Pages: 1 [2] 3 4 ... 6
Author Topic: Understanding/retrofitting immobilizer (Updated for Allroad owners/DEATH CODE)  (Read 182097 times)
ddillenger
Moderator
Hero Member
*****

Karma: +641/-21
Offline Offline

Posts: 5640


« Reply #15 on: February 11, 2013, 06:03:36 PM »

Keith-the eeprom I'm referring to isn't the main flash (29f800bb), but rather the 95040 that stores immobilizer data/adaptations/skc. Having the contents of the 95040 as well as the cluster dump would help me identify where the skc is stored in the cluster, and how it interacts with the rest of the systems.

The file I'm looking for (off the ecu) is 512 BYTES in size (very, very small). It is stored on a small SOIC-8 chip on the ecu (labeled 950403, on me7.5 it's on the bottom of the board, me7.1 the top).
Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
keithwbloom
Jr. Member
**

Karma: +0/-1
Offline Offline

Posts: 43


« Reply #16 on: February 11, 2013, 06:21:04 PM »

Keith-the eeprom I'm referring to isn't the main flash (29f800bb), but rather the 95040 that stores immobilizer data/adaptations/skc. Having the contents of the 95040 as well as the cluster dump would help me identify where the skc is stored in the cluster, and how it interacts with the rest of the systems.

The file I'm looking for (off the ecu) is 512 BYTES in size (very, very small). It is stored on a small SOIC-8 chip on the ecu (labeled 950403, on me7.5 it's on the bottom of the board, me7.1 the top).

OK that's what I was investigating at the end of last week when my ThinkPad HD crashed.

I think I understand what you may be looking for, I sure hope we can find it. If I am correct, you are looking for a set of corresponding values in the 95040 (which I located on my spare ECU) that would handshake with the cluster to authorize a key to start the car.

Problem is, IMMO-2 doesn't include the ECU in the mix, and IMMO-3 may use a PIN to recognize the cluster, key transponder and ECU are part of the IMMO loop, but the validation is carried out with a random 4- or 5-digit value sent from the cluster to the ECU and ignition lock sensor that has to be returned to the cluster after being processed by an algorithm that should be identical in all three components. if the three values match (the cluster calculates a return vaule from the same random number it sends to the ECU and ignition lock, then the cluster green lights ignition.

The SKC may have the power to re-scramble that algorithm with every authorized installation as part if its runtime processes. If it does, then the needles we are searching for int he proverbial haystacks are not going to be consistent unless they are searched for in a working cluster eeprom and coordinating 95040 eeprom bin.

When I sent my OE ECU off to J.Fonz to rescue my SC install from the inadvertently applied Tiptroinc bin, I am afraid he may have altered my 95040 eeprom in the process. Or perhaps he didn't, and I will be able to pull it down from the ECU when it arrives later this week.

Logged
ddillenger
Moderator
Hero Member
*****

Karma: +641/-21
Offline Offline

Posts: 5640


« Reply #17 on: February 11, 2013, 06:35:45 PM »

Hmm-it's commonplace for tuners to (for lack of a better word) "tag" the 95040, altering it's contents (even nefmoto does this) but I honestly can't see any of them doing something as irresponsible as erasing the immobilizer data. It's always a good idea to back up the eeprom prior to tuning just in case. When you get it back read it off, the procedure is outlined in argdub's thread (linked here).

Your assumption is correct, I'm looking for some insight into the relationship between the ecu and the cluster. A matching set would make life MUCH easier Smiley
Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
keithwbloom
Jr. Member
**

Karma: +0/-1
Offline Offline

Posts: 43


« Reply #18 on: February 11, 2013, 06:44:57 PM »

Hmm-it's commonplace for tuners to (for lack of a better word) "tag" the 95040, altering it's contents (even nefmoto does this) but I honestly can't see any of them doing something as irresponsible as erasing the immobilizer data. It's always a good idea to back up the eeprom prior to tuning just in case. When you get it back read it off, the procedure is outlined in argdub's thread (linked here).

Your assumption is correct, I'm looking for some insight into the relationship between the ecu and the cluster. A matching set would make life MUCH easier Smiley

Well suffice it to say that at least some magic beans are in the 95040. I flashed the Tip tuned ECU on my desk last week with the bin from my OE 3B0 907 551 DB and it will not start my car now because the IMMO has been triggered. I would have though the Galletto boot mode dump transplant would have made a clone of my OE ECU, but there is some secret sauce to sort out on the 95040 before it will let my horses run. Wink
Logged
ddillenger
Moderator
Hero Member
*****

Karma: +641/-21
Offline Offline

Posts: 5640


« Reply #19 on: February 11, 2013, 06:53:03 PM »

That's the thing. Galletto, nefmoto, etc-all they do is copy the main flash eprom, not the 95040. That's your responsibility to make a backup of (It's not really made that clear). The poor me7.1.1 guys end up with cars that won't start all the time after flashing.
Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
keithwbloom
Jr. Member
**

Karma: +0/-1
Offline Offline

Posts: 43


« Reply #20 on: February 12, 2013, 07:13:13 PM »

So my ThinkPad is back from the dead and better than ever with a new HD and a whole lot more streamlined instance of XP.

I pulled the bin from my spare ECU's 95040 and here it is as png file and a bin file:

And also attached are an edited version where I changed the PIN code from 06909 to 08508. I then took note that the ECU stores the vehicles VIN number and IMMO identification (14 digits) further down the hex starting at 00B5 (the VIN is segmented, starts with WVWRH, and continues at the 00D0 address with 63B54P151235) and stranger still each segment repeats itself in the same starting offset of the following line (00C5 and 00E0).

In the example I pulled from my spare, the IMMO identification starts at 00DC (V) and continues from 00F0 through 00FC. It too repeats itself on the same starting offset ont he line immediately below (00EC and 0100).

I hope I have described the offset addresses correctly, but if I haven't the pictures are worth a thousand pardons.

My problem now lies in the checksum getting messed up when I make the changes. I have loaded the new bin in the EEPROM, and VCDS throws an ECU EEPROM error. I reloaded the original bin to the EEPROM, and the ECU thinks my VIN and IMMO identification are the values from the spare ECU's donor chassis and cluster.

Is there any way to figure out how and where the checksums are in this tiny file? If I were to hazard a guess, I would say they are the last two or three bytes in each line, since the longer data words are getting segmented. Am I correct about this?

Logged
ddillenger
Moderator
Hero Member
*****

Karma: +641/-21
Offline Offline

Posts: 5640


« Reply #21 on: February 12, 2013, 07:17:45 PM »

All you need to know is attached young grasshopper.

 Grin
Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
keithwbloom
Jr. Member
**

Karma: +0/-1
Offline Offline

Posts: 43


« Reply #22 on: February 12, 2013, 07:58:39 PM »

All you need to know is attached young grasshopper.

 Grin

I found a similar utility and it worked beautifully, but there is deeper voodoo to be solved apparently. VCDS now reads the correct VIN and Immo Identification in the Extra Field on scanning, I an have to assume that is a good thing. But the Immo is still actively locked. Something is not matching up.

Logged
ddillenger
Moderator
Hero Member
*****

Karma: +641/-21
Offline Offline

Posts: 5640


« Reply #23 on: February 12, 2013, 08:08:47 PM »

Virgin eeprom dump attached. Writing this to the eeprom will allow you to complete adaptation of the immobilizer as though the ecu were new from the dealer.
« Last Edit: February 12, 2013, 08:50:51 PM by ddillenger » Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
nyet
Administrator
Hero Member
*****

Karma: +608/-168
Offline Offline

Posts: 12270


WWW
« Reply #24 on: February 12, 2013, 08:42:20 PM »

dd: a request: can you edit your OP to reflect another case.. i.e. i want to tune my immo-enabled ecu and preserve the immo (and immo-enabled ECU main flash)

If i understood your pm right: nefmoto is VERY picky about flashing cars with immo enabled. 1) it wont work on a bench 2) it is timing sensitive etc.

So your advice seems to be: back up the eeprom, and overwrite it with immo-off. Tune car (flash reflash etc etc). When done, restore the eeprom, re-enabling the immo.

or, alternately, use a virgin eeprom image (assuming you have one or can generate one), and readapt the ECU

Does this sound right?
Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
ddillenger
Moderator
Hero Member
*****

Karma: +641/-21
Offline Offline

Posts: 5640


« Reply #25 on: February 12, 2013, 08:49:15 PM »

My experience has been removing the ecu from the car, defeating the immobilizer, flashing it, and re-installing it is usually the best way to avoid drama. My 2001, and 2002 are both VERY finicky about flashing in the car-sometimes taking 5-6 minutes to complete a flash, failing multiple sectors, restarts, etc. On the bench, They flash in a consistent 3:00 without fail.

If you want to keep your immobilizer active (keep in mind this is only possible if you are using a flash from an immobilizer equipped car-flashing an m or l-box bin will bypass all immobilizer functions), my advice is to back up the 95040, defeat the immobilizer, flash it, then restore the original 95040 (or use the virgin dump I've attached 2 posts down and complete adaptation as though it were a new ecu).

Backing up the eeprom prior to flashing, then restoring it also has the added benefit of not having it tagged with "nefmto" (not that it matters, but I don't like anything modifying an immo-equipped 95040 for many reasons)

I really hope Tony returns (more than that, I hope he's ok) and approves a subforum for immobilizer/cluster posts. I think with all the questions, it would be beneficial.
« Last Edit: February 12, 2013, 08:55:21 PM by ddillenger » Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
keithwbloom
Jr. Member
**

Karma: +0/-1
Offline Offline

Posts: 43


« Reply #26 on: February 12, 2013, 09:18:36 PM »

Virgin eeprom dump attached. Writing this to the eeprom will allow you to complete adaptation of the immobilizer as though the ecu were new from the dealer.

This sounds like a promising idea. Just put this on the 95040 in the ECU and connect to car, run VCDS IMMO adaptation as if ECU were new? Hopefully that process can be done without the 7-digit SKC...

Josh emailed me earlier this evening that my manual transmission ECU is on its way back. He had to make a whole new definition file, so I am going to be sending my SCAudi.com buddies to talk to him now when they want more WHP.  Cool
Logged
ddillenger
Moderator
Hero Member
*****

Karma: +641/-21
Offline Offline

Posts: 5640


« Reply #27 on: February 12, 2013, 09:27:29 PM »

Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
keithwbloom
Jr. Member
**

Karma: +0/-1
Offline Offline

Posts: 43


« Reply #28 on: February 15, 2013, 10:50:20 AM »

Virgin eeprom dump attached. Writing this to the eeprom will allow you to complete adaptation of the immobilizer as though the ecu were new from the dealer.


Thanks Dazq. This worked brilliantly. No IMMO block on my IMMO-3 equipped Passat once I put this on the 95040. Worth noting, I did no changes to this file, loaded as you have posted it here. Had the same effect as IMMO defeat, VCDS says IMMO not active.

Logged
ddillenger
Moderator
Hero Member
*****

Karma: +641/-21
Offline Offline

Posts: 5640



UPDATE:

I ran into something earlier today I thought I'd share. If it happened to me, it could happen to you.
Allroad owners(and BEL a6 owners as well), pay attention.

Prerequisites:

You've read this thread and understand how to pull your eeprom data.
You have a hex editor

The immo-off files in this thread won't work on the me7.1.1 allroads. If you flash one, you'll get a
p1640, EEPROM error. The only option here is to off your own file. You need to get out your trusty hex
editor, and browse to locations 12 and 22. The values in these locations will be 01, indicating an
active immobilizer. Change these to 02, and you have off'd your file. Chances are you're doing this on a used ecu, now is the time to correct the vin if you'd like. It's location in the eeprom dump is obvious. When you've finished modifying the file, correct the checksums (for simplicity's sake I have attached the tool to do so. Big thanks to the creator, and 360trev for re-writing it.) Flash the off'd file, and you're good to go.

This next part is for those of you that have either:

A: Had APR flash your ecu and turn it into a brick
B: Flashed a file with a bad checksum

If either of the above has occurred chances are you have ended up with p0601, memory checksum error,
and been unable to clear it. No amount of flashing in the world will solve this, the code is stored in
the eeprom, not the main flash. Pull the eeprom bin, and whip out your trusty hex editor. Browse to
offset 1c.



If you have the previously mentioned DTC chances are the value stored in this location (and
right below it in 2c) will be 01, or 33. You need to change these values back to 00 to clear this code.
Afterwards, correct your checksums and flash your fixed file back to the ecu. p0601 will be gone.

Usage instructions for 95040sum:

1. Save the exe into your user directory (C:\Documents and Settings\usernamehere)
2. Place your eeprom bin into the same folder
3. Open up a CMD line, and type: 95040sum (name of your eeprom).bin (desired name of corrected file).bin
4. Click enter

Example:

95040sum eeprom.bin fixed.bin

The checksum corrector, and an IMMO off'd bin compatible with ME7.1.1 is attached.

Big thanks to K0mpresd for allowing me to bounce Idea's off of him throughout this. Appreciate it.
« Last Edit: February 22, 2013, 10:38:21 AM by ddillenger » Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
Pages: 1 [2] 3 4 ... 6
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.024 seconds with 16 queries. (Pretty URLs adds 0.001s, 0q)