As my car currently has only 1 key, I thought I’d do a little bit of research into getting another one.
BMW quoted 2000rmb, which although understandable, is a little bit expensive. That doesn’t include the remote functionality in the current key either.
A check of Taobao shows that you can buy blanks for slightly less – in the 30rmb range.
Mine is a 3 button remote, rather than a 2 button remote.
Images of both below:
Yes, I realise that these are just keys, and don’t contain the remote stuff either, but as a spare, it’s all I really need.
There is a fly in this ointment though. All European cars post 94 are mandated to include anti-theft immobilizers, which in BMW’s case involves checking for a transponder, so a key won’t start the car.
BMW calls this system EWS – Electronic Watchdog System.
A datasheet aimed at BMW workshop staff on EWS is here – BMW EWS Overview and Worksheet
The infrastructure looks something like this:
I could buy a small board to bypass the EWS (about 130rmb), but I like the idea of having the anti-theft still working.
So, how does the EWS2 do the immobilization in my car?
A little bit of research shows that my current BMW (a 96 E36 import from Germany) uses BMW’s EWS2 for antitheft. This appears to be based on a Motorola chipset (XC424114CFN) for the immobilizer side, and it’s relatively easy to read out or reflash the existing data from the chip should I need to do so, e.g. if I lost all my keys and needed to start from scratch. There are 3rd party tools galore that go into that, e.g. CarProg, so not much point looking at that for me.
Let’s look at the transponder side.
The transponder in my current key is a Philips PCF7930.
This comes in a series – PCF7930, PCF7931, PCF7935 and PCF7936.
The main differences between the transponders are as follows:
PCF7930 – can read / write data.
PCF7931 – write once (one time programmable), read data.
PCF7935 – it has 2 areas of memory, general and shadow memory, and both are read / write.
PCF7936 – it adds a crypto mode to the 7935 functionality.
The PCF7936 is also referred to as a Hitag2.
This is also the transponder the current generation of BMWs is using, e.g. the E90/E92/E94s.
They’re quite simple devices really, a datasheet for them is here – PCF7930 / 31 / 35 Datasheet
They essentially have a few bytes of memory to work with.
32 bytes for control, and 80 bytes for user data.
Physically they’re about half the size of a fingernail and a few mm thick.
They look something like this –
A quick search on Taobao shows that a PCF793x sells for between 17-20rmb or so.
So, so far I can get the key for about 30 odd, and the transponder for about 20rmb or so.
I still need to be able to program the transponder though, so what’s available for that?
Another quick Google shows that there is a common Windows tool called Anahtar which works with quite a few programmers.
As you can see, it supports quite a few pieces of hardware. Anahtar does need some hardware to talk to the transponder though, so I also need a transponder programmer.
A search for a normal RFID programmer is pretty polluted with car remote programmer spam sites.
That said, the usual result for BMWs is the AK90 programmer. This is a bit on the expensive side – it’s around 1500rmb, and I really only need to do this once, so let’s look for other options.
Ideally we’re looking for a low frequency RFID programmer.
If possible, I’d like to have something that does other chips too, so something that can cope with the below may be handy at some point, if only so I can ~~steal peoples cars~~ play with it.
RWProg looks interesting, as it has a lot of support for other RFID chips – http://www.bicotech.com/?page=prod_rwprog&lg=en.
Unfortunately a search for that on Taobao shows no results. RFID readers on the other hand are dirt cheap, with the cheapest USB ones going for 35rmb or so.
The specs for the PCF793x series don’t actually say what frequencies it runs off unfortunately, so it’s a little hard to find an appropriate device quickly.
I do note that there appear to be a disproportionate amount of card writers advertised on Taobao which claim to do Mifare, which not co-incidentally is similar enough to what is being used on the metro here in China in most cities for travel cards. I guess that means there probably are lots of fake ones around…
If I check what’s usually used for programming the PCF793x series, Philips (NXP) pushes their PCF7991. While Philips doesn’t write what frequency that runs on either, this Chinese site says 125kHz: http://www.docin.com/p-74627587.html
So, it’s a 125kHz programmer.
Unfortunately those are 500 bucks on Taobao, so I keep looking.
…and Bingo, I can find a BMW key programmer which will do it for 350rmb.
350 for the transponder reader/writer, 20 odd for the transponder, and 30 odd for a key.
400rmb total, and new copies of the keys will cost about 50rmb each vs the 2000rmb BMW wants.
It’s a win!
Next up, what frequency does the remote use, so I can get a replacement for that…
My remote frequency is 433.92MHz, as I have a Europe car.
I’ll guess it would probably be 315MHz if it was a US, CN or SA built car.
As I’ve had some negative comments about this all being possible, I’ve added some photos of the tool I bought to successfully clone my keys.
Installing hardware drivers
Device is a standard FTDI USB serial chip based product. It needs 2 drivers installed: the first for the serial chip, then a second for the device driven by the USB to serial chip.