Chrysler SKIM Reset

Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Chrysler SKIM Reset

Post by Tazzi »

I have been approached a few times about this, asking about resetting SKIM on Chrysler/Jeep (FCA) engine computers.
For those that don't know what that is, SKIM (Sentry Key Immobilizer Module) is the security system of the vehicle. The SKIM is its own module, but the ECM looks for a pass or go message that occurs from the SKIM system, which is why the industry standard seems to be the ECM SKIM reset (Basically ECM security reset).
From what I have read, the J2534 toolbox by drewtech does the older stuff but none of the newer (GPEC3 etc.).

It appears people use the wording SKIM reset or SKIM removal. Personally I would think it's two different things but it appears to be the same. Once the SKIM is reset in the ECU, effectively it has cleared the old security information (Back to new ECU state) so the ECU is ready for new security information. By design of the SKIM system, if the actual SKIM module is disconnected and the ECU is then fitted, this keeps the ECU in a non security state thus allowing the vehicle to start, but if that SKIM module is fitted again, the ECU detects the security and will activate its SKIM security internally.

Now that's been cleared up, there appear to be a couple of methods to achieve this reset:
1) Use factory replacement methods which appears to require a PIN (not well documented).
2) Read security flash (tuning style) and write back in a fresh ecu section (VIN writing required after this).


Here is a copy paste of the actual replacement procedure:
Record the flash part number in the original Powertrain Control Module (PCM).
Have the vehicle Personal Identification Number (PIN) available.
Connect a battery charger to the vehicle.
Connect the diagnostic scan tool.
Position the ignition to the RUN.
Manually enter the Vehicle Identification Number (VIN) in diagnostic scan tool to identify what vehicle you are working on.
When the diagnostic scan tool successfully identifies the vehicle, locate the correct flash and flash the PCM software. Follow the diagnostic scan tool prompts. Position the ignition off for 90 seconds then cycle the ignition as directed.
Perform the “PCM Replaced” routine in “Misc Functions” menu under the Body Control Module (BCM).
Perform the “Proxy Configuration Alignment” located under the Guided Diagnostics menu in the activities section of the left margin. This routine will copy the PROXI into the PCM and write the PCM VIN. Manually enter the VIN into the PCM using the “Check PCM VIN” misc function under PCM.
Select the PCM view and then select the “Misc Functions” menu.
In the PCM “Misc Functions” menu, select and run the “Learn ETC” routine. This routine is necessary to learn the throttle position voltages and the accelerator pedal position. Follow the prompts shown on the diagnostic scan tool.
In the PCM “Misc Functions” menu, perform the “Cruise Control Learn” routine. Follow the prompts shown on the diagnostic scan tool.
Module programming is now complete.

It's interesting it says you require the PIN, but none of the steps actually indicate it. Further readings indicate that it appears to be a "Yes or No" message sent to the ECM to tell it to start along with a VIN. So if the VIN is correct, vehicle should start.

What leads me to believing that is the below statement:
Theory of Operation
The Powertrain Control Module (PCM) stores a copy of the vehicle’s module build configuration in its EEPROM. If the stored information in the PCM does not match the information sent over by the Body Control Module (BCM) of what modules are active on the Controlled Area Network (CAN) Bus, the DTC will set.
Set Conditions:
The vehicle’s topology does not match the original factory programming. This can be from a module being added, subtracted, or replaced without performing a proxi alignment procedure.
This DTC can set if the PCM was replaced and the VIN was not programmed before the proxi alignment procedure was performed.
With all this said, has anyone had experience with using a used GPEC3 ECU (Chrysler 200) and fitting to a vehicle?
Last edited by Tazzi on Tue Nov 07, 2023 4:12 pm, edited 1 time in total.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
The1
Posts: 4694
Joined: Mon Jan 04, 2010 10:23 am

Re: Chrysler SKIM Reset

Post by The1 »

not sure if ktag can read/write ecu or eeprom area. Digitalkaos forums have anything?

Re: Chrysler SKIM Reset

Post by Tazzi »

The1 wrote: not sure if ktag can read/write ecu or eeprom area. Digitalkaos forums have anything?
I have had a good dig around, not a lot of information around. Have spoken to multiple experts that deal with them more regularly but there's not really any tools to do the job, so it's all pretty new!

Started diving into it already and working out the seed/key algorithms for the ECUs which utilize a 4byte seed/key algo. :thumbup:

Re: Chrysler SKIM Reset

Post by The1 »

good work, different kettle of fish i bet.

Re: Chrysler SKIM Reset

Post by Tazzi »

Different kettle of fish, but.. they seem to have their similarities when programming like GM.

I'd be willing to bet the FCA vehicles semi followed GM and Ford's way with programming and handling communication.

For example, writing to DIDs using the same byte as GM, security unlocks are the same too except they have more different levels (i.e. 27 05 for lvl5 unlock).

I have now sorted the 4byte algos for most of Chrysler, next is either scanning a brand new ECM to check all its locations and then compare with a used ECM, along with logging some factory software programming.
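Added example, not from the thread or from any poster's code: assuming the ECU follows the ISO 14229 (UDS) SecurityAccess convention, a `27 05` request like the one mentioned above is a seed request (odd sub-function) and `27 06` would be the matching key submission. The sketch below decodes such single-frame exchanges from a CAN capture and flags repeated failed key attempts; the log format, the CAN IDs 7E0/7E8 and every byte value are constructed for illustration.

```python
# Added example: flag UDS SecurityAccess (0x27) activity in a constructed CAN capture.
from collections import Counter

NRC = {0x33: "securityAccessDenied", 0x35: "invalidKey",
       0x36: "exceededNumberOfAttempts", 0x37: "requiredTimeDelayNotExpired"}

SAMPLE_LOG = """\
0.100 7E0 02 27 05 00 00 00 00 00
0.112 7E8 06 67 05 11 22 33 44 00
0.130 7E0 06 27 06 AA BB CC DD 00
0.141 7E8 03 7F 27 35 00 00 00 00
0.200 7E0 02 27 05 00 00 00 00 00
0.212 7E8 06 67 05 55 66 77 88 00
0.230 7E0 06 27 06 01 02 03 04 00
0.241 7E8 03 7F 27 35 00 00 00 00
0.300 7E0 02 27 05 00 00 00 00 00
0.311 7E8 03 7F 27 36 00 00 00 00
"""

def decode(line):
    """Return (timestamp, can_id, event, detail) for a SecurityAccess frame, else None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ts, can_id, data = parts[0], parts[1], bytes(int(b, 16) for b in parts[2:])
    if data[0] >> 4 != 0:                      # only ISO-TP single frames are handled
        return None
    payload = data[1:1 + (data[0] & 0x0F)]
    if len(payload) >= 2 and payload[0] in (0x27, 0x67):
        sub = payload[1] & 0x7F                # drop the suppress-positive-response bit
        kind = "seed" if sub % 2 else "key"    # odd = requestSeed, even = sendKey
        side = "request" if payload[0] == 0x27 else "response"
        return float(ts), can_id, f"{kind}_{side}", sub
    if len(payload) >= 3 and payload[0] == 0x7F and payload[1] == 0x27:
        return float(ts), can_id, "negative", NRC.get(payload[2], hex(payload[2]))
    return None

def summarize(log, max_bad_keys=2):
    """Count SecurityAccess events; alert on repeated key failures or a lockout."""
    events = [e for e in map(decode, log.splitlines()) if e]
    counts = Counter(detail if kind == "negative" else kind for _, _, kind, detail in events)
    alerts = []
    if counts["invalidKey"] >= max_bad_keys:
        alerts.append("repeated invalidKey responses")
    if counts["exceededNumberOfAttempts"]:
        alerts.append("ECU attempt counter tripped")
    return counts, alerts

print(summarize(SAMPLE_LOG))
```
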

Re: Chrysler SKIM Reset

Post by Tazzi »

The fun continues :lol:
Appears we have SCI, PCI, canbus 11bit and even canbus 29bit to cover the Chrysler ECUs. SCI and PCI are (kinda) new to me but I have worked with integrating with them on a low level logic previously. I will have to narrow down which ECMs are specifically 11bit and 29bit, I believe it's the difference between GPEC2A and GPEC2, but this is still pretty unclear due to the intentional lack of information on the web.

There is next to no new Chrysler ECUs around that I can find. I believe I have found only one and it's about 4 times the normal cost of new :roll:
Investigating further into working out if SKIM is active or not, it appears it can be 'requested' to check. This would lead me to believe it is a DID style request being made and just verifying if it is a specific value or not, likely going to FF or 00 will be the inactive state.

Next is SRI, this is the odometer reading in the ECU which must match the instrument cluster otherwise odometer stops moving. This appears to also be a DID style request to modify and must match the instrument cluster for a successful change of an engine computer.

I also believe these ECUs have internal bootloaders for read/writing, it seems that many after the 2013 period are 'locked' which prevents sending a custom tune to the ECU. I am still unsure what it is meant by locked, since these obviously support updates from the dealership, but could be like GM where it is potentially encrypted or has a signature sent with it which is probably the most likely. The solution to this is to have the ECU 'unlocked', which is either a modification to the original ECU's bootloader or replacing with an older ECU's bootloader which is unprotected (unclear which method is commonly used here). This is all speculation here but as always, it's not spoken about anywhere online that I can find.

There has been mention that some unlocking services offered online result in being unable to tune with commercial software such as hptuners or others. This would make me believe that the bootloader code is being custom edited, and likely custom to each commercial solution online.

Re: Chrysler SKIM Reset

Post by The1 »

Are there any AliExpress factory scantool clones? Quick Google looks like witech and micropod ii.

Re: Chrysler SKIM Reset

Post by Tazzi »

The1 wrote: Are there any AliExpress factory scantool clones? Quick Google looks like witech and micropod ii.
Yeah, thinking I’ll pick one up for testing with. Apparently Chrysler swings the ban hammer quickly on the clones if they have a serial that’s not in their system.

Could probably just JTAG the tool to change the serial though. Everything I’m tinkering with is all offline currently though.

Re: Chrysler SKIM Reset

Post by The1 »

hopefully the software has an offline component for most of it.

I've been using KIA stuff and it's ancient, none of it's online, it still has to have Windows XP :lol:

Re: Chrysler SKIM Reset

Post by Tazzi »

The1 wrote: hopefully the software has an offline component for most of it.

I've been using KIA stuff and it's ancient, none of it's online, it still has to have Windows XP :lol:
Have a couple guys with yearly licenses to the official online update and programming systems for Chrysler, so those will be handy to check what they can do, plus they have official tools so I should be able to get away with not needing to constantly battle a clone tool. I like supporting manufacturers, but they completely neglect usage of other J tools.

It is slowly but surely making more sense though. After lots of long talks with multiple people (Thank you everyone that has been extremely patient with my basic questions!), it's finally making a hell of a lot more sense how these systems work. 95% of the ECUs are all CAN based which is fantastic to hear, the other 5% are on older protocols thus only specific tool manufacturers will support these such as drewtech, but they at least follow the same kind of work flow which has made development far easier to follow.

Hopefully by the end of this week, I will have a demo app connecting and reading some basic data from some ECUs :D