An ignorant question on keyless security

[old man]

(I got a bit side-tracked, when I suddenly started picking up the TPMS signals from my neighbour's cars instead of my fob )

Hopefully he's got a nice Bentley you can steal

[PhilHornby]

I want to probe the fob's inner workings, so I'm building a Hyundai emulator ...I've got as far as capturing the signal(s) sent when you press the door handle - I just need to perfect the hardware needed to recreate it.

Mission accomplished .

The results are quite interesting, because I can reproduce what I was seeing with the car and I can also reproduce what everyone else has seen . As a 'new kid on the block', I'm wondering if Hyundai have made some subtle changes as time has gone by, that might explain the difference.

Anyway, with a FOB-4P25 (aka 95440-N9022 (NX4) Fob and a November '22 car, I have observed the following:

When queried with a 125KHz signal (containing a fixed 30bit identifier), the Fob responds some 34mS later with a 'blast' of 433MHz UHF. This is similar to the action it takes, when you press one of its buttons. I've decoded the response sufficiently, to tell my two Key fobs apart.

If this 125KHz signal is sent to the Fob repeatedly (I was doing it every 5 secs, which seemed representative of the car's action), then the Fob does not sleep. (So far, I've waited 5 hours and it's still going strong).
However, if the 'probing signal' is removed for (around) 3 minutes, the Fob does stop responding.

This is reproducible at will.

(EDIT: Updated the timeout, in light of further tests)

I can only think that the other signals on the car (the ones for the auto-mirror folding and tailgate opening) were keeping the Fob awake, when I initially did my tests. (No, I don't really know why it's not been seen before with the Tucson - but the Polestar owners have certainly encountered it )

What was very enlightening, was the fact that I was able to wake it up again by waving my hand above it. I did not move it - I did not touch it; simple proximity of my hand woke it up.

This is something that I cannot reproduce. Once the Fob has 'gone to sleep', it will 'wake' with the slightest movement - but it does have to be moved.

What I would really like to do, is come up with an easy way of confirming that my fob is sleeping, while it is hanging on its hook near the front door (i.e. not involving stools, plastic jugs and a very tedious wait!).

Easy peasy

[alan sh]

Phil,

Scenario 1. My key has been hung up all night about 40 feet from the car in the house. I assume it's gone to sleep. How do I know?
Scenario 2. I pick up my key and walk to the car. The mirrors move out when I get close. Who has initiated the transaction? The fob or the car. If it's the car, is it constantly transmitting that 125Khz signal? If not, how does it know the fob has got near. If it's the fob, is IT constantly transmitting? If not, how does it know when it's near my car?

Alan

[old man]

Phil,

Scenario 1. My key has been hung up all night about 40 feet from the car in the house. I assume it's gone to sleep. How do I know?

You do a test the same as some of us have done, to make sure your fob does go to sleep, after which you trust to luck that the fob goes to sleep every time it's left undisturbed.

Scenario 2. I pick up my key and walk to the car. The mirrors move out when I get close. Who has initiated the transaction? The fob or the car. If it's the car, is it constantly transmitting that 125Khz signal? If not, how does it know the fob has got near. If it's the fob, is IT constantly transmitting? If not, how does it know when it's near my car?

The fob. The fob has been asleep whilst left undisturbed in the house, but as soon as you pick it up, it comes alive and begins transmitting again and the car reads it as you approach.
I don't know why you beat yourself up about it. If you have any doubt that the fob doesn't sleep, then just put it in a Faraday product. It's what I do.
I know from testing that my fob does go to sleep, but I don't fully trust it to do it every time, plus, it's an electronic gadget capable of breaking down.




Alan

[PhilHornby]

Scenario 1. My key has been hung up all night about 40 feet from the car in the house. I assume it's gone to sleep. How do I know?

I suppose the purist's answer is: "You don't". Being pragmatic; if you've managed to demonstrate the 'sleep' function (reliably), there is no real reason to suspect it's not working. In my case, I couldn't demonstrate it and was getting nothing like the supposed results (but now I know why!). I'd publish the details of my test rig, but I don't know how specific it is to my car and fobs. I guess I'll have to wait for the next Hyundai/Kia courtesy car to come my way, to find out.

I'm inclined to trust that both my fobs 'sleep' at somewhere around the 3 minute mark (since they do that on my test rig - even if not when near the car). Regarding reliability, it would be nice to know exactly how the 'motion sensing' is implemented - then an informed judgement of the component involved could be made. The only real candidate is the IC marked "U3", but I still can't tell what it is .

Scenario 2. I pick up my key and walk to the car. The mirrors move out when I get close. Who has initiated the transaction? The fob or the car. If it's the car, is it constantly transmitting that 125Khz signal? If not, how does it know the fob has got near. If it's the fob, is IT constantly transmitting? If not, how does it know when it's near my car?

The car.

Though it is transmitting repeatedly, it's not transmitting constantly IYSWIM . Each transmission only lasts about 15mS and there is about 0.5 seconds between them (so 3% duty cycle). The power consumed will be minimal - my test rig is using a maximum of 100mW and achieving 60cm or so. My next experiment might be to see how far I can push that. (Radio 4 LW manages quite a range and the frequency's not that far off )

[alan sh]

Thanks Phil. It makes sense that the car does the transmission - it has a much bigger battery to rely on.

[PhilHornby]

Further tests reveal, that both my key Fobs 'sleep' THREE MINUTES after last moving, or hearing the car's RF signal. Quite why they ever timed out when I tested on the car itself, I can't explain.

The fact that querying the Fob keeps it awake, has slightly scuppered my plans for a gizmo to hang next to it, to show its 'sleep status'. (It's a bit like prodding the person in bed next to you and saying "Are you awake?" - because you always get the answer "I am now!" )

Answers from an Electronics forum, indicate that the Fob is using an Accelerometer (that U3 component) to detect motion. I'd expected an Accelerometer to be a bigger component than that.



The Fob in the video is initially 'asleep'. It hasn't been moved for at least three minutes, nor has it heard the 125KHz signal from the circuit.

The RED led signals that the circuit is sending 125KHz queries to the fob. The GREEN led shows that it received an answer.

Initially, there is no answer - until the fob is moved. When the fob is taken out of range, the response stops. When the fob is returned the response resumes.

Once awake, the fob will respond (for at least 5 hours), until the circuit is powered off (for at least 3 minutes).

[jarvis]

Thanks for investigating this so that the rest of us can rest easier at night!

That querying the fob keeps it awake as well as moving it does make sense - you wouldn't want the fob to sleep when sitting in traffic.

[PhilHornby]

Thanks for investigating this so that the rest of us can rest easier at night!

You're welcome - though that wasn't necessarily my motive

It's worth noting that I have only tested two fobs (both Part # 95440-N9022) - others may behave differently. (This sleep feature is not documented or described anywhere by Hyundai (or Kia). In 2019 they said they were "working on it", but until recently some of their vehicles released in the US still didn't even have an immobiliser...My dealer hadn't heard anything, so who knows which variants or fobs have it.)

That querying the fob keeps it awake as well as moving it does make sense - you wouldn't want the fob to sleep when sitting in traffic.

It does; there's a warning message that you can induce fairly easily, that says "Warning key is not in car", which implies that it's normal for this question-and-answer dialogue to be ongoing. What's odd is that my fobs would sleep when near the car, but only after 45mins and 1hr 25 mins respectively. Other people say they have experienced much shorter timeouts. There's still some unexplained 'oddities', but I might be done with 'fobs' . (There's a 12V battery issue calling me )

[jarvis]

The other thing Hyundai might do is have the car produce a "keep awake" variation of the signal from the transmitters inside the car (or when the ignition is on) and a different "can sleep" variation from the outside transmitters (or when ignition is off). Could be done within the encoded data or just by varying how often the car queries the fob.

The fob could reset its sleep timer when it gets the one variation or gets queried rapidly but keep that timer ticking while it receives the other variation or is queried at a lower frequency.

You've proved there is a difference between your 2 fobs but is your vehicle doing the same as others'?