kivijakola / hitager


Explore and Implement writing of BMW CAS3 remote data - Producing BMW CAS3 remote #2

Open tusker-tools opened 2 years ago

tusker-tools commented 2 years ago

During analysis of the Hitag2 V3.1 tool, it was found out that the crypto data for the remote is stored in block 15, which is read protected for 5WK49125 (for the older 5WK49121 it is possible to read it out by using a special, already implemented procedure).

However, it is not possible to write block 15 by using the normal BMW EE write command. It seems that for writing remote data in block 15, a special procedure is required.

For producing a key with working remote, "write remote data" procedure has to be explored. We need a capture of this procedure from an available tool. Then we can implement that also for Hitager.

If anyone has the possibility to capture the ABIC communication during remote generation, please post it here. I can analyze and implement it.

tusker-tools commented 2 years ago

Just tried to write some dummy remote data to a used key. The tool gave an error "Wrong transponder answer!", but nevertheless I was able to capture a sequence:

Dummy remote data: image

Capture: HiTag2_v3_1_Write_Remote_Data.dsl.csv

Analysis:

Tool-->Key: 11000 (Read IDE)
Key-->Tool: BB 09 4E 97
Tool-->Key: 01000 (Enter XMA State)
Key-->Tool: FF FF FF E8
Tool-->Key: 10010+inv
Tool-->Key: 01 23 45 67 (Remote Secret Key low)
Tool-->Key: 10010+inv
Tool-->Key: 00 00 89 AB (Remote Secret Key high)
Tool-->Key: 10010+inv
Tool-->Key: 0A 1A 2A 3A (Synchronization)
Tool-->Key: 10010+inv
Tool-->Key: 1C 2C 00 00 (Key Number)
Tool-->Key: 10010+inv
Tool-->Key: 4A 5A 6A 7A (Configuration)
Tool-->Key: 10010+inv
Tool-->Key: 00 00 00 12 (???)
Tool-->Key: 11111+inv

tusker-tools commented 2 years ago

It is not clear what the 00 00 00 12 message represents. In order to find out, I did some more tests with different remote control data. Below are my observations:

Key Number, Secret Key high, Secret Key low, Sync, Conf ---> Result Message

00 00, 00 00, 00 00 00 00, 00 00 00 00, 00 00 00 00 ---> 00 00 00 00
00 01, 00 00, 00 00 00 00, 00 00 00 00, 00 00 00 00 ---> 00 00 00 01
00 02, 00 00, 00 00 00 00, 00 00 00 00, 00 00 00 00 ---> 00 00 00 02
00 FF, 00 00, 00 00 00 00, 00 00 00 00, 00 00 00 00 ---> 00 00 00 FF
00 00, 00 00, 00 00 00 00, 00 00 00 00, 00 00 00 01 ---> 00 00 00 01
FF FF, 00 00, 00 00 00 00, 00 00 00 00, 00 00 00 00 ---> 00 00 00 00
FF FF, FF 00, 00 00 00 00, 00 00 00 00, 00 00 00 00 ---> 00 00 00 FF
01 02, 00 00, 00 00 00 00, 00 00 00 00, 00 00 00 00 ---> 00 00 00 03
01 02, 04 08, 10 20 40 80, 00 00 00 00, 00 00 00 00 ---> 00 00 00 FF

Currently I do not understand the algorithm behind it. Hope anybody else does.

tusker-tools commented 2 years ago

Just tried some of the collected test data in an online CKS calculator (Online Checksum Calculator).

Success!!! The last "magic" byte is a Checksum8 XOR. Seems that all bytes simply need to be XORed.

Now implementation in Hitager can begin
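As an added example (not code from the hitager project, and not the author's own implementation): a small Python script that checks the Checksum8 XOR rule inferred above against the capture and the test table posted earlier in this thread. The function names, the zero padding of the two-byte table fields to four bytes (taken from how the capture shows them), and the concatenation order of the words are assumptions; the byte values themselves are the ones posted in the thread.

```python
"""Check the Checksum8 XOR relation observed for the BMW CAS3 remote-data write.

Added example; not hitager project code. Byte values come from the issue
thread, field layout and helper names are assumptions.
"""
from __future__ import annotations

# The six 4-byte words the tool sent in the captured write sequence, in the
# order seen in the capture (each one preceded by a 10010+inv command).
CAPTURE_WORDS = [
    bytes.fromhex("01234567"),  # Remote Secret Key low
    bytes.fromhex("000089AB"),  # Remote Secret Key high
    bytes.fromhex("0A1A2A3A"),  # Synchronization
    bytes.fromhex("1C2C0000"),  # Key Number
    bytes.fromhex("4A5A6A7A"),  # Configuration
    bytes.fromhex("00000012"),  # trailing word marked "???" in the capture
]


def checksum8_xor(data: bytes) -> int:
    """Checksum8 XOR: fold every byte into a single byte with XOR."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def trailing_word(payload_words: list[bytes]) -> bytes:
    """Build the trailing 4-byte word for five payload words: three zero bytes
    followed by the Checksum8 XOR of all 20 payload bytes. This is the rule the
    issue author inferred from the tests; it is assumed here, not read from
    hitager sources."""
    if len(payload_words) != 5 or any(len(w) != 4 for w in payload_words):
        raise ValueError("expected five 4-byte words")
    return bytes([0, 0, 0, checksum8_xor(b"".join(payload_words))])


def sequence_is_consistent(words: list[bytes]) -> bool:
    """True when a recorded six-word sequence agrees with the XOR rule, i.e.
    its trailing word equals what trailing_word() computes for the first five."""
    return len(words) == 6 and trailing_word(words[:5]) == words[5]


def words_from_table_row(key_number: str, secret_high: str, secret_low: str,
                         sync: str, conf: str) -> list[bytes]:
    """Map one row of the posted test table onto the five 4-byte words.
    The table lists Key Number and Secret Key high as two bytes each; the
    capture shows them as '1C 2C 00 00' and '00 00 89 AB', so the padding
    positions are taken from there (an assumption about layout; zero padding
    does not change an XOR checksum either way)."""
    return [
        bytes.fromhex(secret_low),
        b"\x00\x00" + bytes.fromhex(secret_high),
        bytes.fromhex(sync),
        bytes.fromhex(key_number) + b"\x00\x00",
        bytes.fromhex(conf),
    ]


# Rows as posted in the thread:
# (key number, secret high, secret low, sync, conf, last byte of result message)
TABLE_ROWS = [
    ("0000", "0000", "00000000", "00000000", "00000000", 0x00),
    ("0001", "0000", "00000000", "00000000", "00000000", 0x01),
    ("0002", "0000", "00000000", "00000000", "00000000", 0x02),
    ("00FF", "0000", "00000000", "00000000", "00000000", 0xFF),
    ("0000", "0000", "00000000", "00000000", "00000001", 0x01),
    ("FFFF", "0000", "00000000", "00000000", "00000000", 0x00),
    ("FFFF", "FF00", "00000000", "00000000", "00000000", 0xFF),
    ("0102", "0000", "00000000", "00000000", "00000000", 0x03),
    ("0102", "0408", "10204080", "00000000", "00000000", 0xFF),
]


def table_matches_rule() -> bool:
    """True when every posted table row agrees with the XOR rule."""
    return all(
        trailing_word(words_from_table_row(*row[:5]))[3] == row[5]
        for row in TABLE_ROWS
    )


if __name__ == "__main__":
    print("capture consistent with XOR rule:", sequence_is_consistent(CAPTURE_WORDS))
    print("all table rows consistent:", table_matches_rule())
    print("trailing word for capture:", trailing_word(CAPTURE_WORDS[:5]).hex())
```

Running the script reports that both the capture (trailing word 00 00 00 12) and all nine table rows agree with the rule; `sequence_is_consistent()` is also a convenient sanity check to run over any further captures posted here before assuming a write failed for other reasons.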

tusker-tools commented 2 years ago

Awaiting functional test with a real key. If anybody tried it out, please post the corresponding hitager log here.

forsbergemil commented 2 years ago

I tried to read remote key data from 5WK49125. It is a real key and I have reset it to virgin, and with another tool I read the KeyID: DF012991 log_read_remote_bmw_7945c.txt

When I try with this tool I can see in the log that it captures the KeyID but it is not shown in the GUI.

Sending: f
RFOFF
Sending: o
adapt target:1C
adapt samplingT:BA
adapt readval:FF
RFON
Sending: i05C0
transfer ISRcnt:3F
X RESP:DF012991
EOF
Sending: f
RFOFF
Sending: o
Please reset reader!
Sending: i0540
Please reset reader!
Send cmd, try 2
Sending: i0540
Please reset reader!
Send cmd, try 3
Sending: i0540
transfer ISRcnt:54

tusker-tools commented 2 years ago

Thank you very much for testing and providing detailed information.

But the number you are referring to as KeyID is actually the Hitag2 Transponder ID, not the Remote ID. Therefore it is not displayed in the BMW remote data window. As I mentioned in the initial post, it is not possible to read the remote ID for 5WK49125.

If you want to read the Hitag2 ID you need to use the Hitag2 tab (first tab).

However, this issue is intended for WRITING remote data. Did you try this feature? If you have the possibility to renew keys, testing the generation of a remote would be a big help.

forsbergemil commented 2 years ago

Yes, I can renew this key many times and try to write.

EDIT

Here is the log and a picture of the software showing the error. I compared the virgin key with the key after writing, and only 00 was added on the last line. TEST-WRITE-LOG.txt IMG_6314 IMG_6315 IMG_6316

tusker-tools commented 2 years ago

Ok, seems that there is still a bug in the write remote functionality. This needs to be corrected.

Btw, the last datablock is not valid for the 5WK49125. This is indicated by b1 b1 b1 b1. It is read protected. The change you observed seems to be a reading error. Actually no data has been written due to the mentioned bug.

tusker-tools commented 2 years ago

Here is log and picture of software showing error.

The finding should now be fixed. Please check out the new release v1.1.0 and let me know if writing remote data is successful now (providing a log would be helpful).

forsbergemil commented 2 years ago

BMWREADANDWRITE.txt

It does not work yet, as you can see in the log. Sorry for not testing earlier.

tusker-tools commented 2 years ago

Thanks for trying it out!

Looking into your posted log, the behavior of the Arduino looks strange.

RESP:DF012991
EOF
Sending: f
RFOFF
Sending: o
Please reset reader!
Sending: i0540

For some reason when switching RF on, the Arduino does not respond anymore. I never saw this behavior.

Anyway, in the meanwhile I got a renewed key for trying myself. And now for me it's working. Look into the following log: AESHitager_log_write_remote_success.txt

After writing remote data, I read it again with Hitag2 v3.1, which surprised me because it was possible (it seems that the remote page is only locked after the lock bit in Hitag Page 3 data is set). And the data read was exactly the same I wrote with AESHitager ;-) So the basic algorithm seems to be working now!

Nevertheless I have to admit that for my setup, I had to try remote data writing several times until it finally passed till the last block. The problem was that after sending the 10010+inv command, sometimes I got a response different from the expected 9340. But this is for sure due to the instability of my reading setup. This is another thing we need to improve.

I will upload a new hitager release today, also the Arduino part. Please try again using this.

tusker-tools commented 2 years ago

With c70e02aadb6e76bc1ec608e1c04bb50935e5c0cd I was now able to write the remote data many times without any error. Reading back the data (possible in case the lock bit in Hitag2 Page 3 was not set before) showed that it was written correctly every time.

Please try the latest AESHitager and Hitaguino I released today.

Looking forward to your test experience.