How to clone immobilizer data (& recover pin)

Well done Trev,

I did try saying last week it should be possible to read the ECU for it!

Regards,
Phil.

 

Don't know if the obd2 tools to do the immo are generic or car model specific. Even the immokiller software shows specific car models and I don't think list any ferraris. But I guess in essence your idea is sound and easy to defeat by someone like Eric355 with the knowledge and the tools. Your idea is much better than cloning FOBs. Cloning FOBs is like taking asprin for a headache instead of treating the cause of the headache. I'm sure the answer is simple. Let us know if you figure it out.

 

Oh baby...

 

Has anyone figured out how to retrieve the pin code if you have the red fob but no PIN code?

Thanks

 

Ok so where do i begin , i recently got another 360 spider (no keys or remotes) , been reading the posts made by 360trev and Eric355 ,and started to put these methods in to practice .First i tried to remove the Immo from the Bosch me7.3h4 control units using those Immo tools i found on the net . NO LUCK !!!! So then i began looking at the challenge race cars, believe it or not they are pretty popular here in South Africa ,so i went down to one race shop that looks after a couple of them to take a look .Seeing as i know the guy pretty well, i explained to him what a was trying to do and he let me poke around with one challenge car .they still have there immobiliser boxs in them but it doesn't require you to push any remote . So i asked if i could clone them ,they didnt look to impressed but i got him to agree as long as (you break ,you pay) principal was applied. Anyway after buying an xprog -m programmer ,about $50 worth) i realized that my Immo box has a different mcu in it ,the boards are identical so ill go to the local electronic shop tomorrow and see if i can order it , and hopefully ill be able to start it (with out a remote )!

Ill report back in a couple of days .
Below are a few pics of the process so far

 

Stevi,

Hi, I am also trying to solve a similar issue, I have a challenge car. It also has an immobilizer. No keys but an immobilizer. Thank you Ferrari! Now 13 years later the immobilizer fails sometimes. Usually shut down, reset gets her going again, but it seems to occur with greater frequency. For myself and other Challenge owners, this is bad. The immo servers no purpose on a car that starts with a flick of a switch and push button. I have also tried 2 internet downloads to patch the software. No joy. I have both the eeprom data and the maps for 1. 360 Challenge car and 2. EU 360, I will get a U.S. Car in a few days.

Not sure how to proceed from here, my goal is removal of the immo- I would even run us or eu street car software if I could patch either of those versions.

 

Steve- You need to contact the guys in Australia who have figured out how to pull the PIN from both the Alarm ECU and the red fob. See the other fob clone thread for contact info. They can provide fobs to match your PIN.

You can buy a new ignition, lock and key set with 2 ignition keys for around $500 most days on the internet. Or a good locksmith can make a key for you. A very good locksmith.

 

I would love to see if the immobilizer can be permanently defeated and the remotes only lock and unlock the doors. Security is not a concern for my particular situation. Reliability long term is a bigger concern.

 

You and the other 1000 F355 owners.

 

With the help of your awesome PIN out, Mitch.... I'll be trying this over the winter.

 

I have a quick question; I have a 2003 360 F1, in which I have to replace the ignition control module, if I get a set of second hand units (ECU’s) how do I make it works so the immobilizer and new ECU pair and permit me to start the engine?

 

reytech,

I was just testing that.

I just flashed a EU ECU with my Challenge ECU software and will change over to make sure it works. I had a mechanical failure at the track so I haven't gotten the car back yet and am not 100% sure it works.

But, the ECU on the passengers side is the one which communicates with the immobilizer, so it must "match up". The ECU software (Bank1& Bank0) are identical. As long as you have one functioning ECU, you can copy the working ECU's software & EEPROM. Then flash a third ECU with that software and it should work as a replacement for either side. The one I did is exactly the same as the original Challenge ECU down to the bit, it should work, i.e. the immobilizer should not be able to detect any difference in the ECU's.

I do not know if the year (i.e. Ferrari part#) contain any hardware differences, they all appear to be the same but I don't know that. It is not very difficult. You will need a test bench - the flashing must happen with the ECU's out of the car on a test bench using a Galletto tool. Please read this:

http://www.***********.com/forums/modern-v8s-360-f430/19714-how-bench-flash-your-3.html

And send 360Trev a thank you, he did all the work.

Looks like your in Baltimore - I'm near Allentown PA, I would do it for you just for fun. I also may have a way to remove the immobilizer completely but also have not yet tested that.

How do you know the ECU is bad?

 

search google for "how to bench flash a Ferrari 360 ecu" to get to the link that was blocked above

 

Rey- If you get a used set of two, one of the Motronic ECUs should be a virgin without the Alarm PIN stored in the the ECU. You might have to swap them to find out which is which. If you are only getting one, you can take your left (port) ECU and put it on the right (starboard) side and it should work fine.

Alternatively, someone would need to know how to clear that PIN out of a Motronic ECU, and I am not sure anybody knows how to do that yet. Or follow RMJ's advice.

 

Hello all,

I found something interesting during testing. Hope this helps understand the interaction between the ECU & IMMO. As Taz stated I am not sure how to clear a PIN but may have found one, or at least the effect of the pin's interaction with the ECU.

After flashing my Challenge car Right side software - both EEPROM & ecu data - to a random ecu I purchased on Ebay, I attempted to start my car. No go when used on the right side - worked on the left side.

I then downloaded the software back and did a comparison of the files. The IMMO changed the EEPROM data. It would appear that the "clone" ecu was not recognized and the "pairing" process occurred but the resulting data did not match the key.

9 data sets were changed from the orginal file. Here are the data changes that the IMMO made to eeprom. I believe that someone smarter then me could dig a pin code out this.

Test Date: 12/3/2014

Conditions: Random EU ecu - unknown prior usage - reflashed both eeprom & data
Flashed using "right side" known good data
Verified data after flash - 100% identical byte for byte

Test1: Install clone ECU into right side
Result: Car would run on only on bank 1, no cyl firing on right side.

Test2: Install clone ECU into left side
Result: Car ran normally

After test ECU was removed and data downloaded back into computer for comparison.
Result: EEPROM data was modified by the IMMO/Alarm

Ferrari 360 CH - EEPROM data before & after IMMO connection:

0x34 E9 => 80
0x36 FB => 07
0x37 FF => 00
0x38 2F => 16
0x3A 23 => CB
0x3E 29 => 89
0x3F FC => FD
0x42 A4 => 8F
0x4E 01 => 16

I have just flashed the ECU to the left side EEPROM & data, will try that next and see if I can a proper start. Hopefully in the life of this car no one had ever moved the left side ECU to the right side, as the eeprom data is different I may get lucky. I also have a friend sending me his confirmed "virgin" ecu's to be read. We will see if that data will "pair" when written onto this random ecu.

Has anyone tested the relays of 360 to see if the fuel/ignition system is actually hard off when the immo is triggered? Or is it just that the ECU is not acting on the ignition/fuel system? Or both(most likely)?

 

I believe on the 360 (Motronic 7.3) with the immobilizer active, she will not even turn over so the start circuit is inhibited. On my 575M (Motronic 7.1.1) with immobilizer active, she will turn over, but will not start, so fuel, spark, or both inhibited.

 

Thanks Taz.
Oddly enough on the 360 ch the car will start but only on the drivers side bank. It will run and drive fine- don't ask how I know. Does anyone know if the 360 street car does the same?

 

Well this is getting to be a PIA. Next test also failed. The EEPROM data in the ECU is getting overwritten by the immo(my assumption). So after cloning the left side ECU to my ebay ECU and attempting start (on right side)- the data was changed again and does not match the orginal ECU. I was hoping that it would pair up and run. I have noticed a few bytes are the same between the rewritten data from my first test on ECU's that will not start the car.

0x37 = FF on ECU that works = 00 on all ECU's that do not work & Left side ECU.

I am wondering if this process occurs in a paired ECU/IMMO - I will do a hard shutdown on the car - kill the disconnect while running and then reread my original pass. side ECU to see if its data changes or remains the same after pairing.

Next - I will clone a 100% virgin ECU and write that to the ebay unit. These bosch guys are not messing around.

Some unanswered questions...
How does the immo know that the clone is different? another chip?
Why won't the ebay ECU "re-pair" to this immo?
Could this failure to pair be caused by the ebay ECU having already paired with another IMMO?

 

good stuff !

the resulting test will probably answer your three above questions

if it fails, that means the immo somehow recognizes the clone
if not, the car will start

last test would be to install the virgin unit ...

 

Guys, excellent work, but what is the conclusion? I know the problem has been solved and the solution has been posted years ago, but perhaps removed as I can not find it anywhere. Also several people around the world recover the PIN if the immobilizer is mailed to them (and understandably they may want to keep this information off the net).

Still, can anyone post how to recover PIN from the immobilizer? E.g. the address at which the PIN is stored and the storage format? If there is a security concern about publicly posting immobilizer information, can someone PM me that information off-line directly (and I will continue to keep it off the net, if that is the sender's desire)?

Also, is the PIN also known to the ECU and can it be extracted from the ECU? That would be much more convenient, as the ECU may need to be accessed anyway for tuning and other purposes.

Any help greatly appreciated! Thanks!

 

I've found a very important comment from @tazandjan (thanks Terry!) which explains initialization sequence and demonstrates that one of the ECUs is also storing the PIN:

"Both Motronic ECUs start out identical, with exactly the same contents and part number. When the system first initializes, the alarm ECU looks for the PIN stored in its memory and compares it to the one in the Motronic ECU. If blank, the PIN is passed over the CAN and written in the Motronic memory."