NefMoto

edc15vm+

presently i'm trying to decode how the immobilizer works.

The ECU sends a message on the CANBUS at id 010h
If the key is inserted, then the instrument cluster replies at 011h id and the car can be started. But if the correct key is not inserted, then the reply by instrument cluster at id 011h is wrong and the ECU sends another message at 010h id, to which also the reply is wrong and this repeats for some time after which immobilizer warning is activated and car cant be started.

this is a log from my car with correct key:

010;3E;18;F4;FC;F4;E9
011;F9;21;9B;0D;04;BA

another log:

010;BB;DD;B0;5B;F9;61
011;34;B7;4F;8F;34;65

The transponder in the key has a code stored in it. That is used by the instrument cluster to reply to the ECU.
How i think it works:
-ECU and cluster both have the code which is stored in the transponder.
-ECU sends a seed at id 010h
-cluster does some math with seed and transponder code, and replies at id 011h
-if correct key is inserted, the seed-key matches and car can be started.

can anyone confirm?
also can anyone give any pointers as to the math done by the cluster? Ive tried XOR,and,or but no success.

If you started reversing the ECU code already, then it makes sense to find out there what exactly is happening.
Find CAN routines, find how 010 and 011 are handled.

Depending on what you're trying to achieve, it might be way easier to immo off than to reverse the whole algo.

hi
thanks for the input
 
ive started disassembly of the ROM and have identified most of the subroutines but im not able to identify WFS routines as there is no document available. Has anyone done it on the me7? cause i believe they share the same immo algo(ive swapped diesel and petrol clusters with no issues, hence immo algo must be same on both ECUs)

regards and sorry for the late reply,was busy disassembling...

Haven't bothered with immo routines themselves, but I think I have most of the CAN communication reversed. At least I was able to produce custom packets and so forth. :)
So I suggest you start with CAN communication routines and find out where and how are those immo packets handled. In fact, I might later on check my binary for them as well.

I was relying heavily on CAN IDs from the FR. If there's a similar document for the EDC, you can try searching for known packet IDs, their contents - and build your idb around that. If it's not as documented, you probably can still try and utilize info from the ME7 - as I'm fairly sure that CAN communication is more or less standardized even between different ECU families.

nihalot I dont understand why your going to such lengths to know what exactly what immobilizer is doing??Just curious as immobilizer could be very easily disabled to matched without much tools or knowledge.

I applaud the technical curiosity.

The "I just want it fixed now, I don't care how it works" mentality is not always a good thing.

i wish i was smart enough to understand all of it. it is all so very interesting.

Dude thats how i feel all the time I'm on here.

I want to design a remote start/stop system and i don't like the idea of disabling immo/keeping key under dash.
so I'm going to have a "man in the middle" attack on immo(using a MCU on canbus).


appreciate the compliment.

regards

thanks for your help, I was able to identify how the canbus messages are handled and have identified the immo message routine also...

I had to use a RAM dumper made by @john9357 and we were able to see how the message ids 0x010h and 0x011h were handled by the ECU

regards

You don't need to have a physical key under dash all you need is the immobilizer pill next to the antenna/reader.This is how it's supposed to be done.But ok if that's what your set on keep at it.


Sent from my iPhone using Tapatalk

That is a workaround.
You loose immo functanality by doing that...

I'm also interested in this.

What about ordering this one

https://www.aliexpress.com/item/Top-Rated-VAG-Drive-Box-OBD2-OBD2-IMMO-Deactivator-Activator-for-Bosch-EDC15-ME7-VAG-IMMO/32592032879.html?ws_ab_test=searchweb0_0,searchweb201602_4_10065_10056_10068_10055_10054_10069_10059_10078_10079_10073_10017_10080_10070_10082_10081_421_420_10060_10061_10052_10062_10053_10050_10051,searchweb201603_1&btsid=5f806a45-e44b-4c5e-854e-994480c71d42

and check how it works? There are also IMMO Emulators over K-Line

https://www.aliexpress.com/item/VAG-IMMO-Emulator-Free-Shipping/32294068109.html?ws_ab_test=searchweb0_0,searchweb201602_4_10065_10056_10068_10055_10054_10069_10059_10078_10079_10073_10017_10080_10070_10082_10081_421_420_10060_10061_10052_10062_10053_10050_10051,searchweb201603_1&btsid=5f806a45-e44b-4c5e-854e-994480c71d42

Only one little ATTiny onboard, algo could not be too hard.

If these could bring us further i will buy them for learning purposes. I can record the signals with CAN / K-Line logger or with LA / Oscilloscope if necessary. :)

Cheers

But who cares?
Immo off the ECU, build in the immo pill so the cluster is happy.
Then add a custom code routine to allow or not allow start based on a condition YOU specify.
You can make it as difficult as CAN or you can make it as simple as an analog input to an unused pin of your ECU from your keyless controller.
Hell, you can even do it without any code in the ECU by just shorting the RPM signal to ground with your MCU if the key is not found - but that will produce a DTC.

Your approach is an extreme waste of time for absolutely no reason...

Well, his approach has at least one legit reason - learning c167 asm. :)

Me.


also, to learn what engineers at bosch thought when they designed this system.


I think these work by turning immo off, not by emulating the key or the dashboard.
I logged the ram on my ecu and saw the area which contained ids 10 and 11(these are used for immo) Then you can trace which part of the program writes to these ram locations, and you will have the code for immo algo. I did this on the edc15.
let me know if you need any help..
regards

I am just curious about the following:

The cluster will send the correct 011h answer when it sees a valid transponder.
Does it actually use a value programmed in the transponder to generate the right response?
Or does it simply check if the transponder ID is stored in its list, and then generate the correct answer based on the other immo data (like CS, MAC, PIN, STATUS) ?


Rgs H2Deetoo

I don't know how the transponder is handled as i haven't disassembled the instrument cluster...
Does anyone have any info on the micronas chip in the instrument cluster? I would like to disassemble it's firmware...
Regards

Well, we know the transponder itself is not really needed, I mean the ecu can validate the correct answer only using its 6 bytes CS (and MAC and/or PIN perhaps).
So the rest is don't care as far as this immo challenge goes.


Rgs H2Deetoo