VW PQ35 EPS flasher

This repository contains tools to reflash a PQ35 VW EPS. It also contains some useful libraries that deal with the TP 2.0 transport layer and abstract away the KWP2000 diagnostics protocol.

See the related blog series for reference.

Read this first

Procedure

Dump the existing firmware

Dump the existing firmware + calibration using CCP. Technically it’s possible to use the update files to skip this step, but this ensures the exact same firmware is flashed back. This needs to be done using a direct connection to the EPS, and can’t be done through the OBD-II port since there is a gateway that blocks the CCP addresses. For example, this can be done using a J533 harness.

This step takes about 15 minutes. Store the output in a safe location in case you ever want to restore the original firmware. The dump script will also output the current firmware version.

./01_dump.py --bus 0 --output firmware/orig.bin

Connecting using KWP2000...
Reading ecu identification & flash status
ECU identification b'1K0909144E  2501\x00\x00\x00\x00------EPS_ZFLS Kl. 184    '
Flash status b'\x00\x1b\x0f\x00--------.--.--'

Connecting using CCP...
  0%|▏                       | 928/393215 [00:02<16:24, 398.35it/s]

Apply patches

The patching script will change the minimum speed to 0 km/h, change the HCA timer, and fix the necessary checksums. It verifies that it is patching the right firmware version based on the version string, and checks the existing values before changing them. These patches should be tested on a spare ECU first if you don't want to risk bricking the EPS in your car.

./02_patcher.py --input firmware/orig.bin --output firmware/patched.bin --version 2501

Flashing

You can choose to flash back the whole firmware, but this is not recommended since this takes about 10 minutes, and can risk bricking the ECU if you apply the wrong patches. By default the flasher script will only overwrite the calibration area that contains the values we actually changed.

2501 FW

./03_flasher.py --bus 0 --input firmware/patched.bin

[READY TO FLASH]
WARNING! USE AT YOUR OWN RISK! THIS COULD BREAK YOUR ECU AND REQUIRE REPLACEMENT!
before proceeding:
* put vehicle in park, and accessory mode (your engine should not be running)
* ensure battery is fully charged. A full flash can take up to 15 minutes
continue [y/n]y

Connecting...

Entering programming mode
Done. Waiting to reconnect...

Reconnecting...

Reading ecu identification & flash status
ECU identification b'1K0909144Y  2501\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00EPS_ZFLS BB        \x00'
Flash status b'\x00\x1d\x11\x00--------.--.--'

<...>

Transfer data
100%|███████████████████████▌| 4080/4096 [00:06<00:00, 618.70it/s]

<...>

3501 FW

The 3501 firmware has two calibration areas, but only the one from 0x5D000 to 0x5DFFF needs to be reflashed.

./03_flasher.py --bus 0 --input firmware/patched.bin --start-address 380928 --end-address 385023
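
A partial flash only writes the bytes inside the address window, so any patched byte outside it would never reach the ECU. The following check is an added example, not code from this repository: it diffs the original and patched images and rejects the flash if a change falls outside the window. It assumes that file offset equals flash address and that the start and end addresses are inclusive; the function names and the sample images are constructed for illustration.

```python
# Added example: assumes file offset == flash address and an inclusive
# --start-address/--end-address window (both assumptions, not from the repo).

def changed_ranges(orig, patched):
    """Return inclusive (start, end) offsets for each run of differing bytes."""
    if len(orig) != len(patched):
        raise ValueError("images differ in length; a patch must not resize the dump")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(orig, patched)):
        if a != b and start is None:
            start = i                      # a run of changes begins
        elif a == b and start is not None:
            ranges.append((start, i - 1))  # run ended on the previous byte
            start = None
    if start is not None:                  # run reaches the end of the image
        ranges.append((start, len(orig) - 1))
    return ranges


def check_partial_flash(orig, patched, start_address, end_address):
    """Raise if any changed byte lies outside the window that will be flashed."""
    ranges = changed_ranges(orig, patched)
    if not ranges:
        raise ValueError("patched image is identical to the original")
    stray = [(s, e) for s, e in ranges if s < start_address or e > end_address]
    if stray:
        where = ", ".join(f"0x{s:X}-0x{e:X}" for s, e in stray)
        raise ValueError(f"changes outside the flash window: {where}")
    return ranges


def demo():
    """Constructed images (not real firmware) checked against the 3501 window."""
    orig = bytes([0xFF]) * 0x60000
    patched = bytearray(orig)
    patched[0x5D010:0x5D012] = b"\x00\x01"   # constructed change inside the window
    patched[0x5DFFE:0x5E000] = b"\x12\x34"   # second constructed change, at the window's end
    accepted = check_partial_flash(orig, patched, 0x5D000, 0x5DFFF)
    patched[0x1234] = 0x00                   # constructed stray change outside the window
    try:
        check_partial_flash(orig, patched, 0x5D000, 0x5DFFF)
        return accepted, None
    except ValueError as err:
        return accepted, str(err)


if __name__ == "__main__":
    print(demo())
```
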

Flash whole file

To flash the whole firmware use:

./03_flasher.py --bus 0 --input firmware/patched.bin --start-address 40960 --end-address 393215

License

Code in this repository is released under the MIT license.

USING ANYTHING FROM THIS REPOSITORY IS AT YOUR OWN RISK!