Hi,
Despite being fairly well trained in the microcontroller / WiFi world, I am new to the broader radio world. And I just received the FZ.
As a training exercise, I’d like to duplicate my car key, which many locksmiths failed to duplicate and which is now my last key.
I am not talking about the fob, the sub-GHz remote open/close. I am interested in the passive RFID chip inside the key that unlocks the engine immobilizer when you insert the key to start the engine.
The car is from 2002, no keyless autostart or other fancy stuff, just the basic immobilizer using RFID.
It seems that the vast majority of vehicles from this period use HiTag2 NXP chips.
It’s a 125kHz RFID chip with an internal cipher.
First, the key ID is known by the car.
Then there is some encrypted challenge taking place which makes the identification secure and not easy to clone.
But here is a paper from Verdult / Garcia / Balasch explaining how Hitag2 works, the vulnerabilities they discovered and the attack methods to clone a Hitag2 transponder and fake it to a car:
There are 3 different methods and multiple steps to achieve it. The authors use a Proxmark III and a microcontroller to achieve the hack, so I suspect it could be implemented on a FZ. Am I right?
If so, it seems a good exercise to learn how to tweak the FZ.
Let’s see.
First, it seems that the car will send an authentication request message to the transponder, which should answer back with its unencrypted ID.
Could you point me to resources to help me achieve this first step?
The stock firmware only allows reading common passive tags, like a Mifare UID. A Hitag2 will not answer that basic read request. It needs to receive a specific authentication command: “11000” according to the paper.
Two options I could see to extract the transponder ID:
- simulating the car reader by using the 125kHz module on the FZ: send an authentication message 11000, then listen for the transponder response.
- get in the car, insert the key, and sniff everything on 125kHz using the FZ.
Could you point me to how to achieve one and/or the other?
Thanks!