Maserati Key - $650 Replacement Cost
41 - 58 of 58 Posts
Joined
·
5,349 Posts
The transponder has nothing at all to do with the alarm. Its only function is to disarm the immobiliser.
C
Joined
·
5,349 Posts
Dollars to donuts that if correctly cloned the car will start but the alarm won't shut off.
The alarm / central locking and immobiliser systems are completely separate.
C
Hi,
This may help some of you in need of duplicate keys for your 2004-2007 Gran Sport, 2007-2012 Gran Turismo, or 2004-2011 Quattroporte.
This has been covered in aspects by prior posters.
I'm simply consolidating other's advice with a procedure that works:
1) There are three independent functions to the Maserati Key of this era.
A. The mechanical key - for the key cylinder in the driver's door, the trunk (boot), and the steering column.
B. The transponder - an RFID glass capsule (embedded in the key shell) with a fixed 96-bit binary code that is transmitted to the NBC139 (Body Control Node) when polled by a transceiver wrapped around the steering column key cylinder.
Upon receiving a valid binary code (factory programmed to the car (for each key)) - the NBC enables the ECU to energize the injectors and ignition (and perhaps other funcs).
This security system comprises the "Immobilizer".
C. The 3-button Key FOB - communicates with the NBC via a binary code (modulated via ASK) on a 433.92 MHz carrier - to lock/unlock doors and trunk.
(And open or close windows and sunroof with 4 second key presses.)
The FOB appears to use an HCS rolling code - making it likely pointless to clone - more on that in a minute.
Creating a new key that will unlock and start the car requires only Attributes A and B:
For Attribute A: duplication requires an SIP22 (Fiat) blank and preferably your Mechanical Key code (but can be cut without).
(The mechanical key code is on a card that came with the Owner's Manual Kit - if you don't have one (I did not) then any Maserati Dealer will reproduce it for $10 if you prove ownership (e.g. present a copy of the Title.))
The dbl sided key-way is milled on a laser cutter (the laser is for point to point position/key-way mapping; the actual cutter is an end mill).
This is a job easily performed by a competent locksmith and costs about $20 per mechanical key. (the laser cutter is about $1.5K)
The mechanical key will turn all the cylinders - but it won't start the car (or disable the alarm).
For Attribute B: there are two options (we are concerned with Option i.)
Option i. CLONE an existing key (specifically clone its transponder) -
Due to the recent advent of some lower priced equipment - cloning the transponder is now easy and affordable.
(the real milestone making 'Option i' even possible was the reverse engineering published in 2013 of the specific encryption algorithm used in our cars (and other exotics) - journal article is attached; hint - not all 96 bits are used; sometimes only half of them)
Option ii. GENERATE a New Transponder Code and program it into the NBC (not possible without $$ equipment and expertise)
(I do not recommend using a local Locksmith for this latter operation unless they have done Maserati keys/cars of this era before - the reason being it can (and has) brick(ed) the NBC and require(d) a new NBC (and/or ECU) - at a cost of up to $8K).
For Attribute C: Cloning a useful FOB from the original is possibly pointless.
I am still investigating this - but I believe it is not possible to make a CLONE that does not negate the FOB fnc of the original.
Instead I think FOBs need to be Generated and Added - E.g. deleting all keys from the NBC and then adding (programming) back the originals and newly Generated (FOB] spare(s). (Specifically: minus specialty equipment - if one needs the FOB to work - it requires a Dealer visit to buy and add a key to NBC. Because while it is likely possible to Clone the FOB to a Blank FOB (copy the encryption seed and algorithm) I think this would render only one functioning FOB as the codes roll forward on whichever (orig or clone) is next used (making the unused FOB code unrecognized by the NBC for the next handshake).
If it works after I do it (FOB clone) - I'll post an update.
Procedure (that I used to make a spare to manually unlock and start the car (no FOB functionality (yet))):
1) Buy an Xhorse Mini Key Tool ($109 on EBay; $130 on Amazon; $120 from Xhorse)
2) Choose one of the following (I chose a. and b. and made two spares):
a. A VVDI Super Chip XT27A ($35 for ten) and a SIP22TE Key Blank ($20 cut)
b. A Maserati 3 button Flip Key - with FOB, key blank, and ID48 Transponder capsule ($55-75 on Amzn; $50 on EBay)
(note: this era Maserati uses the Megamos Crypto ID48 Transponder and the T48 subtype - don't worry - a different subtype does not appear to prevent a valid write - and the Blank Super Chip appears to clone all of the variations T6, T33, T48, -A , -K, ...).
c. An Xhorse (or equivalent) flip key with a SIP22 blank and a Super Chip
3) Get the blank key cut at a locksmith
4) Download the Xhorse app to your Android or IPhone; create an account
5) Connect via BT to the Mini Key Tool; update its firmware
6) Sit in your car
7) Select Transponder Clone from the App Menu; insert original Key; read Key - it will return a HEX ID and say Locked and Cloneable
8) Tap 'Clone'
9) Place the new key/transponder (what you selected (a,b,c) above) in the Mini tool - it will confirm that it is Writeable
10) Place the Mini tool near the ignition cylinder - then with the Original Key turn the ignition On then Off a total of 8 times - removing and reinserting the key each time - this is called Sniffing.
11) The App will take the sniffed data and upload it to a server that will crack the 96-bit binary code (takes about 2 minutes).
12) You will then be instructed to place the blank into the Mini and it will write the Transponder code and Lock it.
13) You now have a spare key. Total cost - about $155-200 for the first key (this includes the price of the $120 Mini tool) and ~$30 per key thereafter - and you can do all your friends cars - and your other cars (the Mini tool will clone or generate a variety of keys - including Smartkeys).
Note: If the car is locked and you lose your key - deploying the spare into the door cylinder will trigger the alarm.
No worries - as soon as you place the key in the ignition and turn it On - the alarm will be deactivated.
It will briefly display a warning that a 'break in was detected' then clear itself.
Hope this helps,
Mark
This may help some of you in need of duplicate keys for your 2004-2007 Gran Sport, 2007-2012 Gran Turismo, or 2004-2011 Quattroporte.
This has been covered in aspects by prior posters.
I'm simply consolidating other's advice with a procedure that works:
1) There are three independent functions to the Maserati Key of this era.
A. The mechanical key - for the key cylinder in the driver's door, the trunk (boot), and the steering column.
B. The transponder - an RFID glass capsule (embedded in the key shell) with a fixed 96-bit binary code that is transmitted to the NBC139 (Body Control Node) when polled by a transceiver wrapped around the steering column key cylinder.
Upon receiving a valid binary code (factory programmed to the car (for each key)) - the NBC enables the ECU to energize the injectors and ignition (and perhaps other funcs).
This security system comprises the "Immobilizer".
C. The 3-button Key FOB - communicates with the NBC via a binary code (modulated via ASK) on a 433.92 MHz carrier - to lock/unlock doors and trunk.
(And open or close windows and sunroof with 4 second key presses.)
The FOB appears to use an HCS rolling code - making it likely pointless to clone - more on that in a minute.
Creating a new key that will unlock and start the car requires only Attributes A and B:
For Attribute A: duplication requires an SIP22 (Fiat) blank and preferably your Mechanical Key code (but can be cut without).
(The mechanical key code is on a card that came with the Owner's Manual Kit - if you don't have one (I did not) then any Maserati Dealer will reproduce it for $10 if you prove ownership (e.g. present a copy of the Title.))
The dbl sided key-way is milled on a laser cutter (the laser is for point to point position/key-way mapping; the actual cutter is an end mill).
This is a job easily performed by a competent locksmith and costs about $20 per mechanical key. (the laser cutter is about $1.5K)
The mechanical key will turn all the cylinders - but it won't start the car (or disable the alarm).
For Attribute B: there are two options (we are concerned with Option i.)
Option i. CLONE an existing key (specifically clone its transponder) -
Due to the recent advent of some lower priced equipment - cloning the transponder is now easy and affordable.
(the real milestone making 'Option i' even possible was the reverse engineering published in 2013 of the specific encryption algorithm used in our cars (and other exotics) - journal article is attached; hint - not all 96 bits are used; sometimes only half of them)
Option ii. GENERATE a New Transponder Code and program it into the NBC (not possible without $$ equipment and expertise)
(I do not recommend using a local Locksmith for this latter operation unless they have done Maserati keys/cars of this era before - the reason being it can (and has) brick(ed) the NBC and require(d) a new NBC (and/or ECU) - at a cost of up to $8K).
For Attribute C: Cloning a useful FOB from the original is possibly pointless.
I am still investigating this - but I believe it is not possible to make a CLONE that does not negate the FOB fnc of the original.
Instead I think FOBs need to be Generated and Added - E.g. deleting all keys from the NBC and then adding (programming) back the originals and newly Generated (FOB] spare(s). (Specifically: minus specialty equipment - if one needs the FOB to work - it requires a Dealer visit to buy and add a key to NBC. Because while it is likely possible to Clone the FOB to a Blank FOB (copy the encryption seed and algorithm) I think this would render only one functioning FOB as the codes roll forward on whichever (orig or clone) is next used (making the unused FOB code unrecognized by the NBC for the next handshake).
If it works after I do it (FOB clone) - I'll post an update.
Procedure (that I used to make a spare to manually unlock and start the car (no FOB functionality (yet))):
1) Buy an Xhorse Mini Key Tool ($109 on EBay; $130 on Amazon; $120 from Xhorse)
2) Choose one of the following (I chose a. and b. and made two spares):
a. A VVDI Super Chip XT27A ($35 for ten) and a SIP22TE Key Blank ($20 cut)
b. A Maserati 3 button Flip Key - with FOB, key blank, and ID48 Transponder capsule ($55-75 on Amzn; $50 on EBay)
(note: this era Maserati uses the Megamos Crypto ID48 Transponder and the T48 subtype - don't worry - a different subtype does not appear to prevent a valid write - and the Blank Super Chip appears to clone all of the variations T6, T33, T48, -A , -K, ...).
c. An Xhorse (or equivalent) flip key with a SIP22 blank and a Super Chip
3) Get the blank key cut at a locksmith
4) Download the Xhorse app to your Android or IPhone; create an account
5) Connect via BT to the Mini Key Tool; update its firmware
6) Sit in your car
7) Select Transponder Clone from the App Menu; insert original Key; read Key - it will return a HEX ID and say Locked and Cloneable
8) Tap 'Clone'
9) Place the new key/transponder (what you selected (a,b,c) above) in the Mini tool - it will confirm that it is Writeable
10) Place the Mini tool near the ignition cylinder - then with the Original Key turn the ignition On then Off a total of 8 times - removing and reinserting the key each time - this is called Sniffing.
11) The App will take the sniffed data and upload it to a server that will crack the 96-bit binary code (takes about 2 minutes).
12) You will then be instructed to place the blank into the Mini and it will write the Transponder code and Lock it.
13) You now have a spare key. Total cost - about $155-200 for the first key (this includes the price of the $120 Mini tool) and ~$30 per key thereafter - and you can do all your friends cars - and your other cars (the Mini tool will clone or generate a variety of keys - including Smartkeys).
Note: If the car is locked and you lose your key - deploying the spare into the door cylinder will trigger the alarm.
No worries - as soon as you place the key in the ignition and turn it On - the alarm will be deactivated.
It will briefly display a warning that a 'break in was detected' then clear itself.
Hope this helps,
Mark
Attachments
Joined
·
450 Posts
That's a pretty awesome write up, and probably deserves its' own thread... I've been wanting to tackle this for some time now.
Sounds like the technical piece here that really makes this work, is being able to clone the transponder chip. That's the part that nobody local seems to want to mess around with.
Sounds like the technical piece here that really makes this work, is being able to clone the transponder chip. That's the part that nobody local seems to want to mess around with.
Indeed, a great write up by Mark.
That said, I believe laws vary from state to state , but in Ca. cloning a car’s transponder chip ( UNLESS YOU ARE THE CAR’S OWNER ) is not just a misdemeanor, but a felony ! It‘s intended to apply to criminals who do that so they can steal cars, but not sure if the letter of the law distinguishes them form someone who just wants to help clone a friend‘s or a customer’s key, whether you have proof of ownership or not. I would think most other states have similar laws to Ca’s since car manufacturers are spending a lot of money lobbying to see these laws are enacted and enforced. No business owner ( locksmith , etc. ) in their right mind is going to take a chance doing that ..you might find an individual with the technical ability to clone your keys / fob etc. who is willing to take the risk, because after all, who’s going to say anything, but the safest thing is to do that yourself…if you’re able. Even with the comprehensive description of the process in the above post, I’d never be able to tackle that task. Maybe easy for others though …
Thanks Mrbobdou and DSGT (Dan).
Exactly. By Cloning rather than Generating the Transponder, you don't need to access the NBC (i.e. Program it).
So no risk of NBC/ECU damage and no need for $$ specialty equipment (Dealer or specialty Locksmith).
If you start with one original key and Clone it, the car still only knows of only One key. The transponder code is fixed (does not roll or hop) so this method works.
But if you have no original (referred to as 'All Keys Lost' in the industry) then it's a Dealer trip to buy Maserati keys and have them added to the NBC.
(this is why having the Code Card with you is important (outside the locked car), because with it you can get a Key cut, unlock the car, and then use the Electronic Pin sequence on the card to start the car and drive to the Dealer (otherwise a tow would be required).
BTW the FOB code rolls/hops which is why Cloning probably won't work for the FOB buttons (but I'm going to try it and report back.)
Regarding the time and difficulty. It was super easy in practice but I had spent many hrs researching to determe if it would work before the Mini tool arrived. After it arrived (yesterday afternoon), I made the two spares in 30 minutes total. Really easy. The app guides you even though the instructions are in pidgin English.
Regarding the legality, I'm in WA and TX so not sure of rules here. I would assume if I have owners permission all OK at least here.
These older Maseratis are much more secure than the newer Smart Key cars (push button start). The transponder clone requires the original key in your possession and the Id48 transponder is a complex hack needing the sniffing and the server. It is not possible to steal these without a mechanical key and correct transponder.
Smartkey cars are comparatively easy to steal. Their rolling code can be captured from a distance and relayed to the car to open and start it. It's a disaster frankly and I presume was really a cost saving move disguised as a 'Feature' (no key required, just great). So glad our cars are very secure.
Thanks again and glad this helps,
Mark
Exactly. By Cloning rather than Generating the Transponder, you don't need to access the NBC (i.e. Program it).
So no risk of NBC/ECU damage and no need for $$ specialty equipment (Dealer or specialty Locksmith).
If you start with one original key and Clone it, the car still only knows of only One key. The transponder code is fixed (does not roll or hop) so this method works.
But if you have no original (referred to as 'All Keys Lost' in the industry) then it's a Dealer trip to buy Maserati keys and have them added to the NBC.
(this is why having the Code Card with you is important (outside the locked car), because with it you can get a Key cut, unlock the car, and then use the Electronic Pin sequence on the card to start the car and drive to the Dealer (otherwise a tow would be required).
BTW the FOB code rolls/hops which is why Cloning probably won't work for the FOB buttons (but I'm going to try it and report back.)
Regarding the time and difficulty. It was super easy in practice but I had spent many hrs researching to determe if it would work before the Mini tool arrived. After it arrived (yesterday afternoon), I made the two spares in 30 minutes total. Really easy. The app guides you even though the instructions are in pidgin English.
Regarding the legality, I'm in WA and TX so not sure of rules here. I would assume if I have owners permission all OK at least here.
These older Maseratis are much more secure than the newer Smart Key cars (push button start). The transponder clone requires the original key in your possession and the Id48 transponder is a complex hack needing the sniffing and the server. It is not possible to steal these without a mechanical key and correct transponder.
Smartkey cars are comparatively easy to steal. Their rolling code can be captured from a distance and relayed to the car to open and start it. It's a disaster frankly and I presume was really a cost saving move disguised as a 'Feature' (no key required, just great). So glad our cars are very secure.
Thanks again and glad this helps,
Mark
Thanks and really good point Catmanv2.
BTW I did this on a 2009 QP-S (the impetus being to hide a cheap spare for emergencies.)
Since the Gransport and Granturismo of that vintage also use the ID48 transponder, I am assuming they also use the SIP22 key blank. I should have stated that in the original post.
Thanks,
Mark
Thank you very much - so glad we have a solution.
I'm hopeful it can help us with other cars too.
Esp the newer ones that can run >$1K for a new key.
Mark
PS: Pics attached...
My duplicates -
1) A cut SIP 22 key blank and VVDI Super Chip (XT27A) Transponder (written from the original key); ($20 blank-cut + $4 chip).
2) An aftermarket 3 button FOB + embedded blank ID48 + SIP22 key blank from Amazon ($55); (FOB buttons not programmed to car).
PPS: Just found the Xhorse Mini tool for $95
Xhorse VVDI MINI Key Tool / Cloner & Remote Generator
XHS-MINI-KT Xhorse MINI Key Tool Function: Transponder Editing & CloningDetect most immobilizer transponders, edit and clone common transponders in the market. Transponder GeneratingSupport TP transponders & parts of special transponders more than 700 vehicle models, reduce the stock of...
www.uhs-hardware.com
Attachments
Joined
·
5,349 Posts
I would assume so. Nice that someone (else) understands the system
I wonder whether you'd be prepared to repost this on Sports Maserati? Or let me copy / paste?
C
Please - 100% - re-post it Catmanv2.I would assume so. Nice that someone (else) understands the system
I wonder whether you'd be prepared to repost this on Sports Maserati? Or let me copy / paste?
C
Hope it helps there too.
Thanks,
Mark
"All that is not given is lost"
Joined
·
5,349 Posts
Quick Update:
I was able to clone the Key FOB (3 buttons).
However - the Cloned FOB is 'single use' - by this I mean you can perform only 1 activation for each button in any order:
Door Lock, Door Unlock, Trunk Unlock
The reason for this is thus:
The VVDI Mini Tool was able capture the FOB code for each original button and assign it to the respective 'clone FOB' button (e.g. Unlock Door Key Press on Original FOB is Cloned to same button on the Blank FOB).
However the Mini Tool was not able to determine either (or both) the Seed Value or Cryptographic Hash Algorithm that is required to generate the next code in the sequence that the car will authenticate (the next rolled or hopped code).
Procedure:
Program the new FOB well away from the car - so that the car does not detect the key presses of the Original FOB. The codes associated with these key presses are recorded on your new FOB for use at a later time - but just once.
This is effectively a 'Rolljam attack' (where a 3rd party transceiver receives a valid FOB code (a roll) and prevents the car from receiving it (a jam)) - the code is authentic (it came from the Original FOB) and is available for later transmission to the car.
The Blank FOB I used (but any XK Model will work; $12): Xhorse VVDI Universal Wired Flip Remote Key 3 Buttons DS Type XKDS00EN
It takes 5 minutes to do the Clone.
Creates useful FOB in case of an emergency - but the Cut and Cloned Transponder Key ( prior post) is all you need.
For me it was more of an interesting exercise to see if it could be done.
I would expect more of the algos will become available and a proper clone that rolls may be possible in future.
Thanks,
Mark
I was able to clone the Key FOB (3 buttons).
However - the Cloned FOB is 'single use' - by this I mean you can perform only 1 activation for each button in any order:
Door Lock, Door Unlock, Trunk Unlock
The reason for this is thus:
The VVDI Mini Tool was able capture the FOB code for each original button and assign it to the respective 'clone FOB' button (e.g. Unlock Door Key Press on Original FOB is Cloned to same button on the Blank FOB).
However the Mini Tool was not able to determine either (or both) the Seed Value or Cryptographic Hash Algorithm that is required to generate the next code in the sequence that the car will authenticate (the next rolled or hopped code).
Procedure:
Program the new FOB well away from the car - so that the car does not detect the key presses of the Original FOB. The codes associated with these key presses are recorded on your new FOB for use at a later time - but just once.
This is effectively a 'Rolljam attack' (where a 3rd party transceiver receives a valid FOB code (a roll) and prevents the car from receiving it (a jam)) - the code is authentic (it came from the Original FOB) and is available for later transmission to the car.
The Blank FOB I used (but any XK Model will work; $12): Xhorse VVDI Universal Wired Flip Remote Key 3 Buttons DS Type XKDS00EN
It takes 5 minutes to do the Clone.
Creates useful FOB in case of an emergency - but the Cut and Cloned Transponder Key ( prior post) is all you need.
For me it was more of an interesting exercise to see if it could be done.
I would expect more of the algos will become available and a proper clone that rolls may be possible in future.
Thanks,
Mark
Attachments
For remote start:
Cool idea but the transponder must then reside within the car - near the key cylinder.
This means if someone breaks in - they can possibly torque the cylinder and steal the car - though the alarm may go off as they drive away.
Best,
Mark
41 - 58 of 58 Posts
Join the discussion
