dlevi67

The way I understand it, the code is changed by the car once a successful opening attempt is made, and a signal is sent to the remote control to say "change the code" to the next in the sequence. Same approach as RSA SecurID (two streams of pseudo-random numbers that get matched), except that it is asynchronous rather than time based. Which is why brute force attacks sending code streams may work - but if cypher or code lenght is of the order of 40 bits, it would still take days to crack it.

Locksmythe

If I locked my key in the car I would much prefer the locksmith used this instead of bending the door or forcing a gap in the window to slip a tool in.

Bimmer32

Is this 40-bit encryption the same as Microsoft Excel/Word 40 bit encryption? I have a program that cracks the 40 bit in about 12 days using a Pentium 4 2.4 ghz. If I break it into 3 segments (using 3 computers), I can usually crack the file encryption code in 3 days are less (theoretically 4 days, but the code are almost never at the end of any 1/3 segments).

So on a car/key, were does the encrypted code located? Or rather, does the key or the car generate the different codes?

aybeesea

No, not the pairings since you can't reselect with (n P r). But until you drew my attention to it, I didn't understand that there were dedicated right and left key halves.

I assume that's rhetorical because nowhere has anyone been unclear about the 1111 to 2222 combinations and sloppy tolerances.

All clear - 16^2.

Quote: "I've had enough public debate on combinatorics - and I assume so has most everybody else".
I didn't want it to go as far as it did, unfortunately it can be the nature of these things. As you may have seen much earlier I did suggest that since we ended up agreeing on your original 256 that we should forget the logic and maths.

Shall we?

On topic: I've known someone lose their only remote control key ending up with a mechanical one. The dealer took a "blank" remote key and did something not too lengthy under the bonnet and lo and behold the blank remote key had become the new key for the car.

Is it that easy?

ABC

nicke60gre

No they cannot start the engine but they can drive the car towed, as the steering wheel lock will unlock

colejl

I can't believe the car signals the remote? This has the potential for all sorts of handshake problems?

amigo525

Love the article.

dlevi67

Doing a quick net search, I found at least a chip (TI) that can act both ways, without requiring particular precautions, and some references to two-way signalling (without mentioning specific implementations).

However, it seems that the most common technique does not use two-way signalling, but rather it stores a number of possible values for the rolling code (16 in the MicroChip implementation, 256 x 4 in the TI) and it recognises as valid any of those. What happens if the transmitter cycles more than that number of times without getting a hit varies. The TI chipset requires manual resynchronization. The MicroChip chipset relies on two pieces of information, including a unique ID for each receiver (which gets stored in the transmitter), and it will reset if a) the ID matches and b) if two consecutive codes from the transmitter match the expected sequence. However, this presents a possible security risk (all you need to know is the ID number), and this is why the MicroChip implementation encrypts part of the pulse sequence.

Please note: I have no idea if BMW uses either of these chipsets, so take everything above with a large pinch of salt.