Building on the work shared in the AL551 threads here and chrisgotboost's compression research, I've put together an open-source toolkit for extracting ZF 8HP TCU firmware from VAG flashdaten FRFs.
Key findings:
The ZF 8HP ODX method 0x22 encryption is a 19-byte repeating XOR:
Key: CyA2008ZFVAGtcuxsam
Hex: 437941323030385a465641477463757873616d
The XOR key itself reads as ASCII: CyA 2008 ZF VAG tcu xsam — looks like an internal project label. If anyone recognizes the CyA/xsam naming convention from ZF tooling, the method 0x01 AES key might follow a related pattern.
The compression (also method 0x22) is an LZSS variant with a 2047-byte window instead of the standard 1023. Inverted flag bits (0=literal, 1=reference), 5-bit count + 11-bit displacement. Verified with a 1,310,208 byte perfect match against a known-good decrypted block.
Confirmed working on 4G0927158 (A6/A7 C7) and 4H1927158 (A8 D4) families. The 8K0 (A4/A5 B8) uses method 0x01 which is actual AES — that key is still unknown.
The repo also covers DQ381 BL301 extraction (same SH72549 MCU) and documents where the AES key/IV is stored in the bootloader (BOOT offset 0x344/0x354) for anyone chasing the BL401 key.
All keys, decompression algorithms, and platform research in one place:
https://github.com/dspl1236/vag-tcu-toolsCredits to chrisgotboost for identifying the encryption type and compression format (topic: ZF8 AL551 Compression
http://nefariousmotorsports.com/forum/index.php?topic=22625.0), projectLSaudiA4 for the AL551 memory map and Ghidra work(
http://nefariousmotorsports.com/forum/index.php?topic=22488.0title=), and bri3d/VW_Flash for the FRF pipeline that made this possible.
If anyone has the method 0x01 AES key (8K0 family) or a BL401 DQ381 bench read, the repo has a contributing section. Happy to add support for other TCU platforms (DQ500, DL501, DL382) if people share what they know... if its already out there then I need todo more reading.
