Introduction:
This thread will be an attempt to distill the work that I've done to understand the immobilizer circuit in my 2005 OBXT.
My initial goal was to "clone" the ECM so that I could run either my stock ECM, or a JDM ECM which has the necessary hardware to run dual AVCS which my engine swap will require.
As I got deeper into it, I got more interested in actually understanding the entire system, and I'm well on my way.
You can read all of the discovery in my engine swap thread, from post 39, until about post 73. Of course, the actual findings will be documented here.
Organization of this thread:
The first five posts will contain the latest information about what I have discovered. They will be organized as such:
- This post, an introduction and overview
- Details about the ECM
- Details about the BIU
- Details about the Combination Meter
- Placeholder for TBD content
I will regularly post new replies indicating an update, or just for discussion (please provide feedback, and ask questions!). However, the first 5 responses will always be the canonical, and up-to-date "truth" as discovered by my work.
Immobilizer system design and operation:
In order to effectively manipulate the immobilizer system, it's important to understand how it is designed and how it operates.
While actual details of the inner workings are hard to find, the factory service manual provides a fairly detailed, though high level, description of the system.
From this, we learn that the BIU, the ECM, and the Combination Meter (gauge cluster) are all used in authenticating a transponder key. This is why when any one of these computers is changed, the key registration process must be completed, since the three systems will no longer be synchronized.
There are two communication channels between the BIU and the ECM: a high-speed (500Kbps) CAN network, and a dedicated immobilizer line.
There is one communication channel between the BIU and the Combination Meter: a low-speed (125Kbps) CAN network.
This is also shown in the factory service manual.
Answered Questions:
- How to clone the ECM EEPROM?
- How to clone the BIU EEPROM?
- Rough data organization of the BIU EEPROM.
Remaining Unanswered Questions:
- How to clone the combination meter EEPROM?
- What size (in bytes) is a key code?
- How can a new key code be added?
- Are the key codes encrypted in some way?
- Is there a "shared secret" which is used between all three computers when authenticating a key? An encryption key perhaps?
- What protocol is the dedicated immobilizer line between the ECM and BIU?
- How can a transponder key be "read" to get its unique code?
- Where is the key count stored in the ECM EEPROM?
- Where would a 4th key code be stored in the ECM EEPROM?
- What low speed CAN message(s) are sent from the BIU to the combination meter?
- What dedicated message is sent from the BIU to the ECM?
- What additional high speed CAN message(s) are sent from the BIU to the ECM?
- What is the exact data organization of the BIU EEPROM?
- Is it possible to enable/disable the immobilizer check in the BIU?
- Is it possible to enable/disable OBD-II Mode 9 responses from a JDM ECU?
- What command sequence does the SSM tool use to perform the key programming ritual?
- What is the order of operations for validating a key?
- Does it occur on keysense, on ignition on?
- Which computer does the BIU validate with first, the Combination Meter, or the ECM?
- Does the ECM validation happen over the dedicated immo communication line(s) as well as high speed CAN?
Common Tools:
In the process of reverse engineering this system, I used several tools, with varying effectiveness.
EEPROM Programming tools:
Reveltronics REVELPROG-IS.
This can read and write the BIU and ECM EEPROMs with proper settings. However, it cannot read or write the ECM EEPROM in system; it must be desoldered from the board for this programmer to access it.
Adafruit FT232H
This can read and write the ECM EEPROM, both in system, and when it is desoldered from the ECM.
It can probably be made to read and write the BIU EEPROM, but I'm still working on code that properly supports this.
SOIC8 IC Test Clip
Not a programmer, per se, but a necessary tool for reading and programming the EEPROM chips without desoldering them from the computer(s) they reside in.
The above link will likely die, and isn't the definitive source for shopping for such things. What you're looking for is something that looks like this.