I had to build a new coil so I could send and receive data from the very small Hitag S transponder, but I'm still not
able to understand the responses. Here are some examples with my 2 keys
(key1's real UID is 8157cfbf and key2's UID is 82e57ff8):
proxmark3> lf hitag reader 21
#db# Starting Hitag reader family
#db# List identifier in password mode
#db# Configured for hitag2 reader
#db# Uknown frame length: 68
#db# frame received: 2
#db# All done
proxmark3> lf hitag list
recorded activity:
ETU :nbits: who bytes
---------+-----+----+-----------
+ 0: 5: c8
+ 210: 68: TAG fc! ff! ff! 2f f3! 33! fc! aa! b0
proxmark3> lf hitag reader 21
#db# Starting Hitag reader family
#db# List identifier in password mode
#db# Configured for hitag2 reader
#db# Uknown frame length: 67
#db# frame received: 2
#db# All done
proxmark3> lf hitag list
recorded activity:
ETU :nbits: who bytes
---------+-----+----+-----------
+ 0: 5: c8
+ 210: 67: TAG ff! fc! ab ff! ff! cb 3c! aa! c0!
recorded activity:
ETU :nbits: who bytes
---------+-----+----+-----------
+ 0: 5: 30
+ 211: 61: TAG 2f e5 9e 55! 59! 66! 55! 78!
I think it is because the hitag2.c file sets the coding to Manchester, but in the Hitag1 protocol this command has to be sent in AC coding.
Does someone know how to change this properly?
My lock is a Winkhaus BlueSmart cylinder:
http://www.winkhaus.com/de-de/~/media/images/content/products/800x389/bluesmart_zylinder_typ_01_xl.jpg
and the transponder is a passive Hitag1 (the tags have a very weak signal and short range):
http://www.winkhaus.com/de-de/~/media/images/content/products/800x389/schluessel_bluesmart_xl.jpg
With my proxmark3 and RFIDler v22 I wasn't able to sniff a transaction.
I sent some requests with my TS-RW38 reader/writer to a Hitag1 tag and sniffed with lf hitag snoop:
+ 166248: 5: c8
+ 117: 65: TAG 99! 99! 55! 5f! 95! f9! e7! 99! 80
+ 141003: 4: 90
+ 116: 65: TAG 99! 99! 55! 5f! 95! f9! e7! 99! 80
Why do I sniff all the data from the reader correctly but not the answer from the tags?
I already found out how to read/write pages and get the UID and the config settings.
I also found that there are 2 types of encryption methods:
- with a password, which is transmitted in plaintext at the beginning
- a 32-bit key with a crypto algorithm
Because of the way my RFID lock is built, it's not possible for me to sniff the transaction without destroying it.
So I wanted to brute force the 32-bit key, but I have no idea how the request has to look.
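Since the open question in this thread is whether the tag replies are being decoded with the wrong coding, a quick sanity check is to treat the dumped tag bytes as a raw bit string and look for the UIDs the poster already knows at every bit offset, also inverted and bit-reversed, before blaming the coding. The following is an added example in Python, not part of the original post and not proxmark3 code. It assumes the byte dump in `lf hitag list` is MSB-first with the last byte zero-padded to the reported bit count (the trailing b0/c0/78 bytes of the three tag frames above are consistent with that), records but does not interpret the "!" marks, and uses the two UIDs and the six "recorded activity" lines quoted above as its constructed input.

```python
import re

# Constructed sample input: the "recorded activity" lines copied from the
# proxmark3 `lf hitag list` output quoted earlier in this thread.
PM3_LIST_OUTPUT = """\
+ 0: 5: c8
+ 210: 68: TAG fc! ff! ff! 2f f3! 33! fc! aa! b0
+ 0: 5: c8
+ 210: 67: TAG ff! fc! ab ff! ff! cb 3c! aa! c0!
+ 0: 5: 30
+ 211: 61: TAG 2f e5 9e 55! 59! 66! 55! 78!
"""

# UIDs as stated by the poster for the two keys.
KNOWN_UIDS = {"key1": 0x8157CFBF, "key2": 0x82E57FF8}

# "+ <etu>: <nbits>: [TAG] <hex bytes, optionally suffixed with '!'>"
LINE_RE = re.compile(r"^\+\s*(\d+):\s*(\d+):\s*(TAG\s+)?(.*)$")


def parse_list_line(line):
    """Parse one '+ etu: nbits: [TAG] bytes' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    etu, nbits, who, rest = m.groups()
    tokens = rest.split()
    data = bytes(int(t.rstrip("!"), 16) for t in tokens)
    # Byte positions the tool printed with a trailing '!' (kept, not interpreted).
    flagged = [i for i, t in enumerate(tokens) if t.endswith("!")]
    return {"etu": int(etu), "nbits": int(nbits),
            "who": "tag" if who else "reader", "data": data, "flagged": flagged}


def frame_bits(frame):
    """Bit string of a frame, MSB-first, cut to the reported bit count.
    Assumption: the dump is MSB-first and the last byte is zero-padded."""
    bits = "".join(format(b, "08b") for b in frame["data"])
    return bits[: frame["nbits"]]


def uid_variants(uid):
    """The four bit-level views a misaligned or inverted decode would produce."""
    inv = str.maketrans("01", "10")
    msb = format(uid, "032b")
    lsb = msb[::-1]
    return {"msb-first": msb, "msb-first inverted": msb.translate(inv),
            "lsb-first": lsb, "lsb-first inverted": lsb.translate(inv)}


def find_uid(bits, uid):
    """Return [(bit_offset, variant), ...] for every occurrence of any UID
    variant in the frame bits, at any bit offset."""
    hits = []
    for name, pat in uid_variants(uid).items():
        pos = bits.find(pat)
        while pos != -1:
            hits.append((pos, name))
            pos = bits.find(pat, pos + 1)
    return hits


def analyse(output, uids=KNOWN_UIDS):
    """Parse a whole dump and search every tag frame for the known UIDs."""
    frames = [f for f in (parse_list_line(l) for l in output.splitlines()) if f]
    report = []
    for f in frames:
        if f["who"] != "tag":
            continue
        bits = frame_bits(f)
        report.append({"nbits": f["nbits"], "nbytes": len(f["data"]),
                       "flagged": len(f["flagged"]),
                       "hits": {n: find_uid(bits, u) for n, u in uids.items()}})
    return report


if __name__ == "__main__":
    for r in analyse(PM3_LIST_OUTPUT):
        print(r)
```

On the three tag frames quoted above no variant of either UID appears at any bit offset, so the bytes are not simply a shifted, inverted or bit-reversed 32-bit UID; that is consistent with the poster's suspicion that the reply is being decoded with the wrong line coding rather than merely misaligned. Pasting a `lf hitag snoop` dump into `PM3_LIST_OUTPUT` works the same way, provided the UID of the tag that answered is known.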