RFID tag in car/motorcycle key

Did some probing, it turns out to be 133kHz signal. SO it looks like i will be making my own pick up and transmitter circuit based on MCU

In recent cars, the communication is via certificates and keys (sic). Record and playback will (hopefully for car owners) not work.

If you succeed, record and document it and you'll have a speaking spot on the next Black Hat conference.

Probing showed static data.

So it does not look to be anything fancy. One fancy thing is that in excitation stage, it does generate some data. That can be that if only this data is present, key RFID chip will send back any data to motorcycle.

In this scenario, it is perfectly safe, since you can't read key and replay it off the motorcycle, but if you are at the coil when you normally unlock motorcycle with RFID, you will know what data was send, and what data was replayed. And you just need to replay data you capture after excitation ping.

So as safety logic goes, if you already have good key in correct location, where is no point of doing any scrambling/rolling code generation, since that means you have original key. But if you try to copy it outside motorcycle, you will need to generate correct key to do it. Where is 20bit code, and it is send around 100ms, that means in order to copy code, you have to probe it 100 000s or 30minutes.

I would say it is perfectly safe. It would be more safe is key would generate ther data on different ping message, in that case, you will have to replay all messages, it would take days of work to unlock it..

Ping message:

Ok, I am at total lost now. As far as I understand, this is nothing more than HITAG2 chip because is most commonly used by automakers. Now ok, it says 125Khz, perfect with what I see.

Part I don't understand is how they are communicating. I attached scope to coil antenna so I can see signals that ECU is seeing. problem is, I don't see any response from key-fob, while Motorcycle do acknowledges key and allows you to start the engine. Also, where is no battery in remote, or even worse, I use special key they is designed only emergency and from BMW it cost only 50$, so no way any RF circuitry is inside.



Look at this waveform. This is successful unlock of motorcycle using RFID key. If key is transmitting data, it should produce lower amplitude signal, not a perfect one as for exatation. If key is shorting magnetic field, it would not go to zero.

So what a hell ? How they are communicating ?

Is is bit by bit exploded view of signal:



So, can any one tell me how it's doing communication ? I need to make hardware that captures this response and replays back, but if I don't know what going on, it is impossible....

Usually, these keys are powered from the radio signal emitted from the car.

They have RF circuitry on board and a little bit of intelligence - a low power tiny microcontroller. Or the two combined on a small flack of silicon.

I need to make hardware that captures this response and replays back, but if I don't know what going on, it is impossible....

Yes. 2 reasons. The main reason is that re-sending a previously recorded reply will not work. It's not a remote control.

2nd reason - not relevant because of the 1st one above - I believe your setup doesn't succeed in showing the signals from key to car.

I know that it uses RF for normal operation, so i would not see this on scope, but i am probing coil and i can't see anything, only data from ECU at very high voltage.

So I don't know whats doing on here. IS it really uses RF somehow ?

Data is static, does not change, does not have any roiling code, every single time is the same, so I can replay it and it should work. Problem I don't see any response from key, while motorcycle does see message from key. Maybe I have to use spectrum analyzer or something to get this working...

Very strange

It has to use RF. If there's no contact, and no infrared sender / receiver, it has to be a radio signal.

In essence the RF tag is more of a disturber than a radio. It will cause modulations on the signal emitted by the sender, by modifying the impedance of its own RF circuit.

The sender coil and token coil are closely coupled when near each other, so that impedance change in the tag antenna RF circuit impacts (agitates) the sender RF circuit.

The sender has to detect those modulations and interpret them.

If you are looking for a reply of the token, after the motorcycle sent its signal, you will not find it because it's not there.

The reply is imposed upon the original signal.

I would expect is is doing something to magnetic field with shorting or doing something similar. In this case I would expect signal like this :

In this case, you can clearly see that master is generating waveform, and tag is modifying quality of coil (and in this case resonating voltage will be lower that can be picked up) , and you can clearly see data transmitted.

But in my case, I see nothing like that. I see perfect 125kHz data burst and no response. If my key is modulating quality of exciter coil, signal WOULD NOT GO TO ZERO.

So how does key is communicating with motorcycle... Only thing that left is transmitting 315MHz RF that my scope can't capture in that timescale... I just don't see any other way

The key does not generate a clearly visible change. It modulates the original signal but that may be subtle. It would not be a amplitude modulation I'd expect.