Immo off trionic 7: Difference between revisions
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
[[File:Start relay 9-5 - 2005.png|thumb|right]] | |||
[[File:Immo-off-wiring-mod-9-5.jpg|thumb|right]] | |||
The immobilizer number is listed on the Twice unit. if you don't have a tech 2, and don't mind removing the seat you can simply read it from there!<br> | The immobilizer number is listed on the Twice unit. if you don't have a tech 2, and don't mind removing the seat you can simply read it from there!<br> | ||
Starter relay is activated by TWICE, grounding relay pin 85. If you make permanent connection between relay pin 85 and ground, Car will start if IMMO is disabled in ECU software<br> | Starter relay is activated by TWICE, grounding relay pin 85. If you make permanent connection between relay pin 85 and ground, Car will start if IMMO is disabled in ECU software<br> | ||
<br> | <br> | ||
Below Mirrored from TrionicTuning so it never gets lost<br><br> | Below Mirrored from TrionicTuning so it never gets lost<br><br> | ||
As some of you know, we have been fiddling around a bit with removing the immobilizer check function from T7. | As some of you know, we have been fiddling around a bit with removing the immobilizer check function from T7. | ||
Line 55: | Line 54: | ||
== Short list of what is what in hex: == | == Short list of what is what in hex: == | ||
BNE = 66 | BNE = 66<br> | ||
BEQ = 67 | BEQ = 67<br> | ||
BRA = 60 | BRA = 60<br> | ||
== Verify your changes: == | == Verify your changes: == |
Latest revision as of 22:59, 10 April 2022
The immobilizer number is listed on the Twice unit. If you don't have a Tech 2, and don't mind removing the seat, you can simply read it from there!
The starter relay is activated by TWICE, grounding relay pin 85. If you make a permanent connection between relay pin 85 and ground, the car will start if IMMO is disabled in the ECU software.
Below: mirrored from TrionicTuning so it never gets lost.
As some of you know, we have been fiddling around a bit with removing the immobilizer check function from T7. After some testing, I have managed to figure out where and how to "disable" the immobilizer code check in the T7 binary; below is a small writeup of how.
What does this do?
This "hack" will remove the immobilizer code check completely from the binary. However, the TWICE functionality will still be intact, so you still have to have the appropriate key to start the car; therefore this should NOT affect the car's "security features". After these changes, you can upload a bin with either your correct immobilizer code or a bin with a faulty immobilizer code, and it will still start and should not give any errors whatsoever.
How is this tested?
First of all, this was done to help White_Estate here on the forum to be able to run a closed bin with tipin/out maps in his Saastra (Vauxhall Astra with T7 engine+ECU). This was tested and confirmed firstly in his car; after that I asked Aeroride to do the same in his 9-5 with TWICE and everything. Both tests were a success!
Base binary used was from a 9-5 B205 MY2005 (EG03Y5OC.46E)
How to do it
First of all, you will have to find the immobilizer instructions in the code. The ones you want to look for in the disassembler are these (the example addresses below are from the binary we used for this test):

00030538: 4A39 00F0 773C TST.B (ROM_Immobilizer_Enable)
0003053E: 6762 BEQ 000305A2
00030A98: 4A39 00F0 3A24 TST.B (ROM_Immo.killInjection)
00030A9E: 6724 BEQ 00030AC4
00030AA0: 4A39 00F0 773C TST.B (ROM_Immobilizer_Enable)
00030AA6: 671C BEQ 00030AC4
00030AE8: 4879 00F0 63F2 PEA (ROM_obdImmobilizerStatus)
00030AEE: 4878 0001 PEA (0001).W
00030BCC: 4A39 00F0 3A24 TST.B (ROM_Immo.killInjection)
00030BD2: 6714 BEQ 00030BE8
00037DA8: 4A39 00F0 3A24 TST.B (ROM_Immo.killInjection)
00037DAE: 6730 BEQ 00037DE0
00037DB0: 4A39 00F0 773C TST.B (ROM_Immobilizer_Enable)
00037DB6: 6608 BNE 00037DC0
0004186A: 4A39 00F0 3A24 TST.B (ROM_Immo.killInjection)
00041870: 6710 BEQ 00041882
00041872: 4A39 00F0 773C TST.B (ROM_Immobilizer_Enable)
00041878: 661C BNE 00041896

Once you have found all the addresses, open up the binary you are working with in a hex editor, "search" for the address and you should find the value (underlined). What you want to do here is to change the "BNE"s and "BEQ"s into "BRA"s. Also, you will have to change the value of 'ROM_obdImmobilizerStatus' to 0000.
Short list of what is what in hex:
BNE = 66
BEQ = 67
BRA = 60
Verify your changes:
Once you have made all the changes needed for this, double-check your binary. You can do this easily with the following steps:

1: Rename your edited binary so it does NOT have the same name as when you did the complete disassembly the last time in T7 suite.
2: Open the binary in T7 suite and VERIFY CHECKSUM <---- YOU HAVE TO DO THIS BEFORE YOU PROGRAM YOUR ECU WITH THIS BINARY!
3: Run a complete disassembly on the "hacked" bin and verify that the output this time matches the one below:

00030538: 4A39 00F0 773C TST.B (ROM_Immobilizer_Enable)
0003053E: 6062 BRA 000305A2
00030A98: 4A39 00F0 3A24 TST.B (ROM_Immo.killInjection)
00030A9E: 6024 BRA 00030AC4
00030AA0: 4A39 00F0 773C TST.B (ROM_Immobilizer_Enable)
00030AA6: 601C BRA 00030AC4
00030AE8: 4879 00F0 63F2 PEA (ROM_obdImmobilizerStatus)
00030AEE: 4878 0000 PEA (0000).W
00030BCC: 4A39 00F0 3A24 TST.B (ROM_Immo.killInjection)
00030BD2: 6014 BRA 00030BE8
00037DA8: 4A39 00F0 3A24 TST.B (ROM_Immo.killInjection)
00037DAE: 6030 BRA 00037DE0
00037DB0: 4A39 00F0 773C TST.B (ROM_Immobilizer_Enable)
00037DB6: 6008 BRA 00037DC0
0004186A: 4A39 00F0 3A24 TST.B (ROM_Immo.killInjection)
00041870: 6010 BRA 00041882
00041872: 4A39 00F0 773C TST.B (ROM_Immobilizer_Enable)
00041878: 601C BRA 00041896

Once you have checked that everything looks as above, go ahead and upload it to your ECU with whatever immobilizer code you want :)
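
The opcode list and the two listings above describe a recognisable tamper pattern: a short conditional branch (66/67) whose opcode byte becomes 60 while the displacement byte, and so the target, stays the same. The following integrity check is an added example, not part of the original post or of T7 suite; it compares a suspect image against a known-good reference and reports such sites. The function names, the `base` parameter and the assumption that listing addresses map linearly onto image offsets are illustrative.

```python
# Added example: heuristic, byte-level tamper check for 68k short branches.
# It does not disassemble, so data that merely looks like a branch can be flagged.
BRANCH = {0x60: "BRA", 0x66: "BNE", 0x67: "BEQ"}  # opcode bytes from the page's hex list


def decode_short_branch(image, base, addr):
    """Decode a branch with 8-bit displacement at addr; return (mnemonic, target) or None."""
    off = addr - base
    if off < 0 or off + 2 > len(image):
        return None
    opcode, disp = image[off], image[off + 1]
    # Displacement bytes 0x00 and 0xFF select the 16/32-bit forms, not handled here.
    if opcode not in BRANCH or disp in (0x00, 0xFF):
        return None
    if disp >= 0x80:
        disp -= 0x100  # sign-extend the 8-bit displacement
    # The displacement is relative to the address of the branch plus 2.
    return BRANCH[opcode], addr + 2 + disp


def find_forced_branches(reference, suspect, base=0):
    """List word-aligned sites where a conditional branch became BRA with the same target."""
    findings = []
    for off in range(0, min(len(reference), len(suspect)) - 1, 2):
        if reference[off] == suspect[off]:
            continue
        before = decode_short_branch(reference, base, base + off)
        after = decode_short_branch(suspect, base, base + off)
        if (before and after and before[0] != "BRA"
                and after[0] == "BRA" and before[1] == after[1]):
            findings.append((base + off, before[0], after[0], after[1]))
    return findings


# Constructed sample: the eight bytes at 00030538 as shown in the page's two listings.
SAMPLE_BASE = 0x30538
REFERENCE = bytes.fromhex("4A3900F0773C6762")
SUSPECT = bytes.fromhex("4A3900F0773C6062")

if __name__ == "__main__":
    for addr, old, new, target in find_forced_branches(REFERENCE, SUSPECT, SAMPLE_BASE):
        print(f"{addr:08X}: {old} -> {new} {target:08X}")
```
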