immobilizer 4, "pills", rfid range, keys, older car - simpler living

Group - 2007 A4 Avant (instrument and immobilizer scans below) trying to do what every car owner would be trying to do having a nine-year-old car and one, just one (kinda sick looking, but still works) key. HAA blanks are easy to get and cut. (And they work great - turn lock cylinder, life is good). Key fobs that appear to be new, not before used, of Asian origin are easy to get. (Where do we think Audi gets them?)
And.....
- PIN codes or PKC passwords / date are HARD to come up with.
- One dealer wants $600 per new key
- Another dealer will play with his scan tool for an hour, adapting as many keys as req'd for $135 (but, wants to think the fobs are 'dealer')

I have searched these forums to find the answer to the obvious questions, but haven't done well at finding them. Thus, this post in an effort to set them out to see whether, among us are those who know the answers.

a. What is the range (distance - I suppose "through plastic" and "through air") of the Audi B7 RFID system? The experiment with the working key held next to the lock while a no-pill-inside key is rotated in the lock cylinder has been done and produced negative results (no go). If the one working "pill" is installed inside the steering column cover -- is life suddenly good? Reliably good?

b. Is there any way to tell, using the kind of stuff that people have lying around the house, a vag-com interface and a sample car, whether the "pill" inside a given fob is "virgin" or has been "married before"? Or, does any part of the VCDS interface give the user better than "key recognized" / "key not recognized" -- and could it?

c. Does anyone know (and is willing to say) how "complex" the "message" that the immobilizer box provides to the ECU "box" that says "yuh, fine, let's go driving" is? Put another way, if one were to go after this mess by some computer program modifying, where is the simplest place to do it? In the immobilizer? Which runs a ... grungy little ARM chip? And prom memory with security bit burnt? A microcontroller w/ on board that can only be accessed by a JTAG interface? One images that one could get some very cheap and simple little processor unit to whisper sweet words in the ear of the ECU in substitute for all the cranky fussiness of the immoblizer? (And have a nine year old car for which you only have to worry about the torque converter seal and the noisy potientiometers and plastic gears in the throttle body....)

Answers to these (and obviously related) question greatly appreciated. Thanks.

Address 17: Instruments Labels: 8E0-920-9xx-8EC.lbl
Part No SW: 8E0 920 982 F HW: 8E0 920 982 F
Component: KOMBI+WFS 4 H14 0120
Revision: 0120 Serial number: 00000000000000
Coding: 0023261
Shop #: WSC 01308 444 178129
VCID: 31694376ABF3C9B6E2-5142

No fault code found.

-------------------------------------------------------------------------------
Address 25: Immobilizer Labels: 8E0-920-9xx-8EC.lbl
Part No SW: 8E0 920 982 F HW: 8E0 920 982 F
Component: KOMBI+WFS 4 H14 0120
Revision: 0120 Serial number: 00000000000000
Coding: 0023261
Shop #: WSC 01308 444 178129
VCID: 31694376ABF3C9B6E2-5142

No fault code found.

breeve said:

a. What is the range (distance - I suppose "through plastic" and "through air") of the Audi B7 RFID system? The experiment with the working key held next to the lock while a no-pill-inside key is rotated in the lock cylinder has been done and produced negative results (no go). If the one working "pill" is installed inside the steering column cover -- is life suddenly good? Reliably good?

Click to expand...

This can surely be done, but think about the shape of the field produced by a toroidal coil in terms of the optimal location for the transponder.

breeve said:

b. Is there any way to tell, using the kind of stuff that people have lying around the house, a vag-com interface and a sample car, whether the "pill" inside a given fob is "virgin" or has been "married before"? Or, does any part of the VCDS interface give the user better than "key recognized" / "key not recognized" -- and could it?

Click to expand...

MVB 023.2 should tell you whether it's locked or not locked.

breeve said:

c. Does anyone know (and is willing to say) how "complex" the "message" that the immobilizer box provides to the ECU "box" that says "yuh, fine, let's go driving" is? Put another way, if one were to go after this mess by some computer program modifying, where is the simplest place to do it? In the immobilizer? Which runs a ... grungy little ARM chip? And prom memory with security bit burnt? A microcontroller w/ on board that can only be accessed by a JTAG interface? One images that one could get some very cheap and simple little processor unit to whisper sweet words in the ear of the ECU in substitute for all the cranky fussiness of the immoblizer? (And have a nine year old car for which you only have to worry about the torque converter seal and the noisy potientiometers and plastic gears in the throttle body....)

Click to expand...

There is no separate immobilizer box in your car. The immobilizer is an integral function of your instrument cluster.

-Uwe-

a. I think the rf field should look sorta like a "doughnut" -- just as a guess. But it could be a really small, skinny doughnut if the strength of the emission is very low ... and then it could be kinda challenging to find a good place for the "pill" except where the key turning the lock is (which, obviously wouldn't do well in a situation in which one is trying to get one pill to serve many keys). Experimenting a bit with a non-pilled key in the lock and a pilled key right beside it suggested that a) either this may be very "near field" or b) something may be used, or half used, as a reflector or guide of a very little bit of RF energy, or c) holding the blade of the key to ground in the lock is used as a help...? It may be that the pill has to be pretty much right on the swing circle of the key on the outside of the lock....?

c. Okay as to immobilizer being part of instrument cluster (shows same part number, etc.) but the ECU is in front of the firewall on the left side, receiving messages from the cluster/immobilizer which "say" either "turn the car off -- we hate this guy, he has to suffer" OR "yeah, nice day, let's keep the car running and go for a ride". Any message can be synthesized. (A message is just information, embodied in a set of differences in physical entities, etc. etc.) The question is how difficult is it to synthesize the right message, for example, by changing the program that runs inside it to say, whenever it is time to say anything, "yeah, let's go...."

breeve said:

a. I think the rf field should look sorta like a "doughnut" -- just as a guess. But it could be a really small, skinny doughnut if the strength of the emission is very low ... and then it could be kinda challenging to find a good place for the "pill" except where the key turning the lock is (which, obviously wouldn't do well in a situation in which one is trying to get one pill to serve many keys). Experimenting a bit with a non-pilled key in the lock and a pilled key right beside it suggested that a) either this may be very "near field" or b) something may be used, or half used, as a reflector or guide of a very little bit of RF energy, or c) holding the blade of the key to ground in the lock is used as a help...? It may be that the pill has to be pretty much right on the swing circle of the key on the outside of the lock....?

Click to expand...

Suggestion: With the ignition switched on using a key that has no transponder in it, try moving the "pill" around while watching MVB 022.3

breeve said:

c. Okay as to immobilizer being part of instrument cluster (shows same part number, etc.) but the ECU is in front of the firewall on the left side, receiving messages from the cluster/immobilizer which "say" either "turn the car off -- we hate this guy, he has to suffer" OR "yeah, nice day, let's keep the car running and go for a ride". Any message can be synthesized. (A message is just information, embodied in a set of differences in physical entities, etc. etc.) The question is how difficult is it to synthesize the right message, for example, by changing the program that runs inside it to say, whenever it is time to say anything, "yeah, let's go...."

Click to expand...

Yes, in principle that could probably be done. Thing is if I were designing the "handshake" for whether the engine is allowed to start or not, I'd come up with some means of making it resistant to replay attacks. So the approach you're suggesting could be quite difficult to implement in practice.

A more traditional way to skin this cat is to do an Immo defeat in the code of the ECU itself. Then the ECU no longer cares whether the immo (in the cluster) thinks it's OK to start the car or not. I believe there are people who frequent this forum who have the ability to do that, but Ross-Tech does not.

-Uwe-

Uwe said:

Suggestion: With the ignition switched on using a key that has no transponder in it, try moving the "pill" around while watching MVB 022.3

Click to expand...

Tried that before posting. Results were ... let's call them... "uncertain". In other words, I couldn't find a location on the outside of the steering column where "recognized" was a 'sturdy' indication. I could get it to come on fine, and then as I adjusted my body position to see where it was it would, for example, 'bounce' off. It is the reason I wonder, among other things, whether going inside the column will help. (or whether I have a somewhat 'weak' example of an rfid unit, or a kinda flaky pill for testing... etc.)

Quick report on more experimentation with (another) key transponder / "pill" in the area in and around the outside of the lock cylinder on the steering column. 2007 A4 Avant B7 body. Similar results. It appears that the signal is strong enough truly reliably to interact with the pill within the circle where the fobbed key rotates. Very little distance outside the 'lock circle' (say, 3/8 of an inch) and the connection appears to become uncertain or non-existent. The chance of getting a good spot for one pill to live in the car and provide for pill-less keys does not seem high. I haven't taken the steering column cover off, but if I were to, I think the lock cylinder would be in the way of a good home for the pill.

(The cheap Asian key fobs do seem to be virgins. And ready to play. At this point in this little project, then , the challenge has become to figure out my pin code. (I am now thinking it is a "4 digit type" -- which may be wrong.) Anyone who knows how to use a Ross-Tech cable to dump ECU prom memory - where a hex byte-order-switched version of the pin code should be - (Vag CAN Commander???) -- and is kind enough to share -- is most cordially invited to contribute anything from a hint to a how-to.)

breeve said:

The chance of getting a good spot for one pill to live in the car and provide for pill-less keys does not seem high.

Click to expand...

Have you considered relocating the pickup coil to a more favorable location than the ignition lock?

-Uwe-

Maybe I'm luckier than I though I was

Uwe said:

Have you considered relocating the pickup coil to a more favorable location than the ignition lock?

-Uwe-

Click to expand...

This issue/problem may be somewhat reminiscent of the "measure the height of the building using a barometer" example that Murray Gell-Mann offers in his _Quark and the Jaguar_ book / essay on Science and Education. Many solutions and a certain distribution of complexity, involvement, sturdiness, effort among them. Your proposal certainly would be an approach to the problem that would work. But to be fair, there is some "re-slicing" of the beast/car involved -- if not "butchery." Nothing wrong with re-slicing as such, but, by argument, doing it by moving wires and coils around a compact environment is a little less "graceful" than providing signals that work as satisfactory inputs to the electronic system as presently constructed. (How fragile is the coil, and am I going to break it trying to get it "un-glued" to move? Although a substitute coil probably not that killer hard to come up with.)

I may end up doing exactly as you suggest.

My attention at the moment, however, is directed to trying to understand what is in my car and trying to figure out a thoughtful way -- with the continued help of Asian suppliers -- to work with it.

I think I now know (or I should say I now believe - have talked myself into believing -- by crediting the descriptions and explanations of others):
- That my car actually has Immobilizer III technology in it (not IV)
- That the "pill" is an "ID 48 CAN" device also called a "TP-25"
- That I actually have only the older "PIN code" - 4 digits
- That this PIN code is in 2 bytes (low order / high order i.e. "backwards") at bytes 32 and 33 in the ECU EPROM
- That the EPROM is readable from the OBD2 connector
- That my Ross-Tech cable in "dumb mode" may work to read it, but the results of others seem to be split (about 50/50), but that a crap-o FleaBay KKL "409" cable will work
with one or another version of "VAG Commander" (early Abrites handiwork - I have collected a few versions already.)

(And (sadly) it is going to be a while until I am back in the same place with the car to resume experimenting - work gets in the way of auto education). Sooo..... this may all be untrue, and you can be laughing at me and having a good time (for the next couple of weeks), but I am thinking that with a little more fussification I am going to be making fully working keys without struggle, don't gotta move nothing, type in the found PIN, code the keys, drive out to the dance....

In any event, I will eventually report back (even if nobody is listening) whether I win or lose, providing any worthwhile details of the defeat or victory.

We can agree to disagree and remain friends, but it would be my view that reading (at least reading - writing we can argue about further) the ECU PROM would be a suitable and proper facility to include in the Ross-Tech suite.

breeve said:

That my car actually has Immobilizer III technology in it (not IV)

Click to expand...

I expect there is indeed a PIN code in your ECU, but it is insufficient to match transponders to the immobilizer in your car, which I do think is Immo-4. Let's find out:

What do you have in MVB 081 of your Instrument Cluster or Immobilizer?
What do you have in Advanced ID of the those modules?

breeve said:

We can agree to disagree and remain friends, but it would be my view that reading (at least reading - writing we can argue about further) the ECU PROM would be a suitable and proper facility to include in the Ross-Tech suite.

Click to expand...

Giving people the ability to read PIN codes directly from cars would mean that every time I hear of a car being stolen, I'd be wondering whether our product is responsible. This would cost me much sleep and quite possibly my sanity.

-Uwe-

Uwe said:

I expect there is indeed a PIN code in your ECU, but it is insufficient to match transponders to the immobilizer in your car, which I do think is Immo-4. Let's find out:

What do you have in MVB 081 of your Instrument Cluster or Immobilizer?
What do you have in Advanced ID of the those modules?
-Uwe-

Click to expand...

Uwe -- Unfortunately I am away from my car at the moment (and will be for a while), but I believe that the first "Advanced ID" was blank and the second read "Geraet 178129". (I do not know German, but "Geraet" apparently means "device" in English. It may also mean, in this context "challenge value" -- in which case you are going to be right as to Immo 4. Am I crazy if I remember Meas. Block 81 to have the car serial number: WAUKH78E97A122190, followed by a blank, followed by 14 0's (00000000000...)? (Which also suggests Immo 4.)

One of your people at Ross-Tech said 2007 was a "transition" year, and that, by year and model, it was either Immo 4B or Immo 4C. That said, the "determining type of Immobilizer" information that I was able to find posted on the Ross-Tech site indicated that I should expect to "have the revolving "Challenge" Value in Advanced ID." (Which may indeed be what "Geraet" really means.)

The information that it is Immo-3 came from a mechanic in a garage in the Boston area, made by reference to the part number. The garage was not especially "geeked/wired/" but, in the way that we people do, I took apparently correct information on a couple of other issues (throttle body connection) as an indication of probably correct information on this matter. (Inductive reasoning misapplied, again....) I did confirm that the part number and letter code was, by internet info, said to go back to model years supposedly in the Immo 3 period.

If it is Immo 4, I think we should translate "Geraet" conspicuously in some part of the notes or documentation on the Ross-Tech site. And, arguably, it would be nice to do for immobolizers something like what is done, for example, for bluetooth modules by a list of part numbers (providing what we think is inside them).

I remain completely on the other side of the issue as to reading PROM text w/ Vag-Com. Guilt because people steal cars? Doesn't seem right to me. I think you should sleep without the least frown. Stay sane. a) The pin code apparently can be read with other, cheaper, means (irrelevantly inexpensive to those who would be stealing cars), b) There are also very available, cheap, plug-in de-immobilizers, c) One does need a key besides, d) If we really want security, the better way "centers" on the car owner, not the car maker and some database maintained in Germany and, like SSH and SSH passwords in the world of computers, the code / program is all publicly disclosed; the user creates his own passwords and key structure properly to suit the relevant security needs, e) particularly at this point, Imm0 3 pin code cars are all something like ten years old; the need to change older parts, from a societal perspective, gets to exceed the trouble of stolen cars. Etc.

This car stuff is "security by obscurity" which, just about everybody (who is anybody) these days knows is not really the right way to do it.

I would still like to think that somehow, out of this, I end up with a way to get two new/new-ish keys/fobs for my car that I can just adapt to it and go driving, but I may be paying an Audi dealer ... Although I do have a friend who is the Service Manager at a VW dealership (but, unfortunately not much of a computers and codes sort of guy, who has said that if he can code me a couple of keys w/ ODIS, he would do it as a favor.)


Giving people the ability to read PIN codes directly from cars would mean that every time I hear of a car being stolen, I'd be wondering whether our product is responsible. This would cost me much sleep and quite possibly my sanity.

This car has Immo 4c and it is not possible to program key using VCDS.
This car has Bosch RB8 cluster and if you do not have Very good tool , you car damage this cluster very easy.
Only High $$$$ tool will do correct job for this cluster.

WFS 4 means Immobilizer 4c.

Address 17: Instruments Labels: 8E0-920-9xx-8EC.lbl
Part No SW: 8E0 920 982 F HW: 8E0 920 982 F
Component: KOMBI+WFS 4 H14 0120
Revision: 0120 Serial number: 00000000000000
Coding: 0023261
Shop #: WSC 01308 444 178129
VCID: 31694376ABF3C9B6E2-5142

No fault code found.

Jetta said:

This car has Immo 4c and it is not possible to program key using VCDS.
This car has Bosch RB8 cluster and if you do not have Very good tool , you car damage this cluster very easy.
Only High $$$$ tool will do correct job for this cluster.

WFS 4 means Immobilizer 4c.

Address 17: Instruments Labels: 8E0-920-9xx-8EC.lbl
Part No SW: 8E0 920 982 F HW: 8E0 920 982 F
Component: KOMBI+WFS 4 H14 0120
Revision: 0120 Serial number: 00000000000000
Coding: 0023261
Shop #: WSC 01308 444 178129
VCID: 31694376ABF3C9B6E2-5142

No fault code found.

Click to expand...

Thank you very much for your post. It confirms what seemed to be the emerging facts. I do think it would be good if somehow on the Ross-Tech Wiki in the "What kind of immobilizer?" section the fact that WFS 4 means Immobilizer 4C and Bosch RB8 cluster were noted.

I suppose you would also tell me to spend money ($$$ ... $$$$...????) at the dealer in order to get some keys? (I assume that if the one key I have fails, my life will only be worse.) Do you agree that the "pill" / transponder is a TP25? ("pre-programmed for Audi)? Do you agree that Fobs that duplicate my existing part number probably can be dealer programmed (provided that have a virgin TP25 inside)?

Trying to create a substitute antenna in the steering column and put the one working transponder/pill in that antenna permanently to serve any key, I'm guessing you would tell me is a somewhat foolish exercise?

Thanks again for your help.

Thank you very much for your post. It confirms what seemed to be the emerging facts. I do think it would be good if somehow on the Ross-Tech Wiki in the "What kind of immobilizer?" section the fact that WFS 4 means Immobilizer 4C and Bosch RB8 cluster were noted.

I suppose you would also tell me to spend money ($$$ ... $$$$...????) at the dealer in order to get some keys? (I assume that if the one key I have fails, my life will only be worse.) Do you agree that the "pill" / transponder is a TP25? ("pre-programmed for Audi)? Do you agree that Fobs that duplicate my existing part number probably can be dealer programmed (provided that have a virgin TP25 inside)?

Trying to create a substitute antenna in the steering column and put the one working transponder/pill in that antenna permanently to serve any key, I'm guessing you would tell me is a somewhat foolish exercise?

Thanks again for your help.

Click to expand...

Nope....... I think its a great idea and not foolish at all.........just add your own hidden kill switch.
What is foolish, is to think the immobilizer will protect you from a skilled thief........ or shit...... a tow truck!
Immo defeat and kill that crap.....

AFT RFID blanks can be made and married............don't believe the hype.........RB4 or RB8.

Experiments are in progress.

breeve said:

Thank you very much for your post. It confirms what seemed to be the emerging facts. I do think it would be good if somehow on the Ross-Tech Wiki in the "What kind of immobilizer?" section the fact that WFS 4 means Immobilizer 4C and Bosch RB8 cluster were noted.

I suppose you would also tell me to spend money ($$$ ... $$$$...????) at the dealer in order to get some keys? (I assume that if the one key I have fails, my life will only be worse.) Do you agree that the "pill" / transponder is a TP25? ("pre-programmed for Audi)? Do you agree that Fobs that duplicate my existing part number probably can be dealer programmed (provided that have a virgin TP25 inside)?

Trying to create a substitute antenna in the steering column and put the one working transponder/pill in that antenna permanently to serve any key, I'm guessing you would tell me is a somewhat foolish exercise?

Thanks again for your help.

Click to expand...

Yes , For this immobilizer generation transponder has to be preprogrammed to be able to adopt it .
However key does not have to be direct for dealer if you have right tool. But like I said tool is $$$$$.
Also used key can be programmed if you know how to modified them.

Jack@European_Parts said:

Nope....... I think its a great idea and not foolish at all.........just add your own hidden kill switch.
What is foolish, is to think the immobilizer will protect you from a skilled thief........ or shit...... a tow truck!
Immo defeat and kill that crap.....

AFT RFID blanks can be made and married............don't believe the hype.........RB4 or RB8.

Experiments are in progress.

Click to expand...

Jack on this car Immo Delete not good solution, After immo Delete , hazards activate right after start car and saty On all time and A/C quit working.

Many thank-yous again to Jack and Jetta both for comments and contributions.

Again, I can't keep myself from asking questions. Much of the information on the subject comes "occluded" I suppose one would say, and the actual facts are valuable.

The official VAG/Audi immobilizer antenna appears to be many turns of small "magnet wire." 28 ga copper has been mentioned. Is that true? The DC resistance of the coil has been described as 200 ohms. That seems higher than I would have guessed -- do we know the DC resistance of the winding? The stimulus signal has been described as 125 kHz, and the response signal as 315 mHz. (This is thus not about "tuned" ext rf components.) Are these frequencies correct? The coil one sees through the "glass" of the 'pill' must be its antenna. It appears to be maybe a bit smaller than 28 ga -- in the 30s anyway. And the pill did not act especially 'directionally' in my brief experiments. Which suggests that an antenna made of leftover small gauge kynar wire, wound around a little plastic spool-ish / round something should do pretty well????

Agreed that the immobilizer at this stage is more "dealer protection" than "theft protection." There's the tow truck, There are ads for fifty dollar devices not useful for replacing failed/damaged parts, but useful for starting the cars of other people without them.

My instincts and little bit of experience in other fields suggests tol me that *just* not responding to the immobilizer is probably not a good solution. And Uwe Ross, to problem-point, I would guess, would want to suggest that a) the Immobilizer - and its code - are wound up in the instrument cluster and b) one or another way made difficult to download and dis-assemble. Which is why one kinda focuses on the keys, rather than the boxes.

It does surprise me that nobody seems to talk about having a 'pill' reader as such. There are a loft of rfid things in the world, a lot of Texas Insts sample circuits and code, presumably other makers had to provide engineering development kits as well. A pill reader would easily work with a pill creator -- which would solve the key making problem for anybody who had a key to start with. Even if the immobilizer/pill relationship is challenge and response, the car is 'on its own' in the informational universe, so the relationship betw challenge and response is ultimately determinate.

Jack on this car Immo Delete not good solution, After immo Delete , hazards activate right after start car and saty On all time and A/C quit working.

Click to expand...

All depends how you do things..........

Many thank-yous again to Jack and Jetta both for comments and contributions.

Again, I can't keep myself from asking questions. Much of the information on the subject comes "occluded" I suppose one would say, and the actual facts are valuable.

The official VAG/Audi immobilizer antenna appears to be many turns of small "magnet wire." 28 ga copper has been mentioned. Is that true? The DC resistance of the coil has been described as 200 ohms. That seems higher than I would have guessed -- do we know the DC resistance of the winding? The stimulus signal has been described as 125 kHz, and the response signal as 315 mHz. (This is thus not about "tuned" ext rf components.) Are these frequencies correct? The coil one sees through the "glass" of the 'pill' must be its antenna. It appears to be maybe a bit smaller than 28 ga -- in the 30s anyway. And the pill did not act especially 'directionally' in my brief experiments. Which suggests that an antenna made of leftover small gauge kynar wire, wound around a little plastic spool-ish / round something should do pretty well????

Agreed that the immobilizer at this stage is more "dealer protection" than "theft protection." There's the tow truck, There are ads for fifty dollar devices not useful for replacing failed/damaged parts, but useful for starting the cars of other people without them.

My instincts and little bit of experience in other fields suggests tol me that *just* not responding to the immobilizer is probably not a good solution. And Uwe Ross, to problem-point, I would guess, would want to suggest that a) the Immobilizer - and its code - are wound up in the instrument cluster and b) one or another way made difficult to download and dis-assemble. Which is why one kinda focuses on the keys, rather than the boxes.

It does surprise me that nobody seems to talk about having a 'pill' reader as such. There are a loft of rfid things in the world, a lot of Texas Insts sample circuits and code, presumably other makers had to provide engineering development kits as well. A pill reader would easily work with a pill creator -- which would solve the key making problem for anybody who had a key to start with. Even if the immobilizer/pill relationship is challenge and response, the car is 'on its own' in the informational universe, so the relationship betw challenge and response is ultimately determinate.

Click to expand...

www.erwin.audi.com

RTFB my friend and you will know the values you seek.

If you have an existing key......... just glue the pill inside the coil ring, or take coil off and relocate, or buy second coil; and locate the key pill elsewhere with a kill switch of your own. Than everything works, and you still have protection, just not tow truck protection.........buy insurance rider.

Jack@European_Parts said:

All depends how you do things..........

Click to expand...

Absolutely true. Details matter entirely with this stuff. That noted, just saying so doesn't get us too far. Waay to cryptic to do anything with.

Is the Immobilizer code in an RB8 understood anywhere outside of Audi? (Where 'understood' means, in substance, that someone has dis-assembled it and understands its functionally.) Are there informational inputs to the RB8 system that are known that have the effect of de-immobilizing without corollary adverse effects (4-ways, A/C etc)?

Jack@European_Parts said:

www.erwin.audi.com

RTFB my friend and you will know the values you seek.

If you have an existing key......... just glue the pill inside the coil ring, or take coil off and relocate, or buy second coil; and locate the key pill elsewhere with a kill switch of your own. Than everything works, and you still have protection, just not tow truck protection.........buy insurance rider.

Click to expand...

Bentley Manual. Been there, done that, got the T-shirt, wore it, used it as a rag, pitched its grungy ... (No, I'm not still using Win XP on at 32 bit machine, you?) Insurance for this car? Not so much.

Yuh, I have an ohm meter, can measure across coil terminals when I next get to my car. That said, signal from mine -- which does always work -- is notably low, less than the 1 inch, 3 inches propositions out there. (Right, one definitely wouldn't think that current would burn these things up, but... in addition to people breaking the wire, apparently they do go 'bad'. I'm not sure we know why?) True, depending upon whose rfid chipset is in there (and what the impedance properties of the transmitting electronics are), the antenna may be, as a practical matter, all and only about proximity anyway. And two wires, yuh, but one end (one wire) may well be going, basically, nowhere. (And even if, curiously, one end does go back to ground, the right thing to do may be to make a much less wound antenna, and just not take the far end down to ground; connect just to the one "live" wire.) May actually not want, for optimum, to use another Audi antenna.

From pictures, there appears to be a convenient plug in there; the antenna (round black plastic object around key) appears to plug in about four inches down the steering column. Therefore, as a matter of being graceful, it would seem that the right thing to do would be to "plug in" a suitable substitute, probably not nearly as big around as the back plastic ring. Which just lifts out from around the lock? -- or is glued in? The pill cones in a little gray enclosure of a sort. That enclosure could probably do fairly well with just a smallest ty-wrap or two to the center of a plastic "bobbin" affair that was wrapped with 30 ga kynar. (That stuff is about .3 ohm / meter -- which means that just to get to 10 ohms dc - random number - that about a hundred feet on the "bobbin". In any event, one would end up with a unit about the size of a milk bottle / cider bottle cap (winding depending) with two wires to the plug. Pretty manageable.

But this is cars. And with cars we have a whole culture in which everybody does everything possible to 'hide' basic technical details, starting with the car makers, continuing to the dealers...

I will be continuing (although sorta left-handed - I have a couple of other things to do) on my research project. We'll see what I learn.

IMMO 4c, 2007 A4 B7, RB8, Adapting keys attempt,"L3 3-4" on odometer, keys work, UGLY

Because there are a lot of other things to do in life, I got to the point of having one old, original, but sad key and two prepped keys (New Megamos ID 48, TP25, in unlock state) sitting around... when showed up in my world a certified "Auto Locksmith" (with a store and an ad in the "Yellow Pages" etc.) who said he was sure he could code them to my car for a fee that was reasonable. He showed up in a van that said "Auto Locksmith" all over the side of it, etc. received keys, car; used two devices (he was in car, I wasn't - just saw the two big plastic-y things with "handles" get connected to ODB connector) and we have the results here noted:

1. Now all three keys start the car. Every time. Brrrmmmmm... (New Keys were also easily adapted to work door locks -- although not, hmmm, by said locksmith).
2.The odometer reads "L3 3-4" -- and reads this all the time. Car off, car on...still same. (I am given to understand that is a message from the Immobilizer/ Inst Panel saying, in effect, that three keys have been presented for adaptation, and it is expecting a fourth). But thi is not "DeF" and this is not "SAFE".
3. Inst Panel / Immo Measuring Blocks in the 20's for the ORIGINAL key are one's all the places one wants ones (yes-engine start, yes immo, yes ECU). Immobilizer is shown at level 3. shows three keys have been adapted to car.
4. Meas Blocks for two new keys have ECU - but only ECU - posting 0/'no'. Otherwise the same as original key.

And.... it would be dumb question time. Answers always very much appreciated:

a. I believe the immobilizer has six levels (1-6). Six is 'normal', 1 is not yet installed. Is there any documentation anywhere regarding RB8 Immobilizer levels and what they "mean" / entail? Does anybody know anything about level 3? Is there a way to change levels as such? Just change? Is 3 the 'ordinary' key-programming level?

b. Is the proposition that Immobilizers 'reset' themselves (eventually?) when they enter certain states mere blog noise? How about the idea that one can de-power the Immobilizer (disconnect the battery, bleed out stored charge.. in capacitors somewhere ... w/ brake pedal, or grounding b+) also just an odd notion offered up by those who don't know?

c. Should I dare try to re-set the Immobilizer anyway? Or is it just a bad idea ... for example due to 'lock-up' or loss of other coding... Will the two keys to which the ECU says 'no' no longer start the car after a 'reset' of one kind or another?

d. Do we all agree that all of the Megamos 48 transponders involved have 256 bits of memory content, do NOT have the VIN in them, have a 32 bit 'device id' that is 'read only' (never written / un-writeable) and have a 32 bit pin code and 96 bits of 'secret code' (that are write-only and only when the lock bits are NOT set).

e. Is there anybody who thinks that the contents of the write-able memory can be changed while the pill is in a key and the key is in the car?

f. Anybody have an interesting theory as to what has actually happened? Ex. secret code has been matched but not pin - therefore ECU is saying 'no'? Or, it doesn't really matter what the ECU says. Or - it only matters what the ECU says when the Immo does a reset -- and then it takes the ECU's word for things....

f. Can you get an inspection sticker in your state without a working odometer? Anybody know about my state (Massachusetts)?