Ecu Unlocking

[Rob Turbo 3]

Don't you need the dongle for that software to work?

[M@tt 77]

you do to read the ecu to get the bin file but i thought your bit of software/diagnosis thing might be able to do the same thing, might be worth a go

[rich_gti6 0]

There's no way 'bypass' the ECU's internal immobiliser.

 

To unlock it, the normal solution is to flash the EEPROM which contains the immboliser data with blank data [i.e. all F's in HEX I think]. Then you cut the pins internally which carry the tansponder or keypad signal into the ECU.

 

Basically what normally happens is the ECU receives a code from the transponder or keypad when you try to start the car. If the code matches the one stored in the ECU it will start. Programming a 'blank' code, then cutting the pins leaves the ECU in a permanently unlocked state. There's no code there for it to compare, and it won't receive a 'lock' code [this is sent when you switch the engine off] from the transponder as you've cut the pins.

 

The chip storing the immobiliser data is not generally the same chip that contains the main maps. It's likely to be smaller package.

 

I wouldn't bother trying to do it yourself, just pay the going rate.

 

 

[Rob Turbo 3]

Just a thought, the trick for locked stereos, where you freeze it then you can put any code you want in, what are the chances of this working with an ecu? Not really bothered about the actual code from the transponder, it's the security key that I'm bothered about, once I have that for my ecu I can do what I want with the immobiliser through peugeot planet, the security key is available from peugeot for around £38, but you need to give them your vin number, which I don't have because I never had the car!

[dch1950 37 1 Cars]

Hi all,

I'm gradually getting a feeling for this Immobiliser business the more notes/suggestions there are.

So far we have this.

1) A PUG keypad ECU comes new with a code of 1111. in memory this is 0001 0001 0001 0001

this can be changed (once only) by over blowing with another value which is not 1.

i.e 00010 0010 0010 0010 for 2222 etc.

this tells us that the Eprom will take 0 to 1 and 1 to 0 re-programming in situ.(i.e we don't need a new blank eprom)

2) The ecu power up routines check for the existence of a non blank (FFFF) code and if it exists expects confirmation of that code in order to enable the ignition.

3) The apollo-auto software works because it knows the addresses (in the .bin file(s)) of the immobiliser codes.

Thus read eprom to .bin file. select the type of ECU - i.e the address offset in the bin file of the data we need, and then read it. You can then either run with that one,change it or Disable it (set it to FFFF) and burn a new prom.Although this may not be neccessary. see earlier remark..

4) A lot of the ECU's seem to use Motorola cpu's. A nice assembler language, that I am very familiar with.Of course PC's use Intel assembler. Well known and documented.

To summarise, dongle based software is a pain, and indicates to me that the actual program can't be that complicated in doing what it does. Over blowing with FFFF will probably disable the immobiliser so it's the offsets of the relevant data we need.(hence my post about link maps to McDude)

5) Where did I leave my copy of Symbolic Debug ?

regards

Dave.

[M@tt 77]

i've got a serial EEPROM reader/writer somewhere that i bought years back to make mod chips for playstations, i'll dig it out and see if i can get an adapter to read the appropriate chips.

 

All you'd need to do then is read an "unlocked" ECU chip, blow it to these new chips and send these to people to replace the chips on their board with.

[Rob Turbo 3]

Well, tomorrow a lad with a 406 v6 is coming to let me have a go at unlocking my ecu on his car, I'm going to put my transponder chip into his key so I don't have to pull his car to bits, I'm going to plug my laptop into his car when I try it so I can check for fault codes etc. while I do it. Fingers crossed I'll be able to get it unlocked.

 

I have a card reader/writer that I used for ondigital cards many moons ago, now covered in dust in a box!! It has a socket of a chip of some description, so my have the equipment to read the eeprom once it's unlocked, if that will be of any use to anyone?

[dch1950 37 1 Cars]

Well, tomorrow a lad with a 406 v6 is coming to let me have a go at unlocking my ecu on his car, I'm going to put my transponder chip into his key so I don't have to pull his car to bits, I'm going to plug my laptop into his car when I try it so I can check for fault codes etc. while I do it. Fingers crossed I'll be able to get it unlocked.

 

I have a card reader/writer that I used for ondigital cards many moons ago, now covered in dust in a box!! It has a socket of a chip of some description, so my have the equipment to read the eeprom once it's unlocked, if that will be of any use to anyone?

Hi Rob,

I have got together the technical data sheets for the various ECU's cited in the apollo-auto software in order to determine how many chip types we would need to support. Appollo suggest 2 convertors so hopefully that will be all that is needed.

Which of the types is the 406 V6? could you let me know.That is to say micro controller or just an eeprom. What exactly are you going to try?I need to get access to the .bin files to see exactly how they process the on-board code. I also have access to an IDE suite which will let me program the 93XX66 series of eeproms. It is coming together slowly.

Dave.

[Rob Turbo 3]

The 406 v6 uses bosch motronic mp 7.0 if that's any help? If not, I've got the ecu here with me and I can open it up and let you know what's inside.

[Guest SordFish]

I've managed to get hold of a few programs that claim they can kill the immobiliser on Pug/Citroen ecus but It looks like MP 7.0 can't be done by software yet.

It would be interesting to see what comparing the locked and unlocked bin would prove.

Only thing I can think of as a problem is different firmware versions not using the same address for the immobiliser, or it could be random address for each ecu.

 

Im going to try and get hold of a few ecus and have a try with my willem and see if I can can get an ecu to run decoded on the bench

[dch1950 37 1 Cars]

I've managed to get hold of a few programs that claim they can kill the immobiliser on Pug/Citroen ecus but It looks like MP 7.0 can't be done by software yet.

It would be interesting to see what comparing the locked and unlocked bin would prove.

Only thing I can think of as a problem is different firmware versions not using the same address for the immobiliser, or it could be random address for each ecu.

 

Im going to try and get hold of a few ecus and have a try with my willem and see if I can can get an ecu to run decoded on the bench

Hi mate,

yes I'd already thought of the address thing, but from the tech sheets i've read so far the ram and eeprom sections have base registers which are set up when the ECU is configured (so that they fit in the appropriate address range of a particular ECU).These can only be set to so many values as the ECU software system doesn't occupy that many proms (of a given size and hence address range). Data is usually kept at low address bases as well. I've got a nice little program called Ollybug which can let me look at windows applications for error tracing purposes ,of course. Interestingly by looking at the .exe header of the so called diagnostic software you will get details of the data segments and thus details of where the various ECU's need to be looked at to get the data.(I've only just thought of that as I was typing!)

regards

Dave.

[dch1950 37 1 Cars]

Hi all,

I've run up the Peu_cit program to have a look at it's internals. It does not read the relevant hardware itself, it assumes you have the .bin file on your PC. You can then select the ECU data source (the address offset problem already mentioned)

and it will then read the current 4 digit code for you.You can the opt to change it (in the bin file you have on your PC) or disable it (I think this will be an FFFF overwrite of the appropriate code location).Once that has been done you can download the bin file to your burner (attached to a serial port of the PC - Com1 or 2).Once downloaded you can "burn" the new file.

The 7.0 version of the ECU is not modifiable as the write protection/enable register for the the chip has been disabled. This is effectively a fuseable link which when it's blown write protects the eeprom. To get round this a new chip would have to be burnt.(as opposed to re-using the old one)

Flog on

Dave.

[M@tt 77]

dave when you say that the 7.0 version of the ECU is not modifiable then how do you change the pin code to something other than factor? or are you saying it's not possible and it would be the protection method for cars where there is no keypad and it's purely based on the key/transponder for protection

[dch1950 37 1 Cars]

No Matt,

Somebody mentioned that the 7.0 ECU couldn't be changed/modified using software and I was trying to see(for my own interest) how that was achieved.

Dave

[Rob Turbo 3]

On my ecu (MP 7.0 with a transponder) the code isn't the actual key, it's an access code that doesn't change, this code is supplied on a card with the car from new, if lost it can be replaced for about £40, but you need the vin number of the car (which I don't have), once you have this code, you can use peugeot planet to access the immobiliser settings, for example to add or remove keys from the "allowed" list, I'm not sure if there's an option to dissable the immobiliser through peugeot planet, or if you can only add/remove keys.

 

I still haven't managed to get my ecu connected to my laptop through peugeot planet either, I can't find out which pins go where on the diagnostic connector, so even if I did have this code it would be no good to me (yet, anyway!)

[dch1950 37 1 Cars]

On my ecu (MP 7.0 with a transponder) the code isn't the actual key, it's an access code that doesn't change, this code is supplied on a card with the car from new, if lost it can be replaced for about £40, but you need the vin number of the car (which I don't have), once you have this code, you can use peugeot planet to access the immobiliser settings, for example to add or remove keys from the "allowed" list, I'm not sure if there's an option to dissable the immobiliser through peugeot planet, or if you can only add/remove keys.

 

I still haven't managed to get my ecu connected to my laptop through peugeot planet either, I can't find out which pins go where on the diagnostic connector, so even if I did have this code it would be no good to me (yet, anyway!)

Hi Rob,

this is the password protected ECU then. I wondered which one it was. This bit of code (to verify the password) will be the section that is in the protected part of the ECU memory. The protection register disables both read and write operations thus you can't get at the password, and hence you can't get into the normal code/data section.(bugger) to read/modify the key codes. Interestingly enough there see to be a number of Croatian lads who are also interested in this ECU does it contain mileage figures as well? (or should I be posh and say "odometer"). They seem to be looking at connection via the diagnostic plug as well. Will see if anything useful can be borrowed from them. Dobrah Dan.

Dave.

[Rob Turbo 3]

I have heard that it contains the mileage, along with the clocks, and apparently something else, then the clocks display the highest figure if any of them differ. In peugeot planet, where you go to access the immobilizer, it comes up with a box to enter the access code, when I had it connected to my dad's 306 diesel I didn't have the code so I just put in 1111, it obviously told me the code was wrong, then waited for me to enter the code again. Do you know if there's any limit on the amount of incorrect codes it will allow before it completely locks you out? If it will let you do it as much as you want, would it be possible to write a program that will just keep trying codes until it gets it right? There's only 4 digits, although it does contain letters as well as numbers, so there's a lot of possible combinations for it to go through.

 

Would it help you figure something out if you had a copy of peugeot planet? You wouldn't be able to use it to access an ecu unless you have the peugeot interface, which isn't cheap, but it might throw up some clues?

 

I've got an unlocked ecu on it's way to me (or it will be on it's way soon), so the locked one I have can be used for testing purposes!

[Rob Turbo 3]

Has anyone seen THIS? I know it's for renault but it does say it works with MP 7.0.

[dch1950 37 1 Cars]

it's a con.

Why? - croc clips, 2 leds ! You have to be able to read/display and then modify the eeprom. I honestly don't see how you can do that with this equipment.

Dave.

[Goliath 94]

Rob, where did you find that would unlock your v6 ecu for £95? I have had a quote of £158 from ECU clinic.

 

p.s. If you type 'ECU unlocking' into google this thread is the 3rd result!

[Rob Turbo 3]

It was someone on ebay, just had a look for them and can't find them anymore.

 

I'll have a dig through my old emails to see if I can find their username because I know I sent them a question through ebay to check they could unlock my ecu and they said they could.

[nick9one1 2]

Im not sure if this is really relevant but i have an mp5.1.1 from an xantia 16v that ive used in my 205. The supplier told me he didnt know if the ecu was locked but I feared the worst anyway. upon fitting the engine and ecu, turning the key did nothing (as far as i can tell) except turn over the engine. e.g the fuel pump didnt prime.

So i sent it off to someone to get unlocked (cant remember where now) anyway it ended up taking a bit longer than expected because the guy told me the eeprom was faulty but said he had replaced it at no extra cost.

on getting the ecu back it did exactly the same (no prime) and after looking at the wiring diagram i determined that on turning the key the ecu should earth a pin on the double relay. which it didnt.

so i simply earthed that wire and it started. then I went on to supplying the whole relay with a switched 12v so it didnt drain the battery.

 

could it be as simple as the ecu not grounding a pin when its immobilised? so that the fuel pump and spark plugs dont do anything?

[mhyphenl 10 1 Cars]

Anyone got peugeot plant software??

[wracing 19]

i can unlock anything thats got a eprom i have the full version of winols, i would offer to help you guys out but ive just broken my rom burner, as soon as ive got a new one ill start doing it again for say £10 for rev limiter unlock £10 for password removal

 

im having trouble getting a good burner there are not many on the market.

[[L'e$kro] 2]

i can unlock anything thats got a eprom i have the full version of winols, i would offer to help you guys out but ive just broken my rom burner, as soon as ive got a new one ill start doing it again for say £10 for rev limiter unlock £10 for password removal

 

im having trouble getting a good burner there are not many on the market.

 

Sorry for bringing this thread back on earth

Wracing what you are saying interests me quite much

 

I quite like doing things by myself

I'd like to be able to unlock my gti-6 ECU and I also'd like to be able to extract the eeprom content to modify it, then burn it back

Any suggestions on what piece of hardware I should be looking for?

 

Thank you!

 

Nicolas