Pages: [1] 2
Author Topic: Audi ZF 8HP55 Immoblizer Delete  (Read 5617 times)
projectLSaudiA4
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 21


« on: January 03, 2024, 04:36:28 PM »

First time posting here...

I'm looking into deleting the immobilizer on a 2011 Audi A8 8HP55 (Audi calls this transmission the AL551) since I haven't found anyone that can do this for me. These TCUs use a Renesas SH72549 / R5F72549R which the datasheet isn't published but the SH7254R is. I've attempted to disassemble some PCMflash dumps I found online (I don't have PCMflash or module 82 yet) but I have no idea how the immobilizer works let alone Renesas disassembly code. I've done about as much as I can learn via google and chatGPT so I could use some help... All I've been able to find is some can bus IDs, such as OBD_01 at 0x00044750; and a couple functions such as at 0x000259dc where the VBR is updated to 0x000200F0. Numerous other functions update On-chip RAM locations, but it's very hard to follow.

The latest idea I had was to compare the dump from the Audi with a Dodge/Chrysler as they do NOT have an immobilizer. Problem is I probably need the Funktionsrahmen or Damos for this TCU to at least point me in the right direction but I can't find it.

I guess I'm asking for what you guys think I should do. I need the immobilizer and component protection removed from the ASW due to using this transmission with an aftermarket ECU. I have the Audi Kmatrix (DBC file) which I plan to use in order to make a canbus bridge. The DBC file doesn't explicitly mention how the WFS5 immobilizer is implemented nor mention any signals transmitted over CAN 2.0 so I assume it's being done over UDS or K-line perhaps. From my research, BCM2 and the TCU communicate with one another regarding the immobilizer but from sniffing the drivetrain traffic on my 2014 A6 (same transmission probably different software ver), I don't see anything sent via UDS.

Side note, the DQ380/381 and DQ500 also use the same microcontroller, so if anyone has experience with them maybe the immobilizer implementation is similar?

Lastly, any information on what the difference between the frf files (0x200000 length, I think these are flashed with ODIS) and EEPROM (0x20000 length) and FLASH/MAPS (0x2800000 length) files would be appreciated.. I assume EEPROM is just according to datasheet 0'80100000 to 0'8011FFFF but no idea where MAP files would be in physically. During my attempted analysis I've tried adjusting the start address to a few locations to no avail. I will say the frf files contains the canbus IDs previously mentioned.
Logged
prj
Hero Member
*****

Karma: +1072/-480
Offline Offline

Posts: 6035


« Reply #1 on: January 03, 2024, 05:02:33 PM »

I've done about as much as I can learn via google and chatGPT so I could use some help...
lol...
Yeah reversing shit like this you either need a very strong existing background or it's gonna take years.
Quote
The latest idea I had was to compare the dump from the Audi with a Dodge/Chrysler as they do NOT have an immobilizer.
Waste of time.
Quote
Problem is I probably need the Funktionsrahmen or Damos for this TCU to at least point me in the right direction but I can't find it.
hex/a2l is out there.
Quote
I guess I'm asking for what you guys think I should do. I need the immobilizer and component protection removed from the ASW due to using this transmission with an aftermarket ECU. I have the Audi Kmatrix (DBC file) which I plan to use in order to make a canbus bridge.
Good luck with that ... you probably won't get very far unless you run something like MoTeC and implement all the torque calculations...
Is there any good reason you want to use this transmission? There are much simpler alternatives.
Quote
The DBC file doesn't explicitly mention how the WFS5 immobilizer is implemented nor mention any signals transmitted over CAN 2.0
That's because the WFS5 documentation is a higher level clearance need-to-know basis and there are it's own documents. It is also not part of the ASW in most ECU's, it gets linked in as a library.
Quote
I assume it's being done over UDS or K-line perhaps.
Completely wrong. K-Line is not used in over a decade and UDS is a diagnostic protocol that has nothing to do with inter-module communication.

For immo there is a switch in the cal on/off, I have never tried if it actually bypasses it.
Component protection no idea.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
projectLSaudiA4
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 21


« Reply #2 on: January 03, 2024, 05:20:12 PM »

Thanks for the quick reply! Yeah I'm mechanically inclined not so much with electronics. I have logged my A6 and the torque calculations should be pretty straight forward, lots of time, but straight forward since I have the DBC file. The reason I'm using this transmission is that it's a transaxle with pretty unique layout. I have successfully matted the 6-speed manual version of it to an LS for use in my A4 already, see attached. Now I want the automatic from my A6 lol..

For immo there is a switch in the cal on/off, I have never tried if it actually bypasses it.
Component protection no idea.

I don't follow what you mean "in the cal" you mean like adaptation values. What I can gather, the checksum and class are part of the WFS5 so I'm not sure how these can be accessed otherwise. As I said, I have logged traffic and don't see anything this isn't in my DBC file. There are some extended frame messages in the DBC that I have no logged traffic on thus far. For example, SKey_Getriebe_01_Req 0x17fc0277, which the only comment is "Request of the Service Key2 Function" but I was thinking this was seed key for UDS flashing, maybe I'm wrong here.
Logged
prj
Hero Member
*****

Karma: +1072/-480
Offline Offline

Posts: 6035


« Reply #3 on: January 03, 2024, 05:37:26 PM »

Thanks for the quick reply! Yeah I'm mechanically inclined not so much with electronics. I have logged my A6 and the torque calculations should be pretty straight forward, lots of time, but straight forward since I have the DBC file.
"Straightforward" is not the word I would use, you need an ECU that uses torque as input. The gearbox tells you what torque it wants.
The only ECU I am aware of where you're gonna get the ability to have that kind of control is MoTeC's M1 Build.

Quote
I don't follow what you mean "in the cal" you mean like adaptation values.
Switch in calibration. DATA section, idk what else you wanna call it.

There's literally a switch that says evaluate immobilizer yes/no. As I said, I've not tested it.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
projectLSaudiA4
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 21


« Reply #4 on: January 03, 2024, 05:50:15 PM »

Switch in calibration. DATA section, idk what else you wanna call it.

There's literally a switch that says evaluate immobilizer yes/no. As I said, I've not tested it.

Forgive my ignorance here please, but could you tell me the location in DATA section or where I can find documentation that labels a switch "evaluate immobilizer." This is all new to me and I'm trying to learn jargon and various other things along the way.

I believe Maxxecu has the capabilities I need, as that is what CANTCU suggests using for their BMW 8HP canbus bridge they sell.
Logged
prj
Hero Member
*****

Karma: +1072/-480
Offline Offline

Posts: 6035


« Reply #5 on: January 03, 2024, 06:02:53 PM »

I believe Maxxecu has the capabilities I need, as that is what CANTCU suggests using for their BMW 8HP canbus bridge they sell.
It does not.
Just another ECU that has no concept of torque whatsoever apart from sending some random values based on a single 2d table, which is far from reality.

If you just want it for drag race it will probably work, but driving around with it, nah, not really.

Forgive my ignorance here please, but could you tell me the location in DATA section
No, because you didn't even post a file. You're just talking.
That said, I don't sell, trade or exchange OEM descriptor files, so you will have to find someone who will sell you the damos.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
projectLSaudiA4
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 21


« Reply #6 on: January 03, 2024, 06:23:20 PM »

It does not.
Just another ECU that has no concept of torque whatsoever apart from sending some random values based on a single 2d table, which is far from reality.

If you just want it for drag race it will probably work, but driving around with it, nah, not really.
No, because you didn't even post a file. You're just talking.
That said, I don't sell, trade or exchange OEM descriptor files, so you will have to find someone who will sell you the damos.

I'm not looking for a free lunch here. I didn't even know such parameters existed in the OEM descriptor files which is I why I'm asking for help, so thank you I appreciate it! The file I'm working off of and disassembled a few things on is attached. If there's a way to attach Ghidra projects, then I can attach that too but there's not much done there.

The DBC file I found and confirmed the IDs are correct for my C7 A6 is here if you wanna take a look: https://raw.githubusercontent.com/rusefi/rusefi_documentation/master/OEM-Docs/VAG/B8_Q5_D4_C7_MLB.dbc

Could you at least point me to the source for where I could purchase the OEM descriptor file for the AL551 TCU???
Logged
prj
Hero Member
*****

Karma: +1072/-480
Offline Offline

Posts: 6035


« Reply #7 on: January 04, 2024, 01:51:45 AM »

Could you at least point me to the source for where I could purchase the OEM descriptor file for the AL551 TCU???

For example this site lists some stuff:
https://damos-files.ru/search/?search=ZF

Though usually it's OLS projects, and you need OLS. The OLS projects usually also do not have any ram cells defined.
If you want to also know the ram cells for reversing you will need to find someone who will sell you a hex/a2l.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
sda2
Full Member
***

Karma: +23/-1
Offline Offline

Posts: 76


« Reply #8 on: January 08, 2024, 04:15:25 AM »

Easiest solution for you would be a MaxxECU for the LS engine and a Dodge gearbox with corresponding mechatronic unit since that will be wahts possible to run with Maxx ECU directly.

Other way would be an 8HP45 (or better 70) with the BMW xdrive ATC and a CanTCU for street, or Turbolamik for Drag/Drift useage.

Logged
projectLSaudiA4
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 21


« Reply #9 on: January 08, 2024, 07:11:41 AM »

Easiest solution for you would be a MaxxECU for the LS engine and a Dodge gearbox with corresponding mechatronic unit since that will be wahts possible to run with Maxx ECU directly.

Other way would be an 8HP45 (or better 70) with the BMW xdrive ATC and a CanTCU for street, or Turbolamik for Drag/Drift useage.



I’ve reached out to Maxxecu previously and they are indeed working on dodge 8HP support directly but not implemented yet last time I checked. Also the problem is I need the front differential for AWD and reverse output direction (driveshaft spins backwards compared to most transmissions) associated with the Audi 8HP55 transmission.

Side note, I bought a couple FRMs for this transmission and one OLS and was able to confirm a lot of the underlying logic regarding torque input and feedback, but wasn’t able to find anything on WFS besides a function that stores mileage in the EEPROM. I’ve reached out to a couple people to purchase A2L/hex so maybe that will reveal more.

I’ll keep digging…
Logged
sda2
Full Member
***

Karma: +23/-1
Offline Offline

Posts: 76


« Reply #10 on: January 09, 2024, 02:40:33 AM »

BMW 8HP Gen 1 & 2 will ignore immo once they are virginzed. Maybe that also works for VAG.
Logged
acab
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 11


« Reply #11 on: January 10, 2024, 06:31:32 PM »

does anyone know where is checksum located?
Logged
projectLSaudiA4
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 21


« Reply #12 on: February 08, 2024, 08:18:10 PM »

Update. Bought an A2L+Hex (AL551 hybrid is only one around apparently) and a few FRs and I don’t see a switch to bypass WFS unless I’m overlooking something. I was able to get the TCU to communicate via CCP using a Kvaser Leaf but could only dump CAL (0x180000 to 0x200000) and RAM memory address 0x600000 to 0x680000 is available for upload / download. Surprisingly seed/key is not required to do this. Unfortunately the immobilizer function that triggers all the WFS logic is located at 0x7DE2C (at it is least for 4h1927158AD 1006). I’ve checked various PCMflash maps dumps and they are most likely 0x160000 to 0x3DFFFF from what I can tell (think it depends on software). I’m relatively new to VAG ECU/TCU files but the FRF for my 1006 SW contains the ASW which I believe can only be flashed with ODIS, right?

Maybe I’ll try looking into UDS next… The AL551 does connect using VW_Flash using the DQ380 UDS protocol.

Logged
prj
Hero Member
*****

Karma: +1072/-480
Offline Offline

Posts: 6035


« Reply #13 on: February 09, 2024, 02:48:11 AM »

You need a tool that will do SBOOT on the TCU and give you the whole file.
UDS is not useful to you because you can't enter bootloader if immo is not authenticated.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
projectLSaudiA4
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 21


« Reply #14 on: September 10, 2024, 09:10:01 AM »

PCMflash Module 82 got the job done. Full read and write with checksum correction. Haven't tested as my plans have changed but pretty sure this will disable immobilizer.
Logged
Pages: [1] 2
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.03 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)