Megane 1 IR key reprogramming


forlix
30th June 2012, 05:40 PM
I have a Megane IR key fob where I replaced the battery and probably took too long to put in the new one (can someone confirm that this makes the key unusable??). Now with each button press the red LED in the key lights up longer than before, and the IR LED does not transmit anything anymore. So I'm guessing the key is "erased"... I think there was someone on this forum claiming to be able to reprogram these keys, but I just can't find the post anymore. If anyone has any info at all about the microchip inside (S105078003/SC428995CDW) please share it... there is absolutely no datasheet on the web for it, so no chance for me to figure out how to program it, even though I have the tools and expertise :(

Prickleypear
2nd July 2012, 06:07 AM
How sure are you that the IR LED isn't working? Have you looked at it through a digital camera?
It could be that it just lost sync with the car

Have a look here for the resync procedure:
http://www.renaultforums.co.uk/showthread.php?t=18638&highlight=key+resync
or here
http://www.renaultforums.co.uk/showthread.php?t=56571&highlight=key+resync

forlix
2nd July 2012, 01:13 PM
Yes I've checked it via camera. Also, the red LED lights up for about 1.5 seconds - on my other, working key, it's much shorter than that. Something is definitely wrong with the key. I'm going to buy a random one on ebay for a few bucks, just to see if I can reproduce what caused this, to bring some clarification if taking out the battery for too long (thus emptying the small capacitor on the PCB) really makes these keys unusable. I thought that the individualization of the key electronics (the code printed in the casing) is stored in a permanent memory in the chip, but now it occurred to me that it might as well be stored in a memory that loses its information with power loss, as the capacitor under normal circumstances is enough to bridge the time for a battery change, unless you press the button with the batteries out... the manual doesn't say anything about a time restriction when swapping batteries, however.

I must admit, I fiddled with an ohmmeter to check some of the PCB traces (the key's IR LED had come loose, but it's soldered back on now), and since this applies about 2.5 volts to wherever you measure, I might have triggered something in the chip, maybe a reset or something.

Prickleypear
3rd July 2012, 05:58 AM
> I must admit, I fiddled with an ohmmeter to check some of the PCB traces (the key's IR LED had come loose, but it's soldered back on now), and since this applies about 2.5 volts to wherever you measure, I might have triggered something in the chip, maybe a reset or something.

That sounds more reasonable. The key will go out of sync when the battery is out too long, but it should work again after being sync'ed. Check if there aren't any other loose tracks on the key's PCB or if you haven't put the LED on the wrong way.

forlix
10th October 2012, 01:03 PM
This strange key still isn't working... the LED is definitely soldered on correctly and working. I found out a number of funny "states" the key chip can be in. Changing between them is somehow done by cycling power to the PCB, while also pressing the button. Since I have no idea I just did this randomly, and by chance I found these states that the key remains in at least until the batteries are disconnected and the PCB is completely de-energized (capacitors):

Known PLIP states:

1. Pressing the button does nothing (no red LED, no IR transmission, batteries are FINE and PCB is energized!!)
2. Pressing the button causes red LED to light up for 1.5 seconds, no IR transmission
3. Normal state - pressing the button lights up the red LED for a short time, causes an IR transmission, while the third press in a 1.5 sec interval causes a different (longer) IR transmission and the red LED to light up longer (probably this transmission is needed for the resyncing procedure)
4. Pressing the button causes red LED to light up short and cause an IR transmission as in normal state (3), but subsequent key presses will not do anything unless the key is left unpressed for at least 5 seconds

Remarks:
When de-energizing the PCB, e.g. disconnecting it from the batteries and leaving it to discharge (or discharging the capacitors forcefully), then restoring power, I usually find the key in state 2.

My other (working) key was in this state 2 for a short time with me being shocked "damn I ruined my only working key", but somehow I managed to get it back to state 3 and it worked again with the car immediately without resyncing. This happened because up to now I never *had* to do the resync for the working key - I even had the car sitting in the garden for a month without power, and after reconnecting the battery the good key worked without resyncing - so I wanted to force the good key out of sync by taking out its batteries and discharging the PCB, but still no resync was required :confused:...

Contrary to that, my bad key mentioned first in this post is totally impossible to resync, in none of the mentioned states. The casing of the key has the same code inscribed as my good key, which leaves the very unlikely possibility that one of the previous owners put in a different PCB from another car, and obviously that wouldn't work.

I bought the car with the two keys, one of them being wrapped with sticky tape labeled "inoperative" - after opening the key the IR led had a broken leg. After fixing this, I arrived at the above :(

If the PCB in the broken key is still the original one, I tend to go with the following assumption:
State 2 is a programming state, from which the key can be programmed to a car by somehow pressing the button/holding it pressed and cycling power to the PCB. Some kind of code is entered this way (perhaps the emergency code, perhaps the code inscribed in the key), either manually or by hooking the key up to some electronic equipment which does the power cycling. After this procedure, the key will go into state 3, and can be (re)synced to the car successfully.
I assume this, because I am able to get the key from state 2 to state 3 by random button presses and power cycling, however I am then unable to resync the key with my car, probably because I entered some random code via my random actions, programming the key for something not my car. :(
So the conclusion is: I wish I knew this secret programming procedure that I'm assuming exists :d

I might as well go to a dealer with the key in state 2 and ask what the hell that is, maybe they see that it can be programmed again, but probably they will just say it's broken, which I refuse to believe - digital electronics can either work or be broken, and this key behaves completely normal with all its in and outputs, just transmitting the wrong IR codes. I even looked at the IR transmissions by using a photodiode on a digital storage oscilloscope, comparing the transmissions with those of my working key - the 1s and 0s of the transmission were similar, and the transmission timing was identical.

Another final remark:
With the bad key in normal state, pressing the button a few times trying to lock/unlock my car and then taking the good key, I have to press the good key about 5 to 10 times until it starts locking/unlocking the car again. So the car does receive the bad key's transmissions, and somehow they make it go slightly out of sync with the good key. Strangely though, after I had the bad key hooked up to triggering electronics so it would transmit once per second, and left it this way for several hours in the car, hoping the car might somehow resync that way, after stopping the bad key's transmissions and taking the good key again, it will again work after 5 to 10 presses, even though the bad key had sent a few thousand transmissions during the hours...

forlix
12th March 2013, 04:05 PM
Thanks - finally someone who can make use of my work!
Two identical keys will not work (I tried it) because the key codes are rolling and the car won't accept an old code. So whenever you press one key, the other one's next press would send this same old code. If you've used key 1 a hundred times with the car and want to change over to using key 2 now, you'd have to press key 2 at least a hundred times away from the car to get ahead in the sequence. The car also seems to have anti-flood measures - if it ever receives an old code, it jumps even farther ahead in the sequence so you can't just keep pressing, aiming at the car, hoping to get ahead in the sequence.

I have some stuff in the pipe in terms of information on the actual memory contents and my progress with that. I'll probably post that later today :)
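
The rolling-sequence behaviour described in the post above, as a toy model (an added example, not code from the thread and not the car's actual protocol). Each transmission is reduced to a bare sequence counter; the `PENALTY` value and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model: each transmission is reduced to the sequence counter the
 * receiver would recover from it. PENALTY is an invented value. */
#define PENALTY 8u

struct fob      { uint32_t ctr;  };   /* last counter the key sent         */
struct receiver { uint32_t last; };   /* position a new code has to exceed */

static uint32_t fob_press(struct fob *f) { return ++f->ctr; }

/* Accept only codes ahead of the stored position. On a stale code, reject
 * and move the position further ahead (the anti-flood behaviour). */
static int receiver_rx(struct receiver *r, uint32_t code) {
    if (code > r->last) { r->last = code; return 1; }
    r->last += PENALTY;
    return 0;
}

/* Key 1 is used `uses` times with the car. Its clone (same starting memory)
 * is pressed `away` times out of range, then `tries` times at the car.
 * Returns how many of the clone's presses at the car were accepted. */
unsigned clone_accepted(uint32_t uses, uint32_t away, unsigned tries) {
    struct fob key1 = {0}, key2 = {0};
    struct receiver car = {0};
    unsigned ok = 0;

    for (uint32_t i = 0; i < uses; i++)
        receiver_rx(&car, fob_press(&key1));
    for (uint32_t i = 0; i < away; i++)
        fob_press(&key2);                 /* the car never sees these */
    for (unsigned i = 0; i < tries; i++)
        ok += (unsigned)receiver_rx(&car, fob_press(&key2));
    return ok;
}

int main(void) {
    printf("pressed 500x at the car:  %u accepted\n", clone_accepted(100, 0, 500));
    printf("pressed 100x away first:  %u accepted\n", clone_accepted(100, 100, 1));
    return 0;
}
```

In this model every stale press costs the clone more ground than it gains, so it only catches up when pressed out of range of the receiver.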

Tinkerman
13th March 2013, 09:12 AM
forlix, all I can say is WOW! :jawdropping:
You've done some serious reverse engineering...
I'm also impressed by the programming jig you made probably with a CNC machine...it seems you're really committed to this project...
As for me, my target is much lower, just to clone my living key before it goes Kaput. No need for two keys to work concurrently.
Your programmer looks really nice too.
Re EEPROM corruption, AFAIK this is an inherent weakness in EEPROM technology, with a good explanation here:
http://support.atmel.com/bin/customer.exe?=&action=viewKbEntry&id=4

In the case of the PLIP, from my analysis I have found a probable explanation for the EEPROM corruption, but first, let's discuss normal operation which I have analyzed with the aid of a digital scope:

1. Normally the HC05 uP is powered at all times but is in sleep mode with its clock halted to conserve power.
2. Pressing the button triggers a wake-up interrupt, the clock resumes and CPU resumes execution from where it halted.
3. The uP calculates the next rolling code, stores it in EEPROM and transmits it via the LED (a heavy power consumer).
4. The uP goes back to sleep mode turning the clock back off.

So when you press the button with the batteries disconnected, the above process repeats, but this time running off the small on-board storage capacitor. Now guess what happens when the voltage falls below EEPROM writing spec while the current code is still being written to EEPROM?...:d (yep, data corruption...:eek::crazy:).

I agree with your conclusion about not pressing the button with the batteries out, but it's hard (actually impossible) not to touch that button while pulling the PCB out of the case...

IMO, key failure while changing batteries should be a pretty wide-spread scenario, yet another Renault design bug that their poor customers are forced to pay extortionate prices "to repair", while Renault is to blame...if they would have offered cheap reprogramming of the "defective" PLIP I'd say they would have been fair.

BTW, this wouldn't have happened if Renault had used a device supporting also OTP memory that can't be erased for the key ID parts and saved only the rolling code in EEPROM, but they wanted to keep it cheap...
On the other hand, thanks to their design bug we can hopefully revive our "dead" PLIPS.
I hope that at least the immobilizer has non-erasable memory for its CAR ID code storage...
Keep up the good work! :beer:
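
The brown-out scenario in the post above, seen from the firmware side (an added example, not code from the thread or from the PLIP firmware): the counter is kept in two slots with a complement check, so a write cut short by falling voltage cannot destroy the last good value. The simulated EEPROM, the 0xFF model of an interrupted byte and all names are assumptions; counter wrap-around is not handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT 8                     /* 4-byte counter + 4-byte bitwise complement */
static uint8_t eeprom[2 * SLOT];   /* simulated EEPROM (constructed), two slots */
static int budget = -1;            /* bytes writable before brown-out; -1 = no limit */

/* Byte-wise write. When the budget runs out, the byte in progress is left
 * in a bad state (modelled as 0xFF) and the rest is never written. */
static void ee_write(int addr, const uint8_t *src, int n) {
    for (int i = 0; i < n; i++) {
        if (budget == 0) { eeprom[addr + i] = 0xFF; return; }
        if (budget > 0) budget--;
        eeprom[addr + i] = src[i];
    }
}

/* Newest self-consistent slot (0 or 1), counter in *v; -1 if none is valid. */
int counter_load(uint32_t *v) {
    uint32_t c[2], inv;
    int ok[2];
    for (int s = 0; s < 2; s++) {
        memcpy(&c[s], &eeprom[s * SLOT], 4);
        memcpy(&inv, &eeprom[s * SLOT + 4], 4);
        ok[s] = (c[s] == (uint32_t)~inv);
    }
    if (ok[0] && (!ok[1] || c[0] >= c[1])) { *v = c[0]; return 0; }
    if (ok[1]) { *v = c[1]; return 1; }
    return -1;
}

/* Overwrite only the slot that does NOT hold the newest valid counter. */
void counter_store(uint32_t v) {
    uint32_t cur, inv = ~v;
    uint8_t rec[SLOT];
    memcpy(rec, &v, 4); memcpy(rec + 4, &inv, 4);
    ee_write(counter_load(&cur) == 0 ? SLOT : 0, rec, SLOT);
}

int main(void) {
    uint32_t v = 0;
    counter_store(41); counter_store(42);
    budget = 2;                    /* power dies two bytes into the next write */
    counter_store(43);
    int s = counter_load(&v);
    printf("slot %d, counter %u\n", s, (unsigned)v);   /* slot 1, counter 42 */
    return 0;
}
```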

Tinkerman
15th March 2013, 05:59 AM
LOL, "while pressing the button like a maniac"...if you were a REAL maniac, you'd add another circuit to press the button for you...:d

Re just changing batteries, you're right, but my scenario is different - I connected external power to the PCB and played with power-up (like a maniac too :d) until the PLIP started to behave normally (it would be difficult to do this repetitively fast in the case and with batteries installed while pressing the button too...), then transferred it to the key shell and added batteries as fast as I could and went to try to sync it with the car immobilizer.

Tinkerman
18th March 2013, 11:40 AM
Again, my applause for your persistence and achievements...lucky for Renault that this system is long gone...nowadays, even the thieves :devil: aren't interested in these cars, so anything you do might help the poor Renault owners...(such as you and me :d).
Actually I have other cars but I kinda like having this robust mule around as long as it runs. I like the strong rear hatch, good for loading several bikes on top, as well as non-attractiveness for thieves. And now that I've taken care of the gear problem (a common nightmare not only for Renault but also other European cars) with the help of a gear mechanic friend and done it right, I want to iron out other weaknesses such as the PLIP. As long as it's working, I'm fine with it, just not fall into the hands of the RR's (Renault ripoffs...:d). The motor is actually pretty good.

forlix
28th April 2013, 09:05 PM
Exactly, and there isn't really any "IR coding circuitry"... the IR-LED is switched by a single transistor which in turn is switched by the controller... it's all digital, it either works or it's broken. It's very unlikely for the controller to malfunction (that would mean the software isn't working right... again very unlikely as it is mask-programmed).

Actually I'm not sure how much tolerance the car allows in the timing (something I could find out of course...). It might be fixed, but the car's receiver might even take the first few pulses of the signal for speed synchronization and if that was the case then it would allow a great deal of timing deviation without failing.

hondo
29th April 2013, 12:40 PM
Some time has been spent by the Admin / Mod team. We are rather concerned that in the wrong hands some of what was in the above posts could be useful for less than honest purposes.

Therefore posts have been removed & the thread is now closed.

http://www.renaultforums.co.uk/view.php?pg=rules