How to clone a black remote fob ....

Eric355, could you be so kind to tell the name of the manufacturer of the remote that you used.
It is quite nice that it looks exactly like the ferrari remote.
Could you buy it as a single part, or did you have to buy a complete alarm system.

 

I appear to be in the same boat as Thibaut. One black remote and no pin code!

It's amazing that Ferrari themselves cannot come up with such an elegant solution - they just tried to charge me $2,700 with the vague possibility of a discount, to which I laughed like a madman and left the showroom gasping for air.

 

Stand by all electronically challenged ones. The force will soon be with you!

The remotes are factory Ferrari remotes, and we may be able to make them available at a very competitive price.

 

the 993 Porsche had what looked like the same system "Porsche drive block"
the remote looks the same too. My 993 only had one remote when I bought it.

if you had the key code you could "teach" a new remote by entering the key codein by the ignition.
I did it once. wonder if the remotes are the same as Porsche.
Sunset Porsche sold the remote at cost plus 15%.

 

GC,

They way I read ylshih's post is that the Red fob and the Black fob have different serial numbers, making them unique and separate.
Did I get this correct?

 

I don't know the answer to that for sure. I do not think that the remotes would be different as being distinct. I could possibly see different S/N's to identify the master, but the code sequence would have to be the same.

I would think also that there has to be some means by which the alarm system reports back to each remote as it has been used to let the other remotes know who has been there last. Otherwise, it would seem that the process of the most frequently used remote would lock out the non-used remotes!

I think we need to analyze the sequence of events with the remotes, and as soon as TonyC and I have that chance in early January to read and review the code we will have a better understanding of the whole process. TonyC is very sharp with this.

I was hoping Chris Lee would chime in, because he's quite adept with understanding RF sequencing. He may, so to speak, "hold the key"!

 

Again, the Bosch system could be different in specifics; but most of these work in similar ways. If it follows the KeyLoq system, then each key fob has a different fixed serial number and its own changing counter value, but all 3 share the same encryption key (usually derived from the PIN that's entered into the receiver).

When the receiver "learns" the red key fob, it picks up the cipher key (either deriving it from the PIN or because the red fob sends additional data to allow generation of the cipher key) and the red fob serial number/counter value at that time. When the the receiver "learns" each of the other two black fobs, it picks up those serial numbers/counter values, but it doesn't need the cipher key since those should be the same as the red fob. At the time it learns the fobs, it creates an entry for each serial number in its memory and adds the current counter value for that serial number. Every time each fob is used thereafter, it looks up the serial number in its memory tables and the receiver is able to check for the current "acceptable" counter value for that entry after decryption of the message takes place. So each fob can be used as often or as little as you like, since the receiver tracks the counters of each one separately.

However, when 2 of the key fobs share the same serial number, you could get into a situation where one of the counter values becomes unacceptable, since the whole purpose of the counters is to prevent someone from saving a recording and playing back an old value.

These systems are one way. Key fob => Car receiver. I know there are no receiver components on the fob PCBA - I looked.

I would be happy to help, but I think we need some detective work in analyzing the messages and EEPROM contents to better understand how the Bosch system works. If I had my old lab, up I would sample a few messages from a full set of 3 fobs on a logic analyzer, then dump the EEPROM contents and then start looking for common values between EEPROM contents and message contents to try to parse the values, then see where that leads in reverse engineering this system.

P.S. If we make any progress on this, the details of any investigation probably should be kept to a small group as we're potentially making it easier for some unknown to outwit our alarm systems.

 

Yin,

Everything you posted is quite valuable and makes very logical sense. All very much appreciated.

As to your P.S, I fully agree and Neither TonyC nor myself would make broad public disclosures for the exact reasons you stated.

I think we can figure this out so that it is fully functional for those who need it and so that it is fully safe for all of us.

Once we read that code many answers should be forth coming.

Stay tuned.

 

Ylshih,
You are the first person that I know of, who came with a sensefull explaination for the functions of the several fobs.
It makes sense that the receiver keeps track of the various ser. numbers/counters and of the single the decryption code.
Only the right combination of ser nr/counter/code will lead to a response, and each combination can only be used once.
The question that I still have is: If the red transmitter is able to "learn" the receiver the decryption code, it would imply that you can open every ferrari with one and the same red fob, which I very much hope is not the case.
Hans

 

Greg, I was out of town this week and just got back.
This is a very interesting thread as I am also one of those people who have only one black FOB.

I do not know much about the ‘Rolling Code’ skim, as my specialty is in RF, analog and some digital hardware design.
However, what Yin brought up makes a lot of sense since the rolling code stops one from spoofing the over the air transmitted code by changing the counter. My understanding of Keeloq is that the transmitted code changes every time by XORing remote’s unique SN and counter with a pseudo random number which is known by both the remote and alarm unit. If a thief spoofs and sends the same code, the alarm will reject the spoofed code.

The interesting thing here is that we are cloning not spoofing the system. Cloning actually clones the original remote’s unique SN and the counter, which can be used to generate genuine valid code to the alarm unit.
The question is – as Yin brought up – what would happen if the original remote is used after the cloned remote has been used for awhile (the counter has been advanced).
I am guessing that the alarm will do either 1) rejects so the old remote is no longer usable, or 2) rejects the code but allows the system to re-sync so can be used again once re-synchronization is completed.

One can do a quick test to confirm this without cloning any remote.
Take a known working remote and move away far enough so that the alarm can no longer listen to the remote.
Advance the counter by pressing the FOB button (say 100, 200 or 500 times) so the counter is completely out of the window of sequence (I think the Keeloq system has a window of counter it looks for).
Bring the FOB back within the range and try if the system works.
If the counter has been advanced enough, the system should not work at the first try.
Re-synchronize the system by pressing the FOB button for a few seconds and try if the alarm unit response. If it works we know we can clone and use both remotes safely. Otherwise you will have to look for your RED remote to relearn your alarm system.


Maybe we should wait to see if Eric has already done some research and anything to report back since he already has cloned remotes.

I think Porsche 993 uses the same system from Bosch (http://cgi.ebay.com/ebaymotors/PORSCHE-993-KEYLESS-ENTRY-REMOTE-KEY-FOB-LXP-RKY-112_W0QQcmdZViewItemQQcategoryZ33723QQihZ016QQitemZ260033153104QQrdZ1QQsspagenameZWD1V) since they both have the same FCCID number. One might be able to get the fob made for Porsche at possible lower cost(?).

 

Same situation here, 1 black remote and that's it. No code either. HELP!!! I'm a mechanical / materials engineer, so this electrical discussion is well beyond what I want to get into. Replace the clutch? no prob. De-soldering chips? not for me.

But if you guys can sort out a safe way to clone a black remote, sign me up!

 

Hi guys,
I also may be in the situation of 1 remote and no code. I do seem to have a small metal plate that seems to have been attached to the key with a letter and 4 digits. Is this the code for the alarm?

Bob

 

I have everything, one red, two blacks, PIN tags, but one of the black remotes went through the wash. The LED lights, no corrosion on the board, but no response from the car. I followed the instructions in the manual, but without success.

Do you think my one dead black remote can be saved/reporgramed?

 

Chris,

Thanks for adding in here. I am in La Jolla, and I forgot to check this thread.

I'll go through it and when I get back I'll examine what you offered. I am waiting for TonyC to get back next week as well, and then we'll examine the software side of this.

Once we read the code we may have a few answers. I think we may try to read the master eeprom as well as there may be clues here.

I still believe the system is able to decipher the pulses from all the remotes, but that's my speculation at this point.

Ferraridriver,

I think you can consider that washed fob as toast at this point!

 

Hi All,

Having read through all the explanations about disassembling and reprogramming one black remote from another and personally not being electronically inclined, I'm wondering if there's anyone who might be willing to do this for other ferrarichat members?

I too have one black remote and currently no PIN code (although I plan to get this myself from Ferrari at some point). I'm thinking of maybe contacting Bruce at Security Unlimited who cut my gray Enzo key (awesome key, great locksmith) since he's a f-car enthusiast and locksmiths are likely to have some experience with PIN codes and remotes.

I think the last post to this thread was on 12/26. Just wondering if anyone's learned anything more about this, tried it, etc. since then. I'm concerned about having only one remote, but even more concerned that it could cost $1500 or more to have to order all new remotes and have the dealer do the work.

Any success stories out there?

Thx,

JTW

 

Stand by, because we are working on perfecting this process. It has atkena while to get the equipment and to refine the read and write process.

It looks like we will be able to do it.

Stay tuned.

 

Thanks Greg, that sounds really encouraging. I just bought a used, black remote on e-bay (not sure if I was bidding against any f-chat members), so I'm hoping this solution will work. I'll keep an eye on this thread.

Thx,

JTW

 

Yes you were, and yes we can use that remote to reprogram.

 

Greg,

Oh no, was that you (dynam_tech_group)? If so, sorry about that. I guess I wanted it exactly $1 more than you did. But I guess great minds (or Ferrari owners with only one remote left) think alike!

Is there another source for black remotes other than random used ones and Ferrari dealers who sell them (I think) only in sets?

Thx,

JTW

 

No problem. At least we know it's going to a good cause!

I will have more coming from Italy very soon.

 

Thanks Eric, I don't currently have a PIN code so I'll have to wait, plus I'd like to see confirmation from GCALO to see if this is easily replicable. Also not quite sure if I want to risk mailing my only two remotes to France! LOL!

We'll see what the guys from Northern California can do....

JTW

P.S. I am in Southern California