Page 1 of 81 123456789101151 ... LastLast
Results 1 to 10 of 801
Like Tree1Likes

Thread: Renault "Tuner List" Head Unit/CD changer hacking - Controls

  1. #1
    Variable Bitrate
    Join Date
    Apr 2005
    Location
    Belgium
    Posts
    326

    Renault "Tuner List" Head Unit/CD changer hacking - Controls

    The goal of this thread is to centralize information about hacking the control protocol between Renault's "Tuner List" head unit and CD changer.

    ****
    IMPORTANT EDIT : DISCLAIMER
    ALL THAT YOU DO IS AT YOUR OWN RISK. WE TAKE NO RESPONSIBILITY IN CASE OF INJURY, DAMAGE, DEATH OR ANYTHING THAT COULD HAPPEN AS A RESULT OF TRYING ANYTHING DESCRIBED IN THIS THREAD. Please note in particular that wrong wiring and electrostatic discharges could result in damages to your head unit and/or PC.
    ****

    The (digital) audio-in part has already been successfully achieved by a few people including myself - see Renault Scenic II - SPDIF PC - but the control wires are still connected to the CD changer to fool the HU into thinking it's still playing sound coming from the changer.

    Drawbacks :
    - the dashboard cd#/track#/time fields give information completely unrelated to what you actually hear
    - each time the changer loads a new CD, sound is muted for a few seconds
    - stalk controls (next/previous) and head unit front panel buttons (1-6) are useless

    I can live with that, but thinking of it more and more, using stalk controls and front panel buttons instead of touch screen has many advantages :
    - they're much more ergonomic.
    - your carPC doesn't need an (expensive) touchscreen, or even a screen at all if you use text-to-speech for feedback
    - you can reassign all buttons to whatever you like. For example each numbered button (CD1-6) could be linked to an ID3 tag category (1=Track Number, 2=Album, 3=Artist, 4=Genre, 5=Year) and by pressing it, it would speak the value for the current track and select this "mode". Then, Next/Previous stalk controls could enumerate other values for this field, so by default, next/previous control the track number, but could as well switch to next/previous album by the same artist, or next/previous artist, or even next/previous genre or year (toggling to shuffle mode). Of course, this would have to be linked to some kind of backend index or DB to speed things up, but it would be great fun to press a few keys to hear what we listened to 20 years ago. Back to 1986 :-)

    What has to be done :
    - hardware connection of control wires to the PC. The pinout is available in this post and as I said there :
    among the protocols listed on http://www.mictronics.de/?page=cdc_proto , the only one that uses asynchronous two wires transfer (RX + TX + no clock) is the Blaupunkt one. Moreover it uses the same wires as our Tuner List, so that's encouraging : compare the last page of http://www.blaupunktusa.com/NR/rdonl...5E/0/MDP01.pdf to the attached pinout of the Tuner List. I also had confirmation by bistie on planeterenault.com forums that once the levels are adapted (5V TTL to 12V RS232) the protocol is compatible with a PC serial port.
    Using a Max232-based circuit, we could thus relatively simply spy on the control wires. Ideally, both directions (Changer > HU and HU > Changer) should be spied at the same time to ease question/answers matching.

    - protocol reverse engineering, enumerating all messages sent back and forth between devices

    - actual emulation, listening to head unit messages and sending back responses or information to be displayed on the dashboard. Note that I believe that the CD changer is rather autonomous : I really think that when the CD changer is selected as source on the head unit, the control is given to the changer and all information is just passed through. For example, I believe the CD changer has the responsibility of loading a new CD when the previous one ends etc. If this is confirmed, it would minimize the emulation work as we wouldn't have to send "coherent" information to the head unit and we could for example use the dashboard display for custom use...

    - link this emulation module with target applications. I'd suggest not to link the module to a particular app (Winamp) or front-end, but leave it as open as possible for anyone to be able to reuse the emulator for its own needs. Conversely, I guess there are already input plugins for Winamp etc that we could link to or reuse (LIRC ?).

    Please feel free to enrich this thread with any link or information that would help, in any of the above fields.

    Let's roll !

  2. #2
    Variable Bitrate
    Join Date
    Apr 2005
    Location
    Belgium
    Posts
    326

    Proposed schematics.

    Preliminary note : I chose the MAX3232 instead of the 232 as this one is a low power version. It's pin to pin compatible but the capacitors car have lower values.

    The first schema is just a development circuit to be able to spy on the protocol. Nothing is emitted but the chip converts all information passing in both directions into RS232-compatible levels. Each direction is fed to a separate serial port of the spying PC.

    The second schema will be used later as the emulator. If you actually have a CD changer, a switch allows you to flip two relays between actual changer and PC emulation.
    If you don't, just throw away the switch, the relays and the upper "CD changer" connector and directly link pin 11 and 12 of the MAX3232 to resp. pins 13 and 14 of the head unit connector, and SPDIF to pins 18 and 19 of this connector.

    I'm planning to try and make the spy circuit in the following weeks, and in the meantime I'm looking for good software to spy and dump information from serial ports.

    Any hint or source code is welcome, as well as feedback on these circuits.

    *** PRELIMINARY CIRCUITS REMOVED. Edited versions available in post 197 for the spying circuit and in post 245 for the emulating circuit.***

  3. #3
    mox
    mox is offline
    Constant Bitrate mox's Avatar
    Join Date
    Nov 2004
    Location
    The Netherlands
    Posts
    183
    I did a quick google and it came up with http://www.serial-port-monitor.com
    Haven't tried it yet, but from the screenshots it seems capable of displaying hex data as opposed to plain ASCII, like hyperterminal. Capturing data shouldn't be too difficult.

    - the dashboard cd#/track#/time fields give information completely unrelated to what you actually hear
    Right. Once I select cdchanger as a source, my Connects2 interface permanently displays "CD 1 TR 1" and all cdchanger related commands (either from stalk or HU) are ignored.

    How about shooting email to connects2.com for a few hints?

    As for the TTL-to-RS232 issue, I plan on dragging the ol' oscilloscope outside to check on signal levels, but the weather has to improve first. My scope has a storage mode, which might come in handy.
    CarPC status: HW all done, SW needs tweaked.
    Hardware: VIA MII-12K, 512MB, 60GB 2.5", CW-8123 DVD-CDRW, 7" Lilli ts, Opus 90W, BU-353 GPS, 802.11b PCI, USB bluetooth dongle, AverMedia AverTV Cardbus Plus, Morex Cubid 3677
    Software: RR, MM/FD

  4. #4
    Variable Bitrate
    Join Date
    Apr 2005
    Location
    Belgium
    Posts
    326
    Quote Originally Posted by mox
    http://www.serial-port-monitor.com
    Haven't tried it yet, but from the screenshots it seems capable of displaying hex data as opposed to plain ASCII, like hyperterminal. Capturing data shouldn't be too difficult.
    This free version seems to be a stealth "man in the middle" serial communication monitor, but needs a PC application to open the port and read/write to it ("work with any software that opens a serial port and initiate communication through it"). Then, it will dump what goes through the serial line.
    However, their (paying) "Serial monitor" line of products seems to be what we're looking for...

    I also came across interesting source code to read and write serial data that we could use as a I/O system.

    Once I select cdchanger as a source, my Connects2 interface permanently displays "CD 1 TR 1" and all cdchanger related commands (either from stalk or HU) are ignored.

    How about shooting email to connects2.com for a few hints?
    Dear sirs, we would like to provide people with an alternative to your expensive interface. Would you be so kind to give us your source code please ? Yours faithfully :-)

    As for the TTL-to-RS232 issue, I plan on dragging the ol' oscilloscope outside to check on signal levels, but the weather has to improve first. My scope has a storage mode, which might come in handy.
    Yes, indeed.
    All the above is based on the assumption that there are TTL levels going through these wires and that the serial protocol is compatible with standard PC interfaces, but if they're using other levels, or 4 bits, or a CRC, or anything non-standard, it could prove much more difficult to hack.

    I'd mainly like to have your confirmation of voltage used before connecting my PC to it because I don't particularly like to burn UARTs :-)

  5. #5
    Variable Bitrate
    Join Date
    Apr 2005
    Location
    Belgium
    Posts
    326

    Progress report + help needed

    This is my progress report :

    1) I managed to get another pair of M/F mini-iso connectors.
    You can get them too by ordering a Blaupunkt 1.3m extender, ref 7 607 621 154.
    I got it here in Brussels (at Arwac's) for 16 EUR, which is quite reasonable.
    I wouldn't advise using the extender as is though, because the pins are assigned
    differently in Blaupunkt head units, and shielding is absolutely not suitable for the
    pin assignment of Renault. But for the connectors alone, it's perfectly OK.

    2) Before spying with the above circuit, I thought it would be interesting to "see"
    what travels on the wires. So I built myself a "4 resistor oscilloscope"
    (2 resistors 470k/10k divide the voltage by about 50, and then the signal is fed to
    my sound card (Rx on right channel and Tx on left channel) and sampled at 44.1 kHz.

    3) The first samples (see for example the attached gif file) are rather encouraging.
    Here are some elements I observed or concluded, but I might be wrong so please
    bear with me and tell me if I'm wrong :
    - Rx on the pinout diagram actually is "Receive" from the point of view of the head unit.
    This wire carries data from the CD changer to the head unit
    - Conversely, Tx carries data from the head unit to the CD changer.
    - Every second, the CD changer sends a burst of data to the head unit, even if listening
    to the radio, not a CD (probably a mandatory "I'm alive" message so that the head unit
    knows a CD changer is attached)
    - The head unit always replies with an ACK (see second attached gif)
    - The width of a bit seems to be a around 4.5 samples at 44.1kHz, or 4.5/44100 seconds,
    which translates to a data rate of around 44100/4.5 = 9800 bps. => 9600 bauds actually
    - In the long GIF, if you start at the middle of the first bit and count alternatively 4 and
    5 bits and take note of each value (0 or 1), you get a long bit sequence like this (I may
    have taken another sample than the gif one so you might have slightly different results
    - which would be interesting to compare) :
    10100001100100101100001001011110010001110110
    10111111100101111111001111111111011111111110
    11001001110111111111101111111111011111111110
    111010011001111111111011110001010
    and the acknowledge would be 10101110010
    - Seeing this, I interpret it as :
    1 start bit (1), 8 data bits (01000011), one parity bit (0) and one stop bit (0) and so on,
    so cutting the stream like this :
    1 01000011 0 0
    1 00101100 0 0
    1 00101111 0 0
    1 00011101 1 0
    1 01111111 0 0
    1 01111111 0 0
    1 11111111 1 0
    1 11111111 1 0
    1 10010011 1 0
    1 11111111 1 0
    1 11111111 1 0
    1 11111111 1 0
    1 11010011 0 0
    1 11111111 1 0
    1 11100010 1 0

    and the ack goes :
    1 01011100 1 0

    All of the above have a start bit at 1, a stop bit at 0 and a "odd" partity bit :
    the number of 1's in the 9 bits (data + parity) is always odd

    I made a first attempt with the the above circuit with the MAX3232 (Spy mode) but
    unfortunately I could only collect garbage.
    Maybe I made a mistake somewhere in the circuit implementation, but can anyone confirm
    the schema in question *should* work ?

    Anyway, I hope I'll be able to do some more testing this week-end...

    PS : Sorry for the extra wide gif :-(
    Attached Images Attached Images   

  6. #6
    mox
    mox is offline
    Constant Bitrate mox's Avatar
    Join Date
    Nov 2004
    Location
    The Netherlands
    Posts
    183
    I am still with you Vicne, but I am dealing with Lilliput woes at the moment

    Your samples look promising and the MAX3232 schematic looks fine to me. Signal level might be an issue -- I still need to check things out with my scope here, but the weather has been keeping me from doing so.
    CarPC status: HW all done, SW needs tweaked.
    Hardware: VIA MII-12K, 512MB, 60GB 2.5", CW-8123 DVD-CDRW, 7" Lilli ts, Opus 90W, BU-353 GPS, 802.11b PCI, USB bluetooth dongle, AverMedia AverTV Cardbus Plus, Morex Cubid 3677
    Software: RR, MM/FD

  7. #7
    Variable Bitrate
    Join Date
    Apr 2005
    Location
    Belgium
    Posts
    326

    Levels

    Well, OK, here are the levels running on the line :
    - logical 0 : 3V
    - logical 1 : 12V

    (see oscilloscope snapshot below)

    Unfortunately, it's not TTL so that's why the above circuit won't work !

    Edited circuits out soon...
    Attached Images Attached Images  

  8. #8
    FLAC TheLlama's Avatar
    Join Date
    Jul 2004
    Location
    All over the world
    Posts
    970
    what are you all using for Oscilloscopes? I want to pick up a relatively cheap one. I have a techtronics at home, but I need something for school. I guess I could use my PC's sound card...

    Thanks

  9. #9
    Variable Bitrate
    Join Date
    Apr 2005
    Location
    Belgium
    Posts
    326
    Quote Originally Posted by TheLlama
    what are you all using for Oscilloscopes? I want to pick up a relatively cheap one. I have a techtronics at home, but I need something for school. I guess I could use my PC's sound card...
    The first samples above were taken using only my soundcard as stated. I just put a 1:50 resistor divider to make sure I remained in the 1V range of the line input
    Of course, you're limited to the 20 Hz - 20 kHz range at best, and you can't measure levels as the soundcard input stage is driven by Windows. To make things worse, you have no idea of the DC offset as it is filtered out, but well, it gives an idea.
    The second samples were taken with a handheld (discontinued) Tektronix THM550 like this I borrowed from a colleague.

  10. #10
    Constant Bitrate Putput's Avatar
    Join Date
    Sep 2005
    Location
    Belgium
    Posts
    181
    I had a quick look into your results and there are a lot of '1's in the bitstream. Try inverting them, perhaps this could make more sense.
    Then you have 2 groups of zeros which could indicate disk 1, track 1 ?? And the last byte inverted reads as a GS or Group Separator. Keep up the good work, I'm very interested. Perhaps I can assist you writing software to access the serial port, I'm currently working on software to link my GSM via serial port over Bluetooth.

Page 1 of 81 123456789101151 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •