Re: [opendiag] Re: 'Master' key questions

From: <ajcarter@...>
Date: Fri Aug 12 2005 - 20:27:57 CEST

Hi guzzi,

Yeah things are good, work is too busy, way too busy. Too much time spent
dealing with stupid customers who shouldn't even own a calculator let alone a
network.
Hope things are better with you!

Right, here's what I've been playing with:

Immobiliser ECU
Engine ECU
Master key

I have no original key, and don't know the keycode (though the previous owner is
trying to find it)
These are from a 155, M2.10.4 ignition. The setup is the same as the M1.5.5 that
I need it to work for bar the engine ecu.

The chip that's in the master, hmm if it looks the same as the normal keys, then
there must be something different. There is something inside that chip. It'd be
interesting to get the signal from the transponder round the barrel ->
immobiliser ecu on a scope, see how/if it changes each time.

If you read the emergency starting procedure, you can enter the code with the
accelerator pedal - the pot on that only links to the engine ecu. Now this can be
used when the key is faulty/goes flat, etc so as far as the transponder is
concerned it receives nothing. The immob ECU receives nothing. So the engine ECU
alone, must know whether it is wrong or right to permit starting.
So in theory if you could get power to the right components, and knew the master
code you could start the car with no key.

I did sniff some traffic between the immobiliser ecu -> engine ecu at different
data rates, but nothing obvious.

I want (need) to run a second ecu I can play about with different maps on,
ideally.

I've ripped apart the immobiliser ecu, no eeproms :( all processor based. I got
the numbers off it:

>Logo: Texas Instruments, markings:

B69249
(C)1995 TI
RD200510FN
61A82VW
W

IIRC 11 pins each side, multilayer board makes it harder to track certain pins.
I've no idea.

I've got an eeprom programmer and proc programmer, but I need to know what chip
it is first otherwise can't really make a start on it! (or at least I can't get
my dad to pull the binary from it )

Debugging that proc is the only way to go, as this is going to be the easiest
device to crack. I could also read the M2.10.4 eeprom and try and debug the
entire management ecu just to crack the immobiliser checking... but I'd rather
do it from the immobiliser end to run a 'bodged' one.

These are fiat based links, but these look the same system:

http://codeman.org/fiat.html
Claims to need both ECUs to set to virgin state.

Entry 14th October:
http://www.injectioncorrection.co.uk/newsedit/news.htm

Looks like the original unit with their badge on it. They claim to just need the
immobiliser ecu.

Now I'm guessing they've managed to get an image of the virgin state processor.
Bastards.....

Also if you look at the diagnose documents you can read the state of the
immobiliser:

0 No code received or link interrupted
1 Code unknown or not recognised
2 Erroneous key code
3 Virgin ECU
4 Engine starting not permitted
5 Universal code received
6 Separate line used

So, universal code as well, hmm

I've tried various things, but I can only wire the immobiliser I have to the
M1.5.5. (wrong ecu), as I cannot talk to the M2.10.4 ecu :( that would make
things a bit easier as well....

I want to start by getting the code, and see what can be done then...

maybe I'll come back to this tonight after a few beers & strong coffees..

Are you on msn? or voip? might be easier to talk about some stuff as I hate
typing after doing it all day..

Cheers

> Hi Adam,
>
> How's things?
>
> I've done my usual and took a couple of days off the rest of the
> work that I should be getting on with and had another glance over
> this immobiliser thing, hence my recent post.
>
> I've purchased a lockset that includes a master key and transponder
> and 3 'normal' keys. Two of these 'normal' keys are the new Alfa type
> with the built in alarm remote. They can be split apart to change the
> battery which also means I can see the type of transponder that they
> are using - and it's the same one as the master key!?! Obviously
> then, something else has been written into the memory of the master
> key to make it 'special' and also contain, either directly or by some
> mathematical function, the bypass or emergency code that you were
> describing. I have an ECU set and master key from EBay (as you know)
> and the chip in that key is the same as your picture. The new keys I
> have are also the same except for being the latest version
> (PCF7931AS). That chip is now discontinued and the datasheet is no
> longer available for download but I've made a request for it anyway.
>
> I had always been under the assumption that the codes for ALL the
> keys for the car were stored in BOTH the main ECU and the immobiliser
> ECU, but, last night I discovered that this is not the case. The
> immobiliser certainly stores all the car's key transponder codes but
> the main ECU only has the master key. When a key is used to start the
> car the immobiliser ECU checks to see if it is valid, if it is then
> it sends its memorised master code (encrypted) to the main ECU. If
> that compares correctly to its stored value then the car will go.
>
> I share your goal to find a way to reset both systems to use a
> different master key, especially as I do not have one for my own
> car. I think the next reasonable plan of attack is to examine the
> immobiliser ECU's eeprom and then try loading/unloading different
> keys into it to get a feel for how the data is stored, but for that
> I'll have to go and buy an EEPROM programmer :( .
>
> Keep up the good work I know you're doing and I'll try and answer
> your emails/posts a bit more promptly - mind you being the lazy
> b*stard that I am I wouldn't count on it ;)
>
> Cheers
>
> Guzzi
Received on Fri Aug 12 11:32:20 2005

This archive was generated by hypermail 2.1.8 : Wed Jan 02 2008 - 00:56:04 CET