Key Cloning and coding on a BMW X6 (F16) 2016
Background
So a bit of background here: I ordered a BMW X6 M50d in June 2016, and it arrived at the end of October 2016. Two months later I have a dodgy guy sitting outside of my house at 8pm at night, smoking a cigarette, waiting for *something*. The moment I used my car key fob to open the boot, he dumps his cigarette and drives off. This led me to believe he had cloned my car key.
A quick trip to BMW the next day and the service agent there assures me it shouldn't be possible unless they had access to the ECU/OBD2 port, but my car had the latest updates. But if they are determined, they will steal the car anyway. Great!
Key Cloning
Key types
So there are different types of keys: Passive Keyless Entry (think comfort access and not pressing a button to unlock the car doors), and your standard radio key, which opens the doors when you press a button.
There are several attack vectors to each type of key.
PKE - Radio amplification attack.
Radio - Replay attack.
Most keys work on 868 MHz, 433 MHz or 315 MHz, and blanks can be bought off the internet from Chinese websites or even eBay.
OBD
Cloning can be done via the OBD port, and there can be a max of 10 keys programmed into the ECU. After that a new ECU is needed. This is one of the easiest attacks. Smash a window, plug a laptop into the OBD port, and clone the key onto a blank.
Coding
ESys
This is the software that enables you to do coding, which for example modifies the car software so that it recognises you've installed a non-factory-fit item like Bluetooth or something.
FDL Coding
This enables you to personalise the car. I will be disabling the start/stop feature, or at least telling it to remember the setting before the car was turned off.
There are many tutorials for hacking BMW and plenty of ways to obtain it.