Keys
#21
#22
#24
Ford Euro uses the 6-cut Tibbe key. Ford USA is different as shown in the photo. US Ford dealers do not have Tibbe key cutters.
Cutting the Tibbe keys is almost trivial. It is so easy, you could almost hand cut them with a small file. I am going to fabricate a small jig for cutting them myself.
Screw the locksmiths. I only need them for resetting key transponders and KES remotes.
Unfortunately, there does not seem to be a user reset procedure for the S-Type like there is for other vehicles when you have 2 working keys.
Last edited by dpasek; 12-05-2012 at 03:10 AM.
#25
Rolling code:
Microchip makes the transponder chips and cranks them out like jelly beans very cheaply.
They are used by a wide range of manufacturers in many key styles.
These use a cryptographic algorithm that generates a pseudo-random number based on a seed that is loaded into the chip. The PRNgen keyspace is very large, but susceptible to hacking given certain known factors. The ECM generates a seed from a reduced keyspace and loads it into the transponder. Knowing that and the approximate number of iterations of the PRNgen gives a range of numbers that the current transponder code falls into. This allows the ECM to maintain sync with the transponder even if the chip has been cycled away from the synched ECM. The technique is described in detail on the web.
See: http://en.wikipedia.org/wiki/KeeLoq
This system is secure enough for all but a very determined hacker.
Mechanically, the Tibbe key is only a little more secure than a screwdriver slot. The 6-cut has 1296 permutations and the 8-cut only 512. They are easily manipulated with a suitable pick, and doing so disarms the alarm system. So a car prowl could take the contents of your car almost undetected.
Last edited by dpasek; 12-05-2012 at 03:18 AM.
#26
Rolling code:
Microchip makes the transponder chips and cranks them out like jelly beans very cheaply.
They are used by a wide range of manufacturers in many key styles.
These use a cryptographic algorithm that generates a pseudo-random number based on a seed that is loaded into the chip. The PRNgen keyspace is very large, but susceptible to hacking given certain known factors. The ECM generates a seed from a reduced keyspace and loads it into the transponder. Knowing that and the approximate number of iterations of the PRNgen gives a range of numbers that the current transponder code falls into. This allows the ECM to maintain sync with the transponder even if the chip has been cycled away from the synched ECM. The technique is described in detail on the web.
See: KeeLoq - Wikipedia, the free encyclopedia
This system is secure enough for all but a very determined hacker.
Mechanically, the Tibbe key is only a little more secure than a screwdriver slot. The 6-cut has 1296 permutations and the 8-cut only 512. They are easily manipulated with a suitable pick, and doing so disarms the alarm system. So a car prowl could take the contents of your car almost undetected.
I thought it was one-way. (When powered, the transponder transmits a unique but consistent non-changing code, like a serial number. This is how it is possible to duplicate an oem key with a programmable clone at locksmith shop.)
#27
#28
The constant code is the older, obsolete, non-secure system. That code can be easily captured and duplicated, surreptitiously, from several hundred feet away.
The rolling code system solves that problem, and is the one in current use. It is more complicated to synchronize rolling code transponders to the ECM, and *much* harder to generate duplicate codes that fall into a given transponder's keyspace based on captured codes.
Once a transponder is synchronized to the ECM, communication is one way regardless of the coding system.
Last edited by dpasek; 12-07-2012 at 02:12 AM.
#29
I just got this email regarding code grabbing.
Is this for real, does such a device exist?
I always thought the codes were 'rolling'
How to Lock Your Car and Why
I locked my car. As I walked away I heard my car door unlock. I went back and locked my car again three times.
Each time, as soon as I started to walk away, I would hear it unlock again!! Naturally alarmed, I looked around and there were two guys sitting in a car next to the store. They were obviously watching me intently, and there was no doubt they were somehow involved in this very weird situation. I quickly chucked the errand I was on, jumped in my car and sped away. I went straight to the police station, told them what had happened, and found out I was part of a new, and very successful, scheme being used to gain entry into cars.
Two weeks later, my friend's son had a similar happening....While traveling, my friend's son stopped at a roadside rest to use the bathroom. When he came out to his car less than 4-5 minutes later, someone had entered his car and stolen his mobile phone, laptop computer, sat nav, briefcase......you name it. He called the police and since there were no signs of his car being broken into, the police told him he had been a victim of the latest robbery tactic – there is a device that robbers are using now to clone your security code when you lock your doors on your car using your remote locking device.
They sit a distance away and watch for their next victim. They know you are going inside of the store, restaurant, or bathroom and that they now have a few minutes to steal and run. The police officer said to manually lock your car with the key -- that way if there is someone sitting in a parking lot watching for their next victim, it will not be you.
When you lock up with the key upon exiting, it does not send the security code, but if you walk away and use the remote button, it sends the code through the airwaves where it can be instantly stolen.
This is very real.
Be wisely aware of what you just read and please pass this note on. Look how many times we all lock our doors with our remote just to be sure we remembered to lock them -- and bingo, someone has our code...and whatever was in our car.
#30
Yes, it's for real. That's why the fixed code system is insecure.
The rolling code system defeats this exploit, as best case, it takes about two weeks to brute force recover a rolling code transponder from captured codes, best case. And, it takes multiple code captures to do it. (A valet would have sufficient access.)
The car prowls described in the letter were idiots. Someone who knew what they were doing would have waited until the owner was gone to unlock the car. A fixed code exploit will also start the ignition.
Last edited by dpasek; 12-07-2012 at 11:18 AM.
#31
I believe our cars don't use the fixed system.
I'm a bit doubtful that any cars sold in the UK over the last 10 or so years do use it...
Thing is, you have to be stupid to leave laptop/etc in car as mentioned above, whether the code can be sniffed or not.
Last edited by JagV8; 12-07-2012 at 11:28 AM.
#32
JagV8, I think you are right that the fixed code system is more than 10 years obsolete. Key blanks and fobs for such vehicles can still be obtained, so anyone who buys one online needs to be aware.
We won't comment about people who leave valuables in plain sight other than to say that they are asking for a broken window.
BTW, there is a two way transponder communication system that is used for some applications. I don't know what cars use them, but there is a facility door keying system known as 'Vindicator' that uses it. It is also known as the 'crypto' system. It works using a secret, fixed number that is stored in the transponder and known to the authenticator. The authenticator sends a random challenge number to the transponder, which then convolves the fixed code with the challenge using a cryptographic algorithm to produce a response. The authenticator also makes the calculation, and both response results must match. The fixed code is never disclosed in the transaction and cannot be readily deduced from the challenge-response info, so this system is secure from eavesdropping to the extent allowed by key lengths.
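The challenge-response exchange described in the post above, with both sides shown, as an added example that is not part of the original post and not the code of any named product. HMAC-SHA256 stands in for the unspecified cryptographic algorithm, and `Transponder`, `Authenticator` and the secret value are hypothetical.

```python
import hashlib
import hmac
import secrets


def respond(secret: bytes, challenge: bytes) -> bytes:
    """Combine the fixed secret with the challenge (HMAC as a stand-in)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Transponder:
    def __init__(self, secret: bytes):
        self._secret = secret  # never transmitted

    def answer(self, challenge: bytes) -> bytes:
        return respond(self._secret, challenge)


class Authenticator:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh random challenge
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # nothing outstanding to answer
        expected = respond(self._secret, self._pending)
        self._pending = None  # each challenge is single use
        return hmac.compare_digest(response, expected)


def demo() -> dict:
    secret = b"constructed-shared-secret"  # constructed sample value
    tag, door = Transponder(secret), Authenticator(secret)
    c1 = door.new_challenge()
    r1 = tag.answer(c1)  # (c1, r1) is all an eavesdropper observes
    out = {"genuine": door.verify(r1)}
    out["reuse_without_challenge"] = door.verify(r1)
    door.new_challenge()
    out["replay_on_fresh_challenge"] = door.verify(r1)
    forged = Transponder(b"wrong-secret").answer(door.new_challenge())
    out["wrong_secret"] = door.verify(forged)
    out["secret_on_wire"] = secret in (c1 + r1)
    return out
```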
#33
#35