RFID Toys: A forum for RFID hobbyists and enthusiasts
Immobilizer bypass project
Alex (Newbie)
Joined: 10 January 2010, Location: Italy, Posts: 11
Topic: Immobilizer bypass project
Posted: 10 January 2010 at 4:17pm
Hi, I've already posted something in the comment section of this blog post: http://blog.amal.net/?p=292.

Basically what I'm trying to do is to somehow bypass my bike's immobilizer system to be able to start her with a simple 125 kHz tag (I'm planning to do an implant in my hand like most of you already did :) ). Amal showed me that immobilizer bypass kits already exist; in particular this type caught my attention: [image] Basically it has a space where you have to put your original key, a coil which reads the tag in the key, and then it uses the original coil of the car to read the new tag. If it is a correct one, it uses the original tag and sends it to the original transponder reader. What I'm trying to realize is something like this, possibly without leaving the original key. I don't know how exactly the tag reading process works, but I think that it could be complicated to emulate the original key, or nearly impossible if it has some encryption system (variable codes? I don't know anything about this stuff, but I love to learn as much as I can, so I'll try to inform myself). I found that immobilizer systems usually use the 125 kHz frequency, so I could use the same coil without adding anything visible on the outside. Another solution could be to emulate the signal from the transponder reader to the ECU (like this kit does: http://www.bypasskit.com/product.aspx?prodid=CANMAX400&catid=15); maybe this could be simpler with a microprocessor, but I don't know anything about the signal that comes out of my bike's reader, and I don't have enough instruments to study it.

I post the wiring diagram for the immobilizer part, maybe it comes in helpful somehow... oh, it's in Italian, I'll translate the legend for you:
1. ECU
2. Chassis ground
3. Dashboard ground
4. Waterproof junction
5. Fuse box
6. ECU fuse 10A
7. Start fuse 10A
8. this is the connector that goes to the diagnostic pin
9. Key switch
10. Antenna
11. what they call "immobilizer amplifier", I think it's just a reader which communicates with some communication standard to the ECU
12. Waterproof junction
13. LED on the dashboard
14. dashboard
15. relay box
16. ECU's main relay
17. main fuse 30A
18. 12V 8Ah battery

Here I put everything I know so far. If anyone has advice, observations or anything else, just let me know :P

Edited by Alex - 10 January 2010 at 4:17pm
amal (Admin Group)
Joined: 22 November 2005, Location: United States, Posts: 1530
Posted: 10 January 2010 at 4:35pm
Hmm yeah, I'd be very interested to see what the Y, LG, and V lines coming from box 11 do when the key is inserted and rotated to the accessories position. I think you are correct that box 11 is the entire RFID reader and it is only reporting key data back to the ECU; however you might also find that it may be performing the entire authentication process and only reporting basic electrical signals back to the ECU.
If you have an oscilloscope, I would be interested to see what those Y, LG, and V lines do... watch them during each phase of the key rotation from dead to accessories to actually starting the bike. If you don't have an o-scope, start with a simple volt meter and simply measure the voltage on those lines from ground and see if they are simple 0v / 12v signals. If your voltmeter is digital and can accurately measure pulsed DC signal levels, and supports a min/max function, you may be able to set it to record the max value and catch either a 3v, 3.3v, or 5v signal voltage... which would tend to indicate data of some sort. Only RS232 serial communicates with +12/-12 signals, and that would never be used in equipment like this.
Amal ;)
www.amal.net
Alex (Newbie)
Joined: 10 January 2010, Location: Italy, Posts: 11
Posted: 10 January 2010 at 11:22pm
The LG and V lines go up to 12V when I turn the key, and stay that way (I only used a voltmeter on these two).
On the Y line, using a voltmeter, I saw that it goes to a HIGH level for a very short period (it indicates more than 10V, but I don't trust it too much for a signal so short). I only have analog oscilloscopes with no memory, and from what I could see it's definitely a digital signal. (Yes, there was no need for an oscilloscope to guess that :P) As soon as I can put my hands on a digital oscilloscope with memory, I'll dig more.
amal (Admin Group)
Joined: 22 November 2005, Location: United States, Posts: 1530
Posted: 11 January 2010 at 9:06am
Hmm, the Y line spikes over 10v? Is that what the o-scope confirmed? That just seems like an odd voltage for data to me. If you have a decent video camera that you can set to record at a high frame rate (many consumer cameras can do this), you could video the screen and replay it (a crude form of "memory") slowly to verify the signal.
Also, I would go to the hardware store and get a physical copy of the bike key made that does not have the RFID transponder and then use that to turn the key switch while monitoring the Y line... or I guess you could try wrapping your factory key head in tinfoil to try and block the signal... just to see what the difference might be in the Y line. If there is a notable difference, then you're probably on the right track to being able to emulate the data signal going to the ECU.
Amal ;)
www.amal.net
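Alex asked above whether the key might use "variable codes", and Amal's point is that what matters is whether box 11 merely forwards key data to the ECU or performs the authentication itself. The following added example (not from this thread, and not any real immobilizer protocol; the tag ID, the shared key and the 8-byte nonce/response sizes are all constructed) models both designs and shows why a captured static report replays against the ECU while a challenge-response exchange does not:

```python
import hashlib
import hmac
import os

# Constructed values for the model; nothing here comes from a real bike.
TRANSPONDER_ID = b"\x4a\x1f\x9c\x02\x77"                        # made-up 40-bit tag ID
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # made-up 128-bit key


# Design A: the reader only puts the tag ID on the data line, the ECU compares it.
def reader_report_id(tag_id: bytes) -> bytes:
    return tag_id


def ecu_accept_static(line_bytes: bytes, known_id: bytes = TRANSPONDER_ID) -> bool:
    return hmac.compare_digest(line_bytes, known_id)


# Design B: the ECU sends a fresh nonce; the reader/tag answers with a MAC over it.
def ecu_challenge() -> bytes:
    return os.urandom(8)


def reader_respond(nonce: bytes, key: bytes = SHARED_KEY) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()[:8]


def ecu_accept_challenge(nonce: bytes, response: bytes, key: bytes = SHARED_KEY) -> bool:
    expected = hmac.new(key, nonce, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, response)


def replay_against_static() -> bool:
    """Record the line once, feed the same bytes to the ECU later: accepted."""
    captured = reader_report_id(TRANSPONDER_ID)
    return ecu_accept_static(captured)


def replay_against_challenge() -> bool:
    """Record one valid exchange, replay its response to a new challenge: rejected,
    because the ECU's nonce differs (collision chance is 2**-64 for 8-byte nonces)."""
    captured = reader_respond(ecu_challenge())
    return ecu_accept_challenge(ecu_challenge(), captured)


if __name__ == "__main__":
    print("static report replays:", replay_against_static())
    print("challenge-response replays:", replay_against_challenge())
```

The model also shows why Amal's "key copy without transponder" test is informative: under design A the line simply carries no (or different) ID bytes, while under design B the reader cannot produce a valid response at all.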
Alex (Newbie)
Joined: 10 January 2010, Location: Italy, Posts: 11
Posted: 11 January 2010 at 9:18am
No, that's what the voltmeter indicated. I didn't pay too much attention to the oscilloscope scale; if I remember well it was set to 5V/div and the signal took only one division, but really I'm not sure, I'll try again tonight.
Yes, I have a digital camera and it records up to 60fps, not so much but always better than the human eye; I'll try that way.
I'll follow all of these suggestions you gave me and then I'll post the results, thank you
amal (Admin Group)
Joined: 22 November 2005, Location: United States, Posts: 1530
Posted: 11 January 2010 at 9:19am
Cool :) Looking forward to hearing the results!
Amal ;)
www.amal.net
Alex (Newbie)
Joined: 10 January 2010, Location: Italy, Posts: 11
Posted: 11 January 2010 at 3:35pm
Well, I'll start by saying that I have absolutely no idea how to use an oscilloscope. :) Now that I've told the whole truth :P, I can post the videos. They're recorded at 60fps; if you want I can post single frame pictures, but they don't seem useful to me. The wire colors are different from the wiring diagram: 2006 was the first year they introduced the immobilizer and the last year for that model, so there are no correct diagrams for it. In fact, from the 2007 model there is a new ECU and the electrical connections are slightly different, for example the immobilizer amplifier is located under the dashboard. The yellow wire remains yellow, and so do the brown/white for +12V and the black/yellow for GND, but the LG (light green) wire on my bike is orange/black, and the violet wire is blue. I made these 3 videos, try to take a look and tell me if you can understand something, I personally do not. :S From the yellow wire comes a +5V signal, from the other two a 12V signal. I still can't figure out what those 2 wires are there for…
amal (Admin Group)
Joined: 22 November 2005, Location: United States, Posts: 1530
Posted: 12 January 2010 at 2:23am
Nice videos :) It really looks like a nice o-scope too... too bad it's got no memory :( Anyway, it looks like a standard 5v data signal is coming out of the reader and heading into the ECU... either that or... hmm, can you by chance disconnect the yellow wire from the ECU and test the data stream from both sides... just to see which direction data is flowing?
You might also be able to just tap the yellow wire and dump it into a 5v TTL to RS232 (or TTL to USB) adapter and fiddle with the baud rate to see if you come up with any clear data. As for the other two wires, I'd play with the timing a bit to see if you can't find out what's going on there. Also, it may be that the ECU is signaling the reader to power up the antenna by pulling one line high. The other line might be an indicator that the ECU is ready to receive data. Finally, have you been able to try watching the Y line data when a simple key copy (without RFID tag) is used? I'd be interested to see if the Y line stays silent... however it could also send different data in the event a non-authorized key was used to turn the key switch.

Edited by amal - 12 January 2010 at 2:23am
Amal ;)
www.amal.net
Alex (Newbie)
Joined: 10 January 2010, Location: Italy, Posts: 11
Posted: 12 January 2010 at 5:31am
It's impossible to disconnect a single wire unless I cut it; I can disconnect the amplifier connector and see which wires are outputs from the ECU.
I tried with an Arduino and I came up with no result at all, but I was using some components to step down the voltage (I was thinking that it was a 12V signal). I'll try tonight with a direct connection.
No, I forgot. I'm going to try this too. :)
Alex (Newbie)
Joined: 10 January 2010, Location: Italy, Posts: 11
Posted: 16 January 2010 at 9:47am
Got something!
No luck with the serial connection, I tried all rates but nothing came out. Then I tried to use the analog/digital converter pin, and this came out (the values are read with 1ms of delay): 0

Now I'm going to make other tries and then I'll go home (warmer than here :D) to see if I can figure out something!

EDIT: Now I tried with a port logger on the PC and no delay (about 100us of ADC conversion), set the transmission from the Arduino to the PC at 256000 baud and this came out; it seems a bit more complex than before, probably it's the tag code!

[long run of raw ADC readings]

Sorry for the length :P

Edited by Alex - 16 January 2010 at 11:10am