BMW Lock Pick tools
#31
Contributors
Join Date: Jul 2006
Location: Oxfordshire, UK
Posts: 1,180
My Ride: E61 535d Apr 05. UK spec + Media Pack, Luxury Pack & Visibility Pack
And what if you push the button out of range? I presume the codes change each time you press the button...?
I always presumed they worked on some sort of public/private key combination like RSA SecurID's? (But that would need some form of time base on the key?)
#32
Members
Join Date: Nov 2006
Location: Northern Virginia
Posts: 129
My Ride: Alpine White 2007 550i
Originally Posted by KAF (post 371243, Dec 26 2006, 05:15 PM):
There are legitimate uses for this kit, motoring organisations, breakdown companies, locksmiths etc.
Trouble is, the bad guys get to use them as well.
A bit like the old American saying, 'guns don't kill people, people kill people'.
#33
Contributors
Join Date: Aug 2005
Location: Houston, Texas
Posts: 2,114
My Ride: 2005 BMW 545i, Silver Grey, Sport Package, R. Shades, Cold Pkg, Sat. Rad., Prem. Sound.
Originally Posted by dlevi67 (post 371154, Dec 26 2006, 10:52 AM):
Yes, you can break down a 40-bit code easily. Assuming each 40-bit code cycle takes 10us, then in about 60 days on average you'll get there by brute force...
Which is great in a lab, but not so great on the street. Don't know about you, but I rarely leave my car parked in the same spot for 60 days in a row... and if you open it, the code changes, so it's back to square one.
So on a car/key, where is the encrypted code located? Or rather, does the key or the car generate the different codes?
#34
Then you proposed (32, 2), which would mean out of 32 keys, how many pairs can we have. Answer: 992, of which 752 are not physically workable in the lock because they are either pairings of lefts or rights, or they are a "wrong" pair with the left on the right or vice versa. Neither of which is the right answer.
Originally Posted by dlevi67 (post 371193, Dec 26 2006, 07:07 PM):
Sorry for being unclear. Perhaps, if you think of picking a pair of key halves as choosing a box in a square grid by specifying row and column, you'll see why. The "same row, column" choices end up on the diagonal - 16 cases in all. What's left is the different row, column choices - 240 as predicted by the nPr formula.
Quote: "I've had enough public debate on combinatorics - and I assume so has most everybody else".
I didn't want it to go as far as it did; unfortunately it can be the nature of these things. As you may have seen much earlier, I did suggest that since we ended up agreeing on your original 256 that we should forget the logic and maths.
Shall we?
On topic: I've known someone lose their only remote control key ending up with a mechanical one. The dealer took a "blank" remote key and did something not too lengthy under the bonnet and lo and behold the blank remote key had become the new key for the car.
Is it that easy?
ABC
#35
Contributors
Join Date: Jun 2005
Location: Chalandri/Athina/Hellas
Posts: 2,799
Originally Posted by 530i_msport (post 371090, Dec 26 2006, 01:49 PM):
they will not be able to start the car.
But this video should be removed.![Whistling](https://5series.net/forums/images/smilies/imported/whistling.gif)
![Think](https://5series.net/forums/images/smilies/imported/think.gif)
#36
Contributors
Join Date: Nov 2004
Location: Essex, UK
Posts: 2,325
Originally Posted by dlevi67 (post 371262, Dec 26 2006, 11:13 PM):
The way I understand it, the code is changed by the car once a successful opening attempt is made, and a signal is sent to the remote control to say "change the code" to the next in the sequence. Same approach as RSA SecurID (two streams of pseudo-random numbers that get matched), except that it is asynchronous rather than time based. Which is why brute force attacks sending code streams may work - but if cypher or code length is of the order of 40 bits, it would still take days to crack it.
![Think](https://5series.net/forums/images/smilies/imported/think.gif)
#38
Contributors
Join Date: Jul 2006
Location: Oxfordshire, UK
Posts: 1,180
My Ride: E61 535d Apr 05. UK spec + Media Pack, Luxury Pack & Visibility Pack
![Thumbsup](https://5series.net/forums/images/smilies/imported/thumbsup.gif)
However, it seems that the most common technique does not use two-way signalling, but rather it stores a number of possible values for the rolling code (16 in the MicroChip implementation, 256 x 4 in the TI) and it recognises as valid any of those. What happens if the transmitter cycles more than that number of times without getting a hit varies. The TI chipset requires manual resynchronization. The MicroChip chipset relies on two pieces of information, including a unique ID for each receiver (which gets stored in the transmitter), and it will reset if a) the ID matches and b) if two consecutive codes from the transmitter match the expected sequence. However, this presents a possible security risk (all you need to know is the ID number), and this is why the MicroChip implementation encrypts part of the pulse sequence.
Please note: I have no idea if BMW uses either of these chipsets, so take everything above with a large pinch of salt.
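The look-ahead window and the two-consecutive-code resynchronisation described in the post above, as an added example; it is not part of the original thread and is not BMW's, Microchip's or TI's code. The HMAC-based code generator, the `RESYNC_RANGE` bound, the key and ID values and all names are assumptions made for illustration; only the window size of 16 comes from the post.

```python
import hashlib
import hmac

WINDOW = 16          # look-ahead window size quoted in the post
RESYNC_RANGE = 1024  # assumed: how far ahead the receiver searches before giving up

def code_for(key, fob_id, counter):
    """Stand-in generator (assumption): 40-bit truncated HMAC, not a real fob cipher."""
    msg = fob_id.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:5], "big")

class Receiver:
    def __init__(self, key, fob_id):
        self.key, self.fob_id = key, fob_id
        self.counter = 0     # last counter value accepted
        self.pending = None  # out-of-window counter waiting for its successor

    def _find(self, code, start, stop):
        return next((c for c in range(start, stop)
                     if code_for(self.key, self.fob_id, c) == code), None)

    def receive(self, fob_id, code):
        if fob_id != self.fob_id:
            return "rejected"
        if self.pending is not None:  # is this the second of two consecutive codes?
            expected, self.pending = self.pending + 1, None
            if code == code_for(self.key, fob_id, expected):
                self.counter = expected
                return "resynced"
        lo = self.counter + 1  # codes at or behind the counter are never searched
        hit = self._find(code, lo, lo + WINDOW)
        if hit is not None:
            self.counter = hit
            return "accepted"
        self.pending = self._find(code, lo + WINDOW, lo + RESYNC_RANGE)
        return "pending" if self.pending is not None else "rejected"

def demo():
    key, fid = b"constructed-demo-key", 0x1234  # constructed sample values
    rx = Receiver(key, fid)
    send = lambda n: rx.receive(fid, code_for(key, fid, n))  # fob's n-th press arrives
    # press 1, replay of 1, press 12 (10 missed), press 33 (20 missed), then 34 and 35
    return [send(n) for n in (1, 1, 12, 33, 34, 35)]
```

A replayed code is rejected because the receiver only searches forward of its stored counter, and a single code from beyond the window never opens anything on its own.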