Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

16

Omega Electrical and Audio Help / Re: Remote key coding

« on: 14 May 2012, 16:27:57 »

So I connected the diagnostics again.
Basically the first row of characters in the dump is exactly what is shown in the diagnostics as ECU ID, except it's read 2 bytes at a time, and the high and low byte are swapped.

So we can pretty much rule out any of that being the code, it goes like ES,2442,6916,1200,4700.
Also, it can not address individual bytes, rather it has to always read two bytes at a time, as it is a 16 bit memory.

So if we assume it is an integer and the integer is between 1000 and 9999, and it is stored exactly the same as the string data (the high byte and low byte are swapped), then looking through the dump, we get the following possible numbers:
3855, 2560, 5140, 2590, 1124, 1310, 2077, 4313, 7423, 4096, 4401

I wish I had an emulator for that 93LC chip. I could just see where it stores it's countdown timer and bruteforce it.
Ah well.

17

Omega Electrical and Audio Help / Re: Remote key coding

« on: 14 May 2012, 11:43:06 »

Very good, one step closer to solving this.
I'll read the EEPROM off of the unit you send me, and compare as well.

Whether I find where the code is or not, I will still be able to fit the unit you send me to the car and get everything to work

18

Omega Electrical and Audio Help / Re: Remote key coding

« on: 13 May 2012, 21:23:46 »

I found the code

Where does the ECU need to go prj?  If you don't need any more, no problem, there is another member about 50 miles away that could do with one for testing a problem he has...

I'll take it!
I messaged you with my details.

Thank you!

19

Omega Electrical and Audio Help / Re: Remote key coding

« on: 11 May 2012, 11:28:16 »

Ok, cool.
Thanks for helping out guys

20

Omega Electrical and Audio Help / Re: Remote key coding

« on: 08 May 2012, 13:29:05 »

So, this started to become hopeful, with Vega offering to take a look and TheBoy finding a second unit...
And now silence, so back to square 1?

I guess I'll have to start going through breakers.

21

Omega Electrical and Audio Help / Re: Remote key coding

« on: 07 May 2012, 11:10:10 »

Can you tell me where the eeprom is located, photo?
I can take look over here.

I don't have a photo, because I already refitted everything to the car.
It's not hard, there is only one chip that is 93C46.

1. Remove the unit from the car (front right side, behind plastic, there are two size 10 nuts holding it on, and two connectors).
2. Open the unit by carefully bending the tabs on each side to allow the plastic casings to separate
3. Pull the board out from the top plastic.
4. Look at the board so that the connector is facing UP, then the EEPROM will be in the LOWER RIGHT corner, next to the only MCU on the board. There will be also a big round metal component on a 90 degree board near/on the top of it. It is SOIC-8, 93LC46B, this is also written on the chip if you look against the light.

Desoldering it will be hard, the problem is there is a metal component in the way, and a small resistor next to it. Also the entire board is dipped in lacquer.
I used the soldering iron to melt the lacquer, and then used paste flux and chipquik to precisely remove the chip... Once you have heated all the 8 pins, it will come away without any force at all with your tweezers.

Before soldering it back, lightly scrub every pad with a needle, because the lacquer will get in there, and then you will have bad contact between the pad and the chip, so the solder can't flow in between.

Hope that helps... and I'll be really grateful if you could provide me with a dump

22

Omega Electrical and Audio Help / Re: Remote key coding

« on: 06 May 2012, 11:06:57 »

Wonder if the code is on the controller's ROM, as a 1 hit only program?  If its in that flash dump, I guess its well encrypted

I found the ATWS unit, just need to dig out code, so that may be a way out for you if postage isn't that expensive?

It's not in the ROM. The unit comes from factory, then it can be adapted once, when it is first fitted to the car.
The ROM is just that. Read only memory. The ROM is programmed in those processors once, and that's it. The data sheet does not mention any flash memory, so I am guessing those things can't even be programmed in-circuit, and even if they were, it would need to be done in download mode...
My point is, that the ONLY memory which can be possibly altered by the Tech 2 is that 16 bit serial EEPROM. So that means the code is in there.

As for being encrypted - just look at the immo dump. Does that look encrypted to you?
I am 100% sure it is just a two-byte value, little-endian or big-endian, if not plaintext like in the immo ECU.
It's possible to rig up some stuff and brute force the code, but it's way too much work.
The reason they put those codes in plaintext, is because ascii characters are transmitted over the serial connection. So if they wanted to store it in some weird format, they'd have to do some translation in the MCU. They mostly don't do that

As for the anti-theft unit you found - If you want to send it over (postage won't be too bad) and you don't want to charge me a lot for it, I'll gladly have it.
More than that, I'll actually open up that unit and read the chip off it, so we have two dumps, and can compare the differences... If that is even needed - I am pretty sure knowing the code you can easily locate exactly where it is.

23

Omega Electrical and Audio Help / Re: Remote key coding

« on: 05 May 2012, 18:11:48 »

Soldered it back on, connected unit to car, car starts flashing blinkers, central locks don't work.
Took it back out, looked with a magnifying glass, sure enough all that lacquer made sure one of the pins wasn't soldered on properly.
Cleaned, re-soldered, re-connected to car, works...

At least I see why these are not known to fail, that thick lacquer dip takes care of most moisture.
Still not gotten anywhere with the code for the damn thing...

I guess I could try to visit the local breakers and get another of these things, then dump it...
But if someone has a block from a car with a car pass, I'll take it off your hands.

24

Omega Electrical and Audio Help / Re: Remote key coding

« on: 05 May 2012, 15:48:26 »

I am going to solder that thing back on for now and put the block back in my car so central locking works...

I can't find any info anywhere on the web, any dumps, anything for the 93LC46B. And I am 100% sure that this chip contains the pin code, because it is the only programmable memory on the board.
The processor only has ROM, it's one time programmable as far as I can see...

There are two ways to get the code:
* A serial EEPROM emulator with address hit tracing, and watch it like a mofo when you enter the code (it'll probably access it at that point)
* A second dump from a similar block, and then compare them

I don't have a serial EEPROM emulator, only parallel ones, and I don't have a second block. I'm screwed

25

Omega Electrical and Audio Help / Re: Remote key coding

« on: 05 May 2012, 15:06:41 »

Chip is a 93LC46B, 16bit.
MCU is a M37733 mitsubishi.

Got the chip off as well, the lacquer is a bitch, gets in the way of everything, resoldering will be fun...
I don't have a SOIC8 adapter, so I had to just solder on wires, not fun.

Anyway, here's the contents of the chip:


And as a comparison, the immo chip, the security code being 3922 for this car:


Doesn't look that easy in the ATWS.
I wish I had a second dump to compare. The changed bytes would show where the code is.
Or maybe there some sort of tool that can extract the code from the dump.

26

Omega Electrical and Audio Help / Re: Remote key coding

« on: 05 May 2012, 12:32:28 »

Postage will be 10 quid if you just send it with Royal Mail, don't worry about that.

I took the unit out of the car. Basically the bit of trim was only shoved in place, no screws, nothing.
Some tabs on the unit are broken, someone has been in there.

The entire board is dipped in red laquer, and I think this is factory, there are no soldering marks.
I think the board has been changed and the case left in tact. I can not explain it otherwise.
The manufacturing date is also early 1998 on the board, while my car is 2000.

Also, I finally squeezed enough info from the dealer, the ATWS needs to be coded to the car when it's installed and that procedure can only be done once.
Well, yeah, my friendly 93C46 programmer can do it as many times as I like, but the problem is, that I don't know the format of the dump.

There is a MCU and 93C46 on the bottom right corner of the board. Everything else seems like buffers, and radio transmitting related devices.
I will desolder the 93C46 (need to get through the lacquer) and read it with a programmer. Let's see what's inside...

P.S.
Yes, I am talking about ATWS. Immo is real easy, if you read the EEPROM the security code is in plaintext

27

Omega Electrical and Audio Help / Re: Remote key coding

« on: 04 May 2012, 14:16:31 »

I know that no one probably cares, but a dealer in another city said they should be able to read the anti theft warning system's VIN code via Tech 2, then I'd have to pay for the car pass for the car it was lifted from.

I know the immo module displays the vin code, but does the ATWS also do that?
Maybe someone with a Tech 2 can comment.

I don't want to go and waste money.

28

Omega Electrical and Audio Help / Re: Remote key coding

« on: 03 May 2012, 19:15:54 »

http://i9.photobucket.com/albums/a59/Hillper/IMG_2050.jpg

That answers a few questions.

So I guess I just remove the unit and look inside then.
I see no other solution apart from swapping in a unit from a car that is being broken, with a car pass.

Of course if someone has one left over (there are a few part numbers there), and has the car pass for it, I'll happily take it off your hands so I don't have to waste my time with this...
I am pretty sure the only way to get the code will be through reverse engineering

29

Omega Electrical and Audio Help / Re: Remote key coding

« on: 03 May 2012, 18:59:57 »

Waited for the security wait time to run out, tried again, wrong code.

My only conclusion then is that the ATWS module has been replaced.

Does anyone know where exactly it is located?
The picture shows http://www.autopro.spb.ru/articles/00000014/AstG_ATWS05.jpg towards the right fender.

If this is true, I am pretty sure the car was hit into the right fender at some point, so that would be logical...

30

Omega Electrical and Audio Help / Re: Remote key coding

« on: 03 May 2012, 17:33:11 »

I have one key, I re-soldered the battery holder, and there is a voltage on both ends, however it fails to work.
If I hold a button for a really long time, sometimes I will get the activation message in diagnostics.

Tbh, I'd rather just get this coding procedure to work, as I have a perfectly valid working key, which gets detected in measuring blocks every time I press a button, but as it's not coded to it, it fails to work.

I dumped my immo EEPROM and the security code was in plaintext.
Currently I have a "Security Wait Time" on the ATWS, so I left ignition on the car, I'll go and see if that clears within 1h20 min.
I didn't actually check if I had a Security Wait Time before I tried programming, but I've had this car for a while.

I am guessing if the immo EEPROM had the code in plaintext, it can't be that hard to find the code for ATWS either.
Do you know what the procedure is by the dealer to replace the ATWS? Could someone look it up in the system?
Are they ordered from factory for a certain car by VIN code pre-programmed? Or are they programmed with the security code on the car?
I am thinking that if I could get EEPROM dumps from two ATWS units, it'd become a cakewalk to figure out the code location.

My dealer is fairly useless in this regard, if they won't be able to log in, I am for some reason quite sure they'll just say "the ATWS is broken, you have to swap it"