last week i change bsi code in citroen c4 picasso, after that the key stop working and i was needed to program a new key.
my question - does the transponder key got bsi code in memory?
it is possible to find this code from reading the key or it is crypted?

The way I see it, the keys are locked after programming, with an algo that uses the pincode, I think this is the way for all ID46, this is the only way I can explain it to myself as if you fit new bsi and use ori pincode then the original keys work again, but not if you change pincode.

ninja

The way I see it, the keys are locked after programming, with an algo that uses the pincode, I think this is the way for all ID46, this is the only way I can explain it to myself as if you fit new bsi and use ori pincode then the original keys work again, but not if you change pincode.

ninja
the pincode must be store in the transponder data - like renault id33 and 4d60 but i guessing it is encrypted in some way

http://www.digital-kaos.co.uk/forums/f177/reusing-old-peugeot-citroen-remotes-type-73373067b-c-325914/index9.html

RFRemote has found the secret. :)

Unfortunately not yet :(
I have success with only few transponders.
Secret key 48 bit used to lock transponder depends on PIN code and maybe transponder ID somehow but for now algo is not fully clear to me.
Now I'm on the way to sniff communication in the moment of coding new key.

Unfortunately not yet :(
I have success with only few transponders.
Secret key 48 bit used to lock transponder depends on PIN code and maybe transponder ID somehow but for now algo is not fully clear to me.
Now I'm on the way to sniff communication in the moment of coding new key.

dont suppose you have any details on a sniffing device you will share??

Using a 307 bsi and COM2000 not from same car though. Connection between them is VAN bus which can be sniffed with CAN bus receiver which needs modifying because protocol is different. Still not have filtered and sensible data from it but working on improvement.

Using a 307 bsi and COM2000 not from same car though. Connection between them is VAN bus which can be sniffed with CAN bus receiver which needs modifying because protocol is different. Still not have filtered and sensible data from it but working on improvement.

might have a look at some point into make a sniffer, once the hardware is made the software should be simple enough to write as there is info on the hitag protocol

In fact I want to avoid examining hitag2 data but look at inter-processor communication as there data may be in pure and more understandable form.
From one side com2000 which includes a nec cpu and must be a plug and play module with no programming needed if replaced.
On other side HC912 in the BSI. They may exchange data in terms of bytes which are same as recorded in pcf if not encrypted communication of course.

i just gussing that keydiy crack it and know where is the code store and how to unlock

i just gussing that keydiy crack it and know where is the code store and how to unlock

unlocking the transponder side of the pcf7941 will be of no use to keydiy, they still would not be able to read the remote coding.

the remote side should only have access to the last two pages of the transponder side but I would of thought more likely they have found a way to access the entire memory from the remote code to enable them to unlock the pcf, this will be no usse when it comes to reusing normal keys

Things can be simpler than I thought. A good test will be to set BSI pin to 'UUUU' then adapt a transponder to it.
It is possible that locked transponder will have crypto SK 48bit 'UUUUUU'.
I'm talking about 2 button remotes with separate pcf7936 not 7941.

Hi!

I think there might be a posibility to "unlock" PCF7941 by a HITAG2 Reader/Writer.
I`ll try in few weeks and post back the result. IF anyone have a blank original remote to read the blank PCF transponder in a HITAG2 R/W, and then copy all the values in a already used key that use ID46 (PCF7941)... maybe it will do the trick.

Pin code in psa is used as synchro code it is for sure one reason why car wont start.

Waking this old thread again just to say that PIN code theoretically can be derived from PCF7936 within 24hrs.
Also if one has an old key (remote + transponder paired but locked) and pin from the car, I can tell the SK to unlock pcf and read remote pages data.
After that remote can be reused by loading this data to another new blank transponder and pairing to another car.

I have new one locked to the wrong pin
Could I get SK to read it?
Citroen C3
ID- 6097891D and pin WB3G

Thanks Adam

Calculation works on Citroen C5/C8 as well on Eurovans Peugeot 807 Fiat Ulysse and Lancia Phedra.
Other pugs use another algo, trying to find out all details about it, I'm missing something for now :(

Later I figured out that this calc works for 308/C4 too!

Waking this old thread again just to say that PIN code theoretically can be derived from PCF7936 within 24hrs.
Also if one has an old key (remote + transponder paired but locked) and pin from the car, I can tell the SK to unlock pcf and read remote pages data.
After that remote can be reused by loading this data to another new blank transponder and pairing to another car.

Didnt understand very clear, you can calculate SK code just from pin code, or you need some more info from that key? And what would be that, I want to help to push this thread :)

All from my post #17 confirmed to be true and yes, can get ISK just from pin

nice work, will you be making software or sharing?

I think manufacturers of key making tools will not be happy to see this as free software because it will be immediately cracked by others who still do not have the calc. Anyway if someone needs particular translating pin->isk I can help with this.

I think manufacturers of key making tools will not be happy to see this as free software because it will be immediately cracked by others who still do not have the calc. Anyway if someone needs particular translating pin->isk I can halp with this.
That is good if someine code wrong remote key :) you are master my friend, this is very good

Послато са GT-I9060 уз помоћ Тапатока

That is good if someine code wrong remote key

Yes, exactly. So don't be lazy and always backup your new keys user pages :)