Monday, April 2, 2018

Hacking Wifi into a '98 Twingo

Almost everyone has seen the Corsa advert... And I felt like... this could happen to me. I am the proud owner of an old Renault Twingo from '98, which consumes more OIL than petrol (maybe a new hack, on the motor?). Obviously, my Twingo didn't have those fancy modern things like Wifi. But... the car was already quite modern at the time. It had a car remote key (infrared key), electronically controlled mirrors, motor-controlled windows and WFS, also called an immobilizer.
So... what is the immo...bi...liser?
It is a fancy thing that was made mandatory in cars in the year 1998. What does it do? It blocks the car so the car can't move: if the keys "don't activate the car", the car doesn't start... That is the idea.
In my case, one of the keys I had got broken. The key was OK, but the infrared circuit didn't work anymore.
I had a problem. If the other key got lost or broke down, I wouldn't be able to start the car anymore.
My first attempt was to try to replicate the code of the infrared emitter. That didn't work so well... It seemed like they had put a rolling encryption in the key.
So... what do I do, if I can't attack my car from the front? Well... I attack it from behind.

I had seen on the internet that some people were selling a microprocessor that somehow made the car believe it had received the code. But they were selling the microprocessor for 70€.

I knew there was somewhere I could attack and make the car believe it had the code, but I didn't know where. And I didn't have enough tools to find it out. So I bought it. When I got it, I got the instructions to install it... They wanted me to desolder an EEPROM, write a byte 0x00 into file 66, and solder it back to the board computer... WTF? They were selling it like something that you would just connect and it would work, without any problems. Obviously, I gave it back and asked for a refund. The plan I had had been a waste of time, because I had bought something that was too complicated for what I wanted, it was risky, and the instructions didn't match what I wanted to do.
I kept searching on the internet, and found out that someone had found the cable that carried the signal from one of the peripherals to the main computer (I already knew that one of the 20 cables had to carry the signal, but I didn't know which one). I took one Arduino Pro Nano (??) and made a program whose function was to send over serial the time since the last falling edge.

So, first with the help of the Arduino, and then with an oscilloscope my father had lying around (and didn't tell me about until I explained to him what I was doing), I got a signal that looked something like this:
The signal of the car
So, in every project there is a fail, and this project wasn't an exception to the rule. As I didn't want to desolder the cables that were hanging from the receiver, I decided to keep driving with the cables hanging. I went down to a city near where I lived to buy groceries. When I came back and wanted to start the car again to go back to my house, the car didn't want to start. Why?
Well, if you put in a microchip without powering it properly, just using ground and the signal cable, the port registers won't put the pin in a state where it doesn't interfere with the signal. Let's say the signal cable was pulled to ground. And without a way to power the Arduino, there would be no way the signal would get to the computer board of the car and start the car.

The next thing I decided to do was probably the dumbest thing to do. I took a metal scissor I had in the car and cut the cables that connected the Arduino to the receiver. While doing it, I made a short circuit between the 12V line and the microprocessor. A lot of smoke came out, some fuses burned, and a trace of the PCB almost disappeared.
As you can see, a trace is almost burned out.
Anyway, I had a bit of luck, because the car decided to start again. So the microchip wasn't burned, and the most important things still worked fine. I went back home, and I already had a signal I could hardcode somewhere and push over the same cable. I decided to hardcode it into an ATtiny85 and test it over a week, to see if it gave any problems. After a week passed and I saw it didn't give any problems, I decided to put it on an ESP8266 I had lying around.
Before you all see the next pictures, I have to tell you that I made this in my summer holidays, in the house of my grandmother, in Germany. I live in Spain. I didn't have proper tools, resistors, protoboard... I literally had a bare ESP8266, a soldering iron, one Arduino Nano, one ATtiny85, one ISP programmer and one serial programmer. I had to get components from somewhere, and the only place I could get them was from an old TV receiver.
First I made the ESP8266 connections.
Front ESP12E. See the reset button and the GPIO0 programming button?
If you zoom in, you can barely see the 0402 SMD resistors I saved from the TV receiver. Yep... I soldered that.

So the next part was to make something that would still let me use my old keys to open and start the car, and wouldn't interfere with the signal made by the car. The easiest solution? One multiplexer. Did I have multiplexers? NOPE. But I had one TV receiver. Searching, I found 3 quad NAND chips. I made one Karnaugh diagram, to see how I could make one multiplexer from 4 NANDs. The result?
See for yourself:


I forgot to mention, they were also SMD chips. I superglued them to a little sheet of aluminum so they wouldn't move while I was soldering them. I decided to make two multiplexers because I also wanted to control a LED that was connected to the signal panel.
It was time to put it all together and start installing it in the car. I decided to put the NAND gates into a blob of silicone. I would have preferred epoxy, but I didn't have any at hand. I think it was a very bad idea, because when I tested it, the multiplexer for the LED only half worked as I wanted: it did cut the signal of the receiver, but didn't put through the signal of the ESP8266. I couldn't repair it anymore because it was behind a blob of silicone, but I didn't care that much. It was just a LED after all.
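To show what the four-NAND multiplexer above computes (the Karnaugh result is only in the photo), here is a small added simulation of it; this is my illustration, not the author's circuit or firmware. It builds the 2:1 mux from four NAND calls, checks it exhaustively against `sel ? esp : car`, and also models one hypothetical fault (the third gate's output stuck high) that would produce the LED-mux symptom described: receiver cut, ESP signal never passed.

```c
#include <stdio.h>
#include <stdbool.h>

/* One 2-input NAND gate, as in a quad NAND package. */
static bool nand2(bool a, bool b) { return !(a && b); }

/* 2:1 multiplexer from exactly four NAND gates:
 *   g1 = NAND(sel, sel)   -> !sel (inverter)
 *   g2 = NAND(in_car, g1) -> !(in_car & !sel)
 *   g3 = NAND(in_esp, sel)-> !(in_esp & sel)
 *   y  = NAND(g2, g3)     -> (in_car & !sel) | (in_esp & sel)
 * sel = 0 passes the car's own receiver line, sel = 1 passes the ESP8266. */
bool mux2_from_nands(bool in_car, bool in_esp, bool sel) {
    bool g1 = nand2(sel, sel);
    bool g2 = nand2(in_car, g1);
    bool g3 = nand2(in_esp, sel);
    return nand2(g2, g3);
}

/* Reference behaviour the Karnaugh map was drawn for. */
bool mux2_reference(bool in_car, bool in_esp, bool sel) {
    return sel ? in_esp : in_car;
}

/* Hypothetical fault (my assumption, not the author's diagnosis): g3's output
 * floats/reads high, e.g. a bad joint under the silicone. Then y = !g2, so the
 * receiver still passes when sel = 0 but the ESP signal never gets through. */
bool mux2_faulty_g3_open(bool in_car, bool in_esp, bool sel) {
    bool g1 = nand2(sel, sel);
    bool g2 = nand2(in_car, g1);
    (void)in_esp;                 /* g3 is disconnected: reads as 1 */
    return nand2(g2, true);
}

/* Exhaustive check over all 8 input rows; 0 means the gate network is correct. */
int mux2_mismatches(void) {
    int bad = 0;
    for (int bits = 0; bits < 8; bits++) {
        bool in_car = bits & 1, in_esp = (bits >> 1) & 1, sel = (bits >> 2) & 1;
        if (mux2_from_nands(in_car, in_esp, sel) != mux2_reference(in_car, in_esp, sel))
            bad++;
    }
    return bad;
}

int main(void) {
    printf("sel car esp -> good faulty\n");
    for (int bits = 0; bits < 8; bits++) {
        bool in_car = bits & 1, in_esp = (bits >> 1) & 1, sel = (bits >> 2) & 1;
        printf(" %d   %d   %d  ->   %d     %d\n", sel, in_car, in_esp,
               mux2_from_nands(in_car, in_esp, sel), mux2_faulty_g3_open(in_car, in_esp, sel));
    }
    return mux2_mismatches() != 0;
}
```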

The final result:


I made a sweet webpage to open the car and let it start, or stop it from starting, tested it, and it worked quite well. I made space in the plastic cover that used to hold the receiver circuit and put everything in there together. I guess I had the luck that while squeezing everything inside the tiny space I had there, nothing broke down.
Later, in Spain, I changed the regulator from a linear regulator to a switching regulator, which brought the 100mA the system wasted down to 18mA.

Now that I had two keys that would work perfectly, one with any phone and the wifi password, and another normal key, I cut the key and put it into a screwdriver. Just to make it more... hacker-friendly? Or for the lols...
Yeah, I drive with that key.

A few months later I lost my keys, so I guess this hack saved my car from being useless, because I still drive it with the screwdriver.