Custom CDCs

[Evilution]

Hi all, ok i'm a newbie.
I have been running a Traxdata M-station (neo) for the past 2 years and recently because sick of the poor quality of MP3s.
I had a search around for the same sort of thing that could play WMA and OGG and eventually found the Phatbox/Music Keg.

After trawling through the internet I have managed to buy just the unit, I don't even know what car it is currently flashed to work with. If anyone can tell from looking, it was this one.
http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&ih=012&item=220038029353&rd=1&sspagename=STRK%3AMEWA%3AIT&rd=1

I've managed to buy a 10Gb DMS cart so just need a cradle to start me off.

From what I can see, the phatbox is pretty much the same except it is flashed to work with certain car OEM stereos plus Kenwood and Sony. I assume that each flash installs the particular CDC (CD Changer) protocols.

So I was wondering if anyone had managed to crack these and add other CDC codes.

I have a Grundig OEM stereo and from what I can tell, probably runs the same CDC as the Blaupunkt stereos.
The other option is to see if Grundig made OEM stereos for any of the supported car makes and see if that works.
My absolute final option is a protocol changer that will change my Grundig CDC to a Sony CDC and see if a Sony flashed PB will work on that.

So many questions, so little knowledge so all appologies.

[judb]

The code that is loaded for interface with the various changer protocols is encrypted and we've not spent much time trying to break it down...  As far as I know no one has managed to hack it or update it in any way.

Now that said, your stereo format is not supported but the sony method you mentioned MIGHT work.. no promises though.

There are three types of phatboxes .. the red ones (first run, no disk protection) the 1.1 version (silver ones for most cars) and the 1.2 which work with specific cars from japan I think.

(well theres also the kenwood music keg which is an OEM version of the 1.1)
you can load any firmware on any unit, but the 1.2 boxes have an extra chip involved that makes them work with specific stereos and other versions wont work with those stereos.

[zero cool]

What would it take ($?) to get someone interested in hacking the protocals? I would REALLY like to be able to get a PB to work with my Nakamichi head unit.


Zc

[judb]

The issue in this case is a bit more complex than just $$$..

it would be time consuming to decode the protocol between a head unit and a native changer since as far as I can tell that documentation is not available freely...

secondly, once you have the protocol documented, you'd have to write the code for the 8052 microcontroller in the phatbox.  the code shipped by phatnoise is encrypted and then its loaded onto the 8052 using the forceupdate file (thats the "firmware update" that phatnoise releases) ... this code is then verified and stored encrypted again inside the 8052 so its hard to extract something to debug / start from.

So unless we can get phatnoise to share the code and the loading process for encrypting the data i don't think we'll get very far with the tools available to us.

Maybe if we had some test kits for the microcontroller they use.. i dont know.

[Evilution]

That's what I figured. I have contacted Phatnoise about giving me the code but i'm not expecting any response.
I have also contacted Grundig to ask if they would consider making a code with Phatnoise to support their players.
Again, i'm expecting a no.

I'll have to look into protocol changers and this voice add on thingy.

[az1324]

The issue in this case is a bit more complex than just $$$..

it would be time consuming to decode the protocol between a head unit and a native changer since as far as I can tell that documentation is not available freely...

secondly, once you have the protocol documented, you'd have to write the code for the 8052 microcontroller in the phatbox.  the code shipped by phatnoise is encrypted and then its loaded onto the 8052 using the forceupdate file (thats the "firmware update" that phatnoise releases) ... this code is then verified and stored encrypted again inside the 8052 so its hard to extract something to debug / start from.

So unless we can get phatnoise to share the code and the loading process for encrypting the data i don't think we'll get very far with the tools available to us.

Maybe if we had some test kits for the microcontroller they use.. i dont know.

Is it encrypted when it is written across the serial link to the 8052?

[zero cool]

I want this pretty badly myself. I have a couple of engineers i am going to toss this at as soon as they finish the project they are on now.

Zc

[judb]

The issue in this case is a bit more complex than just $$$..

it would be time consuming to decode the protocol between a head unit and a native changer since as far as I can tell that documentation is not available freely...

secondly, once you have the protocol documented, you'd have to write the code for the 8052 microcontroller in the phatbox.  the code shipped by phatnoise is encrypted and then its loaded onto the 8052 using the forceupdate file (thats the "firmware update" that phatnoise releases) ... this code is then verified and stored encrypted again inside the 8052 so its hard to extract something to debug / start from.

So unless we can get phatnoise to share the code and the loading process for encrypting the data i don't think we'll get very far with the tools available to us.

Maybe if we had some test kits for the microcontroller they use.. i dont know.

Is it encrypted when it is written across the serial link to the 8052?

AFAIK yes it is.  its encrypted the whole time in various forms or never decrypted  until run time.. not sure though.

[az1324]

well it would probably be decrypted by the 8052 bootloader before being written into memory if it is in fact encrypted.  i tend to doubt whether it is encrypted over serial.  im sure it is protected inside the 8052 though.  The IAR C compiler supports that winbond chip and has a free trial so someone could definitely play around with it.  As far as I can tell from the wiki, the 8052 acts like a watchdog timer for the main processor and also just passes back and forth commands and info.  So the programming isnt terribly complicated if you know how to interface to the head unit.

[sbingner]

personally, I tend to agree with az1324 -- the 8052 is a pretty simple chip, I doubt they'd go to all the trouble of making it decrypt the firmware update in the 8052.   My guess is we just havent had the right people looking at it yet, but I'm no expert so could be wrong.

[sbingner]

I can now state with certainty that firmware.pac is encrypted and the 8051 decrypts it.   There may be a way to load an unencrypted firmware, but I wouldn't have any idea where to start with that

[az1324]

Hmm that is unexpected.  How did you discover that?

[sbingner]

I sent an email to one of the ex-phatnoise devs  What I said is pretty much verbatim their reply

[zero cool]

I sent an email to one of the ex-phatnoise devs  What I said is pretty much verbatim their reply

Can i hire this guy to develope a Nakamichi firmware set for me  8-)?



Zc

[sbingner]

That would not be permissable, they signed contracts

[judb]

generally, non competes and work related contracts that limit what you can do with patented knowledge have limited terms...  in the 1 to 5 year range.. with 1 to 2 years being the norm in my experience.  

I would think that some of the ex phatnoise employees should be able to at least openly discuss things with us at this point, if not do work on our projects if they were not being paid to do so and not run foul of these agreements.

[sbingner]

True, however Non-disclosure agreements can have much longer terms.   I don't know exactly what they signed tho

[Evilution]

Can we not give them a backhander for essential info and just make out that Sbingner worked it out  

[zero cool]

Well in reality they would not need to disclose anything. I send him a Nakamichi car stereo and $$$ and anything else he needs and in return he sends me back a firmware file. nothing to disclose.

No need to divulge where it came from or who did it. i just have it. seems simple enough.

(I do understand about contracts etc....But you never know until it is asked)


Zc

[Evilution]

Plus everyone needs a little extra cash before Christmas.