Ecu Unlocking

Rob Turbo

I'm looking for somewhere to have my V6 ECU unlocked. I've found a couple of places and the cheapest I can find is £95 IIRC.

I'm sure I read somewhere on here that someone had a GTI-6 ECU unlocked by someone on eBay for about £60, but I can't find the post anymore and can't find anything on eBay. Anyone know who it was by any chance, or know anyone that can do it?

I'm looking at getting the Peugeot Planet diagnostic kit soon. Would I be able to hook that up to the ECU and remove the code, or would the ECU need to be in a car with the diagnostic port wired up properly?

All Praise The GTI

I was about to say a guy got his done for about £60 on eBay (I was gutted after that guy took mine and reckoned he'd done it and charged me £125 :lol: )

Thought I'd bookmarked his page but obviously not, sorry mate.

djinuk

I also need a GTI-6 ECU to be unlocked, so also interested.

M@tt

Surely there must be some electronics whizz who could "clone" a working ECU chip then just flash any other locked ones. I might see if I can put a post up on the local uni electronic engineering dept board to see if there are any techies that could work out how to do it. Just bung them a couple of quid and voila!!

pug_ham

I've got a locked & (hopefully tomorrow) an unlocked GTi-6 ECU so I'm going to do some testing & see if I can find a way around the locked ECU with a few fresh wires soldered on the PCB to overcome the lock.

Gaham.

jackherer

I've got an unlocked ECU from a keypad Xantia V6, would that be any use? I've not considered selling it but if it's what you need PM me.

Richie-Van-GTi

I have a coded and uncoded pair of ECUs. I intend to open them both up side by side, see which components differ and if they can be bypassed :blush: , although they are not for a V6. May give valuable secrets away though.

M@tt

So how does the locking/unlocking mechanism work with regards to keypad/key/transponder/ECU?

Do some use a keypad solely to send a lock/unlock signal whereas others use the transponder attached to the ignition barrel & key to send the lock/unlock code? Or is it a combination of both?

dch1950
So how does the locking/unlocking mechanism work with regards to keypad/key/transponder/ECU?

Do some use a keypad solely to send a lock/unlock signal whereas others use the transponder attached to the ignition barrel & key to send the lock/unlock code? Or is it a combination of both?

Hi Matt,

Not sure what the "unlock" entails but if you know the chip type then that, coupled with a decent PROM burner and the appropriate mods to source, flashing a new one should not be difficult.

regards

Dave.

McDude

Usually when one unlocks an ECU it is nothing physical that is changing - as dch1950 suggests there is a 'protected area' on the EEPROM that needs to be flashed over. It is not physically protected, more that this area of the memory is not touched during a regular reflash. Legitimately only Bosch should have the tools to access the PA - not even Pug will have access.

Of course the non-legitimate side of the world should have tools to hack it.

sonofsam

I've opened up my unlocked keypadded 2.0T ECU and I noticed that a chip was taped to the inside of the case.

This would make sense as the person I spoke to who carried out the work said he had to buffer out the original security chip and replace with another. The one chip taped up might have been the original removed?!

M@tt

Can you see if the one on the board looks like it's been resoldered back onto the board?

dch1950
Usually when one unlocks an ECU it is nothing physical that is changing - as dch1950 suggests there is a 'protected area' on the EEPROM that needs to be flashed over. It is not physically protected, more that this area of the memory is not touched during a regular reflash. Legitimately only Bosch should have the tools to access the PA - not even Pug will have access.

Of course the non-legitimate side of the world should have tools to hack it.

Give me a memory map and I can rule the world. We think alike McDude.

Dave.

Rob Turbo

Well I've now got (waiting for it to be delivered) the Peugeot and Citroen diagnostic equipment. Looking at the wiring diagrams for the V6, pins 13, 43 and 55 go to the diagnostic connector on pins 3, 7 and 15, so if I find these wires in my loom and connect them straight to the diagnostic cable, what are the chances of it accessing the ECU, or is it likely to not work until it's connected to everything else?

dch1950

This is interesting.

We seem to have an ECU code and a keypad (possibly) code. ECU overrides, which is logical. Given that the ECU has a basic set of common software loaded plus model specific parameters then only so many variants of a 4 digit (hex) code are possible if it's based on a checksum type calculation (MD5 being a typical example). Otherwise the code is a random 4 digits stored in the chip and burned in at production time. If it's the first type then given the .bin files for one or two ECUs it should be possible to work out the checksum algorithm. If it's type 2 then just reading the .bin file and searching for the known activation code or its 2's complement in the burner memory will enable a "zero edit", i.e. a code of all ones.

This seems a bit tricky but I'm certain the encryption/encoding is not that complicated. That is to say it isn't PGP level.

regards

Dave

M@tt

Dave,

Am I being too simplistic in my thought that it would be possible to read the complete memory off the "unlocked" chip to a bin file and then simply blow it onto a "locked" chip?

Richie-Van-GTi

Dave, I see your logic but many keypad Pugs were sold with the default factory code of 1111 which you were advised to change on purchase. This in my opinion would rule out a simple checksum.

What would be interesting is if someone could monitor the signals sent by the keypad. My guess is they are timed length signals or broken morse-like signals that the ECU interprets binary style. This being the case surely someone could master a way of replication on a high speed scale to unlock an ECU through repetitive attempts? Or is it a case of 3 strikes and you're out?

dch1950
Dave, I see your logic but many keypad Pugs were sold with the default factory code of 1111 which you were advised to change on purchase. This in my opinion would rule out a simple checksum.

What would be interesting is if someone could monitor the signals sent by the keypad. My guess is they are timed length signals or broken morse-like signals that the ECU interprets binary style. This being the case surely someone could master a way of replication on a high speed scale to unlock an ECU through repetitive attempts? Or is it a case of 3 strikes and you're out?

Hi Richie,

I was just bouncing ideas around. When I programmed microcontrollers (many years ago) I used to be quite devious over these startup/verification systems so I may well be complicating things. I need to get some more info on the chip so that I can pull the technical reference manual to see what the architecture is.

A default code which you can modify (optionally) is encouraging as there must be a work area of CMOS RAM that update routines are loaded to when the ECU powers up, i.e. the flash code is contained in the ECU and loaded to scratch RAM to give you that option. It can therefore be either bypassed or modded when the re-flash takes place. This looks like a job for a PC-based emulator (I used to use one for the Intel 8051 along with an X-assembler and a debug program).

The initial sus of the system will require access to equipment like this, but once done mass reproduction would be easy - a good burner and a supply of blank chips.

Most keypads are not sophisticated and will just X-mit the individual codes (probably just a scan code, as per your PC keyboard); this will be ASCII via RS232 link.

I will spend a bit more time looking at the PDF file provided to gather more info.

And no Matt, you are right - provided the ECU is the one you want.

regards

Dave.

jackherer
This being the case surely someone could master a way of replication on a high speed scale to unlock an ECU through repetitive attempts? Or is it a case of 3 strikes and you're out?

The keypad immobilisers lock you out for increasing periods of time after a few wrong attempts, like a lot of coded car stereos.
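
The escalating lockout described in the post above, sketched as an added example (not part of the thread and not taken from any Peugeot or Bosch firmware). The attempt threshold, the 60 s starting delay, the doubling and the one-hour cap are all assumed values chosen for illustration.

```c
#include <stdint.h>

/* Assumed policy, not taken from the thread or any real immobiliser:
 * 3 wrong codes are free, then the wait starts at 60 s and doubles
 * with every further wrong code, capped at one hour. */
#define FREE_ATTEMPTS  3u
#define BASE_LOCKOUT_S 60u
#define MAX_LOCKOUT_S  3600u

typedef enum { KP_UNLOCKED, KP_WRONG, KP_LOCKED_OUT } kp_result;

typedef struct {
    uint32_t failures;     /* consecutive wrong codes; keep in non-volatile
                              memory so a power cycle does not reset it */
    uint64_t locked_until; /* time in seconds before which input is ignored */
} keypad_state;

/* Lockout imposed after the given number of consecutive failures. */
static uint32_t lockout_for(uint32_t failures) {
    if (failures < FREE_ATTEMPTS) return 0;
    uint32_t doublings = failures - FREE_ATTEMPTS;
    if (doublings >= 6) return MAX_LOCKOUT_S; /* 60 << 6 already exceeds cap */
    return BASE_LOCKOUT_S << doublings;
}

/* One keypad entry at time `now`. During a lockout the code is not even
 * compared, so a correct entry gains nothing until the wait is over. */
kp_result keypad_try(keypad_state *st, uint64_t now,
                     uint16_t entered, uint16_t stored) {
    if (now < st->locked_until) return KP_LOCKED_OUT;
    if (entered == stored) { st->failures = 0; return KP_UNLOCKED; }
    st->failures++;
    st->locked_until = now + lockout_for(st->failures);
    return KP_WRONG;
}

/* Seconds needed to enter `codes` wrong codes, each one typed the instant
 * the previous lockout expires (the fastest any sequence of tries can go). */
uint64_t seconds_to_try_all(uint32_t codes) {
    keypad_state st = {0, 0};
    uint64_t now = 0;
    for (uint32_t guess = 0; guess < codes; guess++) {
        now = st.locked_until;
        keypad_try(&st, now, (uint16_t)guess, 0xFFFF); /* never matches */
    }
    return now;
}
```

With these assumed numbers, entering all 10,000 four-digit codes takes 35,971,380 s, a little over 416 days, so the lockout rather than the code length is what makes repeated attempts impractical.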

M@tt

So does anyone possess the suitable hardware/software for reading the information off/on the necessary chips?

Guest SordFish

Just noticed this thread, thought I'd add my 2p.

When I was an auto electrician this was brought up a lot.

There's software available that can remove or "decode" the ECU EEPROM to allow the car to run without the immobiliser.

I've been looking into how to do this so once I've got the equipment (not cheap B) ) I may be able to offer it.

Rob Turbo

In Peugeot Planet there's an option to "download". I'm not sure exactly what it means, I haven't had it connected to an ECU yet, but if it will download the EEPROM to a bin file, where can I get the software to decode the immobiliser key?
