Jeep key programming attempt using ELM - Page 2 - JeepForum.com
post #16 of 49 Old 03-09-2021, 03:32 PM
Stroker347
Registered User
2004 WJ 
 
Join Date: Dec 2018
Posts: 33
SKIM PIN extraction

oh2WJ,

I've been trying to deduce the PIN for my junkyard SKIM, so that I can run the Secure Access functions. I discovered that the SKIM will initially allow three tries at entering a PIN number with the 24 C0 27 02 "PIN" entry function and returns 26 C0 7F 27 35 00 for invalid numbers. If all three are invalid the SKIM will lock out further attempts and returns 26 C0 7F 27 33 00 for "Access Denied" until 60 minutes of KEY ON time have passed and then it resets and allows three more tries. If these are invalid the cycle repeats. So the brute force method of throwing all 10,000 possible PINs at it is not practical. I manually tried entering the 20 statistically most commonly used 4 digit PINs and none of these worked. So I am now going to try reading the EEPROM memory, with a programmer, and find the PIN number that way. Originally I was expecting to find a 24XXXX series EEPROM and read it with an inexpensive CH341 programmer that I bought for the purpose. However, upon removing the SKIM board from the case I discovered that it's an IMMOBILIZER 3 and uses a Motorola MC68HC08 series MCU (Mask ID OL72A) with internal EEPROM. So now I'm waiting to receive a UPA-USB programmer clone from China and try reading it with that. An eight byte security code will most likely be needed to read the EEPROM, and I have several obtained from various locksmith forums to try, but odds are against me that any will actually work. In addition, I may have to lift some pins on the MCU to be able to force it into "Monitor Mode" which is required for the programmer to work. And who knows if the "clone" programmer will work. I'm determined to try anyway, but I may not get the clone until mid April. I'll let you know then if I'm successful.

Stroker347 is offline  
post #18 of 49 Old 03-20-2021, 10:34 PM Thread Starter
oh2WJ
Registered User
2002 WJ 
 
Join Date: Sep 2020
Posts: 37
Hey, sorry I haven't been active on here; life had plenty of other problems for me to deal with. Since I don't have a junkyard SKIM I kept my testing very limited. Like I said before, I turned my efforts to getting my MicroPod 2 clone to read all modules. Well, my efforts paid off: I was able to figure out how to make it work! I tried to program one of my new keys and it went through the process, and at the end said the key might be for another vehicle. So either the SBB screwed up this key or it is just cheap and doesn't work. I plan on monitoring with ELM while using the MicroPod to program my other key. It should reveal the mode, PID, and data required. It will be interesting if it is the same as the SBB. Since I can now talk to all modules, I can monitor with ELM and figure out all sorts of other module modes, PIDs, and data needed.



The only way I can think of to help you figure out your PIN is if I found the memory address where mine is stored or some command to read it back. You can get the VIN that your SKIM was attached to, but the dealer probably won't give you the PIN unless you have title, proof of ownership, etc. I wonder though, if that VIN has a salvage title, if they would make an exception? Wish you luck on this!


I'll post back when I have some recorded data from micropod trying to program a key!
oh2WJ is offline  
 
post #19 of 49 Old 03-22-2021, 03:25 PM
Stroker347
Registered User
2004 WJ 
 
Join Date: Dec 2018
Posts: 33
Glad to hear you've been successful with the MicroPod. I'm looking forward to seeing what you get with the ELM while using it. I already received my UPA-USB clone programmer and managed to read the EEPROM with it. After eliminating a bunch of known data, such as the VIN number, programmed key IDs and erased bytes (FF), I narrowed the possible and likely PIN numbers down to about a dozen. I manually entered each one with the 24 C0 27 02 "PIN" command, until I found it on the tenth try. I now get a positive response of 26 C0 67 02 00 00 and the same responses, to the 24 C0 B4 28 00 00 and 24 C0 22 28 00 00 requests, as you reported with the use of the SBB programmer. I don't have any blank keys to program and the SKIM module was disconnected from the antennae when I got these responses so they obviously don't show that a key was successfully programmed. I'm hoping (but doubtful) that I will be able to read the ROM from the SKIM and disassemble/simulate the program code to figure out what it's doing. I was able to read the entire SKIM but the security bytes that I used were incorrect and all the protected areas of memory returned "AN". Fortunately the security restriction was not applied to the EEPROM. I will eventually try all of the various security bytes that I got off of locksmith forums, but my clone programmer won't connect again (I may have just got lucky the first time) and I'm having to troubleshoot it.
The following shows the SKIM DTC request commands and the list of DTCs; maybe this will give you some insight into what went wrong with the SBB:
Request Number of SKIM DTCs: 24 C0 31 FF 00 00
Request SKIM DTCs: 24 C0 22 2E 00 00 (the 2 bytes of the response after 2E are the DTCs)
Clear SKIM DTCs: 24 C0 14 FF 00 00

SKIM DTC                        Bit Pos   Byte   Mask
EMS Status Failure              0         MSB    01
VIN Mismatch                    1         MSB    02
ROM Failure                     2         MSB    04
EEPROM Failure                  3         MSB    08
RAM Failure                     4         MSB    10
COP Failure                     5         MSB    20
Stack Overflow Failure          6         MSB    40
Rolling Code Failure            7         MSB    80
Antenna Failure                 8         LSB    01
Transponder Comm                9         LSB    02
Transponder CRC                 10        LSB    04
Transponder ID Mismatch         11        LSB    08
Unprogrammed Key                12        LSB    10
Serial Link Internal            13        LSB    20
Serial Link External            14        LSB    40
Transponder Response Mismatch   15        LSB    80
Stroker347 is offline  
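Added example, not from the thread or from either poster: a small Python decoder that turns the two DTC bytes returned after 2E into the named faults from Stroker347's table above, so a log line can be read without counting bits by hand. It assumes that the first DTC byte is the table's "MSB" column (bits 0 to 7) and the second is the "LSB" column (bits 8 to 15), and that the response carries the 62 positive-response code for the 22 request, as the other responses in this thread do; the sample line fed to it is constructed, not a capture.

```python
# Added example (not from the thread): decode the two SKIM DTC bytes that
# follow 2E in the response to "24 C0 22 2E 00 00", using the table above.
# Assumption: first DTC byte = "MSB" column (bits 0-7), second = "LSB" column
# (bits 8-15); 0x62 is the positive-response code for the 0x22 request.

SKIM_DTC_BITS = [
    # (bit position, name); bits 0-7 are in the MSB byte, 8-15 in the LSB byte
    (0, "EMS Status Failure"),
    (1, "VIN Mismatch"),
    (2, "ROM Failure"),
    (3, "EEPROM Failure"),
    (4, "RAM Failure"),
    (5, "COP Failure"),
    (6, "Stack Overflow Failure"),
    (7, "Rolling Code Failure"),
    (8, "Antenna Failure"),
    (9, "Transponder Comm"),
    (10, "Transponder CRC"),
    (11, "Transponder ID Mismatch"),
    (12, "Unprogrammed Key"),
    (13, "Serial Link Internal"),
    (14, "Serial Link External"),
    (15, "Transponder Response Mismatch"),
]


def decode_skim_dtcs(msb: int, lsb: int) -> list:
    """Return the names of every DTC bit set in the two status bytes."""
    # Thread's bit numbering: the "MSB" byte holds bits 0-7, "LSB" holds 8-15
    word = ((lsb & 0xFF) << 8) | (msb & 0xFF)
    return [name for bit, name in SKIM_DTC_BITS if word & (1 << bit)]


def dtcs_from_response(hex_text: str) -> list:
    """Pull the two DTC bytes out of an ELM-style response line such as
    '26 C0 62 2E 02 10' (header bytes optional; a trailing CRC byte, if shown,
    is ignored). Raises ValueError if it is not a positive 62/2E response."""
    data = bytes.fromhex(hex_text.replace(" ", ""))
    try:
        i = data.index(0x62)
    except ValueError:
        raise ValueError("not a positive response (no 0x62 byte)")
    if len(data) < i + 4 or data[i + 1] != 0x2E:
        raise ValueError("not a 2E DTC response")
    return decode_skim_dtcs(data[i + 2], data[i + 3])


if __name__ == "__main__":
    # Constructed sample: VIN mismatch (bit 1) plus an unprogrammed key (bit 12)
    print(dtcs_from_response("26 C0 62 2E 02 10"))
```

A VIN Mismatch together with Unprogrammed Key is the combination you would expect to see after trying a key blank meant for a different vehicle, which is the situation the SBB attempt in this thread ran into.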
post #20 of 49 Old 03-26-2021, 02:14 PM Thread Starter
oh2WJ
Registered User
2002 WJ 
 
Join Date: Sep 2020
Posts: 37
Well Stroker, I'm not sure whether to laugh, cry, or hurl. I just found out and realized I ordered the wrong keys for my Jeep. I accidentally ordered Y164-PT, which is for the 2005-2009 Grand Cherokee. I have now ordered Y160-PT blank keys. Sorry for the wild goose chase; my guess is that the SBB actually works when you use the right transponder :P But you were able to figure out your junkyard SKIM PIN number and I got my MicroPod clone working fully as a result, so worth it in my opinion. I recorded the MicroPod trying to program a *wrong* key. The commands it sent to talk with the SKIM were different, but the key program commands were all the same. The last set must be "key program status" and 02 00 must be Failed. It's interesting that the DRB emulator hinted at the problem when it said "key may be for another vehicle". Well, we are close; when I get the right keys I'll record what it looks like when it works. Here is the edited data from the last session:


CRC byte shown



** id skim module

24 C0 22 20 15 00 EF
26 C0 7F 22 12 00 67

24 C0 22 24 00 00 3C
26 C0 62 D1 00 00 25

24 C0 22 28 04 00 1B
26 C0 62 00 00 00 12

24 C0 22 20 15 00 EF
26 C0 7F 22 12 00 67
26 C0 69 00 00 00 34

24 C0 22 20 00 00 3A
26 C0 62 04 68 00 D1

24 C0 22 20 01 00 76
26 C0 62 66 65 00 B9

24 C0 22 20 02 00 A2
26 C0 62 41 43 00 C3


** program new key, new key in ign

26 C0 51 01 01 00 04
4F C0 80 00 00 00 EA
4F C0 00 3F 12 ED 6E
4F C0 00 3F 12 ED 6E
4F C0 00 3F 12 ED 6E
4F C0 00 3F 12 ED 6E


** program key fail

4F C0 00 3F 12 ED 6E
24 C0 27 02 55 80 42
26 C0 67 02 00 00 C2

24 C0 B4 28 00 00 4F
26 C0 F4 28 00 00 57

24 C0 22 28 00 00 36
26 C0 62 02 00 00 11
oh2WJ is offline  
post #21 of 49 Old 04-28-2021, 02:42 PM
Stroker347
Registered User
2004 WJ 
 
Join Date: Dec 2018
Posts: 33
Oh2WJ,

Were you ever successful at programming a key? I'd like to see the command/response sequence for that if you did. I've gone off the deep end here, and have been attempting a hardware hack to get past the Monitor Mode security check. Monitor Mode is a ROM based program on the chip that allows primitive interaction and debugging capabilities. If the security check, which requires 8 bytes of user input, fails then Monitor Mode is entered but you can't read or write to any secured memory locations (which would be the most interesting!). I built an electronic interface to use with a software program called NoIce that issues the primitive Monitor Mode commands for reading/writing and code execution. I can read and write to all the unsecured locations and execute my own code loaded into RAM or EEPROM. However, I've been unsuccessful with all my attempts to read secured memory locations. I'm currently waiting to receive an inexpensive flash based version of the chip (MC68HC908QT4CP) with the hopes that I can figure out what changes between a successful and failed security bypass. Since I'll be able to program my own security bytes into the chip I'll always be able to successfully bypass security and can then deliberately enter a wrong byte to fail the security bypass for comparison. I'm hoping to discover that a writeable register or RAM byte gets toggled. But I suspect that whatever gets toggled may be internal to the MCU and won't be accessible. If that's the case then all my efforts will have been for naught. But it was fun trying!
Stroker347 is offline  
post #22 of 49 Old 06-11-2021, 12:20 PM Thread Starter
oh2WJ
Registered User
2002 WJ 
 
Join Date: Sep 2020
Posts: 37
Well, better late than never. Sorry for the long delay, but so much has been happening. I ended up selling my Jeep not too long after successfully programming the keys. I programmed one blank with the MicroPod 2 and recorded it. Then I used just my ELM to issue commands and was successful. The SBB must just send that first command to make sure the module responds. Since I know that module is there, I skipped the first command. So here is the data:


CRC byte shown



>at sp1

>at h1

>at l1

>at ra c0
OK

>at sh 24 c0 27
OK

>02 55 80
26 C0 67 02 00 00 C2

>at sh 24 c0 b4
OK

>28 00 00
26 C0 F4 28 00 00 57

>at sh 24 c0 22
OK

>28 00 00
26 C0 62 03 00 00 9E key program success

>at sh 24 c0 22
OK

>20 09 00
26 C0 62 06 00 00 17



As you can see, a total of six keys are now programmed. It can be done!
oh2WJ is offline  
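Added example, not from the thread or from either poster: a Python checker for logged frames like the ones in oh2WJ's posts #20 and #22 ("CRC byte shown"). It verifies the trailing byte and classifies each line as a request, a positive response or a negative response, which is the quickest way to tell a real module reply from a corrupted capture or a lockout before drawing conclusions from it. Assumptions: the trailing byte is the SAE J1850 CRC-8 (polynomial 0x1D, initial value 0xFF, final XOR 0xFF) over the six preceding bytes, which reproduces the CRC bytes on the frames quoted below; the layout is priority/type byte, target address, service ID, three data bytes, CRC; and the negative-response code names follow ISO 14230 / SAE J2190, which agree with the meanings Stroker347 observed in post #16 (33 for lockout, 35 for a wrong PIN). The sample log is constructed from frames quoted in the thread plus one deliberately corrupted copy.

```python
# Added example (not from the thread): verify the J1850 CRC byte on logged
# frames and classify them. Assumptions: SAE J1850 CRC-8 (poly 0x1D, init
# 0xFF, final XOR 0xFF) over the six preceding bytes; layout = priority/type,
# target, service ID, 3 data bytes, CRC; NRC names per ISO 14230 / J2190.

# Negative-response codes seen or implied in the thread (assumed standard names)
NRC_NAMES = {
    0x12: "subFunctionNotSupported",
    0x33: "securityAccessDenied (locked out after 3 bad PINs)",
    0x35: "invalidKey (wrong PIN)",
}


def j1850_crc8(data: bytes) -> int:
    """SAE J1850 CRC-8: poly 0x1D, init 0xFF, no reflection, final XOR 0xFF."""
    crc = 0xFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def parse_frame(line: str) -> dict:
    """Split one 7-byte logged frame (trailing free text allowed) and check its CRC."""
    tokens = []
    for tok in line.split():
        if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            tokens.append(int(tok, 16))
        else:
            break                      # first non-hex token ends the frame
    if len(tokens) != 7:
        raise ValueError(f"expected 7 bytes, got {len(tokens)}: {line!r}")
    raw = bytes(tokens)
    sid, data, crc = raw[2], raw[3:6], raw[6]
    frame = {"priority": raw[0], "target": raw[1], "sid": sid, "data": data,
             "crc_ok": j1850_crc8(raw[:6]) == crc}
    if sid == 0x7F:                     # negative response: echoed SID + NRC
        frame.update(kind="negative", for_sid=data[0], nrc=data[1],
                     nrc_name=NRC_NAMES.get(data[1], "unknown"))
    elif sid & 0x40:                    # positive response = request SID + 0x40
        frame.update(kind="positive", for_sid=sid - 0x40)
    else:
        frame["kind"] = "request"
    return frame


def audit_log(lines) -> list:
    """Parse every frame line in a log (skipping blanks, '**' notes and '>' ELM
    commands) and return (line, kind, crc_ok, note) tuples."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("**") or line.startswith(">"):
            continue
        f = parse_frame(line)
        out.append((line, f["kind"], f["crc_ok"], f.get("nrc_name", "")))
    return out


# Constructed sample log: frames quoted from the thread, plus one deliberately
# corrupted copy (CRC byte changed 9E -> 9F) to show the check catching it.
SAMPLE_LOG = """
** id skim module
24 C0 22 20 15 00 EF
26 C0 7F 22 12 00 67
** key program status
26 C0 67 02 00 00 C2
26 C0 62 03 00 00 9E key program success
26 C0 62 03 00 00 9F
""".splitlines()

if __name__ == "__main__":
    for line, kind, ok, note in audit_log(SAMPLE_LOG):
        print(f"{line[:20]}  {kind:8}  crc={'ok' if ok else 'BAD'}  {note}")
```

Running it shows the 7F reply in the identification block as a negative response to service 22 with NRC 12, the 67 reply as the positive answer to the 27 PIN command, and the 62 03 00 00 reply as the success status; the final line fails the CRC check, which is the signal to distrust that capture rather than read 03 as a success.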
post #23 of 49 Old 06-11-2021, 02:06 PM
Stroker347
Registered User
2004 WJ 
 
Join Date: Dec 2018
Posts: 33
Oh2WJ,

Thanks for the update. So it looks like the command 24 C0 B4 28 00 00 does all the programming and you would have been successful on one of your first attempts if only you had the correct keys at that time! I'm sure the command 24 C0 22 28 00 00 just requests the programming status, and you were getting 02 for a failure response on your early attempts whereas you got 03 for success the last time. I have as many programmed keys as I need, and don't have any blank keys to try programming, but I'm sure the ELM method will work for me if I ever need another. My grandson will be inheriting my Jeep in the near future, when he turns 16, so I won't be surprised if he loses a key and we need another!
All my attempts at hacking the security bytes for the junkyard SKIM have failed, so whatever changes to allow access to the secured memory is within the MCU and not accessible via the external ports. In spite of this I have been having fun programming the flash versions of the MCU that I obtained.
Stroker347 is offline  
post #24 of 49 Old 06-11-2021, 07:02 PM
Dust Devil
Registered User
 
1999 WJ 
 
Join Date: May 2021
Posts: 175
What do you need to add keys to a SKIM or PCM?

I barely understood any of this...

I have one chip key and I'm worried if I lose it or it breaks I'm going to be screwed.

From what I have read, you need two valid keys to do a typical key learn so one of the Dorman key programmers would not work for me.

I would like to have three keys so I can lose one and still be able to program another.

What would you do in my situation?
Dust Devil is offline  
post #25 of 49 Old 06-12-2021, 10:08 AM
Stroker347
Registered User
2004 WJ 
 
Join Date: Dec 2018
Posts: 33
Dust Devil,
From your profile I see you have a 1999 WJ. For this vehicle there are two methods of key programming:
1) Customer Learn Method - which requires two valid Sentry Keys and is therefore not an option for you.
2) Secured Access Method - which does not require any previously programmed keys but does require a vehicle specific 4 digit SKIM PIN number and a programming device.
The PIN would have been provided with the documentation when the vehicle was purchased new, but it's unlikely that you would have that. If you have the owner's manual you might find it written inside. The PIN number can be obtained from Chrysler by providing the vehicle's VIN number, but I've read that even locksmiths may find it difficult to obtain for these old vehicles. I recently had a dealer replace my SKIM, which required the PIN, and they were able to get that number, which I now have. If you have the PIN the method described in this post can be used along with an ELM327 OBD2 programming device to do it yourself. Since you've stated that you "barely understood any of this" it is probably not an option for you. I'm not familiar with the Dorman key programmer so I can't comment on that option except to say that you would still need the PIN. Your best option is probably to find a locksmith that can do it, or pay through the nose and have a dealer do it. I think the "peace of mind and security" in having more than one key would make this worth the expense.
Good Luck
Stroker347 is offline  
post #26 of 49 Old 06-12-2021, 12:37 PM
exergy
Registered User
2004 WJ 
 
Join Date: Oct 2010
Location: abingdon
Posts: 21
I will offer up my quick hack approach on keys and fobs. It's not nearly as cool as the discussions here but just done out of fear of losing keys. I was in the situation where each of my 2004 WJs had only one key. I picked up uncut aftermarket keys on Amazon ($7 each), had them cut at Walmart for a minimal fee, took one of each of those to the dealership for programming (~$30 each) to give me the two Sentry Keys for each vehicle. Then I made more keys from the two Sentry Keys. The dealer complained about the aftermarket keys, said they don't take programming very well, and I would still be charged the 30 bucks even if it failed. This was just an attempt to upsell to their expensive keys; both of my aftermarket Sentry Keys worked in their programmer and still work 100%. Also, all of the cheap keys I made with the Customer Learn Method have been completely reliable and I have not used the OEM keys for years.

I picked up several key fobs on Amazon ($14 each) and programmed all of them with the Dorman OBD programmer ($50). You won't need any special info for the fob programming. There were a few small issues, the biggest being that the Dorman programmer came with a fob that did not work too well with the programmer. I think that fob was a junk product in general. However, the other cheap Chinese fobs from Amazon did work really well and have held up great over 3 or 4 years. I would say they function as well as or better than OEM.

Probably the prices of all these things have increased some but still this will at least give you a sense of how much I had invested in the new keys and fobs. I am not sure if there is anything special about the different WJ years related to this.
exergy is offline  
post #27 of 49 Old 06-12-2021, 02:27 PM
Stroker347
Registered User
2004 WJ 
 
Join Date: Dec 2018
Posts: 33
Dust Devil,

I did a quick internet search on Dorman programmers and the only ones I found were for Key Fob programming which is a totally separate process from Transponder Key programming. I think "exergy's" hack is the way for you to go. Buy inexpensive aftermarket transponder keys (Y160-PT for 1999 thru 2004 WJs) and get a dealer or locksmith to program at least one. Then you could program more using the Customer Learning Method which does not require any programmer.
Stroker347 is offline  
post #28 of 49 Old 06-12-2021, 05:49 PM
Dust Devil
Registered User
 
1999 WJ 
 
Join Date: May 2021
Posts: 175
Ok, I mis-remembered a video I saw on programming key fobs and SKIM keys, sorry for the confusion there.

Now for a really advanced question:

The video I saw included putting key fob guts in to a flip key and one of the key fobs had the switch membrane from a later Jeep/Chrysler product that had a fourth button.

Looking around, I found four button key fobs and flip keys. Could a four button key fob be programmed for my WJ and could the keyless entry module be hacked or replaced with a 4 button model and do something cool like pop the hatch glass with the fourth button?

A lot of people would probably like a remote start button, not me but if you figured it out, lots of people would want to do it.

Oh, thanks a lot for the info.

I'll probably try the $30 dealer program if I can find a dealer that does it that cheap. Then I'll mess around with key fobs and flip keys...
Dust Devil is offline  
post #29 of 49 Old 08-14-2021, 02:10 PM
tjacobson01
Registered User
2002 WJ 
 
Join Date: Feb 2017
Location: Gordon
Posts: 23
Excellent work and info. Thanks all.

I am a retired network engineer and have done my share of hex hacking for other things. I was able to program several additional fobs I had collected to my vehicle using a Bluetooth ELM327 dongle and a terminal program on my MacBook Pro, per the hex programming instructions discussed here. I had to find a real ELM327 OBD-II dongle, which is quite difficult as most on eBay seem to be Chinese knock-offs and don't appear to implement the full ELM327 command set or are broken in other ways. I ended up using a "TONWON OBDII Pro" OBDII Bluetooth dongle ($26), the only one that was known to pass ELM327 functional tests, so it probably uses a real ELM327 chip, and knows how to talk to the SAE J1850 VPW bus.

After reading the ELM 327 data sheet, and parsing through what oh2WJ did, I found his transponder key procedure looked plausible. Has anyone repeated his apparent success?

Also, I bet the better knock-off Y160-PT keys you get on eBay have actual Texas Instruments (or exact licensed "second source") TI 4D chips in them, and are no different from the expensive Chrysler OEM key blanks. It would not make any sense for the Chinese to copy a high volume ASIC chip that they can probably just buy from TI in volume for a dollar or two. It would be interesting to cut one open and compare the die under a good microscope to a real Chrysler OEM key.

T.
tjacobson01 is offline  
post #30 of 49 Old 08-17-2021, 11:19 AM
tjacobson01
Registered User
2002 WJ 
 
Join Date: Feb 2017
Location: Gordon
Posts: 23
Wondering if anyone has figured out the appropriate ELM327 hex sequence to change the VIN in the PCM. Given that these PCMs are getting pretty old, and that the silicon in a VFET or whatever can only take so many temperature cycles before it cracks, I would love to be able to carry a spare PCM on long trips just in case... I have one from a WJ I parted out, with the SKIM, keys, and hopefully can get the PIN as I have paperwork, but would need to change the VIN in this spare PCM in order to swap it (and perhaps the SKIM w/transponder keys) into my current WJ...
T.
tjacobson01 is offline  