To make a long story short
I purchased a brand new 520 in August 2016, and in August 2017 the car was stolen from our driveway, crashed into a neighbor's house and then dumped in a river about 5 km away from our house. There were witnesses who saw the car drive into the river and called the police, who came very fast. About 30 min after the call they had identified the owners and knocked on our door at 2am while we were sleeping.
Since then I have had a two-year-long fight with the insurance company, as they have denied me compensation. I had both keys at home when the police came, but as one key has registered activities during the theft (i.e. the error codes after the crash at the neighbor's house) and an update in the key at 01:30am, the insurance company claims that the key must have been in the car during the theft.
After the police had been at our house to inform us about the car, I went to the site and saw the car under water. The lights were still on and I tried to get a reaction by clicking on all the key buttons. I wonder if the key and car might have synchronized at that time, which might explain the info on the key. Is it possible? I was there at about 3am though, and not 1:30 as the key shows.
I am now trying to find any proof that can help me to explain what is going on. I have had the water-damaged CAS (gen 4) read and have a bin file, but don't know what to do with it.
BMW do not want to help and I have not found anybody in Sweden to help me with this matter.
Would it be possible for you to read the file and give me ANY info that you might find? Mileage, times, happenings etc.
Is it possible to get time stamps from the keys to see, for example, at what time the error codes were registered etc.? Any ideas of how the data can have ended up in my keys?
I would be more than happy to compensate you for this work.
I am sharing the bin file from the CAS, the info received from the key, as well as a photo of the car. It can be accessed through the link below.
https://www.dropbox.com/sh/gcd0qa1ba...8sSbLeb7a?dl=0
Thank you
Navid
Last edited by 530m; 04-09-2020 at 05:39 PM.
Your post was moved to this discussion area. Good luck on getting help for your situation.
I have heard of tools that can read keys from a distance (as in inside the house) to clone from outside and then make a 'new' key and drive the car away.
-Abel
yup, good point abel - similarly, there are even tools that will simply amplify the signal from a key inside the house and allow access to the vehicle which can then lead to cloning, new key setups, etc.
it's fun to play with rf!
unfortunately, i don't have any other suggestions for the poster here.
abel - do you know of any way to read the bin file? is that even possible? would it even be useful?
Hey, so this is a tricky situation. The most likely scenario is that a relay attack was used to detect your key inside the house, and repeat that key signal inside the car to allow starting. This is one of the more common theft techniques for high-end cars.
The simplest proof of this is your car displays a higher mileage than your key does. This is because the key was used to steal the car via repeater, but was not present for the drive.
Your CAS4 d-flash dump displays a mileage of 34420km, while your key displays a mileage of 34415km.
The key also shows last key update from 1:30 on August 20 2017.
What was the date of the theft/crash? Was it Aug 20th 2017?
The ACSM4 airbag module keeps detailed records from a collision, there may be something of use there.
Last edited by RocketSurgeon; 04-10-2020 at 01:28 PM.
i'm curious - isn't there a lag between the CAS and key mileage reporting? or, no? i keep thinking i read that there is a lag - but, can't recall where i read that now, or the details....
anyway - agreed that a relay attack is absolutely in the realm of the possible or even likely.
Thank you Rocketsurgeon
Yes, the theft was on August 20th 2017. The witness who saw the car drive down into the water called the police at 01:44:44. The police were there at 01:54.
I attach the map of our street. We believe that the car was stolen about 15-20 min prior to being dumped in the water. The thieves made a wrong turn when they were driving out of our neighborhood, and as they were driving at high speed they crashed into our neighbor's stone wall (airbag did not deploy). They did continue the trip and DID PASS OUR HOUSE once again.
please see map below
https://www.dropbox.com/s/mmr1pk4j8z...treet.jpg?dl=0
So 01:30 can be accurate, and I was wondering if the crash registered in the car was transferred to the key as they passed our house (narrow street, not more than 3m to the key, especially if they have an amplifier in the car).
the problem is that the key shows the crash at 34408 and the key shows last update 34415
another hypothesis is if the key was synced once I went down to the river but then it does not explain the time on the key
As Shadowpuck asked, I am also curious if there is a lag in reporting between the cas and the key.
Does the ACSM4 airbag module keep the info even if not deployed? I could ask the local BMW dealer to try to extract the info
the distance from our house to the river is about 5 kilometers so 34420 can be correct. Thank you for extracting that.
I don't know much about the BMW system and am 100% sure that it was a relay attack, but just need to give an explanation for the update in the key. The insurance company claims that as the key was updated, it is proof that it has been in the car throughout the trip.
We have lawyered up and the case will be in court at the end of May. Our problem is that the insurance company has "technical evidence" based on the info from the keys and that is the reason they deny compensation. We have at this moment nothing technical, but rather just a "theory" of what might have happened. We have been in contact with at least 10 different organisations asking for technical help (the Forensic center for the Police, the BMW repair shop, BMW Sweden and so on) and everyone has turned down our request because they either do not have the time, the right tools or competence, or the interest to help us. We are prepared to pay for this help, so it is not a matter of payment, but rather that we need to find someone with the right competence who can give us some additional information from the car or the keys (or at least a technical explanation of what is possible and not possible with the BMW system) that can prove my innocence. Otherwise I am looking at losing about $60.000 for the car and another $30.000 in lawyer fees (my costs above what my insurance covers for legal expenses, and the lawyer fees of the insurance company if I lose the case).
have you reached out to any local/in-country hacker/cybersecurity communities? there's been plenty of research done on amplification attacks.
i would posit - sadly, without evidence - that a relay amplification attack may very well lead the system to report the presence of a key inside the vehicle as it would interpret the presence of the signal to mean the key is in range so allow entry, start, etc.