I have RNS315 radio/navigation/media system (I will call it
unit) in my car. I bought it with maps from 2014 which are hugely outdated so I started to research how to update the maps.
The obvious way is to go to the dealer and buy map update but that costs some higher tens of Euros so I started researching other options.
The update comes on an SD card which is unreadable in PC – this is because the card is locked with CMD42 and most operating systems cannot deal with this lock. There is a very nice technical note where you can read about the mechanism.
The way how the map update works is, that first the unit checks if the card is locked and reads the SD card CID (unique card ID). If the card is not locked but contains updates, it will show that there is a card with updates but it is not genuine. If it is locked, the unit will generate a password based on the CID and try to unlock the card with CMD42. If it cannot unlock, it will show an error.
There are two ways how people deal with this problem:
– cards with changeable CIDs
– online password generators for your specific card CID
You can buy a very rare SD card with changeable CID (card ID) but these are really hard to get and their price is not worth it. If you have it, you change the CID and lock the card with a know public password.
Next option is to use an online password generator (e.g. this one) where you enter your cards CID and it will give you a password. But this also costs money so I started thinking about some other way.
The update data can be found on the Internet by searching “map update RNS315”. For Europe, there are two packages – Eastern Europe (EE) or Western Europe (WE). For the time of writing, the latest version is V12. You need to copy this data to your SD card before making any magic with locking.
Getting the password
As I was thinking about it, I thought there is actually no hashing or obfuscation mechanism in the unlocking sequence for CMD42 – the host will simply send the password “as is” so you should be able to capture it. So I just took a card, locked it with random password and put it in my unit with a logic analyzer attached (basic FT2232H and PulseView) .
You can see in the background displayed: “Error: SD card” because the card is locked with a different password.
I started to analyze the captured data. PulseView has a SD card protocol decoder so it was quite easy and I was able to find CMD42 quickly:
You can see I captured it with 10Mhz sample rate and it was enough. It probably switches to higher speeds (20MHz?) only after initializing the card (I didn’t check this). You can also see there is data only on single DAT line. This is probably also the reason why copying the data from card may take up to 2hours (16GB / 20MHz 1-bit SD mode = 6872sec)
PulseView doesn’t have data decoding for SD card in SD mode so I had to improvise to get the password data. I have used SPI decoder, and since we don’t have chip-select signal here to properly align bits into bytes, I extended it with an option to skip bits on start. So I was able to get the password bytes decoded:
I have aligned it in a way, that the first 1 belongs to the previous byte 0xFE (it’s start bit) and then it continues with 0x00 0x10 which for the CMD42 means unlock command with password length 0x10 (16 bytes). Next 16 bytes (0xBB, 0x37, 0x3D,…) are the password followed by a checksum. So we have the password now!
Locking/unlocking the card
In previous paragraph I skipped the way how to lock/unlock the card. When you insert a locked card into PC, it won’t be able to read it:
To get control of the card, I used Arduino on ESP32 with SD library which I modified to work with ESP32 and applied a mod to support CMD42. The complete project is here. It can initialize card, list files, display CID, detect locked card, lock/unlock with CMD42 and delete
- Copy navigation data to card
- Lock the card with any password
- Capture the password using logic analyzer
- Unlock the card with original password
- Lock the card with correct password
When you insert the card you will be asked to assign the card with the unit.
Once you do this, it will create a file called
devid with following contents (probably some serial number of the unit):
$ hd deviceid
00000000 9a 04 8b 6b 13 02 61 f8 00 00 ff bf ff ff fe ff |…k..a………|
But since we know the password, we can always delete it. Either after unlocking in a computer or using my esp32 firmware (function delete_devid()). After this, it can be used in another car.
Next, you are asked what to do with the update – install or use the maps from the card:
This really takes more than a hour, so do this during a long journey or with your car connected to a battery charger. After this, you are ready to use the updated maps.
For the purpose of sniffing I created a microSD card sniffer. If you want one, you can buy it in my e-shop at Lectronz.
I also wonder if the online password generation services know the password algorithm or they communicate with some unit and emulate a card with your CID to capture the password. I was also thinking about building such system but decided it’s not worth the investment but it is definitely doable.
And that’s it, if you have any questions or comments, feel free to comment.
2 thoughts on “Updating RNS315 maps for fun and profit”
Out of curiosity: is any FT2232H dev board compatible with sigrok, or just specific ones?
For instance, this one: https://www.aliexpress.com/item/32806818411.html
Or can you suggest another entry-level logic analyzer for sigrok?
I think anyone should be ok, you could also possibly use FT232H or FX2LP but I haven’t tested them in this setup.