Freelander 1 L series - Bosch MSA-11 DCU and 93C46 EEPROM / IMMO removal ?

Joe_H · Jun 23, 2016

Hello all,
Don't know if any of you guys are into the ECU (DCU Diesel control unit) and also the CCU (body control unit) on the L series , and how the immobiliser operated, but - it would seem the code transfer is via one of the two 93C46 eeprom units in the MSA11 unit.
Has anyone got any info on removing the bloody annoying immobiliser for this setup ? - also - I want to have several DCU units to exchange with differing chipped setups - I don't want to have the immo in the way.
I think i could possibly program the existing 93C46 units the same as the original but would rather remove the protection all together.
If that is gobbledegook -

- no worries - however - someone here may be into these things.
I am already replacing the 27C256 units with socketed 27SF512 with 0X8000 offset to allow reprogramming at will ..

deep joy...

Joe

Skinny Mike · Jun 23, 2016

Er, yes definitely, what you said

Not Being into the programing side of things, I stopped when I sold my commodore amiga!
Is it not possible to get a Haltec type of unit that would replace or work alongside the current coms?
Mike

Nodge68 · Jun 24, 2016

I don't believe that the immobiliser can be switched off, for the EU market at least. There is a coms link between the alarm and engine ECU which negotiates if the engine is authorised to run or not. However it might be possible to implement a market dependant programme that doesn't include immobilisation. I don't think Japanese markets require immobilisation, but I'm not 100% sure. It's a possibility that there is a way, but I suspect it'll need T4 to carry out the change.

Joe_H · Jun 24, 2016

Nodge68 said:
I don't believe that the immobiliser can be switched off, for the EU market at least. There is a coms link between the alarm and engine ECU which negotiates if the engine is authorised to run or not. However it might be possible to implement a market dependant programme that doesn't include immobilisation. I don't think Japanese markets require immobilisation, but I'm not 100% sure. It's a possibility that there is a way, but I suspect it'll need T4 to carry out the change.

Hello Nodge,
I am actually sure the immo can be removed, however, the alarm system is not removed.
You are correct in that a comms link connects the CCU to the EDC unit. I actually want the alarm unit etc to function - just not the EDC immo.
That means basically that the edc is independent of the CCU.
Ok, so, how do we achieve this ?

Well, first school of thought is as follows - in the EDC unit are four (E)eproms - well - 2 eproms (27C256) containing the mapping - and also two 93C46 EEPROMS.

The 27C256 contain the mapping and are what are changed in a remap (chipping) process. - however, the 93C46 EEPROMS contain both VIN etc and also comms data for code verify from the CCU.
One could - theoretically - read and then reprogram the 93C46 units in situ (quite possible with a clamp on unit and programmer) - in the 'new' EDC units to be identical - hence accepting all CCU commands for IMMO - or, you could actually disable the ability of the CCU to communicate with the EDC (Internally to the EDC) by fudging one of the 93C46 EEPROMS... in the second way, the EDC would be vehicle independent whereas the CCU would be vehicle dependent.

That seems the way forward.

We are not interested in removing the 'alarm' system - simply enabling differing and individual EDC units to work with the existing CCU - in other words, the comms link from CCU to EDC is voided and all EDC units work.

I can only reprogram the main eproms by removing and socketing them - and replacing them with newer units (normal method of 'chipping' the L series)
the VIN and IMMO eeproms (93C46 can be read and programmed in situ - not via any T$ etc - simply by direct connection.
That seems the way to go.

In fact, simply copying the contents of the 2 eeprom 93C46 units - and rewriting to another EDC should in theory make the unit 100% compatible - the object though is to remove the verification within the EDC which seems possible within the second (nearest to the yellow caps) 93C46 - read in situ via a clip on reader - program offset then write - some say remove the second 8 pin eeprom altogether and wire the starter relay comms line to gnd - need to experiment with that

All good fun......

Have two new EDC L series units on the way for experimenting......
Deep joy...

Tony Reeves · Jun 26, 2016

That all looks quite familiar to me. I am near the end off a VVC conversion in my 1.8K Freelander 1 and was all geared up to modify the eeprom in the MEMs 2j the VVC uses. Bought a dozen 93c66 and sockets to make the job easy.

But checked first, and she runs as is, with the immobiliser line from the alarm to the ECU disconnected. It appears I have been lucky and my Rover VVC engine ECU combo is from and Japan vehicle, they don't seem to use immobilisers there.

Nodge68 · Jun 26, 2016

Tony Reeves said:
That all looks quite familiar to me. I am near the end off a VVC conversion in my 1.8K Freelander 1 and was all geared up to modify the eeprom in the MEMs 2j the VVC uses. Bought a dozen 93c66 and sockets to make the job easy.

But checked first, and she runs as is, with the immobiliser line from the alarm to the ECU disconnected. It appears I have been lucky and my Rover VVC engine ECU combo is from and Japan vehicle, they don't seem to use immobilisers there.

A lot of vehicles don't use immobilisation when they are sold in Japan. I don't know why this would be. Maybe there's little vehicle crime or maybe there's a local regulation that prohibits the use of immobilisers. Maybe our NZ friends could check it there Jap imports have immobilisers fitted?

I VVC Freelander sounds a brilliant project to me.
Let us know how it goes.

Tony Reeves · Jun 26, 2016

Nodge68 said:
A lot of vehicles don't use immobilisation when they are sold in Japan. I don't know why this would be. Maybe there's little vehicle crime or maybe there's a local regulation that prohibits the use of immobilisers. Maybe our NZ friends could check it there Jap imports have immobilisers fitted?

I VVC Freelander sounds a brilliant project to me.
Let us know how it goes.

Well I am an NZ Friend (at least I hope so).

The project is here, progress has been slow lately due to a personal plumbing issue - the joys of maturity... https://www.landyzone.co.uk/land-rover/a-minor-upgrade-vvc.301389/

Joe_H · Jun 26, 2016

Tony Reeves said:
That all looks quite familiar to me. I am near the end off a VVC conversion in my 1.8K Freelander 1 and was all geared up to modify the eeprom in the MEMs 2j the VVC uses. Bought a dozen 93c66 and sockets to make the job easy.

But checked first, and she runs as is, with the immobiliser line from the alarm to the ECU disconnected. It appears I have been lucky and my Rover VVC engine ECU combo is from and Japan vehicle, they don't seem to use immobilisers there.

Hi Tony, nice work !.

... yes, it would appear that the Jap units don't have the immo function.
I am surprised that the 93c66 are not SOIC format ? are yours PDIP ? - mine are definitely SOIC so I planned to use my clip over reader and read in situ (Usually works) but, want to try it on a 'spare' ECU (DCU) first - otherwise I have a hot air rework so can pop them out pretty rapidly.
What were you planning to do if you had IMMO ? - I presume the eeprom only has appropriate and very limited data containing the effective verification - the CPU (Dual 8051's) in the MSA-11 units would (again best 'reasonably educated guess

) would be that the code from the CCU is read by the processor, the processor then serial reads (look to be SPI) the data from the 93C46 and compares that to the code from the ccu - if ok, then go for launch... so on further pondering - the removal of the eeprom completely may well cause the CPU to read a constant state (well WOULD as I presume the data out (DO) is pulled up - the cpu would not even know that the eeprom was not there ! it would still send a DI request, CS and then send the Clock and read the data form DO - (as we said - now all logic high)
With the wire cut from the CCU, the MSA11 has - I presume as per normal practice - a weak pull up on the CCU data line hence the read data comes back as Logic 1 also... I would also presume that the signal line from the CCU is fairly basic - ie - on startup the cpu awaits a simple data start pulse on the line and reads a serial string at a preset rate.
If that is the case, the 93C46 could also be programmed with all xFF ........
again - deep joy eh

Joe

Tony Reeves · Jun 26, 2016

Joe_H said:
Hi Tony, nice work !. ... yes, it would appear that the Jap units don't have the immo function.
I am surprised that the 93c66 are not SOIC format ? are yours PDIP ? - mine are definitely SOIC so I planned to use my clip over reader and read in situ (Usually works) but, want to try it on a 'spare' ECU (DCU) first - otherwise I have a hot air rework so can pop them out pretty rapidly.
What were you planning to do if you had IMMO ? - I presume the eeprom only has appropriate and very limited data containing the effective verification - the CPU (Dual 8051's) in the MSA-11 units would (again best 'reasonably educated guess ) would be that the code from the CCU is read by the processor, the processor then serial reads (look to be SPI) the data from the 93C46 and compares that to the code from the ccu - if ok, then go for launch... so on further pondering - the removal of the eeprom completely may well cause the CPU to read a constant state (well WOULD as I presume the data out (DO) is pulled up - the cpu would not even know that the eeprom was not there ! it would still send a DI request, CS and then send the Clock and read the data form DO - (as we said - now all logic high)
With the wire cut from the CCU, the MSA11 has - I presume as per normal practice - a weak pull up on the CCU data line hence the read data comes back as Logic 1 also... I would also presume that the signal line from the CCU is fairly basic - ie - on startup the cpu awaits a simple data start pulse on the line and reads a serial string at a preset rate.
If that is the case, the 93C46 could also be programmed with all xFF ........
again - deep joy eh
Joe

Hi Joe,

The 93c66 is SOIC, I have some ZIF sockets for them. Was going to take out the one in the ECU and hack a socket into it. I was not going to bother trying to read it in circuit, trying to change it in circuit did not seem to be a good idea anyway.

There are a bunch of dumps on various ECU hack sites, I have collected some and was going to diff them to get an idea of the bits to change. Also put a scope on the line between the alarm and ECU to get an idea of the signal level and decode the data logic going over. Was looking forward to a couple of weeks of stuffing around, but was not needed.

Joe_H · Jun 26, 2016

Hi Tony, replacing with a ZIF is not a job I would relish. I thought it must be SOIC though. If you haven't got a rework kit - there are some amazingly cheap (50 quid or so) Chinese units that are perfectly suited to the job with a nice selection of 'nozzles' - makes life far easier - the hardest part is using a suitable lifting mechanism that stops the now free to move unit from sliding ! - yikes ! - I use some fine tweezers from the amazing IFIXIT tool kits - if you haven't seen them - check them out ! - this is the one I use and would not be without it - lifetime guarantee as well - a genuine one ! https://www.ifixit.com/Store/Tools/Classic-Pro-Tech-Toolkit-/IF145-072-1
Use offer code 'LINUS' (from Linustechtips) to get 10% off as well - anyway - I digress.
I think the design of the older ECU units is so dated that they are fairly simple really - certainly the MSA11 which was designed around 1994/5 ? - possibly earlier.
Also, the single comms line from the CCU to the ECU is a give away as to the simplicity of the code transfer mechanism. - obviously just cutting it would not work as the ecu would have an incorrect data reading - presuming the ccu code delivery is a simple timing from switch on (which I believe it is), but, as it is 'pulled up' in a default state then cutting it would possibly cause an all xFF reading - if we make the CPU in the ECU read xFF from the eeprom, then we have a match - a huge fudge - but hey !

In that respect, I cannot see a dump of the eeprom contents ( the 8 pin SOIC units) to be of any value at all as it must be a purely simple read only and compare the data from the eeprom to the data received via the CCU.
Hell

if it doesnt let the magical smoke out then it is worth a go lol

And, to be really fair - I cannot see any other way they would have done it back then - it is not a system that can be hacked at all without internal mods to the ECU - simply cutting wires from CCU and fudging the starter will not work as the 8051's will disable electronic operation of the fuel pump / timing / stop solenoid / mechanical position sensors etc etc etc.
But, once internal access is granted (ohh ahh missus

) then Robert's your Auntie's Husband - or so the cunning plan goes haha..

Joe

oh, edit- - here is a pic of the 'offending' eeprom - note the miniscule size next to the main map DIP 27C256 eproms ! - it is the little SOIC B^gger next to the yellow capacitors - yikes.....

Tony Reeves · Jun 26, 2016

Joe_H said:
Hi Tony, replacing with a ZIF is not a job I would relish. I thought it must be SOIC though. If you haven't got a rework kit - there are some amazingly cheap (50 quid or so) Chinese units that are perfectly suited to the job with a nice selection of 'nozzles' - makes life far easier - the hardest part is using a suitable lifting mechanism that stops the now free to move unit from sliding ! - yikes ! - I use some fine tweezers from the amazing IFIXIT tool kits - if you haven't seen them - check them out ! - this is the one I use and would not be without it - lifetime guarantee as well - a genuine one ! https://www.ifixit.com/Store/Tools/Classic-Pro-Tech-Toolkit-/IF145-072-1
Use offer code 'LINUS' (from Linustechtips) to get 10% off as well - anyway - I digress.
I think the design of the older ECU units is so dated that they are fairly simple really - certainly the MSA11 which was designed around 1994/5 ? - possibly earlier.
Also, the single comms line from the CCU to the ECU is a give away as to the simplicity of the code transfer mechanism. - obviously just cutting it would not work as the ecu would have an incorrect data reading - presuming the ccu code delivery is a simple timing from switch on (which I believe it is), but, as it is 'pulled up' in a default state then cutting it would possibly cause an all xFF reading - if we make the CPU in the ECU read xFF from the eeprom, then we have a match - a huge fudge - but hey !
In that respect, I cannot see a dump of the eeprom contents ( the 8 pin SOIC units) to be of any value at all as it must be a purely simple read only and compare the data from the eeprom to the data received via the CCU.
Hell if it doesnt let the magical smoke out then it is worth a go lol
And, to be really fair - I cannot see any other way they would have done it back then - it is not a system that can be hacked at all without internal mods to the ECU - simply cutting wires from CCU and fudging the starter will not work as the 8051's will disable electronic operation of the fuel pump / timing / stop solenoid / mechanical position sensors etc etc etc.
But, once internal access is granted (ohh ahh missus) then Robert's your Auntie's Husband - or so the cunning plan goes haha..
Joe

oh, edit- - here is a pic of the 'offending' eeprom - note the miniscule size next to the main map DIP 27C256 eproms ! - it is the little SOIC B^gger next to the yellow capacitors - yikes.....

View attachment 102801

Yes, my eeprom is like that. I have no problem working with that stuff, and some much smaller.

Lots of info around about hacking into those and other ECU's. One example is http://www.digital-kaos.co.uk/forums/forumdisplay.php/149-The-Garage However be careful, malware abounds on such sites and in many countries some of the info may not be legal.

The MEMS Ecu can be set into 3 states:
- Listen for correct 16 bit value from alarm module and immobilise if no code or incorrect code after 3 seconds (normal state if immobilise active)
- Listen for code and fix that in eeprom as the active mobilise code (initial state of MEMS ECU)
- Ignore codes (Common on Japan market).

Testbook can set an ECU to either of the 3 states, it does that by writing values into the eeprom. So by changing ECU eeprom values you can achieve any one of the three states. But by publishing the actual values and eeprom addresses you are enabling vehicle theft so the information is not readily available.

Joe_H · Jun 27, 2016

Excellent stuff Tony -

I will send an eeprom dump of the 93c's and ask for advice. Appreciated. It would be a better solution than a butchered one

What do you know about the actual CCU unit ? - are you aware of any method of removing the alarm system completely ? - it would be just better to have central locking on the keyfob and open by key only without all the other garbage.
Joe

Joe_H · Jun 27, 2016

Just checked Digital-Kaos and found I have had an account there since early 2015 ! doh

That was for something else (Fiat Panda issue( - but had forgotten about the site)
Thanks for jogging the memory.!

Tony Reeves · Jun 27, 2016

Joe_H said:
Excellent stuff Tony -
I will send an eeprom dump of the 93c's and ask for advice. Appreciated. It would be a better solution than a butchered one
What do you know about the actual CCU unit ? - are you aware of any method of removing the alarm system completely ? - it would be just better to have central locking on the keyfob and open by key only without all the other garbage.
Joe

Never thought of removing the CCU/alarm. I don't have any problem with it, and it adds some good intelligence to the vehicle.

If you did remove it you would need to recreate central locking, wiper functions, tail window lift and a heap of other bits and pieces in something like Arduino. I would not bother.

Joe_H · Jun 28, 2016

Tony Reeves said:
Never thought of removing the CCU/alarm. I don't have any problem with it, and it adds some good intelligence to the vehicle.

If you did remove it you would need to recreate central locking, wiper functions, tail window lift and a heap of other bits and pieces in something like Arduino. I would not bother.

Hi Tony, no, not actually physically removing the CCU unit and am aware of all the other functions it performs - I am simply thinking about removing the alarm and key entry checking procedures from it.
Joe

GrumpyGel · Aug 21, 2016

Bit of a thread revival here, but in looking at the immobiliser a while back, the CCU earths (or doesn't if immobilised) the starter relay. So from that perspective, the ECU doesn't play any role in stopping the engine from starting.

This topic appears to imply the ECU is checking the CCU and immobilising the engine if there's a mismatch. However, is it the other way around? If the ECU does not match the CCU is it the CCU that is immobilising the engine by not raising the starter's earth?

Is this earth on the starter motor the only aspect of immobilisation? ie if immobilised, do all other functions of the CCU and ECU operate normally? If they do, then would the simplest thing to do simply be to reroute the starter relay earth to a permanent earth?

Nodge68 · Aug 21, 2016

GrumpyGel said:
Bit of a thread revival here, but in looking at the immobiliser a while back, the CCU earths (or doesn't if immobilised) the starter relay. So from that perspective, the ECU doesn't play any role in stopping the engine from starting.

This topic appears to imply the ECU is checking the CCU and immobilising the engine if there's a mismatch. However, is it the other way around? If the ECU does not match the CCU is it the CCU that is immobilising the engine by not raising the starter's earth?

Is this earth on the starter motor the only aspect of immobilisation? ie if immobilised, do all other functions of the CCU and ECU operate normally? If they do, then would the simplest thing to do simply be to reroute the starter relay earth to a permanent earth?

It's not just the starter that is disabled. The engine ECU doesn't apply ground to the spark plugs and injectors on the petrol engine. And inhibits injectors on the diesel. So the bump starting won't work either

GrumpyGel · Aug 21, 2016

Nodge68 said:
It's not just the starter that is disabled. The engine ECU doesn't apply ground to the spark plugs and injectors on the petrol engine. And inhibits injectors on the diesel. So the bump starting won't work either

Bugger!

Was just a thought. I was googling trying to find out what comms protocol the L Series ECU talks through the diag port and Google threw this link up so had a read

Shall get back to reading through the search results....

Nodge68 said:
Maybe our NZ friends could check it there Jap imports have immobilisers fitted?

Unlike the immigrant writing this post, my Freelander is a thoroughbred NZ new vehicle. It does have an immobiliser because the battery in my fob died and it wouldn't start - I presume its all part of the same immobilisation facilities as with the ECU/CCU code check.

Nodge68 · Aug 21, 2016

GrumpyGel said:
Bugger!

Was just a thought. I was googling trying to find out what comms protocol the L Series ECU talks through the diag port and Google threw this link up so had a read

Shall get back to reading through the search results....

Unlike the immigrant writing this post, my Freelander is a thoroughbred NZ new vehicle. It does have an immobiliser because the battery in my fob died and it wouldn't start - I presume its all part of the same immobilisation facilities as with the ECU/CCU code check.

I didn't think the fob battery needed to be ok for the transponder to work. It doesn't in most keys, as the immobiliser transponder is independent of the remote system. In the 2000 on Freelander, the transponder is in the way, not the fob.

GrumpyGel · Aug 21, 2016

Nodge68 said:
I didn't think the fob battery needed to be ok for the transponder to work. It doesn't in most keys, as the immobiliser transponder is independent of the remote system. In the 2000 on Freelander, the transponder is in the way, not the fob.

A working fob is needed on my '98. I have left just the key with a garage and they needed me to go back with the fob o they could start it - and with the battery going low it bleeps as you enter, then when the battery finally fails you get the solid light n the dash and it won't start.

Freelander 1 L series - Bosch MSA-11 DCU and 93C46 EEPROM / IMMO removal ?

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Similar threads