Hope that apple helps push this to every lock, cars, houses, etc.
Old metal keys are so easy to copy or bypass. We need a future with crypto keys
For my 6 year old car I can buy a replacement key with remote to unlock the doors and transponder to start the ignition for less than 20€ including shipping from China.
At least the manufacturers of these aftermarket keys must know the algorithms used.
Whether the hardware of the Flipper is enough to transmit the correct signals, I don’t know.
The keys of course only work after pairing them with the car using an original key.
Can you please share a link? I def want to do some additional background research on this to see what info they need to accomplish this. I am assuming from your post that you didn’t have to mail your key in to them? How does it get programmed and do they take care of all of it or are there steps the user has to take once they receive it?
Thanks!
Interesting discussion, but I’m curious, would this work with older cars? I know encryption on keys has gotten MUCH better in the last decade, but what about older 2000-2010 vehicles (or even 90s)?
So I work in this field.
I don’t think cloning a keyless key would be a great idea - it would knock out your original key once it’s used. You could possibly emulate a key, but you would have to have it programmed by someone with the correct equipment (dealers will laugh at you…a friendly independent might help); however, at that point why not just get another key? For some cars, like the Fords, the remote side of the key (not keyless ignition) can be programmed by a manual procedure, so emulating one could be possible and useful. Aftermarket keys exist, so the algo is out there.
Might be able to go down the route of emulating the override transponders.
Obviously there’s a lot of variance between different manufacturers on how the keys are implemented.
One of the more common transponders is the Philips 7936/7946, which operates at 125 kHz. This is used as the transponder for a lot of vehicles with a mechanical key and as the override for some cars with a keyless key (they all have a backup of some type for when the battery in the key is dead).
In a simplified view of this system, all you really need is the crypto key for the key/vehicle and the ID of the key, and you can make a 1-to-1 copy. There are tools on the market that do this, which require you to capture 3 handshakes.
A lot of info here
Of course, if you go to really early systems you have some fixed-code transponders that are easily copied - the same kind of thing you see on cheap gate access systems etc.
Is it possible to capture a couple of keys to generate their algorithm for future application?
This is the same info I found with the exception of the cloned key 1:1 not kicking out the old key. A new key (not 1:1 clone) reprograms the match and would kick the old key out. I’ve been able to confirm that part from aftermarket suppliers so curious why it doesn’t line up? Or did I misunderstand what you wrote?
Either way, this particular device isn’t geared for this application. The Flipper as it is now won’t ever be a device to load a keyless key onto, and it never claimed it would be. I haven’t found anything closer on the market either. Probably because of all the MFG variation.
Definitely a cool concept for another device that’s less of pen testing and more of a wireless key wallet. That’s what I’m personally after. Maybe I should patent it if that hasn’t been done already!
Thanks for the info, greatly appreciated.
Depends specifically on what and which system you’re talking about here, but the easiest way I can put it is: imagine an incremental rolling code sequence. The moment you use the new key, the sequence will be advanced beyond the other key. When you go back to the original key, it will be sending old and used codes.
There are devices on the market which can emulate various keys for the different systems ready to be programmed. There’s even a watch that does this.
That’s not how it works with car keys. If it were, then I couldn’t have two keys for the same vehicle or the first key wouldn’t work anymore. And there wouldn’t be any aftermarket solutions to clone a second key without having to reprogram the vehicle. Not here to argue, but those can’t both be true… Gotta be something missing.
There’s also the issue I have with my current car key - it reads the incorrect key ID all the time and then works again. If it had to be sequential, my key would be toast as soon as it jumped ahead.
Can you send the watch info/link please? I haven’t been able to find anything that looked promising (hardware + customizable software/programs)
This is how it works with some car keys, but you can have more than one programmed. Cloning a key and programming a key are two very different things.
Again depends on which element of the key you’re talking about and which system.
Volkswagen-Audi cars (previous generation) use a rolling code system for remote locking.
Old BMW EWS3 systems use a rolling code for ignition (and cannot be usefully cloned for this reason).
The watch wouldn’t be useful as a consumer. It needs to be prepared as a key for the right car then programmed diagnostically.
Thanks again for the info, greatly appreciated. Still curious about the watch to see if there are any other applications other than controlling TVs.
There might be some miscommunication since I 100% agree and found the same info on cloning vs. programming a new key. These questions might help: if I have a legitimate key and want to duplicate it, what barriers are there to cloning it? Let’s keep that to dealer/aftermarket.
Second, do you see any additional barriers to cloning a key onto an emulation device - like having to emulate the entire circuit board via software. Asking because I could fairly easily get the key data, but have zero experience in individual components on a board talking to each other and don’t know how to get the info to write that code.
https://www.xhorsetool.com/wholesale/xhorse-smart-watch.html that’s the watch. You wouldn’t be able to control TVs with it. It only emulates car keys. It needs preparing with a tool, then programming into the car via diagnostics.
Right, I think the issue here might be terms, so in order for me to answer your questions can you let me know:
I think we’re mostly on the same page with #2 - cloning would be creating a 1:1 duplicate key and doesn’t require reprogramming the car. Could be the dealer or a third party cloning the key. For a 2018 Nissan Rogue I can get a clone made more cheaply than getting a new key programmed, and significantly cheaper than replacing my currently working key with two newly paired ones.
Where I think is fuzzy is that as I see it, cloning a key wouldn’t kick out the original whereas programming a new key would. Also that rolling codes can’t be purely predefined and sequential or else duplicate keys wouldn’t work - I assume it’s more of a seed and reply the next-in-sequence, possibly run through an algorithm of the unique key or similar (that’s the case I am familiar with, but it’s not specific to cars).
For #1 I’m not entirely sure how to answer. I have a smart key that has a backup for push to start with no battery in the fob that I assume runs off the key’s unique key (the physical key can unlock the door, but the housing actually OK’s the push to start). Backup option only and the fob needs to be literally on top of the start button for this to work.
When paired with some rolling code I can unlock the doors within proximity and this only works with the battery in. This also OK’s the normal push to start operation from my pocket.
Then there’s the pressing the remote start/hatchback/lock/unlock keys that also only work with battery. There’s nothing in this post about this scenario I am currently trying to utilize. Assuming the handshake works similarly to the above scenario.
Also on same page about Dealership allowing you to program a flipper. I’ve probably referred to true Dealerships and independents as Dealerships at some point in this post for simplicity but recognize the difference. We’ll assume I have an independent that would let me try and load key data on a flipper as long as I paid a little over their standard key cloning rate XD
And thank you for the watch link! I will def check it out.
Ok, bear with me, I’ll just go over my terminology to hopefully make anything I say a little less fuzzy.
Yeh, as you said, dealers do not clone keys. For keyless ignitions nobody clones keys; for some makes the backup transponder could be cloned, however I’m unaware of any solution that clones a full keyless key. You can get another key programmed in addition to yours by an independent or the dealer (doesn’t require tossing the original).
Nissan Rogue I think is X-Trail in my market, so it’s PCF7953M HITAG AES. There’s some information in the above PDF. But the basics of it are the key has an ID and a seed and response system like you said. When programming a key, its ID is added to the vehicle’s whitelist of accepted keys and the secret key of the car is loaded onto the key (it’s the actual start button on your car that does this on yours).
As you go over, there are 3 elements at play, all controlled by the one chip: the proximity part (normally 125 kHz), the remote part (normally 315/433/868/915 MHz depending on make/model/market) and the backup transponder (again 125 kHz but much lower power, has to be basically touching; this part is actually powered parasitically and not by the key). The remote may well still be a (signed) rolling code, as I believe this will only be one-way communication. When you get close enough to the vehicle you’ll be using the proximity part; when touching the key directly to the button, if the key has no battery for example, then you’re using the passive backup transponder.
Flipper has hardware that would be able to send the remote locking signals, if you knew what to send, but with this likely being some form of rolling code you’ll advance the code kicking out the original at least until it catches up or is resynchronised.
I’ve not really looked at how Flipper is doing the RFID implementation, but I’d be surprised if it allows us the granular control to emulate the protocol for the transponder in this case (however some other systems are very similar to more normal RFID tags), and I don’t think it’ll have anything able to do the keyless entry.
Seeing that programming, in the case of your Nissan Rogue, is done through the passive element/backup transponder of the key, I’m not sure how it could be separately programmed as a remote even.
Hope this helps. Any questions on your car/in general, happy to help, so fire away.
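A toy model of the rolling-code desync described in the two posts above (the new key advances the sequence, so the original then sends old codes until it catches up or is resynchronised). This is an added illustration, not code from the forum or any manufacturer; its MAC-over-counter construction, window of 16 and sample secret are assumptions, not a real fob scheme.

```python
import hmac
import hashlib
SECRET = b"constructed-demo-secret"  # constructed sample; a real fob/receiver pair holds a per-key secret

def code_for(counter):
    # Rolling code for a counter value: a keyed MAC, so the counter itself never goes over the air.
    return hmac.new(SECRET, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]
class Fob:
    def __init__(self):
        self.counter = 0
    def press(self):
        self.counter += 1  # every press advances the sequence
        return code_for(self.counter)
class Receiver:
    def __init__(self, window=16):
        self.last = 0          # highest counter accepted so far
        self.window = window   # how far ahead a fob may get (presses made out of range)
    def accept(self, code):
        # Valid codes are for counters strictly above self.last and inside the window;
        # anything at or below self.last is an old, already-used code and is rejected.
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(code_for(c), code):
                self.last = c
                return True
        return False
def replay_is_rejected():
    # A captured code works once; sending the same bytes again is rejected.
    car, fob = Receiver(), Fob()
    captured = fob.press()
    return car.accept(captured) and not car.accept(captured)
def presses_to_catch_up(clone_presses, window=16):
    # A 1:1 clone shares secret and counter with the original. After the clone is used
    # clone_presses times, count how many original presses fail before it works again.
    car, original, clone = Receiver(window), Fob(), Fob()
    car.accept(original.press())       # original in sync with the car
    for _ in range(clone_presses):
        car.accept(clone.press())      # clone races ahead; the car now expects higher counters
    rejected = 0
    while not car.accept(original.press()):
        rejected += 1                  # original is sending "old and used" codes
    return rejected
def out_of_window_is_rejected(window=16):
    # A fob pressed more than `window` times out of the car's range falls outside the window
    # and needs resynchronising before the car will accept it again.
    car, fob = Receiver(window), Fob()
    car.accept(fob.press())
    for _ in range(window):
        fob.press()                    # presses the car never saw
    return not car.accept(fob.press())
```

With the clone used 20 times, the original is rejected 19 times before its counter passes the car's, which is the "kicks out the original until it catches up" behaviour described above.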
Yeah I tried to capture and use and instead got my fob to stop working. 2017 VW Jetta… Flipper worked once to unlock but then the fob doesn’t function HOWEVER my car accepts the key for driving and unlocking physically
Tried to capture my 2016 Toyota Prius and a Ford Explorer, but nothing; not even the remote for our community gate can be read or analyzed.
Rolling codes can give that issue. I captured my key fob and it worked once (rolling codes) but then my fob stopped working. Key still operates my ignition but I have no wireless unlock/lock function
The issue would be how could the flipper emulate the proper signals?
What I mean by this is yes, with the proper equipment you can program the flipper, but I think someone would have to make a plugin to emulate the prox car key (Unlock, lock, start?)
Here is a link to my talk about the replay attacks. There are a handful of vehicles that do not roll code, or at least it doesn’t matter, such as the Nissan Armada. You can replay codes but you will not be able to start them because of a relationship between the fob and the LF transponder. That is a whole different talk. If you have an Armada give it a try; we even did it to 2022 versions.