logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

[Solved] BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F

glapsson 132801 291
ADVERTISEMENT
Treść została przetłumaczona polish » english Zobacz oryginalną wersję tematu
| New topic
  • #211 19768835
    kamyczek
    Level 38  
    No exaggeration, who would want to do a commercial project on arduino, other than to have some commercial quality, still has a little more water. It should be treated rather as a curiosity and toy for an amateur who rummages around in his dog and derivatives in the garage. In my opinion, this is an educational topic. A friend just had a little fun and shared what he thought, the program makes it available for free, and because it is based on a universal project on arduino with a can available for free, which anyone can assemble by themselves buying manels literally anywhere, it's hard to talk about some kind of commercial here.
  • ADVERTISEMENT
  • #212 19769266
    glapsson
    Electronics specialist
    bbmax wrote:
    Hmm, it can be interpreted differently only how can you sell something that was programmed from github? How many people, so many interpretations, there will be, but either continues with the github license or goes to a closed soucecode, unless I don't know myself.


    Then download and write - you'll have it for free.

    Added after 9 [minutes]:

    Of course he treats it as a hobby and I didn't even think about commercialism.

    And Arduino for amateurs like me - it's a pretty cool educational base.

    I can only add that I was able to emulate the ECU on arduino and thus programmatically communicate with other devices.
    This made it possible to trace IMMO data transfer communications
    And thus to investigate the PIN encoding algorithm in the CAN PSA network.
    Build a virtual emulator - and probably reading the PIN from the ECU.

    And it's only on a toy called ARDUINO.
  • ADVERTISEMENT
  • #213 19771963
    NiNo1803
    Level 2  
    Hi everyone,
    great job that I follow with great interest.
    I tried to type in 741: 641 with the A8EE key, but it doesn't work. have you ever managed to write?
    sorry for mistakes, this is a translation ?
  • #214 19772547
    glapsson
    Electronics specialist
    Here's how immo emulation on an Arduino works.
    I did some work on the algorithm but it worked.

    In preparation, reading PIN - we will see - I have some ideas - I wonder how they will work.

    [movie: 03c0cd6e5e] https://filmy.elektroda.pl/11_1639950825.mp4 [/ movie: 03c0cd6e5e]

    I am after trying to read the PIN from the engine controller:
    First, I performed the tests on the EDC17C60 because I knew the PIN
    And then on VD56.1

    The tests were successful - the PIN was successfully read

    I HAVE 3 ideas how to do it

    1 - FIRST IDEA - effective

    Querying the ECU for all PIN codes

    Already tested on the purchased VD56.1 - I did not know the pin of this ECU before.

    Time consuming

    The number of different PIN codes is 34 ^ 4
    34 because we have so many characters available 0-9 A- Z (excluding o, and) capital letters.

    ^ 4 because we have 4 PIN code fields

    the number of combinations is therefore: 1,336,336

    The method of polling (ARDUINO) gives the possibility to perform 4 queries per second
    And receiving 4 answers and information confirming unlocking or not unlocking.

    The time-based loop runs look like this:


    .......... 92h 45` .................. 163`45`` ............ 4` 48`` .......... 8.5``
    ... ok (3 days 20h 40min) ....... ok (2h 45min) ........ ok 5 min ......... approx 9 sec
    ............... X .............................. X ... .................... X ...................... X

    Assuming that our PIN code is: ZZZZ
    You have to be patient (it is not a very efficient method).

    But it's not that bad - this is how this type of encryption and polling is not super perfect (similar to SEED and SEED KEY) - I've already described it before.

    - I got the first working random pairs after 5 minutes and the next two after an hour.

    This suggests a slightly different sampling algorithm
    (IDEA # 2).

    I think getting a PIN code should take 15 minutes to 30 minutes
    and at worst 2-3 hours

    And that's acceptable for my needs.
    I will test.
  • ADVERTISEMENT
  • #215 19774514
    NiNo1803
    Level 2  
    glapsson wrote:
    And lest it be that I deviate from the topic of BSI - it is still closely related to bsi because these devices appear as a pair.

    I have access to 3 modules:

    1 - In the car - so far I haven't been looking for anything except coding and connecting the handle, no reaction

    2 - light module, the same number as in the car, but has unlocked access and reacts to the handle on the table

    3 - full module that I read but after uploading it does not respond in the CAN network (feel and program) - when it worked, it also responded to the handle because it also had unlocked access.



    No additional antenna is needed
    CAN power supply and the door handle and talking on the table.

    BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F

    I have a module with the same numbers in the car, but the software has a different number

    I had a full module - i.e. with bt, but attempts to clean vin ended with the fact that despite the fact that it is read and programmed - even with the original - the processor gives an ID
    This module does not talk in the CAN network

    I have a second light, the same number as in the car, but as I already wrote, it has unlocked access and as you can see - only the handle is connected and talks.

    as for the charge

    in the full module it is identical to the PCB as in the light - only the bt section is missing (there are several dozen elements - empty solder pads)

    In the full module there is an RH850 processor that can be read and programmed ... but I beat it somehow

    BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F

    and in the light module, the markings on the prock are encrypted (mask?) - and can not be read - it does not even reflect the ID

    BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F

    I warn you - upa read but after uploading ... silence in CAN.

    CRC is also to be counted

    BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F

    I don't know where the PIN is (it's encrypted)

    Of course, it does not do anything as there is no 100% programmer for reading and uploading - unless someone has tested it with a programmer.

    and more ripples

    KEY CODING - A8EE

    CAN

    BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F


    hi can you tell me what you coded because when i encode mine with arduino i get error message: 7F2E7F

    @glapsson @bbmax
    do you have any idea to help me?

    Thank you
  • #216 19785560
    glapsson
    Electronics specialist
    Reading the PIN on the table is possible.
    In total, I did it even in 15 minutes, but in three different stages - I have to stick it in one program now.

    Coding while emulating with the PIN code of the engine controller is 100% possible.
  • #217 19787731
    glapsson
    Electronics specialist
    melas wrote:
    Hello, if you had a problem with the pin, I have SMOK bsi + pin, I can fix it, no problem, I would have to have an ecu at home because only older from the file. Regards


    Thanks a lot-BUT
    I wrote my own program to extract the PIN from the new ECU.
    Regards.
  • #218 19787739
    melas
    Level 31  
    Well, congratulations to my friend remains only. I'm trying to get a new ECU, this MD1 .... From new diesels. This I would send to you for testing. Regards
  • #219 19787878
    glapsson
    Electronics specialist
    Great ... I will contact PW as I pick up topics because a lot of started ...
    And I have to sort this out a bit ....
    CMM VD56.1 coding mastered.
  • #220 19788191
    melas
    Level 31  
    Well, congratulations to my friend remains only. I'm trying to get a new ECU, this MD1 .... From new diesels. This I would send to you for testing. Regards

    Added after 1 [minutes]:

    And you want VD46.1 because I have a loose one ?.
  • #221 19796253
    drago
    Level 20  
    Offtop: The guys from France worked out ESP with scirocco without arduino
  • ADVERTISEMENT
  • #222 19797155
    bbmax
    Level 15  
    drago wrote:
    Offtop: The guys from France worked out ESP with scirocco without arduino


    I threw it because Ruski boasted that he did and wanted some incredible money for it :) I gave it for free for the new year ...
  • #223 19797270
    drago
    Level 20  
    bbmax wrote:
    drago wrote:
    Offtop: The guys from France worked out ESP with a scirocco without arduino


    I threw it because Ruski boasted that he did and wanted some incredible money for it :) I gave it for free for the new year ...


    Well, respect, I didn't know it was you :) , I saw this topic in the Ruthenian, and you know how to make it show the speed limits on the scirocco?
  • #224 19797698
    bbmax
    Level 15  
    drago wrote:
    bbmax wrote:
    drago wrote:
    Offtop: The guys from France worked out ESP with a scirocco without arduino


    I threw it because Ruski boasted that he did and wanted some incredible money for it :) I gave it for free for the new year ...


    Well, respect, I didn't know it was you :) , I saw this topic in a Russian, and you know how to make it show speed limits on a scirocco?


    Will be :) in development for now, but a camera emulator will be needed, unless I missed something in calibrations, but I have to check it. Without the camera on the glass, it does not send the frame that is responsible for displaying on Cirocco, despite the configu that it has a brother with Navi only.
  • #225 19810890
    drago
    Level 20  
    @glapsson something moved in the topic?
  • #226 19810951
    glapsson
    Electronics specialist
    It started
    it all adds up ... a few more tests.
    I ran it all a little differently.

    Earlier, I have already written applications to extract the PIN from the ECU of the keybases on the table directly from the engine controller.
    Due to the fact that it works a bit on the principle of selection and randomization (depending on the SEED from the ECU)
    After several dozen tests on several ECUs, I can say that the PIN removal time is from 10 minutes to a maximum of 3 hours.

    There is an Immo emulation tab, so also - emergency launch without keys should work.


    I also wrote a small program to read the PIN as there is at least 1 key - after OBD in the car.
    the time needed to decode the PIN is several seconds.
    It was not without rewriting the Arduino batch again.

    I have to integrate these programs into one program together with the BSI coding and other developed drivers.

    Maybe tomorrow I will post a video of how it works.

    [movie: 3381ede20d] https://filmy.elektroda.pl/77_1641822126.mp4 [/ movie: 3381ede20d]
  • #227 19812047
    drago
    Level 20  
    Fantastic, quick, which year the car from?
  • #228 19812066
    glapsson
    Electronics specialist
    C3 III 2018
    I also checked on 3008 II YEAR 2018 - it also works
    And the new 208 II from 2020 also without a problem.
  • #229 19812085
    drago
    Level 20  
    And bsi Continental, did you manage to master it?
  • #230 19812086
    glapsson
    Electronics specialist
    some fucked up algorithm on SEED is either I'm going in the wrong direction and it's easier than I think.

    I also made a calculator for pin counting
    From that I started and when it started to talk, I just went on to OBD
    But if there was no arduino, pin counting is possible - as long as you only have any CAN analyzer.

    As you can see, with one pair there can be from several to several dozen compatible keys
    With two pairs it is usually 1 key, but I even hit 3-4
    With 3 pairs, it is practically a sure thing.

    In Arduino, I put on 5 pairs of data - so that there would be no mistakes.

    The calculator works below

    [movie: 800c82d4b2] https://filmy.elektroda.pl/77_1641833109.mp4 [/ movie: 800c82d4b2]
  • #231 19812716
    bbmax
    Level 15  
    It's getting interesting :) algo known only that people are afraid to publish :)
  • #232 19812759
    glapsson
    Electronics specialist
    I spent several hours to count it.
    I wasn't even looking on the web.

    But for sure the known ... immo emulators work somehow.
    And they have been available for years.
  • #233 19812775
    bbmax
    Level 15  
    Hmm zrodlo https://github.com/prototux/PSA-RE/commit/d2f79c9a05e7c578a38bc2eb27733d5873aa73d5
    [code:1:1a664825e3]// Immobilizer challenge-response implementation
    // This should match the authentication between the BSI and the engine ECU
    // The protocol is pretty simple:
    // * On frame 0x72 (ECU to BSI): 0x00 (4 bytes of challenge)
    // * On frame 0xA8 (BSI to ECU): 0x04 (4 bytes of response)
    // * If the challenge is accepted: {0x00, 0x00, 0x00, 0x00, 0x00} on frame 0x72
    // Thanks a lot to Wouter Bokslag for the original work and algorithm :)

    #include

    // Transformation function with PSA not-so-secret sauce
    int16_t transform(uint8_t data_msb, uint8_t data_lsb, uint8_t sec[])
    {
    int16_t data = (data_msb
  • #234 19812817
    drago
    Level 20  
    @bbmax and @glapsson, maybe you could sit down to the topic together? What do you say ?
  • #235 19813687
    glapsson
    Electronics specialist
    But I already have it .... after all, it emulates a PIN and I calculate it from the CAN data.
    I don't have to sit down for this anymore.
    Anyway, you can see that the calculation is the same as for SEED BSI for encoding - otherwise, only the substitution of data for the OR operation.

    I wonder what it looks like in SEED2 for Continental
    Because everything indicates that it is completely different mathematically - or there is some additional XOR or OR operation.

    I do not pursue the topic myself, because for me Continental is rather a curiosity, just like Valeo.
    I do not expect that I would ever have a chance to do something on this subject for my needs.

    But if someone found this algorithm, I will try to write to the existing program with the valeo continental options tab and I will make it available here.

    It has changed a little again

    [movie: e5766f43b4] https://filmy.elektroda.pl/43_1642279989.mp4 [/ movie: e5766f43b4]
  • #236 19822739
    drago
    Level 20  
    Ooh, I can see you have mastered bsi delphi :)
  • #237 19825854
    Hallahub
    Level 1  
    Hello to everyone, Sorry for not typing in Poland, I own a 2021 208 II, I also have a workbench using bsi2010 and I have connected to it the Visteon 3D speedometer which has increased the mileage of both. I've read a bit the topic and found the tool for bsi2010ev. Any idea if it can work on the bench too? My main aim is to lower the mileage of the Visteon 3D speedo since I need to put in my car for some testing purpose. Unlike older PSA speedometer, the Visteon doesn't have a separate EEPROM like 3008 Cirocco for example. I hope you guys understand me.
  • #238 19861099
    kamyczek
    Level 38  
    I see some stagnation in the topic, is there no desire?
  • #240 19861236
    glapsson
    Electronics specialist
    So far this is a monologue on my part and sharp remarks from other sides ... so the question arises ... Why contribute?
| New topic
Report a violation of the law

Topic summary

The discussion revolves around the telecoding and reading of BSI (Body Systems Interface) units, specifically the DELPHI series EL HW D6 used in Peugeot 208 II and Opel Corsa F models. Users share their experiences with reading EEPROM data, modifying mileage, executing VIRGIN states, and performing diagnostics without online access. Various methods for telecoding and the challenges faced with different BSI versions are explored, including the need for specific algorithms for PIN code extraction and the importance of checksum calculations. The conversation also touches on the use of Arduino for interfacing with these systems, the development of coding software, and the sharing of resources among users to enhance their capabilities in working with BSI units.
Summary generated by the language model.
ADVERTISEMENT