Updating RNS315 maps for fun and profit

I have RNS315 radio/navigation/media system (I will call it unit) in my car. I bought it with maps from 2014 which are hugely outdated so I started to research how to update the maps.

The obvious way is to go to the dealer and buy map update but that costs some higher tens of Euros so I started researching other options.

The update comes on an SD card which is unreadable in PC – this is because the card is locked with CMD42 and most operating systems cannot deal with this lock. There is a very nice technical note where you can read about the mechanism.

The way how the map update works is, that first the unit checks if the card is locked and reads the SD card CID (unique card ID). If the card is not locked but contains updates, it will show that there is a card with updates but it is not genuine. If it is locked, the unit will generate a password based on the CID and try to unlock the card with CMD42. If it cannot unlock, it will show an error.

There are two ways how people deal with this problem:
– cards with changeable CIDs
– online password generators for your specific card CID

You can buy a very rare SD card with changeable CID (card ID) but these are really hard to get and their price is not worth it. If you have it, you change the CID and lock the card with a know public password.

Next option is to use an online password generator (e.g. this one) where you enter your cards CID and it will give you a password. But this also costs money so I started thinking about some other way.

The update data can be found on the Internet by searching “map update RNS315”. For Europe, there are two packages – Eastern Europe (EE) or Western Europe (WE). For the time of writing, the latest version is V12. You need to copy this data to your SD card before making any magic with locking.

Getting the password

As I was thinking about it, I thought there is actually no hashing or obfuscation mechanism in the unlocking sequence for CMD42 – the host will simply send the password “as is” so you should be able to capture it. So I just took a card, locked it with random password and put it in my unit with a logic analyzer attached (basic FT2232H and PulseView) .

You can see in the background displayed: “Error: SD card” because the card is locked with a different password.

I started to analyze the captured data. PulseView has a SD card protocol decoder so it was quite easy and I was able to find CMD42 quickly:

You can see I captured it with 10Mhz sample rate and it was enough. It probably switches to higher speeds (20MHz?) only after initializing the card (I didn’t check this). You can also see there is data only on single DAT line. This is probably also the reason why copying the data from card may take up to 2hours (16GB / 20MHz 1-bit SD mode = 6872sec)

PulseView doesn’t have data decoding for SD card in SD mode so I had to improvise to get the password data. I have used SPI decoder, and since we don’t have chip-select signal here to properly align bits into bytes, I extended it with an option to skip bits on start. So I was able to get the password bytes decoded:

I have aligned it in a way, that the first 1 belongs to the previous byte 0xFE (it’s start bit) and then it continues with 0x00 0x10 which for the CMD42 means unlock command with password length 0x10 (16 bytes). Next 16 bytes (0xBB, 0x37, 0x3D,…) are the password followed by a checksum. So we have the password now!

Locking/unlocking the card

In previous paragraph I skipped the way how to lock/unlock the card. When you insert a locked card into PC, it won’t be able to read it:

To get control of the card, I used Arduino on ESP32 with SD library which I modified to work with ESP32 and applied a mod to support CMD42. The complete project is here. It can initialize card, list files, display CID, detect locked card, lock/unlock with CMD42 and delete devid file.

Short Howto

  1. Copy navigation data to card
  2. Lock the card with any password
  3. Capture the password using logic analyzer
  4. Unlock the card with original password
  5. Lock the card with correct password
  6. Profit

When you insert the card you will be asked to assign the card with the unit.

Once you do this, it will create a file called devid with following contents (probably some serial number of the unit):

$ hd deviceid
00000000 9a 04 8b 6b 13 02 61 f8 00 00 ff bf ff ff fe ff |…k..a………|
00000010

But since we know the password, we can always delete it. Either after unlocking in a computer or using my esp32 firmware (function delete_devid()). After this, it can be used in another car.

Next, you are asked what to do with the update – install or use the maps from the card:

This really takes more than a hour, so do this during a long journey or with your car connected to a battery charger. After this, you are ready to use the updated maps.

For the purpose of sniffing I created a microSD card sniffer. If you want one, you can buy it in my e-shop at Lectronz.

I also wonder if the online password generation services know the password algorithm or they communicate with some unit and emulate a card with your CID to capture the password. I was also thinking about building such system but decided it’s not worth the investment but it is definitely doable.

And that’s it, if you have any questions or comments, feel free to comment.

16 thoughts on “Updating RNS315 maps for fun and profit”

    1. Hi Max,
      I think anyone should be ok, you could also possibly use FT232H or FX2LP but I haven’t tested them in this setup.

  1. You can lock/unlock the card with a pc. I remember doing this years ago with a modded Ubuntu image that I got from some Škoda forum and a laptop with a PCI card reader (has to be internally connected via PCI, then it has raw access to the SD, not via USB)

    1. Correct, there is a modded kernel module needed and rebooting and specific card reader so too complicated IMHO. Using Arduino is much more available and simple at least for me.

  2. Hi Danman !
    I’m Marco from Brazil. I bought a 2012 VW Jetta Variant and the unit is the RNS315 whose maps are still from 2012. I would like to update the gps, but the dealership here in Brazil says that there is no update for my gps. So I bought an original vw card from a seller on a local site like Amazon, the seller said it fits the 2012 Tiguan which also uses the RNS315. I just received the card and when I put it in my RNS315 to perform the update, it showed the message “SD Card error”. I put the card in my notebook and I see the folders with the map data and such, but I haven’t touched anything. Can you find a way to make it work?
    Thanks for attention.

    1. If you cannot proceed according to the article I cannot help you. I don’t think sending prepared card to Brazil from Europe makes sense.

    2. hi marco antonio, I’m from brazil too, and just bought my tiguan 2013 here in são paulo, but my RNS315 multimedia navigation system keeps saying that I’m in mexico, and does not deliver my actual map of brazil, although it keeps moving and navigating on the screen on ‘mexico streets’ — as if it where updating my compass in real-time.
      so here I am asking if you have a clue or can share a technical contact that would help me fix it, instead of going to a VW official seller…
      it would be great!!
      ; D
      thanks you all of the forum!
      alex

      https://drive.google.com/open?id=1etV1BLCLWzrJWPWgle5phkIXeSWn2h86&usp=drive_fs
      https://drive.google.com/open?id=1egSraGtZvI6Ka_qZl6vbgZrHihyD7YTi&usp=drive_fs
      https://drive.google.com/open?id=1e3fd6sXZv1j3w3UbdTQRHvsBboweF__J&usp=drive_fs
      https://drive.google.com/open?id=1egeCDf0F-vdfThlMpVE436t_FrlyYBEe&usp=drive_fs

  3. Are there card updates after 2020 ? It looks VW stopped cardupdates for rns315. Because i can not find it.

  4. Hi Daniel
    You said “You can also see there is data only on single DAT line. ” Which SD card pin did you get the password from? I guess you have either DAT0 or DAT3 on ADBUS4.

  5. Hey danman, great writeup.
    I never got a vw SD car with the 2014 passat I just bought – thats how I found your blog.

    however, for me, its easier to pay 5 euro for an unlock pwd than to buy an arduino and build your project!
    regarding the format of the navigation data to be copied onto the SD card, I just downloaded from VW the file “DiscoverMedia2_EU-DL2_2110_V18.7z” it contains a folder called “maps” containing various subfolders. Question, what should the folder in root of the SD be named? is it “maps”
    I have an old thinkpad with a built in SD slot and ubuntu installed so I am hoping I can use linux commands to read/manipulate the CID and PWD

    Thus, the sequence would be as follows:
    Copy navigation data to card (what folder name?)
    read CID using ubuntu
    buy correct password online
    lock the card then UnLock the card with correct password (is this step necessary)
    then install in head unit
    Does this seem correct to you ?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.