CD Spoofing and Overclocking

Introduction

5.5 million CD player stereo head units are purchased every year in the United States, and many more vehicles already have CD player head units. These vehicles have been left behind by the smartphone revolution: they lack an easy way to connect smartphones to the car. Oddly enough, older cars with cassette decks are more equipped to handle smartphones, as cassette-to-headphone adapters are readily available. We aimed in this hack to produce a way to connect smartphones to CD players. The only readily available option for this is an FM transmitter for a smartphone, but that has no privacy. A CD player based system would have audio privacy.

What We Did

We created an implementation of the CD-DA Red Book digital audio CD standard in embedded C which is correct within our ability to test it. We used no references beyond the official standard. The Red Book CD standard is extremely complicated to take into account the multiple layers of error correction needed to ensure that scratched, warped CDs are still playable. There were no publicly available reference implementations to check ours against. We were unable to use this implementation because the 80 MHz ARM processor in the SparkFun FreeSoC that we used was not powerful enough to generate the CD datastream in real-time. We estimate that a full-size computer or smartphone processor only performing the CD encoding with no operating system would have enough computing power. Alternatively, an FPGA implementation could be used. An FPGA implementation would be simpler and require less capable hardware, but would take much longer to implement.

How We built it

We concurrently worked to A) develop an embedded C implementation of the red book CD-DA bitstream and B) develop a method to get this bitstream into the CD player. Initially we wanted to use a non-invasive optical method, similar to a real disk, but determined this was effectively impossible. Then, we reverse engineered the analog front-end of four CD players until we found how to insert data into the CD player circuitry without destroying the CD player. Then, we discovered how to electrically defeat the tracking and focus mechanism of the CD player. Our final CD player tracked and focused on a real CD but received bitstream data from our hack, allowing us to inject our own data.

Challenges we ran into

We were not successful in injecting our own CD bitstream because it was effectively impossible to generate the CD bitstream in real time on the Cypress PSoC5LP. Generating this bitstream would require a processor roughly one order of magnitude faster than the PSoC5LP. The CD bitstream was incredibly difficult to generate, mostly because none of the information is byte-aligned. This required us to develop a set of bitstream manipulation functions which made bit-level access easy but with a performance penalty as compared to byte access. Debugging the analog front-end of the CD player required us to destroy 2 CD players and take apart 2 more. We now have a collection of broken CD players.

Accomplishments that we are proud of

We overclocked the CD player by 50%!

What we learned

We now have a deep appreciation for the engineering effort that went into designing the CD audio standard and are well versed in Red Book CD Audio. We would love to be able to talk to any of the engineers who developed this standard.

What's next for CD Spoofing and Overclocking

Future work would definitely include an FPGA implementation of the Red Book bitstream generator. Once we finish developing the technology, we will be able to develop external hardware for your car CD player that can play any audio file in real time. It can be built with Bluetooth connectivity and make your car’s CD player system a large Bluetooth speaker.

Built With

• cypress
• hardware
• psoc