BTW, literally as I was typing I received this as a message from a potential customer:

I believe I have asked you this before, but forgive me for trying again: I'm based in Denmark - is there any possibility at all that I can persuade you to refurbish my Range Rover P38 key FOB even though you normally only ship within the UK?
I'm now in real trouble since my other key FOB doesn't work properly either. I am fully prepared to pay for the extra inconvenience to you, or alternatively to arrange shipment via DHL myself.

I'd love to be able to request a simple picture of that guy's key blade and then ship him 2 brand new compatible fobs and the necessary kit so he wouldn't have to mess about shipping things across Europe just to get his Rangie running!
 
Judging by the pinout and a quick sniff around the net, it appears that the MCU is possibly an MC68HC11KA4. It also appears that this MCU can be read by some popular device programmers.

I'll wait for my BECM to turn up and have at it with my tools. I'll report back any findings.

I used to write a lot of Motorola 68K assembler - happy days!
 
In theory, what you wish to do would render insurance invalid, and therefore illegal.

To be fair, you'd render the theft part of your insurance invalid - the 3rd party bit covers you, not the car, and cannot be invalidated whatever small print the insurance company writes on the document.
 
Thanks for the positive input Steve, done a bit of 68k in my Amiga days so it might be fun if I have to write some bootloader code :)

I'm not sure if any part of what I intend to do would render anything invalid. Apparently there are P38s shipped from the factory with the BECM unlocked. That, combined with the fact that I wouldn't be permanently disabling or modifying any part of the security system, should be fine.

If that rendered it illegal, then having spare keys made for ANY vehicle by a third party other than the official dealer would be the same.
 
Started with the GST 68K Assembler toolkit on the Sinclair QL (still got it to this very day - and it's still working) - ended up writing code for automotive ECUs for a large US car manufacturer, most of which was 68K Motorola.
 
I've been rebuilding them for £29.99 for years but as stated this isn't about existing fobs or the cost of anyone's current services.

The current P38 fob, in any of its 3 revisions, is over-engineered. The battery compartment/terminals are the most serious design flaw.

All a re-engineered fob really needs is a PCB with a SAW-based transmitter, MCU, LED, 2 buttons and the necessary coil and supporting passives to allow for the more recent active disarm function. The battery should be on a PCB-mount holder; that way they could be housed in the currently available aftermarket fob housings (the ones with no logo, to stay 100% legal of course) and the existing battery cover would be just that, a cover.

As a mock-up I was thinking like this:

 
Hurray, my BECM turned up from Fleabay. A quick whizz round it with the T10 Torx and out she popped!



Turns out it's a Motorola MC68HC11KS2 (Mask 1E59B).

Funny thing is, a quick look at it shows some curious solder deposits on some familiar parts. That's right, it's already been unlocked at some point in its past!

Now to get it hooked up to a programmer and see what we can see.
 
Well, setbacks and progress in equal measures today.

I hooked up one of my programmers that I know can read these devices to the relevant pads on the PCB and it wouldn't read. I kept getting a "device silent" message and, after checking the pins with a logic analyser, I could see the programmer trying to upload the boot code but no response from the chip.

So, off with its head!



The conformal coating on these PCBs (designed to keep the moisture at bay) is horrific stuff: it turns into toffee at the slightest application of heat or acetone!

As you can see I also removed the chip's crystal (to the left of the chip) as this is needed when reading/writing to them.

With the chip off the board I rigged it (and its 12 MHz crystal) up to my programmer:



.. hit READ .. and ...



Yay! We have hex code :)

I also started to disassemble the bootloader code that is sent by my programmer and I'm glad to say it looks VERY simple. Here's a snippet from the start of it (it's enabling access to the EEPROM and setting the serial port of the chip to the correct speed):

RAM:0080 ldaa #0
RAM:0082 staa BPROT ; Block Protect Register - all bits clear, so EEPROM/CONFIG writes are allowed
RAM:0085 lds #$1FF ; initial stack pointer
RAM:0088 ldx #0 ; index register cleared before use
RAM:008B ldaa #0
RAM:008D staa SCBDH ; SCI Baud Rate Control Register High
RAM:0090 ldaa #$1A
RAM:0092 staa SCBDL ; SCI Baud Rate Control Register Low - together with SCBDH this sets the SCI divider

I can only conclude that my programmer for some reason cannot supply enough power to the board to keep the chip running, OR one or more of the relevant lines needs pulling up or down with a resistor. Either way, I've got another sacrificial BECM coming in the post and this one has a matched key with it!
 
Replacement BeCM hasn't arrived yet but I am making pretty good progress porting the bootloader code to an Arduino Uno.

The current code uses pretty non-standard baud rates (14300 and 17900). Luckily I found a software serial library that lets me set non-standard bauds.
 
Is there a version of these posts in English by any chance? :confused::D
 
Hehe, I know what you mean .. it can get a bit bogged down with the technical stuff at times. I like to include as much info as possible so that other people with the same inclination can have a try themselves.

In plain English, the end result will hopefully be a readily available circuit board you can buy off eBay for a tenner that can be used to read/write and unlock a BeCM with just a little bit of soldering.

.. Oh and it should be a little bit cheaper than other alternatives :)
 
Ah I see, I must lean the other way.:D:D
 
Another quick update.

Did a bit more work on the bootloader code this weekend. First I got the MCU wired up to a very popular and easily accessible dev tool: an Arduino Uno! I also hooked up a logic analyser to see what was happening with regard to the bit timings.



I used my programmer to write an identifiable string to the first 8 bytes of the MCU's EEPROM. Then, using the Arduino and some really kludgy code, I pushed the bootloader to the MCU and then sniffed the data coming out:



Yay! DEADBEEFG00DF00D ... mmm, think a celebration burger is in order.

Now .. onto the Write routines...
 
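The exchange the last few posts describe (push a small program into the 68HC11 over its bootstrap serial port, check that every byte is echoed back, then read the EEPROM dump the uploaded code streams out and look for the marker written earlier) as an added, host-side model. This is example code, not the thread author's Arduino sketch or programmer firmware. The documented 68HC11 bootstrap behaviour it relies on is that the ROM loader waits for a $FF byte on the SCI, then stores and echoes each following byte into on-chip RAM and jumps to it. Everything else is an assumption and labelled as such in the code: the RAM load address, the fixed 256-byte upload window, that the $FF itself is not echoed, the dump framing the uploaded program uses, and the constructed EEPROM image with its 8-byte marker.

```python
"""Host-side model of a 68HC11 bootstrap upload followed by an EEPROM read-back.

Added example for this thread, not the author's code. Documented behaviour used:
the bootstrap ROM waits for $FF on the SCI, then stores and echoes every byte it
receives into RAM, then jumps to the loaded code. Assumptions (not in the thread):
RAM load address, a fixed upload length, the $FF not being echoed, and the
dump framing emitted by the uploaded program.
"""
from collections import deque
from dataclasses import dataclass, field

SYNC = 0xFF        # sync byte the bootstrap ROM waits for (documented 68HC11 behaviour)
RAM_BASE = 0x0080  # ASSUMED load address; matches the RAM:0080 origin seen in the disassembly
UPLOAD_LEN = 256   # ASSUMED upload window after which the ROM loader jumps to RAM_BASE

# Constructed sample data: first two instructions of the posted snippet, hand-encoded
# (ldaa #0 = 86 00, lds #$1FF = 8E 01 FF); the real dumper is much longer.
DUMPER = bytes.fromhex("86008e01ff")
# Constructed 8-byte marker (stand-in for the "identifiable string" in the thread).
MARKER = bytes.fromhex("DEADBEEF600DF00D")
EEPROM_IMAGE = MARKER + bytes(range(0x10, 0x28))   # constructed 32-byte EEPROM image


class DeviceSilent(Exception):
    """No echo for an uploaded byte: unpowered, held in reset, or wrong mode/baud."""


@dataclass
class MockHC11:
    """MCU side: acts as the bootstrap ROM until the upload completes, then as the dumper."""
    eeprom: bytes
    powered: bool = True
    ram: bytearray = field(default_factory=lambda: bytearray(UPLOAD_LEN))
    synced: bool = False
    loaded: int = 0
    tx: deque = field(default_factory=deque)   # bytes the MCU has sent towards the host

    def rx(self, b: int) -> None:
        """The host wrote one byte to the MCU's SCI receive line."""
        if not self.powered:
            return                             # nothing stored, nothing echoed
        if not self.synced:
            self.synced = (b == SYNC)          # ASSUMED: sync byte consumed, not echoed
            return
        if self.loaded < UPLOAD_LEN:
            self.ram[self.loaded] = b
            self.loaded += 1
            self.tx.append(b)                  # the echo is how the host knows it landed
            if self.loaded == UPLOAD_LEN:
                self._run_uploaded()

    def _run_uploaded(self) -> None:
        """Stand-in for the jump to RAM_BASE: the uploaded code streams EEPROM out.
        ASSUMED framing: 0xAA header, 16-bit big-endian length, then the bytes."""
        self.tx.append(0xAA)
        self.tx.extend(len(self.eeprom).to_bytes(2, "big"))
        self.tx.extend(self.eeprom)


def upload(mcu: MockHC11, program: bytes) -> None:
    """Send SYNC, then the program, verifying each echo (the 'device silent' check)."""
    if len(program) > UPLOAD_LEN:
        raise ValueError("program does not fit the bootstrap upload window")
    padded = program.ljust(UPLOAD_LEN, b"\x00")   # ASSUMED fixed-length upload
    mcu.rx(SYNC)
    for i, b in enumerate(padded):
        mcu.rx(b)
        if not mcu.tx:
            raise DeviceSilent(f"no echo for byte {i} (0x{b:02X})")
        echo = mcu.tx.popleft()
        if echo != b:
            raise DeviceSilent(f"byte {i}: sent 0x{b:02X}, echoed 0x{echo:02X}")


def read_dump(mcu: MockHC11) -> bytes:
    """Parse the dump stream the uploaded program emits after the jump."""
    if not mcu.tx or mcu.tx.popleft() != 0xAA:
        raise DeviceSilent("no dump header received after upload")
    length = int.from_bytes(bytes((mcu.tx.popleft(), mcu.tx.popleft())), "big")
    return bytes(mcu.tx.popleft() for _ in range(length))


def verify_marker(dump: bytes, marker: bytes) -> bool:
    """True when the EEPROM dump starts with the marker written earlier."""
    return dump[: len(marker)] == marker


def demo() -> bytes:
    """Full exchange against the mock: upload, then read the EEPROM back."""
    mcu = MockHC11(eeprom=EEPROM_IMAGE)
    upload(mcu, DUMPER)
    return read_dump(mcu)


if __name__ == "__main__":
    dump = demo()
    print(dump.hex().upper())
    print("marker found" if verify_marker(dump, MARKER) else "marker missing")
```

Swapping MockHC11 for a real serial link means replacing rx() with a write and the tx deque with a timed read; the useful part to keep is the per-byte echo check, which turns the programmer's opaque "device silent" into "no echo at byte N", and that, together with a logic-analyser capture, tells you whether the chip is dead, unpowered, or simply at the wrong baud.
 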
That info includes the fob codes, sync codes, all general settings and, importantly, the lock bit, using a PCB that is simple, cheap (£10!) and easily available on eBay or Amazon.
 
In layman's terms, what are the implications or, more importantly, applications? :)