prj
Well-Known Member
- Joined
- Jan 14, 2025
- Threads
- 7
- Messages
- 1,755
- Reaction score
- 2,318
- Location
- Estonia
- Website
- www.mapev.net
- Vehicles
- Taycan CT 4 - 2026
- Thread starter
- #1
1. Introduction
This is a post in a series, which will shed more light on some of the inner workings of the Taycan.
You can find Parts 1, 2 & 4 here:
Part 1: MapEV Diag
Part 2: The J1 Powertrain
Part 4: The J1.2 Powertrain
I will try to be as open as possible, but I will not be able to go in depth on some parts due to commercial and legal reasons.
2. Getting started, unsigned software download
The very first thing that must be accomplished is a way to get the full contents of the controller.
This can generally be done through bribes and social engineering, or through expensive destructive hardware probing of the control unit.
The software update packages are AES encrypted and digitally signed using RSA. The symmetrical key must be recovered (see above) as well as an exploit found to be able to flash unsigned firmware into the controller.
Luckily there are ways to bypass the RSA signature check on this controller, that can be discovered given enough time.
Testing is very difficult, because without a development factory ASG every failed test means buying a new controller.
Only once you find the means to run unsigned code on the controller, can any development take place.
The tuners generally do not do that, this is a specific thing that flashtool creators do, or someone finds an exploit and sells it to the flashtool makers for several hundred thousand $, they then resell this to the tuners.
Since I am what you could consider full-stack, and these things don't grow on trees, I had to figure all of this out for the ASG to even begin thinking about developing software:
Someday I might become as great as bri3d and opensource all the code, but that day is not today.
3. The elephant in the room - Warranty
VAG/PAG have a certain tuning detection functionality, which has been in all powertrain controllers already before 2010.
There is a special checksum function, which records the date and mileage that the flash content changes, including the checksum.
ODIS/PIWIS read out this content every time before warranty work is authorized and send it to the VAG/PAG backend. The content is RSA encrypted.
If unsigned/modified software was downloaded to the controller then the car is permanently flagged TD1 and VAG/PAG refuses to pay the dealer for warranty labor and parts.
In the early days the microcontroller only had the main core with it's flash. And because with the flash exploits we had access to the full content of the core, it was enough to find the function, and clear the contents before the container got RSA crypted.
This resulted in a "virgin" or clean slate being sent to the VAG servers. All fine and dandy.
However, with the advent of the newer generation microcontrollers, which have a separate hardware security module or HSM, this is no longer possible without having access to the HSM.
Just getting a flash exploit in the main module does not give you that access. Essentially - you can forget it, all methods for doing this are fairly destructive.
ODIS and PIWIS read out this information from the ASG already. However, the backend servers don't flag cars with modified ASG controllers. Yet.
This can change any day, hence modifying the cars own ASG unit is off the table. Not worth the risk when a battery replacement is 50 grand.
To retain warranty, the unit needs to be "cloned" somehow - leave the original one untouched and fit it back for dealer visits.
4. Cloning the ASG
The ASG has component protection, so you can't just swap it out.
The component protection implementation on the ASG doesn't really do much when it fails. It sets a bunch of faults, but most importantly - it does not initialize the Function on Demand slave.
This is where the first big problem comes in. If you just kill the fault codes in the ASG, and ignore the FoD, then you have the following issues:
I have a fairly strong conviction that nobody who offers cloned controllers actually does this at the moment, and the factory launch control functionality is somewhat compromised as a result (the tool they are using doesn't let them). The rest can be worked around in calibration.
After that there is the problem that the gearbox adaptations and a few other things need to be transferred. For that reason I created the diagnostic app, so that the needed info can be read out from the car, and transferred to the new one. This could also be done with VCDS, but since our cars have a full DoIP compliant gateway inside, it made sense to make the app and use a 5$ cable for the job. And as a bonus you guys get a completely free code scanner, even if you don't want to tune anything. See Part 1: MapEV Diag.
There is another issue with the adaptation transfer though. Unless you want to use an actual car to do all the unlocking and flashing (which is extremely impractical), then you need to create a bench setup with the gateway and some other modules to flash the controllers on the bench. Here is where the next roadblock is hit - it is not possible to write the required data on the bench, because those subroutines want the driven distance to be > 0km. But on the bench this value stays at zero. No idea how many controllers it needs for that not to be the case.
This means reverse engineering the communications stack - finding the locations of the coding/adaptation subroutines and patching the distance checks. And I did.
Finally - I had a working clone process. At this point I had 3 dead ASG's from various test attempts. There is no way to recover them - but mission successful is what counts, right?
5. Cloned ASG - now what?
Before you can even attempt any modifications you need to have an idea what configuration labels are where. And you need to know how it all interacts.
For that once again, you need very good connections to be able to get any of this stuff out of either Audi or Porsche. Usually exorbitant sums of money are involved as well, as you have to pay someone enough that they'd be willing to risk their job to get you the data.
It helps a little when you create calibration level datalogging software that some factory engineers like to use in their spare time when tuning stuff for fun outside of work (www.vehical.net). Opens some doors.
The control unit has tens of thousands of calibratable labels organized in a ton of different software modules responsible for various functions that the ASG performs.
A simpler approach is to compare the various calibrations between each other. E.g. compare the Turbo and the Turbo S and so on. And then just copy-paste the changes over without necessarily having complete knowledge of what they are - essentially modifying a Turbo to have the same torque calibration as a Turbo S.
And this works to a large extent, but you can not get full launch torque due to the inverter launch mode and so on. You do get gains doing this though, and this is mostly what has been really done until now.
6. Datalogging
Unless you want to just mash the % button and call it a day, you need full ram datalogging, or you're working blindfolded. This requires yet another patch to program code, since all of the access is tightly locked down on a production car.
Luckily, this is what I have been doing for a living for quite a while, so I adapted my datalogging software for the car, and the patches I had developed for other Continental/Vitesco control units carried over with minimal modifications.
Now I was a blind man who could finally see. See All the 33000 loggable parameters in the ASG.
This is how I figured out all the inverter and battery curves.
How I figured out that there is a launch mode in the inverters, and unless the ASG tells them it is in launch control, the torque limitation on flexray is lower.
That the launch control does not work 100% when the component protection fails and the FoD slave doesn't run.
And many other useful things.
7. Launch torque - all the time.
My first attempt was a small brained approach - request more torque on the flexray bus than the inverters advertise as available. E.g. try to request the launch torque even though the inverter is not advertising it.
During the first test I immediately had a red complete drive failure message and no drive as soon as I mashed the pedal. The car was completely dead until an ignition cycle.
The ASG was really angry it was not getting the torque that it was requesting. I killed the feedback/monitoring check in the ASG. Now I had no errors, but the car didn't make any more power or torque. The inverters clip the input torque with their internal limitation and do not allow you to run any more than that, no matter what you request. This is of course perfectly logical in a good system design.
Cue a week more of reverse engineering the firmware, and I figured out how the inverters find out about the launch status.
Whenever the ASG enters launch control it sets a bit on the flexray bus. The inverters read that bit and as long as it's set increase their torque limit.
So I took the slightly bigger brain approach and set that bit all the time, no matter what.
That didn't turn out well either...
Turns out not only the inverters read this bit, but also the suspension controller and the traction controller. When I went to test my now medium-brained modification, I realized that the suspension is harsher than in sport plus (feels like car has no shocks), and the traction control is happy to give me plenty of slip. Unless you are a lover of hyper bouncy ride and feeling every pebble of the road, this is a no-go.
Some more development needed to be done. Finally, the big brain approach was born. I modified the flexray handler to set the bit only when the pedal is fully depressed and only in case the ASG does not want to set anything itself to not interfere with the factory launch control.
This worked a treat. Immediate full torque on WOT, and because the dampers get hardened at that moment, and some slip is allowed, the car also has way better acceleration in case of some wheelspin. Beautiful.
The patch is also unique to my development, as nobody on the market was even aware of this until now.
8. Throttle delay
Another detail I noticed - for an EV the car has a significant amount of throttle delay. It takes 0.2-0.4s for the power to fully come in depending on drive mode.
This is caused by a set of modules called "Anti-surge dampers". One is on the powertrain torque path and another on wheel torque path.
They have two tasks:
a) Protect the drivetrain from excessive lash and bucking
b) Add refinement to the driving characteristics of the car
The easy way out is to just disable the torque filtering. However, this results in jerky behaviour in normal driving and is also unnecessarily hard on the drivetrain.
Luckily, the ASG has a special module to combat this throttle delay, which is disabled and not calibrated from factory. The English translation is "unfiltered driver request in case of pre-tensioned drivetrain".
Essentially you set a minimum forward torque and a maximum torque request gradient. If the minimum forward torque is fulfilled (the drivetrain is tensioned) and the torque request gradient (how fast you mash the loud pedal) exceeds the preset value, the filter is bypassed.
After calibration of the modules the end result worked exactly as expected - car drives refined like stock in normal situations, but when you make a sudden throttle change the delay is greatly reduced.
When you tie all this together with setting the launch bit + damper hardening and TC action plus some power increase, the end result is quite impressive compared to stock when you floor the car at speed.
9. Stock vs tuned performance graphs in first gear
This has been a lot of text and a little dry - as this work tends to be. Since I have the actual torque limiters out of the ASG from every variant, I can plot the stock vs maximum possible torque curves.
I have decided to use the maximum inverter limit with my patch (that gives full torque even outside launch control) as the max and the power and torque outside of launch control for the stock figures. This is because launch control is irrelevant 99% of the time. The MapEV website has peak figures for both modes.
I am plotting the curves in first gear from 0-100kph. Any higher does not matter, because every single variant has attained the peak power by then.
Coincidentally this also shows before and after charts (and gains) with my software.
Horsepower is not shown because it depends on the front to rear torque split, and is nearly impossible to get the right numbers with the stock calibration without measuring the actual torques on the front and the rear motor.
With the inverters running flat out, it can be calculated, but I did not include it in this graph, because it isn't very meaningful when you have the graph at the bottom in km/h and two motors spinning at different rpm.
These graphs essentially show you the difference in acceleration at a given speed.
Taycan Turbo S
Taycan Turbo
Taycan GTS
RS e-tron GT
Taycan 4S Performance Battery Plus
Taycan 4S Performance Battery
Taycan 4
e-tron GT
Taycan RWD Performance Battery Plus
Taycan RWD Performance Battery
9. ASG removal video
A lot of you have asked what the ASG swap looks like. Since I am going to sell this commercially, I have made an instructional video with a voiceover.
I'm not a super editor, and my buddy is not a pro videographer, but I think it turned out quite alright.
10. Conclusion
I hope this gives some more insight into what is going on inside the powertrain controller known as the ASG.
I apologize if this is a little bit more advertising heavy, but I do believe that I have a more honest, transparent and better performing product than what what is out there today on the market.
There is a temporary website up for MapEV at www.mapev.net, which will be updated once the professional website is done for the brand.
There are distributors in US, EU, Asia and probably Australia. Just hit us up via e-mail if you are interested in a controller before the full site goes live - then it will all be automated. The system will automatically check the database for ASG data from your VIN and direct you to a payment gateway.
Meanwhile I am working on J1.2 and the goal is to update Part 2 and Part 3 with all the curves as well, but I will need some time. I prefer real results driven by hard data, rather than overpromising and underdelivering.
This is a post in a series, which will shed more light on some of the inner workings of the Taycan.
You can find Parts 1, 2 & 4 here:
Part 1: MapEV Diag
Part 2: The J1 Powertrain
Part 4: The J1.2 Powertrain
I will try to be as open as possible, but I will not be able to go in depth on some parts due to commercial and legal reasons.
2. Getting started, unsigned software download
The very first thing that must be accomplished is a way to get the full contents of the controller.
This can generally be done through bribes and social engineering, or through expensive destructive hardware probing of the control unit.
The software update packages are AES encrypted and digitally signed using RSA. The symmetrical key must be recovered (see above) as well as an exploit found to be able to flash unsigned firmware into the controller.
Luckily there are ways to bypass the RSA signature check on this controller, that can be discovered given enough time.
Testing is very difficult, because without a development factory ASG every failed test means buying a new controller.
Only once you find the means to run unsigned code on the controller, can any development take place.
The tuners generally do not do that, this is a specific thing that flashtool creators do, or someone finds an exploit and sells it to the flashtool makers for several hundred thousand $, they then resell this to the tuners.
Since I am what you could consider full-stack, and these things don't grow on trees, I had to figure all of this out for the ASG to even begin thinking about developing software:
- Acquire the keys
- Find an exploit
- Make a flasher
Someday I might become as great as bri3d and opensource all the code, but that day is not today.
3. The elephant in the room - Warranty
VAG/PAG have a certain tuning detection functionality, which has been in all powertrain controllers already before 2010.
There is a special checksum function, which records the date and mileage that the flash content changes, including the checksum.
ODIS/PIWIS read out this content every time before warranty work is authorized and send it to the VAG/PAG backend. The content is RSA encrypted.
If unsigned/modified software was downloaded to the controller then the car is permanently flagged TD1 and VAG/PAG refuses to pay the dealer for warranty labor and parts.
In the early days the microcontroller only had the main core with it's flash. And because with the flash exploits we had access to the full content of the core, it was enough to find the function, and clear the contents before the container got RSA crypted.
This resulted in a "virgin" or clean slate being sent to the VAG servers. All fine and dandy.
However, with the advent of the newer generation microcontrollers, which have a separate hardware security module or HSM, this is no longer possible without having access to the HSM.
Just getting a flash exploit in the main module does not give you that access. Essentially - you can forget it, all methods for doing this are fairly destructive.
ODIS and PIWIS read out this information from the ASG already. However, the backend servers don't flag cars with modified ASG controllers. Yet.
This can change any day, hence modifying the cars own ASG unit is off the table. Not worth the risk when a battery replacement is 50 grand.
To retain warranty, the unit needs to be "cloned" somehow - leave the original one untouched and fit it back for dealer visits.
4. Cloning the ASG
The ASG has component protection, so you can't just swap it out.
The component protection implementation on the ASG doesn't really do much when it fails. It sets a bunch of faults, but most importantly - it does not initialize the Function on Demand slave.
This is where the first big problem comes in. If you just kill the fault codes in the ASG, and ignore the FoD, then you have the following issues:
- The top speed limitation is reduced. This can be bypassed in the calibration via a configuration label.
- The system torque is set to the first dataset, which causes some cars to be in limp mode and make barely any torque, others run the wrong dataset. Can be bypassed by setting all datasets the same or changing the dataset mapping in the calibration.
- Parts of the launch control do not work correctly. The car enters launch control, the inverters get the higher torque limit and everything is seemingly fine and dandy to the naked eye, however a bunch of differential protection logic, torque loading and slip adjustment logic does not work unless launch control is authenticated in the FoD. But FoD never gets initialized if component protection isn't passed...
I have a fairly strong conviction that nobody who offers cloned controllers actually does this at the moment, and the factory launch control functionality is somewhat compromised as a result (the tool they are using doesn't let them). The rest can be worked around in calibration.
After that there is the problem that the gearbox adaptations and a few other things need to be transferred. For that reason I created the diagnostic app, so that the needed info can be read out from the car, and transferred to the new one. This could also be done with VCDS, but since our cars have a full DoIP compliant gateway inside, it made sense to make the app and use a 5$ cable for the job. And as a bonus you guys get a completely free code scanner, even if you don't want to tune anything. See Part 1: MapEV Diag.
There is another issue with the adaptation transfer though. Unless you want to use an actual car to do all the unlocking and flashing (which is extremely impractical), then you need to create a bench setup with the gateway and some other modules to flash the controllers on the bench. Here is where the next roadblock is hit - it is not possible to write the required data on the bench, because those subroutines want the driven distance to be > 0km. But on the bench this value stays at zero. No idea how many controllers it needs for that not to be the case.
This means reverse engineering the communications stack - finding the locations of the coding/adaptation subroutines and patching the distance checks. And I did.
Finally - I had a working clone process. At this point I had 3 dead ASG's from various test attempts. There is no way to recover them - but mission successful is what counts, right?
5. Cloned ASG - now what?
Before you can even attempt any modifications you need to have an idea what configuration labels are where. And you need to know how it all interacts.
For that once again, you need very good connections to be able to get any of this stuff out of either Audi or Porsche. Usually exorbitant sums of money are involved as well, as you have to pay someone enough that they'd be willing to risk their job to get you the data.
It helps a little when you create calibration level datalogging software that some factory engineers like to use in their spare time when tuning stuff for fun outside of work (www.vehical.net). Opens some doors.
The control unit has tens of thousands of calibratable labels organized in a ton of different software modules responsible for various functions that the ASG performs.
A simpler approach is to compare the various calibrations between each other. E.g. compare the Turbo and the Turbo S and so on. And then just copy-paste the changes over without necessarily having complete knowledge of what they are - essentially modifying a Turbo to have the same torque calibration as a Turbo S.
And this works to a large extent, but you can not get full launch torque due to the inverter launch mode and so on. You do get gains doing this though, and this is mostly what has been really done until now.
6. Datalogging
Unless you want to just mash the % button and call it a day, you need full ram datalogging, or you're working blindfolded. This requires yet another patch to program code, since all of the access is tightly locked down on a production car.
Luckily, this is what I have been doing for a living for quite a while, so I adapted my datalogging software for the car, and the patches I had developed for other Continental/Vitesco control units carried over with minimal modifications.
Now I was a blind man who could finally see. See All the 33000 loggable parameters in the ASG.
This is how I figured out all the inverter and battery curves.
How I figured out that there is a launch mode in the inverters, and unless the ASG tells them it is in launch control, the torque limitation on flexray is lower.
That the launch control does not work 100% when the component protection fails and the FoD slave doesn't run.
And many other useful things.
7. Launch torque - all the time.
My first attempt was a small brained approach - request more torque on the flexray bus than the inverters advertise as available. E.g. try to request the launch torque even though the inverter is not advertising it.
During the first test I immediately had a red complete drive failure message and no drive as soon as I mashed the pedal. The car was completely dead until an ignition cycle.
The ASG was really angry it was not getting the torque that it was requesting. I killed the feedback/monitoring check in the ASG. Now I had no errors, but the car didn't make any more power or torque. The inverters clip the input torque with their internal limitation and do not allow you to run any more than that, no matter what you request. This is of course perfectly logical in a good system design.
Cue a week more of reverse engineering the firmware, and I figured out how the inverters find out about the launch status.
Whenever the ASG enters launch control it sets a bit on the flexray bus. The inverters read that bit and as long as it's set increase their torque limit.
So I took the slightly bigger brain approach and set that bit all the time, no matter what.
That didn't turn out well either...
Turns out not only the inverters read this bit, but also the suspension controller and the traction controller. When I went to test my now medium-brained modification, I realized that the suspension is harsher than in sport plus (feels like car has no shocks), and the traction control is happy to give me plenty of slip. Unless you are a lover of hyper bouncy ride and feeling every pebble of the road, this is a no-go.
Some more development needed to be done. Finally, the big brain approach was born. I modified the flexray handler to set the bit only when the pedal is fully depressed and only in case the ASG does not want to set anything itself to not interfere with the factory launch control.
This worked a treat. Immediate full torque on WOT, and because the dampers get hardened at that moment, and some slip is allowed, the car also has way better acceleration in case of some wheelspin. Beautiful.
The patch is also unique to my development, as nobody on the market was even aware of this until now.
8. Throttle delay
Another detail I noticed - for an EV the car has a significant amount of throttle delay. It takes 0.2-0.4s for the power to fully come in depending on drive mode.
This is caused by a set of modules called "Anti-surge dampers". One is on the powertrain torque path and another on wheel torque path.
They have two tasks:
a) Protect the drivetrain from excessive lash and bucking
b) Add refinement to the driving characteristics of the car
The easy way out is to just disable the torque filtering. However, this results in jerky behaviour in normal driving and is also unnecessarily hard on the drivetrain.
Luckily, the ASG has a special module to combat this throttle delay, which is disabled and not calibrated from factory. The English translation is "unfiltered driver request in case of pre-tensioned drivetrain".
Essentially you set a minimum forward torque and a maximum torque request gradient. If the minimum forward torque is fulfilled (the drivetrain is tensioned) and the torque request gradient (how fast you mash the loud pedal) exceeds the preset value, the filter is bypassed.
After calibration of the modules the end result worked exactly as expected - car drives refined like stock in normal situations, but when you make a sudden throttle change the delay is greatly reduced.
When you tie all this together with setting the launch bit + damper hardening and TC action plus some power increase, the end result is quite impressive compared to stock when you floor the car at speed.
9. Stock vs tuned performance graphs in first gear
This has been a lot of text and a little dry - as this work tends to be. Since I have the actual torque limiters out of the ASG from every variant, I can plot the stock vs maximum possible torque curves.
I have decided to use the maximum inverter limit with my patch (that gives full torque even outside launch control) as the max and the power and torque outside of launch control for the stock figures. This is because launch control is irrelevant 99% of the time. The MapEV website has peak figures for both modes.
I am plotting the curves in first gear from 0-100kph. Any higher does not matter, because every single variant has attained the peak power by then.
Coincidentally this also shows before and after charts (and gains) with my software.
Horsepower is not shown because it depends on the front to rear torque split, and is nearly impossible to get the right numbers with the stock calibration without measuring the actual torques on the front and the rear motor.
With the inverters running flat out, it can be calculated, but I did not include it in this graph, because it isn't very meaningful when you have the graph at the bottom in km/h and two motors spinning at different rpm.
These graphs essentially show you the difference in acceleration at a given speed.
Taycan Turbo S
Taycan Turbo
Taycan GTS
RS e-tron GT
Taycan 4S Performance Battery Plus
Taycan 4S Performance Battery
Taycan 4
e-tron GT
Taycan RWD Performance Battery Plus
Taycan RWD Performance Battery
9. ASG removal video
A lot of you have asked what the ASG swap looks like. Since I am going to sell this commercially, I have made an instructional video with a voiceover.
I'm not a super editor, and my buddy is not a pro videographer, but I think it turned out quite alright.
10. Conclusion
I hope this gives some more insight into what is going on inside the powertrain controller known as the ASG.
I apologize if this is a little bit more advertising heavy, but I do believe that I have a more honest, transparent and better performing product than what what is out there today on the market.
There is a temporary website up for MapEV at www.mapev.net, which will be updated once the professional website is done for the brand.
There are distributors in US, EU, Asia and probably Australia. Just hit us up via e-mail if you are interested in a controller before the full site goes live - then it will all be automated. The system will automatically check the database for ASG data from your VIN and direct you to a payment gateway.
Meanwhile I am working on J1.2 and the goal is to update Part 2 and Part 3 with all the curves as well, but I will need some time. I prefer real results driven by hard data, rather than overpromising and underdelivering.
Sponsored
Last edited:
.
