Alarm PIN Hack

[PhoneBoy]

Alarm PIN Hack

I finally have something worthwhile to contribute to this forum! But first a little history..

Recently one of my fobs went through the wash I opened it up and dried it out. Unfortunately when reassembled, it wouldn’t mobilize the car. No big deal, I figured it just needed to be reprogrammed.. one problem, no PIN (dealer never gave it to me) .

I had several items in my “car” file that had 4-digit numbers that I thought might be the PIN. I tried them all to no avail.

One thing I did notice when attempting to enter the PIN was the tach light just kept flashing after entering the first digit. Figuring that this would likely give some indication if I made a correct entry, I repeated the procedure with different digits until I found the correct leading digit and the tell tale light went out. Moving on to the second digit and repeating this procedure I discovered the next PIN digit. Repeating several more times for the third and fourth digits I found the full PIN.

So.. if you cannot find your PIN, here is how to hack your alarm system PIN:

Be prepared to be locked out of the alarm PIN entry several times unless you are an incredibly lucky guesser (in that case, I suggest you buy a lottery ticket). You can still use working fobs when you are locked out – you just cannot continue hacking until you have a time out.

Finding the First Digit
1. With the system is immobilized (security tell tale flashing), Turn the ignition on and off 3 times within 7 seconds; the security tell tale in the tachometer will light for 3 seconds. NOTE: After several unsuccessful PIN entries the alarm system will lock out and the tachometer light will continue to flash. Simply wait 15 minutes and the system will reset so you can try again.
2. Immediately after the tell tale goes out, switch ON the ignition. After 1 to 9 tell tale flashes, turn the ignition off.
3. If the tell tale light stays off, then the number of tell tale flashes in step 2 is your first PIN digit. If the tell tale light continues to flash it is NOT your first PIN digit.
4. Turn the ignition off for 10 seconds and repeat steps 1 through 3 with remaining 1-9 digits until the first PIN digit is discovered (the tell tale light stays off).

Finding the Second Digit
5. Again, with the system is immobilized (security tell tale flashing), Turn the ignition on and off 3 times within 7 seconds; the security tell tale in the tachometer will light for 3 seconds.
6. Immediately after the tell tale goes out, switch ON the ignition. Count the number of security tell tale flashes until equal to the first number of the PIN, then turn the ignition OFF, then back ON again.
7. After 1 to 9 tell tale flashes, turn the ignition off.
8. If the tell tale light stays off, then the number of tell tale flashes in step 7 is your second PIN digit. If the tell tale light continues to flash it is NOT your second PIN digit.
9. Turn the ignition off for 10 seconds and repeat steps 5 through 7 with remaining 1-9 digits until the second PIN digit is discovered (the tell tale light stays off).

Finding the Third Digit
10. Again, with the system is immobilized (security tell tale flashing), Turn the ignition on and off 3 times within 7 seconds; the security tell tale in the tachometer will light for 3 seconds.
11. Immediately after the tell tale goes out, switch ON the ignition. Count the number of security tell tale flashes until equal to the first number of the PIN, then turn the ignition OFF, then back ON again.
12. Count the number of security tell tale flashes until equal to the second number of the PIN, then turn the ignition OFF, then back ON again.
13. After 1 to 9 tell tale flashes, turn the ignition off.
14. If the tell tale light stays off, then the number of tell tale flashes in step 13 is your third PIN digit. If the tell tale light continues to flash it is NOT your third PIN digit.
15. Turn the ignition off for 10 seconds and repeat steps 10 through 13 with remaining 1-9 digits until the third PIN digit is discovered (the tell tale light stays off).

Finding the Fourth Digit
16. Again, with the system is immobilized (security tell tale flashing), Turn the ignition on and off 3 times within 7 seconds; the security tell tale in the tachometer will light for 3 seconds.
17. Immediately after the tell tale goes out, switch ON the ignition. Count the number of security tell tale flashes until equal to the first number of the PIN, then turn the ignition OFF, then back ON again.
18. Count the number of security tell tale flashes until equal to the second number of the PIN, then turn the ignition OFF, then back ON again.
19. Count the number of security tell tale flashes until equal to the third number of the PIN, then turn the ignition OFF, then back ON again.
20. After 1 to 9 tell tale flashes, turn the ignition off.
21. If the tell tale light stays off, then the number of tell tale flashes in step 20 is your fourth PIN digit. If the tell tale light continues to flash it is NOT your fourth PIN digit.
22. Turn the ignition off for 10 seconds and repeat steps 16 through 20 with remaining 1-9 digits until the fourth PIN digit is discovered (the tell tale light stays off) and the system is mobilized.

[Chris Mackey]

You rock.

[peck555]

Calling Keeper... we have an uberpost entry here.

[lotusforsale]

+1. Saved as a Favorite, and hardcopy printed and archived.

[habendanio]

So basically it should only takes like around ~36 attemps to get it right?
I know my pin and it took me like a hundred attempts to program a third fob??

Good job!

[ojars]

No security at all!

[Aedo]

Quote:

Originally Posted by lotusforsale

+1. Saved as a Favorite, and hardcopy printed and archived.

Getting the PIN and storing it safely before needing it is probably a better idea

Quote:

Originally Posted by ojars

No security at all!

Except that you need the key, a lot of patience, plus ear plugs as the alarm will be going off!!

[nockpoint]

Pretty sneaky PhoneBoy. So in the end were any of your stored codes in your car file close to the actual pin? AKA did someone just record it wrong by 1 digit?

[macdady2424]

Hmm... this might be my answer to programmnig my other fob. Maybe I have the wrong pin # and just can't get it programmed. I can use this as another check to see if I have the right pin I guess.

[njcu]

NICE HACK!

[njcu]

Quote:

Originally Posted by Aedo

Except that you need the key, a lot of patience, plus ear plugs as the alarm will be going off!!

Not a problem if you've towed the car to a garage and disconnected the horn. And you would have plenty of time to figure it out on your way to south America for that buyer who's just can't wait to have one.

lol not that I would know or anything... I just watch a lot of movies

[Crabman]

I called my local Lotus dealer (not who sold it originally or who I bought it from) and gave them my VIN. They gave me the PIN in 2 minutes. Kind of defeats the purpose of the PIN, but it worked great for my needs.

[PhoneBoy]

Quote:

Originally Posted by habendanio

So basically it should only takes like around ~36 attemps to get it right?
I know my pin and it took me like a hundred attempts to program a third fob??
Good job!

Yup - it takes a while, especially when you have to often wait for the alarm lock out to expire. Other than the time waiting, the PIN can be hacked in under 30 minutes.

Quote:

Originally Posted by Aedo

Getting the PIN and storing it safely before needing it is probably a better idea

Yup, unfortuanlty my dealer never provided it and I'm too cheap to pay for it

Quote:

Originally Posted by Aedo

Except that you need the key, a lot of patience, plus ear plugs as the alarm will be going off!!

Yup - If you left the alarm armed, it's going to get loud.

Quote:

Originally Posted by nockpoint

Pretty sneaky PhoneBoy. So in the end were any of your stored codes in your car file close to the actual pin? AKA did someone just record it wrong by 1 digit?

Nope. None of the numbers I had were even close to the PIN.

But now both my fobs work (even the one that went through the wash ) and I didn't have to spend a dime.

[kestrel74]

I have a couple of social security numbers you could have fun with !!!

[njcu]

hmm... Phone Phreaking?

[PhoneBoy]

Quote:

Originally Posted by njcu

hmm... Phone Phreaking?

You'd be surprised how many people use "1111" or "1234" for voice mail passwords. I run into hacked phone systems quite often. Usually people looking for free calls (or hiding the call origination) to SE Asia, Middle East, and Central America.

[PhoneBoy]

Quote:

Originally Posted by kestrel74

I have a couple of social security numbers you could have fun with !!!

[TimMullen]

Quote:

Originally Posted by PhoneBoy

You'd be surprised how many people use "1111" or "1234" for voice mail passwords. I run into hacked phone systems quite often. Usually people looking for free calls (or hiding the call origination) to SE Asia, Middle East, and Central America.

I ran a telephone based time entry system that 13,000 people had to call into daily. I checked one time, and over 9,000 people had their password set to: "1234". I had to modify the software to block "easy passwords", repeat passwords, and require them to change them twice a year...

[jriva]

Hmm info we should have on the forums... i think not.

[PhoneBoy]

Quote:

Originally Posted by jriva

Hmm info we should have on the forums... i think not.

I gave this significant thought before originally posting. You need the correct key and many hours (because of the system lockouts) to hack the PIN. In addition, the alarm would be blaring if the system is armed.

If your car is stolen because I posted this, I'll chip in and help buy you a new one.