A hand holding a toyota immobilizer ecu

1st Gen Prius Immobilizer Lost All RFID Keys

No matter what job you undertake, there will always be a first time you do it. Sometimes the instructions are good, and your first attempt goes smoothly. Other times it’s not so easy, but you have an experienced coworker to guide you through the rough spots. Then there are times when nothing goes right, and you can’t find anyone who has had the problems you’ve having and you just have to struggle through it. The article below describes one of those times.

The Toyota Prius uses an “immobilizer” system to prevent anyone from starting the car without a special key. The key contains a RFID (Radio Frequency Identification) chip in the head of the key. When the key is near the antenna loop around the ignition lock cylinder and the ignition switch is in the “on” position, the key will reflect an encrypted code to the key transponder ECU. The key transponder ECU checks to see if the key is registered as belonging to the car, then sends a message to the Hybrid Control ECU. The Hybrid Control ECU also checks to see if the key is registered. If it is, it sends a series of random numbers to the Key Transponder ECU. The Key Transponder ECU does some magical math, then sends the result to the Hybrid Control ECU. The Hybrid Control ECU checks the result and if it checks out, allows the car to start. Since the system is built into the Hybrid control ECU, it can not by by-passed or defeated. This prevents theft of the car by sneakily copying the key Mission Impossible soap impression style, or by simply hammering the ignition lock cylinder out Terminator style. The system can apparently be hacked (type RFID hack into Google) by those smarter and more determined than I am. However, towing the car would be a whole lot easier for those of not doing our doctoral work in RFID security.

I found this article about the theft of cars with immobilizer systems the other day and enjoyed it. You may too.

So far everything sound great. You’re car is safe. No one can steal it without buying a tow truck or diploma from MIT. If you could afford either, why would you want to steal someone’s car; right? But what happens if you lose one of your magical keys?

Losing one key is not a big deal, so long as you have at least one “master key”. A master key usually has a black head, and can unlock the glove box and the trunk, unlike the “sub key” AKA “valet key”. A master key can be used to register a new key with your Key Transponder and Hybrid Control ECUs. You can register up to 5 keys, and I’d recommend that you do, because…..

If you lose all of your keys, or all of your keys but the sub key, you will need to buy a new Key Transponder ECU to get your car to start again. As of 01/05, it’s cheaper to buy a key transponder ECU in a lock set including the ignition lock cylinder and two master keys than it is to buy just the key transponder ECU alone. Go figure. Since we were trying to do this as cheaply as possible, we planned to use only the ECU. That way we wouldn’t need to rekey the door and trunk lock cylinders. However, we would need to buy two new master keys and have them code cut to match the original locks.

Prius key transponder ECU, ignition lock, and replacement car key

When we got the call for a quote to replace the key transponder ECU, we checked the key registration procedure in the manual and it looked pretty easy. There was no flat rate time for replacing the Key Transponder ECU, but it looked like it would be under the lower portion of the dash on the driver’s side and would be pretty easy to get to. As it turned out, we were wrong about that part. We quoted an hour labor. Whoops. After a more careful look at the manual, we realized that the ECU was in the upper portion of the dash. We pulled the cover off and found this (red arrow). If this were the right black box, it would have been a pretty easy job. Alas, it was not the right black box.

Toyota immobilizer ECU hidden way under the dash

After moving the wrong black box out of the way, we were able to see the top of the bolt that secures the bracket for the Key Transponder ECU (red arrow). The photo doesn’t really show how deep inside the dash the ECU is. Or how taut that wiring harness is above the bracket. Or how hard it is to press the release button on the electrical connector with my fat fingers. That being said, it’s still a lot easier to deal with the above mentioned problems than it is to remove the entire dashboard to get better access.

ECU bracket bolt deep under the dash board

After relaxing my arm and stuffing it in bit by bit, I was able remove the bracket bolt, unplug the connector, and remove the ECU. Steering column support shaped indentations in my arm chronicle my progress. The hardest part was getting the connector lined up and plugged into the new ECU.

My arm with scratches from sharp metal parts under the dashboard

Once the new Key Transponder ECU is installed, I attempt to register the first key. The way it’s supposed to work is — 1) install new ECU 2) put the first key to be registered into the ignition lock cylinder and turn the key to the on position 3) leave the key in the on position for 30 minutes. 4) start the car 5) use the new master key to register the other keys.
Unfortunately, this Prius had a bad 12 volt battery, and was unable to stay “on” for more than 5 minutes before going black. Those of you familiar with flashing ECUs may be wondering the same thing I wondered. What happens if the power goes out in the middle of programing? Is the new ECU now a paperweight? Only a new ECU can register a key without having a Master Key. Will an ECU halfway through it’s first registration still allow Master Key registration. Turns out a dead battery won’t mess anything up. Luckily for me. Next time, I’ll use a battery charger. It may not ruin the computer, but it is a real pain.

My troubles didn’t end when I hooked up the battery charger. I put one of the new code cut RFID keys in the lock cylinder. The immobilizer light (yellow arrow) did not come on and stay on when the key was inserted in the lock cylinder and turned to the on position, as it should when registering the first key. Instead it just blinked, which is what it does when there is no RFID signal or the wrong RFID signal. I didn’t know whether there it was a misprint in the manual or whether I had toasted the new ECU by letting the battery go dead. Not wanting to buy a new ECU, I tried again. And again. And again. Then again with the other code cut key. If you count the 1/2 hour for each attempt, you’ll notice that the car has been tying up a bay for at least 2 1/2 hours on a 1 hour job, not even counting the time it took me to replace the control unit.

New ignition lock cylinder installed

Then I thought, “What if the new Key Transponder ECU comes programmed when sold with the lock set?” There is no mention of this in the instructions, but wanting to avoid the shame of failure, and the fear of having the same problem with the new part, provided me with all the motivation I needed to completely exhaust all avenues before giving up and ordering yet another new ECU.

We used a test cut key without an RFID chip we had made to insure the VIN code cut would work . (If the locks had ever been rekeyed, the key cut based on the VIN would not work. Better to ruin a $3 key blank than a $35 key blank). Anyway, I used this key to turn the ignition to the “on” position with one of the master keys from the lock set taped to the top. There was immediate hope: the immobilizer light stayed lit and did not blink. 30 minutes later, the car started up. 5 minutes after that, I had programed a total of 4 master keys and 1 valet key.

So, lessons learned: 1) always use a battery charger when doing any sort of ECU learning, especially on a hybrid — since the car is started with the 274 volt battery, the 12 volt battery can be *very* bad with no noticeable symptom. 2) Key transponder ECUs sold with lock sets must use a key provided with the lock set for the first key registration. Any other RFID key blank can be programmed after. 3) Charge at least 2 hours labor to replace key transponder ECUs and register the keys.

metal key in ignition lock cylinder with chip key taped to the outside of immobilizer antenna

We believe that referring unfamiliar (and sometimes unprofitable) work to the dealer will slowly chip away at our business volume, and our skill set. Every year new systems and designs are introduced. Sooner or later a shop that doesn’t keep up with new technology will find the number of people willing bring their car in only for easy service work, then take their car to the dealer when it breaks, too few to keep their doors open.

In addition, high tech is slowly seeping into previously low tech jobs, like tire replacement. By 2007, all cars will be required to have a tire pressure monitoring system. Most manufacturers are using RFID tire pressure sensors, which must be registered with an ECU, just like the RFID keys. Will tomorrow’s consumer by willing to put up with an annoying warning light and a “Gee, I dunno. Better take it to the dealer”, after paying $800 for tires? We’re betting they won’t. By losing a few dollars providing “dealer only” repair shortly after new technologies are introduced, we gain experience and our customer’s confidence.