My latest acquisition is an Audi A6 2.8 Quattro. One of the many really nice bits of thought that Audi put into this was the flap that covers the head unit. Like many, I like as little light in the cabin as possible at night, so I thought this was great. Sadly the Alpine head unit (which is awesome) that has been fitted aftermarket sticks out too far; you can’t close the flap. In fact a quick look shows that most manufacturers insist on a stupid, huge control knob, so there is nothing that will drop in. I’d also like to keep it stock and get the dash display back. So off we go looking….
Exhibit 1, the Concert 2. This is CD rather than Cassette but requires a CAN bus equipped car. The facelift A6 B5 does support this and this is the radio in those cars. It supports the BOSE audio system in mine, should make the dash work and supports multiple inputs (CD Changer, Nav, Phone), so it should be hackable for Bluetooth and line in. I obtained a CAN adaptor and off we went…..
No dash screen. Seems the Concert 2 wants to chat to the dash screen over CAN, not the FIS interface my car had. Bugger. This is fixable with a different CAN adaptor to the one I have. It shouldn’t be a huge thing to make a converter. A bigger pain is that, despite being the radio fitted in the facelift car, it physically doesn’t fit. You have to press both controls in and then close the flap, which will turn the radio back on as it presses the tops or turns it off. Close but no cigar.
So Option 2. Hack a Concert. Having obtained one I hit the first big snag. Unless you have the code you are stuffed. Working Concerts with the code and working volume controls are few and far between. I’ve stripped it down and decided there are a few ways to do this, but by far the easiest is the realisation that the tape unit is not only a module but it’s largely independent, with its own MechCon board. As this is a logic driven deck it’s very likely this board simply takes commands from the main MCU in the form of play/stop/rev/etc. Having found a schematic, the audio out from the head pre-amp is easy to get to as well, so a drop-in board is a possibility.
The MCU uses a large number of serial busses which are a mix of SPI, I2C and RS232 and each section of the radio is a clearly defined block so there are a large number of possibilities here.
First goal is to get this bugger unlocked. I have the dev kit for the Micro they chose (it’s been in storage for years because I thought it may be useful) so I’m planning on sucking its brains out and pulling the code out. I’m also chasing Audi who, in the manual, insist it’s a free service but the main stealers want £50 to get the code. Audi UK are chasing this for me. Given that locked ones can be found easily it may be a better bet to work out how to get it myself.
Gives some pointers on how to do it, so I guess this is the first stop. I modified a cheap CH340 dongle and using that circuit pulled the code out first time. Not only can you do this WITHOUT removing the micro, Audi/Blaupunkt left test pads for all of these connections under the board…
It’s worth noting at this point that it *should* be possible to suck the ROM contents out too. I’m not sure if this version of the chip uses EEPROM or Mask ROM/EPROM for the main program. Armed with a disassembler it should be possible to fix the actual bug. You can also use the MotoHack tool to change the keycode or disable it. I opted to leave well alone as I don’t know if there is a checksum in there or not.
Having pulled the code I confirmed it does work and unlocked the unit. Turns out my display is a little dead but for our purposes it’s good enough. Off we go now to decipher the front panel…