Working with Immobilizer software for virginizing files

Many people have asked us about using immobilizer programs like Immo Killer v1.0, also Immo Killer v1.1 and Immo Cleaner v2 (OtoCheck) and Immo Tool software.

To fulfill these requests, we will publish here the basic immobilizer reset procedure by using external tools, not the included functions on those programs, as many of them are undocumented or use custom hardware not available commercially.

This procedure will also apply for the Toyota Virgin Dump collection, which is a group of files called dumps, as they were “dumped” out of the chip containing it, by using an EEPROM programmer (EEPROM = “Electronically Erasable Programmable Read Only Memory”, from now on, “EPROM”) to read such contents and not generated in any other way. These “dumps”, are original software as it comes in a brand new ECM, with the potential of resetting the ECM to register new keys. Just like a brand new ECM. In this category, there is also the 2005-2008 Toyota Corolla file and the 2001-2003 Toyota RAV4 File.

SOME BACKGROUND

The automotive immobilizer system use encrypted digital codes and transponder key data to allow the system to recognize the vehicle owner’s ignition keys and disallow the engine from starting with any other key, no matter if it is an exact copy of the original keys. The code data used for such process is stored in a memory chip inside the key (no batteries needed) and in a serial EPROM, located either internally or external to the engine ECU (Engine Control Module). These two memory locations (key and module) are the ones compared by the immobilizer system when a key is inserted and engine starting is attempted. If codes in the key do not match codes in the ECM or ECU, the engine will not start.

In most cases, the chip used as storage memory for the codes in the ECM, is an SMD (surface-mount device) serial EPROM from one of the following families:

  • 24C0x (ex: 24C02, 24C04, 24C08, etc.)
  • 250xx (ex: 25020, 25040, 25080, etc.)
  • 93Cxx (ex: 93C46, 93C56, 93C66, etc.)
  • 950xx (ex: 95020, 95040, 95080, etc.)

In other cases, it is stored in the main micro-controller unit of the ECM, making it harder to work with. In this document, we are covering only the EPROM type.

EPROM type immobilizers,as mentioned earlier, can be installed in the ECM or external to it, putting it in separated module, known as the transponder ECU, transponder ECM or just, immobox.

EPROMs family listed above, are all tiny 8-leads memory chips, measuring around 5mm x 4mm and the differences among them are memory size, communication algorithm, communication speed capacity (in KHz or MHz), voltage and temperature, among some other minor factors. All you need to know about it, is how to configure your programmer to read and write these chips, nothing else, unless you are designing a system. For resetting the immobilizer, you will only need to read and/or write the data inside the particular EPROM.

PROGRAMMER

For the programmer (device programmer or EPROM programmer), you may use any available, as long as it supports reading and writing the serial EPROM(s) you will be working with. There are many inexpensive equipment out there and it is fine to buy them, but if you are going to be doing this in a frequent basis, the best investment is to purchase a programmer that supports as many as possible EPROM families, with capability of upgrading or updating it through software.

I have been asked about the Willem programmer. There are many versions of such programmer and it is quite economical. If you are going to invest on it, first make sure that it supports your devices, either by checking its compatible devices list or by contacting the manufacturer. I can not responsibly give my opinion here on Willem programmers, as I have not had any personal experience with that brand, though either for good quality or for its prices, it seems to be preferred by lots of people on forums that discuss similar topics. Examples of Willem programmers are listed below.

CONNECTION

The first obstacle that you might find will be how to connect or interface the immobilizer EPROM to the programmer, so it can be read and/or written. The device (EPROM) is an SMD (Surface Mount Device) chip, which means it has no leads (or at least too small leads to be inserted anywhere) and it is very small in overall size. At the right, you will see an example of an SMD SOIC chip, where Pin or Lead #1 is identified.

On the other hand, the programmer is a large device (pictured above) and it has a ZIF (Zero Insertion Force) socket, ready to accept the chip’s bigger cousin, the DIP or DIL (Dual In Package or Dual In Line) devices, which have 8 larger leads or pins (example pictured below).

Since the SMD (SOIC-8) EPROM chips are used more frequently, you will need a way for connecting those SMD chips to the programmer for doing the job. There are several ways of doing it, of which, we present the best two ways here. We call these the best two ways, because they both can be done without removing the EPROM from its circuit, which would require electronics soldering skills. Also, using other ways could offer some risks, like damaging the device by overheating it, static electricity discharge damage, braking it in the attempt of removing it and the less taken in care, loosing it. Yes! Loosing it! Several times I have removed the chip from the circuit, it has fallen to the floor and somehow seems like it found a breach to a wormhole!!… totally disappeared without having the opportunity of at least reading it so it could be duplicated. If you stick to any of these two methods, you will never loose a chip.

METHOD 1 – SMD SOIC-8 Clip

The first method is by using the famous SMD SOIC-8 clip. It is a clip manufactured either by Pomona (picture below) or by 3M Company. The clip will press and connect all 8 contacts at the same time against the chip’s small leads. It will have a terminal at the other side, which can be inserted in your EPROM programmer’s socket.

If you do not have the full SOIC-8 connection setup, you may just solder 8 wires to a DIL (Dual In Line) male terminal, so it can be inserted in your device programmer like if it was a normal DIL package chip. Pin order must be followed. An assembled example is below.

Watch out for Chinese replicas of the SMD SOIC-8 clip sold over the Internet, like eBay. Chinese replicas are not the same hardware. Those are manufactured with very low and bad quality materials. With Chinese replicas, you will have a hard time connecting it to the chip. Once connected, you will have problems reading it because of misalignment of the contacts. The plastic or polymer used is very weak and will not stand more than a few uses before braking apart or not working any longer. If buying this SOIC-8 clip from eBay or any other B2B market or Internet store, either alone or with assembled terminals, just make sure it is from the “Pomona” (preferred) or “3M” brand.

You may choose to buy the clip alone and construct the ribbon and terminal yourself, or you may buy it fully assembled and ready to use. Though doing it yourself could be a nice electronics learning experience, sometimes all you need is to get the work done quickly. Below you will find units already assembled. You will notice that these days, such units are not expensive at all.

If you decide to construct the interface cable yourself, you will need the SMD clip, some parallel wire from an old hard disk or floppy drive data cable, two 4-pin headers and a small piece of perforated pcboard (proto-board). Just make sure to connect pins 1 through 8 of the terminal in the right order, aligned with pins 1 through 8 of the SOIC-8 clip. The illustrations below are example to give an idea.

You will need to splice the ribbon first. It usually has 40 wires in parallel or so and you will just need (2) 4-wire ribbons. So, if the ribbon has any terminals, just cut them off.

Count 8 wires from either edge of the ribbon and do a small cut in the separator between wires (A). Pull away the now 8-wires ribbon (B) and in the same way you separated the 8 wires from the main ribbon, separate each one of the 8 wires (C) to a small length at one of the ends (D). Now do the same in the other end of the now 8-wire ribbon, but this time, pull a little bit longer the wires being separated (E). That longer wires will be spliced and soldered in the clip’s terminal.

Make sure that you configure the wires in the sequence described below. That way, the ribbon cable can be used in a linear way and will not need to be folded later. Mark wire #1 in red or any other color so it can be distinguished, as you will need to know it when reading and/or writing to EPROMs.

Conductors at the other end of the ribbon will need to be spliced and each wire soldered on the DIL-8 terminal, matching wire numbers with Pin numbers. Use an ohmmeter or continuity tester to make sure that (1) the wire numbers match with pin numbers and (2) that there is no continuity between each one of the contiguous pins. Otherwise, it means that a short circuit is present.

Below is a picture of a typical homemade SMD SOIC-8 clip and how it is engaged over the target SMD chip to be read and/or written.

I am showing this information in case you wish to do it yourself, but after seeing all the hassle of making your own SMD clip ribbon, you might take it as a challenge (newby-like) or consider buying an already made ribbon (production mode). These are not expensive, already error free and ready to be used.

METHOD 2 – Micro Pincers

The other method is by using micro pincers. Again, the same advice about replicas. I have tried some made by Pomona and also tried some Chinese replicas. I had a hard time with replicas. Pomona’s brand was very good, but the ones that performed best were the HP brand pincers. Yes, Hewlett Packard.

With the micro pincers, you will be doing the same as with the SMD clip, but instead of pressing all 8 pins together, you will need to connect the 8 pins one by one. In no time you will master the technique and believe me, it is way more reliable than the clip or any other method, as the pincers are designed to grab each one of the tiny leads of the chip, without shorting them. Once it is locked, it will read and write flawlessly.

NOTE: Please do not confuse micro pincers with micro grabbers. They are not the same. Micro grabbers are not intended for SMD devices. The micro pincers are. The difference between both connectors is that micro pincers are “Y” shaped when opened and the micro grabbers are “J” shaped when opened. We need the ones with the “Y” shape. A comparative example is below.

This is my favorite method of accessing SOIC-8 chips. It is in-circuit and very reliable at the same time. When using the previously described method with the SMD clip, I have had a good experience, but sometimes you will need to play with it a little bit and accommodate it more than once to reliably connect to all eight leads of the chip. Every EPROM package is slightly different from type to type and from manufacturer to manufacturer and some will not allow the clip to grab them reliably. The lower the physical profile of the device to be accessed with the clip, the more difficult it might be to successfully be connected. In some other cases, the leads of the chip will have materials that might prevent from good electrical contact, such as the cases where an anti-corrosion treatment has been applied to the circuit board. The most common one, silicon protection.

For constructing the same ribbon using micro pincers instead of the SOIC-8 clip, the process with the ribbon will be the same, with the exception that instead of the SOIC-8 clip terminal, the 8 wires will individually have a connector or terminal. It is very important that you number every pincer accordingly from 1 through 8, or use color coded wires. Otherwise you will be lost at the moment of connecting them to an EPROM for programming. Below is an example of a typical homemade micro pincer setup with a ribbon.

Performance of the SOIC-8 clip relies basically in the contact it makes to the chip’s leads and the cleanliness of those leads. Even when it has more surface contact than the micro pincers, many times, the contact area on the chip will likely be coated with an anti-corrosion material like silicon. Other factors are as already discussed, chip type and manufacturer and the total pressure that the clip can exert on the leads of the chip. Sometimes, due to deformities in the chip or the clip, it can not put the same pressure to all the leads, making it strong in a few leads and weak in the others.

The micro pincers will connect from the sides of the leads, which is less electrical connection area, but will do with larger force per lead than its counter part, needing not to be balanced or accommodated as hard as the SOIC-8 clip.

Below is an example of a micro pincers “spider” connected to an EPROM to be programmed.

DATA MANAGEMENT

So you might be asking by now, what will I read or write to the EPROM chip once I successfully connect it with either method? Well, you will need to write the particular virgin file of that model, if it is readily available, or will need to use any of the software titles intended to “virginize” the files first and then write the “viginized” file.

Let’s explain it in more details, but before doing that, I would like to make 5 very important points here.

A. While you are working with EPROMs in-circuit, it means that you will access the device with the hardware you have (clip or pincers, plus device programmer), but it also means that you will access part of the rest of the ECU circuit because the device (EPROM chip) is still soldered on the circuit. There are no concerns of damaging the ECM circuit, as the signals used by programming devices are safe, but please, make sure that the target device is connected or interfaced the correct way, which means lead 1 of the clip with lead 1 of the chip and so on.

B. The second point I would like to stand out is that when you are programming in-circuit, you are transferring data from your PC, through your programmer to the target device, which is a serial EPROM in this case. Such data can be corrupted before it reaches its target. The main reason for this is (1) a bad connection or (2) the crystal oscillator getting in the way. The crystal oscillator or the “crystal”, is an electronic component made primarily of quartz and encased in a protective metal package. It is used to provide the clock signal to the Micro-Controller, just like a pacemaker does to the heart. Without power, the MCU is completely off, but when programming a chip, in some cases, power from the programmer will go through our interface to the chip to be programmed in the ECM and to some other circuits of the ECM. If that power reaches the MCU, it will attempt to start working and communicate with the target EPROM, corrupting the data we are sending. We can avoid this by putting a jumper or a capacitor across the two leads of the crystal. The crystal is always close to the Micro-Controller. An example is shown below, where a 2-MCUs ECM is being programmed. The crystal that was bridged with a capacitor.

C. The third point is connection reliability. Before reading, writing, burning, zapping or whatever you wish to do to the EPROM, once connected, you will first need to make sure that connection is ok. You will do that by connecting an EPROM to your programmer and selecting the EPROM type. Then, do a quick confirmation by reading the EPROM you connected. Once read, notice the 4-digits checksum (32-Bits) and read the EPROM again two more times while looking at the checksum. If the checksum stays the same all three times, then it is well connected and ready to start working. If checksum fluctuates, then something is wrong. It may be caused either by a loose connection of the device to the programmer, by a crystal not been bridged, by bridging the wrong crystal if there is more than one or simply by selecting the wrong device from the programmer’s list.


D. The fourth point is to always be aware where pin #1 goes. If you are going to remove or replace an EPROM chip, note where pin #1 goes. The same when reading and programming EPROMs. Pin #1 will tell you where the count starts and will be the reference point on how to put the clip or locate each one of the micro pincers. Get used to always note where pin or lead #1 is located.

E. The fifth and last point is ALWAYS BACKUP FIRST! It does not matter what kind of work you will be doing with the EPROM, always save a backup copy of the file inside it first. If for any reason, you need to put it back in the same condition as it was handed to you, you will need a copy of the original images of that EPROM chip. Get used to do backups and avoid a future nightmare!

With practice, we learn how to recognize certain parts of the file inside the EPROM, like keys, VIN numbers, Odometer settings, whatever is stored in those EPROMs, although, it is not always easy, as most of the data could be encrypted. One good practice is to compare and observe original files against files that come in brand new ECMs.

The process to “virginize” or reset the immobilizer is as mentioned earlier, as simple as writing the right file in the immobilizer EPROM. So if you already have the needed virgin file, the steps are as follows:

  • 1. Locate the immobilizer EPROM, either in the ECU or in a separate Immobox
  • 2. Set your programmer by choosing the EPROM type and the virgin file to be loaded in memory. Some systems will only allow to reset the immobilizer and some will allow to totally eliminate it. When eliminated, you can cut any standard key and that will be enough to start the car. If reset, you will need a programmed key which is compatible with the vehicle’s system so it get automatically registered by the just reset immobilizer, allowing it to start the car.
  • 3. Bridge the crystal of the ECU or Immobox
  • 4. Connect your interfacing hardware to the target EPROM and do the read test to check for good connection.
  • 5. If connection is ok, load in memory the needed virgin file from your hard disk and write it to the immobilizer’s EPROM.
  • 6. Do a new read test, but this time to check if the file was written correctly. The checksum should be the same as when loading the file from disk. If it changes, it is possible that (a) EPROM was selected wrong from the programmer’s list, (b) the EPROM is write protected (only newer EPROMs) or (c) the EPROM is damaged. There is no possibility of a bad connection here if the read first test was passed. Also, if the checksum is different from the checksum when loading the file, but it reads three times the same now, it is not a connection problem. Data simply was not stored right because any other reason.
  • 7. If read test is ok and checksum matches, then the ECU or immobox will be ready to be reinstalled in the car.

If you do not have the virgin EPROM ready, but have a software like immo killer, immo tool, immo cleaner (otocheck), etc, then you will need to look in the list of the software and see if the application (vehicle) you are working with is present in that list. If it is present, then you will need to do the above procedure, but in step number 5, the procedure would be:

  • 4. …See above…
  • 5A. If connection is ok, then run the immobilizer virginizing software you have.
  • 5B. Select the application from the software list. If you are working with a 1998 Toyota Camry for example, select so from the list if available.
  • 5C. Read the file from the ECU or immobox with your programmer and save it in a file with the extension “.bin”. For example 98Camry-no-virgin.bin
  • 5D. Load the just saved file with the virginizing software and select “Fix” or “Clean” or whatever button they have to start virginizing the file.
  • 5E. After one or two seconds, the file will be virginized in the memory of the software. Save a copy in your hard disk, again with the “.bin” extension. For example: 98Camry-virgin.bin
  • 5F. Load the just virginized file from your hard disk to the programmer’s memory and write it to the immobilizer EPROM.
  • 6. …See above…

SOFTWARE

There are several software titles out there intended mainly for virginizing the immobilizer system. Many have lots of files or fixes in common. There are other files or fixes that will be unique to that software. For example, Immo Cleaner v2 (OtoCheck) will have the same Toyota files that Immo Killer v1.0 does, but in its Toyota list, Otocheck will cover a few more models. As another example, ImmoKiller will be very similar to ImmoTool, but Immotool has a Toyota key generation tool that Immokiller lacks. The best would be to have a copy of each one I guess, though it would be somewhat expensive.

You may also like...

3 Responses

  1. jesus garcia says:

    is there any immo killer software for jeep, chrysler and dodge?

    thanks.

  2. steve says:

    hi I used a willem programmer to read a 95080 3 chip which reads from 0 to 3ff which have all ff then the rest is shaded with all ff could this chip be wright protected and if so what would happen if I put 5volts on pin 3 which is wright protect pin would it unlock it so that I can read it with my programmer

    thanks steve

  3. ökröM says:

    Thanks for this article, that solved my connection problems (Especially capasitor bridge).

Leave a Reply

Your email address will not be published. Required fields are marked *

*