SwedeSpeed - Volvo Performance Forum

Post #1 · Discussion Starter (Registered, 1,284 posts)
The most bizarre thing just happened and I need some explanations... I posted the story on the UK forum, mostly to warn others about locking the key inside the car, but it's the unexpected turn of events that I cannot understand, and I'd appreciate some brainstorming...

Short recap:
The car is a 2006 S40 1.6 Diesel belonging to my colleague.
- My work colleague managed to lock the car and lose the only working key (key A) on Thursday. In the evening a locksmith came over and opened his car by lock-picking, so the driver's door was open, while the rest of the doors were shut and deadlocked (no opening from inside etc.). The alarm was blaring, of course, for a good while.
The key was not inside as hoped, and the spare key (key B) he had was NOT working - putting it in the ignition set the car alarm off and nothing else happened. Key B was also not opening/closing the doors with the fob, and it had no blade, so it is basically a piece of plastic that either never worked before or is from another car. It was actually never confirmed working before.

Anyway, the car was on our work parking lot with the battery disconnected until this morning, with all the doom & gloom ("tow it to Volvo, spend a week and pay with a kidney") that I was expecting. But an independent car key specialist was called over this morning, and now I am looking at an eBay-style copy of a key with a physical blade that OPENS the door and STARTS the car... Remote opening doesn't work though.

With no working keys to copy from, without moving the car off the premises and without using a Volvo dealership... His van was here for about 10 minutes today. That's all...

It cost him 150e with the call-out fee; I was quoted 100e for a replacement key for my car if I come over and wait at the shop for an hour or 2 (just called that shop to confirm)...

Can someone please tell me how this is possible?

[photos of the keys]
 

Reply · Premium Member (9,303 posts)
That little square plug at the tip of the "new" key is mighty suspicious. To me it appears someone milled out the RFID and inserted something else. Maybe there's a backdoor keycode.

If you're brave, try starting your car with his key.
 

Post #3 · Discussion Starter (Registered, 1,284 posts)
That little square plug at the tip of the "new" key is mighty suspicious. To me it appears someone milled out the RFID and inserted something else. Maybe there's a backdoor keycode.

If you're brave, try starting your car with his key.
Interestingly, the OEM one has that as well! It's less visible as my key is a bit worn, but it also looks like something "pullable".
I might try this key on my car but I seriously doubt that could work. I'm more inclined to think that this is somehow a clone of Key A, so the car does not distinguish it from the lost Key A, but how can you pull those codes out of the car and program a blank chip? (if that's the way it was done)...
 

Reply · Premium Member (9,303 posts)
Well he clearly didn't clone Key A because it's lost (for now). And the way RFID works, the car has no idea what the contents of Key A are. All the car knows is that Key A provided the correct response to its challenge. Clearly, Key C does this too. So, I'm intrigued, as well.
 

Reply · Registered, 2007 S40 2.4i / 2007 C70 T5 (1,119 posts)
That little square is the holder of the RFID chip for the ignition. It looks like this:

[image]

That holder slides in from the inside of the remote and it's glued in at the back.

Sent from my iPhone using Tapatalk
 

Reply · Registered, 2007 S40 2.4i / 2007 C70 T5 (1,119 posts)
Plot twist: the locksmith found the key and didn't tell your friend; instead he sold him a cloned one!

Ok, not joking anymore.

I would try to start the car with the key of another car or, even better, a key without RFID, an empty shell, basically.
If it starts the car, then the locksmith somehow managed to disable the immobilizer, and in that case the car can be started with any key. Definitely NOT GOOD!

If not, like sklooner said, check how many keys are programmed by checking the settings in the car.

If there are still 2 keys, he may have disabled the immobilizer or he programmed a new key, BUT, at least in VIDA, you program a key and the remote at the SAME TIME; it makes no sense to do it without the remote. Unless he did it with another program.

I know about disabling the immobilizer because my dad had a Renault Scenic that from one day to the next did not recognize either key, and he ended up taking the car to a mechanic who did that work.


Sent from my iPhone using Tapatalk
 

Post #8 · Discussion Starter (Registered, 1,284 posts)
Well he clearly didn't clone Key A because it's lost (for now). And the way RFID works, the car has no idea what the contents of Key A are. All the car knows is that Key A provided the correct response to its challenge. Clearly, Key C does this too. So, I'm intrigued, as well.
Wait, I thought the RFID chip contained a constant code (let's call it a "random 128-digit number") that is simply read by the car's antenna. If that number corresponds with the number that is programmed into the car's CEM, it means it's a matching key and the immobiliser can be deactivated. If that were the case, there would be a place in the car's memory that would contain that number and it could be read from...
At least that was my thought.

- Gonna check the car's keys in the waterfall this afternoon, when he arrives. Problem is I don't know how many there used to be; he never checked, me neither. But I will also try to start it with my key and will see what happens. I tried starting my friend's 2008 car once and I know exactly that it shouldn't even 'BZZT' on the wrong key.

The locksmith couldn't have found the key (haha, I thought of that as well!) as it was a different one to the fella that came over and opened the car in the first place. BTW I wish I knew how he did it, as obviously it takes 4 minutes of work and a deadlocked car can be opened by picking the barrel; I saw CCTV footage of him working the car (from a distance) and I know exactly how quickly it went. So the second locksmith came over while the car was already opened and with no key inside (searched thoroughly). I doubt he used VIDA but can't rule it out. He definitely went into the car with some device but again - too far to see properly.
Some side questions that come to mind:
- How did he manage to cut the key blade? Obviously he must have access to some database and based on the VIN got the blank blade cut to shape? I know it takes like a week for a Volvo key to come from Sweden, but it also comes already cut, so that must be the same data access, yeah?
- Would the same alleged database contain programming codes for the immobiliser?
- How do you power up the CEM to connect any device (VIDA/OBD) if the car is still under "ALARM - I AM BEING STOLEN!!"? Does that not somehow defeat the purpose of any safety features if you can just call up a locksmith who will show up with a pre-cut blade and program the key to your alarm-blaring car? I would really have less trouble understanding this situation if the car had at least 1 working key present and wasn't deadlocked & alarmed, but this? :D
 

Reply · Premium Member (9,303 posts)
Well, licensed individuals, and car thieves, have access to tools that we mortals don't, I guess.
 

Reply · Registered (437 posts)
The blade can be cut by "decoding" the lock and then cutting a key to that spec. Basically a measuring device is put into the keyway that pushes against the pins to measure each of them. This is a known exploit of the sidewinder type lock. Also, sidewinder stuff is fairly forgiving on the cut (i.e. there is some slop, especially in the door lock cylinders), so the cut doesn't even need to be that precise.

Now the immobilizer part is more difficult. If it isn't VIDA with uplink then it is an aftermarket software exploit that force-injects the new key into the whitelist, with the appropriate encoding or encryption to suit. You'd be surprised, but the security of these immobilizer systems often isn't all that extravagant. Weak keys, reversible hashes, back doors, etc.
 

Post #11 · Discussion Starter (Registered, 1,284 posts)
The blade can be cut by "decoding" the lock and then cutting a key to that spec. Basically a measuring device is put into the keyway that pushes against the pins to measure each of them. This is a known exploit of the sidewinder type lock. Also, sidewinder stuff is fairly forgiving on the cut (i.e. there is some slop, especially in the door lock cylinders), so the cut doesn't even need to be that precise.

Now the immobilizer part is more difficult. If it isn't VIDA with uplink then it is an aftermarket software exploit that force-injects the new key into the whitelist, with the appropriate encoding or encryption to suit. You'd be surprised, but the security of these immobilizer systems often isn't all that extravagant. Weak keys, reversible hashes, back doors, etc.
True that; after all it's still a chip with software, same as a PC or DVD player; it can all be accessed and modified with the right tools and enough knowledge. I still haven't checked the key qty in the car, as he came to work after I was gone yesterday, but I am planning on getting a spare key for myself this Sat, so I will know more based on my personal experience.

Re blade cutting: you are probably right, but I still think the "VIN coded key cut" is the easier way to go and definitely possible (the same thing was true for Fiat: you order a key based on the VIN number and it comes already cut). Providing that database is accessible to licensed locksmiths or, as tmtalpey rightfully said, to "other" people :) it should be possible to obtain a coded key without even seeing the car. Dunno, will try to find out on Saturday as well.

Re immobiliser: I was thinking, if you take the physical RFID chip from the tip of the key and put it into a blank eBay key, it will work and start the car, right? So at the same time, if you can replicate that same chip into another, you are ultimately creating a clone of the same chip with the same data and serial no. or whatever it has. The car should see no difference between those 2, at least that's my guess. The fob operates on a complicated rolling code similar to a shared authorisation key on a PC, hence it needs coding & pairing, but the RFID chip is probably much more "dumb". I think that could be an easier way than trying to force-code a new key to the car ECU, but I may just be guessing here.

Will try to find out as much as I can while doing the replacement; it's just my personal curiosity now, but I doubt I will be told much.
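A worked model of the two key designs argued over in this thread, added here as an example (my own toy code, not anything from the thread, from VIDA or from Volvo): the point that the car only checks the answer to its own challenge, the constant-code hypothesis from post #8, the "weak keys, reversible hashes" remark, and the chip-cloning idea in the post above. The MAC (truncated HMAC-SHA256), the 8-byte challenge and every key size are assumptions chosen for illustration; real transponder ciphers and the S40's CEM are not modelled. It shows why a clone built from one sniffed exchange works against a fixed-ID chip, fails against a challenge-response chip, and works again when the shared secret is small enough to brute-force from a single captured pair.

```python
"""Toy immobiliser model: fixed-ID vs challenge-response transponders.

Added example, not code from the thread or from any Volvo tool. Protocol,
key sizes and MAC are hypothetical stand-ins for illustration only.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


class FixedIdTransponder:
    """Constant-code chip: emits the same identifier whatever the car sends."""

    def __init__(self, ident: bytes) -> None:
        self.ident = ident

    def respond(self, challenge: bytes) -> bytes:
        return self.ident                       # challenge is ignored


class ChallengeResponseTransponder:
    """Keyed chip: answers with a MAC over the car's fresh challenge.
    Truncated HMAC-SHA256 stands in for a real transponder cipher (assumption)."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]


class ReplayTransponder:
    """'Clone' built only from a sniffed transcript: replays the recorded answer."""

    def __init__(self, recorded_response: bytes) -> None:
        self.recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded


class Immobiliser:
    """Whitelist of enrolled keys. 'fixed' mode compares identifiers;
    'cr' mode recomputes the MAC under each enrolled shared secret."""

    def __init__(self, mode: str, enrolled: List[bytes]) -> None:
        self.mode = mode
        self.enrolled = list(enrolled)            # identifiers or shared secrets
        self.log: List[Tuple[bytes, bytes]] = []  # what a sniffer at the antenna sees

    def authenticate(self, transponder) -> bool:
        challenge = os.urandom(8)                 # fresh each attempt; unused in 'fixed'
        response = transponder.respond(challenge)
        self.log.append((challenge, response))
        if self.mode == "fixed":
            return response in self.enrolled
        return any(
            hmac.compare_digest(response, ChallengeResponseTransponder(s).respond(challenge))
            for s in self.enrolled
        )


def brute_force_secret(challenge: bytes, response: bytes, key_bytes: int) -> Optional[bytes]:
    """Recover a short shared secret from one sniffed pair by trying every value.
    Feasible only because key_bytes is tiny: this is the 'weak keys' failure mode."""
    for n in range(256 ** key_bytes):
        candidate = n.to_bytes(key_bytes, "big")
        if ChallengeResponseTransponder(candidate).respond(challenge) == response:
            return candidate
    return None


def demo_fixed_id_clone() -> bool:
    """Constant-code key: one sniffed exchange is enough to build a working clone."""
    ident = b"\x01\x02\x03\x04"                   # constructed identifier
    car = Immobiliser("fixed", [ident])
    assert car.authenticate(FixedIdTransponder(ident))
    _, sniffed = car.log[-1]
    return car.authenticate(ReplayTransponder(sniffed))       # True


def demo_replay_against_challenge_response() -> bool:
    """Challenge-response key: the replayed answer fails the next, different challenge."""
    secret = os.urandom(16)                       # 128-bit shared secret
    car = Immobiliser("cr", [secret])
    assert car.authenticate(ChallengeResponseTransponder(secret))
    _, sniffed = car.log[-1]
    return car.authenticate(ReplayTransponder(sniffed))       # False


def demo_weak_key_recovery() -> bool:
    """Same protocol with a 16-bit secret: one sniffed pair hands the attacker the secret."""
    weak_secret = b"\x13\x37"                     # constructed, deliberately tiny
    car = Immobiliser("cr", [weak_secret])
    assert car.authenticate(ChallengeResponseTransponder(weak_secret))
    challenge, response = car.log[-1]
    recovered = brute_force_secret(challenge, response, key_bytes=2)
    return recovered == weak_secret and car.authenticate(ChallengeResponseTransponder(recovered))


if __name__ == "__main__":
    print("fixed-ID clone starts the car:", demo_fixed_id_clone())
    print("replayed answer vs challenge-response starts the car:", demo_replay_against_challenge_response())
    print("brute-forced 16-bit secret starts the car:", demo_weak_key_recovery())
```

Run it directly to print the three outcomes. The middle case is why a pure replay clone of a challenge-response chip should not start the car; the last case is the caveat that matters for this thread: challenge-response by itself proves nothing if the secret is short or the cipher is reversible, because a passive sniffer near the antenna then gets the secret from one captured exchange.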
 

Post #12 · Discussion Starter (Registered, 1,284 posts)
Update: after checking on the waterfall display, I can confirm that the car lists 2 keys programmed in, not 3.
Also, I tried to start the car with my key and it didn't even "bzzt", so the immobiliser is still active and recognising only the newly made key.
 

Post #13 · Discussion Starter (Registered, 1,284 posts)
...Aaaaaand to finish this thread with a nice summary for future, hopeful readers - I went on Sat to get my spare key just to be told after 1 hr that "sorry, can't be done" :facepalm::p

Had a chat with the fella, got some interesting info just to satisfy my curiosity, but that's all he could do. If it worked, the new key would be an identical clone of the existing one - he doesn't "add" another key to the system; the car still thinks it's key A you are using. It is obviously possible to extract this info either by connecting to the car or by reading out the signal between the chip and antenna, and then programming it to a blank chip. Knowledge & special equipment, and it would work IF my car was "normal". But as I suspected from the beginning, there have to be some differences in key programming between 4-pot and 5-pot cars. In Ireland, when you hear S40/V50 it's automatically a 1.6D, maybe 1.8 petrol or 2.0D if you are lucky. Nobody thinks of a P1 car as a 5-pot car with a Volvo engine and ECU... I am almost certain the same would happen with the D5 and 2.4i versions.

Anyway - ended up with a spare key blade cut, so at least now I have some backup in case of unfortunate emergency, but that concludes my "cheap spare key" quest.
 