SMARTRA
SMARTRA (SMARt TRansponder Antenna) is a passive challenge-response immobiliser system developed for HMC (Hyundai Motor Company) by Bosch. On the GK platform, version 2 is used, called SMARTRA2.
Not much information can be found online about version 2 of SMARTRA. However, version 3 is backwards compatible and thanks to the FCC, it's protocol specification document is available. SMARTRA3 was assigned the FCC identificator LXP-VIMA01.
Simplified overview of the system
SMARTRA system is composed of three elements, each being vital to it's operation:
- Keyfob transponder
- SMARTRA Control Unit (CU), integrated into the Body Control Module
- Engine Control Unit (ECU/ECM)
In simple terms:
Keyfob stores it's unique identificator ("32 bit identifier"/"Pre Secret Encryption Key") and the 6 byte encryption key.
BCM doesn't store any SMARTRA-related data! BCM is essentially a interface between ECU and the transponder. It doesn't validate transferred data or perform any other checks.
ECU stores unique identificators of up to 4 keys (transponders) and a 6 byte DPN (Diagnostic PIN Number) which is used as the encryption key.
So, in short: Keyfob transponders are paired to ECUs. BCMs are not paired nor contain any transponder data.
Keyfob transponder
SMARTRA system is heavily based on the Hitag2 encryption protocol. A Hitag2 transponder made by NXP can be found integrated into the key: PCF7936 (click for datasheet).
PCF7936 provides a 32 bit unique identifier which is also referred to as "Pre Secret Encryption Key". This is the value that's stored in the ECU EEPROM. A 6 byte encryption key is stored in the transponder's memory.
BCM is packaging RF data in/out of transponder into the SMARTRA Protocol over W-Line while being semi-transparent in this process, it doesn't verify the data.
Using the antenna mounted around the ignition switch, BCM communicates with the transponder unit on 125kHz, ASK modulation. More information can be found in the PCF7936AS datasheet
Engine Control Unit
ECU communicates with transponder through BCM over the W-Line. It stores all registered transponders/keys unique identifiers and the 6 byte DPN (Diagnostic PIN Number). DPN is used both as the encryption key and password to access immobilizer functions (teaching keys, neutralizing etc).
Upon the start of a ignition cycle, ECU will request the identification number of the transponder. If it's registered (taught), the ECU will then generate 4 random bytes (challenge) and send them to the transponder along with inverted first 4 bytes of the keystream (see: Hitag2). Using this data, the transponder shall respond with the encrypted challenge. ECU will now perform the same operation using the Hitag2 encryption protocol and compare the results. If they're a match, vehicle can be started.
Encryption key
Also known as "immo pin" or "DPN (Diagnostic PIN Number)", it's the 6 digit number you use to program new keys or neutralize the immobilizer. It can be derived from last 6 characters of your VIN - while the algorithm is not publicly known at the moment, there are some calculators available and websites that'll compute it for a fee.
These 6 digits are part of the actual Hitag2 encryption key, which is composed like so:
0xFFFFxxxxxxFF (xxx - DPN)
Additionally, every PIN computed from VIN is dividable by 16 - that gives us precisely 65535 available combinations (instead of 12^16 that Hitag2 offers).
