DIY: Immobilizer Hacking for Lost Keys or Swapped ECU

451,199

236

51

Introduction: DIY: Immobilizer Hacking for Lost Keys or Swapped ECU

DIY: Immobilizer
Hacking for Lost Keys or Swapped ECU

Here's how to reprogram your car's engine immobilizer to program new keys in the invent of lost keys or a swapped ECU.

DIY Video:

Disclaimer:

The engine immobilizer is a security device. Use the information provided here in a legal and appropriate manner.

Introduction:

Modern Toyota and Lexus vehicles use a key with an embedded RFID chip as an
added means of theft prevention. The key is read by the computer and if it matches, it will enable all systems to start the car. If the key does not match, the car will only crank but not start.

This engine immobilizer system presents a barrier to many owners when it comes time to swap out a bad ECU, or if you’ve lost all the master keys and can't program new keys.

While taking the car to a dealership or locksmith is an option, it could get expensive because you are at their mercy. What follows is a cheaper method you can do yourself to “virginize” your ECU to accept new keys.

Step 1: Overview of the Immobilizer System

Here’s an overview on how the immobilizer system works on older Toyota and Lexus vehicles.

When you insert the key, a coil near the ignition ring picks up the RFID signal from your key and sends it to an amplifier. The amplifier then decrypts it and sends it to the ECU. Inside the ECU is a 93C56 EEPROM chip (IC900) that stores the key values. If the key code matches the stored values, the engine will start.

On newer Toyota and Lexus vehicles, the transponder ECU is a separate unit and it’s housed under the dashboard.

The reason for separating the Transponder ECU with the EEPROM storing the keys is that in the invent of lost keys, it would be cheaper for a dealership to replace the Transponder ECU than the Engine Control Unit. However its location under the dash means you will have to remove the entire dash pad. The procedure for reprogramming is similar, however you will have to short two wires on the OBDII port to perform a hand-shaking procedure between the ECUs to program new keys.

Step 2: The Hardware

Here’s what the immobilizer system components look like.

Here’s a closer look inside the transponder amplifier.

To demonstrate the immobilizer reprogram, I’ll be swapping
ECU’s on my 1999 Toyota Solara with one from a 2001. Therefore my current keys won’t match what is in the new ECU.

Step 3: Open the ECU

To be safe, pull the battery so you don’t cause any harm when unplugging the ECU.

In most cars the ECU is located behind the glove box.

Here’s the ECU behind the glove box. It’s got 5 electrical connectors on it and is held in by two 10 mm nuts on the brackets.

When you open up the ECU, we’re going to be looking for IC900.

It’s a 93C56 EEPROM chip, surface mounted with 8 pins.

Step 4: Programming Hardware

This is where you need to get a programmer to connect the chip to your PC. You can either buy a USB programmer from eBay or make your own to communicate to the serial port. In my case, I made my own, using this EEPROM circuit.

The components required are fairly basic, three 4.7K ohm resistors, three 5V zener diodes, and a computer with a serial port. To connect the 8-pin EEPROM chip to the computer you'll either have to solder hook-up wires to the pins or get a Test Clip for onboard programming.

Note: This is the same circuit for programming the odometer’s EEPROM:

https://www.instructables.com/id/Odometer-Reprogram...

Using a test clip helped a lot during prototyping.

However the clip doesn’t have a good grip on the SMD chip so I chose to solder wires directly to the leads of the chip.

If you do have problems reading and writing from the chip, you have to short the crystal on the board.

Here’s the setup, with the computer connected to the ECU via the EEPROM circuit on a prototype breadboard.

Step 5: Reading From the EEPROM

PonyProg, a free serial device programmer was the software used to read information from the serial port and "dump" the EEPROM's contents. First go to setup under options.

Select SI Prog I/O, COM 1 and then press Probe to check that the reader is communicating to the software.

Then select the device as 93C56 MicroWire EEPROM.

Click Read Device to dump the EEPROM’s contents.

The content should appear as an array of HEX characters. Each key has a unique 8 digit HEX code. There are also bits to indicate key count, enable programming mode and valet lockout.

Step 6: Immobilizer HEX Dump Decoding

Here’s a breakdown of an EEPROM dump. After a lot of experimentation, it was observed that there are three distinct keys. Each key is an 8 digit HEX value, repeated three times. It is split across two groups of four, but there is symmetry in their positioning within the dump.

With 8 digits and 16 HEX characters, there are 4.2 billion different key combinations.

Looking on the right side of the EEPROM dump, there are three noteworthy HEX clusters.

The Valet Lockout should be kept as is, FB DF 5A 69. Erasing this will only allow you to program one Valet key, and then you’re stuck.

The virginize keys are values that are “10” in the original dump but must be changed to “00” to tell the computer to go into auto-programming mode.

The Key counter is a number count, in inverse HEX, of how many keys are currently stored in the ECU. This must be zeroed as well.

Here’s a look-up table to invert HEX. It’s pretty much 0 to F and F to 0 backward.

Step 7: Write the Virgin Dump to the EEPROM Chip

All other characters in the EEPROM dump must be changed to 00 to “virginize” the chip. In PonyProg, to do this, click Edit Buffer Enabled.

Then click on any HEX character to edit that bit.

Everything is zeroed (except for FB DF 5A 69), and you have your virgin dump.

You can then write to the chip.

And then proceed to replace the ECU back in the car.

Step 8: Key Programming

Key Programming:

When reconnected to the car, the ECU will be in auto-programming mode and will accept new keys as per the procedure below:

1. Briefly insert any key into ignition lock cylinder and remove immediately. The security light should illuminate and remain on.

2. Insert the first transponder key into ignition lock cylinder for registration DO NOT TURN ON. The Security light may blink indicating it has accepted the key. After 3-5 seconds remove the first key from the ignition. Security light should remain on indicating you're still in programming mode.

3. Insert the second transponder key into ignition lock cylinder for registration DO NOT TURN ON. The Security light may blink indicating it has accepted the key. After 3-5 seconds remove the second key from ignition. Security light should remain on indicating you're still in programming mode.

4. Insert third transponder key into ignition lock cylinder for registration DO NOT TURN ON. After security light goes off remove third key from ignition. The security light should extinguish and then commence to blink regularly.

5. Wait 30 seconds for the programming cycle and programming mode to close.

The first two keys are internally (inside the ECU) designated as MASTER keys and the 3rd key inserted will be internally designated as the VALET key.

As a test, when you insert a MASTER key, the security light
should stop blinking right away. If you insert a VALET key, the security light will remain solid for 2 seconds and then go out. If the security light does not stop blinking, that key is not programmed to the car.

Step 9: Conclusion and Reference Material

Compatibility

This procedure should work on many Toyota and Lexus vehicles from the 1990's to early 2000's. Newer Toyota/Lexus/Scion cars have a separate transponder ECU under the dashboard instead of having the EEPROM store key info in the ECU. The procedure is similar, though a hand-shaking procedure must be performed between the Transponder ECU and Engine Control Unit before key programming by shorting two wires on the OBDII port for 30 minutes.

Reference material:

http://qcwo.com/technicaldomain/working-with-immob...

http://www.spyderchat.com/forums/showthread.php?44...

http://www.locksmithcharley.com/toyotapostflash.pd...

ToyotaNation DIY Writeup:

http://www.toyotanation.com/forum/103-3rd-4th-gene...

Full PDF download of the procedure:

https://mega.nz/#!q8ojjSoQ

2 People Made This Project!

Recommendations

  • Plywood Challenge

    Plywood Challenge
  • Plastic Contest

    Plastic Contest
  • Battery Powered Contest

    Battery Powered Contest

51 Discussions

0
Fr33spirit3d
Fr33spirit3d

Tip 7 months ago

You could also just desolder the EEPROM chip from original ECM and the new one then solder the old one onto the new board.

Since you're already desoldering the chip it'd be much quicker and easier to just switch out the chip with the one thats already programmed to work with your key.

The IC# on the board could be diff than the one in this instructional. You could try googling: "EEPROM chip location on (your ECMs part number)" and might find a picture online pointing out which chip it is on your circuit board.

0
discostu956
discostu956

4 years ago

That's one hell of a project. Must have taken some time and problem solving to get that all worked out. Thanks for sharing

0
speedkar9
speedkar9

Reply 4 years ago

Thanks, yes it did take a lot of trial and error to decode what the HEX characters mean. Of course I wouldn't have tried it on my own ECU, I had a spare one from the junkyard to do all my testing.

0
GarrettD17
GarrettD17

Reply 8 months ago

I lost my jeys to my 2009 chevy equinox so if i go get another ecu out of a wrecked on and use the keys out the wrecked one by just putting the chip in the new key i had made will it work

0
Dovi90
Dovi90

Reply 4 years ago

Im getting a write failed prompt any ideas why.

0
Dovi90
Dovi90

Reply 4 years ago

I getting a write fail prompt any ideas why

3
Caro081
Caro081

1 year ago

I have a 05 cadillac cts with a crank no start issue locksmith told me that the transponder in the steering wheel column is burnt out. My question is can i just shut the anti theft off all together if so how thank you in advance

0
karenbarredo152
karenbarredo152

Question 1 year ago on Introduction

Can this be done to my 2012CacAmSpyderrtse5 ,I am in jam.i have been evected and lost keys but my bike is going to get towed it's apple ready

0
OldeM
OldeM

1 year ago

This was a lifesaver. It worked like a charm once some issues were sorted. I was on windows 7 so the first problem was to resolve a driver signing issue for DlportIO.dll and DlportIO.sys. There is a solution here:
https://vdocuments.mx/amp/how-to-run-ponyprog2000-...
After that, I was still having write errors. I tried shorting the 3 clock crystals on the board, but that didn't help. As it turned out, it was actually getting a read error during the error checking of the write cycle. The problem I has was that I was running with the case off the PC and my wires were picking of noise. I had them strewn across the PC. So once I pit the cover on and routed the wires cleanly, it read and wrote OK.
Soldering to the IC is difficult and should be done with a good soldering tip and a magnifier glass. I wouldn't recommend this to most. Someone suggested having a repair shop swap the chip for you, and that seems like a good idea.
It won't work to erase the chip as that writes FF, not 00 to all memory. That is why you have to program a new chip.
Mine had 00 00 00 BF for the valet lockout code. I kept it, but still wonder what would happen if I had zeroed out the B4. I followed the advice of the intractable in this regard and it worked.
I had 2 keys and a dummy key that I used for the 3rd but it's not cut and I don't know if it's the right kind of key.
The two I bought on eBay and they shipped from China and arrived on schedule a couple weeks later.
I hope other people are appreciating this hack as much as I did. What are you going to do when you lose your keys? This is a vital workaround for a big shortcoming in those great old Toyotas.

0
Schmoe_Joe
Schmoe_Joe

1 year ago

FWIW, I was unsuccessful in on-board reading or programming (1999 Toyota 4Runner), ended up desoldering the chip to get this to work. This was true for 2 different ECM units, and 3 total times (bought a test unit, then virginized it for resale after making sure my original was working well). This may very well be due to the fact that I didn't have anything with native RS-232 and was trying to make it work through an adapter.

For others in this same boat, desoldering the chip and using the EZP2010 programmer ($20) on Common 93c56 (16bit) works just fine. If you're unwilling to do the soldering, then buy some 93c56 blank chips, program them and then walk the board and new chip into a cell/tablet/laptop repair business and ask them to swap the chip. Shouldn't be much more than $20 for a simple component swap.

0
Mabasa
Mabasa

Question 1 year ago on Step 9

I lost my keys for my MPV , all the technicians here in Botswana are failing to program a new key , any suggestions anyone? please help

0
MaxwellC15
MaxwellC15

Question 1 year ago on Step 3

I don't have an IC900 chip on my ECU. The only four 8 pin chips I have are IC403, IC402, IC203, and IC51

0
AllenS59
AllenS59

4 years ago

Would it be easier just to solder a new chip into the board?

0
Bettiwise2018
Bettiwise2018

Reply 1 year ago

Hi. My 2002 GTI VW is immobilized and I only have ignition key, lost fob with chip. Do you know how I can bypass immobilizer? You sounded knowledgeable in your response so I'm asking you. Can we use a resistor on 2002 GTI? Our number is 747-529-5090

0
speedkar9
speedkar9

Reply 4 years ago

Yes but you still would have to program it.

2
JohariA4
JohariA4

Question 1 year ago on Step 3

May I ask.... That 8 pins Immobilizer chip. Is there a way clone it? I plan to make a spare ECU for my car. Which in this case... I'm planning to have 2 different ECU for my car. 1 ecu as backup ready to be swapped incase I brick my ecu. I had my ecu brick on last aug18, It took me months to get it sorted. After few attempt with incorrect person.... Finally I got it done by someone really far away from my country. That is why I want to have spare ecu. Btw my car is 2012 Legacy GT EJ25 Turbo 5EAT tranny with keyless immobiliser.

IMG_20181206_171951.jpgIMG-20181001-WA0041.jpgIMG-20181001-WA0031.jpg