Something I’d not thought of before, but are car transponder keys (not push to start, but the keys you still insert and turn with a transponder) cloneable in the same way we do with access cards, ie with a Proxmark? And if so, are “writeable” keys available?
I can’t seem to find much useful information on this, as they seem to mostly offer programming them to the car itself as a service, and I don’t have my Proxmark with me to test offhand.
AFAIK the Dodge Caravan 2008 uses a so called “Philips 46” transponder chip. They are ID46 class and can probably be ‘copied’ with a cn900 mini or equivalent.
Please take this with a grain of salt and do your own research, I could be completely wrong here
I know very little about these particular systems, I just know that SOME types of cards aren’t cloneable and some are, but then the second part, so I just needed some basic ideas if it would work or not, ya know?
Thank you @anon7067117! And yes, definitely, I’m not rushing out to buy a new key just yet, but this is for a family member who has bad luck with such things, and as I sat here at dinner tonight I figured it would be a nice idea to give it a go.
Plus, making the thread will also kill the stone of reminding me about it, lol.
I just updated my first post, to include this…
It will give you an idea of what you may be getting yourself in for
Some testing you will need to do is, checking whether or not the chip needs to be “always present” or just on starting.
This you can do by disassembling your / their key and removing the transponder, Present it on startup and remove once started, ensure the car still runs.
If you go down the implant path, you may need to move the transponder antenna to a more ergonomic location ( Under the steering column??? ) remember you will be limited in the length of your cabling.
But First, if you can confirm what @anon7067117 has found for you, that will be a good start.
Probably uses the NXP PCF7936 imobilizer transponder:
Link to datasheet: Here
or PCF7936AS__3851__C,1.pdf (165.9 KB)
I think it includes a lot of useful info that could help you in your quest with the Proxmark.
The CN900 mini I know from a car locksmith. It’s more of a “dumbed down” solution for less technical folks (so its a specialized device with its own pricetag - about 170$ - does pretty much everythibg for you, including cracking the encryption if compatible and applicable). IDK if it works for your purpose.
Also consider that immobilizer transponders are usually either in in a wedge format (bout 3mm thick, potted in reisin in a plastic shell), or in a something similar to an “x series” that is intented to be slotted into a glass mould (DO NOT IMPLANT THIS, NOT BIOSAFE, also pretty large).
Edit: I realize now that you probably don’t intend to implant this. but still, useful.
In this case, just interested in trying to find a cheaper way to have replacement keys available in the house, fortunately, especially since the car requires the key to be physically turned in a cylinder (even if it’s one of those “fob keys”). Although it would be really nice to have the ability to clone it to an implant, lol.
And yes, I’m definitely going to do some reading on what @anon7067117 said, I’m hoping to do a scan next weekend when I’m back here. If it requires a specific device to copy these keys, then there’s not much point for me, and similarly, it would have to be available in a writeable format in the same form factor for me to consider it a useful idea. Otherwise I might as well just let them go to a regular locksmith that already has the tool and probably get them two keys for the price of one unit (even if it could be useful later).
Im that case my advice probably won’t help you a ton since you would still need a locksmith to cut the physical key (unless you have access to the appropriate key-cutting machinery of course).
It doesn’t have a physical key blade, it’s just a fob, but the fob still plugs into the socket and turns it, but all plastic body. But I would have an emergency physical key cut so it can be accessed without the battery. But that’s not for starting.
Interesting! I hope this is right:
I found a site that sells blank fobs (no guarantee of corectness of course ) here. They also have some interesting instructions for programming it if you already have 2 working, programmed keys.
Lots of places say stuff like that, but I dunno, I’ve never had luck in the past trying similar things. Not that I’d be opposed to it, either. And yes, fortunately, I do have the two keys available!
Well, I don’t know how much a replacement from a locksmith would cost you, but if I were you, I’d find a reputable vendor and risk the however many dollarydoos it would take for a blank fob (prices seem to vary a lot if you take the ones with less buttons - probably quite a bit less then going to a locksmith - could be a good learning experince as well). Worst case, you could always return it and rethink your strategy. Just my 2 cents.
True enough. If it were anything more than some cheap emergency spares for people who tend to wander into the ocean with their keyfob in their pocket while 2 hours from home, or misplace everything then blame it on the “freaks” in the house (ie, the goblins that spirit away everything important that gets lost), I’d definitely go locksmith or dealership. Especially because some of the cheapies tend to have problems.
Eh, it’s probably exactly the same manifacturer that the locksmith uses (they usually use aftermarket parts - which are often all made by the same factory - sometimes these ‘aftermarket’ parts you see floating around are actually OEM but B-stock or with poor QC that ‘fell of a truck’). If you want ‘real reliability’, you have to go with the dealership, and that usually costs a pretty penny.
Well, after having to wait an extra week because I’m an idiot who can’t even walk down stairs right, I finally did it. Besides a sprained ankle, I’m fine.
I don’t know how much it will help as to clone the key would only clone it for starting, not programming it as a remote, but rather than leaving off unfinished, I thought I’d post back to let you know what I found in case anyone else stumbles on the thread.
Anyway, it reads back as a Hitag with an lf search, and so pushing it for a bit more information, I get this:
[usb] pm3 → lf hitag info
[=] — Tag Information ---------------------------
[=] -------------------------------------------------------------
[+] UID: 65877064
[+] TYPE: PCF 7941
[=] -------------------------------------------------------------
I’m guessing that with some kind of dummy plug to turn the barrel, one could use an xHT for an implantable key if they really wanted. As long as the keys are writeable chips, too, I think it’d be easy enough to clone it over.
Well, as mentioned in the datasheet above, it is a hitag
the problem is that it uses a challenge-response mechanism, so I personaly don’t know how easy it would be to clone using a Proxmark
Kind of reminds me of the time I “hacked” that system:
The full story...
I bought a 2001 Ford Focus for my son, only came with one key (a chipped key).
Knowing my son would probably lose the key, I thought it would be a good idea to get him (and myself) a spare. Dealership wanted a couple hundred to program and lock smiths weren’t any cheaper. I decided to pull the chip out and epoxy it in a location (on the antenna inside steering column) where it could be read full time. By doing this no other chipped key could start the car because apparently (on that particular model) if it reads more than one chip in the proximity the security module won’t let it start. The work around was that any new keys cut for the car would also need their chip removed before they would work. Not just anyone would have access to this knowledge so it was actually just as secure. (Not that anyone would want that old clunker)
lol, yes, yes, you did share that, but you didn’t count on my hilariously short memory!
Actually, the problem is more that I simply had my mind so set on bringing the Proxmark and running the scan, and got excited to have another successful read, I got ahead of myself and plum forgot about the datasheet you dug up for me!
Don’t hate me because I have a goldfish brain, hate me because I’m beautiful!
Anyway, that’s a good point, and something beyond my meager knowledge. You’re probably right, because I always imagined that there had to be something there to do with some kind of method for the key and car to know that it hadn’t just been duplicated.
@ItaBeAight, I’d heard of people doing that back in the day with some transponder based cars, and it’s a pretty good idea actually. Nice work!
I still have the spare ones that I removed in with my test cards.
I have done that also in the past, I found another option at the time, but didn’t want to wait the 6 weeks to arrive ( Aliexpress ) , this option was used “recently” by @darthdomo
