Hey all,

I was wondering if anyone is willing to share the algorithm used to derive the DST40 key from publicly readable transponder data? I know of a related work for DST80 (the "Dismantling DST80-based Immobiliser Systems" paper) where it's based on pg1, pg2, and serial, but was unable to find anything concrete for DST40 devices.

Any pointers will be greatly appreciated!

Bumping the topic up, as this might be of general interest to everyone.

Anyone have info on this

Hey all,

I was wondering if anyone is willing to share the algorithm used to derive the DST40 key from publicly readable transponder data? I know of a related work for DST80 (the "Dismantling DST80-based Immobiliser Systems" paper) where it's based on pg1, pg2, and serial, but was unable to find anything concrete for DST40 devices.

Any pointers will be greatly appreciated!


this algorithm is one-way, so it is not possible to reverse the function to obtain the cryptokey, decoding the cryptokey is done using a different method.