DIY Immobilizer Hacking
HTML-код
- Опубликовано: 22 мар 2019
- This video was originally posted on my speedkar99 channel but has been moved to speedkar100 channel.
Here's how to hack into your car's engine immobilizer to program new keys in the invent of lost keys or a swapped ECU.
This tutorial video demonstrates how you can reset the engine immobilizer in your car (be it in the ECU or a separate transponder ECU in the dash). This will clear the EEPROM chip of all previously stored keys and "virginize" it to accept new keys. When the ECU is first powered up, it will go into Auto-Programming mode, and accept any keys that you insert into the ignition.
Full DIY PDF writeup available for download here:
mega.nz/#!q9pBCSSL!ckwyyjeJNN...
Modern cars use a key with an embedded RFID chip as an added means of theft prevention. The key is read by the computer and if it matches, it will enable all systems to start the car. If the key does not match, the car will only crank but not start.
The immobilizer system presents a barrier to many owners when it comes time to swap out a bad ECU, or if you lost all the master keys and can't program new keys.
While taking the car to a dealership or locksmith is an option, it will get expensive because you are at their mercy.
The tools required are fairly basic, three 4.7K ohm resistors, three 5V zener diodes, and a computer with a serial port. To connect the 8-pin EEPROM chip to the computer you'll either have to solder hook-up wires to the pins or get a Test Clip for onboard programming.
PonyProg, a free serial device programmer was the software used to read information from the serial port and "dump" the EEPROM's contents. The immobilizer uses HEX programming. Each key has a unique 8 digit HEX code. There are also bits to indicate key count, enable programming mode and valet lockout.
The HEX dump is edited to remove the old keys and rewritten to the chip. When reconnected to the car, the ECU will be in auto-programming mode and will accept new keys as per the procedure below:
1. Briefly insert any key into ignition lock cylinder and remove immediately. The security light should illuminate and remain on.
2. Insert first transponder key into ignition lock cylinder for registration DO NOT TURN ON. The security light should remain on
for 3-5 seconds then go off. After security light goes off remove the
first key from ignition. Security light should come back on and remain on indicating you're still in programming mode.
3. Insert second transponder key into ignition lock cylinder for registration DO NOT TURN ON. The security light should remain on
for 3-5 seconds then go off. After security light goes off remove the second key from ignition. Security light should come back on and remain on indicating you're still in programming mode
4. Insert third transponder key into ignition lock cylinder for registration DO NOT TURN ON. The security light should remain on
for 3-5 seconds then go off. After security light goes off remove third
key from ignition. The security light should extinguish and then commence to blink regularly.
5. Wait 30 seconds for the programming cycle and programming mode to close.
The first two keys are internally (inside the ECM) designated as MASTER keys and the 3rd key inserted will be internally designated as the VALET key.
This procedure should work on many Toyota and Lexus vehicles from the 1990's to early 2000's. Newer Toyota/Lexus/Scion cars have a separate transponder ECU under the dashboard instead of having the EEPROM store key info in the ECU. The procedure is similar, though a hand-shaking procedure must be performed between the Transponder ECU and Engine Control Unit before key programming by shorting two wires on the OBDII port for 30 mins.
Reference material:
qcwo.com/technicaldomain/worki...
www.spyderchat.com/forums/show...
www.locksmithcharley.com/toyot...
Link to Etsy shop where you can purchase speedkar99's brother's socks, t-shirts or hoodies:
www.etsy.com/ca/shop/Speedkar
Check out the speedkar99 Facebook page:
/ speedkar9
Check out the speedkar99 Linkedin page:
/ speedkar99
Follow speedkar9 on Instagram for behind the scenes coverage:
/ speedkar9
Subscribe for more videos just like this:
ruclips.net/user/subscription_...
![DRAGON BALL: Sparking! ZERO - Fused Warriors Trailer [BUDOKAI TENKAICHI Series]](http://i.ytimg.com/vi/84p4Lvyfyes/mqdefault.jpg)
I know you probably won’t read this, but despite the pandemic, I was able to commit in doing this and saving my car from street parking! You’ve saved lives with these videos. You’re a hero, thank you for the content. Amazing work, I can’t thank you enough.
That’s amazing dude, I just started watching this out of interest
can you share what hardwareyou used to connect to the chip?
I'm hoping to use a USB connector like the C341a, and since it uses different software I can't be sure why it's not connecting
@@mrkazman sorry mate, I used the serial port and I don’t exactly know if it’s possible for the USB port, I used PonyProg which is the video above’s program, serial port and whatnot.
I'm confused how it saved lives!
@@mrkazman requires an serial port capable of 12v communication levels. this is what the zener diodes and resistor do (clamp voltage down tp 5v TTL) If you use a USB to serial cable, you have to adjust the circuit to the new (lower) voltages and is dependent on the USB serial chip. Like this guy, I also just use an old computer with a proper serial port but in my case, it happens to be an old laptop. Since then I have simply built a custom serial USB adapter.
Well that's all it takes. Looks like you need to just start a business doing this because I'm sure that almost nobody has a clue even after watching your video so maybe you could help some people out? Least I know I'm still lost. Lol
Same hahaha
😂😂😂😂😂
TRUE!!
You are so right , but I will sub to learn whaterver I can from this channel,😊
Hey man, just wanted to let you know that thanks to your hard work and documentation, I just successfully did this on my 1998 LS400.
I used an EZP2019 programmer and it's own software. I ended up having to remove the chip and resolder, and even then I couldn't get a proper read(locations of all the code were correct, but a bunch of repeating numbers that weren't logical. Even the valet lockout code was completely different), and it wouldn't write(I probably torched it taking it off). I bought a replacement chip for 30 cents and ended up just zero'ing and putting in the lockout code exactly like yours and it wrote/verified fine, so I tried it out and sure enough, it worked!
For 16 months I had a paperweight in the garage that I was repeatedly told by dealerships, shops and locksmiths continent wide(actually called 50+ locksmiths across North America) that it was impossible to do. Finally after some further research I came across you and now I've got my baby back.
Thank you so friggin much. Seriously, you have my utmost gratitude.
I'm a mechanic and that's exactly the car that I'm working on right now, 1998 Lexus LS400 I swapped the ECU used from a junk yard, now I'm trying to figure out how I can program the key to start the car, one local key smith don't want to do it, the 3rd I'm waiting an answer, little bit more research from myside and I will try to do this myself.
You're just an all-around great mechanic aren't you thank you for your work you save me a lot of research
This is way too advanced.
This guy is good.
🤔 "something tells me to disconnect the battery when dealing with the ECU" 😂
Very detailed videos, thank you for the hard work 😏
You are welcome.
Didn’t understand a word. But it was fascinating! Mans a genius.
Hahahaha me too
Just that immobilizer have a memory of key, he wiped the memory of old keys
Dude, great video!! I'm just discovering your channel, just watched your other video on AC compressors. Really digging your channel, instant subscribe 👍
Thanks for subbing
You’re a solid teacher! Though it gets above my head eventually.
Question.. Do you really have to reprogram a new manu replaced virgin ecu ?
I’m in a all keys lost 04 Toyota Sequoia in a rural area with the only locksmith in the region having failed to be able to reprogram orig ecu after multiple trips out trying. Dealer (which is over hr away) says Control Module, Amplifier, and new keys all need replaced for this model Seq .. for a fortune.
1 Can I just plug in new toy manu ecu and new keys and program keys and go??
2 Do I really need to change out amplifier?
Thanks
LMFAO at end of video - --- and that's all it takes haha your too smart
Lmaoo this guy, right?
Nice, i love your channel Speedkar100. Simple to understand.
Thanks and make sure you check my main channel, speedkar99
This video is well done but it includes a major error that need to be corrected in order not to mislead readers into a frustrating experience. The included electrical schematic for a homemade EEPROM reader do not work. The software (Ponyprog) does not recognize this homemade circuit as a serial communication device. The for immobilizer hacking shown in this video will work only with the use of professionally produced EEPROM reader and there are lots of those on the market.
VERY useful hack there. Requires a little prior knowledge of computers and electronics, but this is thebest one by far ❤
Yup, MAD soldering skills being of the utmost importance!
Thanks for taking the time to make these videos.
Welcome
this is great and you are a good instructor, I am impressed, is there any thing different with the 02 Altima ecm and what about the bcm on this model , thank you plz guide me with this car .thanks again
not planning to do this, but I enjoyed (and shared) the video w some electro-friends
I swear it’s easier to just swap the eeprom chips from the old ecu to the new one. I’ve done it before on voltswagons. You just need micro solder tools. Just the mini heat gun. Done in 20 min
Dope video nice to see all the values in their places for sure. But are familiar with how you would edit the chip to be a NONE IMMO or (Ready to start, as they call it in some ecu programers)
Noticed this is a secondary channel after looking at your sub count. How many channels do you have? Awesome content on both.
Speedkar99 speedkar100 and speedcar9 so far...why?
Hello,i would like to ask in 3:59 of video about the numbers of keys.FF means no keys,FE=1 key,and value FD is both for 2 and for 3 keys and this confuse me somehow.Otherwise the counting of keys number looks like one's complementary.
The eeprom reader actually showed a value of FC (see video at 3:20 or 3:26) for the number of keys (3), so it was just a typo error in the video.
Awesome work!
You’re a dangerous man. Impressive.
Great info, how can i get info or books to understand how you interpreted the memory data ?. Thanks in advance
Great Video speedkar100, have you ever used this procedure on a Volvo car? Say from 2000 to 2007?
Some questions. How do know if you have a master key before doing this? Does the ecu automatically make a key master then after the second one the third becomes a valet? What if the only key I have is a valet? Will this work? And lastly, do you need 3 keys? Or can it be done with just one key? Thanks
Going by the extra blink when you insert the valet key
Awesome video, does this work on mercedes vehicles aswell? If so im tearing apart my ecu this weekend.
My car is Daihatsu Sirion 2007.
Can you explain the procedure for a separate transponder module and ECU?
Should the pins on OBD II be shorted for 30 minutes or 30 seconds and should they be shorted during the key coding procedure?
There should be eeprom chip in transponded module, might work as in video.
But if you are swapping ecu for used one it might also been paired with immo, then there should be chip in ecu also for pairing. But this is my theory.
Trying to follow this tutorial. I created a serial port to USB adapter. It's coming up in device manager, but ponyprog keeps saying probe failed. I created the eeprom reader exactly how you did except for USB. What do I do? I have a GS300
Thank you sir, very big help
well explained will certainly follow and subscribe
I bought 3 new keys but thanks to a newbie at Ace Hardware putting a hole through one of them, I now only have two new keys which include the Lock/Unlock, Panic buttons. Will it allow me to program only 2 masters?
I hope it will work in my mazda's rx8 transponder module.
Having wiring harness and and modules in room with me preparing to swap, and sudently immo does not respond for key that was programmed.
Your crazy bro but I like how smart you ate brother keep on keeping on
My 2002 R50 mini cooper.lost keys.Is it a good idea to grab ecu,bcm,key,barrel n door lock from another R50.
Hi, when selecting from device, it shows me microwave 16 eeprom and 8, both have 9356. Which one should I use for a mitsubishi outlander 2007? Thanks.
Thanks very helpful.
Great video.
Great video. Would this work on older B5 Audi's.? On hot days, the immobilizer light flashes and car won't start.
Nice explain,very good , thank you
You are welcome
very informative ideas how to repair and program immobiliser i want to learn about that
very good video, in short time alot information
Thanks
Great video.
1. Something is not clear to me though. The value 0xFC at offset 0x4C means there are 252 keys stored in the eeprom. The eeprom's capacity is 256 bytes.
2. Can you program just a single key?
Yes one key will work. I believe you just exit out of the system when you've finished
@@speedkar1005 How?
@@fernandohood5542 What worked for me to end programming with a single key was: After the key was inserted, removed, then inserted again for 5 seconds, I had to push the brake pedal 5 times. This was on a 2001 Highlander. I was able to use an EZP2023 programmer with a chip clip the last time I programmed it (at one point I removed the chip from the board due to connection issues and wanting to experiment, but the final flash was done with the chip in circuit via clip).
Could you just run a jumper wire from somewhere on the EPROM to the code wire returning to the ecu, feeding itself its own code bypassing the amplifier all together?
Never been in snow. This is way advanced.
very intersting video tnx bro
Ok. So i have original ecu, an original key fob but new ignition switch and new keys with no programming. I pulled out the ecu (an Delphi MT38) thinking i can just take the entire IMMO chip off and have the truck start the old fashioned way. But don't know which chip to pull. There's only 2 ..8 pin chips on the board. And one in the key fob. Numbers don't match.
I also have the old ignition switch assembly with transponder ring.
So could I just put the old transponder ring on the new ignition switch and will it start up like that with the new keys. I'm thinking it will work but one roadblock may be the signal from the new keys and their chip maybe blocking comms.
Nice dude! Where do you get this information from, where the data is saved, how it is encoded and so on?
Trial and error
is this the same process for all makes of cars ? im looking to do Audi
I have IS300 ECU (2JZ) with the same chip 93c56 , if i zeroed all the values will it work on non-immobolized key .. because i've installed the engine in GX81 1988 which have no immobolized key .. engine crank but not starting because of this immo thingy
Very cool video. I need help.
I wanted to try that with Hyundai Santafe 2005. But guess what? Couldn't locate the eeprom on the ecu. There are no 8pin chips on the foreside of the ecu. The underside has eight 8-pin chips. Non of which I'm convinced is the eeprom.
I am about to check for transponder ecu for the eeprom.
My worry is this; is the eeprom in the transponder ecu? If so, can I use the same procedure to reprogram the eeprom? Is any of those small 8-pin chips on the rear side of the ecu the eeprom? Does this method works with Hyundia? If not, what can I do.
Yes it can be in the transponder unit like the newer Toyotas
Is there a way I can wipe the codes so that I don’t need the key reader or anything? So the ecu enables without a key? Using a in a track car.
My 06 caravan , the wires in the plastic ring surrounding the keyhole, those wires were pulled from the immobilizer box... id like to solder a wire into the box and run the wire arounnd the keyhole. Theres 2 metal "posts" off the chip. Id like to confirm thats where the wire ends get hooked.
Class 1: you will be taught better in the next class.
Next Class: This Video. 😢
Hey there I have a mitsubishi lancer se 2012 I want to change my immobilizer to a different one and program a new keyfob can I do it with this method or am I screwed.
Will this work for a 1999 Porsche 911 Carerra C2?
This is that brilliant man
hi, does this work with a benz-c lass 2003?
Great job bro! where did you go to school at? i wish i stayed in there a little longer when went. i was young and probably bbad timing in my life. any way great job bro keep up great work
I’ve been having a problem with my Honda prelude 2001 type sh not starting.. it looks like it has a bad ecu. I don’t have the original keys any help would be appreciated
Great 👍 job!
can you hack the values in the eeprom and use the data to reprogram a new rfid chip?
Hi, thanks for the video, very helpful.
Can anyone confirm if the keys on all eeprom's repeat 3 times?
I seem to have code only repeating twice.
Thanks.
Have any info how the smart key version would differ from this rfid version? thanks
Thanks man! This is awesome! Do you know if it's possible to flash using a CH341A ?
Not sure what the capabilities of that are
@@speedkar99 Thanks for the reply! I actually managed to program it using a CH341A although it doesn't officially support it. For the rest your steps helped a lot. You rock!
How did you manage to write 93CXX with CH341? There are only 2 options 24XXX and 25XXX. In what slot do you put it?
can you help me out on how u used ch341a to program ? what O.S did u use windows 7 or Linux ? what slection on the program did u use?
Sweet! SAVED!
Awesome!
Great video. Although my technical skills are not good enough to even attempt it. I just picked up a 99 Avalon xls, with the Toyota theft deterrent system in it. Would you do this on my car for a fee?
I don't work on others cars sorry
@@speedkar1005 i get it. I dont either lol. Cool vid
hello i did swap the existing ecu eprom to new ecu but the car won't start. is it i need to copy out the eprom code and write it to new ecu eprom chip only it able to work? the car is kia forte year 2010. thank you
Nice information
At 03:33 .. that looks more like 2.5 BILLION combinations... (you say million)
thanks very much
thank you, fixed my car
Is there a USB version of that EEPROM reader you recommend? I don't have a computer with a serial port. All I have are USB ports.
I'm late, but you can get a USB to serial adapter for $5-$10
@@2987ms yep I just made the eeprom reader as he did but I soldered directly to a serial port to USB adapter.
This is really awsome. How can I add another transponder who can receive a remote signal from a remote key to turn on the engine. Like a transponder who has a relay in serices and that relay activates with a remote signal say from 20 ft away from the car. Basically turn on the car remotely.
You might as well get a cellular adapter and connect your relay to that.
Need help please. Everything worked but only had 2 keys to program after that light never went off and kept flashing and wouldn’t start. Do I have to have 3 keys?
do u need 3 keys or can u do it with only 1 or 2?
Once in auto-registration mode, can the ECU learn an used key, or does it have to be a brand new key?
Based on the video, it looks like the ecu is being cleared completely, so an used key should work. The ecu basically have no memory at all, and any thing is 'new' in its point of view.
question: i'm playing around with 2003 lexus is 300 ecu
my plan was to program in a transponder into the eeprom, this is what i have so far
when i put this transponder into the ZED BULL i get
7E 71 40 00 00 03 9F 00 00 E5 E7 7E 00 00
but that same transponder registers as
8E 02 C0 F9
in the toyota/lexus eeprom
Might be, that immo is coding key, hashing it, or something like that.
Way code validation often works in programming, we take code hashing it, so nobody could just copy paste it into system (or decode in matter of web passwords)
But this is only my theory from web programming.
Thanks for info that i might cannot use my one immo chip from one car to program other tho.
Hi, how exactly would this work on newer 2007 Toyota Matrix? This car has both ECU and Transponder ECU. Where would I try to get EEPROM data from? You say on newer vehicles the procedure is similar but you need a handshaking procedure between transponder ECu and Engine ECU, how is this accomplished?
By shorting pins 4 and 13 obd for 30 min
Thanks so much for responding!! Would I still need to pull EEPROM dump from ECU? Or just short out pins, wait 30min and then program new keys (All previous keys were lost)
Do I still need to viginize EEPROM? Is the key code data located on EEPROM in ECU or transponder ECU? Please help if you can
@@mikel7631 did you ever figure this out I have the same problem and can find no information
IC900 is it same with the IC902? seems theres no ic900 on a 1hdfte 2006 ECU
How easy would it be to just remove the immobilizer so it starts with whatever? Our car is old and its just bothersome.
Will this work on nats/ivis immobilizer systems?
You are very advanced,
thanks
I'm replacing secondhand ECM on my car Hyundai Santro Xing Key not matching help me please. I'm already read EEPROM data.
Hallo. For EU cars - so the IC900 on the transponder ECU must be programmed - correct? But the Engine ECU still are with the old key-codes - correct? My LandCruiser Prado is blocked, bought a used set of keys, lock, transponder and Transponder ECU - but the Engine ECU does not accept the code from the Transponder ECU.
So, resetting the Transponder ECU like shown, will lead to Engine ECU accept Transponder ECU?? Thank you, you surely my last help. Car is in between 10weeks at the repair shop.
I removed the ECU on my 2014 Scion FRS located behind the glove compartment. I took it apart and can't find that chip you pointed out. I have the wires and chip reader ready. All I have to do is find that chip. Do you have any idea if it might be on another part?
I know this is a month old but did you pull the ECU or the transponder ECU
@@shookdarts4247 do you need to programme both or just the immobox?
Any ideas how to do this to my 2000 murcery mountaineer and do I need a acuall key cut or how can I do this from scratch
Not familiar with Ford's
How do you end the sequence if you only have two keys? Zeroing is 00 or ff?
will it work if you replace the coil ring and key from another car
Super difficult! But thanks💪🏼
For anyone wondering this is a very specific method that is only applicable to this environment. This is not how ever system works nor will most of this information generally help you in anyway towards other applications. Great vid for this specific application though.
Thanks. There's alot of cars they use this method
Definitely a cool trick
Toyota used a nearly identical system in most of their vehicles for just shy of a decade. This worked in my 1999 and 2000 4runners and to my understanding, would work in many other cars. But yes, this is not applicable to significantly newer toyotas, or something from another manufacturer with it's own unique software. However, the basic concept of programming an eeprom memory chip can be applied to dozens of car models and manufacturers for all kinds of different functions.
Does anyone know if you can code an lkp02 transponder via tango or other programmer as master? so no ecu programming necessary as the transponder code for master is static?
It's probably a bit to late to get a reply, but using this method could you just dump the original ECU's eeprom and write it to the replacement ECU?
Yes, you could.
Yes
what about Subaru WRX 2014. does this apply? thanks
Do you do this for others at a charge of course? I've watched your video 5 times and yet, I cannot find a way to connect my computer with no serial port to the car. I"d be afraid to blow up the PC.
I have a 2003 Avalon with all keys lost and already bought the new chip key from Toyota dealer. I'm looking at who to send the ECM to program the key, or do a "Immobilizer defeat"
hey did it work out
"Immobilizer hacking" no shit. No click bait here! You're brilliant. Not sure I can recreate the process shown here, but boy was this interesting.
"Thats all it takes to hack into your immobilizer in case yoh lost all your keys." Yeah, just have a 'state of the art' computer with an external board 😂👍👍🙌
Hahaha good call. State of the art indeed
Hi, 2003 Toyota Sequoia Limited, try for 6 months but immobilizer no longer recognizes original/any keys. Will this work for my suv?
My 2003 has chip reader ring on ignition switch, immobilizer ECU in dash above radio, ECU behind the glove box.
I new your a smart 1 thank you so much.
I'm texting from north iraq kurdistan city erbil.
I got the same issues with outlander mitsubishi 2017 right now same sh.
So my question can i do the same with it as the ECU has just been replaced.
Thank you.
Bad ass video!
what about the VIN # from the replacement ecu. it won't match your own. so what about that issue?
Can you link to a USB programmer that I can use thats compatible with this chip? I don’t want to wire my own circuit.