Reading a PCF7953 from a Land Rover keyfob KOBJTF10A
msnyder19
12th December, 2020, 05:06 PM
Is it possible to dump the contents of the PCF7953 from the keyfob? I want to try and implement the protocol using an STM32 micro and an FSK transmitter as a research project. I see a number of keyfob tools available that appear to be able to read the PCF7953. I have not been able to find a datasheet for the chip, but my general plan of attack was to:
1. Dump the contents of the chip
2. Figure out how the protocol works by disassembling the bin file if possible (guessing that should reveal the algorithm for Hitag 49 pro?)
3. Implement this on the STM32
Any ideas or pointers? I'm guessing this is a pretty daunting task, seeing as there is no info available and I cannot even locate the datasheet for the PCF7953 :-(
Thanks
Mike
smokey08
12th December, 2020, 07:40 PM
Maybe these will help? http://transpondery.com/pcf/5E0U40247.rar
avital
12th December, 2020, 08:33 PM
I will not answer exactly for the case of the PCF7953, but the similar-generation MCU PCF79XX does not have the encryption procedures (in this case HT3) in the flash area, only in a special ROM.
So you will not succeed in decompiling it, because the program jumps to the encryption routines (the algorithm) implemented in the ROM on this chip. Long ago I wanted to do this... This is also visible in source code from one random model of remote and transponder key ;)
msnyder19
13th December, 2020, 11:43 PM
Thanks avital. That makes sense - I was afraid of something like this :frown: - so, next crazy idea... I got the service manual for the F-Pace that uses this keyfob, and it looks like it has an RF receiver and an RFA.
My first thought was that the RF receiver would receive the RF data and the decoded output would be going over the LIN line (so naive of me). Anyway, it turns out that the RF receiver just spits out the demodulated RF data over the LIN bus without decoding it - it uses a TDA5240 chip:
https://www.infineon.com/dgdl/Infineon-TDA5240-DS-v04_00-EN.pdf?fileId=5546d4625debb399015e286e4d9b3caa
So the next step was to chase it down to the RFA. It looks like the RFA uses an MC9S12XEQ38 micro, and from what I can tell the decoding of the data happens in there. I was a bit surprised by that, because it means the NXP folks must have had to provide the decryption algorithm to the programmers (I was under the impression that the HiTag protocol was secret and the algorithm was not available to anybody).
I had assumed maybe NXP had a companion chip to the PCF7953 that would do the decoding and then hand the data to the necessary micro. Anyway, this makes it a bit harder, but it looks like there are programmers like the UPA and XPROG that could potentially read the micro. Maybe that will yield some results. I will keep you all posted on what I find out. Thanks for the hints so far, and hopefully this might help someone else along the way...