Pre-coded keys (BMW)

Probably an easy figure to encode, covers any possible usage criteria the vehicle is likely to be involved plus allows for lost keys

*bangs head against wall*

I think, for those struggling with the concept, that we've discovered that it's a 10 memory limit in the car's ECU, and absolutely f*ck all to do with physical keys, or even transponder 'codes'.

I'm astonished at the stupidity and complete lack of any kind of rational thought often exhibited by the average Brit, though.

[...]

I'm not; I've got used to it.

Chris

I thought so, but thanks for confirming.

Yes, I know someone who has it.

This is where I came in on the Fiat 500 thread, I was buying number plates on-line, and the plate manufacturer wanted this documentation (originals) physically sent to them.

The BMW dealers also have to take copies of the documents, before they order the new part, and keep the copies, for how long, the regulation doesn't state.

David

Of course one wonders why you can't make 2 identical keys.

Simple, many immobiliser systems now employ rolling code sequencing , the key is precoded then mapped to the ecu . Each time the key is inserted and successfully used the code rolls over.

This means the copied key coding would be out of step the ecu would reject the sequencing and the car wouldnt start.

That bit I've got, but given access to the car I doubt it's particularly insurmountable. Thereagain losing all ten keys must take some effort, presumably the ECU is unable to be updated due to the embarrassing ease with which the last one could be hacked.

You can reprogramme the ecu , you can even ave the immobilisation feature switched off.

Dealerships do not have the expertise to do this, its easier to plug in a new ecu

[...]

I can only speak for Ford systems, and they don't work like that.

The rolling code is only part of the remote unlocking, and does indeed change with each button press. To allow for the button being presses accidentally when out of range of the car, codes within a certain range are accepted. (This is why it's a bad idea to let your kids play with the keys!)

The 'code' for the immobiliser within the key *cannot* change. It's passive. Only the ECU's 'knowledge' of that particular code can be changed.

Within my proviso above, that's not true. The car would not *unlock* remotely, but would still start.

Chris

BMWs system goes back over 20 years so probably goes back to when EPROM memory was quite expensive and didn't give you a lot of bytes.

As a side effect (maybe intentional) it also means you can't keep throwing combinations at the ECU in a brute force attack.

Thats why its relatively easy to clone a ford key.

The chip in my relay van (fiat system) has this facility thats why its a pain to replace keys £260 for the remote about £140 for a standard its a sip key with a phillips transponder

I can run 4 keys which have to be programmed into the ecu via a laptop computer each channel has to be matched to a specific key and harmonised via a pin

AFAIK, any key which uses a 'transponder chip' which is separate to the remote plip bit of the key (but can still be physically in the same body) will be a passive, fixed, transponder. This includes the FIAT key

- and it's usually limited to cars where you still need to insert the key to start them.

The difference comes with keyless start systems - and this is where BMW came across issues, as you could hack the ECU to start the car without any key present - something which couldn't be done with the more traditional passive transponder systems.

nearly all vehicle transponders are passive they are only powered from an energising coil either around or near the ignition system , because they are passive does not mean they do not roll coding over on board.

The fiat keys use either phillips or megamos chips in the large vans usally an id48 . keys are crypto and the megamo carry a unique identification code which needs to be matched to the vehicle.

To match keys you either need dealer supplied key which will come preprogrammed from the manufacturer then matched via dealer available software or something like touchclone.

Fiat/ citoen /pug keys if supplied via a locksmith will probably need the ecu or immobiler removed and a track desoldered and the transponder precoding written manually via touchclone or something similar, the track resoldering and key matched

All 10 keys can be in use at any time, so BMW ECU has 10 different rolling codes.

If you have an out of step key there is usually some sequence that can be used to re-synch it.

Horrible number to encode

1010

Something that happens when software is specified and written by unqualified people.

16 or 8 are sensible for computers (counting 0 to 7 or 0 to 15). 0000 0001 0010 0011 0100 0101 0110 0111

1000

1001 1010 = 10 1011 1100 1101 1110 1111

Index from 1 wastes a location 0000.

10 indexes 0 - 9 is just as bad as 1 - 10. 0 - 1001 or 0001 to 1010? Really offensive.

The only reason for BMW to have to store a database of 10 key codes would be if all 10 key codes are precoded on the ECU at manufacture. Can't be removed or overwritten or invalidated. Then BMW's firewall must be getting some serious hacker attention to acquire that database.

If the codes aren't precoded on ECU then any code could be used for a new transponder and the dealer just writes that new code in the new key data slot.

Each of the 10 keys has it's own rolling code, get a fresh key code and it's not started rolling. Get that database, most BMW's you would be in and driving away on the 3rd try.

The BMW derived immobiliser module on the R56 Mini (2006-> ) can have lost / misplaced keys removed at the dealer such that the ECU no longer knows anything about them. That certainly implies some degree of *re*writing rather than just writing.

New immobiliser keys, supplied against V5C + proof of address + photographic proof of identity presented at a dealer, were programmed by a specialist department somewhere at BMW UK (their location is mentioned on the supplied documentation but it's in another country right now) They arrive in a couple of days at the dealer and work 'out of the box' and you certainly don't need a working key to enable a new one nor access to any diagnostic kit to code them on site to the vehicle. All 'user' configuration needs setting up on the vehicle so time / temperature / distance / fuel is all to pot with a new key.

YBMWMV :)