P38A trying to contact CALLROVA

This site contains affiliate links for which LandyZone may be compensated if you make a purchase.
Other than CallRova has anyone reverse engineered these?
Is CallRova a chap in Brighton?

Depends on what you mean by reverse engineering...

I've got the equipment to unlock BECMs from an alarmed state, and also unlock them to allow changing of data like the VIN/mileage etc. I've recently figured out where all the vehicle identity data is stored in the BECM EEPROM chip (VIN, EKA, Locked Status, Date of Build, EMS code, Mileage and key FOB codes) and in what format it is stored. A couple of weeks ago I also managed to work out how the vehicle specification data is stored, and again what format is used.

With some help from another member on here I now also know some more of the basics of how the key fob transmits, and what is transmits - and am hoping to be able to have access to a tester which will read a key fob transmission, tell you what button has been pressed, and what the hardware ID of the key is - so that could then be checked against what the BECM has stored, which would save having to get lockset barcode numbers and translate them into the fob codes.

Recently have also mapped out most of the main components on both the power an logic boards, and managed to make a couple of component repairs on the logic boards, but unlike callrova (they also have far more advanced test gear I would imagine!) I do it as a hobby as I enjoy working on P38's and electronics... and having a stack of BECM's in the garage in various conditions means that if I've got one which is already faulty and no use, then it's not a big issue if I can't fix it, but is good to learn on! I also have a 'real' job which usually involves a fair bit of travelling, so I'm never home long enough it seems to be able get stuck into much, though will hopefully be able to work on some new P38 projects over summer.

I am also slowly working on making myself a bench test rig for all the inputs/outputs to the BECM - but as you can imagine, it's a bit of a minefield as the BECM controls so much!
 
Well done Marty!
That is exactly what I mean by reverse engineering!

I have spent the last year doing the same to Porsche alarm control units in current model Porsche cars. It is a bit of a pointless and thankless task in some ways.. I already have the Porsche kit to reprogram them, so it has no monetary motive, and I can't help others by publishing how to decrypt the megamos security, partly because Megamos VW and Porsche have already sued a couple of students for doing just that as part of their dissertation, but also because it would make every Porsche out there less secure! So although I have spent a year doing it without thinking too much about why I have been doing it, the only reason I can think of why I did it was for the thrill of being me versus the software and electrical engineers who designed it not to be cracked.. And because I do love a good tinkering session!

Have you figured out how to knock out the diesel engine management computer from waiting for an immobiliser code? (which I presume it does?).. I would be a lot happier if I could get this gone from my BECM and from the engine management, as my lack of faith in the BECM is the one thing which knocks my confidence in my P38.. I would rather have the immobiliser gone from the BECM and fit something like a Toad cat-1 alarm and immobiliser to it for the immobiliser and remote locking functions.

What are your motives? Just tinkering? A business idea, or are you thinking of posting a common electrical faults and how to fix them guide?

When you get a new key from LandRover, does it come with a barcode with digits they program in with their computer to the BECM to code the key, or do they put it into a learning mode and then just use the key?
 
Thanks guys... It's always nice to meet other P38 owners in person!

I just really do it because I enjoy tinkering... I've done BECM unlocking for a number of owners now where their BECM has gone into an alarmed mode - I even had one sent to me from NZ for unlocking at the local dealers over there wanted the owner to pay silly money for them to basically swap parts about to try and fix the problem. The fact that these vehicles are getting older, and a lot of independant LR garages don't know a lot about the electrical side of them intrigued me, and kinda wanted to know what all the fuss was about and why they were always regarded so badly by garages, when they aren't actually that difficult to work on and it's kind of just grown from there. The BECM stuff is more because it seems to get commonly blamed for a lot of problems and silly amounts quoted to fix/replace it. In my experiences a lot of problems (not all, but a fair chunk of them) are actually due to external influences (broken wire, dodgy switch - door latch microswitch failure etc) that have either caused the BECM to go into an alarmed state and flatly refuse to do anything, or the external input is confusing it and causing strange things to happen. Granted, they do occasionally actually fail too!

Well done Marty!
That is exactly what I mean by reverse engineering!

I have spent the last year doing the same to Porsche alarm control units in current model Porsche cars. It is a bit of a pointless and thankless task in some ways.. I already have the Porsche kit to reprogram them, so it has no monetary motive, and I can't help others by publishing how to decrypt the megamos security, partly because Megamos VW and Porsche have already sued a couple of students for doing just that as part of their dissertation, but also because it would make every Porsche out there less secure! So although I have spent a year doing it without thinking too much about why I have been doing it, the only reason I can think of why I did it was for the thrill of being me versus the software and electrical engineers who designed it not to be cracked.. And because I do love a good tinkering session!

Have you figured out how to knock out the diesel engine management computer from waiting for an immobiliser code? (which I presume it does?).. I would be a lot happier if I could get this gone from my BECM and from the engine management, as my lack of faith in the BECM is the one thing which knocks my confidence in my P38.. I would rather have the immobiliser gone from the BECM and fit something like a Toad cat-1 alarm and immobiliser to it for the immobiliser and remote locking functions.

What are your motives? Just tinkering? A business idea, or are you thinking of posting a common electrical faults and how to fix them guide?

When you get a new key from LandRover, does it come with a barcode with digits they program in with their computer to the BECM to code the key, or do they put it into a learning mode and then just use the key?

Very interesting what you say about the Porsche system - I've been looking into some of the P38 key fob transmissions and trying to figure out how it 'encrypts' the transmission, then be able to 'decrypt' it to check the fob identity and the likes as I get a lot of people ask me if I am able to tell them what key # they have, which a tester would be able to do. I have an idea thanks to another member about roughly how it does the sending of information, but without knowing the exact details on how it does it, I'm pretty much dead in the water on that. I am hoping to collaborate on some BECM bits and as I mentioned above - try and get a key fob tester made so that I can then be able to check key identities against what is stored in the BECM if I have on the bench to then be able to identify the fob and if it should actually work with the vehicle.

The diesel immobiliser code is only sent by the BECM when the vehicle is unlocked and disarmed. I have read of ways of being able to turn that off in the diesel ECU, so that it doesn't require an immobiliser code to be sent - but that is done in one of the EEPROMs in the DDE ECU rather than at the BECM end. It might be something I will look into at some point, as I have a couple of spare DDE ECU's around somewhere!

When a new key comes from Land Rover, it is pre programmed at the factory and is programmed to the lockset barcode which they have on file against the vehicle VIN number. When it arrives, all that needs to happen is to sync the key to the vehicle and it will work. Some people have found out after buying a new key that it doesn't work because the BECM has been changed (and thus is programmed to a different lockset). The lockset barcode sadly doesn't come with the new key fob - but it is usually obtainable direct from Land Rover as it is noted on their database with the rest of the vehicle details. If that is obtained, then it can be sent to BBS to be translated into the fob codes which are stored in the BECM - so you can reprogram a lockset to the vehicle if needed. though you can't use say a key 1 from one lockset and a key 2 from another - all keys have to be from the same lockset to work with the vehicle.

My motives... pretty much just tinkering - I'm a self-confessed P38 enthusiast, and love them for some reason! I like the idea of being able to help owners keep them on the road at a reasonable cost and hope I can offer more of a detailed/specialist P38 service to people who have been told by a local garage that it's going to be silly money to fix, when it is really a simple problem! It's not really a business idea - I do it as a hobby outside of my real job, and any money I do make usually goes into acquiring more bits, or a bit towards the maintenance of my own P38. Other than BECM bits I refurbish door latches, repair window switchpacks, refurbish EAS compressors (well the occasional one as there are loads of places that do EAS bits!), and have a repair for the dead HEVAC LCD pixels. I'm also thinking of offering a HEVAC overhaul service which includes the LCD Pixel repair, upgrade of the screen backlight to LED, and an option to do it as white LED aswell. I also have done LED dash/switch conversions and other projects which are in the pipeline are a replacement for the commonly faulty DSP amplifier using the older and more robust individual door amplifiers, and also have been working on a replacement for the EAS driver pack. I also want to work on modifying a BECM power board to then be able to use LED lamps in all the indicators/brake lamps etc without generating a warning error - but that's a bit further off!

I have already done a number of writeups on various electrical bits, most of which are posted on Rangerovers.net (my username there is marty_nz if you want to have a look). Previous writeups include door latch microswitch tests, how to repair dodgy window switches, wiring pinouts for the DSP system all collated and described for functions in a spreadsheet, a writeup on LED conversions for the instrument cluster and dash switches, and one on my upgrade of the factory navigation system to a 7" touchscreen unit, which I've tried to make look as 'factory' fitted as possible.

I don't think any of it is ever going to become a fully fledged business, but it's nice to have 'on the side' and keeps me out of trouble when I am at home.... anything extra I make doing it this year is going to be going into restoring a couple of other P38's I bought last year - as they were 'spares or repair' but far too nice (in my mind) to scrap... An 'R' reg with 83K and an 'X' reg Vogue with 89K. They both need a LOT of work, but I like a challenge! Nothing much is going to be happening project wise for the next couple of months as I'm away a lot with work, and don't have a lot of spare time to work on anything P38 related until the end of June now - so I'll just have an online presence until then, and hopefully over summer can get my DSP replacement project tested (it's built already)

Marty
 
Resurrecting a very old thread I know (just used the search function for Rick the Pick), but was wondering if he's still up and running. I am out of the country atm, but was hoping to bring my P38 BECM back with me on my return to the U.K. for him to de-programme all the "Keycode lockout/Engine immobilised" b/s on it (and add the fog light capability) as he did on my English one?
Many thanks
 
Yes, he's still going. Or Marty is near Swindon if that is closer. Marty cloned a BECM for me.

Thanks for that Grrrrr, Just West of Brighton is a fair bit closer to me. I had a nice drive out there last time and had a coffee in a quaint little cafe while Rick worked his magic on his "while you wait" service, then I brought it home with me. Happy!
I, admittedly naively, originally had the RR towed to the nearest dealership, where they proceeded to "carry out a BECM check" (£110 !!) before writing my car off (telling me it needed a whole new BECM, so was uneconomical to repair) ! They also told me that the original "fault"y one was from a scrapped French P38. What??!!
 
Thanks for that Grrrrr, Just West of Brighton is a fair bit closer to me. I had a nice drive out there last time and had a coffee in a quaint little cafe while Rick worked his magic on his "while you wait" service, then I brought it home with me. Happy!
I, admittedly naively, originally had the RR towed to the nearest dealership, where they proceeded to "carry out a BECM check" (£110 !!) before writing my car off (telling me it needed a whole new BECM, so was uneconomical to repair) ! They also told me that the original "fault"y one was from a scrapped French P38. What??!!

Goes french in lockdown. They were talking crap. If Rick is nearby you are in luck!
 
Back
Top