Hello,
after more than 2 years of research and development and more than 1000€ of hardware costs i managed to understand how the immobilizer between engine control unit and skreem works.
And it was possible for me to find a way on which I want to replace the Skreem module. The first (and maybe most difficult) step is to unlock the immobilizer with my hardware and then start the car. This is done
The first prototype on a breadboard is finished and working.
See:

The next steps are to build a second prototype on a perfboard and install it in my Crossfire to do a long term test.
At the same time I still have to find solutions for the remaining functions of the Skreem module like opening and closing the car, deactivating the alarm system etc.
The goal of the project is to replace the existing Skreem module 1:1 with my "Skreemulator".

Greets Andre

 

Keep us posted. Sounds like great work!!!

 

Estimated cost ?

 

If you can just get the car to start you have a product you can sell.

 

The price is set by his customers and competition, charge as much as you can to stay in business

 

this.

 

No, you don't. If you can, fine - but you don't need to do that to have an item you can sell.

 

Great job so far, and thank you for taking on the under taking of resolving electronic issues that can help others.

 

Good! Someone is working on a way to solve a huge problem that we all probably face. Good work, Sir! Please keep us informed of your progress.

Jim

 

It may be premature, but I nominate Andre for the Crossfire Hall of Fame !

 

As a start $1000, and for you sceptics This will double the value of your car's resale value. To have something that you can drive until the engine fails

 

That is exciting news, Andre! Looking forward to any updates as you do further testing.

 

Thank you very much for your praise, I can only calculate what the module ultimately costs once I have integrated all the functions.
Surely you could offer it like this but my goal is to replace the skreem completely, because with the original key fobs there are also delivery problems.
But I am not sure which way I will go, again with radio keys, with rfid tags or...

But anyway i need help from you find someone who can deliver the finished modules to you in the us and take over the service.

This person must meet the following requirements:

1. he must be known to you as reliable
2. he must have at least one Crossfire
3. he must be able to program the EEPROM of the PCM
4. he must take care of customs clearance

My goal is to make a collective order later, the person has to collect the money (the whole thing would only be possible by prepayment) and send my share to me.
Later he would get a package with all ordered modules from me and has to send them to you.

Of course he does not do this for free, I would then agree with him to set a total price for you where all costs like shipping, customs and support are included.

He must be able to program PCMs, for those where the skreem is already broken.
There I will deliver my module together with codes, so that he only has to program your PCM for these codes.
By programming I mean changing Code in the EEPROM on the PCM.

 

We rarely need new parts for our SKREEM repairs, but in the event a module does completely fail, it would be good to have you as a source. Send us your info when you have it ready to test.

 

My test shows that the skreem module can only produce a defined number of codes. I thing it is 65535 so every module will fail some times. I think your repair is to program the skreem and pcm new so that they are able to produce codes again. I would be able to do the same, my module doubles the codes who are left on any skreem or I can provide a EEPROM with 8000 Codes and an instruction how to program the PCM to use them. You can so always used this 8000 Codes again you have only program the PCM new.

 

first off, awesome work so far. This stuff looks like rocket science to me, so hats off to you sir.

Regarding the fixed amount of codes the SKREEM can produce; how many are sent for every start/stop cycle? This could give us a base estimate of how many car trips a SKREEM has in it, before it dies.

 

65,535 starts, so if I keep it at 20 starts a week, I should be good for 63 years, sweet, makes me feel better

I wish there was a cost effecient way to get rid of skreem, and all security.
keys just need cut and no rfid.
if I want to unlock doors, a separate stand alone system.
If I want a alarm, another separate system.

Ecu only has one job, make the car run, cruise control and gauges, as almost a stand alone system.
LEDs issues, less problems, more reliable.

 

You only drive it 3 times a day 😜?

I’d recon the SKREEM sends multiple call/response codes every start/stop as the video showed it had a lot of codes in there. Also I heard a lot of failure stories on this device, so there must be something to it why it doesn’t survive the engine. Love to hear more about that.

 

Every time you switch the ignition lock to Pos 2 (where all lights of the dashboard goes on) you used 1 key also if you don't start your car.

 

The 65,535 are estimated by me (2 bytes) maybe the code length which the skreem sends to the PCM also limits the number (8 bytes).

A rolling code system normally works in such a way that there is a secret and a formula that both parties (Skreem and PCM) know and a consecutive number.
This is how the simplest form looks like:
Code = Secret + Sequential number.
But since this would be much too easy to crack, the formula is more complicated, e.g:
Code = (Secret + 14 + (Consecutive number * 4)) /2
The consecutive number prevents codes from being easily intercepted and reused.
Only codes with a number that are higher than the last one used will be accepted.