Security bytes needed for MC68HC08AB16A, Mask ID 0L72A, from 2004 Jeep GC, IMMO 3

**Stroker347** · 27th March, 2021, 02:43 PM

I have a Siemens Immobilizer 3, P04686665AD, which I am reading with an IPA-USB V1.3 Programmer. It is an MC68HC08AB16A but can be read with the setup for an MC68HC08AZ32A. To read it in-circuit I had to lift pins PTC0 and PTA0 and use a 9V battery to supply enough VST voltage to pin IRQ to enter monitor mode. I have verified with traces obtained with a digital oscilloscope that eight security bytes are being sent by the programmer and echoed by the MCU following a power on reset (POR). After receiving the eight security bytes the MCU sends the expected break signal and responds to subsequent commands to read memory. I have tried 19 different security byte combinations, obtained from this and other forums, but none of them have worked. I perform a POR before sending each combination to ensure that monitor mode is being re-entered and that all eight bytes are being received. I can read all the non-secured parts of memory in the range 0 – FFFF but the secured parts return “AD”. I’m hoping that someone may know a security byte combination that will work or that is different from what I have already tried. The following are the combinations that I have tried:

F3-B1-F3-AB-F3-A5-F3-9F
BE-07-BD-57-BD-57-BD-54
F1-6A-FA-04-E4-DA-FA-04
F9-F1-F9-F4-F9-F7-F9-FA
FD-F7-FF-FF-FD-FA-2C-F9
C0-18-C0-18-C0-18-C0-18
FB-C6-FB-CC-FB-D2-FB-D8
EE-D6-FF-FF-EE-D6-EE-D6
DC-A0-DC-93-E1-24-DC-A0
BD-57-BD-57-BD-57-BD-54
A7-05-A6-58-A6-58-A6-55
FF-DD-FD-E0-FD-E3-FD-E6
E0-A6-B1-24-B1-24-E0-A6
9F-A4-F6-E0-F6-E0-F6-E0
9F-9C-F6-98-F6-98-F6-98
81-10-81-2F-81-2F-81-2F
DA-AC-E5-2C-E5-2C-E5-2C
FF-FF-FF-FF-FF-FF-FF-FF
00-00-00-00-00-00-00-00

Thanks in advance.

**Gesha Nemirov** · 27th March, 2021, 04:26 PM

Hi.F3-B1-F3-AB-F3-A5-F3-9F 100%

**Stroker347** · 28th March, 2021, 12:41 AM

Thanks Gesha, but that one is the first in my list of one's that I already tried that did not work. I found another for the 0L72A, F5-13-F5-0D-F5-07-F5-01, and a generic one, F5-12-F5-0C-F5-06-F5-00, that didn't work either.
Does anyone have anything different?

**dtip** · 28th March, 2021, 01:44 AM

Try F5-2A-F5-24-F5-1E-F5-18

**Stroker347** · 28th March, 2021, 05:35 AM

Thanks, dtip but unfortunately that one doesn't work either. I recently found the "hc08 security 100%" list, from the hc08sec.ini file, that was posted on this website and I've already tried all the combinations on that list except those for the hc908 and hc708 chips. I'm thinking since those chips came out later than the one I'm dealing with that those combinations would not be applicable. Does anyone disagree?

**Zmann** · 28th March, 2021, 06:31 AM

If you have ETL908 programmer that might help to find the SS.

**Gesha Nemirov** · 28th March, 2021, 09:06 AM

Hi.lift up IRQ,Reset.Try it 3.3v

**Stroker347** · 29th March, 2021, 04:24 PM

Instead of lifting the IRQ pin, and risking damage to the chip, I use a 9V battery and SCR switch, triggered by the programmer, to get the necessary Vtst and timing to enter monitor mode. This has proven to be very reliable. To verify that the security bytes are being sent and received I use an inexpensive Logic Analyzer to capture the communication between programmer and mcu. Attached are two example outputs from one of those captures. One shows just the security bytes being sent and received followed by the mcu sending a break signal to indicate it is ready to receive commands and the other shows the following read command sequence with the mcu echo bytes and memory data that follows each sequence. The capture data is for one of the "hc08 security 100%" security combinations for Mask ID 0L72A. I have now tried all 34 combinations from that list as well as 14 additional ones that were suggested or obtained from other postings. None of them have worked, ie they all result in "AD" being returned for secured memory locations. I conclude that this SKIM has a truly unique security byte combination but I welcome any further suggestions for security byte combinations. In lieu of reading the secure memory locations from this SKIM, I would like to know if anyone has a successful ROM dump, which includes region BE00 to FDFF, from a similar vehicle SKIM, Jeep Grand Cherokee year 2004 down to 1999 that they could provide me. My goal is to dissassemble the code and figure out what it is doing for key programming in order to develop a method of key programming that can be done with an inexpensive ELM327 ODB2 interface. I have already succeeded at doing this, with the passenger door module, for key fob programming.
0L72A_4_sec_bytes.JPG 0L72A_4_read_bytes.JPG

**Stroker347** · 31st March, 2021, 04:38 PM

I found a more extensive list of HC08 security bytes, on mhhauto.com, than what I previously had and what is included in “hc08 security 100%” on this site. For the benefit of everyone looking for security bytes for the MC68HC08 series chip I have attached images of everything I have found (73 combinations in total not counting duplicates), including some that were suggested by others but for which the Mask ID is unknown. I have now tried 73 different combinations with my IMMO chip but none of them have worked for me

. Hopefully the attached list will be more useful to others. I would still welcome any new suggestions or would like to get a full memory dump (0 – FFFF) from a similar vehicle IMMO chip as mine from anyone who has successfully unlocked theirs.
HC08 security bytes 1 of 3.JPG HC08 security bytes 2 of 3.JPG HC08 security bytes 3 of 3.JPG HC08 security bytes 100%.JPG HC08 security bytes unknown origin.JPG

**fuzz1** · 11th July, 2021, 12:46 PM

Try to desolder the MCU from the board. Or remove the capacitor to the mcu then cut the traces for reset.

Cutting traces is easier to repair than broken MCU leg definitely