Jeep key programming attempt using ELM - Page 3 - JeepForum.com
post #31 of 49 Old 08-18-2021, 10:59 AM
jtpeters
Senior Member
2004 WJ 
 
Join Date: Jun 2016
Location: Huntsville
Posts: 616
Garage
@tjacobson01 : contact @Waterluvr as he can possibly square you away.


2004 Jeep Overland WJ 4.7 H.O. (Bought new in Oct 2003)
2014 Jeep Overland WK2 5.7 Hemi (Bought used in 2016 w/7k miles)
1970 Ford Mustang Boss 302 (in Family since 1974)
2013 Ford Mustang Boss 302
2011 BMW 328i
jtpeters is offline  
post #32 of 49 Old 08-19-2021, 09:18 AM
tjacobson01
Registered User
2002 WJ 
 
Join Date: Feb 2017
Location: Gordon
Posts: 23
Garage
I did contact him. He told me to go away... not sure why.... I think he is overwhelmed.
T.
tjacobson01 is offline  
post #33 of 49 Old 08-29-2021, 04:51 PM
rdb389
Registered User
2004 TJ Wrangler 
 
Join Date: Aug 2021
Location: Houston
Posts: 3
Garage
Hi All! Just found this thread and it is exactly what I was starting in on for myself. I have one original and two freshly cut Y160 blanks ready to program to the SKIM but I wanted to figure it out myself out of principle instead of paying the dealer $200 to do it.



Did anyone make any particular progress in being able to extract SKIM pin without having to read the ROM off the chip on the bench?


I've seen the "Chrysler Pin Puller" Android App that claims to be able to do it with an ELM327 device but I can't test it initially as I only have a wifi ELM327 device at the moment and it has to be internet connected while using thus limiting it to BT/USB ELM327 devices.


I do also have a MicroPod2 on the way but haven't received it yet.
rdb389 is offline  
 
post #34 of 49 Old 08-30-2021, 09:07 AM
tjacobson01
Registered User
2002 WJ 
 
Join Date: Feb 2017
Location: Gordon
Posts: 23
Garage
I think it can be done... I am continuing to explore... But you should have some experience with embedded systems... Also looks like it might be possible to clone mileage and VIN to a spare speedometer cluster... (93C56 I think)
See the following video:
, it just happens to show at 18:52 a full screen shot of a CHRHX2PN table...
If you rev up "ponyprog" and make a little board with three 4.7K resistors and three 5V Zeners, you might be able to clone the 24LC02 in a SKIM and/or read the PIN... although I am dubious about editing it directly as there might be a checksum.
Now, if somebody can just figure out the hex sequence for an ELM327 to do the "PCM replaced" command as found in a DRB-III, a person should be able to create a spare SKIM, ECM, and Speedo cluster all set with the correct mileage, VIN and PIN so you don't get stuck in Keokuk with a dead WJ.
tjacobson01 is offline  
post #35 of 49 Old 08-30-2021, 11:37 AM
tjacobson01
Registered User
2002 WJ 
 
Join Date: Feb 2017
Location: Gordon
Posts: 23
Garage
Oops... looks like the immobiliser2 (later WJs) is NOT 24LC02 based... back to square one... More to come.
tjacobson01 is offline  
post #36 of 49 Old 08-31-2021, 09:34 AM
rdb389
Registered User
2004 TJ Wrangler 
 
Join Date: Aug 2021
Location: Houston
Posts: 3
Garage
Good info though. Looks like dumping the eeprom is the only real solution to manually extracting the SKIM pin code. Unfortunately my expertise is in industrial automation, so beyond the CAN Bus communication I'm a little more in unfamiliar territory.
rdb389 is offline  
post #37 of 49 Old 08-31-2021, 02:40 PM
tjacobson01
Registered User
2002 WJ 
 
Join Date: Feb 2017
Location: Gordon
Posts: 23
Garage
I was hoping that the 02 WJ speedometer cluster still used a separate EEPROM, but no, that changed too. I opened up one of my junkyard spare clusters and they look to be using the internal EEPROM in the MC68HC08AZ32 sort of thing... just like the Immobilizer2. Perhaps some day I might take a crack at it, using a UPA USB programmer, but have other projects... and would like to see what I could do with a DRB-III anyway.

Thought I might grab a 99-01 Immobilizer that uses the 24LC02 EEPROM and see if I could modify the VIN and PIN (checksum issue I suspect) using ponyprog, and if the PCI protocol is the same as the later Immobilizer2, I might be able to use it as a backup, and/or also as a tool to do the PCM replaced thing with a DRB-II... I made a bench setup with spare PCM, BCM, TCM, and cluster from a WJ I parted out a while back and have the PIN for, so I can try a few things without messing up my actual WJ using my old Snap-on Solus scanner, and my BT ELM327.

rdb389, will be interested in your experience with the Micropod2... please PM me once you get to 10 postings (so this BBS will allow you to PM), or update your profile with your email so I can contact you, would like to discuss that offline.
tjacobson01 is offline  
post #38 of 49 Old 08-31-2021, 03:27 PM
rdb389
Registered User
2004 TJ Wrangler 
 
Join Date: Aug 2021
Location: Houston
Posts: 3
Garage
Will do. I should be able to do a good bit of testing as soon as I get it. The parts guy at the other Jeep dealership was in a good mood today I guess and got me my SKIM PIN without any hassle. I'll be able to log all the commands and responses from the Micropod2. The end goal may even be putting together a basic program that does some DRBIII functions over the ELM327 interface.
rdb389 is offline  
post #39 of 49 Old 09-24-2021, 01:36 PM
Stroker347
Registered User
2004 WJ 
 
Join Date: Dec 2018
Posts: 33
tjacobson01,

If you're still active on this forum I can now confirm that oh2WJ's commands for programming a new key, using the ELM327, work. I recently bought two Chinese Y160-PT keys for about $20 total and was able to program them both to my 2004 Jeep GC without any trouble. As long as you have the IMMO PIN (2 bytes) just send these two commands: 24 C0 27 02 PIN_1stbyte PIN_2ndbyte followed by 24 C0 B4 28 00 00 and that's it! Do a key OFF reset and then try to start the vehicle with the new key. If you were successful it will start and stay running. Also, you can get the status of the programming attempt with the following: 24 C0 22 28 00 00 (will return 26 C0 62 03 00 00 for status = success or 26 C0 62 02 00 00 for status = failure) and 24 C0 22 20 09 00 (will return 26 C0 62 xx 00 00 where xx is the number of currently programmed keys).

Last edited by Stroker347; 09-24-2021 at 05:16 PM. Reason: clarification
Stroker347 is offline  
post #40 of 49 Old 09-25-2021, 09:44 AM
tjacobson01
Registered User
2002 WJ 
 
Join Date: Feb 2017
Location: Gordon
Posts: 23
Garage
Thanks for that Stroker347...

Did a test using DRBIII functions regarding PCM swap. Using my vehicle bench simulator (i.e. SKIM, PCM, TCM, BCM, Speedo, etc. on a hunk of plywood), under DRBIII SKIM misc menu, put a third junkyard PCM in place of my spare PCM (which came from a WJ I parted out and have the PIN for). First time was interesting… DRBIII asked for the PIN, then seemed to change the VIN to some special thing like AAAAAAA…. , then required a key cycle, then came back and asked to transfer VIN from SKIM to replaced (junkyard) PCM. Then asked to transfer the “secret key” (PIN?) to the PCM. So that proves that one can make a junkyard PCM into a ready spare. No SKIM warning on cluster, VIN looks correct in junkyard PCM.

What was interesting was the AAAA... VIN stuff… wish I had unplugged the SKIM and read the VIN before key cycle… might be when you substitute a different PCM in that has a different VIN, it resets the PCM (including SKIM flag?) to a ready to learn generic shelf spare PCM, so one could do this to remove the SKIM… hmmm. Did it a second time, but the VIN of the junkyard PCM was then the same as in the SKIM, so it did not want a key cycle… perhaps they compare VINs of PCM and SKIM beforehand, and if the same, they just check, don’t actually put the PCM into some sort of factory reset learn new VIN and PIN mode… Going to grab another PCM from my local junk yard with same P/N and year, but different VIN, and see if I can repeat it, but being careful to unplug the SKIM after executing the replace PCM command but before key cycle and also take screen shots of the strange AAAAA…VIN if it re-appears.

Also picked up some 1999 SKIMs, one with keys, at my local junkyard that have the 24LC02 EEPROM in them… I am starting to think that one can substitute the older version for a newer version, i.e. perhaps it sends same messages on the bus etc. I see some P/N info that suggests this, Chrysler parts webs say the newer one (that does not have the separate EEPROM but uses EEPROM built into the embedded Moto 680X processor) is a substitute for older P/N… If this is the case, one should be able to hack a 1999 SKIM (using two Zeners and two 4.7K resistors and PonyProg to make a USB programmer) and use it (as a ready programmed spare) for a later 00-04 vehicle. Would love to find a copy of the 24LC02 bin from an unprogrammed factory replacement SKIM (i.e. one that has never been plugged into a vehicle)... as when I did the DRBIII SKIM misc SKIM replaced command it refused because it said the SKIM was already programmed and could not be changed... yet I have read someplace if you use the correct PIN with a new replacement SKIM you can reuse the existing transponder keys... Or, if one can figure out the checksum method and location one could just tweak the existing 24LC02 bin... Also want to try clearing the entire 24LC02 to however the chip comes new (I suppose FF or 00) and see what it does... might buy a new 24LC02 from Digikey and see what it looks like... you never know, perhaps the SKIM initializes it...

More to come sometime... right now time to finish all those summer projects outside before the snow falls....

T.
tjacobson01 is offline  
post #41 of 49 Old 09-25-2021, 01:21 PM
Stroker347
Registered User
2004 WJ 
 
Join Date: Dec 2018
Posts: 33
tjacobson01,

You have an impressive test bed setup! You can reuse existing transponder keys with a new SKIM as long as it has the same VIN as the one for which the keys were programmed. Just execute the programming commands with an existing key in the ignition and its Key ID will be added to the programmed keys table in the SKIM EEPROM. You can also erase the table of a programmed SKIM using the Secure Access command: 24 C0 27 02 PIN1st PIN2nd followed by: 24 C0 B4 28 03 00. Existing keys can be added back or blank keys added using the 24 C0 B4 28 00 00 command for each one. Also, if you want to read data from the SKIM's EEPROM use the Secure Access command followed by: 24 C0 A3 08 xx 00 where the EEPROM address 08xx is then read (range 0800 to 09FF but only up to 08FF is programmed). Unfortunately, only three bytes are returned for each command. Similarly you can write one byte of data to the EEPROM using the Secure Access command followed by: 24 C0 A0 08 xx yy where xx is the address LSB and yy is the new data.
Stroker347 is offline  
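
Added example, not part of any post in this thread: a small decoder for a saved capture of SKIM diagnostic traffic (such as the command/response log mentioned in post #38) that labels each frame, keeps PIN bytes out of the output, and lists key-table and EEPROM operations for review. It relies only on the byte patterns quoted in posts #39 and #41; the function names and the sample capture are constructed for illustration.

```python
# Added example (not from the thread); function names are hypothetical.
SENSITIVE = {"program_key", "erase_key_table", "eeprom_read", "eeprom_write"}
# Fixed request bytes after the 24 C0 header, as quoted in the posts.
FIXED = {"b4280000": "program_key", "b4280300": "erase_key_table",
         "22280000": "status_request", "22200900": "key_count_request"}

def classify(frame, last_request=None):
    """Return (label, detail) for one frame given as a hex string."""
    try:
        b = bytes.fromhex(frame)
    except ValueError:
        b = b""
    if len(b) != 6:
        return ("malformed", None)
    if b[:2] == b"\x24\xc0":
        if b[2:4] == b"\x27\x02":
            return ("secure_access", "PIN redacted")  # never echo PIN bytes
        if b[2:].hex() in FIXED:
            return (FIXED[b[2:].hex()], None)
        if b[2:4] == b"\xa3\x08" and b[5] == 0:
            return ("eeprom_read", "0x08%02X" % b[4])
        if b[2:4] == b"\xa0\x08":
            return ("eeprom_write", "0x08%02X" % b[4])
        return ("unknown_request", None)
    if b[:3] == b"\x26\xc0\x62" and b[4:] == b"\x00\x00":
        # Both queries get the same reply shape, so the prior request decides.
        if last_request == "status_request":
            return ("status", {3: "success", 2: "failure"}.get(b[3], "other"))
        if last_request == "key_count_request":
            return ("key_count", b[3])
    return ("other", None)

def audit(log_lines):
    """Decode a capture. Each alert is (line, label, detail, seen_secure_access),
    where the last field says whether a Secure Access frame came earlier."""
    events, alerts, last_req, unlocked = [], [], None, False
    for n, line in enumerate(log_lines, 1):
        label, detail = classify(line, last_req)
        events.append((n, label, detail))
        unlocked = unlocked or label == "secure_access"
        if label in SENSITIVE:
            alerts.append((n, label, detail, unlocked))
        if line.strip().startswith("24"):
            last_req = label
    return events, alerts

SAMPLE_LOG = [  # constructed capture; the PIN bytes are placeholders
    "24 C0 27 02 00 00", "24 C0 B4 28 00 00", "24 C0 22 28 00 00",
    "26 C0 62 03 00 00", "24 C0 22 20 09 00", "26 C0 62 02 00 00",
    "24 C0 A3 08 10 00"]
```

Note that the reply 26 C0 62 02 00 00 means "failure" after a status request but "two keys programmed" after a key-count request, which is why the decoder tracks the preceding request.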
post #42 of 49 Old 09-26-2021, 09:15 AM
tjacobson01
Registered User
2002 WJ 
 
Join Date: Feb 2017
Location: Gordon
Posts: 23
Garage
Regarding the last sentence in your post, " Similarly you can write one byte of data to the EEPROM using the Secure Access command followed by: 24 C0 A0 08 xx yy where xx is the address LSB and yy is the new data." I wonder, does it automagically update the checksum in the 24LC02 (assuming there is a checksum) as well? If so, that would provide a way to change the VIN and PIN in a 1999 SKIM module, having read the SKIM module one wants to clone using PonyProg and thus knowing locations and coding of the VIN and PIN bytes (as noted by me in post #34 regarding finding PIN in the 24LC02).
tjacobson01 is offline  
post #43 of 49 Old 09-26-2021, 10:49 AM
Stroker347
Registered User
2004 WJ 
 
Join Date: Dec 2018
Posts: 33
Once you have read the 24LC02 EEPROM I believe the PIN is located at byte position 7 & 8, but it's encoded. I'm sure that I have the decoding information. I'll dig through my documents and see if I can find it and then I'll post it, as well as confirming the location of the PIN. Assuming that the 1999 SKIM has the same code routines as the later SKIMs you should be able to use the commands I previously posted to change the PIN and the VIN through the OBD2 port. However, it would be easier and faster to use an inexpensive 24LC02 programmer to rewrite the EEPROM directly to the chip.
Stroker347 is offline  
post #44 of 49 Old 09-26-2021, 11:25 AM
tjacobson01
Registered User
2002 WJ 
 
Join Date: Feb 2017
Location: Gordon
Posts: 23
Garage
In my post #34 above, I mention the CHRHX2PN table.. and they show in the video referenced how to interpret it... But they discuss reading, (and perhaps cloning), but not altering the 27LC02 contents... Do you know if there is a checksum in the 27LC02? If I were doing it, I would put a correction code as well, so even if there was some cosmic ray that went by and flipped a bit, you could still drive the vehicle ;-) Wonder also, where the VIN and PIN are located in the MC68HC08AZ32 EEPROM used in the 00-04 SKIM units... assuming that the ELM327 hex command sequences remain the same... I suppose one could use the ELM327 hex read command to walk through the entire MC68HC08AZ32 EEPROM and then gander at it to see if one could identify where the PIN and VIN are located...(Might just be that they used the same data structure as the 99 SKIM) and/or compare with one a person is trying to clone as a spare.. (I don't want/need to make a SKIM for an unknown vehicle, just want to clone my running SKIM to make a spare SKIM ready to go in case of zombie apocalypse ;-).... and am too lazy to buy/make a MC68HC08AZ32 programmer... BTW, thanks for your excellent comments
tjacobson01 is offline  
post #45 of 49 Old 09-26-2021, 05:39 PM
Stroker347
Registered User
2004 WJ 
 
Join Date: Dec 2018
Posts: 33
MC68HC08 Mask ID 0L72A EEPROM file

Attached is the EEPROM data (0800 to 08FF) from an IMMO 3 (MC68HC08AB16A with internal EEPROM) for a 2004 Jeep GC. The offset in the image starts at 0000 (without the extra zeros) but the actual offset is 0800. The EEPROM bytes from 0900 to 09FF are all FF and not shown. The PIN bytes are at 0007 & 0008 in the image and the VIN is from 00C0 to 00D0. Location 000B is the number of keys programmed (01) and 0040 to 004B is the key ID. To clone your SKIM you need to copy all the EEPROM bytes from 0800 to 08FF to the clone because some of the other data is used for encoding/decoding messages between the SKIM and Key Transponder and probably the PCM. I have done this successfully with EEPROM data from my Jeep copied to a junkyard SKIM from the same year vehicle. Afterwards, I programmed a blank key to the clone while on the benchtop (i.e. without connecting it to the vehicle or a PCM) and the new key ID was added to the EEPROM table and the number of programmed keys was incremented. Having received no error messages and with the new key acting just like the previous existing key, I then programmed it to my Jeep in order to add it to its key ID table. The VIN and encoding data were already transferred to the key from the clone so it would look like a previously programmed and deleted key to the vehicle. After programming, the new key started the vehicle and it continued to run with no DTC errors occurring. I then successfully repeated the process with a second blank key.
I still have to look for that information for the 24LC02 but it sounds like you may already have the decoding data.
Attached Thumbnails
0L72A_CB_EEPROM.JPG  
Stroker347 is offline  