Possible "software" nav hack

[dougdude9]

Ok, so I don't want to get anyone's hopes up nor do I want to get kicked off this board as it as well as it's members have been very beneficial. So, I'm going to be careful here...

Long story somewhat short, I'm too chicken to try the dvd/nav hack where you have to cut some wires and install a switch. So, I started looking for other solutions... maybe it is because I'm an IT guy and I'm convinced their is a software hack. Anyway, I started looking for hours and when I was about to give up, I found that the navteq software for jeeps was indeed hacked. Unfortunately, this is not the same version we use in our M's. I have version 7.4 for my '06 M and the software patch I found is for version "AE." However, this means there might be hope. I will post the details of the hack below without naming where I found because I'm not sure I'm allowed to. Anyway, the forum I found this on has detailed instructions on how to apply the patch. What I'm posting is the manual instructions for modifying the code. ------------------------------

Here are the details of what the patch actually does. You can use a simple binary editor to make these changes to the MAIN.APN file instead of using the patch program. These are edits to version 2.04 of MAIN.APN. They will not be correct for any other version.

At offset 24:3280h in MAIN.APN file- change [41 c1 ca 0f] to [40 41 40 41]- The assembly code changes from [ld.b 4042[r1],r10] to [mov 0, r10 ; mov 0, r10 ]- This is at address 0x78e01a0 in the compiled code, if you want to follow along in a decompiled version- This is in function <_INM_getInMotionZoneFlag>- It forces the return value to 0, which tells a number of other routines that the car is not moving.- Result is several menu commands are enabled that would otherwise be disabled

At offset 31:29aeh in file- change [41 b5 ff 00 ] to [40 41 40 41]- The assembly code changes from [andi 255, r1, r10] to [mov 0, r10 ; mov 0, r10]- At 0x79af8ce in code, function <_MOP_GetNaviMenuStat>- This is one of two edits required to disable the popups when the car reaches the trigger speed- A side effect of this plus the next edit is also enabling many menu items that would otherwise be disabled- As above, this just forces the function to return 0

At offset 31:2A16 in file- change [41 b5 ff 00] to [40 41 40 41]- The assembly code changes [andi 255, r1, r10] to [mov 0, r10 ; mov 0, r10]- 0x79af936 in code, function <_MOP_GetIsInMotion>- The second edit, along with above, to disable popups when the car reaches the trigger speed

At offset 43:1B2E in file- changed [4a 49] to [41 41]- Note, this is a 16 bit instruction, vs. the prior three which converted a 32bit instruction to two 16 bit opcodes- code change is [setf nz, r10] to [mov 1, r10]- address 0x7acea4e in code, <US_MOP_IsInMotionSetting> function- This function normally returns flags for which menu options to enable under different conditions.- Always returning 1 will generally enable everything.- This edit appears to be unessessary with above mods in place, but because I didn't read all 40MB of thedecompiled code I figured better safe than sorry.

Once these adjustments are made to MAIN.APN the checksums at the end of the file must also be corrected to reflect the changes. The C source program to produce new checksums can be picked up from this link.

My binary editor of choice is 010 Editor.

If you choose to do these manually, be sure you know what you're doing. If you corrupt the MAIN.APN file and manage to load it into your Nav you could end up with a disabled unit. Make sure your editor is in overwrite mode, not insert mode. And when you adjust the checksums there should only be one that changes. (#8) If you see several or all of them reported as changed then you did something bad to the file. Or you edited the wrong version.

For those that would like to actually peruse the disassembled machine code, see the other threads on this forum for code disassembly tools

-------------------------If I get the go ahead from a moderator, I will post the link to what I found that has much more detail. Again, this patch is only for version AE which I can tell you will not run on our systems.

One more bit of detail... Apparently the navteq discs are the ones that update the software... it is not just maps on the disc. I've seen several discussions where people thought there was a separate disc to update our nav systems. I don't think this is the case as they stated if the navteq disc has a software update on it, you will see screen prompts to update the software.

This is enough for now. Hopefully I didn't start a long topic. I'm just thinking if this one navteq software is patchable, why can't out navteq software be?

Doug