Over the weekend, users noticed their Timelines went missing.
Google seems to have noticed, too, as The Register has seen multiple social media posts in which Timelines users share an email from the search and ads giant in which it admits "We briefly experienced a technical issue that caused the deletion of Timeline data for some people."
The email goes on to explain that most users that availed themselves of a feature that enables encrypted backups will be able to restore their Maps Timelines data.
Once again, Google provides no explanation for why it is incapable of reliably storing user data, and no customer support. Users are on their own.
I have an RNS315 radio/navigation/media system (I will call it the unit) in my car. I bought it with maps from 2014, which are hugely outdated, so I started to research how to update the maps.
The obvious way is to go to the dealer and buy a map update, but that costs some higher tens of euros, so I started researching other options.
The update comes on an SD card which is unreadable in a PC. This is because the card is locked with CMD42 and most operating systems cannot deal with this lock. There is a very nice technical note where you can read about the mechanism.
The map update works like this: first the unit checks if the card is locked and reads the SD card CID (unique card ID). If the card is not locked but contains updates, it will show that there is a card with updates but it is not genuine. If it is locked, the unit will generate a password based on the CID and try to unlock the card with CMD42. If it cannot unlock, it will show an error.
There are two ways people deal with this problem:
- cards with changeable CIDs
- online password generators for your specific card CID
You can buy a very rare SD card with changeable CID (card ID) but these are really hard to get and their price is not worth it. If you have one, you change the CID and lock the card with a known public password.
The next option is to use an online password generator (e.g. this one) where you enter your card's CID and it will give you a password. But this also costs money so I started thinking about some other way.
The update data can be found on the Internet by searching "map update RNS315". For Europe, there are two packages: Eastern Europe (EE) or Western Europe (WE). At the time of writing, the latest version is V12. You need to copy this data to your SD card before making any magic with locking.
Getting the password
As I was thinking about it, I thought there is actually no hashing or obfuscation mechanism in the unlocking sequence for CMD42: the host will simply send the password "as is", so you should be able to capture it. So I just took a card, locked it with a random password and put it in my unit with a logic analyzer attached (basic FT2232H and PulseView).
You can see displayed in the background: "Error: SD card", because the card is locked with a different password.
I started to analyze the captured data. PulseView has a SD card protocol decoder so it was quite easy and I was able to find CMD42 quickly:
You can see I captured it with a 10 MHz sample rate and it was enough. It probably switches to higher speeds (20 MHz?) only after initializing the card (I didn't check this). You can also see there is data only on a single DAT line. This is probably also the reason why copying the data from the card may take up to 2 hours (16 GB / 20 MHz in 1-bit SD mode = 6872 sec).
PulseView doesn't have data decoding for SD cards in SD mode so I had to improvise to get the password data. I used the SPI decoder, and since we don't have a chip-select signal here to properly align bits into bytes, I extended it with an option to skip bits at the start. So I was able to get the password bytes decoded:
I have aligned it so that the first 1 belongs to the previous byte 0xFE (its final 0 is the start bit) and then it continues with 0x00 0x10, which for CMD42 means an unlock command with password length 0x10 (16 bytes). The next 16 bytes (0xBB, 0x37, 0x3D,…) are the password, followed by a checksum. So we have the password now!
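The framing described above, rebuilt and parsed in Python as an added example (it is not part of the original post, its PulseView decoder or its ESP32 project). The password, idle length and helper names are constructed; the flag bits follow the SD lock/unlock data structure, the CRC16 is the one appended to SD data blocks, and the parser assumes the capture begins while DAT0 is idle.

```python
# Added example: all byte values below are constructed, not from a real capture.
FLAGS = {"SET_PWD": 0x01, "CLR_PWD": 0x02, "LOCK": 0x04, "ERASE": 0x08}

def crc16_sd(data: bytes) -> int:
    """CRC16 appended to SD data blocks (poly 0x1021, initial value 0)."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ (0x1021 if crc & 0x8000 else 0)
            crc &= 0xFFFF
    return crc

def to_bits(data: bytes) -> list:
    """MSB-first bit list, the order in which bits appear on DAT0."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def build_dat0(block: bytes, idle: int) -> list:
    """Constructed DAT0 samples: idle 1s, start bit 0, block, CRC16, end bit 1."""
    crc = crc16_sd(block).to_bytes(2, "big")
    return [1] * idle + [0] + to_bits(block + crc) + [1]

def parse_cmd42(bits: list) -> dict:
    """Align on the start bit, then decode mode, length, password and CRC."""
    start = bits.index(0)              # ValueError if the line never leaves idle
    payload = bits[start + 1:]

    def byte_at(n: int) -> int:
        chunk = payload[8 * n:8 * n + 8]
        if len(chunk) < 8:
            raise ValueError("capture ends inside the data block")
        return int("".join(map(str, chunk)), 2)

    mode, pwd_len = byte_at(0), byte_at(1)
    block = bytes(byte_at(i) for i in range(2 + pwd_len))
    crc_rx = (byte_at(2 + pwd_len) << 8) | byte_at(3 + pwd_len)
    return {
        "skip_bits": start + 1,        # bits a byte-oriented decoder must skip
        "flags": [name for name, bit in FLAGS.items() if mode & bit],
        "password": block[2:],         # sent in the clear, as the post observes
        "crc_ok": crc_rx == crc16_sd(block),
    }

# Constructed sample: mode 0x00 (unlock), length 0x10, 16-byte placeholder password.
SAMPLE_BLOCK = bytes([0x00, 0x10]) + b"CONSTRUCTED-PWD!"
SAMPLE_BITS = build_dat0(SAMPLE_BLOCK, idle=13)

if __name__ == "__main__":
    print(parse_cmd42(SAMPLE_BITS))
```

The CRC only detects bit errors in the capture; it provides no confidentiality, which is why the password is recoverable from the bus.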
Locking/unlocking the card
In the previous paragraph I skipped how to lock/unlock the card. When you insert a locked card into a PC, it won't be able to read it:
To get control of the card, I used Arduino on an ESP32 with the SD library, which I modified to work with the ESP32 and to which I applied a mod to support CMD42. The complete project is here. It can initialize the card, list files, display the CID, detect a locked card, lock/unlock with CMD42 and delete the devid file.
Short Howto
Copy navigation data to card
Lock the card with any password
Capture the password using logic analyzer
Unlock the card with original password
Lock the card with correct password
…
Profit
When you insert the card you will be asked to assign the card to the unit.
Once you do this, it will create a file called devid with the following contents (probably some serial number of the unit):
But since we know the password, we can always delete it, either after unlocking in a computer or using my esp32 firmware (function delete_devid()). After this, it can be used in another car.
Next, you are asked what to do with the update (install it or use the maps from the card):
This really takes more than an hour, so do this during a long journey or with your car connected to a battery charger. After this, you are ready to use the updated maps.
I also wonder if the online password generation services know the password algorithm or if they communicate with some unit and emulate a card with your CID to capture the password. I was also thinking about building such a system but decided it's not worth the investment, though it is definitely doable.
And that's it, if you have any questions or comments, feel free to comment.