MIB2 WIKI - Mirror

Unofficial mirror of mibwiki.one
General information
General information
- Audi AID FPK KI VC VIS cluster version information and hidden menus
  Audi AID FPK KI VC VIS cluster version information and hidden menus
  - Most recent firmware versions
    
    Most recent firmware versions
- Audi MMI key combinations
  Audi MMI key combinations
- Beginner's Guide
  Beginner's Guide
  - Get support
    
    Get support
- Bench Setup & Tools
  Bench Setup & Tools
  - D Link DUB 100 Ver. D1 0x2001, 0x1a02
    
    D Link DUB 100 Ver. D1 0x2001, 0x1a02
    
    ASIX to be converted
    
    ASIX to be converted
    
    Convert cheap USB to Ethernet adapters
    
    Convert cheap USB to Ethernet adapters
    
    D Link alternatives same vid pid
    
    D Link alternatives same vid pid
  - MQB ignition emulator passthru
    
    MQB ignition emulator passthru
  - Quadlock pin layout
    
    Quadlock pin layout
    
    Cable Harness
    
    Cable Harness
    
    Power Supply
    
    Power Supply
    
    Simulate Ignition
    
    Simulate Ignition
    
    USB port CarPlay & Android Auto
    
    USB port CarPlay & Android Auto
    
    ZR Reset MU reboot signal
    
    ZR Reset MU reboot signal
  - SD card testing
    
    SD card testing
  - UART serial to USB
    
    UART serial to USB
    
    Cables and Breadboard
    
    Cables and Breadboard
  - USB extensions (ports and HUBs)
    
    USB extensions (ports and HUBs)
    
    USB port D Link & Android Auto only
    
    USB port D Link & Android Auto only
  - VAG Pins
    
    VAG Pins
  - VCDS Developer mode Key S12345 is Invalid!
    
    VCDS Developer mode Key S12345 is Invalid!
- Bentley key combinations
  Bentley key combinations
- Enhancements
  Enhancements
  - CarPlay common issues
    
    CarPlay common issues
  - ICC activation
    
    ICC activation
  - JAVA HMI Patches. Remove PDC ParkPilot Popup
    
    JAVA HMI Patches. Remove PDC ParkPilot Popup
  - JAVA HMI PatchesV2
    
    JAVA HMI PatchesV2
    
    Wireless CarPlay adapters
    
    Wireless CarPlay adapters
  - NAR MIB SiriusXM Live Traffic
    
    NAR MIB SiriusXM Live Traffic
  - PPOI Speed Camera
    
    PPOI Speed Camera
  - PR 9VD 9.1 sound system retrofit
    
    PR 9VD 9.1 sound system retrofit
  - TPMS profiles
    
    TPMS profiles
  - Video playback on MIB units
    
    Video playback on MIB units
  - YouTube via AndroidAuto
    
    YouTube via AndroidAuto
- Gracenote DB
  Gracenote DB
- Kessy & Updates
  Kessy & Updates
- Maps download links
  Maps download links
- Parameterization Study
  Parameterization Study
  - Parametrization with CarScanner
    
    Parametrization with CarScanner
- Porsche key combinations
  Porsche key combinations
- RadioStationLogo (RSDB)
  RadioStationLogo (RSDB)
  - How to mod Radio station logo database
    
    How to mod Radio station logo database
  - Parametrization with OBDeleven
    
    Parametrization with OBDeleven
- Train version
  Train version
- Useful documents
  Useful documents
  - Key combinations and shortcuts
    
    Key combinations and shortcuts
Instrument Clusters Virtual Cockpit FPK
Instrument Clusters Virtual Cockpit FPK
- Backup MMX NOR
  Backup MMX NOR
- Green Engineering Menu
  Green Engineering Menu
- MMX root passwords
  MMX root passwords
- Sport Layout on FPK1 and Rainbow Shiftlight
  Sport Layout on FPK1 and Rainbow Shiftlight
- Sport layouts on FPK2 VC AID of Audi A6 A7 A8 Q8
  Sport layouts on FPK2 VC AID of Audi A6 A7 A8 Q8
- TTL and USB connection
  TTL and USB connection
  - JTAG connection to MMX
    
    JTAG connection to MMX
MH2p Alpine
MH2p Alpine
- Conversion of AS CN US to ER
  Conversion of AS CN US to ER
- MH2p Wireless CarPlay
  MH2p Wireless CarPlay
- RS mode
  RS mode
- Telnet access
  Telnet access
- Toolbox
  Toolbox
- eMMC dump for learning purposes
  eMMC dump for learning purposes
MHI2 MHI2Q Harman Aisin
MHI2 MHI2Q Harman Aisin
- Conversion & Cross flashing
  Conversion & Cross flashing
  - Between Brands
    
    Between Brands
  - Coding and Adaptions
    
    Coding and Adaptions
    
    MHI2 Language Datasets
    
    MHI2 Language Datasets
    
    Persistence Datasets
    
    Persistence Datasets
  - Conversion of CN JP KR TW US to EU
    
    Conversion of CN JP KR TW US to EU
  - Copy of Conversion of CN JP KR TW US to EU
    
    Copy of Conversion of CN JP KR TW US to EU
  - EEPROM MAP MHI2
    
    EEPROM MAP MHI2
    
    E2PTool
    
    E2PTool
  - FW Update SWDL
    
    FW Update SWDL
    
    MHI2(Q) screens
    
    MHI2(Q) screens
    
    SWDLClient Error Code tables
    
    SWDLClient Error Code tables
    
    error MOST not available
    
    error MOST not available
    
    error Stuck or Freeze in (old) Bootscreen after update
    
    error Stuck or Freeze in (old) Bootscreen after update
  - MHI2 EU conversion
    
    MHI2 EU conversion
  - MIB2 (G11) to MIB2.5 (G13) conversion
    
    MIB2 (G11) to MIB2.5 (G13) conversion
  - Navigation
    
    Navigation
- Custom FW Updates
  Custom FW Updates
  - MHI2 ER AU57x K3663 1 MU1425 AIO
    
    MHI2 ER AU57x K3663 1 MU1425 AIO
  - MHI2 ER SEG11 P4709 1 MU1447 AIO
    
    MHI2 ER SEG11 P4709 1 MU1447 AIO
- ExceptionList BUG
  ExceptionList BUG
- Hardware MHI2
  Hardware MHI2
  - Aisin MHI2 MHI2Q units with AW7 hardware
    
    Aisin MHI2 MHI2Q units with AW7 hardware
  - MHI2Q Qualcomm
    
    MHI2Q Qualcomm
- M.I.B. More Incredible Bash
  M.I.B. More Incredible Bash
  - M.I.B 3.1.7 Menu structure
    
    M.I.B 3.1.7 Menu structure
  - POG24 & BYG24 AndroidAuto & CarPlay Widescreen Patch
    
    POG24 & BYG24 AndroidAuto & CarPlay Widescreen Patch
    
    MHI2(Q) M.I.B FEC List
    
    MHI2(Q) M.I.B FEC List
- MIB2 High toolbox
  MIB2 High toolbox
- Recovery
  Recovery
  - JTAG connection to RCC or MMX
    
    JTAG connection to RCC or MMX
  - Java Logging
    
    Java Logging
  - MMX
    
    MMX
    
    Emergency Flash Utility (EFU) via TTL cable
    
    Emergency Flash Utility (EFU) via TTL cable
    
    How to prepare mifs stage1.img and eifs.img for flashing
    
    How to prepare mifs stage1.img and eifs.img for flashing
    
    JTAG+USB recovery of wiped NOR chip
    
    JTAG+USB recovery of wiped NOR chip
    
    BCT Decoding
    
    BCT Decoding
    
    MMX Tegra Boot Process Details
    
    MMX Tegra Boot Process Details
    
    USB Recovery Boot mode of MMX
    
    USB Recovery Boot mode of MMX
  - Manual FW update 50 vs 70 folders
    
    Manual FW update 50 vs 70 folders
  - Manual IOC Update via telnet or TTL cable
    
    Manual IOC Update via telnet or TTL cable
  - RCC
    
    RCC
    
    Copy of Manual Firmware Restore
    
    Copy of Manual Firmware Restore
    
    Boot loop
    
    Boot loop
    
    Boot Loop after reboot M.I.B
    
    Boot Loop after reboot M.I.B
    
    Clean APG Unit (based on Harman F AiO Firmware (GitHub))
    
    Clean APG Unit (based on Harman F AiO Firmware (GitHub))
    
    Clean APG unit
    
    Clean APG unit
    
    How to boot ifs emergency.ifs (start blue emergency EFU)
    
    How to boot ifs emergency.ifs (start blue emergency EFU)
    
    How to boot ifs emergency.ifs via zmodem in CLI
    
    How to boot ifs emergency.ifs via zmodem in CLI
    
    How to mount RCC NOR (fs0)
    
    How to mount RCC NOR (fs0)
    
    How to stop IPL, enter CLI, boot ifs emergency.ifs and restore ifs.root stage2
    
    How to stop IPL, enter CLI, boot ifs emergency.ifs and restore ifs.root stage2
    
    Manual Firmware Restore
    
    Manual Firmware Restore
    
    Boot loop
    
    Boot loop
    
    Boot Loop after reboot M.I.B
    
    Boot Loop after reboot M.I.B
    
    ExceptionList BUG
    
    ExceptionList BUG
    
    Clean APG Unit (based on Harman F AiO Firmware (GitHub))
    
    Clean APG Unit (based on Harman F AiO Firmware (GitHub))
    
    Clean APG unit
    
    Clean APG unit
    
    Manually prevent shutdown by watchdog timer
    
    Manually prevent shutdown by watchdog timer
  - System log via telnet
    
    System log via telnet
  - V850 programming after chip replacement
    
    V850 programming after chip replacement
  - Shadow how to retrieve hash of root password from the unit
    
    Shadow how to retrieve hash of root password from the unit
  - update.txt FW update
    
    update.txt FW update
- Shell access via telnet and UART
  Shell access via telnet and UART
  - Connecting TTL adapter to UART on quadlock
    
    Connecting TTL adapter to UART on quadlock
  - Shell access
    
    Shell access
  - Telnet
    
    Telnet
    
    PC Laptop network settings
    
    PC Laptop network settings
    
    Telnet client Putty
    
    Telnet client Putty
- Unsorted testing only
  Unsorted testing only
  - AUDI TT stuck on blue EFU during FW update
    
    AUDI TT stuck on blue EFU during FW update
  - Audi GEM & Main screen background
    
    Audi GEM & Main screen background
  - Displaymanager dmdt
    
    Displaymanager dmdt
  - FecContainer.fec decoded
    
    FecContainer.fec decoded
  - GEM.jar AppDevelopment.jar
    
    GEM.jar AppDevelopment.jar
  - MIB FEC SWaP Code Generator
    
    MIB FEC SWaP Code Generator
  - Metainfo2.txt custom
    
    Metainfo2.txt custom
  - Packages
    
    Packages
  - SSH support LAN and WLAN
    
    SSH support LAN and WLAN
  - User manual for FW update and Patching MHI2
    
    User manual for FW update and Patching MHI2
  - VW48x G11 G13 mapping
    
    VW48x G11 G13 mapping
  - format nav db on MHI2Q
    
    format nav db on MHI2Q
    
    Audi R8 2015 ASI VC Update
    
    Audi R8 2015 ASI VC Update
  - Language dataset
    
    Language dataset
  - Metainfo2.txt commands
    
    Metainfo2.txt commands
  - Metainfo2.txt exploit
    
    Metainfo2.txt exploit
  - Mount app.img
    
    Mount app.img
MHIG Harman (MIB1 HIGH)
MHIG Harman (MIB1 HIGH)
- Conversion to EU
  Conversion to EU
- Flashing of the patched ifs root.ifs
  Flashing of the patched ifs root.ifs
  - Updating FW when the train is blocked
    
    Updating FW when the train is blocked
- Installing M.I.B
  Installing M.I.B
- NAND partitioning
  NAND partitioning
- Recovery when flashing of RCC ifs.root stage2 failed
  Recovery when flashing of RCC ifs.root stage2 failed
- Understanding of ifs root.ifs patching
  Understanding of ifs root.ifs patching
- Updating maps
  Updating maps
MHS2 Delphi
MHS2 Delphi
- Hardware and recovery via EFU
  Hardware and recovery via EFU
  - MHS2 activator by Congo
    
    MHS2 activator by Congo
- NavIgnore patch by NoLive
  NavIgnore patch by NoLive
- Passwords for telnet access via root user
  Passwords for telnet access via root user
  - Activation for CarPlay Android auto and making it wireless
    
    Activation for CarPlay Android auto and making it wireless
- Recovering US unit after AP ZR HIGH1 was reflashed to EU
  Recovering US unit after AP ZR HIGH1 was reflashed to EU
- SD card patch for MU0235
  SD card patch for MU0235
- US EU conversion
  US EU conversion
MIB3 (MEN3 MOI3 MHI3 MPR3)
MIB3 (MEN3 MOI3 MHI3 MPR3)
- Converting US EU
  Converting US EU
- MIB3 FoD Activator
  MIB3 FoD Activator
- MIB3 Matrix SSP.pdf
  MIB3 Matrix SSP.pdf
  - MIB3 USB HUBs
    
    MIB3 USB HUBs
- MIB3 Quadlock Pinout
  MIB3 Quadlock Pinout
- MOI3 (Preh) Root Access via Bluetooth (Research)
  MOI3 (Preh) Root Access via Bluetooth (Research)
- MOI3 Bypass Loading user profile
  MOI3 Bypass Loading user profile
- RS monitor
  RS monitor
MQB CODING
MQB CODING
- 09 Central Electric
  09 Central Electric
  - Alarme golf8
    
    Alarme golf8
- 5F Car Menu Options
  5F Car Menu Options
  - MQB Climate Touch Controls Basic Settings Procedure (duplicate)
    
    MQB Climate Touch Controls Basic Settings Procedure (duplicate)
- 5F Enabling Developer Mode and Hidden Menu
  5F Enabling Developer Mode and Hidden Menu
- 5F Fix B201A fault code
  5F Fix B201A fault code
- 5F Inserting FECs with OBDeleven
  5F Inserting FECs with OBDeleven
- 5F Rear View Camera (RVC HIGH) installation
  5F Rear View Camera (RVC HIGH) installation
- 5F Rear View Camera (RVC LOW) installation
  5F Rear View Camera (RVC LOW) installation
- 5F Vehicle Variants MIB2
  5F Vehicle Variants MIB2
- A5 Front Assistant Camera Coding
  A5 Front Assistant Camera Coding
  - Activate Lane Assist for New 2Q0 Cameras
    
    Activate Lane Assist for New 2Q0 Cameras
  - Lane Assist extension to 60 Seconds
    
    Lane Assist extension to 60 Seconds
  - ODIS Script for TSR on 5Q Camera
    
    ODIS Script for TSR on 5Q Camera
  - TSR for A4 B9
    
    TSR for A4 B9
  - Traffic Sign recognition
    
    Traffic Sign recognition
  - Trafic Sign Recognition for 5Q camera model
    
    Trafic Sign Recognition for 5Q camera model
- General MQB Coding List
  General MQB Coding List
  - 08 Auto HVAC Coding
    
    08 Auto HVAC Coding
    
    MQB Climate Touch Controls Basic Settings Procedure
    
    MQB Climate Touch Controls Basic Settings Procedure
- Security access codes
  Security access codes
- Start Stop System
  Start Stop System
MS2p Aptiv Delphi
MS2p Aptiv Delphi
- Conversion of US to EU
  Conversion of US to EU
- MS2p activator by Congo
  MS2p activator by Congo
MST2 Delphi
MST2 Delphi
- Copy of MIB2 Wrong CP Patch Recovery
  Copy of MIB2 Wrong CP Patch Recovery
  - Recovering delphibin.ifs via TTL cable
    
    Recovering delphibin.ifs via TTL cable
    
    MIB1 MIB2 Upgrade Tutorial Quick Overview
    
    MIB1 MIB2 Upgrade Tutorial Quick Overview
- D Link patch (FEC, SWaP, CP, CID)
  D Link patch (FEC, SWaP, CP, CID)
- Delphi 02xx to 08xx firmware upgrade
  Delphi 02xx to 08xx firmware upgrade
- Direct eMMC access
  Direct eMMC access
  - eMMC and NOR programmers
    
    eMMC and NOR programmers
    
    Extract apps folder from FW
    
    Extract apps folder from FW
  - eMMC connection points
    
    eMMC connection points
  - eMMC pinouts
    
    eMMC pinouts
- KSH shell script commands
  KSH shell script commands
  - SWDL commands
    
    SWDL commands
- MIB2 Wrong CP Patch Recovery
  MIB2 Wrong CP Patch Recovery
  - Recovering delphibin.ifs via TTL cable
    
    Recovering delphibin.ifs via TTL cable
    
    MIB1 MIB2 Upgrade Tutorial Quick Overview
    
    MIB1 MIB2 Upgrade Tutorial Quick Overview
- MST2 activator by Congo & Duke (Official Way)
  MST2 activator by Congo & Duke (Official Way)
- US to EU conversion
  US to EU conversion
MST2 TechniSat Preh
MST2 TechniSat Preh
- Live installation without Dump
  Live installation without Dump
- MIB STD2 PQ ZR Toolbox
  MIB STD2 PQ ZR Toolbox
  - CID patch to allow maps from any SD
    
    CID patch to allow maps from any SD
  - Copy of FW patch overview newest available FW, Online approval SD Patch possibility
    
    Copy of FW patch overview newest available FW, Online approval SD Patch possibility
    
    02xx to 04xx firmware update
    
    02xx to 04xx firmware update
  - Custom boot screen
    
    Custom boot screen
    
    How to create an SD patch
    
    How to create an SD patch
  - FW patch overview newest available FW, Online approval SD Patch possibility
    
    FW patch overview newest available FW, Online approval SD Patch possibility
    
    02xx to 04xx firmware update
    
    02xx to 04xx firmware update
  - Firmware installation
    
    Firmware installation
    
    Enabling Vehicle Menu for 04xx in a PQ Vehicle
    
    Enabling Vehicle Menu for 04xx in a PQ Vehicle
    
    PQ ZR units with firmwares 01xx
    
    PQ ZR units with firmwares 01xx
    
    Upgrade to different SW HW Train (LINUX)
    
    Upgrade to different SW HW Train (LINUX)
    
    Instructions
    
    Instructions
    
    Region conversion
    
    Region conversion
    
    MST2 EU PQ variant overview
    
    MST2 EU PQ variant overview
    
    Telnet Activation
    
    Telnet Activation
    
    Update firmware 01xx to higher version
    
    Update firmware 01xx to higher version
    
    Upgrade MIB2 STD ZR Firmware (without Navigation)
    
    Upgrade MIB2 STD ZR Firmware (without Navigation)
  - Installation via USB2HSD cable (aka solderless or OTG method)
    
    Installation via USB2HSD cable (aka solderless or OTG method)
  - Installation via eMMC dump (VM QNX .vmdk)
    
    Installation via eMMC dump (VM QNX .vmdk)
    
    Converting IMG to VMDK with QEMU
    
    Converting IMG to VMDK with QEMU
    
    Mounting VMDK in QNX VM
    
    Mounting VMDK in QNX VM
    
    SWaP patch
    
    SWaP patch
  - MIB STD2 Network and Logging
    
    MIB STD2 Network and Logging
    
    Recovery via Emergency Download
    
    Recovery via Emergency Download
  - Understanding of the patching process
    
    Understanding of the patching process
    
    Allow navigation maps from SD with any CID (aka CID patch)
    
    Allow navigation maps from SD with any CID (aka CID patch)
    
    Replacing files with the patched ones
    
    Replacing files with the patched ones
    
    Useful File locations
    
    Useful File locations
  - Update Approval SOP4 signed
    
    Update Approval SOP4 signed
- SD Card Readers (working not working)
  SD Card Readers (working not working)
MSTD Panasonic
MSTD Panasonic
- Conversion of US EU
  Conversion of US EU
- Hardware and software parts
  Hardware and software parts
- Some notes about the executable files
  Some notes about the executable files
- Supported FECs
  Supported FECs
- Telnet connection
  Telnet connection
- Updating maps
  Updating maps
Retrofit
Retrofit
- 5NA980611 Wireless Charger Retrofit PQ MQB
  5NA980611 Wireless Charger Retrofit PQ MQB
- Lane Assist Camera 3Q0980654H drive2 Blog
  Lane Assist Camera 3Q0980654H drive2 Blog
Mibsolution.one
Mibsolution.one
- Donations
  Donations
- Mibsolution.one fix download speed
  Mibsolution.one fix download speed
Mibwiki.one
Mibwiki.one
- Current issues
  Current issues

shadow - how to retrieve hash of root password from the unit

Despite the fact that m.i.b includes a comprehensive password list, it still lacks passwords for RCC, MMX, and/or RCC Emergency IFS for some trains/MUs.

Dump RCC and/or MMX NOR to find root password hashes

The most easy way is to check the RCC-fs0.bin and MMX-fs0.bin in the m.i.b. backup.

But if the backup is absent and you have no password for RCC/MMX and/or RCC Emergency IFS, then you can upload an emergency.ifs from a FW with a known root password via ZMODEM :)

After emergency.ifs is running and you logged in, and dump RCC & MMX NORs to SD card like:

mount -uw /net/mmx/fs/sda0/
cat /net/rcc/dev/fs0 >/net/mmx/fs/sda0/RCC_fs0.bin
cat /net/mmx/dev/fs0 >/net/mmx/fs/sda0/MMX_fs0.bin

MMX/RCC hash of root password

Extracting from FW update or MMX-fs0.bin

Open\MMX2\efs-sys\XX\default\efs-system.imgor MMX-fs0.bin in any hex editor like HxD and search forroot:

Hash is brWtVCU7RcmTw in this case.

RCC Emergency IFS root password hash

Extracting from FW update files

Use IFSTool to split and unpack\RCC\ifs-root\XX\default\ifs-root.ifsto find the hash in /etc/shadow_rcc file.

Extracting from RCC-fs0.bin

Hash is stored in shadow_rcc file that is compressed in ifs-root-stage1 partition that holds Emergency IFS.

To get ifs-root-stage1 you need to exctract IFS-root.ifs from the RCC-fs0.bin first:

start offset 0x0540000
end offset somewhere with PORSCHE, which is the end of ifs-root-stage2 image

Save selection from start offset till end offset as a new file and split it into stage1 and stage2 with IFSTool, then unpack ifs-root-stage2.ifs and get /etc/shadow_rcc file:

Alternatively you can find the hash in the unpacked image file using root: in HxD search

Brute force the hash to find password

QNX6.5 on MHI2 uses DES hashes with salt stored in the first two characters of the hash.

E.g. in hash: WmRI0ymbfbbUw the salt is: Wm

:::info Usually brute forcing can be done in 2 days.

Sometimes, with limiting the possible characters and their combinations used in other known password even in a couple of hours.

:::