Car Key Emulation

This is the same info I found with the exception of the cloned key 1:1 not kicking out the old key. A new key (not 1:1 clone) reprograms the match and would kick the old key out. I’ve been able to confirm that part from aftermarket suppliers so curious why it doesn’t line up? Or did I misunderstand what you wrote?

Either way, this particular device isn’t geared for this application. The Flipper as it is now won’t ever be a device to load a keyless key onto, and it never claimed it would be. I haven’t found anything closer on the market either. Probably because of all the MFG variation.

Definitely a cool concept for another device that’s less of pen testing and more of a wireless key wallet. That’s what I’m personally after. Maybe I should patent it if that hasn’t been done already!

Thanks for the info, greatly appreciated.

1 Like

Depends specifically on what and which system you’re talking about here but easiest way I can put it is imagine an incremental rolling code sequence the moment you use the new key the sequence will be advanced beyond the other key. When you go back to the original key it will be sending old and used codes.
There are devices on the market which can emulate various keys for the different systems ready to be programmed. There’s even a watch that does this.

That’s not how it works with car keys. If it were, then I couldn’t have two keys for the same vehicle or the first key wouldn’t work anymore. And there wouldn’t be any aftermarket solutions to clone a second key without having to reprogram the vehicle. Not here to argue, but those can’t both be true… Gotta be something missing.

There’s also the issue I have with my current car key - it reads the incorrect key ID all the time and then works again. If it had to be sequential, my key would be toast as soon as it jumped ahead.

Can you send the watch info/link please? I haven’t been able to find anything that looked promising (hardware + customizable software/programs)

This is how it works with some car keys, but you can have more than one programmed. Cloning a key and programming a key are two very different things.
Again depends on which element of the key you’re talking about and which system.
Volkswagen-audi cars (previous generation) use a rolling code system for remote locking.
Old BMW ews3 systems use a rolling code for ignition (and cannot be usefully cloned for this reason).
The watch wouldn’t be useful as a consumer. It needs to be prepared as a key for the right car then programmed diagnostically.

Thanks again for the info, greatly appreciated. Still curious about the watch to see if there are any other applications other than controlling TV’s.

There might be some miscommunication since I 100% agree and found the same info on cloning vs. programming a new key. These question might help: if I have a legitimate key and want to duplicate it, what barriers are there to cloning it? Let’s keep that to dealer/aftermarket.

Second, do you see any additional barriers to cloning a key onto an emulation device - like having to emulate the entire circuit board via software. Asking because I could fairly easily get the key data, but have zero experience in individual components on a board talking to each other and don’t know how to get the info to write that code. that’s the watch. You wouldn’t be able to control TVs with it. It only emulates cars keys. It needs preparing with a tool then programming into the car via diagnostics.

Right I think the issue here might be terms so in order for me to answer your questions can you let me know:

  1. when you say key fob do you mean a smart key for a push button start, a transponder key or a remote? (Be even better if you can give me a make, model and year)
  2. when you say clone - what specifically do you mean? I think this might be the miscommunication. To me cloning would mean specifically copying data from one key to the other so that the car can’t tell the two apart. This is different to how the dealership, for example, would prepare a new key. They would just program another key into the system.

I think we’re mostly on the same page with #2 - cloning would be creating a 1:1 duplicate key and doesn’t require reprogramming the car. Could be Dealer or third party cloning the key. For a 2018 Nissan Rouge I can get a clone made more cheaply than getting a new key programmed and significantly cheaper than replacing my currently working key with two newly paired.

Where I think is fuzzy is that as I see it, cloning a key wouldn’t kick out the original whereas programming a new key would. Also that rolling codes can’t be purely predefined and sequential or else duplicate keys wouldn’t work - I assume it’s more of a seed and reply the next-in-sequence, possibly run through an algorithm of the unique key or similar (that’s the case I am familiar with, but it’s not specific to cars).

For #1 I’m not entirely sure how to answer. I have a smart key that has a backup for push to start with no battery in the fob that I assume runs off the key’s unique key (the physical key can unlock the door, but the housing actually OK’s the push to start). Backup option only and the fob needs to be literally on top of the start button for this to work.

When paired with some rolling code I can unlock the doors within proximity and this only works with the battery in. This also OK’s the normal push to start operation from my pocket.

Then there’s the pressing the remote start/hatchback/lock/unlock keys that also only work with battery. There’s nothing in this post about this scenario I am currently trying to utilize. Assuming the handshake works similarly to the above scenario.

Also on same page about Dealership allowing you to program a flipper. I’ve probably referred to true Dealerships and independents as Dealerships at some point in this post for simplicity but recognize the difference. We’ll assume I have an independent that would let me try and load key data on a flipper as long as I paid a little over their standard key cloning rate XD

And thank you for the watch link! I will def check it out.

Ok bare with me I’ll just go over my terminology to hopefully make anything I say a little less fuzzy.

Yeh as you said dealers do not clone keys. For keyless ignitions nobody clones keys, for some makes the backup transponder could be cloned however I’m unaware of any solution that clones a full keyless key. You can get another key programmed in addition to yours by an independent or the dealer (doesn’t require tossing the original).

Nissan rogue I think is x-trail in my market so it’s PCF7953M HITAG AES. Theres some information in the above pdf. But the basics of it are the key has an ID and a seed and response system like you said. When programming a key it’s ID is added to the vehicles white list of accepted keys and the secret key of the car is loaded onto the key (it’s the actual start button on your car that does this on yours).

As you go over, theres 3 elements at play all controlled by the one chip. The proximity part (normally 125khz), the remote part (normally 315/433/868/915 depending on make/model/market) and the backup transponder (again 125khz but much lower power has to be basically touching, this part is actually powered parasitically and not by the key) The remote may well still be a (signed) rolling code as I believe this will only be one way communication. When you get close enough to the to the vehicle you’ll be using the proximity part, when touching the key directly to the button, if the key has no battery for example, then you’re using the passive backup transponder.

Flipper has hardware that would be able to send the remote locking signals, if you knew what to send, but with this likely being some form of rolling code you’ll advance the code kicking out the original at least until it catches up or is resynchronised.
I’ve not really looked at how flipper is doing the RFID implementation but I’d be surprised if it allows us the granular control to emulate the protocol for the transponder in this case
(however some other systems are very similar to more normal RFID tags) and I don’t think it’ll have anything able to do the keyless entry.

Seeing that programming, in the case of your nissan rogue, is done through the passive element/backup transponder of the key I’m not sure how it could be separately programmed as a remote even.

Hope this helps. Any questions on your car/in generally happy to help so fire away.


[RFID/RF/BLE/USB/IR/key-fob/ flipperzero

Yeah I tried to capture and use and instead got my fob to stop working. 2017 VW Jetta… Flipper worked once to unlock but then the fob doesn’t function HOWEVER my car accepts the key for driving and unlocking physically

tried to capture my 2016 Toyota Prius and a ford explorer but nutting not even the remote for are community gate can be read or analyzed


Rolling codes can give that issue. I captured my key fob and it worked once (rolling codes) but then my fob stopped working. Key still operates my ignition but I have no wireless unlock/lock function


The issue would be how could the flipper emulate the proper signals?

What I mean by this is yes, with the proper equipment you can program the flipper, but I think someone would have to make a plugin to emulate the prox car key (Unlock, lock, start?)

1 Like

Here is a link to my talk about the replay attacks. There are a handful of vehicles that do not roll code or at least it doesn’t matter such as the Nissan Armada. You can replay codes but you will not be able to start them because of a relationship between the fob and the LF transponder. That is a whole different talk. If you have n Armada give it a try we even did it to 2022 versions.

Yeah I tried to capture and use and instead got my fob to stop working. 2017 VW Jetta… Flipper worked once to unlock but then the fob doesn’t function HOWEVER my car accepts the key for driving and unlocking physically

Did you manage to resolve this. That can happen on some VW/Audi systems. If I remember correctly there’ll be a DTC in the central electric module you just have to clear that and should work again. If not try clearing and programming the remote again. If you have vcds you’ll be able to do this.

This was a question I had regarding the Passive Keyless Entry. I think it may be challenging to emulate, given the challenge/response on both the RFID and the UHF channels.

Screenshot 2022-05-17 at 12.31.42 PM


I have a simpler scenario that I’m not had any luck with. I just want to detect the presence of my keys leveraging the (passive?) keyless entry LF RFID. [Yes, I lost my keys in the house somewhere.] I was hoping to use the flipper to mimic the signal the car sends when I poke the button on the door handle. I’m assuming that causes the car to send a signal and this signal powers up something on the key fob to send a response. I want to detect that response. I understand the range is small but I was hoping to wave this around my closets and drawers. I have detected a 415MHZ signal when I sniff near the car but haven’t been successful at getting the keys to response without the car.

FCC ID seems to indicate that the FOB uses 315MHz. The range from the door is about 4ft but I can’t reliably detect the 315 signal in the Flipper frequency analyzer. Nor can I use the flipper to read or even detect my existing key.

Can the flipper read 125kHz signal of pke keyfob?

It could not read my fob. Not sure if that’s because it doesn’t transmit unless it like the signal it first received.