98 LX470 lost keys ECU hack

This site may earn a commission from merchant affiliate
links, including eBay, Amazon, Skimlinks, and others.

I am happy to hopefully expand on this for some later 2001 LX470 models. The data structure is different to earlier model ECU's, I can only speak for part number 89666-60360 but I assume this applies to the 2002 models too. Mauser was kind enough to sent me a chip for the LX470 because I was stuck in "valet lockout". I was able to get all up and running but still only in valet mode. After getting a CH341A and wiring it up and lots of trial and error I think I have a working solution for the 89666-60360 ECU.

After programming the new keys using Mauser's instructions and the new data structure I ran into a strange issue where the immobilizer was stuck in learning mode (security light on solid without key, security light flashing with engine running). Looking at some dumps from a valet lockout I think programming mode has to be manually set after the keys are programmed. To do this i plan on changing line 0x60 from 0000 0000 to 1010 FC10. Searching around the internet I found instructions mentioning cycling the ignition 5x within 5 seconds. I quickly tried this with no success but I may have been doing it wrong. Attached is a picture of the different data structure and what got me into programming mode with 3 keys added (FC).
lx470datastruct.png


progmodelx470.png

In circuit programming is possible with the CH341A, these chips(93c56) are 16 bit and need the ORG pin tied to high or +5v in our case. With the CH341A I was able to chip clip after installing a 5v jumper and an adapter for the chip clip 24xxx socket to 93xxx. I will post a diagram later of how to adapt the ch341A and sources to the various programming tools I found along the way.

Thank you Mauser for writing this great tutorial and thank you for sending me the chips!
 
Last edited:
samson365 said:
I am happy to hopefully expand on this for some later 2001 LX470 models. The data structure is different to earlier model ECU's, I can only speak for part number 89666-60360 but I assume this applies to the 2002 models too. Mauser was kind enough to sent me a chip for the LX470 because I was stuck in "valet lockout". I was able to get all up and running but still only in valet mode. After getting a CH341A and wiring it up and lots of trial and error I think I have a working solution for the 89666-60360 ECU.

After programming the new keys using Mauser's instructions and the new data structure I ran into a strange issue where the immobilizer was stuck in learning mode (security light on solid without key, security light flashing with engine running). Looking at some dumps from a valet lockout I think programming mode has to be manually set after the keys are programmed. To do this i plan on changing line 0x60 from 0000 0000 to 1010 FC10. Searching around the internet I found instructions mentioning cycling the ignition 5x within 5 seconds. I quickly tried this with no success but I may have been doing it wrong. Attached is a picture of the different data structure and what got me into programming mode with 3 keys added (FC). View attachment 2447444

View attachment 2447447
In circuit programming is possible with the CH341A, these chips(93c56) are 16 bit and need the ORG pin tied to high or +5v in our case. With the CH341A I was able to chip clip after installing a 5v jumper and an adapter for the chip clip 24xxx socket to 93xxx. I will post a diagram later of how to adapt the ch341A and sources to the various programming tools I found along the way.

Thank you Mauser for writing this great tutorial and thank you for sending me the chips!
Click to expand...

You're welcome. I am glad it worked for you.

Did you add 3 keys during registration mode? It should have exited auto-reg mode afterward.
 
For some reason this ecu was not happy with just 3 keys. Strange but I now have 3 master keys and programming mode is off via manually changing 0x60. My pictures above are incorrect, I ended up having to change 0x60 to "0101 FC01" to exit programming mode successfully. My guess is maybe with the later 2001-2002 models more keys were available? Not sure but it all works now :). I did notice that while I was in valet lockout, it was writing my valet key to a location that isn't currently populated on the 3 master key dump. Part of me wants to tinker with a 4th key but the LX470 is my very soon to be daily so I think ill just stick with the 3 keys for now.

Hopefully this helps someone that was in the same situation as me. The 89666-60360 ECU seems to be the oddball of the bunch.
 
@Mauser thanks for the write up! Does the offer still stand for a virginized 93C56 chip? (99 LX470). I was golden and about to flash until I realized I needed a real serial port =(. Cheers
 
incudie said:
@Mauser thanks for the write up! Does the offer still stand for a virginized 93C56 chip? (99 LX470). I was golden and about to flash until I realized I needed a real serial port =(. Cheers
Click to expand...

Sure does. Send me a message with an address to send it to and I will get it out tomorrow.

Yeah. I never have been able to get a USB to serial to work.
 
Hey btw for anyone else that may need this info: When you get your key code from Lexus/Toyota, they may give you a 5 digit code. Locksmith tells me the machine takes 4 digits for 98-00. 2001+ is 5 digits. Ex: Dealership may give you: "05010", you need to cut off the first zero! So cut to "5010" and not "0501". Naturally, I just had to learn this one the hard way =/.
 
I thought I would share my experience with this for completeness sake. I successfully executed this procedure on a 99 LX470 using an external USB programmer (Reveltronics), here.

EEPROM: Wireline 93c56
This is very similar to SPI but not quite the same, the flasher I have is advertised to be compatible with Wireline.


The only way I managed to get the chip to read/write was by removing it from the board.

IMG_20201031_224904.jpg


Here are before/after screenshots of the changes.

Before:
Before Changes.png



After Virginizing:
After Changes.png


Another thing I noticed, is that in addition to the NC (not connected) pin on the 93c56 chip, the ORG pin also does not appear to be connected anything.

The only way I was able to get the chip off the board was by adding flux and solder. While still molten, you can pull the chip off with tweezers. Then use a solder wic and alcohol (with toothrbrush) to clean the pads.

When reapplying, flux was immensely helpful.


*Something to note* I may have goofed after reinstalling the ECU, my key is recognized as a valet key. My hex changes above are either incorrect, or I accidentally added the same key to the ECU three times (with the final being valet).
 
Nice!... I just read through this entire thread for no reason at all just to see what it was all about and all I can really say is that that wow Mauser you are a legend in my book... I already have three working keys and I want this hack just to say I did it 😆.... Just curious and hopefully I will never need to actually know this first hand but is this hack good for a 2003 LX also?
 
JohnnyMackerel said:
Nice!... I just read through this entire thread for no reason at all just to see what it was all about and all I can really say is that that wow Mauser you are a legend in my book... I already have three working keys and I want this hack just to say I did it 😆.... Just curious and hopefully I will never need to actually know this first hand but is this hack good for a 2003 LX also?
Click to expand...

2003 is easy. It is resettable onboard using Techstream.
 
Hey everyone, came across this topic while google searching and decided to join in on the discussion.

I attached a photo of my little eeprom reader I cooked up. I was able to cram all the little diodes and resisters inside the black connector housing, and for the 5v power and ground I just took an old micro usb phone charger cable I had laying around and chopped off the end, stripped it back for the red and black wires. You can then plug the usb end into your computer or use the usb wall adapter that your phone uses.

Now reading the chip, a couple months ago I actually tossed out two old tower PC's that had the serial ports I needed. So I called around asking anyone I knew if they had an old PC laying around but came up empty handed. Also found some used ones online that people wanted too much for. I currently only have one PC that I built last year, so I bought a PCIE serial port card to add to my computer for like $20.

I know some people were having to solder wires directly to the chip while on board or remove it entirely. While I am capable of doing so I wanted to avoid it if necessary. I bought the SOIC8 Pomona blue test clip from amazon, I read the reviews and people were saying that this one works much better than the typical cheap generic black clip sold everywhere else. I didn't have any issues getting it to clip and stay on my first try, but the second time I ended up placing some pliers on the cable to take any strain off my wires and it stays on perfectly (see attached photo). I may rebuild this eeprom reader and wire loom it up completely with a little weight attached to the cable as a strain relief so the clip is less likely to pop off.

My project is a 2000 Lexus Es300 right now that has a bad transmission. I have one broken master key and one valet key that Ive been using since I bought the car a couple years ago. I'm planning to swap in a 2000-2004 Toyota Avalon transmission, they share the same engine but the Avalon has the better/more reliable transmission. The Es300 transmission is so failure prone I dont want to swap in another used one to take my chances. To rebuild it isn't worth my time or money, and going the swap route is actually cheaper. I'm waiting on a Avalon engine harness to get here so I can go over it and make any necessary repairs. I already snatched a Avalon ECU at my local yard so that I can reflash it.

I started to consider not even bothering with the Immobilizer and chipped keys once I get the Avalon transmission and ecu+harness in. So first I decided to mess around with the Lexus ecu to test and see if I can accomplish this, and was successfully able to read and write to the eeprom with my setup. I know on the MR2 forums people like to swap in the same 1mzfe engine and they disable the immobilizer by virginizing the ecu and apparently leaving the middle ecu connector unplugged. For Toyota Solara and Camry's the middle ecu connector has the immobilzer wires, but on the lexus these wires are located in a different ecu connnector. I depinned that CODE, RXCK, and TXCT wires from the ecu. I attemted to use my broken master key. I have just the key blade only and the little RFID chip inside the button house I left in my house on my desk.

What I flashed to the eeprom looks a lot like above in post #67

First attempt I zeroed out everything except FB DF and 5a 69, I left those values in there. Car would not start with just the metal key

Second attempt I zeroed out everything, still cant start the car

Third attempt I will try reflashing the eeprom to look exactly like post #67

If I can get this to work with the Lexus ECU, I may not bother with chipped keys for the Avalon ECU.

IMG_1150.jpg


IMG_1100.jpg
 
OG YOTA said:
Hey everyone, came across this topic while google searching and decided to join in on the discussion.

I attached a photo of my little eeprom reader I cooked up. I was able to cram all the little diodes and resisters inside the black connector housing, and for the 5v power and ground I just took an old micro usb phone charger cable I had laying around and chopped off the end, stripped it back for the red and black wires. You can then plug the usb end into your computer or use the usb wall adapter that your phone uses.

Now reading the chip, a couple months ago I actually tossed out two old tower PC's that had the serial ports I needed. So I called around asking anyone I knew if they had an old PC laying around but came up empty handed. Also found some used ones online that people wanted too much for. I currently only have one PC that I built last year, so I bought a PCIE serial port card to add to my computer for like $20.

I know some people were having to solder wires directly to the chip while on board or remove it entirely. While I am capable of doing so I wanted to avoid it if necessary. I bought the SOIC8 Pomona blue test clip from amazon, I read the reviews and people were saying that this one works much better than the typical cheap generic black clip sold everywhere else. I didn't have any issues getting it to clip and stay on my first try, but the second time I ended up placing some pliers on the cable to take any strain off my wires and it stays on perfectly (see attached photo). I may rebuild this eeprom reader and wire loom it up completely with a little weight attached to the cable as a strain relief so the clip is less likely to pop off.

My project is a 2000 Lexus Es300 right now that has a bad transmission. I have one broken master key and one valet key that Ive been using since I bought the car a couple years ago. I'm planning to swap in a 2000-2004 Toyota Avalon transmission, they share the same engine but the Avalon has the better/more reliable transmission. The Es300 transmission is so failure prone I dont want to swap in another used one to take my chances. To rebuild it isn't worth my time or money, and going the swap route is actually cheaper. I'm waiting on a Avalon engine harness to get here so I can go over it and make any necessary repairs. I already snatched a Avalon ECU at my local yard so that I can reflash it.

I started to consider not even bothering with the Immobilizer and chipped keys once I get the Avalon transmission and ecu+harness in. So first I decided to mess around with the Lexus ecu to test and see if I can accomplish this, and was successfully able to read and write to the eeprom with my setup. I know on the MR2 forums people like to swap in the same 1mzfe engine and they disable the immobilizer by virginizing the ecu and apparently leaving the middle ecu connector unplugged. For Toyota Solara and Camry's the middle ecu connector has the immobilzer wires, but on the lexus these wires are located in a different ecu connnector. I depinned that CODE, RXCK, and TXCT wires from the ecu. I attemted to use my broken master key. I have just the key blade only and the little RFID chip inside the button house I left in my house on my desk.

What I flashed to the eeprom looks a lot like above in post #67

First attempt I zeroed out everything except FB DF and 5a 69, I left those values in there. Car would not start with just the metal key

Second attempt I zeroed out everything, still cant start the car

Third attempt I will try reflashing the eeprom to look exactly like post #67

If I can get this to work with the Lexus ECU, I may not bother with chipped keys for the Avalon ECU.

View attachment 2592669

View attachment 2592744
Click to expand...
Awesome! I haven't had any luck programming in circut, I just pull the chip.

Almost all the different models of Toyota and Lexus have different code that puts the ecu into registration mode. I can look when I get out to the garage and see if I have the code you need.
 
Yeah I would definitely recommend trying out the Pomona test clip. It can pop off but I believe that is just due to the weight of the wires I have attached, taking the strain off of the clip really helped. Much as I love a good excuse to buy new tools and equipment, I was happy I didn't need to buy an hot air rework station. I was having some issues with programs crashing on my PC the past couple of days so i removed the serial port card I installed, and so far no crashes. This weekend I will try to source the issues and get back to messing around with the Lexus ECU.
 
You must log in or register to reply here.

Similar threads

A
Lost Master keys
Replies
6
Views
610
azusa
A
shtbrwn86
Android head unit for 98-02 LX470?
Replies
3
Views
523
x8o8drifter
x8o8drifter
BullElk
Window track hack
Replies
0
Views
473
BullElk
BullElk
roadstr6
Need ECU Reflashed for Keys; 2000 LX470
Replies
11
Views
2K
godawgs25
G

Users who are viewing this thread

Total: 1 (members: 0, guests: 1)

Share this page

Back
Top Bottom