Friday 11 October 2019

connecting JTAG to BK8000L

from datasheet of BK3254 bluetooth module, we know that CPU is BA22, there is posibility that cpu in bk8000L is the same, so I searched "ba22 openocd" and found this post:

https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/

from which I take jtag HW and SW part

jtag HW and SW part


JTAG HW:
 FT232H usb module: https://www.aliexpress.com/item/33052982174.html

SW: https://github.com/alephsecurity/BA2-toolchain (jtag-r34432.tar.xz)

patch for generic FT232H board


 open ftdi_driver.c

and add this line to ftdi_driver.c file

{ 0x0403, 0x6014, NULL, NULL, l_amontec_jtagkey2, 0 },

/* vendor, product, name pairs of supported devices */
struct ftdi_device_desc supported_devs[] = {
    { 0x0403, 0x6010, "Beyond", "Debug Key", l_beyond_debug_key_v1_2, 0 },          // Beyond Debug Key
    { 0x0403, 0x6010, "Beyond", "Debug Hub", l_beyond_debug_key_v1_1, 0 },          //   (eng. sample 2)
    { 0x0403, 0x6010, "Beyond", "JTAG Adapter", l_beyond_debug_key_v1_0, 0 },       //   (eng. sample 1)
    { 0x0403, 0xcff8, "Amontec", NULL, l_amontec_jtagkey2, 0 },                     // Amontec jtagkey/jtagkey2
    { 0x15ba, 0x002a, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-tiny-h
    { 0x15ba, 0x002b, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-ocd-h"
    { 0x15ba, 0x0004, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-tiny"
    { 0x15ba, 0x0003, NULL, NULL, l_olimex_armusb, 0 },                             // Olimex arm-usb-ocd"
    { 0x0403, 0x6010, "Digilent", "Digilent Adept USB Device", l_digilent_hs1, 0 }, // Digilent hs1 ("adept")
    { 0x0403, 0xac09, "Atomic", NULL, l_amontec_jtagkey, 0 },                       // Atomic programming AP-114 (same layout as Amontec)
    { 0x0403, 0x8220, "DISTORTEC", "JTAG-lock-pick Tiny 2", l_lockpick2, 1 },       // JTAG-lock-pick Tiny 2
{ 0x0403, 0x6014, NULL, NULL, l_amontec_jtagkey2, 0 },
    { 0, 0 }
};



Connecting JTAG to BK8000L



AD0    TCK
AD1    TDI
AD2    TDO
AD3    TMS
AD5    /SRST
 
(https://www.tiaowiki.com/w/TIAO_USB_Multi_Protocol_Adapter_Lite_User%27s_Manual#20_PIN_JTAG_Connector) 
 
then short SCLK and SO pin on external flash, so CPU cant start up, plug FT232H adapter to USB and fire up jtag sw:
 
update: starting jp3 shortly after releasing RESET button does the trick also ... 
 
 
 nail@sid:~/tmp/jtag_ba22$ ./jp3 ftdi jtag://localhost:1234 -t15M
jp3: JTAG protocol via USB/parallel port for linux.
Version 1.6.3
Assuming debug_if's TAP has an IDCODE of 0x14951185.
Using 'FTDI Single RS232-HS (?)' interface.
Enabling high speed ftdi mode.
Using JTAG clock of 15 MHz
Disabling UART not supported/required on this adapter.
JTAG chain length: 1
Found device 0 (IDCODE: 14951185) to have a debug_if connected to it
  Debug interfaces(s) detected: if3
  Using debug interface 3.
Processor version: BA22 v5.2.2
  Memory interface for debuggers: yes
Remote ba debugging using jtag://localhost:1234
Press CTRL+c to exit.
 

OPENOCD

nail@sid:~/tmp/jtag_ba22$ openocd -f interface/ftdi/um232h.cfg -c "adapter_khz 100" -c " transport select jtag"
Open On-Chip Debugger 0.10.0+dev-00936-g0a13ca1-dirty (2019-10-07-08:06)
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.org/doc/doxygen/bugs.html
adapter speed: 100 kHz

jtag
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 100 kHz
Warn : There are no enabled taps.  AUTO PROBING MIGHT NOT WORK!!
Info : JTAG tap: auto0.tap tap/device found: 0x14951185 (mfg: 0x0c2 (Flextronics (Orbit Semiconductor)), part: 0x4951, ver: 0x1)
Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -irlen 2 -expected-id 0x14951185"
Error: IR capture error at bit 2, saw 0x3FFFFFFFFFFFFFF5 not 0x...3
Warn : Bypassing JTAG setup events due to errors
Warn : gdb services need one or more targets defined


 small update: 


so I have few minutes while eating my lunch:


https://www.beyondsemi.com/25/beyond-ba22-de-deeply-embedded-processor/#tab3
-> GCC
https://www.beyondsemi.com/86/beyondstudio-integrated-development-environment/
  • GCC 4.9.2
  • Binutils 2.24
  • GDB 7.8,1
  • Newlib C library 2.1.0
so I created account and requested access to beyond studio

GCC is GPL, so it one of these applies:
 - processor supported in upstream

 - they must give as patch




give as some hints, but I do not have time to play with it

Performance
Transfer rate in excess of 600 kB/s
30MHz maximum JTAG clock
....


SW was something special for BA22:  https://github.com/alephsecurity/BA2-toolchain
there are patches for gcc and other utils .....  anyone to take look?



then I go back to original site where It all started:
https://alephsecurity.com/2019/07/15/xiaomi-zigbee-3/
and previous post:
https://alephsecurity.com/2019/07/09/xiaomi-zigbee-2/


I installed radare2 pyba2 and run ti against bk8000l.bin, but I never use it so, I only try what I find on net :)


git clone https://github.com/radareorg/radare2
cd radare2 ; sys/install.sh
r2pm init
r2pm -i lang-python

git clone https://github.com/alephsecurity/pyba2
cd pyba2

r2 -I ba2r2.py BK8000L

in radare2:

aaaa -AA
v


Wednesday 11 September 2019

Audi a4 b5 avant modifying washer fluid reservoir

How to modify washer fluid reservoir on the Audi A4 (b5 platform) to support the headlight washer pump and level warning switch for water level.

Positions of new components after the modification:



 Washing fluid level warning switch

Check the previous picture for the exact position for the switch. The hole needs to be 25mm wide, I use the wood drill (see the pictures). Simply place the rubber seal on the reservoir and mark the center of the seal. Be careful while drilling to avoid damage to the reservoir. After the hole is drilled, clean up edges.







Headlight washer pump

 There is a mark on the water tank at the position where the pump should be mounted. I use a 20mm drill for wood, gently to avoid damage to the reservoir, then clean edges. After drilling and cleaning are done insert rubber grommet for the pump, use some water as lubrication. Then install the pump. Wires for the pump must be at least 2.5mm2. The connector could be the same as for windscreen just connector on the pump must be modified, little notch on the connector must be cut flush.




Friday 2 August 2019

AUDI concert/chorus stable 12V power for antenna amplifier

If you have a problem with your radio reception it is possible that your radio is shutting down power for the amplifier in your antenna. I do not know why it is, just that output is controlled by the RDS processor, which will shut it after 5seconds.  So simple solution is simply emulating signal from the RDS processor. 1resistor(10k SMD 0805) need to be desoldered and then turned 90 degrees so one side is still connected to the base of the transistor and other side can be connected to ground, check pictures:


 After this mode, 12V DC is on antenna input jack, the only problem which probably raised up is that this setup is probably not protected against short to ground, so be careful and check your cables in your car!

EDIT: radio will not disable 12V on antenna input if around 2.5mA is drawn from it, so 390Ohm resistor should do the trick, use 1W, it can get hot!
EDIT2: soft coding of radio will change nothing.

AUDI concert/chorus fixing missing LCD pixels

Old audi radios concert and chorus (1st gen) are here for almost 20years and flex cable connection to front panel LCD is most likely gone on all of them. Recently I found a cheap solution ( around 10euros). This is not well tested ye, but what can we lose?

Symptoms


- missing pixels, rows or columns

few pictures caused  by bad flex cable connection:





problematic flex cable:


(updated: ) take pictures before you disassemble it

To fix this we need a new cable, I sourced mine at aliexpres (but only 2pcs required). If it will be no longer available simply search for bmw e34 dashboard speedometer flex cable, check this search on aliexpress. You also need T-tip iron similar to this one.  You can buy a combo of cable and iron, but unfortunerly these combos are most time 1cable and 1 iron and you need 2 cables.

When you will have required cable and iron

- while old cable is attached to LCD mark position of tracks on the LCD on both left and right side of LCD, use permanent marker which can be then removed with alcohol, but test if it can be removed or use transparent duct tape. Nex step is to take old flex of lcd and PCB.

 - clean in with IPA. The cable need to by extended, to accommodate for more tracks required. I simply cut one side of cable to close as possible to track, but not damage it. Then I attache this part of the cable to the LCD with fully heated iron, take your time and align tracks of cable to pads on lcd. You will do not have another chance with this probably ....  then count how much more traces you require and cut it from second cable and attache it.


The cable is longer then required, so updated next step is to assamblle it all together, then place cable on PCB side and mark where it needs to be cut and cut it with scissors.




Audi a4 b5 xenon headlight upgrade

Just to be clear: this can be done with H7 headlights also and you can put H7 in this projectors. Using D2S in original halogen headlight is most likely ilegal so ... do not forget that what you do is your responsibility, use your brain ...


Recently a friend of mine has contacted me, that he develops adapters for bi-xenon projectors into ours AUDI's A4 (B5 platform). So I had to try it, and I'm really pleased with the results, so we made few and sell them, read the whole article to find out more.

This is alternative to re-applying reflective metal coating on stock parabolas in old Audi A4 B5 headlights which is almost the same price as aftermarket headlights. This setup works for both halogens or xenons, facelift version with projectors, stock Valeo or DEPO aftermarket.

Why? Old projectors are gone:

Valeo from 2005 (27/01/05)
Xenon from 2000
And inside ... 

 

 

 

 

 

 

 

 

New bixenon projector

edit: they are gone from ali, so only source is retrofitlabs:
 https://www.retrofitlab.com/de/aharon-fx-r-bi-xenon-projectors-40-2.html

or alibaba?

https://www.alibaba.com/product-detail/AILECAR-Stanley-2-5-inch-Hid_60603606242.html

https://www.alibaba.com/product-detail/Wholesale-FXR-4-0-Hid-Bi_60603332193.html

I got my from these 2 stores:

DLAND store:


AUTOKI store:
AUTOKI FXR 4.0 2.5inch LHD RHD HID bi-xenon projector (59 + 5 shipping), these came with terrible moldy smell, but are same as DLAND from what I can see:

If they sell all, then you must search ali, ebay etc ...  but buy only one which looks exactly the same!
 
I cannot find these projector anymore on aliexpress, but they are still available at https://www.retrofitlab.com/en/xenon-projectors-1/aharon-fx-r-bi-xenon-projectors-40-1.html or you can take a look at other option: https://kovo-blog.blogspot.com/2020/07/easy-25-bixenon-upgrade-for-depo-audi.html
 

From DLAND store:


Projectors in my hands:




pics from AUTOKI store, black version:


New vs. old


Adapter

You can buy adapter version for OEM Valeo headlights and depo aftermarket, there is a slight difference in one hole. Personally, I put these projectors only in OEM headlights. OEM headlights (Valeo) for halogen and xenon are identical except for:

 - different projector, xenon is bigger, but holes are at the same locations
 - internal harness
 - xenon ballast
 - a sticker which says what should be inside: (d2s + h7 or h7 + h7)

Add caption

Where to get them? You can buy them at my store at tindie. Price is 30$ + shipping. The adapter is made of 3mm stainless steel. In case you upgrading halogen headlights you will need additional cover plates for the hole where xenon ballast sits (+10$). Kit includes adapters, screws, in case of cover plate +6screws then link to PDF manual, with detail step by step instructions.


I sell on Tindie

Simplified instruction

- mark original light projection on the wall in front of the car, do not move it, or mark car position on the ground, this simplifies final steps!!!
- mark the position of the headlight on a car and remove them from the car
- protect headlights optics!
- take ballast out of headlight or cut a hole in his place in case of halogen
- take out 3 screws which hold original projector inside
- mark projector assembly in case you want to put it back (which you will not want to 😉 ) and dismantle projector (4clips, a narrow flat screwdriver)
- take parts of projector out of the headlight
- cut small notch of one stand in the headlight, vacuum it afterwards!
- make 4 small modifications to the new projector, protect projector optics, do not even touch it with bare hands!
- put the projector in the headlight
- put the adapter on the new projector
- screw assembly in place of the old projector
- put ballast/cover plate in place, 6screws
- put the headlight back on the car
- setup light output based on markings made in the first step

Projectors mods


New projectors require a few small modifications:

 - drilling one hole(4,5mm) then make space for the head of this screw which will go into this hole
 - make space for two screw heads

It is not a big deal and can be done in a few minutes.
Tools required:
- drill + 4,5mm drill-bit
- flat and round file (or half-round)
- 5mm hex(allen) key

This is how the finished projector looks with mods:




In the place where the hole is drilled, the surface of the projector needs to be filed down so the screw can sit flat on the project. Simply put the screw in the hole and you will see how much to take. In the case of 2 bottom half circles, I simply mark how much to take and then just file it down to these marks. Bulb holder spring needs to be shaped so it does not touch headlight housing in the most upper position, check the next picture how I did it. It is not the prettiest but this is spring wire, hard to change its shape ...
modified bulb holder spring

After these steps, we can put the new projector in, then inside headlight put the adapter on new projector place it to its final position and remove protection from optics. Finally, screw it in place with original bolts. Then assemble headlight and put it in the car. In case you replacing halogen projector, put the bottom cover plate in place. In case you are upgrading ballast, the cover plate is a perfect place to drill a hole for it. I personaly use this ballast by DMEX Do not forget when retrofitting HID in halogen setup, headlight washer and height adjustment must be retrofitted also, but this depends on local law.

Here are finished headlights and light output, I have set it on the left side a little lower, just to be sure.


in car
Output, left side set low on purpose, just to be sure, while I was testing it.