101 - 120 of 206 Posts
Update (better late than never), got this working and the car runs again with the donor ECU! I think I just changed the "start" address in order to write the EEPROM in 4 512-bit chunks... but I don't quite remember.

But, I came looking for this thread to share what might be another resource (maybe easier?!) for programming: a terminal software called PonyProg. It seems to natively allow read/write of i2c EEPROM chips, including the 93* family.
Learned about it from this fellow's video, which is a similar reprogramming process for a Toyota Camry/Solara:
 
Well I finally got back to this, and I thought I was making some headway until I tried to write the new info to the BIU eeprom

Code:
The content written to the EEPROM was not the same as the content of the supplied file after writing.

File:
00000000  ff ff 0b 85 ff ff 0b 85  ff ff 0b 85 85 ff bf f7  |................|
00000010  ff ff 85 ff bf f7 ff ff  ff 00 ff ff ff ff ff ff  |................|
00000020  00 ff 00 16 e9 0b 24 32  ff ff 00 7f ca 50 84 c2  |......$2.....P..|
00000030  7f fc a2 65 17 a7 1c 5a  39 22 5a ff ff ff 15 4c  |...e...Z9"Z....L|
00000040  ff 00 ff ff ff ff ff ff  00 ff 00 16 e9 0b 24 32  |..............$2|
00000050  ff ff 00 7f ca 50 84 c2  7f fc a2 65 17 a7 1c 5a  |.....P.....e...Z|
00000060  39 22 5a ff ff ff 15 4c  a3 1d 7b ac ff b7 ff 8a  |9"Z....L..{.....|
00000070  85 ff ff a9 a3 1d 7b ac  ff b7 ff 8a 85 ff ff a9  |......{.........|
00000080  80 81 82 83 84 85 86 87  88 89 8a 8b 8c 8d 8e 8f  |................|
00000090  90 91 92 93 94 95 96 97  98 99 9a 9b 9c 9d 9e 9f  |................|
000000a0  a0 a1 a2 a3 a4 a5 a6 a7  a8 a9 aa ab ac ad ae af  |................|
000000b0  b0 b1 b2 b3 b4 b5 b6 b7  b8 b9 ba bb bc bd be bf  |................|
000000c0  ff 00 ff ff ff ff ff ff  00 ff 00 16 e9 0b 24 32  |..............$2|
000000d0  ff ff 00 7f ca 50 84 c2  3f fc a2 65 17 a7 1c 5a  |.....P..?..e...Z|
000000e0  39 22 5a ff ff ff 15 0c  a3 1d 7b ac ff b7 ff 8a  |9"Z.......{.....|
000000f0  85 ff ff a9 a3 1d 7b ac  ff b7 ff 8a 85 ff ff a9  |......{.........|


EEPROM Content:
00000000  80 81 82 83 84 85 86 87  88 89 8a 8b 8c 8d 8e 8f  |................|
00000010  90 91 92 93 94 95 96 97  98 99 9a 9b 9c 9d 9e 9f  |................|
00000020  a0 a1 a2 a3 a4 a5 a6 a7  a8 a9 aa ab ac ad ae af  |................|
00000030  b0 b1 b2 b3 b4 b5 b6 b7  b8 b9 ba bb bc bd be bf  |................|
00000040  ff 00 ff ff ff ff ff ff  00 ff 00 16 e9 0b 24 32  |..............$2|
00000050  ff ff 00 7f ca 50 84 c2  3f fc a2 65 17 a7 1c 5a  |.....P..?..e...Z|
00000060  39 22 5a ff ff ff 15 0c  a3 1d 7b ac ff b7 ff 8a  |9"Z.......{.....|
00000070  85 ff ff a9 a3 1d 7b ac  ff b7 ff 8a 85 ff ff a9  |......{.........|
00000080  80 81 82 83 84 85 86 87  88 89 8a 8b 8c 8d 8e 8f  |................|
00000090  90 91 92 93 94 95 96 97  98 99 9a 9b 9c 9d 9e 9f  |................|
000000a0  a0 a1 a2 a3 a4 a5 a6 a7  a8 a9 aa ab ac ad ae af  |................|
000000b0  b0 b1 b2 b3 b4 b5 b6 b7  b8 b9 ba bb bc bd be bf  |................|
000000c0  ff 00 ff ff ff ff ff ff  00 ff 00 16 e9 0b 24 32  |..............$2|
000000d0  ff ff 00 7f ca 50 84 c2  3f fc a2 65 17 a7 1c 5a  |.....P..?..e...Z|
000000e0  39 22 5a ff ff ff 15 0c  a3 1d 7b ac ff b7 ff 8a  |9"Z.......{.....|
000000f0  85 ff ff a9 a3 1d 7b ac  ff b7 ff 8a 85 ff ff a9  |......{.........|
Looks like the first 4 lines are just counting up from 80 to bf??

EDIT: Just tried with my ch341a instead of Ryan's arduino code and it's doing the same thing :|
 
Quote:
Looks like the first 4 lines are just counting up from 80 to bf??
So it's only writing the first 16 bytes, the rest stays the same. The counting looks like it could be a default behavior, or (if it were me) like I'd left some test case running in the code.
What tools (hw & sw) are you using beside the ch341a? What's the model of the BIU EEPROM?
And, did you succeed in writing any other EEPROM with the same setup / code yet, or is this the only one you're working on?
 
No it's writing the rest successfully, the new key codes I put in are being written. It's just the first 64 bytes that are failing.

I've used an Arduino Uno, nano, a ch341a, Ryan's custom software, the ch341 programming software, two different laptops and two different BIUs and they all do exactly the same thing.

I successfully wrote to the microwire eeprom on the ECM with Ryan's software and the same hardware.

It's quite strange
 
Quote:
No it's writing the rest successfully, the new key codes I put in are being written. It's just the first 64 bytes that are failing.

I've used an Arduino Uno, nano, a ch341a, Ryan's custom software, the ch341 programming software, two different laptops and two different BIUs and they all do exactly the same thing.

I successfully wrote to the microwire eeprom on the ECM with Ryan's software and the same hardware.

It's quite strange
Oh, strange indeed! (I'd interpreted that backwards, and yes *64b not 16b).

Could you try writing zeroes or ones to the whole EEPROM, and see if that works, or if you get the sequentials in the beginning again? Or, only write half the length of desired data, for same sort of test?
 
I think I might've figured it out... When you look at the code I'm trying to program, that 80,81,82 etc sequence appears at address 80. I believe this chip is a 128kb chip not like the 256kb chip on the ECM, so the script filled the rest of the dump with garbage and then began repeating again, so when it tried to program the chip again, it overflowed and that was the result. I chopped the dump in half, and it programmed successfully. I'll go see if the car runs shortly!

I couldn't find the keycodes in either of the cluster eeproms, just in the ECM and BIU. I have a new cluster, ECM, biu but my old keys, so I'm hoping that by cloning the keycodes to the new ECM and BIU and using all 3 units, my car will work again :|

UPDATE: No, it doesn't work. I think I'm right on the flashing the wrong size thing though. I wiped the chip, plugged it in and I get an ERR IU on the cluster, I flashed it with the original bin I pulled again and I don't get an error just a security light. However, when I change the key codes to match the ones I entered into the ECM eeprom, I get the ERR IU again. So there must be a checksum or something. I really hope I'm not going to have to haul this scow to the dealer to get it fixed, it's an hour and a half away....
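The write-verify failure posted earlier in this thread (a 256-byte file written, the read-back starting with the file's second half and then mirroring) is exactly what a programmer does when the image is larger than the chip: the address wraps, so the tail of the image overwrites its head, and reading 256 bytes from a 128-byte part returns two copies. The script below is an added example, not code from the thread or from Ryan's tools; it takes the two dumps posted above, models that wrap-around (the assumption being that the programmer writes sequentially and the chip ignores the extra address bit), finds the device size that reproduces the read-back, and shows the verify that should have been done after truncating the image. The list of candidate sizes is an assumption covering common small Microwire parts.

```python
"""Added example: diagnose an EEPROM write-verify mismatch caused by an image
larger than the device. The two dumps are the ones posted in the thread."""
import re

# hexdump -C style dump of the 256-byte file that was written (from the thread)
FILE_DUMP = """\
00000000  ff ff 0b 85 ff ff 0b 85  ff ff 0b 85 85 ff bf f7  |................|
00000010  ff ff 85 ff bf f7 ff ff  ff 00 ff ff ff ff ff ff  |................|
00000020  00 ff 00 16 e9 0b 24 32  ff ff 00 7f ca 50 84 c2  |......$2.....P..|
00000030  7f fc a2 65 17 a7 1c 5a  39 22 5a ff ff ff 15 4c  |...e...Z9"Z....L|
00000040  ff 00 ff ff ff ff ff ff  00 ff 00 16 e9 0b 24 32  |..............$2|
00000050  ff ff 00 7f ca 50 84 c2  7f fc a2 65 17 a7 1c 5a  |.....P.....e...Z|
00000060  39 22 5a ff ff ff 15 4c  a3 1d 7b ac ff b7 ff 8a  |9"Z....L..{.....|
00000070  85 ff ff a9 a3 1d 7b ac  ff b7 ff 8a 85 ff ff a9  |......{.........|
00000080  80 81 82 83 84 85 86 87  88 89 8a 8b 8c 8d 8e 8f  |................|
00000090  90 91 92 93 94 95 96 97  98 99 9a 9b 9c 9d 9e 9f  |................|
000000a0  a0 a1 a2 a3 a4 a5 a6 a7  a8 a9 aa ab ac ad ae af  |................|
000000b0  b0 b1 b2 b3 b4 b5 b6 b7  b8 b9 ba bb bc bd be bf  |................|
000000c0  ff 00 ff ff ff ff ff ff  00 ff 00 16 e9 0b 24 32  |..............$2|
000000d0  ff ff 00 7f ca 50 84 c2  3f fc a2 65 17 a7 1c 5a  |.....P..?..e...Z|
000000e0  39 22 5a ff ff ff 15 0c  a3 1d 7b ac ff b7 ff 8a  |9"Z.......{.....|
000000f0  85 ff ff a9 a3 1d 7b ac  ff b7 ff 8a 85 ff ff a9  |......{.........|
"""

# what the programmer read back from the chip afterwards (from the thread)
EEPROM_DUMP = """\
00000000  80 81 82 83 84 85 86 87  88 89 8a 8b 8c 8d 8e 8f  |................|
00000010  90 91 92 93 94 95 96 97  98 99 9a 9b 9c 9d 9e 9f  |................|
00000020  a0 a1 a2 a3 a4 a5 a6 a7  a8 a9 aa ab ac ad ae af  |................|
00000030  b0 b1 b2 b3 b4 b5 b6 b7  b8 b9 ba bb bc bd be bf  |................|
00000040  ff 00 ff ff ff ff ff ff  00 ff 00 16 e9 0b 24 32  |..............$2|
00000050  ff ff 00 7f ca 50 84 c2  3f fc a2 65 17 a7 1c 5a  |.....P..?..e...Z|
00000060  39 22 5a ff ff ff 15 0c  a3 1d 7b ac ff b7 ff 8a  |9"Z.......{.....|
00000070  85 ff ff a9 a3 1d 7b ac  ff b7 ff 8a 85 ff ff a9  |......{.........|
00000080  80 81 82 83 84 85 86 87  88 89 8a 8b 8c 8d 8e 8f  |................|
00000090  90 91 92 93 94 95 96 97  98 99 9a 9b 9c 9d 9e 9f  |................|
000000a0  a0 a1 a2 a3 a4 a5 a6 a7  a8 a9 aa ab ac ad ae af  |................|
000000b0  b0 b1 b2 b3 b4 b5 b6 b7  b8 b9 ba bb bc bd be bf  |................|
000000c0  ff 00 ff ff ff ff ff ff  00 ff 00 16 e9 0b 24 32  |..............$2|
000000d0  ff ff 00 7f ca 50 84 c2  3f fc a2 65 17 a7 1c 5a  |.....P..?..e...Z|
000000e0  39 22 5a ff ff ff 15 0c  a3 1d 7b ac ff b7 ff 8a  |9"Z.......{.....|
000000f0  85 ff ff a9 a3 1d 7b ac  ff b7 ff 8a 85 ff ff a9  |......{.........|
"""

# offset column, the hex bytes, then the '|' that opens the ASCII gutter
HEXDUMP_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+)+)\|")


def parse_hexdump(text):
    """Turn hexdump -C lines into bytes, honouring the offset column so gaps
    (or a '*' repeat marker) cannot silently shift later data."""
    buf = bytearray()
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line)
        if not m:
            continue  # headings, blank lines, '*' markers
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if len(buf) < offset + len(chunk):
            buf.extend(b"\xff" * (offset + len(chunk) - len(buf)))  # erased state
        buf[offset:offset + len(chunk)] = chunk
    return bytes(buf)


def write_with_wrap(image, device_size):
    """Model (assumption): sequential write into a device_size-byte part; an
    address past the end wraps to 0, so the image's tail overwrites its head."""
    dev = bytearray(b"\xff" * device_size)
    for i, b in enumerate(image):
        dev[i % device_size] = b
    return bytes(dev)


def read_with_wrap(device, length):
    """Reading past the end of a small device returns mirrored copies."""
    return bytes(device[i % len(device)] for i in range(length))


def explain_mismatch(image, readback, candidates=(64, 128, 256, 512)):
    """Return the device size whose wrap model reproduces the read-back byte
    for byte, or None if no candidate size explains it."""
    for size in candidates:
        if read_with_wrap(write_with_wrap(image, size), len(readback)) == readback:
            return size
    return None


def verify_write(image, device_size):
    """Corrected procedure: cut the image to the device size, write it, read
    back the same length and compare. True means a clean verify."""
    img = image[:device_size]
    return read_with_wrap(write_with_wrap(img, device_size), device_size) == img


if __name__ == "__main__":
    image, readback = parse_hexdump(FILE_DUMP), parse_hexdump(EEPROM_DUMP)
    print("read-back explained by device size:", explain_mismatch(image, readback))
    print("verify after truncating to 128 bytes:", verify_write(image, 128))
```

The parser keys on the offset column rather than line order, which is the safer way to read a dump that has been pasted through a forum: a dropped or duplicated row then shows up as a length or content mismatch instead of shifting every later byte. Running it against the posted dumps reports that a 128-byte device reproduces the read-back exactly, which matches the poster's finding that halving the file made the write succeed.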
 
Looks like this is going to take some tinkering, if it's possible at all. I'm trying to set up the 3 components on a workbench so I can try different ROMs more easily.

I saw Ryan had this set up. I've got the cluster powered up but just gives me a high-speed canbus error on the odometer. Anyone know exactly what needs to be connected for the immobilizer system to work?

I've got power to the cluster, biu and ECM, two wires from the ECM to biu, two from the biu to cluster, the security light wire and the key switch wire attached so far...
 
Quote:
I couldn't find the keycodes in either of the cluster eeproms, just in the ECM and BIU. I have a new cluster, ECM, biu but my old keys, so I'm hoping that by cloning the keycodes to the new ECM and BIU and using all 3 units, my car will work again :|

UPDATE: No, it doesn't work.
You changed the VIN as well as key codes, right?
What's your project again? Many posts back, you were replacing just the ECU. Are you now doing a full swap of some sort, or did the damage go further?
 
Yea VIN changed too, I'm not sure if that makes a difference?

Basically I drowned the ECU, the immobilizer quit on me, so I tried to reflash it, botched it. Got a matching BIU, Cluster and ECM from a wrecker but couldn't get a key. So I'm trying to clone my key codes over from my old BIU which wasn't damaged. All to save myself a tow and a dealer reprogramming bill :LOL:

And also because I love a good puzzle
 
Ahh, that's quite the adventure so far!
Was the wrecker's an exact P/N match? Or just from the same year, or otherwise an interchange match? There might be larger or smaller memory on a different model.
 
I'm confident I've solved the issue of the memory being the incorrect size, it's flashing properly now.

The only problem I'm having now is trying to program the new units to recognize my keys. I think there must be some sort of checksum or hash that goes along with the key codes.

I don't suppose you have a memory dump from your biu and ECM you'd be willing to share?

The other remaining option is getting a knockoff factory programmer and programming the key myself, but that requires that I get a programming code from a dealership.

If this was my only vehicle I'd probably have gotten it towed by now but it's just my camping rig so I have time to tinker
 
I think I've managed to frustrate myself enough to put this back on pause, at least for a few days.
I've got everything to play nicely together, but still gives me code P1574, wrong key. I don't know what I'm missing!

This is my old BIU dump
Code:
FF FF FF 94 FF FF FF 94 FF FF FF 94 28 FF FF FF
FF FF 28 FF FF FF FF FF FF 00 FF FF FF FF A8 FF
00 FF 00 BB EC 07 A4 1F B0 FF 58 7F CA 50 84 0F
7F FC 93 26 C8 66 4A 8A 0D A1 FF FF FF FF 17 25
FF 00 FF FF FF FF A8 FF 00 FF 00 BB EC 07 A4 1F
B0 FF 58 7F CA 50 84 0F 7F FC 93 26 C8 66 4A 8A
0D A1 FF FF FF FF 17 25 A3 1D 7B AC FB B7 FF 89
85 FF FF A4 A3 1D 7B AC FB B7 FF 89 85 FF FF A4
This is my new BIU dump
Code:
FF FF 0B 85 FF FF 0B 85 FF FF 0B 85 85 FF BF F7
FF FF 85 FF BF F7 FF FF FF 00 FF FF FF FF FF FF
00 FF 00 16 E9 0B 24 32 FF FF 00 56 C7 4B 64 C2
7F FC A2 65 17 A7 1C 5A 39 22 5A FF FF FF 15 4C
FF 00 FF FF FF FF FF FF 00 FF 00 16 E9 0B 24 32
FF FF 00 56 C7 4B 64 C2 7F FC A2 65 17 A7 1C 5A
39 22 5A FF FF FF 15 4C A3 1D 7B AC FF B7 FF 8A
85 FF FF A9 A3 1D 7B AC FF B7 FF 8A 85 FF FF A9
This is the merged BIU I created and flashed
Code:
FF FF 0B 85 FF FF 0B 85 FF FF 0B 85 85 FF BF F7
FF FF 85 FF BF F7 FF FF FF 00 FF FF FF FF FF FF
00 FF 00 16 E9 0B 24 32 FF FF 00 7F CA 50 84 0F
7F FC A2 65 17 A7 1C 5A 39 22 5A FF FF FF 15 4C
FF 00 FF FF FF FF FF FF 00 FF 00 16 E9 0B 24 32
FF FF 00 7F CA 50 84 0F 7F FC A2 65 17 A7 1C 5A
39 22 5A FF FF FF 15 4C A3 1D 7B AC FF B7 FF 8A
85 FF FF A9 A3 1D 7B AC FF B7 FF 8A 85 FF FF A9
This is the new ECM dump
Code:
56C7 0000 4B64 0000 C200 0000 56C7 0000 4B64 0000 C200 0000 56C7 0000 4B64 0000
C200 0000 0100 0000 0100 0000 0100 0000 3453 3442 5038 3543 3835 3433 3338 3938
3800 3453 3442 5038 3543 3835 3433 3338 3938 3800 3453 3442 5038 3543 3835 3433
3338 3938 3800 FFFF FFFF FFFF 000E 07FF 7F6F 7F4D 7F4D 7F4D 7F4D 7EF6 7EEF 7F36
7F6F 7F6F 7F6F 8107 80D8 80D8 80D8 80D8 80FC 80F9 810B 8107 8107 8107 7FD0 7FDB
7FDB 7FDB 7FDB 7FE7 8030 8019 7FD0 7FD0 7FD0 8025 7F98 7F98 7F98 7F98 7F13 7F1E
7F1B 8025 8025 8025 A2A2 7F52 8037 8037 8037 8037 8082 808D 8021 7F52 7F52 7F52
8037 8036 8036 8036 8036 8055 804C 805A 8037 8037 8037 0000 0000 0000 0000 0000
This is the merged ECM I created and flashed
Code:
7FCA 0000 5084 0000 0F00 0000 7FCA 0000 5084 0000 0F00 0000 7FCA 0000 5084 0000
0F00 0000 0100 0000 0100 0000 0100 0000 3453 3442 5038 3443 5835 3433 3138 3930
3600 3453 3442 5038 3443 5835 3433 3138 3930 3600 3453 3442 5038 3443 5835 3433
3138 3930 3600 FFFF FFFF FFFF 000E 07FF 7F6F 7F4D 7F4D 7F4D 7F4D 7EF6 7EEF 7F36
7F6F 7F6F 7F6F 8107 80D8 80D8 80D8 80D8 80FC 80F9 810B 8107 8107 8107 7FD0 7FDB
7FDB 7FDB 7FDB 7FE7 8030 8019 7FD0 7FD0 7FD0 8025 7F98 7F98 7F98 7F98 7F13 7F1E
7F1B 8025 8025 8025 A2A2 7F52 8037 8037 8037 8037 8082 808D 8021 7F52 7F52 7F52
8037 8036 8036 8036 8036 8055 804C 805A 8037 8037 8037 0000 0000 0000 0000 0000
The relevant key codes, as far as I can tell are 7F CA 50 84 0F
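Three BIU dumps and two ECM dumps is more than is comfortable to compare by eye, and a hand-merge is easy to get slightly wrong (one byte off, or a value that came from neither source). The script below is an added example, not code from the thread; it reads the dumps posted above in their two formats (byte rows for the BIU, 16-bit words for the ECM), reports the exact offsets where the merged BIU image differs from the new one, and checks that every changed byte was copied from the old dump. The reading of the ECM layout (each key-code byte pair sitting in the high and low halves of every other word, zero-padded) is an inference from the posted rows, not something documented anywhere on the page.

```python
"""Added example: locate and sanity-check the bytes changed by a hand-merged
EEPROM image. All dump data below is transcribed from the thread."""

OLD_BIU = """\
FF FF FF 94 FF FF FF 94 FF FF FF 94 28 FF FF FF
FF FF 28 FF FF FF FF FF FF 00 FF FF FF FF A8 FF
00 FF 00 BB EC 07 A4 1F B0 FF 58 7F CA 50 84 0F
7F FC 93 26 C8 66 4A 8A 0D A1 FF FF FF FF 17 25
FF 00 FF FF FF FF A8 FF 00 FF 00 BB EC 07 A4 1F
B0 FF 58 7F CA 50 84 0F 7F FC 93 26 C8 66 4A 8A
0D A1 FF FF FF FF 17 25 A3 1D 7B AC FB B7 FF 89
85 FF FF A4 A3 1D 7B AC FB B7 FF 89 85 FF FF A4
"""
NEW_BIU = """\
FF FF 0B 85 FF FF 0B 85 FF FF 0B 85 85 FF BF F7
FF FF 85 FF BF F7 FF FF FF 00 FF FF FF FF FF FF
00 FF 00 16 E9 0B 24 32 FF FF 00 56 C7 4B 64 C2
7F FC A2 65 17 A7 1C 5A 39 22 5A FF FF FF 15 4C
FF 00 FF FF FF FF FF FF 00 FF 00 16 E9 0B 24 32
FF FF 00 56 C7 4B 64 C2 7F FC A2 65 17 A7 1C 5A
39 22 5A FF FF FF 15 4C A3 1D 7B AC FF B7 FF 8A
85 FF FF A9 A3 1D 7B AC FF B7 FF 8A 85 FF FF A9
"""
MERGED_BIU = """\
FF FF 0B 85 FF FF 0B 85 FF FF 0B 85 85 FF BF F7
FF FF 85 FF BF F7 FF FF FF 00 FF FF FF FF FF FF
00 FF 00 16 E9 0B 24 32 FF FF 00 7F CA 50 84 0F
7F FC A2 65 17 A7 1C 5A 39 22 5A FF FF FF 15 4C
FF 00 FF FF FF FF FF FF 00 FF 00 16 E9 0B 24 32
FF FF 00 7F CA 50 84 0F 7F FC A2 65 17 A7 1C 5A
39 22 5A FF FF FF 15 4C A3 1D 7B AC FF B7 FF 8A
85 FF FF A9 A3 1D 7B AC FF B7 FF 8A 85 FF FF A9
"""
# first row of the new and merged ECM dumps, 16-bit words as posted
NEW_ECM_ROW = "56C7 0000 4B64 0000 C200 0000 56C7 0000 4B64 0000 C200 0000 56C7 0000 4B64 0000"
MERGED_ECM_ROW = "7FCA 0000 5084 0000 0F00 0000 7FCA 0000 5084 0000 0F00 0000 7FCA 0000 5084 0000"


def parse_hex_rows(text):
    """Rows of space-separated hex bytes (the BIU dump format) to bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_hex_words(text):
    """Rows of 16-bit hex words (the ECM dump format) to a list of ints."""
    return [int(w, 16) for w in text.split()]


def diff_ranges(a, b):
    """Inclusive (start, end) ranges of offsets where a and b differ; a length
    difference counts as differing to the end of the longer input."""
    ranges, start, n = [], None, max(len(a), len(b))
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, n - 1))
    return ranges


def check_merge(old, new, merged):
    """True when merged equals new outside the patched ranges (by construction
    of diff_ranges) and equals old inside them, i.e. no byte in the merged
    image came from neither source and the length was preserved."""
    if len(merged) != len(new):
        return False
    return all(merged[s:e + 1] == old[s:e + 1] for s, e in diff_ranges(new, merged))


def ecm_key_bytes(words):
    """Inferred ECM layout: 7FCA 0000 5084 0000 0F00 -> 7F CA 50 84 0F, i.e. the
    five key-code bytes are big-endian pairs in words 0, 2 and 4."""
    raw = b"".join(w.to_bytes(2, "big") for w in words[0:5:2])
    return raw[:5]


if __name__ == "__main__":
    old, new, merged = (parse_hex_rows(t) for t in (OLD_BIU, NEW_BIU, MERGED_BIU))
    for s, e in diff_ranges(new, merged):
        print(f"merged differs from new at 0x{s:02X}-0x{e:02X}: {merged[s:e + 1].hex(' ')}")
    print("merge consistent with old/new:", check_merge(old, new, merged))
    print("ECM key bytes (merged row):", ecm_key_bytes(parse_hex_words(MERGED_ECM_ROW)).hex(" "))
```

On the posted data the merged BIU differs from the new one in exactly two five-byte ranges, 0x2B-0x2F and 0x53-0x57, both carrying the same value that the first three words of each ECM row encode. That the two units agree on those bytes and the cluster still rejects the key is consistent with the poster's suspicion that some further check (a checksum, or data held elsewhere) is involved; the script cannot say what it is, only that the merge itself is clean.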
 
Quote:
I don't suppose you have a memory dump from your biu and ECM you'd be willing to share?
I never read the BIU, but I've got ECU reads from my donor car. See if you can download this file to compare. Note, it's not actually a PDF, just remove that part of the extension and open.
This is from a 2007 3.0 Outback ECU, P/N 22611AM04A.
 

Hah, guess we just crossed replies.
Yeah, I know that feeling of frustration. I took a lazy 4 months of on/off work to get my new one flashed and into the car!

One thing immediately jumping out from your ECM reads is, except for two words post-VIN-repetitions, mine was pretty boring. You seem to have a lot of data in the lower half of the memory. Don't know that it's wrong, might be another difference between XT and 3.0. Or, 2005/2007.

Here is mine, human-readable, with fake keys and VIN, that I used for illustration a few months ago:
 
Alright, one more thing - user @mj2k (post #84 here) kept up with this project on the UKLegacy forums, and has some reads of the BIU there, too. Looks like they were active less than a month ago, maybe you can reach them with other questions?
 
Quote:
Alright, one more thing - user @mj2k (post #84 here) kept up with this project on the UKLegacy forums, and has some reads of the BIU there, too. Looks like they were active less than a month ago, maybe you can reach them with other questions?
I'm going to try that. I'm starting to become dubious that his method of simply copying key codes between the BIU and ECM will work; from what I've read of Ryan's research, it looks like the CMU also contains encrypted key codes. I haven't been able to determine how or where they are stored yet, and I just don't have enough knowledge of data manipulation to have this be a hopeful avenue.

Through my tinkering I've discovered that if you put mismatching key codes in the BIU and ECM, or just put in garbage or blank data in place of the codes, it will NOT generate any special kind of error. It still just produces the same "P0513 incorrect key" DTC. There's only a short string of data that when edited will produce a "P1571 reference code incompatibility". This indicates to me that if there are key hashes stored in the CMU, there is no way to determine if they match the ones stored in the ECM and BIU without a matching key and a successful immobilizer unlock. The only way I can think of working on this backwards is sequentially blanking out individual bytes of the CMU EEPROMs until I find all the addresses for the reference code, and copying just that section over from the new cluster to the old cluster. This will only be successful if there is no checksum. It'll also be very time consuming.

I have however ordered an RFID shield for my arduino, and discovered a way of spoofing a key transponder with a programmable AVR, so if I can work out how the key hashes in the ECM/BIU are determined from the key codes, I can bypass the whole system.

Failing all of this, I may end up ordering a VXDiag, which allows you to emulate most of the SSM3 functions, if I can convince a dealership to give me my programming code for the keys. They're a few hundred dollars, but that's still cheaper than a 2 hour tow and dealer bill!
 
Quote:
Failing all of this, I may end up ordering a VXDiag, which allows you to emulate most of the SSM3 functions, if I can convince a dealership to give me my programming code for the keys. They're a few hundred dollars, but that's still cheaper than a 2 hour tow and dealer bill!
Hey, if all our stumbling around in the dark means finding more ways to get a job done, then hooray for Science! That VXdiag sounds like quite a nifty tool, especially for <$200?!

If you feel like you've got to resort to the dealer, maybe try a local auto-locksmith first? I had an Infiniti that I deleted my only key from, while trying to use a Doorman automatic spare-key programmer :rolleyes: ... for just about $100 he came to me, and had one of those $1000+ multi-car computers that got it programmed again in five minutes. A phone call should at least be able to see if they can do Subaru keys; hard to say if the BIU/ECU mismatch would spoil their job, but one more option before a tow.
 
I learned something new. Booting your ECM with a blank rom will brick it.

Luckily I managed to use the Renesas flash utility to download the original rom that I had on hand and I'm back to merely being stymied by the immobilizer.

It looks like the BIU doesn't check that the CMU has a matching reference ID until after it checks if the keycodes are valid so my plan of blindly hacking out chunks of the CMU rom to find the ID won't work

Here's a question - What is the BIU checking against in the ECM for a reference ID? I'm going to refer to my two sets of units as Old and New. Old is the one I have the keys for but no original ECM eeprom, New is the set I have no keys for but a complete set of 3 working units.

If I flash the BIU with the New eeprom, it gives me a code for using the wrong key, regardless of what is on the ECM rom. If I flash it with the Old eeprom, it gives me a code for mismatched reference IDs, again regardless of the eeprom. The New ECM now has the SH7058 from my Old ECM, and the only unknown item in the 256byte eeprom is that odd checksum value down at the bottom, but changing that, the VIN, or the keycodes seems to have no effect on the code I get.
 