Quick And Dirty Immobilizer Hack Lets You Use Cheaper Dumb Keys

Car enthusiasts can find themselves in a pickle if they’re into cars from the 80s and 90s. These vehicles are much beloved by some, but owners can find themselves having to fork out immense amounts of money for repairs and out-of-production parts. Once a car passes the 15-year milestone, manufacturer support can suddenly start to dry up. Even just getting a set of keys can be a problem.

Modern cars tend to use a small chip implanted in the key as a security measure. This chip functions similarly to an RFID tag: it is energised by the car’s reader when the driver turns the key in the ignition. If the chip returns the right code, the engine computer allows the car to start. Getting a new key cut and recoded is expensive, particularly on older cars. Naturally, though, there’s a way to hack around the problem.

The trick is to perform surgery on an existing good key to extract the working chip inside. This chip can then be permanently affixed to the immobilizer’s antenna in the steering column. This allows the driver to use any properly cut “dumb” key to start the car, as the chip will always provide the right signal at startup; the trade-off is that the car’s security then rests on the mechanical lock alone, since the immobilizer check is always satisfied. It takes some finesse to avoid damaging the delicate chip inside and to know where to look – but with a little work, it’s achievable by even the novice hacker.
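As an added illustration (not code from the Hackaday article, and not any manufacturer’s actual protocol), here is a small Python model of the two paragraphs above: an engine computer that only starts when the cut key turns the cylinder and an enrolled transponder answers on the antenna. It models the fixed-code chip the article describes and, for contrast, a challenge-response chip; the HMAC construction, the identifiers and the secrets are constructed assumptions, and the “enroll” step stands in for the dealer “recoding” the article mentions.

```python
"""Toy model of a key-transponder immobilizer (constructed example)."""
import hashlib
import hmac
import os


class FixedCodeTransponder:
    """Older-style chip: when energised by the reader it always returns the same ID.
    This is the kind of chip that 'always provides the right signal' once it is
    taped to the antenna."""

    def __init__(self, ident: bytes):
        self.ident = ident

    def respond(self, challenge: bytes) -> bytes:
        return self.ident  # the reader's challenge is ignored entirely


class ChallengeResponseTransponder:
    """Chip holding a per-key secret; its answer depends on the reader's challenge.
    The truncated HMAC-SHA256 tag is an assumption for illustration, not a vendor cipher."""

    def __init__(self, ident: bytes, secret: bytes):
        self.ident = ident
        self.secret = secret

    def respond(self, challenge: bytes) -> bytes:
        tag = hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]
        return self.ident + tag


class Ecu:
    """Engine computer: releases the engine only when the cut key turns the
    cylinder AND an enrolled transponder answers correctly on the antenna."""

    def __init__(self):
        self.enrolled = {}  # ident -> secret, or None for a fixed-code key

    def enroll(self, transponder) -> None:
        """The 'recoding' step a dealer performs when a new key is made."""
        self.enrolled[transponder.ident] = getattr(transponder, "secret", None)

    def transponder_ok(self, reply: bytes, challenge: bytes) -> bool:
        for ident, secret in self.enrolled.items():
            if secret is None:
                if reply == ident:  # fixed code: any reply equal to the ID passes
                    return True
            else:
                expected = ident + hmac.new(secret, challenge, hashlib.sha256).digest()[:8]
                if hmac.compare_digest(reply, expected):
                    return True
        return False

    def may_start(self, transponder_reply, cylinder_turned: bool, challenge=None) -> bool:
        """transponder_reply: callable(challenge) -> bytes, or None if no chip is in range."""
        if not cylinder_turned or transponder_reply is None:
            return False
        challenge = challenge or os.urandom(8)  # fresh challenge per start attempt
        return self.transponder_ok(transponder_reply(challenge), challenge)


def demo_fixed_code() -> dict:
    ecu = Ecu()
    chip = FixedCodeTransponder(b"\x12\x34\x56\x78")  # constructed key ID
    ecu.enroll(chip)
    other = FixedCodeTransponder(b"\xde\xad\xbe\xef")  # a key the ECU never saw
    results = {
        "enrolled_key": ecu.may_start(chip.respond, cylinder_turned=True),
        "unenrolled_key": ecu.may_start(other.respond, cylinder_turned=True),
        # dumb key, no chip anywhere near the antenna: immobilizer blocks the start
        "dumb_key_no_chip": ecu.may_start(None, cylinder_turned=True),
        # dumb key with the good chip taped to the antenna: the chip always answers
        "dumb_key_chip_on_antenna": ecu.may_start(chip.respond, cylinder_turned=True),
    }
    # a fixed code carries no freshness, which is why such chips are easy to clone
    cloned_reply = chip.respond(b"ignored")
    results["cloned_chip"] = ecu.may_start(lambda c: cloned_reply, cylinder_turned=True)
    return results


def demo_challenge_response() -> dict:
    ecu = Ecu()
    chip = ChallengeResponseTransponder(b"\x12\x34\x56\x78", secret=b"constructed-secret")
    ecu.enroll(chip)
    results = {"enrolled_key": ecu.may_start(chip.respond, cylinder_turned=True)}
    # a reply recorded against one challenge does not satisfy a different challenge
    recorded = chip.respond(b"\x00" * 8)
    results["recorded_reply"] = ecu.may_start(
        lambda c: recorded, cylinder_turned=True, challenge=b"\x01" * 8)
    return results


if __name__ == "__main__":
    print(demo_fixed_code())
    print(demo_challenge_response())
```

The model shows why the hack works (with the chip permanently on the antenna, only the mechanical cylinder still gates the start) and why a new key must be enrolled before the ECU accepts it. A genuine chip taped to the antenna satisfies either scheme, so challenge-response does not change anything about this particular trick; what it changes is that a chip’s reply cannot simply be copied.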

It’s a simple hack that can save hundreds of dollars, and is a great way to keep your modern classic on the road for cheap. You can always take things a step further though, and CNC yourself a key from scratch if you’re so inclined.

33 thoughts on “Quick And Dirty Immobilizer Hack Lets You Use Cheaper Dumb Keys”

    1. The point of the immobilizer was to add a second factor to the authentication scheme. That made sense when the car was new and valuable. Many years later, not so much. Mooting the immobilizer doesn’t mean the car still doesn’t need the key to start.

      1. On second reading, I think I misunderstood.

        You can tape a key to the steering column and its chip would work the immobilizer, but then a crook just needs to grab the key and take the car.

        Separating the chip from the key means that you still have to obtain the key (or moot the lock) to start the car.

        1. You can always make a dumb copy and tape the original to the inside of the steering column, hiding it in the process. You can also “cripple” the original by cutting the metal so no one can use the key if they somehow find it.

        2. If the original key is capable of starting the car, then you can just continue to use it, you don’t need this immobiliser hack.

          That said, I think this is a terrible idea. It’s not new cars that get stolen (in Australia at least) – it’s old cars, because there’s a huge market for parts for old cars (for obvious reasons) so they steal the old cars and sell them for parts. Right now Nissan Pulsars are a huge target for car thieves.

          I know because I originally didn’t bother getting a car alarm for my Nissan Pulsar thinking nobody would steal an old bomb. Now that I no longer have a car I know better.

    2. This is what they apparently do, but the additional chip in the new key causes problems with the systems, so they pull it out of the key to make a chip-less key.

      Admittedly, you can just microwave the key for 1 second, and the chip on the key will be a paperweight.

  1. Is it really a hack? I thought it was common practice, but that’s definitely some good knowledge to share.

    It’s often possible to open the shroud between the dashboard and the steering wheel to tape the RFID chip around its antenna. This way everything looks stealthy.
    As someone who likes old junk, I don’t think anyone is going to steal it, so that makes plenty of sense.

      1. I have owned my 2009 Outback for over a decade now.

        I only discovered this winter that it had an RFID immobilizer to authenticate keys and that Subaru’s “valet” keys are about as useless as possible for that sort of purpose – because they’re basically good for only the things you DON’T want a valet key to do.

        They open up any physical lock in the vehicle (trunk, glovebox, etc.) but won’t allow it to move.

  2. Agree, if you’re worried about someone opening up the steering column to take the key out and start the car, then just cut the key part off and leave the RFID part intact.

  3. Reminds me of what some people will do to keep their tire monitor system happy when using aftermarket wheels; a pressurized container made from plastic is used to hold all of the tire pressure monitors and stored somewhere on/in the vehicle.

    1. Had to trade in my 05 work van last year for a brand new one and within a week had TPMS errors. After 3 trips to the shop, and as many replacement sensors, I went with the easier approach: a 1/2″ strip of electrical tape over the warning light.

    2. Certain versions of the Corvette change engine mapping and fuel delivery based on tire pressure. I’ve known drag racers who used the pressurized container trick so that they could change the actual tire pressure without the system affecting performance.

  4. I first did this around 2000 with a Nissan key that used a Hitachi passive transponder. If you have access to OBDII or ECM you could also just disable the system. I’ve yet to see a maker that you couldn’t do plug and play ECM on or even disable the check.

    The actual crypto firmware that the RF bus communicates with is always in the BCM or a dedicated “SKIM” module if you want to actually attack the crypto (it’s not uncommon for debug to be enabled and even BGA to be mapped). Sometimes the “SKIM” is a black box right next to the key-lock and it either controls ECM ground or authenticates against some ECM meta data.

    1. Do you know where there’s some documentation on disabling an immobilizer with OBDII?

      I could use that on my car, I’m down to only one key that will start the vehicle but I’ve got some spares that are kinda useless.

      I don’t even care if it requires functionality that isn’t present in normal ELM dongles, I’ve got a Canable and pyvit.

      1. There is no documentation. I watched it done with an ECM/PCM flash tool on an OEM Mopar unit and the tool listed pretty much every make. Plug&Play ECM/PCM units you order by sending in your unit sometimes do the same. You’ll usually just have the indicator stay lit.

        Car thieves are known to use plug&play ECM/PCM and break or remove lock cylinder.

        Older units just restricted ECM/PCM ground and you could hotwire past the system.

    2. Crud, somehow my first attempt at leaving this reply failed?

      Do you know where there’s some documentation on disabling an immobilizer with OBDII? I’m down to one transponder key remaining for my car and I’ve got a Canable + pyvit.

    3. I’m pretty sure the Volvo the key in the article comes from doesn’t allow disabling the key check. (Seems to be similar vintage to my car. At the time Volvo didn’t really use normal OBDII. You need the Volvo software and a compatible interface box to work with the system.)

  5. SAAB used the same chip inside the early OG9-5 and all OG9-3 keys. It’s possible, with some judicious application of force, to pop the key apart and use a pair of needle nose pliers to pull the chip out. When the TWICE module in my 9-5 died (essentially the body control module, but it also handles the immobilizer), I pulled the immobilizer chips out of the keys that came with the new (used) replacement and transplanted them into my car’s original keys. Saved having to get new keys cut, or changing my ignition barrel to match the keys that came with the replacement TWICE.

    At some point in mid 2003 SAAB decided to epoxy the key together, essentially making it impossible to remove the immobilizer chip without destroying it, probably partly as a cost saving (fewer parts in the key), and partly to stop people doing what I did. It didn’t stop you from doing EPROM swaps between dead TWICE modules and good replacements. Though that’s a little harder considering the TWICE is under the carpet under the driver’s seat and the tiny pin pitch on the EPROM. xD

    1. I’d have to have another look, but from memory, on the early 9-3s and probably the 9-5, the TWICE only inhibits the starter motor via a relay ;-).

      Unlike newer cars, i.e. VWs, that require valid handshaking between the ECU, dash, and the module in the steering column.

  6. I’ve had to repair my i10 key before; it’s also got a chip.

    In case anyone else has this problem, the switches can indeed be replaced.
    Used tested units from old laptops work.

  7. Many of the old RFID chips have been hacked and documented to the point you can get them cloned at any auto or hardware store for under 100 a pop, or an ACTUAL locksmith, or buy a cloner for the same (they even come in Android phone versions!) and a blank key and do it yourself for less. No need to deal with a stealership or reprogram an ECU. Cloning is the future past perfect.

  8. If I recall from my youth of installing remote starters in 90s cars, the “ring” around the key has only 2 wires, meaning that there is no “code”; it’s not an RFID. You merely insert the key into the lock, measure the resistance on the ring with the key in, disconnect the ring, and use a bunch of different resistors in series and parallel as needed to match the exact resistance of the ring when the key is installed.

    Remotely starting a car is exactly like hot-wiring it on command from a distance, so we had to figure out how to do it.
