Reverse Engineering MKIV Radios

gmenounos

Vendor
Joined
Jun 26, 2003
Location
Watertown, MA, USA
TDI
'99.5 Golf GLS, '01 Jetta GLX Wagon (TDI conversion)
Stumbled upon this today: https://github.com/mnaberez/vwradio

This guy has figured out how to extract a ROM dump from various MKIV radios and reverse engineer some of the code. He's written a tool that can extract the SAFE code from Premium 4 (Clarion), Premium 5 (Delco), Gamma 5 (TechniSat) and Rhapsody radios.
 

oilhammer

Certified Volkswagen Nut & Vendor
Joined
Dec 11, 2001
Location
outside St Louis, MO
TDI
There are just too many to list....
Since this is likely above my pay grade, by "tool" he means some form of software? It would be nice to be able to send a radio to someone, have its code extracted, and sent back, if that is what it takes. The current system sucks, didn't used to be this way, and I really have no idea why VAG changed this. Do they really think the black market on stolen radios for 15+ year old Volkswagens is a thing? :rolleyes:
 

compu_85

Gadget Guy
Joined
Sep 29, 2003
Location
La Conner, WA
TDI
... None :S
Yup, this looks like a bit of software you run on a PC, then using a Ross-Tech cable in "dumb" mode, it talks to the radio and gets or resets the code.

I have some old radios sitting on my bench, I'll have to play around with this when I get back home.
 

mnaberez

Member
Joined
Jun 24, 2020
Location
California
TDI
'98 Jetta
> Yup, this looks like a bit of software you run on a PC, then using a Ross-Tech cable in "dumb" mode, it talks to the radio and gets or resets the code.
The GitHub link above is my project.

It only works with the custom hardware that is described in the GitHub repository. Instead of using a "dumb" cable, I built my own interface from scratch using a microcontroller. This allowed me to implement automatic baud rate detection and have guaranteed timing for more reliable communications. An interesting aspect of my interface is that in addition to VW's KWP1281 protocol, it speaks a proprietary manufacturing protocol used by TechniSat radios. This protocol is unlike any VW protocol. I discovered and reverse engineered it by disassembling radio firmware binaries.

For the radios it supports, my project is able to retrieve the SAFE code by simply plugging into the back of the radio. However, please note that VW has many radios that look similar but are completely different inside. Each one requires a nontrivial reverse engineering effort. My project only works with the specific radios listed.

Building my project currently requires electronics and microcontroller experience. A couple of people with these skills have written to me to say they have used my project successfully. This is a hobby project and fun technical challenge for me. As time permits, perhaps I can make it accessible to a wider audience. I always update the GitHub repository linked above for those who want to follow my progress.
 

gmenounos

Vendor
Joined
Jun 26, 2003
Location
Watertown, MA, USA
TDI
'99.5 Golf GLS, '01 Jetta GLX Wagon (TDI conversion)
> The GitHub link above is my project.
Thank you for that!

If you're feeling bored and want to reverse engineer more MKIV radios, I have a Gamma 5 made in Germany by Blaupunkt and several Delta 6 double-DINs made in Hungary. I like the Gamma and the Delta because they support RDS. The only problem with the Delta is that it uses the Euro AM frequencies so most AM stations in the US can't be tuned. I'd love to know if there's some way to reprogram it for the US frequency spacing.
 

mnaberez

Member
Joined
Jun 24, 2020
Location
California
TDI
'98 Jetta
> If you're feeling bored and want to reverse engineer more MKIV radios, I have a Gamma 5 made in Germany by Blaupunkt and several Delta 6 double-DINs made in Hungary.
Thank you but I've already collected a small pile of different VW radios from Europe. I hope to look into them eventually.

I'm currently working on modifying the Premium 5 (Delco) radio used in North America. I drive a Mk3 and I have installed a Premium 5 radio in it. The Mk3 only has a single-DIN opening and also doesn't have an FIS cluster option for things like FIS-Control. Instead, I have been modifying the Premium 5 radio (video). The radio works as before but hitting a button puts it into a new scan tool mode. It is partially working now but I still have a lot more work to do.

> The only problem with the Delta is that it uses the Euro AM frequencies so most AM stations in the US can't be tuned. I'd love to know if there's some way to reprogram it for the US frequency spacing.
I suspect some radios can be reconfigured. When I disassembled the Premium 4 (Clarion) radio, I was surprised to see North American frequencies hardcoded into the ROM. That particular radio can't be reconfigured. Each radio model has to be investigated on an individual basis.
 

gmenounos

Vendor
Joined
Jun 26, 2003
Location
Watertown, MA, USA
TDI
'99.5 Golf GLS, '01 Jetta GLX Wagon (TDI conversion)
> I'm currently working on modifying the Premium 5 (Delco) radio used in North America. I drive a Mk3 and I have installed a Premium 5 radio in it. The Mk3 only has a single-DIN opening and also doesn't have an FIS cluster option for things like FIS-Control. Instead, I have been modifying the Premium 5 radio (video). The radio works as before but hitting a button puts it into a new scan tool mode. It is partially working now but I still have a lot more work to do.
Very cool! I was just about to ask what logic analyzer you're using but then saw the Saleae software. Coincidentally I just bought a Logic 8, which arrived today. I'm hoping to reverse engineer how Vag-Tacho and similar tools read the MKIV instrument cluster's EEPROM and how VDS-Pro talks to the CCM.
 

mnaberez

Member
Joined
Jun 24, 2020
Location
California
TDI
'98 Jetta
> I'm hoping to reverse engineer how Vag-Tacho and similar tools read the MKIV instrument cluster's EEPROM and how VDS-Pro talks to the CCM.
I haven't studied the clusters. I do have a Mk4 FIS cluster that I use for testing the radios. My KWP1281 tool in the GitHub repository is able to reliably communicate with the cluster. You could use it to send arbitrary messages to the cluster if you reverse engineered what to send.
 

gmenounos

Vendor
Joined
Jun 26, 2003
Location
Watertown, MA, USA
TDI
'99.5 Golf GLS, '01 Jetta GLX Wagon (TDI conversion)
I've written a program that can send some KW1281 commands to various VW control modules. It can extract the SAFE code from a Delco Premium 5 radio using the technique discovered by Mike Naberezny (but doesn't require a custom board). It can read/write the CCM EEPROM like VDS-Pro (but doesn't require an old PC running DOS). I would eventually like to add the ability to read/write the instrument cluster EEPROM like VAG-Tacho but that's going to require some time to reverse engineer.

The program runs on Windows 10 (and maybe Windows 7, Linux and macOS). It needs just a dumb serial or USB KKL cable or an older VCDS cable with the Virtual COM Port drivers installed.

You can download the source code and instructions here:
https://github.com/gmenounos/kw1281test

Here's an example of extracting a SAFE code from the radio:
Code:
C:\> kw1281test.exe COM1 10400 7C DelcoVWPremium5SafeCode
Opening serial port COM1
Sending wakeup message
Reading sync byte
Keyword Lsb 0x01
Keyword Msb 0x8A
Protocol is KW 1281 (8N1)
ECU:
Sending Login block
Sending ReadEeprom block (Address: 0x0014, Count: 0x02)
Received "Read ROM/EEPROM Response" block: 03 42
Safe code: 0342
Sending EndCommunication block

Here's an example of reading a byte from the CCM's EEPROM:
Code:
C:\> kw1281test.exe COM1 9600 46 ReadEEPROM 4361
Opening serial port COM1
Sending wakeup message
Reading sync byte
Keyword Lsb 0x01
Keyword Msb 0x8A
Protocol is KW 1281 (8N1)
ECU: 1C0959799C  1H Komfortgerat HLO 0003☻♦B
Sending Login block
Sending ReadEeprom block (Address: 0x1109, Count: 0x01)
Received "Read EEPROM Response" block: 8A
Address 4361 ($1109): Value 138 ($8A)
Sending EndCommunication block
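
The transcripts in the post above record which EEPROM addresses a diagnostic session read and what came back. As an added example (not part of the original post and not code from kw1281test), this Python snippet audits such a saved log; the names `audit`, `keyword_number` and `bcd_digits` are hypothetical, and it assumes each key byte carries 7 data bits plus a parity bit and that the two SAFE bytes are read as packed decimal digits, which matches the transcript.

```python
import re

# Constructed input: the first kw1281test transcript quoted in the post above.
SESSION = """\
Opening serial port COM1
Sending wakeup message
Reading sync byte
Keyword Lsb 0x01
Keyword Msb 0x8A
Protocol is KW 1281 (8N1)
ECU:
Sending Login block
Sending ReadEeprom block (Address: 0x0014, Count: 0x02)
Received "Read ROM/EEPROM Response" block: 03 42
Safe code: 0342
Sending EndCommunication block
"""

KEYWORD = re.compile(r"Keyword (Lsb|Msb) 0x([0-9A-Fa-f]{2})")
REQUEST = re.compile(r"Sending ReadEeprom block \(Address: 0x([0-9A-Fa-f]+), Count: 0x([0-9A-Fa-f]+)\)")
RESPONSE = re.compile(r'Received "Read (?:ROM/)?EEPROM Response" block:((?: [0-9A-Fa-f]{2})+)')


def keyword_number(lsb, msb):
    """Assumption: bit 7 of each key byte is parity, so only 7 bits count."""
    return ((msb & 0x7F) << 7) | (lsb & 0x7F)


def bcd_digits(data):
    """Return the bytes as decimal digits, or None if a nibble exceeds 9."""
    text = data.hex()
    return text if text.isdigit() else None


def audit(log):
    """Return (keyword, reads); reads has one dict per answered EEPROM read."""
    key, reads, pending = {}, [], None
    for line in log.splitlines():
        if m := KEYWORD.search(line):
            key[m.group(1)] = int(m.group(2), 16)
        elif m := REQUEST.search(line):
            pending = (int(m.group(1), 16), int(m.group(2), 16))
        elif (m := RESPONSE.search(line)) and pending:
            data = bytes.fromhex(m.group(1))
            addr, count = pending
            # "complete" flags a response shorter or longer than requested.
            reads.append({"address": addr, "data": data, "complete": len(data) == count})
            pending = None
    keyword = keyword_number(key["Lsb"], key["Msb"]) if len(key) == 2 else None
    return keyword, reads
```

Run over the first transcript, it reports keyword 1281 and one complete two-byte read at address 0x0014 whose bytes decode to the digits 0342.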

gmenounos

Vendor
Joined
Jun 26, 2003
Location
Watertown, MA, USA
TDI
'99.5 Golf GLS, '01 Jetta GLX Wagon (TDI conversion)
My app can now pull the SAFE code from Clarion Premium IV and Delco Premium V radios (not to mention pulling the SKC from many types of MKIV clusters) using either a generic KKL cable or older Ross-Tech VCDS cables:
