How to clone immobilizer data (& recover pin)

The PIN is definitely in the right ECU, but not sure anyone has bothered trying to pull it yet. I believe Trev now knows how to make a Motronic ECU virgin again for the PIN, but you would have to ask him directly.

Gobble is now making sets of fobs with CR1632 watch batteries, which do not require the batteries to be changed at 6-12 month intervals. They also weigh less so dropping one does not have the heavy battery cause damage. My new set is working great. You can pick your own PIN, so mine is now back to the factory original PIN.

 

Thanks @tazandjan, I may end up sending the immobilizer and/or ECU to Gobble or a similar expert to get the PIN if everything else fails (I have no PIN and no red remote). Meanwhile the more I learn about the 360 the more I like it (looks quite simple comparing to over complicated electronics of recent cars), so getting more DIY skills is worthwhile to me.

 

Having three working fobs definitely lowers your blood pressure.

 

Wow you guys went deep... anyone ever found out where the PIN is located in the immo box?

 

Still a mystery to me. I guess for now the only option is to send the parts to someone who has figured it out

 

Image Unavailable, Please Login

Well... This is the 0D60J dump from the immo box. Alfa 156 has similiar, but as far as i know the 360 has 4 digit pin. I know its a longshot but my friend would really like to keep his immo

So the best way would be probably to remove the right ECU, burn a new dump in it and put in the car, see what values get written in the new dump probably? The problem is i dont have a working immo right now.

 

Thanks, yes, Alfa is similar and there is quite a bit of data on the Internet about Alfa PIN decoding. The problem is that the PIN is encoded. So looking for example at Ferrari EEPROM from the right ECU and comparing it to a virginized one, or comparing left to right ECU etc you can see which bytes differ and where the PIN related information is stored. But you still don't know what the PIN is. So you could try to extrapolate from the published Alfa encoding into a possible Ferrari encoding but at that point my brain bent itself into a pretzel and I gave up.

 

Probably the easiest stuff would be reading a virgin immo, putting it in the car, syncing to the ECU with knowing the PIN code and reading again ☺️

dont know how this works with Ferrari having seen SD3 up close i bet Italians didnt even think of this when designing this system being a long time BMW tech the Germans would be hanging from trees by many aspects of the car

but yeah it would make it alot easier knowing the PIN code to this car and reversing the process i guess but since i dont have any info at all its gonna be a hard one since this holds the fob ID-s probably? Does SD3 show the fob statuses and blocked/enabled status? That info is probably not encoded… have to check i guess since i could remove that part of the dump…

 

Ok, so here is actual readout from my virgin ECU section:

03 02 60 02 b2 01 fc ff 31 04 06 0e 07 00 98 fc
00 00 9e 0d 53 0e 00 00 00 00 00 00 00 00 f0 fe
ff ff ff ff ff ff ff ff ff ff ff ff ff ff 09 f2

And here it is after a PIN has been applied:

03 02 6f 02 bd 01 09 00 1d 04 99 0e 07 00 f1 fd
00 00 a0 0d 52 0e 00 00 00 00 00 00 00 00 ef fe
ff ff 35 0a ac 82 fd 6a 7b a2 3a 28 83 ff 28 f8

Can anyone extract the PIN from the above differences?

Unfortunately I don't have this PIN, but let's assume that the PIN would be 1 2 3 4 and so what? How do you correlate a PIN to the difference between those two ECU strings of bytes?

 

Yup, easy to do once you know the trick, but it is basically a trade secret only shared by a few.

 

@modificator can you give me the start-end adress to immo section in ME7.3H4? I will remove the rght ECU from this car and do a full read, then compare the data from the 0D60J in the immo to the section. One section has to be the same i think and that should be the immo pin.

Since immo is only cross checking the PIN to the ECU that should be the PIN. But still there remains a problem of figuring out a "decrypt" for it. For me the problem is i dont have the red fob or the PIN.

I'm also waiting for an ordered used immo box that i will be getting i think next week... I ordered the interface + immo box

 

0x30 to 0x60

And please note there are two non volatile memories in the ECU, a small one (1KB typically called EEPROM) which contains the above immo data and a large one (512KB typically called FLASH) which contains the actual operating program which runs the engine.

If the programmers doing this work were really trying to be secure they would use different encoding in ECU and immo so your method would not work, but my guess is that they made it easy on themselves and some bytes should match.

 

Yeah i doubt it that they used different encoding. Imagine this; this car does not have a key rolling code lol... No transponder. So with the fob, you can take any car lol. A week ago i cloned a Maserati ECU and spared the owner 2k

But im biting my nails with this PIN code since i know they were not able to hide it from the world, just want to know how they did it

Yeah my plan is to read e2p + fls files on the right side and take a look

 

Hey,

Looking at Julie Emulator user manual it says to make the emulator work you should read the ECU and copy the data from 0x52 to 0x57 to Emulator so that is probably the PIN code included which gives the ECU an immo release.

Tommorow i will read the ECU.

 

Address is within the range I've observed so it's a good sign. I looked at Julie long time ago but it's an add-on emulator and not revealing the PIN. But congrats on finding some useful information

It's also something which in my case changes from FF in a virgin to 35 0a ac 82 fd 6a with a PIN which would further confirm we are on the right track.

 

Means that something in there has to be located in the immo box also.

not encrypted in other way i hope

Yeah they dont do sh*t except emulate an immo so the ECU gets sparky

Will see tommorow when i read the ecu a PIN code would help alot with decryption but ok, lets hope for the best

 

This does not look like the area where the PIN is.

 

This is a good one, with PIN inside

 

Image Unavailable, Please Login

Give me a hint? Left is the 0D60J -> right is the right ECU EEPROM (95080)

Am i looking at the right stuff in the EEPROM? If im not mistaken it should be somewhere in the 0x52->0x57 range.

 

The PIN is not present in the ECU EEPROM.

 

In flash? R u sure? Or is the PIN present only in immo which releases the starter line with a single 0/1 in ECU?

 

when you say "ecu eeprom" , are you talking about the ignition ecu?

 

Yes, the Motronic 7.3.

 

AFAIK
The PIN is present only in the alarm ECU.
Then the alarm ECU exchanges some data with the Immo ECU which, in turn, sends some data to the right engine ECU. None of these are PIN related.

Part of the area you have highlighted in the ECU EEPROM are the data which comes from the Immo ECU.

 

Understood. Tought it communicates and does a cross check with ME. So it really does only give a release to ECU which in turn enables the spark/injection.

good 2 know. Thanks Eric.

Well, this makes it even worse for peeling out the PIN code