Immobilizer Removal

From The 07K Wiki

Revision as of 16:26, 31 October 2022 by Arte (talk | contribs) (→‎ME17.5)

ME7.1.1

Generic cable (they are fairly cheap)

To remove the immobilizer, we will need to read the EEPROM.

Reading the EEPROM

You will need the following:

  • A 1K or 2K ohm resistor
  • A VAG KKL cable or any cable with an FTDI (FT232) chip
  • A power supply to power the ECU on the bench
  • ME7EEPROM_st10.exe
  • A hex editor (you can use the one from TunerPro)

Open the ECU; for instructions, refer here: Opening the ecu

To supply power to the ECU off the car, you can make your own harness or use one of these (81 pin ME7 OBD2 Adapter):

You can use a variable power supply like these:

ME7.1.1 ADAPTER.jpg

If you wish to make your own harness, you can find the pinouts here: ME7.1.1 Pinout, OBD2 Pinout

Bench setup example

Bench setup example.jpg

Powering up the ECU in boot mode

It can take several attempts before the ECU enters boot mode.

Boot mode with resistor.png

  1. Before powering up the ECU, ground the boot pin and connect the resistor as shown above
  2. Now power up the ECU, wait about 2 seconds and remove the resistor
  3. The ECU should now be in boot mode (I noticed that the ECU generally runs at under 300 mA when in boot mode; if you see higher amperage, it's probably not in boot mode)

Using ME7EEPROM to read / write

Port settings

COM port settings

  1. On Windows, open the Device Manager
  2. Go into Communications ports and find the device that corresponds to your cable
  3. Double-click on it; a properties window should open
  4. In Port settings, change Bits per second to 9600
  5. Take note of the COM port number (COM1 would be 1)


Open a terminal (in the search bar, type cmd) and go to the directory where ME7EEPROM_st10.exe is located.

Cmd.png

At this point the ECU should be in boot mode.

To read the EEPROM, type in the following command (adapt the parameters to your setup):

ME7EEPROM_st10.exe -p 1 -b 9600 --bootmode 95160 -r immo_on.bin --CSpin P6.3

  • -p : your COM port
  • -b : baud rate, which we set previously to 9600 (some ECU revisions need a higher baud rate such as 57600)
  • --bootmode : required for the ME7.1.1 ECU, which is equipped with a 95160 EEPROM chip
  • -r : read the EEPROM and save it to the file immo_on.bin
  • --CSpin : keep it at P6.3. Most ME7 ECUs use P4.7, but this specific ME7 with an ST10F microcontroller uses P6.3

Disabling the immobilizer in the EEPROM file

In your hex editor, open the file immo_on.bin and change the following values (if the hex addresses are confusing, refer to the images):

  • At 0012 and 0022, change 01 to 02 (this is the immobilizer status; 2 = not active)
  • At 001E and 002E, subtract 1 from the current value (these are the checksums)

Immo on.png

Immo off.png

Save the modified file under the name immo_off.bin, keeping the original immo_on.bin as a backup. Turn off the ECU, then power it back on in boot mode.

Using ME7EEPROM_st10.exe, type in the following command to write the file back to the ECU (adapt the parameters to your setup):

ME7EEPROM_st10.exe -p 1 -b 9600 --bootmode 95160 -w immo_off.bin --CSpin P6.3

  • -w : write the file immo_off.bin into the EEPROM

The writing process takes some time and will report "error" at the end. This is normal; read the EEPROM back to confirm the modifications have been applied.

ME17.5

The method is the same for both ME17.5 and ME17.5.6; only the hex strings differ.

Read the flash memory from the ECU using the method of your choice (refer to Reading and writing ECU).

Using a hex editor (TunerPro provides one), find the following sequence:

ME17.5

BF E2 F6 FF 0C EE

ME17.5.6

BF E0 F7 FF 0C DE

and replace it with this one:

ME17.5

BF E2 F6 FF 82 2F

ME17.5.6

BF E0 F7 FF 82 2F

Before flashing the file back into the ECU, fix the checksums. Many flashing tools do this for you, but you should fix them yourself as a precaution.
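As an added example (not part of the wiki, and not a feature of ME7EEPROM or any flashing tool), the script below inspects a dump for the state the ME7.1.1 and ME17.5 sections above describe. For an ME7.1.1 95160 EEPROM it reads the status bytes at 0012/0022 and the checksum bytes at 001E/002E and reports whether the immobilizer is active, off, or in an inconsistent state; the assumption that the two blocks are redundant copies that must agree with each other is ours, not the page's. For an ME17.5 / ME17.5.6 flash image it reports the offsets at which the stock or the patched sequence occurs. This is useful for confirming a read-back after writing, and for spotting a dump that has already been modified. The sample dumps at the bottom are constructed, not real ECU data.

```python
"""Inspect ME7.1.1 EEPROM and ME17.5 flash dumps for the documented immobilizer state.

Constructed example for this wiki page. Offsets and byte sequences are the ones
the page gives; treating the two ME7 blocks as redundant copies is our assumption.
"""
from dataclasses import dataclass

# ME7.1.1 95160 EEPROM layout (from the page): two copies of the immobilizer block.
ME7_STATUS_OFFSETS = (0x12, 0x22)    # 01 = immobilizer active, 02 = not active
ME7_CHECKSUM_OFFSETS = (0x1E, 0x2E)  # one checksum byte per copy
ME7_IMMO_ACTIVE, ME7_IMMO_OFF = 0x01, 0x02

# ME17.5 / ME17.5.6 flash: stock sequence (ld.bu) and patched sequence (mov d15, 2).
ME17_SIGNATURES = {
    "ME17.5":   (bytes.fromhex("BFE2F6FF0CEE"), bytes.fromhex("BFE2F6FF822F")),
    "ME17.5.6": (bytes.fromhex("BFE0F7FF0CDE"), bytes.fromhex("BFE0F7FF822F")),
}


@dataclass
class Me7Report:
    status: tuple        # status byte of copy 1 and copy 2
    checksum: tuple      # checksum byte of copy 1 and copy 2
    copies_agree: bool   # both copies carry identical status and checksum
    immo_state: str      # "active", "off" or "unknown"


def inspect_me7_eeprom(dump: bytes) -> Me7Report:
    """Read the immobilizer fields of a 95160 dump and classify its state."""
    if len(dump) < 0x30:
        raise ValueError("dump too short to contain both immobilizer blocks")
    status = tuple(dump[o] for o in ME7_STATUS_OFFSETS)
    checksum = tuple(dump[o] for o in ME7_CHECKSUM_OFFSETS)
    copies_agree = status[0] == status[1] and checksum[0] == checksum[1]
    if copies_agree and status[0] == ME7_IMMO_ACTIVE:
        state = "active"
    elif copies_agree and status[0] == ME7_IMMO_OFF:
        state = "off"
    else:
        state = "unknown"  # copies disagree, or an undocumented status value
    return Me7Report(status, checksum, copies_agree, state)


def find_all(haystack: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in haystack."""
    hits, i = [], haystack.find(needle)
    while i != -1:
        hits.append(i)
        i = haystack.find(needle, i + 1)
    return hits


def scan_me17_flash(image: bytes) -> dict:
    """Per variant, list the offsets of the stock and of the patched sequence."""
    report = {}
    for variant, (stock, patched) in ME17_SIGNATURES.items():
        found = {"stock": find_all(image, stock), "patched": find_all(image, patched)}
        if found["stock"] or found["patched"]:
            report[variant] = found
    return report


# --- constructed sample data (not real dumps) ---
def _sample_me7(status: int, checksum: int) -> bytes:
    buf = bytearray(0x800)  # a 95160 is 16 Kbit = 2048 bytes
    for o in ME7_STATUS_OFFSETS:
        buf[o] = status
    for o in ME7_CHECKSUM_OFFSETS:
        buf[o] = checksum
    return bytes(buf)


SAMPLE_ME7_STOCK = _sample_me7(0x01, 0x5A)
SAMPLE_ME7_OFF = _sample_me7(0x02, 0x59)  # status +1, checksum -1, as the page describes
SAMPLE_ME17_STOCK = b"\x00" * 64 + bytes.fromhex("BFE2F6FF0CEE") + b"\xff" * 64
SAMPLE_ME17_OFF = b"\x00" * 64 + bytes.fromhex("BFE2F6FF822F") + b"\xff" * 64

if __name__ == "__main__":
    print("ME7 stock   :", inspect_me7_eeprom(SAMPLE_ME7_STOCK))
    print("ME7 immo off:", inspect_me7_eeprom(SAMPLE_ME7_OFF))
    print("ME17 stock  :", scan_me17_flash(SAMPLE_ME17_STOCK))
    print("ME17 patched:", scan_me17_flash(SAMPLE_ME17_OFF))
```

Run it against a real immo_on.bin or immo_off.bin by reading the file into bytes and passing it to inspect_me7_eeprom; a report of "unknown" means the two copies do not match, which is exactly the case where writing the file back would be a mistake.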

In-depth explanation

This part requires disassembly; refer to the disassembly guide.

Using a2lextract, open the .ecu file that corresponds to the definition file (.a2l) matching your ECU.

Locate the variable u_immo

U immo.png

Add 4 to the address: D0000130 would become D0000134 in this case.

In your disassembly tool, look for the following label: word_[your address] (in IDA, you can press G to go to a label).

Address.png

Now find the reference to this label (in IDA, you can press X)

Xrefs.png

Look for an st.h instruction that uses d15 and accesses it.

Ld16.png

Above your st.h instruction there is a ld.bu instruction that loads d15 from [a13]0xE.

(If you don't find those instructions, search for occurrences of either [a13]0xE or [a14]0xE.)

To disable the immobilizer, we change the ld16.bu into a mov16 instruction so that d15 is set to 2:

  • Select the ld16.bu instruction and go to the Hex View

0c.png

  • Press F2 to edit the hex, replace the selected instruction with 82 2F, then press F2 again

82.png

Now d15 is set to 2:

Mov16.png

Save your file and you're done.
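To see why 82 2F sets d15 to 2, and why the stock bytes are a ld.bu from [a13]0xE or [a14]0xE, here is an added decoder (not from this page, IDA, or any wiki tool) for just the two 16-bit TriCore forms involved: LD.BU D[15], [A[b]]off4 (SRO format, op1 0x0C) and MOV D[a], const4 (SRC format, op1 0x82). The field layout it assumes is the TriCore architecture manual's: in SRO the base register sits in bits 15:12 and off4 in bits 11:8, in SRC const4 sits in bits 15:12 and the destination register in bits 11:8, and instruction halfwords are little-endian. Decoding the page's own sequences gives [a14]0xE for ME17.5 and [a13]0xE for ME17.5.6, which is why the page says to search for either. It also checks that the swap preserves byte length, which is the reason a 16-bit mov has to replace a 16-bit ld.bu rather than any longer encoding.

```python
"""Decode the 16-bit TriCore instructions swapped by the patch described above.

Constructed example for this wiki page. Assumed field layout (TriCore manual,
little-endian halfwords):
  SRO : s2 [15:12]  off4 [11:8]  op1 [7:0]   -> LD.BU D[15], [A[s2]]off4  is op1 0x0C
  SRC : const4 [15:12]  d [11:8]  op1 [7:0]  -> MOV D[d], const4          is op1 0x82
"""

OP_LD_BU_SRO = 0x0C
OP_MOV_SRC = 0x82


def decode16(word: bytes) -> str:
    """Disassemble one 16-bit instruction; only the two forms used above are handled."""
    if len(word) != 2:
        raise ValueError("a 16-bit TriCore instruction is exactly two bytes")
    op1, hi = word[0], word[1]
    top, low = hi >> 4, hi & 0xF  # bits 15:12 and bits 11:8 of the halfword
    if op1 == OP_LD_BU_SRO:
        # zero-extended byte load into d15 from A[top] + off4 (unscaled for bytes)
        return f"ld.bu d15, [a{top}]0x{low:X}"
    if op1 == OP_MOV_SRC:
        const4 = top - 16 if top & 0x8 else top  # const4 is sign-extended
        return f"mov d{low}, #{const4}"
    raise NotImplementedError(f"op1 0x{op1:02X} is outside this example")


def decode_site(seq: bytes) -> str:
    """Decode the final 16-bit word of one of the page's 6-byte sequences.

    The leading four bytes belong to a preceding 32-bit instruction that the patch
    leaves untouched; they are used only as an anchor and are not decoded here.
    """
    return decode16(seq[-2:])


def swap_is_length_preserving(stock: bytes, patched: bytes) -> bool:
    """An in-place swap must keep the byte length and only touch the last halfword;
    otherwise every instruction after the patch site shifts and the stream is corrupt."""
    return len(stock) == len(patched) and stock[:-2] == patched[:-2]


# The sequences quoted in the page (ME17.5 and ME17.5.6, stock -> immobilizer off).
SITES = {
    "ME17.5":   (bytes.fromhex("BFE2F6FF0CEE"), bytes.fromhex("BFE2F6FF822F")),
    "ME17.5.6": (bytes.fromhex("BFE0F7FF0CDE"), bytes.fromhex("BFE0F7FF822F")),
}

if __name__ == "__main__":
    for variant, (stock, patched) in SITES.items():
        print(f"{variant}: {decode_site(stock)}  ->  {decode_site(patched)}  "
              f"(length preserved: {swap_is_length_preserving(stock, patched)})")
```

The st.h that follows the load is the store into word_[your address] (u_immo + 4); this decoder does not cover it, so if you want to check that instruction as well, read its encoding off the disassembler rather than extending the opcode table by guesswork.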