Subaru Outback Forums banner
141 - 160 of 180 Posts

· Registered
Joined
·
11 Posts
One more quick update although I've had to move on to other stuff... I figured out the true format of the messages. They are 80 bit challenge and response, with a single byte addition checksum.

Message structure (byte numbers):

0 - message origin: 0x07 for ECU, 0x08 for immobiliser
1 - always zero
2 - 6 - message. 80 bits (4 bytes)
7 - always zero for immobiliser, checksum for ECU message
8 - checksum for immobiliser

The checksum is a very simple algorithm - I just happened upon it by chance. It's the sum of all the other bits - just overflows past 0xFF as necessary. So the checksum for:

0x07 0 0x96 0x03 0 0xFF 0
is 9F

0x07 + 0 = 0x07
0x07 + 0x96 = 9D
0x9D + 0x03 = A0
0xA0 + 0 = A0
0xA0 + 0xFF = 9F
0x9F + 0 = 0x9F

So the entire message becomes:

0x07 0 0x96 0x03 0 0xFF 0 0x9F

Simples!

Andrew
 

· Registered
Joined
·
1 Posts
Hi Ryan, Hi everybody,

First of all I want to say thanks for the great work with FT232H EEPROM reading setup. I imagine many people ask for help, unfortunately I am one of these people.

I have installed everything on PC Win10 and I'm able to read EEPROM from my FXT 2007, however I cannot write it.. When I start the eeprome-write script it does something but at the end the eeprom is the same as it was.
By any chance, do you think you can help me? My original ECU is dead and I'm trying to revive my car.

Thank you very much!

Anton
 

· Premium Member
2008 JDM Outback 3.0R, 5EAT
Joined
·
635 Posts
Hi Ryan, Hi everybody,

First of all I want to say thanks for the great work with FT232H EEPROM reading setup. I imagine many people ask for help, unfortunately I am one of these people.

I have installed everything on PC Win10 and I'm able to read EEPROM from my FXT 2007, however I cannot write it.. When I start the eeprome-write script it does something but at the end the eeprom is the same as it was.
By any chance, do you think you can help me? My original ECU is dead and I'm trying to revive my car.

Thank you very much!

Anton
I had to repeat the write then read process 3 or 4 times before the read matched the new data.
 

· Registered
Joined
·
1 Posts
One more quick update although I've had to move on to other stuff... I figured out the true format of the messages. They are 80 bit challenge and response, with a single byte addition checksum.

Message structure (byte numbers):

0 - message origin: 0x07 for ECU, 0x08 for immobiliser
1 - always zero
2 - 6 - message. 80 bits (4 bytes)
7 - always zero for immobiliser, checksum for ECU message
8 - checksum for immobiliser

The checksum is a very simple algorithm - I just happened upon it by chance. It's the sum of all the other bits - just overflows past 0xFF as necessary. So the checksum for:

0x07 0 0x96 0x03 0 0xFF 0
is 9F

0x07 + 0 = 0x07
0x07 + 0x96 = 9D
0x9D + 0x03 = A0
0xA0 + 0 = A0
0xA0 + 0xFF = 9F
0x9F + 0 = 0x9F

So the entire message becomes:

0x07 0 0x96 0x03 0 0xFF 0 0x9F

Simples!

Andrew
Good day all, I stumbled upon this thread and posts regarding the subaru immobilizer system in hopes to find solutions to my situation.

I run VW Syncro vans with ej25s and stock subaru harness/ECMs out of subaru vehicles prior to immobilizers. Recently, I happened upon modifying a newer subaru harness with the CANBUS and Immobilzer security. I can get the harness and engine to work, but shutdown soon after due to the immobilizer limitation/security.

That said, I am looking for a way to delete the immobilizer functionality from the ECM as I do not need the security in my VW vehicles. Did you ever continue your effort in running stand alone ECMs that previously had the immobilizer functionality on them?

Thanks for the info, in advance!
Jason
 

· Registered
2005 Outback 3.0R
Joined
·
156 Posts
Did you ever continue your effort in running stand alone ECMs that previously had the immobilizer functionality on them?
Presently there is no publically documented way to defeat the immobilizer. Near as i can tell, there will /never/ be a way to run the ecm without the matching biu. I now have a parts car and at some point in the near future I'm planning on setting up a test/reprogramming stand i can use to probe further, but i think the best you can hope for is deleting the instrument cluster. The ecm communicates with the biu for more than just the immobilizer function.
 

· Registered
Joined
·
13 Posts
OK So I realise everyone has probably moved on from this old hat, But I'm in a fix.

I'm offering a reward for anyone that can help me get this chip reading/writing thing (or a newer solution, I have an arduino Uno too) working.

I don't really understand how any of this works, I am just following instructions given by those on this thread, and the deprecated Adafruit link. Although I'm not completely cabbaged, and got this far, hopefully from this post you will get an idea of my problem solving process and abilities thus far.

When I took this project on a few years back the Adafruit FT232h solution was still (just about) current. I bought all the stuff, life got in the way and now I am having trouble getting this to work, on the plus side I downloaded a lot of the info/files back then. I feel like I'm only one step away now from being able to clip onto my chip and have problems with the read/write script :LOL:

Heres a screengrab of it pulling my pants down 2 strides before the finish line:
Terrestrial plant Font Screenshot Number Computer terminal


As you can see it seems to have imported the ftdi1 library, but not the adafruit_GPIO module.

Looks like it falters trying to connect to a site to grab some package related info, and seems like an SSL Certificate issue?

The site it is pointing to still exists, with the index and a bunch of relevant looking files:

Blue Rectangle Font Screenshot Software


Things I have tried before running the py install command:
-I have set to run Python as admin in properties.
-I have set Python as an 'allowed program' with windows security/firewall
-I have tried switching windows firewall off.

Things I have yet to try:
-Figure out a way to bypass SSL Certificate requirement, a quick bit of research suggests this is extremely dangerous for security (especially running an old version of windows)

-Try using the newer Blinka/circuitpython stuff. (I have a feeling this would be even more frustrating)

-See if there is a way to manually 'build' what it requires, or download it and alter paths it loos for (probably requires way more decompiling/programming/recompiling than I am willing to do, and is WAY above my IQ resource limit)

-Use my Arduino Uno instead (I have no idea where to start with this, beyond assembling the circuit as detailed in this thread)

-Break the car up for parts, take the shell to the scrapyard and go to the Pub on the way home.

This has taken me hours upon hours and I will feel like less of a wang if I can achieve it.
I also hate asking for help and usually people ask me for help, Hence the offered rewards as follows, should you choose to accept:

-ECM, BIU, Cluster, Key, Transponder ring and some related plugs/wiring from a UK Spec 2008 Forester XT, including shipping to anywhere I can ship it to! Only thing I cannot cover is any import duty your end but will be shipped as a gift (which is kinda what it is) to try and negate that.

-A picture of my map of Tazmania (Mapatazi)*






*VERY optional, this is more just to show how grateful I would be.


If you want a giggle the bigger process upto this point is below, and a link to the whole project thread:

"The main problem I have now is when I did a lot of my initial reseach, it was based on using the Adafruit FT232h board for swapping the Immo data over.
Of course life got in the way and in the what feels like 6 seconds since I last looked (more like over 2 years), nothing is relevant or supported any more, after I took the following steps:

-Bought an Adafruit FT232h board, chip clamp, wired it up.
-Realised the stuff needed only wanted to run on Windows 7 under 32bit architecture
-Noted I had only laptops with Win10 and WinXP SP3 on.
-Remembered I have an old Toshiba that was Windows 7 until the hard drive died.
-Bought an SSD for it, fitted that and installed Win7 32 bit without any drama.
-Installed all the crap to make the FT232h work, got to the last item before running the actual read write code and it seems like it needs to connect to the internet to download a section.
-Realised that my fresh install is missing a load of drivers, not a problem until I needed it to connect to the internet.
-Found on my hours and hours of searching for a driver that didn't exist that the laptop originally came with Win7 64 bit. Because the network controller fitted to it only works with 64 bit, and only has a 64 bit driver. FML.
-Found a way of running 32bit applications on a 64bit machine, surprisingly easy to configure, great but this means I could probably have done it on the Win10 laptop all along. FML again.
-Decide I have come this far, Removed Win7 32, Fresh install of Win7 64, more finding compatable drivers, get it connected to the internet.
-Reinstall all the Adafruit/Python crap that had to get wiped to install Win7 64.
-Find it does exactly. the same. fkn. thing. as. before. Because even seemingly managing to find the right 'deprecated' software, links, libraries etc there is still that one thing that will not work"

My hastily created project thread


I'm going to thank you guys, Ryan for starting this and all the other contributors, if just for showing it can be done, although all it has caused me so far is pain and sleep deprivation :ROFLMAO:o_O I probably won't let this go now either way I have too much invested!
 

Attachments

· Premium Member
2008 JDM Outback 3.0R, 5EAT
Joined
·
635 Posts
Heres a screengrab of it pulling my pants down 2 strides before the finish line:
Seem to remember that I had a similar'ish error - don't have the details - after installing the current AdaFruit software in May 2021. This issue was resolved by installing the officially deprecated version @ Adafruit FT232H Breakout.
 

· Registered
Joined
·
13 Posts
I d/l'd it from the same link you posted before I think, but stumbled upon a link whenchecking the readme file for version about deprecated version install, which led me to download github/gitbash (chose the old 32bit version) which downloaded me another GPIO, looked about the same but without the -master suffix in the folder name, tried that but still the same. Turns out both state they are for python 2.7.

Although I did notice when I installed the github/gitbash software it asked me to select SSL procurement either its own preference or through windows, I tried it installed/setup with both options but still no dice.

Thanks anyway though, you still prompted me to discover another layer, and check it out!
 

· Registered
Joined
·
13 Posts
OK, after about 2 hours checking the validity of pypi.orgs SSL certs trees on SSLlabs website (I had no idea that you could do this before tonight, all of thier servers check out) and frustration trying to enter commands to bypass the process in python without the pretty much impossible method of re-writing source code for things, I found I kept getting input errors, because there was a package for python that wasn't installed and crucial to verifying SSL certs when importing libraries.

So after looing up how to install 'requests' which goes like this (from command prompt like C\: NOT python '>>>') type:
pip install requests

That installed itsself, then again at command prompt and in the right directory hit it again with the old python setup.py install and it went for it this time!

Terrestrial plant Font Screenshot Darkness Document


It has returned some traceback errors, (not supported by other items by the looks of it) but I remember somebody on this thread said that It did that but still worked, seems legit as they are not critical errors preventing the library from loading its dependancies etc. Lets hope so.

Oh, one other thing I noticed that could catch you out, in case anyone else is dumb enough to try this, is that when you enter the import checks IT IS CASE SENSITIVE! You can see in the bottom of the screengrab I was playing around with it.

I'm going to sleep now as Its nearly 1AM GMT,and have to be up for work in about 4 hours. But I will try the next step hopefully tomorrow, and see if that wants to b!tchslap me silly as well; will report back whatever happens..

Peace out.
 

· Registered
Joined
·
13 Posts
UPDATE:

Apologies to those of you that are well beyond this basic copy and paste IC405 stuff, But I'm sticking this here as reference for anyone patient and silly enough to try this.

It may clarify a few questions/musings that I had when I looked at earlier stuff in this thread, and help to (slightly) bolster that documentation. A lot of this becomes evident as you progress but its nice to have verification and even more idea of what to expect when you try it, and hopefully make the process much quicker and easier for you.

Excuse the retro green screen scheme, I am old skool, and old and I find it easier on the eyes/easier to read.

I seem to have sucessfully read the donor ECU, next step is to pull my existing ECU, read that, write to the donor, and read check to make sure it took. Hell knows when I will do that but I'll shout a quick update on here.
I won't be able to test it for a while though as the ECU's are pinned differently, so I have to sort that as I harness merge for the different engine, and get the new motor swapped in and hooked up.

I havn't sanitised any of the info shown from the ECU because, well, it was bought from the states (I am in the UK) from a car that was broken up for parts already... ...and even if it was from my actual car, if you are smart and patient enough to go through this nonsense, locate where my car is, come here, get into it, then figure out a way to steal my 16 year old 162k mile car with it, then fair play on those grounds I salute you and you can have it. Knock my door when you have done it, show me and I'll give you the actual keys. :ROFLMAO:
Computer Personal computer Netbook Computer keyboard Input device

Remember when engine conversions were easy?

Passive circuit component Circuit component Hardware programmer Electronic engineering Computer hardware

The 'ADA' in adafruit stands for A. Dumb. Ass.

Passive circuit component Circuit component Hardware programmer Microcontroller Electronic instrument

Reference pic, offending chip. pin 1 on the clip to the end pin where the dot/dimple is.

Passive circuit component Circuit component Hardware programmer Font Electronic component


Above and below pictoral references for the wiring and pins/legs.

Circuit component Electrical wiring Cable Electronic engineering Wire


Rectangle Font Audio equipment Multimedia Display device

This is what you get when you read. it spits the file out into the python directory (the main folder not a subfolder) in the format Ryan stated. The only way to see if it was a successful read is to check it in a hex program like below.

Rectangle Font Pattern Parallel Electronic device

Whatever option you choose with hexdump it spits out the same gobbledeegook (yes when it unzipped I was overcautious and it ended up double foldered, I might fix that oneday)
...I am going to try and translate said gobbledeegook just out of interest, and when I read my original. I can check the VIN is right at least, knowing the keycodes will be pretty pointless but they are a short entry so no big deal to try it.

-The Count
 

· Registered
Joined
·
13 Posts
UPDATE:

This old deprecated junk still works:

Computer Personal computer Laptop Output device Table

2006 UK Outback EJ253 M/T Ecu (top), & 2005 US OBXT M/T Ecu

Azure Rectangle Aqua Pattern Tints and shades

A sucessful read. It takes more time than a write. Not long enough to make a cup of tea
but long enough that the thought cosses your mind if it will actually stop...


...So there it is.

Notes:
(some of this has already been mentioned in this thread, if so, see it as a +1)

-I gently scraped the pins/legs on the chips with am x-acto knife (rest of the world: scalpel)
to remove any conformal coating that might be there and clean up the contact areas for obvious reasons

-It took a few read attempts, moving/re-seating the chip clip each time (and subsequent checks with hexdump) each time, for writing do this first until you get a good read, then don't move the equipment, sneeze or breath hard near it etc. whilst you write it immediately after.
Probably common sense (like where and when you set this up) but there it is.

-I did a test read after writing and compared to make sure the data had gone across.

-I put the original ECU back in the car (and it still works) but will not get to test this one for a while, need to do the actual conversion/wiring now I know this works. Will update here when I get to that point, in the meantime y'all know where my project thread is!

hope this helps somebody out there!

-The Count
 

· Registered
Joined
·
13 Posts
Oh, anybody know how to translate the .bin file into readable information?

(or the key code and VIN stuff anyway) not that knowing the key code numbers would make a blind bit of difference to anything, but the VIN would be interesting to check.

I have tried the relevant blocks of information in hex to text/ascii converters and many different text encoding standards but it still doesn't make sense. Its probably way simpler than I am making it.
 

· Registered
2005 Outback 3.0R
Joined
·
156 Posts
Oh, anybody know how to translate the .bin file into readable information?

(or the key code and VIN stuff anyway) not that knowing the key code numbers would make a blind bit of difference to anything, but the VIN would be interesting to check.

I have tried the relevant blocks of information in hex to text/ascii converters and many different text encoding standards but it still doesn't make sense. Its probably way simpler than I am making it.
I wouldn't rely on the information discussed early in the thread about where the key codes are supposedly registered. I don't think they're kept in the ECM at all, only the BIU. I attempted to change the ECM locations where the key codes were purportedly stored and it was unsuccessful. Your VIN shows up in plain text in the images you posted above.

Rectangle Font Pattern Parallel Symmetry


It's on the 4th line down on the right, starts with 4S4BP6, repeats 3 times.
 

· Registered
Joined
·
6 Posts
Presently there is no publically documented way to defeat the immobilizer. Near as i can tell, there will /never/ be a way to run the ecm without the matching biu. I now have a parts car and at some point in the near future I'm planning on setting up a test/reprogramming stand i can use to probe further, but i think the best you can hope for is deleting the instrument cluster. The ecm communicates with the biu for more than just the immobilizer function.
I think it's possible to extract the RFID chip from one of the keys that work, and tape it under the ignition key block, so that the car will start with any key that turns into the ignition block. At least I've done it once, to verify that it was the case.

My current challenge is adding a new key with a new RFID and have it added to the immobilizer memory. Any good tips to save on having a key cut? I found a blank key with keyless entry on Amazon for around $35. The only quotation I was able to get so far for having it cut, is from a service called KeyMe for $180. I have an Outback 2011.

Thanks to all who have contributed information to this thread, especially Ryan.
 

· Registered
Joined
·
63 Posts
Bump. Anyone want to help? Just need some folks to send serial comms to the OBD port to gather info from the BIU to compare against what I think it means.

The 'prize' here is having freeware with full SSM functionality including diagnosis of BIU issues, adding keys, ECU swapping, BIU swapping etc
 

· Super Moderator
Outback 2011 3.6R Premium (sold Jan 22)
Joined
·
4,608 Posts
I am happy to help. I have access to a 2005 Impreza 2.0 Automatic, 2007 Liberty/Legacy 2.5 manual and a 2006 Forester 2.5 Turbo manual.

I also have a Vag-Com cable and laptop

Segrass
 
141 - 160 of 180 Posts
Top