How to clone a black remote fob .... | FerrariChat

How to clone a black remote fob ....

Discussion in 'Technical Q&A' started by eric355, Dec 15, 2006.

  1. eric355

    eric355 Formula 3
    Silver Subscribed

    Nov 30, 2005
    1,158
    Toulouse (France)
    Full Name:
    Eric DECOUX
    #1 eric355, Dec 15, 2006
    Last edited by a moderator: Sep 7, 2017
    This thread is for all the 355/360/456/550 owners who, like me, for whatever reason have only one black remote fob. Not a very comfortable situation, even with the PIN code. I didn't like the idea of having to turn the key more than 20 times (yes, I have at least two "0"s in my PIN code :-( ) before starting my car if I lose my remaining remote. I have never even tried this method!! I don't like the cost of a new complete set either ...

    So, I looked for and found a very cheap alternative. When looking at a black remote circuit (cf. picture 1), one can mainly see two chips: the big one is a microcontroller, and the small one is a memory (serial EEPROM).

    My guess: the microcontrollers are the same for all remotes and contain the same program; all the genetic (specific) data are contained in the EEPROM. So if I copy the EEPROM content of the functioning remote to the EEPROM of another one (provided it has the same radio frequency: 433 MHz for Europe, 350 MHz for USA), it should work. And guess what? ....... IT WORKS !!!

    So here is the procedure:
    - You need an EEPROM programmer. Hopefully, it is of a very common type (93C46) and you can very easily find (or even build, see mine in picture 3) a programmer for such a memory. The most difficult part to find was a suitable support for Surface Mounted Devices (SMD). Try Google and eBay for hardware and freeware ...
    - The scary part: you have to safely unsolder the EEPROM from the functioning remote (cf. picture 2) .... ouch !! .... Remember it is the only operative remote ;-) . There are some tips to remove this kind of SMD component.
    - Place the EEPROM on the programmer (picture 3), read and save its content (picture 4)
    - Remove the EEPROM from the victim remote and program it with the data of the operative remote
    - Re-solder the EEPROMs

    That's all. You now have 2 (or more :) !!!) identical remotes. Both will work equally. A remote which has not been used for some time will just need to be pressed several times in order to resynchronize the alarm ECU.
     
  2. gothspeed

    gothspeed F1 World Champ

    May 26, 2006
    10,244
    U.S.A.
    Full Name:
    goth
    You are the man!!
     
  3. Mark 328

    Mark 328 Formula Junior

    Nov 6, 2003
    510
    Orange, Ca
    Full Name:
    Mark Foley
    Great discovery and write-up!!
     
  4. GCalo

    GCalo F1 Veteran

    Sep 15, 2004
    7,645
    Northern California
    Full Name:
    Greg Calo
    Very, very clever and very, very cerebral.

    Is there any way to extract the data and to reprogram the device w/o desoldering and then resoldering it? Too much heat could cook it and then one is definitely SOL!!

    Any sources for the eeprom reader? I have an older one that ran on an 8088 computer!

    You definitely get the FChat wizard award for 2006!

    This could save many guys' rears.
     
  5. rbf41000

    rbf41000 Formula Junior

    Nov 21, 2005
    676
    Charlotte NC
    Full Name:
    Russell
    Just wondering:
    If the key for the 430 will fit the 360 and has the remote built into the key, would it be possible to use this clone method to adapt the 430 key to work the 360 alarm and locks?
    I do find the black plastic alarm fob a real pain in the rear.

    Russell
     
  6. LetsJet

    LetsJet F1 Veteran
    Owner

    May 24, 2004
    9,334
    DC/LA/Paris/Haleiwa
    Full Name:
    Mr.
    Great job.........

    But last time I tried to solder a circuit board it didn't go so well. Be careful......
     
  7. eric355

    eric355 Formula 3
    Silver Subscribed

    Nov 30, 2005
    1,158
    Toulouse (France)
    Full Name:
    Eric DECOUX

    I thought for some time about a way to read and program data without desoldering the EEPROM, but the only alternative solution is to cut the circuit tracks, solder some wires to the programmer, and then reconnect the tracks ... much more difficult IMO.
    The tip to desolder such an SMD component is to remove some solder with an absorbing braid, then, when heating each pin in turn, to progressively slide a razor blade or a feeler gauge between the board and the pins. This prevents the heated pins from resoldering to the board. Very efficient.

    The programmer I use is here: http://col2000.free.fr/mwprog/index.htm
     
  8. eric355

    eric355 Formula 3
    Silver Subscribed

    Nov 30, 2005
    1,158
    Toulouse (France)
    Full Name:
    Eric DECOUX
    Sorry but I don't know at all the 430 remote. I would love to, but ....
    Almost a decade between the 355/360 techno and the 430 one, hope it is a completely different system.
     
  9. GCalo

    GCalo F1 Veteran

    Sep 15, 2004
    7,645
    Northern California
    Full Name:
    Greg Calo
    #9 GCalo, Dec 16, 2006
    Last edited by a moderator: Sep 7, 2017
    Excellent find and great that you are sharing.

    I have the red remote and I really do not need another remote, but I am intrigued to try the process to have one more remote.

    What about the software for the programmer? What are you using for that?

    TonyC has advised me this AM that 3M has an 8 pin clip that would clamp onto the 8 pins which could then be used to extract and to program the data w/o having to desolder/resolder the IC.

    If this works, it is an easy way to do the process w/o chancing damaging the IC.

    We know that a 15 watt soldering iron is probably about the max heat one should use for the process, as it is a tricky one. I would prefer to extract the info rather than risk damaging the device.

    You must have very good eyes!

    If TonyC gets this to work, I'll experiment with the process and then would be happy to do it for anyone who needs one.

    Here's a photo of the clip.
     
  10. GCalo

    GCalo F1 Veteran

    Sep 15, 2004
    7,645
    Northern California
    Full Name:
    Greg Calo
    We could certainly experiment with this. It might be possible. However, it could be that all functions are now in only one processor w/in the key.

    I have an Enzo key coming, and I could experiment with that as well.

    It's for sure there is a similarity as it's doubtful major changes would be made between models.
     
  11. eric355

    eric355 Formula 3
    Silver Subscribed

    Nov 30, 2005
    1,158
    Toulouse (France)
    Full Name:
    Eric DECOUX

    The link I provided covers both programmer hardware and software. Sorry, it is a French site.

    I know about this kind of clip; the problem is that when you try to read or program the EEPROM in situ you have to power it on. This will also power on the controller and you may have conflicts between the voltage levels the programmer imposes on the EEPROM pins and the microcontroller levels. It may work or not, or even damage the controller if no care is taken to limit the programmer current capability. I find this option too risky to try on my single remote.

    Indeed, with some practice on some rubbish boards of any kind, desoldering is not a problem. I have done 3 without any issue.
     
  12. GCalo

    GCalo F1 Veteran

    Sep 15, 2004
    7,645
    Northern California
    Full Name:
    Greg Calo
    I did not scan down to see the rest! DAH!

    We'll experiment with this and let you know.

    Many thanks.
     
  13. Dr Dave

    Dr Dave Karting

    Dec 11, 2006
    62
    Northern Virginia
    Full Name:
    Dave Kirk
    I'll jump in the mix as interested in the results. I just bought my F355 a few weeks ago and it only came with one remote.

    I do have the keycode, and have ordered a new set of remotes (one red and two black) through FoW. My mechanic there (I've dealt with him for years) seems to feel that with the keycode, we should be able to program this set of remotes. He was actually quite confident in his description of the process, and he's always been great to deal with and usually right.

    In reading this thread, I'm beginning to think people have had less success with this process than I would have thought after talking with him.

    If you have the keycode, and three new remotes (one of which is red), can you 'simply' reprogram the remotes?

    It's going to be painful if the answer is no because it's a non-refundable $415.
     
  14. GCalo

    GCalo F1 Veteran

    Sep 15, 2004
    7,645
    Northern California
    Full Name:
    Greg Calo
    This process will work with one good remote. So, there was no need for you to buy the whole set, but as long as you have one, more can be programmed and there is no need to buy a new alarm system.

    If you only have one black remote, you can have 2 or 3 more. With this process you don't need to buy a red remote unless you want to.

    TonyC and I are working on this, and we should have it resolved in a few weeks. We will both be away next week. So, it has to wait until the beg of January.

    We are confident we can do this and then can do it for anyone who needs it done.
     
  15. Dr Dave

    Dr Dave Karting

    Dec 11, 2006
    62
    Northern Virginia
    Full Name:
    Dave Kirk
    Thanks for the reply Greg. I should have been more clear in my original post. I was really asking if the new remotes could be programmed straight out without having to go through this EEPROM approach - as long as you had the key code. I got the impression from FoW that given the key code you could set up the red remote straight out and then program the other two from it.

    Either way, if FoW fails for some reason, it looks like my fall back will be the approach on this thread, and thereby be able to avoid the painful repurchase of the entire alarm system. So, I'll be watching for your results in January. Have a good holiday... Dave
     
  16. Dr Dave

    Dr Dave Karting

    Dec 11, 2006
    62
    Northern Virginia
    Full Name:
    Dave Kirk
    Being an electrical / computer engineer by trade (at least in the earlier stages of my career), I can indeed see some issues (as Eric points out) if the circuit is not somewhat isolated. However, I still think Greg's approach holds merit with perhaps one simple adjustment. Unsolder the power pin on the EEPROM, and isolate it from the circuit board (slide an insulator under the pin).

    If the battery is removed, and the Power pin is isolated, nothing else on the board should see power since the clip Greg is using attaches to the top of the chip / pins (used these clips all the time in the lab while we were testing circuits). This will avoid the possibility of different signal levels (originating from different 'powered-on' sources) hitting the same pin during reading or programming of the chip - which could damage parts or at a minimum result in incorrect programming of the EEPROM.

    This should result in the 'safety' of Eric's original approach, and the convenience and reduced risk resulting from avoiding the removal and re-installation of the chip in Greg's approach.

    Just a thought...
     
  17. ylshih

    ylshih Shogun Assassin
    Honorary Owner

    Mar 21, 2004
    19,803
    Northern CA
    Full Name:
    Yin
    #17 ylshih, Dec 20, 2006
    Last edited by a moderator: Sep 7, 2017
    I agree that lifting pin#8 (Vcc) of the 93C46 should allow "in-circuit" programming in a safe fashion.

    I took my red and black fobs apart and the COP822 (microprocessor) and PCB seem to have the same part/assy numbers. That suggests that the only difference between a red and black fob is the programming in the 93C46 (EEPROM) part, which means that you should also be able to "back up" the red fob with full functionality.

    Greg - that looks like a DIP package clip. An SOIC package clip looks like this.
     
  18. eric355

    eric355 Formula 3
    Silver Subscribed

    Nov 30, 2005
    1,158
    Toulouse (France)
    Full Name:
    Eric DECOUX
    I agree that insulating the Vcc pin is the minimum to do to try an in-situ programming. Then cutting the PCB track and resoldering it is an option for a single track. It is worth trying in order to check that the "off" impedances of the microcontroller do not disturb the programmer.

    Interesting to see that the red fob has the same circuit as the black one. Hope it also has the same program in the controller. If you try to read their content, I would be glad if you could make me aware of the data content of the red one. I know there are some virgin areas in the black one's content, and would like to know if they are filled in the red one. Maybe an opportunity to reconstitute "my" red fob that way.
     
  19. Paul_308

    Paul_308 Formula 3

    Mar 12, 2004
    2,345
    I built a programmer for those chips some 15-20 years ago which ran off the parallel port of an XT computer. Wrote the program in BASIC. The chip must be powered with +5v & gnd and two inputs...one with data and the other to clock the data in/out. Speed was not an issue.

    Removing a surface mount chip is so easy that in situ programming with its danger of harming circuitry is silly. What is needed and most of you might not have is a static grounded solder-sucker. Using a temperature-controlled iron, heat 2 pins and suck the solder from them. Repeat. Use 1/32" dia solder to replace the chip. Just don't make the mistake of forgetting to note which way the chip was mounted.

    I don't know that I kept any written data but I recall many articles in 'Nuts and Volts' magazine using the 46's. I was reprogramming handheld police radios but found that chip in other boxes as well.
     
  20. eric355

    eric355 Formula 3
    Silver Subscribed

    Nov 30, 2005
    1,158
    Toulouse (France)
    Full Name:
    Eric DECOUX
    #20 eric355, Dec 20, 2006
    Last edited by a moderator: Sep 7, 2017
    Dave, it seems you have in hand all the stuff to reprogram your alarm ECU: old PIN code + new complete set of remotes and the associated new PIN code. Have you tried the procedure which is described in the WSM?
    Hope it will work for you. If not ... it will be possible to clone the new remotes from the old ;-) but it would be a pity!
     
  21. Dr Dave

    Dr Dave Karting

    Dec 11, 2006
    62
    Northern Virginia
    Full Name:
    Dave Kirk
    Thanks for the reply Eric. No, I have not tried the process yet, as the remotes won't be in until early January. Ferrari of Washington did caution me that there is always the possibility that the original dealer did not record the key code correctly, in which case I'd be SOL. However, with your approach, if my key code does not work, given that I still have the one working remote, I'll use the approach discussed here.

    BTW, as you pointed out, there are several EEPROM programmers for sale on e-Bay, most of which support the 93Cxx series of chips. They seem to range from $69 to about $129.
     
  22. eric355

    eric355 Formula 3
    Silver Subscribed

    Nov 30, 2005
    1,158
    Toulouse (France)
    Full Name:
    Eric DECOUX
    Dave, I re-read the procedure to make the alarm ECU learn the new remotes. In fact, my understanding is that the old PIN code is not necessary, only the new one, which must be entered with the key before pressing the red remote then the black ones. Wonder if somebody here has already tried this process and can help.


    There are tons of programmers on eBay and the web, e.g.:

    http://cgi.ebay.fr/Enhanced-Willem-EPROM-Programmer-USB-BIOS-PIC-FWH-ATMEL_W0QQitemZ170062101986QQihZ007QQcategoryZ4661QQrdZ1QQcmdZViewItem

    This one is very cheap (33$) and ... powerful. Not really necessary for what you would want to do but it can do the job. If you feel ready to try the EEPROM copy method, building your own programmer should not be a problem. Have a look at the link I provided: an LPT port connector, some wires, 1 resistor, and a support or a probe for the EEPROM and it is done ... for sure the simplest one!
     
  23. ylshih

    ylshih Shogun Assassin
    Honorary Owner

    Mar 21, 2004
    19,803
    Northern CA
    Full Name:
    Yin
    Just a concern that occurred to me after some more thought. Have you confirmed that the cloned fobs will work even after multiple uses? For example, take fob #1 and use it 30-40 times, then try to use fob #2.

    Here's why I'm asking. The basic algorithm used in many remote keys/controls is called "KeeLoq". In KeeLoq, every transmitter has a unique serial number, a serial use counter and a shared key with the receiver. The serial use counter is one of the pieces of info encrypted when a command is sent and it is incremented after each transmission. This ensures that every transmission is different, so that an RF signal capture/replay unit can't spoof the receiver. Since the transmitter can be pressed multiple times out of receiver range, KeeLoq checks for a range of advancing serial counter values before it tries to resync to a higher value; but it shouldn't allow reuse of old serial counter values until a long period of time expires. It should be keeping track of the serial counter values by each transmitter's serial number.

    Getting back to the cloned fobs, if the EEPROM is duplicated, then both the serial number and the serial counter of the two fobs are duplicated. That means that one of the fobs is going to generate old values that the receiver may think are spoof attempts. It's possible that Ferrari/Bosch uses a different system than KeeLoq, but it's probably similar enough that this needs to be checked.
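
As an added illustration of the counter check described in the post above (not part of the original thread, and not the algorithm of any real remote system): a simplified receiver model showing how a receiver that tracks one counter per serial number treats two fobs carrying the same EEPROM image. The window sizes, the two-consecutive-code resync rule and all names are assumptions; encryption of the transmission is left out.

```python
"""Toy rolling-counter receiver (constructed model; all parameters are assumed)."""
from dataclasses import dataclass, field

MOD = 1 << 16            # assumed 16-bit use counter
OPEN_WINDOW = 16         # assumed: 1..16 presses ahead is accepted at once
RESYNC_WINDOW = 1 << 15  # assumed: further ahead needs two consecutive codes


@dataclass
class Receiver:
    last: dict = field(default_factory=dict)     # serial -> last accepted counter
    pending: dict = field(default_factory=dict)  # serial -> counter awaiting confirmation

    def learn(self, serial, counter):
        self.last[serial] = counter

    def receive(self, serial, counter):
        """Classify a (serial, counter) pair as recovered from a transmission."""
        if serial not in self.last:
            return "reject"                      # unknown transmitter
        ahead = (counter - self.last[serial]) % MOD
        if 1 <= ahead <= OPEN_WINDOW:
            self.last[serial] = counter
            self.pending.pop(serial, None)
            return "accept"
        if OPEN_WINDOW < ahead < RESYNC_WINDOW:
            # Far ahead (pressed out of range): require the next code in sequence.
            if self.pending.get(serial) == (counter - 1) % MOD:
                self.last[serial] = counter
                del self.pending[serial]
                return "accept"
            self.pending[serial] = counter
            return "resync-pending"
        return "reject"                          # ahead == 0 or behind: replay or stale


@dataclass
class Fob:
    serial: int
    counter: int

    def press(self):
        self.counter = (self.counter + 1) % MOD
        return self.serial, self.counter


def simulate_clones(presses_on_first=40):
    """Use fob 1 repeatedly, then fob 2, which holds the same serial and counter."""
    rx = Receiver()
    fob1 = Fob(serial=0x1234, counter=100)       # constructed sample values
    fob2 = Fob(serial=0x1234, counter=100)       # identical EEPROM image
    rx.learn(0x1234, 100)
    first = [rx.receive(*fob1.press()) for _ in range(presses_on_first)]
    second = [rx.receive(*fob2.press()) for _ in range(presses_on_first + 2)]
    return first, second
```

In this model the second fob is rejected for every press whose counter is not ahead of the last accepted value, and is accepted again only once its own counter has passed the first fob's.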
     
  24. GCalo

    GCalo F1 Veteran

    Sep 15, 2004
    7,645
    Northern California
    Full Name:
    Greg Calo
    This does make a great deal of sense, but I'd have to believe that the system has a way to clear itself.

    What I mean is that if we all use the black fobs regularly and then at some much later time use the red fob, according to what you suggest the red one should not work.

    So, while there certainly has to be a way to ensure reliability and an avoidance of errant signal capture, I would think that the system has to have a means to clear for the entire grouping of keys for that vehicle so what was suggested does not in fact occur.

    We may be looking at this in a more complicated way than it should be, but that's only speculation on my part.

    As to capturing the data, the suggestion to lift only the power lead makes great sense since the eeprom would only see 1/8th the heat of a solder iron. Great suggestion.

    TonyC and I will work on this and then let you know. I do not think it is overly complicated.

    As stated once we get this to work in a somewhat less complicated manner, I'd be happy to clone fobs for anyone. I may even be able to get the blank fobs at a very good price.

    More on this to come.

    All suggestions greatly appreciated.

    Where's Chris Lee on this one? He was a key in resolving the distance problem with the remotes by discovering how to pull the antenna away from the steel housing. I can tell you that works great.

    Chris, are you listening?
     
  25. thibaut

    thibaut Formula Junior

    Feb 28, 2004
    528
    London, UK
    Full Name:
    Thibaut A.
    Very interesting.
    I have a single black remote left and of course no code. Classic Ferrari blackmail as they want to charge ££££ for new chip and full set of remotes.

    Looks like the solution for anyone with sufficient electronic skills.
    Being challenged in this area, I guess the only way out is still paying.

    Thibaut
     
