Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-07-25 16:56:54

noreg0
Contributor
Registered: 2019-07-23
Posts: 5

Car PKE snooping NCF2951

Hi all,

I'm new to RF and Proxmark but have some experience with SDR.

Context:
Honda Odyssey 2018 with smart entry. I assume it's using some form of LF to detect the key proximity, and most likely it's using this chip:
https://www.nxp.com/docs/en/brochure/75017275.pdf
When the key detects the wake-up signal (once you touch/pull the door handle) the signal gets sent to the key. Once the key recognizes the signal it will respond over UHF (433 MHz) and the door opens.

Some googling turned up the key, https://fccid.io/KR5V2X, but with no mention of the LF part (which makes sense, as it would be in the car and not the key?), and it mentions NCF2951 as the chip.

I'm basically trying to see what the wake-up signal that the car sends looks like. I tried a couple of options with the Proxmark client but I've had 0 success, hmm.

I tried:
setting up for LF and HF (lf config b 8 L t 8 and lf config H...)

I tried reading with lf read and snooping with lf snoop, but nothing worked. Anything I'm missing?

Thanks!


#2 2019-07-29 18:19:21

noreg0
Contributor
Registered: 2019-07-23
Posts: 5

Re: Car PKE snooping NCF2951

No one has ever tried that? I thought doing lf snoop would enable me to see the wake-up message broadcast by the car to the key.

Any help/pointers appreciated.


#3 2019-07-29 21:49:43

iceman
Administrator
Registered: 2013-04-25
Posts: 6,401
Website

Re: Car PKE snooping NCF2951

Is the system transferring over LF?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#4 2019-07-30 23:40:51

Mackwa
Contributor
Registered: 2016-06-10
Posts: 51

Re: Car PKE snooping NCF2951

@iceman: from the leaflet of NXP keyless entry:

How does keyless entry/go work?
As the driver enters the operating area of the keyless entry/go system and places their hand on the door handle, the car key receives a low-frequency signal from the vehicle and, if this signal matches the stored data, the key is ‘woken up’.

Once woken, the key analyzes the ‘challenge’ signal from the vehicle and returns an encrypted ‘response’ signal via the UHF transmitter. The vehicle then compares the response with internally stored information and, if authentication is successful, unlocks the door. Once the driver is inside the car, the engine can be started by simply pressing the start button. The system first checks that the key is inside the car and not somewhere else, such as on the roof, and then performs the same authentication procedure when the engine is started. The combination of LF challenge and UHF response delivers low power consumption and long battery life. A back-up mode enables the use of the keyless entry/go system even when the battery is low, with power being supplied to the key via an immobilizer basestation.

So the wake-up is possibly readable with Proxmark ...

@noreg0:
You tried "lf read":
can you see some data exchange with "lf read", "data samples", "data plot", or only signal noise?


#5 2019-07-31 02:30:08

noreg0
Contributor
Registered: 2019-07-23
Posts: 5

Re: Car PKE snooping NCF2951

iceman wrote:

Is the system transferring over LF?

Yes, over 125 kHz ...


#6 2019-07-31 02:31:14

noreg0
Contributor
Registered: 2019-07-23
Posts: 5

Re: Car PKE snooping NCF2951

Mackwa wrote:

@iceman: from the leaflet of NXP keyless entry:

How does keyless entry/go work?
As the driver enters the operating area of the keyless entry/go system and places their hand on the door handle, the car key receives a low-frequency signal from the vehicle and, if this signal matches the stored data, the key is ‘woken up’.

Once woken, the key analyzes the ‘challenge’ signal from the vehicle and returns an encrypted ‘response’ signal via the UHF transmitter. The vehicle then compares the response with internally stored information and, if authentication is successful, unlocks the door. Once the driver is inside the car, the engine can be started by simply pressing the start button. The system first checks that the key is inside the car and not somewhere else, such as on the roof, and then performs the same authentication procedure when the engine is started. The combination of LF challenge and UHF response delivers low power consumption and long battery life. A back-up mode enables the use of the keyless entry/go system even when the battery is low, with power being supplied to the key via an immobilizer basestation.

So the wake-up is possibly readable with Proxmark ...

@noreg0:
You tried "lf read":
can you see some data exchange with "lf read", "data samples", "data plot", or only signal noise?

I did try read, with no luck. But according to the NXP document it should broadcast the wake-up message periodically, yet somehow I can't capture it.


#7 2020-04-16 07:30:40

adameng
Contributor
Registered: 2020-04-15
Posts: 20

Re: Car PKE snooping NCF2951

Hi, so interesting. I am trying to capture the same thing with Proxmark. Have you had any success? I am testing on a BMW X5 2019 G01.

I think the wake-up is sent only once, and the problem is that since you have to run LF READ at the same time as you get close to the handle, we're missing it by milliseconds. I am going to try a few more things today.

I would be keen to know how far you got with capturing the wake-up.


#8 2020-04-16 07:31:41

adameng
Contributor
Registered: 2020-04-15
Posts: 20

Re: Car PKE snooping NCF2951

noreg0 wrote:

Hi all,

I'm new to RF and Proxmark but have some experience with SDR.

Context:
Honda Odyssey 2018 with smart entry. I assume it's using some form of LF to detect the key proximity, and most likely it's using this chip:
https://www.nxp.com/docs/en/brochure/75017275.pdf
When the key detects the wake-up signal (once you touch/pull the door handle) the signal gets sent to the key. Once the key recognizes the signal it will respond over UHF (433 MHz) and the door opens.

Some googling turned up the key, https://fccid.io/KR5V2X, but with no mention of the LF part (which makes sense, as it would be in the car and not the key?), and it mentions NCF2951 as the chip.

I'm basically trying to see what the wake-up signal that the car sends looks like. I tried a couple of options with the Proxmark client but I've had 0 success, hmm.

I tried:
setting up for LF and HF (lf config b 8 L t 8 and lf config H...)

I tried reading with lf read and snooping with lf snoop, but nothing worked. Anything I'm missing?

Thanks!

Interestingly enough, I have managed to dump NCF2951 chips as well.

Last edited by adameng (2020-04-16 07:31:54)


#9 2020-05-20 09:31:26

adameng
Contributor
Registered: 2020-04-15
Posts: 20

Re: Car PKE snooping NCF2951

No one else has had any further progress on this subject?


#10 2020-05-28 20:15:15

adameng
Contributor
Registered: 2020-04-15
Posts: 20

Re: Car PKE snooping NCF2951

Hi,

Just an update on this: you can't use Proxmark to sniff any vehicle 125 kHz, as it seems to be a different bitrate and modulation from what Proxmark is expecting.

I managed to make some sniffs using an SDR, and after some research with my colleagues it seems that it's OOK modulation: the carrier is 125 kHz, the bitrate is 7812 Hz, and the synchronization sequence is 10101010101010111000.

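The parameters in the post above (OOK on a 125 kHz carrier, 7812 bit/s, sync sequence 10101010101010111000) explain why the Proxmark's standard LF demodulators find nothing: the bit period is 16 carrier cycles, which none of the usual tag formats use. The following is an added example, not code from this thread or from the Proxmark project, showing how a raw capture would be envelope-detected and sliced at that bitrate, then searched for the sync sequence. It assumes a 500 kS/s sample rate, reads the posted 7812 Hz as exactly 125 kHz / 16, and works on a burst constructed in the code rather than a real capture.

```python
import math

# Parameters from the post above; sample rate and the burst itself are constructed here.
CARRIER_HZ = 125_000
BIT_RATE = 7_812.5             # posted as 7812 Hz; assumed to be exactly 125 kHz / 16
SAMPLE_RATE = 500_000          # assumed SDR sample rate: 4 samples per carrier cycle
SAMPLES_PER_BIT = int(SAMPLE_RATE / BIT_RATE)   # 64
SYNC = "10101010101010111000"  # synchronization sequence from the post


def ook_modulate(bits, idle_bits=8):
    """Constructed stand-in for a capture: carrier present for '1', absent for '0',
    preceded by idle_bits of silence. Carrier phase runs continuously across bits."""
    samples = []
    for b in "0" * idle_bits + bits:
        for _ in range(SAMPLES_PER_BIT):
            t = len(samples) / SAMPLE_RATE
            samples.append(math.sin(2 * math.pi * CARRIER_HZ * t) if b == "1" else 0.0)
    return samples


def envelope_to_bits(samples):
    """Non-coherent OOK demodulation: mean |x| over each bit period, thresholded
    at half the strongest bit. Bit boundaries are assumed to start at sample 0."""
    energies = [
        sum(abs(s) for s in samples[i:i + SAMPLES_PER_BIT]) / SAMPLES_PER_BIT
        for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT)
    ]
    if not energies:
        return ""
    thr = max(energies) / 2
    return "".join("1" if e > thr else "0" for e in energies)


def decode(samples):
    """Bit timing is unknown in a real capture, so try every sample offset within
    one bit period until the sync sequence appears; return the bits that follow
    it, or None if no offset yields the sync sequence."""
    for off in range(SAMPLES_PER_BIT):
        bits = envelope_to_bits(samples[off:])
        idx = bits.find(SYNC)
        if idx >= 0:
            return bits[idx + len(SYNC):]
    return None


if __name__ == "__main__":
    burst = ook_modulate(SYNC + "1101")        # constructed burst, not a real capture
    print("payload after sync:", decode(burst))  # prints 1101
```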

#11 2020-05-29 10:34:31

iceman
Administrator
Registered: 2013-04-25
Posts: 6,401
Website

Re: Car PKE snooping NCF2951

If it's 125 kHz, it shouldn't be any issue sniffing. Decoding it is a different story. Do you have samples to share?

lf read
data save

[edit] spelling



#12 2020-05-29 11:23:42

adameng
Contributor
Registered: 2020-04-15
Posts: 20

Re: Car PKE snooping NCF2951

It's 125 kHz, not 135 kHz.

Yes, I have logs; I will upload and share them with you.


125 kHz


#13 2020-05-29 11:36:53

adameng
Contributor
Registered: 2020-04-15
Posts: 20

Re: Car PKE snooping NCF2951

So what I found strange while testing is that on the outside of the vehicle (door handle) it would never detect anything on 125 kHz; even the Proxgrind wouldn't light up. But inside the vehicle, in the center console, the Proxgrind would light up and Proxmark would detect something, but the data didn't look correct. I will send some videos I made as well.

Oh, and just to be clear, there is 100% a 125 kHz wake-up signal on the outside, as I detected it with an SDR and active loop antenna.

Last edited by adameng (2020-05-29 11:37:48)


#14 2020-05-29 11:53:11

iceman
Administrator
Registered: 2013-04-25
Posts: 6,401
Website

Re: Car PKE snooping NCF2951

What's a Proxgrind?



#15 2020-05-29 11:54:32

adameng
Contributor
Registered: 2020-04-15
Posts: 20

Re: Car PKE snooping NCF2951

https://proxgrind.com/


#16 2020-05-29 16:10:50

adameng
Contributor
Registered: 2020-04-15
Posts: 20

Re: Car PKE snooping NCF2951

iceman wrote:

What's a Proxgrind?

Well, what I actually meant by Proxgrind is the RF field detector.
