Introduction: DIY: Immobilizer Hacking for Lost Keys or Swapped ECU


Here's how to reprogram your car's engine immobilizer to accept new keys in the event of lost keys or a swapped ECU.


Disclaimer:

The engine immobilizer is a security device. Use the information provided here in a legal and appropriate manner.

Introduction:

Modern Toyota and Lexus vehicles use a key with an embedded RFID chip as an added means of theft prevention. The key is read by the computer and if it matches, it will enable all systems to start the car. If the key does not match, the car will only crank but not start.

This engine immobilizer system presents a barrier to many owners when it comes time to swap out a bad ECU, or if you’ve lost all the master keys and can't program new keys.

While taking the car to a dealership or locksmith is an option, it could get expensive because you are at their mercy. What follows is a cheaper method you can do yourself to “virginize” your ECU to accept new keys.

Step 1: Overview of the Immobilizer System

Here’s an overview on how the immobilizer system works on older Toyota and Lexus vehicles.

When you insert the key, a coil near the ignition ring picks up the RFID signal from your key and sends it to an amplifier. The amplifier then decrypts it and sends it to the ECU. Inside the ECU is a 93C56 EEPROM chip (IC900) that stores the key values. If the key code matches the stored values, the engine will start.

On newer Toyota and Lexus vehicles, the transponder ECU is a separate unit and it’s housed under the dashboard.

The reason for separating the Transponder ECU, with the EEPROM storing the keys, from the Engine Control Unit is that in the event of lost keys, it would be cheaper for a dealership to replace the Transponder ECU than the Engine Control Unit. However, its location under the dash means you will have to remove the entire dash pad. The procedure for reprogramming is similar; however, you will have to short two wires on the OBDII port to perform a hand-shaking procedure between the ECUs to program new keys.

Step 2: The Hardware

Here’s what the immobilizer system components look like.

Here’s a closer look inside the transponder amplifier.

To demonstrate the immobilizer reprogram, I’ll be swapping ECUs on my 1999 Toyota Solara with one from a 2001. Therefore my current keys won’t match what is in the new ECU.

Step 3: Open the ECU

To be safe, pull the battery so you don’t cause any harm when unplugging the ECU.

In most cars the ECU is located behind the glove box.

Here’s the ECU behind the glove box. It’s got 5 electrical connectors on it and is held in by two 10 mm nuts on the brackets.

When you open up the ECU, we’re going to be looking for IC900.

It’s a 93C56 EEPROM chip, surface mounted with 8 pins.

Step 4: Programming Hardware

This is where you need to get a programmer to connect the chip to your PC. You can either buy a USB programmer from eBay or make your own to communicate to the serial port. In my case, I made my own, using this EEPROM circuit.

The components required are fairly basic: three 4.7K ohm resistors, three 5V zener diodes, and a computer with a serial port. To connect the 8-pin EEPROM chip to the computer, you'll either have to solder hook-up wires to the pins or get a test clip for onboard programming.

Note: This is the same circuit for programming the odometer’s EEPROM:

https://www.instructables.com/id/Odometer-Reprogram...

Using a test clip helped a lot during prototyping.

However the clip doesn’t have a good grip on the SMD chip so I chose to solder wires directly to the leads of the chip.

If you do have problems reading and writing from the chip, you have to short the crystal on the board.

Here’s the setup, with the computer connected to the ECU via the EEPROM circuit on a prototype breadboard.

Step 5: Reading From the EEPROM

PonyProg, a free serial device programmer, was the software used to read information from the serial port and "dump" the EEPROM's contents. First go to Setup under Options.

Select SI Prog I/O, COM 1 and then press Probe to check that the reader is communicating to the software.

Then select the device as 93C56 MicroWire EEPROM.

Click Read Device to dump the EEPROM’s contents.

The content should appear as an array of HEX characters. Each key has a unique 8 digit HEX code. There are also bits to indicate key count, enable programming mode and valet lockout.

Step 6: Immobilizer HEX Dump Decoding

Here’s a breakdown of an EEPROM dump. After a lot of experimentation, it was observed that there are three distinct keys. Each key is an 8 digit HEX value, repeated three times. It is split across two groups of four, but there is symmetry in their positioning within the dump.

With 8 digits, each taking one of 16 HEX characters, there are 16^8, or about 4.2 billion, different key combinations.

Looking on the right side of the EEPROM dump, there are three noteworthy HEX clusters.

The Valet Lockout should be kept as is, FB DF 5A 69. Erasing this will only allow you to program one Valet key, and then you’re stuck.

The virginize keys are values that are “10” in the original dump but must be changed to “00” to tell the computer to go into auto-programming mode.

The Key counter is a number count, in inverse HEX, of how many keys are currently stored in the ECU. This must be zeroed as well.

Here’s a look-up table to invert HEX. It’s pretty much 0 to F and F to 0 backward.

Step 7: Write the Virgin Dump to the EEPROM Chip

All other characters in the EEPROM dump must be changed to 00 to “virginize” the chip. In PonyProg, to do this, click Edit Buffer Enabled.

Then click on any HEX character to edit that value.

Everything is zeroed (except for FB DF 5A 69), and you have your virgin dump.

You can then write to the chip.

And then proceed to replace the ECU back in the car.
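
A wiped immobilizer EEPROM has a recognisable signature, which helps when checking a second-hand ECU or investigating suspected key reprogramming. The script below is an added example, not the author's code: it classifies a 256-byte 93C56 dump against the state this step describes. The function names, the byte-swapped search and the sample offsets and key bytes are assumptions made for illustration.

```python
"""Classify a 93C56 immobilizer dump: virginized, blank, erased or populated."""

EEPROM_SIZE = 256                          # 93C56 is a 2 Kbit part = 256 bytes
VALET_LOCKOUT = bytes.fromhex("FBDF5A69")  # value the article says to keep


def swap_words(data: bytes) -> bytes:
    """Swap the bytes of each 16-bit word (8-bit vs 16-bit read order)."""
    out = bytearray(data)
    out[0::2], out[1::2] = data[1::2], data[0::2]
    return bytes(out)


def classify_dump(dump: bytes) -> dict:
    """Report the state of a dump without assuming where the marker sits."""
    if len(dump) != EEPROM_SIZE:
        raise ValueError(f"expected {EEPROM_SIZE} bytes, got {len(dump)}")
    if all(b == 0xFF for b in dump):
        # Untouched replacement chip: 93Cxx parts erase to all ones.
        return {"state": "erased", "marker_offset": -1, "nonzero": []}

    marker_at = -1
    # Assumption: a tool reading 16-bit words may show each pair swapped.
    for marker in (VALET_LOCKOUT, swap_words(VALET_LOCKOUT)):
        marker_at = dump.find(marker)
        if marker_at >= 0:
            break

    # Blank out the marker, then list every byte that still holds data.
    rest = bytearray(dump)
    if marker_at >= 0:
        rest[marker_at:marker_at + len(VALET_LOCKOUT)] = bytes(len(VALET_LOCKOUT))
    nonzero = [i for i, b in enumerate(rest) if b]

    if nonzero:
        state = "populated"      # key records or counters still present
    elif marker_at >= 0:
        state = "virginized"     # only the lockout value survives
    else:
        state = "blank"          # zeroed, lockout value included
    return {"state": state, "marker_offset": marker_at, "nonzero": nonzero}


def sample_dump(populated: bool) -> bytes:
    """Constructed sample; the offsets and key bytes below are invented."""
    dump = bytearray(EEPROM_SIZE)
    dump[0x20:0x24] = VALET_LOCKOUT
    if populated:
        dump[0x04:0x08] = bytes.fromhex("A1B2C3D4")
        dump[0x30] = 0x10
    return bytes(dump)


if __name__ == "__main__":
    for name, dump in [("wiped", sample_dump(False)), ("in use", sample_dump(True))]:
        print(name, classify_dump(dump))
```

The `nonzero` list gives the offsets that still hold data, which is where to look when comparing against a known-good dump from the same ECU model.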

Step 8: Key Programming

Key Programming:

When reconnected to the car, the ECU will be in auto-programming mode and will accept new keys as per the procedure below:

1. Briefly insert any key into ignition lock cylinder and remove immediately. The security light should illuminate and remain on.

2. Insert the first transponder key into ignition lock cylinder for registration. DO NOT TURN ON. The security light may blink, indicating it has accepted the key. After 3-5 seconds remove the first key from the ignition. Security light should remain on, indicating you're still in programming mode.

3. Insert the second transponder key into ignition lock cylinder for registration. DO NOT TURN ON. The security light may blink, indicating it has accepted the key. After 3-5 seconds remove the second key from ignition. Security light should remain on, indicating you're still in programming mode.

4. Insert third transponder key into ignition lock cylinder for registration. DO NOT TURN ON. After security light goes off, remove third key from ignition. The security light should extinguish and then commence to blink regularly.

5. Wait 30 seconds for the programming cycle and programming mode to close.

The first two keys are internally (inside the ECU) designated as MASTER keys and the 3rd key inserted will be internally designated as the VALET key.

As a test, when you insert a MASTER key, the security light should stop blinking right away. If you insert a VALET key, the security light will remain solid for 2 seconds and then go out. If the security light does not stop blinking, that key is not programmed to the car.

Step 9: Conclusion and Reference Material

Compatibility

This procedure should work on many Toyota and Lexus vehicles from the 1990's to early 2000's. Newer Toyota/Lexus/Scion cars have a separate transponder ECU under the dashboard instead of having the EEPROM store key info in the ECU. The procedure is similar, though a hand-shaking procedure must be performed between the Transponder ECU and Engine Control Unit before key programming by shorting two wires on the OBDII port for 30 minutes.

Reference material:

http://qcwo.com/technicaldomain/working-with-immob...

http://www.spyderchat.com/forums/showthread.php?44...

http://www.locksmithcharley.com/toyotapostflash.pd...

ToyotaNation DIY Writeup:

http://www.toyotanation.com/forum/103-3rd-4th-gene...

Full PDF download of the procedure:

https://mega.nz/#!q8ojjSoQ

Comments

justindunner (2016-11-27)

Thank god I found this info. This pointed me in the right direction. I had trouble understanding a few things, but I found those on http://obdplanet.com and another called http://revimmo.com or something. They are basically whole sites explaining how to turn off the immobilizer.

Beans38 (2017-07-18)

Hi, can you please help me with more info regarding explaining how to turn off the immobilizer.

The links you suggested don't seem to work.

I will appreciate any help

Thanks

nothanksok (2017-05-16)

Hello, any help on the 2011 Toyota Camry immo reset for the type 4 93C66 EEPROM? Also, I only had gotten 1 key with the car, cut but not programmed. Thanks

jayches (2016-07-12)

Great Instructable, saved me $300 and a day without a car! Just a few minor clarifications that might be helpful to others:

0) Instead of tracking down zener diodes for the programming adapter, replace those with two clamping diodes in series "pointing from ground to 5V", so the anode of the first one is at ground, the cathode/anode of the junction is the signal, and the cathode of the second is +5V. The function of the Z1-Z3 zener diodes on your diagram is just to clamp the RS232 voltages from going negative, or more than +5V positive. Regular signal diodes (1N914, etc.) are easier to find.

1) PonyProg has two 9356 programming modes, MicroWire8 eeprom (which reads the immobilizer eeprom but won't write correctly), and MicroWire16 eeprom mode, which reads and writes correctly and is the one you want to use!

2) I noticed the D0 (pin 4) waveform looked funny with 3 voltage values, so I lifted that one pin and wired directly to it (with very fine wire), signals looked binary once again (soldered it back down when finished programming). SMT work isn't for the first-timer, so these instructions may not be for everyone.

3) I used your initialization values FB DF and 5A 69 as the only non-zero values after the edit, but mine were different than those initially, and the instructions aren't clear on this point, but yours work, which is the main thing.

4) For some reason, the website for PonyProg and others repeat that a USB serial adapter (I use FTDI) won't work (recommending a PCI adapter, which I notice you used in an old motherboard here). The FTDI USB adapter worked fine; it may have issues with different memory devices, but it worked fine for this.

5) Should lastly note that there doesn't seem to be a way to program fewer than 3 keys at the last step - the ECU stays in programming mode with the security light solid on until the third key is inserted. Most replacement locks are sold with two, so be sure you have three before launching that programming step! I used a key for a totally different Toyota just to complete; valet keys seem pretty useless anyway, which is how we ended up here in the first place!

I told my daughter (whose car this was done to) to be nice, or I'd set her odometer to 980,000 using the other instructable. That other instructable would help explain how the 3 out of 6 cars we looked at had mileage that was many 100K miles lower than the respective Carfax last recorded mileage showed.

You did great detective work on this, thanks again!

FabrizioV7 (2016-12-29)

Hi Jayches, could you explain better the question of the diodes?

I don't have zener, your suggestion could be really helpful for me!

Thanks

Dovi90 (2016-09-09)

I'm getting a write fail message. Do you have any ideas why?

speedkar9 (2016-11-14)

I got this sometimes too. You have to double check all your EEPROM connections to the serial port.

Depending on the ECU you might have to program it out of circuit.

AllenS59 (2016-08-07)

Would it be easier just to solder a new chip into the board?

speedkar9 (2016-11-14)

Yes but you still would have to program it.

DrewBarker (2016-11-07)

I lost the key to my 98 Camry and the dealership is trying to charge me $600 to $3,000. I am going to try to do this. I do have a question though. Where can I download the program you have on your computer?

Zohan65 (2016-10-29)

Hi. I have a Toyota corona verso 2005.

I lost one key and broke the other key :-)

Reconstructed the broken key but in the process lost the immobilizer chip.

The "new" key works and opens and closes the car with the remote but of course doesn't start it.

What should I do? At the dealer they want to change everything in the car.

MoisesG14 (2016-10-19)

My Forenza does not want to start, and my beeper got crushed by a Jeep and does not work, but I still have the key. Is there a 4 digit code to immobilize the alarm using the key?

MoisesG14 (2016-10-19)

Do these codes work for the Suzuki Forenza?

Lucienmuller (2016-09-21)

Hi guys... I got a question for you.
I got a 2001 Toyota Corolla 4AFE with the diagnostic plug in the engine bay. Firstly, I want to know if it's possible to swop whatever bits of the old transponder amplifier to the new one, as the old one is badly burnt. Got a used transponder amplifier from a salvage yard off a car exactly like mine. Basically what I need to know: is it possible to swop the chip/s from old to new so I can keep using my old keys, because I didn't get any keys from the new transponder amplifier. Because my engine cranks perfect but as soon as it fires up it shuts down after a second or 2. Can actually say that as soon as it must keep the idle it will kick ot

discostu956 (2016-03-07)

That's one hell of a project. Must have taken some time and problem solving to get that all worked out. Thanks for sharing

speedkar9 (2016-03-07)

Thanks, yes it did take a lot of trial and error to decode what the HEX characters mean. Of course I wouldn't have tried it on my own ECU, I had a spare one from the junkyard to do all my testing.

Dovi90 (2016-09-09)

I'm getting a write failed prompt. Any ideas why?

Dovi90 (2016-09-09)

I'm getting a write fail prompt. Any ideas why?

liquidhandwash (2016-03-08)

That is way cool.

Is it possible to clone the transponder chip in the key? I've lost a key; I was thinking of removing the chip and gluing it to the ignition ring to disable the immobilizer.

jayches (2016-07-12)

Our local automotive locksmith offered to make a Toyota "clone key" for $80 each on the spot; it's a special key with a unique programming procedure. He didn't recommend them though. Our only (valet) key was totally worn away, as was the lock cylinder. I bought a replacement cylinder, only to discover I couldn't program a new master key from the valet key. One of the "there I fixed it" suggestions I got was to saw off the valet key and duct tape it next to the head of the new key, not bothering to program the transponder of the new key into the immobilizer, which would require following these instructions, as we did today with great success ;-)

speedkar9 (2016-04-09)

Yes, you can glue the chip to the ring, but it would defeat the purpose of an immobilizer, making your car easier to steal.

I don't think you can clone a Toyota key, but I've read Hondas can be cloned.

speedkar9 (2016-03-08)

I don't think it's as easy to clone an RFID chip. They're made to have unique HEX values. Yes, you can glue it to the ignition ring (essentially what they have to do to install a remote start) to disable the immobilizer. Or simply order a new key off eBay and program it to work with your car as the spare.

Of course, it is a security feature, so without the immo, anyone can hotwire and run with your car.

prolocksmithmelbourne (2016-06-16)

I love this one

azam49 (2016-03-12)

I became a fan of you and just wanna talk to you

speedkar9 (2016-03-14)

Thank you

tinaciousz (2016-03-11)

Really cool! I like your video.

speedkar9 (2016-03-14)

Thanks

ThomasK19 (2016-03-08)

Wow, cool! Are you sure Toyota won't sue you for that? xD

speedkar9 (2016-03-08)

Thanks. What will they sue for? Locksmiths virginize the ECUs all the time as a business. This is the first time I figured out how to do it myself at home...

ThomasK19 (2016-03-09)

It was more or less kidding :-) Revealing those techniques is a need. Safety is always relative. Sometimes a note "Dangerous Dog" will repel burglars. In other cases the best lock won't help. But in both cases the user should know what threat the lock mechanism will have.

But sometimes the lock inventors have a strange attitude in a way that they don't like others to show the methods they used. Many think that obfuscation is a good means of bringing security. Again, it's a relative security.
