Introduction: DIY: Immobilizer Hacking for Lost Keys or Swapped ECU
Here's how to reprogram your car's engine immobilizer to program new keys in the event of lost keys or a swapped ECU.
The engine immobilizer is a security device. Use the information provided here in a legal and appropriate manner.
Modern Toyota and Lexus vehicles use a key with an embedded RFID chip as an added means of theft prevention. The key is read by the computer and if it matches, it will enable all systems to start the car. If the key does not match, the car will only crank but not start.
This engine immobilizer system presents a barrier to many owners when it comes time to swap out a bad ECU, or if you’ve lost all the master keys and can't program new keys.
While taking the car to a dealership or locksmith is an option, it could get expensive because you are at their mercy. What follows is a cheaper method you can do yourself to “virginize” your ECU to accept new keys.
Step 1: Overview of the Immobilizer System
Here’s an overview on how the immobilizer system works on older Toyota and Lexus vehicles.
When you insert the key, a coil near the ignition ring picks up the RFID signal from your key and sends it to an amplifier. The amplifier then decrypts it and sends it to the ECU. Inside the ECU is a 93C56 EEPROM chip (IC900) that stores the key values. If the key code matches the stored values, the engine will start.
On newer Toyota and Lexus vehicles, the transponder ECU is a separate unit and it’s housed under the dashboard.
The reason for separating the Transponder ECU, with the EEPROM storing the keys, is that in the event of lost keys it would be cheaper for a dealership to replace the Transponder ECU than the Engine Control Unit. However, its location under the dash means you will have to remove the entire dash pad. The procedure for reprogramming is similar, but you will have to short two wires on the OBDII port to perform a hand-shaking procedure between the ECUs to program new keys.
Step 2: The Hardware
Here’s what the immobilizer system components look like.
Here’s a closer look inside the transponder amplifier.
To demonstrate the immobilizer reprogram, I’ll be swapping ECUs on my 1999 Toyota Solara with one from a 2001. Therefore my current keys won’t match what is in the new ECU.
Step 3: Open the ECU
To be safe, pull the battery so you don’t cause any harm when unplugging the ECU.
In most cars the ECU is located behind the glove box.
Here’s the ECU behind the glove box. It’s got 5 electrical connectors on it and is held in by two 10 mm nuts on the brackets.
When you open up the ECU, we’re going to be looking for IC900.
It’s a 93C56 EEPROM chip, surface mounted with 8 pins.
Step 4: Programming Hardware
This is where you need to get a programmer to connect the chip to your PC. You can either buy a USB programmer from eBay or make your own to communicate to the serial port. In my case, I made my own, using this EEPROM circuit.
The components required are fairly basic: three 4.7K ohm resistors, three 5V zener diodes, and a computer with a serial port. To connect the 8-pin EEPROM chip to the computer you'll either have to solder hook-up wires to the pins or get a Test Clip for onboard programming.
Note: This is the same circuit for programming the odometer’s EEPROM:
Using a test clip helped a lot during prototyping.
However the clip doesn’t have a good grip on the SMD chip so I chose to solder wires directly to the leads of the chip.
If you do have problems reading and writing from the chip, you have to short the crystal on the board.
Here’s the setup, with the computer connected to the ECU via the EEPROM circuit on a prototype breadboard.
Step 5: Reading From the EEPROM
PonyProg, a free serial device programmer, was the software used to read information from the serial port and "dump" the EEPROM's contents. First go to Setup under Options.
Select SI Prog I/O, COM 1 and then press Probe to check that the reader is communicating to the software.
Then select the device as 93C56 MicroWire EEPROM.
Click Read Device to dump the EEPROM’s contents.
The content should appear as an array of HEX characters. Each key has a unique 8 digit HEX code. There are also bits to indicate key count, enable programming mode and valet lockout.
Step 6: Immobilizer HEX Dump Decoding
Here’s a breakdown of an EEPROM dump. After a lot of experimentation, it was observed that there are three distinct keys. Each key is an 8 digit HEX value, repeated three times. It is split across two groups of four, but there is symmetry in their positioning within the dump.
With 8 digits and 16 HEX characters, there are 4.2 billion different key combinations.
Looking on the right side of the EEPROM dump, there are three noteworthy HEX clusters.
The Valet Lockout should be kept as is, FB DF 5A 69. Erasing this will only allow you to program one Valet key, and then you’re stuck.
The virginize keys are values that are “10” in the original dump but must be changed to “00” to tell the computer to go into auto-programming mode.
The Key counter is a number count, in inverse HEX, of how many keys are currently stored in the ECU. This must be zeroed as well.
Here’s a look-up table to invert HEX. It’s pretty much 0 to F and F to 0 backward.
Step 7: Write the Virgin Dump to the EEPROM Chip
All other characters in the EEPROM dump must be changed to 00 to “virginize” the chip. In PonyProg, to do this, click Edit Buffer Enabled.
Then click on any HEX character to edit that bit.
Everything is zeroed (except for FB DF 5A 69), and you have your virgin dump.
You can then write to the chip.
And then proceed to replace the ECU back in the car.
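The end state this step describes can be checked mechanically. The following is an added example, not code from the original write-up: it classifies a 256-byte 93C56 dump as erased, virgin or still programmed, and compares repeated reads so a noisy read is caught before the buffer is trusted. The sample dumps, their offsets and the function names are constructed for illustration; only the FB DF 5A 69 cluster comes from the article.

```python
# Added example: inspect a 93C56 immobilizer dump held in memory.
EEPROM_SIZE = 256                           # 93C56 is 2 Kbit = 256 bytes
VALET_LOCKOUT = bytes.fromhex("FBDF5A69")   # cluster the article says to keep

def reads_agree(reads):
    """True only if two or more reads of the chip are byte-identical."""
    return len(reads) >= 2 and all(r == reads[0] for r in reads)

def classify(dump, valet=VALET_LOCKOUT):
    """Return 'bad-size', 'erased', 'virgin' or 'programmed' for a dump."""
    dump = bytes(dump)
    if len(dump) != EEPROM_SIZE:
        return "bad-size"                   # truncated read or wrong device
    if dump.count(0xFF) == EEPROM_SIZE:
        return "erased"                     # blank part reads FF, not 00
    pos = dump.find(valet)
    if pos >= 0:
        rest = dump[:pos] + dump[pos + len(valet):]
        if not any(rest):
            return "virgin"                 # all 00 except the valet cluster
    return "programmed"                     # key data or other residue present

def residue(dump, valet=VALET_LOCKOUT):
    """Offsets of non-zero bytes outside the valet cluster."""
    dump = bytes(dump)
    pos = dump.find(valet)
    skip = range(pos, pos + len(valet)) if pos >= 0 else range(0)
    return [i for i, b in enumerate(dump) if b and i not in skip]

# Constructed sample data: offsets and key bytes are invented for the demo.
virgin = bytearray(EEPROM_SIZE)
virgin[0x2C:0x30] = VALET_LOCKOUT
programmed = bytearray(virgin)
programmed[0x04:0x08] = bytes.fromhex("1A2B3C4D")   # stand-in for a stored key
programmed[0x20] = 0x10                             # stand-in for a mode flag
noisy = bytearray(virgin)
noisy[0x90] ^= 0x01                                 # one flipped bit from a bad read

if __name__ == "__main__":
    for name, d in [("virgin", virgin), ("programmed", programmed),
                    ("erased", b"\xff" * EEPROM_SIZE), ("short", bytes(128))]:
        print(name, classify(d), residue(d)[:8])
    print("reads agree:", reads_agree([virgin, virgin]),
          reads_agree([virgin, noisy]))
```

A dump that classifies as "virgin" on an ECU of unknown history indicates its immobilizer memory has been reset; `residue` lists the offsets that keep a buffer from matching that state.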
Step 8: Key Programming
When reconnected to the car, the ECU will be in auto-programming mode and will accept new keys as per the procedure below:
1. Briefly insert any key into ignition lock cylinder and remove immediately. The security light should illuminate and remain on.
2. Insert the first transponder key into ignition lock cylinder for registration. DO NOT TURN ON. The security light may blink, indicating it has accepted the key. After 3-5 seconds remove the first key from the ignition. Security light should remain on, indicating you're still in programming mode.
3. Insert the second transponder key into ignition lock cylinder for registration. DO NOT TURN ON. The security light may blink, indicating it has accepted the key. After 3-5 seconds remove the second key from ignition. Security light should remain on, indicating you're still in programming mode.
4. Insert third transponder key into ignition lock cylinder for registration. DO NOT TURN ON. After security light goes off remove third key from ignition. The security light should extinguish and then commence to blink regularly.
5. Wait 30 seconds for the programming cycle and programming mode to close.
The first two keys are internally (inside the ECU) designated as MASTER keys and the 3rd key inserted will be internally designated as the VALET key.
As a test, when you insert a MASTER key, the security light should stop blinking right away. If you insert a VALET key, the security light will remain solid for 2 seconds and then go out. If the security light does not stop blinking, that key is not programmed to the car.
Step 9: Conclusion and Reference Material
This procedure should work on many Toyota and Lexus vehicles from the 1990's to early 2000's. Newer Toyota/Lexus/Scion cars have a separate transponder ECU under the dashboard instead of having the EEPROM store key info in the ECU. The procedure is similar, though a hand-shaking procedure must be performed between the Transponder ECU and Engine Control Unit before key programming by shorting two wires on the OBDII port for 30 minutes.
ToyotaNation DIY Writeup:
Full PDF download of the procedure:
Question 11 days ago on Step 5
So does this dump file used in instructions work for a 93lc66b chip or can I get the file from someone or some it seems to be giving me no start
Question 7 weeks ago on Step 2
How do you bypass the immobilizer on a 2002 VW Jetta? Is it the same way as what is shown?
Question 4 months ago
Good day. I own a 2008 keyless entry Mark X. I purchased the car used with one key. I have lost the key but I am having trouble getting a new key programmed. The locksmith managed to open the car door, delete the old key and reset the ECU; however, he is unable to add the new key to the car. Their system is not gaining access to the car; the error is that the communication failed. What could be the issue? I have tried 3 locksmiths since and none of their systems can connect with the car.
Question 8 months ago on Step 3
Will it work for mercedes c230 sport w203 ? I have lost all keys
Question 10 months ago on Introduction
Is it the same process on a Mazda 3 or would the codes be different
Question 1 year ago
Hello, good morning, I need help to virginize the immobilizer of my car, well that's what they told me to do but I don't know if it is really the solution. since my 2 remote fobik keys discharged the batteries and I tried to turn it on before changing the batteries and it did not turn on or the dashboard, it is a 2013 dodge challenger sxt and when I open my ecu to look for the 8 pin ic 900 there is only one and it is ic 400 the others are more than 8 pins. If anyone can help me or knows any other procedure I would appreciate your generous help, thank you.
Question 1 year ago on Step 1
Does anyone know what chip it would be on the Nissan 5ze15p eco?
7 years ago
That's one hell of a project. Must have taken some time and problem solving to get that all worked out. Thanks for sharing
Reply 1 year ago
Can anyone tell me what I did wrong? I installed a steering column, with new switch and key. I put the old immobilizer and old key fob on the column. Pop a lock can't program my 03 Honda Odyssey. How can I get the key programmed?
Reply 7 years ago
Thanks, yes it did take a lot of trial and error to decode what the HEX characters mean. Of course I wouldn't have tried it on my own ECU, I had a spare one from the junkyard to do all my testing.
Reply 3 years ago
I lost my keys to my 2009 Chevy Equinox, so if I go get another ECU out of a wrecked one and use the keys out of the wrecked one by just putting the chip in the new key I had made, will it work?
Reply 6 years ago
I'm getting a write failed prompt, any ideas why?
Reply 6 years ago
I'm getting a write fail prompt, any ideas why?
Tip 2 years ago
You could also just desolder the EEPROM chip from original ECM and the new one then solder the old one onto the new board.
Since you're already desoldering the chip it'd be much quicker and easier to just switch out the chip with the one that's already programmed to work with your key.
The IC# on the board could be diff than the one in this instructional. You could try googling: "EEPROM chip location on (your ECMs part number)" and might find a picture online pointing out which chip it is on your circuit board.
3 years ago
I have an 05 Cadillac CTS with a crank no start issue. Locksmith told me that the transponder in the steering wheel column is burnt out. My question is, can I just shut the anti-theft off altogether? If so, how? Thank you in advance.
Question 3 years ago on Introduction
Can this be done to my 2012CacAmSpyderrtse5? I am in a jam. I have been evicted and lost keys but my bike is going to get towed it's apple ready
3 years ago
This was a lifesaver. It worked like a charm once some issues were sorted. I was on windows 7 so the first problem was to resolve a driver signing issue for DlportIO.dll and DlportIO.sys. There is a solution here:
After that, I was still having write errors. I tried shorting the 3 clock crystals on the board, but that didn't help. As it turned out, it was actually getting a read error during the error checking of the write cycle. The problem I had was that I was running with the case off the PC and my wires were picking up noise. I had them strewn across the PC. So once I put the cover on and routed the wires cleanly, it read and wrote OK.
Soldering to the IC is difficult and should be done with a good soldering tip and a magnifier glass. I wouldn't recommend this to most. Someone suggested having a repair shop swap the chip for you, and that seems like a good idea.
It won't work to erase the chip as that writes FF, not 00 to all memory. That is why you have to program a new chip.
Mine had 00 00 00 BF for the valet lockout code. I kept it, but still wonder what would happen if I had zeroed out the B4. I followed the advice of the Instructable in this regard and it worked.
I had 2 keys and a dummy key that I used for the 3rd but it's not cut and I don't know if it's the right kind of key.
The two I bought on eBay and they shipped from China and arrived on schedule a couple weeks later.
I hope other people are appreciating this hack as much as I did. What are you going to do when you lose your keys? This is a vital workaround for a big shortcoming in those great old Toyotas.
3 years ago
FWIW, I was unsuccessful in on-board reading or programming (1999 Toyota 4Runner), ended up desoldering the chip to get this to work. This was true for 2 different ECM units, and 3 total times (bought a test unit, then virginized it for resale after making sure my original was working well). This may very well be due to the fact that I didn't have anything with native RS-232 and was trying to make it work through an adapter.
For others in this same boat, desoldering the chip and using the EZP2010 programmer ($20) on Common 93c56 (16bit) works just fine. If you're unwilling to do the soldering, then buy some 93c56 blank chips, program them and then walk the board and new chip into a cell/tablet/laptop repair business and ask them to swap the chip. Shouldn't be much more than $20 for a simple component swap.