Carminat Live Navcore 9.844 patching and map activation

no,,,,, nothing yet

Links to other forums are not allowed.

tendriver
Super Mod

Except that the Carminat also has an internal memory with some information, including an ID.
When loading it will see that the map is not signed to its ID and the map will be disabled. The signature present will be to the ID of the original owner.

GOOG

Hi all,

I want to share my progress on hacking TT Carminat Live.

There is an UART with Linux root console:

To do a backup you need 3 Gb of free space on sd-card and three hours of time(+/-):

Hidden Content

This board requires you to be registered and logged-in to view hidden content.

There is 2Gb emmc memory in my device, but i have seen device with 1 Gb.
eMMC contain 6 partitions on userdata flash:

Code:

# fdisk -l /dev/mmcblk0

Disk /dev/mmcblk0: 2000 MB, 2000683008 bytes
1 heads, 16 sectors/track, 244224 cylinders
Units = cylinders of 16 * 512 = 8192 bytes

        Device Boot      Start         End      Blocks  Id System
/dev/mmcblk0p1               1        4481       35840+ 83 Linux
Partition 1 does not end on cylinder boundary
/dev/mmcblk0p2            4481        4489          64+ da Unknown
Partition 2 does not end on cylinder boundary
/dev/mmcblk0p3            4489        5769       10240+ 83 Linux
Partition 3 does not end on cylinder boundary
/dev/mmcblk0p4            5769      244224     1907646   5 Extended
Partition 4 does not end on cylinder boundary
/dev/mmcblk0p5   *        5769      243968     1905597  83 Linux
/dev/mmcblk0p6          243969      244224        2047+ df Unknown

p1: Recovery partition with linux kernel and root. Device boot to it in case of update or fails. DO NOT MOUNT IT!!!! After mount it will become unbootable.
p2: FDT. As i understand this partition contain some config for the device. Include serial number.
p3: Config partition. Looks like config of main tt tool.
p4: extended
p5: /content/. The biggest partition of the device. It contain two main files: zImage and root.img.
p6: U-Boot partition. Can't be modified. Device will not boot in case of modify.

Boot process(as i understand it):
1. CPU load bootloader stage 1 from boot part of emmc(it is not p6)
2. Stage 1 verifying Stage 2(p6) and if checksum match - boot it.
3. Stage 2 read uboot.conf from p5.
4. Stage 2 read zImage from p5 and if it is exist and check sum is ok - boot it with next parameters: root=/dev/mmcblk0p5 ro loop_file=/content/rootfs.img console=ttySAC0,115200 sysboot_mode=watchdog snd-soc-core.pmdown_time=-1 lpj=1327104 bricknum=0
The main parameters are root and loopfile. They tells kernel to mount /content/rootfs.img(from p5) as a root partition.
Before mount of rootfs.img kernel will verify checksum.
4a. If p5: zImage does not exist U-Boot will try to boot p1: zImage. p1 will be mounted and verified with the same algorithm as root.img.

Description of root.img verifying algorithm:


Description of zImage verifying algorithm:


I got the direct access to emmc userdata partiton and have pinout to access it without unsoldering, but i can't do that yet, maybe the is some mistake in pinout. Will check later.


I tried to get uboot console, but fails. Looks like it is completely locked.

I tried to run some other binary, but it is blocked with noexec mount option. All mount points except root are mounted with noexec and can't be remounted with exec option.

* In addition, post_mount() and post_remount() security handlers are installed
* that force the nodev, nosuid and noexec options on any mounted file system
* that does not reside on a loop device that uses this driver.

There is some kind of eeprom memory: "/sys/class/i2c-adapter/i2c-0/0-0050/eeprom". It contains p2 and something more. This memory is writable. Can be modified with dd.

There is interesting tool "chfdt". It allows to change serial number of device. Maybe it is possible to clone device and use it maps on another device. If somebody is ready to try this - ping me in PM. I will share my serial and maps. But it can be dangerous and can break your device.

It is possible to downgrade device to any version of 9 navcore. I successfully downgraded my device from 9.884 to 9.844 including bootloader. Ping me if you want to know how to do that.

Some useful commands:

Hidden Content

This board requires you to be registered and logged-in to view hidden content.

Useful links and data:

Hidden Content

This board requires you to be registered and logged-in to view hidden content.

Currently i'm trying to find jtag pins and some special pins which should allow me to load bootloader from sd-card.
Also i'm looking for dump of device with navcore 9.842. I need bootloader from this version.
In case you know how to jtag arm - ping me. Have no experience with that.

P.S. Sorry for my bad English.

The bootloader, if updated should be withing the Cab file, if I am not mistaken in one of the image files.

Yes, you are right. uboot_partition(part of ttsystem file) is a bootloader dump. Update procedure is a simple dd.
But, I can't find ttsystem of 9.842.

@sspeaker: Do you think it's possible to unlock bootloader this way (connect to uart, and replace the images)? (To install additional software like tomplayer)

@Sapd1: No. Replacing of image(p6) will break device(tested ). But, connection to eMMC and replacing boot0/1 partitions should help.

Hi

still no luck with a patch for Carminat live versions? latest is 9.884 I believe (and not 9.844 as I used to think)

good luck and thanks for your work

You can be sure that if someone would have cracked it we would have posted it

Hi all,

I was checking back for updates, there's a link on the first post about map sharing between carminat live users. the link is dead. Is this still possible? I can't seem to find anything related to that.

thanks

Hi for all.
I need help my Carminate Live.
I have version 9.884.Do you possible install version 9.844 Navcore patch?

Thxxxx

Hi all,
Did someone find the way to crack the tomtom carminat live navcore 9.844?
Does exist the way to run navcore from an SD?

Regards!

No.