How the security system works

User avatar
My Name: Ozvtr

Moderator
Posts: 1079
Joined: Wed Jul 10, 2019 3:31 am
Model: C3 2002-2005, Original shape model
Year: 2003 (53)
Engine Size: 1.4 (8v)
Fuel Type: Petrol
Mileage: 80000
Trim Level: Other
Gearbox: Automatic PRND
DPF: No
LHD or RHD: RHD
Engine name: TU3 (75 PS)
Location: Brisbane, Australia.
Has thanked: 47 times
Been thanked: 314 times

Post

This post is very long and wordy, so I apologize in advance. So consuming this post a-bit-at-a-time might be more helpful.
The security system is defined as a series of anti-theft and anti-intrusion measures, both physical and cyber. They are designed around allowing only authorized access to the car and its systems. Occasionally "authorized" precludes access by the genuine owner of the vehicle too!!
There are a number of components in the security chain and I will try to outline them.


The basic physical blocks of the electronic security system.
security.jpg

The key components of...the key.
key.jpg

The key blade:
The simplest part of the security system. I won't go into the operation, I think we all know how this works. The car can be secured if there is no power to the car or for some reason the doors won't lock electrically. There is a door lock in the driver's exterior door handle. Note: this lock IS NOT connected to the central locking system and is effectively for emergencies only. If you live in a country where the authorities salt the roads, I highly recommend checking and lubricating this lock REGULARLY!! It is known to rust up! ...and when you really need it...it won't work!! Each of the remaining passenger doors has a locking device adjacent to the mechanism in the door.
lock01.jpg
As an aside, the rear tailgate can be opened from the inside by inserting a long thin probe, like a small screwdriver, into the hole shown. Then pivot the probe sideways.
lock02.jpg

The RFID chip:
I am not going to go into the principles of operation of the RFID chip (because I don't know it LOL) but suffice to say it's externally powered and does not require a battery.
Around the barrel of the steering column lock is a Radio Frequency (RF) coil. This coil is connected to the COM2000 and sends signals backwards and forwards to the BSI from the RFID chip in the key.
When you turn the key in the barrel of the ignition lock, to start the car, a pulse of RF is sent out of this coil and is received by the RFID chip. The RFID chip picks up this pulse and sends back an RF code. This code is picked up by the RF coil and relayed via the COMS to the BSI. The BSI then interrogates the signal (I'll get to that later). The BSI then sends the code to the engine ECU. If the engine ECU recognizes the code it will begin managing the engine and your car runs. If the code is not recognized the engine ECU will do nothing. The engine will turn over by the starter, but it won't run.
When the key is brand new and first coded to the car, the RFID chip will be in an "unlocked" state. Once coded to the car the BSI will "lock" the RFID chip. I will outline in "The RF transmitter" how this locking of devices works.
The RFID chip can be locked/unlocked by an RFID reader/programmer, like an Arduino or a key cloner. RFID chips can be read and reprogrammed. Meaning a chip can be copied. If you take your key to a locksmith they will make a copy (or clone) of the RFID chip and your car will think the two keys (the original and copy) are the same key and no coding to the car is required.
You can buy brand new unlocked RFID chips relatively easily and cheaply. Replacing and re-coding is relatively easy. So making a valet key is relatively easy. Note my gratuitous use of the word "relatively". You will need a car scanner or LEXIA or the like. Getting the central locking to work...well that's another kettle of fish. Read on McDuff!


The RF transmitter:
This is the small circuit board contained in the key. When you press the [door] lock or unlock button on the key, it sends out an RF code which is received by the receiver on top of the COMS unit. The code is known as a "rolling" code. That is, the code generated by the key changes and "rolls" on to the next code and it never uses that code again. The BSI is synchronized to the key when the key is first coded into the car and can be re-synchronized at any time by the user and requires no special tools. The BSI will accept "future" codes but not "past" codes. Say you lock your car and move out of range of the receiver (your car). If you press the button on the fob you will "use up" a code but the car will now not be synchronized to the fob, it didn't hear the signal and didn't move on. When you come back to the car and press the button, the car will not accept that code...straight away. However, the BSI will "look ahead" in the list of future codes. If the BSI recognizes the code it will open the doors. But it will only look so far ahead before it just won't accept the code anymore. So occasionally the fob and the BSI will get too far out of sync and you will need to go through the process of re-synchronizing the two.

"Why can I only code in MY old key(s) or a genuine BRAND NEW key to the current BSI and not other "old" keys"?

Oh boy!!! If you can stay with me on this one you are doing well. Now to be honest I am still trying to figure this one out but I'll tell you what I have surmised.
When you code in a NEW key both the RFID chip and the RF transmitter are in an "unlocked" state and are both coded into the BSI at the same time. You cannot code a new transmitter by itself, it needs to be "paired" to an RFID chip but I'll get to that in a minute. You CAN code in just the RFID chip if you wish. After coding, the BSI then tells both the transmitter and the RFID tag to "lock". Both the RFID chip and the transmitter have a unique identifier, a serial number if you will. The BSI will commit both of those numbers to memory...forever! So for example if you need to change the engine ECU and you need to code the keys again, the BSI will "remember" the old key(s) and accept them despite them being locked. If the key has been "locked" but the BSI does not recognize the identifier, then the BSI will not accept the locked key(s) and not code them in.
But wait...there's more!!!! The rolling code used by the transmitter is based on the identifier of THE RFID CHIP. So the BSI is looking for the code transmitted by the transmitter associated with a particular RFID chip. So if you try to re-synchronize a transmitter that has the wrong RFID chip in the key...it won't work! Ordinarily it's not a problem, only if the key becomes de-synchronized and you need to re-code it. How could you get into this situation? OK, what if the buttons on your two old keys break and you decide to change the cases and you somehow mix up the internals? Then one day in the future one key de-syncs? Normally you only require the RFID chip to start the car OR the transmitter to open the car. They run independently. But to re-synchronize, the RFID and transmitter must match! HOWEVER if you re-code the whole key, that should go through the process of pairing the two. Note: I am not sure of that one, it's just an assumption!
This is why changing the BSI is a pain, you cannot code in your old, locked, keys. Because the "new" BSI won't recognize your old keys.

"Can I unlock my old keys"?

Er, yes and no. If you have an STM style programmer and a hack for the transmitter MPU...yes. Or if you read the transmitter and RFID chip identifiers and hack the EEPROM in the BSI to get it to recognize them...yes. LOL! Have a look at the post script at the end of this post.
Apparently on later cars like the C1, the transmitter can be unlocked by pressing the lock and unlock buttons but I can't confirm that and the C1 is not really a PSA car.
I find this whole convoluted central locking transmitter stuff laughable. If a thief wanted something valuable left in your car...they would just smash a window and grab it!! This whole process is more of a pain to the owner than the thief! Or is someone trying to make some money? Hmm who is the thief here?



The COM2000:
This is the unit that has the wiper and turn indicator stalks on it. As far as the security features are concerned this receives RF information from either the transmitter or the RFID chip in the key (by two separate means). This information is then multiplexed and sent out on a "bus" line to the BSI.
coms.jpg

The engine ECU:
The engine ECU typically sits in the engine bay next to the battery. As far as security is concerned, it needs two pieces of information before it will run.
1) A four digit PIN code. Both the BSI and the engine ECU have this code and they must match. The PIN code in the BSI can be changed with a LEXIA (or whatever code reader) but the one in the engine ECU cannot (not easily). Every time the BSI makes a request of the engine ECU it must divulge the PIN code.
2) The code generated by the RFID chip. Again, if the code is not recognized the engine ECU will do nothing. At this point I am not sure that the code might even get to the engine ECU. The BSI must be satisfied that the RFID chip is kosher but more on that in a minute.
Once the engine is running however, the RFID chip is not needed. It is only polled to start the engine.
The engine ECU is not as finicky as the BSI and will accept ANY code to be programmed in during the coding of the keys, new or old as long as it has the 4 digit code from the BSI. HOWEVER locked RFID chips are vetted by the BSI before being accepted and passed on to the engine ECU! Are you keeping up?
If you need to change the engine ECU you will need its PIN code to load into the BSI. You can see dozens of engine ECUs on eBay. Without the PIN the ECUs are USELESS!!
The engine ECU remembers the code sent by each of the RFID chips, typically up to 5.

The BSI:
The BSI sits in the glove box (of right hand drive cars). The BSI is basically the brains of your car and is responsible for a lot of things. I'll just stick to the security stuff for the most part. The BSI holds the PIN code for the engine ECU and passes it on when requested, so that the engine ECU knows that it's in the right car. It holds the identifiers for the RFID chips but not the code they send out, the BSI just passes this onto the engine ECU. It receives information from the COM2000, processes it and confirms that it is valid then passes it on to the engine ECU and performs other security stuff like disabling the alarm and unlocking the doors. It also holds the identifiers for the RF central locking transmitters and the keys to decoding the rolling cypher. I do not know how many RFID chips and RF transmitters the BSI will remember.

P.S. I had a lot of trouble researching this post and the information is scarce. A lot of this is in the area of general security and naturally kept quiet. A lot of this stuff comes under "cyber locksmithing" and verges on hacking (for the most part it IS hacking). So the people involved tend to hold onto their secrets or at the least don't make it common knowledge. Some people (companies) make a living from unlocking and hacking ECUs for reuse and they are not quick to part with their corporate knowledge. Fair enough.
So there were some areas where I could find no information and had to draw some conclusions. Like, how are the transmitter MPUs locked by the BSI when the RFID chip and the transmitter appear to run on different frequencies? And how is the RF transmitter locked when it doesn't appear to have a receiver section? Information on the RFID chips is relatively common but not easy to understand.
Consequently if I have made any factual mistakes I apologize and will stand corrected.
There are tutorials on YouTube about hacking the BSI and/or the engine ECU to get them to work in your car. HOWEVER I can find very little on getting the central locking RF transmitters hacked. It also appears that the Chinese knock-off central locking transmitters on eBay don't usually work. There are all sorts of code generating algorithm and transmitting frequency issues to overcome and a lot of ducks to get lined up before you will find one that will work.
Wake up! You left the kettle boiling!
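The rolling-code behaviour described in the post above (future codes accepted within a look-ahead window, past codes refused, re-synchronisation once the fob drifts too far), as an added example that is not part of the original post and is not PSA's algorithm. It substitutes a truncated HMAC-SHA256 over a press counter and the paired RFID chip identifier; the window of 16, the secret, the chip ids and the resync step are all assumptions.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead depth; the post gives no figure


def rolling_code(secret: bytes, chip_id: bytes, counter: int) -> bytes:
    """Code for press number `counter`, bound to the paired RFID chip id."""
    msg = chip_id + counter.to_bytes(4, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


class Fob:
    """Transmitter side: every press uses up one counter value."""
    def __init__(self, secret: bytes, chip_id: bytes):
        self.secret, self.chip_id, self.counter = secret, chip_id, 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.secret, self.chip_id, self.counter)


class Receiver:
    """Car side (the BSI's role in the post): tracks the last accepted counter."""
    def __init__(self, secret: bytes, chip_id: bytes, window: int = WINDOW):
        self.secret, self.chip_id, self.window = secret, chip_id, window
        self.counter = 0

    def check(self, code: bytes) -> bool:
        # Only counters after the last accepted one are tried, so a "past" code never matches.
        for step in range(1, self.window + 1):
            expected = rolling_code(self.secret, self.chip_id, self.counter + step)
            if hmac.compare_digest(code, expected):
                self.counter += step  # everything up to here is now "past"
                return True
        return False

    def resync(self, fob: Fob) -> None:  # stand-in for the owner's procedure (assumed)
        self.counter = fob.counter


def demo() -> dict:
    secret, chip = b"constructed-demo-secret", b"CHIP-0001"  # constructed values
    fob, car = Fob(secret, chip), Receiver(secret, chip)
    out = {}
    first = fob.press()
    out["in_range_press"] = car.check(first)
    out["replay_same_code"] = car.check(first)
    skipped = [fob.press() for _ in range(3)]       # pressed out of range
    out["after_3_missed"] = car.check(fob.press())  # found by look-ahead
    out["replay_missed_code"] = car.check(skipped[0])
    for _ in range(WINDOW + 4):                     # drift past the window
        fob.press()
    out["beyond_window"] = car.check(fob.press())
    car.resync(fob)
    out["after_resync"] = car.check(fob.press())
    other = Receiver(secret, b"CHIP-0002")          # record for a different chip id
    other.resync(fob)
    out["wrong_chip_id"] = other.check(fob.press())
    return out


if __name__ == "__main__":
    print(demo())
```

Note that a code pressed out of range stops being valid as soon as the receiver accepts any later code, which is what makes a recorded press useless after the owner's next successful unlock.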
My Name: Ozvtr

Handy dandy security tip #1
If you only have one key and find "obtaining" a second key expensive just buy a spare off eBay and get the key blade cut. Be careful, there are different kinds of blades so make sure yours matches.
It won't start the car but you will be able to get inside and unlock the steering column. Handy to help the driver of the tow truck to get your car home when you lose your one and only key. :D
My Name: Ozvtr

Handy dandy security tip #2
If you received a card like this in your documentation package DON'T LOSE IT!
If it hasn't already been scratched off, under the scratchy...er...stuff is the engine ECU PIN code.
This is the code the engine ECU will expect the BSI to divulge when the BSI makes requests of the engine ECU. Like:- adding new keys or "please Mr engine ECU will you make the engine run?". Umm.
Citroen will give you the code for a given VIN...for a price!
card 002.jpg
My Name: routemaster1

C3 Master
Posts: 216
Joined: Fri Mar 08, 2019 4:32 pm
Model: C3 2017-on. The new C3
Year: 2019 (19)
Engine Size: 1.2
Fuel Type: Petrol
Mileage: 300
Trim Level: Flair
Gearbox: Manual 6 speed
DPF: No
LHD or RHD: RHD (UK)
Engine name: EB2DT-EB2ADT PureTech 3-Cylinder (110 PS)
Been thanked: 63 times

Post

One query.

'The key blade:
The simplest part of the security system. I won't go into the operation, I think we all know how this works. The car can be secured if there is no power to the car or for some reason the doors won't lock electrically.'

Is this correct? My 3 C3s had no mechanical locking mechanism for doors or boot. Surely you can gain access but cannot secure the car.
User avatar
My Name: Arfur Dent

Guru
Posts: 3433
Joined: Sat Jul 23, 2011 3:47 pm
Model: C3 2002-2005, Original shape model
Year: 2002 (52)
Engine Size: 1.4 (16v)
Fuel Type: Diesel
Mileage: 100000
Trim Level: Exclusive
Gearbox: Manual 5 speed
DPF: No
LHD or RHD: RHD (UK)
Engine name: DV4 16-valve diesel (90 PS)
Has thanked: 318 times
Been thanked: 121 times

Post

routemaster1 wrote: Tue Aug 18, 2020 11:32 am One query.

'The key blade:
The simplest part of the security system. I won't go into the operation, I think we all know how this works. The car can be secured if there is no power to the car or for some reason the doors won't lock electrically.'

Is this correct? My 3 C3s had no mechanical locking mechanism for doors or boot. Surely you can gain access but cannot secure the car.
Yes, even on the 2019 C3.

According to the 2019 manual the boot release system is the same as all the other C3 models.


The door locking in the event of central locking failure is the same still, after all these years.
C3 2019 manual door locking when Central locking not functioning wrote:
► Remove the black cap, located on the edge of the door, using the key.
► Insert the key into the socket without forcing it, then turn the latch towards the inside of the door.
► Remove the key and refit the black cap.
► Close the doors and check from the outside

Manual boot locking is actioned after it has been unlocked manually (climb over the back seats).

My Name: routemaster1

Thanks for clarifying. Luckily I've never had any issues.
User avatar
My Name: cfrank

Experienced Member
Posts: 51
Joined: Tue Jun 09, 2020 8:24 pm
Model: C3 2017-on. The new C3
Year: 2020 (70)
Engine Size: NA
Fuel Type: Diesel
Mileage: 12000
Trim Level: Feel
Gearbox: Manual 5 speed
DPF: Yes
LHD or RHD: LHD (Europe)
Engine name: BlueHDi (100 PS)
Location: Germany
Has thanked: 30 times
Been thanked: 16 times

Post

Thanks Ozvrt! Interesting and fun to read (should I be worried? ;-) )

Some 20 years ago I was involved in analysing the source code of an ECU similar to BSI. Engineers made a big secret about anything involving locking and immobiliser and only a few guys knew everything about it. I did not have the impression it was about making money. They thought really hard about it to engineer a system which could not be overcome easily. It’s remarkable because back then IT security in car electronics was not something anyone really cared about. Instead every bit of RAM and Flash mem had to be justified due to mass-production costs.
My Name: Ozvtr

cfrank wrote: Tue Aug 18, 2020 5:25 pm Thanks Ozvrt! Interesting and fun to read (should I be worried? ;-) )
LOL! I thought people would be bored to death!
cfrank wrote: Tue Aug 18, 2020 5:25 pm Some 20 years ago I was involved in analysing the source code of an ECU similar to BSI. Engineers made a big secret about anything involving locking and immobiliser and only a few guys knew everything about it. I did not have the impression it was about making money. They thought really hard about it to engineer a system which could not be overcome easily. It’s remarkable because back then IT security in car electronics was not something anyone really cared about. Instead every bit of RAM and Flash mem had to be justified due to mass-production costs.
Carprog and Xprog seem to be the weapon of choice to hack BSIs, engine ECUs, dash displays and air bag modules. I am quite surprised at the level of work put into these programmes and the range of cars/marques researched. There are even standalone programs to hack a very specific ECU if you are having problems.
I am in two minds with this whole "hacking" thing. On one hand it could be used for nefarious reasons but on the other, genuine users (like your local garage) should have the right to fix your car. In my opinion manufacturers are using security and "proprietary information" as an excuse to push independent repairers out of the market. The other thing is, manufacturers want us to throw hundreds of pounds (dollars) worth of equipment into landfill so they can make more money. It's not good for either the environment or my wallet!
My Name: Missing Lincs

Moderator
Posts: 844
Joined: Mon Mar 05, 2012 9:29 pm
Model: C3 2002-2005, Original shape model
Year: 2004 (04)
Engine Size: 1.1
Fuel Type: Petrol
Trim Level: Desire
Gearbox: Manual 5 speed
DPF: No
LHD or RHD: RHD (UK)
Engine name: TU3 (75 PS)
Location: United Kingdom
Has thanked: 46 times
Been thanked: 35 times

Post

Ozvtr wrote: Tue Aug 18, 2020 10:04 am Handy dandy security tip #1
If you only have one key and find "obtaining" a second key expensive just buy a spare off eBay and get the key blade cut. Be careful, there are different kinds of blades so make sure yours matches.
It won't start the car but you will be able to get inside and unlock the steering column. Handy to help the driver of the tow truck to get your car home when you lose your one and only key. :D
If you have the card with code mentioned above you can program additional keys using Lexia. If you don't fancy that route you can get a cloned key, an exact copy physically and RF chipped to match your original.
Auto-locksmiths can make clones as can quite a few high street key-cutters. It's a cheaper route with only one disadvantage that I know of: if you lose one of your 'identical' keys you can't have it deleted from the car as it thinks there is only the one key.
If at first you don't succeed, destroy all the evidence and pretend you never tried :lol:
My Name: Ozvtr

Missing Lincs wrote: Wed Aug 19, 2020 7:11 am you can get a cloned key, an exact copy physically and RF chipped to match your original.
Yes, adding the chip wouldn't cost much more and would make going home with your tail between your legs more tolerable. :lol: