unlocked E41( and t87a) swapping to another vehicle


Re: unlocked E41( and t87a) swapping to another vehicle

Post by ironduke »

Tazzi wrote:
ironduke wrote:I was able to unlock it with minimal delay between attempts.
I'm pretty sure I still had a 10 second delay when attempting that. You can tell by the error response code returned (I can't recall exactly off the top of my head). First thing I tried was spamming at 1 second intervals but it would only actually register the 10th second item as that was within the wait limit. Although this could be an ECU specific kinda thing... even though it's supposed to be standardized.

I knew there was a time limit since testing on an ECU with a known code resulted in it skipping over it if the time limit was not satisfied.
Sorry, I thought I was messing with the immo, now I'm not sure what I was messing with.. lol.. I remember the vin was locked and I couldn't write it even with an OS write.. Afterwards I could write the vin.. Thought it was immo code but memory is not so good and I could not find my notes..

Anyways, back on topic.. Could he put the old vin back in the ecu and perform an immo learn(ecm learn) and log the command/responses? This would give him the immo code since it's supposed to be tied to the vin? I assume GM has a database of vins and immo codes? Is this the same database that a gm dealer would access for key codes?? I used to have access but they tightened up exactly who has all the keys to the kingdom, lol..

Post by gmtech825 »

ironduke wrote: I'm kind of standing here watching this topic out of interest, all I can do is offer suggestions and they may be out there as it is, lol.. For the immo on the E92 there doesn't seem to be a timeout of 10 seconds like the seed and key from my experimenting a while ago. For the E55 project that mattyjf01 has posted up here he originally had code to go thru all the immo keys until it reported unlocked and that gave me an idea awhile ago on an E92 I had on the bench. I went looking earlier today for my own code when I experimented with an E92 but basically I had logged a failed E92 write that failed at the end and copied the code that pushed the immo and wrote some code that cycled thru all the keys 0-10,000 and spit out the response.. I was able to unlock it with minimal delay between attempts.. If I find the code I'll post it up, I remember it differing from the E55 code but not by a lot..
This might be a possibility for the E41 and T87a?

This is interesting definitely, but I'm pretty sure the immo value I'm sending is correct. I also don't think the 87A needs the immo reset and it takes a VIN willingly.

Post by Tazzi »

gmtech825 wrote: this is interesting definitely, but I'm pretty sure the immo value I'm sending is correct. I also don't think the 87A needs the immo reset and it takes a VIN willingly.
Tried doing an immo relearn procedure to see what it tries and send with the original ECU? This may require multiple other modules on the bench.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

Post by ironduke »

Tazzi wrote:
gmtech825 wrote: this is interesting definitely, but I'm pretty sure the immo value I'm sending is correct. I also don't think the 87A needs the immo reset and it takes a VIN willingly.
Tried doing an immo relearn procedure to see what it tries and send with the original ECU? This may require multiple other modules on the bench.
Yeah, I tried an immo learn on the bench with an E92 and I needed to have a BCM hooked up as well as the ecm.. They're both locked and I've screwed around with the vins so it ended up failing

Post by gmtech825 »

I have been trying to figure out what the immo value looks like on the CAN bus by logging low and high speed and searching for the known value, but no luck. I was hoping to see if I can simulate the message the ecm wants to see from the bcm... it may be much more complicated than that though.

Post by Gampy »

Did you encode the known value into a hex string and look for the hex string?
It may not be contiguous either ...
Intelligence is in the details!

It is easier not to learn bad habits, than it is to break them!

If I was here to win a popularity contest, there would be no point, so I wouldn't be here!

Post by Tazzi »

I'm pretty certain they don't make it obvious. When I played around with it a couple years back, I start recording from pull bench power off to ON. My custom hardware sat in between a BCM and ECU so it could identify what the ECM and BCM were sending individually. From there I could replay the same data to/from each module.

I never narrowed it down, but it did at least fool the ECM to think security was passed.

Post by gmtech825 »

Gampy wrote: Did you encode the known value into a hex string and look for the hex string?
It may not be contiguous either ...
I have, I've searched for the actual decimal value, the hex value and hex encoded ascii (I'm not sure that's the correct phrasing but for example 1234 would be 0x31323334). Like Tazzi said I think that it is intentionally hard to figure out. I did find this on open DBC:

BO_ 2150367232 Immobilizer_Identifier_LS: 5 XXX
SG_ ImoId : 7|16@0+ (1,0) [0|65535] "" XXX
SG_ LrnEnvId : 23|16@0+ (1,0) [0|65535] "" XXX
SG_ LrnEnvIdSt : 32|1@0+ (1,0) [0|1] "" XXX
SG_ ImoIdSt : 33|1@0+ (1,0) [0|1] "" XXX

I found frames logging pin 1 that match that header for a couple of vehicles I know the code for.
the vehicle with Immo code 0400 had data 0x96114c8403 from the BCM
the vehicle with Immo code 1464 the data was 0x64b9767003 from the BCM

maybe someone smarter than me can make sense of that, or maybe that's not even the correct frame.
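
Added example, not from any poster in this thread: a small Python decoder that applies the DBC definition quoted in the post above to the two payloads it lists, showing how the five bytes split into the four signals. It assumes the quoted definition really describes these frames, which the post itself leaves open; the function names are made up for this example.

```python
import re

# DBC text as quoted in the post above.
DBC = '''BO_ 2150367232 Immobilizer_Identifier_LS: 5 XXX
 SG_ ImoId : 7|16@0+ (1,0) [0|65535] "" XXX
 SG_ LrnEnvId : 23|16@0+ (1,0) [0|65535] "" XXX
 SG_ LrnEnvIdSt : 32|1@0+ (1,0) [0|1] "" XXX
 SG_ ImoIdSt : 33|1@0+ (1,0) [0|1] "" XXX
'''

BO_RE = re.compile(r"BO_ (\d+) (\w+): (\d+)")
SG_RE = re.compile(r"SG_ (\w+) : (\d+)\|(\d+)@([01])([+-])")

def parse_dbc(text):
    """Return (can_id, is_extended, dlc, {signal: (start_bit, length)})."""
    raw_id, _name, dlc = BO_RE.search(text).groups()
    raw_id = int(raw_id)
    signals = {}
    for name, start, length, order, sign in SG_RE.findall(text):
        if (order, sign) != ("0", "+"):
            raise ValueError(f"{name}: only big-endian unsigned handled here")
        signals[name] = (int(start), int(length))
    # DBC sets bit 31 of the message ID to mark a 29-bit (extended) identifier.
    return raw_id & 0x1FFFFFFF, bool(raw_id & 0x80000000), int(dlc), signals

def extract_motorola(data, start_bit, length):
    """Read a big-endian (@0) signal; start_bit is the signal's MSB."""
    value, bit = 0, start_bit
    for _ in range(length):
        byte_idx, bit_idx = divmod(bit, 8)
        value = (value << 1) | ((data[byte_idx] >> bit_idx) & 1)
        # Walk down within the byte, then continue at bit 7 of the next byte.
        bit = bit - 1 if bit_idx else bit + 15
    return value

def decode_frame(hex_payload, text=DBC):
    """Decode one payload (hex string, optional 0x prefix) into signal values."""
    _can_id, _extended, dlc, signals = parse_dbc(text)
    data = bytes.fromhex(hex_payload.removeprefix("0x"))
    if len(data) != dlc:
        raise ValueError(f"expected {dlc} bytes, got {len(data)}")
    return {n: extract_motorola(data, s, l) for n, (s, l) in signals.items()}

if __name__ == "__main__":
    for payload in ("0x96114c8403", "0x64b9767003"):  # payloads from the post
        print(payload, decode_frame(payload))
```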

Post by Gampy »

I don't know the proper phrasing either ...
gmtech825 wrote:0x31323334
However, the addition of 0x is invalid, it is not a hex value in total, it is an ASCII hex encoded string ... :)

And after Tazzi's response, my response seems pretty numb ... They are likely obfuscating it somehow, they're not going to make it easy, them days are gone!
gmtech825 wrote:maybe someone smarter than me can make sense of that
I can assure you that will not be me, it seems I missed that line when they were passing out brains, I'm a Numbers Dummy!

Post by ironduke »

My thoughts were to copy the immo reset procedure that happens using sps.. I've got a failed log for an E92 here somewhere I'll post it up..

off of memory, it looks like it asks the bcm something..
Then it looks like it tries to unlock the ecm.. Mine fails since it doesn't have the original vin?? Looking to find the original vin and then I'll try again..
Assuming if it unlocks then you have to wait 10 minutes, then either write a new immo key or cycle the key and it should learn the immo from the bcm?? Not sure since I haven't had it work yet on the bench and haven't thought to log a good one.. I did see somewhere that it does not need a tester present command during the 10 minute wait..
E92.bench.immo.learn4.log.txt