Get a free Giffgaff Sim

Wednesday, 1 February 2017

BMW 1 series F20 iDrive controller hacking with arduino and PI

As part of a larger in car entertainment project I needed a simple and safe input  method to control the software that wasn't a touch screen. As BMWs are popular in the carpc scene I thought I'd buy an idrive controller as surely there will be an arduino lib to get it working.

Nope, there are a few pages of people giving out tiny bits of information or claiming to have done it but haven't shared it on the Web.

The one piece of helpful information i did pull from the aforementioned websites was the fact that these controllers use a low speed  ( 100kbit for bmw ) fault tollerant canbus transceiver, the TJA1054 or TJA1055.

Some more googling pointed out that the MCP2551 I normally use wasn't going to work and I needed to use the TJA1054/5

The frugal / lazy part of me didn't want to have to make up a pcb board straight away for the TJA1054 before it was tested and I was more familiar with it.

In comes a VAG canbus gateway. These handy devices are how VAG manage the different speed canbus networks at the obd2 port. TL;DR these are a cheap board with 2x TJA1054, 2x highspeed transceivers and a 5v regulator.

After removing the NEC Cpu from the gateway I connected one of the low speed transceivers to an Arduino with my diy MCP2515 shield and the other to a PI zero with a MCP2515 canpi hat.

The first controller I tried was from an e60 which has 2 external button and the twist joystick.

With any can frames on the bus this would reply with 0x4e7 messages, turns out there isn't much info on these and I couldn't find any example of someone getting it to work.

The second was from a 2012 1 series this is the lower spec model that only has the 5 buttons and the left right joystick with rotary encoder.

Everyone seems to know that sending frames to 0x202 will enable the lights but no other information exist to explain how to get it to reply back with button presses.

So it's time to brute force the canbus. a tiny bit of arduino code later got me sending 8 bytes of 0xff to every 11bit ID twice every 100ms while I repeatedly pressed the buttons.

With both eyes on wireshark it gets to the 0x500 numbers and thing replies start happening then the magic number appears 0x535 this is the ID that will keep the device awake and will allow you to get the frames for button presses.

This sadly doesn't give any data for the rotary encoder but I thing that may need extra data to "initialize".

I'll be doing some more testing to get the rotary encoder working as well as some code to use this a hid device.

Keep an eye out for that!


Saturday, 21 January 2017

Getting started with the ASUS Tinker board... or not!

Google Now pointed me to some blog posts about a newly released SBC to compete with the raspberry pi, the ASUS Tinker board.

The Specs of  ASUS Tinker board sound good on paper but I guess the proof is in the pudding. 



I have made a quick unboxing video and wanted to follow up with my initial thoughts but I'm stuck at the first hurdle, I can't find any software!

The quick start guide mentions an "OS image" to write to a micro sd card but google has come up with nothing so far.

I have tweeted ASUS directly but I've had no reply :(


Clutching at straws to get some sort of life out of the board I have found an image for a miqi SBC that has the same rockchip rk3288  CPU that I may try if nothing else emerges from ASUS.




Saturday, 17 December 2016

DIY 50mil (1.27mm) to 100mil (2.54mm) adapter for atatmel ice

I've been meaning to try the new cortex m0 chips by atmel but was put off by the high programmer price, fortunately they now sell a bare version known as atatmel-ice-pcba with no case or cables. So after the initial shock of how small the cortex debug connector is I set off to find a cheap way to break this out to 0.1" headers. Fortunately a soic chip has the same footprint as the SMD variant of the mating connector. Flicking through the CPC site to find anything 1.27mm (50mil) I found some soic to dip adapters, after checking the data sheets to confirm it would work I made the order.
 









Description CPC code Manufacturer code
AMPHENOL FCI Minitek127 10way SMT RECEPTACLE CN18263 20021321-00010C4LF
PROTO ADVANTAGE SOIC-14 to DIP-14 Adapter PC01795 PA0003

Thursday, 1 December 2016

Using the TPLink TL-POE10R PoE Splitter with a Cisco Inline power switch WS-C3550-24PWR-SMI

As part of my Raspberry Pi Zero CCTV project, I've opted to use PoE to get data and power outside to the cameras.

After another hasty ebay spree I ended up with a Cisco WS-C3550-24PWR-SMI 24 port "PoE" switch.  Little did I know Cisco had their own version of PoE before the 802.3af standard arrived called Inline power.

After doing my usual and researching what I've bought after purchasing (and not before) and realizing it wasn't compatible :(  I initially I thought to just return it but after pricing up real PoE or passive PoE compared to what I payed for this switch (£25) it seemed daft to not give it a go.

I took the switch apart and googled some of the part numbers that looked like they may control the Inline power circuit  and I couldn't find any datasheets to see if there was any way to "hot wire" or reverse engineer the circuit.

Anyway after hours of searching Cisco inline power and seeing if anyone else had the pleasure, all I could find were people trying to use inline power phones with 802.3af switches.

At this point the only information I had was that a "PD" echos a low frequency signal back to the switch via a low pass filter which then tells it to enable the power output.

So now the plan is to measure this low frequency signal with my scope and try and reproduce this filter with my own circuit.

By this point I figured a Cisco Inline power phone is going to be the cheapest method of seeing this signal being used and what components are used in the phone.

Back to eBay to acquire a cheap Cisco phone, so £8 lighter and a few days later a CP-7912G-A arrived. Connected it up to the switch and its powered up OK so good news!

Get the screw driver out and take the phone apart and everything is very compact and there isn't the magical silkscreen with labels to the filter PCB that I was hoping for to copy however I did spot some relays which help explain some of the Cisco trouble shooting guides.

TL:DR using some relays to bridge the tx and rx pins on the "normally closed" pins so that it go open circuit when powered is enough to enable the power output and it works no problem with a TL-POE10R









Tuesday, 1 November 2016

Technika Freeview 8320HD box hacking

I've had this sat on a shelf for a few years in the hope I can one day get root on this device and have it multicast the dvb-t2 streams over the network.

I've crawled the internet to find what info is about for this and there doesn't seem to be a publicly know way to get root.

My first port of call is to removed the BGA flash chip and try and read this with some sort of DIY nand reader.



Saturday, 21 May 2016

Hummingboard i2 & Motorola lapdock 720p fix.

I bought a Hummingboard i2 off ebay as it was going cheap and I've wanted to play with an sbc with canbus and lvds.

Anyway it came with openelec on the memory card so to test it I connected it up to my to my lapdock and getto usb cable.

Kodi loaded but it would only give 720x576p resolution.

Turns out any none standard resolutions given over edid are ignored by the kernel and it defaults to 576p.

I did some investigation on the solidrun forums and came across this post which has some manual timings for the lapdock.

I've added the below command to /storage/.config/autostart.sh which sorts everything out before kodi boots

#!/bin/sh
fbset -g 1280 720 1280 720 16 -t 13468 140 210 10 10 20 10



Reboot and hey presto it all works.


Tuesday, 5 January 2016

Teensy 3.1 with working flexCAN interrupts and BUSMASTER compatibility

The Teensy 3.1 flexCAN library doesn't have the facility for setting up interrupts for incoming messages. So I set out to fix the problem, and after a lot of forum research and a few tweaks I've been able to get interrupts working.

I've ported my mcp2515 based Arduino CAN to USB logger to the Teensy, this firmware implements the Lawicel protocol (badly haha) to be compatible with canhacker software.

While doing a bit of research I discovered that VScom's ser-com tool also uses the Lawicel protocol and they have drivers built into Bosch's BUSMASTER software, WINNER!! so I've now got access to what looks like a pretty sweet bit of canbus logging software.

To test I programmed one of my STM32 boards to spam the bus continuously and it seems that BUSMASTER and the teensy were able to keep up, and the network stats showed 99.9% bus load! horray.

I still have the transmit side of the Lawicel protocol to implement and maybe tidy up and complete my changes (add loopback and listen only mode and some error detection) made to the flexCAN library.