Use it at your own RISK.
These tools have evolved significantly. Initially, they were merely scripts for dumping the memory content of my car (Lotus Exige S2). Now, they have the capability to flash nearly all recents Lotus ECUs.
The work of Obeisance and Cybernet has greatly assisted me in understanding how the ECU functions. It saddens me that their work has not found widespread application, perhaps due to its complexity for those less inclined towards computing. I strive to make my approach more user-friendly without sacrificing too much time.
Initially, I had a USB-to-CAN Adapter but lacked a J2534 adapter. If I were to start over, I might consider the J2534 adapter, but for now, I will stick with my cables.
For those wishing to flash a car with a J2534 adapter, the EFI Pseudo Programmer could prove useful.
My car came unlocked from the factory, so I quickly learned how to write to the RAM long before I could flash my ECU using the Factory Method described below.
So at the beginning, I misused the live tuning access to inject another program. This program, known as the flasher, enabled me to flash the entire flash with plain binary data through the OBD Port and CAN-Bus.
Now this flasher is a bit outdated and flashing a car with a CRP file is probably the way to go, but it's still have some advantages over the factory method:
- Works faster with CAN-Bus on older K-Line cars.
- Capable of flashing the bootloader to convert T4e ECUs.
- Useful to read older locked cars.
- Access to the EEPROM.
Since 2008, the CAN-Bus has been used for the OBD interface, providing better and faster data logging.
Therefore, I decided to convert my car by replacing the white cluster with a black one. I purchased one in miles and needed to display kilometers. Refer to the folder cluster-black.
I've implemented various patches to fulfill my needs.
The flasher has been integrated into the bootloader for added convenience. Refer to the folder stage15.
My accusump is now controlled by the T4e ECU. Refer to the folder accusump.
Oil temperature, pressure, and wideband lambda readings are available on the OBD interface. Refer to the folders obdoil and wideband.
Last but not least, the flexfuel patch. This enhances the car's performance by enabling the use of ethanol, providing real horse power! Refer to the folder flexfuel.
These patches are intended as code snippets. For ready-to-use solutions, please contact me.
For those looking to tune their car with a maps editor, a definition file is necessary.
I've spent hundreds of hours creating definition files. The file for the 2008 T4e ECU is available in the folder romraider-defs.
For other cars, please reach out to me.
I've compiled a vast amount of documentation, containing everything necessary to accomplish this task. Processor manuals may not be of interest, unless you plan to undertake some reverse engineering work. However, the T4e pinouts, the T6 pinouts and Lotus OBD codes could prove to be quite useful.
Under CC-NC-SA. You may not use this material for commercial purposes without my approval.
Commercial rights lisenced to Phil's Targed Tuning, FRS performance engineering and VF Tuner.
ECU Updates from Lotus are .CRP files, with some available on the VSIC. Most of them are shipped with the Lotus TechCentre or Lotus Scan 3.
It's important to note that the structure of the .CRP files underwent a complete change in 2008.
The T4 and the T4e ECUs on Lotus vehicles equipped with white dashboards (Instrument Cluster) have a bootloader split into 2 parts: Stage 1 and Stage 2.
Stage 1 can update Stage 2 and is enabled only if the CRC of Stage 2 is incorrect.
Stage 2 accepts an encrypted .CRP file and can update itself, the calibration, or the software. It only allows writing via K-Line, with no reading capability.
Destination addresses are not verified, making it possible to write a program to the RAM and take control by poisoning the stack. Therefore, reading is indirectly possible.
The T4e/T6 ECUs found in black dashboard cars feature a different bootloader compared to those with white dashboards.
This bootloader employs CAN-Bus (500 kbit/s) for reprogramming, accepts an encrypted .CRP file and can update the calibration, software, or EEPROM. It only allows writing via CAN-Bus, with no reading capability.
Destination addresses are verified, eliminating the possibility of writing to the RAM. In the case of T6, destination addresses are replaced by a number.
I'm using this term to describe whether the ECU has enabled live tuning access.
If the ECU is unlocked, it allows reading and writing of any values in the main CPU memory space through this live tuning access feature.
Since the maps are copied into the RAM at startup, it becomes possible to edit the maps while the engine is running.
Most of the white dashboard cars are unlocked, but this access has been definitively locked on the black dashboard version.
It's possible to re-enable it with a JTAG/BDM access or a modified .CRP file.
Some recent T6 software versions limit access to the RAM only and display the calibration version on the instrument cluster.
The Python 3 interpreter with the pyserial module, the python-can module and a compatible CAN-BUS adapter.
For the K4, T4 and locked T4e white dashboard, a K-Line adapter is also needed. To enter the bootlooder with the VAG-COM adapter, the L-line must be grounded.
The Korlan USB2CAN is a very good cable and I recommend it. It's just a little bit more complicated to install it (it requires additional module and a DLL).
The CANable (with slcan firmware) is straightforward to use, but I've encountered some packet loss issues. This is likely due to a firmware bug that occurs when a large amount of data is being transferred.
The CANable (with CandleLight firmware) is better, but it necessitates the use of another version of python-can (gs_usb).
The IXXAT USB-to-CAN Adapter is easy to use and reliable but expensive.
The Raspberry-Pi + CAN-Hat is cheap and you can use it as a BDM-Programmer, but it's not really reliable. The MCP2515 has only two receive buffers and the linux driver for it doesn't implement HW-Filtering (patch ?). This leads to packet loss, especially for old versions (Like V0078, V0080) of the white dash (1 Mbit/s). Old version of the ECU firmware loads the CAN-Bus at 100% with data for the cluster, so HW-Filtering would be a big improvement!
The cable, I use:
Note: You do not need a such complicated cable if you have an unlocked ECU or a 2008+ car. You would only need the CAN-Bus part.
Command line examples are in the documentation folder.
You have to open the "calrom.bin" file of your dump.
It's crucial to understand that the memory of the ECU is divided into three parts: The bootloader, the calibration, and the program.
If the bootloader is erased, you will have no other choice but to open the ECU to flash it again.
The live tuning access is facilitated by the main program. Therefore, if you use this access to flash the ECU, think twice before erasing the program.
The ECU appears to boot fine without a valid calibration, so erasing this part is relatively safe. However, the car won't run in this case.
I've encountered numerous times that a freshly programmed ECU throws this error. The engine starts, runs for 1 or 2 seconds and die, then an OBD scanner reports the P0340 error.
In the T4e, the car model is stored in the EEPROM at 0x7C0. If you flash another tune, the ECU will detect it and set a flag. To address this, I recommend filling the EEPROM from 0x7C0 to 0x7E0 with zeros, as an unprogrammed ECU would be.
In the T6, the car model is stored in the coding area from 0x01C020 to 0x01C040
For the safety of the drive-by-wire throttle a second processor is involved.
The T4e bootloader will update this processor if the following conditions are met:
- String "HC08CODE" at 0x021FE0
- Value 0xAAAAAAAA at 0x021FE8
- Pointer to 9kb firmware at 0x021FEC
Once the update is successfully completed, the 0xAAAAAAAA will be changed to 0x22222222. The process is very similar for the T6 ECU, but at address 0x040080.
The bootloader uses another encryption key and the unlock magic word differs. However, the rest is very similar.
The bootloader uses another encryption key and communicates using the other CAN-Bus (PIN RH3 and RH4) at 500 kbit/s.
The live tuning feature is configured on the same interface but at 1 Mbit/s.
The unlock magic word still involves 4 bytes, but they are spread throughout the calibration and not contiguous at the end.
The CRC algorithm is altered to produces non-standard values and is stored in the middle of the calibration.
Setup example on Windows:
For the Korlan adapter, run "python -m pip install pywin32", install the Korlan Driver and copy the CANAL DLL into your python installation directory.
It's the factory method described above.
Locked ECU have only an update access, so a handcrafted CRP file is uploaded. This special CRP file won't modify your ECU, but will make it crash in a way to take control of it. Once the control is taken reading is possible.
Both cables are connected to the OBD connector of the car using a Y splitter.
Unpack a CRP file, unlock the calibration and finally repack it. Always check the CRC before modifying anything, to make sure everything is OK.
The tuning of the calibration is also possible before repacking the CRP.
Choose a software that match your car (Supercharged, Injector size, ...).
Follow the example "Unlock an original CRP file", to get the unlocked "XXXXXXXX_TAB.cpt" and "T4E_MY08_BIN.cpt" files. It's also possible to use the "calrom.bin" and "prog.bin" files from another ECU.
Then follow the example "Dump a locked white T4e ECU (2006-2007)" to get into the ECU. If you have a unlocked ECU, you can use a shortcut and use the function "Inject T4e Custom Flasher Program" instead (No VAG-COM adapter needed).
Make a complete backup of your ECU ("calrom.bin", "prog.bin", and "bootldr.bin").
Flash the ECU, using the "Erase", "Program" and "Verify" functions:
Note 1: The bootloader of the 2006 is not the same as the 2008 one. But it can start the 2008 software without any problem (Same entry point in "prog.bin").
Note 2: Turning the key off, does not shutdown the ECU when using the "Flasher". Use the "Reset ECU" function, or disconnect the battery.
Note 3: Without modifications the 2008 software is not compatible with a white instrument cluster!
The Live Tuning allows you to test quickly modifications on a running engine. I misuse RomRaider for this purpose, hence the name of "The poor man's live-tuning".
In the below example, the idling speed is adjusted with the engine running!
All changes are temporary (only in RAM) and go lost when you turn off the ECU.
My email is my nickname at hotmail dot com.