ea / bosch_headunit_root

Documentation and code for rooting and extending a Bosch car head unit (lcn2kai)

Map data #12

Open sapphire-bt opened 3 years ago

sapphire-bt commented 3 years ago

Hi there,

Thanks for the writeup; it's made for a very interesting read today.

I was wondering if anyone has attempted to reverse engineer any of the map data that comes with certain models.

Some context: I bought a 2018 Nissan Pulsar (Tekna trim) which comes with the following head unit:

[Image: nissan-connect-3-sd-card-v5-sat-nav-map-update-2020-2021-659-p]

The firmware version is D554 (accessing the service menu is slightly different - I followed this video).

Note the SD card slot on the top right. Mine came with a "V5" map data SD card, similar to the following:

[Image: nissan-connect-3-sd-card-v5-sat-nav-map-update-2020-2021-3-659-p]

The SD card contains a folder called "CRYPTNAV" which contains around 15,800 files, roughly 5.7GB in total. Most of the files are binary formats - some are known file types such as SQLite but most appear to be proprietary. Some plain text files exist such as XML, CFG, and TXT files.

Specifically I'm interested in decoding what I assume are icon/graphics files used by the navigation system. The files are contained within a folder called "3D_PICT". There appear to be four versions of each file. For example, the file name "JUG00378" appears as:

My first guess would be that the final "d" and "n" in the file extensions could stand for "day" and "night", i.e. a different colour depending on the display mode of the navigation system. Perhaps the "h" in .phd / .phn is "high [res]" as these always appear to be larger than the .pn* files.

Looking at the files in a hex editor quickly reveals they're using PNG format, however the chunk data appears to be partially compressed/encrypted.

For example, a typical PNG IHDR chunk contains the chunk length (13 bytes), chunk name (IHDR), chunk data (width, height, etc.), and CRC. In JUG00378.pnn, however, despite indicating the IHDR chunk is 13 bytes, only 10 bytes of data follows until the next chunk name is reached. There is also a custom file header before the PNG header which appears to contain encrypted/compressed data.

Apologies this is so rambly - just thought I'd share what I've observed so far and wondering if anyone has had any success in decoding any map data.
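The length check described in the post above, as an added example that is not part of the original post or of the project's code: it finds the PNG signature behind a leading header, then compares the first chunk's declared length with the distance to the next chunk name and verifies its CRC. Both sample blobs and the 12-byte leading header are constructed placeholders, not data from the SD card.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN_TYPES = (b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND")
FAKE_HEADER = b"\xaa" * 12  # constructed stand-in for the custom file header

def make_chunk(ctype, body):
    """Standard PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_standard():
    """Constructed, well-formed 16x16 RGBA PNG behind the fake header."""
    ihdr = struct.pack(">IIBBBBB", 16, 16, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" * (16 * 65))
    return (FAKE_HEADER + PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))

def sample_short_ihdr():
    """Constructed: IHDR declares 13 bytes, but only 10 precede the next name."""
    return (FAKE_HEADER + PNG_SIG + struct.pack(">I", 13) + b"IHDR"
            + bytes(10) + b"IDAT" + bytes(8))

def inspect_first_chunk(blob):
    """Report declared vs. observed size and CRC validity of the first chunk."""
    sig_at = blob.find(PNG_SIG)
    if sig_at < 0:
        return {"png": False}
    pos = sig_at + len(PNG_SIG)
    if len(blob) < pos + 8:
        return {"png": True, "truncated": True}
    declared, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
    data_at = pos + 8
    # Distance from the start of chunk data to the nearest following chunk name.
    hits = [h for h in (blob.find(t, data_at) for t in KNOWN_TYPES) if h >= 0]
    observed = min(hits) - data_at if hits else None
    end = data_at + declared
    body, crc_raw = blob[data_at:end], blob[end:end + 4]
    crc_ok = (len(crc_raw) == 4 and
              struct.unpack(">I", crc_raw)[0] == zlib.crc32(ctype + body) & 0xFFFFFFFF)
    return {"png": True, "header_bytes": sig_at, "type": ctype,
            "declared": declared, "bytes_before_next_name": observed,
            "crc_ok": crc_ok}

if __name__ == "__main__":
    for name, blob in (("standard", sample_standard()), ("short", sample_short_ihdr())):
        print(name, inspect_first_chunk(blob))
```

In a standard file the next chunk name sits 21 bytes after the start of the IHDR data (13 data bytes, 4 CRC bytes, 4 length bytes), so a smaller distance or a failed CRC indicates the chunk body is not stored in plain PNG form.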

ea commented 3 years ago

I've intentionally steered clear of looking at navigation data and those SD cards. Since they are selling them and those are probably subject of piracy... The whole thing smells of DRM and I'm sort of allergic to it, don't want to deal with potential DMCA takedown requests.

In short, I can't really help with that.

ea commented 3 years ago

On the other hand, that head unit looks remarkably similar to the ones where the exploit has worked. If you do get around to testing it, please let me know of the results!

sapphire-bt commented 3 years ago

> I've intentionally steered clear of looking at navigation data and those SD cards. Since they are selling them and those are probably subject of piracy... The whole thing smells of DRM and I'm sort of allergic to it, don't want to deal with potential DMCA takedown requests.
>
> In short, I can't really help with that.

No worries - just thought I'd ask. I'd love to be able to create some custom icons and update the navigation data with the latest geodata from OpenStreetMap, but even if the formats were known that would still be a pretty ambitious project anyway.

> On the other hand, that head unit looks remarkably similar to the ones where the exploit has worked. If you do get around to testing it, please let me know of the results!

I actually tried it last night but unfortunately no luck! It just said something like "No audio files found" and didn't reboot. Hardware version 037, by the way.

raburton commented 3 years ago

I have a Connect 3 in my Pulsar and it worked on that when running D554 and since I've updated to D605 it still works. Mine is hardware version 31 and has a different facia but I wouldn't expect that to matter. I have seen references to a Connect 3 with no sd card slot (also referred to as Connect 4 in other places), but you have an SD slot so a proper Connect 3. I'm not aware there are different firmwares for different real Connect 3s. Do you have access to a copy of the D554 firmware for yours or D605? Before I installed D605 I unzipped it and checked all the relevant files and mount.sh to make sure the hack would still work. If you have the firmware update you can check the same, but I'm sure it'll be the same firmware as I have where it does work for me. Interestingly I don't get a no audio files message, for me the media player has always refused to look at the ext2 partition despite the fact Linux has mounted it. Instead I get an error about unsupported filesystem type but it works regardless. I wonder if the fs has been created / written to the usb stick correctly?

As for editing the maps, I'm interested in that too, to fix the wrong speed limits around my house. If you edit the maps they probably won't work, because the maps are signed. But that can be worked around if you can get the hack working on your device, see my blog linked on my profile and one of my GitHub repos... However, I haven't got anywhere on understanding the format yet.

sapphire-bt commented 3 years ago

> Do you have access to a copy of the D554 firmware for yours or D605?

Unfortunately not. The D554 firmware was pre-installed, and I haven't yet been able to find any firmware updates available online (although admittedly I wasn't very thorough in my searching).

> I wonder if the fs has been created / written to the usb stick correctly?

It could well be that I didn't prepare my flash drive correctly, although I ran the script/command as per the how-to… I might try again later, though, just in case.

I actually came across your blog posts the other day and wondered where you managed to obtain the firmware archive - did you have to go to a Nissan dealership? I also wondered what you used to create your patch - IDA or something similar?

Side note… it's such a shame to think of the countless hours of dev time wasted on car sat nav systems. Ask anyone if they use the built-in sat nav and the answer is always "It's crap; I just use Google Maps instead". I think there's a lot of potential for these systems, if only they weren't kept under lock and key and already outdated by the time the cars hit the market.

raburton commented 3 years ago

I can point you to a link, but don't want to post it here. Drop me an email at richardaburton@gmail.com

ea commented 3 years ago

For what it's worth, I've been reversing the binaries using Ghidra ...

sapphire-bt commented 3 years ago

To (kind of) answer my own question, the files appear to be compressed using a custom algorithm; the binary responsible for decompression can be found at /var/opt/bosch/dynamic/processes/DAPIAPP.OUT. Fortunately the symbols are included, so we know the method is called cpr_tclDecompressAlgorithm::bDecompressData and begins at offset 0x0091A32C.

Unsurprisingly it looks complex. If I have any success I'll create my own repo. Thanks all.

sapphire-bt commented 3 years ago

Not managed to figure it out yet, but I think I'm getting close - created a repo with my current progress at https://github.com/sapphire-bt/lcn2kai-decompress

ea commented 3 years ago

Thanks for the update. I'll keep an eye out on your repo and will add a link to it.

Does that mean you got the exploit to work on your car as well?

sapphire-bt commented 3 years ago

> Does that mean you got the exploit to work on your car as well?

I've actually been using the binary from a firmware download I found online. I just tried the exploit again paying closer attention to your instructions and, lo and behold, it worked! I must have missed something the first time.

That's confirmed working for Nissan Pulsar 2018, D554 software, 037 hardware.

duncho1 commented 3 years ago

Is there any way to add TMC tables that are missing for some countries?

sapphire-bt commented 2 years ago

I'm pleased to report that I've been successful in figuring out the unpacking routine. It currently only works for small files but I hope to figure out larger files in the coming days. For anyone interested, check my repo linked above. 🥳

ea commented 2 years ago

I'll reopen this issue so it's more visible and add a pointer to your project to the main page. Cheers!

sapphire-bt commented 2 years ago

Another update: I think I've pretty much figured out the compression format now as it's working with every file I've thrown at it. I've updated my repo a few times this week and will probably make one or two more edits just to clean things up, then it should be totally finished.

A couple of interesting files I've decompressed so far:

ilikenwf commented 1 year ago

For what it is worth it looks like basically all HMIs use the same company for all this data, I have a GM and cryptnav looks more or less the same, problem is all the 2023 maps for USA are sold out/out of stock....secondary sellers use them to profit quite a bit by selling the update as a service...

I'd pay if they'd let me just download a USB imaging tool...other than some proprietary POI data I'm guessing the rest is probably some proprietary format that builds from openstreetmap anyway.

smolinde commented 1 month ago

> I can point you to a link, but don't want to post it here. Drop me an email at richardaburton@gmail.com

Hello raburton,

Thank you for the amazing project! I would like to share the following information to update the list of compatible adapters and car models: I own a Nissan Juke Bose Personal Edition (2019). I originally had the D602 firmware on the LCN2kai module, but I upgraded it to D605 yesterday. It was a very tricky process. It is important to mention that the patches work with both firmware versions. Further, I tested another Ethernet adapter; it is a no-name RT8152B RJ45 to USB-A adapter. I was able to SSH into the system. I have two questions: could you send me the "link" for the map updates, and tell me what I can do in the SSH when everything is read-only? I would be very grateful for your help! 😃

ea commented 3 weeks ago

Thank you for letting me know it worked on your car! Glad to hear. This project is about the head unit system itself, I specifically avoided looking into map data, but you might have better luck contacting raburton directly. Cheers!