Holden BCM and Key Fobs

Information and discussion of EFI hardware and specifications
User avatar
Posts: 1509
Joined: Tue Apr 26, 2011 9:52 pm

Holden BCM and Key Fobs

Postby psyolent » Wed Jan 16, 2019 3:56 pm

yep. mr minit does that near us.
i spoke to the guys son who is much more tech literate.

they did get a new key fob BUT he didn't connect to the car ala tech 2 style. he used a number off the BCM and programmed it that way.
like the car stereos and the pin codes ; the dude has some software which must calculate based on the serial number maybe of the BCM?

i guess someone at some stage took a whole heap of RFID scans and then ran them against rainbow tables and reverse engineered the logic?
Cheers,
Greg aka Sir Burnie Tanington

VX1 Berlina V6, VT1 Berlina V6 (Track), VN1 S V6, Hilux RN105 GMV8, Ford XP 170.

Site Admin
User avatar
Posts: 5835
Joined: Sat Feb 28, 2009 8:34 pm

Holden BCM and Key Fobs

Postby antus » Wed Jan 16, 2019 4:04 pm

This is not a subject I know about, but I just read the snapon docs here https://www.snapontools.com.au/__data/a ... ctions.pdf and it states


Code: Select all
On VR, VS, VT and VX series Keys are added in one of two ways:
1) “KEY CODE (EXTRA KEY)” adds a new key when there is a valid key existing
2) “KEY CODE (NEW KEY)” is used when there are no keys programmed to the BCM.
(For example all keys have been lost or a new BCM has been fitted.)
EXTRA KEY requires a valid key to disarm the Theft Deterrent to allow the new key to
be programmed.
On VY and VZ models there is only one method of adding a key to the BCM > KEY
CODE (NEW KEY).

Important Note for VT, VX, VY and VZ:
The BCM Security Code is required for “KEY CODE (NEW KEY)”. . This
Security number can be retrieved by selecting the “DISPLAY SECURITY
NUMBER” test found under the Key Code Test Menu.


Perhaps they write the serial number from the sticker in to their BCM, and it does the thing? Im pretty sure people have figured out how to clone BCMs. Maybe its as simple as that. Even if that is possible, then maybe someone reverse engineered the code in the BCM. I think that'd be more likely than a rainbow tables style approach.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

User avatar
Posts: 1509
Joined: Tue Apr 26, 2011 9:52 pm

Holden BCM and Key Fobs

Postby psyolent » Wed Jan 16, 2019 4:17 pm

.....they do have those crude BCM simulators so - i think you might be right there actually.
Cheers,
Greg aka Sir Burnie Tanington

VX1 Berlina V6, VT1 Berlina V6 (Track), VN1 S V6, Hilux RN105 GMV8, Ford XP 170.

Online
User avatar
Posts: 4157
Joined: Mon Jan 04, 2010 10:23 am

Holden BCM and Key Fobs

Postby The1 » Wed Jan 16, 2019 10:04 pm

The snapon instructions are for the snapon scantool which connects to the OBD Port,

The "extra key" command just sends a string to the BCM, if security is disarmed already it will just write straight to the a new blank key in the cars ignition and good to go.

The "ALL New Key" one is for a brand new BCM that has no keys programmed, which requires the BCM Security pin, which traditionally Holden only knew, but if your smart enough you can find it if you request the right string from the BCM and do an algo on a byte in the string. Not sure why Holden did it this way.

The key fob serial eeprom only stores 6 bytes of data, ive compared various BCM's code, security pin codes, key codes and serial numbers but i never found any way of linking them, the keys have a rolling code though, ive read and read keys one after the other and the bytes all change, so each BCM must have it's own rolling key system that changes every time it's used in the car.

But yeh id say what Antus has said is likely the case.

User avatar
Posts: 266
Joined: Sun Jan 25, 2015 4:21 pm
Location: Sydney

Holden BCM and Key Fobs

Postby j_ds_au » Thu Jan 24, 2019 1:30 am

The1 wrote:The key fob serial eeprom only stores 6 bytes of data, ive compared various BCM's code, security pin codes, key codes and serial numbers but i never found any way of linking them, the keys have a rolling code though, ive read and read keys one after the other and the bytes all change, so each BCM must have it's own rolling key system that changes every time it's used in the car.

I think the BCM generates a new rolling key code, each time the key is inserted into the reader and that's then stored by the key for remote functions. Once in a blue moon, this goes wrong and the remote functions won't work, but inserting the key gets it a new rolling code and then it all works again. A separate rolling code would be used for each key paired to the BCM.

But there must also be an ID required, either the BCM stores the key ID or the key stores the BCM ID (from the above story, it sounds like it's the latter) or both. This would constitute the BCM-key pairing and be validated for key start and probably also for remote functions.

Now, the key fob micro is unpowered if it's not in the reader and none of the buttons are pressed, so RAM doesn't play a part in storing any ID's or rolling key codes. If the micro ROM is a masked type, then the ROM can't have any ID stored in it, and obviously, no rolling key code. If it's an OTP type, it could store a key ID (factory programmed), but not a BCM ID, however as the above story suggests a BCM ID is stored in the key fob, that would mean that the micro ROM has no involvement in storing such (or rolling key codes, of course).

So that all implies that any BCM ID and rolling key code must both be contained within those six bytes you mention in the EEPROM, probably encrypted. Since multiple keys are supported by the BCM and each would need its own rolling key code, this implies that each key has a unique ID, which might also be stored within those EEPROM bytes, or if the micro ROM is an OTP type, it might be stored there (unlikely).

Joe.
Last edited by j_ds_au on Fri Mar 29, 2019 9:47 am, edited 1 time in total.

Online
User avatar
Posts: 4157
Joined: Mon Jan 04, 2010 10:23 am

Holden BCM and Key Fobs

Postby The1 » Thu Jan 24, 2019 8:34 pm

i went and found the keys i used to check, the keys i used had atmel 93C46C from factory, i did a dead bug style with a socket on the key so i could remove and read and write.

Yeh i found this out, it seems the key you use all the time is fine, the other key that maybe hasn't been used since the other key maybe 100 times it didn't seem to remote, once it was connected with IGN on then it was updated and had the correct codes again.

User avatar
Posts: 266
Joined: Sun Jan 25, 2015 4:21 pm
Location: Sydney

Holden BCM and Key Fobs

Postby j_ds_au » Sat Jan 26, 2019 12:19 am

Strange about the unused remote temporarily losing its remote capability this way. I wonder if the BCM stores a list of assigned rolling key codes, with a finite capacity, of course, so forgets very stale ones? But I can't see a reason for doing it that way. If the key fob lost the rolling code, the same would occur, but there's no reason why it should lose the code from EEPROM.

Joe.

Online
User avatar
Posts: 4157
Joined: Mon Jan 04, 2010 10:23 am

Holden BCM and Key Fobs

Postby The1 » Sun Jan 27, 2019 4:54 pm

i would think it would be so if you lost your key then it would stop someone eventually finding it and being able to open your car, though it will work and update itself once used in the ignition, so BCM must have some kind of timer or last X number of rolling codes only stored, key may still retain a master value that works in the barrel so it can disarm to get a new rolling code, perhaps that's what these people have worked out via the BCM serial number.

User avatar
Posts: 5034
Joined: Sat Feb 28, 2009 8:38 pm
Location: Wellington NZ

Holden BCM and Key Fobs

Postby delcowizzid » Sun Jan 27, 2019 6:09 pm

I can see it transmit on my sdr at 304mhz wonder if I can decode the data hmm
20190127_210404.jpg
If Its Got Gas Or Ass Count Me In.if it cant be fixed with a hammer you have an electrical problem

Online
User avatar
Posts: 4157
Joined: Mon Jan 04, 2010 10:23 am

Holden BCM and Key Fobs

Postby The1 » Sun Jan 27, 2019 7:39 pm

New Topic made for this instead of in enhanced mod

PreviousNext

Return to Hardware

Who is online

Users browsing this forum: No registered users and 1 guest