New BMW's getting stolen using blank BMW keys


contracttor

919 posts

185 months

Monday 17th September 2012
cptsideways said:
Would the mirrors by any chance be linked into the live CAN BUS wiring system??
No, but I do see what you are getting at.

http://wds.spaghetticoder.org/en/svg/sp/SP00000267...

RK1D

8 posts

139 months

Monday 17th September 2012
cptsideways said:
Would the mirrors by any chance be linked into the live CAN BUS wiring system??
That's what I was thinking. We know that some cars have been taken without smashing the window, is there some means of either bypassing the alarm or dropping the window via the connections in the back of the mirror?

youngsyr

14,742 posts

192 months

Monday 17th September 2012
RK1D said:
That's what I was thinking. We know that some cars have been taken without smashing the window, is there some means of either bypassing the alarm or dropping the window via the connections in the back of the mirror?
I know of one method of making the car drop the windows that the thieves are using, but it has nothing to do with the wing mirrors.

Sorry for being vague, but obviously I don't want to broadcast it. However, from what people have written on this thread about the details of their car's theft, it is quite often the method of entry.

So as not to alarm people unnecessarily, the damage done by the method is obvious and unmissable, you would know if someone had tried it on your car.

flashnazia

4 posts

139 months

Monday 17th September 2012
I have a couple of thoughts I hope others can help with.

In the YouTube vid, the car is pushed off the drive. Why did they do this and not just get in, start it and drive off?

Do all BMW cars with push-start (pre-11) allow a key to be reprogrammed when the car is off? (If so, surely this puts to rest the line that BMW are spouting; that 05/06 cars are not affected?)

Lastly has anyone else tried any other unconventional ways to secure their cars? The lilo in the driver's seat idea suggested earlier made me laugh!

youngsyr

14,742 posts

192 months

Monday 17th September 2012
flashnazia said:
I have a couple of thoughts I hope others can help with.

In the YouTube vid, the car is pushed off the drive. Why did they do this and not just get in, start it and drive off?

Do all BMW cars with push-start (pre-11) allow a key to be reprogrammed when the car is off? (If so, surely this puts to rest the line that BMW are spouting; that 05/06 cars are not affected?)

Lastly has anyone else tried any other unconventional ways to secure their cars? The lilo in the driver's seat idea suggested earlier made me laugh!
They pushed the car off the drive to reduce the noise travelling to the house when they started it. Most people would recognise the sound of their own car starting up and it could cause suspicion.

don'tbesilly

13,931 posts

163 months

Monday 17th September 2012
WeirdNeville said:
You can even code one key to multiple cars.
I'm not doubting what you've stated there WN, but how can that be the case?

don'tbesilly

13,931 posts

163 months

Monday 17th September 2012
contracttor said:
cptsideways said:
Would the mirrors by any chance be linked into the live CAN BUS wiring system??
No, but I do see what you are getting at.

http://wds.spaghetticoder.org/en/svg/sp/SP00000267...
This is a thought I've had (possible weakness in the electric mirrors).

On the E46 you could fold the wing mirrors from the fob (Press and hold the lock button on the key)

On the E9x that option was not activated/available from the factory, however it can be activated by coders or Indies with Autologic. I had mine activated by the latter, and I can now fold the mirrors from the fob (same way as the E46)

So if you can lock the car, and fold the mirrors from the fob, is there not a link somewhere in the wiring of the wing mirrors that can unlock the doors and turn off the alarm?

Does the above theory hold water, or am I missing something?


Edited by don'tbesilly on Monday 17th September 13:38

youngsyr

14,742 posts

192 months

Monday 17th September 2012
don'tbesilly said:
This is a thought I've had (possible weakness in the electric mirrors).

On the E46 you could fold the wing mirrors from the fob (Press and hold the lock button on the key)

On the E9x that option was not activated/available from the factory, however it can be activated by coders or Indies with Autologic. I had mine activated by the latter, and I can now fold the mirrors from the fob (same way as the E46)

So if you can lock the car, and fold the mirrors from the fob, is there not a link somewhere in the wiring of the wing mirrors that can unlock the doors and turn off the alarm?

Does the above hold water, or am I missing something?
That's some pretty far-reaching logic - yes there will be a link from the folding mirrors to the ECU and from the ECU to the locks and windows, but not all cars have folding mirrors (and so the link may well not be there and the thief won't know either way until they've attempted to locate it) and it seems unlikely that there will be a way to talk to the ECU through the link even when it is there - you need access to very particular cables to talk to the ECU.

So, why would a thief bother with the above when they could either smash the window or drill the door lock and know that they'll definitely have immediate access to the OBD II port?

WeirdNeville

5,961 posts

215 months

Monday 17th September 2012
don'tbesilly said:
WeirdNeville said:
You can even code one key to multiple cars.
I'm not doubting what you've stated there WN, but how can that be the case?
The key is a 'solid state' device - it's not particularly clever, it has an embedded code and a radio transmitter. The car does all the hard work - encryption and authentication of that code. So once the code is inserted into the Car Access and Security module, it is in effect a trusted key for the car and works it as normal.
Now, it shouldn't be possible to do that but it is, and who knows what the 'hack' actually does, but with a compatible key you pair it to the car and it works.

Let's say you have 2 2007 BMWs beside one another. You take the key from one and pair it to the other with your cunning device in the OBD. Both cars will now lock and unlock with the remote from that first car on the button press. And the key will start either vehicle - it's a trusted key for both cars. The coding process changes nothing on the key. I've been told that it can't. There's nothing 'codeable' on the key at all, it's a hardware chip with an embedded code. (yes, it's probably firmware and an elite haxx0r could probably play with it). The induction readers you see in the videos read the code out of the key and then pair it with the car.

gowmonster

2,471 posts

167 months

Monday 17th September 2012
don'tbesilly said:
WeirdNeville said:
You can even code one key to multiple cars.
I'm not doubting what you've stated there WN, but how can that be the case?
Because the car is coded to accept the key, not the other way round.
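The trust model described in the two replies above (the car holds the list of accepted keys, and pairing changes nothing on the key), as an added example that is not part of the original posts and not BMW's actual design. All class and function names are hypothetical, the key IDs and secrets are constructed, and the challenge-response gate on enrolment is an assumed mitigation shown for contrast:

```python
import hashlib
import hmac
import secrets

class Key:
    """Fob with a fixed ID; pairing never writes anything to it."""
    def __init__(self, key_id):
        self.key_id = key_id
        self.secret = secrets.token_bytes(16)  # constructed; used by the gated model

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class Car:
    """Toy vehicle: the allowlist of trusted key IDs lives in the car."""
    def __init__(self, name):
        self.name, self.trusted, self.audit = name, {}, []

    def accepts(self, key):
        return key.key_id in self.trusted

    def enroll_open(self, key):
        # Model from the posts: whoever reaches the port can add an ID.
        self.trusted[key.key_id] = key.secret
        self.audit.append((key.key_id.hex(), "unauthenticated"))

    def enroll_gated(self, new_key, present_key=None):
        # Hardened variant (assumption): an already-trusted key must answer
        # a fresh challenge before the allowlist is changed.
        challenge = secrets.token_bytes(16)
        secret = self.trusted.get(present_key.key_id) if present_key else None
        ok = secret is not None and hmac.compare_digest(
            present_key.respond(challenge),
            hmac.new(secret, challenge, hashlib.sha256).digest())
        if ok:
            self.trusted[new_key.key_id] = new_key.secret
        self.audit.append((new_key.key_id.hex(), "ok" if ok else "refused"))
        return ok

def demo():
    owner, spare = Key(b"\x01" * 4), Key(b"\x02" * 4)
    car_a, car_b, car_c = Car("A"), Car("B"), Car("C")
    id_before = spare.key_id
    car_a.enroll_open(spare)
    car_b.enroll_open(spare)      # same fob accepted by a second car
    multi = car_a.accepts(spare) and car_b.accepts(spare) and spare.key_id == id_before
    car_c.enroll_open(owner)      # stands in for the factory pairing
    no_key = car_c.enroll_gated(spare)            # nobody vouches for the new key
    wrong_key = car_c.enroll_gated(spare, spare)  # untrusted key vouches for itself
    with_owner = car_c.enroll_gated(spare, owner)
    return multi, no_key, wrong_key, with_owner, car_c.audit

if __name__ == "__main__":
    print(demo())
```

The audit list is the detection side of the same model: every change to the allowlist is recorded along with whether a trusted key was present for it.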

don'tbesilly

13,931 posts

163 months

Monday 17th September 2012
youngsyr said:
don'tbesilly said:
This is a thought I've had (possible weakness in the electric mirrors).

On the E46 you could fold the wing mirrors from the fob (Press and hold the lock button on the key)

On the E9x that option was not activated/available from the factory, however it can be activated by coders or Indies with Autologic. I had mine activated by the latter, and I can now fold the mirrors from the fob (same way as the E46)

So if you can lock the car, and fold the mirrors from the fob, is there not a link somewhere in the wiring of the wing mirrors that can unlock the doors and turn off the alarm?

Does the above hold water, or am I missing something?
That's some pretty far-reaching logic - yes there will be a link from the folding mirrors to the ECU and from the ECU to the locks and windows, but not all cars have folding mirrors (and so the link may well not be there and the thief won't know either way until they've attempted to locate it) and it seems unlikely that there will be a way to talk to the ECU through the link even when it is there - you need access to very particular cables to talk to the ECU.

So, why would a thief bother with the above when they could either smash the window or drill the door lock and know that they'll definitely have immediate access to the OBD II port?
I appreciate what you're saying, however I was talking about a weakness in the mirrors in terms of gaining entry to the car without breaking the glass.
Once inside the car, glass intact, alarm not activated (I get the blindspot in the alarm/motion sensors), you then have access to the OBD port.

WeirdNeville

5,961 posts

215 months

Monday 17th September 2012
I should really focus on my brevity.......

don'tbesilly

13,931 posts

163 months

Monday 17th September 2012
WeirdNeville said:
The key is a 'solid state' device - it's not particularly clever, it has an embedded code and a radio transmitter. The car does all the hard work - encryption and authentication of that code. So once the code is inserted into the Car Access and Security module, it is in effect a trusted key for the car and works it as normal.
Now, it shouldn't be possible to do that but it is, and who knows what the 'hack' actually does, but with a compatible key you pair it to the car and it works.

Let's say you have 2 2007 BMWs beside one another. You take the key from one and pair it to the other with your cunning device in the OBD. Both cars will now lock and unlock with the remote from that first car on the button press. And the key will start either vehicle - it's a trusted key for both cars. The coding process changes nothing on the key. I've been told that it can't. There's nothing 'codeable' on the key at all, it's a hardware chip with an embedded code. (yes, it's probably firmware and an elite haxx0r could probably play with it). The induction readers you see in the videos read the code out of the key and then pair it with the car.
Thanks WN, I've clearly misunderstood some aspects of how this is happening, let's hope what BMW have allegedly come up with is something that solves the problem, but my OBD port will remain hidden after any security update has been installed.
Let's face it, BMW have denied any such problem exists, which is why I'm less than comfortable with what we are being told now.

youngsyr

14,742 posts

192 months

Monday 17th September 2012
don'tbesilly said:
youngsyr said:
don'tbesilly said:
This is a thought I've had (possible weakness in the electric mirrors).

On the E46 you could fold the wing mirrors from the fob (Press and hold the lock button on the key)

On the E9x that option was not activated/available from the factory, however it can be activated by coders or Indies with Autologic. I had mine activated by the latter, and I can now fold the mirrors from the fob (same way as the E46)

So if you can lock the car, and fold the mirrors from the fob, is there not a link somewhere in the wiring of the wing mirrors that can unlock the doors and turn off the alarm?

Does the above hold water, or am I missing something?
That's some pretty far-reaching logic - yes there will be a link from the folding mirrors to the ECU and from the ECU to the locks and windows, but not all cars have folding mirrors (and so the link may well not be there and the thief won't know either way until they've attempted to locate it) and it seems unlikely that there will be a way to talk to the ECU through the link even when it is there - you need access to very particular cables to talk to the ECU.

So, why would a thief bother with the above when they could either smash the window or drill the door lock and know that they'll definitely have immediate access to the OBD II port?
I appreciate what you're saying, however I was talking about a weakness in the mirrors in terms of gaining entry to the car without breaking the glass.
Once inside the car, glass intact, alarm not activated (I get the blindspot in the alarm/motion sensors), you then have access to the OBD port.
Oh right, I see. On the E9X series at least the "proper" way to remove the wing mirror involves removing the door card from the inside. However, if you're not bothered about wrecking the door/mirror, there's probably a way to do it from outside. Whether you can do it without setting the alarm off, or can access the OBD II once it's off, I don't know.

No-one on this thread has reported the wing mirror missing on their stolen recovered car and we do know there are other ways to get in, so I'm assuming the wing mirror issue is a red herring - perhaps someone nudged it when walking/driving past. I've even seen a drunk person kick one off a car he was passing for no apparent reason.



don'tbesilly

13,931 posts

163 months

Monday 17th September 2012
gowmonster said:
Because the car is coded to accept the key, not the other way round.
Thanks for that, it's been a lightbulb moment.

don'tbesilly

13,931 posts

163 months

Monday 17th September 2012
youngsyr said:
Oh right, I see. On the E9X series at least the "proper" way to remove the wing mirror involves removing the door card from the inside. However, if you're not bothered about wrecking the door/mirror, there's probably a way to do it from outside. Whether you can do it without setting the alarm off, or can access the OBD II once it's off, I don't know.

No-one on this thread has reported the wing mirror missing on their stolen recovered car and we do know there are other ways to get in, so I'm assuming the wing mirror issue is a red herring - perhaps someone nudged it when walking/driving past. I've even seen a drunk person kick one off a car he was passing for no apparent reason.
Take the glass out of its housing and you can access the wires.

youngsyr

14,742 posts

192 months

Monday 17th September 2012
don'tbesilly said:
WeirdNeville said:
The key is a 'solid state' device - it's not particularly clever, it has an embedded code and a radio transmitter. The car does all the hard work - encryption and authentication of that code. So once the code is inserted into the Car Access and Security module, it is in effect a trusted key for the car and works it as normal.
Now, it shouldn't be possible to do that but it is, and who knows what the 'hack' actually does, but with a compatible key you pair it to the car and it works.

Let's say you have 2 2007 BMWs beside one another. You take the key from one and pair it to the other with your cunning device in the OBD. Both cars will now lock and unlock with the remote from that first car on the button press. And the key will start either vehicle - it's a trusted key for both cars. The coding process changes nothing on the key. I've been told that it can't. There's nothing 'codeable' on the key at all, it's a hardware chip with an embedded code. (yes, it's probably firmware and an elite haxx0r could probably play with it). The induction readers you see in the videos read the code out of the key and then pair it with the car.
Thanks WN, I've clearly misunderstood some aspects of how this is happening, let's hope what BMW have allegedly come up with is something that solves the problem, but my OBD port will remain hidden after any security update has been installed.
Let's face it, BMW have denied any such problem exists, which is why I'm less than comfortable with what we are being told now.
The problem is that the thief won't know for sure that the OBD II port is hidden away without breaking in even if you advertise it as hidden. I know of a car that was broken into with such a sticker on the window.

The thief's chosen method is obviously quick and quiet enough for them to take the risk on the off chance - leaving you with an insurance claim and a repair bill for £X,XXX even if your car doesn't go missing.

The same issue is there with an alarm, sure it stops the car going missing, but will it stop them attempting a forced entry on the off chance?

If your car is visible from the road and/or you're in a high risk area, I'd suggest fitting (and routinely using) some other form of visible security until this method of theft (hopefully) dies out with the software update.

don'tbesilly

13,931 posts

163 months

Monday 17th September 2012
WeirdNeville said:
I should really focus on my brevity.......
No need WN, whilst gowmonster's explanation was very short and conveyed the message very succinctly, your post was very imaginative and detailed, and beautifully written.

Keep up the good work, do you get marks for the reports you write from your superiors?

Mr Bimmer

283 posts

164 months

Monday 17th September 2012
Folding mirrors are coded from the footwell module, so the mirror housings have no bearing on the thefts. (AFAIK)

You would be surprised just how much activity the motion sensor misses. It really is quite burglar friendly.




dasbimmerowner

364 posts

141 months

Monday 17th September 2012
I'm hoping my disklok will be enough to deter them, criminals can pick on loads of Bimmers on the estate I live on; my oil burning alpine white model only has to be one of the hardest ones to nick, right? A recent walk round showed that mine was the only car to wear a disklok - that's not the only BMW, but the only car.

I've strapped my OBD Connector in a place that is a real bugger to reach, as well as switching a couple of the inputs, and I'm doing something a little unique with the wife's old rape alarm and the OBD cover, so even if the port is opened my very quiet street will all know about it - might have to warn Mr BMW about that in 8 weeks. I also set my car stereo on something bass heavy and reasonably loud, so should anyone put a working key in - it makes some more noise.

I think it'd be fair to say this isn't what I expected from BMW ownership.

Edited by dasbimmerowner on Monday 17th September 15:35