This is an IPS (binary) patch for the evo9 88590015 ROM which attempts to find a lost immobilizer value. The immobilizer is, unfortunately, an easily defeated security feature and it's also possible to lose it when flashing ROMs to your evo.

The IPS patch is applied to an unmodified 88590015 ROM. The patching utility does _not_ check if the original file matches the base ROM. You need to make sure it applies correctly. Windows utilities:
- Floating IPS applies the patch (search for links to a binary, source available at: https://github.com/Alcaro/Flips)
- CRCs can be checked with the HxD hex editor (https://mh-nexus.de/en/hxd/, Analysis->Checksums).

ROM Name CRC-32
-------- ------
88590015_2006_USDM_5MT.hex F30F9AED

****** WARNING ******
You accept all responsibility when using the patched ROM on your evo. Do not start the car with this patch applied. In theory, your evo will run with the patch and a functioning base ROM after the immobilizer is found, but this was not tested.

The tephra 9653 evo8 patch is untested. Make sure to set the "immobilizer hex" value for your car (for example, 0x40 for 2003).
*********************

Steps to use it:
1) Obtain a 88590015 source ROM. It has also been tested on an unmodified 88590715 tephra ROM. Make sure the immobilizer is enabled in FAA periphery bits.
2) Patch the unmodified ROM with the included IPS using Floating IPS.
3) Load the patched ROM in EcuFlash and check the "immobilizer" value. It should be 0x0001.
3a) If using the tephra 96530706 patch on an evo8, set the "immobilizer hex" 0xFFA value for your year and type. See comment in EcuFlash.
4) (recommended, optional) unplug the IAC valve electrical connector from underneath the TB. The patch cycles reset and will cause the IACV to also cycle repeatedly until the correct immobilizer is found.
5) Flash the patched ROM.

At this point you will hear clicking from the engine bay as the ECU is repeatedly reset. Something went wrong if the clicking doesn't go away after a few minutes and you aren't able to connect with evoscan. It should take less than or equal to 256 resets to find your immobilizer.

6) Wait for the clicking sound to stop. Read out the raw (set evoscan function = x) immobilizer value using evoscan or other MUT reader at 3D and 3E. It may also be possible to count the number of clicks from the engine bay and use it as the MUT 3D value. This value will likely be in decimal. Convert it to hexadecimal. For example, if evoscan shows 3D = 109 and 3E = 1 the hexadecimal equivalent is 0x6D01. If 3E does not have the value 1 then either you changed it in the patched ROM or something went wrong. It's suggested you try 1 and not other values for this byte.
7) Plug in the IAC electrical connector if you unplugged it.
8) Input your immobilizer in your original ROM, enable it in FAA periphery, and flash it. Make sure your car starts, runs properly, and evoscan is able to connect.

 

How it works
------------
Values for the evo9 immobilizer usually take the form 0xNN01 in hexadecimal. For example, the unmodified 88590015 ROM CRC listed above has 0x5A01 (NN = 0x5A). This patch works by copying the immobilizer value from ROM to RAM (0xFFFF8500) during the first initialization and pointing all references to this RAM location. There's a place in the ROM where the ECU compares a received immobilizer hash value to it's own computed version. Normally, the ECU gives up if this doesn't match and the car won't start. The patch changes this behavior to increment the immobilizer upper byte, NN in 0xNN01, and reset the ECU. So it will count 0x0001 -> 0x0101 -> 0x0201 ... -> 0xFF01 and then repeat back to 0x0001. If you know what you are doing, you can change the starting value from 0x0001 by modifying the immobilizer in EcuFlash.

When the correct immobilizer value is found the ECU continues executing like normal and you can read out the immobilizer from 3D/3E using MUT.

During testing it was seen that 0xNN00 and 0xNN01 were both considered correct by the ECU. However, using 0xNN00 as the immobilizer resulted in MUT no longer being accessible and may cause other problems. Several available evo9 ROMs were checked and the majority with valid immobilizer values took the form 0xNN01. It's possible to change the behavior to cycle through all 0xNNMM values, but for now this doesn't seem necessary.

 

Any idea if this will work on an Evo 8?

 

The idea and approach will work but the patch won't as it is specific to the Evo 9 ROM listed.
You will have to write, test and debug the assembly code needed for an Evo 8 ROM.

 

I added a new zip, v2, with a patch for unmodified tephra 96530706 which supports all evo8s. It's untested since I only have access to an evo9. I'm not even sure if the 8859 patch works on cars other than mine right now.

If you are using the 96530706 patch make sure to set "immobilizer hex" to the correct value (see EcuFlash comment) and that the immobilizer is enabled before flashing the patched ROM. Source is included in both v1 and v2 - feel free to modify it.

 

I am using tephra 9653076 in my 2005 Evo RS. Long story short, it's a track car that used an Autronic ECU and I flashed a MT Lancer ECU with tephra 96530706 (swapped the 2 pins for fuel pump relay and A/C) and I have the can running on that ECU with immobilizer disabled. Since this car will eventually be returned to the street I'd like to have the immo in place, even though it's not a great deterrent. THANKS for doing this, I'll reply with my progress.

 

I am bumping this thread in hopes that someone has a solution or has done this to their evo 8. I have a 03 and the previous owner had it tuned before my ownership. I need to get my original immobilizer code and disabling it is not an option.(California)

 

Yea I met up with @BrunoBoy650 and saw that his immobilizer code was disabled and his Evo has been through a couple Evo owners so the code is lost by now. Trying to reflash the car back to stock to pass smog. We can reflash the indicated rom. There are some terms I am unfamiliar with like IPS and Floating IPS so I would like to know what this means and how it comes into play.

 

Seems like the Evo8 tephra 96530706 patch does not work for me.
Side info: Patching the stock tephra image changed the immobilizer to 1 and immobilizer hex from 40 to 4d (which is fine in my case)

After flashing the patched tephra image nothing happens, no "clicking noises" from the engine bay. I also waited a while and restarted the ignition. Evoscan can't connect even after 10 minutes. So, did I something wrong?
How can I adapt the patch for e.g. 96530006? Using the Evo9 patch also changes the immobilizer to 1 but I dont want to brick my ECU by flashing this patched image (:

 

It sounds like the evo8 patch doesn't work. Sorry about that. I did not have an evo8 or an extra ecu outside of the car to test like I did for the evo9. It's probably a bug in which regions of the code are patched or how the evo8 immobilizer works. The patch is pretty simple and copies the immobilizer memory region to RAM so it persists while the main ECU code is restarted. Then it increments the immobilizer value and restarts the ECU until the immobilizer check succeeds. The source code is included so if someone has time and interest they can try to fix it. I'm not able to do that.

I know it doesn't help you, but someone else used the evo9 patch successfully on their 9.

 

You don't have to be sorry for that
So, someone else used the evo9 patch? For the 88590015 ROM only or does this work for different evo9 ROMs too?

Since I used the evo9 patch on the evo8 universal ROM (96530006) and this changed the immobilizer correctly to 1 ..is it possible that this ROM has the similar or the same immobilizer regions than the evo9 ROM?

 

The evo9 patch only works for the evo9 on 88590015 and 88590715 (tephra). It won't work for any evo8 ROM.