You can pair the NFC card in the vehicle without the app. My experience is with the US models, it’s possible this varies by market.
Models with navigation use the vehicle settings section on the radio to enter pairing mode. Models without navigation use steering wheel controls to enter the pairing mode on the digital cluster. Once you’re in pairing mode you place the NFC card on the wireless charger to pair.
I have a 23 Hyundai Tucson and an NFC card. I ordered a proxmark3 easy, arriving on Tuesday. Happy to help out, would be great to get this working.
I’d be a little worried about the viability of an implant. The NFC card needs to have contact with the door handle in order to read and unlock the car. I’m not sure if this is a limitation of the NFC antenna in the door or some limitation with the NFC card. When I scanned my card with my iPhone I needed to scan the card edge while making contact with the card.
If cloning this became possible, I’d be up to do an implant and see how it reads.
Edit for clarity: The NFC card cannot be read through a plastic card holder. It needs to be directly on the door handle.
Sounds like the cards are quite garbage. That’s surprising. If they truly did put the reader into the door handle itself, then it might not be well suited for reading large cards actually. They might actually be much better suited for reading transponders with smaller antennas that fit better within the magnetic field it generates. I’m super curious about this whole situation.
Actually come to think of it, they might have done this on purpose. If you have to make contact with the card then it should in theory protect against key card sniffing through wallets and back pockets.
Huh, so I finally got around to pairing the card with my car (Ioniq 5 Limited) and ran another Full Taginfo. Running a compare in Notepad++ showed me no change (except for the scan date at the top).
It took almost no time to add, so I suspect it’s not installing anything, just registering existing info on the card. Is it possible they’re installing a Javacard app and/or private key on these from the factory instead of at pairing-time? When I messed around with my Fidesmo card in the past, I recall it taking a while to install an app and I think it changed its Taginfo behavior?
What card type does TagInfo show? TagInfo only reads the card information and NDEF, at least on iOS.
If it’s a smart card with a javacard app on it, you won’t see a change.
@ZeGerman I uploaded the TagInfo dump from an Android phone above
I was expecting the car to install a new app to the list. I imagine “Visa Card Manager” is one of the currently installed JavaCard/Global Platform apps? Maybe that’s involved in the current Authorization process without any new install needed?
Nah, it can only find apps it knows about - ones with “known” AIDs. Anyway, most devices don’t install apps in the field - Apex is the outlier here.
Edit: I called Hyundai locally and they don’t have stock of this in Australia - but were happy to chat to me about it. Parts guy had heard of the Tesla implant and thought it was a cool idea, and thought Hyundai Head Office might send me one to test with!
Well, this is great news. Once you receive your PM3 easy, send me a message and we’ll start data collection. Ideally we will get you some kind of unlocked javacard as well so I can have you test applets.
Regarding talking to Hyundai’s head office…
Looking at the CCC Board page, I wonder if it’d be a good or bad idea to try reaching out to Scott Bone. He’s the primary board member from Hyundai’s side, as well as a Product Engineering Manager (and was a Senior Engineer before that) at Hyundai Kia America Tech Center. If anyone would know what’s going on w/ the JavaCard comms, or at least know who does, I imagine it’d be him.
From his LinkedIn, I find this:
Lead and manage a cross-functional engineering team responsible for validation of hardware, software & systems related to ADAS and Digital Key Validation.
Would be interesting to see if he’s willing to talk, might be under an NDA. It might be best to refer to the CCC specs that are available online during the discussion and ask some probing questions not specific to the Hyundai brand.
Hyundai currently has a lot of bad press because they didn’t put immobilizers in their lower trim cars, anyone could copy a key or jam a screwdriver in there and steal a car. I wonder if being too specific would throw up some red flags. I’m sure they want to protect their security platform, it would be a bad look if the cards were clonable.
I used to work with a US dealer group and had access to Hyundai’s dealer-facing OEM portals. Information on digital keys is almost nonexistent. It’s the same info you’d find in the owner’s manual.
The only thing that was mentioned in their guides is the procedure to activate the Identity Authentication Module (IAM) before a digital key could be paired. Most cars came activated and the steps involved their diagnostic system, it’s all completed by the software.
Any troubleshooting that couldn’t be resolved using basic tests involved installing a replacement and then shipping the old unit back to Hyundai.
I’ll see if I can get an old contact to check for any updated information. I doubt it’ll turn up anything beneficial, they’re very closed-lipped about the whole thing.
They’ve also switched to a newer CCC digital key spec on the 2023 models.
As a rule, what we’re doing isn’t a card clone. That’s why they use JavaCard, as the card can generate an on-chip keypair and then pair that with the car, and that’s a remarkably secure way to do it as the secret is near impossible to extract when the card is sufficiently hardened (and most are as a matter of course).
Yeah! Someone probably copied it straight from stackoverflow, slapped a logo on it and called it a day. Unbelievable.
Side note: in case anyone wants it, the newer models use 3802 for the variant coding submenu. Changes on that screen can be dangerous and will wipe presets and saved devices.
I got my pm3 easy yesterday and did some scans. I’m pretty into tech but new to RFID tinkering, if anyone has some suggestions I’m open to them.
Here’s the data I’ve scanned so far:
hf search
[+] UID: 95 D1 A3 15
[+] ATQA: 00 04
[+] SAK: 28 [1]
[+] Possible types:
[+] SmartMX with MIFARE Classic 1K
[=] -------------------------- ATS --------------------------
[+] ATS: 0C 78 80 B0 02 73 C8 40 00 00 90 00 [ e5 00 ]
[=] 0c… TL length is 12 bytes
[=] 78… T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
[=] 80… TA1 different divisors are NOT supported, DR: , DS:
[=] B0… TB1 SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 11 (FWT = 8388608/fc)
[=] 02… TC1 NAD is NOT supported, CID is supported
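To make sense of the ATS lines the proxmark printed above, here is a small ISO/IEC 14443-4 ATS decoder. It is an added example written for this thread, not code from the proxmark client or from the hyundai-keycard repo; it takes the ATS bytes exactly as `hf search` prints them (TL first, CRC already stripped) and recovers the same FSC, FWI/FWT, SFGI, NAD/CID and historical-byte fields, so the reader can check the tool’s interpretation for any card. The default values it applies when T0 or an interface byte is absent are the ones from the standard.

```go
package main

import (
	"errors"
	"fmt"
)

// ATS holds the fields decoded from an ISO/IEC 14443-4 Answer To Select.
type ATS struct {
	TL                     int    // length byte (counts itself)
	FSCI, FSC              int    // frame size for proximity card: code and bytes
	HasTA1, HasTB1, HasTC1 bool   // which interface bytes T0 announced
	SameDivisorsOnly       bool   // TA1 bit 8: card needs the same divisor in both directions
	DR, DS                 []int  // bit-rate divisors supported PCD->PICC and PICC->PCD
	FWI, SFGI              int    // frame waiting / start-up frame guard integers
	FWTCycles              int    // FWT in carrier cycles (units of 1/fc)
	SFGTCycles             int    // 0 means no start-up guard time is needed
	NADSupported           bool   // TC1 bit 1
	CIDSupported           bool   // TC1 bit 2
	Historical             []byte // T1..Tk, proprietary to the card OS
}

// fsciToFSC maps FSCI codes 0..8 to the maximum frame size in bytes;
// higher codes are RFU and are treated as 256 (the largest legal value).
var fsciToFSC = [...]int{16, 24, 32, 40, 48, 64, 96, 128, 256}

// divisors expands a 3-bit field from TA1 into the divisors it advertises (D=2,4,8).
func divisors(bits byte) []int {
	var out []int
	for i, d := range []int{2, 4, 8} {
		if bits&(1<<uint(i)) != 0 {
			out = append(out, d)
		}
	}
	return out
}

// ParseATS decodes a raw ATS and reports truncation instead of reading past the end.
func ParseATS(raw []byte) (*ATS, error) {
	if len(raw) == 0 {
		return nil, errors.New("empty ATS")
	}
	a := &ATS{TL: int(raw[0])}
	if a.TL != len(raw) {
		return nil, fmt.Errorf("TL announces %d bytes but %d were given", a.TL, len(raw))
	}
	// Defaults from the standard for when T0 / TB1 are absent: FSCI 2 (32 bytes), FWI 4.
	a.FSCI, a.FSC, a.FWI, a.FWTCycles = 2, 32, 4, 4096<<4
	if a.TL == 1 {
		return a, nil
	}
	t0 := raw[1]
	a.FSCI = int(t0 & 0x0F)
	a.FSC = 256
	if a.FSCI < len(fsciToFSC) {
		a.FSC = fsciToFSC[a.FSCI]
	}
	pos := 2
	next := func(name string) (byte, error) {
		if pos >= len(raw) {
			return 0, fmt.Errorf("T0 announces %s but the ATS ends early", name)
		}
		b := raw[pos]
		pos++
		return b, nil
	}
	if t0&0x10 != 0 { // TA1: bit-rate capabilities
		ta, err := next("TA1")
		if err != nil {
			return nil, err
		}
		a.HasTA1 = true
		a.SameDivisorsOnly = ta&0x80 != 0
		a.DS = divisors((ta >> 4) & 0x07)
		a.DR = divisors(ta & 0x07)
	}
	if t0&0x20 != 0 { // TB1: FWI in the high nibble, SFGI in the low nibble
		tb, err := next("TB1")
		if err != nil {
			return nil, err
		}
		a.HasTB1 = true
		a.FWI = int(tb >> 4)
		a.SFGI = int(tb & 0x0F)
		a.FWTCycles = 4096 << uint(a.FWI) // (256 * 16 / fc) * 2^FWI
		if a.SFGI > 0 {
			a.SFGTCycles = 4096 << uint(a.SFGI)
		}
	}
	if t0&0x40 != 0 { // TC1: protocol options
		tc, err := next("TC1")
		if err != nil {
			return nil, err
		}
		a.HasTC1 = true
		a.NADSupported = tc&0x01 != 0
		a.CIDSupported = tc&0x02 != 0
	}
	a.Historical = raw[pos:]
	return a, nil
}

func main() {
	// Sample input: the ATS bytes from the hf search output in this thread.
	raw := []byte{0x0C, 0x78, 0x80, 0xB0, 0x02, 0x73, 0xC8, 0x40, 0x00, 0x00, 0x90, 0x00}
	a, err := ParseATS(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("FSC=%d FWI=%d (FWT=%d/fc) SFGI=%d NAD=%v CID=%v same-divisors=%v hist=% X\n",
		a.FSC, a.FWI, a.FWTCycles, a.SFGI, a.NADSupported, a.CIDSupported, a.SameDivisorsOnly, a.Historical)
}
```

Run it as-is and the summary line should agree with the proxmark output above (FSC 256, FWI 11 giving 8388608/fc, no NAD, CID supported, seven historical bytes); the historical bytes are where card-OS-specific information lives, which is why TagInfo and the proxmark disagree on how much they can tell you about the card.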
I will begin work on these scans. I see the sniff you sent has unlock as well.
EDIT: what the fuck. I think the response length byte the reader uses is in decimal… is this fucking amateur hour?
Alright, I’ve managed to work out the basic command structure, thankfully engine starts and door unlocks seem the same. I’m waiting on another pairing read - it got mangled as proxmark sniffs can do.
EDIT 2: I’ve uploaded some details to the GitHub for hyundai-keycard, based on the data I was able to collect out of the sniffs provided by @JamesRy - 32 bytes input, 53 bytes output - I suspect it’s a 48 byte output with 5 bytes of random padding provided by the card - this would make it an EC384-based asymmetric keypair, which makes a fair bit of sense.
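For anyone new to why “this isn’t a card clone” (the JavaCard point made earlier in the thread) and what a 32-byte challenge to a P-384 keypair would look like, here is a minimal model of the pairing and unlock exchange. It is an added example for this thread, not the hyundai-keycard code and not Hyundai’s or the CCC’s actual protocol: the digest (SHA-384), the ASN.1 ECDSA signature encoding, the `card-A` identifier and the 32-byte challenge length are all assumptions, the last chosen only to mirror the input size seen in the sniffs. What it does show is the property that matters: the car only ever holds the public key, every unlock uses a fresh nonce, and a second card that copies every readable byte but has its own private key is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// challengeLen is an assumption that mirrors the 32-byte input seen in the sniffs.
const challengeLen = 32

// Card stands in for the JavaCard applet: the P-384 private key is generated on the
// card and never leaves it; the only operation exposed is signing a challenge.
type Card struct {
	priv *ecdsa.PrivateKey
}

// NewCard generates the on-chip keypair (what a real card does at personalisation).
func NewCard() (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv}, nil
}

// PublicKey is the only key material the card exports; it goes to the car at pairing.
func (c *Card) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Respond signs the SHA-384 digest of the challenge (digest and encoding are assumptions).
func (c *Card) Respond(challenge []byte) ([]byte, error) {
	if len(challenge) != challengeLen {
		return nil, errors.New("unexpected challenge length")
	}
	digest := sha512.Sum384(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Vehicle keeps the public keys of paired cards and issues fresh random challenges.
type Vehicle struct {
	paired map[string]*ecdsa.PublicKey
}

func NewVehicle() *Vehicle { return &Vehicle{paired: map[string]*ecdsa.PublicKey{}} }

// Pair records a card's public key under an identifier (a constructed label here).
func (v *Vehicle) Pair(id string, pub *ecdsa.PublicKey) { v.paired[id] = pub }

// Challenge draws a fresh nonce for every attempt, so an old response cannot be replayed.
func (v *Vehicle) Challenge() ([]byte, error) {
	nonce := make([]byte, challengeLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify accepts the response only if it is a valid signature over this exact
// challenge by the key that was paired under id.
func (v *Vehicle) Verify(id string, challenge, response []byte) bool {
	pub, ok := v.paired[id]
	if !ok {
		return false
	}
	digest := sha512.Sum384(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], response)
}

// Unlock runs one complete round trip and reports whether the car would open.
func Unlock(v *Vehicle, id string, c *Card) (bool, error) {
	ch, err := v.Challenge()
	if err != nil {
		return false, err
	}
	resp, err := c.Respond(ch)
	if err != nil {
		return false, err
	}
	return v.Verify(id, ch, resp), nil
}

func main() {
	genuine, _ := NewCard()
	copycat, _ := NewCard() // presents the same id but holds a different private key
	car := NewVehicle()
	car.Pair("card-A", genuine.PublicKey())
	ok, _ := Unlock(car, "card-A", genuine)
	fake, _ := Unlock(car, "card-A", copycat)
	fmt.Println("genuine card accepted:", ok, " same-id card with other key accepted:", fake)
}
```

Note that a P-384 ECDSA signature is 96 bytes of r||s (more with ASN.1 framing), so the 53-byte response seen in the sniffs does not fit a plain signature; the model above is deliberately generic and the real applet’s response format remains to be worked out from the captures.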