Sunday, 30 August 2020

Easy 2.5" bixenon upgrade for DEPO audi a4 b5 facelift headlights

If you like to upgrade your projector assembly in DEPO headlights for facelifted Audi A4 B5 for whatever reason here is a simple solution:

you need this 4TL-R 2.5" projector


https://www.aliexpress.com/item/32759121526.html

these are also available from other sources, but I did not test them and can not tell if they are same.
 

https://my.aliexpress.com/wishlist/shared.htm?groupId=100000023931021

and also here:

https://www.theretrofitsource.com/bi-xenon-4tl-r-P-M-4TLR?quantity=1


Next, you need the template for drilling which can be brought from my tindie store:

https://www.tindie.com/products/tomaskovacik/template-for-25-bixenon-depo-audi-a4-b5-lights/

With this template also comes document with detailed instructions on how to modify the projector to fit. It requires 4holes to be drilled into projector and made few cuts to clear inside of headlights.

Here are some sample pictures:

The adapter bolted to projector prior drilling new mounting holes.
Projector inside DEPO headlight.
 
Finally inside.
 
Low beams
Low beams

High beams

 

 

I sell on Tindie

Tuesday, 11 August 2020

fixing wiper motor JL 52372

If your wiper motor in V.A.G. car with part number JL 52372 is continuously running (probably as result you leave it on while blade is frozen to window :) )  most probably the chip inside is fried. If so, nee chip can be sourced on aliexpress: https://www.aliexpress.com/item/32958082771.html . After soldering chip in place, everythings works as it should.

Few pictures from module:







8205 datasheet:  http://file.elecfans.com/web1/M00/89/C6/o4YBAFyLiueATEfcAAvj6BVhw28408.pdf?filename=1527231143785052751.pdf

 

 


Monday, 10 August 2020

REFLASHING BM62 to 2.1.3

https://github.com/tomaskovacik/IS2020/wiki/Upgrading-firmware-on-BM62


P2_0 and P2_4 pulled to ground

EAN pulled high directly to VDD_IO (this is required even that datasheet stated there is pullup!)

22uF cap on VDD_IO (check erata)

5V connected to 5V

gnd to gnd

rx to B10 of stm32

tx to B11 of stm32

run isbtflash.exe

select com port, speed 115200:240 hit connect

browse-> select firmware files:

BT5506_SHS_FLASH.H00

BT5506_SHS_FLASH.H01

BT5506_SHS_FLASH.H02

BT5506_SHS_FLASH.H03

BT5506_SHS_FLASH.H04

BT5506_SHS_FLASH.H05

BT5506_SHS_FLASH.H06

BT5506_SHS_FLASH.H07

BT5506_SHS_FLASH.H08

BT5506_SHS_FLASH.H09

BT5506_SHS_FLASH.H10

BT5506_SHS_FLASH.H11

BT5506_SHS_FLASH.H12

BT5506_SHS_FLASH.H13

BT5506_SHS_FLASH.H14

BT5506_SHS_FLASH.H15

hit update button

after the restart of the module identify in EEPROM_tool as IS2064S_012_SPK02_V2.1_BETA

unfortunately, EEPROM_TOOL is not able to upload a new EEPROM patch created from

UITool_IS206x_012_DualModeSPK_v2.1.25_UI_Default_Table.txt or UITool_IS206x_012_DualModeSPK_v2.1.25_BM62_EVB_UartEnable.txt

and IS206X_012_DUALMODESPK2.1_E1.0.4.1_1214.bin

"Device's IC version doesn't match File's IC version: IS206X_012_DUALMODESPK2.1_E1.0"

reading the second post in this thread https://www.microchip.com/forums/m1046854.aspx I just remembered about stupid EAN PIN!

PULL P2_0 and ENA DOWN DIRECTLY TO GROUND! reset! -> IS206X_012_DUALMODESPK2.1_E1.0 !!! VOHO!!

write new eeprom, do not forget check "Load default in into IP" on third screen of MPET.exe

code for stm32:

#define BLUETOOTH_EEPROM_UPLOAD PA4 //goes to P2_0
#define BLUETOOTH_FLASH_UPLOAD PA5 //goes to P2_4
#define BLUETOOTH_EAN PA6 //goes to EAN
#define BLUETOOTH_RESET PB14

void setup() {
  Serial.begin(115200);
  Serial3.begin(115200); //Serial3 => TX = PB10, RX = PB11
//  pinMode(BLUETOOTH_EEPROM_UPLOAD, OUTPUT);
//  digitalWrite(BLUETOOTH_EEPROM_UPLOAD, LOW);
//  pinMode(BLUETOOTH_FLASH_UPLOAD, OUTPUT);
//  digitalWrite(BLUETOOTH_FLASH_UPLOAD, LOW);
//  pinMode(BLUETOOTH_RESET, OUTPUT);
//  digitalWrite(BLUETOOTH_RESET, LOW);
  delay(100);
  digitalWrite(BLUETOOTH_RESET, HIGH);
}

void loop() {
//  Serial.println("Start\nsending 0x0120fc00:");
//  delay(1000);
//  Serial3.write(0x01);
//  Serial3.write(0x20);
//  Serial3.write(0xFC);
//  Serial3.write(0x00);
//  Serial.println("responce:");
//  while (Serial3.available()) {    // If anything comes in Serial1 (pins 0 & 1)
//    Serial.write(Serial3.read());   // read it and send it out Serial (USB)
//  }
//  delay(1000);
  while (1) {
    if (Serial3.available()) {    // If anything comes in Serial1 (pins 0 & 1)
      Serial.write(Serial3.read());   // read it and send it out Serial (USB)
    }
    if  (Serial.available()) {     // If anything comes in Serial (USB),
      Serial3.write(Serial.read());   // read it and send it out Serial1 (pins 0 & 1)
    }
  }
  //delay(100);
}

Monday, 22 June 2020

Fixing AcceleDent Aura

Battery with same dimensions and same capacity for the unit can be found here: https://www.aliexpress.com/item/32820495056.html

 

If your unit stops working and the LED Indicator is flashing alternating green and orange it means that you reach some stupid hardcoded lifetime of unit. Check FAQ on https://acceledent.com/faq/:

There is only one correct response to this if you pay 1000euros for this unit:

Open it, desolder Microchip SPI EEPROM 25LC1024, then use Arduino with this sketch to dump content and then another sketch to clear the whole EEPROM. Solder it back and the unit is again working. My dump is saved here.









Friday, 11 October 2019

connecting JTAG to BK8000L

from datasheet of BK3254 bluetooth module, we know that CPU is BA22, there is posibility that cpu in bk8000L is the same, so I searched "ba22 openocd" and found this post:

https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/

from which I take jtag HW and SW part

jtag HW and SW part


JTAG HW:
 FT232H usb module: https://www.aliexpress.com/item/33052982174.html

SW: https://github.com/alephsecurity/BA2-toolchain (jtag-r34432.tar.xz)

patch for generic FT232H board


 open ftdi_driver.c

and add this line to ftdi_driver.c file

{ 0x0403, 0x6014, NULL, NULL, l_amontec_jtagkey2, 0 },

/* vendor, product, name pairs of supported devices */
struct ftdi_device_desc supported_devs[] = {
    { 0x0403, 0x6010, "Beyond", "Debug Key", l_beyond_debug_key_v1_2, 0 },          // Beyond Debug Key
    { 0x0403, 0x6010, "Beyond", "Debug Hub", l_beyond_debug_key_v1_1, 0 },          //   (eng. sample 2)
    { 0x0403, 0x6010, "Beyond", "JTAG Adapter", l_beyond_debug_key_v1_0, 0 },       //   (eng. sample 1)
    { 0x0403, 0xcff8, "Amontec", NULL, l_amontec_jtagkey2, 0 },                     // Amontec jtagkey/jtagkey2
    { 0x15ba, 0x002a, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-tiny-h
    { 0x15ba, 0x002b, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-ocd-h"
    { 0x15ba, 0x0004, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-tiny"
    { 0x15ba, 0x0003, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-ocd"
    { 0x0403, 0x6010, "Digilent", "Digilent Adept USB Device", l_digilent_hs1, 0 }, // Digilent hs1 ("adept")
    { 0x0403, 0xac09, "Atomic", NULL, l_amontec_jtagkey, 0 },                       // Atomic programming AP-114 (same layout as Amontec)
    { 0x0403, 0x8220, "DISTORTEC", "JTAG-lock-pick Tiny 2", l_lockpick2, 1 },       // JTAG-lock-pick Tiny 2
{ 0x0403, 0x6014, NULL, NULL, l_amontec_jtagkey2, 0 },
    { 0, 0 }
};



Connecting JTAG to BK8000L



AD0    TCK
AD1    TDI
AD2    TDO
AD3    TMS
AD5    /SRST
 
(https://www.tiaowiki.com/w/TIAO_USB_Multi_Protocol_Adapter_Lite_User%27s_Manual#20_PIN_JTAG_Connector) 
 
then short SCLK and SO pin on external flash, so CPU cant start up, plug FT232H adapter to USB and fire up jtag sw:
 
update: starting jp3 shortly after releasing RESET button does the trick also ... 
 
 
 nail@sid:~/tmp/jtag_ba22$ ./jp3 ftdi jtag://localhost:1234 -t15M
jp3: JTAG protocol via USB/parallel port for linux.
Version 1.6.3
Assuming debug_if's TAP has an IDCODE of 0x14951185.
Using 'FTDI Single RS232-HS (?)' interface.
Enabling high speed ftdi mode.
Using JTAG clock of 15 MHz
Disabling UART not supported/required on this adapter.
JTAG chain length: 1
Found device 0 (IDCODE: 14951185) to have a debug_if connected to it
  Debug interfaces(s) detected: if3
  Using debug interface 3.
Processor version: BA22 v5.2.2
  Memory interface for debuggers: yes
Remote ba debugging using jtag://localhost:1234
Press CTRL+c to exit.
 

OPENOCD

nail@sid:~/tmp/jtag_ba22$ openocd -f interface/ftdi/um232h.cfg -c "adapter_khz 100" -c " transport select jtag"
Open On-Chip Debugger 0.10.0+dev-00936-g0a13ca1-dirty (2019-10-07-08:06)
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.org/doc/doxygen/bugs.html
adapter speed: 100 kHz

jtag
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 100 kHz
Warn : There are no enabled taps.  AUTO PROBING MIGHT NOT WORK!!
Info : JTAG tap: auto0.tap tap/device found: 0x14951185 (mfg: 0x0c2 (Flextronics (Orbit Semiconductor)), part: 0x4951, ver: 0x1)
Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -irlen 2 -expected-id 0x14951185"
Error: IR capture error at bit 2, saw 0x3FFFFFFFFFFFFFF5 not 0x...3
Warn : Bypassing JTAG setup events due to errors
Warn : gdb services need one or more targets defined


 small update: 


so I have few minutes while eating my lunch:


https://www.beyondsemi.com/25/beyond-ba22-de-deeply-embedded-processor/#tab3
-> GCC
https://www.beyondsemi.com/86/beyondstudio-integrated-development-environment/
  • GCC 4.9.2
  • Binutils 2.24
  • GDB 7.8,1
  • Newlib C library 2.1.0
so I created account and requested access to beyond studio

GCC is GPL, so it one of these applies:
 - processor supported in upstream

 - they must give as patch




give as some hints, but I do not have time to play with it

Performance
Transfer rate in excess of 600 kB/s
30MHz maximum JTAG clock
....


SW was something special for BA22:  https://github.com/alephsecurity/BA2-toolchain
there are patches for gcc and other utils .....  anyone to take look?



then I go back to original site where It all started:
https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/
and previous post:
https://alephsecurity.com/2019/07/09/xiaomi-zigbee-2/


I installed radare2 pyba2 and run ti against bk8000l.bin, but I never use it so, I only try what I find on net :)


git clone https://github.com/radareorg/radare2
cd radare2 ; sys/install.sh
r2pm init
r2pm -i lang-python

git clone https://github.com/alephsecurity/pyba2
cd pyba2

r2 -I ba2r2.py BK8000L

in radare2:

aaaa -AA
v


Wednesday, 11 September 2019

Audi a4 b5 avant modifying washer fluid reservoir

How to modify washer fluid reservoir on the Audi A4 (b5 platform) to support the headlight washer pump and level warning switch for water level.

Positions of new components after the modification:



 Washing fluid level warning switch

Check the previous picture for the exact position for the switch. The hole needs to be 25mm wide, I use the wood drill (see the pictures). Simply place the rubber seal on the reservoir and mark the center of the seal. Be careful while drilling to avoid damage to the reservoir. After the hole is drilled, clean up edges.







Headlight washer pump

 There is a mark on the water tank at the position where the pump should be mounted. I use a 20mm drill for wood, gently to avoid damage to the reservoir, then clean edges. After drilling and cleaning are done insert rubber grommet for the pump, use some water as lubrication. Then install the pump. Wires for the pump must be at least 2.5mm2. The connector could be the same as for windscreen just connector on the pump must be modified, little notch on the connector must be cut flush.