@El Toro Could this be made a sticky I am slowly moving away from the forum and posting useful info as I find it. This relates to the 848/1098/1198 and shows how the bypass and key codes are recovered from the dash. The key codes need converting for programming to blank keys. Info on how to do this is on the digital Kaos forum.
******UPDATED****** There is a difference that bikes with the red key and bikes with the two black keys/code card store the transponder details in the immo chip on the dash. Red key bikes - store the last 6 bytes of the transponder code and the recovered data for the key transponders needs to be prefixed BE FA ** ** ** ** ** ** and then converted to 7D 5F ** ** ** ** ** ** I have a device that does the conversion so can help out if necessary. For example Key code identified as 00 00 01 42 F7 7F from dash This is BE FA 00 00 01 42 F7 7F The data required to program a T5 Transponder is 7D 5F 00 00 80 42 EF FE This data can be inputted manually using the likes of a Zedbull Mini If you have an Android device there is an app called Transponder Tiris Converter. Costs £1.18. This will convert the data from the immo chip (BE FA) to the format for use with the key programmer (7D 5F) If you like a challenge, then do it manually https://www.mri-auto-diagnostics.com/wp-content/uploads/2020/11/4C_INFO.pdf To convert the transponder info you do the following The BE FA needs to be converted from Hex to Binary. The bit that needs converting is 01 42 F7 7F. The zero of 01 will always be 0000 in binary and will be ignored using an online converter. So 01 = 00000001 (where 0001=1), 42=01000010, F7=11110111, 7F=01111111 To convert to Tiris the binary needs to be reversed and converted back to hex. So 10000000=80, 01000010=42, 11101111= EF, 11111110=FE. That will give you the 80 42 EF FE required to add to 7D 5F 00 00 to program a T5 transponder. For the bikes with the two black keys/code card - they store the full 8 bytes of the transponder code. In the PDF the hex dump shows one of the keys as E6 00 00 00 00 34 D6 8F. In order to program this info to a transponder then some conversion is required. The conversion uses the binary value of the hex. For example E6 = 1110 0110 This is then reversed = 0111 0110 The position of these bits are reversed = 0110 0111 This then converted to hex = 67 This is done to all hex values So E6 00 00 00 00 34 D6 8F = 67 00 00 00 00 2C 6B F1 I am still trying to identify how the bypass code can be calculated from the key transponder info read by the Zedbull. *****Update********* Bypass code calculation now cracked for the bikes with 2 black keys and code card
For red key bikes This process also applies to other dashes that use the 24C16 eeprom. However, to access the chip requires the removal of tacho and speedo needles, so care is required. The dash also needs to be powered up before the needles are refitted so they align correctly. Ducati will tell you that if you lose the code card it cannot be replaced. There is a solution. On the earlier dash using the red programming key then the bypass code can be calculated from the recovered hex code. The first code is always the red key. The bypass code card is calculated from the last five digits, where 1 to 9 remain the same and A=1,B=2,C=3,D=4,E=5,F=6 and 0=7 In the above if 00 00 01 42 F7 7F was the first code listed then 2F77F will give the bypass code. This would give 2=2, F=6, 7=7, 7=7, F=6. The bypass code is therefore 26776. If you have a Zedbull then the red key transponder code can be read from the key. The Zedbull will display it in the format 5F 00 00 ** ** ** ** 7D. It just moves the first digits to last, ignore the 7D. Using the info from the first post 80 42 EF FE this needs converting from Tiris (hex) to binary, the binary reversed, and then converted back to hex. The reverse of the instruction in the first post. That will give 01 42 F7 7F, just use the last five digits to calculate the code
I have created an excel tool to help with converting key transponder readings from a Zedbull Mini to a format suitable for calculating the bypass code. it has been over 10 years since I did any excel work, so forgive it being rough and ready. Use 06 00 00 00 C0 B5 D0 7D to play with it Change file from pdf to xlsx
An even newer version. Just enter the Transponder Code Again, use 06 00 00 00 C0 B5 D0 7D to test Also try 03 00 00 00 60 D8 E8 38 (this was an anomaly found reading one key, it takes an additional 1 bit left to convert)
I have refined the excel tool (probably to the extent of my excel skills). Enter the transponder code as read by the Zedbull Mini Check the results for "Dash Code" Enter the last five digits of that code to replace the XXXXX, press enter Code should be generated Again use 06 00 00 00 C0 B5 D0 7D and 03 00 00 00 60 D8 E8 38 to test Change file from pdf to xlsx
Thought I would add a calculator for the earlier Red Key, 2 black keys and code card bikes Use 7D 5F 00 00 80 42 EF FE to test Should convert to BE FA 00 00 01 42 F7 7F (code 26776) Change file from pdf to xlsx
Chris, as you suggested I went to take a look at your Excel sheets to check their computational "Health" but found that I cannot view columns B through P because the workbook is protected in the Red Key version
Just a little update on this for bikes using the I2K immo (2 keys, code card). A recent assist to a forum member I did, identified there is another anomaly with how the transponder is sometimes read by the likes of a Zedbull Mini. This results in the realigned transponder code being 01 00 00 00 xx xx xx xx Or 19 00 00 00 xx xx xx xx For the one starting 01 00 00 00 then enter that in the calculator and generate the results. Look down the left hand column of the results for the one starting 06 (06 00 00 00 xx xx xx xx). Make a note of this. Then use the calculator again with the 06 data and that should produce the required result. For the one starting 19 00 00 00 then enter that in the calculator and generate the results. Look down the left hand column of the results for the one starting 33 (33 00 00 00 00 xx xx xx, note there are 4 sets of 00). Make a note of this. Then use the calculator again with the 33 data and that should produce the results at Shift 1.
Further update A recent assist has identified the the I2K immo systems used across the Ducati range are not the same. My process does not work on Streetfighter using the MAE Electronics dash. The immo chip in this dash is PIC and not the 24C16 on which my research was based. For I2K bikes the process only works if you have the below key type
Very useful since I'm in a sticky situation - my 1198s died completely a couple of days ago. The negative battery cable sheared off completely, but before it did the instruments & lights flickered out a few times. Methinks the cable must have fractured and then juddered together again a few times causing a surge? Anyway, as soon as I put a fuse in the instruments part of the fuse box it blows straightaway so clearly shorting somewhere. I've stripped the bike and all connector blocks checked & cleaned so I'm guessing either instruments relay or within the clocks themselves. Is this the kind of thing you could check @chrisw ? If so, where are you based? For the first time in years I'm a but stumped with a bike issue, dang! Cheers, jamess
Sorry. Not something I can help with. Does sound like you have a short somewhere. If you can get access to another 848/1098/1198 then you could install your dash to test. Remove the immo antenna and put your key in the hole so the chip is read and use the bike’s key to turn the ignition on. Alternatively give Mark at Scorpio Electronics a call.
Update I believe I have cracked the MAE dash I2K bypass code. Have been working with a guy in Germany and have managed to calculate the code for their bike. I had to use some key programming software called ZedQX to do the calculations. My next job is to work out the mathematics involved so I can create an excel calculator.
