Key Fob Programming

[Fileark] has instructions for reprogramming keyless entry devices for your car. His demonstration video, which you can see after the break, shows how to make one key fob work for two different vehicles. In this case he’s working on a couple of Chevrolet trucks but there are instructions for GM, Ford, Dodge, Toyota, and Nissan. If you need to reprogram one of these you may find this useful, but we’re wondering how it can be incorporated into a project. If you can sniff out the communications that are going on during the programming you should be able to build and pair your own devices with a vehicle. Wouldn’t it be nice to incorporate your keyless entry into your wristwatch?

[youtube=http://www.youtube.com/watch?v=WxrKq0aI0iM]

57 thoughts on “Key Fob Programming

  1. These use KeeLoQ, a system owned by Microchip (makers of our happy line of PIC microcontrollers that we see in the Basic Stamp). KeeLoQ has supposedly been broken, though I haven’t personally seen the ‘sploit.

  2. Also, as an aside, Mike – I used to wince when i saw your articles. I didn’t realize until the last couple of days how good we’ve had it. Keep up the good work. This may not be the hackettyest hack ever, but it’s a damn sight better than an article that’s simply fraught with inaccuracies and an author who lies about the research they’ve done.

    Thanks for keeping the spirit and standards high.

  3. Forget putting this into a wrist watch (well maybe not forget as that would be cool as hell), let’s see it as a BlackBerry or Iphone App….. Oh then tie it into your clock and calender, alarm goes off wakes you up and starts your car waits X mins for you to get your coffee then unlocks the doors. Oh how winter mornings in morning Zombie mode would improve.

  4. These are just field programmable PM emitters. When you start working with field programmable passive transponders that use challenge/response systems like TI DST you have to have the cars ECM.

    Car ECM ASICs had efuse before any consumer electronics did to prevent bus sniffing and flashing probing payloads. This is news cause nobody reverse engineers these systems cause their metal coffins require them.

    1. I have a question as to whether it is possible to get an after market keyless entry set and instead of needing to have the key fob, match it to a key from a dealer with the fob integrated into the key. People keep telling me no, but surely there must be a way to do that, even if you have to take the new key apart and change components? I have a 2015 Jeep wrangler and I hate automatic windows, and just want power locks.

  5. Clever use of programming two vehicles for the same transmitter. That could be handy. What I’d like to see is a device that could transmit all the codes on all the frequencies (like one of those universal garage door openers that cycles through the codes for a particular brand of garage door opener, or like a TV-B-Gone). I know something like this is both do-able, and likely extremely illegal in some areas, but this past Friday when the guy I work for had his truck keys locked in his truck by another employee, it would have been a lot handier to just pop the door lock than using my jigglers and slim jim.

  6. @Lucky – I don’t think the radio involved is one that can be easily emulated by careful fiddling of say, the Bluetooth or WiFi transceiver. Having this happen entirely in a mobile platform application seems unlikely, as a result. That said, building a dongle to do this kind of thing seems reasonable, particularly as the public documentation on KeeLoQ readily describes implementation details.

  7. @Dosbomber

    It’s something I’ve talked about for a while, but don’t have the knowledge or skills to do.

    But there’s no reason it wouldn’t be possible. It probably wouldn’t even be that hard.

  8. @Mike – Looking back over my second comment, it was way more aggressive than I’d intended. Safely ignore the damning criticism and hold on tightly to the takeaway message: You’re doing a good job. This is well-researched and correct.

    That should be the very minimum standard to which articles adhere – when an article falls well short of that mark, it’s really going to show, particularly with a readerbase that has quite a lot of technical knowledge and ability across the entire group.

  9. Good job explaining this, I really like your site its very informative and easy to understand. I have been working with electronics and oomputers for 15 years so I am not usually easily impressed, refreshing to see someone explain this stuff where anyone can understand. Check his site out, its pretty good.

  10. One other thing, this guy can be glad he has vehicles that make this reprogramming easier. Modern Fords that I know of require you to cycle the Acc mode with your ignition 8 times, and even that’s easy..

    On mine, I had to take the inner panels of the trunk apart, find a loose pair of wires with a molex connector which has no other purpose in life but for this reprogramming system. Shunt those two wires with a paper clip or a wire, THEN you’re ready to start the ignition and keyfob steps. Which side is the wire on, left or right? That seems to depend on your make, model, and year of your car, and there doesn’t seem to be any written record to save you some time.

    Who came up with this “hidden dangling wire” system??

  11. That last comment was supposed to end with a line about slapping a Ford engineer, but apparently this forum doesn’t like brackets.

    @Rob:
    I don’t think it would be difficult, if I did some research into the KeeLoq system and built a microcontroller-driven signal transmitter. I’ve already build a “universal” garage door opener that cycled through all the possible combinations. Really easy. Generally this would be pretty short range, too, so it’s not like you’d be randomly setting off keyfob panic button alarms across a huge parking lot……….

    …..hmmmmm……

  12. @Dosbomber: Yeah that’s a field programmable passive transponder with a DST type protocol. The ECM programs the units, and usually requires 2 additional transponders for verification.

    That is just on modern economy cars too, it’s slightly more complex on high-end cars.

  13. A real hack would be doing this with 8th gen honda. You need a PC + a voodoo doll and sacrifice a chicken to program a keyfob for a current honda car.

    P.S: doing simple GM or Ford keyfob programming is NOT A HACK.. it’s something that most people in car circles have done for centuries (maybe even thousands of years) and is easily found online.

    P.S. doing this makes your local car dealer cry as they cant charge $250.00 an hour to do it in 30 seconds and then make you wait 30 minutes to charge you $125.00…

    Car dealers = Thieves.

  14. “Its fairly easy to program a replacement keyless entry remote. Even better, what if you have two vehicles the same make, can they use the same remote? Absolutely!”

    Somehow I don’t think this is a good idea. If the cars are usually parked next to each other, how to you prevent a command from affecting both vehicles. I can see myself driving off and leaving the other car unlocked unintentionally.

  15. @fartface I have to agree with you there , not sure who was the bigger thief the dealer I bought the car used from who doesn’t mention the only key they have is a single valet key until after all paperwork is signed and check is handed over or the Honda service department who charges me $220+ to have two keys made and programmed…

  16. I did the same thing with the Subaru Outback cars I drive. Interestingly, if I spend a lot of time using only one of the cars out of range of the other car, the key fob stops working on the unused one until I’ve driven that car a few times.

    Regarding the problem with accidentally leaving the other car unlocked: Most cars will ignore key fobs once the key is in the ignition, so my trick is to put the key in, and then use the lock button.

    All-in-all, it sure beats carrying two bulky key fobs.

  17. the fact that it stops working on the rarely used car fits perfectly with the rolling window the PDF i linked explains
    its part of the protect against repeating old transmisions

  18. @Sparkinium: That’s usually caused because the ECU only calculates 256 code-hopping codes (previous 256? next 256? 256 in all? I forget), and you may have crossed the threshold of acceptable codes that it is expecting.

    You generally have to press the button a few times for your fob to advance to a code that the ECU is expecting.

  19. Nice video. Does anyone know how to program a second chip key for a Dodge Caravan. My wife bought one and it only came with one key. The dealer wants something like $90 to program a second one. They have them cheap on Ebay but it looks like you need 2 keys to program a third.

    Anyone know how to program a spare with only one original?
    http://cgi.ebay.com/ebaymotors/04-07-DODGE-CARAVAN-TRANSPONDER-CHIP-KEY-UNCUT-_W0QQcmdZViewItemQQhashZitem1c12d06718QQitemZ120574732056QQptZMotorsQ5fCarQ5fTruckQ5fPartsQ5fAccessories

  20. For 2000 – 2005 VWs, most of the time you can adapt the remote by putting one key in the ignition, turning ignition on but don’t start the engine. Now get out of the car and shut the door, put a second key in the door handle, then turn and hold in the lock position, while holding in the lock position, press the lock button on the remote you wish to add.

    I’ve got two 2004 Jetta wagons that each use the same key. I’m going to add a 2004 R32 as well, just need to order the tumbers. Starting in 2002, VW and Audi came out with Immobilizer 3, in which once a key is adapted to a car (Immobilizer serial number), it gets locked down. I had to pull my wifes instrument cluster out of her car and adapt it to my car, return it to her car and adapt the ECM to the instrument cluster. If you scan her car, it pulls up my VIN and Immobilizer info. I will do the same with the R32.

    2000 and 2001 models use Immobilizer 2 and the keys are not locked down, so it is a matter of just changing the locks then adapting new keys to the immobilizer system.

    1. Got a VW Golf 2.0 stationwagon here, production year 1993 but ‘model 2003’ according to the Swedish DMV. The instructions in the manual for key programming (hold down a button, let go, turn key in door either way, done) didn’t work at all. I have two keys with working transponders. Remotes are original VW too.

      What FINALLY worked was a modification on the above: Put working key w/ working remote in the ignition, turn it all the way on but do not start engine. Step outside, windows closed, close driver side door. Put key #2 (the one I want to sync) in the door lock. Press ‘lock’ on its remote for a couple of seconds. Nothing happens, and nothing’s supposed to happen. Let go of button, turn key to Lock (central locking should now lock all doors), turn key to Unlock (central locking should now open all doors again).

      After this, finally, I have two working remotes again. This must’ve been the thirtieth site or so I futilely looked for help in. *pant*
      (Don’t care much if one key loses sync now, when I at last have the Magic Sequence to re-sync the other up. :D )

  21. About hacking together your own transmitter and/or receiver: no can do. I only know the specifics of the KeeLoq version – but I’m fairly confident all keyless stuff works similarly these days – and the idea is that everything in the system has to possess a secret key which you cannot discover by sniffing the traffic. Well, not unless the particular method was broken and you know how to implement that attack. So basically no amount of spec-reading and Arduino-toting is gonna let you hack stuff like that (but it might make one look less… erm… uninformed).

  22. I sniffed and decoded my late model Nissan fob. 315 MHz pwm encoding, uses keeloq. 32 cipher bits 28 bit serial 4 bit function 2 bit verify. Everything you need can be found on the FCC website. Keeloq manufacturers code can be broken from differential power analysis of receiver on rolling code type implementation. Can also be brute forced (with optimizations) on challenge/response implementation (like prius). Once you have manufacturers code, 64 bit key can be derived from plaintext serial ( sent over the air).

  23. Lol, this is not a hack. What a pointless exercise. JUST GUESS what happens when you use the key fob on one car a specified number of times when it is out of range of the other vehicle? IT STOPS WORKING. All you have to do to make your key fob stop working on your car is take it out of range and hit the unlock button about 50 times. This is a completely pointless exercise, and I don’t understand why this was even published.

    Again, I say, this is NOT a hack. Do-it-yourself remote programming has been common knowledge since the internet was the internet, users have been programming their own key fobs since cars had the freaking things.

    Show me a key fob that has been hacked to mimic two different key fobs, WITHOUT LOSING SYNC, and I will acknowledge THAT as a hack.

    The only hack here is whomever thought this was actually a hack. Sorry. Truth hurts.

  24. Hi Jake,

    Even though this isn’t something that someone working at a car dealership doesn’t already know I find it interesting how this stuff works. You bring up an interesting point about the fob not working after some time though. I didn’t realize that the fobs had two way communication.

    The other thing that I could see being a pain is when both vehicles are in the driveway you will unlock both of them when you get into one of them and you will have to remember to lock the other one before you drive off.

  25. Yeah sorry for getting all worked up about it. No offense to the HAD guys. This just doesn’t make any sense, I think someone needs to work on a dual-identity keyfob instead of this silliness.

  26. Even though the key fob does have a rolling key, it seems to work fairly well on this 2003 and 2004 Silverado. Of course I was kind of lucky to have two vehicles that use the same model of key fob. Even when I go to work and the wife goes to town and we end up clicking the remotes about 5-10 times it only takes one extra click to get the vehicles back in sync with the fob.
    I think the convenience is worth it. If I do go on a road trip it and they do get out of sync it will take me a whole minute to re pair the fob to a vehicle.
    Obviously the dual vehicle with a single remote thing is not perfect and will not work on all makes and models.
    I also would like to mention that it may be common knowledge how to program a remote if you work for a car dealer but most people have never done it nor did I find any helpful videos on the web.

  27. If i understand this correctly you could program two fobs into a vehicle and only one of them in the other.
    One fob would open both and the other only one.
    Like a master key. You could say unlock you kids cars with your fob, without giving them access to yous.
    This is where the potential for all sorts of nasty things creep in.
    I.E.
    You have temporary access to someones keys and fob. Maybe you borrowed there car, maybe you lifted them from there desk while they were asleep, maybe they made the mistake of letting you wait in the car with the A/C on. You could then reprogram there fob and yours into there vehicle. Return there fob/keys and no one is the wiser. Congratulations you now have access to there car.

  28. @Wifiguy: That’s why most of the ignition system require a 2:1 cloning process on-board. If you just have one key and one cut key with a unprogrammed transponder it’s useless. Unless it’s a TI system and you have a JET smartclone. Then 1:1 is possible.

    Some fixed code systems also work with the JET unit. My 2010 RX8 has two keys, one is Megamos chip and the other is Phillips. They have different crypto. TI uses DST protocol which has been reverse engineered in industrial and academic circles.

  29. @Wifiguy

    It will only work for a short time. The remote will lose sync with the other vehicle once the remote buttons have been pressed a sufficient number of times while out of range of the other vehicle.

    I’m telling you guys, someone needs to make a multi-identity remote. THAT would be cool, and would definitely qualify as a hack!

  30. does any body know where i can learn how to program a remote keyfob for a 1998 Jeep Grand Cherokee? its supposed to be a dealer or locksmith only job, but they want $45 to do it. if my jeep was still in good shape it might be worth it, buts its not. I have trouble setting off the alarm opening it with just the key. im thinking there has to be a way to access te information in the computer with a scan tool, but i dont know what it is, where to look for it, or what to do with it once i found it.

  31. I have two wireless key fobs. One that came with my car and the other with the installation of Bulldog Auto Start. Is there a way to buy a keyfob with Autostart button already available and combine the two key fobs into one?

  32. Hey, so I bought a used Infiniti and it came with only one keyfob. I know I can buy an aftermarket one and program it, but I profess ignorance: to start the car I have to insert the pointed end into the lock. If I bought an aftermarket keyfob with a similar look, will it start the car? Is the real reason why the car starts the electronics in the keyfob?

  33. Is there something similar I can do to program a fob for a 1999 Olds 88? I looked up a way to use an out/plug under the dash and use a little jumper wire. but I don’t feel safe thinking it may short something using a jumper wire in that way.

Leave a Reply to karlCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.