Yamaha - i made a solution for making master key without need to cut the ECU or MORIC

[somebodynobody]

Hi there!

I found the way for creating the master key from paired ECU & MORIC 1/2 without need of cutting the glue of any of these two. How do you think, is this usefull service nowadays? The only physical difference is that i can make a transponder for red key and i leave ECU & MORIC 1/2 untouched. Do you think it can be treated as real added value to the service, compared to the service that usually leaves a traces of interference in the device? Thanks for your suggestions, any idea or advice.

Sincerely,
Maciek

[sv2hqx]

Hi there!

I found the way for creating the master key ................................


Maciek

sure is very useful as it will be faster ,safer,and a untouched ecu
interesting

[avital]

It simple over by immo communication protocol , immo when is like NEW state read someone from ECU i have this solution more than 10 years it is nothing new, there are many solutions to other immo systems, but I do not publish them - let people get tired of reading dumps

[MagicProg]

mmm I am interested

[somebodynobody]

I will give you some technical information about how the Yamaha immobilizer works and why what I mention in the title is not as easy to do as many of you might think. Immobilizer consists of 3 active components: 4D60 transponder, immobilizer with induction loop - Immobox and ECU motor controller. The communication takes place by means of serial transmission in accordance with UART in half-duplex mode (in the end communication takes place via only one line - K-line). The transmission data is: baud rate: 15625 bits/s, no parity bit, 1 stop bit. The communication has the following format: 1 byte sent by Immobox (depending on the situation, either opcode or data byte), five bytes sent by the ECU. The construction of these 5 bytes sent by the controller is as follows: 1, 2 - data byte, 3 - opcode, 4 - data byte, 5 - arithmetic checksum of modulo 0x100 counted from 4 of the previous bytes. First, Immobox (MORIC 1/2) checks if it has one of the correct keys (Master or Slave). If the key is correct, it sends a puzzle request to the ECU (sending opcode 0x3E). The ECU responds by sending a 3-byte puzzle to solve (format: B, B, 0x43, B, check sum). Immobox then sends opcode 0x3D. On request from Immobox, the ECU responds by sending 24 bits (3 bytes) of the Hash, which is generated from 32 bits (4 bytes) of the Master key at the stage of learning a component that is able to "reset to new" - the Hashing algorithm is implemented in Immobox. The ECU controller responds: (B, B, 0x4B, B, checksum). The hash is saved in any ECU Yamaha in the EEPROM most often in the form: B, B, B, 0xAA and is repeated in three places for self-healing purposes. The solution to the puzzle is counted in Immobox and sent to the ECU in the form of sequences: Immobox: (B1o), ECU: (0x47, 0x47, 0x47, 0x47, checksum (0x1C)), Immobox: (B2o), ECU: (0x47 , 0x47, 0x47, 0x47, checksum (0x1C)), Immobox: (B3o), ECU: (0x47, 0x47, 0x47, 0x47, checksum (0x1C)). If the solution is correct, the ignition is unlocked. The algorithm for calculating the puzzle solution is as follows:


Bni - bit input number
Bno - bit output number


B1o = ( int ((( B1i x B2i ) + ( B1i x B3i ) + ( B2i x B3i )) / 0x1000 )) + 0x80
B2o = ( mod (( int ((( B1i x B2i ) + ( B1i x B3i ) + ( B2i x B3i )) / 0x40 )) / 0x40 )) + 0x80
B3o = ( mod ((( B1i x B2i ) + ( B1i x B3i ) + ( B2i x B3i )) / 0x40 )) + 0x80


Some time ago, thanks to the successful reverse engineering of the algorithm calculating the puzzle sent by the ECU, I created my own test Yamaha Immo Emulator on Arduino. Of course, I know that this is not a novelty and that for a long time you can buy such an emulator in China for a few dollars, nevertheless it was an interesting experience to sit down to this subject with zero knowledge of Yamaha's immobilizer or any immobilizer in general. A real curiosity comes at this moment. Thanks to the fact that I got to know exactly how the immobilizer works, I found one loophole in the possibilities of repair services. In the case of losing the master red key, the only system known to me so far on the service market, but running in such a way that it retains the original operation behavior (master key functionality, slave key coding) was a physical interference in the MORIC 1/2 immobilizer and interference in the ECU and system re-pairing with the pre-coded master transponder. Such a method always leaves a visual mark in the form of cut-out windows in ECU and Immobox, which is associated with a lack of aesthetics - it can be seen that something was buried, and is also associated with time wasted on carefully cutting out the windows in order to get into the EEPROM memory in ECU and Immobox. Going further in my thoughts I decided to try to face the Hash algorithm of 32-bit master key code. The reverse engineering method mentioned earlier was able to reproduce this algorithm. Along with learning the Hashing pattern, it became easy to create a design for the AntiHash algorithm. And here again some numbers: Master key saved in Immobox has 32 bits, which gives it 2^32 possible different keys (ie 4,294,967,296). If we are dealing with a paired ECU and Immobox, but with missing keys, due to the fact of hacking the Hash and AntiHash algorithm, the problem of Master key reproduction drops from 2^32 combinations to 2^14 possible combinations (ie 16,384). So having Hash read from the ECU driver, which is obvious information read by the UART protocol using K-line, you can perform AntiHash operation on it and create any of 16,384 Master keys that will be a pair with this ECU, which will correctly unlock immobilizer signal. Unique ECU controllers are not, as might be supposed based on the amount of data in the Hash (for reminder, 3 bytes) sent to Immobox - 2^24 (ie 16,777,216), only there are 2^18 (262,144). Hence the curiosity is that there is a very small, but still real, chance that the replaced from another ECU will work in a new environment. In the end, this chance is like 1 to 262,144, and not as indicated by the amount of data in the Hash - as 1 to 16,777,216. What I have already mentioned makes it possible to generate a master key for a used ECU without the need to physically interfere with it. In my opinion, it is a big profit - just in terms of aesthetics and time devoted to opening an officially unopenable driver. It should be noted here that in different controllers the EEPROM memory is located in different places, which can often be a significant problem with the controller, which you have not dealt with before and there is no information on where the memory is. Having the ability to obtain from the ECU controller, using the AntiHash algorithm, information about Master key code, this operation becomes extremely simple, very fast and free of damage to electronic components during physical interference with the controller. The Immobox module will remain at the next stage and at the same time an additional difficulty in approaching the subject of activating the immobilizer completely non-invasively. The information read from the ECU with AntiHash is a huge hint when generating the master key. To illustrate the situation: the number of master keys to be generated for 32-bit code is the previously mentioned value of 2^32 (for a reminder: 4,294,967,296 combinations). If we adopt a BruteForce type method, which in this case consists in generating a 4D60 transponder emulating next possible codes, in cooperation with the FeedBack system, which retrieves information from the K-line and examines whether the currently tested key code is correct and if so, the last one used the key sequence is based on the assumption that one code can be taken with regard to the safety limit for correct transponder readout (transponder, which is after all a device based on electromagnetic induction, thus having a tendency to read errors due to the transmission path and the number transormation, which passes the information transmitted), generate every 1 - 2 seconds, then the maximum time needed to generate all possible codes, varies between 136 and 272 years, which is an abstract value. As a reminder, thanks to the AntiHash algorithm the number of possible combinations drops from 2^32 to 2^14 (up to 16,384 combinations), which using the same method of generating consecutive codes every 1 - 2 seconds, gives the maximum time for generating all possible master key sequences on very acceptable level - 5 to 10 hours. The next stage and at the same time a very big problem that stands in front of me is the implementation of the 4D60 transponder emulator with the FeedBack system used to stop the search when the proper master key sequence is detected. Such a system would communicate with Immobox via electromagnetic induction and generate each of the 2^14 possible codes for the master key. I would also have to write software for PC and probably Arduino, which would choose from the pool 2^32 all possibilities only those 2^14 codes that have a chance to match, that is, all those sequences that can be generated using the AntiHash algorithm for Hash that is kept inside the ECU. Of course, this method will work only if we are dealing with a paired set, i.e. Immobox and ECU come from one vehicle. This is due to the fact that no change is made to the EEPROM of any of the components, and this method works only on the basis of reading the Hash information and generating next possible master key sequences based on the AntiHash algorithm. As you can see, the matter is not so simple. Personally, I do not see any other possibility of generating a master key non-invasively than the one I presented here, although there is a good chance that there is a completely different approach to this problem, for example by leaving the "wicket" by the manufacturer Immobox and ECU, through which you can use the bus K-line modify the EEPROM content of one and the other. Even if such a "wicket" exists, apart from a possible leak of information from the company producing components for Yamaha, there remains only a method based on an attempt to read the microcontroller managing the work of Immobox and ECU, probably the method of microprobing the silicon wafer, and then subjecting the read batch disassembly, in order to extract a piece of code responsible for what possibilities for the K-line interface were implemented by the creators of Immobox and ECU. This scenario seems to be a completely unprofitable time and cost venture. If you think it makes sense and that, despite the fact that nowadays, when the world of motorcycles is already ruled by Keyless, it is still worth providing a service consisting of the Master key for paired Immobox and ECU set for older Yamaha models, which still use the mechanical key, then I will try my hand at creating a device that comprehensively, i.e. not only for ECU but also for Immobox, will create the possibility of non-invasive learning of the Master key. As a last resort, I will stop at the stage where I am at present, i.e. the ability to quickly extract Master key code using the AntiHash algorithm without physical interference in the ECU, but unfortunately with physical interference in Immobox in order to set it to "reset to new" mode, and then pairing of such a set using a transponder programmed with a code reconstructed just using the AntiHash algorithm. The interference is only in Immobox, and in the end there are only 2 types - MORIC 1 and MORIC 2. In the case of ECU controllers, each controller has a different structure and the fact that I do not need physical interference in it, despite the current method underplaying is a big plus.

[drugowaz]

Tired to read faster cut smd make mey

[Coelhochaves]

exelentissimo estudo parabens que DEUS te abeçoe sempre

[TeL200]

A good read...Very impressed with your knowledge

[boris7589]

Have you made any progress in this project? I love the implementation and thinking behind it.

[Y0SHI]

I think I'm gonna have to wait for the youtube version

[izaac]

hello my friend congratulations for the post i have a yamaha ecu with eeprom 24c01 i opened the ecu and i have the file but i don't know how to generate the red key can you help me to generate this tamsponder?

[xt660x]

It simple over by immo communication protocol , immo when is like NEW state read someone from ECU i have this solution more than 10 years it is nothing new, there are many solutions to other immo systems, but I do not publish them - let people get tired of reading dumps

Hi, im trying to create a data logger for the Yamaha via k-line
Im in need of PIDS


but the info is not found anywhere online.

I see that there is an immo solution for this ecu so people have managed to speak to the k-line.

If I can find this information out, I can create something cool.

I know there is a SDS and a KDS, but YDS i don't have the diag tool for, so i cannot sniff the k-line to find out any information.

I have my bin file, also I am able to write to the ecu no issues via the k-line on bench, but the project is to live data log the ECU on pre-2016 models which lack the port.

SO I have to passively monitor the data, unless maybe there is a solution to tap into the k-line to send data to the ECU like the dash is able to.


Has anybody on this great forum ever managed to do this ?


Here is a link to my bin file if anybody wants to have a look

https://www.dropbox.com/scl/fi/ytug4...s367mm5cd&dl=0
MCU is a Renesas SH705x Denso



Thanks

[xt660x]

Just want to add, if there is no PID values
would anybody know any opcodes or even anything to point me into the direction?


Thanks

[xt660x]

Bump has anybody any advice please.

thanks

[Kris777]

Is this solution for both type of yamaha immobilizer antenna? with S29190 memory and without it?