ICP Permit
Webmail
Newsletters
SupportAs my car currently has only 1 key, I thought I’d do a little bit of research into getting another one.
BMW quoted 2000rmb, which although understandable, is a little bit expensive. That doesn’t include the remote functionality in the current key either.
A check of taobao shows that you can buy blanks for slightly less – in the 30rmb range.
Mine is a 3 button remote, rather than a 2 button remote.
Images of both below:
Yes, I realise that these are just keys, and don’t contain the remote stuff either, but as a spare, its all I really need.
There is a fly in this ointment though. All European cars post 94 are mandated to include anti-theft immobilizers, which in BMW’s case involves checking for a transponder, so a key won’t start the car.
BMW calls this system EWS – Electronic Watchdog System.
A datasheet aimed at BMW workshop staff on EWS is here BMW EWS Overview and Worksheet
The infrastructure looks something like this:
I could buy a small board to bypass the EWS (about 130rmb), but I like the idea of having the anti-theft still working.
So, how does the EWS2 do the immobilization in my car?
A little bit of research shows that my current BMW (a 96 E36 import from German) uses BMW’s EWS2 for antitheft. This appears to be based on a motorola chipset ( XC424114CFN ) for the immobilizer side, and its relatively easy to read out or reflash the existing data from the chip if necessary should I need to do so.
eg if I lost all my keys, and needed to start from scratch. There are 3rd party tools galore that go into that eg CarProg, so not much point looking at that for me.
Lets look at the transponder side.
The transponder in my current key is a Philips PCF7930
This comes in a series – PCF7930, PCF7931, and PCF7935, and PCF7936
The main differences between the transponders are as follows:
PCF7930 – can read / write data.
PCF7931 – write once (one time programmable), read data.
PCF7935 – it has 2 area’s of memory general, and shadow memory, and both are read / write.
PCF7936 – it adds a crypto mode to the 7935 functionality.
The PCF7936 is also referred to as a Hitag2.
This is also the transponder current generation of BMW’s are using eg the E90/E92/E94′s
They’re quite simple devices really, a datasheet for them is here – PCF7930 / 31 / 35 Datasheet
They essentially have a few bytes of memory to work with.
32 bytes for control, and 80 bytes for user data.
Physically they’re about half the size of a fingernail and a few mm thick.
They look something like this –
A quick search on taobao shows that a PCF793x sells for between 17-20rmb or so.
So, so far I can get the key for about 30 odd, and the transponder for about 20rmb or so.
I still need to be able to program the transponder though, so whats available for that?
Another quick google shows that there is a common windows tool called anahtar which works with quite a few programmers.
As you can see, it supports quite a few pieces of hardware. Anahtar does need some hardware to talk to the transponder though, so I also need a transponder programmer.
A search for a normal RFID programmer is pretty polluted with car remote programmer spam sites.
That said, the usual result for BMW’s is the AK90 programmer. This is a bit on the expensive side – its around 1500rmb, and I really only need to do this once, so lets look for other options.
Ideally we’re looking for a low frequency rfid programmer.
If possible, I’d like to have something that does other chips too, so something that can cope with the below may be handy at some point, if only so I can steal peoples cars play with it.
RWProg looks interesting, as it has a lot of support for other rfid chips – http://www.bicotech.com/?page=prod_rwprog&lg=en.
Unfortunately a search for that on Taobao shows no results. RFID reader’s on the other hand are dirt cheap, with the cheapest usb ones going for 35rmb or so.
The specs for the PCF793x series don’t actually say what frequencies it runs off unfortunately, so its a little hard to find an appropriate device quickly.
I do note that there appear to be a disproportionate amount of card writers advertised on Taobao which claim to do Mifare, which not co-incidentally is similar enough to what is being used on the metro here in China in most cities for travel cards. I guess that means there probably are lots of fake ones around…
If I check whats usually used for programming the PCF793x series, Philips (NXP) pushes their PCF7991, while Philips doesn’t write what frequency that runs on either, this chinese site says 125khz http://www.docin.com/p-74627587.html
So, its a 125khz programmer.
Unfortunately those are 500bucks on tabao, so I keep looking.
…and Bingo, I can find a BMW key programmer which will do it for 350rmb.
Sounds good.
350 for the transponder reader/writer, 20 odd for the transponder, and 30 odd for a key.
400RMB total, and new copies of the keys will cost about 50rmb each vs the 2000rmb bmw wants.
Its a win!
Next up, what frequency does the remote use, so I can get a replacement for that…
My remote frequency is 433.92Mhz, as I have a Europe car.
I’ll guess it would probably be 315MHz if it was a US, CN or SA built car.
As I’ve had some negative comments about this all being possible, added some photos of the tool I bought to successfully clone my keys.
The box full of goodies.
Box contents
Key Cloning tool
Key Cloning tool side view
Key Cloning tool MCU adaptor side view
Box contents
Cloned keys (original on far left)
Software Side:
Installing hardware drivers
Device is a standard FTDI usb serial chip based product, needs 2 drivers installed, the first for the serial chip, then a second for the device driven by the usb to serial chip.
Installing software
Software running
Do you like this article? Share It!
40 Comments to “BMW Keys and Transponders E36 E38 E46 etc (EWS2)”
Post comment
Archives
- May 2012
- April 2012
- March 2012
- December 2011
- November 2011
- October 2011
- September 2011
- July 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
Categories
- Apple
- Arcade Machines
- Badges
- BMW
- China Related
- Cool Hunting
- Exploits
- Firmware
- Food
- General Talk
- government
- IP Cam
- iPhone
- Lasers
- legislation
- MODx
- MySQL
- requirements
- Reviews
- Service Issues
- Tao Bao
- Technical Mumbo Jumbo
- Things that will get me censored
- Travel
- Uncategorized
- Useful Info
Most Popular Posts
- Samsung N310 (Samsung Go) Hackintosh Installation on Snow Leopard (11712)
- IPCam Hacking - pt#2 (9305)
- eFrontWPI - Wordpress integration Plugin for eFront (7577)
- BMW Keys and Transponders E36 E38 E46 etc (EWS2) (7131)
- IP Cam Hacking – pt#5 (6178)
Tags
Recent Comments
-
HenryX: If you have any problems about motocycle , I can answer you. I am a local Shanghaier with a 5 years’...
-
Johnny E: Hi Lawrence.. i have a 1999 Bmw E46 320i, i had to change the engine because it was broken, and now i...
-
Lawrence Sheed: Zoneminder is a video monitoring capture system. I have an IP Camera pointed at the entrance, and...
-
Shaun Wallace: That is pretty cool, and cheap too! I may order one thanks to your recommendation. What is zone...
-
Hector: My country doesn’t require a license for MOPEDS & no highway sticker. Liability and the cost of...
Recent Trackbacks
- eFront Blog: 5 things you (perhaps) don’t know about eFront
- SISTEMAS O.R.P: Recuperar una cámara Zaapa CIP-RW después de un fallo de actualización
- Blog - DO Bots: Brookstone Rover AC13
- How can I stop Pop3 Brute Force attacks: need to create a regex, and add it to fail2ban Here is a guide....
- shanghailoz is our latest member! -:
PHOTOSTREAM
Magnificent investigation! Would be interesting to know if the remote worked correctly. I had problems with my transponder so i am looking to disable the EWS so i can get rid of that annoyance.
I’ll write a followup on this with what i bought / used (bought the 7935 chip as thats backwards compatible and the older ones aren’t produced anymore)
any update on your progress? i might do the same thing on my e36. the transponder on my 3 button key doesnt seem to work anymore. your write up could help a lot on e36 users if it is a success..
I’ll be following up with the remote also
Learning remote for 130rmb (for decent one), blank shell, and transponder, and I have new working remote (in theory)…
Haven’t done the remote part yet, thats next, but transponder works.
congratulations lawrence.. i really need your help on this. could you please tell me which programmer you are using. with that programmer, is it possible to copy the codes on my existing master key and create a copy from it. im planning for a spare key but in low budget.. thanks a lot.
congratulations lawrence. i really need your help on this. please tell me which programmer are you using. can i copy the codes on my existing master key and send those codes to a new transponder? or copy the codes to the blank keys which they sell on ebay? the blank key which im talking about is the small one without the remote. also, i am having difficulty on browsing at taobao site since it is on chinese language. i highly appreciate your response.. thanks..
Hi Bryant, will probably make a pack of everything and instructions, and you can order from me
as soon as possible please.. thanks
Nice work, are you an engineer of some kind?
Thanks for the info..
I’ve got the same problem, only one key – but all 10 keys have been issued so I can get no more from a dealer either!
Been looking how to get more keys coded up to the EWS – without spending too much…
One thing though – the way the keys work you have to read the EWS memory to get the fixed and current rolling value, or I guess if you’re writing a new key to read the fixed part and FF:FF in the rolling part for a new key?
If you simple copy your key then it will work, but the old one won’t as the rolling value will be out of sync.
Did I miss where you described that? You’re right that there are a number of products which claim to be able to read the EWS eeproom in the 68HC11 – including on the 68HC11s with protected EEPROM (which is zeroed if you try to read it)
I have a hardware device to read / reprogram the EWS unit.
I’ll take photos at some point as people do keep asking.
Short story – it worked, and I can use my new keys and it programmed the transponder fine.
Cost was about 600rmb total for 3 keys – mostly as I needed to buy a programmer for 400odd, and then spent 30 on keys and 15 on transponders, then spend another 100 at the keycut place to cut them (which was expensive, but they all work, so I’m happy).
I can unlock and start the car with them. Haven’t done the remote side yet, but will work on that at some point.
Saved me tons of money vs BMW though, as they wanted 2000rmb for a plain key w/out remote. So, i’m happy hehe
Hi there
Did you need to pull out the EWS ECU to do this, or could you do it all from the original key?
Thanks
Hi Lawrence,
I bought a new key from BMW 4 yrs ago and recently it couldn’t start my E36. Now I have 2 “dead” keys. Can I “resurrect” them by programming and inserting new transponders into them? Or do I have to buy a new transponder and a new blank key?Kindly give me the link to where I can buy a genuine transponder. I would be willing to get the programming details from you.
Kind regards
Dear Lawrence, It is great someone is doing research into the key replacement for my BMW 318ti, 1998 Series 3, I have only 1 key supplied with my second hand BMW purchased in Australia and wish to purchase a spare key at an affordable price.
Although the remote is not important the starting is, I purchased a new key yesterday without remote or starting capability from a large key specialist, the key set me back $42.50au only opens car doors but naturally wont start the car, they wanted $350au extra to start the car, as I thought this was a rip off I was eager to contact you to see where you are up to at this stage.
Will you be at a stage where you will be able to copy my key in the future.
All the best from Charles
Thanks Lawrence. Do you know the difference between the PCF7931XP and 7931AS? I was looking for the chip on taobao but I couldn’t find the XP chip and they are all 7931AS 7935AS…
Hi Luis,
The XP has been discontinued, and the AS is the replacement version. Should be fine to buy.
Hi Lawrence,
I’m very interrested in this thread, as i recently bought my 1997 Touring E36. Naturally – only one key with transponder left… I cannot purchase any more key from dealer – i tried, but the key i’ve ordered was not working (was able to open the doors, but could not start the car). In my country the transponder chip cost is about 10 USD, but any key-service i’ve contacted want not less than 200USD for key programming (without cutting the key itself). Maybe you could please write a solution step by step, how to programm the transponder, using which hardware and software? That would help a lot, i assume not only me…
Thanks in advance and hugs from Poland!
Buying the plastic valet from the dealer would have given you a preprogrammed chip that you could have put into a remote shell. Then buying a used remote on ebay you could have programmed that in by hand. The only problem is getting someone to cut the key for you.
The key information can not be passed from rfid to rfid. The EWS uses a rolling code table to change the info everytime the car is started. Writing info from one to the other would mean that the next key to start the car would receive the next rolling code. Making the ither key useless. The only way to create the spare key is to write it into the ews module or take existing key data from it and put that into the new key. You need another tool for that and rework skills to remove the processor on an EWS2 module. So either go through all this trouble or just fork over the money to BMW or an advanced autolocksmith. The cost of damaging the module usually runs about $2500 USD to replace vs $225 US for a preprogrammed key from the dealer. Its a no-brainer.
I beg to disagree.
Dealer wanted 2000rmb for a key. I made 3 of my own for less than 500rmb. They work.
Getting keys cut wasn’t hard, getting blanks wasn’t hard, getting the rfid transponders wasn’t hard. Nor was sourcing the programming unit.
All the keys work too. So not sure why you’re being so negative. I saved myself a substantial amount with a few hours of research, and some online purchases. Sure, time is money, but even at my usual hourly rates I saved money.
I beg to differ because there is no way you only used this equipment in your post to do so. You have nothing to read the data file from the EWS module nor did you mention any eeprom reader that would unlock the processor nor any reworking tools to remove it. Feel free to prove me wrong but seeing that I’ve taught several dozen classes on the subject I doubt you can. I’m not being negative but hate to think people misinform others for no reason. I have to follow up and repair many vehicles where people have read something online that was completely false.
Another point would be that i personally know the creator of the Anhatar software and hardware. What you have downloaded is pirated software and using it makes you a thief. The time an effort put into developing it was extensive and not without cost.
I’ll beg to disagree with you. This is my blog, not yours.
I haven’t used the Anhatar software, I saw it listed on some sites and it looks like a common tool. My programmer came with its own software.
I’ll take some photos now to show, but really. Calling me a liar, and being flat out negative tsk tsk.
I share what I do for the most part. Its asshats like you that want to hoard useless information about subjects like this that are the problem, not me.
Are you retarded? Hoarding useless information? What kind of moron lies about shit like this? Take a video step by step and show us the pictures of all the stuff you used and prove me wrong. Or are you hoarding useless information? Blogs were invented by tools like you for tools like you.
I claim that I have working spare keys that I programmed myself.
My 3 series 96 era German E36 OBDI BMW thinks so also.
As you are obviously so correct, and I am so so wrong, photos added as per request.
Your move.
Hello
My son has a 1995 BMW 318i convertible, he bought it a week ago..
the car came with just one key (one center button to turn on a light), we became aware that we can’t lock or unlock the car from the outside with the key, only i could lock it from the inside.
he took the car to the dealer and find out that there is a 10 key limmit a car can have made and this car has already reach the 10 key limit. So if we want new key, the dealer needs to replace many things (can’t remember already) = very expensive.
i would like to know how i can solve the problem of locking and unlocking the car and also having a 2nd key as a backup.
the car is E36 and the last 8 caracters of the VIN are SED17855
WE DON’T KNOW IF THIS CAN CAN USE A KEYLESS ENTRY EITHER.
if you could shine some light at this matter, will be most aprreciated.
thank you all
You can reset the ecu limit (and also reprogram new keys) using BMW hardware or 3rd party hardware (like above).
When you have it ready to sell contact me. Thanks
Interesting blog article – thanks. I don’t own any BMW products, but my vehicles (Dodge and Ford) also use transponders. I will have to research if there are similar tools available to me.
hey i had a key programmed for my bmw e36 1997 model after losing my original key the car drove for about a month now my car dont want to start.it just crank i get fuel and spark but it just dont want to start. would like to know is it possible that the replica key would stop corresponding with the ews and is it possible for the key not to work any more, any answer on this would be appreciated
You may need to bypass the EWS system.
Around the keyhole there is a metal receiver – that hooks into the EWS to read the transponder.
It can be bypassed. Google for that info, or bug me to find it. Or you can buy a chip off ebay to bypass also.
now u can get a special tool to program bmw keys without removing eeproms from immobilizer module.the machine will program the key automatically,but the price is 5500usd.u have to b a locksmith so ur investment turns into profit.believe this tool is a bomb within minutes u program the bmw keys,so easy ,but the price is a killer.
Hey Jason i was wondering which tool you were talking about that can duplicate the keys without the removal of the EEPROMs from the immobilizer?
Hi Lawrence,
Nice job, you seem to be the only person that actually gives you a shopping list for this operation.
I was wondering though, do you have to remove the EWS or ECU to program the keys or does it just copy the information it needs from the original key?
Thanks,
Calvin.
Short answer – it depends.
The equipment I used, yes, I needed to remove the EWS (the yellowish box under the glove compartment), and connect up the programmer to read the chip.
This depends on the equipment used in the car – different area’s used different stuff depending on year/region/model.
Newer models however can be replicated without doing so (as Jason stated below).
is there a way to just bypass the anti theft???… my 98 328i cranks but has no spark or fuel and gives me a cofe for the key…..
Do you sell a device or software that could bypass the code or deactivate code on my BMW X5, 2005 diesel. It cranks but keeps cutting off fuel supply. It’s asking for code but I bought it second hand in Nigeria but it’s an Europe model and there is no BMW dealer in Nigeria that can help.
Thanks Lawrence for a very informative article which was a great help for my own research on this subject. Here in Australia the cost of an e46 key from the dealer was some $600. I purchased a blank valet key ($14) and remote fob key ($59) from ebay. These both had unprogrammed PCF7935 chips in them. Add the AK90 programmer ($150 from ebay) and cost to cut both keys ($40 each) and I will have two new keys for half the cost of the one key from the dealer.
My son has only the one key for his recently purchased e46 325ci. When I queried the EWS via diagnostics it seems that the two previous owners between them have lost some 5 keys as only 4 ‘fresh’ keys remain.
When programming the new keys, I’d like to err on the side of caution and only read the data from the EWS eeprom to create the new keys (ie, not write back to disable lost keys etc ). I believe that using this technique I can program the new keys with the data from the next two new key slots. Since so many keys have already been issued I would like though to clone keys for two of the lost ones. My questions then are if I take this approach;
1. Using the AK90 can I just read from the EEPROM and not write anything back?
2. Will the cloned key work, ie have the correct rolling code?
3. Assuming the above ok, will this mean that the lost keys become useless (for starting the vehicle) once the cloned keys are used (ie, recieve a new rolling code).
cheers,
Ron
I bought the AK90 programmer and tried to read data directly from my EWSII chip without success, even though videos on Yutube indicate that it reads directly. I removed the chip from the board and still the programmer couldn’t read. Now I don’t believe in all the crap about key programming.
As a follow up to my previous post I had the new keys cut but hung off doing the coding with the AK90. What I was concerned about was somehow trashing the EWS and having a non starting vehicle (my son would have been displeased). My plan was to then leave it till a time when I really needed to do it.
The other day looking at the AK90 unit still sitting in my study, I decided to seek out a used EWS unit so I could test the programmer. Via ebay picked up the exact same EWSIII for some $30 and connected this to the AK90. One side of the chip had some of the sealing laquer on it so I carefully scraped it off all the legs. At first attempt the AK90 would not read and I then realised the socket needed to be pushed more firmly down so it locked on the chip.
All good from there. I could read data from the EWS. I changed the mileage and then wrote back to the EWS. Confirmed that the new value was written by another read. I had previously verified that the AK90 could read the key so I’m all set to go now to code the keys for real.
Re Ken’s problem possibly his AK90 was a dud (after all these are chinese knock offs). I purchased mine from ebay seller ob2diag and see he is now selling them even cheaper ($135 USD).
cheers,
Ron
Well done.
So much for the negative comments saying this isn’t possible, even though I did it, and you have too…
Hi Lawrence.. i have a 1999 Bmw E46 320i, i had to change the engine because it was broken, and now i have replaced a used engine from a 2000 E46 325i, with all the harness and ecu, but the engine wouldent start with ecu from the used 325, so now i am driving with a 320 ecu thats original for the car, is there anything i can do to take away the EWS2 coding… so i can use the car whit the 325 ecu, Johnny