!!! Open Your Mercedes with your Pocket PC !!!

[Skalski]

Hello,
I have an idea and a question.
First the idea:
I would like to create a program that will open my (and other) mercedes for me, because i'm sick of looking for the key all the time. The only problem is that the mercedes key uses different IR frequences every time the car is closed. That means it enables me to get into the car with remote programs for my Pocket PC. But after that I cant do anything, because the code changes. So here are my questions:
+Do any of you know any software that would go through all the combinations ?
+If no - Would anybody be willing to help me in developing such a program ? (Maybe for a small ammount of money even)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
NOTE - If You think I am a thief .. you are wrong --> Its just for my benefit of not having to look for the deamn key everytime I want to get one of my CDs from the car :lol:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
NOTE 2 - FOR ALL YOU AMERICANS (AND OTHER PEOPLE WHO DONT KNOW) : Yes, here in Germany we DO HAVE cars with Infrared Keys and don't even try to tell me we don't - because I am in posession of one.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Best wishes - TOM

 

[jrz126]

So instead of looking for your keys, you will have to find your pocket-PC?

Chances are, Mercedes spent quite a bit of time developing this feature, so it is probably very difficult to break/hack. If it was simple to do, then there is no point in locking your doors.

NOTE: MOST OF US AMERICANS don't drive Mercades, so we wouldnt be able to do any tests or anything on it.

NOTE 2: And by the way, the new Z06 Corvette that is coming out has a little transmitter in the key FOB, so that once you get within 3 ft of the car it will unlock the doors on it's own. and once you get in, all you have to do is push a button to start it. No key required, but just have to have the key FOB in your pocket. No need to push any buttons

 

[Skalski]

Its an Old one

My Mercedes was built in 1990 when Bill Gates and God had Pocket PCs.
Security feats ? I don't think there are - the pocket PC just has to Emulate the Key ... that's it

 

[jrz126]

it changes the frequency, which is probably designed to be very random. you could probably make it so your Pocket PC just sweeps through a large range of frequencies, but that would probably take some time to for it to do.

 

[Skalski]

That would be my idea - to create some kind of a device like that.
Another thing to do would be check all the frequencies (of the key) out with some other program to see which frequencies need to be used in the program i want to make.

 

[Skalski]

L00king

I am really looking for somebody who would (help me) look in the source code of that IR program - So that we can find out how to set it on transmission of ALL the IR palette of wavelenghts ... who can help me ? PLEASE

 

[zachtheterrible]

one small problem skalski, i think that you are talking about using the IR port on ur pocket pc. cars don't use IR, they use RF . . . IR being a light beam and RF being radio :lol:

 

[Skalski]

THATS WHAT I AM TALKING ABOUT !!! - People who DO NOT KNOW GERMAN CARS ... It bothers me so much ... I could cry !
MY 1990 MERCEDES BENZ E200D HAS AN INFRARED KEY
I am NOT AMERICAN - I DO NOT LIVE IN AMERICA
People : GO OUT AND EXPLORE the world - learn something about a topic before you SAY SOMETHING or freakin CALL MERCEDES BENZ IN GERMANY AND ASK THEM!!!!
I just want to find somebody to help me with that *CRY*

 

[JimB]

cars don't use IR, they use RF . . . :lol:

Zack, some cars use IR, some cars use RF.

One big problem with RF, at least in the UK, when these things first became fashionable, many of the receivers were of poor design (ie cheap) and were susceptible to overloading from strong signals from nearby transmitters. Result was a lot of unhappy drivers locked out of their nice shiny new cars!

IR does not have this problem. But I guess on a winters day when the car is covered in snow and ice, you have to clean the windo before you can unlock the thing.

JimB

 

[Oznog]

I think you're going to be very hard pressed to find information on how that key works, because the system was wholly designed to prevent anyone from duplicating a key. i.e. they do not want anyone to ever know how to do what you want to do.

Technically the numerical key inside the physical key is the big secret. They designed it so you can't determine that key from looking at its response to queries. The very protocol and algorithm for query and response are usually well guarded secrets as well to keep people from getting started figuring out how to hack it and deduce the numerical key.

 

[Skalski]

Maybe you can help me if I post the Pictures

THX Oznog
Very interesting.
I just opened my key - it is not as complicated as it seems
I will post a detailed photo and also the numbers which are on the device.

 

[Skalski]

Here is the key - can you tell anything from that ?

 

[Roff]

I would guess that it uses rolling codes, like garage door openers do, and modulates an IR LED with that code. Changing IR wavelengths would require a different LED for each wavelength, unless someone has come up with a tuneable LED - which I seriously doubt.

 

[Skalski]

Question:

Another general question:
So how does this whole thing work ? How is it possible for a program like TV Remote for Pocket PC to save all the different codes for example of a TV with just one LED? Is it not different wavelenghts it sends? Is it more a code ? If it is a code - how can you figure all the possibilities out and make a program run through all of them to open the door ?
(like ex.: 100100110 - find the range and then run through all of em)

 

[evandude]

if it is for a car door lock, it is probably a very long code, or maybe even an encryption algorithm with multiple code sequences or something weird like that... but to be honest, if it is something like a 64-bit code... even if you could try 1000 combinations per second it would take you half a billion YEARS to try all of them :lol:

you would also have to look at a scope trace of one of the signals to find out the bit spacing/timing and all that. it's not the kind of thing that's likely to be worth it. I mean you can spend 30 seconds looking for your keys, or half a billion years pointing your code breaker at your car and waiting for it to open :wink:

 

[zevon8]

I would think even with rolling codes, one of the first defences would be to detect a similar code stream as an " attempted break-in " and lock down the system for a period of time, making repeated attempts a very long trial and error. Think along the lines of a banking ATM machine where you are only allowed 3 tries with a PIN code, then the card is either kept by the machine or reported.

The system may even remember the last code used, and base the next code on that.. and it could do this several layers deep, meaning that even stumbling onto the code pattern would not be of much use without knowing what code to use next. Even with several keys issued to a vehicle, it would be simple to store ( in the cars memory ) what codes have been used, and what to expect next.

I would imagine Mercedes has gone to great lengths to avoid simple work-arounds.

 

[zachtheterrible]

sry skalski :lol: yes, i havent traveled the world yet (im only 16), and have never ever heard of an IR beamcar door opener :lol:

no hard feelings

 

[gerty]

Zach , next time you're around a Jeep Grand Waggoneer look at the overhead console. You'll see a small (3/4 " dia ) dark dome just behind the rearview mirror, that's the ir reciever. My wife has a Jeep and I had to dissassemble the reciever to get a code number off one of the ics' to order a replacement transmitter, $95 ouch!! ..

 

[crust]

I cant read the number off of the big circuit, but the small one is a serial eeprom, which may contain the code or whatever for the car. When the person referred to the frequency, I dont think they meant the freq of the light, but rather the frequency of the pulsing. Having said that, my thought is that the frequency of the carrier is fixed and the bit pattern changes each time it is pressed, using some kind of rolling code technology.

I believe the trick to synchronizing rolling codes is a secret of microchip and others that have developed that technology. However, the rolling code methodology is well documented. I know for fact that it can be learned by other systems. My opener uses rolling code and my car is able to learn it. The process was to use the car to record the rolling code from the transmitter, then to have the receiver listen to the car transmitter. It has been working for a couple of years.

 

[Skalski]

THX people

Thank you for your posts.

If you are scared to work hard - go ahead and don't try to break the code.
BUT: If you WERE able to manage to get a device that works like the key, and that woul break the code, you could sell it to police and towing comanies.
You COULD sell it to the auto Mafia (which would probably be more or less suicidal) - this, i think, would be a bad idea.
You coulde also sell it to Locksmiths
This is a MULTI million dollar project that is just waiting for somebody very experienced in IR and computers to attempt.