BMW 1 series F20 iDrive controller hacking with arduino and PI

As part of a larger in car entertainment project I needed a simple and safe input  method to control the software that wasn't a touch screen. As BMWs are popular in the carpc scene I thought I'd buy an idrive controller as surely there will be an arduino lib to get it working.

Nope, there are a few pages of people giving out tiny bits of information or claiming to have done it but haven't shared it on the Web.

The one piece of helpful information i did pull from the aforementioned websites was the fact that these controllers use a low speed  ( 100kbit for bmw ) fault tollerant canbus transceiver, the TJA1054 or TJA1055.

Some more googling pointed out that the MCP2551 I normally use wasn't going to work and I needed to use the TJA1054/5

The frugal / lazy part of me didn't want to have to make up a pcb board straight away for the TJA1054 before it was tested and I was more familiar with it.

In comes a VAG canbus gateway. These handy devices are how VAG manage the different speed canbus networks at the obd2 port. TL;DR these are a cheap board with 2x TJA1054, 2x highspeed transceivers and a 5v regulator.

After removing the NEC Cpu from the gateway I connected one of the low speed transceivers to an Arduino with my diy MCP2515 shield and the other to a PI zero with a MCP2515 canpi hat.

The first controller I tried was from an e60 which has 2 external button and the twist joystick.

With any can frames on the bus this would reply with 0x4e7 messages, turns out there isn't much info on these and I couldn't find any example of someone getting it to work.

The second was from a 2012 1 series this is the lower spec model that only has the 5 buttons and the left right joystick with rotary encoder.

Everyone seems to know that sending frames to 0x202 will enable the lights but no other information exist to explain how to get it to reply back with button presses.

So it's time to brute force the canbus. a tiny bit of arduino code later got me sending 8 bytes of 0xff to every 11bit ID twice every 100ms while I repeatedly pressed the buttons.

With both eyes on wireshark it gets to the 0x500 numbers and thing replies start happening then the magic number appears 0x535 this is the ID that will keep the device awake and will allow you to get the frames for button presses.

This sadly doesn't give any data for the rotary encoder but I thing that may need extra data to "initialize".

I'll be doing some more testing to get the rotary encoder working as well as some code to use this a hid device.

Keep an eye out for that!

Resurrecting the Sony Ericsson Live View MN800

Another STM32 I've had for years is the Liveview.

A few clever people on the XDA developers forum have reverse engineered the device and made drivers for chibios.

The code is on github here ----> https://github.com/GottZ/olvfw  FYI this is not my code!!

It's old code but I've compiled it my self and flashed it and it works!

And yes I'll be getting canbus working via the micro usb port at some point  :)

Innovate MTS to Megasquirt CAN Bus converter part 1

After quiting my job last month I've finally had some time to put my collection of STM32 boards to work.

With the addition of the STM32 cpus to the MBED platform its made it super simple to write code for them.

The first thing that I've decided to develop is an Innovate MTS to Megasquirt CANBUS converter.

You can see the MBED project here

https://developer.mbed.org/users/sordfish/code/MTS_TO_MSCAN/wiki/Homepage


Its still alpha code but I've had it connected to a Microsquirt and it was doing something!

I've added CAN filtering since I last tested so it may or may not work at this moment in time but I'll be adding a part 2 with the actual hardware in the next few days.

Making the WR702n run openwrt part 1

After blindly buying a blue tplink router off eBay at 3am, it turns out I bought the WR702n instead of the openwrt friendly WR703n.

The wr702n runs vxworks and only has 2MB flash and 16MB ram and no USB, This isn't enough for openwrt.
It turns out that other fellow hackers have upgraded the flash and ram on the 703 so I'v done the same to the WR702n.

Getting the Parts...

First port of call is to find suitable flash and ram chips.
I have bought MX25L6445EM2I-10G from china and a 512MB sodimm DDR ram stick to harvest the Hynix HY5DU121622DTP-D43 chips.

Replacing the ram...

Changing the ram first seemed best as vxworks would still run once done..
so out with the Hot air and chip Quik and we now have a 64MB ram chip installed.

 

Ram chip removed with flux and hot air

64MB RAM and serial wires.

Vxworks still booted so ram success fully swapped (first boot too).

The flash chip...

I needed an spi flasher of some kind, I had seen the bus pirate being used but I don't have one and didn't fancy buying anymore tools if I dint need to.

Arduino mini pro (3.3v) with spi chip attached to wires. Full size arduino used just for usb to serial.

After spotting  a post on hack a day using an arduino to program the chips, I installed Ubuntu and programmed serprog onto an arduino mini pro. It took a bit of fiddling to get it recognized by flashrom but after a few port speed issues I was able to dump the contents of the new chip.

DAS U-boot...

Now with it all ready to go I needed to find a copy of uboot to install. turns out there's an awesome version with an http server built in for flashing.

Wrote that to the chip with flashrom, verified it and then soldered it in place of the 2MB chip.

Success!!!

powered it up and uboot started to scroll messages in putty. Next was to get openwrt installed.

Turns out the http server is a bit temperamental and only likes firefox 13.0.1? 

after programming the latest sysupgrade file for openwrt it flashed itself and rebooted and was greeted by the boot log of openwrt :)

To be continued...

I still need to recover the unique "ART" partition from the original 2MB flash chip so the wifi will work.

I also need to update uboot for 8mb as it only can access the first 4mb atm. 

Lastly the usb port needs to work so I just need to add some components to get that working too.