BMW E90 Cas3/Cas3+ key learning

[BLP89]

Hello there,

The recent theft and return of my 2007 E91 led me to explore car security software. The car always had only one key, so I decided it would be educative to try and program one myself.
Therefore I purchased several tools and already found some information on the internet.
The tools I have purchased:

- Hitag2
- R270
- E/F Scanner (only for E models, I know it’s a clone, but the real deal is a bit expensive for hobby).
- Several keys with blanc PCF7945 EEPROM chips.
- a 12 volt power supply for the car (more than 40 amps).
- BMW Tools (inpa/ista etc).
- A descent soldering kit (is still need practice)

I already succeeded in programming the blanc key trough the Hitag2. I figured programming the key tot the car would be pretty straight forward from there on, but I ran into some obstacles, which led to some questions.

• Cas3 or Cas3++

The car being from 2007, I figured the cas module would be a non-encrypted Cas3 module, which should be programmable with the E/F scanner. Connecting the E/F scanner shows the CAS part number 9287535, which seems to be a 2012/2013 CAS3+ module. When I connect the E/F scanner and press key learning, it suggests “Update ECU?”, the internet already thought that there a lot of risks involved programming a CAS (especially with non original/clone hardware), so I did not dare to continue. I have looked around all over the internet, but I could not find any writing of anyone who actually clicked “yes”. So I have some questions:

• Is the 9287535 cas indeed a CAS3+ module, or is it just a CAS3?
• How can I tell whether or not the cas is encrypted with Ista-p 45+?
• What happens when I would actually click “yes”?

The car was stolen by OBD key programming (no signs of the cas being removed or loosened, but they did not bother putting back the loose door handle). I have a gut feeling that the key they used for stealing it was already programmed to the car before I purchased it. The previous owner also tampered with the mileage in a way that gave no tamper dot and similar mileage in all the ecu’s when we tried to check it with Carly.

• Given this car most likely has a CAS3+ / Istap-p 45, would it have been possible to program a new key trough OBD, and if so, how? VVDI2 claims it can do it, but is it actually reliably possible through OBD?
• This being a hobby and a bit of a challenge, what would be the way to go to program a new key? At this moment, removing the CAS and using a bench to get a EEPROM dump to program an existing key file into a new key seems to be the most sensible. Is that correct?

I do not lazily hope that you provide me with all the answers without doing any research myself. I tried to figure the above out, but I do not seem to find any reliable answers.

Thanks to anyone who can help me.

[jacek77]

9287535 it's a cass3++ simple google search with that number brings lots of dead cas posts.

take the cas out and and do it on the bench. Read data and use the file to make the key. plug into the car and start with a new key.

VVDI2 claims they can do it. You might get lucky and it will downgrade cas but it may also damage cas. I wouldn't risk doing this OBD.

[fred77]

Hello there,

The recent theft and return of my 2007 E91 led me to explore car security software. The car always had only one key, so I decided it would be educative to try and program one myself.
Therefore I purchased several tools and already found some information on the internet.
The tools I have purchased:

- Hitag2
- R270
- E/F Scanner (only for E models, I know it’s a clone, but the real deal is a bit expensive for hobby).
- Several keys with blanc PCF7945 EEPROM chips.
- a 12 volt power supply for the car (more than 40 amps).
- BMW Tools (inpa/ista etc).
- A descent soldering kit (is still need practice)

I already succeeded in programming the blanc key trough the Hitag2. I figured programming the key tot the car would be pretty straight forward from there on, but I ran into some obstacles, which led to some questions.

• Cas3 or Cas3++

The car being from 2007, I figured the cas module would be a non-encrypted Cas3 module, which should be programmable with the E/F scanner. Connecting the E/F scanner shows the CAS part number 9287535, which seems to be a 2012/2013 CAS3+ module. When I connect the E/F scanner and press key learning, it suggests “Update ECU?”, the internet already thought that there a lot of risks involved programming a CAS (especially with non original/clone hardware), so I did not dare to continue. I have looked around all over the internet, but I could not find any writing of anyone who actually clicked “yes”. So I have some questions:

• Is the 9287535 cas indeed a CAS3+ module, or is it just a CAS3?
• How can I tell whether or not the cas is encrypted with Ista-p 45+?
• What happens when I would actually click “yes”?

The car was stolen by OBD key programming (no signs of the cas being removed or loosened, but they did not bother putting back the loose door handle). I have a gut feeling that the key they used for stealing it was already programmed to the car before I purchased it. The previous owner also tampered with the mileage in a way that gave no tamper dot and similar mileage in all the ecu’s when we tried to check it with Carly.

• Given this car most likely has a CAS3+ / Istap-p 45, would it have been possible to program a new key trough OBD, and if so, how? VVDI2 claims it can do it, but is it actually reliably possible through OBD?
• This being a hobby and a bit of a challenge, what would be the way to go to program a new key? At this moment, removing the CAS and using a bench to get a EEPROM dump to program an existing key file into a new key seems to be the most sensible. Is that correct?

I do not lazily hope that you provide me with all the answers without doing any research myself. I tried to figure the above out, but I do not seem to find any reliable answers.

Thanks to anyone who can help me.

Noooooo your car was not CAS3+/Istap-p 45 as thieves would have had to remove ECU.
...unless you left car with big flashing sign saying you were leaving car for whole day unprotected.

*** Go into the CAS system (most cheap diagnostics tools offer feature - or call autolocksmith) and disable stolen key slot.
INFACT Disable all key slots except the keys you have!
AND
*** Now use your BMW hacked dealer tool and re-flash your CAS to Istap-p 45 if it lets you
(with 14V supply)



Personally you'd be better off calling an autolocksmith or BMW garage who knows BMWs
As these cars are easy to f**kup especially with cheap tools expect like that E/F scanner

Basically Don't go playing around if your only form of transport!! Otherwise have fun
and learn - but you need better kit.

Just to put things in perspective ... this is my next purchase. Your 12V won't work and is damn dangerous
https://www.ebay.co.uk/itm/Battery-C...T/202726924850

[PixelsFixed]

As Fred says, it almost certainly wasn't stolen by OBD programming - even downgraded allowing a key to be made by OBD, 9287535 needs a working key or the correct ISN. It *can* be done by OBD - I do them all the time - but not in moments - it'll take around 30 to 45 minutes with a working key and a lot longer without it.

My advice too is to let someone else do it - let them take any risk - and ask them to disable all the keys except the ones in your possession.

[TERMINATOR1000]

....9287535 needs a working key or the correct ISN. It *can* be done by OBD - I do them all the time

what tool you use ? CGDI BMW & VVDI2 can't do it by OBD2 , first fail & car is OK .... VVDI2 kill the CAS !!!
I refuse lot of Mini with "9287535" part number , to much work for me ...

[Jimmy07]

Never understood people dabbling with key programming as a hobby. Spending stupid money on cloned software to do one key. Plug into a CAS unit with dodgy kit and it could be a very expensive hobby.

Hire a locksmith who knows what he’s doing it will be cheaper and safer

[p1et]

If someone wants to then go ahead, but do not expect much of a help from actual locksmiths if you treat it as a hobby

[BLP89]

Thank you to everyone for the response. I actually still have some questions.

- The car was broken open with a simple and crude cilinder puller. Why would someone who has a functional key do this?
- Is the cas 9287535 a Cas3++ by default or does it have to be updated by the dealer/ista-p45+ to become encrypted?
- Can I see whether or not this cas has been downgraded?
- Is it in any way possible to achieve a casdump by obd with this model Cas, assuming it is not downgraded?
- Is it in any way possible to achieve a casdump by obd with this model cas, assuming the thief downgraded it?
- The cas writes data to the key PCF chip including the mileage. Would a Casdump with the key data show the actual mileage or the mileage since the key had been last used?
- Is there any way to tell which key that was coded to the cas was used in a certain time?

I am still persuing generating my own spare key in any way (I have time on my hands and I like mingling about).

- Would it be possible to simply obtain an older Cas3 model with to keys an program it to the car/ecu, or is the ECU also encrypted and would it therefore not be possible to simply install a new cas and program the vin number etc?.

I am asking certain questions to comfort my own hunch. I have the feeling that the previous owner had something to do with the theft, I am curious whether or not something in the data would clearly hint that he did.

For all the professional locksmiths, take pride in the fact that people admire your job. Perhaps I will brick the entire car, and even give professionals like you the chance to make some money.

Thank you again.

[evss]

couple of questions, 1/ was the vehicle moved from where you left it?
2/was the steering lock operational or broken?
if it was moved , and as you say the door was broken into by using a cylinder puller, i would expect they moved it by recovery (front end lifted) or broke steering lock to tow it.

cant see someone having a spare key and damaging door just to start it up and drive it away, unless the door key doesnt match the steering lock.

as said just for peace of mind get a spare programmed and delete others on the system.

then fit a alarm.

of course the other option is how long were they able to work on the vehicle without worry of being disturbed? 10 mins,30, a day or longer all effect how it was stolen

[tomvleeuwen]

Off coarse it is fun to learn about security.

And off coarse there are many risks involved, so I would just advice to buy a second-hand CAS on eBay, it's only a couple of bucks. Only if you can read and write this CAS reliably on the bench and it still works you can start considering to read your own CAS.
You should not do this to save a few bucks, but I think that is clear already.

- The car was broken open with a simple and crude cilinder puller. Why would someone who has a functional key do this?
Because he needs to open the door to be able to create a functional key.... Edit: Or he only had a transponder programmed and not a remote key.

- Is the cas 9287535 a Cas3++ by default or does it have to be updated by the dealer/ista-p45+ to become encrypted?
It has to be updated to become 9287535, it was released on 27.05.2013. Some people say that it will become encrypted, but I don't know if that's true. It doesn't matter either if it is encrypted since you have a working key and a Hitag2 so it can easily be decrypted once you have a dump.

- Can I see whether or not this cas has been downgraded?
You can try to read the UIF with WinKFP and your INPA cable. Google is your friend. But the UIF is not always updated by those key programming tools.
If you read the P-flash with R270 you can know for sure, but again I would not touch your CAS before you have more experience. (reading UIF with WinKFP is 100% safe)

- Is it in any way possible to achieve a casdump by obd with this model Cas, assuming it is not downgraded?
- Is it in any way possible to achieve a casdump by obd with this model cas, assuming the thief downgraded it?
Possible yes, but very risky, see all posts above. Especially with Chinese clone tools. Even if it is already downgraded, reading the dump is not just an API function...

- The cas writes data to the key PCF chip including the mileage. Would a Casdump with the key data show the actual mileage or the mileage since the key had been last used?
CAS keeps track of actual mileage in the car and writes it to the keys so the dealer can read it out when the customer enters the store. There is no "mirror" of the key in the CAS, it's synced the other way around. CAS and KOMBI are authoritative w.r.t. the mileage in your car, if one is higher than the other they will both jump to whatever value is higher and store that value. (so do not put the second hand CAS in your car without zeroising the mileage)

- Is there any way to tell which key that was coded to the cas was used in a certain time?
Not AFAIK. But I think you can ask BMW dealers which keys have been provided for this car and you can see in INPA which keys have been used, so if a key is used that was never provided by BMW you know that it was programmed.

[TERMINATOR1000]

Thank you to everyone for the response.
.

Thank you again.

1°)hello read CAS3 on table https://www.youtube.com/watch?v=zQ_7wvi8TkA
2°)read working key with HITAG2 https://www.youtube.com/watch?v=ucUpt-fTvhE
3°) if anyone have " CAS3+ editor "he can hepl you to generate new key

BMW sell key for 150£

[PixelsFixed]

what tool you use ? CGDI BMW & VVDI2 can't do it by OBD2 , first fail & car is OK .... VVDI2 kill the CAS !!!
I refuse lot of Mini with "9287535" part number , to much work for me ...

CGDI does do it by OBD - that's what I use - never had an insurmountable problem. Even on Minis. Though stripping the dash out is not a joyous 45 minutes.

[BLP89]

Thank you again to everyone for the updates.
New answers generate new questions....
For me it is long clear that I should not try to program a key by obd nor that I should downgrade the cas by obd.... purely to speculate on the fact whether the previous owner had anything to do with the theft (I am not goint to press charges or anything, it is just for my own curiosity ), I have the following questions:

Inpa shows the cas to be 9287535. The internet has thought me that 9287535 is in some cases actually a cas software update preventing the cas from being written by obd.The mechanic would have had to update the cas throug insta-p or other software. Updating the cas changes the cas number when being red through obd/inpa etc.. Taking that into account, I can still see the 9287535 part numbert when connecting to the cas with inpa/ista/other software.

- Does this mean the cas has not been downgraded and that it still has the 9287535 extra secured anti obd writing software?
- Is it by any means possible not taking any risk into account to program a new key to a cas running on 9287535 software without a downgrade?

Thank you in advance.

[TERMINATOR1000]

Thank you ...

- Does this mean the cas has not been downgraded and that it still has the 9287535 extra secured anti obd writing software?
- Is it by any means possible not taking any risk into account to program a new key to a cas running on 9287535 software without a downgrade?

Thank you in advance.

you can't add key by OBD2 , simply read CAS3 on table .... 30 minutes job & you know number of key stored in CAS3

[crankycarl]

you can AKL or add key too cas3++istap by obd ive done it several times
bridge wake-up terminal of dme to battery w/ 10amp use
read dme isn over obd
downgrade cas
add key with dme isn
update cas
job done

Most of the time I backup cas before downgrade
sometimes i dont
never had to restore

I think you can make key by backup...
but customers dont want old keys able to unlock and run the car so whats the point