Fiat Punto Low Car Radio Decoding

By Christian Robert Adzic, September 22, 2015

Hi!
I got a "Fiat Punto Low" car radio in for repair today. The problem was simply that the device was locked. The car owner had been at a service garage where the mechanics disconnected the car battery without realising that the radio has a security mechanism. When the battery terminals were reconnected, the radio asked for its code. What did the owner do? He made a few attempts to unlock the radio, and this is what appeared after the wrong code had been entered a few times:

[Photo: the radio's display showing "WAIT"]

Do you know why "WAIT" is on the screen?
It is there because the mechanics, not knowing the correct code, tried several times to unlock the radio. The radio has a security mechanism in its firmware that counts the wrong attempts and makes you wait longer and longer before it accepts the next entry.
This type of security exists to prevent so-called brute-force unlocking.
A brute-force attack is a cracking technique that tries the codes systematically, one after another: 0000, 0001, 0002 ... 0010, 0011 ... 0100 ... and so on until it hits the right one, say 1111. A four-digit decimal code has only 10,000 possible values, so if the device had no anti-brute-force mechanism the code would be easy to crack.

In this case, the anti-brute-force mechanism is an escalating time penalty: each wrong code makes the next waiting period longer.

What does this mean? Let's look at the diagram I made for you:

[Diagram: waiting time after each wrong code entry]

If you enter a wrong code the first time, "WAIT" appears on the screen for 1 minute. If you enter a wrong code a second time, you have to wait 2 minutes. If you enter a wrong code for the tenth time, you have to wait 12 hours before the device lets you try again. On most devices, after 12 wrong codes the radio goes into "SAFE" mode, and you can wait a lifetime to get another chance to enter the code. The attempt counter is kept in the radio's EEPROM, not in RAM, so disconnecting the power does not reset it; that is the whole point of the mechanism, and it is also why the repair works on the EEPROM.
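To make the escalating penalty concrete, here is an added simulation (example code written for this edit, not the radio's firmware) of a code check whose wrong-attempt counter lives in non-volatile memory. The article gives only three points of the schedule (1 min after the first wrong code, 2 min after the second, 12 h after the tenth, SAFE after the twelfth); the values in between are assumed and marked as such in the code. It shows why the counter, not the power, is what has to be reset, and how long a naive brute force would take against it.

```python
"""Escalating-lockout model of a car-radio code check.

Added illustration, not the radio's firmware. Only schedule entries 1, 2 and 10
and the SAFE threshold come from the article; the other values are ASSUMED.
"""
from __future__ import annotations
from dataclasses import dataclass

MIN, HOUR = 60, 3600

# Waiting time in seconds after the n-th consecutive wrong code (list index = n).
LOCKOUT_SCHEDULE = [
    0,          # 0: no wrong code yet
    1 * MIN,    # 1 (article)
    2 * MIN,    # 2 (article)
    4 * MIN,    # 3 (assumed)
    8 * MIN,    # 4 (assumed)
    16 * MIN,   # 5 (assumed)
    32 * MIN,   # 6 (assumed)
    1 * HOUR,   # 7 (assumed)
    2 * HOUR,   # 8 (assumed)
    6 * HOUR,   # 9 (assumed)
    12 * HOUR,  # 10 (article)
    24 * HOUR,  # 11 (assumed)
]
SAFE_AFTER = 12  # 12 wrong codes -> "SAFE", no further attempts (article)


@dataclass
class RadioEeprom:
    """The two fields the repair rewrites: stored code and wrong-attempt counter.
    Being EEPROM, both survive a battery disconnect."""
    code: str
    wrong_attempts: int = 0


@dataclass
class Radio:
    eeprom: RadioEeprom
    clock: int = 0        # seconds since power-on
    unlock_at: int = 0    # earliest moment the firmware accepts an entry
    unlocked: bool = False

    def __post_init__(self) -> None:
        # At power-on the penalty is recomputed from the counter in EEPROM,
        # so cycling the power does not shorten the wait.
        n = self.eeprom.wrong_attempts
        if 0 < n < SAFE_AFTER:
            self.unlock_at = self.clock + LOCKOUT_SCHEDULE[n]

    @property
    def safe_mode(self) -> bool:
        return self.eeprom.wrong_attempts >= SAFE_AFTER

    def try_code(self, code: str) -> str:
        """Returns what the display would show: OK, WAIT or SAFE."""
        if self.unlocked:
            return "OK"
        if self.safe_mode:
            return "SAFE"
        if self.clock < self.unlock_at:
            return "WAIT"
        if code == self.eeprom.code:
            self.unlocked = True
            self.eeprom.wrong_attempts = 0
            return "OK"
        self.eeprom.wrong_attempts += 1          # written to EEPROM, not RAM
        if self.safe_mode:
            return "SAFE"
        self.unlock_at = self.clock + LOCKOUT_SCHEDULE[self.eeprom.wrong_attempts]
        return "WAIT"

    def wait_out_penalty(self) -> int:
        """Advance the clock to the end of the current WAIT; returns seconds waited."""
        waited = max(0, self.unlock_at - self.clock)
        self.clock = max(self.clock, self.unlock_at)
        return waited


def brute_force(radio: Radio, digits: int = 4) -> tuple[str, int, int]:
    """Try every code in order, waiting out each penalty.
    Returns (final display, codes tried, total seconds elapsed)."""
    tried = 0
    for n in range(10 ** digits):
        result = radio.try_code(f"{n:0{digits}d}")
        tried += 1
        if result in ("OK", "SAFE"):
            return result, tried, radio.clock
        radio.wait_out_penalty()
    return "EXHAUSTED", tried, radio.clock


def repair_demo() -> tuple[str, str]:
    """Right code after nine wrong tries shows WAIT. Zero the counter in EEPROM
    (what the programmer does) and power up again: OK immediately."""
    eeprom = RadioEeprom(code="1111", wrong_attempts=9)
    before = Radio(eeprom).try_code("1111")
    eeprom.wrong_attempts = 0      # the field rewritten on the programmer
    after = Radio(eeprom).try_code("1111")
    return before, after


if __name__ == "__main__":
    print(repair_demo())                               # ('WAIT', 'OK')
    print(brute_force(Radio(RadioEeprom("0005"))))     # ('OK', 6, 1860)
    print(brute_force(Radio(RadioEeprom("0020"))))     # ('SAFE', 12, 165780)
```

Even with the assumed schedule, a code as low as 0020 pushes the attacker into SAFE mode after roughly 46 hours of waiting, and the real radio's counter keeps that state across power cycles; the only way past it is to change the counter where it is stored.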

The customer asked me to unlock his radio, if possible, but without waiting several hours. I said OK: leave the unit with me for an hour and I will finish the job.

What I have to do is find the EEPROM inside the device and reprogram it with content in which I know the code and the attempt counter is set to zero.
After opening the device, I found the tiny IC: a 95160 EEPROM (a 16 Kbit, i.e. 2 KB, SPI serial EEPROM).
It is an SMD (Surface Mounted Device) in an 8-pin package, and I have to desolder it from the main board.

Let’s check the pictures:

This is the inside of the radio from the top, after removing the top cover.

The bottom side of the radio.


Right and left sides. You have to take out these two bolts.

Remove the front cover gently.


Separate the cassette player mechanism from the main board (see the picture):

This is the PCB without the cassette player mechanism.


This is a close-up of the EEPROM and its orientation on the board.

Now I have to remove this tiny EEPROM from the board and put it into my favourite EEPROM programmer, the Seeprog. Take care when removing the IC because of the other small components around it; I use my hot-air SMD rework station for this. Pay particular attention to the other side of the PCB, to the part directly under the EEPROM: if you lose that component, the radio may be damaged or something won't work.


Here is my home-made SMD-to-DIL adapter:

I made it years ago, it still works well today and has never failed me. I used a DIL8 IC socket, a piece of HDD data cable and nothing else.

[Photo, left: the DIL8 IC socket. Right: the targeted 95160 EEPROM]

As you can see, I solder the SMD IC to the bare wires of the HDD cable. I used the well-known SMD test clips ("crocodiles") many times, but they gave me too many contact problems: from time to time the contact was poor, and that drove me crazy. So I decided to solder the target IC to the wires at the end.


After reprogramming the EEPROM I put it back on the PCB, pressed the power button and entered the code, and the radio came back to life without having to wait a couple of hours.
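The article does not show the dump itself, so what follows is an added example (written for this edit, not the author's tool) of the kind of script a repairer can use to find the attempt counter in a 95160 dump by differential comparison and zero it: read the EEPROM once, let the radio register one more wrong code, read it again, and look for the single byte that moved by one. The two 2 KB dumps are constructed inline with an assumed layout; the real offsets of the code and the counter in this radio are not on the page and are not claimed here. Note that a diff between two attempts reveals the counter but not the stored code, which is why the author instead writes a complete image of the same model whose code he already knows.

```python
"""Differential analysis of two 95160 EEPROM dumps to locate and reset the
wrong-attempt counter. Added example; the layout below is ASSUMED and the
dumps are constructed, not read from a real radio."""
from __future__ import annotations

EEPROM_SIZE = 2048  # 95160 = 16 Kbit SPI EEPROM

# Assumed offsets used only to build the sample dumps.
CODE_OFF, COUNTER_OFF, PRESET_OFF = 0x010, 0x012, 0x040


def make_dump(counter: int, code: bytes, preset: bytes) -> bytes:
    """Constructed sample image: blank 0xFF EEPROM with a few planted fields."""
    if len(code) != 2 or len(preset) != 4 or not 0 <= counter <= 0xFF:
        raise ValueError("sample field sizes are fixed for this demo")
    img = bytearray(b"\xff" * EEPROM_SIZE)
    img[CODE_OFF:CODE_OFF + 2] = code          # assumed: 2-byte code
    img[COUNTER_OFF] = counter                 # assumed: 1-byte attempt counter
    img[PRESET_OFF:PRESET_OFF + 4] = preset    # assumed: customer's station preset
    return bytes(img)


def diff_dumps(a: bytes, b: bytes) -> list[int]:
    """Offsets at which two same-size images differ."""
    if len(a) != len(b):
        raise ValueError(f"dumps differ in size: {len(a)} vs {len(b)}")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def locate_counter(before: bytes, after: bytes) -> int:
    """Between two wrong attempts only the counter should change. Accept a byte
    that moved by +1 or -1 (mod 256, so 0xFF -> 0x00 wrap-around and
    down-counting firmware both qualify). Refuse to guess if it is ambiguous."""
    changed = diff_dumps(before, after)
    cands = [i for i in changed if (after[i] - before[i]) % 256 in (1, 255)]
    if len(cands) != 1:
        raise RuntimeError(
            f"cannot identify counter; candidates: {[hex(c) for c in cands]}")
    return cands[0]


def reset_counter(dump: bytes, offset: int) -> bytes:
    """Return a copy of the image with the counter byte zeroed; nothing else
    is touched, so the customer's presets and clock settings survive."""
    if not 0 <= offset < len(dump):
        raise ValueError("offset outside the image")
    img = bytearray(dump)
    img[offset] = 0
    return bytes(img)


def verify_writeback(expected: bytes, readback: bytes) -> list[int]:
    """Offsets still wrong after programming; empty list means the write is good."""
    return diff_dumps(expected, readback)


def hexdump(dump: bytes, start: int, length: int = 16) -> str:
    chunk = dump[start:start + length]
    return f"{start:04x}: " + " ".join(f"{b:02x}" for b in chunk)


def demo() -> tuple[int, bytes]:
    """Locked radio read twice, one wrong code apart (constructed data)."""
    first = make_dump(counter=9, code=b"\x47\x11", preset=b"ROCK")
    second = make_dump(counter=10, code=b"\x47\x11", preset=b"ROCK")
    off = locate_counter(first, second)
    fixed = reset_counter(second, off)
    return off, fixed


if __name__ == "__main__":
    off, fixed = demo()
    print(f"counter located at 0x{off:04x}")
    print(hexdump(fixed, 0x10, 8))
```

After writing the patched image, read the chip back and run verify_writeback on it; a non-empty list means a bad contact on the adapter or a write-protected block, which is exactly the intermittent-clip problem described above. If the firmware also keeps a checksum over the security fields, the two dumps will differ in more than one byte and locate_counter refuses to guess rather than patch blindly.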

This is a long story made short, but I hope this tutorial will be helpful and save a lot of repair time for someone. I remember, when I started with this kind of work, how many hours I spent solving small and simple problems. These are things we never learn in school. Now I have decided to share my knowledge and experience as well as I can.

christian

This article was prepared for you by Christian Robert Adzic from Novi Knezevac-Serbia.


Note: You can check his previous post in the below link:

https://www.jestineyong.com/how-to-measure-the-voltage-rating-of-a-zener-diode/

 


18 Comments

  1. Albert van Bemmelen

    September 22, 2015 at 9:13 pm

    You are quite an expert in hacking and reprogramming EEPROMs, obviously.
    But after reading your very interesting article I still do not exactly understand what you did with the brute-force part of hacking the device. I know that you searched for the code where the time counter in the EEPROM is set to zero. I take it that you read the mnemonic code (assembly code) in the .bin or .hex file? But sadly you didn't show what the program code really looked like in this case, and that would make it a much better explanation. I don't know about the Seeprog programmer you used either. So your tutorial really isn't as helpful as you hoped it would be now. (I do not mean to be vicious at all; all I'm saying is that you left out the most important part of your tutorial.)
    Cheers.
    • Chris

      September 23, 2015 at 4:49 am

      Albert, thank you for supporting my article.
      It's hard to make a tutorial that is well explained in a short version like this. I wrote one tutorial about cracking where I explained in a nutshell how the stuff works. You can read this article:
      https://www.jestineyong.com/the-basics-of-electronic-security-bypassing/
      I didn't use the brute-force attack technique on the audio equipment because it is impossible to crack it with that type of cracking method. I described that the car radio has an algorithm which guards the car radio from a brute-force attacker.
      I wrote what you have to do to unlock it and avoid the time counter:
      "What I have to do is to find the eeprom inside the device and reprogram it with content where I know the code and the time counter is set to zero."
      What I don't know is whether it is legal to share EEPROM contents on this site, but if somebody needs that content for his/her repair I will share it. Just contact me through the admin of this site.
      In some countries it is illegal to share content which can bypass security stuff, and firmware contents.
      Here is the Seeprog:
      http://www.elnec.com/products/specialized-programmers/seeprog/
      It is my best friend when it comes to reading/writing EEPROMs.
      I didn't read the mnemonics in this case, so I have nothing to show about that.
      You cannot get any mnemonics/ASM code from an EEPROM. You can reverse a uC and get the firmware in ASM code, but before you can do that you have to know which type of disassembler you have to use. It is not the same if your desired uC is a Motorola or an Intel.
      EEPROMs store setup data; in the case of this article it is the code and the time-lock counter. Of course the memorized radio channels, RDS setup, clock/date etc. are there too. It does not matter to me whether it is a bin or hex file.
      To crack software, a radio code or a credit card you can simply use a hex editor and a reader/writer hardware.
      Sometimes there is not enough time to read the content, save it to a file, then translate it to mnemonic code (so-called assembler code), then analyze all that, then make the modification or whatever, then recompile... too time-consuming. It is faster to read the content, change it and write it back.
      I do not mean you are vicious, of course. We are here to share our knowledge with each other.
      The most important part of this article for most readers could be this:
      Q: What should you avoid if you get a car with a radio of this type?
      A: Avoid disconnecting the car battery until you know the code and have informed the car owner about the possibility of losing his/her radio.
      Q: How can you repair this type of radio in the shortest time?
      A: Find the EEPROM and reprogram it with another EEPROM content of the same radio where you know the code and the time counter is in the zero state.
      Q: How can I disassemble the radio?
      A: Read this article.
      Q: Where is the EEPROM and which IC is the EEPROM?
      A: Read this article.
      Q: Where can I find a good working EEPROM content for this radio?
      A: Sometimes Google is your best friend. If this does not work, let me know through the admin of this site.
      Q: What is the meaning of "WAIT" and of the "SAFE" option?
      A: Read this article.
      Q: How much time should I wait until I get a new chance to enter the code?
      A: Check the table in this article.
      Q: How can I enter the code into the radio?
      A: This is not described in this article, nor is how to solder or desolder components. Don't forget to use search engines before you ask tons of whys and hows.

  2. g wells

    September 22, 2015 at 9:42 pm

    smart man

  3. tyasomussa

    September 22, 2015 at 10:23 pm

    Thanks! I am interested in your tutorial. I am a beginner in electronics and still studying at engineering college! Please help me to get materials according to my level. Wish you all the best.

  4. sagar sen

    September 22, 2015 at 10:42 pm

    Affff... Simply great, I have no words...

  5. Joe

    September 22, 2015 at 11:54 pm

    Very interesting article. I would wait for the 24-hour lock-up period to be over instead of going through all of this. I can't imagine what kind of work those car technicians do at their car shop if they can't figure out a simple code. For the most part, all codes are written in the car manual, can be found on the internet, or are on a sticker inside the glove compartment. Thanks for sharing!!

    • Chris

      September 23, 2015 at 1:59 pm

      Joe:
      Thank you for supporting my article.
      For the waiting option: most cars have a so-called "Economy mode", which means that if you leave a consumer on, like the car radio, the main ECU will turn it off after 10-15-30 min and all the computers in the car will go to sleep. The car runs in economy mode until the shut-down time. You have no option to wait for even 1 h.
      A lot of car radios nowadays are connected to the entertainment computer in the car; if you disconnect the radio from the car and try to power it on on your bench without it being connected to the car, you will see a message on the LCD that the radio is not connected to the car, like "NO CAN COMMUNICATION". In this scenario you can wait a lifetime.
      The other problem is that in most cases the user didn't know about the time counter protection and did not count how many times he/she entered the code. In this scenario nobody knows how long you should wait.
      Code in the user manual: this type of car radio, or any other OEM audio equipment, has no separate user manual. It is put together with the user manual of the car, which in most cases is lost.
      Don't forget that this type of audio equipment is an OEM part of the car and you won't get any support from the car radio manufacturer. In the case of this article it is a car radio from a Fiat car, but the manufacturer is Blaupunkt. If you contact Blaupunkt about a lost code they will refuse your request. You have to visit an authorized Fiat garage and then they will empty your wallet for the code.
      The car radio's original code is always written on a separate card which should be in the case together with the user manual of the car, but from my experience the code card, which looks like a credit card, or the manual are lost in time.
      The code is never written on the body of the radio. If you do that, then you do the same thing as leaving your car in a parking place, locking the doors and putting the car key on the roof of your car.
      But I appreciate your logic, and the user should check all the possibilities, or remember the code, or find it or whatever, before they take the steps to pay for unlocking his/her equipment.
      Don't forget, we are repairers and not private investigators. We have to repair the users' tools, which we do for money.

  6. Robert Calk

    September 23, 2015 at 2:29 am

    Good job, Chris. Thanks for the article. You can go to eBay and get yourself a SOP8 to DIP8 programmer adapter socket; it will make the job much easier. Here is the link.
    http://www.ebay.com/sch/i.html?_from=R40&_trksid=p4712.m570.l1313.TR0.TRC0.H0.XSop8+to+DIP8+programmer+adapter+socket.TRS0&_nkw=Sop8+to+DIP8+programmer+adapter+socket&_sacat=0

  7. Robert Calk

    September 23, 2015 at 2:32 am

    Something is wrong with the website. I'll try to post the link again, or just search the words.
    http://www.ebay.com/sch/i.html?_from=R40&_trksid=p4712.m570.l1313.TR0.TRC0.H0.XSop8+to+DIP8+programmer+adapter+socket.TRS0&_nkw=Sop8+to+DIP8+programmer+adapter+socket&_sacat=0

  8. Chris

    September 23, 2015 at 1:28 pm

    Robert:
    the link's are ok. I opened the first and the second too.
    That's a nice tool. I ordered right now a several of them and I will make maybe
    an article when it arrive.
    Thanks again.

    Likes(2)Dislikes(0)
  9. James

    September 23, 2015 at 1:32 pm

    It was a very good article and had a vast amount of good information, from telling us in the first place that it used an EEPROM chip for its security purposes to some info on reprogramming them. And since most of us nowadays are pretty good at finding more information from the information you provided, it helps a great deal.

    P.S. I am not certain, but maybe some other countries cannot get to eBay because of the war situations right now.

  10. beh

    September 23, 2015 at 2:40 pm

    Hi Chris,
    thanks for this super article, and for your support with the KIA PRIDE horn repair. Sure, I am making a car fuse tester with the help of LEDs following your suggestions and very soon I will let you know the results.
    beh

  11. Albert van Bemmelen

    September 24, 2015 at 2:21 am

    Thanks for your reply with explanation after my questions, Chris.
    I will read your previous article on this subject again. I hope it will enable me to do the things you can do with electronic devices. But since reading and analyzing the EEPROM data in hex code is the hard part, it probably still will not work for me. The assembler hi/low byte change when comparing Motorola code against Intel I'm aware of. (I see someone didn't like my asking questions twice?)
    I know my way with Flowcode, a bit of Java, C, and I own a degree in Basic (Bascom). And I also know how assembler works, but fluently understanding mnemonics is another thing.
    Hope to read and understand more about your next article on these matters.

    • Chris

      September 25, 2015 at 12:22 am

      Let us drink a beer, mate.
      OK, let us clear up 2 things:
      1. The data stored in the EEPROM (even in a satellite in orbit) is some setup parameters. Let's say on a radio you save to memory the radio station that is now playing under button no. 3 on the radio. That info is saved in some format into the EEPROM of the radio. The CPU knows where the start and end offset addresses for that task are. Then the CPU has a logic (format) for how it will be saved to the memory location in the EEPROM. The smallest piece of information that can be written to the EEPROM is 1 byte, but you can use one-bit info too, like this: the radio has 4 memory stations and the info should now be 4 bytes long, yes? That would be wasting space. You can write this info into 2 bytes like this: "12 34 00 00 00 00 00 00", and now the CPU knows the first 2 bytes are the numbers of the memory stations and every single bit is the number of that station.
      OK, I will stop here. Maybe I will write an article about this stuff.
      2. Only the firmware can be disassembled, with a disassembling tool for exactly that CPU. And the firmware is only in the CPU and not in the EEPROM. There is no disassembling tool for an EEPROM. But I'm on the road to writing an article about how I disassemble the EEPROM if I have to get the information; that is much more complicated than reading the mnemonics. 🙂
      I have lived with mnemonics for over 25 years and I used them a lot until the war time in my country in the period 1995-1999. I don't like to remember that time...
      I can see you do something with AVRs? Or with MCS-51? And with PIC uCs.
      I appreciate you; please don't think I'm angry or whatever.
      Sorry if I hurt you somehow.

  12. Ulises Aguilar Pazzani

    September 24, 2015 at 12:19 pm

    Nice hint, thanks for sharing.

  13. Albert van Bemmelen

    September 26, 2015 at 9:14 pm

    Thanks Chris for the additional explanation. I get the big picture, but doing it in detail is the difficult part. So when your new article on these matters is ready I will love to read more about it.
    I am not much of a beer drinker though, but I get your point. To me you are a whizz-kid for hacking those EEPROMs. Although I once hacked a Sony Vaio notebook myself that didn't boot anymore because the password login code was lost by the owner. But overwriting one of the 24C02 serial flashable EEPROMs fixed that. Which was easy because it was explained in Chinese on an Eastern website, and Google Chrome helped me to translate the Chinese text into understandable English.

  14. albert

    September 26, 2015 at 9:32 pm

    Damn!! Good job... great article!!

  15. antonio hernandez garcia

    July 18, 2016 at 2:24 pm

    Hello. My problem is that the radio shows nothing on the screen, although the radio can be heard. I need to know what the problem is: the screen, or a capacitor, or a diode. Thank you.

