Car Key Emulation

It would be amazing if one could use the Flipper as a backup car key, not to mention a huge money saver compared to buying another key from the dealership.

Potentially multiple frequencies. Unclear if there is a use case for push to start literally pressing on the ignition vs. the other key functions (former works with no battery in FOB).

Info on RF modulation and if it’s possible to store multiple “keys” to use the Flipper as a backup key - broadly I think that captures it and would be a HUGE money saver

I’m not sure on the last one, but the only other category calling out other frequencies didn’t look best suited at a glance.

There’s a complication of “Rolling Codes” used by car keys, and I don’t fully understand how difficult it would be to emulate a key using a Flipper. Unclear if you could brute force it to work or if a single incorrect “reply” starts the entire process over again.

7 Likes

You can’t.
The best you could do is a replay attack, that would work only once.
You can’t just clone a key that uses rolling codes without knowing the algorithm and seed.
The flipper is no magic “watch dogs” hacker tech.
The radios inside aren’t that expensive, so if you could bruteforce car keys with the flipper, car keys would be useless.

1 Like

I agree, the most feasible is to capture using the flipper, jam the same code signal so it doesn’t reach the car and then replay it, and there’s no guarantee that would work.
That would only work once (if at all), and we’re assuming there is no handshake between the key and the car.

I’d assume that newer push-start cars would probably do a handshake to confirm the key is present.
That way capture and replay wouldn’t work (because thieves have been known to use it to drive off with a car).

1 Like
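To show why the two replies above say a captured code works at most once, here is a toy rolling-code receiver with a sync counter and an acceptance window. This is an added example, not from the thread or the Flipper project; the HMAC-based code, the secret and the window size are constructed stand-ins for whatever a real fob uses.

```python
import hmac
import hashlib

# Constructed toy scheme: transmitted code = 4-byte sync counter + 4-byte keyed MAC.
# Real fobs use other ciphers; only the counter-window behaviour matters here.
SECRET = b"constructed-demo-secret-not-a-real-fob-key"  # assumption, not a real value
WINDOW = 16  # how many "missed" button presses the car tolerates


def encode(counter: int, key: bytes = SECRET) -> bytes:
    """Fob side: each press sends the next counter value plus a MAC over it."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:4]


class Receiver:
    """Car side: remembers the last accepted counter and only moves forward."""

    def __init__(self, key: bytes = SECRET):
        self.key = key
        self.last = -1

    def accept(self, code: bytes) -> bool:
        ctr_bytes, tag = code[:4], code[4:]
        expected = hmac.new(self.key, ctr_bytes, hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(tag, expected):
            return False  # no secret -> no valid MAC, so a guessed code is rejected
        ctr = int.from_bytes(ctr_bytes, "big")
        if not (self.last < ctr <= self.last + WINDOW):
            return False  # already used, or too far ahead of the car's counter
        self.last = ctr
        return True


def demo() -> dict:
    """Walk through capture, replay, re-replay and a forged code."""
    car, fob = Receiver(), 0
    fob += 1
    car.accept(encode(fob))            # press 1 reaches the car normally
    fob += 1
    recorded = encode(fob)             # press 2 is recorded and never reaches the car
    first = car.accept(recorded)       # replayed while still ahead of the car: accepted
    second = car.accept(recorded)      # replayed again: counter already consumed
    fob += 1
    fob_ok = car.accept(encode(fob))   # the genuine fob keeps working afterwards
    stale = car.accept(recorded)       # old capture after a newer press: rejected
    forged = car.accept(encode(fob + 1, b"guessed-key"))  # wrong secret: MAC fails
    return {"first_replay": first, "second_replay": second,
            "fob_still_works": fob_ok, "stale_replay": stale, "forged": forged}
```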

Ryan if you are interested in RF hacking this is a good talk: https://www.youtube.com/watch?v=1RipwqJG50c
It also discusses car keys.

1 Like

Thanks for the reference link.

The replay may be feasible for starting the car as I believe that functions a little differently (works with no battery, but the key has to be basically on top of the push button). That scenario is pretty worthless though as the car would have to remain unlocked even if it would work. Not interested in the capture/block/replay single use route as that isn’t practical at all.

No one said anything about magic. However, there are other devices that can do this and if it’s only a matter of decryption, then with enough time one could still use a device like a flipper to read, process, and send the code IF it also had the right radio frequencies. Let’s pretend for this case that I could get the data to program a key and just need a device to house/process/transmit…

Thanks again!

Most of the time when you see car key emulations it is with the car brand repair tools that have leaked from some repair shop and are being misused.

In movies it’s pretty simple, but as they told you, if you don’t have the private keys you will enter lockdown protocols after a few attempts.

If any kid with a Wi-Fi chip could get into a car with an Arduino or Raspberry Pi, or even a laptop, that would mean that car security was very primitive.

This was kind of true some years ago, but not anymore.

1 Like

I am looking specifically for the case where I have the private key and need it cloned, not to get into any vehicle off the street.

1 Like

The lockdown doesn’t happen. I get invalid key ID all the time with my legit key from the Dealership and every once in a while many many times in a row - at least a dozen on one occasion and frequently 3-4 times. Seems to be when there is other stuff in my pocket besides just the key.

Anyways, this was supposed to be about device support, not software support or providing universal access to any car - I agree that if that were easily possible then we’d be in a bit more trouble.

You don’t have the hash function even if you have the private key; you would need to have access to the car manufacturer’s source code.

I’m not sure if you could make something that could intermittently work based off known values, depending on how long the hash is. I’m running off the assumption that it’s not practical to truly determine based on testing. Doesn’t take many characters to make something practically useless :frowning:

In my case I am assuming access to the same equipment used at a car dealership - the guy there doesn’t know any technical detail, just what buttons to press to clone a key. So the really cool thing about this would be that once I get a single set of working data, I wouldn’t have to do that again and could copy my own keys.

The data/specialized programming equipment is mostly what you pay for at a Dealership. They upcharge the physical key a ton also even though it’s dirt cheap to produce. If I could offset the key cost via a Flipper, that’s even better (and cool!). Gonna see if I can talk to a guy that knows a guy :wink: and see if he’d let me use their toys with something other than a key.

Also sounds like I’ve got some extra homework to do to see if I could read the data off an existing key. All the info I need is in my key, but I have no clue how to get it off to load elsewhere. It would be super cool if a Flipper could catch all the wireless programming code while a key was legit duplicated (if wirelessly programmed; not sure). Still though, in my case I would be trying to use the same process as regular keys just physically with a Flipper - unless I can find a way to get the data off my existing key :slight_smile:

I’m not an expert on the subject, but I think that with most of the car keys in use you can’t simply copy one to another; what you normally do is program the car to accept the new key.

You can look at what’s needed to emulate a key to see if you can make the car believe that the flipper is your key.

Also, look at what Apple is doing with iPhones emulating car keys by NFC. That would probably be easier since it’s using standard signals from iPhones.

I’ll try searching for the iPhone NFC emulation as I haven’t heard a peep about that - I would be all over it though! I wonder how they would get that to work… You have a link or any other info on how to find current progress? (thanks in advance!)

The one thing I do know about “keyless” keys is that it is much simpler to copy an existing key because then you don’t have to reprogram the car as well.

E.g. if you lose your key and have a new pair made, they have to program the new keys alongside the car. The old key is then rendered useless even if you find it later. Not the best link, but close enough for my case: https://lost-car-keys-replacement.com/nissan/program/

1 Like

Thanks! Looks like it’s only for a small selection of BMW cars for the moment, but the future may be sooner than later XD. Very cool :smiley:

Hope that Apple helps push this to every lock: cars, houses, etc.

Old metal keys are so easy to copy or bypass. We need a future with crypto keys.

For my 6 year old car I can buy a replacement key with remote to unlock the doors and transponder to start the ignition for less than 20€ including shipping from China.
At least the manufacturers of these aftermarket keys must know the algorithms used.

Whether the hardware of the flipper is enough to transmit the correct signals, I don’t know.

The keys of course only work after pairing them with the car using an original key.

2 Likes

Can you please share a link? I def want to do some additional background research on this to see what info they need to accomplish this. I am assuming from your post that you didn’t have to mail your key in to them? How does it get programmed and do they take care of all of it or are there steps the user has to take once they receive it?

Thanks!

Interesting discussion, but I’m curious, would this work with older cars? I know encryption on keys has gotten MUCH better in the last decade, but what about older 2000-2010 vehicles (or even 90s)?

4 Likes

So I work in this field.
I don’t think cloning a keyless key would be a great idea - it would knock out your original key once it’s used. You could possibly emulate a key, but you would have to have it programmed by someone with the correct equipment (dealers will laugh at you…a friendly independent might help); however, at that point why not just get another key? On some stuff like the Fords, the remote side of the key (not keyless ignition) can be programmed by a manual procedure, so emulating one could be possible and useful. Aftermarket keys exist so the algo is out there.

Might be able to go down the route of emulating the override transponders.
Obviously there’s a lot of variance between different manufacturers on how the keys are implemented.
One of the more common transponders is the Philips 7936/7946 which operates at 125 kHz. This is used as the transponder for a lot of vehicles with a mechanical key and as the override for some cars with a keyless key (they all have a backup of some type for if the battery in the key is dead).
In a simplified view of this system, all you really need is the crypto key for the key/vehicle and the ID of the key and you can make a 1 to 1 copy. There’s tools on the market that do this that require you to capture 3 handshakes.
A lot of info here

Of course if you go to really early systems you have some fixed code transponders that are easily copied - same kind of thing you see on cheap gate access systems etc.

8 Likes

Is it possible to capture a couple of keys to work out their algorithm for applying in the future?

1 Like