BPE.FILE (using a tool I wrote earlier in the week). Next, we find "S e r v i c e" at offset 7de2c0 in that file. Dump the 7d, and we have e2c0 as a memory offset.

Now, search for c0 e2 in BPE.FILE and go cross-eyed looking for it. I was expecting to see a whole bunch of code, but as it turns out, we end up with a "map" of sorts... At offset 7d8220, we find the following:

c0 e2 69 4c 04 00 00 00 08 00 00 00
08 e3 69 4c 04 00 00 00 3e 00 00 00
10 e3 69 4c 04 00 00 00 0b 00 00 00

So, the first 4 bytes contain the offset in some fashion. The next 8 bytes contain the location to display the string on the screen (I think) in X,Y coordinates. I think it only does 8 bytes at a time. Hmmm... looking at it, the X,Y coords may come first...

From this we should be able to find something that actually displays the menu and waits for input. This should also allow reconstructing each screen, and thus how various service information is obtained in order to display it.

Can someone tell me the nag screen prompt (ie what is the actual text displayed on the screen)?
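The 12-byte "map" rows quoted in the post above, as an added parsing example (not the tool from the post; the sample bytes are the three rows quoted there, and nothing else from BPE.FILE). It splits the table into records of three little-endian dwords, reproduces the "search for c0 e2" step as an aligned 16-bit scan, and relates a row back to the string it refers to under the assumption that the low 16 bits of the first dword are an offset inside the 0x7d0000 block where "Service" was found at 0x7de2c0. The meaning of the second and third dwords (the post's X,Y guess) is left as labelled fields.

```python
import struct

# Constructed from the three rows quoted above (found at BPE.FILE offset 0x7d8220);
# this is not a dump of a real BPE.FILE.
SAMPLE_MAP = bytes.fromhex(
    "c0e2694c 04000000 08000000"
    "08e3694c 04000000 3e000000"
    "10e3694c 04000000 0b000000"
)
MAP_OFFSET = 0x7d8220
# Assumption: the low 16 bits of the first dword index into the 0x7d0000 block
# where "Service" sits at 0x7de2c0 (the post's "dump the 7d" step).
STRING_BLOCK = 0x7d0000

RECORD = struct.Struct("<III")      # three little-endian dwords, 12 bytes per row


def parse_record(blob, table_offset, pos):
    """Decode the 12-byte row at `pos`, annotating where each piece came from."""
    ref, f2, f3 = RECORD.unpack_from(blob, pos)
    return {
        "at": table_offset + pos,                      # file offset of this row
        "ref": ref,                                    # raw first dword, e.g. 0x4c69e2c0
        "string_offset": STRING_BLOCK | (ref & 0xffff),
        "field2": f2,                                  # the post guesses these two are X,Y
        "field3": f3,
    }


def parse_map(blob, table_offset):
    """Split a table of 12-byte rows into records; a trailing partial row is ignored."""
    usable = len(blob) - len(blob) % RECORD.size
    return [parse_record(blob, table_offset, pos) for pos in range(0, usable, RECORD.size)]


def find_le16(blob, value, align=4):
    """Aligned offsets where the little-endian 16-bit `value` occurs (the 'c0 e2' search)."""
    needle = struct.pack("<H", value)
    return [i for i in range(0, len(blob) - 1, align) if blob[i:i + 2] == needle]


def records_for_string(blob, table_offset, string_offset):
    """Rows whose first dword's low 16 bits match a known string's file offset."""
    return [parse_record(blob, table_offset, pos)
            for pos in find_le16(blob, string_offset & 0xffff)
            if pos + RECORD.size <= len(blob)]


if __name__ == "__main__":
    for rec in parse_map(SAMPLE_MAP, MAP_OFFSET):
        print(f"{rec['at']:#x}: ref={rec['ref']:#010x} -> string at {rec['string_offset']:#x}"
              f"  f2={rec['field2']}  f3={rec['field3']}")
    print(records_for_string(SAMPLE_MAP, MAP_OFFSET, 0x7de2c0))
```

To use it on the real file, load BPE.FILE as `blob` with table_offset 0 and call records_for_string with the offset of any string you have already located; each hit is a candidate row to examine, and the ones whose other fields look like screen coordinates are the ones worth following.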

Post #8, apsilon (Hills District NSW), 26-02-10

Quote: Originally Posted by NathanNT
Can someone tell me the nag screen prompt (ie what is the actual text displayed on the screen)?
How about a pic so you can even see the layout?



I'd love to get rid of this screen.

Post #9, The Commodore (Macarthur Region NSW), 26-02-10

Bloody oath!!!

That would be worth more than a case of Crownies!!!

Regards......

Post #10, NathanNT, 27-02-10

This looks like a promising OS... It has all the right phrases...
Denso, Fujitsu Ten, TKernel, ECLIPSE (AVN7406HD), supports TX9 processor.

http://www.esol.co.jp/english/embedd...tml#denso_ften

This is the best guess of what we have. Now we just need technical information. We may be able to get away with the TKernel base as ESol seems to be an extension.