My 1.5-year-old midnight hobby is coming to an end.
Artificial sound systems on VAGs are easy to retrofit, so I sparkled up with this idea from the first day I learned about it.
Basically, symposers are the only future for us: the planet is making another round, and production is reducing emissions and carbon footprint. Mankind does everything for hedonism, Tik-Tok, and entertainment at every moment of life. So, the car (regardless of the power unit) should reflect the mood of the owner and be as quiet or as loud as desired. You will be amazed at how many cars already have sound symposers and how they affect the sensations of driving. (Porsche Cayman owners, the last sentence was directed to you personally, try turning it off!) 😉
Two types of systems can be installed in a car: interior and exterior (exhaust). Both are made by Kendrion (formerly Kuhnke) company and are identical in terms of software. The difference is only in the built-in amplifier and connected speakers.
Internal units have part numbers ending with … 907 159; external ones – mostly with … 907 160, but there are several different patterns. More numerology is in my previous posts:
The most popular generations of those modules are SAK-GEN2 and SAK-GEN2.5. The 3rd generation started not long ago – it appears only in the newest hybrids and EVs of MQB-Evo and MEB platforms. Part numbers are … 035 335. I’m not sure what Kendrion really calls them; they are visible on the CAN bus as ESoundKenKuMQBENG, ESoundMEBHarma, and similar. The firmwares are four times bigger and encrypted with SHA256 keys. There will be no way to do anything with them in the next few years.
Firmware structure
Together with my buddy Jille daChillout, we studied GEN2 as the most popular and available. The first step is to convert the .frf file to .odx format, and I won’t describe it here – the web is full of converters. ODX can be easily read and understood as it’s plain XML. Firmware parts are stored there in HEX format and should be extracted into binary files. Every firmware contains three blocks of code: bootloader, program, and data.
02DATA data block (57,344 bytes) includes:
One firmware could store graphs for one car model split into 5-8 “Drive Select” profiles (Audi RS mostly);
or 3-5 VIN masks with 2-3 sound profiles assigned to each mask. (This is the majority of firmwares, regular cars have only Normal and Sport / Dynamic modes.)
Large spreadsheets, after importing to Excel as CSV, look something like this:
Samples
When all the data had already been marked up, and the CRC protection still did not give in, I wrote a script to generate the sound from samples, to find out why we were suffering so much.
Examples with ~1000 RPM frequency (web-browsers play them badly, download and open in your OS native media player):
With high motivation and a lot of time, you can even create your own hybrid firmware with the sounds of different cars, assigned to Eco / Comfort / Normal / Offroad / Dynamic / Race modes. But it takes hours to copy and paste all the rows and cells to and from binary files in spreadsheets and verify everything. Having some visual tools would help a lot.
Protection
In total, the data block of the firmware is protected with 3 checksums. It took us hundreds of hours to search for them and find the right settings and ranges. Without an updated CRC, the module generates a corrupted data error. (There is also a checksum for the executable code, but we haven’t touched it yet.)
Most of the time, I was writing scripts to convert, repack files and calculate the checksum with all possible algorithms. Jille daChillout was experimenting with ready-made utilities and libraries for an automated search. His technical posts detailing all the steps and math:
At the final stage, we even got our hands on the Renesas V850 disassembler. Willem Melching’s blog about hacking the steering rack helped a lot. He provides a great theoretical base on reverse engineering of automotive units, which I highly recommend reading. (He is also the head of the autopilot company comma.ai.)
Algorithms
The ODX container uses the CRC32_ADLATUS algorithm to check the integrity of any HEX data before flashing.
“ADLATUS” is some internal VAG term, but it appears to be regular CRC-32 with default polynomial and reversed permutation flag enabled:
The module code checks 2 byte-swapped CRC-16/CCITT ranges in the data part. The first one covers the XLS filename at the [64..128] interval, and the main one runs through the whole file [02..57344].
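The two checksum families described above, as an added Node.js example (not the author's tools from the GitHub repository). The function names are hypothetical, and the CRC-32 init/final XOR, the CRC-16 init value and the reading of the intervals as half-open byte ranges are assumptions, since the post does not state them.

```javascript
// Added example. Parameters the post does not state are marked as assumptions.

// CRC-32 with the default polynomial 0x04C11DB7, processed bit-reflected
// (reflected constant 0xEDB88320). Assumption: init and final XOR are 0xFFFFFFFF.
function crc32Reflected(buf) {
  let crc = 0xFFFFFFFF;
  for (const byte of buf) {
    crc ^= byte;
    for (let i = 0; i < 8; i++) {
      crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
    }
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// CRC-16/CCITT (polynomial 0x1021, MSB first) over the half-open range [start, end).
// Assumption: init defaults to 0xFFFF; pass 0x0000 for the XMODEM flavour.
function crc16Ccitt(buf, start, end, init = 0xFFFF) {
  let crc = init;
  for (let pos = start; pos < end; pos++) {
    crc ^= buf[pos] << 8;
    for (let i = 0; i < 8; i++) {
      crc = ((crc << 1) ^ (crc & 0x8000 ? 0x1021 : 0)) & 0xFFFF;
    }
  }
  return crc;
}

// Swap the two bytes of a 16-bit value.
const swap16 = (v) => ((v & 0xFF) << 8) | (v >>> 8);

// Both data-block checksums over the intervals given in the post,
// read here as half-open byte ranges (assumption).
const DATA_BLOCK_SIZE = 57344;
function dataBlockChecksums(block) {
  if (block.length !== DATA_BLOCK_SIZE) {
    throw new RangeError(`expected ${DATA_BLOCK_SIZE} bytes, got ${block.length}`);
  }
  return {
    filename: swap16(crc16Ccitt(block, 64, 128)),
    main: swap16(crc16Ccitt(block, 2, DATA_BLOCK_SIZE)),
  };
}

// Constructed sample block (not real firmware): one changed byte changes the checksum.
const sample = Buffer.alloc(DATA_BLOCK_SIZE, 0xAA);
const before = dataBlockChecksums(sample);
sample[1000] ^= 0x01;
const after = dataBlockChecksums(sample);
console.log(before.main !== after.main, before.filename === after.filename);
```

If a computed value never matches the one the module expects, the first parameters to vary are the CRC-16 init value and whether the range ends are inclusive.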
Results
As the final result of our sleepless nights, we made a template for the 010 Editor to colorize all known values and spreadsheets in 02DATA files. We’ve progressed in slightly different ways – you could either use Jille’s version, or mine:
I also made a set of tools (NodeJS + binaries) to extract binary data from ODX firmwares and pack it back with the right checksums calculated and injected. They are pushed to GitHub as well, check “tools” folder:
And finally, my little 🎁 gift to the community. This is an unlocked firmware from Audi TTRS 8S that can be flashed to any MQB and MLB-Evo car. I’ve tried them all and in my opinion this one sounds the best.
I started researching GEN2.5 (the template already covers about 95% of it) and also discovered a new type of GEN2 module from Chinese EVs with a hardware switch to turn the sound on/off.
It isn’t the end…