ihateu3

I think it was already on...

ILM-NC G37S

iTrader: (3)

Dumb question: Is the CAN BUS and the AV COM BUS one and the same network or are they two separate networks?

The key- at least as far as the G37 is concerned- lies in the preset switch panel (the clock one) as this is the only middleman/ "module" that communicates with the multifunction switch block and the AV COM bus. Remember, there are two types: NAV and non.

In looking at the GT-R FSM, the "Function" switch block communicates directly to the AV COM bus- there is no "middleman."

This: is practically identical to how the BCM communicates with the Light/Wiper switch.The BCM polls each set of input and output channels and reads the changes in transistor values. This is how I will be able to wire in my rear fog light- eventually. It would not surprise me if the AV switches operate in the same manner.

As I am trying to go into a different direction, I am not sure how helpful I can be here...

iCrap

iTrader: (8)

Ah yeah it wouldn't be in there then. It would just be a 1 time thing on the startup

They are not the same network. AV CAN and CAN are two separate networks. Correct that the preset switch communicates directly to the av unit, I have it wired directly to the AV unit through a breadboard (with the pi inbetween) and it works correctly. I think the key is just that the AV unit is negotiating with the switch panel on bootup and only enabling the buttons on the panel (and ignoring me sending the function press we got from the logs)

icecube45

Seconding what iCrap has been saying (I've been working with them behind the scenes). The switch panel and AV control unit do an initial handshake at car start, and then a continuous heartbeat. I've seen evidence of the handshake being different between panels (my test panel, versus the panel in my car), which leads me to believe that there's identification going on in terms of the panel capabilities. I just don't have enough data to decode things yet.
I just went through a move and the dust is still settling, but once things calm down on my end I'll continue poking around.

rotarymike

iTrader: (4)

So is the heartbeat data the same between panels?

I guess an eventual fix might be to have a ATTiny or similar super-small SBC intercept the CAN from the panel to the AV unit and substitutes out the ID packet - but passes through anything else. I don't think a slight delay would be an issue with AVCAN (as opposed to the regular CAN signals). BUT, we'd need what to watch for and what to substitute with first.

iCrap, if you can get this gelled into a working interface, I think you'll have a side biz LOL.

ILM-NC G37S

iTrader: (3)

Well that just threw a monkey wrench into my plans... Back to the drawing board... again...
Congratulations on the move!

On a side note- kinda related, found this module (cheap instructions attached) that deactivates the TPMS for the GT-R and gets rid of that damn idiot light.

I know Frank ( @MotorvateDIY ) was looking into something similar (turning off TPMS light) as part of his "Mini Dash" project.

icecube45

I believe it is - but it's been long enough since I've poked at things that I'd want to confirm this.

Another bit of evidence for the panels identifying themselves via handshake - the "button IDs" between my (non-nav) and iCrap's (nav?) panels are slightly different.

iCrap

iTrader: (8)

Yeah, the lower nav panel was very different, and the upper panel was actually exactly the same from nav/non-nav. The only difference was the "extra" buttons from the nav were just not soldered on. I've just been shorting them with a tweezers since I don't have a spare nav panel.

Whiterat

Greetings from R35 land =)

I came across this thread and got to say, I had no idea you guys were working on this....I went through a lot of this is 2020.
Bit of a brain dump:

Initially started because I made a harness for retrofitting 08-it units to 06-it cars because I wasn't willing to pay the crazy amount that "someone" wants, later this evolved into working out uart access so I could alter other Infiniti/Nissan 08-it units for use in the GTR along with the retrofit harness (and unlocking them so they don't throw a fit when the BCM doesn't match).

The 06-it equipped R35s shipped as "nav" or "non-nav" and I quickly discovered that the "non-nav" panels report a different ID and subsequently all button IDs are different - however you can advertise the correct panel ID (at any point) with the non-nav panel connected and the button IDs are then correct and understood on the 08-it unit. The main IC on the panels is a mask rom so no way to modify that - was hoping for some resistors denoting unit type...

Made a little panel emulator on an stm32 as well just to press buttons for me without the panel needing to be connected.

There's enough breakers here that it never became a big enough issue to need to work out a clean solution for this, however I did get it working (pretty much as you guys were thinking) with an stm32 sat in-between the panel on the AVCAN bus (tip: those cheap odometer filters sold on aliexpress for mercedes/bmw are perfect - stm32, dual can transceiver and 12v ldo)

Recently started looking at the touchscreen comm, got a reasonable understanding of the data format (also just uart) but not done anything with this yet.

Spent a lot of time reverse engineering the main vxworks blob so have quite a few functions documented, also worked out how to decrypt the nav disks and generate serials for map updates.

So if there's anything that's still a mystery that I might be able to help with, please ask!

MotorvateDIY

Wow, you sure have figured out quite a bit, well done!!
Could you share how to generate the serials for the map updates? I have an old update from 2017 that I would like to try on my 2011 G37.


Thanks in advance!

Whiterat

I'm a little 50/50 on sharing the full detail at the moment, with Nissan/Infiniti no longer providing updates at the end of this year that might push me to open the process.
Currently in the UK I am providing serials for the latest EU maps in return for a nominal donation (£10+) to charity which seemed like the decent thing to do.

The map data decryption and the serial generation is all based on the little known Hitachi MUGI pseudorandom number generator, which I've implemented in a python module (https://github.com/Wh1terat/pymugi)

With regard to panel IDs, they also differ for RHD and LHD for the GTR due to how the controls are mounted - so there's a total of 4 different panel IDs (although I do not have LHD panel ID to hand right now).
For RHD without nav it's 0x28, for RHD with nav it's 0x26.

For 0x26 the button messages are:
Where xx is a cycle from 0x00 to 0x70 in 0x10 increments.

With regard to the vxworks blob, couple of handy commands for those wishing to switch drives

There's a couple of commands that need a service password to execute; should you come across them this is "3721" ​​​​​​​
​​​​​​​

MotorvateDIY

No worries on the map update stuff... very few people use the built in Nav when they can use Apple/Google maps.
I've enabled AUX in on the 370/G37 AV units so folks can see their phone on the nav screen. It isn't hi-res, but it is usable.

(If you care) The LHD GTR panel ID is 0x25
-AND- all the button AV CAN data is the same as RHD.

As for unlocking the drive, I just used an old laptop with an 2.5" PATA/IDE drive that can boot to DOS from USB and then use zu to remove the password.
It is a nice one time activity! After this, the USB to IDE adapters work without any issues as well as the nav units.

Question:
For the map update serial number, I assume just the NAVID is required and it doesn't use/need the VIN.
Can you please confirm. Thank you!
​​​​​​​

Whiterat

Indeed, and that's a whole different project I've got simmering on the back burner at the moment
It's certainly better than nothing, and those screens are never going to be mind blowing - although not too shabby for '07 era!

I've got an LHD panel and when attached it flips some of the navigation panel controls (function, status, back, etc) as if they were lhd mounted.
(these are on a separate board that plugs into the panel on the gtr).

Unfortunately I haven't got anything old enough for a native PATA interface so had to find another method to unlock them.

Correct, just the nav unit id.

Annoyingly (or cleverly depending on which side of the table you sit) you do require a valid serial and unit id combo to derive the "master key" (for lack of a better term) for each release.
It's 8 bytes so not viable to brute force.

The AV units are pretty cool really, somewhat over-engineered but due to being in so many cars also a lot of flexibility.
I've retrofitted the "sonar" unit from a qx60; at some point (got one on my bench) going to have a play with the "around view monitor" too ​​​​​​​

MotorvateDIY

Understood... You need to be older than dirt to have those
I have a fairly large collection on old laptops from the 80s/90s/2000s and only ONE with PATA could boot from USB. It is one of those things that takes a day to figure out, then 5 seconds to use!

I agree!! It is VERY well designed and flexible.
It also has support for 2G/3G "Carwings" (google it) for remote access via cell, but looks like the cell hardware wasn't installed or ready at that time.

Anyways, in the next week or so, I will have the GTR gauges working with my G37 and will post a video on my YouTube channel.
I've made a bluetooth oil pressure sensor for ease of install (no wires between engine bay and interior) and will do the required CAN bus addition/conversion to feed all the MFD gauges.

Once that is done, I'm going to look into a GVIF converter for a hi-res (native 800 x 480) AUX in.

Whiterat

Oh I've owned *many* but about a decade ago I had a massive culling and decided to stop hoarding stuff.
That said, I've just remembered I actually did keep one thing that would have worked (Toshiba Libretto 30CTK)

Carwings (of that era) was never meant to be "built in" from what I'm aware, it was meant to work with a phone - my GTR is an early Japanese import and had the cable to connect to an old softbank phone of the era!
I believe looking through the app that there's still some limited functionality possible over bluetooth - but honestly not going down that rabbit hole!

Ah that's great work! I don't suppose you've made any dbc for all the messages in use on the MFD ?
I've got bits and pieces for some of the clusters below but not a perfect list.

• 0x002 - LWSOUT
• 0x180 - ECM_TorqueControl_RN1
• 0x280 - CLUSTER_BasicInfo_1
• 0x292 - VehicleDynamic02
• 0x2D5 - CLUSTER_MultiFunctionFastData1
• 0x2DE - METMSG1
• 0x354 - Brake_GeneralData
• 0x355 - CLUSTER_BasicInfo_2
• 0x36D - HEV_GenStat_ITM
• 0x551 - ECM_GeneralStatus
• 0x580 - ECM_to_ITM
• 0x59A - METER_MultiFunctionData1
• 0x5C5 - CLUSTER_GeneralStatus