Topic: Custom CDCs

Offline Evilution

  • A few posts under my belt.
  • *
  • Posts: 28
  • PhatHacker
Custom CDCs
« on: October 24, 2006, 08:44:16 pm »
Hi all, OK, I'm a newbie.
I have been running a Traxdata M-station (neo) for the past 2 years and recently became sick of the poor quality of MP3s.
I had a search around for the same sort of thing that could play WMA and OGG and eventually found the Phatbox/Music Keg.

After trawling through the internet I have managed to buy just the unit, I don't even know what car it is currently flashed to work with. If anyone can tell from looking, it was this one.
http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&ih=012&item=220038029353&rd=1&sspagename=STRK%3AMEWA%3AIT&rd=1

I've managed to buy a 10Gb DMS cart so just need a cradle to start me off.

From what I can see, the phatbox is pretty much the same except it is flashed to work with certain car OEM stereos plus Kenwood and Sony. I assume that each flash installs the particular CDC (CD Changer) protocols.

So I was wondering if anyone had managed to crack these and add other CDC codes.

I have a Grundig OEM stereo and from what I can tell, probably runs the same CDC as the Blaupunkt stereos.
The other option is to see if Grundig made OEM stereos for any of the supported car makes and see if that works.
My absolute final option is a protocol changer that will change my Grundig CDC to a Sony CDC and see if a Sony flashed PB will work on that.

So many questions, so little knowledge so all apologies.

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Custom CDCs
« Reply #1 on: October 24, 2006, 09:33:08 pm »
The code that is loaded for interface with the various changer protocols is encrypted and we've not spent much time trying to break it down...  As far as I know no one has managed to hack it or update it in any way.

Now that said, your stereo format is not supported but the Sony method you mentioned MIGHT work.. no promises though.

There are three types of phatboxes .. the red ones (first run, no disk protection) the 1.1 version (silver ones for most cars) and the 1.2 which work with specific cars from Japan I think.

(well there's also the Kenwood music keg which is an OEM version of the 1.1)
you can load any firmware on any unit, but the 1.2 boxes have an extra chip involved that makes them work with specific stereos and other versions won't work with those stereos.

Offline zero cool

  • Getting the hang of things.
  • **
  • Posts: 52
  • PhatHacker
Re: Custom CDCs
« Reply #2 on: October 25, 2006, 11:45:01 am »
What would it take ($?) to get someone interested in hacking the protocols? I would REALLY like to be able to get a PB to work with my Nakamichi head unit.


Zc

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Custom CDCs
« Reply #3 on: October 25, 2006, 06:44:11 pm »
The issue in this case is a bit more complex than just $$$..

it would be time consuming to decode the protocol between a head unit and a native changer since as far as I can tell that documentation is not available freely...

secondly, once you have the protocol documented, you'd have to write the code for the 8052 microcontroller in the phatbox.  the code shipped by phatnoise is encrypted and then it's loaded onto the 8052 using the forceupdate file (that's the "firmware update" that phatnoise releases) ... this code is then verified and stored encrypted again inside the 8052 so it's hard to extract something to debug / start from.

So unless we can get phatnoise to share the code and the loading process for encrypting the data I don't think we'll get very far with the tools available to us.

Maybe if we had some test kits for the microcontroller they use.. I don't know.

Offline Evilution

  • A few posts under my belt.
  • *
  • Posts: 28
  • PhatHacker
Re: Custom CDCs
« Reply #4 on: October 25, 2006, 10:25:57 pm »
That's what I figured. I have contacted Phatnoise about giving me the code but I'm not expecting any response.
I have also contacted Grundig to ask if they would consider making a code with Phatnoise to support their players.
Again, I'm expecting a no.

I'll have to look into protocol changers and this voice add on thingy.

Offline az1324

  • Senior Member
  • Getting the hang of things.
  • *****
  • Posts: 93
Re: Custom CDCs
« Reply #5 on: November 01, 2006, 09:28:52 pm »
Quote
The issue in this case is a bit more complex than just $$$..

it would be time consuming to decode the protocol between a head unit and a native changer since as far as I can tell that documentation is not available freely...

secondly, once you have the protocol documented, you'd have to write the code for the 8052 microcontroller in the phatbox.  the code shipped by phatnoise is encrypted and then it's loaded onto the 8052 using the forceupdate file (that's the "firmware update" that phatnoise releases) ... this code is then verified and stored encrypted again inside the 8052 so it's hard to extract something to debug / start from.

So unless we can get phatnoise to share the code and the loading process for encrypting the data I don't think we'll get very far with the tools available to us.

Maybe if we had some test kits for the microcontroller they use.. I don't know.


Is it encrypted when it is written across the serial link to the 8052?

Offline zero cool

  • Getting the hang of things.
  • **
  • Posts: 52
  • PhatHacker
Re: Custom CDCs
« Reply #6 on: November 02, 2006, 12:37:49 pm »
I want this pretty badly myself. I have a couple of engineers I am going to toss this at as soon as they finish the project they are on now.

Zc

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Custom CDCs
« Reply #7 on: November 02, 2006, 11:08:40 pm »
Quote
Quote
The issue in this case is a bit more complex than just $$$..

it would be time consuming to decode the protocol between a head unit and a native changer since as far as I can tell that documentation is not available freely...

secondly, once you have the protocol documented, you'd have to write the code for the 8052 microcontroller in the phatbox.  the code shipped by phatnoise is encrypted and then it's loaded onto the 8052 using the forceupdate file (that's the "firmware update" that phatnoise releases) ... this code is then verified and stored encrypted again inside the 8052 so it's hard to extract something to debug / start from.

So unless we can get phatnoise to share the code and the loading process for encrypting the data I don't think we'll get very far with the tools available to us.

Maybe if we had some test kits for the microcontroller they use.. I don't know.


Is it encrypted when it is written across the serial link to the 8052?

AFAIK yes it is.  It's encrypted the whole time in various forms or never decrypted until run time.. not sure though.

Offline az1324

  • Senior Member
  • Getting the hang of things.
  • *****
  • Posts: 93
Re: Custom CDCs
« Reply #8 on: November 03, 2006, 12:03:03 am »
Well, it would probably be decrypted by the 8052 bootloader before being written into memory if it is in fact encrypted.  I tend to doubt whether it is encrypted over serial.  I'm sure it is protected inside the 8052 though.  The IAR C compiler supports that Winbond chip and has a free trial so someone could definitely play around with it.  As far as I can tell from the wiki, the 8052 acts like a watchdog timer for the main processor and also just passes back and forth commands and info.  So the programming isn't terribly complicated if you know how to interface to the head unit.

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: Custom CDCs
« Reply #9 on: November 03, 2006, 01:14:41 am »
Personally, I tend to agree with az1324 -- the 8052 is a pretty simple chip, I doubt they'd go to all the trouble of making it decrypt the firmware update in the 8052.   My guess is we just haven't had the right people looking at it yet, but I'm no expert so could be wrong.

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: Custom CDCs
« Reply #10 on: November 18, 2006, 12:25:13 am »
I can now state with certainty that firmware.pac is encrypted and the 8051 decrypts it.   There may be a way to load an unencrypted firmware, but I wouldn't have any idea where to start with that
« Last Edit: November 18, 2006, 12:26:48 am by sbingner »

Offline az1324

  • Senior Member
  • Getting the hang of things.
  • *****
  • Posts: 93
Re: Custom CDCs
« Reply #11 on: November 20, 2006, 11:49:22 pm »
Hmm that is unexpected.  How did you discover that?

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: Custom CDCs
« Reply #12 on: November 22, 2006, 12:45:11 am »
I sent an email to one of the ex-phatnoise devs :)  What I said is pretty much verbatim their reply

Offline zero cool

  • Getting the hang of things.
  • **
  • Posts: 52
  • PhatHacker
Re: Custom CDCs
« Reply #13 on: November 30, 2006, 11:11:11 pm »
Quote
I sent an email to one of the ex-phatnoise devs :)  What I said is pretty much verbatim their reply

 Can I hire this guy to develop a Nakamichi firmware set for me  8-)????



Zc

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: Custom CDCs
« Reply #14 on: December 02, 2006, 06:43:30 am »
That would not be permissible, they signed contracts

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: Custom CDCs
« Reply #15 on: December 03, 2006, 09:48:31 pm »
Generally, non-competes and work related contracts that limit what you can do with patented knowledge have limited terms...  in the 1 to 5 year range.. with 1 to 2 years being the norm in my experience.

I would think that some of the ex phatnoise employees should be able to at least openly discuss things with us at this point, if not do work on our projects if they were not being paid to do so and not run foul of these agreements.

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: Custom CDCs
« Reply #16 on: December 04, 2006, 10:35:57 am »
True, however Non-disclosure agreements can have much longer terms.   I don't know exactly what they signed tho ;)

Offline Evilution

  • A few posts under my belt.
  • *
  • Posts: 28
  • PhatHacker
Re: Custom CDCs
« Reply #17 on: December 04, 2006, 10:29:45 pm »
Can we not give them a backhander for essential info and just make out that Sbingner worked it out  ;)

Offline zero cool

  • Getting the hang of things.
  • **
  • Posts: 52
  • PhatHacker
Re: Custom CDCs
« Reply #18 on: December 16, 2006, 02:59:03 pm »
Well in reality they would not need to disclose anything. I send him a Nakamichi car stereo and $$$ and anything else he needs and in return he sends me back a firmware file. Nothing to disclose.

 No need to divulge where it came from or who did it. I just have it. Seems simple enough.

(I do understand about contracts etc....But you never know until it is asked)


Zc

Offline Evilution

  • A few posts under my belt.
  • *
  • Posts: 28
  • PhatHacker
Re: Custom CDCs
« Reply #19 on: December 16, 2006, 03:01:54 pm »
Plus everyone needs a little extra cash before Christmas.