Next up we have Kevin2600 doing Grand Theft Auto with digital key hacking. Please give him a warm Packet Hacking Village welcome.

Yeah, thanks for attending my talk. It's my first DEF CON speech, so bear with me. Today I'd like to share with you my research results regarding one digital car key system. Okay, let's do it. My name is Kevin. You can follow me on Twitter, Kevin2600. I'm a security researcher from InGeek Security Consultants, based in Shanghai, China, and we are focused on automotive security. My own area is wireless and embedded systems. Today's agenda is going to be like this. First, I will run a very quick introduction, key fob 101, and then I will walk through the structure and functionality of our target today, which is called the AMI Key. It's actually here. Then I will talk about how I analyzed it and what kind of attack vectors I found for the AMI Key. For example, we will talk about the physical layer, the RF layer, and up to the application, and then eventually we can see how we can sniff the Bluetooth traffic and decrypt the encryption. Okay, so, introduction. I think the key fob is one of the most common items we can find in our pocket. It started very simply, as just a mechanism. In the early days it was only mechanical keys, and then they implemented some kind of remote control. In the very beginning they started with infrared, and then RF with a fixed code, and then RF with a rolling code. They also have some kind of passive entry: basically they put an RFID chip inside your car key for authentication. Nowadays there is a new game changer, because now you can actually use your mobile phone as your car key. For example, the Tesla Model 3: if you buy one of these, you're not going to get any physical keys.
They only give you an RFID tag, and you can download the mobile phone app to start the engine and unlock your car. And Tesla is not the only one doing it; I think probably every other manufacturer is going to have this feature. So let's talk a little bit about what has been done in the past. In the past few years, many researchers have found vulnerabilities in key fobs. For example, one of the rolling code algorithms, KeeLoq, has been cracked, and some researchers have been working on Hitag2. But for the latest, if you notice, in 2015 a researcher found a vulnerability in BMW ConnectedDrive, and another researcher from Pen Test Partners found issues with the Wi-Fi access point of the Mitsubishi Outlander. Those two are new attack vectors. It's not just dedicated to key fobs anymore; there's more technology involved. So let's take a look at more details. This one is the BMW ConnectedDrive. Basically, a German researcher was able to set up a fake base station, and the main issue here is that BMW relied on HTTP to communicate with the backend server. So the researcher could set up a fake base station, and once he reverse engineered the entire protocol he was able to send and replay messages. The other example here is the Pen Test Partners researchers, who found that the Wi-Fi access point provided by the Mitsubishi Outlander is very easy to crack. So they could connect to it and reverse engineer the control protocol, and then they could turn the air conditioning and heating on and off, and even the alarm system. So those are the new attack vectors. What I'm saying is, when a new trend or new technology gets implemented, there are always going to be some kind of new hacks. Okay, so let's walk through our main target today. It's very simple.
It's called the AMI Key; it's a digital car key. It's invested in by a company called Xiaomi in China. Basically, this one enables people with older car models, which don't have those fancy features: if you still want to control your car doors with a mobile phone, you just connect this little device to your car and then you're good to go. Here are some of the highlighted features. It relies on Bluetooth Low Energy, and we can lock and unlock the car. Now, one of the interesting features here is the remote key sharing. I think this is a good feature that really distinguishes it from traditional car keys, because if you want to share your car with your friends, you can do that even from different countries. For the AMI Key they limit it to up to 20 users. In this little picture here, you basically connect your AMI Key to the keyhole, and you have to leave it there. You unlock it, and once you come back you can lock and unlock it and do the normal things. So here are the components. As you can see, it's very simple. It comes with a blank key, and this is the actual main board here; we're going to look at this one in more detail. And here is another little square box called a key sensor. Here's how you get it to work. First, we download the application from AMI Key, and then we do the normal process, like duplicating the key, and then we need to scan the barcode on the AMI Key in order to get an activation code. Once we get the activation code and put it into the application, it's activated. Once it's activated, we can lock and unlock. And just like when you lose your key and go to a car dealer, you need to register the new key with the vehicle.
We need to do the same here: we need to register our AMI Key to the car. Very simple. Also, as AMI Key claims, they support many models of cars. As you can see, you find Ford, Volkswagen, Toyota, Hyundai, all those cars; pretty much everyone. So now let's take a look at more details. When we talk about reverse engineering embedded systems, the first stage is to do some recon. At this stage we try to get as much information as possible. First, I received this car key; I'm not sure what's inside it, so I want to see more details. But sometimes the manufacturer may have some kind of protection mechanism preventing us from opening it: if you open it, it may damage or automatically erase the firmware. We don't know yet. So what I suggest is, if possible, we use some kind of X-ray machine to take pictures and look inside; then we can make sure there is nothing preventing us from opening it. That was the case: the AMI Key didn't have anything like that inside, so let's go ahead and open it. Once we open it, we see there are actually two boards inside: the yellow board here, and a green one here. The middle one is just the back side of the green board. They use this connector to connect to each other. If any of us have done much reverse engineering of embedded systems, we know the first step: we like to find out the model of the chip. For this one it's called CC2640. Once I googled it, I found out this is actually a BLE module that TI produces.
And the other one, the green board, is from NXP, and that's the one that actually emulates the lock and unlock command through RF. Also, when we are dealing with wireless devices, usually they come with an FCC ID. But since this one is only dedicated to the Chinese market, they use a similar system called a CMIIT ID. It's really the same thing. Now there's one interesting thing. Remember I mentioned that there's a little square box there, called the sensor. I don't know why they have it there, because I read the manual, I read the official website, and even in the official application there's no sign of how to use it or what it's really for. So the functionality is unknown. But still, I'd like to find out more. So I opened it up and even used the probes to connect to it. As you can see, it does mention that this is a smart key sensor, and we can find its ID here, but still we don't know what to do with it. So I looked at it a little bit more; I checked the datasheet and tried to connect to it through UART and tried to talk to it over SPI, but still, not much useful information. Anyway, since this key sensor won't affect any of the normal operations, I'll just leave it for the moment. Maybe in the future I'll find out more details; I can always come back and do more research. Okay, let's take a look at our module on the green board. On the back side there's a crystal here; we can see the value is 13.56 MHz. Once we know that, we can do very simple math to find out the baud rate and the potential frequency range. Very simple.
Now we need a way to verify it. So I set up a very simple SDR environment, just using a HackRF here connected to an antenna, and I just keep pressing the button to see if we can find anything. And yes, we can see clearly it is within the 433 MHz ISM band range; there are peaks here. I also took a look at the yellow board. This is the Bluetooth board. Now, when I connect to it, using LightBlue or nRF Connect, it doesn't matter, what we can see is that it constantly broadcasts this MAC address. So basically, I can see, okay, this may be a way we can track you, because this is a unique MAC address. And also, the most interesting thing is what kind of UUIDs they have provided. Okay. If we want to interact more with the AMI Key here, we can also use a tool called gatttool in Linux. Here's a picture: I connect to it and list all the UUIDs. If you've ever done Bluetooth hacking, you know the UUIDs are one of the most important pieces of information you need to find out. And also, if we want to see more details, we can enable the function on Android phones, in developer mode, that dumps all the BLE traffic, and then we can load this log file into Wireshark and start to analyze every step of the traffic. So if you come here, I request the battery level, and it just tells you how much battery is left. Okay. The mobile application is going to be like this. Part of it is actually in Chinese, but I translated it, and it's very simple. First, you need to connect to your AMI Key.
And then once you're connected, there are a couple of functions here, just lock or unlock. And there's also a key sharing feature here. So let's take a look more. Just like probably everyone else, they don't bother to harden their APK files, so it's easy. We can just extract the Java bytecode; it's almost like reading the source code here. So for example, this part here is how they generate those UUIDs. Okay. Now, sometimes developers go too far. Here they leak some sensitive information inside their code. Basically, they have this web page inside the code, but when I tried to access it, it actually said this is their internal system: if you are not an employee, you shouldn't be accessing it. So what's the point of leaving it there? And also, if you're able to understand Chinese, they left so many interesting comments, like "what the hell" here. Yeah, he actually says "what the hell". I don't know; maybe he or she was not in a very good mood. Okay. Now it gets even more fun. When we try to investigate some system, we usually do some man in the middle using mitmproxy or Burp, and we can do the same here. Actually, the first thing I expected was to see whether the application had enabled certificate pinning or not. But it turns out we don't need to bother with any of that, because it relies completely on HTTP. We all understand that once your software goes HTTP, everything is going to be in plain text. So if we are able to sniff your network, we are able to find out some information regarding your device.
For example, this is key information; you probably can't see it, but it's actually IMEI numbers. So it's leaking, and you are able to find out some information. Here's one more. When you register an account with the system, usually they will ask you to set up some security questions, so that in case you lose your password you always have a way to get it back. If they go through all this process over HTTP, when we sniff it we are able to find out all your answers. So maybe in the future we can find a way to hijack your account. So there's a summary here: really, the AMI Key application communicates with the backend server completely in plain-text HTTP. So, yeah, no more privacy. But there's more here, which I'm going to talk about later. I'll show you how it can actually lead us to compromising the AMI Key. So there must be some encryption, right? Because in their manual they specifically mention that their product is using Bluetooth 4.0 technology, but they are using a very, very secure, unique, their own proprietary encryption. All right, cool. This picture I borrowed from their official website. As you can see, they put all the fancy words there, maybe just to scare you off. When I looked at this picture, I was getting impressed: wow, they have put so much effort into their product. But anyway, let's find out if this is true or not. So first, I'd like to do some physical access. Now remember, the AMI Key, by requirement, we have to leave the key inside the car.
So maybe a thief can do it the simple way: just break your glass by force and get your key. Then they have the key. However, they cannot connect to your key to, for example, start the engine. But what we can do here is get a blank key, move the chip from the RF module of the AMI Key to the blank key, and that way we can just unlock the vehicle. So here I'd like to play a very simple video just to prove my point that it will work. The car right now is locked. So now we're just using a blank key with the chip replaced. Very simple. It's working. However, this process involves a kind of violence; you need to actually break the glass. So I don't like this method, but it actually works. Okay, let's do some RF jamming. When I started to research a little bit more, I found out that it's quite popular in the theft world: thieves like to use a device called a car key jammer. They can actually make a lot of money from it, even just by selling those key fob jammers. The way it works is very simple. The thief will simply wait in the car park and turn on the key jammer. Then say the owner, maybe in a rush, just presses the lock button and runs away. They don't notice that the car actually didn't lock. Then the thief can just get in and take your goods. But since the AMI Key is a smart key, I wondered: is the AMI Key smart enough to detect and avoid this kind of attack? Turns out maybe it's not.
Because the AMI Key is actually one-way communication. It's really just this: you use your mobile phone to send a command to the Bluetooth board, and the Bluetooth board triggers the green RF module to send the lock or unlock command. There's no response from the green board saying whether it worked or not. So here I'm going to play another very simple demo. Okay, just go over it quickly. You see, when I press the button here, we can see the signal, so that means everything's working fine. Sorry, that went too quick. Then I use a YARD Stick One to send out the jamming signal, and when we go back to the spectrum analyzer we can see clearly the frequency band is already occupied. Now, let's see again when we press the button here: the LED lights up, which means the RF module is working, it's sending out the signal, but actually it's not working. And from the application we have no sign of it; we cannot tell whether it worked or not. So the AMI Key would not be able to help avoid the jamming attack. Okay. Now, what's next? Next, I really recommend you check out Samy Kamkar's talk. He gave a presentation a couple of years ago called "Drive It Like You Hacked It". Basically he found a way, called RollJam, that you can use to bypass the rolling code mechanism. However, the AMI Key's RF module is going to vary between different models. For example, the one I have is dedicated to Honda, but if you want to play with, say, Volkswagen, they have a different RF module.
Which means, since my goal here is actually to completely compromise the key, if they have different modules, I won't have the resources to buy every one of them. So I stopped at this stage, but I recommend this if you want to hack more in RF. But let's look at the key sharing, since this is a very cool feature. The way it works is very simple. We can create a name for the key you want to share, and then there's a timing here: you can set it to permanent or set a time limit. And as I mentioned, it's limited to up to 20 users; once you reach that point, the application will not allow you to go any further. Once you create the key you want to share, there are a couple of ways you can distribute it to your friends. One is that it will generate a barcode; you can just scan it and get the key. You can also send the key through text message, or just copy and paste it to your friend. And there's one interesting way here: you can actually send your key through WeChat. WeChat is one of the most popular IM apps in China, so probably everyone has it. Basically, once your friend gets the key, they simply type it into the activation window, activate it, and they're good to go. So what could possibly go wrong here? Remember I mentioned that the traffic is completely over HTTP. So basically there's an interesting behavior at the very first stage, when they try to distribute your code to your friend: they actually send the complete code in plain text to a website.
And then the website responds with a shorter URL, so that it's easier to share instead of a very long key. Now, inside that URL, it's going to return the entire key anyway. So if we can do some man in the middle, we can simply sniff it and we've got the key. On the client side we can also do this: when we receive the key sent by the owner, there's actually a barcode here. Once we decode it, we get another URL, and again we have all the actual keys inside. That means if we sniff it, we are able to unlock cars. So here I'll play one more video for my point here. Sorry. So here you get the key by sniffing it; there's no man in the middle. And then we can just type this URL into the browser, and it leads us to the activation page for the AMI Key application. Once we register, any name will work; just set a simple name for your key to remember. Okay, we got it working. We try to lock and unlock, and the light comes on. So that means if we simply sniff your key code, it will work. Okay. Again, we can see the light from it, so it works. Now, if you're the car owner and you find out that your car has been stolen, what's the reasonable next move? We want to cancel the key, right? Sorry. So let's see: when we try to cancel this key, what will happen? I'm going to cancel it. All right, canceled. Now, you see, we are still able to lock and unlock with the key. What happens? I thought maybe it's because we're still connected to it. So I disconnected it and reconnected again. Still connected.
And we can still operate the key. So what the hell is going on here? Let's go back to the owner's application. You see, it actually mentions here the way the update works: from the owner's side, we have to synchronize with the key in order to update the cancellation. You see what I mean? The logic is really: if you lost your car, you lost your key, how can you reconnect to your key to cancel it? So you're never able to cancel it. If you cannot cancel it, what about just waiting until it expires? Will that work? Another video. When I tried to do a little research on the timing, I tried to bypass this. I set the expiry time back to a few days ago, so that it should not work. So here it clearly says the key has already expired; the time is like 1:30, and the key has expired. But even though it clearly says it's expired, it still works; it's still connected to it, and the lock and unlock commands work. What's going on here? Even though the car owner's screen says it's already expired, from the user's side we are still able to operate the AMI Key. It still works. Just to further confirm, the time is 1:40 now, 1:43. So yeah, it should have just expired. Again, in order for the timing to actually expire, we have to connect to the AMI Key; we have to update this information on the AMI Key. Now again, if you shared a key and other people have your key and they have your car, how can you connect to it to say it's expired? You can't. So that means the key will never expire. So I think they have done some very funny logic in this kind of key sharing. Okay.
So what about Bluetooth? As they keep mentioning, they have very strong, secure encryption. Let's find out if that's true. Again, when I analyzed it from the beginning, I saw some traffic: they keep sending the same command, a read request, to a particular UUID, and that UUID responds with some kind of random number. But for now we don't know what that is or what it does. And then the following will be another 70 bytes of long random strings. Again, we have no idea what that is. But finally here, if you have ever done this kind of research, you will know that if you want to open smart locks or any sort of similar device, you can just simply write a value to a UUID. Now, sometimes the job can be easier, because they always write a fixed code; once we have this fixed code, it's pretty much game over. But now, the AMI Key actually sends two fixed codes here. I think one is actually simulating pressing the button and the other one is releasing it; so actually it's two movements. The reason I know this is the unlocking command is that I actually pressed three times and I saw three identical codes inside this log file. So is it game over yet? Can we just simply write these two codes to the UUID and get the car unlocked? Unfortunately, the first attempt failed. So what's going on? What happened is that in order to lock and unlock your AMI Key, there's some kind of login process involved. You have to log in first, then do the rest. So I took a look at the code again. I checked the code here; it's called a login request package.
From here we are able to find out what kind of parameters we need to provide to create a login packet. Then I checked that super secure algorithm. What we see here is XOR, all over the place. Really, they just rely on XOR with the different parameters. That's their secret formula. So here's the login protocol. Remember, as I mentioned, at the very beginning they send a fixed command to the key and get back some kind of random value. That's the seed: it's XORed with a key to generate another encryption code. Once we have the encryption code, we are able to create the login packet to log in to it. And that's where you see the very long 70 bytes; that's the login packet. Once we are logged in, we can send those two fixed commands to unlock the car. And if we succeed, we're going to get a response packet of 0xAA. So what we really need is to find out this encryption code. Once we look at the code again, we are able to see how it works: we get a random value from the AMI Key, and then it's XORed with the secret key here. The secret key is a fixed random DWORD number from the device initialization; but it turns out the secret key is only one byte. Now here's the login packet, and they have all these parameters that we're going to need to create one. I noticed one of them is called encrypted date. So I checked how they generate the date. As you can see, they actually take the current date, and then they have a secret method here.
They take the current year, subtract 2000, and you get the key value; then you convert it to hex, and that is your one-byte encryption key. So for example, this year is 2018; we subtract 2000 and get 18, and converting to hex we get 0x12. That is our encryption key here. Once we have that, together with the values we need from the Bluetooth traffic, we are able to create our own login packet. Here's the Python code, a very simple PoC, to communicate, create our own packets, and then try to unlock the car; you probably cannot see it clearly, but yeah. But here's something interesting, a surprise I didn't expect. Remember I mentioned that in order to know the code worked, I'm supposed to see 0xAA back, but in the response I actually just saw 0x6T6. So what's going on here? I spent many nights trying to figure out what was going on. The algorithm is so easy to understand; why does it still not work? Eventually we took a look at the firmware for the Bluetooth module that is provided inside the APK file, and we found out that the 0x6T6 code actually means an error code. What it indicates is that we actually need to put everything back in one piece. Remember when I did the research, I took those two boards apart. Apparently the AMI Key has a firmware function here, an error code saying that if we take it apart, it will not work. So we have to put it back together. Okay, that's fine. We put it back together, and we got the login packet working fine.
Now remember, those login packets we got were actually from the Bluetooth log file dump. In the real world, we're not able to do that. So an easy way to get that information is to sniff the packets, and that's easy to do. We can use this application here called the TI SmartRF Packet Sniffer. As you can see, we sniff all those 70 bytes of encrypted data and also the command for unlocking the car. So again, we can get exactly the same details as from the dump file. Once we have enough information, we can just create our login packets. So really, the one-byte encryption key is not secure, and XOR again is not secure, and if we can easily get access to that information, it's not secure. So here I'm going to play one final demo, just to prove my point that it will work. So I have this running; I send it three times. As you can see, we log in successfully, and then we send the unlock commands, and it just beeps three times. That means everything is working fine. Okay. So, as responsible disclosure, I'd like to contact the vendor, maybe just tell them, or maybe apply for a CVE if possible. However, I contacted them a couple of times through the telephone numbers and emails here, and I got no reply at all. Anyway, the conclusion here is that security by obscurity is definitely not going to work. We really have to test our products in a good way before actually going to market. So, yeah, that's my point, and thank you. Thanks.
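The BLE login scheme the talk describes, worked through as an added example. This is editor-added code, not the speaker's PoC and not the vendor's firmware or app. It takes only what the talk states: the phone reads a random value (nonce) from a characteristic, XORs it with a one-byte "secret" equal to (current year - 2000), so 2018 gives 0x12, wraps the result into a 70-byte login packet, gets 0xAA back on success, and then writes two fixed commands to unlock. The framing byte, nonce length, field order, padding and command bytes are assumptions chosen only so the exchange runs end to end, and the key-side class simulates the AMI Key rather than talking to real hardware. The attacker side shows why a one-byte XOR key is not a key: one sniffed nonce/login pair (or just a calendar) yields it.

```python
"""Added worked example of the AMI Key BLE login described in the talk.
NOT the speaker's PoC and NOT the vendor's code; the packet layout,
nonce length and command bytes below are ASSUMED for illustration."""
import os
from datetime import date

ACK_OK = b"\xaa"       # from the talk: the success response byte
LOGIN_LEN = 70         # from the talk: the "70 bytes" login packet
HDR = b"\x5a"          # ASSUMED framing byte
NONCE_LEN = 4          # ASSUMED nonce length
CMD_UNLOCK = (b"\x01\x02", b"\x01\x00")  # ASSUMED "press" / "release" writes


def derive_key_byte(year: int) -> int:
    """Talk: key byte = (year - 2000) written as hex, so 2018 -> 0x12."""
    k = year - 2000
    if not 0 <= k <= 0xFF:
        raise ValueError("scheme only represents years 2000..2255")
    return k


def key_from_calendar() -> int:
    """No sniffing needed at all: the 'secret' follows from today's date."""
    return derive_key_byte(date.today().year)


def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (what the talk found)."""
    return bytes(b ^ key for b in data)


def build_login_packet(nonce: bytes, key: int) -> bytes:
    """Phone side. ASSUMED layout: HDR | len | nonce^key | zero padding to 70."""
    enc = xor1(nonce, key)
    return (HDR + bytes([len(enc)]) + enc).ljust(LOGIN_LEN, b"\x00")


class AmiKeySim:
    """Key side, simulated: hand out a nonce, expect it back XORed with the year key."""

    def __init__(self, year: int, rng=os.urandom):
        self.key = derive_key_byte(year)
        self.nonce = None
        self.logged_in = False
        self._rng = rng

    def read_nonce(self) -> bytes:
        self.nonce = self._rng(NONCE_LEN)  # fresh each read: a raw replay of an old packet fails
        return self.nonce

    def write_login(self, packet: bytes) -> bytes:
        if self.nonce is None or len(packet) != LOGIN_LEN or packet[0] != HDR[0]:
            return b"\x00"
        n = packet[1]
        self.logged_in = xor1(packet[2:2 + n], self.key) == self.nonce
        return ACK_OK if self.logged_in else b"\x00"

    def write_command(self, cmd: bytes) -> bool:
        return self.logged_in and cmd in CMD_UNLOCK


def unlock_with_key(dev: AmiKeySim, key: int) -> bool:
    """Full exchange: read nonce, log in, then send the two fixed unlock writes."""
    nonce = dev.read_nonce()
    if dev.write_login(build_login_packet(nonce, key)) != ACK_OK:
        return False
    return all(dev.write_command(c) for c in CMD_UNLOCK)


def recover_key_byte(nonce: bytes, login_packet: bytes) -> int:
    """Attacker side, from one sniffed (nonce, login packet) pair.
    With a one-byte XOR key, enc[i] ^ nonce[i] == key for every i; the 256-value
    keyspace is searched in full only to make its size concrete."""
    n = login_packet[1]
    enc = login_packet[2:2 + n]
    hits = [k for k in range(256) if xor1(enc, k) == nonce]
    if len(hits) != 1:
        raise ValueError("pair does not fit the one-byte XOR scheme")
    return hits[0]


def attacker_unlock(dev: AmiKeySim, sniffed_nonce: bytes, sniffed_packet: bytes) -> bool:
    """Recover the key from one sniffed exchange, then run a fresh login of our own."""
    return unlock_with_key(dev, recover_key_byte(sniffed_nonce, sniffed_packet))


if __name__ == "__main__":
    dev = AmiKeySim(2018)
    print("owner unlock:", unlock_with_key(dev, derive_key_byte(2018)))
    # One "sniffed" exchange, constructed here (a real one would come from a BLE sniffer).
    nonce = dev.read_nonce()
    pkt = build_login_packet(nonce, 0x12)
    dev.write_login(pkt)
    print("recovered key byte: 0x%02x" % recover_key_byte(nonce, pkt))
    print("attacker unlock:", attacker_unlock(dev, nonce, pkt))
```

The simulated key does use a fresh nonce per login, so a naive replay of a captured 70-byte packet fails; the talk's point survives anyway, because the only thing the nonce protects is a key byte that can be read off a single capture (or off the calendar) and then used to answer any future nonce.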