
·
Registered
Joined
·
2 Posts
Discussion Starter #1
Hi!
I've recently tinkered a lot with GTO BCMs and keyfobs. I wanted to make backup keys for my cars, since I have a total of four GTOs on my lot and I was not keen on spending dollars on a new key fob for every car.
First of all, none of the cars had the original security card with the BCM code, so I started looking and found GNXClone's post about the code being stored at 0x52 in the BCM's EEPROM.
However, I had no luck and the code retrieved from the EEPROM didn't work.
Then I reached out to 06phantom, the creator of the BCM code tool. He was very helpful and pointed out to me that the code is indeed at 0x52, but it's three bytes long!
So, for future reference, the BCM security code is a uint24 at 0x52, stored as little-endian.

I had working BCM codes, but I did not stop at that. Since I had the BCMs apart, I mapped the rest of the data I could, and the result is the attached VZ GTO BCM.xdf file, which can be used in TunerPro to read and edit the BCM calibration. I attached it as .txt; just change the extension to .xdf after you download it.
[Image: vzbcm.png]


Going back to the keys, normally the fobs are designed as one time programmable. But I had three fobs laying around from donor cars, so I tried making them reusable :)

Here is how to do that:
First of all, you have to open the OEM case, which is tricky. I had good luck heating the edges up with a hot air soldering iron set to 150°C.
[Attachment 503556]


Then, pry the case open starting at the key blade slot:
[Attachment 503557]


The printed circuit board inside has two chips. The smaller of them is a 93S46 Microwire EEPROM with write protection. I marked the number one pin; note that instead of the usual dot on the number 1 pin, the chip has the ST logo as the marker.
[Attachment 503558]

With my LT866 programmer I read the contents of the EEPROM. Unfortunately I had to desolder it to read it properly, but you need to do that anyway because the EEPROM has a protected area that cannot be reprogrammed.

The contents of EEPROM from a used, programmed key looked like this:
[Attachment 503560]

The first two words are rolling key memory as their value changed with every key press.
Memory protection was set at word 3 (0x04), so the values starting at 0x06 are some kind of ID hash from BCM programmed once.

Anyway, I soldered a new, unprogrammed 93S46 and it did not work! Unsoldered the memory again and saw that the first two words changed, but the rest was still unprogrammed.
So I copied the values from the old key to the new EEPROM (as above), but left the protection inactive. Tried again and IT WORKED! :D

Out of curiosity I read the EEPROM again after successful programming, and here it is:
[Attachment 503561]

As you can see, only the two words at 0x6 and 0x8 changed. (I did not press any key after programming.) This leads me to think that the word at 0x0A is some kind of key ID, and the changed data at 0x06 is a number generated by the BCM from the VIN (or another ID stored in the BCM) and the key ID.

So, there you have it, a little piece of information about BCM and keyfobs from my reverse-engineering experiences.
And just to recap, if you have a programmed key and want to reuse it: open it, replace the EEPROM with a new one (with something random programmed at 0x0A) and you are ready to program it to your car again.
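
Added example, not part of the original post: a Python sketch of the dump comparison the post describes, reporting which 16-bit words differ between two 93S46 reads and tagging them with the regions the poster identified, plus the uint24 little-endian read at 0x52 from a BCM dump. Function names are hypothetical, the region labels are the poster's interpretation rather than a documented layout, and all sample bytes are constructed.

```python
EEPROM_SIZE = 128  # 93S46: 64 words x 16 bits
REGIONS = [        # (first byte, last byte, label taken from the post)
    (0x00, 0x03, "rolling words (change on key press)"),
    (0x04, 0x05, "memory protection set here"),
    (0x06, 0x09, "written by BCM during programming"),
    (0x0A, 0x0B, "possible key ID"),
]

def label_for(addr):
    """Map a byte address to the region the post assigns it to."""
    for first, last, label in REGIONS:
        if first <= addr <= last:
            return label
    return "unmapped"

def diff_words(before, after):
    """Return (byte_addr, old_hex, new_hex, label) for every changed word."""
    if len(before) != EEPROM_SIZE or len(after) != EEPROM_SIZE:
        raise ValueError("expected two full 128-byte 93S46 dumps")
    changes = []
    for addr in range(0, EEPROM_SIZE, 2):
        old, new = before[addr:addr + 2], after[addr:addr + 2]
        if old != new:
            changes.append((addr, old.hex(), new.hex(), label_for(addr)))
    return changes

def bcm_security_code(bcm_dump):
    """Read the uint24 little-endian value at 0x52, as stated in the post."""
    if len(bcm_dump) < 0x55:
        raise ValueError("dump too short to contain 0x52..0x54")
    return int.from_bytes(bcm_dump[0x52:0x55], "little")

def make_sample():
    """Constructed dumps: only the words at 0x06 and 0x08 differ."""
    before = bytearray(b"\xff" * EEPROM_SIZE)
    before[0x00:0x04] = bytes.fromhex("11223344")
    before[0x06:0x0C] = bytes.fromhex("a1a2b1b2c1c2")
    after = bytearray(before)
    after[0x06:0x0A] = bytes.fromhex("0d0e0f10")
    return bytes(before), bytes(after)

if __name__ == "__main__":
    b, a = make_sample()
    for addr, old, new, label in diff_words(b, a):
        print(f"0x{addr:02X}: {old} -> {new}  [{label}]")
```
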
 


·
GR-RRR!
Joined
·
5,842 Posts
So, who is going to be around in the future to install pre-programmed EEPROMs into my key fob so I can reprogram them to my car after the batteries crap out? Or do the EEPROMs keep their settings even when the battery is removed and then replaced? At the very least we have a way to reuse a previously programmed fob. Folks have been selling used fobs for years even though there was not an easy or direct way to program them to a different car. I wonder how many people were taken by these crooks?
 

·
Registered
Joined
·
2 Posts
Discussion Starter #6
> So, who is going to be around in the future to install pre-programmed EEPROMs into my key fob so I can reprogram them to my car after the batteries crap out? Or do the EEPROMs keep their settings even when the battery is removed and then replaced?

EEPROM by its nature is a non-volatile memory, so it keeps its contents even without power.
So, you can replace the battery in a fob without any worries, or transfer the EEPROM chip to another fob board if one dies.

And if you are curious, the new 93S46 costs around 28 cents ;) The downside is you have to program it. I hoped I could just solder a new one and be done with it, but unfortunately that's not the case.
 

·
GR-RRR!
Joined
·
5,842 Posts
Unfortunately, I doubt too many of us have a way to program a new EEPROM.

I have one old fob that gave up the ghost. Not even a new battery helped that one. Maybe it just needs a new EEPROM?
 

·
Registered
Joined
·
1,143 Posts
Nice writeup! If only there were a way to program the BCM in the car.
 

·
Registered
Joined
·
90 Posts
Nice work figuring this out!
Would you happen to know anything about the main chip on the FOB?
Identifying it could open up some possibilities to make changes/custom FOBs.
I believe Toyotas in Australia also used this chip in their remotes in the early 2000s.
 

·
Registered
Joined
·
767 Posts
As an IT guy, I enjoyed this and it makes a lot of sense to me.

As someone who cannot solder, I'll just sit here and sigh about this knowledge that I wish I could leverage. :)
 