Bsi Delphi el3
Key points
• Network: 2×HS-CAN, 1×LS-CAN, several LIN, K-Line (legacy).
• Supply: 12 V, sleep current < 25 mA; wake via CAN or 30 IGN line.
• Bench pins (typical D6 revision): +12 V = Pin 8, GND = 10, CAN-H = 6, CAN-L = 8 on the 16-way black header; IGN simulation by shorting blue-connector pins 32-33.
• Tools: PSA Diagbox/Lexia for coding; IM608/VVDI2/FVDI/SMOK/CarProg/UPA/Xprog for EEPROM.
• Always back up the original dump, use a stabilised 13.0-13.8 V supply, and respect legal/anti-theft regulations.
Hardware / architecture
• MCU: NXP SPC56AP54 (Power-Architecture e200z4, 120 MHz, ECC-flash) with secure boot.
• External memory: ST M95128 (128 kbit) or M95256 (256 kbit) SPI EEPROM; stores PIN, key list, tele-coding mirror, mileage counter.
• Transceivers: NXP TJA1042 HS-CAN, TJA1020 LIN, Melexis TLE series high-side switches.
• Power module: multiple low-RDS(on) MOSFETs plus 5 V/3.3 V DC/DC (TPS6538x family).
• Relays: electromechanical for wipers, heated rear screen, etc.
Functional domains
a. Gateway: routes UDS/KWP diagnostics between HS-CAN-1 (power-train) and LS-CAN-2 (body).
b. Security: immobiliser authentication with engine ECU via challenge-response (ISO 14229 extended-security).
c. Load control: PWM dimming for DRL/stop lamps, low-side drivers for indicators, high-side for door-lock actuators.
d. Power-mode management: three sleep levels (Stop0 ≈ 7 mA, Stop1 ≈ 17 mA, Stop2 ≈ 25 mA).
e. Data logger: event counters, low-voltage history, DTC storage.
Why PIN extraction is difficult
• From 2018-MY the four-digit PIN is AES-128 encrypted and delivered only after a seed-key exchange tied to the vehicle’s asymmetric secret stored in the MCU’s HSM (Hardware Security Module).
• Budget tools therefore fail unless an authorised key is already present (they reuse its rolling-code session).
• Reading the raw SPI EEPROM bypasses this because the clear PIN is still mirrored there (two copies, byte-swapped).
EEPROM reading / virginisation workflow
Step 1: bench-power BSI (see pinout below) or remove EEPROM.
Step 2: read full 16/32 kB dump with VVDI-Prog, TL866II-Plus, UPA-USB, or Xprog.
Step 3: save at least two backups.
Step 4: for PIN: search offsets 0x430–0x437 and 0x4F0–0x4F7, ASCII-hex reversed (e.g. “21 43” → PIN = 3412).
Step 5: for virginisation:
• clear VIN (offset 0x120–0x12F), clear key slots (0x260–0x29F), leave CRC areas intact, OR
• use forum-shared script matching exact SW ref (e.g. CEM00-D6-SW9651675080).
Step 6: write back, refit, personalise with Diagbox: VIN ➜ tele-code ➜ key-learning ➜ ECU pairing.
Common failures
• Low-battery flashing while updating → corrupt flash, non-start, no-comms; needs JTAG re-flash or clone.
• Water ingress near cabin-fuse area → corroded MOSFETs ➜ permanent lights or wiper.
• Relay fatigue (≥ 100 k cycles) → rear demister or main beam inoperative.
• LIN bus short → loss of mirror/heater control, sets B1003 fault “LIN bus short to GND”.
Pinout (most EL3‐D6 / D7 variants)
60-way BLUE plug:
32 IGN sense
33 IGN feedback (bridge 32-33 to simulate ON)
40 CAN-L (LS)
41 CAN-H (LS)
...
16-way BLACK header (bench favourite):
6 CAN-H (HS2)
8 CAN-L (HS2)
8 +12 V BATT
10 GND
Consult specific wiring diagrams; PSA sometimes swaps HS/LS nets between revisions.
• 2022-24 firmware revisions added Secure-CAN (ID-whitelisting + message MAC) between EL3 and Power-train ECUs, complicating cloning.
• Aptiv now supplies EL4 (MPC5777 MCU + encrypted QSPI flash) for the new STLA Small/Medium platforms – no public tool supports it yet.
• “Bench-mode” adapters (SMOK J-TAG2, Abrites ABRITES-PSA bench cable) allow UDS access out of the car; these require keeping the BCM awake with a 125 kbps keep-alive frame every 2 s.
• Market shift toward cloud-based tele-coding (Diagbox 9.9 + token) means local VIN/PIN injections will be phased out.
Analogy: Think of the BSI as the vehicle’s “motherboard + BIOS + TPM”. The MCU is the CPU, the EEPROM is the CMOS/NVRAM, and the immobiliser keys are stored like UEFI-TPM secrets. Any mismatch (e.g., wrong VIN) trips secure-boot and the engine ECU refuses start – similar to a PC that won’t boot after a corrupted BIOS checksum.
Example checksum pitfall: after editing the 0x260-0x29F key area you must update the 16-bit CRC at 0x2A0-0x2A1; otherwise the BSI enters “recovery” (continuous relay clicking, no bus activity).
• Immobiliser circumvention is regulated; in the EU it falls under Directive 2013/98/EU (anti-theft approval). Performing virginisation or key-addition on a vehicle that you do not own or without documented customer consent is illegal.
• Data protection (VIN, mileage) is personal data; GDPR requires secure handling and deletion of dumps after job completion.
• Many insurers void coverage if unauthorised ECU/BCM modifications are detected after theft or accident.
• Always inform customers that mileage or service data may be reset during BSI replacement and must be restored to avoid odometer fraud.
Preparation
– Stable 30 A lab PSU set to 13.5 V; battery buffer recommended.
– Anti-ESD strap, hot-air rework station with 280 °C max for EEPROM removal.
– Odissey or Lexia wiring diagram for exact variant (label e.g. 9830790580 D6-SW9651675080-HW9830406880).
Safe bench setup
– First power only +12 V & GND; verify sleep current (< 25 mA).
– Bridge IGN pins ➜ current rises to 180–220 mA; CAN frames appear (check with PCAN-USB).
– Keep CAN termination 60 Ω (two 120 Ω resistors).
EEPROM handling
– Clip reading: use Pomona SOIC-8 with LF shield; if ID read-fails > 3×, desolder.
– After writing, verify: read the EEPROM back and compare its MD5 hash with the original dump; the only differences should be the intended edits.
Post-installation
– Carry out full tele-coding via Diagbox: choose “download config from server” if internet available; if not, re-enter options manually (fog lights, rear sensors, tyre-pressure type…).
– Program all keys in one session; keys left out will be invalidated.
– Clear B1601/B1780 faults and perform voltage quality test.
• Information provided is for educational purposes; follow local legislation and OEM guidelines.
• Pinouts may vary; always verify against the physical label and wiring-diagram VIN range.
• New PSA firmware releases can block current aftermarket tools at any time – success cannot be guaranteed.
• Investigate SPC56xx/NXP HSM attack surfaces (side-channel, glitching) for academic security analysis.
• Evaluate CAN-FD migration in upcoming EL4/EL5 platforms and its impact on aftermarket diagnostics.
• Develop open-source checksum calculators for EL3 EEPROM to reduce dependence on forum dumps.
• Study ISO 21434 cybersecurity compliance for BCM/BSI replacement workflows.
The Delphi EL3 BSI is the nerve-centre of recent PSA/Stellantis cars, combining a secure MCU, encrypted EEPROM and extensive load-control hardware. Modern firmware virtually blocks OBD PIN reading; reliable service work therefore requires bench access to the 95128/95256 EEPROM, careful checksum handling, and subsequent tele-coding with dealer-level tools. Cloning or virginising without respecting security structures will brick the unit. All activities must respect anti-theft, safety and data-protection laws.