Hyundai NFC Key Card

I’ve got a Proxmark3 RDV4.0, but most of my experience is w/ LF cards and such. More than happy to sniff comms/pairing/authorization, but I’d be a bit out of my depth. Any suggestions on the commands I should be running to grab what you need?

You can pair the NFC card in vehicle without the app. My experience is with the US models, it’s possible this varies by market.

Models with navigation use the vehicle settings section on the radio to enter pairing mode. Models without navigation use steering wheel controls to enter the pairing mode on the digital cluster. Once you’re in pairing mode you place the NFC card on the wireless charger to pair.

I have a 23 Hyundai Tucson and an NFC card. I ordered a proxmark3 easy, arriving on Tuesday. Happy to help out, would be great to get this working.

I’d be a little worried about the viability of an implant. The NFC card needs to have contact with the door handle in order to read and unlock the car. I’m not sure if this is a limitation of the NFC antenna in the door or some limitation with the NFC card. When I scanned my card with my iPhone I needed to scan the card edge while making contact with the card.

If cloning this became possible, I’d be up to do an implant and see how it reads.

Edit for clarity: The NFC card cannot be read through a plastic card holder. It needs to be directly on the door handle.

Sounds like the cards are quite garbage. That’s surprising. If they truly did put the reader into the door handle itself, then it might not be well suited for reading large cards actually. They might actually be much better suited for reading transponders with smaller antennas that fit better within the magnetic field it generates. I’m super curious about this whole situation.

Actually come to think of it, they might have done this on purpose. If you have to make contact with the card then it should in theory protect against key card sniffing through wallets and back pockets.

Huh, so I finally got around to pairing the card with my car (Ioniq 5 Limited) and ran another Full Taginfo. Running a compare in Notepad++ showed me no change (except for the scan date at the top).

It took almost no time to add, so I suspect it’s not installing anything, just registering existing info on the card. Is it possible they’re installing a Javacard app and/or private key on these from the factory instead of at pairing-time? When I messed around with my Fidesmo card in the past, I recall it taking a while to install an app and I think it changed its Taginfo behavior?

What card type does TagInfo show?
TagInfo only reads the card information and NDEF, at least on iOS.
If it’s a smart card with a JavaCard app on it, you won’t see a change.

@ZeGerman I uploaded the TagInfo dump from an Android phone above

I was expecting the car to install a new app to the list. I imagine “Visa Card Manager” is one of the currently installed JavaCard/Global Platform apps? Maybe that’s involved in the current Authorization process without any new install needed?

Oh goodness no - we’ll do it ourselves.

Do you happen to have a compatible car too?

Nah, it can only find apps it knows about - ones with “known” AIDs. Anyway, most devices don’t install apps in the field - Apex is the outlier here.

Edit: I called Hyundai locally and they don’t have stock of this in Australia - but were happy to chat to me about it. Parts guy had heard of the Tesla implant and thought it was a cool idea, and thought Hyundai Head Office might send me one to test with!

Well, this is great news. Once you receive your PM3 easy, send me a message and we’ll start data collection. Ideally we will get you some kind of unlocked javacard as well so I can have you test applets.

Regarding talking to Hyundai’s head office…
Looking at the CCC Board page, I wonder if it’d be a good or bad idea to try reaching out to Scott Bone. He’s the primary board member from Hyundai’s side, as well as a Product Engineering Manager (and was a Senior Engineer before that) at Hyundai Kia America Tech Center. If anyone would know what’s going on w/ the JavaCard comms, or at least know who does, I imagine it’d be him.

https://carconnectivity.org/members/#car-connectivity-consortium-officers

From his LinkedIn, I find this:
Lead and manage a cross-functional engineering team responsible for validation of hardware, software & systems related to ADAS and Digital Key Validation.

I’ve sent a connection invitation.

Would be interesting to see if he’s willing to talk, might be under an NDA. It might be best to refer to the CCC specs that are available online during the discussion and ask some probing questions not specific to the Hyundai brand.

Hyundai currently has a lot of bad press because they didn’t put immobilizers in their lower trim cars, anyone could copy a key or jam a screwdriver in there and steal a car. I wonder if being too specific would throw up some red flags. I’m sure they want to protect their security platform, it would be a bad look if the cards were clonable.

I used to work with a US dealer group and had access to Hyundai’s dealer-facing OEM portals. Information on digital keys is almost nonexistent. It’s the same info you’d find in the owner’s manual.

The only thing that was mentioned in their guides is the procedure to activate the Identity Authentication Module (IAM) before a digital key could be paired. Most cars came activated and the steps involved their diagnostic system, it’s all completed by the software.

Any troubleshooting that couldn’t be resolved using basic tests involved installing a replacement and then shipping the old unit back to Hyundai.

I’ll see if I can get an old contract to check for any updated information. I doubt it’ll turn up anything beneficial, they’re very closed lip about the whole thing.

They’ve also switched to a newer CCC digital key spec on the 2023 models.

If anyone wants an interesting read, their new head unit was reverse-engineered.

It was also discovered that Hyundai used an RSA key that is very well known for testing.

https://programmingwithstyle.com/posts/howihackedmycar/

As a rule, what we’re doing isn’t a card clone. That’s why they use JavaCard, as the card can generate an on-chip keypair and then pair that with the car, and that’s a remarkably secure way to do it as the secret is near impossible to extract when the card is sufficiently hardened (and most are as a matter of course).

Gotcha, that makes sense!

hah! found this funny…

The Engineering Mode was secured by a 4 digit pin. This guide helped me figure out the pin was “2400”.

2400… someone there has a sense of humor. Old phone phreaks will know what this means.

… holy shit …

The RSA key was from a fucking tutorial?!

I wonder if this key might also be used in their java card applet hahah!

*2600

Yeah! Someone probably copied it straight from stackoverflow, slapped a logo on it and called it a day. Unbelievable.

Side note: in case anyone wants it, the newer models use 3802 for the variant coding submenu. Changes on that screen can be dangerous and will wipe presets and saved devices.

I got my pm3 easy yesterday and did some scans. I’m pretty into tech but new to the RFID tinkering; if anyone has some suggestions, I’m open to them.


Here’s the data I’ve scanned so far:

hf search

[+] UID: 95 D1 A3 15
[+] ATQA: 00 04
[+] SAK: 28 [1]
[+] Possible types:
[+] SmartMX with MIFARE Classic 1K
[=] -------------------------- ATS --------------------------
[+] ATS: 0C 78 80 B0 02 73 C8 40 00 00 90 00 [ e5 00 ]
[=] 0c… TL length is 12 bytes
[=] 78… T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
[=] 80… TA1 different divisors are NOT supported, DR: , DS:
[=] B0… TB1 SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 11 (FWT = 8388608/fc)
[=] 02… TC1 NAD is NOT supported, CID is supported

[=] -------------------- Historical bytes --------------------
[+] 73C84000009000

[+] Prng detection: hard
[#] Auth error

hf mf chk

[=] No key specified, trying default keys
*Default keys omitted for brevity*
[=] Start check for keys…
[=] …
[=] time in checkkeys 3 seconds

[=] testing to read key B…

[+] found keys:

[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 001 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 002 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 003 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 004 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 005 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 006 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 007 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 008 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 009 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 010 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 011 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 012 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 013 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 014 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 015 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success )

hf 14a sniff
Engine Start (Before Un-pairing NFC card to car)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
       2244 |       4612 | Tag |04  00                                                                   |     | 
     542048 |     544512 | Rdr |93  20                                                                   |     | ANTICOLL
     545700 |     547044 | Tag |95  01                                                                   |     | 
     674592 |     685056 | Rdr |93  70  95  d1  a3  15  f2  19  fa                                       |  ok | SELECT_UID
     686308 |     689828 | Tag |28  b4  fc                                                               |     | 
     810736 |     821200 | Rdr |93  70  95  d1  a3  15  f2  19  fa                                       |  ok | SELECT_UID
    1491024 |    1492080 | Rdr |26(7)                                                                    |     | REQA
    1493268 |    1495636 | Tag |04  00                                                                   |     | 
    2033600 |    2036064 | Rdr |93  20                                                                   |     | ANTICOLL
    2037252 |    2043140 | Tag |95  d1  a3  15  f2                                                       |     | 
    2167168 |    2177632 | Rdr |93  70  95  d1  a3  15  f2  19  fa                                       |  ok | SELECT_UID
    2178884 |    2182404 | Tag |28  b4  fc                                                               |     | 
    2854976 |    2859744 | Rdr |e0  60  3f  94                                                           |  ok | RATS
    2861828 |    2878084 | Tag |0c  78  80  b0  02  73  c8  40  00  00  90  00  6d  e5                   |  ok | 
    3398560 |    3420608 | Rdr |02  00  a4  04  00  0a  a0  00  00  03  50  43  4b  01  01  01  00  c3   |     | 
            |            |     |9b                                                                       |  ok | 
    3565652 |    3586516 | Tag |02  34  33  41  e8  7f  76  f4  bc  f2  d1  52  00  00  90  00  5d  c2   |  ok | 
    4906320 |    4959472 | Rdr |03  90  7c  01  00  25  63  33  01  b0  35  20  73  dd  3c  ca  cd  bd   |     | 
            |            |     |f4  85  9b  0f  04  80  c0  e4  bf  9c  d7  9a  be  d4  a4  a6  00  d9   |     | 
            |            |     |9c  fd  1d  28  bb  00  00  00  a0  58                                   |  ok | 
    5507300 |    5507300 | Tag |03  34  36  41  e8  7f  76  f4  bc  f2  d1  52  32  8e  40  b0  2a  71   |     | 
            |            |     |72  aa  f9  38  41  4c  71  b6  e6  e4  f1  ef  e2  8f  83  62  84  0f   |     | 
            |            |     |73  f0  eb  d5  fe  0d  32  f6  7d  75  44  2b  f0  0c  8e  cf  f9  0a   |     | 
            |            |     |0e  df  e1  3e  f3  4e  88  d5  5d  1e  5b  90  00  76  d6               |  ok | 
    7222176 |    7238464 | Rdr |02  90  7c  01  00  05  63  36  01  00  00  00  ae  f8                   |  ok | 
    7282644 |    7293076 | Tag |02  34  37  00  00  90  00  b0  9a                                       |  ok | 
    8176608 |    8180160 | Rdr |c2  e0  b4                                                               |  ok | 
    8183972 |    8187492 | Tag |c2  e0  b4                                                               |     |


Re-pairing NFC Card to Car

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
       3060 |       4532 | Tag |ff  03!                                                                  |     | 
     551776 |     554240 | Rdr |93  20                                                                   |     | ANTICOLL
     556580 |     561316 | Tag |d1  a3  15  f2                                                           |     | 
     684928 |     695392 | Rdr |93  70  95  d1  a3  15  f2  19  fa                                       |  ok | SELECT_UID
     699444 |     700148 | Tag |1f(4)                                                                    |     | 
    1359232 |    1364000 | Rdr |e0  60  3f  94                                                           |  ok | RATS
    1366084 |    1367300 | Tag |0c                                                                       |     | 
    1917264 |    1939312 | Rdr |02  00  a4  04  00  0a  a0  00  00  03  50  43  4b  01  01  01  00  c3   |     | 
            |            |     |9b                                                                       |  ok | 
    2082052 |    2084676 | Tag |02  34  03!                                                              |     | 
    2099220 |    2099412 | Tag |01(0)                                                                    |     | 
    3451120 |    3504208 | Rdr |03  90  7c  01  00  25  63  33  10  ab  7c  8f  c2  50  0c  2c  5a  1f   |     | 
            |            |     |9f  70  4c  cd  0a  10  a3  8e  26  bf  b5  a8  ce  38  14  f3  ca  5e   |     | 
            |            |     |2d  87  a3  6c  95  00  00  00  1c  ff                                   |  ok | 
    4000004 |    4006724 | Tag |03  34  34  21  28  71!                                                  | !crc| 
    4041108 |    4046228 | Tag |84! 06! 7c  ef  01                                                       |     | 
    9368256 |    9368256 | Rdr |02  90  7c  01  00  6a  63  34  01  60  ed  ed  a7  6a  0b  93  a2  6f   |     | 
            |            |     |51  2f  6a  a8  3e  04  f9  32  1f  04  7b  29  da  1a  18  0b  b1  ee   |     | 
            |            |     |38  41  f2  06  2a  fa  9b  c0  2c  aa  ae  b3  95  20  73  58  b8  18   |     | 
            |            |     |e7  73  11  e7  e6  4f  e7  0d  c7  98  9b  e3  db  b6  a6  65  9e  2b   |     | 
            |            |     |87  a4  34  d2  8e  a6  aa  e0  5b  3d  de  4f  17  95  95  c1  26  20   |     | 
            |            |     |e7  bf  3d  7d  61  2c  af  13  f7  e5  0e  6c  a3  37  60  cd  72  85   |     | 
            |            |     |f7  36  00  00  00  15  03                                               |  ok | 
   10321504 |   10322560 | Rdr |00(7)                                                                    |     | 
   10325856 |   10326784 | Rdr |00(6)                                                                    |     | 
   10327648 |   10329088 | Rdr |02  00!                                                                  |     | 
   11413344 |   11416896 | Rdr |c2  e0  b4                                                               |  ok | 

Engine Start (After re-pairing NFC Card to car)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
       2244 |       4612 | Tag |04  00                                                                   |     | 
     545968 |     548432 | Rdr |93  20                                                                   |     | ANTICOLL
     551584 |     552640 | Rdr |0f(7)                                                                    |     | 
     554656 |     555456 | Rdr |0e(5)                                                                    |     | 
     674608 |     685072 | Rdr |93  70  95  d1  a3  15  f2  19  fa                                       |  ok | SELECT_UID
    1363376 |    1368144 | Rdr |e0  60  3f  94                                                           |  ok | RATS
    1370228 |    1374772 | Tag |0c  78  80  b0                                                           |     | 
    1375264 |    1377600 | Rdr |40  06!                                                                  |     | MAGIC WUPC1
    1379360 |    1380544 | Rdr |00!                                                                      |     | 
    1381920 |    1382336 | Rdr |00(2)                                                                    |     | 
    1385956 |    1386276 | Tag |03(1)                                                                    |     | 
    1920832 |    1942880 | Rdr |02  00  a4  04  00  0a  a0  00  00  03  50  43  4b  01  01  01  00  c3   |     | 
            |            |     |9b                                                                       |  ok | 
    2089204 |    2092340 | Tag |02  34  33!                                                              |     | 
    2095008 |    2096704 | Rdr |4f  02                                                                   |     | 
    2103332 |    2104036 | Tag |1f(4)                                                                    |     | 
    2106916 |    2107620 | Tag |1f(4)                                                                    |     | 
    3550384 |    3603472 | Rdr |03  90  7c  01  00  25  63  33  01  95  7f  06  ee  1a  85  b0  07  9f   |     | 
            |            |     |db  2b  7f  ea  c6  eb  48  4f  d1  bf  15  81  2f  45  a6  b6  64  25   |     | 
            |            |     |0b  d2  17  37  4a  00  00  00  47  d1                                   |  ok | 
    4156100 |    4159748 | Tag |03  34  36  01                                                           |     | 
    4161904 |    4163600 | Rdr |4f  02                                                                   |     | 
    4174516 |    4181364 | Tag |23  66  08  32  49  e0                                                   | !crc| 
    4195700 |    4196020 | Tag |03(1)                                                                    |     | 
    4216628 |    4223988 | Tag |a3! db! c5! ae  f8! 0f! 04                                               | !crc| 
    4227252 |    4227444 | Tag |01(0)                                                                    |     | 
    4234996 |    4235188 | Tag |01(0)                                                                    |     | 
    5649664 |    5665952 | Rdr |02  90  7c  01  00  05  63  36  01  00  00  00  ae  f8                   |  ok | 
    5710404 |    5712004 | Tag |02  04                                                                   |     | 
    6754544 |    6758096 | Rdr |c2  e0  b4                                                               |  ok | 
    6763956 |    6765428 | Tag |d1! 03!                                                                  |     | 

Bonus points to you for a super tidy post :+1:

I suspect this is unlikely.

I will begin work on these scans. I see the sniff you sent has unlock as well.

EDIT: what the fuck. I think the response length byte the reader uses is in decimal… is this fucking amateur hour?

Alright, I’ve managed to work out the basic command structure, thankfully engine starts and door unlocks seem the same. I’m waiting on another pairing read - it got mangled as proxmark sniffs can do.

EDIT 2: I’ve uploaded some details to the GitHub for hyundai-keycard, based on the data I was able to collect out of the sniffs provided by @JamesRy - 32 bytes input, 53 bytes output - I suspect it’s a 48 byte output with 5 bytes of random padding provided by the card - this would make it an EC384 based asymmetric keypair, which makes a fair bit of sense.
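
One way to separate usable frames from mangled ones in sniffs like those above before counting bytes, as an added example that is not part of the thread or of the hyundai-keycard repository: it reassembles the multi-row frames, verifies CRC_A, and splits the ISO-DEP I-blocks into command and response fields. The field names are the generic ISO/IEC 7816-4 ones (an assumption, not Hyundai's naming), and only unchained I-blocks without CID/NAD are handled.

```python
import re

# Rows copied from the "Engine Start (Before Un-pairing ...)" sniff on this page
# (whitespace condensed); the last row is a mangled frame from the re-pairing sniff.
SAMPLE = """\
3398560 | 3420608 | Rdr |02 00 a4 04 00 0a a0 00 00 03 50 43 4b 01 01 01 00 c3 |     |
        |         |     |9b                                                    |  ok |
3565652 | 3586516 | Tag |02 34 33 41 e8 7f 76 f4 bc f2 d1 52 00 00 90 00 5d c2 |  ok |
4906320 | 4959472 | Rdr |03 90 7c 01 00 25 63 33 01 b0 35 20 73 dd 3c ca cd bd |     |
        |         |     |f4 85 9b 0f 04 80 c0 e4 bf 9c d7 9a be d4 a4 a6 00 d9 |     |
        |         |     |9c fd 1d 28 bb 00 00 00 a0 58                         |  ok |
5507300 | 5507300 | Tag |03 34 36 41 e8 7f 76 f4 bc f2 d1 52 32 8e 40 b0 2a 71 |     |
        |         |     |72 aa f9 38 41 4c 71 b6 e6 e4 f1 ef e2 8f 83 62 84 0f |     |
        |         |     |73 f0 eb d5 fe 0d 32 f6 7d 75 44 2b f0 0c 8e cf f9 0a |     |
        |         |     |0e df e1 3e f3 4e 88 d5 5d 1e 5b 90 00 76 d6          |  ok |
4000004 | 4006724 | Tag |03 34 34 21 28 71!                                    | !crc|
"""

TOKEN = re.compile(r"([0-9a-f]{2})(!|\(\d\))?")  # byte, optional parity/partial mark

def crc_a(data):
    """ISO/IEC 14443-3 CRC_A, in transmission order (low byte first)."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def frames(trace):
    """Reassemble table rows into [src, bytes, clean]; continuation rows have no Src."""
    out = []
    for row in trace.splitlines():
        cols = [c.strip() for c in row.split("|")]
        toks = [TOKEN.fullmatch(t) for t in cols[3].split()] if len(cols) >= 5 else []
        if not toks or None in toks:
            continue  # header, ruler or non-hex row
        data = bytes(int(m.group(1), 16) for m in toks)
        clean = all(m.group(2) is None for m in toks)
        if cols[2]:
            out.append([cols[2], data, clean])
        elif out:
            out[-1][1] += data
            out[-1][2] = out[-1][2] and clean
    return out

def apdus(trace):
    """Decode unchained I-blocks (PCB 0x02/0x03, no CID/NAD) whose CRC_A verifies."""
    out = []
    for src, raw, clean in frames(trace):
        if not clean or len(raw) < 5 or crc_a(raw[:-2]) != raw[-2:]:
            continue  # mangled capture: never interpret these bytes
        if raw[0] & 0xFE != 0x02:
            continue  # REQA, anticollision, RATS, S-blocks
        body = raw[1:-2]
        if src == "Rdr" and len(body) >= 4:  # CLA INS P1 P2 [Lc data] [Le]
            rest = body[4:]
            lc = rest[0] if len(rest) > 1 else 0
            out.append({"src": src, "ins": body[1], "lc": lc,
                        "data": rest[1:1 + lc] if lc else b"",
                        "le": rest[1 + lc:] if lc else rest})
        elif src == "Tag":                   # data then SW1 SW2
            out.append({"src": src, "data": body[:-2], "sw": body[-2:].hex()})
    return out

if __name__ == "__main__":
    for a in apdus(SAMPLE):
        print(a["src"], hex(a["ins"]) if "ins" in a else a["sw"], len(a["data"]), "data bytes")
```

On these rows the `7c` command carries 37 data bytes, which is 32 bytes once the leading `63 33 01` and trailing `00 00` are set aside, and the response carries 64 data bytes, 53 of which follow an 11-byte prefix whose last 9 bytes repeat from the SELECT response. The parity-flagged frame from the re-pairing sniff is dropped rather than decoded.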