A few years after the first transponder-based vehicle keys appeared, the first transponder cloning device went on the market. As soon as that happened, a race began between the auto manufacturers and the cloning device manufacturers - a race that continues today. The auto manufacturers had already discovered that transponder keys provided a brand new revenue stream for the dealers, and wanted the consumers to continue coming back to the dealerships for duplicate transponder keys. The manufacturers of the cloning devices were providing a way for locksmiths, hardware stores, big box stores, etc. to compete in this new market, without investing huge sums of money in programmers and training for their employees. With one of the early cloners, a high school kid working part time at a hardware store could produce a working transponder key for many vehicles at a price that was significantly less than the dealership, with almost no training.
The auto manufacturers immediately tried to stop cloning with a new generation of transponders with proprietary software, protected by copyright laws and patents. The cloner manufacturers soon came up with work-arounds to bypass the copyright and patent laws with things like battery-powered printed circuits that mimicked transponder operation without violating the patents and copyrights. Next, the vehicle manufacturers went to more and more complex transponders that they hoped would be impossible to clone. The cloners became more sophisticated devices, some even connected over the internet to “Super Computers” that could provide the computing power necessary to crack sophisticated encryption algorithms, while keeping the operation of the cloners themselves as simple as possible.
As the race for complexity continued, the cloner manufacturers came up with an ingenious way to compete and lower costs at the same time. Instead of designing new keys every time the technology changed, some adopted a two-part transponder key system. This consists of a blade with a “U” shaped head and a transponder module that could be more or less permanently attached to any of the different key blades. With this system, the key manufacturers were able to deal with new systems at a greatly reduced cost just by changing the hardware and software in the transponder module. It was just a matter of time before cloneable heads were able to offer “universal” compatibility, where a single head module could be used to clone transponders from many different manufactures.
The most recent attempt by the vehicle manufacturers to force the consumer to return to the dealership for keys is the “Proximity Fob.” These systems allow the owner of the car to enter the vehicle, start the vehicle, shut down the vehicle, exit and lock the vehicle, all without having to remove the “Prox Fob” from their pocket or purse. Already, some cloners offer the ability to clone some prox fobs and more are on the way. Some of the early attempts even include the use of the same “universal” head modules already developed for vehicles that use keys. It’s going to be interesting to see what strategy the vehicle manufacturers try next to prevent cloning.
Of course, there have been unintended consequences from each new development. As the complexity of the systems has increased, so has the failure rate. The skyrocketing cost of keys, both at the dealership and for clones, is causing a backlash from consumers. (My doctor recently told me that she would “Never own another BMW” after she paid over $600 for a new key at the dealership.) And now, the so-called “Black Box Attack” (see sidebar) has prompted some insurance companies to notify their policyholders that own vehicles with proximity systems, to keep their prox fobs wrapped in aluminum foil, or keep them in “RF-Blocking” pouches or purses, and only take them out when they enter and start their vehicles. That pretty much eliminates the convenience factor from proximity systems and I’m waiting to see how the vehicle manufacturers respond.
With all of this in mind, let’s take a look at some of the newest developments in cloning technology.
Xhorse VVDI Key Tool
The VVDI Key Tool from Xhorse (Photo 1) is a hand-held cloner and a lot more. It not only clones keys, but it can also generate a wide variety of remotes by way of a built-in database of more than 1,200 types of remotes. More remotes are being added with each free update, by way of the new Xhorse updater tool. It can be used as a transceiver coil detector and tester to help in troubleshooting and system identification. In addition, it can read and manipulate data on most transponders, allowing you to “unlock” many transponders that have been “locked” including the Xhorse special 4D and 46 transponders as well as all 7935 transponders.
The VVDI Key Tool currently supports offline cloning of the following types of transponders:
- 36/46 Original or aftermarket chips
- 4D-40 bit 60, 63, 83, 67, 69, series chips
- 11/12/13/4c/30/33/42 chips
The VVDI Key Tool also supports online cloning (internet connection required) of the following types of transponders:
- Toyota 72-G chips
- Hyundai / KIA 70(4D-80) 80 bit chips
- Ford 83 80-bit chips
- All 48 chips
The VVDI Key Tool user manual is provided as a pdf file, and is well laid out and easy to use. I found it much easier to read and understand than many other manuals provided with Chinese-made devices. I do recommend printing out the manual and keeping it handy as a reference. The VVDI Key Tool simply has so many cool features that you won’t discover by simply “muddling through” the menus.
The Xhorse VVDI Key tool is available through many US suppliers.
Keyline USA 884 Decryptor Ultegra & 884 Mini
Both of these machines (Photo 2) have been on the market for several years, but their capabilities keep increasing thanks to their ability to be upgraded via the internet. In the recent past, updates have become available for cloning Megamos® Crypto (ID48) and Megamos® fixed code transponders used on VW Porsche, Audi and other vehicles (TKM Xtreme Kit), cloning Toyota “G” keys (no-cost upgrade), and a series of versatile OEM-style cloneable glass encapsulated transponders and “Carbon Wedge” cloneable transponders.
The most recent upgrade for the 884-series machines is the EEPROM EXRA Kit. This kit allows the user to produce a clone of a lost or missing key from a “BIN” file pulled from the vehicle. (A separate EEPROM reader, or some other type of device that can copy the key information from an instrument cluster or module, is required.) This cost-effective solution allows an automotive locksmith to produce a working key for many high-end vehicles when all of the keys have been lost or are missing. One of the great features of using the EEPROM EXTRA Kit is that it does not change any of the data in the vehicle itself, so if the lost or missing key is found or returned, both keys will still operate the vehicle.
Some of the standard features of both the 884 Ultegra and the 884 Mini include the ability to clone Philips Crypto (Second Generation) keys, Texas Instruments fixed code and encrypted keys, TK24, TK40, TK50, TK60 and TK100 electronic heads, and also works with the T2, T5, and TK1 single piece cloneable keys from various manufacturers. The full-featured keyboard supports manual code entry when needed as well as simple read / write cloning.
The TK40 / TK100 and the TK50 Electronic Universal Heads include a true transponder that does not require a battery and can mimic the functions of a wide variety of OEM transponders, both fixed code and encrypted. The TK40 / TK100 and the TK50 Electronic Heads can be mated with a variety of key blades. The TK40 / TK100 head is even compatible with many motorcycles as well and blades are also available for those applications. A complete listing of the current applications for the TK100 Universal Electronic Head can be downloaded at https://keyline-usa.com/uploads/file_uploads/upload_en_US_20180606095532.pdf
Keyline also offers several heads that allows the user to clone not only the transponder functions, but also the remote functions of almost all Ford vehicles found in the US. The RFD100 head offers the ability to clone both the transponder functions and the remote control functions on Ford vehicles using any type of fixed code transponders, Texas Crypto transponders and second generation Philips Crypto transponders. The RFD80 heads include an original Ford / Texas Instruments 80-bit transponder that can be programmed into the vehicle with a diagnostic device (or onboard if two working keys are available) along with a remote head that can be programmed into the vehicle with onboard programming. Three different key blades are available for the RFD100 and RFD80 heads that allow the locksmith to duplicate almost all Ford 8-cut keys, the new HU101 style side-milled keys used on many new vehicles and the Tibbe keys used on the Transit Connect from 2010 -2013. More information on these remote control heads can be found at: http://www.keyline.it/eng/catalog/transponder-technology/remote-controls/rfd100-rfd80.html
KeyDIY KD-X2 Tool
This tool shares many of the same features as the Xhorse Key Tool, and can be used as a hand-held cloner, remote cloner, remote generator, and more. The KD-X2 (Photo 3) is compatible with both iPhone and Android smartphones via Bluetooth. In conjunction with the phone app, the KD-X2 is easy to operate, easy to update both the operating software and the firmware, and gives the locksmith access to a huge and rapidly growing database of remotes and key systems.
When I first got my hands on the KD-X2, I wasted a fair amount of time looking for a user manual. As it turned out, I had failed to read part of the brochure that came along with the tool! There is no user manual in the traditional sense, but a user’s guide and complete instructions are included in the phone app. The KD-X2 does have some stand-alone functions such as transceiver ring detection and transponder chip identification and simple cloning, but most of the functions are controlled through the phone app. This gives the manufacturer the ability to provide updates on an on-going basis and fix “bugs” quickly when they are discovered.
The KD-X2 is powered by a 3.8 volt 2600 mAh lithium ion rechargeable battery that is charged through the USB port. A quick check online showed me that replacement batteries are not only readily available at a reasonable price, but that certain Samsung Galaxy phones also use the same battery, so replacements should be available for many years to come.
The KD-X2 has the ability to clone most transponders including the ID48 transponders used by VW, Audi and Porsche. The KEYDIA KD-X2 is available through most US distributors.
Ilco RW4 Plus with SNOOP
This standalone machine (Photo 4) does not need a computer for day to day use, but can be easily updated via the Internet. Ilco provides free software updates for a period of one year from the date of purchase. After that, most updates are available for a nominal charge. Some updates for new features are provided free of charge for registered owners. A free update was introduced in April of 2018 that added the ability to clone Texas 80-bit transponders used by Ford, Toyota, Hyundai / KIA and Subaru. This software also includes the ability to “pre-clone” 80-bit chips specifically for Subaru, which can then be used just like an OEM key for programming with a diagnostic tool equipped with the proper software.
Requirements for using the new 80 Bit cloning software include an internet connection and the “M-Box” adapter of the RW4 Plus. You will also need the new “Texas 80 Bit Plus” transponders or the “GTHT80 Plus Modular Head,” which is compatible with all Ilco “EB3 Modular Blades.” The transponders are compatible with most “Chipless” keys as well as the Ilco “Look-Alike™” or “Smart4Car™” keys.
The RW4 Plus is a fifth generation tool with the ability to clone all fixed code keys, Texas Instruments encrypted keys, as well as Philips encrypted keys. Ilco also produces a full line of modular electronic keys that are all compatible with the RW4 Plus. The RW4 Plus can also clone many one piece and two piece cloneable keys from other manufacturers.
The RW4 Plus features a keyboard for manual data entry when needed as well as for archiving. There is also a 12VDC power supply for use in vehicles. The RW4 Plus is also equipped with software for automatic code generation for pre-cloning operations.
One of the unique features of the RW4 Plus is the SNOOP module. This innovative device can be attached to a key and then used in a customer’s vehicle to help decode systems like the GM Circle Plus system (Philips encrypted). An easy to read LED indicator tells the user when enough information has been obtained to clone the key. This device can save you multiple trips to the vehicle or having to hook up a machine in the customer’s car. After the SNOOP has been used in the vehicle, it is inserted into the RW4 Plus and the information needed to clone the key is downloaded to the RW4 Plus. That information is then used to clone the key in a single pass, where some other machines may require multiple trips to the car.
For more information on the RW4 Plus go to: http://www.kaba-ilco.com/key-systems/products/automotive-key-tools-equipment-and-remotes/cloning/857872/rw4-plus.html
The Black Box Attack
Several years ago, police departments began receiving an increasing number of stolen vehicle reports on late model vehicles equipped with proximity fobs. As the number of stolen vehicles grew, witnesses began telling stories about a thief carrying a small box (lunchbox or briefcase size) simply getting into the cars and driving off as if they had a key. Eventually, security cameras recorded a few of these thefts and in the video, the thief seemingly did nothing but get into the car while carrying a box and drive away.
All manner of email warnings started appearing about the “Mysterious Black Box” that could let a thief simply get into a car and drive away. Urban legends were born and TV news reporters covered the increasing thefts as if they were some sort of great mystery.
The police, insurance companies, and the manufacturers soon figured out what was going on. The manufacturers tried to suppress the story, but the insurance companies soon issued warnings to the owners of high-end cars equipped with proximity systems to wrap their prox fobs in aluminum foil when not in use.
The “Black Box Attack” turned out to be a very simple, two-man procedure that security experts had predicted. One person with a device would simply hang around places that people with high end cars frequented. That device would then send out the “Query” signal used by various vehicles to locate and identify proximity fobs. This would trigger any prox fobs, which were in range, to reply with the coded information that allows the vehicle to identify the registered fob. That signal is very weak and normally cannot be detected more than a few yards away, but the same device that sent the query signal also had a very sensitive receiver that would pick up even faint signals. When the signal was received, it would be amplified and sent via a cellular connection to the device that the other thief was carrying.
The second device would then broadcast the identification signal at a much higher power than the fob would use. This signal would be received by every vehicle in range. If the second thief was in range of one of the cars whose owner was also in range of the first device, that car would unlock as it was designed to do when it received that signal. In many cases this would also flash the car lights, which helped the thief home in on the target. If the lights did not flash, all the thief had to do was pull the outside handle or push the button built into the handle and the vehicle would unlock. Once the vehicle was unlocked, all the thief had to do was get into the car and push the “Start” button and drive away.
RF blocking pouches are available to prevent this type of attack, but very few people take the time to use them, or to wrap their fobs in aluminum foil, so these thefts continue. Supposedly, the manufacturers are addressing the situation, but if they have come up with a way to prevent this type of theft, they have not made it public.