Hyundai NFC Key Card

Loving this live dev log! It’s so interesting to see how the cake is made.

2 Likes

Can’t get the Hyundai updater software to bloody run. Very annoying.

Edit: turns out there’s maintenance today. Urgh.

Edit 2: Turns out I managed to find the Digital Key Spec v3 on the CCC website.

Edit 3: Very informative it may be, but I don’t think the CCC spec is how the key is interfacing with the car.

2 Likes

Do you just need the update package? Hyundai took down a lot of their update tools/packages for “maintenance” after the infotainment system post got out.

Their display audio non-navigation updates are usually put out through an online zip download instead of the updater. The updater just checks a VIN, finds the latest update and unzips it to a flash drive. Last week you could use the direct link to the zip; it seems like they removed it from their AWS and placed a small invalid zip in its place.

I saved a zip of the 22 Tucson (NX4) update package, I’ll link it here.

https://f002.backblazeb2.com/file/public-file-store/2022-tucson-nx4-update-package.zip

I’d love to see what software the car’s identity authentication module is running. Maybe I can find one at a salvage yard for cheap and open it up, might be possible to dump the firmware.

I’m going to see about getting my hands on equipment to sniff the CAN bus traffic and see what’s being passed to the module when a pairing request is initiated.

I’ve been spending most of the evening trying to decompile the libmfjava.so - and the current step is trying to get the dynamic linker to fire up while Frida watches for JNI calls. Not easy. First on an emulator, then on an ARM emulator, and now on an NVIDIA Jetson dev board I have sitting here that can somehow run LineageOS - sorta. It’s crashlooping systemUI, ffs.

If it helps, I can upload the latest (April) nav update package for the Ioniq 5, it’s a hefty boy though, nearly 32GB! I’d need to find a place online that’d host it! :sweat_smile:

Here’s a link to a Google Drive upload someone posted for the Ioniq 5 back in April.

https://f002.backblazeb2.com/file/public-file-store/ionic-5-update-package.zip

Ooh nice, that’s almost certainly what mine is as well!

FYI, I am pulling these down and putting them up on Backblaze B2 so they don’t get lost… links to follow.

1 Like

Did you try Ghidra? Trying to decompile as in decompilation fails, or as in you can’t understand the garbage it produces yet? If there’s something I can help with lmk.

Honestly at this point, who knows… it might actually!

Yeah, I’m using Ghidra. Can’t understand the nonsense as I never learned assembly.

Like I said, trying to resolve the dynamic linking for the Java Native Interface - it appears whoever built this didn’t want it disassembled.

Edit: Now I’m building Lineage from source.

1 Like

Hm, the pseudocode from Ghidra’s decompiler should at least be a bit better than plain asm,
but I see.

It’s unfortunately not very easy to decomp, it appears. It is a little better, but until I have JNI entrypoints I’m blind.

Edit: After fighting for a good 36 hours, trying to get the Lineage source to build, it’s finally doing so. It’s bloody hammering my 3970x though. Turns out WSL2 has severe mounted local Windows disk bottlenecking and the whole NTFS case sensitivity thing caused further problems that required a whole source re-download onto the internal storage of WSL2.

3 Likes

Keep up the fine work friend! :clap:t2:

2 Likes

I hate to revive a months-old thread, but wanted to know if we hit a wall with this development or if the conversation moved elsewhere.

Appreciate the work that’s been done and documented so far.

Sorry to dig up this thread. Is a conversion possible?

Yeah, looks like it.

Maybe? I’ve not seen one of the cards yet… though it looks like the chip is an Infineon… odd capacitance… probably an odd package type as well… no idea until I get one to play with.

no idea until I get one to play with

Hell, more than happy to buy and ship one your way if you want! I know I started this post, but my knowledge around reverse-engineering an app/card like this is pretty low.

Also, I think one of the challenges with this particular use-case is that the internal reader is particularly inconvenient to use if this is an implant, since you have to put the card into a little cubby in the center console, but also press the start button at the same time. You could probably use your left hand for the latter, but it’s a bit of a stretch. :confused:

Personally I probably wouldn’t implant one, but I just want a different form-factor than the card.

Yeah I plan to get an Ioniq 6 and it seems like I’ll end up using my phone.