Removal of Td5 Immobilizer


garmen

Hi all!!

I'm new here, and I come from the Spanish forum.

I am reverse engineering the Td5 ECU, and I thought you may be interested in it.

So far, I have managed to remove the immobilizer from an NNN ECU; basically you need to rewrite the 93C66 serial EEPROM on the board.

The entire post is here, if you wanna follow it:

http://www.clublandrovertt.org/index.php?topic=85938.0

Here a video of the Def starting with the alarm engaged:

http://www.youtube.com/watch?v=SN5vsCIEcYU

This was the code before the removal of the immobilizer:

talaikide@debian-TOSH:~/Documentos/Td5_inside/Serial_Eprom_Hack$ xxd Nanocom_dice_ROBUST.bin
0000000: 008f 367a 0000 0000 0000 0000 4000 0008  ..6z........@...
0000010: 0000 0000 0000 eeff ffff ffff ffff ffff  ................
0000020: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000030: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000040: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000050: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000c0: ffff ffff ffff ffff ffff 008f 3675 0000  ............6u..
00000d0: 0000 0000 0000 4000 0008 0000 0000 0000  ......@.........
00000e0: eeff ffff ffff ffff ffff ffff ffff ffff  ................
00000f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000100: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000110: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000120: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000130: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000140: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000150: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000160: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000170: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000180: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000190: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00001a0: ffff ffff ffff ffff ffff ffff ffff 0000  ................
00001b0: ffff ffff ffff 01f4 1724 14aa 02e0 06e2  .........$......
00001c0: 0af2 fec4 5556 0007 14aa 02e0 06e2 0af2  ....UV..........
00001d0: fec4 5556 0007 14aa 02e0 06e2 0af2 fec4  ..UV............
00001e0: 5556 0007 a001 6610 5001 660b fc03 fc03  UV....f.P.f.....
00001f0: fc03 dfdf dfdf db9c 5332 5a44 0466 280e  ........S2ZD.f(.

This is after:

talaikide@debian-TOSH:~/Documentos/Td5_inside/Serial_Eprom_Hack$ xxd Nanocom_dice_NON_ROBUST.bin
0000000: 008f 367a 0000 0000 0000 0000 4000 0008  ..6z........@...
0000010: 0000 0000 0000 eeff ffff ffff ffff ffff  ................
0000020: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000030: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000040: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000050: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000c0: ffff ffff ffff ffff ffff 008f 3675 0000  ............6u..
00000d0: 0000 0000 0000 4000 0008 0000 0000 0000  ......@.........
00000e0: eeff ffff ffff ffff ffff ffff ffff ffff  ................
00000f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000100: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000110: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000120: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000130: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000140: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000150: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000160: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000170: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000180: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000190: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00001a0: ffff ffff ffff ffff ffff ffff ffff 0000  ................
00001b0: ffff ffff ffff 01f4 1724 14aa 02e0 06e2  .........$......
00001c0: 0af2 fec4 5556 0007 14aa 02e0 06e2 0af2  ....UV..........
00001d0: fec4 5556 0007 14aa 02e0 06e2 0af2 fec4  ..UV............
00001e0: 5556 0007 a001 6610 5001 660b 0000 0000  UV....f.P.f.....
00001f0: 0000 dfdf dfdf db9c 5332 5a44 0466 280e  ........S2ZD.f(.

You can see how in the last two lines the bits 1EC to 1F1 change to 0x00.
After doing that, the Nanocom shows the ECU as NON-ROBUST. This means that the engine can fire up without the signal from the alarm module. It is important that the cable from the alarm, B34, is disconnected; otherwise the engine won't fire if it receives any alarm code. It is also important to hack the starter relay, connecting the upper pin to ground, so the key directly energizes the relay.

I have written the EEPROM using an Arduino. I'll post the source code of it after I tidy it up.

Photos:

Td5_inside_023.png

Td5_inside_025.png

Td5_inside_024.png

Have a nice day!!!!

  • Like 2
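A way to check a before/after pair like the one above, as an added example that is not garmen's code: it parses xxd output, reports the exact byte ranges that differ between two dumps, and flags an image whose 0x1EC to 0x1F1 region has been zeroed, so an ECU EEPROM dump can be audited for this modification before it is trusted. The two constructed sample strings are the tails (offsets 0x1e0 and 0x1f0) of the dumps quoted in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the last two lines (offsets 0x1e0 and 0x1f0) of the two
# xxd dumps quoted in the post, before and after the modification.
BEFORE_XXD = """\
00001e0: 5556 0007 a001 6610 5001 660b fc03 fc03  UV....f.P.f.....
00001f0: fc03 dfdf dfdf db9c 5332 5a44 0466 280e  ........S2ZD.f(.
"""
AFTER_XXD = """\
00001e0: 5556 0007 a001 6610 5001 660b 0000 0000  UV....f.P.f.....
00001f0: 0000 dfdf dfdf db9c 5332 5a44 0466 280e  ........S2ZD.f(.
"""
# Byte offsets the post identifies as the immobilizer ("ROBUST") flag.
IMMO_REGION = range(0x1EC, 0x1F2)


def parse_xxd(text: str) -> Dict[int, int]:
    """Map byte offset -> value from xxd's default hex-pair output.
    Lines may be sparse; the ASCII column (after 2+ spaces) is ignored."""
    image: Dict[int, int] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        offset, rest = raw.split(":", 1)
        hex_part = re.split(r"\s{2,}", rest.strip(), maxsplit=1)[0]
        data = bytes.fromhex(hex_part.replace(" ", ""))
        for i, value in enumerate(data):
            image[int(offset, 16) + i] = value
    return image


def diff_images(old: Dict[int, int], new: Dict[int, int]) -> List[Tuple[int, int, bytes, bytes]]:
    """Contiguous differing ranges as (start, end_inclusive, old_bytes, new_bytes)."""
    if old.keys() != new.keys():
        raise ValueError("dumps cover different offsets")
    runs: List[List[int]] = []
    for off in sorted(o for o in old if old[o] != new[o]):
        if runs and off == runs[-1][1] + 1:
            runs[-1][1] = off          # extend the current run
        else:
            runs.append([off, off])    # start a new run
    return [(s, e, bytes(old[o] for o in range(s, e + 1)),
             bytes(new[o] for o in range(s, e + 1))) for s, e in runs]


def immo_region_cleared(image: Dict[int, int]) -> bool:
    """True when every byte of IMMO_REGION is present and zeroed, i.e. the
    'NON-ROBUST' state the post describes; a quick audit check on a dump."""
    return all(image.get(o) == 0x00 for o in IMMO_REGION)
```

Run `diff_images(parse_xxd(BEFORE_XXD), parse_xxd(AFTER_XXD))` to get the single changed run 0x1EC to 0x1F1, fc03fc03fc03 becoming 000000000000.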

Welcome garmen. That's very interesting (especially that you keep referring to people as sausages).

So what exactly are you trying to do - is it to keep central locking but no immobiliser? Because if you just want to run a Td5 without needing a signal from a 10AS then I believe you can just use the nanocom to deactivate all security and that does the job. That's how my RR is set up.


  • 1 year later...

Hi Garmen

I would like to know more about the immo off option on the TD5. In Africa it is better to have immo off so that the Landy will be more reliable. I am a beginner at electronics so you might have to explain with this in mind.

I see some remove the 93c46 chip, program a new one and solder it back on the ECU board.

Would you be kind enough to please explain to me how this process would work.

Many Thanks

Nicky


Nicky, there would be no need to use a new chip as the old one should be reprogrammable. If you were lazy I suppose you could cut all the legs off the chip and then unsolder them one at a time, thus needing a new chip. However it is simple enough to remove surface mount chips without damaging them or the board. Here's a video I made ages ago of removing one with many more legs.

  • Like 1

If I were doing it I would read the contents of the chip and save it somewhere then write the modified contents to the chip, that way if you get 'undesired results' you can put the old version back.

It depends what chip programmer you have as to whether you can program the chip whilst still on the board or have to remove the chip and pop it in a socket.

I don't modify TD5 ECUs, mainly as I don't have a TD5, but I've removed many flash chips over the years to dump and modify their contents; I have also reprogrammed plenty whilst still in circuit. All the TD5 speedometers that I've modified have had a similar chip and were done without removing the chip from the board.

It's not scary, it's just patience and a good temperature controlled soldering iron.


  • 4 months later...

It works, I did it for the first time (first immo off). I used CarProg to read the EEPROM (not working with the chip on the PCB, reading with errors), modified the 3 pairs of hex that are the same in the last 2 lines of code to 0000 (the bold ones in the quote), cut pin 34, and in the engine bay fuse box at the nr 2 relay connected the pin that comes from the BCM to ground.

Quote

00001e0: 5556 0007 a001 6610 5001 660b fc03 fc03  UV....f.P.f.....
00001f0: fc03 dfdf dfdf db9c 5332 5a44 0466 280e  ........S2ZD.f(.

Now my car starts, but the alarm is on! I will try to silence her the hard way!

Thanks Garmen, nice work, but why did you do an immo off if you have a Nano and you can program a new key?

td5 fuse box.jpg

td5_ecu.jpg


  • 4 years later...

Some years have gone by, but some guys are still messing with old Discovery II immos.

What must be changed in the MSB 93c46 chip?

Thank you in advance!
