While the method below works, it has been superseded by easier-to-use methods for patching the radio. Check out https://rennlist.com/forums/718-gts-4-0 ... st18231744 and https://github.com/Mr-MIBonk/M.I.B._Mor ... pported%3F
Your Goal
This guide will give you methods to add or access Android Auto, Navigation, Carplay, the Track Precision app or change a region or map pack on your PCM 4 equipped car (the latest 718s, for example).
The goal of this guide is to give you some background knowledge and process of PCM hacking. It can be a primer for you to perform your own research or just to modify your vehicle. Because of the differences in vehicles and layers of knowledge required to troubleshoot vehicle hacking, this guide is not a comprehensive walkthrough for ‘your’ car.
Overview of this guide
- Terminology
- Prerequisites
- Connecting to the car
- Launching MIB
- Enabling GEM
- Patching the PCM
- Enabling features
Terminology
PCM - Porsche Communication Management. This is the hardware and software making up the stereo, display panel, various antennas and radios, and available software features in a car. The standard PCM features are documented in the vehicle manual that comes with the car. Support and warranty are provided by your dealer and by Porsche.
MMX - the Multi Media Controller. A sub-component of the PCM system. Configurable over telnet on port 23.
GEM - Green Engineering Menu. This is a ‘developer’ interface to the PCM which is initially locked out on Porsche vehicles. We will use GEM to gather information about the PCM beyond what is available in the standard interface. GEM is unsupported by Porsche. It is accessed by pressing specific buttons on your radio once the feature is unlocked by MIB.
MIB - More Incredible Bash. (Bash is ‘Bourne Again Shell’, a software interface native to many Unix/Linux operating systems). MIB provides an interface with predefined actions you can take on a PCM to modify its existing software features. This software is supported by a community of MHI2 hackers, and appears to be extensively documented in various forums.
MHI2 - This is the model of PCM installed in the MY20 / MY21 718s. This model is made by Harman Automotive group. Harman is used by the Volkswagen Automotive Group in many vehicle lines including Bentley, Audi, Skoda, Volkswagen and Porsche. In layman's terms this is the 'radio' system in the car.
MY## - Model Year (## the year). MY21 is a 2021 year model car, MY20 is a 2020 year car etc.
FEC - Feature Enablement Code. These are numbers representing software features enabled in the PCM. Using GEM and MIB, you can query and export your car’s existing FECs and identify which features your car has (features represented on your build sheet, and features not represented on your build sheet but that are still configurable in the car). When modifying FECs in the PCM, a software license signing process must take place to activate the FEC feature. This signing process is done using tools possessed by authorized service centers. Hackers circumvent this process by patching software running in the PCM.
File systems on the PCM - I'll come back to this and why patching your PCM isn't that difficult or dangerous.
Prerequisites
You need a usb to ethernet adapter with the ASIX AX88772 chipset. Amazon sells a compatible one: the UGREEN Ethernet Adapter USB 2.0.
Get a FAT32 formatted SD card, 16GB or larger if you are planning to upload maps; otherwise 1GB and 2GB cards work.
Download MIB (215MB or so) from https://mibsolution.one/#/1/18 (login guest / guest). Unzip the contents of the MIB file into the SD card.
You need the linux utilities ‘lsusb’, ‘ethtool’ and ‘ifconfig’ installed on a linux/unix computer that you can physically plug the usb->ethernet adapter into. There are many ways to install these utilities if you don’t have them already; use Google.
Configure the ethernet adapter settings to imitate one Porsche allows.
Plug your usb->ethernet adapter into your linux/unix computer
Identify the USB->ethernet adapter plugged into your linux/unix system
From a terminal on your linux system
bradlee@watchtower:~$ ifconfig -s
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 0 0 0 0 0 0 0 0 BMU
enx000ec6728c57 0 0 0 0 0 0 0 0 0 0 BMPOU
lo 65536 0 184803277 0 0 0 184803277 0 0 0 LRU
bradlee@watchtower:$ lshw -class network -short
WARNING: you should run this program as super-user.
H/W path Device Class Description
=====================================================
/0/100/4/0.1 eth6 network I350 Gigabit Network Connection
/1 enx0469f8ed33b3 network Ethernet interface
/2 enx000ec6728c57 network Ethernet interface
enx000ec6728c57 is our adapter. If you’re not sure which adapter is the right one, disconnect it, run ifconfig again and see which device ‘Iface’ is missing from the list.
Confirm the default pid/vid of the usb->ethernet adapter; the next step rewrites it to that of a D-Link DUB-E100. This is how the adapter appears to my linux machine before modifying it.
bradlee@watchtower:~$ lsusb | grep ASIX
Bus 001 Device 007: ID 0b95:7720 ASIX Electronics Corp. AX88772
Flash the USB Adapter pid/vid
bradlee@watchtower:~$ sudo ethtool -E enx000ec6728c57 magic 0xdeadbeef offset 0x0088 value 0x01
bradlee@watchtower:~$ sudo ethtool -E enx000ec6728c57 magic 0xdeadbeef offset 0x0089 value 0x20
bradlee@watchtower:~$ sudo ethtool -E enx000ec6728c57 magic 0xdeadbeef offset 0x008A value 0x05
bradlee@watchtower:~$ sudo ethtool -E enx000ec6728c57 magic 0xdeadbeef offset 0x008B value 0x3c
bradlee@watchtower:~$ sudo ethtool -E enx000ec6728c57 magic 0xdeadbeef offset 0x0048 value 0x01
bradlee@watchtower:~$ sudo ethtool -E enx000ec6728c57 magic 0xdeadbeef offset 0x0049 value 0x20
bradlee@watchtower:~$ sudo ethtool -E enx000ec6728c57 magic 0xdeadbeef offset 0x004A value 0x05
bradlee@watchtower:~$ sudo ethtool -E enx000ec6728c57 magic 0xdeadbeef offset 0x004B value 0x3c
Unplug the usb->ethernet adapter. Plug it back in.
Check the output of lsusb to confirm our ethernet adapter now reports the new pid/vid
bradlee@watchtower:~$ lsusb | grep ASIX
Bus 001 Device 008: ID 2001:3c05 D-Link Corp. DUB-E100 Fast Ethernet Adapter(rev.B1) [ASIX AX88772]
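Added example, not part of the original guide: the eight `ethtool -E` writes above store the vendor and product IDs as little-endian 16-bit words at two EEPROM locations, so this sketch decodes both copies from an EEPROM image, flags a half-finished flash where the copies disagree, and derives the byte writes that would restore the stock 0b95:7720 ID. The 256-byte image is constructed for the demonstration (not a real dump) and `IFACE` is a placeholder.

```python
import struct

# The two EEPROM locations the guide writes with `ethtool -E`.
ID_OFFSETS = (0x48, 0x88)
STOCK_ID = (0x0B95, 0x7720)   # lsusb before flashing (from the guide)
TARGET_ID = (0x2001, 0x3C05)  # lsusb after flashing (from the guide)


def read_ids(eeprom):
    """Decode (vid, pid) at each location; both are little-endian 16-bit words."""
    return {off: struct.unpack_from("<HH", eeprom, off) for off in ID_OFFSETS}


def check(eeprom, expected=TARGET_ID):
    """Return 'ok', 'unexpected', or 'inconsistent' (the copies disagree)."""
    found = set(read_ids(eeprom).values())
    if len(found) > 1:
        return "inconsistent"  # e.g. the run of eight writes was interrupted
    return "ok" if found == {expected} else "unexpected"


def byte_writes(ids):
    """(offset, value) pairs for one ID, in the order the guide issues them."""
    data = struct.pack("<HH", *ids)
    return [(off + i, b) for off in reversed(ID_OFFSETS) for i, b in enumerate(data)]


def apply_writes(eeprom, writes):
    """Simulate the writes on a copy of an image (no hardware access)."""
    image = bytearray(eeprom)
    for offset, value in writes:
        image[offset] = value
    return bytes(image)


def stock_image():
    """Constructed 256-byte image, not a real dump: 0xFF filler plus stock IDs."""
    return apply_writes(b"\xff" * 256, byte_writes(STOCK_ID))


if __name__ == "__main__":
    flashed = apply_writes(stock_image(), byte_writes(TARGET_ID))
    print(check(stock_image(), STOCK_ID), check(flashed))
    # Commands that would restore the stock ID; IFACE is a placeholder.
    for offset, value in byte_writes(STOCK_ID):
        print(f"ethtool -E IFACE magic 0xdeadbeef offset 0x{offset:04X} value 0x{value:02x}")
```

To run the check against a real adapter, save a binary dump first with `ethtool -e IFACE raw on > eeprom.bin` and pass the file's bytes to `check()`.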
Connecting to the car
Plug the ethernet adapter into your car (glove box USB port)
Connect your laptop ethernet port with an ethernet cable to the usb->ethernet adapter plugged into the car (you should see lights on your adapter light up now)
Configure your laptop ethernet port with a static IP address, 172.16.250.250, subnet mask 255.255.255.0
Turn the car on but don’t start the engine.
Telnet to the PCM RCC on port 123
bradlee@watchtower:~$ telnet 172.16.250.248 123
Login name: root
Password: look this up ahead of time, at https://mibsolution.one/
(You will need to lookup your model PCM’s login credentials. A list of possible credentials is in the MIB zip file, 'date_MHI2_Password_List_V##.pdf')
On a US model MY21 718 PCM, root / CeaCCDmi were the credentials to login. Other model PCM credentials are in a pdf in the MIB download you put on the SD card.
Launching MIB
Put SD card in slot 1 - (driver side for US models)
Mount SD card in slot SD1
mount -uw /net/mmx/fs/sda0/
/net/mmx/fs/sda0/start
If you got this far, now is a good time to turn off your car, and re-turn the key so that power does not turn off during the next steps. You will telnet back to your PCM again and re-launch MIB to resume.
Backing up PCM
FIRST THING before you start changing settings in MIB. Run ‘Advanced Backup’.
You want a full backup of your PCM so if anything happens you have a place to restore from.
Full backup takes 5-10 minutes to write all data to SD card.
Enabling GEM
Look for the menu, ‘Developer Menu activation’. Run that. Your PCM will restart after dev mode is enabled. You may need to reconnect to your PCM over telnet from your laptop.
Install MIB in GEM
Reconnect via telnet and find the option to 'install MIB into GEM' in the MIB menu. Run that. This allows you to launch MIB without the need for your laptop. The SD card with MIB copied to it must be in the PCM to run MIB from GEM directly from the PCM.
Launch GEM using PCM buttons
Once you have enabled GEM and installed MIB into GEM, you can disconnect your laptop from the car.
Press and hold ‘Car’ + ‘Tuner’ buttons on the PCM for 5 seconds to launch GEM. You should see a menu which says ‘starting up’ in green text. This is how you'll get into MIB in the future without your laptop.
You can browse GEM using the PCM dial knobs. You should be able to go forward in a menu or execute an action by pressing the dial button on your selection; to go back a menu, roll the dial to the ‘..’ and press the dial button, or use the back button on the PCM.
Patching the PCM
Launch GEM, open MIB, select ‘IFS-ROOT-Stage2 flash patched image’ and select a patch file that appears. (It will have the same version name, ‘MHI2_US_POG11_P5177_MUA1453_PATCH’, as whatever your PCM displayed.)
This patch enables several features like Nav, AA, Carplay, USB support, Sport chrono and some others which most people desire. *new features will not work properly without the patch applied*
Once patched, the PCM will reboot. You can now run NAV and AA/Carplay, wifi, track app and so on.
Enabling features
WLAN menu - this is used to access the car’s hotspot and is required for the lap time app use in Porsche.
Nav - turns on various navigation options. Check for GPS antenna.
