unlocked E41( and t87a) swapping to another vehicle

[ironduke Profile]

I was able to unlock it with minimal delay between attempts.

Im pretty sure I still had a 10 second delay when attempting that, You can tell by the error responses code returned (I cant recall exactly off top of my head). First thing I tried was spamming at 1 second intervals but it would only actually register the 10th second item as that was within the wait limit. Although this could be an ECU specific kinda thing... even though its suppose to be standardized.

I knew there was a time limit since testing on an ECU with a known code resulted in it skipping over it it time limit was not satisfied.

Sorry, I thought I was messing with the immo, now I'm not sure what I was messing with.. lol.. I remember the vin was locked and I couldn't write it even with an OS write.. Afterwards I could write the vin.. Though it was immo code but memory is not so good and I could not find my notes..

Anyways, back on topic.. Could he put the old vin back in the ecu and perform an immo learn(ecm learn) and log the command/responses? This would give him the immo code since it's supposed to be tied to the vin? I assume GM has a database of vins and immo codes? Is this the same database that a gm dealer would access for key codes?? I used to have access but they tightened up exactly who has all the keys to the kingdom, lol..

[gmtech825 Profile]

I'm kind of standing here watching this topic out of interest, all I can do is offer suggestions and they may be out there as it is, lol.. For the immo on the E92 there doesn't seem to be a timeout of 10 seconds like the seed and key from my experimenting a while ago. For the E55 project that mattyjf01 has posted up here he originally had code to go thru all the immo keys until it reported unlocked and that gave me an idea awhile ago on an E92 I had on t he bench. I went looking earlier today for my own code when I experimented with an E92 but basically I had logged a failed E92 write that failed at the end and copied the code that pushed the immo and wrote some code that cycled thru all the keys 0-10,000 and spit out the response.. I was able to unlock it with minimal delay between attempts.. If I find the code I'll post it up, I remember it differing from the E55 code but not by a lot..
This might be a possibility for the E41 and T87a?

this is interesting definately, but I'm pretty sure the immo value I'm sending is correct. I also don't think the 87A needs the immo reset and it takes a VIN willingly.

[Tazzi]

this is interesting definately, but I'm pretty sure the immo value I'm sending is correct. I also don't think the 87A needs the immo reset and it takes a VIN willingly.

Tried doing an immo relearn procedure to see what it tries and send with the original ECU? This may require multiple other modules on the bench.

[ironduke Profile]

this is interesting definately, but I'm pretty sure the immo value I'm sending is correct. I also don't think the 87A needs the immo reset and it takes a VIN willingly.

Tried doing an immo relearn procedure to see what it tries and send with the original ECU? This may require multiple other modules on the bench.

Yeah, I tried an immo learn on the bench with an E92 and I needed to have a BCM hooked up as well as the ecm.. They're both locked and I've screwed around with the vins so it ended up failing

[gmtech825 Profile]

I have been trying to figure out what the immo value looks like on the Can bus by logging low and high speed and searching for the known value, but no luck. I was hoping to see if I can simulate the message the ecm wants to see from the bcm...it may be much more complicated than that though.

[Gampy]

Did you encode the known value into a hex string and look for the hex string.
It may not be contiguous either ...

[Tazzi]

Im pretty certain they don't make it obvious. When I played around with it a couple years back, I start recording from pull bench power off to ON. My custom hardware sat in between a BCM and ECU so it could identify what the ECM and BCM were sending individually. From there I could replay the same data to/from each module.

I never narrowed it down, but it did at least fool the ECM to think security was passed.

[gmtech825 Profile]

Did you encode the known value into a hex string and look for the hex string.
It may not be contiguous either ...

I have, I've searched for the actual decimal value, the hex value and hex encoded ascii(I'm not sure that's the correct phrasing but for example 1234 would be 0x31323334). Like Tazzy said I think that it is intentionally hard to figure out. I did find this on open DBC:

BO_ 2150367232 Immobilizer_Identifier_LS: 5 XXX
SG_ ImoId : 7|16@0+ (1,0) [0|65535] "" XXX
SG_ LrnEnvId : 23|16@0+ (1,0) [0|65535] "" XXX
SG_ LrnEnvIdSt : 32|1@0+ (1,0) [0|1] "" XXX
SG_ ImoIdSt : 33|1@0+ (1,0) [0|1] "" XXX

I found frames logging pin 1 that match that header for a couple of vehicles I know the code for.
the vehicle with Immo code 0400 had data 0x96114c8403 from the BCM
the vehicle with Immo code 1464 the data was 0x64b9767003 from the BCM

maybe someone smarter than me can make sense of that, or maybe that's not even the correct frame.

[Gampy]

I don't know the proper phrasing either ...

0x31323334

However, the addition of 0x is invalid, it is not a hex value in total, it is an ASCII hex encoded string ...

And after Tazzi's response, my response seems pretty numb ... They are likely obfuscating it somehow, they're not going to make it easy, them days are gone!

maybe someone smarter than me can make sense of that

I can assure you that will not be me, it seems I missed that line when they were passing out brains, I'm a Numbers Dummy!

[ironduke Profile]

My thoughts were to copy the immo reset procedure that happens using sps.. I've got a failed log for an E92 here somewhere I'll post it up..

off of memory, it looks like it asks the bcm something..
Then it looks like it tries to unlock the ecm.. Mine fails since it doesn't have the original vin?? Looking to find the original vin and then I'll try again..
Assuming if it unlocks then you have to wait 10 minutes, then either write a new immo key or cycle the key and it should learn the immo from the bcm?? Not sure since I haven't had it work yet on the bench and haven't thought to log a good one.. I did see somewhere that it does not need a tester present command during the 10 minute wait..

E92.bench.immo.learn4.log.txt

(2.81 KiB) Downloaded 97 times