Ok, so I’m talking about the passive transponder in a key, not the active transponders that can be “walkie-talkied” here. I believe they are 125 kHz, not 433 kHz like in the active transponders.
So we have a 2015 Jeep Wrangler, like zero features or security, but one thing we have noticed is our spare key will start the car for about 2 sec, then turn off; the other key starts and runs no problem. So I’m assuming this has to be a key without (or without being programmed) a transponder.
Can these transponders be read by the Proxmark? Has anyone cloned one of these? (They clone them at Home Depot, right? So it can’t be that hard).
The reason I ask is I was looking at used cars and one is an early 2k Mercedes and someone lost the keys for it. I was wondering if brute forcing the transponder data would be possible, estimated time, etc.
Try an LF Search (at a guess it is a HiTag, but could equally be something else, but that is where I would start)
Was going to, but found an easier option (will be below)
I can’t answer that for you, but when you have the correct key loading tools, it is very simple, so if they have one, then no, it’s not difficult
Your other option would be to go to a “Jeep” dealership, they will be able to do it for you, although it will likely cost a bit more but
I am not familiar with what Mercedes is using, but if it is HiTag there has been some new work done “recently” with HiTag, and I’m pretty sure there are some specific PM3 sniff commands
??? lf hitag sniff list…or something along those lines
Cars tend to use specific car tags that have shit 40-bit challenge-response “security” built in… NXP makes some, as do Texas Instruments… but while this is easily cracked, you need a working tag to cap a few transactions to crack it.
The other issue is that the T5577 doesn’t have a way to emulate this behavior either… so cracking can be useful to emulate with active electronics, but I don’t know of any passive transponders that can do this.
You might be better off taking it to a dealer to get a replacement key added to the ECU
I’m an automotive locksmith and have just started tinkering with the Proxmark3.
Most Mercedes Benz keys actually use IR, not RFID. Earlier models use a Rolling ID33 Transponder, which even my expensive equipment can’t clone. We need to read the data directly from the Immobiliser Unit and generate a transponder using that data - so way more complex than what you’re probably thinking.
There are many cheap cloners available, but the Xhorse Key Tool Mini is a good option and cost-effective for standard transponders.
For example, a Jeep Wrangler from 2007-2018 uses a HITAG 2 Philips NXP PCF7936 Transponder, which has 6 bytes of data as an encryption key, a 4-byte Transponder ID and other configuration pages.
It needs to read the transponder, then sniff a response from the antenna coil, where it will then decrypt online to display the secret/encryption key.
The most popular transponder types for car keys are HITAG 2, HITAG 3, Megamos ID48, Texas Instruments DST40 and DST80, but there are many more.