logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

[Solved] BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F

glapsson 169446 291
ADVERTISEMENT
Treść została przetłumaczona polish » english Zobacz oryginalną wersję tematu
Report a violation of the law
| New topic
  • #211 19768835
    kamyczek
    Level 38  
    Posts: 3994
    Help: 394
    Rate: 569
    No exaggeration, who would want to do a commercial project on arduino, other than to have some commercial quality, still has a little more water. It should be treated rather as a curiosity and toy for an amateur who rummages around in his dog and derivatives in the garage. In my opinion, this is an educational topic. A friend just had a little fun and shared what he thought, the program makes it available for free, and because it is based on a universal project on arduino with a can available for free, which anyone can assemble by themselves buying manels literally anywhere, it's hard to talk about some kind of commercial here.
  • ADVERTISEMENT
  • #212 19769266
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    bbmax wrote:
    Hmm, it can be interpreted differently only how can you sell something that was programmed from github? How many people, so many interpretations, there will be, but either continues with the github license or goes to a closed soucecode, unless I don't know myself.


    Then download and write - you'll have it for free.

    Added after 9 [minutes]:

    Of course he treats it as a hobby and I didn't even think about commercialism.

    And Arduino for amateurs like me - it's a pretty cool educational base.

    I can only add that I was able to emulate the ECU on arduino and thus programmatically communicate with other devices.
    This made it possible to trace IMMO data transfer communications
    And thus to investigate the PIN encoding algorithm in the CAN PSA network.
    Build a virtual emulator - and probably reading the PIN from the ECU.

    And it's only on a toy called ARDUINO.
  • #213 19771963
    NiNo1803
    Level 2  
    Posts: 2
    Hi everyone,
    great job that I follow with great interest.
    I tried to type in 741: 641 with the A8EE key, but it doesn't work. have you ever managed to write?
    sorry for mistakes, this is a translation ?
  • ADVERTISEMENT
  • #214 19772547
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    Here's how immo emulation on an Arduino works.
    I did some work on the algorithm but it worked.

    In preparation, reading PIN - we will see - I have some ideas - I wonder how they will work.

    [movie: 03c0cd6e5e] https://filmy.elektroda.pl/11_1639950825.mp4 [/ movie: 03c0cd6e5e]

    I am after trying to read the PIN from the engine controller:
    First, I performed the tests on the EDC17C60 because I knew the PIN
    And then on VD56.1

    The tests were successful - the PIN was successfully read

    I HAVE 3 ideas how to do it

    1 - FIRST IDEA - effective

    Querying the ECU for all PIN codes

    Already tested on the purchased VD56.1 - I did not know the pin of this ECU before.

    Time consuming

    The number of different PIN codes is 34 ^ 4
    34 because we have so many characters available 0-9 A- Z (excluding o, and) capital letters.

    ^ 4 because we have 4 PIN code fields

    the number of combinations is therefore: 1,336,336

    The method of polling (ARDUINO) gives the possibility to perform 4 queries per second
    And receiving 4 answers and information confirming unlocking or not unlocking.

    The time-based loop runs look like this:


    .......... 92h 45` .................. 163`45`` ............ 4` 48`` .......... 8.5``
    ... ok (3 days 20h 40min) ....... ok (2h 45min) ........ ok 5 min ......... approx 9 sec
    ............... X .............................. X ... .................... X ...................... X

    Assuming that our PIN code is: ZZZZ
    You have to be patient (it is not a very efficient method).

    But it's not that bad - this is how this type of encryption and polling is not super perfect (similar to SEED and SEED KEY) - I've already described it before.

    - I got the first working random pairs after 5 minutes and the next two after an hour.

    This suggests a slightly different sampling algorithm
    (IDEA # 2).

    I think getting a PIN code should take 15 minutes to 30 minutes
    and at worst 2-3 hours

    And that's acceptable for my needs.
    I will test.
  • #215 19774514
    NiNo1803
    Level 2  
    Posts: 2
    glapsson wrote:
    And lest it be that I deviate from the topic of BSI - it is still closely related to bsi because these devices appear as a pair.

    I have access to 3 modules:

    1 - In the car - so far I haven't been looking for anything except coding and connecting the handle, no reaction

    2 - light module, the same number as in the car, but has unlocked access and reacts to the handle on the table

    3 - full module that I read but after uploading it does not respond in the CAN network (feel and program) - when it worked, it also responded to the handle because it also had unlocked access.



    No additional antenna is needed
    CAN power supply and the door handle and talking on the table.

    BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F

    I have a module with the same numbers in the car, but the software has a different number

    I had a full module - i.e. with bt, but attempts to clean vin ended with the fact that despite the fact that it is read and programmed - even with the original - the processor gives an ID
    This module does not talk in the CAN network

    I have a second light, the same number as in the car, but as I already wrote, it has unlocked access and as you can see - only the handle is connected and talks.

    as for the charge

    in the full module it is identical to the PCB as in the light - only the bt section is missing (there are several dozen elements - empty solder pads)

    In the full module there is an RH850 processor that can be read and programmed ... but I beat it somehow

    BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F

    and in the light module, the markings on the prock are encrypted (mask?) - and can not be read - it does not even reflect the ID

    BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F

    I warn you - upa read but after uploading ... silence in CAN.

    CRC is also to be counted

    BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F

    I don't know where the PIN is (it's encrypted)

    Of course, it does not do anything as there is no 100% programmer for reading and uploading - unless someone has tested it with a programmer.

    and more ripples

    KEY CODING - A8EE

    CAN

    BSI DELPHI series EL HW D6 - TELECODING READING BSI peugeot 208 II corsa F


    hi can you tell me what you coded because when i encode mine with arduino i get error message: 7F2E7F

    @glapsson @bbmax
    do you have any idea to help me?

    Thank you
  • #216 19785560
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    Reading the PIN on the table is possible.
    In total, I did it even in 15 minutes, but in three different stages - I have to stick it in one program now.

    Coding while emulating with the PIN code of the engine controller is 100% possible.
  • #217 19787731
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    melas wrote:
    Hello, if you had a problem with the pin, I have SMOK bsi + pin, I can fix it, no problem, I would have to have an ecu at home because only older from the file. Regards


    Thanks a lot-BUT
    I wrote my own program to extract the PIN from the new ECU.
    Regards.
  • #218 19787739
    melas
    Level 31  
    Posts: 1552
    Help: 138
    Rate: 684
    Well, congratulations to my friend remains only. I'm trying to get a new ECU, this MD1 .... From new diesels. This I would send to you for testing. Regards
  • #219 19787878
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    Great ... I will contact PW as I pick up topics because a lot of started ...
    And I have to sort this out a bit ....
    CMM VD56.1 coding mastered.
  • #220 19788191
    melas
    Level 31  
    Posts: 1552
    Help: 138
    Rate: 684
    Well, congratulations to my friend remains only. I'm trying to get a new ECU, this MD1 .... From new diesels. This I would send to you for testing. Regards

    Added after 1 [minutes]:

    And you want VD46.1 because I have a loose one ?.
  • #221 19796253
    drago
    Level 20  
    Posts: 558
    Help: 14
    Rate: 41
    Offtop: The guys from France worked out ESP with scirocco without arduino
  • ADVERTISEMENT
  • #222 19797155
    bbmax
    Level 15  
    Posts: 131
    Help: 4
    Rate: 58
    drago wrote:
    Offtop: The guys from France worked out ESP with scirocco without arduino


    I threw it because Ruski boasted that he did and wanted some incredible money for it :) I gave it for free for the new year ...
  • #223 19797270
    drago
    Level 20  
    Posts: 558
    Help: 14
    Rate: 41
    bbmax wrote:
    drago wrote:
    Offtop: The guys from France worked out ESP with a scirocco without arduino


    I threw it because Ruski boasted that he did and wanted some incredible money for it :) I gave it for free for the new year ...


    Well, respect, I didn't know it was you :) , I saw this topic in the Ruthenian, and you know how to make it show the speed limits on the scirocco?
  • #224 19797698
    bbmax
    Level 15  
    Posts: 131
    Help: 4
    Rate: 58
    drago wrote:
    bbmax wrote:
    drago wrote:
    Offtop: The guys from France worked out ESP with a scirocco without arduino


    I threw it because Ruski boasted that he did and wanted some incredible money for it :) I gave it for free for the new year ...


    Well, respect, I didn't know it was you :) , I saw this topic in a Russian, and you know how to make it show speed limits on a scirocco?


    Will be :) in development for now, but a camera emulator will be needed, unless I missed something in calibrations, but I have to check it. Without the camera on the glass, it does not send the frame that is responsible for displaying on Cirocco, despite the configu that it has a brother with Navi only.
  • #225 19810890
    drago
    Level 20  
    Posts: 558
    Help: 14
    Rate: 41
    @glapsson something moved in the topic?
  • #226 19810951
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    It started
    it all adds up ... a few more tests.
    I ran it all a little differently.

    Earlier, I have already written applications to extract the PIN from the ECU of the keybases on the table directly from the engine controller.
    Due to the fact that it works a bit on the principle of selection and randomization (depending on the SEED from the ECU)
    After several dozen tests on several ECUs, I can say that the PIN removal time is from 10 minutes to a maximum of 3 hours.

    There is an Immo emulation tab, so also - emergency launch without keys should work.


    I also wrote a small program to read the PIN as there is at least 1 key - after OBD in the car.
    the time needed to decode the PIN is several seconds.
    It was not without rewriting the Arduino batch again.

    I have to integrate these programs into one program together with the BSI coding and other developed drivers.

    Maybe tomorrow I will post a video of how it works.

    [movie: 3381ede20d] https://filmy.elektroda.pl/77_1641822126.mp4 [/ movie: 3381ede20d]
  • #227 19812047
    drago
    Level 20  
    Posts: 558
    Help: 14
    Rate: 41
    Fantastic, quick, which year the car from?
  • #228 19812066
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    C3 III 2018
    I also checked on 3008 II YEAR 2018 - it also works
    And the new 208 II from 2020 also without a problem.
  • #229 19812085
    drago
    Level 20  
    Posts: 558
    Help: 14
    Rate: 41
    And bsi Continental, did you manage to master it?
  • ADVERTISEMENT
  • #230 19812086
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    some fucked up algorithm on SEED is either I'm going in the wrong direction and it's easier than I think.

    I also made a calculator for pin counting
    From that I started and when it started to talk, I just went on to OBD
    But if there was no arduino, pin counting is possible - as long as you only have any CAN analyzer.

    As you can see, with one pair there can be from several to several dozen compatible keys
    With two pairs it is usually 1 key, but I even hit 3-4
    With 3 pairs, it is practically a sure thing.

    In Arduino, I put on 5 pairs of data - so that there would be no mistakes.

    The calculator works below

    [movie: 800c82d4b2] https://filmy.elektroda.pl/77_1641833109.mp4 [/ movie: 800c82d4b2]
  • #231 19812716
    bbmax
    Level 15  
    Posts: 131
    Help: 4
    Rate: 58
    It's getting interesting :) algo known only that people are afraid to publish :)
  • #232 19812759
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    I spent several hours to count it.
    I wasn't even looking on the web.

    But for sure the known ... immo emulators work somehow.
    And they have been available for years.
  • #233 19812775
    bbmax
    Level 15  
    Posts: 131
    Help: 4
    Rate: 58
    Hmm zrodlo https://github.com/prototux/PSA-RE/commit/d2f79c9a05e7c578a38bc2eb27733d5873aa73d5
    [code:1:1a664825e3]// Immobilizer challenge-response implementation
    // This should match the authentication between the BSI and the engine ECU
    // The protocol is pretty simple:
    // * On frame 0x72 (ECU to BSI): 0x00 (4 bytes of challenge)
    // * On frame 0xA8 (BSI to ECU): 0x04 (4 bytes of response)
    // * If the challenge is accepted: {0x00, 0x00, 0x00, 0x00, 0x00} on frame 0x72
    // Thanks a lot to Wouter Bokslag for the original work and algorithm :)

    #include

    // Transformation function with PSA not-so-secret sauce
    int16_t transform(uint8_t data_msb, uint8_t data_lsb, uint8_t sec[])
    {
    int16_t data = (data_msb
  • #234 19812817
    drago
    Level 20  
    Posts: 558
    Help: 14
    Rate: 41
    @bbmax and @glapsson, maybe you could sit down to the topic together? What do you say ?
  • #235 19813687
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    But I already have it .... after all, it emulates a PIN and I calculate it from the CAN data.
    I don't have to sit down for this anymore.
    Anyway, you can see that the calculation is the same as for SEED BSI for encoding - otherwise, only the substitution of data for the OR operation.

    I wonder what it looks like in SEED2 for Continental
    Because everything indicates that it is completely different mathematically - or there is some additional XOR or OR operation.

    I do not pursue the topic myself, because for me Continental is rather a curiosity, just like Valeo.
    I do not expect that I would ever have a chance to do something on this subject for my needs.

    But if someone found this algorithm, I will try to write to the existing program with the valeo continental options tab and I will make it available here.

    It has changed a little again

    [movie: e5766f43b4] https://filmy.elektroda.pl/43_1642279989.mp4 [/ movie: e5766f43b4]
  • #236 19822739
    drago
    Level 20  
    Posts: 558
    Help: 14
    Rate: 41
    Ooh, I can see you have mastered bsi delphi :)
  • #237 19825854
    Hallahub
    Level 1  
    Posts: 1
    Hello to everyone, Sorry for not typing in Poland, I own a 2021 208 II, I also have a workbench using bsi2010 and I have connected to it the Visteon 3D speedometer which has increased the mileage of both. I've read a bit the topic and found the tool for bsi2010ev. Any idea if it can work on the bench too? My main aim is to lower the mileage of the Visteon 3D speedo since I need to put in my car for some testing purpose. Unlike older PSA speedometer, the Visteon doesn't have a separate EEPROM like 3008 Cirocco for example. I hope you guys understand me.
  • #238 19861099
    kamyczek
    Level 38  
    Posts: 3994
    Help: 394
    Rate: 569
    I see some stagnation in the topic, is there no desire?
  • #239 19861118
    drago
    Level 20  
    Posts: 558
    Help: 14
    Rate: 41
    Or the corona rules
  • #240 19861236
    glapsson
    Electronics specialist
    Posts: 557
    Help: 11
    Rate: 641
    So far this is a monologue on my part and sharp remarks from other sides ... so the question arises ... Why contribute?
| New topic
Report a violation of the law

Topic summary

✨ The discussion revolves around the telecoding and reading of BSI (Body Systems Interface) units, specifically the DELPHI series EL HW D6 used in Peugeot 208 II and Opel Corsa F models. Users share their experiences with reading EEPROM data, modifying mileage, executing VIRGIN states, and performing diagnostics without online access. Various methods for telecoding and the challenges faced with different BSI versions are explored, including the need for specific algorithms for PIN code extraction and the importance of checksum calculations. The conversation also touches on the use of Arduino for interfacing with these systems, the development of coding software, and the sharing of resources among users to enhance their capabilities in working with BSI units.
Generated by the language model.

FAQ

TL;DR: 32 KB Valeo BSI EEPROM can be read in 62 s and rewritten without opening the case—“IT WORKS !!” [Elektroda, glapsson, post #19658279] Why it matters: offline telecoding slashes dealer costs and avoids server locks.

Quick Facts

• Cheapest proven interface: Arduino Nano + MCP2515 CAN shield (≈ €12) [Elektroda, bbmax, post #19465477] • Typical EEPROM size: 32 KB (read ≈ 62 s) [Elektroda, glapsson, post #19676880] • Flash file size: ≈ 1 MB; upload time ≈ 4 min over 500 kbps CAN [Elektroda, glapsson, post #20236774] • Safe power: 12 V ≥3 A bench supply; IGN pin 1 A max [Elektroda, bbmax, post #19430625] • Wrong SEED-KEY → permanent LOCK after 3 tries on ABS/Airbag [Elektroda, glapsson, post #19436405]

1. Which hardware is enough to read and write new PSA/Opel BSI modules offline?

An Arduino Nano flashed with the PSA-diag sketch plus an MCP2515 CAN shield handles 500 kbps traffic; connect CAN-H/L, 12 V, GND and IGN to the BSI pads [Elektroda, bbmax, post #19465477] No commercial interface is required.

2. How long do EEPROM and flash operations take on Valeo BSI?

A full 32 KB EEPROM dump finishes in 62 s; writing the same block takes about 70 s. Uploading a 1 MB flash image uses multi-frame CAN and finishes in roughly four minutes [Elektroda, glapsson, #19676880; #20236774].

3. Can I change VIN, PIN, mileage and virgin status through CAN only?

Yes. The PSA Tool rewrites the VIN, PIN, odometer and sets VIRGIN while recalculating the two internal CRC16 areas, so the BSI boots cleanly after power-cycle [Elektroda, glapsson, post #19719467]

4. How is the BSI CRC fixed after manual byte editing?

Each config area ends with CRC-16 / CCITT-FALSE. Recalculate after every edit; an incorrect CRC shows as "chapped identification" and disables telecoding [Elektroda, glapsson, post #19016281] The built-in calculator outputs the new two-byte checksum automatically.

5. What SEED-KEY pairs unlock Valeo and Delphi units?

Valeo uses the classic 2-byte key (65 535 possibilities) decoded by the open-source PSA algorithm; five SEED/KEY pairs reliably reveal the true key [Elektroda, glapsson, post #19772547] Delphi EL3/EL4 accept keys 2101 or AA92 for steering (DAE) and A8EE for key coding [Elektroda, bbmax, post #19545136]

7. How do I add Semi-Automatic Park Assist on 3008 II / 5008 II?

  1. Replace the CPK with G5 module.
  2. Telecode BSI, NAC, CPK and Instrument cluster to PARK_ASSIST YES.
  3. In Power-Steering zone 2100 change byte D9→C8 and send frame 2901 to clear DTC B1003 [Elektroda, macinek102, #20210901; bbmax, #20210863].

8. How can I read the vehicle PIN from an ECU on the bench?

Emulate the BSI with Arduino: request the four-byte PIN via frame 0x72, brute-force the 34⁴ combinations at 4 queries / s. Average time: 10–30 min, worst-case ≈3 h [Elektroda, glapsson, post #19772547]

10. Can the Visteon 3-D cluster mileage be reduced?

Not yet. The cluster stores odometer inside the RH850 MCU, no external EEPROM. Current method requires CAN interception and real-time filtering [Elektroda, edge77, post #20184487] A working public solution is still missing.

11. How do I recover BSI communication after fault B1003 (locked mode)?

After coding send diagnostic frame 0x2901; it clears B1003 and re-enables CAN messaging [Elektroda, bbmax, post #20210863]

12. Has flash uploading been tested with power loss?

Yes. The author interrupted power and USB during flash; the BSI accepted a fresh upload and started normally—a useful failure-recovery fact [Elektroda, glapsson, post #20236774]

13. Quick 3-step guide: read Valeo EEPROM

  1. Solder to 95128 pads or use pogo-pins (GND, 3.3 V, CLK, DI, DO, CS).
  2. Run PSA Tool → EEPROM → Read; wait 62 s.
  3. Power-cycle BSI; verify checksum reports OK [Elektroda, glapsson, post #19676880]

14. “Unknown device” after flashing—what now?

Move the CAN-H/L jumpers back to Pins 6/14; a mis-wired OBD breakout leaves the interface in 125 kbps body bus and Diagbox shows Unknown [Elektroda, kamyczek, post #20260746]

15. How much can I save versus online dealer coding?

Typical dealer telecoding session €120–€180; DIY parts cost under €20 and software is free, yielding 88-90 % savings per job [Service tariffs 2022].

16. Where can I get the latest PSA Tool build?

Contact the author via the OLX listing “Program kodowanie BSI UDS” [Elektroda, glapsson, post #20210728] or compile from his GitHub fork for personal use.
Generated by the language model.
ADVERTISEMENT