Save Big by Hacking Your Car Keys

Three hundred bucks for a new car key? Nonsense! When you lose your keys or want to have an extra made for that new teen driver, don’t let the stealership lighten your wallet. Just pull the ECU and hack some hex to add the new keys.

The video below is a whirlwind tour of the process [speedkar9] uses to reprogram Toyota ECUs to allow new keys to pass the security test on your new(er) car. Since the early 2000s or so, most manufacturers have included RFID chips in their keys so that only known keys will start a car. In Toyotas, this is done by an RFID reader in the steering column that passes the inserted key’s code to the engine control unit. If the 8-byte key code matches one of three values stored in the ECU, the car will start. Clearing the EEPROM in the ECU is the focus of [speedkar9]’s process, which involves connecting to the EEPROM and reading out its contents. His rig includes an RS-232 serial connection, so the hardest part of this hack might be rounding up a PC with a DB-9 jack, but once you’ve got that covered, it’s just a little bit-bashing to “virginize” the ECU to ready it for reprogramming.

The details of the procedure will vary by manufacturer, of course, and cars of a more recent vintage will likely have even more security to worry about. Might you even run afoul of DRM like you would by hacking a tractor? Perhaps. But $300 is $300.

Thanks to [darkspr1te] for the heads up on this one.
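To make the immobilizer logic described above concrete, here is a small added model in Python. It is not code from the video or from [speedkar9]; the EEPROM layout (three consecutive 4-byte slots, 0xFF bytes marking an erased slot) and the sample dump are constructed assumptions for illustration, not Toyota’s actual format. It shows the lookup the ECU performs, treats an erased slot as never matching, and computes the key-space sizes that come up in the comments (16^8 = 2^32 versus the video’s 15^8).

```python
import hmac

# Assumed layout (constructed for this example, not the real ECU format):
# three consecutive slots, each holding one key code of 8 hex nybbles
# (4 bytes); an erased slot reads back as all 0xFF.
SLOT_SIZE = 4
SLOT_COUNT = 3
EMPTY_SLOT = b"\xff" * SLOT_SIZE

# Constructed sample dump: two keys registered, third slot erased.
SAMPLE_EEPROM = bytes.fromhex("1a2b3c4d" "deadbeef" "ffffffff")


def registered_keys(eeprom):
    """Return the key codes found in populated slots of a dump."""
    slots = [eeprom[i * SLOT_SIZE:(i + 1) * SLOT_SIZE] for i in range(SLOT_COUNT)]
    return [s for s in slots if s != EMPTY_SLOT]


def free_slots(eeprom):
    """Number of slots still available for a new key."""
    return SLOT_COUNT - len(registered_keys(eeprom))


def key_accepted(eeprom, presented):
    """Model of the immobilizer check: the engine may start only if the
    presented code equals one of the populated slots. Erased slots are
    skipped so a key coded 0xFFFFFFFF cannot start a freshly cleared ECU.
    compare_digest keeps each comparison constant-time; whether the real
    ECU bothers with that is not something the video tells us."""
    if len(presented) != SLOT_SIZE:
        return False
    matched = False
    for code in registered_keys(eeprom):
        # check every slot rather than returning on the first hit
        matched |= hmac.compare_digest(code, presented)
    return matched


def key_space(nybbles=8, values_per_nybble=16):
    """Size of the identifier space: 16^8 = 2^32 for full hex nybbles;
    15^8 if one value per nybble were reserved, as the video's figure implies."""
    return values_per_nybble ** nybbles


if __name__ == "__main__":
    print("registered:", [k.hex() for k in registered_keys(SAMPLE_EEPROM)])
    print("free slots:", free_slots(SAMPLE_EEPROM))
    print("deadbeef accepted:", key_accepted(SAMPLE_EEPROM, bytes.fromhex("deadbeef")))
    print("key space:", key_space(), "vs", key_space(values_per_nybble=15))
```

The point of the model is what it does not contain: there is no challenge or secret, only a static identifier compared against a table. Anyone who can read either the key’s transponder or the ECU’s EEPROM holds the whole credential, which is why cloning works and why newer immobilizers (as the locksmith comments below describe) move to encrypted data and challenge/response instead.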

67 thoughts on “Save Big by Hacking Your Car Keys”

  1. You can also simply tape the RFID chip from an existing key inside the steering column, within range of the reader, and then duplicate the metal key. You can also find 3D printable replacement key housings on thingiverse if your plastic key is broken.

    1. Good luck making an insurance claim if your car is stolen because the thief was able to bypass the lock thanks to leaving the immobilizer chip inside the car…

        1. Scrape your car, fix it yourself; their car, pay them at the roadside.
          Stolen, GPS tracker, steal it back. It’s only really worth claiming if you’ve got a decent car and it ends up totally destroyed.

  2. On at least some cars it is easier to use plain metal keys and mount the RFID one inside the steering column.
    A continuous loop of wire with small loops around the key and around the ignition can take care of range issues.

  3. I’m not seeing any boards pulled here.

    https://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/
    “This clear vulnerability in [wireless] keys facilitates the work of thieves immensely,” reads a post in German about the researchers’ findings on the ADAC website. “The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner.”

    That car key hack is far from new: Swiss researchers published a paper detailing a similar amplification attack as early as 2011. But the ADAC researchers say they can perform the attack far more cheaply than those predecessors, spending just $225 on their attack device compared with the multi-thousand-dollar software-defined radios used in the Swiss researchers’ study. They’ve also tested a larger array of vehicles and, unlike the earlier study, released the specific makes and models of which vehicles were susceptible to the attack; they believe that hundreds of thousands of vehicles in driveways and parking lots today remain open to the wireless theft method.

    The Vulnerable Makes and Models

    Here’s the full list of vulnerable vehicles from their findings, which focused on European models: the Audi A3, A4 and A6, BMW’s 730d, Citroen’s DS4 CrossBack, Ford’s Galaxy and Eco-Sport, Honda’s HR-V, Hyundai’s Santa Fe CRDi, KIA’s Optima, Lexus’s RX 450h, Mazda’s CX-5, MINI’s Clubman, Mitsubishi’s Outlander, Nissan’s Qashqai and Leaf, Opel’s Ampera, Range Rover’s Evoque, Renault’s Traffic, Ssangyong’s Tivoli XDi, Subaru’s Levorg, Toyota’s RAV4, and Volkswagen’s Golf GTD and Touran 5T. Only the BMW i3 resisted the researchers’ attack, though they were still able to start its ignition. And the researchers posit—but admit they didn’t prove—that the same technique likely would work on other vehicles, including those more common in the United States, with some simple changes to the frequency of the equipment’s radio communications.

  4. I’m torn on this one. On the one hand, my mom lost her spare Toyota key and did with just one for a year before she finally decided it was worth the ridiculous $400 price to not get hopelessly stranded if you misplaced the second key. So I definitely see the incentive behind this. But if you brick the ECU that’s a lot more than $400 once you also throw in that you’ve voided the warranty. Still an awesome hack though.

      1. My 2012 Kia came with an integrated remote-control-frob / popout key arrangement. After both of them had the keys break off near the (fairly weak) hinge joint, I grudgingly took it in to the hardware store, which had a new ChipKey machine that makes keys for $75 instead of the $200-300 the dealer charges.

        Turns out the Kia isn’t a chip-key. It’s just a mechanical key, no RFIDs, and integrating it with the radio frob is just to have a nice package that fits neatly in your pocket and annoy you if you want to go surfing (because the radio frob doesn’t like salt water) or keep a spare key somewhere. So a bunch of $2 metal keys later, I’ve now got spares, and the radio frob is still on my keyring for remote control use, without worrying about carrying it around if I’m going to be in some non-electronics-friendly environment.

  5. This is definitely not for anyone or any vehicle; the earlier cars used a simple mechanism like this to lock you out. Later model cars get a bit tricky and keep the code in different modules which all have to match. As an example, my wife’s VW Amarok recently had the instrument cluster replaced (don’t get me started on why); as a result both keys needed to be revalidated with the car.

    Warranty would not likely be an issue on a 17 year old car either.

    The best way to go about it would be to obtain an appropriate ECU from the wreckers make the modifications to that and then keep the original ECU in a safe place.

    1. That’s what many locksmiths do: clone an existing key instead of programming a new one to the ECU. It’s mainly a workaround to going to the stealership if you only have one key. Since the late ’90s the systems all require two working keys in order for the end-user to be able to program key #3 and higher.

      Depending on the make and model, there may be free software that works with many USB 2 to OBD 2 code scanners to program new keys if you only have one, or no keys. For some vehicles it can also ‘marry’ a replacement ECU to other modules so you don’t need to have the car hauled to a dealer.

      What’s very useful about this is some manufacturers are not requiring (or are not allowing!) their dealers to perform these services on older vehicles. For Ford if it’s over 10 years old you can forget having keys programmed or cut, even if they’re “dumb” keys for things like the tailgate and tonneau cover on a 2002 Sport Trac. Again, this is where the key cloning services come into play.

      For programmed keys vehicles typically have a limit of 4 or 5. For cloned keys there’s no limit, the system just thinks they’re all the same key.

      Now there’s a thing for a crime TV show. The prosecution has evidence the suspect used their car at a certain time due to the ECU recording the last key used. But the real murderer got the original key and had a locksmith clone it to use the vehicle and frame the owner for the murder.

  6. This is a wonderful video. Quick, clear and useful.

    One small correction. It looks like the key values are 8 nibbles not 8 bytes, so that’s 4 bytes which is 65,536 combinations rather than 15^8 = 2,562,890,625 combinations. (and 15^8, where did that come from?)

    This is just a small correction. I think the project is very well documented. Thanks for making the video and posting it.

    1. Two bytes give 65536 combinations. Eight nybbles = 32 bits = 2^32 combinations = 4,294,967,296. Or alternatively 16 possibilities per nybble, raised to the power eight (number of nybbles). Not sure why the video says 15^8 rather than 16^8; I’ve not watched it yet, maybe a typo or maybe each nybble doesn’t use a reserved value like 0x0 or 0xF.

  7. For a lot of Toyotas there is a complicated procedure you can do while in the car without any special equipment to “program” a new key. On my Highlander I have to do this convoluted process of opening/closing the door, turning and half turning the key; when it’s over the car will beep and the new key I bought off eBay works perfectly. You can usually find the process for your specific model by googling the Toyota Nation forums. I mean I looked like an idiot in the driveway closing my door repeatedly, but I saved $300. I don’t know if other manufacturers do a similar thing, or why they would bother to put it in there in the first place if they weren’t going to tell anyone.

    1. My Hyundai has a similar procedure of insanity, however it requires two already-programmed keys plus the new ‘blank’ key to be programmed into memory.
      I assume the car came new with two original keys, however I bought it used and it only came with one so I can’t add a new key to the system myself now :/
      Worse, I would need to buy two new keys (at least one from the dealer) to ensure I could perform the reprogramming procedure of insanity if I ever lost one in the future.

      But I was pleasantly surprised to find the procedure of insanity to program new keys fairly clearly documented in the user manual.

    2. Similar process here. Involves the brake pedal and some patience, or I just bring it to my dealer and pay 20 bucks for a new key and activation while they attempt to get me to purchase another vehicle; worth it!

      Cool hack though.

    3. Also, if someone is pulling an ECU and dumping hex, why aren’t they providing the hex dump so someone can figure out what the CANbus messages the official programming procedure uses are?

  8. Curtis makes 2 types of replacement keys: permanently serialized, like the factory keys, and programmable serials.

    The pre-serialized keys are $11, the programmable keys are $34.

    Any decent locksmith has the scan-tool required to program new keys into a car ECU. The going rate is usually about $90.

    The locksmith makes more money programming your car than selling you a cloned key, even though the cloned key is more convenient for you.

    1. You have been misled. I am a locksmith and I assure you I am more than “decent”, but I don’t touch automotive other than simple key duplications and the occasional on-board programming for well known clients. The cost of entry for an auto locksmith is prohibitive to the tune of tens of thousands of dollars, so those that do generally specialize in just automotive work. There is no one tool for all makes and models and some require manufacturer-specific tools that have to be purchased from the factory and registered to the locksmith. You are not paying for the key, you are paying for the EQUIPMENT they needed to make that key for you.

      It’s not worth it for me and there are enough of them out there trying to be a dollar cheaper than the next guy.

      I would love to see a diligent hacker reverse engineer the CAN bus communication between the programming tools and ECU and produce an OSHW version. There are one or two companies (off the top of my head) that hold a near monopoly on this market and one of them is token-based usage. Buy the $4,000 tool, but you still have to pre-purchase USE of the tool at $40 a pop. Read the EEPROM? Token. Remove lost key? Token. Program new key? Token.

      The Chinese have done it, obviously, and introduced fakes and clones into the market at a fraction of the cost and that don’t require tokens. But may God have mercy on your soul if the lockjock community catches wind that you’re running that equipment.

      1. donniedarko – see jadams comments. I live in [near] Jacksonville, FL. Not a HUGE city, but not the boonies either. I called every single locksmith in the area, and not a one of them would make me a key for less than $175. Since I had one working key, I offered to bring the vehicle to them, but of all the locksmiths in the area (about 20 I think) not a single one of them has an office that I could go to. Every last one of them is ‘mobile’ now and insisted on coming to me. So that accounts for part of the cost. And as jadams points out, he has to pay a $40 licensing fee every time he uses his very expensive equipment. There’s more of the cost. The dealership though, doesn’t have those costs and yet they also charge $175. Walmart sells duplicate keys for the bargain(?) price of $75, but their keys just clone the RFID number of your existing key, so no programming of the vehicle is necessary. ** SCAM **

        1. ” I live in [near] Jacksonville, FL. Not a HUGE city,”

          Huh? I heard somewhere that Jacksonville, Florida, was the largest (in terms of square miles) in the United States.
          B^)

          1. Largest in the continental US. I think Fairbanks, Alaska is supposedly bigger. And Jacksonville, being so physically large (747 sq mi) without being really populous (866K), means Jacksonville actually is kinda “the Boonies”. It’s the least dense of the major cities (1120 per sq mi). There is certainly no shortage of rednecks and trailer trash here. It takes about 2 hours to drive from end to end of city limits, mostly at highway speed, and you pass through large tracts of forest, still within city limits.
            The sad part is, there are no makerspaces or hacker groups in this area. A few have started, but all have failed.

    1. Plus, the complicated door, brake, gas pedal procedure hasn’t worked for programming new keys since 2006. You can still program the keyless entry remote using the door procedure but it does not register the RFID tag.
      2 spare keys, cable and a little time was still cheaper than paying the $200+ price tag on a single new key from the dealer.

      1. It worked on my 2007, but I can’t speak to later models than that. I agree with you on the mvci cable. I was under the impression that only worked if you had the techstream software though (don’t remember how much the subscription costs). While it is easy enough to get on torrents some people may not be comfortable pirating the program.

        1. You can find the software in the normal places with minimal effort. Plus I think there is a 48 hr Techstream subscription for ~$30. However this does not help you in the case where you lost the master key which is needed to add new keys. There is an immobilizer reset capability in Techstream, but it is protected with a challenge/response code which you need to get from Toyota after proving you are a locksmith. I ended up spending a week reverse engineering the software and making an Excel spreadsheet to calculate the response code.

          1. Hmm…. I don’t think I ran into that issue. Erased all logged keys, then logged the original as a master with no issues.

            I started by erasing everything as there were keys logged that I did not receive from the dealer. This was on a 2007 RAV4.

  9. My 32 Coupe doesn’t have a key. You just push a button. I’ve been hoping someone would steal it so I can buy a truck, but even with the windows left down, no one has stolen it in 17 years… P.S. No keys to lose :-)

  10. Luke said, under the Consumer Guarantees Act, a manufacturer must guarantee reasonable availability of spare parts. Toyota had breached that, he said.

    “I am satisfied that the price charged by Armstrongs was not a price whereby Toyota New Zealand could say the keys as spare parts are reasonably available.

    “The part is simply not reasonably available when what is being charged is more than 10 times its manufacturing cost and that cost is likely to grow to some 10 per cent to 20 per cent of the value of the vehicle within the reasonable lifetime of the vehicle.”

    http://www.stuff.co.nz/business/90293847/raging-businessman-takes-toyota-to-tribunal-over-525-key

  11. Where I am located we only have one Toyota dealer in the entire country; they wanted $400 for a set of two keys. We used this video and new keys from an online agent at $55 for 3 keys (two are remote unlock, one is valet, no button); the locksmith agents wanted $300. Most of our vehicles are JDM and over 4 years old at least, so they either are just out of the ‘easy open door’ reprogramming window or never saw it at all.

    1. Well, yes and no. My time is worth money, but there were other costs we saved; the main one is having to tow the car to the locksmith (we don’t have visiting locksmiths here). Also they could not do the work the same day; we already had the keys and just needed them coded. All round we did save money and learned a few things at the same time.

  12. I bought a used ’03 Ford which only came with one key. Cost me $175 at the dealership to get a second key. And I called every dealership and locksmith within a 150 mile radius. I was furious and determined this was not gonna happen again. On my Ford (and this is true from about ’98 onward) if you have 2 working keys (and the second is not just a clone of the first) then you can easily program additional keys yourself, up to 8. https://www.fordf150.net/howto/patskey.php I ordered 4 blank keys from that e-site for $6 apiece (Colored to match my vehicle!), had them cut at H.D. for $1 each, and programmed all of them. I can now lose up to 4 keys, and still have 2 left to program in more. Murphy’s law: Since I am now prepared, I haven’t lost a single one of them.
    Since most people only have 2 keys, once you lose your spare, the one remaining key is not enough. Be proactive and get and program additional keys while it is still easy and cheap!

  13. While a fun hack, check with a local locksmith. I was able to get a new chipped key for my Acura for $40 and that included cutting the key with the factory keying numbers instead of duplicating my very worn down key.

  14. I am a specialist Automotive Locksmith and would like to clear a few things up.
    The video is demonstrating an ECU reset on a Toyota, most likely an older USA spec vehicle. This is something that Locksmiths do when we have new master keys to code. UK/European vehicles use different parts to USA vehicles as due to US laws their vehicles use much simpler/older security.
    This does not work for newer cars, cars from the rest of the world, cars from other manufacturers.
    I regularly charge £500+ to code keys to newer Toyota vehicles, the above procedure doesn’t work for these, the dealer cannot program new keys either, they replace the ECU and immobiliser (which are separate) and code new keys to these.
    We take out the immobiliser, read the chip and write the new key data directly into the encrypted file on the immobiliser chip. The dealer charge £1,800+ to do the same.
    In order to become an Automotive Locksmith there are startup costs of £30,000 for “reasonable” coverage and a good Locksmith will have invested closer to double that amount with at least £5,000 every year on new equipment, software, licensing etc. We all run at least one 3-axis CNC key machine, to make keys when the old ones are not available, these are not cheap as you can imagine.
    This does mean the costs to make a new key seem high, and many people buy keys from eBay, copy leads from China, second hand remotes, all to try to save money. In the rare cases where this works then a saving has been made. We as businessmen have to recoup our costs and so we charge more for the cars that can’t be done with cheap keys, overall we make the same amount of money, and we can continue to offer a mobile, lower priced than the dealer, service.

    One thing that crops up a lot is “I already have the key, can you cut/program it?” My answer is always “get it cut/programmed by the person who sold it to you.” There are sellers whose only expense is buying £1 Chinese copy keys then reselling them from their bedroom for £5. Customers think that it costs £2 for a key to be cut and £10 for programming, a new key for >£20, and that I am robbing them with my key prices. It is not possible, but it’s hard for the public to see why.
    The Chinese keys are hard steel, poorly made, and contain no transponder chip.
    I would not risk my £100+ cutters on such keys and so use quality European keys that are brass or nickel silver, these cost more. I then have to supply a transponder chip, for Mazda these are £35 trade cost just for the chip. Programming usually requires a pin code, where these cannot be read from the vehicle they need to be purchased and cost up to £40 to obtain from the dealer.
    There are situations where the physical key costs £65 at trade price to me, security codes cost £40, secure delivery of the key costs £11, it is a 30 mile journey to the vehicle, I have to cut the key in my £10,000 machine and program with my £18,000 programmer. The dealer charges £400 for their service, I quote £200 to be told “that’s expensive, there is a key on eBay for £5, I’ll just buy that”

    1. I completely understand that you have to cover your expenses with a profit margin to keep your business running. Still, charging £200 or £500+ for a key is still robbery. It is not your fault; it’s robbery by proxy by overcharging you. £18,000 for a programmer? Really? And the licensing on top of that. What would you charge if a programmer cost £180 and all other prices were divided by 10 or so?

  15. The prices I charge are set by market forces; I would charge the same even if I got the parts and equipment for free.
    No one is forced to pay for anything, if you want £5 keys then drive a pre 1995 car.
    Anyone who feels aggrieved at paying “robbery” prices should take their custom to somewhere that the prices are to their liking. If it turns out that the price is the same everywhere then that is the price set by the free market.
    If you feel that £18,000 for a programmer that will earn 20 times that is a robbery then make your own and sell it at a lower price.

    Ultimately the market sets the prices.

    1. You’re kind of right, you fu$#ing crook. The dealership exploits customers for the most they can.

      They know the locksmiths will want to charge less and offer them equipment to this end, but are careful to keep most of the profits for themselves. The programmer can be sold for a good profit at $500, but they’re significantly more and use tokens/license fees to simply push the profits back.

      Here’s what you do. Purchase an RFID programmer for wallet sized cards, ~$50. Clone the transponder in your key to the card. Tape the card behind the dash near the cylinder and just use non-chipped keys. Works like a treat.

      Again…. F U Crooks.
