unemployable / Golf-Mk5-RCD330-CAN-Filter

Allow an RCD330 Head Unit to work in a Golf MK5 (fixes steering wheel buttons, brightness and adds Google Assistant button)
5 stars 1 forks source link
brightness can-bus golf-mk5 rcd330 steering-wheel-buttons stm32 stm32ide

Golf Mk5 RCD330 CAN Filter

Allow an RCD330 Head Unit to work in a Golf Mk5 (fixes steering wheel buttons, screen brightness and adds a Google Assistant button)

This DIY project is based on great ideas and information found in this forum:
https://rcd330plus.com/showthread.php?tid=6741

It is still very much a work in progress.
A prototype was tested in a 2007 2.0 FSI Comfortline for a couple of weeks.

It has now been upgraded to a new version using the Blue Board:
https://github.com/unemployable/Golf-Mk5-RCD330-CAN-Filter/tree/Blue

Hardware

Rather than building my own hardware, I decided to search for an existing board that could be easily modified.
It needed to be reasonably small, but with Dual CAN Bus interfaces to enable true message filtering.
Also, preferably capable of running directly off 12V.

This search led me to an interesting video:
https://www.youtube.com/watch?v=f4af1OBU5nQ
and then on to these pages:
https://dangerouspayload.com/2020/03/10/hacking-a-mileage-manipulator-can-bus-filter-device
https://giddi.net/posts/reversing-a-canbus-odometer-filter-manipulator

These STM32 boards are readily available for under AU$30
https://www.aliexpress.com/item/4000238881021.html?spm=a2g0o.order_list.0.0.21ef1802x5VOwn
Green CAN Filter

Most of the green versions are newer than in the articles above, using different GPIO ports & serial pins on the back.

It is still possible to buy the older green version, but it's almost twice the price:
https://www.aliexpress.com/item/1005003130024266.html?spm=a2g0o.order_list.0.0.21ef1802x5VOwn

I've combined a "new" green version with one of these common RCD330/PQ adapter cables:
https://www.aliexpress.com/item/1005003052063834.html?spm=a2g0o.order_list.0.0.21ef1802x5VOwn RCD330-PQ-Adapter

Just remove the existing CAN module and cut the white/orange CAN bus wires between the plugs.
Attach the green filter board in-line between the plugs using those white/orange wires.
Each CAN bus interface on the green board will attach to its own plug (i.e. separating RCD330 CAN & Vehicle CAN).
12V BAT & GND (yellow/black) need to be tapped to power the green board.
Quadlock PQ Connector

It is also necessary to remove the two 120 ohm termination resistors on the the green board.

Now any CAN message from the car will need to go through the green CAN filter to get to the radio (and vice versa).

Investigation

I was curious how the CAN bus module on the original adapter cable worked.
What messages was it mysteriously modifying to allow the steering wheel buttons to work?

Pulling it apart revealed an STM32F042 and although the SWD pins are exposed, the device is firmware locked using RDP level 1.
That led to the discovery of an exploit in STM32F0 series processors where RDP-1 can be bypassed:
https://www.aisec.fraunhofer.de/en/FirmwareProtection.html

Their example code runs on an STM32F051 (which I didn't have), so I ported it to a spare Black Pill.
Amazingly, it worked and I now have a binary that can be reverse engineered with Ghidra.

It turns out there are only a few messages being checked/modified:

The module changes the operation of the Up/Down buttons by switching between two modes (using Menu/Ok).
Pressing Menu (MFD mode), only the MFD screens are changed.
Pressing Ok (RCD330 mode), both the MFD and RCD330 are changed (i.e. it sends extra messages for Next/Prev to the RCD330).
Unfortunately, there is no way to stop the MFD being updated by using a CAN bus filter at the radio.
Note: The 0x5c1 filter also changes the CAN DLC (length) from 1 to 8 for all button messages.

My car only has an MFD (Midline, Multi Function Display) in the instrument cluster which does not use the Menu button, making it available for other uses. However, using the Ok button to switch modes is annoying, as it will still impact the MFD on several screens.
Golf Mk5 MFD

Implementation

I chose the "new" green filter board as it had a couple of features I thought might help during development.
There is an on board LED (toggle on receiving CAN messages) and it uses serial (for simple control/debug messages) rather than SWD. Unfortunately this made programming it a little more difficult.

Arduino IDE does not support the STM32F105/107 used on these blue/green filter boards.
I ended up using STM32CubeIDE, but it only supports programming via SWD/JTAG, not serial.
Flashing was done separately using STM32CubeProgrammer in UART mode.

This meant the device had to be manually put into bootloader mode.
I glued & soldered a couple of micro push button switches to the board for NRST & BOOT0.
BOOT0 is available on one of the pads on the back of the board. NRST is connected to a cap on the top.

FTDI connections were also attached to USART1 Tx, Rx & Gnd pads on the underside of the board.

I could not figure out how to get existing CAN & UART Rx pins to also trigger EXTI (needed to wake from deep sleep).
Apparently it should work, but the HAL libraries might be preventing it from working.
I cheated by configuring the 3 spare "config" inputs and soldering links in parallel with each of the Rx pins (CAN1, CAN2 & USART1).
These extra GPIO pins were then all configured as separate EXTI inputs (rising/falling) - seems to work fine...

I have also added an alternate function on the Mute (Star) button to send the Google Assistant (Siri) message in MFD mode.
This was done because the "Hey Google" voice detection on the RCD330 is a bit flaky at times.

The brightness message (lights off) was also detected and modified (as discussed in the forum).
0x635 [3] 0x00 0x00 0x00 is changed to:
0x635 [3] 0x00 0x00 0xfd

I found 0xfe & 0xff actually made the display dim, 0xfd seems to be the max.
It is now so bright, I am running the RCD330 in its "darkest" screen setting.
I will probably change it to 0xdc in the next version.

All other 0x635 messages are sent through unchanged, so the variable dash back light adjustment still works on the RCD330:
0x635 [3] 0xNN 0x00 0x00 (where 0xNN varies from 0x1d to 0x62)

I have also implemented the 0x436 & 0x439 filtering, but it does not seem to be invoked in my car.

Power consumption is not that great, around 50ma running and 20ma in sleep/stop mode.
The CAN drivers on these boards (VP1050?) seem to have pin 8 (S) permanently connected to Gnd.
If this is a clone of the TI SN65HVD1050, it forces "high-speed mode" and has the highest consumption (typ. 50mA).
Tying this to Vcc should enable "listen-only silent mode" (typ. 6mA), which would be useful combined with STM32 sleep/stop mode.
As the CAN Driver runs on 5V and the STM32 on 3.3V, controlling the "S" pin directly from GPIO might not work.

Vehicle time & temperature on the RCD330 also works (i.e. when not using Android Auto / CarPlay).

Future Work

If the prototype proves to be reliable, I am considering some enhancements: