A BECM sync tool isn't something that this research would bring about immediately. That being said I am interested in how the Sync tool works and am pretty sure one could be produced for a much reduced price.

I'll look into it once I've finished this project.
 
Forgot to mention.

In layman's terms, this tool would allow you to take the information from your existing (and possibly faulty) BECM, back it up using the tool and then re-write it back into a spare (working) BECM.

It would also allow you to set the unlock bit of your BECM, allowing you to change all modifiable settings using 3rd party diagnostic tools.

As long as you can solder 5 wires with a bit of confidence and use a Torx screwdriver then it should be useable.
 
It would act as a sync tool as long as you used it before sync was lost to read the sync code from the BECM. You could then write it back to the BECM. Basically if the tool was cheap enough an owner should really buy it to back up their fully-functional BECM, allowing them to re-write settings in the event of the settings being lost due to a battery failure, but would also allow them to write settings to a replacement BECM.
 
I never looked at it that way. For some reason I always thought the Sync tools forced the EMS to recalibrate, i.e. the security code comms direction was BECM->EMS.

If it's EMC->BECM then yes, what Bladerunner919 describes should be possible.
 
That's good news :)

Even better news. I got the write functions working fine now so I have full control over the entire EEPROM. This is of course on a bench mounted MCU.

and ..



Prototype "Solderless" adaptor !

Seems to work fine with the pinout. All that's needed is to gently scrape, scrub or sand off the conformal coating and you're good to go. I used a scalpel and literally 2 or 3 scrapes makes it flake off to leave nice shiny chip legs.
 
Well, another day, another burnt finger :)

I got another few hours' work done and I'm pretty happy with the results. I've got a dead basic menu that has most of its functions working (just need to fix up the individual byte editing):



But the best result :



I GOT SOLDERLESS ONBOARD READ/WRITE WORKING !!!!

I'm going to get a handful of prototype PCBs spun to tidy things up a little (get rid of all the damn fly wires).

At this point I'm tentatively going to ask if anyone out there would like to be an early doors alpha tester. Preferably you would have a brave heart and a strong stomach OR just be plain crazy ;)

PMs are welcome if you think you can help in any way.
 
I suspect you'd need to look at making the comm work through the OBDII port for it to be a practical proposition for most people, rather than having to open up the BECM - do you think that's feasible?
 
Anything is feasible if the circumstance dictates.

I haven't disassembled the BECM MCU's code yet but I'm sure people have in the past and reached the conclusion that the only solution to fully unlocking the BECM is hardwiring.

Here's another option. Open the BECM once to install a DB9 port wired directly to the programming pins. Mount the socket so it's accessible externally without having to remove the seat again. Now you have a BECM that you can restore and reconfigure without having to rag it in and out every time.
 
Ahh .. sorry Bladerunner919.

For some reason (half asleep this morning after a night's soldering) I read your post as "Do you think it's feasible to expect people to open their BECMs" and not "Do you think it's feasible to do this work via the OBD port".

Unfortunately, as mentioned, this does (at the moment) need you to remove and open your BECM at least once to do the unlocking (of which we still need to find which bit/byte that is). At least you can get away without having to solder anything if you're handy enough.

Nothing more than the right Torx drivers, a small blade to do some scraping and a PC with a working USB port should suffice.

I guess what else is needed now is the time and tools to work out exactly what functions the bitmaps correspond to.
 
Is it a ..

"I've personally seen the disassembled source of the BECM and know for certain there are no bugs, loopholes, hidden vendor specific commands or buffer overflows, to the best of my knowledge" .. not possible.

Or is it a ..

"I've never seen anyone else do it so I don't think it can be done".. not possible.

I know I sit firmly in the camp of "everything can be done .. I've just not worked it out yet". Rick-the-Pick made a similar statement regarding this thread's project a couple of weeks ago and hasn't elaborated much since..

Take it all as a puzzle to solve and it makes for much more interesting pastimes .. maybe I'm just a glass half full kinda guy :)
 
Which is what page one of this thread said about the whole project. I'd say it's already gone beyond what was thought possible four pages ago. And even if it's not, the human race has only progressed through trying the impossible.
There is no external access to the lines needed to access the EEPROM, you have some magic answer to that?
While I'm suspicious of the project, I've not said what he's doing is impossible, I know it can be done as my Faultmate can do some of what is proposed with the SM035 module.
 
Access to the EEPROM in all instances is done by a proxy upload technique. A bootloader (in this case a SCI port bootloader) is uploaded to allow access to the EEPROM via the SCI port.

Regular diagnostic access can see part of the EEPROM if not all of it. This is bounds checked by the lock bit so as to not allow access to "sensitive" information. It may well be that this bounds check can be bypassed or subverted in some way to allow access to sensitive parts irrespective of the lockbit.

It's not magic and never will be. Like all magic it's methodically planned and investigated. Then it's usually just a bit of (in this case technical) sleight of hand :)

Ohh .. and please note I did say *may* well be possible. I'll always give these issues some clear investigation before pronouncing "I couldn't do it, because ..."
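
An added illustration of the lock-bit-gated bounds check discussed in the post above, written from the firmware side; it is not code from the BECM or from anyone in this thread. The EEPROM size, the protected-region address and the lock-bit position are all assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical layout, not taken from the BECM: the size and the position
 * of the protected region are assumptions made for this example. */
#define EEPROM_SIZE      512u
#define PROTECTED_START  0x1C0u   /* assumed start of the "sensitive" bytes */
#define LOCK_BIT         0x01u    /* assumed flag: set means locked */

static uint8_t eeprom[EEPROM_SIZE];   /* stand-in for the real device */

enum diag_status { DIAG_OK = 0, DIAG_BAD_RANGE = -1, DIAG_LOCKED = -2 };

/* Serve a diagnostic read of len bytes starting at addr into out.
 * The device-range test never computes addr + len in 16 bits, so a large
 * addr cannot wrap around to a small value, and the lock test looks at the
 * END of the request, so a read that starts in the open region but runs
 * into the protected one is refused while the lock bit is set. */
int diag_read(uint8_t lock_flags, uint16_t addr, uint16_t len,
              uint8_t *out, size_t out_cap)
{
    if (len == 0 || len > out_cap)
        return DIAG_BAD_RANGE;                 /* caller buffer too small */
    if (addr >= EEPROM_SIZE || len > EEPROM_SIZE - addr)
        return DIAG_BAD_RANGE;                 /* outside the device */
    if ((lock_flags & LOCK_BIT) && (uint32_t)addr + len > PROTECTED_START)
        return DIAG_LOCKED;                    /* touches protected bytes */
    memcpy(out, &eeprom[addr], len);
    return DIAG_OK;
}
```

A handler that compared only the start address against the protected boundary, or that summed address and length in a 16-bit variable, would pass requests this version rejects.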
 
Well you seem to know what you are talking about, keep at it:D
 
When I used to program the P38 BECM's, if I had one that was playing up afterwards, I often soldered "Fly" leads on to the relevant connections on the Logic board. I would then program it to suit my P38, fit and connect the Power board and install it into my car minus the lid. If there was a problem I could if needed, unplug the ribbon cables (As a precaution), connect my SM035 lead and read/edit the logic board data.
Later I built a test rig which enabled me to power the repaired/reprogrammed BECM up and test/reset all of the functions including the owners keyfob synchronisation and engine ECU handshake of the vehicle. I had a full BECM harness and all of the engine ecu's, keyfob transponder coil and transmitter etc. on the rig.
Fair play to Mr Sporty for having a go at this project, I wish him well. A few years ago, a guy by the name of Storey Wilson decided to put a lot of time and effort in trying to de-mystify the control systems on the P38 and a few people scoffed at the idea...How many people now take his EAS free software for granted and also use the New Range Rover software ???
Anything that makes access to the "Sewn up" diagnostics systems on the P38 deserves encouragement, if only for their dedication.:clap2:
One thing to remember though is that the electronics and particularly the components, which were the bees knees in their day, are now getting old and tired and this will result in a higher incidence of BECM problems as time goes by. There comes a time, I feel, that it will be uneconomical for cost reasons and non availability of parts (PCB's and some components) which will make the BECM end up in the bin. Land Rover are not getting new BECM's, they are putting factory refurbished items on the shelves instead - this supply source must dry up at some time in the future.
My feelings are that someone needs to be looking at a means of replacing the almost obsolete BECM with a much more robust and reliable system which uses today's technology at a reasonable cost...Now that would be a real dream come true for all you P38 owners out there.
:):amen:
 