SID communication finally hacked. Now only analysis and implementation left. On the ICM side - I got compiler, busted mine DVD drive and managed to get internet connection in ICM working with some remote directory to transmit files to internet and to icm ;-)
Senast redigerat av Moderator den 2022-12-15 klockan 23:15.
Anledning: Ingen idé att citera hela texten när inlägget kommer direkt efter det som citeras
Could you provide some more information ? Did you manage to display custom messages on SID ?
I am also interested in hacking & playing a bit with qnx. I have a c++/unix background but not so good embedded development knowledge. So as a saab owner spending some free time on ICM3 sounds great.
For beginning did you find a way to have terminal access without dismantling the icm ? The .sh file that can be run from cd on boot sounds that it could make life much easier for any modification.
The biggest problem would be that there are few other interfaces to the ICM than the serial port. Possibly, if one could hack the internet connection and use that as a way in, no hardware mod should be necessary.
Enabling a telnet daemon (if available) and modifying system for internet access (over GPRS TEL2 ?) would be a very good start ! Making possible the above using a cd startup shell script would be the way to go !
Senast redigerat av sfotis den 2014-12-03 klockan 19:56.
Here in Poland GPRS connections have all ports blocked. TELNET daemon is available and it is possible to start it using CD .sh file. To do this you need to start inetd and that's all. Serial terminal connection is cheapest solution. If you have SIM slot in trunk, you can setup GPRS connection and connect to NFSv2 share - you will be able to transfer files (on icm) from remote directory and to remote directory. Speed is not that great, stability too, but it works and is most reliable way of extracting ICM files.
I have knowledge of how ICM-SID communication works, what hardware layer it uses etc. I'm now checking and analyzing single data packets. Really soon it should be possible to display custom text on SID.
My knowledge on ICM so far is somehow like this:
It uses customized, embedded QNX version 6.0. GUI uses Photon libraries, Q2SD driver for video signal.
There're two major revisions (i know of) of OS. They have different Main Menu layout. one with "Office" position is older. They identify themselves as:
QNX QNX-R4CP 6.00 2002/04/16-07:44:15EDT SAABOCP shle
QNX OCP-32M 6.00 2003/09/22-13:17:27EDT SAABOCP shle
Every "module" (Radio, Phone, CD, etc.) is separate process in this system. I think they communicate using nodes in /dev and appear as "devices"
Processes such as procmgr,systemmgr communicate with "outside world", probably through EEM which have serial connection (/dev/ser1 or ser2 IIRC) with the chip on top board.
It is possible to enable more verbose working of such processes using verbose command.
verbose -n systemmgr -v 0 -> silent work of systemmgr
verbose -n systemmgr -v 3 -> most verbose work of systemmgr
As far as Video parts go:
OCP board generates RGB signal with separate Sync. Older units have SAA7118 chip with round connector on back of unit. It is Video input controlled by "phantomnav" process.
SAA switches icm and external inputs and is controlled by i2c bus.
Units with SAA chip produce composite sync signal and units without this chip generate two separate sync signals - horizontal and vertical.
Video signal is transfered on ribbon cable directly to faceplate board (with buttons and LCD).
obd tool is available only in newer software. I have not found any good use for this. hd tool displays binary data on serial terminal - I used it to extract single files from ICM such as original logo. Not very reliable, but usefull.
QNX equivalent of gnu ps is pidin. kill is slay in QNX.
There's probably more, but I think this are most important information on ICM which I gathered.
I will have to check the GPRS solution since I have a TEL2 installation ! I will drop a .sh file on CD to start inetd and I will afterwards check on how things work. BTW should the name of the .sh file have a specific name ? Or it will run any .sh file ?
If I remember well there used to be a CD, which with the help of TECH II, would SPS the ICM3 unit ? Ever heard of it ? Maybe this could provide a means of installing a modified image (provided that they did not use any exotic encryption or coding for the image), or even bring back from the dead a bricked ICM3. What do you think ? Could we get a hold of this CD somehow ?
My ICM3 unit is the old version, which has the video input connector and the Office menu (2004 model). I tried in the past to enable ES4 features (advanced avr) but it was impossible. Do you know any means of enabling ES4 on pre-2005 models ? SPS maybe ?
Sh file needs to be ba__door.sh I don't remember what kind of line endings - i think that would be just \n. Inetd should be in /bin so it is in %path%.
CD you're talking about is refered to as TIS2000- ICM3 UPDATE. It should contain one or more spc/spx files. I would love to get hold of this cd. Maybe you will have more luck in sweden? So far I have only photo of how it looks ;-) filesystem image on this cd is probably only gzipped file refered to in sp file. Tech2 sps starts minimalistic version of icm software to read file from dvd and start flash process. It does not need proper firmware to exist on icm. If you have right file on dvd and working system, update will start automatically without tech2.
On my videoin unit there were no files responsible for avr so I guess you will need to update it with this inaccessible disc to get adv. Avr ;-)
Also reporting progress on SID protocol analysis. It looks like sid gets most texts on power on and displays them as "layers" :-) that way if they want to display some characters, icm sends only layer id to display ;-)
The name ba__door.sh sounds like a deliberate left over from the developers
I will try to ask some technicians from SAAB here in Greece (I am not in Sweden) and see if I can get a hold of this CD (hopefully they have a copy somewhere ...) !
I think that if it will be possible to display custom text & icons on SID or ICM3 screen (the later would require a working SDK of the system and libraries in use), the possibilites are countless ! For example one could replace the navigation executable with a custom executable, which in turn will allow access to newly implemented features, and also provide access to the original (now renamed) navigation executable.
Edit:
I downloaded two directories from ICM3: /etc with config files and /sbin with utility scripts.
Packaged files download: http://saab.z90.pl/data/public/06db21.php
Senast redigerat av bojer den 2015-02-02 klockan 16:15.
Anledning: add download url
Bojer, I've been searching around the Internet and haven't found a decent way to download (or upload) files to the ICM 3. How did you manage to get those files that you linked?
What you need is terminal software with zmodem capabilities for your operating system, HyperTerminal works perfectly fine in Windows (pre-7 but you can install HyperTerm in 7). You then connect to the ICM, choose the file and type something like (can't remember exact syntax, just type the command and it should give some hints): qtalk "file" at which time it will send some special commandos over the serial line and HyperTerminal will activate the zmodem download mechanism and offer you to save the file it's recieving.
Another thing about ICM:
If you disable (or slay navigation software hard enough) you can display all sort of icons on SID!
You just have to put info to /dev/navhpd
echo -e "a-X{distance}"
where X is icon symbol and {distance} is: Uabcd, abcd being four letters/digits and U:
\0000 m
\0001 km
\0002 yd
\0003 mi
For example:
echo -e "a-B\0001650" > /dev/navhpd
Will display Washer fluid icon with 650km text below icon.
Behörigheter för att posta
Svara med citat
