Introduction

In this series of blog posts I’ll describe my attempts at modifying the firmware of an Electronic Power Steering (EPS) ECU from a 2010 Volkswagen Golf Mk6. This steering rack is probably present in all VW PQ platform cars, starting from 2008 up to the present day. Cars from the PQ46 platform are still being produced (e.g. the 2022 Passat NMS). This probably makes it one of the most produced EPS modules in the field.

Even though the rack was introduced back in 2008, support for Lane Keep Assist (LKAS), or Heading Control Assist (HCA) in VW terminology, is already present. This makes it possible to use this car with openpilot, an open source driver assistance system. Unfortunately, steering commands are not accepted after 6 minutes of continuous operation or below 50 km/h. At that point you need to disengage for a full second. I believe these measures are counter-productive, and compromise safety when a proper camera based driver monitoring system is already in place. Therefore, I wanted to make some modifications to the firmware running on this EPS to disable them.

During my previous car hacking projects, and working on this VW ECU, I noticed there are very few good resources on the internet that describe the whole process from getting an ECU running on your desk to flashing modified firmware. In this series of blog posts I’ll describe my journey hacking this ECU, including dead-ends and detours. For each part, I’ll also give some context that might apply to other ECUs or other brands.

In this first part I’ll get a second ECU running on my desk, and will establish diagnostic communications. In part two I will fail to extract the firmware from the module, but will find a firmware update file and load that into Ghidra after decrypting it. In part three I’ll describe the actual reverse engineering process, and identify the patches I want to make to the firmware. In the fourth and final part I’ll extract the bootloader from the ECU, and describe the flashing process.

All the code written to communicate with the ECU, and eventually reflash it, is open source and can be found here: https://github.com/pd0wm/pq-flasher. Note that this is a personal project, done on my own time and not related to my work at comma.ai.


Obtaining the parts

The first step to hacking an ECU is to obtain one (or more) of the ECU in question1. For this, we need to obtain the part number. If the ECU is in an accessible place, the part number can usually be read from the module. If the ECU is buried deep inside the car you might be able to find it on the manufacturer parts website or on Ebay2.

Alternatively, if you want to be 100% sure, you can use a diagnostics tool to interrogate the ECU over CAN. Usually, it can directly report its own part number. In this case, the latter method was used, and the part number is: 1K0909144E.

With the part number in hand, we can look for second hand parts. The older and more sold the car, the easier and cheaper this will be. Depending on your location you might have to look on a few websites. In the US I had the most luck with Ebay and LKQ Online. In Europe shipping might make Ebay more expensive than sourcing something local. Just Googling the part number might turn up some results. For this project, I found one on onderdelenlijn.nl, and picked it up a few minutes from my home. I only paid €100 for a whole rack since this is such a common car/part. For more recent cars you can expect to pay up to $200-$500 depending on the type of ECU.

My newly obtained rack in the back of my car

Taking things apart

Now that we have a duplicate of the ECU we’re interested in, we can have a closer look at it. Our first goal is to get it up and running and talking to it over CAN, to ensure it still works. Second, we’d like to connect a debugger to the microcontroller inside to see if we can extract the firmware in case debug access was not disabled3.

To connect to the ECU we have to find the pinout of the connector. This can usually be obtained using the original schematics. Most car manufacturers offer a subscription service to all their manuals and schematics, usually with a cheap 1-day option (e.g. Toyota TIS, Honda Techinfo, and VW Erwin). The premium subscriptions usually also come with the original diagnostics software, which can be used with any J2534 dongle such as a panda or Tactrix.

In this case, after connecting it to a panda and running a simple dump tool, we were presented with some nice CAN traffic. We can match this to the corresponding Golf DBC file and confirm that these are indeed messages sent by the EPS (Lenkwinkel_1, Lenkhilfe_3, Lenkhilfe_1, and Lenkhilfe_2).

hex  ( dec) data
0x0C2( 194) b'0000000080224bdd'
0x0D0( 208) b'44b0002004d0'
0x3D0( 976) b'00a10028005d'
0x3D2( 978) b'52411200010000'
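The matching step can be automated: parse the `BO_` (message) lines of the DBC, parse the dump, and check that every observed ID is defined, that its length agrees with the DBC, and that the DBC lists the same transmitting node for all of them. This is an added example, not code from the post or pq-flasher; the DBC fragment is constructed from the dump above (the node name `Lenkhilfe` and the ID-to-name pairing are assumptions, not copied from the real Golf DBC), and the extra ID 0x3D3 is a constructed frame to exercise the "unknown" path.

```python
"""Cross-check a CAN dump against DBC message definitions."""
import re

# Constructed DBC fragment (IDs/lengths from the dump; names/node are assumptions).
DBC_FRAGMENT = """\
BO_ 194 Lenkwinkel_1: 8 Lenkhilfe
BO_ 208 Lenkhilfe_3: 6 Lenkhilfe
BO_ 976 Lenkhilfe_1: 6 Lenkhilfe
BO_ 978 Lenkhilfe_2: 7 Lenkhilfe
"""

# Constructed dump in the same "hex ( dec) data" layout as the post's tool.
DUMP = """\
hex  ( dec) data
0x0C2( 194) b'0000000080224bdd'
0x0D0( 208) b'44b0002004d0'
0x3D0( 976) b'00a10028005d'
0x3D2( 978) b'52411200010000'
0x3D3( 979) b'00'
"""

BO_RE = re.compile(r"^BO_ (\d+) (\w+): (\d+) (\w+)")
DUMP_RE = re.compile(r"^0x([0-9A-Fa-f]+)\(\s*(\d+)\) b'([0-9a-f]*)'$")

def parse_dbc_messages(text):
    """Return {can_id: (name, dlc, transmitter)} for every BO_ line."""
    msgs = {}
    for line in text.splitlines():
        m = BO_RE.match(line)
        if m:
            can_id = int(m.group(1)) & 0x1FFFFFFF   # DBC sets bit 31 on extended IDs
            msgs[can_id] = (m.group(2), int(m.group(3)), m.group(4))
    return msgs

def parse_dump(text):
    """Return [(can_id, data_bytes)], skipping the header and cross-checking hex vs dec."""
    frames = []
    for line in text.splitlines():
        m = DUMP_RE.match(line)
        if not m:
            continue
        hex_id, dec_id, data = m.groups()
        if int(hex_id, 16) != int(dec_id):
            raise ValueError(f"inconsistent ID on line: {line}")
        frames.append((int(dec_id), bytes.fromhex(data)))
    return frames

def match_frames(frames, msgs):
    """Per frame: (id, 'ok' | 'dlc_mismatch' | 'unknown', name or None, transmitter or None)."""
    out = []
    for can_id, data in frames:
        if can_id not in msgs:
            out.append((can_id, "unknown", None, None))
            continue
        name, dlc, tx = msgs[can_id]
        out.append((can_id, "ok" if len(data) == dlc else "dlc_mismatch", name, tx))
    return out

def transmitters(matches):
    """Set of DBC nodes that send the matched frames; one node means one ECU."""
    return {tx for _, status, _, tx in matches if status == "ok"}
```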

After establishing communication and ensuring the module is alive, we wanted to take a look inside to see what we’re dealing with. However, after opening it up I was presented with a little surprise. The electronics seemed to be fabricated using bare dies attached to some substrate, probably to lower cost and improve reliability at higher temperatures. The board is made up of two parts, a low-power part with the CPU and