I hacked the Skreem, the Skreemulator
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
As already written my goal would be to replace the skreem completely, if only because of the delivery problem with the key fobs. I had read somewhere that Mercedes has problems to get suitable transponders. This electronic components are no longer produced because the transponders used by mercedes are from the 90s.
But if there is more interest from your side to have only a bypass for the immobilizer, I would be finished with the development and could offer this after several months of testing.
What do you want?
1. only bypass
2. skreem replacement
But if there is more interest from your side to have only a bypass for the immobilizer, I would be finished with the development and could offer this after several months of testing.
What do you want?
1. only bypass
2. skreem replacement
that would make easier to decide which 1.
Last edited by phil alvirez; 01-28-2020 at 12:12 PM.
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
I have reproduced this three times, so I'm sure that the skreem can only provide a finite amount of codes, if this is because they have only two bytes for the counter variable of the rolling code system or why the only have a 8 byte code, I don't know.
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
well, not to contradict you, but there are lots of articles written on planned obsolescence. for instance:
https://www.google.ca/search?hl=en&s...iz.3MbaJlB1eSw
even another goes as far as saying: Using software to program a product, like a printer, to fail after a set period of time or number of actions
and another: https://timeline.com/gm-invented-pla...e-cc19f207e842
more: https://auto.howstuffworks.com/under...ed-to-fail.htm
https://www.google.ca/search?hl=en&s...iz.3MbaJlB1eSw
even another goes as far as saying: Using software to program a product, like a printer, to fail after a set period of time or number of actions
and another: https://timeline.com/gm-invented-pla...e-cc19f207e842
more: https://auto.howstuffworks.com/under...ed-to-fail.htm
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
I believe (correct me if I'm wrong) Viper-666 is referring to a transponder bypass, not a SKREEM bypass. In other words, programmed keys would not be necessary, but his SKREEM still would be. The transponders are not the problem, the handshake between the ECM and SKREEM is the problem. A true bypass or immobilizer delete would involve rewriting the program for the ECM, as previously noted, so it no longer looks for authorization from the SKREEM. Not simple on this model. I see no need for a transponder bypass. Transponders are and always will be readily available. You will only be making your car easier to steal and you would still need a SKREEM module (his). But, to each his own. I'm going to keep my transponders and fix the SKREEM IF and WHEN necessary. So far, neither of our cars has ever had an issue. Of all the Crossfires we have worked on, only one or two had a real SKREEM hardware failure.
We look forward to seeing your finished product Viper-666.
We look forward to seeing your finished product Viper-666.
I would only disagree in a few points, i don't think that transponders from the 90s are always available. The ones used by mercedes were orginal from phillips and they weren't produced from them since a long time ago.
There are still replicas now, but you always have to see what quality you get. But the demand for these transponders is decreasing year by year because the number of cars using these transponders is decreasing. At some point the replicas are no longer worthwhile.
And as I know the transponders can not be copied so you can make max. 8 pieces for one skreem where mercedes has already preprogrammed the codes in the skreem. And new transponders can only be made with a lot of effort or if you be a dealer you can buy the codes from mercedes/chrysler.
My module would be, depending on the version, a bypass of the immobilizer, which then only needs the original key with transponder to extract new codes from the skreem. But in this version a working key would still be necessary to open and close the car and deactivate the alarm. In the bypass version the immobilizer would also be disabled because you can start the car with all keys who fit or simply by connecting the right wires how often shows in movies.
The Version 2 would also do the opening and closing and disarming of the alarm. And in addition, the transponder would have to be used before the start, so the immobilizer would be retained.
For all versions it would be possible to get a preprogrammed EEPROMs with 8000 codes and instructions how to program the PCM. When the codes are used up you can program the PCM again according to the instructions and use the codes again. This can be repeated infinitely. If you buy two EEPROMs preprogrammed by me you will always have 16.000 codes before you have to reprogram the PCM.
And to disable the immobilizer completely I agree that you have to find first a way to do this and then reprogram the PCM completely.
Last edited by Viper-666; 01-28-2020 at 02:01 PM.
Join Date: Jun 2009
Location: Fort Worth, Texas
Age: 64
Posts: 13,489
Received 903 Likes
on
704 Posts
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
Hello,
after more than 2 years of research and development and more than 1000€ of hardware costs i managed to understand how the immobilizer between engine control unit and skreem works.
And it was possible for me to find a way on which I want to replace the Skreem module. The first (and maybe most difficult) step is to unlock the immobilizer with my hardware and then start the car. This is done![Very Happy](https://www.crossfireforum.org/forum/images/smilies/icon_biggrin.gif)
after more than 2 years of research and development and more than 1000€ of hardware costs i managed to understand how the immobilizer between engine control unit and skreem works.
And it was possible for me to find a way on which I want to replace the Skreem module. The first (and maybe most difficult) step is to unlock the immobilizer with my hardware and then start the car. This is done
![Very Happy](https://www.crossfireforum.org/forum/images/smilies/icon_biggrin.gif)
The most part what you say is true and shows that you have a lot of expertise.
My module would be, depending on the version, a bypass of the immobilizer, which then only needs the original key with transponder to extract new codes from the skreem. But in this version a working key would still be necessary to open and close the car and deactivate the alarm. In the bypass version the immobilizer would also be disabled because you can start the car with all keys who fit or simply by connecting the right wires how often shows in movies.
The Version 2 would also do the opening and closing and disarming of the alarm. And in addition, the transponder would have to be used before the start, so the immobilizer would be retained.
For all versions it would be possible to get a preprogrammed EEPROMs with 8000 codes and instructions how to program the PCM. When the codes are used up you can program the PCM again according to the instructions and use the codes again. This can be repeated infinitely. If you buy two EEPROMs preprogrammed by me you will always have 16.000 codes before you have to reprogram the PCM.
And to disable the immobilizer completely I agree that you have to find first a way to do this and then reprogram the PCM completely.
My module would be, depending on the version, a bypass of the immobilizer, which then only needs the original key with transponder to extract new codes from the skreem. But in this version a working key would still be necessary to open and close the car and deactivate the alarm. In the bypass version the immobilizer would also be disabled because you can start the car with all keys who fit or simply by connecting the right wires how often shows in movies.
The Version 2 would also do the opening and closing and disarming of the alarm. And in addition, the transponder would have to be used before the start, so the immobilizer would be retained.
For all versions it would be possible to get a preprogrammed EEPROMs with 8000 codes and instructions how to program the PCM. When the codes are used up you can program the PCM again according to the instructions and use the codes again. This can be repeated infinitely. If you buy two EEPROMs preprogrammed by me you will always have 16.000 codes before you have to reprogram the PCM.
And to disable the immobilizer completely I agree that you have to find first a way to do this and then reprogram the PCM completely.
If you are keeping the "immobilizer" function, what is it that you have "Hacked"? What am I not understanding here? I understand that we have a language barrier, so maybe that is the problem with me not understanding what you are saying.
Last edited by pizzaguy; 01-28-2020 at 03:06 PM.
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
perhaps if we try to explain what hacking really means?
Hacking generally refers to unauthorized intrusion into a computer or a network. The person engaged in hacking activities is known as a hacker. This hacker may alter system or security features to accomplish a goal that differs from the original purpose of the system.
Hacking generally refers to unauthorized intrusion into a computer or a network. The person engaged in hacking activities is known as a hacker. This hacker may alter system or security features to accomplish a goal that differs from the original purpose of the system.
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
Viper,
I am an Electrical Engineer and an Arduino enthusiast. I would be happy to help in any way I can, as I only have one key for my Crossfire and am deathly afraid of losing it haha. I don't have ECM programming equipment - unless the USB-OBDII communications cable provided by Eurocharged counts...
From my perspective, the highest value of this product would be a bypass of the immobilizer so that we could use any keys that fit, combined with a simpler "kill switch" that we could hide somewhere to replace the fancy immobilizer.
I am an Electrical Engineer and an Arduino enthusiast. I would be happy to help in any way I can, as I only have one key for my Crossfire and am deathly afraid of losing it haha. I don't have ECM programming equipment - unless the USB-OBDII communications cable provided by Eurocharged counts...
From my perspective, the highest value of this product would be a bypass of the immobilizer so that we could use any keys that fit, combined with a simpler "kill switch" that we could hide somewhere to replace the fancy immobilizer.
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
The hack is, that I used valid codes who are extracted from your skreem and double them. Or I can use valid codes form an other skreem (and program the PCM that it accepted this codes) this where eg. my EEPROMs. And this works already now I will install my prototyp hopefully this weekend (unfortunately I am very busy with my job at the moment so that I also have to work on Saturdays so that I have not so many spare time) so that I can make a long time test with my Crossfire.
How sosxfire already wrote the immobilizer works with two parts, the skreem and the PCM. To disable the immobilizer function in the PCM is verry difficult, you have to make a new firmware so that the PCM don't want this codes any more. My hack is, that I found a way that my hardware can use valid codes, double them and send them to the PCM, so that the PCM thinks they are from the skreem. And this work also if your skreem is already broken (with my preprogrammed EEPROMS). This all works now but you need a skremm to open and close the doors and disarmed the sirene. I have to find out how the skreem does this to include this functions also in my module and replace the skreem completely. Than you would also able to install a start button, so that you don't need a key any more.
IT is my understanding that the immobilizer is a subroutine of the ECM, it is the SKREEM-supervised function of starting the car. It is our problem, and you say you have hacked the problem.
If you are keeping the "immobilizer" function, what is it that you have "Hacked"? What am I not understanding here? I understand that we have a language barrier, so maybe that is the problem with me not understanding what you are saying.
If you are keeping the "immobilizer" function, what is it that you have "Hacked"? What am I not understanding here? I understand that we have a language barrier, so maybe that is the problem with me not understanding what you are saying.
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
Viper,
I am an Electrical Engineer and an Arduino enthusiast. I would be happy to help in any way I can, as I only have one key for my Crossfire and am deathly afraid of losing it haha. I don't have ECM programming equipment - unless the USB-OBDII communications cable provided by Eurocharged counts...
From my perspective, the highest value of this product would be a bypass of the immobilizer so that we could use any keys that fit, combined with a simpler "kill switch" that we could hide somewhere to replace the fancy immobilizer.
I am an Electrical Engineer and an Arduino enthusiast. I would be happy to help in any way I can, as I only have one key for my Crossfire and am deathly afraid of losing it haha. I don't have ECM programming equipment - unless the USB-OBDII communications cable provided by Eurocharged counts...
From my perspective, the highest value of this product would be a bypass of the immobilizer so that we could use any keys that fit, combined with a simpler "kill switch" that we could hide somewhere to replace the fancy immobilizer.
The idea with the "kill switch" is not so bad, so you would be able to use my module like is is now and switch it only on when you want to start your car. So you don't completely disable the immobilizer.
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
Hello,
here the next small update, after almost a week I have found only a small problem.
I have connected the module to ignition plus, but since the Arduino needs about 2 seconds to boot is if you turn the ignition key in one go until the engine starts, the skreemulator has not yet managed to send a code, so the immobilizer is not yet disabled.
At the moment I "help" myself by turning the ignition to position 2, fasten my seatbelt and then start the engine. The problem will probably have solved itself when the Arduino is later on permanently power and always running.
here the next small update, after almost a week I have found only a small problem.
I have connected the module to ignition plus, but since the Arduino needs about 2 seconds to boot is if you turn the ignition key in one go until the engine starts, the skreemulator has not yet managed to send a code, so the immobilizer is not yet disabled.
At the moment I "help" myself by turning the ignition to position 2, fasten my seatbelt and then start the engine. The problem will probably have solved itself when the Arduino is later on permanently power and always running.
The following users liked this post:
medamo (02-11-2023)
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
well, if this is the only thing that we have to remember in order to have it working as we need, we can live with it. is sort of the routine that we must follow.
so seems like good news after all. thank you for telling us.
keep working on it. we hope you will solve all the other details.
the instructions could be something like:
to start the car:
1- fit the key into the slot;
2-turn it to the right until it reaches the 2nd position (lights go on);
3-wait 3 seconds;
4-turn the key to the right until the engine starts;
5-release the key.
(of course, if you fix the arduino to not to need this, still would be better)
so seems like good news after all. thank you for telling us.
keep working on it. we hope you will solve all the other details.
the instructions could be something like:
to start the car:
1- fit the key into the slot;
2-turn it to the right until it reaches the 2nd position (lights go on);
3-wait 3 seconds;
4-turn the key to the right until the engine starts;
5-release the key.
(of course, if you fix the arduino to not to need this, still would be better)
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
Great work.
is it set up for plug and play, or need to be programmed per vechicle?
so, just have to wait till the display says code sent then start, didn't take ling![Smile](https://www.crossfireforum.org/forum/images/smilies/icon_smile.gif)
how is the brightness on the screen, to dim at day or to bright at night ?
could a simple small green led light be pigtailed to a location of users choosing, when green light comes on, car can start, and leave the monitor under dash, and just pull out if there is a problem?
or a plug in display, if there is a problem , then can plug in and check / diagnose ?
TY for your work.
is it set up for plug and play, or need to be programmed per vechicle?
so, just have to wait till the display says code sent then start, didn't take ling
![Smile](https://www.crossfireforum.org/forum/images/smilies/icon_smile.gif)
how is the brightness on the screen, to dim at day or to bright at night ?
could a simple small green led light be pigtailed to a location of users choosing, when green light comes on, car can start, and leave the monitor under dash, and just pull out if there is a problem?
or a plug in display, if there is a problem , then can plug in and check / diagnose ?
TY for your work.
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
you said: " could a simple small green led light be pigtailed to a location of users choosing, when green light comes on, car can start, and leave the monitor under dash, and just pull out if there is a problem? "
sounds like the light at the diesel trucks that goes off when the glow plug has warmed up, just the opposite. takes a few seconds and you should not start until then. and could be located anywhere.
anyway, seems a good idea. simple and practical. lets see what Andre decides.
sounds like the light at the diesel trucks that goes off when the glow plug has warmed up, just the opposite. takes a few seconds and you should not start until then. and could be located anywhere.
anyway, seems a good idea. simple and practical. lets see what Andre decides.
Last edited by phil alvirez; 02-10-2020 at 08:22 PM.
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
Join Date: Jun 2009
Location: Fort Worth, Texas
Age: 64
Posts: 13,489
Received 903 Likes
on
704 Posts
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
When do you believe you will be ready to help someone with a car that won't run?
We have a LOT of people in the USA with cars sitting in garages or driveways that won't start due to bad SKREEMS. On our Facebook page, I read about one every few days.
We have a LOT of people in the USA with cars sitting in garages or driveways that won't start due to bad SKREEMS. On our Facebook page, I read about one every few days.
![Default](https://www.crossfireforum.org/forum/images/icons/icon1.gif)
perhaps if we try to explain what hacking really means?
Hacking generally refers to unauthorized intrusion into a computer or a network. The person engaged in hacking activities is known as a hacker. This hacker may alter system or security features to accomplish a goal that differs from the original purpose of the system.
Hacking generally refers to unauthorized intrusion into a computer or a network. The person engaged in hacking activities is known as a hacker. This hacker may alter system or security features to accomplish a goal that differs from the original purpose of the system.
~..Great work on the SKREEM unit, your efforts will not go unrewarded by this community....Peace