Skip to content

Commit

Permalink
update documetation: drop A0 native support, clean up some explanations
Browse files Browse the repository at this point in the history
  • Loading branch information
bri3d committed Dec 31, 2023
1 parent 9c4711d commit 4cb972f
Show file tree
Hide file tree
Showing 5 changed files with 19 additions and 35 deletions.
2 changes: 1 addition & 1 deletion LICENSE
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
BSD 2-Clause License

Copyright (c) 2022, Brian Ledbetter and contributors
Copyright (c) 2022-2024, Brian Ledbetter and contributors
All rights reserved.

Redistribution and use in source and binary forms, with or without
Expand Down
10 changes: 7 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,11 @@

VW Flashing Tools over ISO-TP / UDS

Currently supports Continental/Siemens Simos12, Simos18.1/4/6, and Simos18.10 as used in VW AG vehicles, as well as the Temic DQ250-MQB DSG. RSA-bypass/"unlock" patches are provided for Simos 18.1/4/6 (SC8 project identifier) and Simos18.10 (SCG project identifier).
Currently supports full custom reflashing of the Continental/Siemens Simos18.1/6, and Simos18.10 control units as used in MQB VW AG vehicles, as well as the Temic DQ250-MQB, Bosch DQ381-MQB DSG, and Gen 5 Haldex4Motion control units over UDS.

RSA-bypass/"unlock" patches are provided for Simos 18.1/6 (SC8 project identifier) and Simos18.10 (SCG project identifier).

Additionally supports reflashing of several other Simos ECUs provided that RSA validation (if present) has already been disabled.

# Use Information and Documentation

Expand All @@ -14,8 +18,8 @@ Prebuilt releases for Windows are available at : https://github.com/bri3d/VW_Fla

# Supported Interface Hardware

* Macchina A0 with BridgeLEG firmware, via both USB-Serial and Bluetooth Low Energy (BLE): https://github.com/Switchleg1/esp32-isotp-ble-bridge . Supported on Windows, Linux, and MacOS.
* Tactrix OpenPort 2.0 J2534. Other J2534 devices are supported, but only if they support the STMIN_TX IOCTL, which many do not. Clones and counterfeits have mixed results. Supported on Windows, possible to make work on Linux/OSX.
* Macchina A0 with BridgeLEG firmware, via J2534: https://github.com/Switchleg1/esp32-isotp-ble-bridge
* Tactrix OpenPort 2.0 J2534. Other J2534 devices are supported, but only if they support the STMIN_TX IOCTL. Clones and counterfeits have mixed results. Supported on Windows, possible to make work on Linux/OSX.
* SocketCAN on Linux, including MCP2517 Raspberry Pi Hats, slcan, and other interfaces.

# Technical Information and Documentation
Expand Down
6 changes: 2 additions & 4 deletions docs/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,10 @@ A target file matching your vehicle. This can be the FRF file for your stock box
You also need CAN hardware compatible with the application. Three devices are currently approved and recommended:

* Raspberry Pi with Raspbian and Seeed Studios CAN-FD hat. This can also be used as a "bench tool" if things go wrong.
* Macchina A0 with BridgeLEG firmware: https://github.com/Switchleg1/esp32-isotp-ble-bridge/tree/BridgeLEG/main. Supported on all platforms with a working Bluetooth Low Energy system supported by `bleak` .
* Macchina A0 with BridgeLEG firmware: https://github.com/Switchleg1/esp32-isotp-ble-bridge/tree/BridgeLEG/main .
* Tactrix OpenPort 2.0 and some clones. Easy on Windows, supported with custom drivers on Linux and OSX: https://github.com/bri3d/j2534 .

Other J2534 devices may be supported on Windows, but most (Panda, A0) do not yet support the necessary `stmin_tx` ioctl parameters to allow flashing to complete successfully.
Other J2534 devices may be supported on Windows. Most commercial interfaces will work, but some DIY interfaces (Panda, A0) do not yet support the necessary `stmin_tx` ioctl parameters to allow flashing to complete successfully.

# Installing, building, and running an initial flash process

Expand Down Expand Up @@ -119,8 +119,6 @@ FD_2.DRIVER.bin FD_3.ASW.bin FD_4.CAL.bin

`--interface SocketCAN` (the default for the command-line tools) is used to communicate via the `can0` SocketCAN interface on Linux only.

`--interface BLEISOTP` is used to communicate via Bluetooth Low Energy firmware for an ESP32 (Macchina A0), which is available from the following repo: [[https://github.com/Switchleg1/esp32-isotp-ble-bridge/tree/BridgeLEG/main]]

`--interface USBISOTP` is used to communicate via USB with an ESP32 running the BridgeLEG firmware.

Other interfaces supported by `python-can` should be fairly easy to add.
Expand Down
3 changes: 1 addition & 2 deletions docs/patch.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ Patching CBOOT in RAM is much safer and easier for several reasons:
* By patching in RAM, the patch becomes idempotent. We don't need to check whether or not the patch has been applied already, we don't risk the ECU bricking if the end-user reboots the ECU willy-nilly, and we have a lot of opportunity to develop and debug the patch.
* The size of the patch can be made very small, saving painstaking time transferring block data.

For the rest of this exercise, we will use the CBOOT from 8V0906259H__0001.frf . This CBOOT has header information `SC841-111SC8E0` and responds to the CBOOT Version PID with `SC8.1 E0 02 SC8.` We will also use the corresponding ASW, which has software structure/revision `O20`. My recommended approach is to flash 8V0906259H__0001 onto your ECU, patch it, and then flash whatever altered software you would like. To apply this information to another CBOOT and ASW combination, we will need to locate the engineering mode / verification disable functions, which can be located by searching for XREFs to B000218C, we will need to re-locate a suitable nop area to inject our patch, and we will need to adjust the location of the function calls in the patch (to enable supervisor mode, alter the vector table, and so on). To do this, I recommend starting with a disassembly of 8V0906259H__0001 and re-applying the patches accordingly using a disassembly of the other software. Some more automated "needle" based patching is coming as most procedures are quite recognizable, but of course is always fraught with peril.
For the rest of this exercise, we will use the CBOOT from 8V0906259H__0001.frf . This CBOOT has header information `SC841-111SC8E0` and responds to the CBOOT Version PID with `SC8.1 E0 02 SC8.` We will also use the corresponding ASW, which has software structure/revision `O20`. To apply this information to another CBOOT and ASW combination, we will need to locate the engineering mode / verification disable functions, which can be located by searching for XREFs to B000218C, we will need to re-locate a suitable nop area to inject our patch, and we will need to adjust the location of the function calls in the patch (to enable supervisor mode, alter the vector table, and so on). To do this, I recommend starting with a disassembly of 8V0906259H__0001 and re-applying the patches accordingly using a disassembly of the other software. Some more automated "needle" based patching is coming as most procedures are quite recognizable, but of course is always fraught with peril.

Back to patching: we need to learn to load CBOOT into RAM, but this is easy as CBOOT does it on its own. The mechanics are documented line-by-line below, but are really quite simple and consist of resetting the peripheral controllers, resetting the task context base, moving the trap vector, and finally copying the new CBOOT and jumping into it. Because we essentially "stop" the rest of ASW execution, we don't have to be overly careful about where we jump into the patch from, and because most of the code is available to us in CBOOT, we don't have to do a whole lot.

Expand Down Expand Up @@ -83,7 +83,6 @@ If you plan to use this exact hook, please also check you are patching over ASW
808fdd66 d9 ff 00 08 lea a15,[a15]-0x8000 // low half of dest addr
808fdd6a 91 10 00 50 movh.a a5,#0x1 // 0x162FF bytes to copy
808fdd6e d9 55 3f b6 lea a5,[a5]0x62ff // lower half of 0x162FF
LAB_808fdd72 XREF[1]: 808fdd78(j)
808fdd72 09 22 01 00 ld.b d2,[a2+]0x1=>DAT_80022000 // Load data from Flash
808fdd76 24 f2 st.b [a15+]=>DAT_d0008000,d2 // store data to RAM
808fdd78 fc 5d loop a5,LAB_808fdd72 // loop until done
Expand Down
33 changes: 8 additions & 25 deletions docs/windows.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,48 +6,31 @@ If you have an earlier release, [please see the previous documentation version](

# Ingredients

* Supported Hardware: Macchina A0 (instructions for building a clone here: https://github.com/Switchleg1/AMAleg) or Tactrix OpenPort (genuine).
* Supported Hardware: Macchina A0 (instructions for building a clone here: https://github.com/Switchleg1/AMAleg) or Tactrix OpenPort (genuine). Some other J2534 interfaces are known to work, but an extensive compatibility matrix has not been tested.
* FRF files (Flashdaten) - see below.
* VW_Flash_GUI distribution package from ["Releases"](https://github.com/bri3d/VW_Flash/releases) on GitHub.

# Setting up your Hardware

* For Tactrix OpenPort, install the latest OpenPort drivers from here: https://www.tactrix.com/index.php?Itemid=61
* For Macchina A0/homemade clone, plug in your A0 using a MicroUSB cable. Check in the Windows Device Manager for a "Silicon Labs CP210x USB to UART Bridge" device. If it has an exclamation point next to it, download the CP201x drivers from here: https://www.silabs.com/documents/public/software/CP210x_Universal_Windows_Driver.zip and install the drivers using the "Have Disk..." option in the Windows Device Manager.

# Reflashing the A0 (required for genuine A0)

* Open the VW_Flash_GUI application. You should see a command window as well as the application GUI.

<img src="windows_images/main.png" width="700" alt="Screenshot of Main UI" />

* Open the Interface menu and choose Select Interface.

<img src="windows_images/select.png" width="700" alt="Screenshot of Select Interface Dialog" />

* Pick the interface which reads "Silicon Labs CP210x USB to UART Bridge."
* Open the Interface menu again and select Reflash A0

<img src="windows_images/a0.png" width="700" alt="Screenshot of A0 Reflash" />

* Wait for the dialog to disappear. If it does not, check the black command prompt window for errors, restart the application, and try a better MicroUSB cable.
* For Macchina A0/homemade clone, refer to the documentation from https://github.com/Switchleg1/esp32-isotp-ble-bridge/releases/tag/v0.90
* For other J2534 hardware, ensure that 32-bit J2534 drivers are installed (the release versions of VW_Flash are 32-bit as most J2534 hardware still ships with only 32-bit drivers).

# Picking an interface

* Open the VW_Flash_GUI application. You should see a command window as well as the application GUI.
* Open the Interface menu and choose Select Interface.
* To use an A0 over serial, pick the interface which reads "Silicon Labs CP210x USB to UART Bridge."

<img src="windows_images/select.png" width="700" alt="Screenshot of Select Interface Dialog" />

* To use an A0 over Bluetooth, pick the interface which reads BLE_TO_ISOTP.
* To use J2534 / OpenPort, pick the J2534 interface you'd like to use.
* To use an A0, configure the J2534 interface using the Switchleg configuration tool.
* On a non-Windows OS, direct connection to the A0 over USB-serial is still supported.

# Getting information

* It's time to get in the car. Turn the ignition on without starting the engine. Make sure a key is in range. On 2020 model year cars, you may also need to open the hood.
* Click Get ECU Info.
* You should now see information in the information area. If you don't, verify that your A0 has the correct firmware and/or you've selected the right interface. Counterfeit OpenPort cables are not supported and unreliable, and other J2534 interfaces are completely untested.
* You should now see information in the information area. If you don't, verify that your A0 has the correct firmware and/or you've selected the right interface.

<img src="windows_images/info.png" width="700" alt="Screenshot of ECU Get Info" />

Expand All @@ -61,7 +44,7 @@ Create a new folder on your PC to store the files you'll be using. Make two fold

<img src="windows_images/folders.png" width="700" alt="Screenshot of folder" />

First, you need a specific file that VW_Flash will use to unlock your ECU. Please don't get clever and download a different file for this part of the process. Just use the specified file for the Unlock process:
First, you need a specific file that VW_Flash will use to unlock your ECU. Please don't get clever and download a different file for this part of the process. Just use the specified, stock, unmodified file from the VW Flashdaten for the Unlock process:

* If your Boot Loader Identification said SC8, you need `FL_8V0906259H__0001.frf`.
* If your Boot Loader Identification said SCG, you need `FL_5G0906259Q__0005.frf`
Expand Down Expand Up @@ -134,7 +117,7 @@ In your Tune folder, you should have a `FL_XX_XX.bin` file *matching your car*,

* Pick "Open Folder..." and navigate to your Tune folder.
* Pick "Full Flash Unlocked (BIN/FRF)".
* Pick the `FL_XX_XX.bin` file *matching your car*. This example is for a US Golf R which originally had 8V0906259H__0002 on it, so I picked 8V0902659K__0003 as an update. It is critical that you make sure that this BIN either matches your car's software version, or is compatible per the matrix above.
* Pick the `FL_XX_XX.bin` file *matching your car*. This example is for a US Golf R which originally had 8V0906259H__0002 on it, so I picked 8V0902659K__0003 as an update. It is critical that you make sure that this BIN either matches your car's software version, or is compatible per the matrix above. Do NOT pick the file you used to unlock the car.
* Pick Flash.

<img src="windows_images/selectbin.png" width="700" />
Expand Down

0 comments on commit 4cb972f

Please sign in to comment.