Jump to content

No start and no OBD!


Recommended Posts

27 minutes ago, Skezza said:

Did you send your locked out ECU to a service? Or buy an already IMMO OFF ECU? I'll be getting down to business with Matts this week. I'll document the process for reference. 

Once you've got your SKC, adapting new keys is trivially easy. I've done it on Audi A4s. Believe it or not, this whole process is easier on Audis of the same era because their ECUs are less secure. The separate IMMO boxes in these Lupos are a nightmare.

There's a guy down the road from me who disabled the immo on my existing ECU. Dropped it in 5pm yesterday, had it in the car again by lunchtime today. Had no idea he did this sort of thing or I'd have gone to him first!

Really interested in your write up of the process too. Is getting the SKC something I can do myself with a VAGCOM/similar cable?

Link to post
Share on other sites
  • Replies 55
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

I wouldn't mess on with emulators, I would find someone clever with the vagcom and get the ECU de immob. I like changing engines in cars and this is the route I take. Less likely to bite you

Posted Images

6 minutes ago, MB1 said:

There's a guy down the road from me who disabled the immo on my existing ECU. Dropped it in 5pm yesterday, had it in the car again by lunchtime today. Had no idea he did this sort of thing or I'd have gone to him first!

Really interested in your write up of the process too. Is getting the SKC something I can do myself with a VAGCOM/similar cable?

On an A4... Definitely.

A Lupo? No chance. Ask your mate if he noted down the SKC while doing your IMMO OFF.

Link to post
Share on other sites
2 hours ago, MB1 said:

Will do, cheers. If not I'm sure a beer or two will help!

Did you take the ECU and Immob or just the ECU?

I've attached an ECU and Immo box. Specifically @mattarosa's ECU and Immo box. I intend to find a few things out from this experiment as he has kindly donated them to this research. Hopefully, fingers crossed, I can extract the SKC from the ImmoBox which would allow me to subsequently re-pair his keys to the car. 

The IMMO OFF appears to be an ECU configuration rather than Immo configuration, while the SKC extraction appears to be an ImmoBox thing. It would be interesting to see if it can be extracted from the ECU as well.

Let the games begin. 

f56842be-c1c2-46a7-a548-bae346b6ef58.jpg

739222a2-b4ba-4c48-ad0f-5939f692a47d.jpg

8ab5409b-2eab-445c-a5f9-f11460cab2aa.jpg

Link to post
Share on other sites
On 3/9/2021 at 6:56 PM, Skezza said:

Did you take the ECU and Immob or just the ECU?

I've attached an ECU and Immo box. Specifically @mattarosa's ECU and Immo box. I intend to find a few things out from this experiment as he has kindly donated them to this research. Hopefully, fingers crossed, I can extract the SKC from the ImmoBox which would allow me to subsequently re-pair his keys to the car. 

The IMMO OFF appears to be an ECU configuration rather than Immo configuration, while the SKC extraction appears to be an ImmoBox thing. It would be interesting to see if it can be extracted from the ECU as well.

Let the games begin. 

f56842be-c1c2-46a7-a548-bae346b6ef58.jpg

739222a2-b4ba-4c48-ad0f-5939f692a47d.jpg

8ab5409b-2eab-445c-a5f9-f11460cab2aa.jpg

I handed over just the ECU.

Do you have any experience/schematics of these two boards? I believe the immo off stuff was an EEPROM flash job but I'm not sure what else is on each board etc. Would be interested in understanding their config.

(Sorry for quoting the images too, I'm on mobile save couldn't edit it out)

Link to post
Share on other sites
2 hours ago, MB1 said:

I handed over just the ECU.

Do you have any experience/schematics of these two boards? I believe the immo off stuff was an EEPROM flash job but I'm not sure what else is on each board etc. Would be interested in understanding their config.

(Sorry for quoting the images too, I'm on mobile save couldn't edit it out)

I do.

The reason I asked is because I have a sneaking suspicion you cannot obtain the SKC directly from the ECU. You can IMMO OFF the ECU, and you can obtain the SKC from the Immobilizer (then re-pair keys), but from my current understanding you cannot obtain the SKC from the ECU directly. This is the reason this system is so secure. I don't know if you can IMMO OFF and ImmoBox. I suppose that's what the emulators are trying to fool, but when me and Matt tried, we had very little luck.

Link to post
Share on other sites
8 hours ago, Skezza said:

I do.

The reason I asked is because I have a sneaking suspicion you cannot obtain the SKC directly from the ECU. You can IMMO OFF the ECU, and you can obtain the SKC from the Immobilizer (then re-pair keys), but from my current understanding you cannot obtain the SKC from the ECU directly. This is the reason this system is so secure. I don't know if you can IMMO OFF and ImmoBox. I suppose that's what the emulators are trying to fool, but when me and Matt tried, we had very little luck.

That's a much better setup than I expected for this car to be honest! I believe there are two versions (Immo2 and Immo2) and I guess the one in Lupos is 3? Happy to be thoroughly corrected.

I'll hold fire on anything key related for the time being until I know more!

Link to post
Share on other sites

First six digits of the eeprom

Link to post
Share on other sites

Where did you get the memory map from? Is the data little or big endian, and in what sequence do you read the data out? What I'd give for a full Lupo address map....

what tool do you read the data out with?

Link to post
Share on other sites
1 hour ago, Rich said:

First six digits of the eeprom

Correct.

Link to post
Share on other sites
20 minutes ago, mk2 said:

Where did you get the memory map from? Is the data little or big endian, and in what sequence do you read the data out? What I'd give for a full Lupo address map....

what tool do you read the data out with?

I'm going to do it with the eeprom directly

Link to post
Share on other sites

How the hell does everyone else know this and I don't?! Not happy. I design this sort of stuff... Just goes to show that pros know nothing these days. SMH.

Link to post
Share on other sites

To be clear, I'm talking a big game. I've not actually done it yet. 

Link to post
Share on other sites

The company i want to buy the parts off are currently closed and doing no business. So I'm slightly delayed on this. They promised me that they intend to re-open tomorrow. If no luck, I'll order from elsewhere.

Link to post
Share on other sites

I've potentially cracked @mattarosa's Immobilizer and extracted the PIN. What I need now is his car so I can actually try and test it. If so, we're there. We have our (relatively) easy method of getting the PIN code without need for messing around with desoldering or anything.

I've tried to extract the ECU ROM as well. That appears to be a desoldering job as I'm getting a bad read everytime. Although theoretically, anything with the ECU should be possible through the OBD2 port.

Link to post
Share on other sites

Great progress! I've generally no idea on how these things are set up - is there encryption/hypervisor on the general code that you need to read in a decrypted form from memory at runtime etc...? Literally coming at this problem from my own angle so happy to be thoroughly corrected!

Link to post
Share on other sites
1 hour ago, MB1 said:

Great progress! I've generally no idea on how these things are set up - is there encryption/hypervisor on the general code that you need to read in a decrypted form from memory at runtime etc...? Literally coming at this problem from my own angle so happy to be thoroughly corrected!

Not at all and the Immo chip is stable while still soldered. It's the ECU that isn't. However, the PIN is accessed from the Immo chip I believe.

I will find out when he brings the car back.

Link to post
Share on other sites

I've been able to get a stable read from the ECU as well. 

Link to post
Share on other sites

I've just been able to extract the PIN code from the ECU, on an Immo2 vehicle.

I'll be honest.... this is kind of huge really. Aside from it blowing my theory out the water that the PIN is not held within the ECU, rather the Immo, it also potentially correlates to my previous theory that I'd been able to do this on my old Immo2 Lupo SDI. I've since sold the vehicle, and couldn't remember. Lupo GTI Immo3 next.

Link to post
Share on other sites

Ask your mate if he still has your bin file from your ECU and I reckon I can get your SKC ( @mk2 didn't you say you have one? ) and then you can fix your key issue. Just proving it off currently but until the Arosa comes back I can't.

MPI doesn't really matter. Immo3 came into use on most Lupos around 2002. 

I will admit, none of this is for the feint hearted. There's been a few occasions I've had my phone at the ready to tell @mattarosa his ECU is bricked. Getting the code from the IMMO box isn't horribly difficult though. 

The ECU EEPROM feels like you're playing with fire every time you touch it.

I will eventually document this stuff. All I would say is, if you own a Lupo with only one key. Get a spare cut but don't panic about getting it paired. 

Link to post
Share on other sites

Yeah, I can suck out the Hex data dumps from my ECUs, but naturally without any address maps I can't do much. I have two early SDIs and one late.

The serial EEPROM is tougher than you think. It just doesn't like super high temps, so best to desolder pin by pin with desolder braid. Or a thermostatic hot air blower.

Link to post
Share on other sites

I have a GTi ECU which doesn't want to de immob.

Eeprom off and it just kinda resets itself once flashed.

Link to post
Share on other sites
43 minutes ago, mk2 said:

Yeah, I can suck out the Hex data dumps from my ECUs, but naturally without any address maps I can't do much. I have two early SDIs and one late.

The serial EEPROM is tougher than you think. It just doesn't like super high temps, so best to desolder pin by pin with desolder braid. Or a thermostatic hot air blower.

Send me an ECU dump via PM, I'll see if I can work out the code based on what my understanding is. Then you can test the code. Nothing to lose right?

It's not that the EEPROM can't take it, but if you don't want to desolder then you're using clips and the EEPROM on the ECU is ever so slightly smaller than the 24c04 Immo chip which the clips fit like a glove. The clips slip very easily and if you're reading or writing at the time, that's not very clever.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.