From some other sources i got the informations that only one module in PATS carries the actual key-IDs and the others only uses a "hash" or "sync" values. It looks like BCM (in case of cars having traditional keys) or KVM (in case of cars having Keyless-Go) carries the keydata. Besides of this all modules have "pairing key codes" of each other like:
PCM carries codes of ABS and BCM/KVM
BCM/KVM carries codes of ABS and PCM
ABS carries codes of PCM and BCM/KVM
That might reflect the process of "Synchronize PATS" from IDS?!
Copy keys (PATS II) from ABS to other
Re: Copy keys (PATS II) from ABS to other
Just an idea, did anyone try to just flash the regular ABS with the firmware from IVDC one?
Re: Copy keys (PATS II) from ABS to other
Interesting idea...
Re: Copy keys (PATS II) from ABS to other
@Syntax: I did, didn't worked, the valves are different
-
DGAlexandru
- Pro
- Posts: 364
- Joined: 04 Aug 2019, 22:47
Re: Copy keys (PATS II) from ABS to other
Only IC from FF2; 2 versions.Go4IT wrote: ↑02 Apr 2023, 09:25 But great, another thing that's clearified! So there is no encryption involved, at least on the CAN and the EEPROM level!
Do you know how the key code data on FF2 looks like? I'm shure they are the same on FM4.
And we can learn a lot if looking at FF2. There are potentially much more information to find than for FM4...
I'll come back with a FF2 CAN Sniff for IC and PCM where we can see the PATS data exchange and maybe one for FF2 with KeyLess - IC, PCM and RKE.
You do not have the required permissions to view the files attached to this post.
-
DGAlexandru
- Pro
- Posts: 364
- Joined: 04 Aug 2019, 22:47
Re: Copy keys (PATS II) from ABS to other
FLASH, EEPROM and RAM dump from a FF2 / Kuga KVM (this one is paired only with PCM and Electrical Steering Column Lock)
As you can see, the KEY ID's are saved unencrypted in EEPROM, the same as they are in the EEPROM of FF2 IC.
The RAM contents can't be saved with USBDM in only one file, you need 4-5 reads (three for the 3 RAM Pages - 4k each, and one (1x8k) or two (2x4k) for the 8K one which is fixed), but I've been able to combine them in a Motorola S19 format manually. The USBDM cfg file I've added for reading the RAM has to be edited - to exclude the first 5 lines, then the Target Initialization option should be used for each RAM Page: (16,FB) for the lower one, then (16,FC) for the next one and so on until the last one (16,FF).
I'll come back with the dumps of a Mondeo 4 PreFl KVM, as this one is still readable by BDM. The ones for FaceLift (after 05.2010) are secured and for now, as my xProg Clone has issues, I can't unlock them.
The dumps were done using USBDM - thanks Go4IT for the hint & tutorial about this interface.
Some information about this KVM that can be read using ELMConfig:
MC9S12XDT384 Mapings:
As you can see, the KEY ID's are saved unencrypted in EEPROM, the same as they are in the EEPROM of FF2 IC.
The RAM contents can't be saved with USBDM in only one file, you need 4-5 reads (three for the 3 RAM Pages - 4k each, and one (1x8k) or two (2x4k) for the 8K one which is fixed), but I've been able to combine them in a Motorola S19 format manually. The USBDM cfg file I've added for reading the RAM has to be edited - to exclude the first 5 lines, then the Target Initialization option should be used for each RAM Page: (16,FB) for the lower one, then (16,FC) for the next one and so on until the last one (16,FF).
I'll come back with the dumps of a Mondeo 4 PreFl KVM, as this one is still readable by BDM. The ones for FaceLift (after 05.2010) are secured and for now, as my xProg Clone has issues, I can't unlock them.
The dumps were done using USBDM - thanks Go4IT for the hint & tutorial about this interface.
Some information about this KVM that can be read using ELMConfig:
MC9S12XDT384 Mapings:
Code: Select all
EEPROM:
Xprog BIN -> USBDM MotoS19
0000:03FF -> FC0800:FC0BFF - EPage FC
0400:07FF -> FD0800:FD0BFF - EPage FD
0800:0BFF -> FE0800:FE0BFF - EPage FE
0C00:0FFF -> FF0800:FF0BFF - EPage FF = 0C00:0FFF w/o EPage
FLASH:
Xprog BIN -> USBDM MotoS19
008000:00BFFF -> E08000:E0BFFF - PPage E0
018000:01BFFF -> E18000:E1BFFF - PPage E1
028000:02BFFF -> E28000:E2BFFF - PPage E2
038000:03BFFF -> E38000:E3BFFF - PPage E3
048000:04BFFF -> E48000:E4BFFF - PPage E4
058000:05BFFF -> E58000:E5BFFF - PPage E5
068000:06BFFF -> E68000:E6BFFF - PPage E6
078000:07BFFF -> E78000:E7BFFF - PPage E7
088000:08BFFF -> F08000:F0BFFF - PPage F0
098000:09BFFF -> F18000:F1BFFF - PPage F1
0A8000:0ABFFF -> F28000:F2BFFF - PPage F2
0B8000:0BBFFF -> F38000:F3BFFF - PPage F3
0C8000:0CBFFF -> F48000:F4BFFF - PPage F4
0D8000:0DBFFF -> F58000:F5BFFF - PPage F5
0E8000:0EBFFF -> F68000:F6BFFF - PPage F6
0F8000:0FBFFF -> F78000:F7BFFF - PPage F7
108000:10BFFF -> F88000:F8BFFF - PPage F8
118000:11BFFF -> F98000:F9BFFF - PPage F9
128000:12BFFF -> FA8000:FABFFF - PPage FA
138000:13BFFF -> FA8000:FABFFF - PPage FB
148000:14BFFF -> FB8000:FBBFFF - PPage FC
158000:15BFFF -> FD8000:FDBFFF - PPage FD = 4000:7FFF w/o PPage (1K / 2K / 4K or 8K Protected Sector at begining)
168000:16BFFF -> FE8000:FEBFFF - PPage FE = 8000:BFFF w/o PPage
178000:17BFFF -> FF8000:FFBFFF - PPage FF = C000:FFFF w/o PPage (2K / 4K / 8K or 16K Protected Boot Sector at end)
RAM:
BIN -> USBDM MotoS19
0000:0FFF -> FB1000:FB1FFF - RPage FB
1000:1FFF -> FC1000:FC1FFF - RPage FC
2000:2FFF -> FD1000:FD1FFF - RPage FD
3000:3FFF -> FE1000:FE1FFF - RPage FE = 2000:2FFF w/o RPage
4000:4FFF -> FF1000:FF1FFF - RPage FF = 3000:3FFF w/o RPage
You do not have the required permissions to view the files attached to this post.