What's new
Club Scuderia

This is a sample guest message. Register a free account today to become a member! Once signed in, you'll be able to participate on this site by adding your own topics and posts, as well as connect with other members through your own private inbox!

  • Please take a minute to read this thread about our recent server issues and forum platform Switch

355 immobiliser PIN recovery project

redwedge

Member
Hi all,

I'm considering putting my Raspberry Pi to good use by coming up with a method to recover the immobilser PIN from a 355's immobiliser ECU using a brute force attack. You wouldn't want to sit in the car and try the 10,000 possible combinations using the key-turning method, but it's a small enough number to make recovery using cheap computer hardware possible.

I've no problem writing the code, but what I am looking for is any assistance with the I/O of the immobiliser ECU. I could spend a few hours with wiring diagrams and a multimeter to figure it out, but I just thought I'd check to see if anyone's had a crack at it before and could provide that info and save me the hassle. I just need to know which pins on the ECU are activiated when the ignition is flicked on and off (i.e. someone's entering a PIN) and how the ECU indicates that PIN entry is successful (i.e. the dashboard LED turns off), plus the voltages at the PINs.

Any help appreciated.
 
There's a few threads on Fchat covering the pins & the PINS - you might also want to see what ground Eric355 here has already covered as well as taking a look at the Oz site which claims to have cracked it (link http://www.immofixer.com/)
 
Last edited:
I am desperate for this, as I have no code for my project car 355 5.2

FYI

Roger at Kent High Performance may be able to help as I spoke to him and he spent a couple of days with an alarm specialist trying to crack it. Mayn have info you require. He is a nice chap and very helpful.

Regards

Simon
 
I had my 355 5.2 Alarm system reprogrammed in Australia

I thought this might be of interest to other 355 owners.

I sent my alarm off to Australia £40.00 shipping cost, I received excellent email communication from the company, including pictures of the items that they required to reprogram my alarm system. I also received regular updates and confirmation that my alarm arrived that was nice. Not cheap but a darn sight cheaper than buying an alarm from Ferrari.

My immobiliser is ready for return now fully programmed and tested. They have also cleaned the contacts in the remote I provided and fitted a new screw for the case and a new battery.

The whole package IMMOFIXER provide will contain my immobiliser, a total of 3 remotes (1 new master and one new standard ) and the pin code.

Also the price quoted is $1196 USD = USD Dollars, is around £757 at current exchange rates.

Now the proof of the pudding is when I receive it back. Will it work. I hope so. It comes with the years warranty.

Regards

Simon
 
Thanks for the tip Simon

I have the PIN, one red and one black remote for my 575M but would like another black remote to complete the set. I've just emailed immofixer to see if I have to send them the red fob and PIN for them to program one of their replacement black fobs.

It will be a lot cheaper than buying a complete new set from Maranello !
 
I had this idea over 2 years ago... well I finally started to get stuck into the project today. Having played around with the immobiliser board and my multimeter, it was clear that the project was feasible, so the main body of work was to write and test the code that will generate the patterns to replay to the board. Rather than start at 0000 and count up, I have chosen a method that will take the least possible time to discover the PIN. So, my program begins with 1111, 1112, 1121, 1211 etc and works its way in order of pulses required all the way UP to 0000 (which requires forty pulses). A couple of videos demonstrating the attack, with an LED indicating that the relevant pin on the immobiliser is being pulled high - first one sped up to show the method:

method.m4v

...and the second one at the speed required when connected to the car (i.e. bloody slow):

realtime.m4v

I am using the car's immobiliser LED as an input to determine when the correct code has been found (it extinguishes when the correct PIN has been entered).

I'll hook it up to the car next weekend and leave it to run to completion. I don't actually know my PIN, so I can't do a quick unit test and am only going by the WSM that the pattern is correct and the LED will be a good input to stop the program when the PIN is successfully discovered.
 
Well, someone has a sense of humour. My last remaining fob has gone AWOL. :cry3: It's just missing from my keyring. Can only assume that the plastic loop broke and the fob fell off.

I've searched the flat high and low - no sign of it anywhere. Fortunately, I have key insurance.
 
I had this idea over 2 years ago... well I finally started to get stuck into the project today. Having played around with the immobiliser board and my multimeter, it was clear that the project was feasible, so the main body of work was to write and test the code that will generate the patterns to replay to the board. Rather than start at 0000 and count up, I have chosen a method that will take the least possible time to discover the PIN. So, my program begins with 1111, 1112, 1121, 1211 etc and works its way in order of pulses required all the way UP to 0000 (which requires forty pulses). A couple of videos demonstrating the attack, with an LED indicating that the relevant pin on the immobiliser is being pulled high - first one sped up to show the method:

method.m4v

...and the second one at the speed required when connected to the car (i.e. bloody slow):

realtime.m4v

I am using the car's immobiliser LED as an input to determine when the correct code has been found (it extinguishes when the correct PIN has been entered).

I'll hook it up to the car next weekend and leave it to run to completion. I don't actually know my PIN, so I can't do a quick unit test and am only going by the WSM that the pattern is correct and the LED will be a good input to stop the program when the PIN is successfully discovered.

Wow - Steve this is really cool and I'm interested in knowing if this works. If it does, please email me.

Thanks!!!
 
Will do Dave. I finished my HVAC fix/refurb yesterday by fitting your overlay. Looks great; the smooth finish and correct fonts are an improvement from the previous overlay that was fitted.
 
I can't believe it's almost 10 years since I started this thread... that's kids for you. I finally got round to finishing this project. It's not very pretty at the moment, but when I get some time, I will package this up into a black box that anyone can plug into their immobiliser (no need to remove it from the car) and recover their PIN.

Here's the tool on its 4,982nd attempt, which is PIN 5025 (it doesn't start at 0000 and count up to 9999, it starts at 1111 and counts up to 0000, as zero takes ten blips to enter therefore 0000 is the longest PIN). The red flashing LED is what you see in the car, on the centre air vents. The green LED is someone sitting in the driver's seat, turning the ignition on and off to enter the PIN:


The small computer that is sending the inputs also reads the blinking LED output and knows it has found the right PIN when the LED stops flashing.
 
Top