Hacking the GM HMI 2.5 module.

[Troy]

I'm on a quest for hacking the GM HMI 2.5 module to figure out and understand more about its functionality.

This article is a place holder for future findings and experiments.

GM HMI 2.5 EMMC Chip Pinouts for dumping the HMI 2.5 Emmc Micro Chip

For dumping the contents of the HMI 2.5 module's EMMC chip, which stores the Sat-Nav maps, calibration files and other operating files.

 

To be continued 

 

View full article

[16Craz]

Very nice job!

[Cadiblaster]

What are you looking to "hack"? We might have similar ideas...

[Troy]

On 7/17/2021 at 7:28 PM, Cadiblaster said:

What are you looking to "hack"? We might have similar ideas...

I want to active video in motion, reverse camera on, turn off onstar and so forth. Do you have any knowledge for it?

[Cadiblaster]

Don't know about those functions yet, but maybe in time I'll have that sorted. I'll keep you posted.

[HMI_Guy]

Have you discovered the serial console yet?  Once you have this and some knowledge of the OS configuration scripts, full jailbreak is easy. 

[justin101714]

Have you any more information on this console? 

[justin101714]

On 8/17/2021 at 11:02 PM, HMI_Guy said:

Have you discovered the serial console yet?  Once you have this and some knowledge of the OS configuration scripts, full jailbreak is easy. 

Information on this console? 

[HMI_Guy]

Connect to the pins shown to see the Linux console.  You do not need to have the whole system (radio, BCM, etc) hooked up to do this.  You only need power, GND, and communication enable signal on connector X1.   You will see system boot events on console, and then it will go to sleep.  If you have the whole system hooked up, you will see full boot, but will not get a login prompt. 

 

To force system into UBoot, tap reset (pin 2) to GND four times, about one second apart.   After system fails to boot four times, it will drop into UBoot for recovery. 

 

The system has a good firewall, but we can walk right around it with the serial console. From UBoot you enable normal mode serial login.  Once in normal mode serial console,  you can enable SSH login over ethernet using scripts and drivers Bosch included with the system.  There are even tools for changing individual calibration values.  No SPS or DPS needed.

[TROLL-PIG Raimiui Tam]

Have You pinout for HMI 2.0?

[Troy]

On 8/26/2021 at 4:54 AM, HMI_Guy said:

Connect to the pins shown to see the Linux console.  You do not need to have the whole system (radio, BCM, etc) hooked up to do this.  You only need power, GND, and communication enable signal on connector X1.   You will see system boot events on console, and then it will go to sleep.  If you have the whole system hooked up, you will see full boot, but will not get a login prompt. 

 

To force system into UBoot, tap reset (pin 2) to GND four times, about one second apart.   After system fails to boot four times, it will drop into UBoot for recovery. 

 

The system has a good firewall, but we can walk right around it with the serial console. From UBoot you enable normal mode serial login.  Once in normal mode serial console,  you can enable SSH login over ethernet using scripts and drivers Bosch included with the system.  There are even tools for changing individual calibration values.  No SPS or DPS needed.

Great info. Thanks 

[TROLL-PIG Raimiui Tam]

I found inside:

[Shavkat]

On 26.08.2021 at 08:54, HMI_Guy said:

Подключитесь к показанным контактам, чтобы увидеть консоль Linux. Для этого не обязательно подключать всю систему (радио, BCM и т. Д.). Вам нужно только питание, заземление и сигнал разрешения связи на разъеме X1. Вы увидите события загрузки системы на консоли, а затем она перейдет в спящий режим. Если у вас подключена вся система, вы увидите полную загрузку, но не получите приглашения для входа в систему. 

 

Чтобы принудительно запустить систему в UBoot, нажмите сброс (контакт 2) на GND четыре раза с интервалом примерно в одну секунду. После того, как система не загрузится четыре раза, она перейдет в UBoot для восстановления. 

 

В системе есть хороший межсетевой экран, но мы можем обойти его с помощью последовательной консоли. Из UBoot вы включаете последовательный вход в нормальном режиме. Находясь в обычном режиме последовательной консоли, вы можете включить SSH-вход через Ethernet, используя скрипты и драйверы Bosch, включенные в систему. Есть даже инструменты для изменения индивидуальных значений калибровки. Никаких SPS или DPS не требуется.

Hello there.
My question is, where should I connect the pins in the picture to the monitor or computer?

[Shavkat]

On 19.07.2021 at 14:55, Troy said:

Я хочу активировать видео в движении, включить камеру заднего вида, выключить onstar и так далее. У вас есть какие-нибудь знания об этом?

you can activate the video in motion by calibrating it, as well as the rear camera

[Shavkat]

On 7/19/2021 at 10:55 AM, Troy said:

Я хочу активировать видео в движении, включить камеру заднего вида, выключить onstar и так далее. У вас есть какие-нибудь знания об этом?

[asav]

On 8/26/2021 at 6:54 AM, HMI_Guy said:

Connect to the pins shown to see the Linux console. 

Hello. Have you pinout or same useful information for navi 950? How to enter to the uboot, connet the linux console.

[+PLSA]

@Troy notice how you attack people in different forums about not giving free helps or anything, but in the same time people here are begging for the EMMC read pinouts and you are not giving it
i like the work and effort you provide but sometimes you are vague

[Troy]

1 minute ago, PLSA said:

@Troy notice how you attack people in different forums about not giving free helps or anything, but in the same time people here are begging for the EMMC read pinouts and you are not giving it
i like the work and effort you provide but sometimes you are vague

Well if you read on the other forums you will see no one really gave me any free information.

The majority of the information I publish are info I figure out on my own.

Everyone on that forum were selfish towards me except 2 people.

Why should I be kind and offer everything free to this world full of selfish people.

"Vague", call it what you will, I'm only reflecting back what was reflected at me.=Peolple were selfish to me so I too be selfish back to people.

EMMC pin outs can be figured out using a logic analyser.

Regards 

 

 

 

[+PLSA]

Just now, Troy said:

Well if you read on the other forums you will see no one really gave me any free information.

The majority of the information I publish are info I figure out on my own.

Everyone on that forum were selfish towards me except 2 people.

Why should I be kind and offer everything free to this world full of selfish people.

"Vague", call it what you will, I'm only reflecting back what was reflected at me.=Peolple were selfish to me so I too be selfish back to people.

EMMC pin outs can be figured out using a logic analyser.

Regards 

 

 

 

ok, so i wish you don't start calling people out for their actions while you are as you stated (copying their actions)
anyway i am also against their way of selfishness, and about the pinouts i really need those cause i tried to get them but no hope, i am not an electrician

[Troy]

3 minutes ago, PLSA said:

ok, so i wish you don't start calling people out for their actions while you are as you stated (copying their actions)
anyway i am also against their way of selfishness, and about the pinouts i really need those cause i tried to get them but no hope, i am not an electrician

No I'm not copying their, or anyone's actions. Look I've publish many tutorials on this site with loads of free information that is no where else on the web.

I've shared a lot of free files.

I've helped a lot of folks in PM-land with lots of information.

Selfish people share nothing 😀

 

For the pinouts unfortunately I won't be sharing those, not yet.

Maybe when I figure out some more things about the HMI.

For now the Pin outs are only useful for dumping and flashing the EMMC.

 

 

 

 

 

 

[+PLSA]

2 minutes ago, Troy said:

No I'm not copying their, or anyone's actions. Look I've publish many tutorials on this site with loads of free information that is no where else on the web.

I've shared a lot of free files.

I've helped a lot of folks in PM-land with lots of information.

Selfish people share nothing 😀

 

For the pinouts unfortunately I won't be sharing those, not yet.

Maybe when I figure out some more things about the HMI.

For now the Pin outs are only useful for dumping and flashing the EMMC.

 

 

 

 

 

 

i am also working on that, but dumping and flashing the emmc could help copying maps (for me at least)

[Troy]

5 minutes ago, PLSA said:

i am also working on that, but dumping and flashing the emmc could help copying maps (for me at least)

Yep, that could work, however, after you dump the EMMC you will have an issue with mounting and extracting the EMMC image for files inspection. 

The EMMC image is coded with a none standard priority disc partition format.

I think attacking the EMMC via jailbreaking would be the best route.

[+Miragui]

On 7/19/2021 at 11:55 AM, Troy said:

I want to active video in motion, reverse camera on, turn off onstar and so forth. Do you have any knowledge for it?

I have an HMI 2.5 EMMC image with reverse camera turned on, I actually want to turn it off, so maybe we can help each other out.

[+Miragui]

On 9/25/2021 at 8:39 PM, Troy said:

Yep, that could work, however, after you dump the EMMC you will have an issue with mounting and extracting the EMMC image for files inspection. 

The EMMC image is coded with a none standard priority disc partition format.

I think attacking the EMMC via jailbreaking would be the best route.

 

The EMMC uses MBR and has a total of 6 partitions. 3 primary partitions and 1 extended partition with 3 partitions, all  formatted in EXT4.

[Troy]

13 hours ago, Miragui said:

 

The EMMC uses MBR and has a total of 6 partitions. 3 primary partitions and 1 extended partition with 3 partitions, all  formatted in EXT4.

I'm able to dump the EMMC but not able to mount it.

Can you share how you mount the image for file inspection?

Which OS and which software are you using to mount the EMMC image?