#1 2017-02-14 18:02:28

Best Antenna form for Snooping

Hello guys!

Thanks again for your amazing help so far! I am now able to read and write to the Em4170 chip. I got some writable transponder chips and can set new pins and the user memory. I would be glad to contribute these routines.

To fully understand how the key fob talks with the car, I want to snoop on the communication. There is, however, a problem:
I built an antenna that is wound right around the key to be able to communicate with the transponder inside the key.

But when I want to snoop, my antenna + proxmark activate the key transponder and it doesn't react to the car immobilizer properly. My car won't start.
If I take the antenna farther away, the immobilizer algorithm works, but my trace is way too noisy.

Is there a good antenna for the snooping purpose? I can think of either a large antenna that is too large to load the key transponder on its own, or a small antenna very close to but not around the key. But will these be able to sense the small modulations of the key transponder?

Does anyone know what the Hitag2 people used, or where I can read up on this?

This is the trace for only the immobilizer without key fob.
Zoomed in:

This is the snoop of the communication with my antenna up close:

This is the snoop with my antenna farther away:
Zoomed in:

Thanks for any help!


#2 2017-03-04 20:21:36

Re: Best Antenna form for Snooping

Looks like I have to answer my own question.

Ok, I had really good experience using minuscule coils manufactured here:
They even send you free samples.
One has to calculate what inductance is needed; for example, I arrived at 1.4 mH for my proxmark to get to 130 Hz. They don't deliver exactly this inductance, but I combined two coils of 0.7 mH each. The soldering can be a bit tricky, but it is certainly doable.
Pay attention to how the coils are arranged when soldering the antenna together so that the two induced voltages don't cancel each other.

The advantage of the small coils is that you can bring them close to the car key even in the restricted space of your car. Also, they don't generate a large enough field to charge the key transponder on their own, which can confuse your proxmark triggers.

Since they look very similar to the key coil, they are probably also useful to simulate a key tag, though I am not yet at that point.
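The post above says the needed inductance has to be calculated and that two smaller coils were wired in series, with their orientation mattering. The following is an added worked example (not the poster's code, and not part of the Proxmark project) of that LC-antenna arithmetic: it derives the inductance required for a chosen tuning capacitance, searches a list of available sample coil values for the series pair that lands closest, and shows how the series-aiding vs. series-opposing orientation shifts the total inductance and therefore the resonant frequency. The target frequency (125 kHz, the usual LF band), the tuning capacitance (1.2 nF) and the list of available coil values are assumptions chosen for illustration; the post gives only the 1.4 mH and 0.7 mH figures.

```python
import math
from itertools import combinations_with_replacement

# --- Assumed values for illustration (not from the post) ---
TARGET_FREQ_HZ = 125_000        # assumed LF target frequency
TUNING_CAP_F = 1.2e-9           # assumed tuning capacitance (1.2 nF)
AVAILABLE_COILS_H = [0.47e-3, 0.7e-3, 1.0e-3]   # constructed sample-coil list


def resonant_frequency(inductance_h, capacitance_f):
    """Resonant frequency of a series/parallel LC tank: f = 1 / (2*pi*sqrt(L*C))."""
    return 1.0 / (2.0 * math.pi * math.sqrt(inductance_h * capacitance_f))


def required_inductance(target_freq_hz, capacitance_f):
    """Inductance needed so that an LC tank with this C resonates at target_freq_hz."""
    return 1.0 / ((2.0 * math.pi * target_freq_hz) ** 2 * capacitance_f)


def mutual_inductance(l1_h, l2_h, coupling_k):
    """Mutual inductance M = k*sqrt(L1*L2) for two coils with coupling factor k (0..1)."""
    return coupling_k * math.sqrt(l1_h * l2_h)


def series_inductance(l1_h, l2_h, mutual_h=0.0, aiding=True):
    """Total inductance of two coils in series.

    Series-aiding (fields add):      L = L1 + L2 + 2M
    Series-opposing (fields cancel): L = L1 + L2 - 2M
    Opposing orientation also cancels the voltages the two coils pick up
    from a common external field, which is the effect the post warns about.
    """
    sign = 1.0 if aiding else -1.0
    return l1_h + l2_h + sign * 2.0 * mutual_h


def detuning_percent(actual_freq_hz, target_freq_hz):
    """Signed percentage by which the actual resonance misses the target."""
    return 100.0 * (actual_freq_hz - target_freq_hz) / target_freq_hz


def best_series_pair(available_h, target_h):
    """Pick the pair of available coils (same value allowed twice) whose plain
    series sum (no coupling) is closest to the target inductance."""
    return min(
        combinations_with_replacement(sorted(available_h), 2),
        key=lambda pair: abs(pair[0] + pair[1] - target_h),
    )


def antenna_plan(target_freq_hz=TARGET_FREQ_HZ, capacitance_f=TUNING_CAP_F,
                 available_h=AVAILABLE_COILS_H, coupling_k=0.3):
    """Work the whole calculation through and return the key numbers."""
    need = required_inductance(target_freq_hz, capacitance_f)
    l1, l2 = best_series_pair(available_h, need)
    m = mutual_inductance(l1, l2, coupling_k)
    plan = {"required_h": need, "pair_h": (l1, l2)}
    for label, aiding in (("aiding", True), ("opposing", False)):
        total = series_inductance(l1, l2, m, aiding)
        f = resonant_frequency(total, capacitance_f)
        plan[label] = {"total_h": total, "freq_hz": f,
                       "detune_pct": detuning_percent(f, target_freq_hz)}
    # The uncoupled case is what the post's "0.7 mH + 0.7 mH = 1.4 mH" assumes.
    total = series_inductance(l1, l2)
    plan["uncoupled"] = {"total_h": total,
                         "freq_hz": resonant_frequency(total, capacitance_f)}
    return plan


if __name__ == "__main__":
    p = antenna_plan()
    print(f"required L for {TARGET_FREQ_HZ/1e3:.0f} kHz with {TUNING_CAP_F*1e9:.1f} nF: "
          f"{p['required_h']*1e3:.3f} mH")
    print(f"closest series pair: {p['pair_h'][0]*1e3:.2f} mH + {p['pair_h'][1]*1e3:.2f} mH")
    for k in ("uncoupled", "aiding", "opposing"):
        e = p[k]
        print(f"{k:>9}: L = {e['total_h']*1e3:.3f} mH -> f = {e['freq_hz']/1e3:.1f} kHz")
```

With the assumed 1.2 nF the required inductance comes out near 1.35 mH, so two 0.7 mH coils in series (1.4 mH) resonate a couple of percent low, which is acceptable; but if the two coils are physically coupled and wired in the opposing orientation the total drops to roughly 1 mH and the tank detunes by tens of percent, which is a concrete reason to check coil orientation before soldering.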



