Tell

Updating the inbuilt Mib2 Satnav / Mib2 tricks and Mib1

springerFR

Active Member
Jan 22, 2014
25
0
South Wales
Hi I been following the threads and some of it is a little over my head.
but as Keithjeb suggests wouldn't imageing software image the data
from one sd card to another giving an exact duplicate (clone)?
 

CyberGene

Active Member
Apr 26, 2008
306
1
Sofia, Bulgaria
Unfortunately not. There is a protected area which is read only and can't be overwritten on another SD. Well, almost ;) There might be ways which would require quite some hacking though.
 

phil750

Active Member
Jul 24, 2012
213
1
hey got my leon last week so been reading through,

i have some forensic imaging software used by law enforcement (i have a degree in forensic computing)

so when i have a spare 10 mins il give imaging ago, should just do a bit by bit image including the hidden parts.

If that dont work il see if i can have a look at the files and see what i can come up with!
 

keithjeb

Active Member
Nov 1, 2013
187
1
Unfortunately not. There is a protected area which is read only and can't be overwritten on another SD. Well, almost ;) There might be ways which would require quite some hacking though.

Have you tried it? DD will copy various bits of data that aren't visible to the OS, but are still on the disk.

A CID lock should be breakable, it was on the garmin maps. obvious way would be to do a scan for it. I'll grab an 8gb card from asda tomorrow and give it a crack with DD, then seeing if I can locate the CID anywhere.
 

Taff

Full Member
Jun 10, 2002
82
0
South Wales
Just sharing some information about my 5F0.919.866.C SD card with everyone. I can reading the CID using (cat /sys/block/mmcblk0/device/cid), and I get:

09 4150 4D49425354 10 73C41437 0 0CC 00

Breaking down the fields I have:

Manufacturer ID: 09 h (assigned by SD card association)
OEM/Application ID: 4150 h (Assigned by the SD-3C LLC)
Product Name: 4D49425354 h
Product Revision: 10 h
Product Serial Number: 73C41437h
Manufacturing Date: 0CC h

Date: 12/2012
Name: MIBST

USing (cat /sys/block/mmcblk0/size), it returns 16152576

So Size of my card = 16152576 x 512 = 8270118912 bytes

Using Gparted, I can confirm it reads the following info:

Cylinders 1005 Heads 255 Sectors/track 63

Total sectors: 16152576
Sector size: 512

Existing partitions:

File System: unallocated
Size: 4.00 MiB
First sector: 0
Last sector: 8191
Total sectors: 8192

Files System: fat32
Size: 7.70GiB
First sector: 8192
Last sector: 16152575
Total sectors: 16144385


As I mentioned earlier this appears to be a special SD card in that it actually holds more than the usual 8GB. If I compare this with aa TDK 8GB SDCARD you can buy off the shelf.

Name: SD08G, but printed on the back is SD-K08G
/sys/block/mmcblk0/device/cid: 2750485344303847307ceecef300b900
/sys/block/mmcblk0/size: 15564800 (7969177600 bytes)

Cylinders 968 Heads 255 Sectors/track 63

Total sectors: 15564800
Sector size 512


I don't have or know of any tools to read/check the 'protected area' of the card. Not sure where else to look apart from using VCDS cable when it arrives.

Taff
 

CyberGene

Active Member
Apr 26, 2008
306
1
Sofia, Bulgaria
Taff, those are some quite interesting and useful discoveries, thanks for sharing it!

May I ask what hardware/software/OS you are using to read the CID and have it mounted in /sys/block/mmcblk0/device/cid? Seems this is Linux but I am wondering if you use an additional software in order to read and mount it. I am using Mac OS X and seems I am able to only browse the Fat32 partition through /Volumes/..., but I guess there might be a way to use the software you are using.
 

Taff

Full Member
Jun 10, 2002
82
0
South Wales
I am using standard Linux Ubuntu 12.04 LTS distro.

There is no SW needed to install to read back the CID. The laptop I am using has a built in SD card reader, don't know of the top of my head what SD card controller is used in the laptop. I can find out if needed.

In fact I can also confirm, as a possibly easier option is to download and boot from USB/CD/DVD "partedmagic.com/". Once booted you can open up a terminal and get the same info without having to install Linux on your machine (ala live CD style).

The added bonus is that you get a Partition editor (Gparted), and also (Clonezilla to make an exact image of your disc (partition and data info). It of course doesn't backup or write the "protected area" of a SD card. Which by definition is "SECURE". As far as I know, it has remained secure to this day.

HTH

PS. In case someone asks, I did use Clonezilla to image my 5F0.919.866.C SD card and restored it to a 16GB SD card, but the SatNav knows its not a valid SD even though the partition size and arrangement and data is exactly as on the original SD card.

There must be more to this protected area or something. I was wondering about this odd capacity size of the original SD card 8.3 GB. Perhaps it simply checks the total sector capacity and if its not what it expects then it fails the first security check?

I also honestly believe there are further checks in SatNav module for validating database versions etc. But this of course is pure speculation. However with some truth as valid SD card but different SW map/database still fails to work.

Can someone else check the reported size of there SEAT satnav SD card to correlate data, please also list our SD card/map part number when doing so?
 

keithjeb

Active Member
Nov 1, 2013
187
1
I am using standard Linux Ubuntu 12.04 LTS distro.

There is no SW needed to install to read back the CID. The laptop I am using has a built in SD card reader, don't know of the top of my head what SD card controller is used in the laptop. I can find out if needed.

In fact I can also confirm, as a possibly easier option is to download and boot from USB/CD/DVD "partedmagic.com/". Once booted you can open up a terminal and get the same info without having to install Linux on your machine (ala live CD style).

The added bonus is that you get a Partition editor (Gparted), and also (Clonezilla to make an exact image of your disc (partition and data info). It of course doesn't backup or write the "protected area" of a SD card. Which by definition is "SECURE". As far as I know, it has remained secure to this day.

HTH

PS. In case someone asks, I did use Clonezilla to image my 5F0.919.866.C SD card and restored it to a 16GB SD card, but the SatNav knows its not a valid SD even though the partition size and arrangement and data is exactly as on the original SD card.

There must be more to this protected area or something. I was wondering about this odd capacity size of the original SD card 8.3 GB. Perhaps it simply checks the total sector capacity and if its not what it expects then it fails the first security check?

I also honestly believe there are further checks in SatNav module for validating database versions etc. But this of course is pure speculation. However with some truth as valid SD card but different SW map/database still fails to work.

Can someone else check the reported size of there SEAT satnav SD card to correlate data, please also list our SD card/map part number when doing so?

When using clonezilla did you set it to clone the partition or the device? Cloning the device should also have cloned the 4mb partition on to the new sd card.
 

keithjeb

Active Member
Nov 1, 2013
187
1
Protected area cannot be cloned. You can read it but cannot overwrite it. Clonezilla won't help.

The protected area that stores the CID yes, I was wondering about the 4mb partition. It looks like I won't get chance to check mine out tonight, but I was hoping that may have data on there coding it to the car, sd card, or version.
 

niggle

Rollin' on 17s, baby!
Jan 28, 2014
459
4
Huddersfield, West Yorkshire
I have the SD card documentation and SPI libraries for the Raspberry Pi to hand. I am going to order an SD card breakout board and start writing some tools to snoop around the CID and other registers on the SD card.
 

CyberGene

Active Member
Apr 26, 2008
306
1
Sofia, Bulgaria
Niggle, I am thinking of doing that too. My idea is to get a SD extension cable or SD-to-SDmini adapter to use as input to raspberry and program the latter to act as a slave, i.e. the raspberry will act as a proxy between the navigation unit and the actual SD card. When it detects read CID command it will return a predefined value, otherwise it will just transfer the communication to the actual SD card. What I am worried is if the raspberry can be programmed to act as a real time device to react fast enough to the clock sygnals from the navigation unit host. I've never really written any system software, I am a Java application developer but all this sounds exciting and the geek in me is thrilled to try it :)
 
Last edited:

niggle

Rollin' on 17s, baby!
Jan 28, 2014
459
4
Huddersfield, West Yorkshire
Wow, emulating the SD card firmware/hardware. That's certainly ambitious. A few challenges that I can foresee:

1. The sat-nav will almost certainly expect to negotiate successfully for high-speed, 4-bit transfer mode.

2. You may need to tri-state the MISO line so that the RPi can respond to the master.

3. You will need to jump in and decouple the SD card's MISO output immediately before it has chance to reply to the GET_CID command. You will also need to watch for when the SD card thinks that it has finished replying and re-enable the MISO output.
 

keithjeb

Active Member
Nov 1, 2013
187
1
Theres been a recent hack published in relation to MITM attacks on sd cards, so its certainly feasible, whether its practical is a different matter.

This is the situation as I understand it so far:
  • Stock maps on new SD card doesn't work
  • New maps on stock SD card doesn't work
  • Theres a 4mb partition on the stock SD card we haven't read yet

I'm without the car to test this week, but will be able to play around identifying if there is anything on that 4Mb partition.

In terms of taking things forward there are a few scenarios:
  1. The 4MB partition contains a version reference, maybe the CID and the Map serial, possibly the VIN
  2. The 4mb partition contains the CID and some map reference, but no VIN
  3. The CID is coded into the car somewhere
  4. The CID is coded into the map files
  5. Theres something else we haven't thought of.

I'll root around the partition this evening and see what I can identify, but it would be useful to know if people have tried swapping the SD card between cars, that rules out 1 and 3 entirely. 1, 2 are going to be solvable unless they've used some insane level of encryption. 3 would require a routine we can hopefully access through VCDS to get the CID in there. 4 would probably be breakable, but is certainly beyond my capability unless its in plaintext.

Does this sound about right to people?
 

CyberGene

Active Member
Apr 26, 2008
306
1
Sofia, Bulgaria
That sounds right to me.

However, in regards to the 4MB partition, my theory is that it's the way protected area is shown to the OS. It is most probably a readable data, however it won't be copied over another card. I could be wrong though. SD cards were created with security in mind and I don't believe they would allow for easy moving of the partition in question between SD cards. Unless of course that's some regular partition created by the guys who created the maps :)

I think that most probably the navigation unit reads the CID from the SD card and matches it against the dbinfo.txt file content. If they match, then "yes, this is genuine SD card with stock content". I have experimented by editing the dbinfo.txt (don't remember what exactly) and the unit have been showing some load progress for some time (minute or so) before telling me the content is not valid. So, even if the CID matches the dbinfo.txt info, the maps are probably parsed and a checksum is calculated and matched against the dbinfo.txt.

In short, the theory again is: CID is read and compared to dbinfo.txt. Maps are loaded, checksum is calculated and compared against dbinfo.txt. Again, this is just a theory and I may be wrong.
 
Last edited:

Taff

Full Member
Jun 10, 2002
82
0
South Wales
Don't forget what's in the J794 module.

Here's what's in mine when I did a scan.

<CODE>
-------------------------------------------------------------------------------
Address 5F: Information Electr. (J794) Labels: None
Part No SW: 5F0 035 858 A HW: 5F0 035 858 A
Component: MU-S-ND-ER 040 0407
Serial number: E5F00506132498
Coding: 04730001FF0A000021111101000800002F0101060100010046
Shop #: WSC 00049 770 00125
ASAM Dataset: EV_MUStd6C3PASE 002029
ROD: EV_MUStd6C3PASE_SE37.rod
VCID: 29591B2F480CF956E3D-807C

Media Player Position 1:
Subsystem 1 - Part No SW: 5F0 919 603 A HW: 5F0 919 603 A
Component: ABTmin_Std_Nv H45 0020
Serial number: SEZ8Z9N5600NSR

Engine Control Module 2:
Subsystem 2 - Part No SW: 5F0 919 866 C HW: -----------
Component: ECE 2013 --- 0021
Serial number: --------------------

No fault code found.

-------------------------------------------------------------------------------
</CODE>

This matches what the SavNav sees when the SD Card is installed.
"Navigation database: 5F0919866C 0021 ECE 2013". See Setup / System Information on the Media System Plus.
 

keithjeb

Active Member
Nov 1, 2013
187
1
Don't forget what's in the J794 module.

Here's what's in mine when I did a scan.

<CODE>
-------------------------------------------------------------------------------
Address 5F: Information Electr. (J794) Labels: None
Part No SW: 5F0 035 858 A HW: 5F0 035 858 A
Component: MU-S-ND-ER 040 0407
Serial number: E5F00506132498
Coding: 04730001FF0A000021111101000800002F0101060100010046
Shop #: WSC 00049 770 00125
ASAM Dataset: EV_MUStd6C3PASE 002029
ROD: EV_MUStd6C3PASE_SE37.rod
VCID: 29591B2F480CF956E3D-807C

Media Player Position 1:
Subsystem 1 - Part No SW: 5F0 919 603 A HW: 5F0 919 603 A
Component: ABTmin_Std_Nv H45 0020
Serial number: SEZ8Z9N5600NSR

Engine Control Module 2:
Subsystem 2 - Part No SW: 5F0 919 866 C HW: -----------
Component: ECE 2013 --- 0021
Serial number: --------------------

No fault code found.

-------------------------------------------------------------------------------
</CODE>

This matches what the SavNav sees when the SD Card is installed.
"Navigation database: 5F0919866C 0021 ECE 2013". See Setup / System Information on the Media System Plus.

Thanks taff, can you check the CID on your card? You'd need a *nix/Linux/Mac based system to do it.
 
Nimbus hosting - Based solely in the UK.