| Hardware | Part |
|---|---|
| Flash | Macronix 25L12835F (16MB) |
| SoC | Freescale i.MX6 UltraLite |
| CPU | ARM Cortex-A7 (ARMv7) - Fake ATMEL AT91SAM9260 marking - |
| RAM | Micron/SK Hynix 1Gb (64x16) |
| Wi-Fi/BT | RTL8822BS or RTL8822CS or RTL8733BS (Realtek) or Fn-Link L287B-SR (Marvell) or LGX4358 (Broadcom) or LGX8354S (Broadcom) |
Hardware base remains almost exactly the same since the beginning, only device case / design changed (Thermal pads on V4 / Holes for air flow on V5)
Wifi chip only seems to be changed depending on the stock of the manufacturer. Whatever Wifi chip is being used, is connected over SDIO Protocol (High Speed 4-Bit SD) at 50Mhz, for a maximum speed of 25MB/s (200 Mbps)
Carlinkit created its own segmentation mainly for marketing using different softwares:
- 1.0 / 2.0 / 3.0 = U2W : Only Carplay Wired OEM for Wireless Carplay
- 4.0 = U2AW : Only Carplay Wired OEM for Wireless Carplay + Wireless Android Auto
- 5.0 = U2AC : Carplay Wired OEM or Android Auto Wired OEM for both Wireless Carplay and Wireless Android Auto
This repository started when I gained root access by flashing a custom image back in 2020. Firmware images were just obfuscated tarball archives, building a dictionary was enough to unpack and repack firmware images.
Unfortunately, it didn't last long. Carlinkit has been made aware of this repo, they changed the firmware images packing in firmware 2021.03.06 with a new binary, they also hardened the kernel in next firmwares to block any usage of "strace" to reverse the new binary.
It is possible to gain root access from Carlinkit 1.0 / 2.0 (Realtek RTL8822BS Wifi chip only) without any hardware method by flashing any "ROLLBACK" firmware (packed with the new method and restoring old method) then flash any Custom Firmware available. It is not possible to gain root access from Carlinkit 3.0 (only due to Wifi drivers) or 4.0 or 5.0 without any hardware method.
Please note that packing method is different between 1.0 / 2.0 / 3.0 (U2W) and 4.0 (U2AW) and 5.0 (U2AC), this way Carlinkit ensures you stick with your original device functionalities.
It is possible to switch from one to another by rewriting the flash chip using a programmer (ASProgrammer, XGEcu devices, Raspberry Pi) Tested so far:
- 1.0 to U2AW ☑️
- Up to 2022.07.29.1635 for Realtek RTL8822BS Wifi chip
- 2.0 to U2AW ☑️
- Up to 2022.07.29.1635 for Realtek RTL8822BS Wifi chip
- Up to 2022.06.17.1439 for Broadcom LGX8354S Wifi chip
- Any firmware for Fn-Link L287B-SR (Marvell) Wifi chip
- 3.0 to U2AW ☑️
- From 2023.10.16.0952 for Realtek RTL8822CS Wifi chip
- Any firmware for Fn-Link L287B-SR (Marvell) Wifi chip
- 2.0 to U2AC ❌ (Not booting)
- 3.0 to U2AC ❓ (Might work with 2023.10.14.1711)
- 4.0 to U2W ☑️
- From 2023.10.31.1425 for Realtek RTL8822CS Wifi chip
- From 2022.07.29.1625 for Broadcom LGX4358 Wifi chip
- Any firmware for Realtek RTL8822BS Wifi chip *
- 4.0 to U2AW ❌ (Not booting)
- 5.0 to U2W ☑️
- From 2023.10.31.1425 for Realtek RTL8822CS Wifi chip
- From 2022.07.29.1625 for Broadcom LGX4358 Wifi chip
- ❌ Not possible for Realtek RTL8733BS Wifi chip
- 5.0 to U2AW ❌ (Not booting)
Please note that Carlinkit controls devices activation (via /etc/uuid_sign), your device will work but will be blocked in activation mode, new activations now require a login / password that nobody has, save your original flash in a safe place before trying this.
Successfully switched 2 Carlinkit 2.0 units to U2AW with new activation in 2021 / 2022.
Check https://github.com/ludwig-v/wireless-carplay-dongle-reverse-engineering/tree/master/Flash_Dump to dump the flash using a Raspberry Pi (you can also use any other programmer with a clip)
Check https://github.com/ludwig-v/wireless-carplay-dongle-reverse-engineering/tree/master/Flash_Dump/Tools for rootFS extraction
Once you restored Custom Firmware behavior you can install Dropbear (SSH) and gain root access to Carlinkit device
$ cat /proc/cmdline
console=ttyLogFile0 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=21e0000.qspi:256k(uboot),3328K(kernel),12800K(rootfs) rootwait quiet rw
$ cat /proc/mtd
dev: size erasesize name
mtd0: 00040000 00010000 "uboot"
mtd1: 00340000 00010000 "kernel"
mtd2: 00c80000 00010000 "rootfs"
$ df -T
Filesystem Type 1K-blocks Used Available Use% Mounted on
/dev/root jffs2 12800 10940 1860 85% /
devtmpfs devtmpfs 61632 0 61632 0% /dev
tmpfs tmpfs 61732 6324 55408 10% /tmp
/dev/sda1 vfat 62498880 42304 62456576 0% /mnt/UPANapt-get install device-tree-compiler gcc-arm-linux-gnueabihf
export ARCH=arm
export CROSS_COMPILE=arm-linux-gnueabihf-
git clone https://github.com/ARM-software/u-boot.git
make mx6ull_14x14_evk_defconfig
make all
The device can be seen as "SP Blank 6ULL" when powered by USB-OTG but it is not possible to flash a custom u-boot using imx_usb because it is signed
https://github.com/segfly/carlinkit-modding