Defeating 2000-era Chrysler anti-theft system

Carmine

No, I'm not planning a rash of PT Cruiser thefts.

I bought an '02 Chrysler Town and Country roughly one year ago, mostly for the AWD viscous coupling. Since then it's been sitting behind a building I own. Occasionally I'd start it up, but eventually the battery ran dead and I gave up that charade of caring.

Now I have a gent interested in buying the rest of the van. So last week I went to start it up again using a jump box on the stone-dead battery. Probably a bad idea with something that has so many computers.

I suspected the anti-theft system because it did start and run (twice) for about 5 seconds. The system allows this, but if it doesn't communicate with the transponder key, it shuts down (fuel I think). Then it was dead, wouldn't crank. No codes beyond P1684, "battery disconnected within the past 50 starts".

Today I installed a known-good battery and had the same no-crank issue. After following various procedures on the interwebs, still no crank. (touch battery cables together, lock/unlock with door key, etc.) For the hell of it, I invented my own... set off the alarm by opening it from inside, then shutting it off with the key fob. Success! Fired right up and ran great for a few minutes. Then I tried to restart. Two 5 second runs and no more crank.

Now I can't even get back to that point. The buyer only wants it for parts, but obviously "running" helps. I suspect I toasted something in the anti-theft module with the dead battery/jump start.

Is there a wire I can ground, a fuse I can pull, a resistor I can put between a wire, etc. to bypass the system? Again, the Internet is full of "suggestions", but nothing conclusive.

Thankee
 
A side issue . . . on many of the newer charging systems, when the vehicle has a dead battery, when the vehicle is jumped-off, then the jumper is removed, the charging system goes to "full tilt bozo" max output, which can fry the alternator. I first became aware of this with 1990s Fords. New/reman alternator would do the same thing with the same weak battery. Until the battery is almost fully-charged, it can be "cycle-repeat". I believe that Chrysler's charging system controller is in the engine computer's module? I remember that Daniel Stern discovered a way to keep the Check Engine light off and convert the system to use an external Chrysler voltage regulator.

Until the transponder key is changed and/or the new key is recognized, nothing changes in the programming. When we first got transponder keys at GM, I went out to check to see how it acted. I'd just cut a new non-transponder key for a vehicle. I could lay the known key on the seat and a non-transponder key would start the vehicle. IF I placed the known key on the roof, crank and no run only.
Since then, the systems are much more sophisticated, but the basics are still there.

Just as with keyfobs, when any re-programming is done, the memory is first cleared and then the new "values" are recognized and stored. Prior values are over-written with the new ones, possibly?

Might take a Chrysler service manual or "training film" to describe the hierarchy of what happens in the system?

Just some thoughts,
CBODY67
 
I'm out of date and have no schematics... on older ones you could jump the ASD relay, which is how the PCM killed the fuel and ignition. Bringing the starter relay into the mix happened after my time. Also could take the column cover off to see if the antenna for the transponder is intact... in the later 90's the aftermarket ignition switch armor guys often knocked them off and caused the keys to not read reliably.

My info may be too old to be of use at all... IDK
 
No, your info is of value... bypassing the ASD relay was a thought I had as well.

Just in roaming the halls of CTC, I've gotten conflicting answers on SKIM (Sentry Key Immobilizer Module) modes. One guy says he's never seen a no-crank condition, another says you get 3 start-run-5-sec-off cycles, then no crank. I think I'll be doing a bunch of skim research to become knowledgeable on a subject where I have zero interest! Dang it, I just want to move this stupid van!
 
Back when I built utility trucks (1997-2005 era) we needed a way for the operator to start/stop the engine from an aerial lift bucket. On GM chassis cabs, we used a relay to bypass the Passlock system that read off a chip in the ign key.

Can't tell you how we did it, only that such things can be done if you can find the schematic and decipher what is going on.
 
That system isn't too hard, it can be permanently defeated. The silly resistor keys were replaced by this, which uses a fragile magnet assembly built into the column instead of anything attached to the key itself...

The minivan is far more sophisticated, and might not be able to be bypassed very easily at all. Several years earlier, the automatic shut down relay could be bypassed... Carmine's might work like that... if he bypasses the starter relay to start it. On the other hand, some of those systems will just lock up the PCM so nothing will work. Then maybe a new PCM or dealer bench flash might bring it back.

It might be time to review the non-running value...
 
GM had several variations of "Passlock", depending upon carline and model AND model year. The resistor chip keys had their own "box" to bypass, or you could read the resistance and use a resistor of the same value to trick the system. They were a good "first step" in the anti-theft area.

The earlier GM Passlock systems depended on things happening in a particular order in order for the starter to be energized to start the car. Poor internal wiring connections, gunked contacts, etc. were higher-mileage issues. They could be "wired around", too. The following transponder systems were more sophisticated.

I suspect that Carmine's van's system is more sophisticated than any other OEM system of that model year. That's usually how Chrysler systems differed from other OEM systems, by observation. For some, just seeing the emblem on the grille might be enough theft deterrent? Heading for "easier pickins" instead?

CBODY67
 
I have read so many half-assed ideas about this system that my brain hurts. Everybody wants to hack their ecu, fix a Neon on a military base in Shitistan, put a late model Hemi in a VW bug, etc.

It seems like all I can do is try some of the crazy ideas, get it running again and never shut it off.

For example one is leaving the battery cables connected (done, I left it that way). Another says leave key in ign turned on for an hour. Another says cycle door cylinder 6 times. I swear some of these are just to screw with people.
 
Why not ask dobalovr as he's a Chrysler fellow and may know how to bypass the system.
 
I will have to do some research on the system, it's a transponder system and I don't believe there is any way to permanently disable it. I have never tried jumping the ASD relay to start one. I have worked on a lot of the GM Passlock I and II systems, but just don't see problems with the Ford and Chrysler transponder systems.
 
I took a look through our system and didn't find anything useful, but I would need the VIN to look in depth. I am sure Carmine has access to similar info. I seem to remember something similar happening due to low battery voltage and the ignition disable system assuming someone disconnected the battery to silence the alarm.
 
Starting in the mid 90's, the modules on many platforms were "married" to the VIN. I can't say this was an exclusive, but Chrysler was an early player with the strategy. IDK if there would be any simple "wire around", other than temporary measures mentioned previously, and they would result in a very unhappy vehicle even if it did run (lights flashing, horn cycling, etc).

I've played with PATS problems a few times, the last was poked at for several years prior to my involvement. We wound up going to the DIY yard and grabbing all of the related modules (complete column, IP and PCM... don't recall if there was anything else) from a similar car to work around the VIN matching, it was important to find one with at least one key. It was a Focus, and we'd have been more screwed if it was a higher line car. Having an IDS available was critical too.

I had the notion that you would have a DRB III at your disposal, when I saw your post, I realized that isn't the case. I don't think anything else will allow you deep enough into the modules to try to reset anything. I also doubt that shorting the battery cables to each other will discharge the capacitive backup in the PCM and possibly other modules. If it did, you'd wipe all codes... I don't recall that working on Chrysler's PCM's and don't know if you'd have to relearn keys if it did.

My one stray thought, which might work, is if you managed to blow a fuse. If something on the network is powered down, you may have an easy fix... but it's a long shot. Anything else is a cobble-together-workaround, like a 120v light switch and a couple bare wires for the starter to solve a failed ignition switch (saw that once). If it works, it's tough to say it will continue to work before something code locks and you're even more screwed.

If you can lay hands on a DRB III... maybe you can clear codes and/or find the root cause. Maybe it lost the key programming, but IDK if they can reprogram without the tool.
 
I feel your pain.
I hired these guys to purge your vehicle of evil spirits.
It's worked for me a cupla times in this kind of situation.

 
With a DRB, here is the SKIM Verification process. Note: Key in run position for 1 hour is mentioned.

  1. Reconnect all previously disconnected components and connectors.
  2. Obtain the vehicle’s unique Personal Identification Number (PIN) assigned to its original SKIM. This number can be obtained from the vehicle’s invoice or Chrysler’s Customer Center (1-800-992-1997).
  3. NOTE: When entering the PIN, care should be taken because the SKIM will only allow 3 consecutive attempts to enter the correct PIN. If 3 consecutive incorrect PIN’s are entered the SKIM will Lock Out the DRB III for 1 hour.
  4. To exit Lock Out mode, the ignition key must remain in the Run position continually for 1 hour. Turn off all accessories and connect a battery charger if necessary.
  5. With the DRB III, select Theft Alarm, SKIM and Miscellaneous. Then select desired procedure and follow the steps that will be displayed.
  6. If the SKIM has been replaced, ensure all of the vehicle ignition keys are programmed to the new SKIM.
  7. NOTE: Prior to returning vehicle to the customer, perform a module scan to be sure that all DTC’s are erased. Erase any DTC’s that are found.
  8. With the DRB III erase all DTC’s. Perform 5 ignition key cycles leaving the key on for at least 90 seconds per cycle.
  9. With the DRB III, read the SKIM DTC’s. Are there any SKIM DTC’s?
     Yes → Repair is not complete, refer to appropriate symptom.
     No → Repair is complete.
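The PIN lock-out in steps 3 and 4 above is an attempt-limiting state machine. The sketch below is an added illustration, not part of the original post and not Chrysler's firmware: the class, the event format and the sample PIN are constructed, and it assumes that "consecutive" means a correct entry clears the failure count and that "continually" means leaving Run restarts the hour.

```python
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 3        # from the procedure: 3 consecutive attempts
LOCKOUT_SECONDS = 3600  # from the procedure: key in Run for 1 hour


@dataclass
class PinGate:
    """Hypothetical model of the lock-out rule; names are illustrative."""
    pin: str
    failures: int = 0
    locked: bool = False
    run_seconds: int = 0  # continuous time in Run while locked out

    def try_pin(self, candidate: str) -> str:
        if self.locked:
            # While locked out even the correct PIN is refused, so a
            # guesser learns nothing from attempts made during lock-out.
            return "LOCKED_OUT"
        # Constant-time compare avoids leaking how many digits matched.
        if hmac.compare_digest(candidate.encode(), self.pin.encode()):
            self.failures = 0  # assumption: success clears the count
            return "ACCEPTED"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
            self.run_seconds = 0
            return "LOCKED_OUT"
        return "REJECTED"

    def tick(self, seconds: int, ignition_run: bool) -> None:
        """Advance time; only unbroken Run time counts toward release."""
        if not self.locked:
            return
        if not ignition_run:
            self.run_seconds = 0  # assumption: leaving Run restarts the hour
            return
        self.run_seconds += seconds
        if self.run_seconds >= LOCKOUT_SECONDS:
            self.locked = False
            self.failures = 0


def replay(gate: PinGate, events: list) -> list:
    """Feed ('pin', value) and ('wait', seconds, in_run) events to the gate
    and return the outcome of every PIN attempt in order."""
    outcomes = []
    for event in events:
        if event[0] == "pin":
            outcomes.append(gate.try_pin(event[1]))
        else:
            gate.tick(event[1], event[2])
    return outcomes


# Constructed sample session: three bad PINs, an interrupted wait, then success.
SAMPLE_EVENTS = [
    ("pin", "1111"), ("pin", "2222"), ("pin", "3333"),
    ("pin", "4821"),        # correct, but entered during lock-out
    ("wait", 3000, True),
    ("wait", 10, False),    # key leaves Run, so the hour starts over
    ("wait", 3000, True),
    ("pin", "4821"),        # still locked: only 3000 s of unbroken Run
    ("wait", 600, True),    # reaches 3600 s of unbroken Run
    ("pin", "4821"),
]

if __name__ == "__main__":
    print(replay(PinGate(pin="4821"), SAMPLE_EVENTS))
```

The interrupted wait is the case the procedure's battery-charger advice is guarding against: if power or the key position drops partway through, the hour has to be served again.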
 
HazardFrought used to have a scanner/programmer that could do the job of the DRBIII. Matter of fact it could program Mercedes too, which was my initial interest in it. Price was near a grand though.

Never mind, they still have it... Clearance..

AUTEL® MaxiDAS® Automotive Diagnostic and Analysis System

Very interesting and thanks! I'm so afraid of a $850 paper weight. I wish somebody rented these damn things.

Contrary to what might be thought outside the Detroit area, they are not common or easily accessible. Although we do crack into ECUs where I work, it's an entirely different way of doing it. I can get down to changing things like the most minute degree of engine timing, control of a turbo wastegate, even stuff that doesn't exist yet... but it's all PC based.

I spotted the ad below just shopping locally. Everybody wants one of these. Makes an excellent Christmas gift!

 
More:

Tamper Alert
The VTSS tamper alert will sound the horn three times upon disarming after an initial alarming has occurred to indicate a tamper condition has occurred.

Manual Override
The system will not arm if the doors are locked using the manual lock control or if the locks are actuated by an inside occupant after the doors are closed.

Diagnosis
For complaints about the Vehicle Theft Alarm triggering on its own, use the DRBIII® and read the Last VTSS Cause status.

3.20.1 THATCHAM ALARM SYSTEM (EXPORT ONLY)
The Thatcham Alarm Module monitors the vehicle doors, liftgate, hood and the interior of the vehicle for unauthorized operation. The vehicle doors, liftgate, and hood use ajar switches as inputs to the BCM to indicate their current status. The interior of the vehicle is secured by the use of Intrusion Sensors. The Intrusion Sensors are used as inputs to the RKE/Thatcham Alarm Module to report any motion in the interior of the vehicle. The alarm activates by sounding the siren, flashing the hazard lamps, and the VTSS Indicator Lamp.

Arming
Before arming, all doors, liftgate, and the hood must be completely closed. The system can only be armed by locking the doors with the RKE transmitter.

Disarming
To disarm the alarm system, use the RKE transmitter or turn the ignition on with a valid SKIM key. This will also halt the alarm once it has been activated.

NOTE: A powertrain control module from a vehicle equipped with a vehicle theft security system cannot be used in a vehicle that is not equipped with a vehicle theft security system. If the VTSS indicator lamp comes on after ignition on and stays on, the PCI Bus Communication with the powertrain control module has possibly been lost.
 
This feature is only available on domestic vehicles or those which have a U.S. country code designator. This procedure requires access to at least two valid Sentry Keys. If two valid Sentry Keys are not available, Sentry Key programming will require the use of a DRB III® scan tool.

The steps required to program Sentry Keys with two valid Sentry Keys follows:

  1. Obtain the blank Sentry Key(s) that need to be programmed. Cut the keys to match the ignition lock cylinder mechanical key codes.
  2. Insert one of the two valid Sentry Keys into the ignition switch and turn the ignition switch to the ON position. Step 3, the indicator light will start to flash and a single audible chime tone will sound to indicate that the system has entered the "Customer Learn" programming mode. Step 5, a single audible chime tone will sound and the indicator light will stop flashing and stay on solid for three seconds and then turn off to indicate that the blank Sentry Key has been successfully programmed. The SKIS will immediately exit the "Customer Learn" programming mode and the vehicle may be started using the newly programmed Sentry Key.
These steps must be completed in their entirety for each additional Sentry Key to be programmed. If any of the above steps are not completed in the given sequence, or within the allotted time, the SKIS will exit the "Customer Learn" programming mode and the programming will be unsuccessful. The SKIS will also automatically exit the "Customer Learn" programming mode if:

  • It sees a non-blank Sentry Key when it should see a blank.
  • If it has already programmed eight (8) valid Sentry Keys.
  • If the ignition switch is turned to the OFF position for more than about fifty (50) seconds.
NOTE: If you attempt to start the vehicle while in “Customer Learn” mode (LED flashing), the vehicle will behave as though an invalid key is being used (i.e. the engine will stall after two (2) seconds of running). No faults will be logged.

NOTE: Once a Sentry Key has been programmed to a particular vehicle, it cannot be used on any other vehicle.
 
They're not really a HazardFrought tool. Something that seems to be decent quality for some reason. Amazon also carries it;

https://www.amazon.com/Autel-Diagno...20&sr=8-2-spons&keywords=AUTEL®+MaxiDAS&psc=1

But if you use your 25% off HazardFrought coupon on Labor Day.. it's MUCH cheaper...
 
NO, NO, NO... my inner tool snob must surface here... HF has very little you'd want in the way of electronic diag... their DMM's suck, and I can run down most diagnostic platforms that claim MB compatibility as nothing but mere code readers that limit your access to the OBD II legal minimum requirements.

I have an old OTC scan tool, which I would have happily mailed to Carmine, it won't do anything with the SKIM. IDK how deep a Snap On would get, but doubt its compatibility.

Including Snappy, very few diagnostic platforms can dig through a Benz beyond the most basic emissions codes, which is all but useless on a car that has 30, 50, 100 control modules... they can't even unlock an A/C control head that has a compressor failure code.

It's been a number of years since I've had to source aftermarket diagnostic platforms... the last I purchased for work were from these folks... they seemed to have the best coverage/price/support of any I looked at. Their Chrysler software will touch the SKIM, but IDK if it would reset it or not.

Home - autoenginuity
 