Gone in 360 seconds: Hitag2 attack implementation

Despite being fairly well trained in the microcontroller / WiFi world, I am new to the broader radio world. And I just received the FZ.

As a training exercise, I'd like to duplicate my car key, which many locksmiths have failed to duplicate and which is now my last key.

I am not talking about the fob, the sub-GHz remote open/close. I am interested in the passive RFID chip inside the key that unlocks the engine immobilizer when you insert the key to start the engine.

The car is from 2002, no keyless autostart or other fancy stuff, just the basic immobilizer using RFID.

It seems that the vast majority of vehicles from this period use NXP Hitag2 chips.

It's a 125 kHz RFID chip with an internal cipher.

First, the key ID is known to the car.
Then there is some encrypted challenge taking place which makes the identification secure and not easy to clone.

But here is a paper from Verdult / Garcia / Balasch explaining how Hitag2 works, the vulnerabilities they discovered, and attack methods to clone a Hitag2 transponder and spoof it to a car:

There are 3 different methods and multiple steps to achieve it. The authors use a Proxmark III and a microcontroller to achieve the hack, so I suspect it could be implemented on an FZ. Am I right?
If so, it seems a good exercise to learn how to tweak the FZ.

Let's see.

First, it seems that the car will send an authentication request message to the transponder, which should answer back with its unencrypted ID.

Could you point me to resources to help me achieve this first step?

The stock firmware only allows reading common passive tags like Mifare UIDs. A Hitag2 will not answer such a basic read request. It needs to receive a specific authentication command: "11000" according to the paper.

Two options I could see to extract the transponder ID:

  1. simulate the car reader using the 125 kHz module on the FZ: send the authentication message 11000 and listen for the transponder response.

  2. get in the car, insert the key, and sniff everything on 125 kHz using the FZ.

Could you point me to how to achieve one and/or the other?

Thanks!
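For anyone following the thread who wants to see what the "11000" exchange actually carries, here is an added example (my own code, not from the original post, the paper, or the Flipper or Proxmark firmware). It implements the Hitag2 stream cipher as published (48-bit LFSR with the fixed feedback taps, and the 20-input filter function built from the three public truth tables f_a, f_b, f_c) and walks the authentication round trip: the reader sends the 5-bit START_AUTH command 11000, the tag answers its 32-bit ID in the clear, the reader sends a 32-bit IV plus aR (0xFFFFFFFF encrypted with the first 32 keystream bits), and the tag, if aR decrypts to all ones, replies with its page 3 (config byte and pwd_TAG) encrypted with the next 32 keystream bits. The key, ID, IV and page-3 values are constructed test data, not from any real vehicle, and the function names are mine. The last function is the check a sniffer needs: given a captured {id, iv, aR}, does a candidate key explain the trace?

```c
/* Added example: Hitag2 cipher + authentication handshake (not code from the
 * forum post, the paper, or the Flipper firmware). Key/id/iv/page3 values
 * below are constructed test data, not from any real vehicle. */
#include <stdint.h>
#include <stdio.h>

#define HT2_START_AUTH 0x18u  /* the 5-bit command 11000 the reader sends first */

/* Truth tables of the filter function's Boolean components (public constants). */
static const uint32_t HT2_FA = 0x2C79u;      /* 4 inputs -> 1 bit */
static const uint32_t HT2_FB = 0x6671u;      /* 4 inputs -> 1 bit */
static const uint32_t HT2_FC = 0x7907287Bu;  /* 5 inputs -> 1 bit */

/* Pack state bits a,b,c,d into a 4-bit table index. */
static uint32_t i4(uint64_t x, int a, int b, int c, int d) {
    return (uint32_t)(((x >> a) & 1) | (((x >> b) & 1) << 1) |
                      (((x >> c) & 1) << 2) | (((x >> d) & 1) << 3));
}

/* Nonlinear filter f: 20 taps of the 48-bit state -> one keystream bit. */
static uint32_t f20(uint64_t x) {
    uint32_t i5 = (((HT2_FA >> i4(x, 1, 2, 4, 5)) & 1) << 0)
                | (((HT2_FB >> i4(x, 7, 11, 13, 14)) & 1) << 1)
                | (((HT2_FB >> i4(x, 16, 20, 22, 25)) & 1) << 2)
                | (((HT2_FB >> i4(x, 27, 28, 30, 32)) & 1) << 3)
                | (((HT2_FA >> i4(x, 33, 42, 43, 45)) & 1) << 4);
    return (HT2_FC >> i5) & 1;
}

/* Initialisation: load key[0..15] || id, then 32 rounds that shift in
 * iv[i] ^ key[16+i] ^ f(state) as the new high bit. */
static uint64_t hitag2_init(uint64_t key, uint32_t id, uint32_t iv) {
    uint64_t x = ((key & 0xFFFFu) << 32) | id;
    for (int i = 0; i < 32; i++) {
        x >>= 1;
        uint32_t in = ((iv >> i) ^ (uint32_t)(key >> (i + 16))) & 1;
        x |= (uint64_t)(f20(x) ^ in) << 47;
    }
    return x;
}

/* One LFSR step (feedback taps 0,2,3,6,7,8,16,22,23,26,30,41,42,43,46,47),
 * returning the keystream bit produced from the new state. */
static uint32_t hitag2_round(uint64_t *state) {
    uint64_t x = *state;
    uint64_t fb = (x ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8) ^
                   (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30) ^
                   (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47)) & 1;
    x = (x >> 1) | (fb << 47);
    *state = x;
    return f20(x);
}

/* Next 32 keystream bits, first generated bit in the MSB. */
static uint32_t hitag2_word(uint64_t *state) {
    uint32_t w = 0;
    for (int i = 0; i < 32; i++) w = (w << 1) | hitag2_round(state);
    return w;
}

typedef struct { uint32_t iv; uint32_t ar; } ht2_reader_auth;

/* Reader: having received the id, answer with {iv}{aR},
 * aR = 0xFFFFFFFF encrypted under the first keystream word. */
static ht2_reader_auth reader_authenticate(uint64_t key, uint32_t id, uint32_t iv) {
    uint64_t st = hitag2_init(key, id, iv);
    ht2_reader_auth m = { iv, 0xFFFFFFFFu ^ hitag2_word(&st) };
    return m;
}

/* Tag: re-derive the state, accept only if aR decrypts to all ones, then
 * reply with page 3 (config byte + pwd_TAG) under the next keystream word.
 * Returns 1 and sets *at_out on success, 0 on a bad authenticator. */
static int tag_check_reader(uint64_t key, uint32_t id, uint32_t page3,
                            ht2_reader_auth m, uint32_t *at_out) {
    uint64_t st = hitag2_init(key, id, m.iv);
    if ((m.ar ^ hitag2_word(&st)) != 0xFFFFFFFFu) return 0;
    *at_out = page3 ^ hitag2_word(&st);
    return 1;
}

/* Sniffer's check: a candidate key is consistent with a captured
 * {id, iv, aR} iff it decrypts aR to all ones. */
static int key_explains_trace(uint64_t cand, uint32_t id, uint32_t iv, uint32_t ar) {
    uint64_t st = hitag2_init(cand, id, iv);
    return (ar ^ hitag2_word(&st)) == 0xFFFFFFFFu;
}

int main(void) {
    /* Constructed demo values (not a real key or transponder). */
    const uint64_t key = 0x123456789ABCull;
    const uint32_t id = 0xDEADBEEFu, iv = 0x01020304u, page3 = 0x06112233u;
    uint32_t at = 0;

    printf("reader -> tag : START_AUTH 0x%02X (bits 11000)\n", HT2_START_AUTH);
    printf("tag -> reader : id %08X (in the clear)\n", id);
    ht2_reader_auth m = reader_authenticate(key, id, iv);
    printf("reader -> tag : iv %08X  {aR} %08X\n", m.iv, m.ar);
    if (tag_check_reader(key, id, page3, m, &at))
        printf("tag -> reader : {aT} %08X (page 3 encrypted)\n", at);
    else
        printf("tag rejects reader\n");
    printf("key^1 explains trace: %d\n", key_explains_trace(key ^ 1, id, iv, m.ar));
    return 0;
}
```

Two points this makes concrete for the OP's option 1 and option 2: a reader emulator needs the key to build aR (the ID alone only gets you as far as the tag's clear-text reply), and a sniffer that captures id, iv and aR has exactly the material the paper's key-recovery attacks start from, since any candidate key can be tested offline with the last function.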

OK, seems the work has already started:

I'm extremely curious to see where this goes. I'm very engaged with the locksmith community. I'm not sure if the Proxmark has better hardware or if it's simply more mature on a software level, but the Flipper is not as capable a device at this time. I've been wanting to do some research in the 125 kHz band myself. I came to the conclusion that a cheap SDR and an upconverter like the Hamitup would work well. You could look into those options.

I recall someone interacted with Classic using RTL-SDR v3. Unfortunately, details are lost in my memory.

For some purposes it is hardware that matters, e.g. easier Nested, better emulation. But most are just software, IIUC. And it can't be reused due to MCU<->FPGA interactions.

Any news on this?