garmen Posted March 17, 2015

Hi all!!

I'm new here, and I come from the Spanish forum. I am reverse engineering the Td5 ECU, and I thought you may be interested in it.

By now, I have managed to remove the immobilizer to a NNN ECU, basically you need to rewrite the 93C66 serial EEPROM in the board.

The entire post is here, if you wanna follow it: http://www.clublandrovertt.org/index.php?topic=85938.0

Here is a video of the Def starting with the alarm engaged: http://www.youtube.com/watch?v=SN5vsCIEcYU

This was the code before the removal of the immobilizer:

talaikide@debian-TOSH:~/Documentos/Td5_inside/Serial_Eprom_Hack$ xxd Nanocom_dice_ROBUST.bin
0000000: 008f 367a 0000 0000 0000 0000 4000 0008  ..6z........@...
0000010: 0000 0000 0000 eeff ffff ffff ffff ffff  ................
0000020: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000030: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000040: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000050: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000c0: ffff ffff ffff ffff ffff 008f 3675 0000  ............6u..
00000d0: 0000 0000 0000 4000 0008 0000 0000 0000  ......@.........
00000e0: eeff ffff ffff ffff ffff ffff ffff ffff  ................
00000f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000100: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000110: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000120: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000130: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000140: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000150: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000160: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000170: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000180: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000190: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00001a0: ffff ffff ffff ffff ffff ffff ffff 0000  ................
00001b0: ffff ffff ffff 01f4 1724 14aa 02e0 06e2  .........$......
00001c0: 0af2 fec4 5556 0007 14aa 02e0 06e2 0af2  ....UV..........
00001d0: fec4 5556 0007 14aa 02e0 06e2 0af2 fec4  ..UV............
00001e0: 5556 0007 a001 6610 5001 660b fc03 fc03  UV....f.P.f.....
00001f0: fc03 dfdf dfdf db9c 5332 5a44 0466 280e  ........S2ZD.f(.

This is after:

talaikide@debian-TOSH:~/Documentos/Td5_inside/Serial_Eprom_Hack$ xxd Nanocom_dice_NON_ROBUST.bin
0000000: 008f 367a 0000 0000 0000 0000 4000 0008  ..6z........@...
0000010: 0000 0000 0000 eeff ffff ffff ffff ffff  ................
0000020: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000030: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000040: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000050: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000c0: ffff ffff ffff ffff ffff 008f 3675 0000  ............6u..
00000d0: 0000 0000 0000 4000 0008 0000 0000 0000  ......@.........
00000e0: eeff ffff ffff ffff ffff ffff ffff ffff  ................
00000f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000100: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000110: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000120: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000130: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000140: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000150: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000160: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000170: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000180: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000190: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00001a0: ffff ffff ffff ffff ffff ffff ffff 0000  ................
00001b0: ffff ffff ffff 01f4 1724 14aa 02e0 06e2  .........$......
00001c0: 0af2 fec4 5556 0007 14aa 02e0 06e2 0af2  ....UV..........
00001d0: fec4 5556 0007 14aa 02e0 06e2 0af2 fec4  ..UV............
00001e0: 5556 0007 a001 6610 5001 660b 0000 0000  UV....f.P.f.....
00001f0: 0000 dfdf dfdf db9c 5332 5a44 0466 280e  ........S2ZD.f(.

You can see how in the last two lines the bits 1EC to 1F1 change to 0x00.

After doing that, the Nanocom shows the ECU as NON-ROBUST. This means that the engine can fire up without the signal from the alarm module.

It is important that the cable from the alarm B34 must be disconnected, otherwise the engine won't fire if it receives any alarm code. Important also to hack the starter relay, connecting the upper pin to ground, so the key directly energizes the relay.

I have written the EEPROM using an Arduino. I'll post the source code of it, after I tidy it up.

Have a nice day!!!!

Shackleton Posted March 19, 2015

Welcome garmen. That's very interesting (especially that you keep referring to people as sausages).

So what exactly are you trying to do - is it to keep central locking but no immobiliser? Because if you just want to run a Td5 without needing a signal from a 10AS then I believe you can just use the nanocom to deactivate all security and that does the job. That's how my RR is set up.

Rovertech Posted July 18, 2016

Hi Garmen

I would like to know more about immo off option on TD5. In Africa it is better to have immo off so that Landy will be more reliable. I am a beginner at electronics so you might have to explain with this in mind. I see some remove the 93c46 chip, program a new one and solder back on ecu board. Would you be kind enough to please explain to me how this process would work?

Many Thanks
Nicky

CwazyWabbit Posted July 19, 2016

Nicky, there would be no need to use a new chip as the old one should be reprogrammable. If you were lazy I suppose you could cut all the legs off the chip and then unsolder them one at a time and thus needing a new chip. However it is simple enough to remove surface mount chips without damaging them or the board. Here's a video I made ages ago of removing one with many more legs.

Rovertech Posted July 20, 2016

Hi

Wow, that looks easy but only if you have done it a good few times. Thank You

Do you place the old chip 93c46 into a programmer and remove bin file? Then programme the new modified bin file to the chip and resolder?

Thanks Again

CwazyWabbit Posted July 20, 2016

If I were doing it I would read the contents of the chip and save it somewhere then write the modified contents to the chip, that way if you get 'undesired results' you can put the old version back. It depends what chip programmer you have as to whether you can program the chip whilst still on the board or have to remove the chip and pop it in a socket.

I don't modify TD5 ECUs, mainly as I don't have a TD5, but I've removed many flash chips over the years to dump and modify their contents, I also have reprogrammed plenty whilst still in circuit. All the TD5 speedometers that I've modified have been a similar chip and were done without removing the chip from the board. It's not scary, it's just patience and a good temperature controlled soldering iron.

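The read-and-save-before-writing habit from the post above can be checked mechanically. This is an added example, not part of the original thread: it accepts a backup only when repeated reads of the chip agree, and lists which byte ranges differ between two images. The 0x200-byte size is taken from the dumps earlier in the thread; the function names and the sample data are constructed for illustration.

```python
import hashlib

EXPECTED_SIZE = 0x200  # assumption: length of the 0x000-0x1ff dumps in the thread


def changed_ranges(old: bytes, new: bytes):
    """Return [(start, end_inclusive)] for each run of differing bytes."""
    if len(old) != len(new):
        raise ValueError("images differ in length; refusing to compare")
    ranges, start = [], None
    for off, (a, b) in enumerate(zip(old, new)):
        if a != b and start is None:
            start = off                      # a run of differences begins
        elif a == b and start is not None:
            ranges.append((start, off - 1))  # the run ended on the previous byte
            start = None
    if start is not None:                    # run reaches the end of the image
        ranges.append((start, len(old) - 1))
    return ranges


def verify_reads(reads, expected_size=EXPECTED_SIZE):
    """Accept a backup only if every read is full-size and byte-identical.

    Returns (ok, sha256_hex_or_None, disagreeing_ranges).
    """
    if len(reads) < 2:
        raise ValueError("need at least two independent reads")
    if any(len(r) != expected_size for r in reads):
        return False, None, []               # short or long read: reject outright
    bad = []
    for other in reads[1:]:
        bad.extend(changed_ranges(reads[0], other))
    if bad:
        return False, None, sorted(set(bad))
    return True, hashlib.sha256(reads[0]).hexdigest(), []


# Constructed sample data (not taken from any real ECU).
GOOD = bytes(range(256)) * 2
FLAKY = GOOD[:0x40] + bytes([GOOD[0x40] ^ 0x08]) + GOOD[0x41:]  # one flipped bit
EDITED = GOOD[:0x10] + b"\xaa\xbb\xcc" + GOOD[0x13:]            # three changed bytes

if __name__ == "__main__":
    print(verify_reads([GOOD, GOOD, GOOD]))
    print(verify_reads([GOOD, FLAKY]))
    print([(hex(s), hex(e)) for s, e in changed_ranges(GOOD, EDITED)])
```

Recording the SHA-256 of the accepted backup alongside the file lets a later read of the chip be compared against a known state.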
Rovertech Posted July 21, 2016

Great. Thanks so much for the help. I am a Land Rover specialist from Durban SA, so anytime you need any help just give me a shout.

Regards
Nicky

mike870 Posted December 12, 2016

It works, I did it for the first time (first immo off), I used carprog to read the eeprom (not working with the chip on pcb, reading with errors), modify the 3 pairs of hex that are the same from the last 2 lines of code with 0000 (the bold ones from the quote), cut pin 34, and in the engine bay fuse box at the nr 2 relay connect the pin that comes from the bcm to ground.

Quote:
00001e0: 5556 0007 a001 6610 5001 660b fc03 fc03  UV....f.P.f.....
00001f0: fc03 dfdf dfdf db9c 5332 5a44 0466 280e  ........S2ZD.f(.

Now my car starts like but the alarm is on! I will try to silence her the hard way!

Thanks Garmen, nice work, but why did you do an immo off if you have nano and you can program a new key?

madis Posted June 29, 2021

Some years have gone by but some guys are still messing with old Discovery II immos. What must be changed in the MSB 93c46 chip? Thank you in advance!