
Wanted: Memory dump for MC68HC08 series Immobilizer module from Jeep Grand Cherokee.



Stroker347
29th March, 2021, 07:07 PM
I want to develop a method to program keys, using the inexpensive ELM327 OBD2 interface, for Jeep Grand Cherokees (or likely any Chrysler) from 2004 to possibly 1999 that use the MC68HC08 series chip for the SKIM immobilizer. I succeeded at key fob programming, using the ELM, working with the passenger door module (https://www.jeepforum.com/forum/f310/diy-key-fob-programming-99-04-jeep-gc-wjs-4338227/). For key programming, however, I need to disassemble the SKIM immobilizer code bytes in secured memory region BE00 to FFFF. With the benchtop SKIM module that I am using (PN: P04686665AD, Immobilizer 3, MC68HC08AB16A, Mask ID 0L72A) I have been unable, after trying 48 different security byte combinations, to find one that unlocks it. Of those, 34 came from the “hc08 security 100%” list posted on this forum and the remaining 14 came from suggestions from another posting and from various forums. So I would like to know if anyone has successfully read a similar immobilizer and would they be willing to make the file, containing at a minimum the region from BE00 to FFFF but ideally all from 0 to FFFF, available to me for this project?

Thanks in advance.

Stroker347
2nd April, 2021, 07:11 PM
For those looking for security bytes for the MC68HC08 series chips, I have attached a fairly comprehensive list. Hopefully if one of these works for you, you would be willing to share and attach a 0 - FFFF memory dump from that chip.

habs44
12th June, 2021, 09:33 PM
Hi Stroker, were you ever able to find the password to this secured MCU? I have a 2004 Dodge Ram 1500 SKIM module that I'm unable to read due to incorrect password.

Stroker347
19th June, 2021, 03:24 PM
No, I did not, but fortunately the EEPROM region was not secured in my module. The 0L72A is a MC68HC08AB16A chip which uses the hard wired EESEC bit of the Mask Option Register B (bit 5 of location $003F) to secure access to the EEPROM region. This bit was not set in my module and I could read the EEPROM region ($0800 to $0A00) in spite of not having the 8 security bytes. The PIN was located at bytes 7 & 8 of the EEPROM region. I used a UPA-USB programmer set at 7680 baud and used any arbitrary security bytes to enter Monitor Mode and gain access to the non-secured memory. On my module the PTC0 pin was grounded on the board and it was necessary to lift that pin to get into Monitor Mode. I would still like to read the ROM regions, which are secured, and I do need the security bytes for that. So if you come across any that work for this chip, that are different from those in the lists that I already tried, I would appreciate your sharing them.