Can someone explain me like on idiot how to unlock used key with key pass from the car

For example I have Saab 93 with 7946

I used HB to calculate the pass from working key the pass is B39E4AA0D70A

On what too and where exact must write this pass to return the key virgin state and read the remote precode?

I have Tango VVDI2 Zedbul and a lot of key readers

Now I saw that when decode the pass there is button - EDIT when press it showed the original precode - 6732F2C5

but still can't unlock it to virgin state

The key password is a combination of SK high (page 2) and SK low (page 1). The default password for Hitag 2 is 4F4E4D494B52 and if the key is unlocked it should have that value in the SK high and low fields. The 4D494B52 is the default encryption key. Once you have the ecryption key you are able to read all the pages of the transponder but you can not edit the pages because the transponder is locked (there is write protection on several data fields). To unlock it you have to change the configuration byte on page 3.

How to change the config byte on P3 I do not know because I am unable to edit that field once the tranponder is locked. I am quite interested in the procedure myself.

That bits in P3 are OTP.

Can someone explain me like on idiot how to unlock used key with key pass from the car

For example I have Saab 93 with 7946

I used HB to calculate the pass from working key the pass is B39E4AA0D70A

On what too and where exact must write this pass to return the key virgin state and read the remote precode?

I have Tango VVDI2 Zedbul and a lot of key readers

Your PSW is: B39E4AA0D70A by KD it show Hi crypto + Low Crypto: so B3 9E is High - 4A A0 D7 0A is Low

Here how to Unlock when you have PSW: B3 9E - 4A A0 D7 0A

1/ Choose read 7946 -> Crypro mode

2/ Enter your PSW: 4A A0 D7 0A B3 9E ----> Read again. If PSW is correct, it will show all page

3/ ISK Lo will show: 4A A0 D7 0A ---> Modifie to: 4D 49 4B 52 ---> Write

4/ ISK Hi: will show: B3 9E ----> Modifie to: 4F 4E ----> Write

5/ TMCF if 0E ---> Modifie to 06 ---> Write

Your PSW is: B39E4AA0D70A by KD it show Hi crypto + Low Crypto: so B3 9E is High - 4A A0 D7 0A is Low

Here how to Unlock when you have PSW: B3 9E - 4A A0 D7 0A

1/ Choose read 7946 -> Crypro mode

2/ Enter your PSW: 4A A0 D7 0A B3 9E ----> Read again. If PSW is correct, it will show all page

3/ ISK Lo will show: 4A A0 D7 0A ---> Modifie to: 4D 49 4B 52 ---> Write

4/ ISK Hi: will show: B3 9E ----> Modifie to: 4F 4E ----> Write

5/ TMCF if 0E ---> Modifie to 06 ---> Write

I tried that method already on a Astra H key and it didn't work. Now I tried again on Clio 3 keys and it works, but it still won't write data to the Astra H chip. I am able to read the TMCF page and all the pages below so I know the password is correct but the SK low and SK high fields return empty. When I try to write them I get a "writing unsucessful" error.

What could be my issue ? Does it have something to do with it being a PCF7941 chip instead of the PCF7946 from the Clio or does the issue lie with the configuraion byte. It is set as F8 (I decyphered that that means that the Sectec Key lock, Page 3 lock, Protection write Page 4,5,6,7 and Crypto mode are enabled.)

Is there any way to change the configuration if the password is known even when the Secret key is locked ?

I tried that method already on a Astra H key and it didn't work. Now I tried again on Clio 3 keys and it works, but it still won't write data to the Astra H chip. I am able to read the TMCF page and all the pages below so I know the password is correct but the SK low and SK high fields return empty. When I try to write them I get a "writing unsucessful" error.

What could be my issue ? Does it have something to do with it being a PCF7941 chip instead of the PCF7946 from the Clio or does the issue lie with the configuraion byte. It is set as F8 (I decyphered that that means that the Sectec Key lock, Page 3 lock, Protection write Page 4,5,6,7 and Crypto mode are enabled.)

Is there any way to change the configuration if the password is known even when the Secret key is locked ?

This methode work for 7946/47 and 7936 in some model of car. Not all 7936 can be unlock with this method.

Also Ducato 2012+ BSI 95640 with 7946 i cannot unlock

I'm have a few used transponders for various makes of car keys from vw to BMW to range rover I'm trying to either delete the entire memory and somehow write a new memory from a brand new chip onto the old used one to effectively reset the used chips back to factory . I'm thinking of sending a high voltage to the transponder via RFID and somehow writing over the used chip with a new chip . Any help would be appreciated

Sorry to bring up old thread but how do I brute force to determine password from ID46? Also, what is HB?

Either you need to make it with sniffer by car where transponder belongs or use dump/data from car to determine it. Bruteforce is possible only in theory or in very rare cases where clever manufacture reduced extremely space of it.

Sorry to bring up old thread but how do I brute force to determine password from ID46? Also, what is HB?


You need a transponder cloner to collect the ignition lock signal and decode the ID46 pass. They need the password to read all the data of the original transponder and write the same data to a new one (effectively making a clone) But most show the password after they decode it.

HB is short for HandyBaby, one such handheld transponder cloner.

Or alternatively most of the time you can get the password from the dump of the immobiliser of the car the key is programmed to. For that you need software (most of the time bundled with hardware) that can program transponders from dump. But not all such software show the ID46 password when they decode the dump. A lot of the time it is automatically done in the program background.