Hi all.
I am trying to hack my AUDI CONCERT III, 2 DIN MP3 CD unit for my next project.
EDIT : Picture of the AUDI CONCERT III, 2 DIN MP3 CD/RADIO :
EDIT : Picture of the AUDI CONCERT III MP3 CD DRIVE BP7-VA :
Chip_1 : 908292 / CU27RUG-6C74, PQF-64 PINS
Seems to be a microcontroller with a custom firmware. This is this firmware I try to reverse engeneer.
Chip_2 : TC94A54MFG, 100 PINS
Material:
I own an EASYPIC5 development board for my project.
I am familiar with both C and BASIC programming (but would prefer BASIC).
SCANS :
Below, you will find the scan I made beetween the CD MP3 DRIVE and the mainboard of the radio unit :
It is SPI protocol (Serial Peripheral Interface Bus). On the picture above, we can see 10 BYTEs :
0xB0 | 0xB1 | 0xB2| 0xB3| 0xB4 | 0xB5 | 0xB6| 0xB7 | 0xB8 | 0xB9
0x09 | 0x3A |0x31 | 0x01 | 0x01 | 0x00 | 0x00 | 0x0B | 0x00 | 0x01
B0 : 0x09 ==> NUMBER OF BYTE (here 9)
B1 : 0x3A ==> CHECKSUM
B2 : 0x31 ==> COMMAND* ?
B3 : 0x01 ==> FOLDER NUMBER (=1 for this example)
B4 : 0x01 ==> TRACK NUMBER (=1 for this example)
B5 : 0x00 ==> HOURS (=0 for this example)
B6 : 0x00 ==> MINUTES (=0 for this example)
B7 : 0x0B ==> SECONDS(=11 for this example/ Hex 0B = Dec 11)
B8 : 0x00 ==> CONSTANT VALUE (always 0x00 STOP byte???)
B9 : 0x01 ==> CONSTANT VALUE (always 0x01 STOP byte???))
BYTES_NUMBER | CHECSUM | 0x31 | FOLDER | TRACK | HRS | MIN | SEC | 0x00 | 0x01
CONSTANTS
CHECKSUM is the BINARY XOR ADDITION of the following values : 0x31, FOLDER, TRACK, HRS, MIN and SEC.
*0x10=Track Time Info MCU request?
0x12=?
0x14=next track MCU request?
0x31=Track Time Info
0x41=File ID3 Tags Info
0x53=File infos MCU request?
I am trying to make a spy in SPI SLAVE MODE with a microchip PIC16F887 (or PIC18F4455/PIC18F4550) @ 20Mhz which would read these bytes and store them in an array of 10 values and display them on the graphic LCD of the development board every 1 second.
This 8-bytes-word appears on the SPI bus each second.
My problem is for the SPI read part. It doesn't work.
Each second, instead of reading 10 values, it only read 1 which correspond to nothing.
In SPI, the ENABLE PIN should be set to '0' beetween each byte. Here, this is not the case.
In my scan, this is not the case. could it be a source of problem?
I am looking for help.
Thank you.
Brice.
looks like you are well on the right track, you have worked out all the commands. Im wondering if you have set up the slave correctly, ie mode, frequency selection, either way I wonder if it would be easier to create your own routine if your only reading the data... just a thought.
Hi,
The PIC is in SLAVE mode, no frequency needed because it is in slave mode, this is the clock of the master which determine the frequency.
I am trying to make my own routine because SPI librairies do not work.
I need some ideas to make my program.
It shouldnt be that hard to make a simple routine. The routine will obviously start when the enable pin is low, and end when high. You would just have to get the state of the 'MISO' data on every 'CLOCK' cycle (low-to-high) and shift it into a buffer. When the enable line is high you can then proccess the 10 bytes received. The easiest was is to start with a flow chart.
hope this helps.
The problem is that the ENABLE pin should go high then low beetween each byte.
This is not the case.
That's ok, you can use the low-to-high enable signal to tell you that all bytes have been received. With the PIC micros you can generate an interrupt on a low-to-high pin change on the CLOCK pin. Then every interrupt you get (1 CLOCK cycle) you then read the value of MISO then shift that bit into a buffer. When you fill up 10 8-bit buffers you will have your decoded bytes. Hop this makes sence
I have attached a pdf showing you how to decode the data, this is as much help I could give without writing the code myself. The PDF is an exploded image of the 2nd byte sent from your device.
this should help.
Schematic Prints.pdf
Thank you Civic Modz for your schematic. I understood how bytes are read.
The problem is that is not that simple. It seems that it only scan 1 and only 1 byte instead of 10 bytes and the byte received seems corrupted.
I actually use PIC16F887 @ 20MHz.
I use EASYPIC5 from MikroElectronica with MicroBasic software.
Here are parameters I used :
SSPCON = %00110100
SSPCON = %b7|b6|...|b0
Bit 7, WCOL: Write Collision Detect bit. In Slave mode :
1 = The SSPBUF register is written while it is still transmitting the previous word (must be cleared in software)
0 = No collision
Bit 6 SSPOV: Receive Overflow Indicator bit. In SPI mode :
1 = A new byte is received while the SSPBUF register is still holding the previous data. In case of overflow, the data in SSPSR
is lost. Overflow can only occur in Slave mode. In Slave mode, the user must read the SSPBUF, even if only transmitting
data, to avoid setting overflow. In Master mode, the overflow bit is not set since each new reception (and transmission) is
initiated by writing to the SSPBUF register (must be cleared in software).
0 = No overflow
Bit 5 SSPEN: Synchronous Serial Port Enable bit. In SPI mode:
In both modes, when enabled, these pins must be properly configured as input or output
1 = Enables serial port and configures SCK, SDO, SDI and SS as the source of the serial port pins
0 = Disables serial port and configures these pins as I/O port pins
Bit 4 CKP: Clock Polarity Select bit. In SPI mode :
1 = Idle state for clock is a high level
0 = Idle state for clock is a low level
Bit 3-0 SSPM<3:0>: Synchronous Serial Port Mode Select bits
0000 = SPI Master mode, clock = FOSC/4
0001 = SPI Master mode, clock = FOSC/16
0010 = SPI Master mode, clock = FOSC/64
0011 = SPI Master mode, clock = TMR2 output/2
0100 = SPI Slave mode, clock = SCK pin, SS pin control enabled
0101 = SPI Slave mode, clock = SCK pin, SS pin control disabled, SS can be used as I/O pin
I tried both mode, with or without SS enabled.
SSPSTAT = %00000000
SSPSTAT = %b7|b6|...|b0
Bit 7 SMP: Sample bit. In SPI Slave mode:
SMP must be cleared when SPI is used in Slave mode
Bit 6 CKE: SPI Clock Edge Select bit
CKP = 0:
1 = Data transmitted on rising edge of SCK
0 = Data transmitted on falling edge of SCK
CKP = 1:
1 = Data transmitted on falling edge of SCK
0 = Data transmitted on rising edge of SCK
Following in italic are only for I2C :
Bit 5 D/A: Data/Address bit (I2C mode only)
1 = Indicates that the last byte received or transmitted was data
0 = Indicates that the last byte received or transmitted was address
Bit 4 P: Stop bit
(I2C mode only. This bit is cleared when the MSSP module is disabled, SSPEN is cleared.)
1 = Indicates that a Stop bit has been detected last (this bit is ‘0’ on Reset)
0 = Stop bit was not detected last
Bit 3 S: Start bit
(I2C mode only. This bit is cleared when the MSSP module is disabled, SSPEN is cleared.)
1 = Indicates that a Start bit has been detected last (this bit is ‘0’ on Reset)
0 = Start bit was not detected last
Bit 2 R/W: Read/Write bit information (I2C mode only)
This bit holds the R/W bit information following the last address match. This bit is only valid from the address match to
the next Start bit, Stop bit, or not ACK bit.
In I2 C Slave mode:
1 = Read
0 = Write
In I2 C Master mode:
1 = Transmit is in progress
0 = Transmit is not in progress
OR-ing this bit with SEN, RSEN, PEN, RCEN, or ACKEN will indicate if the MSSP is in Idle mode.
bit 1 UA: Update Address bit (10-bit I2C mode only)
1 = Indicates that the user needs to update the address in the SSPADD register
0 = Address does not need to be updated
bit 0 BF: Buffer Full Status bit
Receive (SPI and I2 C modes):
1 = Receive complete, SSPBUF is full
0 = Receive not complete, SSPBUF is empty
Transmit (I2 C mode only):
1 = Data transmit in progress (does not include the ACK and Stop bits), SSPBUF is full
0 = Data transmit complete (does not include the ACK and Stop bits), SSPBUF is empty
PIE1 = %00001000
PIE1 = %b7|b6|...|b0
Bit 7 Unimplemented: Read as ‘0’
I have noticed that in PIC18F, this is implemented an means :
SPPIE: Streaming Parallel Port Read/Write Interrupt Enable bit(1)
1 = Enables the SPP read/write interrupt
0 = Disables the SPP read/write interrupt
Bit 6 ADIE: A/D Converter (ADC) Interrupt Enable bit
1 = Enables the ADC interrupt
0 = Disables the ADC interrupt
Bit 5 RCIE: EUSART Receive Interrupt Enable bit
1 = Enables the EUSART receive interrupt
0 = Disables the EUSART receive interrupt
Bit 4 TXIE: EUSART Transmit Interrupt Enable bit
1 = Enables the EUSART transmit interrupt
0 = Disables the EUSART transmit interrupt
Bit 3 SSPIE: Master Synchronous Serial Port (MSSP) Interrupt Enable bit
1 = Enables the MSSP interrupt
0 = Disables the MSSP interrupt
Bit 2 CCP1IE: CCP1 Interrupt Enable bit
1 = Enables the CCP1 interrupt
0 = Disables the CCP1 interrupt
Bit 1 TMR2IE: Timer2 to PR2 Match Interrupt Enable bit
1 = Enables the Timer2 to PR2 match interrupt
0 = Disables the Timer2 to PR2 match interrupt
bit 0 TMR1IE: Timer1 Overflow Interrupt Enable bit
1 = Enables the Timer1 overflow interrupt
0 = Disables the Timer1 overflow interrupt
PIR1 = %00000000
Bit 7 Unimplemented: Read as ‘0’
I have noticed that in PIC18F, this is implemented an means :
SPPIF: Streaming Parallel Port Read/Write Interrupt Flag bit(1)
1 = A read or a write operation has taken place (must be cleared in software)
0 = No read or write has occurred
Bit 6 ADIF: A/D Converter Interrupt Flag bit
1 = A/D conversion complete (must be cleared in software)
0 = A/D conversion has not completed or has not been started
Bit 5 RCIF: EUSART Receive Interrupt Flag bit
1 = The EUSART receive buffer is full (cleared by reading RCREG)
0 = The EUSART receive buffer is not full
Bit 4 TXIF: EUSART Transmit Interrupt Flag bit
1 = The EUSART transmit buffer is empty (cleared by writing to TXREG)
0 = The EUSART transmit buffer is full
Bit 3 SSPIF: Master Synchronous Serial Port (MSSP) Interrupt Flag bit
1 = The MSSP interrupt condition has occurred, and must be cleared in software before returning from the
Interrupt Service Routine. In SPI mode :
A transmission/reception has taken place
0 = No MSSP interrupt condition has occurred
Bit 2 CCP1IF: CCP1 Interrupt Flag bit
Capture mode:
1 = A TMR1 register capture occurred (must be cleared in software)
0 = No TMR1 register capture occurred
Compare mode:
1 = A TMR1 register compare match occurred (must be cleared in software)
0 = No TMR1 register compare match occurred
PWM mode:
Unused in this mode
Bit 1 TMR2IF: Timer2 to PR2 Interrupt Flag bit
1 = A Timer2 to PR2 match occurred (must be cleared in software)
0 = No Timer2 to PR2 match occurred
bit 0 TMR1IF: Timer1 Overflow Interrupt Flag bit
1 = The TMR1 register overflowed (must be cleared in software)
0 = The TMR1 register did not overflow
INTCON = %11000000
INTCON = %b7|b6|...|b0
Bit 7 GIE: Global Interrupt Enable bit
1 = Enables all unmasked interrupts
0 = Disables all interrupts
Bit 6 PEIE: Peripheral Interrupt Enable bit
1 = Enables all unmasked peripheral interrupts
0 = Disables all peripheral interrupts
Bit 5 T0IE: Timer0 Overflow Interrupt Enable bit
1 = Enables the Timer0 interrupt
0 = Disables the Timer0 interrupt
Bit 4 INTE: INT External Interrupt Enable bit
1 = Enables the INT external interrupt
0 = Disables the INT external interrupt
Bit 3 RBIE: PORTB Change Interrupt Enable bit(1)
1 = Enables the PORTB change interrupt
0 = Disables the PORTB change interrupt
Bit 2 T0IF: Timer0 Overflow Interrupt Flag bit(2)
1 = TMR0 register has overflowed (must be cleared in software)
0 = TMR0 register did not overflow
Bit 1 INTF: INT External Interrupt Flag bit
1 = The INT external interrupt occurred (must be cleared in software)
0 = The INT external interrupt did not occur
Bit 0 RBIF: PORTB Change Interrupt Flag bit
1 = When at least one of the PORTB general purpose I/O pins changed state (must be cleared in software)
0 = None of the PORTB general purpose I/O pins have changed state
My idea was to write it from scratch instead of using the SPI hardware in the pic.
I assume the software IDE has some kind of simulator in it so you can step through code and set breakpoints etc, without the need of any hardware.
Try,
Enable the interrupt for the IRQ pin
Set INTEDG in OPTION register to '1' (interrupt on rising edge)
with your debugger/simulator your code should enter the interrupt routine on every low-to-high pin change. Then you can work from there.
I haven't used easyPIC5 but i assume its the same as all those PICBASIC, BASICSTAMP, ARDUINO etc type PIC's with pre-written routines. So there might be a routine that utilizes the interrupt on pin change. Try looking at an IR receiver routine that might help.
I had a look at the EASYPIC5, its that big development board right. I'd like to help more but not really keen to purchase the board. Though if you can send me a link for the Microbasic IDE and I will see if I can help further.
Hi,
Looks like a good project.
Just in case you haven't seen this one:
I have used the following solution for a previous project on my old Audi and head unit:
http://k9spud.com/vwcdpic/
Might be some useful background, and has a good developer area and forum.
Good luck
Hi Tony G,Originally Posted by Tony G
Thank you for your link. I already know it. They use the CD Changer port to communicate with the radio unit (no CD TEXT support)
For my project, I try to emulate the MP3 CD Drive. But as you suggest, I will ask on their forum some advises.
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote
Bookmarks