Smart key Fob hack -Proxmark3-

I’ve been working on hacking my car’s key fob with a Proxmark3.

I’ll show you how to view the waveform of the LF signal.


Goal

Reading the LF communication between Smart Key Fob and the vehicle.

Environment

  1. PC: Dell XPS 13 (9360)
  2. OS: Kali Linux (on VirtualBox)
  3. Device: Proxmark3 RDV4 (https://hackerwarehouse.com/product/proxmark3-rdv4-kit/)
  4. Vehicle: Honda Vezel(HR-V) 2016

What is Proxmark3?

Proxmark3 is a valuable tool for reading LF (low frequency) signals, such as NFC and RFID.

Proxmark3 is a reader for the LF (125 kHz) and HF (13.56 MHz) frequency bands.

This tool is suitable for reading information from contactless IC cards such as Hitag.

Hitag2 was used for Smart keys a long time ago, and some papers have shown that it can be read by Proxmark3[1] [2].

According to a survey[3], the specification of the Honda Vezel (2016) Smart Key Fob is Hitag3.

It is not clearly indicated whether Hitag3 is readable by Proxmark3.

Experiment Preparation

Smart Key Fob analysis

First, I take apart the Smart Key fob and remove the battery.

Why do I remove the battery?

This is because I would like to read the communication between the Smart Key Fob and the vehicle.

The specific method is described below.

When the Smart Key Fob is placed close to the engine start button, the Smart Key Fob communicates with the vehicle (ID verification).

Preparation for reading the LF waveform

As mentioned above, I read the communication between the Smart Key Fob and the car when the engine start button is pressed.

The execution environment is Kali Linux.

Start PowerShell and type “pm3” to start Proxmark3.

Type “lf config” to see a list of LF Sampling configurations.

Here, set “lf config -t 20”.

After configuring, type “lf sniff” to put lf in a read-waiting state.

Type “lf sniff” and the light next to Proxmark3 will flash red.

Now you are ready.

Take the Smart Key Fob you just disassembled and get into your car!
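
A simplified model of what a trigger threshold such as the “-t 20” setting above does during a sniff, added here as an example (it is not code from this post or from the Proxmark3 project). It assumes unsigned 8-bit samples that idle at 128 and a trigger on the first sample at or above 128 + threshold; the trace and all function names are constructed for illustration.

```python
import math
import random

CENTER = 128  # assumption: unsigned 8-bit samples that idle at mid-scale


def make_trace(idle=400, burst=200, amplitude=60, noise=5, seed=1):
    """Constructed sample trace: idle noise, then a burst of carrier."""
    rng = random.Random(seed)
    trace = [CENTER + rng.randint(-noise, noise) for _ in range(idle)]
    for n in range(burst):
        s = CENTER + amplitude * math.sin(2 * math.pi * n / 8)
        trace.append(max(0, min(255, round(s) + rng.randint(-noise, noise))))
    return trace


def capture(trace, threshold, buffer_size):
    """Return (start_index, stored_samples) for a threshold-gated capture.

    threshold == 0 records from the first sample. Otherwise samples are
    discarded until one reaches CENTER + threshold (assumed trigger rule).
    Returns (None, []) if the trigger never fires.
    """
    start = 0
    if threshold > 0:
        start = next((i for i, s in enumerate(trace)
                      if s >= CENTER + threshold), None)
        if start is None:
            return None, []
    return start, trace[start:start + buffer_size]


def signal_fraction(samples, level=20):
    """Share of stored samples that deviate from idle by at least `level`."""
    if not samples:
        return 0.0
    return sum(abs(s - CENTER) >= level for s in samples) / len(samples)


if __name__ == "__main__":
    trace = make_trace()
    for t in (0, 20):
        start, buf = capture(trace, t, buffer_size=200)
        print(f"threshold={t:2d} start={start} signal={signal_fraction(buf):.2f}")
```

With no threshold the 200-sample buffer fills with idle noise before the burst arrives; with a threshold of 20 the stored samples begin at the burst.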

Experiment Results

Push the engine start button

The Smart key Fob has just been disassembled with the battery removed, so the car cannot recognize that the Key is there.

Therefore, when the engine start button is pressed, the meter will display the following.

It asks you to touch the switch with the key fob.

Touch the engine start button with the Smart Key Fob on Proxmark3


After performing the above steps, the standby status will end and the red light will turn off.

Type “data plot” to display the read waveform data.

Waveforms were successfully displayed.

References

[1] https://tches.iacr.org/index.php/TCHES/article/view/8289

[2] https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final95.pdf

[3] https://www.honrow.com/product-4458.html


Author of this article

I am an engineer working for an automotive company in Japan.
