BMW Lock Pick tools
#21
All very nice, but what about Comfort Access? Read somewhere about a study by some university guys about RF remote controls used on a lot of car brands and their main dependence on a Texas Instruments encryption chip using 40-bit DES keys. They went on to prove in this paper that this was easily broken.
So my question is, to anyone who's familiar with this topic, what's the authentication and encryption mechanism used by BMW for the Comfort Access?
#22
For those of us that don't understand permutations, you cannot use the same symbol (or physical item) AGAIN once it has been chosen.
So, 00, 11, 22 ... 99 are EXCLUDED in the calculation of permutations. It's not surprising that there are 90 permutations when these occurrences are removed.
I'm not sure where using permutations in the explanation of number bases is taking us.
ABC
The permutation formula you have used applies to cases where you want to identify the number of subsets that can be extracted from one set without repetition, hence the restriction on "cannot use the same symbol". It was originally developed by Pascal to work out gambling probabilities - amongst other things, and in a pack of cards you only have one ace of spades. But here you have two sets: left and right halves, so you can choose the same element (in the 1111 to 2222 sequence) on either side.
#23
Originally Posted by Dragonii (Dec 26 2006, 04:13 PM)
All very nice, but what about Comfort Access? Read somewhere about a study by some university guys about RF remote controls used on a lot of car brands and their main dependence on a Texas Instruments encryption chip using 40-bit DES keys. They went on to prove in this paper that this was easily broken.
So my question is, to anyone who's familiar with this topic, what's the authentication and encryption mechanism used by BMW for the Comfort Access?
Which is great in a lab, but not so great on the street. Don't know about you, but I rarely leave my car parked in the same spot for 60 days in a row... and if you open it, the code changes, so it's back to square one.
#24
Originally Posted by dlevi67 (Dec 26 2006, 04:42 PM)
The permutation formula you have used applies to cases where you want to identify the number of subsets that can be extracted from one set without repetition
I still find the last bit of "This gives exactly 240 permutations + 16 cases where the same "sequence" is picked twice, once for left, once for right." impenetrable. But that's just my feeble brain.
ABC
#25
Originally Posted by dlevi67 (Dec 26 2006, 04:52 PM)
.. and if you open it, the code changes, so it's back to square one.
eg my wife doesn't use my e60 for say 20 of my lock/open sequences, then her key can open it.
And it doesn't take it 60 days.
ABC
#26
Originally Posted by dlevi67 (Dec 26 2006, 10:52 AM)
Yes, you can break down a 40-bit code easily. Assuming each 40-bit code cycle takes 10us, then in about 60 days on average you'll get there by brute force...
Which is great in a lab, but not so great on the street. Don't know about you, but I rarely leave my car parked in the same spot for 60 days in a row... and if you open it, the code changes, so it's back to square one.
![Unsure](https://5series.net/forums/images/smilies/imported/unsure.gif)
#27
It's EXACTLY the structure of the problem here. You can ONLY use a single key half ONCE (1 out of 16) on each of TWO sides and when it's used, it's GONE and no longer features so, as I said (16 P 1) = 16 choices for one side. The result has to be squared to consider the complementary set of key halves.
To begin with you came up with an nPr proposition of (16, 2). Which would mean out of one set of 16 keys, how many pairs can we pick. Answer: 240 useless pairs, because they are all left or right halves. Then you proposed (32, 2), which would mean out of 32 keys, how many pairs can we have. Answer: 992, of which 752 are not physically workable in the lock because they are either pairings of lefts or rights, or they are a "wrong" pair with the left on the right or vice versa. Neither of which is the right answer.
To wriggle your way out and keep some nPr formula in there, now you propose to use a banal case (16, 1), but you still need to use an exponent to make things work out, as there are two halves to each key. And it still does not explain where the "16" came from. How did the tool makers know to make 16 keys? The problem is not how to select the keys. It's how to pick the lock.
Yep. Interesting problem. I don't know for sure, but I suspect the key actually sends two signals: one that says "I'm key number xxxx", and a second one that says "This is my code yyyy". A bit like user ID and password.
#28
Originally Posted by dlevi67 (Dec 26 2006, 07:07 PM)
Yep. Interesting problem. I don't know for sure, but I suspect the key actually sends two signals: one that says "I'm key number xxxx", and a second one that says "This is my code yyyy". A bit like user ID and password.
I always presumed they worked on some sort of public/private key combination like RSA SecurID's? (But that would need some form of time base on the key?)
#30
There are legitimate uses for this kit, motoring organisations, breakdown companies, locksmiths etc.
Trouble is, the bad guys get to use them as well.
A bit like the old American saying, 'guns don't kill people, people kill people'.