Loading.kwi – Analyzing (patching?) the Denso Navigation firmware…
I purchased a used Lexus not terribly long ago with Factory navigation. I also had a Mitsubishi which had it. And both apparently used the same Navigation software, done by Denso. The lockouts and nag screen have finally pushed me to the edge of starting to dig into the mechanisms by which these work. I will update this posting with new details as I find them, so feel free to watch this post if interested.
First off I did my due diligence and Googled around. There have been a few hacks on this over the years, but no major advancements into how it works that are openly disclosed. On the Mitsubishi front the most successful of these attempts actually accomplishes all my objective goals; however, the author sells his exploit and thus I suspect I might not get much information from him. Regardless, I have sent an email requesting some pushes in the right direction.
The primary target file which these units use is the file “loading.kwi” which appears to contain firmware for the hardware of the various cars. In most cases this file seems to include multiple similar firmware modules (embedded) for slightly different hardware that would utilize the same Nav DVD. I’ve found the original python script by Bert (http://biot.com/blog/navigation-dvd-hacking) and with a small bug fix it properly parses these newer files.
So far I have now identified that the U25 (10.1) and U27 (12.1) releases have identical firmware modules for the 4 hardware iterations embedded in them:
foglem@sixcore:~/kiwi/U25 10.1/out$ md5sum *
0a61788053d3bc32c47e1043a4428d1e AC08
f3fa006e5d35bd754d1bcd462166b721 AC10
8071072c0a53048ef5713b612e864546 AC12
a10a9240c2bb94c447b691c2f8db8d09 TY00
foglem@sixcore:~/kiwi/U27 12.1/out$ md5sum *
0a61788053d3bc32c47e1043a4428d1e AC08
f3fa006e5d35bd754d1bcd462166b721 AC10
8071072c0a53048ef5713b612e864546 AC12
a10a9240c2bb94c447b691c2f8db8d09 TY00
This of course indicates the hybrid discs (Google if you don’t understand what this is) for release 12.1 are just as effective as the 10.1. I’d be curious about testing previous releases of loading.kwi if anyone has them to split into these files. I wonder when the changes (if any) actually occurred.
Next up is looking for the loading address and entry points to load this up in IDA and start working out what is what.
In addition I’ve seen references to indicate the firmware files are most likely checksum’d or hashed so that the Nav can validate the software. I’ll have to perform some tests to confirm.
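The checksum question can be tested directly rather than guessed at. The script below is an added example, not code from the original post, from Bert's parser or from Denso: the layout of loading.kwi and whatever integrity scheme the head unit really applies are unknown here, so it works on a constructed byte string and probes each extracted module for the usual low-cost candidates, an additive checksum (8/16/32-bit), CRC-32, or a raw MD5/SHA-1 digest, stored either as the first or the last field of the module. A hit for sum32 or CRC-32 means the unit could be validating the module with something trivially recomputable; no hit at all suggests a vendor-specific or keyed scheme (or a signature), which is the case that matters before anyone considers modifying these files.

```python
"""Probe a firmware image for a simple leading or trailing integrity field.

Added example, not from the original post. The sample image is constructed;
the real loading.kwi modules would be fed in via open(path, "rb").read().
"""
import hashlib
import zlib
from typing import Callable, Dict, List, Tuple

# name -> (field width in bytes, function computing the value over the covered bytes)
CANDIDATES: Dict[str, Tuple[int, Callable[[bytes], int]]] = {
    "sum8":  (1, lambda b: sum(b) & 0xFF),
    "sum16": (2, lambda b: sum(b) & 0xFFFF),
    "sum32": (4, lambda b: sum(b) & 0xFFFFFFFF),
    "crc32": (4, lambda b: zlib.crc32(b) & 0xFFFFFFFF),
    "md5":   (16, lambda b: int.from_bytes(hashlib.md5(b).digest(), "big")),
    "sha1":  (20, lambda b: int.from_bytes(hashlib.sha1(b).digest(), "big")),
}
# Digests are byte strings; only a big-endian reading of the field is meaningful for them.
DIGESTS = {"md5", "sha1"}

Hit = Tuple[str, str, str, int]  # (algorithm, placement, byte order, value)


def _byte_orders(name: str, width: int) -> Tuple[str, ...]:
    # A one-byte field and a digest have only one sensible reading.
    if width == 1 or name in DIGESTS:
        return ("BE",)
    return ("LE", "BE")


def find_checksum_candidates(data: bytes) -> List[Hit]:
    """Report every candidate whose value over the rest of the image equals the
    field stored at the image's start (header) or end (trailer).
    A sum8 hit is weak evidence on its own: a random byte matches 1 time in 256."""
    hits: List[Hit] = []
    for name, (width, fn) in CANDIDATES.items():
        if len(data) <= width:
            continue
        for placement in ("trailer", "header"):
            if placement == "trailer":
                covered, field = data[:-width], data[-width:]
            else:
                field, covered = data[:width], data[width:]
            expected = fn(covered)
            for order in _byte_orders(name, width):
                stored = int.from_bytes(field, "little" if order == "LE" else "big")
                if stored == expected:
                    hits.append((name, placement, order, expected))
    return hits


def build_image(body: bytes, name: str, order: str, placement: str = "trailer") -> bytes:
    """Construct a test image carrying the named integrity field (used for self-checks)."""
    width, fn = CANDIDATES[name]
    field = fn(body).to_bytes(width, "little" if order == "LE" else "big")
    return body + field if placement == "trailer" else field + body


# Constructed sample payload: 1025 bytes whose byte sum is 0x1FE5A (4 * 32640 + 0x5A).
BODY = bytes(range(256)) * 4 + b"\x5a"

if __name__ == "__main__":
    for label, image in [
        ("sum32/LE trailer", build_image(BODY, "sum32", "LE")),
        ("crc32/BE trailer", build_image(BODY, "crc32", "BE")),
        ("md5 header", build_image(BODY, "md5", "BE", "header")),
        ("no field", BODY),
    ]:
        print(f"{label}: {find_checksum_candidates(image)}")
```

On real modules, run it over each file the parser splits out (AC08, AC10, AC12, TY00) and, if nothing matches, widen the search to fields inside a header structure rather than at the extreme ends; the function is deliberately limited to the two positions where a quick confirmation is cheapest.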