Browsing all articles from February, 2011


As my car currently has only one key, I thought I’d do a little research into getting another one.
BMW quoted 2000 RMB which, although understandable, is a bit expensive. That doesn’t include the remote functionality of the current key either.

A check of Taobao shows that you can buy blanks for considerably less, in the 30 RMB range.
Mine is a 3-button remote rather than a 2-button remote.

Images of both below:

Yes, I realise that these are just keys and don’t contain the remote electronics either, but as a spare that’s all I really need.

There is a fly in this ointment though. European cars from the mid-1990s onward are required to have an anti-theft immobiliser, which in BMW’s case means the car checks for a transponder in the key, so a plain cut key won’t start the car.
BMW calls this system EWS, for Elektronische Wegfahrsperre (German for electronic immobiliser).
A datasheet aimed at BMW workshop staff on EWS is here: BMW EWS Overview and Worksheet

The infrastructure looks something like this:

I could buy a small board that bypasses the EWS entirely (about 130 RMB), but I like the idea of keeping the anti-theft working.

So, how does the EWS2 do the immobilisation in my car?

A little research shows that my current BMW (a 1996 E36 imported from Germany) uses BMW’s EWS2 for anti-theft. The immobiliser side appears to be based on a Motorola chip (XC424114CFN), and it’s relatively easy to read out or reflash the existing data from that chip should I need to,
e.g. if I lost all my keys and needed to start from scratch. There are third-party tools galore for that (e.g. CarProg), so not much point looking at it further here.

Let’s look at the transponder side.
The transponder in my current key is a Philips PCF7930.

This comes in a series: PCF7930, PCF7931, PCF7935 and PCF7936.

The main differences between the transponders are as follows:

PCF7930 – read/write data.
PCF7931 – write once (one-time programmable), read data.
PCF7935 – two areas of memory, general and shadow, both read/write.
PCF7936 – adds a crypto mode to the PCF7935 functionality.

The PCF7936 is also referred to as Hitag2.
This is also the transponder the current generation of BMWs use, e.g. the E90/E92/E93.

They’re quite simple devices really; a datasheet for them is here – PCF7930 / 31 / 35 Datasheet

They essentially have a few bytes of memory to work with:
32 bytes of control data and 80 bytes of user data.
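Since the whole point of the exercise is that a transponder with readable memory can be copied block by block onto a blank, here is a small model of that clone-and-verify workflow. This is an added example, not code from the post and not the Anahtar/AK90 software or the 125 kHz air protocol. The 32-byte control / 80-byte user split is taken from the post; the 8-byte block size, the block-level write-once behaviour modelled for the PCF7931 (from the post’s description only) and the sample contents are assumptions of the model.

```python
"""Model of cloning a PCF793x-style transponder by reading every block of the
original, writing it to a blank and verifying the read-back.

Added example: not the post's code, not the Anahtar/AK90 tool and not the real
125 kHz protocol.  Control/user sizes come from the post; the block size and
the one-shot behaviour of the PCF7931 are assumptions for this model."""
from __future__ import annotations
from dataclasses import dataclass, field

CONTROL_BYTES = 32          # from the post
USER_BYTES = 80             # from the post
BLOCK = 8                   # assumed block size for this model
TOTAL = CONTROL_BYTES + USER_BYTES
NBLOCKS = TOTAL // BLOCK


@dataclass
class Transponder:
    """In-memory stand-in for one transponder's EEPROM."""
    kind: str                                   # "PCF7930", "PCF7931", "PCF7935"
    mem: bytearray = field(default_factory=lambda: bytearray(TOTAL))
    written: set = field(default_factory=set)   # blocks programmed so far

    def read_block(self, n: int) -> bytes:
        if not 0 <= n < NBLOCKS:
            raise IndexError(f"block {n} out of range")
        return bytes(self.mem[n * BLOCK:(n + 1) * BLOCK])

    def write_block(self, n: int, data: bytes) -> None:
        if not 0 <= n < NBLOCKS:
            raise IndexError(f"block {n} out of range")
        if len(data) != BLOCK:
            raise ValueError(f"block write must be {BLOCK} bytes")
        # Post: the PCF7931 is one-time programmable, so (in this model)
        # a block that has already been written cannot be written again.
        if self.kind == "PCF7931" and n in self.written:
            raise PermissionError(f"{self.kind}: block {n} already programmed (OTP)")
        self.mem[n * BLOCK:(n + 1) * BLOCK] = data
        self.written.add(n)


def dump(tag: Transponder) -> bytes:
    """Read every block: what the programmer does with the original key."""
    return b"".join(tag.read_block(n) for n in range(NBLOCKS))


def split_areas(image: bytes) -> tuple[bytes, bytes]:
    """Split a full dump into the control area and the user-data area."""
    if len(image) != TOTAL:
        raise ValueError(f"dump must be {TOTAL} bytes, got {len(image)}")
    return image[:CONTROL_BYTES], image[CONTROL_BYTES:]


def clone(src: Transponder, blank: Transponder) -> list[int]:
    """Copy src onto blank block by block, then read back and compare.
    Returns the blocks that failed to verify (empty list on success)."""
    image = dump(src)
    for n in range(NBLOCKS):
        blank.write_block(n, image[n * BLOCK:(n + 1) * BLOCK])
    copy = dump(blank)
    return [n for n in range(NBLOCKS)
            if copy[n * BLOCK:(n + 1) * BLOCK] != image[n * BLOCK:(n + 1) * BLOCK]]


def make_original() -> Transponder:
    """Constructed sample: a PCF7930 with deterministic, obviously fake contents."""
    tag = Transponder("PCF7930")
    for n in range(NBLOCKS):
        tag.write_block(n, bytes((n * 16 + i) & 0xFF for i in range(BLOCK)))
    return tag


if __name__ == "__main__":
    original = make_original()
    ctrl, user = split_areas(dump(original))
    print(f"control {len(ctrl)} bytes, user {len(user)} bytes, {NBLOCKS} blocks")
    print("PCF7930 blank, unverified blocks:", clone(original, Transponder("PCF7930")))
    otp = Transponder("PCF7931")
    print("fresh PCF7931, unverified blocks:", clone(original, otp))
    try:
        clone(original, otp)        # second programming of the OTP part is refused
    except PermissionError as err:
        print("re-clone refused:", err)
```

The model makes two points. First, with a read/write transponder whose contents the programmer can read in full, cloning is nothing more than dump and restore, so the immobiliser is only as strong as the unreadability of the transponder contents, which is the gap the crypto mode of the PCF7936 is meant to close. Second, a write-once blank gets one shot: check the read-back before relying on the copy.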

Physically they’re about half the size of a fingernail and a few mm thick.

They look something like this –

A quick search on Taobao shows that a PCF793x sells for between 17 and 20 RMB or so.

So far, then, I can get the key for about 30 RMB and the transponder for about 20 RMB.

I still need to be able to program the transponder though, so what’s available for that?

Another quick Google search shows a common Windows tool called Anahtar which works with quite a few programmers.

As you can see, it supports quite a few pieces of hardware. Anahtar still needs hardware to talk to the transponder, though, so I also need a transponder programmer.

A search for a normal RFID programmer is pretty polluted with car-remote-programmer spam sites.

That said, the usual result for BMWs is the AK90 programmer. This is a bit on the expensive side at around 1500 RMB, and I really only need to do this once, so let’s look for other options.

Ideally we’re looking for a low-frequency RFID programmer.
If possible, I’d like something that does other chips too, so something that can cope with the list below may be handy at some point, if only so I can play with it.

RWProg looks interesting, as it supports a lot of other RFID chips –

Unfortunately a search for it on Taobao shows no results. RFID readers, on the other hand, are dirt cheap, with the cheapest USB ones going for 35 RMB or so.

The PCF793x specs I found don’t actually say what frequency the chips run at, unfortunately, so it’s a little hard to find an appropriate device quickly.

I do note that there is a disproportionate number of card writers on Taobao claiming to do Mifare, which not coincidentally is close enough to what the metro travel cards use in most cities here in China. I guess that means there are probably lots of fake ones around… Either way, Mifare is a 13.56 MHz (ISO 14443) system, so those writers are no use for a low-frequency car transponder.

If I check what’s usually used for programming the PCF793x series, Philips (NXP) pushes its PCF7991 reader IC. Philips doesn’t state its frequency either, but this Chinese site says 125 kHz.

So, it’s a 125 kHz programmer.

Unfortunately those are 500 RMB on Taobao, so I keep looking.

…and bingo, I can find a BMW key programmer which will do it for 350 RMB.
Sounds good.

350 RMB for the transponder reader/writer, 20-odd for the transponder and 30-odd for a key.
400 RMB total, and further copies of the key will cost about 50 RMB each versus the 2000 RMB BMW wants.

It’s a win!

Next up: what frequency does the remote use, so I can get a replacement for that…

My remote frequency is 433.92 MHz, as I have a European car.
I’d guess it would probably be 315 MHz if it were a US, CN or SA built car.

As I’ve had some negative comments about this all being possible, I’ve added some photos of the tool I bought to successfully clone my keys.

The box full of goodies.
EWS II Key Cloning Box

Box contents
EWS II Key Cloning Box Contents

Key Cloning tool
EWS II Key Cloning Tool

Key Cloning tool side view
EWS II Key Cloning Box Front

Key Cloning tool MCU adaptor side view
EWS II Key Cloning Box (For reading MCU if necessary)

Box contents
EWS II Key Cloning Box contents

Cloned keys (original on far left)

Software side:

Installing hardware drivers
The device is a standard FTDI USB-to-serial based product and needs two drivers installed: the first for the serial chip, then a second for the device behind the USB-to-serial chip.

Installing software

Software running


Had a client ask about some .cn stuff over Skype, so I proceeded to give him the whole “this is what is needed now” story. Haha, fun story.
I.e. “but no, there’s more, you also need this… and this… and this… and don’t forget the photo in front of the sign.”

While we do have our own list of requirements on this blog, I did google to see if there was something less dry, and discovered a little blog post which mirrored our own experiences quite closely. It’s a good read too –

Read that, then follow on below, as this was intended to be posted as a comment on that post, but their blog comments appear to be borked at the moment.

I’ve fleshed it out a little, and it still seems semi-relevant here.

Do remember that while anything I say can and will be used against me as evidence, I never said it. Got that? Good, now read on.

Glad to see I wasn’t the only one who had to go through all that, and again in October last year.

I also fondly remember the “shut down their site” stuff.

First we made an ICP warning page, then a blank page, and then I got creative and started mapping the IP for the domain to the server – you never know, maybe they’ll shut down their site!

Apparently, although this was amusing, it also wasn’t enough, and we too had to vanish the DNS into nothingness NOW
(which is also hard, as explaining that DNS changes take 1-2 days to propagate doesn’t seem to sink in with the telecom people).
Mind you, the threat from the terrori^H Telecom people to shut off their site didn’t really have the same effect when it’s already shut off, dammit!

Then there are the clients who ask why we have 4 ICP numbers.
Well, because the government decided that you could only have one per login when we did them in 2005. However, the client has just one site, and points .com, .cn et al. to the same place, and Telecom INSISTS that you have an ICP for all of them, even though it’s the same site. Luckily they seem to have fixed that now, although we still have the odd site with 3 or 4 ICPs just because you can’t seem to get them to accept they’re all the same site. Dammit, just let us register them under the one ICP, please!

…and then there are the mysteriously disappearing ICP numbers of doooom, where the telecom people say that the ICP is invalid. It’s fake, I tell you, FAKE!
Although you could swear that the ICP is real, as you did all that darn paperwork the last time around, plus you have an email from miibeian with that number and domain, so please, please recheck… but they still say that’s impossible, it doesn’t exist in their system.
Why, why, why would we possibly have a bazs.cert for the domain together with the ICP and the URL tucked away in our files if we didn’t receive it from them? But no, we have to do it all again because their system is buggy, and these aren’t the droi^Hnumbers you’re looking for.

At least they seem to have dropped the requirement for the bazs.cert file to be uploaded to all sites now. I shouldn’t say that too loud though; someone up high will probably smack their head now and say, “I knew there was some other hoop we forgot to get people to jump through, erm, I mean new legislation that’s not clearly thought out so people have to work out the hard way what we want, er no, that’s not right either, forget what I said…”

Or the good old Chinese optimistic scheduling / planning with regards to implementation dates?

I.e. you have 2 weeks to get all of your 700+ client registrations completed in triplicate, filed with CNNIC, the registrar and the local telecom authority, or we shut their sites off… What do you mean you need some kind of notice?
Jump NOW! We say how high.

Ah, the good old days.

At least the clients are understanding when you tell them: hey, the government changed the rules again, we need more stuff, come for photos, bring your IDs and business licences, and do it asap or you lose the domain.

It’s at times like this that I think back to what should have been the slogan for the Shanghai Expo and the thing with 5 circles up in Beijing (just prior to the big bonfire and marshmallows thing at the CCTV building that I didn’t get invited to).

China. – We invented bureaucracy.