Where do I begin? ... Well it all started out really as trying to offer to help out a good friend of mine and member on here, Ingenere. He'd been experiencing the famous 'will it, won't it start' problems seriously denting his confidence in an otherwise fantastic Challenge Stradale ownership experience. I guess 15+ year old Bosch electronics pre-dating the millenium where never going to last forever where they, especially in a desert climate of Arizona! And so it began. As it happens I was planning a trip over in San Francisco last year on a month long business trip and I reached out to help him. I brought all the kit i needed with me 'just in case'. As it happened in my spare time at the weekend I took a flight over to Arizona to see him and that's when I saw it for myself. Obviously very little hot weather testing was done on this kit. Opening up the Immobilizers for the first time I was greeted with some horrific things. The first of which was soldered on Mechanical relays in the immobilizer box (!). Why oh why where they not relocated into the swappable area of the car? All mechanical relays will eventually die and these immobilizer relays are no different meaning your 360 *will* eventually get this issue... Sigh. Tracing the pins with a multimeter I was able to easily identify that the first box behind the seats (the bigger one) is actually just a reciever for the keyfob with an old Motorola MC68H (16-bit) processor from the 80's... Really really cheap old kit that I haven't seen for decades. Anycase on to the relay's. They are in actual fact part of the immobilizer circuit but in a rather crude way. All of the relays are controlled by the MCU (micro controller). One of the relay's controls flashing of the indicators when you blip the key fob and the other does the lock/unlocking of the central locking function. The 3rd i never really discovered what it actually did (maybe nothing on the 360 since this immobilizer unit is actually a generic piece of Bosch kit used on many cars of that era). The 4th relay simply enabled power to the starter motor. There is also an additional function of the big box immobilizer and that is to send an start authorization message over to the smaller immobilizer box (the second box behind the seats). This then sends a start authorization message over to the right bank ignition computer to tell it to grant access to start the engine. Without that start authorization message the ignition computers will not run the engine regardless of if the starter motor relay is bypassed or not. I confirmed all of this in a few hours that weekend I was over in Dino's house that weekend. Fast forward to today and what's been achieved since? Well I know that one company obviously must have traced the output of the little immobilizer unit with some sort of bus snooper bit of kit then decided to simply send an authorization message REGARDLESS, this approach however still isn't the end of the story since you still have all the problemsof pairing, etc. to contend with and what happens if an ecu goes down that has your pairing information on it? Your buggered... The approach I've taken (the hardest) and I believe a world 1st is to extract the firmware via the method I first disclosed a few years ago now (2014?) then spend time to understand the format of that firmware image. This was challenging because so little was the same versus other more common ecu's on other cars. However with continued research I discovered how all the checksums work (these are numbers inside the code which verify that nothing has been changed). I then wrote a tool which allowed me to alter parts of the code and re-calculate the checksums. This was the first step towards solving the immobilizer issue since without this I could not disable it completely in the code and then not have the ecu reject those changes. Following me? I hope so.. There had been some attemps to use a EEPROM dumping method but again it varies between car models so the eeprom is not the same across car variants so nobody got this method working correctly. Anyway after resolving the checksuming issues I then reseached how other cars with similar Bosch ME7 ecu's worked and discoverd a whole wealth of information on VW golf's, Alfa Romeo's and so forth with similar but different code. After this I then wrote a special piece of software which could extract all of the unique functions out of the code and compare them with known functions from other similar bosch cars. This helped me to identify their functions and eliminate them. It also helped me to work out where all the maps and data in our own cars lay in the firmware which has been very useful. Literally many weeks of work... Finally I stumbled upon the SIA WFS.. What's that? Sia is the Supervisor Immobiliser Authority functions. And WFS is the term in German (Wegfahrsperre) which is IMMO immobiliser or (drive away lock). Bingo!!! After some time analyzing the code I discovered that helpfully Bosch engineers had left in a back door (!!!!) literally you only need to change a SINGLE BYTE (one byte!) in the code (And ofcourse recalcuate the checksums so that byte isn't rejected) and then volia... Immobilizer is defeated....This applies to all model years, all variants of 360 incluiding Challenge cars. I've worked out how to cleverly isolate the single byte out of the 524,288 bytes in a dump that works for every variant I've tested so far Yeeehar... So after doing a simple loop of wire which joins two pin on the big box immobilizer I defeated the first stage immobilizer of the starter motor disabling. Then after reflashing both ecu's (left and right bank) with the modified firmware the WFS is totally disabled and the car can now start without the keyfob, without either of the immobilizer boxes behind the seats but doing this full removal you loose central locking. So you can either do something different (I plan a keyless entry module and clever smart phone app now) or retain the original big box immobilizer and simply bypass the starter relay pins giving you the ability to just get in and start the car. No fussing around having to play with the fob locking unlocking because it timed out, etc. Its wonderful because it makes the car so damn easy to start, like it should have always been. So next steps are to test my keyless entry next and prepare a few boards for some 'testers'.. If anyone wants to be part of the testing group please let me know. I will initially focus on an Andriod app and later do an Apple one. This will message you every time someone gets into your car, and you can see if its locked, I will add a simple GPS and GSM module so you can also track in realtime its location and I will add in option in the app to place the car in valet mode where it cannot be rev'd past 4000 rpm. Many other things will come with time but this is the starting point. Best Regards, Trev
Picture one shows my custom harness required to flash new firmware onto the ecu's. Second picture shows the immobilizer ecu's I can now throw in the bin Image Unavailable, Please Login Image Unavailable, Please Login
Just one last thing about the consequences of this.... 1. ALL old Ferrari 360 ecu's are now re-usable (there is no concept of pairing anymore) - Its all disabled. You simply reflash with a immo off version either a left or right bank ecu your done and they work on either side. 2. You don't need to use your keyfob to authorize the starting of your car. Your physical key is doing this. No messing around fumbling to turn on/off to start the car. No pin codes. Nothing. 3. Less crap to go wrong and believe me when you see the soldering in these early bosch units they look like they where done by a 5 years old. I also managed to identify all the maps... So I can now do things such as; 1. Swap the maps for linerization of HFM5 AFM voltages (Air flow meter's) with the ones from a Challenge Stradale grafted into the Modena's firmware. The net result is that if you fit the larger F430/599/CS afm's and airboxes you get a healthy increase in horsepower and the engine starts smoother. I suffered for years with the old 80mm maps and the only work around after a battery disconnect was to depress throttle to end of stop before starting car. It wasn't ideal and idle was lumpy.. 2. Adjust RPM limiter. Very useful for tuned cars making peak power beyound 8600 rpm.. 3. Adjust TPS (Throttle Position) maps 4. Disable secondary o2 sensors (and their CEL's) so you can fit decat pipes or sports cats without CEL. 5. Disable cold start air injection 6. Adjust Fuel maps and injection scaling values (for turbo or supercharger conversions), with some work I could make F430 injectors work on a 360 for example which may actually yield more power since the 360 ones really are at the end of their range and again very useful for turbo/supercharger conversions. 7. etc.etc. Now that I'm inside the code I can pretty much do anything... Watch this space!
Watching and waiting! Would love to ditch the IMMO stuff even though I forked out the money to retrive the pin and get a red fob! I'd even be a interested in being a tester if you need an early model car.... Hey Trev, I've got the 430 MAF's on order, should be here next week so Steve over at Mase Eng can flash the ECM's, From what I read above, you've seen behind the curtain so to speak. I understand that Steve has a wealth of knowledge and a large customer base which allows him to build a "catalog" so to speak to match up to individual customer mods. Is what you discovered the same with the MAF airflow and fuel/rpm tables? Looking to the future, if I have a custom tune and all the bugs are worked out on disabling the IMMO, will that impact the tune since you will have to flash the ECM's I'm assuming?
Great work Trev! Really interesting reading what you have done. Having worked in the OEM automotive world with the engine and transmission calibration groups, there is a lot that can be done with the code...
I'm going to chat to Steve at mase and come back.... I've now got so far with this ECU I can even inject or graft new features into it... Such a pops and bangs on throttle lift off as example
Yes, we are just scratching surface. I'm interested to make a companion board to allow all these things to be done via your smartphone. That would be the best. Then you can control exactly what features you want as an owner. You can also get high speed telemetry out by looking at something Bosch engineers called McMess
I'm looking to defeat my immobilizer so let me know if your doing this for customers I would gladly pay you. Sent from my SM-G950U using Tapatalk
Since I'm not in USA I'm going to see if I can get Steve at Mase to help out here... Watch this space.
I sent tcu to France no problems for a cs flash from a fourm member Sent from my SM-G950U using Tapatalk
As SkidKid earlier mentioned those of us in California are concerned about passing all DMV tests Keep us advised please
That’s really awesome. What did you mean about bypassing the Start relay. Is this possible with just a wire in the relay socket or are you saying this is done with your firmware flash? Sent from my iPhone using Tapatalk
There are actually 3 immobilizer functions in the 360.. 1. A very simple one which doubles up as the keyfob reciever and does a starter motor cut using a built in relay soldered onto the pcb. It also has 3 other relays of which 2 are for controlling the indicators and central locking functions. One appears unused. This is called the 'VEHICLE IMMOBILISER' and its so crude its almost worth not even calling it an immobilizer. It basically is defeated by joining pins 12 to 13 which is what the relay does under computer control when the keyfob is 'approved'. You can simply trace pin those pins, they are on the first connector with the largest blades. Looking at the ecu fom front its pins 8 to 1 are bottom row and pins 16-9 top row. When I unplugged the ecu entirely I simply put a loop of wire which joined those pins together and then you can crank the engine with the key at any time but the car wont yet start (as it still has the digital lockout immo)... 2. Second immobilizer box is called the 'VEHILE IMMOBILIZER INTERFACE'. This is the smaller of the immobilizer units that sit behind the seats. This one is wired so that when you get a keyfob entitlement from the first box it will send a digital message to the Ignition computers to 'authorize' the starting. Sometimes this can take longer than it should and hence you see a car start on only 4 cylinders! This is because one of the Ignition ecu's is paired to the immobilizer and the other isn't and its a bug/timing issue in their code!! Both the above boxes can be removed once the Ignition ecu's are reflashed with my immobilizer disabling patch or you can continue to keep the first big box 'as is' without any change at all. Then however you still need the keyfob to start the engine since it won't disable the starter cut without it. A better solution is you join the 2 pins together with a small loop of wire and keep the keyfob and box only to let you get in and out of the car [just performing function of door lock/unlock with all immo functions disabled]. This is then a full immo defeat and still allows you to user power locks. I will then later this year bring out a modern plug in replacement for it connected to your smartphone etc. with an advanced keyless entry, etc. Hope this make sense...
I'm very interested as well! I've already done the CS flash on the ECU's and will need a set of new Air Flow Meters together with boxes... This will be a better setup though - being able to adjust various parameters yourself.
Great work Trev! As a previous recipient of your amazing work, i'm really excited to see what comes of this.
Well guys I've been out and driven the car today without any key fob, without either the vehicle immobilizer or the vehicle immobiliser interface fitted behind the seats and the car is working flawlessly. No faults, no issues. Starts first turn of the key every time...
360t- Did i see you in ‘Gone in 60 Seconds’? Sir? I wont tell anyone Thx for advancing this platform sir.
Wow, this is amazing! Can’t wait for everything to be worked out and available for us! I occasionally had hot start issues that seemed like the car was running on 4 cylinders instead of on all 8 and now that you mentioned a time delay in the ECU since only one bank of ECU gets a start authorization signal, I wonder if my issues were attributed to that and is a sign that the immobilizer system is starting to go out Sent from my iPhone using FerrariChat.com mobile app
Haha actually it takes about 3 minutes to do an Immo off reflash. Technically I could develop a way to send you a device you plug into obd port via a GSM data link to a laptop sitting in a different country but its just easier to send me your old ECUs
Its what prompted me to push this over the line, I have seen how much heartache it can cause, ask Dino!!!
