SMARTRA: Difference between revisions
No edit summary |
(w-line link) |
||
Line 34: | Line 34: | ||
=== Engine Control Unit === | === Engine Control Unit === | ||
ECU communicates with transponder through BCM over the | ECU communicates with transponder through BCM over the [[W-Line]]. It stores all registered transponders/keys unique identifiers and the 9 byte DPN (Diagnostic PIN Number). First 6 bytes of the DPN will be used as the encryption key. | ||
Upon the start of a ignition cycle, ECU will request the identification number of the transponder. If it's registered (taught), the ECU will then generate 4 random bytes (''challenge'') and send them to the transponder along with inverted first 4 bytes of the keystream (see: [[Hitag2]]). Using this data, the transponder shall respond with the encrypted ''challenge''. ECU will now perform the same operation using the [[Hitag2|Hitag2 encryption protocol]] and compare the results. If they're a match, vehicle can be started. | Upon the start of a ignition cycle, ECU will request the identification number of the transponder. If it's registered (taught), the ECU will then generate 4 random bytes (''challenge'') and send them to the transponder along with inverted first 4 bytes of the keystream (see: [[Hitag2]]). Using this data, the transponder shall respond with the encrypted ''challenge''. ECU will now perform the same operation using the [[Hitag2|Hitag2 encryption protocol]] and compare the results. If they're a match, vehicle can be started. |
Revision as of 09:08, 17 September 2023
SMARTRA (SMARt TRansponder Antenna) is a passive challenge-response immobiliser system developed for HMC (Hyundai Motor Company) by Bosch. On the GK platform, version 2 is used, called SMARTRA2.
Not much information can be found online about version 2 of SMARTRA. However, version 3 is backwards compatible and thanks to the FCC, it's protocol specification document is available. SMARTRA3 was assigned the FCC identificator LXP-VIMA01.
Simplified overview of the system
SMARTRA system is composed of three elements, each being vital to it's operation:
- Keyfob transponder
- SMARTRA Control Unit (CU), integrated into the Body Control Module
- Engine Control Unit (ECU/ECM)
In simple terms:
Keyfob stores it's unique identificator ("32 bit identifier"/"Pre Secret Encryption Key") and the 6 byte encryption key.
BCM doesn't store any SMARTRA-related data! BCM is essentially a interface between ECU and the transponder. It doesn't validate transferred data or perform any other checks. Possible confusion on this matter might be related either to the "limp home" function (which is independent from transponder) or the VIN number match check.
BCM does store pincode (for the limp home function) and DPN (see below) but for diagnostic (including new key registration) purposes. Erasing these values shouldn't affect the immobiliser system[verify].
ECU stores unique identificators of up to 4 keys (transponders) and a 9 byte DPN (Diagnostic PIN Number) of which first 6 bytes are used as the encryption key.
So, in short: Keyfob transponders are paired to ECUs. BCMs are not paired nor contain any transponder data, but they contain the VIN number which has to match with the ECU in order to start the engine.
Keyfob transponder
SMARTRA system is heavily based on the Hitag2 encryption protocol. A Hitag2 transponder made by NXP can be found integrated into the key: PCF7936 (click for datasheet).
PCF7936 provides a 32 bit unique identifier which is also referred to as "Pre Secret Encryption Key". This is the value that's stored in the ECU EEPROM. A 6 byte encryption key is stored in the transponder's memory.
BCM is packaging RF data in/out of transponder into the SMARTRA Protocol over W-Line while being semi-transparent in this process, it doesn't verify the data.
Using the antenna mounted around the ignition switch, BCM communicates with the transponder unit on 125kHz, ASK modulation. More information can be found in the PCF7936AS datasheet
Engine Control Unit
ECU communicates with transponder through BCM over the W-Line. It stores all registered transponders/keys unique identifiers and the 9 byte DPN (Diagnostic PIN Number). First 6 bytes of the DPN will be used as the encryption key.
Upon the start of a ignition cycle, ECU will request the identification number of the transponder. If it's registered (taught), the ECU will then generate 4 random bytes (challenge) and send them to the transponder along with inverted first 4 bytes of the keystream (see: Hitag2). Using this data, the transponder shall respond with the encrypted challenge. ECU will now perform the same operation using the Hitag2 encryption protocol and compare the results. If they're a match, vehicle can be started.