DIY Immobilizer Hacking



Here’s how to hack into your car’s engine immobilizer to program new keys in the event of lost keys or a swapped ECU.

This tutorial video demonstrates how you can reset the engine immobilizer in your car (be it in the ECU or a separate transponder ECU in the dash). This will clear the EEPROM chip of all previously stored keys and “virginize” it to accept new keys. When the ECU is first powered up, it will go into Auto-Programming mode, and accept any keys that you insert into the ignition.

Full DIY PDF writeup available for download here:

https://mega.nz/#!q9pBCSSL!ckwyyjeJNNic0pT3KLWt1E95LbBUzX96skoyaZgk0RM

Modern cars use a key with an embedded RFID chip as an added means of theft prevention. The key is read by the computer and if it matches, it will enable all systems to start the car. If the key does not match, the car will only crank but not start.

The immobilizer system presents a barrier to many owners when it comes time to swap out a bad ECU, or if you lost all the master keys and can’t program new keys.

While taking the car to a dealership or locksmith is an option, it will get expensive because you are at their mercy.

The tools required are fairly basic: three 4.7K ohm resistors, three 5V zener diodes, and a computer with a serial port. To connect the 8-pin EEPROM chip to the computer, you’ll either have to solder hook-up wires to the pins or get a Test Clip for onboard programming.

PonyProg, a free serial device programmer, was the software used to read information from the serial port and “dump” the EEPROM’s contents. The immobilizer uses HEX programming. Each key has a unique 8-digit HEX code. There are also bits to indicate key count, enable programming mode, and valet lockout.

The HEX dump is edited to remove the old keys and rewritten to the chip. When reconnected to the car, the ECU will be in auto-programming mode and will accept new keys as per the procedure below:

1. Briefly insert any key into ignition lock cylinder and remove immediately. The security light should illuminate and remain on.

2. Insert first transponder key into ignition lock cylinder for registration. DO NOT TURN ON. The security light should remain on for 3-5 seconds then go off. After security light goes off remove the first key from ignition. Security light should come back on and remain on indicating you’re still in programming mode.

3. Insert second transponder key into ignition lock cylinder for registration. DO NOT TURN ON. The security light should remain on for 3-5 seconds then go off. After security light goes off remove the second key from ignition. Security light should come back on and remain on indicating you’re still in programming mode.

4. Insert third transponder key into ignition lock cylinder for registration. DO NOT TURN ON. The security light should remain on for 3-5 seconds then go off. After security light goes off remove third key from ignition. The security light should extinguish and then commence to blink regularly.

5. Wait 30 seconds for the programming cycle and programming mode to close.

The first two keys are internally (inside the ECM) designated as MASTER keys and the 3rd key inserted will be internally designated as the VALET key.

This procedure should work on many Toyota and Lexus vehicles from the 1990s to early 2000s. Newer Toyota/Lexus/Scion cars have a separate transponder ECU under the dashboard instead of having the EEPROM store key info in the ECU. The procedure is similar, though before key programming a handshaking procedure must be performed between the Transponder ECU and the Engine Control Unit by shorting two wires on the OBDII port for 30 mins.



Post time: Oct-24-2017
