Thread Rating:
  • 89 Vote(s) - 3.03 Average
  • 1
  • 2
  • 3
  • 4
  • 5

BMW CIC FTP How to

1
I found a solution for cic ftp connection. I don't try it, please try and report!
Don't forget thanks + rep if u like it!

Attached Files
.txt

cic ftp.txt

2,228
1.55 KB
[Image: 79.gif]- VVDI BMW IN SPECIAL PRICE -[Image: 79.gif]
2
not work on new cic, NBT, only cic prior to flashing to ISTA 2.44 may work Smile and to make manipulation you need root password Smile
Thanks given by:
3
(03-17-2014, 11:17 PM)andrius1989 Wrote: not work on new cic, NBT, only cic prior to flashing to ISTA 2.44 may work Smile and to make manipulation you need root password Smile

Thanks for info
[Image: 79.gif]- VVDI BMW IN SPECIAL PRICE -[Image: 79.gif]
Thanks given by:
4
I have the old pass. Looking for a new password. Please help Cheer2Tup653
You like please click [Image: 5hkRR] or [Image: jdCbU].
Thanks given by:
5
resolved.Cheer2
You like please click [Image: 5hkRR] or [Image: jdCbU].
Thanks given by:
6
(09-29-2014, 09:35 PM)etechnic Wrote: resolved.Cheer2

Can U share how to can be resolve?
[Image: 79.gif]- VVDI BMW IN SPECIAL PRICE -[Image: 79.gif]
Thanks given by:
7
(09-29-2014, 06:03 PM)etechnic Wrote: I have the old pass. Looking for a new password. Please help Cheer2Tup653
CIC root
login: root
pass: old: cic0803 New: Hm83stN)

Start Tool32, load CICR.PRG and start the Job "status_get_ipconfig" to find out the IP Address the CIC got from your DHCP server (you need a DHCP Server in your network!).

In this case, with the adapter, the CIC has a fixed IP address of: 160.48.199.99/255.255.255.128
So set your PC/Notebook to e.g. 160.48.199.98/255.255.255.128

Hint:
I don't know why, but I'm not able to directly download files from the read-only Filesystem in /etc via FTP, but you can get them if you first copy a file via Telnet Console to an other location. (e.g. /tmp or /mnt/hbuser) and retrieve it via FTP from there.

Let's start!
A summary of that I know so far...

You can activate all FSC-locked functions by issuing the following commands:
Code:
echo "" > /mnt/persistency/00170001.swt
echo "" > /mnt/persistency/00180001.swt
echo "" > /mnt/persistency/00190001.swt
echo "" > /mnt/persistency/001A0001.swt
echo "" > /mnt/persistency/001B0001.swt
There is even a ready made script already on the CIC:
/mnt/persistency/activate_swt.sh
This script does nothing else than creating the stated, empty files.
Then reset/restart the CIC and all functions are unlocked (navigation, the map, speech recognition, BMW Apps)
You can also issue the following command to restart the headunit:

Code:
slay HmiMain
BUT, before you start jumping around: this "hack" only last for 1 restart!
After activation by these files, the files get deleted, so after a further reboot, navigation, etc. are locked again.

Flash
There are 8 partitions in Flash: 0-7
/dev/fs0p0 ... fs0p7
1,3,5 and 6 are mounted:

Code:
/dev/fs0p1 on /mnt/equalizing
/dev/fs0p3 on /mnt/EFS_RO
/dev/fs0p5 on /mnt/HBpersistence
/dev/fs0p6 on /mnt/logistics
hint:
to get the options of a command, just google e.g. "qnx mount" or "qnx flashctl"

Flash Dump
At least the CIC does not know the "dd" command, but dumping the flash is still quite easy, just use the "cp" command.
e.g.:
Code:
cp /dev/fs0p6 /mnt/hbuser/tmp/fs0p6_dump.img
This also works the other way round, so writing a dump back to the flash.
But please be bloody careful(!!!) with this command, as it can totally brick the CIC if you e.g. overwrite the bootloader!

Code:
cp /mnt/hbuser/tmp/fs0p6_dump.img /dev/fs0p6
HBpersistence
if /mnt/HBpersistence is missing, it will be recreated from Flash Partition #0.
see:
/bin/checkpersistency.sh
and
/bin/createHBpersistence.sh

createHBpersistence.sh:

Code:
#!/bin/ksh

if test ! -d /mnt/HBpersistence || test ! -e /mnt/logistics/v.6 ; then
if test -e /dev/starter/status ; then
flashctl -vvvv -p /dev/fs0p0 -F -o 117504K -l 12288K -e -f -n /mnt/HBpersistence
slay devf-generic
/sbin/devf-generic -t4 -p400,32 -r -b9 -s0x0,128m,,,,,,1000,20
waitfor /mnt/HBpersistence 2
mkdir /mnt/HBpersistence/early
mkdir /mnt/HBpersistence/normal
echo "HBpersistence recovery on startup" > /mnt/logistics/v.6 ;
else
echo "HBpersistence could not created in Bootloader.";
fi
else
echo "HBpersistence already exists."
fi
FSCs and Certificates:
FSCs are stored in:
/mnt/HBpersistence/normal/generalPersistencyData_DiagnosticSWTController
Certs in: /mnt/HBpersistence
rcert.swt root certificate
scert.swt FSCS certificate
fcert.swt SigS certificate

Backups of the certificates are located in
/mnt/hbdebug/data01
/mnt/hbdebug/data02
/mnt/hbdebug/data03
(these are overwritten during each SWT activation)
8
Hi alex5012,

Pleaase for a password for the archive?

best regards,
matigdy
Thanks given by:
9
(05-17-2015, 03:54 AM)alex5012 Wrote:
(09-29-2014, 06:03 PM)etechnic Wrote: I have the old pass. Looking for a new password. Please help Cheer2Tup653
CIC root
login: root
pass: old: cic0803 New: Hm83stN)

Start Tool32, load CICR.PRG and start the Job "status_get_ipconfig" to find out the IP Address the CIC got from your DHCP server (you need a DHCP Server in your network!).

In this case, with the adapter, the CIC has a fixed IP address of: 160.48.199.99/255.255.255.128
So set your PC/Notebook to e.g. 160.48.199.98/255.255.255.128

Hint:
I don't know why, but I'm not able to directly download files from the read-only Filesystem in /etc via FTP, but you can get them if you first copy a file via Telnet Console to an other location. (e.g. /tmp or /mnt/hbuser) and retrieve it via FTP from there.

Let's start!
A summary of that I know so far...

You can activate all FSC-locked functions by issuing the following commands:
Code:
echo "" > /mnt/persistency/00170001.swt
echo "" > /mnt/persistency/00180001.swt
echo "" > /mnt/persistency/00190001.swt
echo "" > /mnt/persistency/001A0001.swt
echo "" > /mnt/persistency/001B0001.swt
There is even a ready made script already on the CIC:
/mnt/persistency/activate_swt.sh
This script does nothing else than creating the stated, empty files.
Then reset/restart the CIC and all functions are unlocked (navigation, the map, speech recognition, BMW Apps)
You can also issue the following command to restart the headunit:

Code:
slay HmiMain
BUT, before you start jumping around: this "hack" only last for 1 restart!
After activation by these files, the files get deleted, so after a further reboot, navigation, etc. are locked again.

Flash
There are 8 partitions in Flash: 0-7
/dev/fs0p0 ... fs0p7
1,3,5 and 6 are mounted:

Code:
/dev/fs0p1 on /mnt/equalizing
/dev/fs0p3 on /mnt/EFS_RO
/dev/fs0p5 on /mnt/HBpersistence
/dev/fs0p6 on /mnt/logistics
hint:
to get the options of a command, just google e.g. "qnx mount" or "qnx flashctl"

Flash Dump
At least the CIC does not know the "dd" command, but dumping the flash is still quite easy, just use the "cp" command.
e.g.:
Code:
cp /dev/fs0p6 /mnt/hbuser/tmp/fs0p6_dump.img
This also works the other way round, so writing a dump back to the flash.
But please be bloody careful(!!!) with this command, as it can totally brick the CIC if you e.g. overwrite the bootloader!

Code:
cp /mnt/hbuser/tmp/fs0p6_dump.img /dev/fs0p6
HBpersistence
if /mnt/HBpersistence is missing, it will be recreated from Flash Partition #0.
see:
/bin/checkpersistency.sh
and
/bin/createHBpersistence.sh

createHBpersistence.sh:

Code:
#!/bin/ksh

if test ! -d /mnt/HBpersistence || test ! -e /mnt/logistics/v.6 ; then
if test -e /dev/starter/status ; then
flashctl -vvvv -p /dev/fs0p0 -F -o 117504K -l 12288K -e -f -n /mnt/HBpersistence
slay devf-generic
/sbin/devf-generic -t4 -p400,32 -r -b9 -s0x0,128m,,,,,,1000,20
waitfor /mnt/HBpersistence 2
mkdir /mnt/HBpersistence/early
mkdir /mnt/HBpersistence/normal
echo "HBpersistence recovery on startup" > /mnt/logistics/v.6 ;
else
echo "HBpersistence could not created in Bootloader.";
fi
else
echo "HBpersistence already exists."
fi
FSCs and Certificates:
FSCs are stored in:
/mnt/HBpersistence/normal/generalPersistencyData_DiagnosticSWTController
Certs in: /mnt/HBpersistence
rcert.swt root certificate
scert.swt FSCS certificate
fcert.swt SigS certificate

Backups of the certificates are located in
/mnt/hbdebug/data01
/mnt/hbdebug/data02
/mnt/hbdebug/data03
(these are overwritten during each SWT activation)

Sorry for reviving this thread but i'm currently exploring a CIC MID (Business, Motion maps) from a 2010 e90.

Dude, your knowledge is blowing my mind Big Grin
Thanks a million times for sharing it Tup

I have a few questions for you..

First off, how did you get to know this stuff?
From experimenting or from info gathered around on the interwebs? Pc

So just to be clear, if i copy the diagnosticSWTcontroller file to my computer over telnet or ftp it does contains all my FSC's for nav enabler, bmw apps,... ?
And if i copy the r, s, and fcert over i have the certificate for importing and activating those fsc's, right?

How would i import them back into the headunit and get them activated properly in case something gets messed up from playing around with it ( which i totally plan on doing)? Big Grin

I'm very comfortable with tools like esys and tool32, i do a lot of coding on Fxx cars and have activated some FSC's on them too. Thing is E-Sys doesn't work on Exx CIC HU's, or does it?

I already extracted the 1B FSC from it for a nav update, went fine though.
Now i would like to know what the other possible FSC AppID's are that may live inside one of these CIC's and how to import and activate them without using ISTA/P (Since i don't have an ICOM yet + the DiagnosticSWTcontroller file isn't exactly a .FSC file ready to be imported Wink )

Also some of the earlier Business CIC's had an 8gb NAND and no HDD.
That's the whole reason why so many people got into a disaster when updating their nav's to 2015-2 back then.
The update would exceed the maximum available free space on the NAND and your CIC would be screwed up after first reboot.

This was fixed in 2016 though, or so i believe, by reducing the update size.
Anyway some people back then were reporting that if you wiped the old nav map data off of the nand, and then install the "problematic" 2015-2 update, it would have enough free space by using this method, thus not permanently crashing.
So since the "how to do just that" was never mentioned somewhere on the internet that i could find myself, my question to you is how do you wipe the map data completely off of the nand and perform a 'clean install' after the wipe?

Also, if you've got any other info other then what you already provided could you please share it here?
I love tinkering with this kind of stuff Kolo
Your help is sooooooo much appreciated man!Big Grin
Thanks!
Thanks given by:

Possibly Related Threads…

 
Replies: 10
Views: 432
06-03-2021, 04:33 AM
BMW
Replies: 2
Views: 129
05-29-2021, 12:54 AM
 
Replies: 6
Views: 1,351
05-25-2021, 03:46 PM
BMW
Replies: 8
Views: 4,009
05-25-2021, 12:02 PM
Users browsing this thread: 2 Guest(s)