MB1 (Author), posted March 9, 2021:

27 minutes ago, Skezza said:
> Did you send your locked out ECU to a service? Or buy an already IMMO OFF ECU? I'll be getting down to business with Matt's this week. I'll document the process for reference. Once you've got your SKC, adapting new keys is trivially easy. I've done it on Audi A4s. Believe it or not, this whole process is easier on Audis of the same era because their ECUs are less secure. The separate IMMO boxes in these Lupos are a nightmare.

There's a guy down the road from me who disabled the immo on my existing ECU. Dropped it in 5pm yesterday, had it in the car again by lunchtime today. Had no idea he did this sort of thing or I'd have gone to him first! Really interested in your write up of the process too. Is getting the SKC something I can do myself with a VAGCOM/similar cable?

Skezza, posted March 9, 2021:

6 minutes ago, MB1 said:
> There's a guy down the road from me who disabled the immo on my existing ECU. Dropped it in 5pm yesterday, had it in the car again by lunchtime today. Had no idea he did this sort of thing or I'd have gone to him first! Really interested in your write up of the process too. Is getting the SKC something I can do myself with a VAGCOM/similar cable?

On an A4... Definitely. A Lupo? No chance. Ask your mate if he noted down the SKC while doing your IMMO OFF.

MB1 (Author), posted March 9, 2021:

Will do, cheers. If not I'm sure a beer or two will help!

Skezza, posted March 9, 2021:

2 hours ago, MB1 said:
> Will do, cheers. If not I'm sure a beer or two will help!

Did you take the ECU and Immob or just the ECU? I've attached an ECU and Immo box. Specifically @mattarosa's ECU and Immo box. I intend to find a few things out from this experiment as he has kindly donated them to this research. Hopefully, fingers crossed, I can extract the SKC from the ImmoBox which would allow me to subsequently re-pair his keys to the car. The IMMO OFF appears to be an ECU configuration rather than Immo configuration, while the SKC extraction appears to be an ImmoBox thing. It would be interesting to see if it can be extracted from the ECU as well. Let the games begin.

MB1 (Author), posted March 11, 2021:

On 3/9/2021 at 6:56 PM, Skezza said:
> Did you take the ECU and Immob or just the ECU? I've attached an ECU and Immo box. Specifically @mattarosa's ECU and Immo box. I intend to find a few things out from this experiment as he has kindly donated them to this research. Hopefully, fingers crossed, I can extract the SKC from the ImmoBox which would allow me to subsequently re-pair his keys to the car. The IMMO OFF appears to be an ECU configuration rather than Immo configuration, while the SKC extraction appears to be an ImmoBox thing. It would be interesting to see if it can be extracted from the ECU as well. Let the games begin.

I handed over just the ECU. Do you have any experience/schematics of these two boards? I believe the immo off stuff was an EEPROM flash job but I'm not sure what else is on each board etc. Would be interested in understanding their config. (Sorry for quoting the images too, I'm on mobile save couldn't edit it out)

Skezza, posted March 11, 2021:

2 hours ago, MB1 said:
> I handed over just the ECU. Do you have any experience/schematics of these two boards? I believe the immo off stuff was an EEPROM flash job but I'm not sure what else is on each board etc. Would be interested in understanding their config. (Sorry for quoting the images too, I'm on mobile save couldn't edit it out)

I do. The reason I asked is because I have a sneaking suspicion you cannot obtain the SKC directly from the ECU. You can IMMO OFF the ECU, and you can obtain the SKC from the Immobilizer (then re-pair keys), but from my current understanding you cannot obtain the SKC from the ECU directly. This is the reason this system is so secure. I don't know if you can IMMO OFF and ImmoBox. I suppose that's what the emulators are trying to fool, but when me and Matt tried, we had very little luck.

MB1 (Author), posted March 11, 2021:

8 hours ago, Skezza said:
> I do. The reason I asked is because I have a sneaking suspicion you cannot obtain the SKC directly from the ECU. You can IMMO OFF the ECU, and you can obtain the SKC from the Immobilizer (then re-pair keys), but from my current understanding you cannot obtain the SKC from the ECU directly. This is the reason this system is so secure. I don't know if you can IMMO OFF and ImmoBox. I suppose that's what the emulators are trying to fool, but when me and Matt tried, we had very little luck.

That's a much better setup than I expected for this car to be honest! I believe there are two versions (Immo2 and Immo2) and I guess the one in Lupos is 3? Happy to be thoroughly corrected. I'll hold fire on anything key related for the time being until I know more!

Rich, posted March 11, 2021:

First six digits of the eeprom

mk2, posted March 11, 2021:

Where did you get the memory map from? Is the data little or big endian, and in what sequence do you read the data out? What I'd give for a full Lupo address map.... what tool do you read the data out with?

Skezza, posted March 11, 2021:

1 hour ago, Rich said:
> First six digits of the eeprom

Correct.

Skezza, posted March 11, 2021:

20 minutes ago, mk2 said:
> Where did you get the memory map from? Is the data little or big endian, and in what sequence do you read the data out? What I'd give for a full Lupo address map.... what tool do you read the data out with?

I'm going to do it with the eeprom directly

mk2, posted March 11, 2021:

How the hell does everyone else know this and I don't?! Not happy. I design this sort of stuff... Just goes to show that pros know nothing these days. SMH.

Skezza, posted March 11, 2021:

To be clear, I'm talking a big game. I've not actually done it yet.

Skezza, posted March 17, 2021:

The company I want to buy the parts off are currently closed and doing no business. So I'm slightly delayed on this. They promised me that they intend to re-open tomorrow. If no luck, I'll order from elsewhere.

mattarosa, posted March 17, 2021:

Good job you know your stuff 😂 nothing beats running repairs on a Lupo under pressure

Skezza, posted March 25, 2021:

I've potentially cracked @mattarosa's Immobilizer and extracted the PIN. What I need now is his car so I can actually try and test it. If so, we're there. We have our (relatively) easy method of getting the PIN code without need for messing around with desoldering or anything. I've tried to extract the ECU ROM as well. That appears to be a desoldering job as I'm getting a bad read every time. Although theoretically, anything with the ECU should be possible through the OBD2 port.

MB1 (Author), posted March 25, 2021:

Great progress! I've generally no idea on how these things are set up - is there encryption/hypervisor on the general code that you need to read in a decrypted form from memory at runtime etc...? Literally coming at this problem from my own angle so happy to be thoroughly corrected!

Skezza, posted March 25, 2021:

1 hour ago, MB1 said:
> Great progress! I've generally no idea on how these things are set up - is there encryption/hypervisor on the general code that you need to read in a decrypted form from memory at runtime etc...? Literally coming at this problem from my own angle so happy to be thoroughly corrected!

Not at all and the Immo chip is stable while still soldered. It's the ECU that isn't. However, the PIN is accessed from the Immo chip I believe. I will find out when he brings the car back.

Skezza, posted March 25, 2021:

I've been able to get a stable read from the ECU as well.

Skezza, posted March 25, 2021:

I've just been able to extract the PIN code from the ECU, on an Immo2 vehicle. I'll be honest.... this is kind of huge really. Aside from it blowing my theory out the water that the PIN is not held within the ECU, rather the Immo, it also potentially correlates to my previous theory that I'd been able to do this on my old Immo2 Lupo SDI. I've since sold the vehicle, and couldn't remember. Lupo GTI Immo3 next.

MB1 (Author), posted March 25, 2021:

Nice one! I'm guessing the MPI 1.0 is Immo3 right?

Skezza, posted March 25, 2021:

Ask your mate if he still has your bin file from your ECU and I reckon I can get your SKC ( @mk2 didn't you say you have one? ) and then you can fix your key issue. Just proving it off currently but until the Arosa comes back I can't. MPI doesn't really matter. Immo3 came into use on most Lupos around 2002. I will admit, none of this is for the faint hearted. There's been a few occasions I've had my phone at the ready to tell @mattarosa his ECU is bricked. Getting the code from the IMMO box isn't horribly difficult though. The ECU EEPROM feels like you're playing with fire every time you touch it. I will eventually document this stuff. All I would say is, if you own a Lupo with only one key. Get a spare cut but don't panic about getting it paired.

mk2, posted March 26, 2021:

Yeah, I can suck out the Hex data dumps from my ECUs, but naturally without any address maps I can't do much. I have two early SDIs and one late. The serial EEPROM is tougher than you think. It just doesn't like super high temps, so best to desolder pin by pin with desolder braid. Or a thermostatic hot air blower.

Rich, posted March 26, 2021:

I have a GTi ECU which doesn't want to de immob. Eeprom off and it just kinda resets itself once flashed.

Skezza, posted March 26, 2021:

43 minutes ago, mk2 said:
> Yeah, I can suck out the Hex data dumps from my ECUs, but naturally without any address maps I can't do much. I have two early SDIs and one late. The serial EEPROM is tougher than you think. It just doesn't like super high temps, so best to desolder pin by pin with desolder braid. Or a thermostatic hot air blower.

Send me an ECU dump via PM, I'll see if I can work out the code based on what my understanding is. Then you can test the code. Nothing to lose right? It's not that the EEPROM can't take it, but if you don't want to desolder then you're using clips and the EEPROM on the ECU is ever so slightly smaller than the 24c04 Immo chip which the clips fit like a glove. The clips slip very easily and if you're reading or writing at the time, that's not very clever.