Key fob programming

[Fileark] has instructions for reprogramming keyless entry devices for your car. His demonstration video, which you can see after the break, shows how to make one key fob work for two different vehicles. In this case he’s working on a couple of Chevrolet trucks but there are instructions for GM, Ford, Dodge, Toyota, and Nissan. If you need to reprogram one of these you may find this useful, but we’re wondering how it can be incorporated into a project. If you can sniff out the communications that are going on during the programming you should be able to build and pair your own devices with a vehicle. Wouldn’t it be nice to incorporate your keyless entry into your wristwatch?

Comments

  1. freekyfrogy says:

    Do they have the frequencies for Lamborghini’s?

  2. James says:

    These use KeeLoQ, a system owned by Microchip (makers of our happy line of PIC microcontrollers that we see in the Basic Stamp). KeeLoQ has supposedly been broken, though I haven’t personally seen the ‘sploit.

  3. James says:

    Also, as an aside, Mike – I used to wince when i saw your articles. I didn’t realize until the last couple of days how good we’ve had it. Keep up the good work. This may not be the hackettyest hack ever, but it’s a damn sight better than an article that’s simply fraught with inaccuracies and an author who lies about the research they’ve done.

    Thanks for keeping the spirit and standards high.

  4. Mike Szczys says:

    @James: Um… thanks?

    Really, take it easy with the criticism. Be constructive and we’ll listen.

  5. Lucky says:

    Forget putting this into a wrist watch (well maybe not forget as that would be cool as hell), let’s see it as a BlackBerry or iPhone App….. Oh then tie it into your clock and calendar, alarm goes off wakes you up and starts your car waits X mins for you to get your coffee then unlocks the doors. Oh how winter mornings in morning Zombie mode would improve.

  6. David S says:

    That’s pretty sweet.

  7. xorpunk says:

    These are just field programmable PM emitters. When you start working with field programmable passive transponders that use challenge/response systems like TI DST you have to have the cars ECM.

    Car ECM ASICs had efuse before any consumer electronics did to prevent bus sniffing and flashing probing payloads. This is news cause nobody reverse engineers these systems cause their metal coffins require them.

  8. Dosbomber says:

    Clever use of programming two vehicles for the same transmitter. That could be handy. What I’d like to see is a device that could transmit all the codes on all the frequencies (like one of those universal garage door openers that cycles through the codes for a particular brand of garage door opener, or like a TV-B-Gone). I know something like this is both do-able, and likely extremely illegal in some areas, but this past Friday when the guy I work for had his truck keys locked in his truck by another employee, it would have been a lot handier to just pop the door lock than using my jigglers and slim jim.

  9. James says:

    @Lucky – I don’t think the radio involved is one that can be easily emulated by careful fiddling of say, the Bluetooth or WiFi transceiver. Having this happen entirely in a mobile platform application seems unlikely, as a result. That said, building a dongle to do this kind of thing seems reasonable, particularly as the public documentation on KeeLoQ readily describes implementation details.

  10. Rob says:

    @Dosbomber

    It’s something I’ve talked about for a while, but don’t have the knowledge or skills to do.

    But there’s no reason it wouldn’t be possible. It probably wouldn’t even be that hard.

  11. James says:

    @Mike – Looking back over my second comment, it was way more aggressive than I’d intended. Safely ignore the damning criticism and hold on tightly to the takeaway message: You’re doing a good job. This is well-researched and correct.

    That should be the very minimum standard to which articles adhere – when an article falls well short of that mark, it’s really going to show, particularly with a readerbase that has quite a lot of technical knowledge and ability across the entire group.

  12. Kyle says:

    Good job explaining this, I really like your site, it’s very informative and easy to understand. I have been working with electronics and computers for 15 years so I am not usually easily impressed, refreshing to see someone explain this stuff where anyone can understand. Check his site out, it’s pretty good.

  13. Dosbomber says:

    One other thing, this guy can be glad he has vehicles that make this reprogramming easier. Modern Fords that I know of require you to cycle the Acc mode with your ignition 8 times, and even that’s easy..

    On mine, I had to take the inner panels of the trunk apart, find a loose pair of wires with a molex connector which has no other purpose in life but for this reprogramming system. Shunt those two wires with a paper clip or a wire, THEN you’re ready to start the ignition and keyfob steps. Which side is the wire on, left or right? That seems to depend on your make, model, and year of your car, and there doesn’t seem to be any written record to save you some time.

    Who came up with this “hidden dangling wire” system??

  14. Dosbomber says:

    That last comment was supposed to end with a line about slapping a Ford engineer, but apparently this forum doesn’t like brackets.

    @Rob:
    I don’t think it would be difficult, if I did some research into the KeeLoq system and built a microcontroller-driven signal transmitter. I’ve already built a “universal” garage door opener that cycled through all the possible combinations. Really easy. Generally this would be pretty short range, too, so it’s not like you’d be randomly setting off keyfob panic button alarms across a huge parking lot……….

    …..hmmmmm……

  15. xorpunk says:

    @Dosbomber: Yeah that’s a field programmable passive transponder with a DST type protocol. The ECM programs the units, and usually requires 2 additional transponders for verification.

    That is just on modern economy cars too, it’s slightly more complex on high-end cars.

  16. davo says:

    i think its quite clever

  17. fartface says:

    A real hack would be doing this with 8th gen honda. You need a PC + a voodoo doll and sacrifice a chicken to program a keyfob for a current honda car.

    P.S: doing simple GM or Ford keyfob programming is NOT A HACK.. it’s something that most people in car circles have done for centuries (maybe even thousands of years) and is easily found online.

    P.S. doing this makes your local car dealer cry as they cant charge $250.00 an hour to do it in 30 seconds and then make you wait 30 minutes to charge you $125.00…

    Car dealers = Thieves.

  18. amishx64 says:

    I can see this being incorporated into another project of mine. Thanks!

  19. timmah! says:

    “Its fairly easy to program a replacement keyless entry remote. Even better, what if you have two vehicles the same make, can they use the same remote? Absolutely!”

    Somehow I don’t think this is a good idea. If the cars are usually parked next to each other, how do you prevent a command from affecting both vehicles? I can see myself driving off and leaving the other car unlocked unintentionally.

  20. @fartface I have to agree with you there , not sure who was the bigger thief the dealer I bought the car used from who doesn’t mention the only key they have is a single valet key until after all paperwork is signed and check is handed over or the Honda service department who charges me $220+ to have two keys made and programmed…

  21. mike says:

    http://atmel.com/dyn/resources/prod_documents/doc2600.pdf

    this PDF explains how to write the software for a keyfob that includes AES signing on the packets and all the basics of how the security works, i assume the keyfobs for most cars work on the same basic principles

    (for more information, its ‘AVR411: Secure Rolling Code Algorithm for Wireless Link’ from http://atmel.com/dyn/products/app_notes.asp?family_id=607)

  22. Sparkinium says:

    I did the same thing with the Subaru Outback cars I drive. Interestingly, if I spend a lot of time using only one of the cars out of range of the other car, the key fob stops working on the unused one until I’ve driven that car a few times.

    Regarding the problem with accidentally leaving the other car unlocked: Most cars will ignore key fobs once the key is in the ignition, so my trick is to put the key in, and then use the lock button.

    All-in-all, it sure beats carrying two bulky key fobs.

  23. mike says:

    the fact that it stops working on the rarely used car fits perfectly with the rolling window the PDF I linked explains
    it’s part of the protection against repeating old transmissions

  24. Shadyman says:

    @Sparkinium: That’s usually caused because the ECU only calculates 256 code-hopping codes (previous 256? next 256? 256 in all? I forget), and you may have crossed the threshold of acceptable codes that it is expecting.

    You generally have to press the button a few times for your fob to advance to a code that the ECU is expecting.

  25. anon says:

    Programming Honda Fit Key (might work with other Hondas)

    http://www.fitfreak.net/forums/fit-diy-repair-maintenance/30638-programming-oem-fit-sport-key.html

    I bought my key fob off ebay and saved $150

  26. Sam says:

    Anyone know how to do this for a Benz? (without bending over and taking it real hard at the dealership)

  27. Alan Parekh says:

    Nice video. Does anyone know how to program a second chip key for a Dodge Caravan. My wife bought one and it only came with one key. The dealer wants something like $90 to program a second one. They have them cheap on Ebay but it looks like you need 2 keys to program a third.

    Anyone know how to program a spare with only one original?

    http://cgi.ebay.com/ebaymotors/04-07-DODGE-CARAVAN-TRANSPONDER-CHIP-KEY-UNCUT-_W0QQcmdZViewItemQQhashZitem1c12d06718QQitemZ120574732056QQptZMotorsQ5fCarQ5fTruckQ5fPartsQ5fAccessories

  28. Pencilneck says:

    For 2000 – 2005 VWs, most of the time you can adapt the remote by putting one key in the ignition, turning ignition on but don’t start the engine. Now get out of the car and shut the door, put a second key in the door handle, then turn and hold in the lock position, while holding in the lock position, press the lock button on the remote you wish to add.

    I’ve got two 2004 Jetta wagons that each use the same key. I’m going to add a 2004 R32 as well, just need to order the tumblers. Starting in 2002, VW and Audi came out with Immobilizer 3, in which once a key is adapted to a car (Immobilizer serial number), it gets locked down. I had to pull my wife’s instrument cluster out of her car and adapt it to my car, return it to her car and adapt the ECM to the instrument cluster. If you scan her car, it pulls up my VIN and Immobilizer info. I will do the same with the R32.

    2000 and 2001 models use Immobilizer 2 and the keys are not locked down, so it is a matter of just changing the locks then adapting new keys to the immobilizer system.

  29. Max says:

    About hacking together your own transmitter and/or receiver: no can do. I only know the specifics of the KeeLoq version – but I’m fairly confident all keyless stuff works similarly these days – and the idea is that everything in the system has to possess a secret key which you cannot discover by sniffing the traffic. Well, not unless the particular method was broken and you know how to implement that attack. So basically no amount of spec-reading and Arduino-toting is gonna let you hack stuff like that (but it might make one look less… erm… uninformed).

  30. Elliot says:

    I sniffed and decoded my late model Nissan fob. 315 MHz pwm encoding, uses keeloq. 32 cipher bits 28 bit serial 4 bit function 2 bit verify. Everything you need can be found on the FCC website. Keeloq manufacturers code can be broken from differential power analysis of receiver on rolling code type implementation. Can also be brute forced (with optimizations) on challenge/response implementation (like prius). Once you have manufacturers code, 64 bit key can be derived from plaintext serial ( sent over the air).

  31. Radar says:

    Sparkinium do you have the programming instructions for Outbacks ?

  32. Jake says:

    Lol, this is not a hack. What a pointless exercise. JUST GUESS what happens when you use the key fob on one car a specified number of times when it is out of range of the other vehicle? IT STOPS WORKING. All you have to do to make your key fob stop working on your car is take it out of range and hit the unlock button about 50 times. This is a completely pointless exercise, and I don’t understand why this was even published.

    Again, I say, this is NOT a hack. Do-it-yourself remote programming has been common knowledge since the internet was the internet, users have been programming their own key fobs since cars had the freaking things.

    Show me a key fob that has been hacked to mimic two different key fobs, WITHOUT LOSING SYNC, and I will acknowledge THAT as a hack.

    The only hack here is whomever thought this was actually a hack. Sorry. Truth hurts.

  33. Alan Parekh says:

    Hi Jake,

    Even though this isn’t something that someone working at a car dealership doesn’t already know I find it interesting how this stuff works. You bring up an interesting point about the fob not working after some time though. I didn’t realize that the fobs had two way communication.

    The other thing that I could see being a pain is when both vehicles are in the driveway you will unlock both of them when you get into one of them and you will have to remember to lock the other one before you drive off.

  34. Jake says:

    Yeah sorry for getting all worked up about it. No offense to the HAD guys. This just doesn’t make any sense, I think someone needs to work on a dual-identity keyfob instead of this silliness.

  35. Fileark says:

    Even though the key fob does have a rolling key, it seems to work fairly well on this 2003 and 2004 Silverado. Of course I was kind of lucky to have two vehicles that use the same model of key fob. Even when I go to work and the wife goes to town and we end up clicking the remotes about 5-10 times it only takes one extra click to get the vehicles back in sync with the fob.
    I think the convenience is worth it. If I do go on a road trip and they do get out of sync it will take me a whole minute to re-pair the fob to a vehicle.
    Obviously the dual vehicle with a single remote thing is not perfect and will not work on all makes and models.
    I also would like to mention that it may be common knowledge how to program a remote if you work for a car dealer but most people have never done it nor did I find any helpful videos on the web.

  36. Wifiguy says:

    If I understand this correctly you could program two fobs into a vehicle and only one of them in the other.
    One fob would open both and the other only one.
    Like a master key. You could say unlock your kids’ cars with your fob, without giving them access to yours.
    This is where the potential for all sorts of nasty things creeps in.
    I.E.
    You have temporary access to someone’s keys and fob. Maybe you borrowed their car, maybe you lifted them from their desk while they were asleep, maybe they made the mistake of letting you wait in the car with the A/C on. You could then reprogram their fob and yours into their vehicle. Return their fob/keys and no one is the wiser. Congratulations you now have access to their car.

  37. xorpunk says:

    @Wifiguy: That’s why most of the ignition systems require a 2:1 cloning process on-board. If you just have one key and one cut key with an unprogrammed transponder it’s useless. Unless it’s a TI system and you have a JET smartclone. Then 1:1 is possible.

    Some fixed code systems also work with the JET unit. My 2010 RX8 has two keys, one is Megamos chip and the other is Phillips. They have different crypto. TI uses DST protocol which has been reverse engineered in industrial and academic circles.

  38. Jake says:

    @Wifiguy

    It will only work for a short time. The remote will lose sync with the other vehicle once the remote buttons have been pressed a sufficient number of times while out of range of the other vehicle.

    I’m telling you guys, someone needs to make a multi-identity remote. THAT would be cool, and would definitely qualify as a hack!

  39. thlip says:

    @radar

    found a guide on how to do it. Someone told me that the directions are in some user manuals as well.

    http://www.subaruoutback.org/forums/65-parts-accessories-performance/18655-new-key-fob-programming-button-location.html

  40. I am totally into this!

  41. Dusty says:

    so will this work on a 09 chevy? Or does that only work on the 06 chevys?

  42. Matt says:

    Interesting concept. I had a hard time finding the correct keyless entry programming instructions for my truck

  43. johnjohn says:

    does anybody know where I can learn how to program a remote keyfob for a 1998 Jeep Grand Cherokee? It’s supposed to be a dealer or locksmith only job, but they want $45 to do it. If my jeep was still in good shape it might be worth it, but it’s not. I have trouble setting off the alarm opening it with just the key. I’m thinking there has to be a way to access the information in the computer with a scan tool, but I don’t know what it is, where to look for it, or what to do with it once I found it.

  44. kira says:

    I have two wireless key fobs. One that came with my car and the other with the installation of Bulldog Auto Start. Is there a way to buy a keyfob with Autostart button already available and combine the two key fobs into one?

  45. karl says:

    @kira glue them together, so u haf 1 xD

  46. Sean says:

    Hey, so I bought a used Infiniti and it came with only one keyfob. I know I can buy an aftermarket one and program it, but I profess ignorance: to start the car I have to insert the pointed end into the lock. If I bought an aftermarket keyfob with a similar look, will it start the car? Is the real reason why the car starts the electronics in the keyfob?

  47. Mike H says:

    Is there something similar I can do to program a fob for a 1999 Olds 88? I looked up a way to use an out/plug under the dash and use a little jumper wire. but I don’t feel safe thinking it may short something using a jumper wire in that way.
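
The rolling-window behaviour discussed in comments 22 to 24, 32 and 35 (a shared fob drifting out of sync with the car it was not used on, and old transmissions being refused) can be modelled on the receiver side. This is an added example, not code from the post, the commenters, KeeLoq or the AVR411 note: the window sizes are illustrative assumptions, HMAC-SHA256 stands in for the real cipher, and the key and serial are constructed values.

```python
import hashlib
import hmac

OPEN_WINDOW = 16      # assumed: codes this far ahead are accepted immediately
RESYNC_WINDOW = 1024  # assumed: further ahead needs two consecutive codes

def tag(key, serial, counter):
    # HMAC-SHA256 stands in for the real cipher/MAC (not KeeLoq, not AVR411's AES).
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self):
        self.counter += 1  # every press burns one code, heard or not
        return self.serial, self.counter, tag(self.key, self.serial, self.counter)

class Receiver:
    def __init__(self):
        self.paired = {}  # serial -> per-fob state

    def learn(self, fob):
        self.paired[fob.serial] = {"key": fob.key, "last": fob.counter, "pending": None}

    def receive(self, frame):
        serial, counter, mac = frame
        st = self.paired.get(serial)
        if st is None or not hmac.compare_digest(mac, tag(st["key"], serial, counter)):
            return "reject"            # unknown fob or bad authentication tag
        ahead = counter - st["last"]
        if ahead <= 0:
            st["pending"] = None
            return "replay"            # old code: never accepted again
        if ahead <= OPEN_WINDOW:
            st["last"], st["pending"] = counter, None
            return "accept"
        if ahead <= RESYNC_WINDOW:
            if st["pending"] is not None and counter == st["pending"] + 1:
                st["last"], st["pending"] = counter, None
                return "accept"        # second consecutive code completes the resync
            st["pending"] = counter
            return "resync-pending"    # valid but too far ahead: wait for the next press
        st["pending"] = None
        return "reject"                # beyond both windows: re-pairing needed

def shared_fob(presses_away):
    """One fob paired to two cars; car B misses `presses_away` presses."""
    fob = Fob(b"constructed-demo-key", 0x0123456)  # constructed sample values
    car_a, car_b = Receiver(), Receiver()
    car_a.learn(fob)
    car_b.learn(fob)
    first = fob.press()                 # both cars in the driveway hear this one
    car_a.receive(first)
    seen_by_b = [car_b.receive(first)]
    for _ in range(presses_away):       # fob used on car A, out of range of car B
        car_a.receive(fob.press())
    seen_by_b.append(car_b.receive(fob.press()))  # back home: first press
    seen_by_b.append(car_b.receive(fob.press()))  # second press
    seen_by_b.append(car_b.receive(first))        # re-sent old frame
    return seen_by_b
```

`shared_fob(5)`, `shared_fob(50)` and `shared_fob(2000)` show the three regimes for the second car: still in sync, recovered by one extra press, and locked out until the fob is paired again.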
