QMAT - QC Mobile Analysis Tool
What is it ?
It is a development and debugging tool for Qualcomm mobiles - the only tool you'll ever need for research and development.
Who may need it ?
Mobile engineers / reverse engineers / cryptanalysts / forensics
Crypto Functions :
- Calculate CRC-30, CRC-32, SHA1, SHA2 (SHA224 + SHA256), MD4 and MD5 of any file
- Bruteforce bytes to fit CRC-30 needed when qcsblhd_cfgdata.mbn was edited
- Decrypt and Encrypt any RSA-Message, including ASN-1 / SHA Signatures. (you can add publickeys to publickeys.xml)
- Calculate TEA/XTEA/DES/RSA in various modes (ECD,CBC,OFC, etc..)
- Generate RSA Private Key and create .pvk files
- Check firmware signature given Modulus and Exponent (for HTC and BQS mobiles)
- Extract information from .pvk files
- Search for algorithms in binary files (find cryptomethods + signatures) CRC8, CRC16, CRC32, MD4, MD5, SHARK, HAVAL, GZIP, ZIP, SHA1, ... and much more (you can add cryptosignatures to crypto.xml)
- Search for qc standard functions in binary files
JTAG Interface :
(soon via Segger J-Link)
Functions for QC mobiles :
1. Load binary files for :
Extraction of certificates
Extraction of BMPs,GIFs,PNGs, JPGs
2. Load Partition File to get overview about NAND/NOR structure
3. Send any String to a COM/USB Port and backup all your SMS !
4. Make usage of QCs Diag USB/COM Port Interface
(Useful for any QC mobile in the world)
5. Find SP and SPC and several other codes
6. CDMA Parameter Editor
Standard Features :
- Send standard diag commands or any hexadecimal command you want (database included)
- Read out all NVItems (range given)
(all that exist, more than QPST normally extracts)
- Backup and Restore all NVItems
- Read out and Dump Firmware in Memory (SRam)
- Read out complete EFS
- Switch to FTM Mode (or anything else you want)
- Get infos about phone, codes ..... etc ..... a lot more functions
- Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)
- Full Feature EFS Browser
Bootloader / DownloadMode Features :
- Load any file to mobile at any address and execute (bootloader f.e.)
- Read out complete NAND Memory using bootloader (range given) with included MSM6250/A bootloader or any given bootloader
Usage : Take out battery, put in battery, press ON # to enter emergency mode, Execute Loader
or (with SL91,SF71 f.e.) enable FTM mode, Execute Loader
- Use any Download Mode or Bootloader Command to experiment
- Read application memory of newer Diag Ver 6 in Download Mode
- Show complete infos about used NAND after loading of Bootloader
Flasher Features :
Flash any QC mobile (OBL Multiboot) with given bootloader
- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS
Functions for BQS only :
1. Load AMSS to extract files or useful infos
(EF81, E81C, EF91, SXG75, EF82, SF71, SL91 or similar ones)
Features :
Extract Infos from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype
Extract internal filesystem (mif,bar,sig etc. files)
Extract AMSS signature bytes (if production key)
Show all file references used by mobile
2. Check Firmware validity (signature)
3. Sim_Secure extraction/decryption (non-public)
4. Master-/Usercode/Unlock extraction and direct unlock (non-public)
Functions for HTC only :
1. Check validity of HTC firmware (signature check)
2. Cut out signatures from .nbh file
3. Split radio.nb into qualcomm files for analysis
4. Find HTC Public keys using Cryptosearch
5. Generate Security passwords (SPL + radio) for newer HTC
6. Generate NBH Files (you can add any device into devlist.xml)
7. Dump Files from NBH (you can add any type into nbhtype.xml)
8. Fix radio.nb checksum
9. Generic Bootloader / AT Command interface with logging functions
10. Generate goldcard for older and newer htc devices (newer one non-public)
Functions for Network Engineers - registered version
Network Calculators :
TDMA (GSM/UMTS) :
--------------------
IMEI
GSM A5-1
GSM A5-2
GSM A5-3
3G ECSD
GEA3 - GPRS
3G SNOW
3G UEA2
3G UIA2
GSM A3/A8 COMP128 V1
GSM A3/A8 COMP128 V2
GSM A3/A8 COMP128 V3
3G Milenage
3G Milenage Resync
CDMA :
-------
CAVE
CAVE Authentication
CAVE CMEA
CAVE EMEA
CAVE EMEA_NF
CAVE Wireless Residential Extension
CAVE Datakey / Look Up Table / Mask
CAVE DTC / DCCH
CAVE KSG
CAVE Long Block
CAVE Short Block
CAVE Enhanced Message
CAVE Enhanced Voice Privacy
CAVE Enhanced Data Mask
and much more ....
Planned in future :
1. Bugfixes
2. EFS Restore to Zip File
3. QC Jtag interface using Segger J-Link ARM
4. LNBS HTC support to replace MTTY
5. Tooltips showing real addresses in graphical window
6. CDMA Write functions
7. Read out / Write back Addressbook
8. Restore backupped SMS to phone
9. much much more
NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.
What we need :
- Any contribution to the project is welcome.
- Donations for new hardware and software for further development of this tool.
Link to the project files :
------------------------
Version 4.21 (Major Release) Stable
QMAT Homepage
Cya and keep on reversing,
Viper BJK
==> Donate via PayPal <==
See older threads here :
http://forum.xda-developers.com/showthread.php?p=2519683
Small update :
--------------
New version 4.22 will feature :
- DECT DSAA algorithm
- OTA SMS Tools
Cya,
Viper BJK
New version 4.22 out
--------------------
What's new :
-------------
- Added DECT DSAA Algorithm to Network Calculators
- Fixed Bug in Security Password Retrieval
Cya,
Viper BJK
I am going to implement Jtag to QMAT, so we need Beta Testers.
Are you :
1. Using Segger J-Link ARM or any clone (H-Link, JT-Link, etc..) ?
2. Experienced in Jtagging ?
3. Have a phone ready to jtag using a MSM Chipset (jtag pinouts etc. available) ?
Then join the QMAT Jtag beta team, mail your JTAG Serialnumber to [email protected].
Cya,
Viper BJK
Small update :
--------------
Right now we're doing a lot of bugfixes regarding spc / sp and usercode search, but also a lot of bugfixes for efs read. EFS read will now be done fully automatically. Of course, we take bugs seriously and due to official support of lg ks20 in the next qmat release, we are also fixing all those nasty timeouts that messed up some extracted data.
So right now, it's bugfixing weeks. After that we will continue on jtag interface and all other feature requests you brave people sent us.
Cya,
Viper BJK
what about KU990 (which have MSM6280)?
I guess KU990 will also be fine
But I can only give official support for ks20, as it's the only lg mobile I got here to work with.
Cya,
Viper BJK
Right now we're doing some beta testing qmat 4.23.
After all issues are fixed, there will be another great release including a lot of improvements and features.
Cya,
Viper BJK
New version 4.23 out
--------------------
What's new :
-------------
- Complete Com Rewrite, fixing timeout issues
- Read Memory in Download Mode / Display Memory Partitions in Download Mode (even ones other tools cannot download )
- Find SP password in non standard QC AMSS Firmware
- CRC30 bugfixes
- Added SP function detection
- Automatic EFS read size detection
- Usercode search / Advanced SPC search
- Official LG KS20 support
- Load QC Bootloader in HEX and get address automatically
- EFS Backup to ZIP bugfixes
- EFS Read Factory Fixes
- Bootloader NAND read bugfixes
- a lot more ...
Cya,
Viper BJK
Small update on progress :
--------------------------
"Uhoh ... bad things happen and sometimes the world isn't perfect."
This message is intended for those who work with QC EFS and QMAT.
Several ways to read out EFS exist. And the one from QMAT wasn't perfect at all. Sometimes, sniffing usb data gets you nowhere ... we had to act professional. In fact, after some heavy researches and reversing of firmware, I can now confirm that there is not only "ONE" EFS read at all.
So next version to be released will hopefully introduce two-way-efs for efs explorer to be used with all known qc types. And of course I had to write a lot of fixes for efs RAW/Factory read that I didn't know before ....
Expect the next version 4.24 to be not only a lot more stable than all versions before ... but will also feature REAL efs dump
Cya,
Viper BJK
Small update :
--------------
Boys and girls,
version 4.24 will be really new. I rewrote complete com/usb port stack and added a lot of new features, like a new command database, gui improvements, efs generic and subsystem browsing, safe factory efs, new bootloader interface, etc....
Trust me, this version will fix a lot of crashes and hangs
To prevent any bugs still being in it, we're doing severe bugtesting right now.
Cya,
Viper BJK
As we wish to make a good working and much better QMAT,
we start a Beta Tester Program.
What advantages do you get :
- Be the first to get unofficial versions
- Be productive and make QMAT more user-friendly
- Get a discount on special modules
- Get your phone working with QMAT
- Increase your knowledge regarding qc technology
Why it is important for us :
- Make more phones work with QMAT
- Fix any existing bug and make QMAT more stable
If you're interested, please write a PM to me, with subject "QMAT Beta Tester" and a short introduction of yourself
(where you are from, if you are a user / programmer / reverse engineer, why you want to be a beta tester, what phones with qc chipsets you have to test)
Thanks,
Viper BJK
QMAT Beta Tester
viperbjk said:
As we wish to make a good working and much better QMAT,
we start a Beta Tester Program.
What advantages do you get :
- Be the first to get unofficial versions
- Be productive and make QMAT more user-friendly
- Get a discount on special modules
- Get your phone working with QMAT
- Increase your knowledge regarding qc technology
Why it is important for us :
- Make more phones work with QMAT
- Fix any existing bug and make QMAT more stable
If you're interested, please write a PM to me, with subject "QMAT Beta Tester" and a short introduction of yourself
(where you are from, if you are a user / programmer / reverse engineer, why you want to be a beta tester, what phones with qc chipsets you have to test)
Thanks,
Viper BJK
I saw it in the original forum and to start i'm from Bulgaria (South-Eastern Europe), interested mostly in replacing/messing around with LG's AMSS system, the bootloaders will be great, but i'm realist so the illusions are out, i have KU990 not a real reverse-engineer, but i know basic stuff (i was developing in PHP about an year) for how system works.
ceckin said:
I saw it in the original forum and to start i'm from Bulgaria (South-Eastern Europe), interested mostly in replacing/messing around with LG's AMSS system, the bootloaders will be great, but i'm realist so the illusions are out, i have KU990 not a real reverse-engineer, but i know basic stuff (i was developing in PHP about an year) for how system works.
Well the more beta testers we have, the better
Small update :
--------------
Version 4.24 is almost done and about to be released at the end of the week approximately. It seems it is a lot more stable and works way better than any qmat version ever before.
Finally, we were able to reverse whole EFS read, add a new alternate EFS factory read for newer MSM >8xxx, add EFS Browsing not only for generic devices but also for devices with only subsys ... and of course added features like rename directory / change modes.
Also we did some gui changes for easy recognition of diag commands.
You can now even cancel running diag processes ! *thanks to adfree for the hint*
So expect Version 4.24 to bring you great new features and more stability
Cya,
Viper BJK
New version 4.24 out !
---------------------
What's new :
-------------
-Severe Com Port fixes
-EFS alternate read for newer MSM to be released
-GUI changes - EFS Browsing
-Severe bugfixes thanks to beta testing team
-Factory EFS read
-Improved speed of Usercode/SPC search (by 0x1000)
-Button to stop current com port function
Cya,
Viper BJK
New version 4.25 out !
----------------------
What's new ?
-------------
-EFS Browse Bugfixes
-PRL Read/Write
-GUI Improvements
-Bootloader Bugfixes
-SimSecure Bugfixes
-Byte Cutter Bugfixes
-Cmd Byte for different NVItem Read
-Signature Search / SP / SPC Search improved
-EFS Raw Read Fixes
-Added option to add vendor specific commands
-Added support for newer Samsung CDMA
-Added ECC Calculation (Hamming, Toshiba, Reed Solomon)
Cya,
Viper BJK
New version 4.26 out !
----------------------
What's new ?
-------------
- Added new goldcard generation to registered users
- Implemented new registration scheme
- Added rudimentary IDC Script generation for IDA with Function/Algorithm Search (put in output directory as results.idc)
- Function/Algorithm Search is now able to use "??" instead of "FF" as wildcards in .xml files function.xml and crypto.xml
- Added new ECC algorithms
- Several bugfixes
Cya,
Viper BJK
New version 4.27 out
............................
What's new ?
-------------
- Fixed QMAT not to start on several pcs.
Cya,
Viper BJK
New version 4.28 out
.............................
What's new ?
-------------
- JTAG fixes
- Fixed encap files speed
- CID is now called Country ID (GUI improvement)
- New functions added to function-database
Cya,
Viper BJK
Hi everyone,
I'm trying to port open-nfc 4.4.2 on the galaxy nexus.
I'm following the instructions of the porting guide bundled with open nfc for Android (MAN_NFC_1205-326), but i'm stuck at the step 2.9.3.2.
Here is the step :
e) open_nfc_custom.c
This file must be changed if OpenNFC is implemented in a real NFC device.
After doing the above step (c), you will find a template file open_nfc_custom.c under “<ANDROID_ROOT>/kernel/nfc”. This file must be modified according to the real Android NFC device/testing board.
The main adaptation consists in :
- definition of the 2 GPIOs (IRQOUT, and RST/WakeUP), and their initialization.
- the name of the I2C driver available for MicroRead ("MicroRead" in this example ).
Typically 4 lines should be modified according to the real Android NFC device/testing board:
- Platform IRQ Number used with IRQOUT, if not dynamically allocated
- GPIO_NFC_IRQOUT definition (IRQOUT pin of MicroRead)
- GPIO_NFC_WAKEUP definition (RESETWAKE_UP pin of MicroRead)
- "struct i2c_device_id" line for I2C Slave definition for MicroRead and the initialization of the I2C bus (i2c_get_adapter, ...).
I don't know where to get those values for the galaxy nexus (the 2 GPIOs and the i2c driver), does anyone know where i can find it?
Thank you.
Ramwii said:
Hi everyone,
I'm trying to port open-nfc 4.4.2 on the galaxy nexus.
I'm following the instructions of the porting guide bundled with open nfc for Android (MAN_NFC_1205-326), but i'm stuck at the step 2.9.3.2.
Here is the step :
I don't know where to get those values for the galaxy nexus (the 2 GPIOs and the i2c driver), does anyone know where i can find it?
Thank you.
I've found the name of the i2c driver in the include linux/nfc/pn544.h .
#define PN544_DRIVER_NAME "pn544"
I'm still looking for the other values.
Hi! Ramwii
I too am compiling Open-NFC for Android. Have you compiled a functional ROM for your device?
Sorry my bad English
Have you found the necessary information yet? I'm currently stuck at the same problem :/
Does anyone still have the 1.0 apk?
I upgraded to 1.1 now it will not find my sprint modem and problems here and there.
Here you go..... [removed]
taqulic said:
Here you go..... http://db.tt/jnAqmyXk
Thank you so much, too bad I can only give you one thanks :laugh: , now everything is working again. I don't know what the dev changed on the update but something did dealing with the sprint modem..etc. and it all went downhill.
Seems like someone else had that problem too.... thought I read it in the reviews..
taulic,
please be so kind and remove the public access to the APK file.
The original package is fixed now.
Note that the program itself is free of cost but not free to copy. If people run into trouble I will provide older versions when asked.
Regards,
Author of PPP Widget
JFDee said:
taulic,
please be so kind and remove the public access to the APK file.
The original package is fixed now.
Note that the program itself is free of cost but not free to copy. If people run into trouble I will provide older versions when asked.
Regards,
Author of PPP Widget
Done.
PPP works once, then needs to be re-installed
taqulic said:
Done.
Hi There,
The app works fine when I install it first, my dongle is being recognized no problem. However if I disconnect, and unplug the dongle and try to connect again, the widget shows "no modem found".
I have tried forcing the app to stop, uninstall stickmount as I thought there was a clash between both apps and still it doesn't work. The only workaround I've found is to re-install the app, which is not very convenient when on the go and needing internet in the first place to be able to access it.
Would you be willing to provide me the APK installer as I am quite happy to install the app whenever I need it, or maybe suggest a workaround?
you have done a fantastic job by the way
G
file is no longer available
Will you please re-upload the file (PPP widget 1.00 APK) in drop box since the hyperlink says (The file you are looking for has been deleted or moved). Thank you very much
You should first, email the author of the app and see if he can help you with your problem.
I'm not sure I still have the app in backup... as I only save them for so long. (But I'll check).
For those people having problems with this app, there is a forum and active discussion
Here, click forum link at bottom of page.
http://www.draisberghof.de/android/pppwidget.html
Will you please email this file; thanks
Unknown Zone said:
Thank you so much, too bad I can only give you one thanks :laugh: , now everything is working again. I don't know what the dev changed on the update but something did dealing with the sprint modem..etc. and it all went downhill.
Dear "Unknown Zone", will you please email this file (PPP Widget 1.00); thanks
Please email link
Unknown Zone said:
Does anyone still have the 1.0 apk?
I upgraded to 1.1 now it will not find my sprint modem and problems here and there.
If you have older version of PPP Widget 1.00 (apk file), please post a link. I have tried many changer.bat options since your last post; both uberoid v11 and 12.1. Nothing seems to work so far to make the ZTE-MF190 work again since upgrade from stock ROM. Tried 2 look for this file however no success. Thank you.
Deleted.
samsung note i717 no drivers found
PPP Widget version 1.3.3
USB_ModeSwitch log from Tue Sep 24 21:36:19 IST 2013
Raw args from udev: 1-1/1-1:1.0
Using top device dir /sys/bus/usb/devices/1-1
----------------
USB values from sysfs:
manufacturer ZTE, Incorporated
product USB Storage
serial 000000000002
----------------
bNumConfigurations is 1 - don't check for active configuration
SCSI attributes not needed, moving on
checking config: /data/data/de.draisberghof.pppwidget/app_tmp/19d2.fff5
! matched. Reading config data
devList 1:
config: TargetVendor set to 19d2
config: TargetProductList set to fff1,fffe,ffff
Driver module is "option", ID path is /sys/bus/usb-serial/drivers/option1
Command to be run:
usb_modeswitch -I -W -D -s 20 -u -1 -b 1 -g 2 -v 19d2 -p fff5 -f $cB
Verbose debug output of usb_modeswitch and libusb follows
(Note that some USB errors are to be expected in the process)
--------------------------------
Reading long config from command line
* usb_modeswitch: handle USB devices with multiple modes
* Version 1.2.7 (C) Josua Dietze 2012
* Based on libusb0 (0.1.12 and above)
! PLEASE REPORT NEW CONFIGURATIONS !
DefaultVendor= 0x19d2
DefaultProduct= 0xfff5
TargetVendor= 0x19d2
TargetProduct= not set
TargetClass= not set
TargetProductList="fff1,fffe,ffff"
DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
QisdaMode=0
QuantaMode=0
GCTMode=0
KobilMode=0
SequansMode=0
MobileActionMode=0
CiscoMode=0
BlackberryMode=0
PantechMode=0
MessageEndpoint= not set
MessageContent="5553424312345678c00000008000069f030000000000000000000000000000"
NeedResponse=0
ResponseEndpoint= not set
InquireDevice disabled
Success check enabled, max. wait time 20 seconds
System integration mode enabled
Use given bus/device number: 001/002 ...
Looking for default devices ...
bus/device number matched
searching devices, found USB ID 19d2:fff5
found matching vendor ID
found matching product ID
adding device
Found device in default mode, class or configuration (1)
Skipping the check for the current configuration
Using interface number 0
Using endpoints 0x0a (out) and 0x89 (in)
USB description data (for identification)
-------------------------
Manufacturer: ZTE, Incorporated
Product: USB Storage
Serial No.: 000000000002
-------------------------
Looking for active driver ...
OK, driver found; name unknown, limitation of libusb1
OK, driver "unkown" detached
Setting up communication with interface 0
Using endpoint 0x0a for message sending ...
Trying to send message 1 to endpoint 0x0a ...
Sending the message returned error -6. Trying to continue
Resetting response endpoint 0x89
Could not reset endpoint (probably harmless): -6
Resetting message endpoint 0x0a
Could not reset endpoint (probably harmless): -6
Device is gone, skipping any further commands
Bus/dev search active, referring success check to wrapper. Bye.
ok:busdev
--------------------------------
(end of usb_modeswitch output)
Checking success of mode switch for max. 20 seconds ...
Waiting for device file system (1 sec.) ...
Reading attributes ...
Mode switch has completed
Mode switching was successful, found 19d2:fff1 (ZTE, Incorporated: ZTE CDMA Tech)
Device class of first interface is ff
Now checking for bound driver ...
No driver has bound to interface 0 yet
Module loader is /system/bin/insmod
Trying to find and install main driver module "option"
Checking for active driver path: /sys/bus/usb-serial/drivers/option1
Driver not active, try to find module "option"
Can't find module "option"
Existing path found:
No way to use driver "option"
- try falling back to "usbserial"
Module "usb_serial" not found, can't do more here
Driver binding did not work for this device
All done, exiting
[QUOTE=taqulic;34223799]Here.
http://www.filesend.net/download.php?f=4c6891af31cb635623fac53e094def52[/QUOTE]
Sir,
Using samsung note i717 with official jb rom 4.1.2, ppp app says driver not found, device log is as above. Request you to help in this regard.
hello,
anyone can help me to find a way to unlock/hack the infotainment system on the new peugeot 3008/5008 ecc.
i've tried to hold note button for engineering mode but only for spy menu.
anyone have more differently code for unlock android setting? for example how the kia/hyundai cars?
please sorry for my english....
I found the code 1122 to access the radio monitor...
hi guys, I'm also looking for a way to get into the hidden menu of the NAC (3d Connect Nav) Peugeot. My car is a 2008, with CarPlay, Mirrorlink and Android Auto. Now compared to what I saw for the KIA, I would try to figure out if there is a chance to enter the system that is declared Linux, and find a gateway like an android virtual emulator, on which even turns android auto, to install other applications directly on the multimedia of the car. The only 2 codes we know are: 1111 1122, the first for spylogs, the second one gives us a series of info on the system, but apparently they are only legible and there is no way to get inside. In practice using the code 1122 the first time also gave me only info on the radio, but then typing in increasing order the following codes and typing 1122 again, for several times I have drawn many other info. I took pictures that I would like to share with you to find out if there is a chance to find a way.
umbeluxa said:
hi guys, I'm also looking for a way to get into the hidden menu of the NAC (3d Connect Nav) Peugeot. My car is a 2008, with CarPlay, Mirrorlink and Android Auto. Now compared to what I saw for the KIA, I would try to figure out if there is a chance to enter the system that is declared Linux, and find a gateway like an android virtual emulator, on which even turns android auto, to install other applications directly on the multimedia of the car. The only 2 codes we know are: 1111 1122, the first for spylogs, the second one gives us a series of info on the system, but apparently they are only legible and there is no way to get inside. In practice using the code 1122 the first time also gave me only info on the radio, but then typing in increasing order the following codes and typing 1122 again, for several times I have drawn many other info. I took pictures that I would like to share with you to find out if there is a chance to find a way.
First of all, does anyone know that LINUX can run Android within? Would it be possible to enter the NAC system to install Android apps?
Any progress here?
I'm also trying to hack in the nac.
I scanned for open ports in Bluetooth and Wifi but all ports are closed.
Does anyone have another idea how i can get access to the system files?
The source code is published here.
https://www.groupe-psa.com/en/oss/
It's from the RCC, not the NAC.
RCC is from Bosch and the NAC from Continental.
And it's useless unless you have the login data or the schematics from the board because all ports are closed.
Maybe a secret code open the ports.
But so far only 1111 and 1122 are known.
Crunchy_Nuts said:
It's from the RCC, not the NAC.
RCC is from Bosch and the NAC from Continental.
And it's useless unless you have the login data or the schematics from the board because all ports are closed.
Maybe a secret code open the ports.
But so far only 1111 and 1122 are known.
According to information published on https://fccid.io/ZFW-NACEUR2. This should be the source of the NAC WAVE 2 and 3.
Excludes are sources of proprietary software.
It seems that the software developed for the RCC unit, is (partly?) used for the NAC.
The base of the OS is GENIVI. A linux based OS developed for in car systems.
https://events.static.linuxfound.or...tware updates for Linux-based IVI systems.pdf.
It is designed to prevent the hacking of the system in any way.
For those of you who want to analyze their spy logs after using code 1111, you need to install Qt (qt.io/download) and download the DLT Viewer project (github.com/GENIVI/dlt-viewer). You also need a tool to extract lz4 compressed files (e.g. github.com/lz4/lz4/releases). Once you configure everything you need to extract the .lz4 file (e.g. "1_startup_20190924_181656.dlt.lz4") which results in a .dlt file (e.g. "1_startup_20190924_181656.dlt"). You can then open this in DLT Viewer.
I assume that the Navi 5.0 is using a logger similar to the one described here: github.com/GENIVI/dlt-daemon . Also based on the information in some of the crash reports, the Navi 5.0 seems to be using Qt apps/objects.
Unfortunately I do not really know how to install all these programs.
I could install qt and visual.
But all other failed.
Can you maybe do a tutorial for that?
I would be very thankful
Regards
i do not understand too how to install these programs , can you explain , please?
step by step would be the best.
thanks
I'll try to detail the steps for Windows as soon as I get a chance.
I installed Qt 5.12.5 + Microsoft Visual Studio 2015. When configuring the Qt Kit, I selected no C compiler and "Microsoft Visual C++ Compiler 14.0 (x86_amd64)" as the C++ compiler. After that I was able to build and run the DLT Viewer project.
The lz4 command-line utility is pretty straight-forward. Simply run "lz4.exe <file name>.dlt.lz4" to extract the files.
That's a problem for me, I could install qt and visual but that's all.
I do not have exe files for lz4 and for dlt I do not have too.
So if you could do a tutorial with links step by step it would be very cool
Thanks
No answer
DLT Viewer - Step by Step for Windows
I have been busy, so it took me some time. The output of DLT Viewer will probably make no sense to many people, but you can draw your own conclusion at the end. I uninstalled and re-installed everything from scratch to note down each step. This assumes that you have exported the spy logs using code 1111 and that you have placed them on your PC.
1. Download a tool to extract the lz4 compressed spy logs.
   - None of the 7-zip tools/plugins worked for me.
   - From the command-line you can use one of the binaries here: github.com/lz4/lz4/releases . Simply run "lz4.exe <file name>.dlt.lz4" from the command-line to extract the files.
   - For a GUI interface, see reboot.pro/topic/22062-lz4-compressor . Within the tool, in the VHD file field you need to select your lz4 file (e.g. "1_startup_20190924_181656.dlt.lz4"). Select the output folder in the Lz4 Folder field. Leave the LZ4 field empty. Click on the COMPRESS button to extract the file (I know, the name of the button doesn't make sense).
   - You should end up with a .dlt file.
2. Download and install Visual Studio Community Edition 2015: stackoverflow.com/questions/44290672/how-to-download-visual-studio-community-edition-2015-not-2017
   - During installation select Custom install and Programming Languages -> Visual C++
3. Download and unzip DLT Viewer: github.com/GENIVI/dlt-viewer/archive/master.zip
4. Download and install Qt 5.12.6: download.qt.io/official_releases/qt/5.12/5.12.6/qt-opensource-windows-x86-5.12.6.exe
   - During installation select the following component: Qt -> Qt 5.12.6 -> MSVC 2015 64-bit
5. Configure the compiler in Qt
   - Go to the Tools menu -> Options
   - Select Kits in the left pane -> Kits tab
   - Click on "Desktop Qt 5.12.6 ..." under "Auto-detected"
   - Select for Compiler C: <No compiler>
   - Select for Compiler C++: Microsoft Visual C++ Compiler 14.0 (amd64)
6. Compile and run the DLT Viewer project
   - Within Qt click on Open Project and open the BuildDltViewer.pro project in the unzipped folder of DLT Viewer.
   - Qt will switch to the Projects page (otherwise click on Projects on the left)
   - For the Active Project, BuildDltViewer should be selected
   - Click on Configure Project on the right
   - Go to the Build menu -> Build Project ...
   - When the build is finished, go to the Build menu -> Run
7. Go to File -> Open and open one of the .dlt files.
The DLT Viewer manual can be found here: at.projects.genivi.org/wiki/display/PROJ/DLT+Viewer+Manual
I haven't spent much time looking at the DLT Viewer output, so I cannot help anyone to decipher that. Obviously feel free to share any of your findings.
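For readers who want to see what is inside an extracted .dlt file without building DLT Viewer, here is a small reader for the DLT storage-file record layout. It is an added example, not part of the original post and not code from the DLT Viewer project. The sample bytes, the ECU name "ECU1" and the application/context IDs are constructed for the demonstration, and payload arguments are left undecoded.

```python
import struct
from datetime import datetime, timedelta, timezone

STORAGE_MAGIC = b"DLT\x01"                      # starts every stored record
UEH, WEID, WSID, WTMS = 0x01, 0x04, 0x08, 0x10  # HTYP flag bits used here
LOG_LEVELS = {1: "fatal", 2: "error", 3: "warn", 4: "info", 5: "debug", 6: "verbose"}


def _ident(raw):
    """DLT identifiers (ECU, application, context) are 4 bytes, NUL-padded."""
    return raw.rstrip(b"\x00").decode("ascii", "replace")


def parse_dlt(data):
    """Parse the bytes of a .dlt storage file; return (messages, skipped_bytes)."""
    messages, skipped, pos = [], 0, 0
    while pos < len(data):
        start = data.find(STORAGE_MAGIC, pos)    # resynchronise on the marker
        if start < 0 or start + 20 > len(data):  # no complete header pair left
            skipped += len(data) - pos
            break
        skipped += start - pos
        # Storage header: magic, seconds and microseconds (little-endian), ECU id.
        secs, usecs = struct.unpack_from("<Ii", data, start + 4)
        std = start + 16
        # Standard header: HTYP flags, message counter, length (big-endian).
        htyp, counter, length = struct.unpack_from(">BBH", data, std)
        need = 4 + sum(4 for f in (WEID, WSID, WTMS) if htyp & f)
        need += 10 if htyp & UEH else 0
        end = std + length                       # length excludes the storage header
        if length < need or end > len(data):
            # Damaged or truncated record: step past this marker and resync.
            skipped += 4
            pos = start + 4
            continue
        msg = {
            "time": datetime.fromtimestamp(secs, timezone.utc)
                    + timedelta(microseconds=usecs),
            "ecu": _ident(data[start + 12:start + 16]),
            "counter": counter,
        }
        cur = std + 4
        if htyp & WEID:
            msg["ecu"] = _ident(data[cur:cur + 4])
            cur += 4
        if htyp & WSID:
            msg["session"] = struct.unpack_from(">I", data, cur)[0]
            cur += 4
        if htyp & WTMS:                          # device uptime, units of 0.1 ms
            msg["uptime_s"] = struct.unpack_from(">I", data, cur)[0] / 10000
            cur += 4
        if htyp & UEH:                           # extended header
            msin = data[cur]
            msg["verbose"] = bool(msin & 0x01)
            msg["type"] = (msin >> 1) & 0x07     # 0 = log message
            if msg["type"] == 0:
                msg["level"] = LOG_LEVELS.get(msin >> 4, "unknown")
            msg["args"] = data[cur + 1]
            msg["apid"] = _ident(data[cur + 2:cur + 6])
            msg["ctid"] = _ident(data[cur + 6:cur + 10])
            cur += 10
        msg["payload"] = data[cur:end]
        messages.append(msg)
        pos = end
    return messages, skipped


def build_record(secs, apid, ctid, level, payload, ecu=b"ECU1"):
    """Build one constructed log record (sample data, not from a real unit)."""
    htyp = UEH | WEID | WTMS | (1 << 5)          # protocol version 1 in the top bits
    msin = 0x01 | (level << 4)                   # verbose flag, type 0 (log), level
    ext = bytes([msin, 1]) + apid + ctid
    length = 4 + 4 + 4 + len(ext) + len(payload)
    std = struct.pack(">BBH", htyp, 0, length) + ecu + struct.pack(">I", 12345)
    storage = STORAGE_MAGIC + struct.pack("<Ii", secs, 0) + ecu
    return storage + std + ext + payload


# Constructed sample: two good records, three junk bytes, one truncated record.
SAMPLE = (
    build_record(1569349016, b"NAVI", b"MAIN", 4, b"constructed payload 1")
    + b"\xff\xff\xff"
    + build_record(1569349017, b"NAVI", b"MAIN", 2, b"constructed payload 2")
    + build_record(1569349018, b"NAVI", b"MAIN", 4, b"constructed payload 3")[:25]
)

if __name__ == "__main__":
    msgs, skipped = parse_dlt(SAMPLE)
    for m in msgs:
        print(m["time"].isoformat(), m["ecu"], m["apid"], m["ctid"],
              m.get("level"), m["payload"])
    print("bytes skipped while resynchronising:", skipped)
```

To use it on a real log, read the extracted file with `open(path, "rb").read()` and pass the bytes to `parse_dlt`.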
New Codes Found
Nice work, Bob.
I live in Brazil and my Citroen C4 Cactus seems to use this same unit.
I reached the "Expert Mode" pressing MENU for 10 seconds and then tried the 1111 and 1122 codes.
Here 1111 brings me up the "spy" files, that I extracted using a pendrive, lz4.exe and read with a simple text editor, that does not show the file in a structure but give a good idea that what is inside it.
1122 brings only radio information.
Some news, discovered in this interaction:
1144 disabled the system beep.
1155 enabled the system beep.
I'm just downloading the source code to have an idea on how it works.
I found some schematics at web a few months ago. I will try to recover it and post here.
It will be wondering if we can get Android Auto Wireless working with these units.
Regards,
Estefano
BobM2019 said:
I have been busy, so it took me some time The output of DLT Viewer will probably make no sense to many people, but you can draw your own conclusion at the end. I uninstalled and re-installed everything from scratch to note down each step. This assumes that you have exported the spy logs using code 1111 and that you have placed them on your PC.
Download a tool to extract the lz4 compressed spy logs.
None of the 7-zip tools/plugins worked for me.
From the command-line you can use one of the binaries here: github.com/lz4/lz4/releases . Simply run "lz4.exe <file name>.dlt.lz4" from the command-line to extract the files.
For a GUI interface, see reboot.pro/topic/22062-lz4-compressor . Within the tool, in the VHD file field you need to select your lz4 file (e.g. "1_startup_20190924_181656.dlt.lz4"). Select the output folder in the Lz4 Folder field. Leave the LZ4 field empty. Click on the COMPRESS button to extract the file (I know, the name of the button doesn't make sense).
You should end up with a .dlt file.
Download and install Visual Studio Community Edition 2015: stackoverflow.com/questions/44290672/how-to-download-visual-studio-community-edition-2015-not-2017
During installation select Custom install and Programming Languages -> Visual C++
Download and unzip DLT Viewer: github.com/GENIVI/dlt-viewer/archive/master.zip
Download and install Qt 5.12.6: download.qt.io/official_releases/qt/5.12/5.12.6/qt-opensource-windows-x86-5.12.6.exe
During installation select the following component: Qt -> Qt 5.12.6 -> MSVC 2015 64-bit
Configure the compiler in Qt
Go to the Tools menu -> Options
Select Kits in the left pane -> Kits tab
Click on "Desktop Qt 5.12.6 ..." under "Auto-detected"
Select for Compiler C: <No compiler>
Select for Compiler C++: Microsoft Visual C++ Compiler 14.0 (amd64)
Compile and run the DLT Viewer project
Within Qt click on Open Project and open the BuildDltViewer.pro project in the unzipped folder of DLT Viewer.
Qt will switch to the Projects page (otherwise click on Projects on the left)
For the Active Project, BuildDltViewer should be selected
Click on Configure Project on the right
Go to the Build menu -> Build Project ...
When the build is finished, go to the Build menu -> Run
Go to File -> Open and open one of the .dlt files.
The DLT Viewer manual can be found here: at.projects.genivi.org/wiki/display/PROJ/DLT+Viewer+Manual
I haven't spent much time looking at the DLT Viewer output, so I cannot help anyone to decipher that. Obviously feel free to share any of your findings.
NAC Wave 2 codes (from German PSA forum)
1111 Spy log generation
1122 Master mask
1130 Information about amplifier, battery etc
1133 Information about radio / received / freq
1134 Information on satellites and services
1135 TomTom version
1136 Information about WiFi devices
1137 current user status, temp.
1138 Linux, USB, processor utilization
1139 GPU memory load
1140 connection status WiFi, tethering, Bluetooth, rndis, IP addresses and MAC addresses and much more.
1141 Connected USB devices
1142 ATB connection
1143 no information without serial connection
1144 tone becomes quieter
1145 Provider status, SMS status
1146 Download status
Hope this would help
Pretty Good work BobM2019!!!
Thank you, I will try it.
For the Swiss man:
What source is the German side for the codes?
When did they write this info?
MitchtheMitch said:
What source is the German side for the codes?
When did they write this info?
https://www.google.com/search?q=peugeot+nac+"1144"+"1155"
Peugeot Naceur wave 2 Continental Serial Connection
With TX and Rx it is possible to get in the serial console of the head unit.
But it asks for a login and password.
Imx6x-std login:
Password:
Tried a lot of things, like root and pass.
Left pass empty but nothing works.
Anybody a clue?
Hi all,
New to Realme, I've only really dealt with more mainstream devices here in the UK (Samsung/Sony/Motorola etc)
I have a TIM Italy branded C21 - RMX3201 that I was hoping to remove the branding from for a 'Global/EU' SIM free variant of firmware. First question: does anyone know if it's possible, or has done it? With it being an MTK chipset, will it be an SP Tool flash as with other devices with their chipsets (CAT, some Motos etc.)?
Build - RMX3201_11_A.36
Baseband - M_V3_P10,M_V3_P10
Kernel 4.9.190
Color OS - V7
Android 10
Any help would be gratefully received
Laird_Attwood said:
Hi all,
New to Realme, I've only really dealt with more mainstream devices here in the UK (Samsung/Sony/Motorola etc)
I have a TIM Italy branded C21 - RMX3201 that I was hoping to remove the branding from for a 'Global/EU' SIM free variant of firmware. First question: does anyone know if it's possible, or has done it? With it being an MTK chipset, will it be an SP Tool flash as with other devices with their chipsets (CAT, some Motos etc.)?
Build - RMX3201_11_A.36
Baseband - M_V3_P10,M_V3_P10
Kernel 4.9.190
Color OS - V7
Android 10
Any help would be gratefully received
Hi, in fact I have no idea.
I believe you can get an answer from the realme community servers; I will send you their Discord and Reddit links.
Remember that these community groups have no staff from realme.
Yes it can be done. Will be able to find details here in XDA, it is engineernetwork mode and I believe it's changing or unlocking country codes/network.
Is simple enough to do, will put a care package together and instructions. It's same process for all realme/oppo. Just not in front of my computer at moment
@Laird_Attwood
1 Activate developer mode
2 Enable usb debugging
3 Download Oppo_Free_Unlock_v1.0.zip file from xda
4 In Windows 10 device property management - NETWORK ADAPTER - THEN UNDER ADVANCED - "network Address" entered code: 3497F6990DEA7 - IF THIS DOES NOT WORK - THEN ADD NEW LEGACY HARDWARE - NETWORK ADAPTER - MICROSOFT - KM-TEST LOOPBACK AND THEN REPEAT ABOVE NETWORK ADDRESS FOR KM-TEST ADAPTER
5 Connect Find X2 Pro is in MTP
6 Open file "Oppo_Free_Unlock_v1.0.zip"
7 Open Sec5.exe
8 Click unlock
9 Number on the left and ok on the right
10 Click Stop unlock
11 Closed Windows Sec5.exe
12 Disconnect Oppo
13 Open dialer and type * # 3954391 #
14 "Switch" appears for a moment
15 Enter * # 391 #
Any troubles, flick me a message or reply
smiley.raver said:
@Laird_Attwood
1 Activate developer mode
2 Enable usb debugging
3 Download Oppo_Free_Unlock_v1.0.zip file from xda
4 In Windows 10 device property management - NETWORK ADAPTER - THEN UNDER ADVANCED - "network Address" entered code: 3497F6990DEA7 - IF THIS DOES NOT WORK - THEN ADD NEW LEGACY HARDWARE - NETWORK ADAPTER - MICROSOFT - KM-TEST LOOPBACK AND THEN REPEAT ABOVE NETWORK ADDRESS FOR KM-TEST ADAPTER
5 Connect Find X2 Pro is in MTP
6 Open file "Oppo_Free_Unlock_v1.0.zip"
7 Open Sec5.exe
8 Click unlock
9 Number on the left and ok on the right
10 Click Stop unlock
11 Closed Windows Sec5.exe
12 Disconnect Oppo
13 Open dialer and type * # 3954391 #
14 "Switch" appears for a moment
15 Enter * # 391 #
Any troubles, flick me a message or reply
I have tried this on the Oppo Find X3 Pro. It found the digits in the left side of the program but won't unlock. Can you look into this please?
Disconnect your ethernet adaptor, then once the KM-TEST loopback has connected as a network, re-enable the ethernet cable. Or use your mobile phone as a tether to your computer, or a wifi adapter, and it will go through