AUDI CONCERT 3, MP3 OEM RADIO HACK. Help!!


  • AUDI CONCERT 3, MP3 OEM RADIO HACK. Help!!

    Hi all.

    I am trying to hack my AUDI CONCERT III, 2 DIN MP3 CD unit for my next project.

    EDIT : Picture of the AUDI CONCERT III, 2 DIN MP3 CD/RADIO :


    EDIT : Picture of the AUDI CONCERT III MP3 CD DRIVE BP7-VA :


    Chip_1 : 908292 / CU27RUG-6C74, PQF-64 PINS


    Seems to be a microcontroller with a custom firmware. This is the firmware I am trying to reverse engineer.

    Chip_2 : TC94A54MFG, 100 PINS


    Material:

    I own an EASYPIC5 development board for my project.
    I am familiar with both C and BASIC programming (but would prefer BASIC).

    SCANS :

    Below, you will find the scan I made between the CD MP3 DRIVE and the mainboard of the radio unit :



    It is SPI protocol (Serial Peripheral Interface Bus). On the picture above, we can see 10 BYTEs :

    Byte0 | Byte1 | Byte2 | Byte3 | Byte4 | Byte5 | Byte6 | Byte7 | Byte8 | Byte9
    0xB0  | 0xB1  | 0xB2  | 0xB3  | 0xB4  | 0xB5  | 0xB6  | 0xB7  | 0xB8  | 0xB9
    0x09  | 0x3A  | 0x31  | 0x01  | 0x01  | 0x00  | 0x00  | 0x0B  | 0x00  | 0x01

    B0 : 0x09 ==> TOTAL_NUMBER_OF_BYTES to be sent (here 9)
    B1 : 0x3A ==> CHECKSUM
    B2 : 0x31 ==> COMMAND* ?

    B3 : 0x01 ==> FOLDER NUMBER (=1 for this example)
    B4 : 0x01 ==> TRACK NUMBER (=1 for this example)
    B5 : 0x00 ==> HOURS (=0 for this example)
    B6 : 0x00 ==> MINUTES (=0 for this example)
    B7 : 0x0B ==> SECONDS(=11 for this example/ Hex 0B = Dec 11)
    B8 : 0x00 ==> CONSTANT VALUE (always 0x00 STOP byte???)
    B9 : 0x01 ==> CONSTANT VALUE (always 0x01 STOP byte???)

    TOTAL_NUMBER_OF_BYTES | CHECKSUM | 0x31 | FOLDER | TRACK | HRS | MIN | SEC | 0x00 | 0x01
    CONSTANTS

    CHECKSUM is the BINARY XOR ADDITION of the following values : 0x31, FOLDER, TRACK, HRS, MIN and SEC.

    *0x10=Track Time Info MCU request?
    0x12=?
    0x14=next track MCU request?
    0x31=Track Time Info
    0x41=File ID3 Tags Info
    0x53=File infos MCU request?

    I am trying to make a spy in SPI SLAVE MODE with a Microchip PIC16F887 (or PIC18F4455/PIC18F4550) @ 20 MHz which would read these bytes, store them in an array of 10 values and display them on the graphic LCD of the development board every 1 second.

    This 8-bytes-word appears on the SPI bus each second.

    My problem is for the SPI read part. It doesn't work.

    Each second, instead of reading 10 values, it only reads 1, which corresponds to nothing.
    In SPI, the ENABLE PIN should be set to '0' between each byte. Here, this is not the case.

    In my scan, this is not the case. Could it be a source of the problem?

    I am looking for help.

    Thank you.

    Brice.
    Last edited by coucouillu; 09-20-2015, 11:47 AM.
    New prototype : 2DIN AUDI OEM-LIKE CARPC based on SYMPHONY II
    Motorized InDash Screen, Core 2 Duo 2.2Ghz, SSD

    Home Made In-Dash 7" Lilliput V1
    Home Made In-Dash 7" Lilliput V2 = LM-Lilliput Prototype

    First project in Peugeot 306
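
The frame layout and XOR checksum described in the post above, as an added example that is not part of the original thread: a C validator that checks a captured buffer before any field is decoded. The function and type names are hypothetical, and it assumes the length byte counts the bytes that follow it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FRAME_LEN      10     /* length byte plus the 9 bytes it announces */
#define CMD_TRACK_TIME 0x31   /* "Track Time Info" in the post's command list */

typedef enum {
    FRAME_OK = 0, FRAME_SHORT, FRAME_BAD_LEN, FRAME_BAD_CMD,
    FRAME_BAD_SUM, FRAME_BAD_TAIL
} frame_status;

typedef struct {
    uint8_t folder, track, hours, minutes, seconds;
} track_time;

/* XOR of the command byte and the five payload bytes (B2..B7). */
uint8_t frame_checksum(const uint8_t *f)
{
    uint8_t x = 0;
    for (size_t i = 2; i <= 7; i++)
        x ^= f[i];
    return x;
}

/* Validate a captured buffer against the layout in the post and decode it.
 * Every check runs before any field is trusted. */
frame_status parse_track_time(const uint8_t *f, size_t n, track_time *out)
{
    if (f == NULL || out == NULL || n < FRAME_LEN) return FRAME_SHORT;
    if (f[0] != FRAME_LEN - 1)                     return FRAME_BAD_LEN;
    if (f[2] != CMD_TRACK_TIME)                    return FRAME_BAD_CMD;
    if (f[1] != frame_checksum(f))                 return FRAME_BAD_SUM;
    if (f[8] != 0x00 || f[9] != 0x01)              return FRAME_BAD_TAIL;
    out->folder  = f[3];
    out->track   = f[4];
    out->hours   = f[5];
    out->minutes = f[6];
    out->seconds = f[7];
    return FRAME_OK;
}

/* The 10 bytes from the scan in the post. */
const uint8_t SAMPLE_FRAME[FRAME_LEN] = {0x09, 0x3A, 0x31, 0x01, 0x01,
                                         0x00, 0x00, 0x0B, 0x00, 0x01};

int main(void)
{
    track_time t;
    frame_status st = parse_track_time(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &t);
    if (st != FRAME_OK) {
        printf("frame rejected, status %d\n", (int)st);
        return 1;
    }
    printf("folder %d track %d time %02d:%02d:%02d\n",
           t.folder, t.track, t.hours, t.minutes, t.seconds);
    return 0;
}
```

A buffer holding a single byte, like the one the post describes receiving, is rejected as FRAME_SHORT rather than decoded.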

  • #2
    Looks like you are well on the right track, you have worked out all the commands. I'm wondering if you have set up the slave correctly, i.e. mode, frequency selection. Either way, I wonder if it would be easier to create your own routine if you're only reading the data... just a thought.



    • #3
      Hi,

      The PIC is in SLAVE mode, no frequency needed because it is in slave mode; it is the clock of the master which determines the frequency.

      I am trying to make my own routine because SPI libraries do not work.

      I need some ideas to make my program.


      • #4
        It shouldn't be that hard to make a simple routine. The routine will obviously start when the enable pin is low, and end when high. You would just have to get the state of the 'MISO' data on every 'CLOCK' cycle (low-to-high) and shift it into a buffer. When the enable line is high you can then process the 10 bytes received. The easiest way is to start with a flow chart.

        Hope this helps.



        • #5
          The problem is that the ENABLE pin should go high then low between each byte.

          This is not the case.


          • #6
            That's ok, you can use the low-to-high enable signal to tell you that all bytes have been received. With the PIC micros you can generate an interrupt on a low-to-high pin change on the CLOCK pin. Then every interrupt you get (1 CLOCK cycle) you then read the value of MISO then shift that bit into a buffer. When you fill up 10 8-bit buffers you will have your decoded bytes. Hope this makes sense.

            I have attached a pdf showing you how to decode the data, this is as much help as I could give without writing the code myself. The PDF is an exploded image of the 2nd byte sent from your device.

            This should help.

            Schematic Prints.pdf

            Comment
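
The sampling routine described in posts #4 and #6, as an added example that is not part of the original thread: a C decoder run offline over logic samples rather than PIC interrupt code. The sample bit layout, the MSB-first bit order and the function names are assumptions; the trace is constructed from the 10 bytes in the first post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed bit positions of the three signals inside one logic sample. */
#define S_EN  0x01u   /* enable, active low */
#define S_CLK 0x02u   /* clock, idles high in this constructed trace */
#define S_DAT 0x04u   /* data line from the drive */

/* Decode the first complete frame in s[0..n). Returns the byte count
 * written to out, or -1 if no complete, byte-aligned frame was found. */
int spi_sniff_decode(const uint8_t *s, size_t n, uint8_t *out, size_t cap)
{
    size_t nbytes = 0;
    unsigned nbits = 0;
    uint8_t shift = 0;
    int active = 0;

    for (size_t i = 1; i < n; i++) {
        uint8_t prev = s[i - 1], cur = s[i];
        if (!active) {
            /* Sync only on a falling enable edge, never mid-frame. */
            if ((prev & S_EN) && !(cur & S_EN))
                active = 1;
        } else if (cur & S_EN) {
            /* Enable rose: frame over. Leftover bits mean a missed clock. */
            return nbits == 0 ? (int)nbytes : -1;
        } else if (!(prev & S_CLK) && (cur & S_CLK)) {
            /* Rising clock edge: shift data in, MSB first (assumed). */
            shift = (uint8_t)((shift << 1) | ((cur & S_DAT) ? 1u : 0u));
            if (++nbits == 8) {
                if (nbytes == cap) return -1;  /* longer than buffer */
                out[nbytes++] = shift;
                nbits = 0; shift = 0;
            }
        }
    }
    return -1;  /* enable never rose again: frame incomplete */
}

/* Constructed test input: renders bytes as a trace with enable held low
 * for the whole frame (no per-byte toggling), two samples per bit. */
size_t build_trace(const uint8_t *b, size_t nb, uint8_t *s, size_t cap)
{
    size_t k = 0;
    if (cap < 4 + nb * 16) return 0;
    s[k++] = S_EN | S_CLK;               /* bus idle */
    s[k++] = S_CLK;                      /* enable falls */
    for (size_t i = 0; i < nb; i++)
        for (int bit = 7; bit >= 0; bit--) {
            uint8_t d = ((b[i] >> bit) & 1u) ? S_DAT : 0;
            s[k++] = d;                  /* clock low, data set up */
            s[k++] = d | S_CLK;          /* clock high, receiver samples */
        }
    s[k++] = S_EN | S_CLK;               /* enable rises: end of frame */
    s[k++] = S_EN | S_CLK;
    return k;
}

/* The 10 bytes from the first post's scan. */
const uint8_t PAGE_FRAME[10] = {0x09, 0x3A, 0x31, 0x01, 0x01,
                                0x00, 0x00, 0x0B, 0x00, 0x01};

int main(void)
{
    uint8_t trace[256], out[16];
    size_t n = build_trace(PAGE_FRAME, 10, trace, sizeof trace);
    printf("decoded %d bytes\n", spi_sniff_decode(trace, n, out, sizeof out));
    return 0;
}
```

Because byte boundaries come from counting eight clock edges, the decoder does not need the enable line to toggle between bytes; a capture that starts mid-frame or loses a clock edge is rejected instead of returned as shifted data.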


            • #7
              Pic configuration

              Thank you Civic Modz for your schematic. I understood how bytes are read.

              The problem is that it is not that simple. It seems that it only scans 1 and only 1 byte instead of 10 bytes, and the byte received seems corrupted.

              I actually use PIC16F887 @ 20MHz.

              I use EASYPIC5 from MikroElektronika with mikroBasic software.

              Here are parameters I used :

              SSPCON = %00110100
              SSPCON = %b7|b6|...|b0

              Bit 7, WCOL: Write Collision Detect bit. In Slave mode :
              1 = The SSPBUF register is written while it is still transmitting the previous word (must be cleared in software)
              0 = No collision

              Bit 6 SSPOV: Receive Overflow Indicator bit. In SPI mode :
              1 = A new byte is received while the SSPBUF register is still holding the previous data. In case of overflow, the data in SSPSR
              is lost. Overflow can only occur in Slave mode. In Slave mode, the user must read the SSPBUF, even if only transmitting
              data, to avoid setting overflow. In Master mode, the overflow bit is not set since each new reception (and transmission) is
              initiated by writing to the SSPBUF register (must be cleared in software).
              0 = No overflow

              Bit 5 SSPEN: Synchronous Serial Port Enable bit. In SPI mode:
              In both modes, when enabled, these pins must be properly configured as input or output
              1 = Enables serial port and configures SCK, SDO, SDI and SS as the source of the serial port pins
              0 = Disables serial port and configures these pins as I/O port pins

              Bit 4 CKP: Clock Polarity Select bit. In SPI mode :
              1 = Idle state for clock is a high level
              0 = Idle state for clock is a low level

              Bit 3-0 SSPM<3:0>: Synchronous Serial Port Mode Select bits
              0000 = SPI Master mode, clock = FOSC/4
              0001 = SPI Master mode, clock = FOSC/16
              0010 = SPI Master mode, clock = FOSC/64
              0011 = SPI Master mode, clock = TMR2 output/2
              0100 = SPI Slave mode, clock = SCK pin, SS pin control enabled
              0101 = SPI Slave mode, clock = SCK pin, SS pin control disabled, SS can be used as I/O pin


              I tried both modes, with or without SS enabled.


              SSPSTAT = %00000000
              SSPSTAT = %b7|b6|...|b0

              Bit 7 SMP: Sample bit. In SPI Slave mode:
              SMP must be cleared when SPI is used in Slave mode

              Bit 6 CKE: SPI Clock Edge Select bit
              CKP = 0:
              1 = Data transmitted on rising edge of SCK
              0 = Data transmitted on falling edge of SCK
              CKP = 1:
              1 = Data transmitted on falling edge of SCK
              0 = Data transmitted on rising edge of SCK

              Following in italic are only for I2C :

              Bit 5 D/A: Data/Address bit (I2C mode only)
              1 = Indicates that the last byte received or transmitted was data
              0 = Indicates that the last byte received or transmitted was address

              Bit 4 P: Stop bit
              (I2C mode only. This bit is cleared when the MSSP module is disabled, SSPEN is cleared.)
              1 = Indicates that a Stop bit has been detected last (this bit is 0 on Reset)
              0 = Stop bit was not detected last

              Bit 3 S: Start bit
              (I2C mode only. This bit is cleared when the MSSP module is disabled, SSPEN is cleared.)
              1 = Indicates that a Start bit has been detected last (this bit is 0 on Reset)
              0 = Start bit was not detected last

              Bit 2 R/W: Read/Write bit information (I2C mode only)
              This bit holds the R/W bit information following the last address match. This bit is only valid from the address match to
              the next Start bit, Stop bit, or not ACK bit.
              In I2C Slave mode:
              1 = Read
              0 = Write
              In I2C Master mode:
              1 = Transmit is in progress
              0 = Transmit is not in progress
              OR-ing this bit with SEN, RSEN, PEN, RCEN, or ACKEN will indicate if the MSSP is in Idle mode.

              Bit 1 UA: Update Address bit (10-bit I2C mode only)
              1 = Indicates that the user needs to update the address in the SSPADD register
              0 = Address does not need to be updated

              Bit 0 BF: Buffer Full Status bit
              Receive (SPI and I2C modes):
              1 = Receive complete, SSPBUF is full
              0 = Receive not complete, SSPBUF is empty
              Transmit (I2C mode only):
              1 = Data transmit in progress (does not include the ACK and Stop bits), SSPBUF is full
              0 = Data transmit complete (does not include the ACK and Stop bits), SSPBUF is empty


              PIE1 = %00001000
              PIE1 = %b7|b6|...|b0

              Bit 7 Unimplemented: Read as 0

              I have noticed that in PIC18F, this is implemented and means :
              SPPIE: Streaming Parallel Port Read/Write Interrupt Enable bit(1)
              1 = Enables the SPP read/write interrupt
              0 = Disables the SPP read/write interrupt


              Bit 6 ADIE: A/D Converter (ADC) Interrupt Enable bit
              1 = Enables the ADC interrupt
              0 = Disables the ADC interrupt


              Bit 5 RCIE: EUSART Receive Interrupt Enable bit
              1 = Enables the EUSART receive interrupt
              0 = Disables the EUSART receive interrupt


              Bit 4 TXIE: EUSART Transmit Interrupt Enable bit
              1 = Enables the EUSART transmit interrupt
              0 = Disables the EUSART transmit interrupt


              Bit 3 SSPIE: Master Synchronous Serial Port (MSSP) Interrupt Enable bit
              1 = Enables the MSSP interrupt
              0 = Disables the MSSP interrupt

              Bit 2 CCP1IE: CCP1 Interrupt Enable bit
              1 = Enables the CCP1 interrupt
              0 = Disables the CCP1 interrupt


              Bit 1 TMR2IE: Timer2 to PR2 Match Interrupt Enable bit
              1 = Enables the Timer2 to PR2 match interrupt
              0 = Disables the Timer2 to PR2 match interrupt

              Bit 0 TMR1IE: Timer1 Overflow Interrupt Enable bit
              1 = Enables the Timer1 overflow interrupt
              0 = Disables the Timer1 overflow interrupt


              PIR1 = %00000000

              Bit 7 Unimplemented: Read as 0

              I have noticed that in PIC18F, this is implemented and means :
              SPPIF: Streaming Parallel Port Read/Write Interrupt Flag bit(1)
              1 = A read or a write operation has taken place (must be cleared in software)
              0 = No read or write has occurred


              Bit 6 ADIF: A/D Converter Interrupt Flag bit
              1 = A/D conversion complete (must be cleared in software)
              0 = A/D conversion has not completed or has not been started

              Bit 5 RCIF: EUSART Receive Interrupt Flag bit
              1 = The EUSART receive buffer is full (cleared by reading RCREG)
              0 = The EUSART receive buffer is not full

              Bit 4 TXIF: EUSART Transmit Interrupt Flag bit
              1 = The EUSART transmit buffer is empty (cleared by writing to TXREG)
              0 = The EUSART transmit buffer is full

              Bit 3 SSPIF: Master Synchronous Serial Port (MSSP) Interrupt Flag bit
              1 = The MSSP interrupt condition has occurred, and must be cleared in software before returning from the
              Interrupt Service Routine. In SPI mode :
              A transmission/reception has taken place
              0 = No MSSP interrupt condition has occurred

              Bit 2 CCP1IF: CCP1 Interrupt Flag bit
              Capture mode:
              1 = A TMR1 register capture occurred (must be cleared in software)
              0 = No TMR1 register capture occurred
              Compare mode:
              1 = A TMR1 register compare match occurred (must be cleared in software)
              0 = No TMR1 register compare match occurred
              PWM mode:
              Unused in this mode

              Bit 1 TMR2IF: Timer2 to PR2 Interrupt Flag bit
              1 = A Timer2 to PR2 match occurred (must be cleared in software)
              0 = No Timer2 to PR2 match occurred

              Bit 0 TMR1IF: Timer1 Overflow Interrupt Flag bit
              1 = The TMR1 register overflowed (must be cleared in software)
              0 = The TMR1 register did not overflow


              INTCON = %11000000
              INTCON = %b7|b6|...|b0

              Bit 7 GIE: Global Interrupt Enable bit
              1 = Enables all unmasked interrupts
              0 = Disables all interrupts

              Bit 6 PEIE: Peripheral Interrupt Enable bit
              1 = Enables all unmasked peripheral interrupts
              0 = Disables all peripheral interrupts

              Bit 5 T0IE: Timer0 Overflow Interrupt Enable bit
              1 = Enables the Timer0 interrupt
              0 = Disables the Timer0 interrupt

              Bit 4 INTE: INT External Interrupt Enable bit
              1 = Enables the INT external interrupt
              0 = Disables the INT external interrupt

              Bit 3 RBIE: PORTB Change Interrupt Enable bit(1)
              1 = Enables the PORTB change interrupt
              0 = Disables the PORTB change interrupt

              Bit 2 T0IF: Timer0 Overflow Interrupt Flag bit(2)
              1 = TMR0 register has overflowed (must be cleared in software)
              0 = TMR0 register did not overflow

              Bit 1 INTF: INT External Interrupt Flag bit
              1 = The INT external interrupt occurred (must be cleared in software)
              0 = The INT external interrupt did not occur

              Bit 0 RBIF: PORTB Change Interrupt Flag bit
              1 = When at least one of the PORTB general purpose I/O pins changed state (must be cleared in software)
              0 = None of the PORTB general purpose I/O pins have changed state


              • #8
                My idea was to write it from scratch instead of using the SPI hardware in the PIC.

                I assume the software IDE has some kind of simulator in it so you can step through code and set breakpoints etc, without the need of any hardware.

                Try,
                Enable the interrupt for the IRQ pin
                Set INTEDG in OPTION register to '1' (interrupt on rising edge)

                With your debugger/simulator your code should enter the interrupt routine on every low-to-high pin change. Then you can work from there.

                I haven't used easyPIC5 but I assume it's the same as all those PICBASIC, BASICSTAMP, ARDUINO etc. type PICs with pre-written routines. So there might be a routine that utilizes the interrupt on pin change. Try looking at an IR receiver routine, that might help.

                I had a look at the EASYPIC5, it's that big development board, right? I'd like to help more but I'm not really keen to purchase the board. Though if you can send me a link for the mikroBasic IDE I will see if I can help further.



                • #9
                  Hi,

                  Looks like a good project.

                  Just in case you haven't seen this one:

                  I have used the following solution for a previous project on my old Audi and head unit:
                  http://k9spud.com/vwcdpic/

                  Might be some useful background, and has a good developer area and forum.

                  Good luck



                  • #10
                    Originally posted by Tony G:
                    Hi,

                    Looks like a good project.

                    Just in case you haven't seen this one:

                    I have used the following solution for a previous project on my old Audi and head unit:
                    http://k9spud.com/vwcdpic/

                    Might be some useful background, and has a good developer area and forum.

                    Good luck

                    Hi Tony G,

                    Thank you for your link. I already know it. They use the CD Changer port to communicate with the radio unit (no CD TEXT support).

                    For my project, I try to emulate the MP3 CD Drive. But as you suggest, I will ask for some advice on their forum.


                    • #11
                      Originally posted by coucouillu:
                      Thank you for your link. I already know it. They use the CD Changer port to communicate with the radio unit (no CD TEXT support).

                      For my project, I try to emulate the MP3 CD Drive. But as you suggest, I will ask for some advice on their forum.

                      It's still not clear to me what you are trying to do.
                      Do you want to communicate with the CD Changer by emulating the head unit?
                      If so, this has also already been done here, where they have emulated both the head unit and the CD Changer:
                      VAG CD Changer Simulator
                      VAG/Panasonic CD Changer Remote Control



                      • #12
                        Originally posted by Blues:
                        It's still not clear to me what you are trying to do.
                        Do you want to communicate with the CD Changer by emulating the head unit?
                        If so, this has also already been done here, where they have emulated both the head unit and the CD Changer:
                        VAG CD Changer Simulator
                        VAG/Panasonic CD Changer Remote Control

                        Hi Blues,

                        I never talked about CD CHANGER. As I said, I want to remove the MP3 CD DRIVE in order to replace it by a conversion circuit which will link the PC and the unit.

                        It would be like CD CHANGER but with CD TEXT support.


                        • #13
                          I still don't understand what you are trying to do. What does "removing MP3 CD DRIVE" mean? What is the "MP3 CD DRIVE"? Is it the headunit or a separate device connected to the headunit? Or maybe just a part inside the headunit?

                          How do you expect to get help when you don't post the source code or schematic?
                          But wouldn't it be better to ask for help in a PIC BASIC forum (if that's what you use)?



                          • #14
                            Here is the 2DIN AUDI concert III.

                            It is a radio unit with MP3 capabilities (there is a CD DRIVE inside which reads MP3s).

                            Is it clearer?

                            I would like to remove it and replace it by an adapter which will emulate PC playlist (Winamp, WMplayer, Centrafuse) to a virtual MP3 CD.


                            • #15
                              There must be a 2-way communication between the drive and the PCB. Maybe you are missing one of the SPI lines? Or maybe the data line is bi-directional?
                              What end generates the measured enable, clock and data? The PCB or drive, or maybe some lines are generated in one end and others in the other end.
