Register
Page 1 of 17 12345611 ... LastLast
Results 1 to 15 of 247
  1. #1
    Banned
    Join Date
    Mar 2010
    Location
    BG / CZ
    Posts
    78
    Thanks
    0
    Thanked 109 Times in 17 Posts
    Downloads
    7
    Uploads
    0

    Default Reusing old Peugeot/Citroen remotes type 73373067B,C

    In Citroen and Peugeot the remote is precoded with the transponder. Changing transponder makes the remote stop working. In other words transponder and remote are matched in factory. When you program new transponder it must contain also data for remote. This is needed for BSI module to recognize rf transmissions from the remote.
    You can reuse old remotes if you know what kind of data to write into transponder. It is placed in USER 0,1,2,3 pages in PCF7936.
    Actual problem is retrieving data from an old, used remote and then put it into blank transponder.

    Here is a way to get this data. We need several things to do this: some used (but still working) remotes with fresh battery.
    A kind of "reader" based on PIC12F629 and a way to get the data into PC (I use so called USB-to-TTL converter), only RX channel needed and software is the ordinary HyperTerminal for windows (or some of xxxCOM apps if you're using Linux)
    Here are the pads used on the remote.
    Next part coming soon ...
    Attached Images Attached Images

  2. The Following 28 Users Say Thank You to mihotd For This Useful Post:

    + Show/Hide list of the thanked

    aassfour (26th September, 2013),armpower (1st May, 2013),artkiani (5th December, 2018),autoTkey (17th June, 2014),bram380 (21st June, 2013),Carsoft2003 (15th May, 2013),cubica1 (30th October, 2016),damih (18th May, 2013),dunnnia (7th May, 2015),F-1 (11th November, 2013),Faraday (11th March, 2014),hectorcairo (11th November, 2013),instakeys (18th April, 2014),jacostanzo (30th January, 2014),johnie-9 (16th October, 2018),jset (9th April, 2015),kyawkyaw (1st January, 2018),lion0304 (25th June, 2015),Meat-Head (1st June, 2013),mexjack (14th November, 2016),pandora6 (25th December, 2013),rm23 (20th May, 2018),SkyElectronics (24th August, 2013),srlemax (15th July, 2017),urcarpc (2nd June, 2013),valdirld (8th September, 2014),vavrich (10th February, 2018),yarecky3 (21st June, 2013)

  3. #2
    DK Veteran
    Join Date
    Feb 2011
    Posts
    531
    Thanks
    88
    Thanked 70 Times in 44 Posts
    Downloads
    7
    Uploads
    0

    Default

    Good work mate...

    Looking forward to seeing how this can be done.

  4. #3
    Banned
    Join Date
    Mar 2010
    Location
    BG / CZ
    Posts
    78
    Thanks
    0
    Thanked 109 Times in 17 Posts
    Downloads
    7
    Uploads
    0

    Default

    Part 2: Info, schematics and hex

    All needed to build the reader is attached.
    To get data open HyperTerminal, make a new connection and in screen "connect to" choose COMx (where USB to UART is).
    In COMx properties window press "restore defaults" then OK.
    If you made everytthing correctly you'll get a screen like attached one with remote data when you press a button.
    This data is different each time (only first two bytes remain the same) and this is expected, data from remotes is scrambled and rolling code.
    Calculator to produce transponder data exists (not free service though) and output is 4 bytes, which must be written in PCF7936.

    Here is the point where I need your help guys: I need data from some old remote + old transponder (paired ones!) to figure out how these calculated 4 bytes are written into transponder.
    Building all this stuff described above is a boring job, I agree. Also needs some effort and knowledge but if there are interested people I think we can resolve this whole problem which stays here for years.

    BR
    Attached Images Attached Images
    Attached Files Attached Files

  5. The Following 24 Users Say Thank You to mihotd For This Useful Post:

    + Show/Hide list of the thanked

    armpower (1st May, 2013),artkiani (5th December, 2018),autoTkey (17th June, 2014),baigano (10th March, 2014),bram380 (21st June, 2013),Cesarec (15th December, 2015),cubica1 (30th October, 2016),damih (18th May, 2013),DOUGLASDL (29th April, 2013),dunnnia (7th May, 2015),ettaoussi (15th November, 2013),F-1 (11th November, 2013),fluorescent (6th April, 2013),immooff (4th July, 2015),instakeys (18th April, 2014),kyawkyaw (1st January, 2018),Meat-Head (1st June, 2013),mijatx (18th November, 2013),n599fbm (27th September, 2014),pepin1 (22nd October, 2017),pezao (13th May, 2014),SkyElectronics (26th August, 2013),snecii (30th October, 2013),valdirld (8th September, 2014)

  6. #4
    Member
    Join Date
    Mar 2009
    Posts
    72
    Thanks
    17
    Thanked 4 Times in 2 Posts
    Downloads
    43
    Uploads
    0

    Default

    question : how to read 7936 with Hitag2 if PIN is known ?

  7. #5
    Banned
    Join Date
    Mar 2010
    Location
    BG / CZ
    Posts
    78
    Thanks
    0
    Thanked 109 Times in 17 Posts
    Downloads
    7
    Uploads
    0

    Default

    Quote Originally Posted by kerekt View Post
    question : how to read 7936 with Hitag2 if PIN is known ?
    There is no PIN for transponder. Did you mean SK (secret key 48bits) ? If so, you can read it with tango hitag2 by entering 6 bytes in the key field for crypto mode (not password mode).

    Actually all transponders from peugeot I've seen are locked
    It seems that USER pages can be read only on new, prepared for programming in car key (new couple of 7936 + remote pcb from PSA)

  8. #6
    DK Veteran
    igorr's Avatar
    Join Date
    Aug 2010
    Posts
    1,105
    Thanks
    514
    Thanked 243 Times in 160 Posts
    Downloads
    28
    Uploads
    0

    Default

    how to open PSA reader

  9. #7
    DK Veteran

    Join Date
    Jul 2010
    Location
    west mids, uk
    Posts
    4,312
    Thanks
    452
    Thanked 734 Times in 513 Posts
    Downloads
    27
    Uploads
    0

    Default

    is there not a way/equipment that can read the data from the IC on the remote board? Surely then after reading a couple of new ones and reading pcf7936 pages from the same remote - before programming, we could work out what data and where etc.

    I dont mind butchering a few new ones if we are getting somewhere with this, but only a few as they are so flippin expensive!

    Building that stuff above looks a little past me but ill have a go....

    ninja
    DK- The Bogs Dollocks!!!
    NEVER SAY IT CANT BE DONE!!
    The thanks button works wonders!!
    DONT SEND ME PM'S ASKING FOR OTHER MEMBERS WORK OR PASSWORDS

  10. #8
    DK Veteran

    Join Date
    Jan 2010
    Posts
    2,914
    Thanks
    250
    Thanked 1,398 Times in 707 Posts
    Downloads
    18
    Uploads
    0

    Default

    Quote Originally Posted by ninja123 View Post
    is there not a way/equipment that can read the data from the IC on the remote board? Surely then after reading a couple of new ones and reading pcf7936 pages from the same remote - before programming, we could work out what data and where etc.

    I dont mind butchering a few new ones if we are getting somewhere with this, but only a few as they are so flippin expensive!

    Building that stuff above looks a little past me but ill have a go....

    ninja
    if you read a new key you will have the data to reprogram that remote to another car, trouble with used remotes you have not got that data and the remote will only broadcast the rolling code.

    So you would need to know the algorithm the key is using so you could turn the rolling code back into the orignal data.

    This is what the OP want to figure out i.e. get a load of samples of data to try to figure the algorith.. although could be very hard

  11. The Following User Says Thank You to paul_12345 For This Useful Post:

    konarg (20th June, 2014)

  12. #9
    Banned
    Join Date
    Mar 2010
    Location
    BG / CZ
    Posts
    78
    Thanks
    0
    Thanked 109 Times in 17 Posts
    Downloads
    7
    Uploads
    0

    Default

    I have calculator for [rolling code] -> [original data]
    But don't know how it is written into transponder.
    Only a guess: 4 bytes of original data into USER0 page and inversed values of these written into USER1 page.

    Also there can be aadditional coding in body module, that's what i want to figure out

  13. #10
    DK Veteran

    Join Date
    Jan 2010
    Posts
    2,914
    Thanks
    250
    Thanked 1,398 Times in 707 Posts
    Downloads
    18
    Uploads
    0

    Default

    so your the one that offering the 4 byte from rolling code for $$$$$ then you want others help to finish your project ??

    If you really want to solve why not post calculator!

  14. #11
    DK Veteran

    Join Date
    Jul 2010
    Location
    west mids, uk
    Posts
    4,312
    Thanks
    452
    Thanked 734 Times in 513 Posts
    Downloads
    27
    Uploads
    0

    Default

    ok, i know there is no rolling code algo stored in transponder pages, only solid non rolling data, so, any algo's used here are either in remote or bsi, i presume bsi, as a re sync procedure is available and works all the time.

    And how can you get samples when then transponder is locked during programming?

    The only way I see is reading new/virgin remotes/transponders and working from there.

    I just dont know how to move on from this or I would....

    ninja
    DK- The Bogs Dollocks!!!
    NEVER SAY IT CANT BE DONE!!
    The thanks button works wonders!!
    DONT SEND ME PM'S ASKING FOR OTHER MEMBERS WORK OR PASSWORDS

  15. #12
    Banned
    Join Date
    Mar 2010
    Location
    BG / CZ
    Posts
    78
    Thanks
    0
    Thanked 109 Times in 17 Posts
    Downloads
    7
    Uploads
    0

    Default

    Quote Originally Posted by paul_12345 View Post
    so your the one that offering the 4 byte from rolling code for $$$$$ then you want others help to finish your project ??

    If you really want to solve why not post calculator!

    I can find out the remaining things for this algo alone but I think it's not worth the effort. I already spent a lot of time and money to get there, so i will not post calculator now, maybe later time (it is not a program in fact).
    If someone wants to calculate data from rolling code I will calculate it, no problem (and not for $$$$ !)

    Nobody is is obliged to help me, i can do it alone, just want to save time and money, that's all.

  16. #13
    Member
    Join Date
    Mar 2009
    Posts
    72
    Thanks
    17
    Thanked 4 Times in 2 Posts
    Downloads
    43
    Uploads
    0

    Default

    how to find this 6bytes in bsi to read transponder in crypto mode?


    Quote Originally Posted by mihotd View Post
    There is no PIN for transponder. Did you mean SK (secret key 48bits) ? If so, you can read it with tango hitag2 by entering 6 bytes in the key field for crypto mode (not password mode).

    Actually all transponders from peugeot I've seen are locked
    It seems that USER pages can be read only on new, prepared for programming in car key (new couple of 7936 + remote pcb from PSA)

  17. #14
    Banned
    Join Date
    Mar 2010
    Location
    BG / CZ
    Posts
    78
    Thanks
    0
    Thanked 109 Times in 17 Posts
    Downloads
    7
    Uploads
    0

    Default

    Quote Originally Posted by kerekt View Post
    how to find this 6bytes in bsi to read transponder in crypto mode?
    I think these bytes are stored in NEC cpu internal eeprom. One of available tools for reading is NecProg programmer.

  18. #15
    Banned
    Join Date
    Mar 2010
    Location
    BG / CZ
    Posts
    78
    Thanks
    0
    Thanked 109 Times in 17 Posts
    Downloads
    7
    Uploads
    0

    Default

    Finally I get it. Here is how it works.

    Decoded four bytes from remote are written to its corresponding transponder in USER0,1,2 pages. For example we have a remote with bytes E7D020A5, here A5 is remote TYPE, other 3 bytes are remote ID. For such data you must write to PCF7936 the following:

    USER 0: 55E7D020 - remote ID, first byte is always heading 55
    USER 1: AA182FDF - inverted USER 0 bytes
    USER 2: 0A55FFFF - stands for remote type A5 (Pug 307 in this case)
    USER 3: no matter - can be FF's (usually some date is stored here, say 05112003 for 5 NOV 2003)

  19. The Following 19 Users Say Thank You to mihotd For This Useful Post:

    + Show/Hide list of the thanked

    artkiani (5th December, 2018),autoTkey (16th June, 2014),bram380 (21st June, 2013),cubica1 (30th October, 2016),datapage (9th May, 2013),F-1 (10th November, 2013),kemaster (18th June, 2014),MACKIE (10th August, 2013),madaxe (3rd January, 2018),malva (15th December, 2013),mijatx (18th September, 2013),monje gris (22nd July, 2014),nazz2 (17th October, 2013),pandora6 (26th November, 2013),PETERALC506 (27th November, 2013),rm23 (20th May, 2018),smokey08 (25th September, 2013),tecnicoauto (31st October, 2017),urcarpc (2nd June, 2013)

 

 
Page 1 of 17 12345611 ... LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •