Transponder Cloning Technology Basics

Aug. 2, 2013
Before investing in equipment, make a list of the vehicles that you see on a regular basis. Then choose a machine that will serve your needs.

“Cloning” is one of those buzzwords that have crept into our daily language in this new age of technology.  More often than not, you hear the term used interchangeably with duplication, but in reality, a clone is much more than a simple duplicate.  In the biological world, clones are identical down to a microscopic level.  In our world of transponder keys, a clone key may look very different from the original, but the electronic information transmitted by the keys is identical to the point of being indistinguishable from one another.  Key cloning allows an unlimited number of keys because the vehicle cannot distinguish one clone key from another.

In order to understand the difficulty involved in the process of cloning, you must first understand the different types of transponders that can be cloned.  Most transponder keys fall into one of three broad categories: Fixed Code, Rolling Code, or Encrypted.  But, before we can understand how these types of transponders are different from each other and what is involved in cloning them, we need to understand basic transponder technology.

Automotive Transponder Basics

The first transponder system used on domestic vehicles was the Ford system, introduced in 1996.  That early system used a transponder contained in a glass cylinder that was inserted into a chamber in the head of the key during the manufacturing process.  The transponder inside the glass cylinder is a simple radio frequency (RF) transmitter / receiver connected to a tiny computer chip.  (The term “Transponder” is shorthand for Transmitter / Responder.)

When the transponder is exposed to an electromagnetic field of the proper frequency and strength, an electrical charge is induced in the antenna coil inside the transponder and stored in a capacitor until enough power is available to power the transmitter.  When the capacitor is charged, it then powers up the radio transmitter to broadcast a very weak signal back to the vehicle.  (The process of charging the capacitor and then broadcasting the information only takes milliseconds.)  That signal is then detected and analyzed by the theft-deterrent module (TDM) in the vehicle.  If the TDM detects an authorized signal, it sends a “Run” signal to the other computers in the vehicle that will allow the car to start.  If an incorrect signal or no signal is detected, the “Run” signal will not be sent and the vehicle will not start.

The technology has improved greatly and the information that is exchanged between the transponder and the TDM is now much more complex, but the basic system remains the same.  On most vehicles, the TDM is built into the transceiver ring that surrounds the ignition lock.   When the “Run” signal is transmitted to the vehicle computer, that computer can control several systems, including the starter, fuel pump, fuel injectors, and ignition system.

Cloning a transponder key is a two-step process that includes reading, analyzing and storing the information transmitted by the original key, and then programming the clone key to transmit information that is indistinguishable from the information transmitted by the original key.  But in transponder cloning, as in life, the devil is truly in the details.  The information transmitted by the transponder is incredibly complex, and that very complexity is patented and copyrighted, which brings legal issues as well as technological issues into any discussion of cloning.

Fixed Code Transponders

The earliest transponders are incredibly simple in comparison to most of the transponders in use today.  The information broadcast by these fixed code transponders is always the same.  In essence, each transponder has a unique serial number that it broadcasts whenever the transponder is exposed to the proper electromagnetic field.  The original Ford system used a Texas Instruments transponder that had the potential for 74 quadrillion different combinations.  For all intents and purposes, every fixed code transponder in this system has a unique code.

The process of cloning one of these fixed code transponders involves triggering the original transponder to broadcast its signal, recoding that signal, and then programming a new transponder to broadcast the same signal as the original.  Most first generation of transponder cloning devices were limited to cloning fixed code transponders.

Of course, a transponder cloning device also requires a key that has a programmable transponder that is capable of mimicking the behavior of the original transponder.  This is where the legal issues come into play.  While it is theoretically possible to clone any fixed code transponder, the technology to actually do it may violate patents and copyrights.  This is why the original Ford keys, which used the simplest technology, were not clonable for a very long time. 

Rolling Code Transponders

Rolling codes were the next step forward from fixed code transponders.  A rolling code transponder might be programmed with several hundred individual codes.  Every time the transponder is activated, it rolls to the next code in the series.  The vehicle would not only know every one of the codes, but also the proper sequence for the codes to be used.

This type of system is more prone to problems than the fixed code system and for that reason is not as popular with the manufacturers.  If a key is repeatedly exposed to the kind of signals that trigger it, such as military radar systems, the system can get out of sync.  Also, having multiple keys or a spare key that is rarely used will confuse the system occasionally.

This type of system would be much harder to clone.  The cloning device would have to force the original key to transmit all of the codes and record them in the correct sequence on the clone key.  And of course, the clone key would have to have a proper chip that can be programmed with this complex information and then mimic the operation of the original key without violating patents and copyrights.

Encrypted Systems

The transmissions from encrypted systems are much harder to clone, but at the same time present the manufacturers with fewer problems than the rolling code systems.  Encrypted systems work on a completely different principal than either fixed code or rolling code systems.  In an encrypted system, the information that the transponder broadcasts may never be the same twice.

Each encrypted transponder has a unique “Algorithm,” which is a step-by-step procedure for a series of calculations.  Basically, every time a transponder key is used, it takes a math test.  The vehicle computer will generate a random number and transmit it to the key.  When the transponder in the key receives the random number, it will then process that number through its algorithm and send back the result.  Since the vehicle computer knows the algorithm for each key and the random number, it also knows what to expect back from the key.  Only when the TDM receives the correct answer, will it send the “Run” signal.

The level of encryption is expressed as the number of “bits” used in the key needed to decrypt the transmission.  Early encrypted systems used a 40-bit encryption.  In order for a computer to “crack” a 40-bit encryption, it would have to try approximately a trillion different combinations.  (A trillion is about twice the population of humans on the entire Earth!)  A 40-bit encryption level is now considered to be a low level of encryption despite the fact that it is a much higher level of encryption than the military used only a few decades ago.  In fact, up until 2000, 40-bit encryption systems were the highest level of encryption that the U.S. government would allow to be exported.

The latest systems use an 80-bit encryption, but some are already talking about 128-bit encryption.  It’s hard to make an argument for these higher levels of encryption solely as an ant-theft issue.  Many believe that manufacturers are increasing the encryption level to prevent cloning.  Since transponder keys were first introduced, key duplication and replacement has gone from being a nuisance issue to becoming a profit center for many vehicle dealerships.  Ford in particular is encouraging dealerships to provide as much key service as possible while doing everything they can to convince owners that the only way to have a “Genuine Ford” key for their vehicle is to bring it back to the dealership.

As you might imagine, cloning encrypted keys makes everything that came before them look easy.  This also helps to explain why we are now in the fourth or fifth generation of cloning devices.  It also explains why so many new cloning devices either rely on an Internet connection or offer periodic updates for their software via the Internet.

Legal Issues

No automotive manufacturer actually wants their transponder keys to be cloned.  They have spent, and continue to spend, a great deal of money trying to prevent cloning, or make to it so difficult that it is not practical to clone their keys. 

The legal issues involved in cloning are as complicated as the technology mainly to prevent cloning.  Naturally, the transponders themselves are patented, and the software that allows them to operate is copyrighted.  But many locksmiths don’t seem to understand who owns these patents and copyrights.  To illustrate this, let’s look at the Texas Instruments encrypted transponder that is used in the STRATTEC 599114 key blanks.

Since this transponder is manufactured by Texas Instruments (TI), most assume that TI holds the patents and copyrights.  That is not exactly true.  While TI designed and developed this transponder, the work was actually done for the Ford Motor Corp.  Ford owns most of the patents and copyrights that apply to this particular transponder.  Texas Instruments manufactures the transponder exclusively for Ford, and Ford controls the distribution of the transponders.  In turn, Ford licensed STRATTEC as the sole manufacturer of key blanks that contained that transponder. 

Since cloning is not encouraged by the manufacturers, most of the research and development associated with developing cloning technology boils down to finding new and better ways to get around the patents and copyrights.  This work falls into two main categories – finding a way to mimic the software without violating copyrights and developing new transponders and transponder-like devices that don’t directly violate any patents.

One of the most obvious ways to clone a transponder without violating patents is to clone the functions of the transponder onto a device that is not technically a transponder but will perform the same function as the transponder.  This is where the “Electronic Keys” (EK Keys) come in.  These EK keys use a printed circuit much like those used in vehicle remotes to emulate the functions of the transponders that are protected by patents, without actually violating the patents.  In most cases, the EK keys provide a great alternative to expensive dealer-only keys, but they tend to be slightly larger, require a battery, and are generally more prone to damage than the keys they replace.  EK Keys, like remotes, generally don’t like to be dropped in the water, get stepped on, or left in extremely hot or cold places.

Another way to get around some patents is provided by the transponder manufacturers themselves.  Naturally they want to sell as many transponders as possible, so in some cases transponders that could not be sold legally to key manufacturers are sold in other industries, such as the shipping and veterinary industries.  The shipping industry uses transponders to track shipping containers, pallets, and individual cartons of high value merchandise.  The veterinary industry uses transponders for tagging and tracking cattle and other livestock as well as for microchipping  pets.  (My two dogs and my cat all have Texas Instruments glass cylinder transponders very similar to the ones used in the early Ford keys embedded between their shoulders.)

Many of the transponders used in other industries are designed to be “rewritten” many times so that the user can store individualized information on the transponders.  Enterprising souls in the locksmith world have made it their business to locate readily available rewritable transponders that can be used as substitutes for those used in OEM transponder keys.  Those transponders are then used in clonable keys.

Most transponders are manufactured in China and many Chinese industries are legendary for simply ignoring patents and copyrights.  Millions of transponders coming out of China are virtual clones of patented transponders.  Some are changed just enough to skirt around the patents and also provide the ability for the transponder to be rewritten.  Many of these chips find their way into clonable keys.

Cloning Devices

There are many cloning devices on the market today, and more are appearing all the time.  Naturally you want a machine that will clone the largest variety of transponder keys possible.  You also want to make sure that whatever machine you buy has the capability to be updated, since transponder technology is changing so rapidly.  You also want to choose a manufacturer that has a good reputation and track record.

Avoid machines made by companies you’ve never heard of, or companies that have no distribution network in the United States.  A transponder cloning machine is only as good as the supply of keys that it will work with.  Most conventional clonable keys will work with a variety of machines.  Many of the electronic / modular clonable keys can only be used with specific machines, however.

Another option to consider is whether you plan on doing motorcycle work.  In recent years, Harley Davidson, Honda, Kawasaki, Yamaha and others have begun offering transponder-based anti-theft systems.   Many of these systems are now clonable, so if you service motorcycles, you need to factor that into your planning.

In the early days of home computers, most experts advised people to decide on the software that they wanted to use first and then choose a computer that would run that software.  A similar situation now exists with cloning devices.  I would recommend that you first determine what keys you want to be able to clone, and then choose a cloning device based on your needs.  We all know our own individual markets and the types of vehicles that we will likely be working on.  Make a list of the vehicles that you see on a regular basis and then choose a machine that will serve your needs.

Below is a list of some of the more popular cloning devices, listed alphabetically by manufacturer.

Advanced Diagnostics 900 Pro Transponder Duplicating System (AD900 Pro).  Located in the UK with branches all over the world, Advanced Diagnostics (AD) has been producing transponder service equipment from the very beginning. While they do not manufacture key blanks, they do work closely with the major manufacturers. The AD900 Pro is designed to support the professional locksmith and support clonable keys. Software programs to clone transponder and electronic keys from a number of key blank manufacturers are offered.

Designed to be a standalone machine, the AD900 Pro can be used easily in the field without an Internet connection. Featuring a full keyboard as well as dedicated read and write controls, the AD900 Pro can be used for simple cloning, but also supports manual data input for “pre-cloning” operations.  With the proper software, it can clone all fixed code systems as well as many encrypted systems such as the Crypto 42 transponder and the Texas Instruments 4C and 4D transponders.

Software for the AD900 Pro is sold separately so you can buy only the software that you need. New software is constantly being introduced, and one of the most recent additions allow the user to clone some of the keys used on Volvo CAN vehicles. Some of the more advanced encrypted systems do require an Internet connection, however. The Internet connection allows the AD900 Pro to connect to a computer system with much greater power, which allows you to clone these encrypted keys much more efficiently than a stand-alone unit could.

The AD900 Pro also offers a complete listing of the applications for the AD900 Pro that can be downloaded from the Advanced Diagnostics website.

More Info: http://www.adusa.us/AD900.php

Keyline USA 884 Decryptor Ultegra . This standalone cloning device is designed to clone Philips Crypto (Second Generation) keys, Texas Instruments fixed code and encrypted keys, TK24, TK40, TK50, TK60 and TK100 electronic heads, and also works with the T2, T5, and TK1 single piece clonable keys from various manufacturers.  The full-feature keyboard supports manual code entry when needed as well as simple read / write cloning.

The new “TK100 Electronic Universal Head” has several new features including a true transponder that does not require a battery and can mimic the functions of a wide variety of OEM transponders, both fixed code and encrypted.  The TK100 Electronic Head can be mated with a variety of key blades that allow you to clone many vehicle keys without stocking a large assortment of transponders.  The TK100 head is even compatible with many motorcycles.  A complete listing of the current applications for the TK100 Universal Electronic Head can be downloaded at www.keyline.it/files/tk100-rk60/tk100-rk60_68667.pdf.

Keyline also offers the RK60 head that allows the user to clone not only the transponder functions, but also the remote functions of many vehicles keys.  At this time the applications for this technology are mostly for European vehicles that are not exported to the North America, but that may be changing soon.

Software updates are available and the machine can be updated via a USB connection as needed, but no computer is required for normal operation.  The 884 Decryptor Ultegra also features a 12VDC power option so that it can be operated from the cigarette lighter in the customer’s car.

The functionality of the 884 Decryptor Ultegra has recently been enhanced with the addition of new clonable fob kits for some BMW and Volvo vehicles.  At the time I am writing this, details of these new products are still sketchy, but this will be the first time that any BMW or Volvo transponder systems could be cloned in a cost-effective manner by locksmiths.

More Info: www.keyline.it

Ilco RW4 Plus Transponder Duplicator, with SNOOP  This is another standalone machine that does not need a computer for day to day use, but can be easily updated via the Internet.  Ilco provides free software updates for a period of one year from the date of purchase.  After that, updates are available for a nominal charge.

The RW4 Plus is a fifth generation tool with the ability to clone all fixed code keys, Texas Instruments encrypted keys, as well as Philips encrypted keys.  Ilco also produces a full line of modular electronic keys that are all compatible with the RW4 Plus. The RW4 Plus can also clone most one-piece and two-piece clonable keys from other manufacturers.

The RW4 Plus features a keyboard for manual data entry when needed as well as for archiving. There is also a 12VDC power supply for use in vehicles. The RW4 Plus is also equipped with software for automatic code generation for “pre-cloning” operations.

One of the unique features of the RW4 Plus is the SNOOP module. This innovative device can be attached to a key and then used in a customer’s vehicle to help decode systems like the GM Circle Plus system (Philips encrypted). An easy-to-read LED indicator tells the user when enough information has been obtained to clone the key. This device can save you multiple trips to the vehicle or having to hook up a machine in the customer’s car.

After the SNOOP has been used in the vehicle, it is inserted into the RW4 Plus and the information needed to clone the key is downloaded to the RW4 Plus. That information is then used to clone the key in a single pass, where some other machines may require multiple trips to the car.

In January of 2013, Kaba / Ilco introduced the EH3LB multi-system electronic head that is compatible with all existing Ilco modular blades. This electronic head does not require a battery and can mimic the functions of both the Texas Instruments and Phillips encrypted transponders.

More Info: www.kaba-ilco.com

Jet iClone (Intelli-Clone) The iClone machine

Jet Hardware manufactures a full line of transponder key blanks including clonables, modular clonable key blanks and chipless transponder key blanks for most transponder applications including those using Texas Instruments and Philips fixed and encrypted applications. The modular heads are available without transponder, which allows a locksmith to easily recover the transponder from a damaged or miscut key for reuse.

The Jet iClone machine is designed to operate all of their clonable transponder keys. This cloning machine does not require Internet connection for cloning encrypted transponders. The iClone has dedicated read and write controls and a full keyboard. Jet also offers product support for the iClone machine. They have a trade-in program for competitive cloners and incentive pricing. 

More Info: http://www.jetkeys.com

JMA TRS-5000 EVO. This standalone machine replaces the earlier TRS-5000 machine, and competitive trade-in programs are available. This machine features automatic updating whenever the machine is connected to the Internet, but no Internet connection is required for normal use. The TRS-5000 EVO uses a simplified two-button read/write control.

The TR-5000 EVO can clone all fixed code keys as well as Texas Instruments encrypted and Philips encrypted keys. In addition, the TRS-5000 EVO can clone the proprietary JMA TP05, TPX1, TPX2, and TPX4 transponders. These transponders allow the user to supply their customers with true transponder keys in place of larger modular electronic keys. These keys require no battery and the transponders themselves are waterproof.

JMA is the second largest key blank manufacturer in the world and offers a full line of domestic and import keys. All JMA transponder keys feature easily removed transponders and empty “shell keys” are readily available.  This allows a locksmith to easily recover the transponder from a damaged or miscut key for reuse.

More Info: www.jmausa.com

A final word of warning: Many of the transponder tools and transponder keys offered for sale on the Internet are illegal copies of legitimate products.  Some of these knock-off tools even use the same part numbers as the legitimate tools and will pop up in almost any Internet search.  As a general rule, these knock-off machines cannot be updated and have no warranty or support of any kind.  The manufacturers listed above have all spent a great deal of time and money developing tools for our industry.  As a security technician, I hope you realize that buying illegal tools and equipment hurts us all.  If you find a price on a copy of one of the machines listed here that seems too good to be true, I can assure you that it is.

Steve Young is the founder and former owner of Tech-Train Productions.  He has been making video training for locksmiths since 1988, and is the author of “Steve Young’s Quick Reference Automotive Manual.”  He is also the owner of AutoLockInfo.com.  You can reach Steve at [email protected]