Reusing old Peugeot/Citroen remotes type 73373067B,C

[kosu]

third post in this thread

rf reader serial output --> 12F629 pic with mihodt hex--> usb-serial converter--> pc usb port--> your favorite serial port monitor sw

Oh crap, I'm blind. So the 12F629 is operating as an A/D convertor is it? Any chance I can get a copy of the .asm file?

[kosu]

not necessary if you familiar with the PIC assembly in this case take the PSAreaderv2.asm (i already sent you) use the instructions and buid your own program. But it's just the data logger part. If you want to figuring out the calculating method you have to crack the 68hc908 and disaasembly the algo

Is the 75070820 a MC68HC908JL8 or similar then? I see the data sheet for that has a 32 pin package which would make pin 18 PTD1/ADC10. Is that what I'm looking at here?
75070820.jpg
If so, are these always locked with the 8 byte key in FFF6-FFFD? Even the knockoffs? Are there ROM dumps around?

[jodge]

Oh crap, I'm blind. So the 12F629 is operating as an A/D convertor is it? Any chance I can get a copy of the .asm file?

https://en.lmgtfy.com/?q=pic+hex+to+asm



No public rom dumps

[kosu]

https://en.lmgtfy.com/?q=pic+hex+to+asm

Thanks for that great clue! I found a linux disassembler called PICDISL but the disassembly looks a little bit bogus to me. Since you already seem to have a disassembly/original ASM, would you be so kind as to send me a copy so I can compare. I found another windows one but it didn't work under wine unfortunately.

No public rom dumps

Guess that figures.

There was a nice usenix talk here: https://www.usenix.org/conference/us...ntation/garcia
which covers a lot of this, but it was interesting to see they approached it from the ECU side rather than the keyfob, which I would presume would be easier/less protected.

[kosu]

AM OOK 433.92 MHz

Is AM OOK known by another name?
Every capture here seems to have XX AA ... whereas my SDR capture using rtl_433 has a fixed first byte and then variable second byte
Here's the analysis:

Code:

$ rtl_433 -r g001_433.925M_250k.cs16 -A -a
rtl_433 version 19.08-24-g14c5b9a branch master at 201910071222 inputs file rtl_tcp RTL-SDR SoapySDR
...
Detected OOK package    @0.096508s
Analyzing pulses...
Total count:  212,  width: 120.98 ms        (30246 S)
Pulse width distribution:
 [ 0] count:  164,  width:  232 us [228;252]    (  58 S)
 [ 1] count:   46,  width:  460 us [460;468]    ( 115 S)
 [ 2] count:    2,  width: 1184 us [1184;1188]    ( 296 S)
Gap width distribution:
 [ 0] count:  162,  width:  220 us [212;228]    (  55 S)
 [ 1] count:   48,  width:  452 us [448;460]    ( 113 S)
 [ 2] count:    1,  width:  940 us [940;940]    ( 235 S)
Pulse period distribution:
 [ 0] count:  150,  width:  456 us [456;464]    ( 114 S)
 [ 1] count:   26,  width:  684 us [680;692]    ( 171 S)
 [ 2] count:   34,  width:  916 us [912;920]    ( 229 S)
 [ 3] count:    1,  width: 2128 us [2128;2128]    ( 532 S)
Level estimates [high, low]:   1872,     17
RSSI: -18.8 dB SNR: 40.3 dB Noise: -59.2 dB
Frequency offsets [F1, F2]:    1040,      0    (+4.0 kHz, +0.0 kHz)
Guessing modulation: Pulse Width Modulation with sync/delimiter
Attempting demodulation... short_width: 232, long_width: 460, reset_limit: 944, sync_width: 1184
Use a flex decoder with -X 'n=name,m=OOK_PWM,s=232,l=460,r=944,g=0,t=0,y=1184'
pulse_demod_pwm(): Analyzer Device 
bitbuffer:: Number of rows: 3 
[00] {146} ff ff ff ff ff ff ff ff ff ff ff 7b 86 69 b4 7e ef 07 c0 
[01] {64} fd ee 19 a6 d1 fb bc 1f 
[02] { 0}                                                          :

rtl_433 supports the following formats:

Code:

<modulation> is one of:     OOK_MC_ZEROBIT :  Manchester Code with fixed leading zero bit
    OOK_PCM :         Pulse Code Modulation (RZ or NRZ)
    OOK_PPM :         Pulse Position Modulation
    OOK_PWM :         Pulse Width Modulation
    OOK_DMC :         Differential Manchester Code
    OOK_PIWM_RAW :    Raw Pulse Interval and Width Modulation
    OOK_PIWM_DC :     Differential Pulse Interval and Width Modulation
    OOK_MC_OSV1 :     Manchester Code for OSv1 devices
    FSK_PCM :         FSK Pulse Code Modulation
    FSK_PWM :         FSK Pulse Width Modulation
    FSK_MC_ZEROBIT :  Manchester Code with fixed leading zero bit

I've ordered the 12F629 so I can try it from that side too. I'm sure I must be able to do it with a logic analyzer too, but haven't tried yet.

[jodge]

dude it's boring.
you contsantly asking things what we've already talked about like bazillion times
Read the whole thread everything is here.
AAmOOK

[kosu]

It's all there if I just want to buy some kit, but it's not all there if I want a technical understanding of what is happening.

[jodge]

It's all there if I just want to buy some kit, but it's not all there if I want a technical understanding of what is happening.

Then you are in the wrong place. This is a locksmith forum with mostly end-users, experienced but end-users. And whos not and understands your question will not give you answers bcose those infos are valuable.
You can build your own logger by the info provided by mihodt in this thread after logging (if you reach mihodt) he will calculate the info..or not.

few things at the end (at least for me)
the HW based hacking is a thing on linux but use a win based pc too, mostly the usb driver - kernel implementations are sucks (factory too) on linux and you not able to logging something when the only available driver and sw running only on WIN
if you want to archieve something with those remotes bulid mihodt logger. I bet you are trying to implement the whole logger without the PIC. Those PIC-s are cheap like 3 pcs beans and why are you spending time to reinvent the wheel? Mihodt logger tested and working.

Dump the remote -secured- mcu or dump the BSI flash. Thats a good start. Mihodt started with the MCU

[kosu]

Then you are in the wrong place. This is a locksmith forum with mostly end-users, experienced but end-users. And whos not and understands your question will not give you answers bcose those infos are valuable.

I see

You can build your own logger by the info provided by mihodt in this thread after logging (if you reach mihodt) he will calculate the info..or not.

few things at the end (at least for me)
the HW based hacking is a thing on linux but use a win based pc too, mostly the usb driver - kernel implementations are sucks (factory too) on linux and you not able to logging something when the only available driver and sw running only on WIN
if you want to archieve something with those remotes bulid mihodt logger. I bet you are trying to implement the whole logger without the PIC. Those PIC-s are cheap like 3 pcs beans and why are you spending time to reinvent the wheel? Mihodt logger tested and working.

I have actually already ordered the pic and the rf hardware, it's just that they haven't arrived yet. Meanwhile I was hoping I could use an SDR and a logic analyzer to achieve the same thing, but that requires more of an understanding of what I'm actually looking at, such as what's coming out of pin 18 on the keyfob and what the waveform encoding actually is.I did disassemble the hex and also ran the code in a simulator, but since there's no description of what it's actually doing, I have to figure that out first. Anway, I'll get there in the end, it's just I was hoping for a leg up. No matter.

Dump the remote -secured- mcu or dump the BSI flash. Thats a good start. Mihodt started with the MCU

Yeah, don't really want to take my car apart yet, or buy an ECU/BSI on ebay. At least the remotes are pretty cheap while I learn how this stuff works.

[vanders]

Ok Jodge, clear.. suppose you have a complete working key.. remote and transponder.. is it possible to clone / copy this key, and which key programmer do you need?

[qeso705]

Peugeot 107 is Toyota Aygo system which have only similar pcb HW. It dosent need any values to write in pcf7936 because there isnt any pcf736. There is manual remote programming procedure. Remote dont need any virginize.

[vanders]

Found this from peugeot service box.. new remote , but not sure if there is a transponder chip included.

Anyway this remote ( new ) with transponder ( new ) with the keyblade which can turn the lock, can do the trick? starting car and working remote..

[autoTkey]

Just use KEYDIY. It's cheap and saves a lot of time.

[vanders]

So with keydiy you get used remotes back to life ? and which type ? KD-X2 ?

[kosu]

FWIW I figured out how to decode this with a cheapo 10 quid RTL-SDR you can buy on Amazon
Using a program called rtl_433 available for linux/windows/mac:
rtl_433 -X 'n=peugeot,m=OOK_MC_ZEROBIT,s=252,l=476,r=916,y=12 04,preamble=1'
outputs values received over radio for each of the 3 fobs I have like so:
a5aa20f2760666f201618
7caad9c16c63a448cb2b8
c7aabfbb20c2922085e28

Without mihotd's code generator it isn't much use to me yet, but at least I've got a starting point now