Hyundai NFC Key Card

Hi! I appreciated the Tesla implant from a while back and was wondering if you folks could do a similar thing for Hyundai’s NFC Card? In perfect transparency, I’m not necessarily going to implant it, but I’d love to get it decapped and encased in something like the TeslaFlex or FlexClass form factor instead. Since it needs to stay on the reader while I drive, having a smaller form factor that I could integrate into a set of keys/Keyport or other little fob would be incredibly useful. It might be a little problematic to leave a body part resting on the reader the entire time I drive :sweat_smile: !

Alternatively, if it was possible to reverse-engineer and install on the Fidesmo platform, I’d be ecstatic.

Any chance I could interest you folks in such a project or possibly a direction to another group who would be? More than happy to pay for custom work!

So what happens if you turn and the card slides off the reader, or if you hit a bump and it decouples? Does the car just shut off?

1 Like

Could you scan that card with TagInfo or similar, and, if you are comfortable doing so, post the results?

If you don’t want to post the info, can you tell us what it says under
IC INFO - IC Type?

I am also interested in knowing what happens if the card is removed from the reader, that will help with some ideas that I have for you.

2 Likes

Looks like you only need it on the reader when starting the car. This is talking about using the NFC on a phone, but I assume the card is the same.

1 Like

I made that assumption after watching a couple of videos. It would make no sense, nor would it be safe, if the car reacted adversely after authentication had occurred.

I may be able to do my own testing in a couple of days also.

1 Like

Yeah so that basically confirms what I was curious about, and you wouldn’t need to keep your implant on the reader at all times while you drive, just when starting it :slight_smile:

Thanks! I’m waiting to get it, but I’ll run a TagInfo scan once it arrives! I suspect it can be removed from the reader after starting the car, considering the Digital Key allows that.

1 Like

Finally got my card today and kicked off a scan. (Maybe?) good news: it’s Java Card 2.2! Does that mean it might be possible to do a similar Fidesmo app to the Tesla one? Or, at the very least, maybe it’s good news on the decapping front?

I haven’t tried pairing it yet (and might purchase a different one to actually pair to my vehicle, although I imagine the pairing process likely installs an app w/ a unique cryptographic key, so perhaps sharing this isn’t really exposing me to any vulnerabilities?).

** TagInfo scan (version 4.25.5) 2022-08-27 19:06:19 **
Report Type: -- IC INFO ------------------------------

# IC manufacturer:
Infineon Technologies AG

# IC type:
Unknown IC implementing ISO/IEC 14443-4

# Card OS type:
Java Card

# MIFARE applications:
No known MIFARE applications found

# Application information:
Global Platform card manager present
Visa card manager

-- NDEF ------------------------------

# No NDEF data storage populated:

-- EXTRA ------------------------------

# MIFARE memory size:
1 kB
* 16 sectors, with 4 blocks per sector
* 64 blocks, with 16 bytes per block

# IC information:
MIFARE Classic emulation

# Global Platform information:
Java Card version 2.2
Global Platform version 2.2
GP Secure Channel Protocol: 02 option 55
Visa card manager
* FCI: 0x6F5B8408A000000003000000A54F734906072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040255650B06092A864886FC6B020103660C060A2B060104012A026E01029F6501FF |o[...........OsI..*.H..k.`...*.H..k...c...*.H..k.d...*.H..k..Ue...*.H..k...f...+....*.n...e..|

# Card Production Life Cycle data (CPLC):
IC Fabricator: Infineon
IC Type: [unknown]
OS ID: [unknown]
OS release date: 2017/05/22
OS release level: 0x4001
IC Fabrication Date: 2018/11/17
IC Serial Number: 0x0F264B65
IC Batch Identifier: 0x1B65
IC Module Fabricator: [unknown]
IC Module Packaging Date: [invalid]
ICC Manufacturer: [unknown]
IC Embedding Date: [not set]
IC Pre-Personalizer: [not set]
IC Pre-Perso. Equipment Date: [not set]
IC Pre-Perso. Equipment ID: 0x00000000
IC Personalizer: [not set]
IC Personalization Date: 2020/01/09
IC Perso. Equipment ID: 0x00000000
IC Personalizer: [unknown]
IC Personalization Date: 2020/01/09
IC Perso. Equipment ID: 0x00000000

# File Control Information:
Default selected AID
0x6F5B8408A000000003000000A54F734906072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040255650B06092A864886FC6B020103660C060A2B060104012A026E01029F6501FF |o[...........OsI..*.H..k.`...*.H..k...c...*.H..k.d...*.H..k..Ue...*.H..k...f...+....*.n...e..|

# TagInfo Version:
Version :4.25.5

# Device Info:
Device Model :Google ( Pixel 5 )
Android OS Version :13

-- FULL SCAN ------------------------------

# Technologies supported:
ISO/IEC 7816-4 compatible
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.IsoDep, android.nfc.tech.NfcA, android.nfc.tech.NfcA, android.nfc.tech.MifareClassic, android.nfc.tech.NdefFormatable]
* Maximum transceive length: 65279 bytes
* Default maximum transceive time-out: 618 ms
* Extended length APDUs supported
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms

# Detailed protocol information:
ID: D7:A6:DE:D4
ATQA: 0x0400
SAK: 0x28
ATS Historical bytes: 0x73C84000009000 |s.@....|

# MIFARE memory content:
Sector 0 (0x00)
[00] r--  D7 A6 DE D4 7B 28 04 00 1C 00 00 00 00 00 00 00 |....{(..........|
[01] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[02] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[03] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 1 (0x01)
[04] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[05] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[06] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[07] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 2 (0x02)
[08] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[09] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0A] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0B] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 3 (0x03)
[0C] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0D] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0E] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0F] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 4 (0x04)
[10] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[11] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[12] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[13] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 5 (0x05)
[14] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[15] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[16] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[17] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 6 (0x06)
[18] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[19] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[1A] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[1B] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 7 (0x07)
[1C] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[1D] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[1E] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[1F] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 8 (0x08)
[20] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[21] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[22] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[23] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 9 (0x09)
[24] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[25] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[26] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[27] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 10 (0x0A)
[28] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[29] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[2A] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[2B] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 11 (0x0B)
[2C] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[2D] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[2E] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[2F] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 12 (0x0C)
[30] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[31] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[32] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[33] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 13 (0x0D)
[34] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[35] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[36] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[37] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 14 (0x0E)
[38] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[39] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[3A] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[3B] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

Sector 15 (0x0F)
[3C] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[3D] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[3E] rwi  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[3F] wxx  FF:FF:FF:FF:FF:FF FF:07:80 00 FF:FF:FF:FF:FF:FF
          Factory default key           Factory default key (readable)

r/R=read, w/W=write, i/I=increment,
d=decr/transfer/restore, x=r+w, X=R+W
data block: r/w/i/d:key A|B, R/W/I:key B only,
  I/i implies d, *=value block
trailer (order: key A, AC, key B): r/w:key A,
  W:key B, R:key A|B, (r)=readable key
AC: W implies R+r, R implies r

--------------------------------------

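The FCI hex string in the scan above is BER-TLV card recognition data, and TagInfo derives its "Global Platform version 2.2" and "SCP 02 option 55" lines from the OIDs inside it. The following Python decoder is an added example (not from the original post, TagInfo or Hyundai); it takes the FCI bytes exactly as they appear in the scan and interprets the OIDs per the GlobalPlatform card recognition data layout, which shows that the response carries only platform metadata, not keys or credentials.

```python
# Decode the GlobalPlatform FCI from the TagInfo scan (added example).
# FCI_HEX is copied verbatim from the scan; the OID meanings follow the
# GlobalPlatform Card Specification's card recognition data (Annex H).
FCI_HEX = ("6F5B8408A000000003000000A54F734906072A864886FC6B01600B06092A864886FC6B020202"
           "630906072A864886FC6B03640B06092A864886FC6B040255650B06092A864886FC6B020103"
           "660C060A2B060104012A026E01029F6501FF")

GP_ARC = "1.2.840.114283"  # the globalPlatform OID prefix (2A864886FC6B)


def parse_tlv(data: bytes):
    """Yield (tag, value) pairs for one level of BER-TLV.
    Handles two-byte tags such as 9F65 and short/long definite lengths."""
    i = 0
    while i < len(data):
        tag = data[i]; i += 1
        if (tag & 0x1F) == 0x1F:          # multi-byte tag, e.g. 9F65
            tag = (tag << 8) | data[i]; i += 1
        length = data[i]; i += 1
        if length & 0x80:                 # long form: next N bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length


def decode_oid(raw: bytes) -> str:
    """Decode DER OID contents: first byte is 40*a + b, the rest are base-128 arcs."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not (b & 0x80):
            arcs.append(value); value = 0
    return ".".join(map(str, arcs))


def decode_fci(fci_hex: str) -> dict:
    """Return the ISD AID, GP version, SCP details and every OID found in the FCI."""
    fci = dict(parse_tlv(bytes.fromhex(fci_hex)))      # {6F: FCI template}
    tmpl = dict(parse_tlv(fci[0x6F]))                   # 84 = AID, A5 = proprietary data
    prop = dict(parse_tlv(tmpl[0xA5]))                  # 73 = card recognition data
    info = {"aid": tmpl[0x84].hex().upper(), "oids": {}}
    for tag, val in parse_tlv(prop[0x73]):
        # tag 06 is a bare OID; tags 60..66 wrap an OID in an inner 06 LL TLV
        oid = decode_oid(val) if tag == 0x06 else decode_oid(val[2:])
        info["oids"][tag] = oid
        if tag == 0x60 and oid.startswith(GP_ARC + ".2."):   # {globalPlatform 2 v}
            info["gp_version"] = oid[len(GP_ARC) + 3:]
        if tag == 0x64 and oid.startswith(GP_ARC + ".4."):   # {globalPlatform 4 scp i}
            scp, i = oid[len(GP_ARC) + 3:].split(".")
            info["scp"] = f"SCP{int(scp):02d} option {int(i):02X}"
    info["max_cmd_len"] = prop[0x9F65][0]               # 9F65 = max command data length
    return info
```

Tag 66 decodes to 1.3.6.1.4.1.42.2.110.1.2, the Sun/Oracle Java Card arc that TagInfo reports as the Java Card version.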

It’s a Java Card with MIFARE emulation running, and it looks like nothing is going on with the MIFARE bit. Chances are it’s a Java Card application happening.

That’s good news maybe.

Can you sniff comms between the card and car with a proxmark3?

1 Like

Amal put me onto this and it’s piqued my interest. I will have a look at reverse engineering the app to see where we can get. If you’re Australian and are in Brisbane or will be in Melbourne in November, I can do a scan with my PM3.

Nothing you included in the Key Card details has, at least from my visibility, any details that would make your car vulnerable.

Edit 1: I’m creating a GitHub Gist with info found on the topic.

Edit 2:
Goddamn, it appears they may use the MIFARE emulation, but I doubt it’s required, as a lot of phones can’t read Crapto1.

Edit 3:

I don’t think they use MIFARE emulation. Ideally I need an authentication sniff and a pairing sniff. I’m going to buy a keycard from the local Hyundai dealer tomorrow, and I’ve put the beacon out to see if I can find anyone local to me with one.

4 Likes

If you have a local dealer you might be able to ‘test drive’ one of the cars and get all the sniffing you need.

To do that, I’d need to have them show me the keycard functionality (not standard), plus let me put my kit in the middle. They won’t be impressed, I imagine.

I’m keeping an eye out for anyone I know with one, though.

1 Like

Oh weird, every time I’ve test driven a car they let me do anything I want for an hour un-supervised. But it might be different in different areas.

You need to register with Hyundai online to get access to the app and pair it with the car - the app is required to pair a NFC card.

I have a BMW keycard which I thought was MIFARE, but after seeing this it is clear it is Java. I am in Brisbane if it is something you can use to work stuff out…

My programming abilities finished around the Commodore 64, so I doubt I am any help beyond passing you a drink…

1 Like

Now we need to get both companies on board with developing applets for the Apex…

1 Like

Ooh, how this topic has blown up! I’ll respond to a few of these threads shortly!

I’m wondering if all of this might be more standardized across manufacturers than some people think! I was chatting to another person recently and ran across the “Car Connectivity Consortium”, of which Hyundai and BMW (among others) are all members. Their Digital Key 3.0 spec seems to describe some of the setup that we’re seeing, perhaps?

Edit: a second link as well:
https://www.electronicdesign.com/markets/automotive/article/21244486/electronic-design-readytouse-invehicle-soc-delivers-secure-car-access

1 Like

I’ve got a Proxmark3 RDV4.0, but most of my experience is w/ LF cards and such. More than happy to sniff comms/pairing/authorization, but I’d be a bit out of my depth. Any suggestions on the commands I should be running to grab what you need?

You can pair the NFC card in the vehicle without the app. My experience is with the US models; it’s possible this varies by market.

Models with navigation use the vehicle settings section on the radio to enter pairing mode. Models without navigation use steering wheel controls to enter the pairing mode on the digital cluster. Once you’re in pairing mode you place the NFC card on the wireless charger to pair.

I have a ’23 Hyundai Tucson and an NFC card. I ordered a Proxmark3 Easy, arriving on Tuesday. Happy to help out; it would be great to get this working.

I’d be a little worried about the viability of an implant. The NFC card needs to have contact with the door handle in order to read and unlock the car. I’m not sure if this is a limitation of the NFC antenna in the door or some limitation with the NFC card. When I scanned my card with my iPhone I needed to scan the card edge while making contact with the card.

If cloning this became possible, I’d be up to do an implant and see how it reads.

Edit for clarity: The NFC card cannot be read through a plastic card holder. It needs to be directly on the door handle.