Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer
indienick
4th September, 2015, 07:33 PM
https://www.usenix.org/sites/default/files/sec15_supplement.pdf
Three years in the making.....here it is....
For your brainiacs out there. I don't know what to make of this lol.
paul_12345
4th September, 2015, 07:57 PM
I can see Tango adding this very very soon - and I bet this is why FLY said they will have a id48 copy box soon.
paul_12345
4th September, 2015, 08:02 PM
Hope nobody has bought AVDI FULL VAG for key programming recently... because it looks like VAG standard keys are now going to be id46-clone kind of prices very soon.
indienick
4th September, 2015, 08:39 PM
> Hope nobody has bought AVDI FULL VAG for key programming recently... because it looks like VAG standard keys are now going to be id46-clone kind of prices very soon.
Can you explain a little further m8?
paul_12345
4th September, 2015, 09:01 PM
> Can you explain a little further m8?
On id48 transponders that, for instance, Zed-Bull can unlock, e.g. (they unlock with pincode 00000000 or pincode AAAAAAAA, btw):
1. You sniff one valid challenge / response from car;
2. You unlock the transponder.
3. Then write 0000 to word 4 (the first secret key memory block).
4. You replay the challenge.
5. If the response is correct, then 0000 is the first word of the secret key; if not, you increment word 4 to 0001 and repeat until you find the correct 2 bytes.
6. Once you have found word 4, you do the same for words 5, 6, 7, 8 and 9.
Then you have the secret key.
So for all the transponders that can be unlocked with Zed-Bull, all that is needed is a sniffing device to get the challenge/response; then it will take two minutes for Zed-Bull, Tango etc., who have the challenge/response algo, to add cloning of the unlocked transponders.
But also the pincode is only 4 bytes, so I am not sure how fast you could brute force the pincode to unlock.
They also have another method which I've not looked at too much, a lot of math to go through, but they show everything needed to get the key. Seems Miraclone was on the right track, as I believe they had a method that worked but took far too long... in this paper they have a method they say does it within 30 minutes with one sniff.
So it won't be long at all before everyone, including the Chinese, brings out id48 cloning like the id46 method.
*edit - just done the maths on brute forcing the pin and that is not going to happen if it is a random pin
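The word-by-word recovery described in the post, as an added toy simulation (not code from the paper, and not Megamos Crypto; the keyed function is a stand-in SHA-256 and the key, challenge and response are constructed sample values). It shows why six independently writable 16-bit key words reduce the search from 2^96 to at most 6 * 2^16 replays, and why a transponder whose key memory is locked, as mentioned later in the thread, does not give up its key this way.

```python
import hashlib

# Toy model (added example, not Megamos Crypto): a 96-bit key stored as six
# independently writable 16-bit words, like transponder words 4..9 in the post.
KEY_WORDS = 6
WORD_SPACE = 1 << 16

class ToyTransponder:
    def __init__(self, key_words, locked=False):
        self.key = list(key_words)   # words 4..9 of transponder memory
        self.locked = locked         # write-protection set on the key area?

    def response(self, challenge: bytes) -> bytes:
        # Stand-in keyed function; the real cipher is different.
        key = b"".join(w.to_bytes(2, "big") for w in self.key)
        return hashlib.sha256(key + challenge).digest()[:8]

    def write_word(self, idx: int, value: int) -> None:
        if self.locked:
            raise PermissionError("key memory is locked")
        self.key[idx] = value        # the other five words keep their old value

def recover_key_wordwise(tag, challenge, observed):
    """Steps 3-6 of the post: overwrite one word at a time and replay the
    sniffed challenge. Returns (recovered key words, number of write+replay attempts)."""
    attempts = 0
    for idx in range(KEY_WORDS):
        for guess in range(WORD_SPACE):
            tag.write_word(idx, guess)
            attempts += 1
            if tag.response(challenge) == observed:
                break                # guess equals the original word; leave it in place
        else:
            raise RuntimeError("no value of word %d matched" % idx)
    return list(tag.key), attempts

def worst_case_attempts():
    """Per-word search (6 * 2^16 replays) versus a search over the whole 96-bit key."""
    return KEY_WORDS * WORD_SPACE, 2 ** (16 * KEY_WORDS)

# Constructed sample: secret key words and one sniffed challenge/response pair.
SAMPLE_KEY = [0x0003, 0x0101, 0xBEEF, 0x0042, 0x7A00, 0x0007]
SAMPLE_CHALLENGE = bytes.fromhex("0123456789ab")
SAMPLE_RESPONSE = ToyTransponder(SAMPLE_KEY).response(SAMPLE_CHALLENGE)

if __name__ == "__main__":
    key, n = recover_key_wordwise(ToyTransponder(SAMPLE_KEY), SAMPLE_CHALLENGE, SAMPLE_RESPONSE)
    print([hex(w) for w in key], n, worst_case_attempts())
```

A locked transponder raises PermissionError on the first write, so the only remaining search is over the whole key, which is the point of the lock bit.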
paul_12345
4th September, 2015, 09:12 PM
I have been working on making another Effi-type program, and if I had an original Zed-Bull I could probably use the challenge/response from Zed-Bull to make Zed-Bull able to clone the unlocked id48 keys with a sniffed transaction. Unfortunately the clone Zed-Bull does not have the challenge/response commands in firmware.
paul_12345
12th September, 2015, 05:43 PM
Just had a little play with Tango; it can unlock Magic 2 id48 very quickly with any pin code.
I also checked, and unlocking does not alter the key at all.
So all Tango needs is a sniffing device and they can add cloning id48 very easily, and the chips to clone already exist.
instakeys
12th September, 2015, 10:42 PM
This is all joyous wonderful news.
I got a leaflet from NW Keys in the mail advertising some sort of Megamos 48 cloner yesterday too... I just disregarded it as only doing Magic 1 type or something. I assume it's ~~~~? No idea.
CN900 and an ID 48 cloner will be just the ticket for many of us.
paul_12345
12th September, 2015, 10:55 PM
> This is all joyous wonderful news.
> I got a leaflet from NW Keys in the mail advertising some sort of Megamos 48 cloner yesterday too... I just disregarded it as only doing Magic 1 type or something. I assume it's ~~~~? No idea.
> CN900 and an ID 48 cloner will be just the ticket for many of us.
This way is only for Magic 2, which is the newer type, as only Magic 2 has the option to unlock via pin code.
It would also work for Magic 1, but only if they did not lock the transponder.
But the other way described in the paper would probably be better, as it may work for the new keys with built-in transponders. It would be useful on the newer VAGs, as you could get the CS from the key.
obdsystems
13th September, 2015, 12:58 AM
Way it goes. Would be good if FLY did a decent copy box :D
Live in hope.
Either way, everybody competes with Timpsons; go figure who wins :(
Atex31
13th September, 2015, 11:36 AM
Timpsons are great.
I have 5 Timpsons shops sending me everything they either can't or don't want to do ;)
They would rather pass it on than screw it up, and that's a very professional attitude.