Everything You Should Know About Porsche CarPlay Fullscreen on PCM5 MH2p, and How to Activate Porsche CarPlay Fullscreen on PCM5 MH2p: what you should know before you start this activation.
To avoid confusion, this time we will post about the project we have been working on for the last two years on the PCM5 MH2p.
As we all know, most Porsche PCM5 owners were really annoyed by the half-screen CarPlay on 2019 and later models. It was really surprising that Porsche only implemented an 800×600 resolution for CarPlay on a 12” screen, and it looks silly that only half of the screen can be used in CarPlay mode. So we set up a test bench and started this project, aiming to enlarge CarPlay to use the entire screen.
Well, things didn’t go so well, as gaining root access to the system was the first problem we needed to overcome before any analysis could be carried out. The hardware is made by Alpine. We found that the multimedia board, called MMX, is based on the Tegra K1 SoC and runs the QNX 6.6 embedded system. For start-up, it boots from a NOR flash that is integrated with the SoC and RAM.
There was no way for us to take that NOR flash out to modify the data for root access. We then found that the system also has a software update mode: tap the top-right corner of the screen with two fingers and hold for a few seconds, and the system boots into software update mode.
This mode is for updating the factory firmware and boots from the eMMC on the board. This eMMC can be removed for reading and changing the data. Removing the BGA chip and placing 0.3 mm solder balls on the eMMC scared the hell out of me in the beginning, but it is still possible, so we took the risk and removed the chip.
Gaining access via eMMC removal is no secret anymore; people posted about it on the internet a long time ago. So after the chip was removed, we modified the data to allow login, and now we can log into the system as root in software update mode.
After we could log into the system, we found that it is very similar to the PCM4 MHI2 system (QNX 6.5). However, all apps are signed, so it is not as easy as on PCM4 MHI2, where you can patch any app.
Still, there is a way to bypass the check, and we made Android Auto work by patching the app. Fullscreen CarPlay was not as easy, because the UI design has the resolution locked. There is a testing script that allows customizing the resolution, but the UI frame is locked, so we needed to reverse engineer the UI design to change the whole layout of the CarPlay display.
After a few months of trial and error, we had made it full screen, but only by stretching the image larger; the icon size stayed the same. Compared with PCM6 it looked quite different, and the resolution was non-standard and not optimized for a lot of apps. Before the new PCM6 was announced, we didn’t know the CarPlay screen could be so much better, and the CarPlay icons on PCM6 are optimized for full-screen display as well.
So we were happy with it until the day PCM6 was announced: the CarPlay screen in PCM6 looks much better optimized, especially the icon size, which is tuned for full-screen display.
Then we had to restart the project, and we found a way to change the whole layout to utilize the whole screen. Now everything looks better, and the screen image looks exactly the same as on PCM6.
Searching for a way to gain access through USB LAN.
The problem now is that doing all of that requires a lot of skill and experience in chip soldering, which makes it impractical and impossible to do remotely.
After a few months of research, we found that there are some ways to gain root access without taking the eMMC off the board. One of them uses the vulnerability in the K1, which is the same vulnerability as in the X1 on the Nintendo Switch.
It uses a buffer overflow to run arbitrary code via the boot ROM of the K1 chip.
I had to study more and learn about bare-metal programming. After one month of learning and reading the Nintendo Switch hack source code, I found source code for T124 code injection on GitHub, but we had to modify it to run with the K1 VID and change the iRAM address map to make it work on the PCM5. After modifying the code, we successfully injected our code and ran hello world on it.
Later on, we also added a serial driver to output the log.
However, writing the eMMC driver so that we can access the eMMC via the RCM mode of the PCM5 is a major undertaking.
The downside is that when the PCM5 is in RCM mode, it keeps rebooting every 2 minutes, because the watchdog on the RCC board keeps checking the availability of the MMX Nvidia board. Since the MMX board is in RCM mode, the RCC triggers a reboot.
Also, the vulnerability was patched by Nvidia in 2020 chip production, so all PCM5 units produced after that no longer have this back door.
Then a clever guy in Europe developed an SD tool that uses the challenge-response algorithm to enable root access; we approached him and tested that it works. The PCM5 has this mechanism by default, but we don’t have the private key to generate the response code, so someone used a firmware update to replace the public key in the system so that they can generate their own response code for root access.
This has made access more practical, and it can be done remotely. Because of that, we are putting this post here to let others know that enabling full-screen Apple CarPlay and Android Auto activation can now be done remotely with our SmartPCM toolkit.
The whole thing took two years of our time, and we’re glad it all worked out nicely. With this PCM6.0-style full-screen CarPlay solution, we don’t really consider upgrading the car in at least the next 2 years.