Ya, doing a side-by-side comparison is not very helpful... But, you can see the override menu in both the old and new firmwares... So, the actual menu is still in there, but the key sequence to access it has either been changed or removed...

If someone really understood what was going on, they could figure out what bytes/characters in the old firmware represented "upper left, lower left, upper left, lower left" and then find if anything similar existed in the new firmware where the override has been changed/removed...

 

Ya, that's what I'm saying. I figured that the menu was still there. They either changed the sequence to get to it, or they disabled it all together. You'd think by now, in this day and age, that if someone knew the sequence it'd be leaked out by now. So it's possible that they simply disabled it.

But lets suppose they kept the logic to detect that same sequence, but instead of saying something like

"if 'key sequence' jump to override menu"

with something like

"if 'key sequence' do nothing"

The change from "jump to override menu" to "no operation" could be the change of just a few bytes. We might be able to change just these to enable going to that override menu. I have experience reverse-engineering ROM code, just by looking at the hex values.

Would anyone know what kind of microcontroller or microprocessor the NAV system uses to execute its code? That would help of course.

 

I agree... It could be simple to switch back...

In answer to your question, yes, we do know... It's a Hitachi SH-3 or SH-4 processor...

Details:
"CPU (IC201): Hitachi SH-3E, HD6417718R" (Credits to Sonartech)

And I bet I know your next question... And unfortunately, the answer is yes, we suspect the entire language/os is proprietary...

 

thanks. i'll have a look at my firmware today. Only thing is I can't find the stupid tools to remove the clock face. They don't seem to be with the tool kit in the trunk, and I just bought my car a few weeks ago!

 

There should be a flap in the center of the kit when you open it wide covering the two tools you need. Lift the flap, there they are.

 

I bet it's still a RISC based processor. I seriously doubt they'd build a completely proprietary platform. You need to develop too many tools in house to write and debug software to go that route. If the microcode is RISC, it can be disassembled. It just might not be pretty in C once it is pulled apart.

There are other ways to skin this cat. I doubt it is impossible to hack.

 

Thanks for the picture. Turns out I figured this out after looking in the tool kit again.

I got the DVD out and copied it to my computer. Now the fun begins. I'm really bent on trying to hack the loading file.

I've looked around and it appears that it uses a semi-standardized KIWI file format. This seems to be just a container file format. There's bound to be some executable code in certain parts. This can likely be disassembled.

Apparently there's documentation on this KIWI format out there, but the Japanese website for KIWI MapMaster doesn't seem to be loading. First thing is to figure out where the checksum(s) in the file are. This would allow me to make some basic hacks (picture and string edits).

So I want to keep it simple in the beginning, and write a patching program that would allow us to change/remove pictures or text.

Once that's accomplished I'll move on to execution flow to try and bypass the "I AGREE" screen and to enable a destination override.

 

I sure hope someone finds a hack for this before the another upgrade comes out.

 

Does anyone have the Kiwi documentation? Their website seems to be down.

http://kiwi-w.mapmaster.co.jp/documents_eng.html

OR

http://kiwi-a.mapmaster.co.jp/index_eng.html

This will be a big help to start with.

 

My 06 250 nav system has been losing it's current location and seems to just pick some other spot and try to direct me with all wrong directions.

Questions?
1. How do I tell how many satellites it's tracking? what screen?

2. Using the directions on this forum, I checked the version of the DVD in my nav system. It's V05.03.13. Is that good? bad?

3. I don't want to lose the option of inputing destinations while my car is moving so I don't think that I want the new DVD.

Now what?

 

I am looking forward to a smart person/persons figuring out the override for the new Nav disk. I have a 2006 IS350. The old override worked great. Other people could use the nav system while I drove. Now, I either have to stop, which I typically don't have time for, or have a friend look at a printed map and try to give me directions.

Lexus, please offer an override! I will be calling the 800-255-3987 number tomorrow.

 

Okay so did we get anywhere with hacking the kiwi file??? that wasovera month ago...

 

Nope... Nor will we ever unless someone is an assembly language genius or they can get us hitachi proprietary software... Or we find someone sympathetic at Denso...

 

so if i were to make a hybrid dvd, exactly what problems would i encounter??

 

Well Im pretty good with assembly, but reverse engineering code and trying to then apply it to a system we know little about would yes require a very resourceful individual.