Author Topic: Autoliv NV2 on Raspberry Pi  (Read 32098 times)

0 Members and 1 Guest are viewing this topic.

Offline tmbincTopic starter

  • Regular Contributor
  • *
  • Posts: 249
Autoliv NV2 on Raspberry Pi
« on: December 22, 2018, 02:42:54 pm »
Some people may be interested - I made the NV2 (famous from Mike's teardown) work on a Raspberry Pi.  https://debugmo.de/2018/12/autoliv-nv2-teardown/

 
The following users thanked this post: oPossum, Fraser, BravoV, railrun, lukier, Cat, zbqpig, dnhkng, VGN

Offline railrun

  • Regular Contributor
  • *
  • Posts: 113
Re: Autoliv NV2 on Raspberry Pi
« Reply #1 on: December 22, 2018, 04:14:43 pm »
This is

AWESOME!
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 13148
  • Country: gb
Re: Autoliv NV2 on Raspberry Pi
« Reply #2 on: December 22, 2018, 06:53:26 pm »
It certainly is an Awesome investigation and result :-+

Fraser
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline railrun

  • Regular Contributor
  • *
  • Posts: 113
Re: Autoliv NV2 on Raspberry Pi
« Reply #3 on: December 27, 2018, 11:09:18 am »
How did you get the dump from the flash? Or have you found it somewhere in the internet?

Cheers
Martin
 

Offline tmbincTopic starter

  • Regular Contributor
  • *
  • Posts: 249
Re: Autoliv NV2 on Raspberry Pi
« Reply #4 on: December 27, 2018, 12:51:38 pm »
I desoldered the flash chip and dumped it in a programmer. (Previously I sniffed the SPI traffic and reconstructed the content; but this doesn't yield all data as some data is only read after the security challenge is completed.)
 

Offline oddbondboris

  • Contributor
  • Posts: 38
  • Country: us
Re: Autoliv NV2 on Raspberry Pi
« Reply #5 on: January 09, 2019, 12:04:32 am »
wow nice work, i picked one of these up on the super cheap and was working on interfacing the bolometer directly but this will be much easier to duplicate if i can ever find the time.
the fpdlink II docs are also welcome.
 

Offline tmbincTopic starter

  • Regular Contributor
  • *
  • Posts: 249
Re: Autoliv NV2 on Raspberry Pi
« Reply #6 on: January 09, 2019, 08:03:43 am »
I really want to work on documenting the bolometer interface next; How far have you gotten there?

I'd like to use them in a more compact design, and if I could replace the PCBs with a custom PCB then one could build a self-contained camera in the original case (say with WiFi/USB/... output). Also I have a couple of NV3 that I would want to use, but interfacing with the high-speed serial stream is even more annoying.
 

Offline lukier

  • Supporter
  • ****
  • Posts: 634
  • Country: pl
    • Homepage
Re: Autoliv NV2 on Raspberry Pi
« Reply #7 on: January 09, 2019, 12:53:13 pm »
Awesome job tmbinc!

Back when I looked at this (2015) I've also downloaded the SPI flash, saw some strings there in the FW part, but I didn't know about cpu_rec and binwalk wasn't helpful to say which architecture it is so I kind of put this project on the shelf and moved to do something else. I'm glad you had more determination and skill :)

I'm thinking, is the FPGA on the receiving end necessary? Maybe just DS90C124 deserializer + GPIO to USB IC (like Cypress FX2/FX3) could do to get the pixels to the PC in real time?

Somebody on the forum approached the problem from the ROIC end and ignored the FPGA, CAN and security which is also an option I guess.

Did you figure out this dense SMD pin header on the power board? Maybe it is the raw 14 bit video like in Tau cameras, so one could tap there and don't bother with FPD Link?
 

Offline cq-317

  • Contributor
  • Posts: 38
  • Country: cn
Re: Autoliv NV2 on Raspberry Pi
« Reply #8 on: January 10, 2019, 12:27:01 pm »
Awesome job tmbinc!

Back when I looked at this (2015) I've also downloaded the SPI flash, saw some strings there in the FW part, but I didn't know about cpu_rec and binwalk wasn't helpful to say which architecture it is so I kind of put this project on the shelf and moved to do something else. I'm glad you had more determination and skill :)

I'm thinking, is the FPGA on the receiving end necessary? Maybe just DS90C124 deserializer + GPIO to USB IC (like Cypress FX2/FX3) could do to get the pixels to the PC in real time?

Somebody on the forum approached the problem from the ROIC end and ignored the FPGA, CAN and security which is also an option I guess.

Did you figure out this dense SMD pin header on the power board? Maybe it is the raw 14 bit video like in Tau cameras, so one could tap there and don't bother with FPD Link?

I think even if the dense SMD pin header on the power board is the 14 bit raw video, it also has no value, because this is just the sensor data, the FPGA also needs to calculate the final image, including various corrections and signal processing.
 

Offline oddbondboris

  • Contributor
  • Posts: 38
  • Country: us
Re: Autoliv NV2 on Raspberry Pi
« Reply #9 on: January 10, 2019, 06:05:59 pm »
I really want to work on documenting the bolometer interface next; How far have you gotten there?

I'd like to use them in a more compact design, and if I could replace the PCBs with a custom PCB then one could build a self-contained camera in the original case (say with WiFi/USB/... output). Also I have a couple of NV3 that I would want to use, but interfacing with the high-speed serial stream is even more annoying.
i've got one rigged up pretty cleanly, cpld and an fx2 is all you really need, just havent had the time to get the sensor working properly. if you want standalone, a beaglebone and a cpld should be about ideal with it's fast gpio and dedicated io processors, shouldn't have an issue implementing a 28 bit dual input shift register/level shifter in basically any cpld or fpga that supports 2.5v io
 

Offline ArsenioDev

  • Regular Contributor
  • *
  • Posts: 236
  • Country: us
    • DiscountMissiles: my portfolio and landing page
Re: Autoliv NV2 on Raspberry Pi
« Reply #10 on: January 11, 2019, 07:59:40 pm »
Holy hell the madmen actually did it! Now I want one of those even more than I already did for their lens stack
 

Offline LesioQ

  • Regular Contributor
  • *
  • Posts: 66
  • Country: pl
  • Every king should be naked.
Re: Autoliv NV2 on Raspberry Pi
« Reply #11 on: January 13, 2019, 11:46:06 am »
I really want to work on documenting the bolometer interface next; How far have you gotten there?

I'd like to use them in a more compact design, and if I could replace the PCBs with a custom PCB then one could build a self-contained camera in the original case (say with WiFi/USB/... output). Also I have a couple of NV3 that I would want to use, but interfacing with the high-speed serial stream is even more annoying.

This is about where I postponed the work:

https://www.eevblog.com/forum/thermal-imaging/interfacing-isc0601b-bolometer/msg1495546/#new

Some static images captured, but without FPGA work - no chance for faster frame rate, I'm afraid.

Piotr.K
 

Offline ArsenioDev

  • Regular Contributor
  • *
  • Posts: 236
  • Country: us
    • DiscountMissiles: my portfolio and landing page
Re: Autoliv NV2 on Raspberry Pi
« Reply #12 on: January 16, 2019, 07:23:53 pm »
Interesting, I wonder if it could be done on one of the Lattice series, considering it appears to be parallel, a few SERDES might do the trick.
 

Offline oddbondboris

  • Contributor
  • Posts: 38
  • Country: us
Re: Autoliv NV2 on Raspberry Pi
« Reply #13 on: January 17, 2019, 09:26:15 pm »
Interesting, I wonder if it could be done on one of the Lattice series, considering it appears to be parallel, a few SERDES might do the trick.
the gearboxes in lattice fpgas do roughly the same thing if fed with a proper clock, you can probably abuse the ddr3 deserializer

so i did a bit more research on fpdlink II and it seems ti makes a fpdlinkII to mipi csi bridge, somone well versed in writing csi drivers/firmware could ideally interface the i2c channel on the csi interface to the can with a cheap micro and get this working with hardware accellerated capture on a raspi or some other sbc with a csi connector for <$20 bom cost and with a proper fpdlinkII interface with all the noise immunity that brings.  even if an exploit can't be found for reading the key out of the camera without disassembly, (assuming the key isn't a static value), reading a configuration rom isn't exactly major surgery.
« Last Edit: February 04, 2019, 02:48:27 pm by oddbondboris »
 

Offline Treehouseman

  • Supporter
  • ****
  • Posts: 58
Re: Autoliv NV2 on Raspberry Pi
« Reply #14 on: March 27, 2019, 12:18:54 am »
I know you weren't looking to give out the key you used to complete the UDS challenge but I can't seem to repeat your process. I got the flash dumped, I can see strings at the end of the flash, including the few lines you showed, cpu_rec identified microblaze, but whenever I try to run data2mem it crashes. I've tried windows and linux, and 2 different versions of data2mem, they all give the same response.

Code: [Select]
tripp@MoonServ2:~/thermal$ /tools/Xilinx/SDK/2018.3/bin/data2mem -bt flash.bit -bm dummy.bmm -d


INTERNAL_ERROR:Data2MEM:45 - Memory allocation leak of 136 bytes at 0x0227E7A8 for a 'fileIODescriptorType' record.
    Total memory in use at allocation was 2400 bytes.
    Source file "FileUtils.c", line number 1853.

Memory contents:

 0227E7A8:   00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00   ................
 0227E7B8:   10 EA 27 02 00 00 00 00 18 0F 28 02 00 00 00 00   ..'.......(.....
 0227E7C8:   A0 86 01 00 00 00 00 00 00 00 00 00 A0 86 01 00   ................
 0227E7D8:   A0 86 01 00 01 00 00 00 00 00 00 00 00 00 00 00   ................


INTERNAL_ERROR:Data2MEM:45 - Memory allocation leak of 33 bytes at 0x0227E8A8 for a StrDup.
    Total memory in use at allocation was 2536 bytes.
    Source file "FileUtils.c", line number 1858.

Memory contents:

 0227E8A8:   01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
 0227E8B8:   66 6C 61 73 68 2E 62 69 74 00 00 00 00 00 00 00   flash.bit.......
 0227E8C8:   00                                                .


INTERNAL_ERROR:Data2MEM:45 - Memory allocation leak of 100003 bytes at 0x02280F18 for 'char' data.
    Total memory in use at allocation was 2569 bytes.
    Source file "FileUtils.c", line number 1919.

Memory contents:

 02280F18:   FF FF FF FF AA 99 55 66 30 00 80 01 00 00 00 07   ......Uf0.......
 02280F28:   30 01 60 01 00 00 00 7C 30 01 20 01 00 20 31 E5   0.`....|0. .. 1.
 02280F38:   30 01 C0 01 01 C2 E0 93 30 00 C0 01 00 00 00 00   0.......0.......
 02280F48:   30 00 80 01 00 00 00 09 30 00 20 01 00 00 00 00   0.......0. .....

 

Offline tmbincTopic starter

  • Regular Contributor
  • *
  • Posts: 249
Re: Autoliv NV2 on Raspberry Pi
« Reply #15 on: March 27, 2019, 04:04:46 pm »
Hi,

I realized I hand-waved a little bit too much here, sorry - you need to convert the .bin file (from the flashdump) to .bit, for example by pre-pending this header:


00000000: 0009 0ff0 0ff0 0ff0 0ff0 0000 0161 001a  .............a..
00000010: 746f 702e 6e63 643b 5573 6572 4944 3d30  top.ncd;UserID=0
00000020: 7846 4646 4646 4646 4600 6200 0d33 7331  xFFFFFFFF.b..3s1
00000030: 3230 3065 6674 3235 3600 6300 0b32 3031  200eft256.c..201
00000040: 382f 3036 2f32 3900 6400 0931 363a 3535  8/06/29.d..16:55
00000050: 3a34 3200 6500 0753 94                   :42.e..S.

 

Offline Treehouseman

  • Supporter
  • ****
  • Posts: 58
Re: Autoliv NV2 on Raspberry Pi
« Reply #16 on: March 28, 2019, 09:22:33 pm »
That header worked perfectly. Though now I'm struggling to find the actual bootloader, it looked like it might just be inverted since data2mem dumps row 13 first, but I can't get any reasonable looking instructions. So far I've tried it in the original order from data2mem, making the rows go from 0-13, and doing byte reversal, but nothing matches, is there a standard entry point for the bootloader? I tried just seeing if I could find where it was loading from spi but I can't find anything documenting what the standard register addresses are. It's not in the IP ref or in the spartan datasheet.

I at least got somewhere with the flash, looks like all the code starts at 0x7E0000, but it doesn't look like there's an obivous main loop, so I'm going to have to trace it until I find that bit check you mentioned or the can bus stuff if I can figure out the registers.

On another note it looks like the cameras are likely keyed to thier modules and it's not a universal key for all the cameras. Really it's not surprising since this has been standard for quite some time with ECU's and immobilizers. In the strings output from the flash I found a VIN matching a 2013 Audi S6, followed by the model and sw of the camera, and then the serial of the camera as indicated on the sticker. While there's a private bus between the camera and the module, the module is still on the main can bus for the vehicle.
 

Offline tmbincTopic starter

  • Regular Contributor
  • *
  • Posts: 249
Re: Autoliv NV2 on Raspberry Pi
« Reply #17 on: March 28, 2019, 09:51:48 pm »
It should be 2 cols x14 rows, and Microblaze typically starts with a number of "BRI" (or something) instructions, i.e. 0xB8 ... No inversion is necessary, just pick the right rows and order them correctly.

I have a number of NV2s, from both Audi and BMW (I don't have one from Mercedes), and they all use the same key. The VIN is not used for unlocking in the camera.

If someone has the firmware from the ECU (decrypted; all I have is the encrypted firmware update) I'd be interested. Otherwise I need to try to dump the S12x...
 
The following users thanked this post: ArsenioDev

Offline Treehouseman

  • Supporter
  • ****
  • Posts: 58
Re: Autoliv NV2 on Raspberry Pi
« Reply #18 on: April 16, 2019, 03:42:45 am »
Finally got the camera to wake up, ended up throwing me for quite a few loops. Mainly there's 2 massive capacitors on the can lines inside the camera that were causing massive ringing making it impossible to talk to. After removing those capacitors from the circuit I was able to figure out that the camera wanted 100kbit/s and it finally started talking. I'm going to build up a proper deserializer board using the companion TI chip for the serializer in the camera and go from there instead of the fpga route. I think it might still be easier overall than it was figuring out the can bus issues and disassembling the microblaze code.

Before cap removal:


After cap removal:


Capacitors in question:
« Last Edit: April 16, 2019, 03:45:07 am by Treehouseman »
 

Offline tmbincTopic starter

  • Regular Contributor
  • *
  • Posts: 249
Re: Autoliv NV2 on Raspberry Pi
« Reply #19 on: April 16, 2019, 07:07:51 am »
Huh, interesting, the caps never posed a problem. I've used all of a Lawicel CANUSB, 8devices USB2CAN, a non-isolated custom CAN board as well a cheap mcp2515 (modified to 3.3V for raspberry PI) without having trouble. The nice thing is that all ports on the camera are 12V tolerant - which means you hook up any permutation of these wires to GND, 12V, CANH, CANL, LVDS+, LVDS- without any damage to the camera. (This includes for example 12V on LVDS ports, or inverted polarity on the power).

I would be interested in a deserializer board as well, maybe coupled to a small FPGA or directly going into a SoC (if possible).
 

Offline Treehouseman

  • Supporter
  • ****
  • Posts: 58
Re: Autoliv NV2 on Raspberry Pi
« Reply #20 on: April 16, 2019, 11:51:25 am »
Yeah, I had tried multiple drivers and chips, mcp2515, esp32, NEC 1050, mcp2561, and finally I ordered the same ti chip as the camera and put it on a mcp2515 board (I ordered mcp2515 boards after a breadboarded one didn't work, it wasn't until I removed those caps it magically had a proper signal, I spent more time stuck on can bus than the fpga.

It's nice to know all pins are 12v tolerant, makes me a bit more reassured I'm not going to easily damage it, I'm still not 100% on how video decoding is going to work, but I figured the right deserializer chip was a good place to start, I don't have your exact fpga to try your code on and it should just spit the parallel data out once connected, I just need something to read it in.
 

Offline ArsenioDev

  • Regular Contributor
  • *
  • Posts: 236
  • Country: us
    • DiscountMissiles: my portfolio and landing page
Re: Autoliv NV2 on Raspberry Pi
« Reply #21 on: May 14, 2019, 04:51:29 am »
Alright guys, I finally got a ping on my radar of a DEAL on the NV2 and since I already have my ICEBreaker FPGA on hand, I figured why not go for it!
Threw down the cash and now it's a waiting game while I download the software to extract the key and grab the docs I need. Worst case I can resell the camera on here to one of you all
 

Offline Treehouseman

  • Supporter
  • ****
  • Posts: 58
Re: Autoliv NV2 on Raspberry Pi
« Reply #22 on: June 15, 2019, 04:05:44 am »
Progress has been made! A deserializer daughterboard attached to the FT2232H dev board is dumping data in a usable fashion, this is just a raw dump of the port with the upper 6 bits opened in gimp as a raw image.
 

Offline Treehouseman

  • Supporter
  • ****
  • Posts: 58
Re: Autoliv NV2 on Raspberry Pi
« Reply #23 on: June 16, 2019, 06:00:47 am »
And we now have 14 bit data coming in via the FTDI board! Images have to be manually assembled right now, but the data is coming through as valid. There's some issues with the decode, not sure if it's the FTDI or if it's the deserializer. Still some major progress, now to just work out software to automatically stitch images together.
 
The following users thanked this post: railrun

Offline tmbincTopic starter

  • Regular Contributor
  • *
  • Posts: 249
Re: Autoliv NV2 on Raspberry Pi
« Reply #24 on: June 16, 2019, 07:58:57 am »
\o/

Great to see this working!
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf