D2B reverse engineering info

Many people send me private messages about the D2B protocol. Here is some info how I managed to reverse engineer the data:

The D2B optical transceiver chip is called OCC8001 if you use google you can find basic information on it. The schematics for the Mercedes-Benz Audio 30 is available – just google for “BE3300 service manual” or “BE3300 schematics” you can see how the OCC8001 chip is connected to the optical transmitter; the DAC and the ADC.

The Benz CD-Changers have a separate bard on the back that does the D2B communication. The board contains the OCC8001 chip and optical transmitter and receiver. It also has 3 pin connector for 12V power, ground and “wake up” signal. The “wake up” signal is used to start the device from sleep, when the car is started.

Here is the pinout for the board’s flat cable connector.

Optical IO board
(contacts up) MC3010
17 pin connector

1 – Fsync (pin 12)
2 – SCLK (pin 13)
3 – SR0 (pin 14)
4 – OCERR
5 – GND
6 – OCREQ – Optical input AND gate (pin 1 on TC7S08F)
7 – i2c SCL
8 – i2c SDA
9 – OCINT
10 – WAKEUP
11 – OCRESET
12 – RMCLK (pin 6)
13 – GND
14 – GND
15 – BAT +12V
16 – BAT +12V
17 – VCC +5V

On MC3198 Contacts are down and pin 1 = pin 17

1. Device Addressing

Addresses in the D2B network ring are 12-bit numbers. Each device in the D2B network has two addresses. One is the device position address, which describes the device position in the ring relative to the master – the master has position 0 and position address of 0x400. The first device has position 1 and position address 0x401 and so forth. The devices initialize their position address by a special procedure initiated by the master. This procedure is one of the first things that the master performs.

The second address is the device physical address. Each device assigns it’s own address. For example the master address is usually 0x1c8; The CD-Changer address is 0x190. The device starts with a particular address and probes the network if that address is already taken. If the address is not taken, the device assigns the address to itself, otherwise it tries the next value.

When the master starts the network, it assigns an address to itself. When a slave device is participating in the network it starts with a default physical address of 0xfff. When the slave device first sends a packet to the master, the master would “notice” the device has “unassigned” address and send an “Assign Device Address” command to the slave. The slave would then initiate the procedure to assign a physical address to itself and notify the master.

In addition to the physical and position address, there is a “broadcast” address 0x3c8 – a message sent to that address would be received by all devices in the ring. There is also a group cast address – any other address in the 0x300-0x3ff range. The device must be a member of that group to receive the message. Each device decides what group it is a member of – there is no set procedure for that. Each device is a member of only one group at a time (limitation of OCC8001). I have not observed any group cast messages being sent.

2. Message Format

Each message is up to 16 bytes long. Each message has a type and a length encoded in the message header. The receive and transmit buffer formats are:

<address><type|len><message data>

Where the address is the source or destination address (depending whether you are receiving or sending a message). The address is 2 bytes with the LSB byte first and the top 4 bits 0 on the second byte. The third byte contains the message type – 4 high order bits; and the message length – 1 in the low 4 bits. A message length of 0 means 1 byte long message. A message length of 0x0f means 16 bytes long message. A message is minimum 1 byte long.

The receive and send buffers are 19 bytes long total. I have not been able to decipher much of the data messages being exchanged, just enough so I can simulate a CD-changer being connected to the network.

3. Errors

A message transmission could fail. Usually because the target device’s receiving buffer is not free. Thus when sending a message one has to check for “successful transmission” flag. Luckily the chip handles the acknowledgement and errors automatically. All you have to do is check if the transmission succeeded or not. It is suggested that an app retries up to 5 times to send a message if the transmission was unsuccessful.

Errors due to loss of signal are very rare and usually indicate a problem with the cables. In this case a device detecting the error just shuts off breaking the ring. Eventually the master would shut off the whole ring. Momentary loss of carrier is tolerated if the loss is less than 20ms.

4. Chip communication

The D2B optical controller is called “Conan” the chip is labeled OCC8001 and sometimes OS8101. These are the same identical ship. There is a brief data sheet available for OCC9001 – but that chip was meant to be way more advanced. Anyway the chip can use i2c or SPI for communication in the Audio 30 it is connected via i2c.

The chip’s i2c address is 0x46. I used a logic analyzer to sniff the communication between the CPU and the chip. The chip uses a protocol similar to other i2c devices, when writing the first byte is a “register address” the second byte is the value that is written to that address. If more than one value is sent the next value goes to the next address etc. When reading the CPU first sends a “write” request with only an address – which is the address where it want’s to read; The the subsequent device read requests read first value from that address, next value from the next address etc. until the CPU terminates the transfer.

The chip receive and transmit buffers (19 bytes each) are located at i2c addresses 0x6b and 0xaa respectively.

Happy hacking.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.