Honda Africa Twin Forum banner
1 - 11 of 11 Posts

·
Registered
2023 Africa Twin 1100 manual (on backorder)
Joined
·
90 Posts
Discussion Starter · #1 · (Edited)
So, I've decided to dig my teeth into this as I now have a lot of time on my hands.
This thread will mostly be full of ramblings I will make while I try to reverse engineer and mess around as much as I can with the strands of the software I can grasp.
Feel free to chime in with any knowledge you have.

The software package (CRF1100_v3.10.update) appears to be a regular compressed archive, nothing wild here yet; I found this out by deciding to inspect it with a Hex Editor of choice..
Within are a few binaries and XL1 files.
The EXT4 file "gear-image-garmin-sta1295-lawrence-mksa.ext4" then found can also just be "unzipped" by 7zip, this almost spills all the beans. Now we have a file structure that looks like a *nix distro; apparently it's called STLinux, by ST Microelectronics (supplier of the ARM chip running the show).

Various other files in this whole archive are spewing out loads of interesting information, the most interesting files so far seem to denote how the CANbus interacts and where the configs for them are.

What can be changed is the bootscreen/shutdown animation; this is simply a .mov file. By replacing this file and recompressing you can change the file.
Product Font Screenshot Rectangle Software




The basics figured out so far:

Software:
There's a screen-test function somewhere:
CRF1100_v3.10\gear-image-garmin-sta1295-lawrence-mksa\opt\garmin\bin\HondaTestImages
Code:
// Set up a rectangle that covers the entire screen
Rectangle {

    property bool colorized: false;

    color: "black"

    MouseArea {
        anchors.fill: parent
        onClicked: colorized = !colorized;
    }

    // Rather than having a single Image item that dynamically changes its source
    // data on each click, preallocate two Image children and just toggle between
    // them. This will keep the latency of switching low.
    StackLayout {

        anchors.fill: parent
        currentIndex: colorized ? 0 : 1

        Image {
            source: "qrc:///SMPTE_Color_Bars_800x480.png"
            fillMode: Image.Pad
        }

        Image {
            source: "qrc:///BBC_Test_Card_C_800x480.jpg"
            fillMode: Image.Pad
        }
    }

}
What appears to be terminal (DOS like interface used) is allowed to log in

Code:
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
console

# Standard serial ports
ttyS0
ttyS1
ttyS2
ttyS3

# ARM AMBA SoCs
ttyAM0
ttyAM1
ttyAM2
ttyAM3
ttyAMA0
ttyAMA1
ttyAMA2
ttyAMA3

# QCOM Socs
ttyHSL0
ttyHSL1
ttyHSL2
ttyHSL3
ttyMSM0
ttyMSM1
ttyMSM2

# Samsung ARM SoCs
ttySAC0
ttySAC1
ttySAC2
ttySAC3

# STM SoCs
ttyAS0
ttyAS1
ttyAS2
ttyAS3

# TI OMAP SoCs
ttyO0
ttyO1
ttyO2
ttyO3

# Xilinx Zynq SoC
ttyPS0
ttyPS1

# USB dongles
ttyUSB0
ttyUSB1
ttyUSB2

# USB serial gadget
ttyGS0

# PowerMac
ttyPZ0
ttyPZ1
ttyPZ2
ttyPZ3

# Embedded MPC platforms
ttyPSC0
ttyPSC1
ttyPSC2
ttyPSC3
ttyPSC4
ttyPSC5

# PA-RISC mux ports
ttyB0
ttyB1

# Standard hypervisor virtual console
hvc0

# Oldstyle Xen console
xvc0

# Standard consoles
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
tty12
tty13
tty14
tty15
tty16
tty17
tty18
tty19
tty20
tty21
tty22
tty23
tty24
tty25
tty26
tty27
tty28
tty29
tty30
tty31
tty32
tty33
tty34
tty35
tty36
tty37
tty38
tty39
tty40
tty41
tty42
tty43
tty44
tty45
tty46
tty47
tty48
tty49
tty50
tty51
tty52
tty53
tty54
tty55
tty56
tty57
tty58
tty59
tty60
tty61
tty62
tty63

# Local X displays (allows empty passwords with pam_unix's nullok_secure)
pts/0
pts/1
pts/2
pts/3

# Embedded Freescale i.MX ports
ttymxc0
ttymxc1
ttymxc2
ttymxc3
ttymxc4
ttymxc5

# Freescale lpuart ports
ttyLP0
ttyLP1
ttyLP2
ttyLP3
ttyLP4
ttyLP5

# Standard serial ports, with devfs
tts/0
tts/1

# Standard consoles, with devfs
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
vc/12
vc/13
vc/14
vc/15
vc/16
vc/17
vc/18
vc/19
vc/20
vc/21
vc/22
vc/23
vc/24
vc/25
vc/26
vc/27
vc/28
vc/29
vc/30
vc/31
vc/32
vc/33
vc/34
vc/35
vc/36
vc/37
vc/38
vc/39
vc/40
vc/41
vc/42
vc/43
vc/44
vc/45
vc/46
vc/47
vc/48
vc/49
vc/50
vc/51
vc/52
vc/53
vc/54
vc/55
vc/56
vc/57
vc/58
vc/59
vc/60
vc/61
vc/62
vc/63
Hardware:
Seems to run on a STA1295 unit
ARM based

Which leads me to believe SDK for OpenSTLinux distribution - stm32mpu may contain a lot of useful stuff.
 

·
Registered
2023 Africa Twin 1100 manual (on backorder)
Joined
·
90 Posts
Discussion Starter · #3 · (Edited)
Fantastic. Keep up the good work. I will definitely be keeping tabs on your progress. Be cool to have the ability to change those .mov files to something of your choosing.
This should be possible by just rezipping the file and changing the extension to .update, just keep filenames the same. Within the folder "shutdown splash" can also be found, which is the Honda logo displayed on shutdown.
The shutdown sequence also shows some code that appears to sequence the shutdown, however I can not yet pinpoint what the power-down parameter is; I assume this is pulled from the canbus somewhere, for which I also haven't found the interface just yet.

It also appears that this software can not be emulated in a VM, so it would possibly require me to get my hands on a dev-board. Especially because I don't feel like risking a brick on my bike's head unit.

My main search right now is for the buttons/control I/O, which would allow remapping of all the cockpit/handlebar buttons and the general I/O of the Canbus; I assume this is where communication about the parameters from the head unit to the bike happens.
 

·
Registered
CRF1100 DCT 2021
Joined
·
368 Posts
Very interesting. I think you should be able to own what you pay for in order to improve it or fix it to your needs or idiosyncrasies. Understanding that this may implicate lossing the factory warranty.
User groups hacking the firmware of plenty other computerized artifacts have been very successful in bringing to the users what they want, way better than the manufacturers.
Many bricks on the way through.
But for example, extract the improved instructions for the DCT that may come in the 2022 models to patch the 2020-1 should be possible if there are not hardware changes. As reprogramming buttons, screens and such not hardware depending functions should be doable and desirable. Like shortening the boot up, taking out unnecessary startup video, automatic erasure or elimination of the nagging security screen, etc
 

·
Premium Member
2021 CRF1100 ATAS ES DCT
Joined
·
23 Posts
I see the manifest is signed, are you able to bypass that? From what I see, the manifest has a sha256 hash of each file, so if the Arm chip is only loading items from the signed manifest, isn’t it game over from a modification POV?
 

·
Registered
2023 Africa Twin 1100 manual (on backorder)
Joined
·
90 Posts
Discussion Starter · #9 ·
I see the manifest is signed, are you able to bypass that? From what I see, the manifest has a sha256 hash of each file, so if the Arm chip is only loading items from the signed manifest, isn’t it game over from a modification POV?
Good observation, and runtime is also partly encrypted/run in a safe environment on the chip; according to STM, the manufacturer of the chip not everything is run from the safe environment.

I hope something can be dumped from a runtime, but I highly doubt it. I've been scouring forums like XDA on AA/head unit related stuff but not finding too much.
After that the only option really becomes writing an entirely new firmware which seems unrealistic. However a lot of the firmware seems to consist of generic STLinux components with other openly available plugins tossed in. I haven't found many Honda/Africa Twin specific things yet.
 

·
Registered
2023 Africa Twin 1100 manual (on backorder)
Joined
·
90 Posts
Discussion Starter · #11 ·
Wait, XDA digs into AA hacking on things OTHER than phones? It's been way too long since I've tried rooting my phone. I need to take another peek over there and see what's new and exciting.
Someone over there has developed an app (paid) that can sideload various non-AA enabled apps. It does allow you to run Netflix on your bike if you really think that's a good idea.
 
1 - 11 of 11 Posts
Top