MrSporty

Member
I'm currently working on a project to make P38 remote fob issues a bit easier to resolve. Something that would make my job easier would be to access the existing stored fob codes in the BECM.

I'm fully aware they cannot be read directly on a locked unit and that it's commonly known that BBS's SM035 is needed to unlock the BECM.

With all that clarified, does anyone have the type and/or maskset of the Motorola CPUs used in the BECM? As far as I know there are two types used and both can be unlocked via their BDM.

[image: mcu2.JPG]


Just in case you have an open BECM to hand but aren't exactly sure what the heck I'm on about, the above example MCU is a 68HC705, its mask set is 2D10J.


Thanks in advance.
 
Hehe, if I was interested in stealing cars, I'm not sure a P38 wouldn't exactly be top of my list. I already provide services for repairing/recutting P38 fobs and am simply expanding on that service.

I've got a BECM on the way from fleabay but would like to make a start on working out the BDM interfacing. I'm not asking for anything other than someone reading the numbers off the top of their existing MCU; there's nothing secret or special about that.
 
If you're trying to make generic key-fobs, this sounds like the wrong approach. What happens if you figure out the rolling code sequence, and then the info leaks out? You might not want to steal P38s but other people do and will try.

If you're looking to create an alternative to expensive LR RF Receivers, then you need a different approach. Clearly LR have figured out a software mechanism in the latest RF Receiver that works using any genuine P38 key-fob and filters the other RF crap out. This highlights some insight into the protocols used, and the ideal method to block weather stations etc. I know how to do it, but simply don't have the time.
 
The rolling code algorithm won't be an issue for me in the long term.

The thing I'm aiming to eventually provide to legitimate P38 owners is a way of ordering precut and precoded replacement fobs. As it stands, the only ways of doing this at the moment are to either order them from a dealer who uses the lockset barcode OR sniff the transmission of an existing fob and create replacement KEY3/4s from that. Both methods in my opinion are quite expensive and time consuming.

My initial research is to understand the method of unlocking BECMs. I would imagine at least a few owners would benefit from a cheap device, for example an easily obtainable Arduino, that could be used to unlock their BECM.

BTW this has nothing to do with existing or updated RF receivers.
 
There are devices and services already available to the public that can do both tasks I have mentioned, my ideas were to streamline them.

As it stands, the 2 existing ways that replacement remote fobs can be provided are:

1. Order from an approved/official dealer using the lockset barcode. The blade is cut from the profile in the official database. The FOB Code (which includes the Fob number) is pre-programmed (using a pogo pin jig onto the test pads under the fob's battery cover). On receipt of the fob it is then resynced using the standard procedure.

2. Order from an aftermarket service that provides replacement keys. A device is sent out to record the transmissions of a valid working fob, which are then returned to the company; from these recordings the company can calculate your existing fob's FOB code. They then provide a replacement aftermarket fob that they program with the same FOB code and a different Fob number (3 or 4 I assume). The blade is then cut and the fob resynced as above.

There are issues with these methods that I personally would like to address and that quite simply pique my interest. Unfortunately, acquiring a vehicle's FOB code without access to official databases requires either access to the BECM in an unlocked state OR access to a working fob (not something all owners have, hence the need for the above services).

My first step in this was to see if there would be a way of creating a simple device to unlock BECMs.

This is currently done using the Background Debugging Module on the BECM's MCU to rewrite the locked/unlocked byte (bit?). I could gain this information by using one of my Logic Analysers to monitor the process as it occurs using the currently available tool.

Or, I can do a little bit of background research and see if I can gain this info myself, hence the original post's question.

"Can't be done easily", "Can't be done cheaply" and "Can't be done" are, in my experience (and sincerely it's only my opinion), usually quite separate things.

Does anyone have a pic of the MCU?
 
Judging by the pinout and a quick sniff around the net, it appears that the MCU is possibly a MC68HC11KA4. It also appears that this MCU can be read by some popular device programmers.

I'll wait for my BECM to turn up and have at it with my tools. I'll report back any findings.
 
Considering Rick lives and breathes the P38A BeCMs I am inclined to sit on his side of the fence when he says it can't be done.

Best of luck and I do look forward to being stood corrected...
 
That's great news! I'm sure someone with an in-depth knowledge of BECMs can easily confirm the MCU type.

I'm still wondering if Rick meant a cheap BECM unlocker couldn't be done or if a working fob couldn't be created using the FOB code extracted from a BECM dump?

Either way I'll have fun discovering if it is indeed possible.
 
I'm quite sure it can be done if you have the correct kit and contacts. For security reasons, some of these chips cannot even be purchased unless you are a manufacturer of vehicles or other kit that may use them.
 
Luckily these older MCUs are quite well documented.

Freescale (who took over Motorola) are good enough to host datasheets that describe the Bootstrap Modes in detail. This is the mode that is used to login and read/write the internal EEPROM, the key part of unlocking the BECM.

Another nice side effect of working this out might be to produce a tool that effectively can "backup" and "restore" from one BECM to another, regardless of its locked status.
 
Yes, anything is possible, but the economic side needs seriously looking at.

We're still not sure of what you're trying to achieve, & why?

We have 100s of MCUs, & plenty of readers to access them.
I can't understand what you're trying to do here or what you're trying to improve?
 
Re-reading your post.

I cut lots of keys, I have laser cutters, in fact one of my skill sets is a Non destructive locksmith. A typical 2012 Porsche Boxster takes me approx 15 seconds to open up, hence my name Rick-the-Pick. I don't use slide bars, or wedges, I pick the lock. The system these range rovers use works fine, & the complexity of the system will lock you out even if it sniffs a breach. It's designed to do this. You need to get past the 2 x cat 1 alarm systems built in. This cannot be removed or altered either.
The best solution is to keep your range rover in good condition. If things do fail, masking the problem with another problem clearly doesn't help. You also need to inform the insurance companies of any changes to these vehicles security & that includes a sub keyfob system.
These range rovers had to have this specific security/fob system fitted before the underwriters would offer insurance. In theory, what you wish to do would render insurance invalid, & therefore illegal.
 
I too cut and program keys for a range of vehicles but repairing and re-engineering remote fobs is my main interest.

This all came about as I keep getting asked by my customers if I can provide spare P38 keys, usually in the situation where they have a single working key and they can't afford either a dealership replacement or the time without their vehicle to get one duplicated (if you can find dealerships who will!).

I think quite a few owners do try to keep their P38 vehicles in good condition but are also aware that P38 fobs are very badly engineered. The battery covers may as well be glued in place, the buttons frequently fail and the number of MCU timing crystals I've had to reattach due to poor factory reflow soldering is beyond belief.

So, with that in mind, I've set about investigating a cost-effective and reliable way of providing spare keys to owners. As you rightly highlighted, an obvious goal would be to keep the entire existing security system intact and functional (and therefore 100% legal!). I believe this can be done, and the first step in my personal research into this was the main reason for this initial post.

If it helps even one P38 owner to keep their vehicle up, running and fully road legal then I'll be more than happy.
 
It's not that difficult to do what you envisage as far as I can see; if you can read the rolling code and fixed code from the FOB it's easy enough to duplicate and indeed modify the FOB number. I do not see why you need to access the BECM to do this, which makes me a little suspicious of your motives.
Dealers cannot duplicate FOBs; they can only supply new ones from the makers HUFF in Germany.
 
In order to make a compatible replacement fob, you need to know the FOB code.

As I mentioned in a previous post there are only 3 ways of getting this code.

1. Official dealers.
2. Unrolling and decoding an existing fob's transmission.
3. Extracting from the BECM.

I'm looking at BECM access because it puts the ability all in the hands of the owner. It needs neither an expensive dealership trip nor any additional delays in sending recording devices back and forth.

It would also allow users who find themselves in the situation where the only fob that came with the vehicle suddenly ups and dies (an occurrence that is sadly becoming more and more frequent given the age of these vehicles).

The only hiccup so far is that the FOB code cannot be extracted directly from a locked BECM via OBD. If it could, I'd have no need to access the BECM directly; I'd be coding an OBD dongle to read the code for me.

I envisage this first hiccup could be solved using a simple push-fit adaptor that sits over the BECM MCU. It could perform a standalone lock/unlock function as well as possibly displaying useful information such as the FOB code or EKA. It would basically be a cut-down standalone version of the Faultmate+SM035.

I wouldn't question anyone wanting to keep their vehicle and property safe which is why my proposed method would keep all actions in the hands of the owner AND maintain the integrity of the existing security systems.
 
Easier just to take the code from the FOB.
I do not like the idea of making the info accessible.
 
Unfortunately extracting the code from a non working fob wouldn't be possible.

Just as an OT bump, can anyone confirm the markings of their BECM controller chip?
 