Ideas for data to grab #1
Comments
|
cannot test it now but latest version should produce something as this: |
|
i keep receiving following error message other than that it is working :-)
|
|
maybe following data can be also loaded from some persistence channels? (maneuvr, destination dist) |
|
In the car right now, going through the green menu to see what other live data is displayed there. Dead reckoning has Speed and Heading In the past I wrote a persistence address scanner, that would go over a range of addresses to see whats there. I never used it while driving, or navigating/playing audio in Android Auto, so maybe there's more useful info there. If only we could get the exlap data from the console... Then we would have whatever data we want! Transmission temperature would be the most interesting. |
|
Can you specify which script it is using? Also please specify full path where you find this so i can try to replicate at my car. |
|
Yes, I'm in the office now so I can check the .esd files to see where they get their data. I'll get you a list of persistence addresses for these data elements in about an hour. |
|
The following elements are found in the green engineering menus (esd files), which all represent persistence coding addresses we can call with the pc command: speed: int per 0x01c500e6 108 road attributes: 0x01c500e6 111
map position: 0x01c500e6 110
About the AndroidSensors, address 1304 210 holds the update frequency.. If it's 0, the data isn't refreshed. So I think we need to set: During a persistence scan in 2020, I found the following addresses to be valid within this partition: And then there are some other data elements related to media, although I haven't checked them yet: And these could be useful for a proof of concept: I got data from these. I'll search some more elements. Driving state: String 0x01be00df 501 |
|
Did some more research, unfortunately i don't have access to the MIB2 at work, because that would make life easier. #!/bin/sh
. "/scripts/commonConfigExchange.sh"
setup_mmx()
{
${MOUNT} -uw "/mnt/system"
${MV} "${MMX_CFG_DIR}/rdiserver.json" "${MMX_CFG_DIR}/rdiserver_exlap.json"
${MV} "${MMX_CFG_DIR}/rdiserver_full.json" "${MMX_CFG_DIR}/rdiserver.json"
${MOUNT} -ur "/mnt/system"
${SYNC}
slay rdiserver
}
if [ -e "${MMX_CFG_DIR}/rdiserver_full.json" ] ; then
setup_mmx
${ECHO} "Done."
else
${ECHO} "Target is already configured for sdis communication."
fi
no idea what this does, but the contents of rdi_server_exlap.json is as follows: {
"baselibname" : "exlap_plugin",
"path" : "/eso/bin/apps/",
"ignore_plugin_errors" : true,
"supervision" : {
"queue_error_level" : 200,
"queue_warning_level" : 150,
"queue_stay_time_ms" :1000,
"update_cycle_ms" : 4000
},
"datastorage" : {
# location where to store the files
"location" : "/tmp/",
# maximum filesize for one file in kilobyte
"max_file_size_in_kb" : 2000
},
"connectivity" : {
"add_dlink" : false,
"add_local" : true,
"bind_retry_count" : 100,
"bind_retry_sleep_time" : 100,
"listener" : [
{
"name" : "uap0",
"type" : "wlan"
},
{
"name" : "ncm0",
"type" : "usb"
},
{
"name" : "mlan0",
"type" : "wlan"
}
]
}
}
Looks like it can write exlap data to /tmp, next to having it avialable on the local network. |
|
on -f mmx /net/mmx/mnt/app/eso/bin/apps/pc b:28836065:40 this is working well for me but address 1304 there is nothing :-) EDIT: you been right first you need to write to update GREAT SUCCESS!!! road attributes: 0x01c500e6 111 && map position: 0x01c500e6 110 are for integrated navigation :-/ so that is no use for AA integration if we can only somehow find out this maneuvr position somewhere in the memory then it will be posible to render "next move" with proper arrow, distance and everything 😢 |
|
Awesome!!! Let's scan some more partitions and addresses to see what's there. There is a Car partition |
|
problem is if you need to write something somewhere before those data are visible... but based on android auto data i can make it auto-enable and auto-disable so when there is no android auto running VC will return to normal in-car navigation map :-) it will be so awesome also in case that we cannot use on -f mmx to read data from some part of memory we can still try to read GAL process memory from python (something like trainer for games) and get the data that way |
|
maybe we can also take next turn from GAL logs there should be
|
|
Sounds like a good idea!! |
|
now the question is where is the log file :-) and can we point it to /tmp folder to not kill internal memory? parsing log in python should be quite easy task |
|
maybe this? and where is the resulting file stored? |
|
If I remember it correctly, the file is written to a specific debug console, when you're connected to a specific port on the device. Check this script out, it can get info from persistence address (not my script) #!/bin/sh
revision="persistance v0.1.3 (2023-05-16 by MIBonk)"
# use --help for more info
export PATH=:/proc/boot:/sbin:/bin:/usr/bin:/usr/sbin:/net/mmx/bin:/net/mmx/usr/bin:/net/mmx/usr/sbin:/net/mmx/sbin:/net/mmx/mnt/app/armle/bin:/net/mmx/mnt/app/armle/sbin:/net/mmx/mnt/app/armle/usr/bin:/net/mmx/mnt/app/armle/usr/sbin
export LD_LIBRARY_PATH=/net/mmx/mnt/app/root/lib-target:/net/mmx/mnt/eso/lib:/net/mmx/eso/lib:/net/mmx/mnt/app/usr/lib:/net/mmx/mnt/app/armle/lib:/net/mmx/mnt/app/armle/lib/dll:/net/mmx/mnt/app/armle/usr/lib
export IPL_CONFIG_DIR=/etc/eso/production
thisname="$(basename $0)"
thisdir="$(dirname $0)"
if [ -z $LOG ]; then
. $thisdir/../config/GLOBALS 1> /dev/null
fi
if [ -f $TMP/reboot.mib ]; then
echo "Reboot running..."
return 2> /dev/null
fi
if [ ! -z $2 ]; then
VALUE=$1
else
VALUE=""
fi
case $VALUE in
-r) {
trap '' 2
PART=$2
START=$3
END=$4
if [ -z $END ]; then
END=$(echo $START + 1 | $BC)
else
if [[ $END -le $START ]]; then
END=$(echo $START+1 | $BC)
else
END=$(echo $END+1 | $BC)
fi
fi
echo -ne "part-dec,part-hex,a$DDr-dec,a$DDr-hex,data,object\n"
while [ $START -lt $END ]; do
VALUEHEX=0x$(echo "obase=16; $START" | $BC)
PARTHEX=0x$(echo "obase=16; $PART" | $BC)
echo -ne "$PART,$PARTHEX,$START,$VALUEHEX,"
OBJECT=",blob"
SUBJECT="$($PERSR $PART $START -t blob 2> /dev/null)"
if [ -z "$SUBJECT" ]; then
OBJECT=",int"
SUBJECT="$($PERSR $PART $START -t int 2> /dev/null)"
if [ -z "$SUBJECT" ]; then
OBJECT=",string"
SUBJECT="$($PERSR $PART $START -t string 2> /dev/null)"
if [ -z "$SUBJECT" ]; then
SUBJECT=""
OBJECT=",error"
fi
fi
fi
echo -ne $SUBJECT
echo -ne $OBJECT
echo -ne "\n"
START=$(echo $START +1 | $BC)
done
echo -ne "\n"
trap 2
return 2> /dev/null
};;
# help or unknown parameter ------------------------------
*) {
echo ""
echo $revision
echo ""
echo "Usage: "$thisname" [OPTION] <partition> <startadress> [endadress|"
echo ""
echo "Options:"
echo " -r read data"
echo " --help show this help"
echo ""
echo "Note: Backup will only work in RCC bash!"
echo ""
echo "This program is free software; you can redistribute it and/or"
echo "modify it under the terms of the GNU General Public License"
echo "as published by the Free Software Foundation; either version 2"
echo "of the License, or (at your option) any later version."
echo ""
echo "This program is distributed in the hope that it will be useful,"
echo "but WITHOUT ANY WARRANTY; without even the implied warranty of"
echo "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
echo "See the GNU General Public License for more details."
echo ""
echo "You should have received a copy of the GNU General Public License"
echo "along with this program; if not, write to the Free Software Foundation,"
echo "Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA."
echo ""
};;
esac
exit 0
|
|
Small addition to this, while I'm chatting with a friend about this... |
|
yes i seen that too before :-) i would expect that it is using the same channel as telephony or radio data |
|
That would be BAP or CAN |
|
if we can just find some example how to send one of those messages i think we can try to guess what AA message should look like :-) |
|
Forget about earlier script, I found one of my old ones #!/bin/sh
export LD_LIBRARY_PATH=/mnt/app/root/lib-target:/eso/lib:/mnt/app/usr/lib:/mnt/app/armle/lib:/mnt/app/armle/lib/dll:/mnt/app/armle/usr/lib
export IPL_CONFIG_DIR=/etc/eso/production
#info
DESCRIPTION="This script will get info from a lot of persistence addresses and puts it out to sda0"
#optional inputs:
# $1: partition
# $2: start address
# $3: max address to be scanned
#Firmware/unit info:
VERSION="$(cat /net/rcc/dev/shmem/version.txt | grep "Current train" | sed 's/Current train = //g' | sed -e 's|["'\'']||g' | sed 's/\r//')"
FAZIT=$(cat /tmp/fazit-id);
echo "---------------------------"
echo "$DESCRIPTION"
echo "FAZIT of this unit: $FAZIT"
echo "Firmware version: $VERSION"
echo "---------------------------"
sleep .5
#Is there any SD-card inserted?
if [ -d /net/mmx/fs/sda0 ]; then
echo SDA0 found
VOLUME=/net/mmx/fs/sda0
elif [ -d /net/mmx/fs/sdb0 ] ; then
echo SDB0 found
VOLUME=/net/mmx/fs/sdb0
else
echo No SD-cards found.
exit 1
fi
#sleep .5
echo Mounting SD-card at $VOLUME.
mount -uw $VOLUME
sleep .5
echo Creating Dump folder on $VOLUME
DUMPFOLDER=$VOLUME/DUMP/$VERSION/$FAZIT/Persistence/
mkdir -p $DUMPFOLDER
IDFILE=$DUMPFOLDER/id.txt
PARTITIONFILE=$DUMPFOLDER/partition.txt
NOW=$(date)
if [ "$3" != "" ]; then
MAXSCAN=$3;
else
MAXSCAN=100000000;
fi
echo "Scanning partition $PARTITION"
if [ "$2" != "" ]; then
ADDRESS=$2;
echo "Starting at $ADDRESS"
else
if test -f "$IDFILE"; then
echo "$IDFILE found"
#read last known address from id-file
read ADDRESS < $IDFILE
echo "Continuing at $ADDRESS"
else
echo "It looks like this is the first time scanning, starting at 0"
ADDRESS=0
fi
fi
if [ "$1" != "" ]; then
PARTITION=$1;
echo $PARTITION > $PARTITIONFILE
else
if read PARTITION < $PARTITIONFILE ; then #this if for session continuation
echo "Reading last used partition from SD"
else
exit 1
fi
fi
#sleep .5
#starting loop
while [ $ADDRESS -le $MAXSCAN ]
do
#echo "-----------------"
echo "Scanning $PARTITION:$ADDRESS"
#first check if ths address even exists or causes a time-out.
PERSISTENCEDATA="$(on -f mmx on -f mmx /net/mmx/mnt/app/eso/bin/dumb_persistence_reader $PARTITION $ADDRESS 2>&1)"
if [[ "$PERSISTENCEDATA" == *"PERS_STATUS_TIMEOUT"* ]] ; then
if echo $PARTITION";"$ADDRESS";TIMEOUT" >> $DUMPFOLDER/persistence.txt ; then
echo "Timeout, skipping address"
else
echo "Scan cancelled"
exit 1
fi
elif [[ "$PERSISTENCEDATA" == *" PERS_STATUS_TYPE_MISMATCH"* ]] ; then
echo "Type mismatch, trying integer"
PERSISTENCEDATAI="$(on -f mmx on -f mmx /net/mmx/mnt/app/eso/bin/dumb_persistence_reader $PARTITION $ADDRESS -t int 2>&1)"
if [[ "$PERSISTENCEDATAI" == *"PERS_STATUS_TYPE_MISMATCH"* ]] ; then
echo "Type mismatch, trying string"
PERSISTENCEDATAS="$(on -f mmx on -f mmx /net/mmx/mnt/app/eso/bin/dumb_persistence_reader $PARTITION $ADDRESS -t string 2>&1)"
if echo $PARTITION";"$ADDRESS";string;"$PERSISTENCEDATAS >> $DUMPFOLDER/persistence.txt ; then
echo "DATA FOUND:"
echo $PERSISTENCEDATAS
else
echo "!Scan cancelled"
exit 1
fi
elif [[ "$PERSISTENCEDATAI" != *"ERROR"* ]] ; then
if echo $PARTITION";"$ADDRESS";integer;"$PERSISTENCEDATAI >> $DUMPFOLDER/persistence.txt ; then
echo "DATA FOUND:"
echo $PERSISTENCEDATAI
else
echo "!Scan cancelled"
exit 1
fi
fi
elif [[ "$PERSISTENCEDATA" == *"PERS_STATUS_DOES_NOT_EXIST"* ]] ; then
:
#do nothing
else
if echo $PARTITION";"$ADDRESS";blob;"$PERSISTENCEDATA >> $DUMPFOLDER/persistence.txt ; then
echo "DATA FOUND:"
echo $PERSISTENCEDATA
else
echo ""
echo "!Scan cancelled"
exit 1
fi
fi
#only write the ID to the text once every 100 times, to speed up.
if (( $ADDRESS % 100 == 0 ))
then
if echo $ADDRESS > $IDFILE; then
echo "writing to id.txt to save scan session"
echo "Scanned $PARTITION until $ADDRESS at $NOW" > $DUMPFOLDER/scanlog.txt
else
echo ""
echo "!Scan cancelled"
exit 1
fi
fi
#increase the address with 1
ADDRESS=$(( $ADDRESS + 1 ))
done
# Make readonly again
mount -ur $VOLUME
echo "Persistence scan done"
exit 0I did some scanning of the persistence addresses while I was on the road, navigating in Android Auto and playing music. So far I have the following results from some partitions (nothing of real use here, and I just scanned the first 2000 addresses of each partition):
Here's an overview of all partitions that I currenly know about:
|
|
Finding some bigger data elements in the Smartphone integration partitions, in a format unknown to me. I'll paste it all here, maybe you have an idea. Edit: GZIPped data! I'll dive into it.
|
|
even after ungzipping i cannot tell what it could be :-/ |
|
Me neither.. probably something that's not of use. Could even be just the saved radiostations or something like that. |
|
smarphone integration field actually have some string inside it no idea what they mean î � �00a663f63b2ad7bb �2B071FDH3003YV c4904e74fcc85bd6618742b77853c5ee � |
|
Might be some kind of sessionkey, or identifier for the android auto session? |
|
I'll put my MIB2 on desk in the afternoon and do some more readings. |
|
do you know what is the cheapest MIB2 unit i can get my hands on which will still behave internally as my MIB2.5 discovery pro? If i can develop on bench i think i will be able to find out how to read DSI or exlap. |
|
Any MIB2High unit can become a MIB2.5 Discover Pro. |
|
Scan on desk is running.. which is a lot more confortable than in the car. |
|
Scanning continues today, working from home so I can keep my eye on the progress. I'm scanning each partition from 0 to 5000. Some partitions lead to timeouts all over the place. By the way, I get some log data on the console that looks like this:
I'll see if enabling more traces in the green menu will lead to more useful info. |
|
where you get this log from ? is it /var/log or where it is stored? |
|
It's on the MMX console, so written to stdout, |
|
which is /dev/stdout? |
|
yes, although I'm not sure if anything is communicated when nothing is connected to mmx or rcc console. |
|
dsi.debuginfo.B2.67.MIB_DSI_2016_KW28-16.28.0.xml.zip This could be useful |
|
DSI will contain all required data now just find a way how to tap into them :-D |
|
Driving state: String 0x01be00df 501 those are not available for me (using following for example) on -f mmx /net/mmx/mnt/app/eso/bin/apps/pc s:29229279:501 any idea how to reach those? |
There are a few data elements you can grab from the persistance channels.
I know of the following:
These are used in the Android Auto Sensors green menu screen.
It should be possible to grab the Exlap data as well, but I never figured out how... would be lovely to be able to send the transmission temperature to the AID, since this data element isn't available anywhere else.
You can grab them with pc
The text was updated successfully, but these errors were encountered: