Author Topic: Audi ZF 8HP55 Immobilizer Delete  (Read 8048 times)
Audirama
Jr. Member
**

Karma: +3/-1
Offline

Posts: 44


« Reply #15 on: September 10, 2024, 06:08:53 PM »

PCMflash Module 82 got the job done. Full read and write with checksum correction. Haven't tested as my plans have changed but pretty sure this will disable immobilizer.

That's great news. I'm planning to do this swap soon for my C7 S6. Recently they have changed the approval process to remove TCU IMMO via ODIS, so I have been trying to research alternative methods.
Logged
projectLSaudiA4
Newbie
*

Karma: +7/-0
Offline

Posts: 24


« Reply #16 on: September 11, 2024, 04:58:38 AM »

That's great news. I'm planning to do this swap soon for my C7 S6. Recently they have changed the approval process to remove TCU IMMO via ODIS, so I have been trying to research alternative methods.

From what I've seen, each software is different, so the function is at a different address.
Logged
IamwhoIam
Hero Member
*****

Karma: +52/-115
Offline

Posts: 1071


« Reply #17 on: September 11, 2024, 07:50:46 AM »

PCMflash Module 82 got the job done. Full read and write with checksum correction. Haven't tested as my plans have changed but pretty sure this will disable immobilizer.

That's pretty cool if you are getting somewhere disassembling that shitty SHA CPU that's in the AL55x TCUs... I would actually need someone to help me with some stuff in that kind of architecture and CPU sometime.
Logged

I have no logs because I have a boost gauge (makes things easier)
Audirama
Jr. Member
**

Karma: +3/-1
Offline

Posts: 44


« Reply #18 on: September 11, 2024, 05:16:36 PM »

From what I've seen, each software is different, so the function is at a different address.

Got it,

I'm planning to take a ZF8HP55 from a C7 A6 and swap it in; maybe if I'm lucky the function can be found in the same place. I will have to dive more into it, but hopefully it can be done without ODIS.
Logged
projectLSaudiA4
Newbie
*

Karma: +7/-0
Offline

Posts: 24


« Reply #19 on: September 11, 2024, 06:10:35 PM »

That's pretty cool if you are getting somewhere disassembling that shitty SHA CPU that's in the AL55x TCUs... I would actually need someone to help me with some stuff in that kind of architecture and CPU sometime.

Thanks! I used the SH2A language in Ghidra and while it disassembled and cross-referenced numerous functions, I still have something I'm missing. The reason I say this is because some functions and data that I know are used are not cross-referenced. I don't have a great understanding of this processor in general, but having an A2L helps quite a bit. Another problem is it's from the gen 2 AL551 while my TCU is a gen 1. Most of the function implementations are similar enough that I can search for common constants or instructions and find them to work backwards, but some are very different.

There are also numerous H'FFF80000 addresses in the Gen 2 TCU that they use for flags which are not documented, for example, so it's a struggle to sift my way through them. With that being said, if you have something specific, I am willing to share because at this point this is a hobby for me. I planned to take on this project making a CAN bus bridge to make the AL551 standalone compatible, but now MaxxECU has pretty much already done this from what Natanael has told me. Beta stage for the AL551 for now. They accomplished this by flashing their custom Dodge TCU firmware onto the Audi TCU.
« Last Edit: September 27, 2024, 12:23:15 PM by projectLSaudiA4 » Logged
projectLSaudiA4
Newbie
*

Karma: +7/-0
Offline

Posts: 24


« Reply #20 on: September 27, 2024, 12:19:31 PM »

Does anyone know where the checksum is located?
Don't quote me on this, but from what I can tell the ASW checksum is at 0x50244 for the Gen 2 AL551. It's at 0x40044 on the Gen 1 AL551 (from what I can tell; I haven't tried to calculate and check it). It looks like it's also in the EEPROM.
« Last Edit: September 30, 2024, 11:54:38 AM by projectLSaudiA4 » Logged
projectLSaudiA4
Newbie
*

Karma: +7/-0
Offline

Posts: 24


« Reply #21 on: October 03, 2024, 01:28:18 PM »

I patched the 4G1927158A 1006 software on my personal 2014 Audi A6 and flashed it with PCMflash module 82. Checksums were updated and the car runs and drives fine. Of course the immobilizer is already paired on this TCU to the ECU, so it's not definitive, but at least it still functions. I'm planning on testing this weekend to replay the CAN traffic from my A6 back to my D4 A8 TCU to see if it flags the immobilizer DTC.
Logged
prj
Hero Member
*****

Karma: +1075/-501
Offline

Posts: 6073


« Reply #22 on: October 03, 2024, 01:58:13 PM »

I’m planning on testing this weekend to replay the CAN traffic
This won't show you anything whatsoever, waste of time.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
projectLSaudiA4
Newbie
*

Karma: +7/-0
Offline

Posts: 24


« Reply #23 on: October 03, 2024, 03:06:15 PM »

This won't show you anything whatsoever, waste of time.

If it lets me shift out of park then I think it will. I wired up the EGS already. The trace is just going to be with ignition on and foot on the brake, which normally allows shifting to neutral in my A6. Or I'll check the on-chip RAM address for shift lock release, or I think there's one for ready to start (can't remember the exact name at the moment).
Logged
projectLSaudiA4
Newbie
*

Karma: +7/-0
Offline

Posts: 24


« Reply #24 on: October 08, 2024, 04:46:40 AM »

Anyone know what ECU pin J623 T91/17 or J393 T32c/28 (Convenience System Control Unit) is for?
Edit: Nvm, looks like it's either ground or power out to the ECU for P/N.

« Last Edit: October 08, 2024, 06:55:08 AM by projectLSaudiA4 » Logged
projectLSaudiA4
Newbie
*

Karma: +7/-0
Offline

Posts: 24


« Reply #25 on: December 09, 2024, 12:14:00 PM »

I was able to cross-reference and figure out the memory segments for the AL551 with the SH72519; see below in A2L format:
/begin MEMORY_SEGMENT
Pst0 "" RESERVED FLASH INTERN 0x0 0x40000 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x0 0x0 0x40000
/end IF_DATA
/begin IF_DATA ETK
ADDRESS_MAPPING 0x0 0x0 0x40000
/end IF_DATA
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Pst40000 "" RESERVED FLASH INTERN_2 0x40000 0x80 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x40000 0x40000 0x80
/end IF_DATA
/begin IF_DATA ETK
ADDRESS_MAPPING 0x40000 0x40000 0x80
/end IF_DATA
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Pst40080 "" CODE FLASH INTERN_1 0x40080 0x13FAF0 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x40080 0x40080 0x13FAF0
/end IF_DATA
/begin IF_DATA ETK
ADDRESS_MAPPING 0x40080 0x40080 0x13FAF0
/end IF_DATA
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Pst17FB70 "" RESERVED FLASH INTERN_3 0x17FB70 0x490 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x17FB70 0x17FB70 0x490
/end IF_DATA
/begin IF_DATA ETK
ADDRESS_MAPPING 0x17FB70 0x17FB70 0x490
/end IF_DATA
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Dst180000 "" RESERVED FLASH INTERN_4 0x180000 0x280 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x180000 0x180000 0x280
/end IF_DATA
/begin IF_DATA ETK
ADDRESS_MAPPING 0x180000 0x180000 0x280
/end IF_DATA
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Dst180280 "" CODE FLASH INTERN_2 0x180280 0xFD80 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x180280 0x180280 0xFD80
/end IF_DATA
/begin IF_DATA ETK
ADDRESS_MAPPING 0x180280 0x180280 0xFD80
/end IF_DATA
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Dst190000 "" DATA FLASH INTERN_1 0x190000 0x6FD60 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x190000 0x190000 0x6FD60
/end IF_DATA
/begin IF_DATA ETK
ADDRESS_MAPPING 0x190000 0x190000 0x6FD60
/end IF_DATA
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Dst1FFD60 "" RESERVED FLASH INTERN_5 0x1FFD60 0xA4 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x1FFD60 0x1FFD60 0xA4
/end IF_DATA
/begin IF_DATA ETK
ADDRESS_MAPPING 0x1FFD60 0x1FFD60 0xA4
/end IF_DATA
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Dst1FFE04 "" DATA FLASH INTERN_2 0x1FFE04 0x4 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x1FFE04 0x1FFE04 0x4
/end IF_DATA
/begin IF_DATA ETK
ADDRESS_MAPPING 0x1FFE04 0x1FFE04 0x4
/end IF_DATA
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Dst1FFE08 "" RESERVED FLASH INTERN_6 0x1FFE08 0x1F8 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x1FFE08 0x1FFE08 0x1F8
/end IF_DATA
/begin IF_DATA ETK
ADDRESS_MAPPING 0x1FFE08 0x1FFE08 0x1F8
/end IF_DATA
/end MEMORY_SEGMENT

For the CAL checksum, CRC32 is used (over 0x190000 to 0x1FFD5F) and it is located at 0x180244.
Logged
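As an added example (not from the post above, nor from PCMflash or any other tool mentioned in this thread), here is a small Python parser for the A2L MEMORY_SEGMENT headers in that map, together with the sanity checks you would run before trusting such a map: no two segments overlap, the CAL CRC range 0x190000..0x1FFD5F quoted in the post lines up exactly with the DATA FLASH INTERN_1 segment, and the stored checksum address 0x180244 falls inside a RESERVED segment. The CRC32 verifier assumes the plain zlib CRC32 with the value stored big-endian, which the post does not state, and the image it checks is a constructed 256-byte buffer, not a TCU dump; the embedded A2L text is an excerpt of four of the eleven posted segments.

```python
import re
import zlib
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the AL551 memory map posted above: four of the eleven
# segments, one with its IF_DATA sub-block and one with the glued 'Dst180280""'
# quoting that appears in the post, so the parser is exercised on both.
SAMPLE_A2L = """\
/begin MEMORY_SEGMENT
Pst40000 "" RESERVED FLASH INTERN_2 0x40000 0x80 -1 -1 -1 -1 -1
/begin IF_DATA ASAP1B_DIAGNOSTIC_SERVICES
ADDRESS_MAPPING 0x40000 0x40000 0x80
/end IF_DATA
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Dst180000 "" RESERVED FLASH INTERN_4 0x180000 0x280 -1 -1 -1 -1 -1
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Dst180280"" CODE FLASH INTERN_2 0x180280 0xFD80 -1 -1 -1 -1 -1
/end MEMORY_SEGMENT
/begin MEMORY_SEGMENT
Dst190000 "" DATA FLASH INTERN_1 0x190000 0x6FD60 -1 -1 -1 -1 -1
/end MEMORY_SEGMENT
"""

# Values quoted in the post: CRC32 over the CAL area 0x190000..0x1FFD5F, stored at 0x180244.
CAL_CRC_START, CAL_CRC_END, CAL_CRC_STORED_AT = 0x190000, 0x1FFD5F, 0x180244


@dataclass(frozen=True)
class MemorySegment:
    name: str
    prg_type: str   # CODE, DATA or RESERVED
    mem_type: str   # FLASH, EEPROM, RAM, ...
    attribute: str  # INTERN, INTERN_1, ...
    address: int
    size: int

    @property
    def end(self) -> int:
        """Last address covered by the segment (inclusive)."""
        return self.address + self.size - 1

    def contains(self, addr: int) -> bool:
        return self.address <= addr <= self.end


# One MEMORY_SEGMENT header: name, quoted description, PRG type, memory type,
# attribute, start address, size. The '\s*' before the quote accepts 'Dst180280""'.
_SEGMENT_RE = re.compile(
    r'/begin\s+MEMORY_SEGMENT\s+(?P<name>\S+?)\s*"(?P<desc>[^"]*)"\s+'
    r'(?P<prg>\S+)\s+(?P<mem>\S+)\s+(?P<attr>\S+)\s+'
    r'(?P<addr>0x[0-9A-Fa-f]+)\s+(?P<size>0x[0-9A-Fa-f]+)'
)


def parse_memory_segments(a2l_text: str) -> list[MemorySegment]:
    """Extract every MEMORY_SEGMENT header from an A2L fragment, sorted by address."""
    segs = [
        MemorySegment(m["name"], m["prg"], m["mem"], m["attr"],
                      int(m["addr"], 16), int(m["size"], 16))
        for m in _SEGMENT_RE.finditer(a2l_text)
    ]
    return sorted(segs, key=lambda s: s.address)


def find_overlaps(segments: list[MemorySegment]) -> list[tuple[str, str]]:
    """Adjacent segments whose address ranges collide (empty for a sane map)."""
    ordered = sorted(segments, key=lambda s: s.address)
    return [(a.name, b.name) for a, b in zip(ordered, ordered[1:]) if b.address <= a.end]


def segment_for_range(segments, start: int, end: int) -> Optional[MemorySegment]:
    """Segment whose bounds are exactly [start, end], or None."""
    return next((s for s in segments if s.address == start and s.end == end), None)


def segment_containing(segments, addr: int) -> Optional[MemorySegment]:
    """Segment that covers addr, or None."""
    return next((s for s in segments if s.contains(addr)), None)


def crc32_matches(image: bytes, start: int, end: int, stored_at: int,
                  byteorder: str = "big") -> bool:
    """Does the CRC32 of image[start..end] equal the 32-bit value stored at stored_at?

    Assumption: plain zlib CRC32 and a big-endian stored value; the post only says
    'CRC32', so confirm both against a known-good dump before relying on this.
    """
    computed = zlib.crc32(image[start:end + 1]) & 0xFFFFFFFF
    stored = int.from_bytes(image[stored_at:stored_at + 4], byteorder)
    return computed == stored


def build_demo_image(corrupt: bool = False) -> bytes:
    """Constructed 256-byte image: payload at 0x40..0x7F, its CRC32 stored big-endian at 0x10."""
    img = bytearray(b"\xff" * 0x100)
    img[0x40:0x80] = bytes(range(0x40))
    img[0x10:0x14] = (zlib.crc32(bytes(img[0x40:0x80])) & 0xFFFFFFFF).to_bytes(4, "big")
    if corrupt:
        img[0x50] ^= 0x01   # one flipped bit inside the covered area
    return bytes(img)


if __name__ == "__main__":
    segs = parse_memory_segments(SAMPLE_A2L)
    for s in segs:
        print(f"{s.name:<10} {s.prg_type:<8} {s.address:#08x}-{s.end:#08x}")
    print("overlaps:", find_overlaps(segs))
    print("CAL CRC range is segment:", segment_for_range(segs, CAL_CRC_START, CAL_CRC_END).name)
    print("CRC stored in segment:", segment_containing(segs, CAL_CRC_STORED_AT).name)
    print("demo image CRC ok:", crc32_matches(build_demo_image(), 0x40, 0x7F, 0x10))
```

The checker only reports whether a stored CRC agrees with the data it covers; that is the question that matters when deciding whether a bench read is intact or was truncated, and the same function applied to a known-good dump is how you would confirm the polynomial and byte order assumptions above.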
projectLSaudiA4
Newbie
*

Karma: +7/-0
Offline

Posts: 24


« Reply #26 on: December 10, 2024, 01:18:49 PM »

So Audirama was nice enough to test out several attempts at patching the immobilizer on his AL551-swapped S6, and while the car will shift out of park, it shifts to N and throws P1701... So it looks like it doesn't work...
Logged
fastboatster
Full Member
***

Karma: +3/-0
Offline

Posts: 81


« Reply #27 on: December 10, 2024, 03:08:17 PM »

IMO, this is not a good indicator of whether this immo-off patch works at all. If it works when swapping one A6 transmission into another then it's good enough. I think it was mentioned that in his case this is likely a powerclass mismatch issue. The A6 trans is expecting to see an engine with 3.0"t" powerclass, but he has a 4.0TT which has a different powerclass.
Logged
projectLSaudiA4
Newbie
*

Karma: +7/-0
Offline

Posts: 24


« Reply #28 on: December 10, 2024, 07:56:27 PM »

IMO, this is not a good indicator of whether this immo-off patch works at all. If it works when swapping one A6 transmission into another then it's good enough. I think it was mentioned that in his case this is likely a powerclass mismatch issue. The A6 trans is expecting to see an engine with 3.0"t" powerclass, but he has a 4.0TT which has a different powerclass.

To be honest WFS5 is still a mystery to me, and the TCU has several variables that seem to be flags for the immobilizer status as well as complement flags, but I was under the assumption power class was just another piece of the pie that makes up the "immobilizer" and/or component protection.

I did find the function that TXs on the powertrain bus (to the ECU presumably) using CAN ID 0x12, but there are no XREFs to the data that makes up the payload, so it's probably written at some offset from another address. Numerous helper functions are simply just returning addresses at some offset from param 1, for example, so it's a bit of a nightmare to track these down manually.

I also found the same function, which calls the immobilizer TX function on the Audi, in a RAM 8HP70 ASW, which simply doesn't have these function calls and is padded with 0's (because there's no immo in that SW). I tried to mimic this in the AL551 but the TCU doesn't communicate after doing so. Lastly, I haven't confirmed with Ghidra, but there are also some communication pattern tables listed in the AL551 A2L which I assume monitor processing times of tasks/functions, which might be affected by doing so.

Audirama got the immo adapted with ODIS, and he will send me a bench read, so I plan to at least compare before and after to see what has changed, to maybe get a better clue to the functions.
Logged