Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#51 2013-12-04 23:14:10

fgo
Contributor
Registered: 2013-04-22
Posts: 14

Re: Skidata tickets (iso 15693)

Les Contamines
kid E

Reading memory from tag UID=E016246608632043         
Tag Info: EM-Marin SA (Skidata)         
Block  0   D8 08 56 2B    ..V+         
Block  1   42 18 60 20    B.`           
Block  2   00 38 00 A0    .8..         
Block  3   1C 48 33 00    .H3.         
Block  4   1B 00 00 00    ....         
Block  5   00 00 00 00    ....         
Block  6   00 00 00 00    ....         
Block  7   00 00 00 00    ....         
Block  8   00 00 00 00    ....         
Block  9   00 00 00 00    ....         
Block 10   00 00 00 00    ....         
Block 11   00 00 00 00    ....         
Block 12   00 00 00 00    ....         
Block 13   00 00 00 00    ....         
Block 14   00 00 00 00    ....         
Block 15   00 00 00 00    ....         
Block 16   00 00 00 00    ....         
Block 17   00 00 00 00    ....         
Block 18   00 00 00 00    ....         
Block 19   00 00 00 00    ....         
Block 20   00 00 00 00    ....         
Block 21   00 00 00 00    ....         
Block 22   00 00 00 00    ....         
Block 23   00 00 00 00    ....         
Block 24   00 00 00 00    ....         
Block 25   00 00 00 00    ....         
Block 26   00 00 00 00    ....         
Block 27   00 00 00 00    ....         
Block 28   2A 80 53 42    *.SB         
Block 29   20 90 53 42     .SB         
Block 30   33 00 00 00    3...         
Block 31   00 00 00 00    ....         
Block 32   00 00 00 00    ....         
Block 33   00 00 00 00    ....         
Block 34   00 00 00 00    ....         
Block 35   00 00 00 00    ....         
Block 36   00 00 00 00    ....         
Block 37   00 00 00 00    ....         
Block 38   00 00 00 00    ....         
Block 39   00 00 00 00    ....         
Block 40   00 00 00 00    ....         
Block 41   00 00 00 00    ....         
Block 42   D0 0A 39 18    ..9.         
Block 43   C0 05 1B 13    ....         
Block 44   F9 F4 7E 89    ..~.         
Block 45   53 0F 6F 1A    S.o.         
Block 46   D0 94 0D AE    ....         
Block 47   16 00 00 00    ....         
Block 48   00 00 80 7B    ...{         
Block 49   00 38 3C 27    .8<'         
Block 50   00 00 00 00    ....         
Block 51   00 00 00 00    ....         
Tag returned Error 15: Unknown error.


#52 2013-12-04 23:38:37

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Consecutive dumps of the same tag are needed to better understand; anyway tomorrow I will try to compare what you just posted, thank you.

EDIT:
for each tag you should send the ISO15693 raw command:
hf 15 cmd sysinfo -2 u
and post the answer from the tag.

Also day and time are important so, if possible, when you use the tag with the turnstile, remember or write down somewhere date and time of the single passage (after a single passage you should read tag content [dump] to see what changes).

Last edited by asper (2013-12-05 10:06:32)


#53 2013-12-05 23:54:03

fgo
Contributor
Registered: 2013-04-22
Posts: 14

Re: Skidata tickets (iso 15693)

here is the result from  hf 15 cmd sysinfo -2 u

proxmark3> hf 15 cmd sysinfo -2 u
0F 43 20 63 08 66 24 16 E0 02 00 33 03 02
UID = E016246608632043
EM-Marin SA (Skidata)
DSFID supported, set to 02
AFI supported, set to 000
Tag provides info on memory layout (vendor dependent)
4 (or 3) bytes/page x 52 pages
IC reference given: 02

I'll take my proxmark when going to ski this winter and check before after turnstile

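The answer above can be read straight from ISO 15693-3 once you know what the client prints: the response-flags byte and the two CRC bytes are not in the listing (an assumption of mine, made from its 14-byte length), so the first byte 0F is the info flags (DSFID, AFI, memory size and IC reference all present), the next eight bytes are the UID transmitted least-significant byte first (43 20 ... E0, hence E016246608632043), then DSFID 02, AFI 00, the two memory-size bytes 33 03 (0x33+1 = 52 blocks of (0x03 & 0x1F)+1 = 4 bytes, 208 bytes in total) and IC reference 02. The Python below is an added example, not Proxmark3 code and not something posted in the thread: it parses that payload, names the manufacturer from the second UID byte (0x16 is EM Microelectronic-Marin, 0x04 is Philips/NXP), builds the addressed 2B request that `-2 u` corresponds to (flags 0x22 = high data rate plus address flag, UID LSB first, CRC-16 per ISO 15693-3 Annex C) and looks up the "Error 15" code that closes the dumpmemory listings in this thread (0x0F, "unknown error"). Function and constant names are my own.

```python
"""ISO 15693 'Get System Information' (command 0x2B) helpers.

Added example for this thread, not Proxmark3 code. parse_sysinfo() takes the
answer exactly as the client printed it above: info flags, UID, then the optional
fields; the response-flags byte and the CRC are not part of that listing (my
assumption, made from its 14-byte length)."""

ISO15_REQ_DATARATE_HIGH = 0x02   # request flag set by the client's '-2' option
ISO15_REQ_ADDRESS = 0x20         # request flag set by 'u': addressed to one UID
ISO15_CMD_SYSINFO = 0x2B

# ISO/IEC 7816-6 manufacturer codes in the second UID byte (after E0), as seen in this thread
MANUFACTURERS = {0x04: "Philips/NXP", 0x16: "EM Microelectronic-Marin SA"}

# ISO 15693-3 error codes; 0x0F is the 'Error 15' the dumpmemory listings above end on
ISO15_ERRORS = {
    0x01: "command not supported", 0x02: "command not recognised",
    0x03: "option not supported", 0x0F: "unknown error",
    0x10: "block not available", 0x11: "block already locked",
    0x12: "block locked, content cannot be changed",
    0x13: "block not successfully programmed", 0x14: "block not successfully locked",
}


def crc16_iso15693(data):
    """CRC-16 of ISO 15693-3 Annex C (same as ISO 14443 CRC_B): poly 0x8408 reflected,
    preset 0xFFFF, result inverted."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_sysinfo_request(uid_hex):
    """Addressed Get System Information frame: flags, command, UID LSB first, CRC LSB first."""
    uid = bytes.fromhex(uid_hex)
    if len(uid) != 8 or uid[0] != 0xE0:
        raise ValueError("ISO 15693 UID must be 8 bytes starting with E0")
    frame = bytes([ISO15_REQ_DATARATE_HIGH | ISO15_REQ_ADDRESS, ISO15_CMD_SYSINFO]) + uid[::-1]
    return frame + crc16_iso15693(frame).to_bytes(2, "little")


def parse_sysinfo(payload_hex):
    """payload = info flags | UID (8 bytes, LSB first) | [DSFID] | [AFI] | [mem size (2)] | [IC ref]."""
    data = bytes.fromhex(payload_hex)
    info, uid, pos = data[0], data[1:9][::-1], 9
    out = {"uid": uid.hex().upper(),
           "manufacturer": MANUFACTURERS.get(uid[1], "unknown 0x%02X" % uid[1])}
    if info & 0x01:
        out["dsfid"], pos = data[pos], pos + 1
    if info & 0x02:
        out["afi"], pos = data[pos], pos + 1
    if info & 0x04:
        # first byte: number of blocks - 1; second byte bits 0-4: bytes per block - 1 (5-7 RFU)
        out["n_blocks"] = data[pos] + 1
        out["block_size"] = (data[pos + 1] & 0x1F) + 1
        out["memory_bytes"] = out["n_blocks"] * out["block_size"]
        pos += 2
    if info & 0x08:
        out["ic_ref"], pos = data[pos], pos + 1
    if pos != len(data):
        raise ValueError("unexpected trailing bytes: " + data[pos:].hex())
    return out


def describe_error(code):
    return ISO15_ERRORS.get(code, "error code 0x%02X (RFU or custom)" % code)


if __name__ == "__main__":
    answer = "0F 43 20 63 08 66 24 16 E0 02 00 33 03 02"   # the answer fgo posted above
    info = parse_sysinfo(answer)
    print(info)
    print("request:", build_sysinfo_request(info["uid"]).hex(" ").upper())
    print("Error 15 =", describe_error(15))
```

The memory-size field is why the client hedges with "4 (or 3) bytes/page": the block size is carried in the low five bits of the second byte as size minus one, so 03 is unambiguously 4 bytes once those bits are masked, and 52 x 4 matches the 208 bytes TagInfo reports further down the thread.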

#54 2013-12-06 07:19:34

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Good, but you can also use an NFC-capable mobile phone (really easier); there are free apps to read those tags.


#55 2014-01-07 15:38:31

oker
Member
Registered: 2014-01-07
Posts: 1

Re: Skidata tickets (iso 15693)

Hi

I've been working in a ski resort in Spain; they work with SKIDATA cards provided by Electronica Marin (ISO 15693). Basically this card can't be emulated; the only way to do something is to try to clone it. A cloned card works flawlessly; there is only one requirement for it to work: the card ID must exist in the database. It doesn't matter if this database is online or not, maybe shared with other ski resorts; if the card ID exists, the door opens.

For any further information , feel free to contact me.

Regards!!


#56 2014-01-07 17:03:00

gaucho
Contributor
From: France
Registered: 2010-06-15
Posts: 444

Re: Skidata tickets (iso 15693)

Hi oker,
thanks for sharing the information.
Many ski resorts use EM tags.
I have 2 types:
- one is EM4233
- and the other one has the unknown model code 00101 (read it in binary)

What is your model?
Do you have a Proxmark or another reader?

You said that this card can't be emulated.
This is wrong.
Maybe you meant "...this card today has no official firmware inside the Proxmark able to emulate it".

What about the cloning? The UID is unique and not changeable. I don't know of EM tags with a changeable UID. Do you?

Last edited by gaucho (2014-01-07 17:08:03)


Imagination is more important than knowledge.


#57 2014-01-10 11:40:43

timififilger
Contributor
Registered: 2012-08-28
Posts: 17

Re: Skidata tickets (iso 15693)

Hi there,
very interesting topic here.
I own a PM3 + 10 "3 Vallées skipass Marin" cards with UIDs and information about date, hour...
I also own 3 Chamonix and Les Houches Skidata passes,
all E016...
Let me know if I can help in any way, except programming, which I'm not able to do.


#58 2014-01-10 14:28:02

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654

Re: Skidata tickets (iso 15693)

Well,  I'm a bit curious about the EM tag and ski-data.   If you want an extra eye,  I'm at your disposal.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#59 2014-01-11 20:31:56

fgo
Contributor
Registered: 2013-04-22
Posts: 14

Re: Skidata tickets (iso 15693)

Hi all,
I would like to write things on an ISO 15693 card (a skipass); how can I do it with my Proxmark? I always get the following message and nothing is written (I checked):
proxmark3> hf 15 cmd write -2  u 0 00 00 00 00
timeout: no answer - data may be written anyway 


Is it possible to write blocks on this kind of card? Is there no need for any key like on a MIFARE card?
Thanks!


#60 2014-01-30 11:11:50

gaucho
Contributor
From: France
Registered: 2010-06-15
Posts: 444

Re: Skidata tickets (iso 15693)

@fgo: you should check what the model of your tag is, find its datasheet on Google, study it, and check whether write password protection is enabled. In that case you must know the password before writing to it.

Last edited by gaucho (2014-01-30 13:20:35)


Imagination is more important than knowledge.


#61 2014-02-01 20:16:41

XDjackieXD
Member
Registered: 2014-02-01
Posts: 1

Re: Skidata tickets (iso 15693)

Hi everyone!
I scanned 4 Skidata cards from an Austrian ski resort with my Nexus 5.
Here are the dumps:

First card:
** TagInfo scan (version 2.00) 2014-02-01 18:03:58 **

-- INFO ------------------------------

# IC manufacturer:
EM Microelectronic-Marin SA

# IC type:
EM4x3x

# Application information:
SKIDATA keycard
* Key number: xx-16147133534573084004-x

-- NDEF ------------------------------

# No NFC data set storage:

-- EXTRA ------------------------------

# Memory size:
208 bytes
* 52 blocks, with 4 bytes per block

# IC detailed information:
Supported read commands:
* Single Block Read
* Multiple Block Read
* Get Multiple Block Security Status
* Get System Information
AFI supported
DSFID supported
IC reference value: 0x02
Customer ID: 0x066

-- TECH ------------------------------

# Technologies supported:
ISO/IEC 15693-3 compatible
ISO/IEC 15693-2 compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.NfcV, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.NfcV
* Maximum transceive length: 253 bytes
No MIFARE Classic support present in Android

# Detailed protocol information:
ID: E0:16:24:66:05:06:BD:64
AFI: 0x00
DSFID: 0x02

# Memory content:
[00] . FC 08 34 78 |..4x|
[01] . 42 18 60 20 |B.` |
[02] . 00 38 00 10 |.8..|
[03] . 1C 48 33 00 |.H3.|
[04] . 1B 00 00 00 |....|
[05] . 00 00 00 00 |....|
[06] . 00 00 00 00 |....|
[07] . 00 00 00 00 |....|
[08] . 00 00 00 00 |....|
[09] . 00 00 00 00 |....|
[0A] . 00 00 00 00 |....|
[0B] . 00 00 00 00 |....|
[0C] . 00 00 00 00 |....|
[0D] . 00 00 00 00 |....|
[0E] . 00 00 00 00 |....|
[0F] . 00 00 00 00 |....|
[10] . 00 00 00 00 |....|
[11] . 00 00 00 00 |....|
[12] . 00 00 00 00 |....|
[13] . 00 00 00 00 |....|
[14] . 00 00 00 00 |....|
[15] . 00 00 00 00 |....|
[16] . 00 00 00 00 |....|
[17] . 00 00 00 00 |....|
[18] . 00 00 00 00 |....|
[19] . 00 00 00 00 |....|
[1A] . 00 00 00 00 |....|
[1B] . 00 00 00 00 |....|
[1C] . 2A 80 53 42 |*.SB|
[1D] . 1F 90 53 42 |..SB|
[1E] . 33 00 00 00 |3...|
[1F] . 00 00 00 00 |....|
[20] . 00 00 00 00 |....|
[21] . 00 00 00 00 |....|
[22] . 00 00 00 00 |....|
[23] . 00 00 00 00 |....|
[24] . 00 00 00 00 |....|
[25] . 00 00 00 00 |....|
[26] . 00 00 00 00 |....|
[27] . 00 00 00 00 |....|
[28] . 00 00 00 00 |....|
[29] . 00 00 00 00 |....|
[2A] . 7A 27 A8 19 |z'..|
[2B] . C0 05 1B 01 |....|
[2C] . 08 F0 4A 45 |..JE|
[2D] . 74 44 D4 D9 |tD..|
[2E] . D0 E3 12 07 |....|
[2F] . 12 00 00 00 |....|
[30] . 00 00 00 3D |...=|
[31] . 00 08 54 A7 |..T.|
[32] . 00 00 00 00 |....|
[33] . 00 00 00 00 |....|

  x:locked, .:unlocked

--------------------------------------

Second card:
** TagInfo scan (version 2.00) 2014-02-01 18:06:23 **

-- INFO ------------------------------

# IC manufacturer:
EM Microelectronic-Marin SA

# IC type:
EM4x3x

# Application information:
SKIDATA keycard
* Key number: xx-16147133534665950180-x

-- NDEF ------------------------------

# No NFC data set storage:

-- EXTRA ------------------------------

# Memory size:
208 bytes
* 52 blocks, with 4 bytes per block

# IC detailed information:
Supported read commands:
* Single Block Read
* Multiple Block Read
* Get Multiple Block Security Status
* Get System Information
AFI supported
DSFID supported
IC reference value: 0x02
Customer ID: 0x066

-- TECH ------------------------------

# Technologies supported:
ISO/IEC 15693-3 compatible
ISO/IEC 15693-2 compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.NfcV, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.NfcV
* Maximum transceive length: 253 bytes
No MIFARE Classic support present in Android

# Detailed protocol information:
ID: E0:16:24:66:0A:8F:C3:E4
AFI: 0x00
DSFID: 0x02

# Memory content:
[00] . 8C 08 73 3B |..s;|
[01] . 82 18 60 20 |..` |
[02] . 00 38 00 00 |.8..|
[03] . 1C 48 33 00 |.H3.|
[04] . 1B 00 00 00 |....|
[05] . 00 00 00 00 |....|
[06] . 00 00 00 00 |....|
[07] . 00 00 00 00 |....|
[08] . 00 00 00 00 |....|
[09] . 00 00 00 00 |....|
[0A] . 00 00 00 00 |....|
[0B] . 00 00 00 00 |....|
[0C] . 00 00 00 00 |....|
[0D] . 00 00 00 00 |....|
[0E] . 00 00 00 00 |....|
[0F] . 00 00 00 00 |....|
[10] . 00 00 00 00 |....|
[11] . 00 00 00 00 |....|
[12] . 00 00 00 00 |....|
[13] . 00 00 00 00 |....|
[14] . 00 00 00 00 |....|
[15] . 00 00 00 00 |....|
[16] . 00 00 00 00 |....|
[17] . 00 00 00 00 |....|
[18] . 00 00 00 00 |....|
[19] . 00 00 00 00 |....|
[1A] . 00 00 00 00 |....|
[1B] . 00 00 00 00 |....|
[1C] . 2A 80 53 42 |*.SB|
[1D] . 1F 90 53 42 |..SB|
[1E] . 33 00 00 00 |3...|
[1F] . 00 00 00 00 |....|
[20] . 00 00 00 00 |....|
[21] . 00 00 00 00 |....|
[22] . 00 00 00 00 |....|
[23] . 00 00 00 00 |....|
[24] . 00 00 00 00 |....|
[25] . 00 00 00 00 |....|
[26] . 00 00 00 00 |....|
[27] . 00 00 00 00 |....|
[28] . 00 00 00 00 |....|
[29] . 00 00 00 00 |....|
[2A] . 7A 27 27 1B |z''.|
[2B] . C0 05 1B 01 |....|
[2C] . 4E C2 9D 79 |N..y|
[2D] . E9 2C 39 A4 |.,9.|
[2E] . 20 71 DE E1 | q..|
[2F] . 00 00 00 00 |....|
[30] . 00 00 00 00 |....|
[31] . 00 00 00 00 |....|
[32] . 00 00 00 00 |....|
[33] . 00 00 00 00 |....|

  x:locked, .:unlocked

--------------------------------------

Third card:
** TagInfo scan (version 2.00) 2014-02-01 18:07:30 **

-- INFO ------------------------------

# IC manufacturer:
EM Microelectronic-Marin SA

# IC type:
EM4x3x

# Application information:
SKIDATA keycard
* Key number: xx-16147133534528909342-x

-- NDEF ------------------------------

# No NFC data set storage:

-- EXTRA ------------------------------

# Memory size:
208 bytes
* 52 blocks, with 4 bytes per block

# IC detailed information:
Supported read commands:
* Single Block Read
* Multiple Block Read
* Get Multiple Block Security Status
* Get System Information
AFI supported
DSFID supported
IC reference value: 0x02
Customer ID: 0x066

-- TECH ------------------------------

# Technologies supported:
ISO/IEC 15693-3 compatible
ISO/IEC 15693-2 compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.NfcV, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.NfcV
* Maximum transceive length: 253 bytes
No MIFARE Classic support present in Android

# Detailed protocol information:
ID: E0:16:24:66:02:64:B0:1E
AFI: 0x00
DSFID: 0x02

# Memory content:
[00] . 64 08 63 FF |d.c.|
[01] . 82 18 60 20 |..` |
[02] . 00 38 00 00 |.8..|
[03] . 1C 48 33 00 |.H3.|
[04] . 1B 00 00 00 |....|
[05] . 00 00 00 00 |....|
[06] . 00 00 00 00 |....|
[07] . 00 00 00 00 |....|
[08] . 00 00 00 00 |....|
[09] . 00 00 00 00 |....|
[0A] . 00 00 00 00 |....|
[0B] . 00 00 00 00 |....|
[0C] . 00 00 00 00 |....|
[0D] . 00 00 00 00 |....|
[0E] . 00 00 00 00 |....|
[0F] . 00 00 00 00 |....|
[10] . 00 00 00 00 |....|
[11] . 00 00 00 00 |....|
[12] . 00 00 00 00 |....|
[13] . 00 00 00 00 |....|
[14] . 00 00 00 00 |....|
[15] . 00 00 00 00 |....|
[16] . 00 00 00 00 |....|
[17] . 00 00 00 00 |....|
[18] . 00 00 00 00 |....|
[19] . 00 00 00 00 |....|
[1A] . 00 00 00 00 |....|
[1B] . 00 00 00 00 |....|
[1C] . 2A 80 53 42 |*.SB|
[1D] . 1F 90 53 42 |..SB|
[1E] . 33 00 00 00 |3...|
[1F] . 00 00 00 00 |....|
[20] . 00 00 00 00 |....|
[21] . 00 00 00 00 |....|
[22] . 00 00 00 00 |....|
[23] . 00 00 00 00 |....|
[24] . 00 00 00 00 |....|
[25] . 00 00 00 00 |....|
[26] . 00 00 00 00 |....|
[27] . 00 00 00 00 |....|
[28] . 00 00 00 00 |....|
[29] . 00 00 00 00 |....|
[2A] . 7A 27 27 1B |z''.|
[2B] . C0 05 1B 01 |....|
[2C] . A3 40 75 BF |.@u.|
[2D] . 36 F7 EB 4C |6..L|
[2E] . 60 7A 34 FE |`z4.|
[2F] . 00 00 00 00 |....|
[30] . 00 00 00 00 |....|
[31] . 00 00 00 00 |....|
[32] . 00 00 00 00 |....|
[33] . 00 00 00 00 |....|

  x:locked, .:unlocked

--------------------------------------

Fourth card:
** TagInfo scan (version 2.00) 2014-02-01 18:08:36 **

-- INFO ------------------------------

# IC manufacturer:
EM Microelectronic-Marin SA

# IC type:
EM4x3x

# Application information:
SKIDATA keycard
* Key number: xx-16147133534665934659-x

-- NDEF ------------------------------

# No NFC data set storage:

-- EXTRA ------------------------------

# Memory size:
208 bytes
* 52 blocks, with 4 bytes per block

# IC detailed information:
Supported read commands:
* Single Block Read
* Multiple Block Read
* Get Multiple Block Security Status
* Get System Information
AFI supported
DSFID supported
IC reference value: 0x02
Customer ID: 0x066

-- TECH ------------------------------

# Technologies supported:
ISO/IEC 15693-3 compatible
ISO/IEC 15693-2 compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.NfcV, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.NfcV
* Maximum transceive length: 253 bytes
No MIFARE Classic support present in Android

# Detailed protocol information:
ID: E0:16:24:66:0A:8F:87:43
AFI: 0x00
DSFID: 0x02

# Memory content:
[00] . FE 08 E7 A1 |....|
[01] . 82 18 60 20 |..` |
[02] . 00 38 00 00 |.8..|
[03] . 1C 48 33 00 |.H3.|
[04] . 1B 00 00 00 |....|
[05] . 00 00 00 00 |....|
[06] . 00 00 00 00 |....|
[07] . 00 00 00 00 |....|
[08] . 00 00 00 00 |....|
[09] . 00 00 00 00 |....|
[0A] . 00 00 00 00 |....|
[0B] . 00 00 00 00 |....|
[0C] . 00 00 00 00 |....|
[0D] . 00 00 00 00 |....|
[0E] . 00 00 00 00 |....|
[0F] . 00 00 00 00 |....|
[10] . 00 00 00 00 |....|
[11] . 00 00 00 00 |....|
[12] . 00 00 00 00 |....|
[13] . 00 00 00 00 |....|
[14] . 00 00 00 00 |....|
[15] . 00 00 00 00 |....|
[16] . 00 00 00 00 |....|
[17] . 00 00 00 00 |....|
[18] . 00 00 00 00 |....|
[19] . 00 00 00 00 |....|
[1A] . 00 00 00 00 |....|
[1B] . 00 00 00 00 |....|
[1C] . 2A 80 53 42 |*.SB|
[1D] . 1F 90 53 42 |..SB|
[1E] . 33 00 00 00 |3...|
[1F] . 00 00 00 00 |....|
[20] . 00 00 00 00 |....|
[21] . 00 00 00 00 |....|
[22] . 00 00 00 00 |....|
[23] . 00 00 00 00 |....|
[24] . 00 00 00 00 |....|
[25] . 00 00 00 00 |....|
[26] . 00 00 00 00 |....|
[27] . 00 00 00 00 |....|
[28] . 00 00 00 00 |....|
[29] . 00 00 00 00 |....|
[2A] . 7A 27 27 1B |z''.|
[2B] . C0 05 1B 01 |....|
[2C] . 94 FC A2 1E |....|
[2D] . 88 F4 52 00 |..R.|
[2E] . 40 EA 56 1D |@.V.|
[2F] . 00 00 00 00 |....|
[30] . 00 00 00 00 |....|
[31] . 00 00 00 00 |....|
[32] . 00 00 00 00 |....|
[33] . 00 00 00 00 |....|

  x:locked, .:unlocked

--------------------------------------

I hope I could help!

-Jakob


#62 2014-02-04 13:09:45

canard
Member
Registered: 2014-02-04
Posts: 7

Re: Skidata tickets (iso 15693)

Hi all,

I'm back from holiday (France, Alps); I couldn't manage to write a valid ski pass.
I own a dump for every reload done during the week. I found some block rules. This is for 'Portes du Soleil': EM Marin 63 x 32 blocks.

I will soon go to "3 Vallées" (Skidata 51*32); I see some common structure and I would like to share our investment / dumps to make progress.

Note: I don't want to publish data on a public thread; please contact me in private.


#64 2014-02-19 17:06:04

vidra19300
Member
Registered: 2014-02-19
Posts: 2

Re: Skidata tickets (iso 15693)

Hello everyone,
I succeeded in reading all the data on the card.
CAN SOMEONE HELP ME?
I found two types of cards:
1: ISO 15693 or ICODE SLI with 52 blocks, and ICODE SLI-S with 40 blocks!
I use the NFC-V READER Android application to read/write data!
The card with 40 blocks can read all blocks and write.
The cards with 52 blocks cannot be written but can be read!
I tried to read all data from the 40-block card and write it to another card.
When I tried to use it on the terminal, the card was automatically deactivated. I think that I wrote block 0, and I saw that each card has a different block 0. All cards have 4 bytes in one block. Some blocks are the same every day.

Only block 0 changes with a different card, and blocks 20, 21, 22 change when I recharge my card every day. On my card block 0 doesn't change; only 20, 21, 22 and 23, 24, 25 change when I switch between all-day recharging, half-day and different mountains (1 or 3 mountains).

Can someone tell me which blocks contain date, days and time of validity?

Look at this:
                byte 1   byte 2   byte 3   byte 4
block 20        B1       50       CA       DA
block 21        F9       35       6D       3C
block 22        40       9A       08       E8
.......................................................................
ONLY THIS CODE CHANGES IN MY CARD, BUT SOMETIMES WHEN I CHANGE THE ALL-DAY VALIDITY THIS TOO:

block 23        14       00       99       0D
block 24        00       00       40       9E
block 25        00       28       4C       18
and some other day on the same card, only:
block 23        00       00       C0       3F

And all of these blocks are for 3 mountains!

Can someone tell me more about how it works?
Thanks, best regards


#65 2014-03-10 18:48:59

makhco
Member
Registered: 2014-03-10
Posts: 4

Re: Skidata tickets (iso 15693)

Hi
I saw an ICODE SLI tag yesterday whose UID was changeable!
I even tested it myself; I just don't know its source.
Did you hear about / see a changeable-UID (ISO 15693) tag before?


#66 2014-03-11 08:05:05

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Skidata tickets (iso 15693)

I saw flying UFO last night. Can you prove it?


#67 2014-03-11 19:58:44

gaucho
Contributor
From: France
Registered: 2010-06-15
Posts: 444

Re: Skidata tickets (iso 15693)

Huahahaha.
@vivat: you're the best.
I asked the "magic" MIFARE Ultralight manufacturer if he could also manufacture these tags with a changeable UID.
He said that he will see if he can do it.
I think that the first thing we should do is to teach the PM3 to sniff at turnstiles.
Then we will see how to let it emulate these tags.
Of course always just for didactic purposes.

Last edited by gaucho (2014-03-11 19:59:18)


Imagination is more important than knowledge.


#68 2014-04-01 14:02:09

Nester
Member
Registered: 2014-03-31
Posts: 2

Re: Skidata tickets (iso 15693)

My analysis is that these tags are similar to
http://www.emmicroelectronic.com/webfiles/product/rfid/ds/EM4233SLIC_DS.pdf

The one I have has write-protected blocks 0 to 3, and from 29 to 51.


Also they do respond to the B4 command (EM specific), showing the byte 04 (write protected) on the sectors that I mention.

Therefore I assume that to write these sectors the E4 login command should be issued first with a 32-bit password.
Unfortunately I cannot get an error response from the E4 command (so I don't know if the card actually supports it).

I doubt that the turnstiles use the login command; they will just read the password.

So I assume that the writer has the password and it might also be calculated from the UID.


#69 2014-04-26 14:37:18

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: Skidata tickets (iso 15693)

Some Skidata dumps from a friend's cards.

The first is an adult card
Number: 01-1614 7133 5346 0110 6064-6
Date issued 04-04-14
Other: TO5 17864 290314 1517 169,00

Second is a junior card
Number:01-1614 2029 1647 6936 3630-9
Date: 04-04-14
other: TO5 017894 290314 1520 118,00

proxmark3> hf 15 dumpmemory
Reading memory from tag UID=E016246606B25290          
Tag Info: EM-Marin SA (Skidata)          
Block  0   F0 08 27 2F    ..'/          
Block  1   82 18 40 20    ..@           
Block  2   00 38 00 00    .8..          
Block  3   1C 48 33 00    .H3.          ;1C - location of data
Block  4   1B 00 00 00    ....          ;1B - end location of this app?
Block  5   00 00 00 00    ....          
Block  6   00 00 00 00    ....          
Block  7   00 00 00 00    ....          
Block  8   00 00 00 00    ....          
Block  9   00 00 00 00    ....          
Block 10   00 00 00 00    ....          
Block 11   00 00 00 00    ....          
Block 12   00 00 00 00    ....          
Block 13   00 00 00 00    ....          
Block 14   00 00 00 00    ....          
Block 15   00 00 00 00    ....          
Block 16   00 00 00 00    ....          
Block 17   00 00 00 00    ....          
Block 18   00 00 00 00    ....          
Block 19   00 00 00 00    ....          
Block 20   00 00 00 00    ....          
Block 21   00 00 00 00    ....          
Block 22   00 00 00 00    ....          
Block 23   00 00 00 00    ....          
Block 24   00 00 00 00    ....          
Block 25   00 00 00 00    ....          
Block 26   00 00 00 00    ....          
Block 27   00 00 00 00    ....          
Block 28   2A 80 53 42    *.SB      ;2A - address of app_a, 80= 8 blocks in length, 5342 - static bytes?    
Block 29   1F 90 53 42    ..SB      ;1F - address of app_b, 90=9 blocks in length  
Block 30   33 00 00 00    3...      ;33 - last address of card 
Block 31   00 00 00 00    ....      ;start of app_b
Block 32   00 00 00 00    ....          
Block 33   00 00 00 00    ....          
Block 34   00 00 00 00    ....          
Block 35   00 00 00 00    ....          
Block 36   00 00 00 00    ....          
Block 37   00 00 00 00    ....          
Block 38   00 00 00 00    ....          
Block 39   00 00 00 00    ....          
Block 40   00 00 00 00    ....       ;end of app_b
Block 41   00 00 00 00    ....          
Block 42   60 13 64 1B    `.d.       ;start of app_a 
Block 43   C0 05 1B 01    ....          
Block 44   19 C0 33 A8    ..3.          
Block 45   1B 00 F1 A0    ....          
Block 46   30 7A A8 86    0z..          
Block 47   20 00 00 00     ...          
Block 48   00 00 40 BD    ..@.          
Block 49   00 20 C0 15    . ..          
Block 50   00 00 00 00    ....        ;end of app_a
Block 51   00 00 00 00    ....        ;end of card
Tag returned Error 15: Unknown error.          
proxmark3> hf 15 dumpmemory
Reading memory from tag UID=E00402005012C6AE          
Tag Info: Philips          
Block  0   9E 08 B2 D5    ....          
Block  1   82 18 40 20    ..@           
Block  2   1E 80 53 42    ..SB        ;1e 80 - app_a address 8 blocks length  
Block  3   14 20 53 42    . SB        ;14 20 - app_b address 2 blocks length
Block  4   0A 90 53 42    ..SB        ;0a 90 - app_c address 9 blocks length  
Block  5   27 00 00 00    '...          ;end of card
Block  6   00 00 00 00    ....          
Block  7   00 00 00 00    ....          
Block  8   00 00 00 00    ....          
Block  9   00 00 00 00    ....          
Block 10   00 00 00 00    ....         ;start of app_c 
Block 11   00 00 00 00    ....          
Block 12   00 00 00 00    ....          
Block 13   00 00 00 00    ....          
Block 14   00 00 00 00    ....          
Block 15   00 00 00 00    ....          
Block 16   00 00 00 00    ....          
Block 17   00 00 00 00    ....          
Block 18   00 00 00 00    ....          
Block 19   00 00 00 00    ....        ;end of app_c  
Block 20   00 00 00 00    ....       ;start of app_b    
Block 21   00 00 00 00    ....          
Block 22   00 00 00 00    ....       ;end of app_b   
Block 23   00 00 00 00    ....          
Block 24   00 00 00 00    ....          
Block 25   00 00 00 00    ....          
Block 26   00 00 00 00    ....          
Block 27   00 00 00 00    ....          
Block 28   00 00 00 00    ....          
Block 29   00 00 00 00    ....          
Block 30   60 13 64 1B    `.d.       ;start of app_a     
Block 31   C0 05 1B 01    ....          
Block 32   AD 8E 74 96    ..t.          
Block 33   C5 54 B8 87    .T..          
Block 34   70 7A 39 8C    pz9.          
Block 35   21 00 00 00    !...          
Block 36   00 00 00 3D    ...=          
Block 37   00 10 B4 15    ....          
Block 38   00 00 00 00    ....        ;end of app_a  
Block 39   00 00 00 00    ....        ;end of card  
Tag returned Error 15: Unknown error. 

Last edited by midnitesnake (2014-04-27 10:37:06)

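The annotations in the two dumps above describe a small directory: entries of the form [start block, length << 4, 53 42 ("SB")], sitting at blocks 28-29 on the 52-block EM card and at blocks 2-4 on the 40-block ICODE card, followed by a block whose first byte is the last block index (0x33, 0x27). The first two blocks of each application area are decoded further down the thread (post #70) as company number = first 16-bit word >> 1, a packed date byte (low 5 bits day, high 3 bits month, counted from September when the top bit is set), a year byte offset from 1987 and an application byte (A0/C0/D0). The Python below is an added example written for this page, not code from the thread or from Proxmark3: it applies exactly those hypotheses to dump text in either the Proxmark3 "Block N ..." or the TagInfo "[NN] . ..." format. The excerpts it ships with are copied from dumps posted in this thread (blocks not listed are all zero on those cards); the "SB" marker test, the 1987 base, the application-type names and all function names are the posters' guesses or my own, not a Skidata specification.

```python
"""Layout checks for the Skidata ISO 15693 dumps in this thread. Added example, not code
from the thread or Proxmark3. Field meanings are the posters' hypotheses: directory entries
[start, len << 4, 'S', 'B'] plus an end marker with the last block index (dump annotations
above); app header company = word >> 1, packed day/month, year = 1987 + byte (post #70)."""
import re

DIRECTORY_MAGIC = b"SB"   # the static 53 42 that ends every directory entry
YEAR_BASE = 1987          # hypothesis only; post #70 notes cards that look off by one
APP_TYPES = {0xA0: "point card", 0xC0: "day card", 0xD0: "single travel ticket"}
# Proxmark3 lines ('Block 42   60 13 64 1B ...') and TagInfo lines ('[2A] . 60 13 64 1B |...|')
_PM3_LINE = re.compile(r"^\s*Block\s+(\d+)\s+((?:[0-9A-Fa-f]{2}\s+){3}[0-9A-Fa-f]{2})")
_TAGINFO_LINE = re.compile(r"^\s*\[([0-9A-Fa-f]{2})\]\s+\S\s+((?:[0-9A-Fa-f]{2}\s+){3}[0-9A-Fa-f]{2})")


def parse_dump(text):
    """Return {block index: 4 bytes} from either dump format; other lines are ignored."""
    blocks = {}
    for line in text.splitlines():
        m = _PM3_LINE.match(line)
        if m:
            idx = int(m.group(1))
        else:
            m = _TAGINFO_LINE.match(line)
            if not m:
                continue
            idx = int(m.group(1), 16)
        blocks[idx] = bytes.fromhex(m.group(2))
    return blocks


def find_directory(blocks, n_blocks):
    """Return (directory block, start, length) triples. Keying on the 'SB' marker instead of
    a fixed offset finds the table at blocks 28-29 on the 52-block EM card and at blocks 2-4
    on the 40-block ICODE card; a data block ending in 53 42 would be a false positive, hence
    the bounds check on the area it claims."""
    entries = []
    for idx in sorted(blocks):
        b = blocks[idx]
        start, length = b[0], b[1] >> 4
        if b[2:4] == DIRECTORY_MAGIC and length and start + length <= n_blocks:
            entries.append((idx, start, length))
    return entries


def decode_app_header(blocks, start):
    """Apply the post-#70 hypothesis to the first two blocks of an application area."""
    h0 = blocks.get(start, bytes(4))
    h1 = blocks.get(start + 1, bytes(4))
    company = int.from_bytes(h0[0:2], "little") >> 1            # FA 07 -> 0x07FA >> 1 = 1021
    day, month_bits = h0[2] & 0x1F, h0[2] >> 5                  # low 5 bits day, high 3 month
    month = 9 + (month_bits & 0x3) if month_bits & 0x4 else 1 + month_bits  # MSB set: from Sept
    return {"company": company,
            "expires": (YEAR_BASE + h0[3], month, day),
            "app_type": APP_TYPES.get(h1[0], "unknown 0x%02X" % h1[0]),
            "constant": h1[1:3].hex().upper()}                  # the 05 1B seen on every card


def analyze(text, n_blocks):
    blocks = parse_dump(text)
    entries = find_directory(blocks, n_blocks)
    # the block right after the directory holds the last block index (0x33 / 0x27 in the posts)
    marker = blocks.get(entries[-1][0] + 1, bytes(4))[0] if entries else None
    return {"entries": [(start, length) for _d, start, length in entries],
            "end_marker_ok": marker == n_blocks - 1,
            # all-zero areas (the unused app_b) are not decoded
            "apps": {start: decode_app_header(blocks, start)
                     for _d, start, _n in entries if any(blocks.get(start, bytes(4)))}}


# Excerpts copied from the dumps posted above; blocks not listed are zero on those cards.
EM_ADULT_EXCERPT = """
Block 28   2A 80 53 42    *.SB
Block 29   1F 90 53 42    ..SB
Block 30   33 00 00 00    3...
Block 42   60 13 64 1B    `.d.
Block 43   C0 05 1B 01    ....
"""
ICODE_JUNIOR_EXCERPT = """
Block  2   1E 80 53 42    ..SB
Block  3   14 20 53 42    . SB
Block  4   0A 90 53 42    ..SB
Block  5   27 00 00 00    '...
Block 30   60 13 64 1B    `.d.
Block 31   C0 05 1B 01    ....
"""
TAGINFO_CARD1_EXCERPT = """
[1C] . 2A 80 53 42 |*.SB|
[1D] . 1F 90 53 42 |..SB|
[1E] . 33 00 00 00 |3...|
[2A] . 7A 27 A8 19 |z'..|
[2B] . C0 05 1B 01 |....|
"""

if __name__ == "__main__":
    for name, text, n in (("EM adult card", EM_ADULT_EXCERPT, 52),
                          ("ICODE junior card", ICODE_JUNIOR_EXCERPT, 40),
                          ("TagInfo card 1", TAGINFO_CARD1_EXCERPT, 52)):
        print(name, analyze(text, n))
```

On the adult card this yields company 2480, a C0 "day card" and expiry (2014, 4, 4), which is the "Date issued 04-04-14" printed on it; the junior card on the ICODE chip decodes identically despite its directory sitting at blocks 2-4 instead of 28-29. That is the kind of cross-check the hypothesis needs before anyone trusts it on a card whose printed dates are not known.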

#70 2014-07-02 22:12:01

leecher
Member
Registered: 2014-06-30
Posts: 1

Re: Skidata tickets (iso 15693)

Hi,

I wanted to share my assumptions about the format with you (the cards cannot
be abused anyway, so I don't see any problems with it).
Unfortunately most dumps in this thread don't have complete information
posted (buying date, expiration date, Skiing resort, card type, BS number),
so it's not easy to verify my assumptions.

First of all about the EM4233-2k cards used:
I guess that they are not using the "Low Security" code of the
card that does a write protection on blocks that can be unlocked
by a Password (0xE4 command), but using the "High security" mode of
the EM4233-2k.
This mode is further explained in the RFID Reader User Guide that
can be found here:
http://www.emmicroelectronic.com/products/rf-identification-security/rfid-tools-support/emdb410
Basically the High Security Mode uses the SIM (Security
Identification Module) EM4035 (http://html.alldatasheet.com/html-pdf/154634/EMMICRO/EM4035/293/1/EM4035.html)
to authenticate against the writing device.
The EM4233-2k features 3 extra commands compared with the EM4233SLIC:

--------------------------------------
Enable low security
Command Code = BC
Ic MFG = 16

Disable low security
Command Code = BD
Ic MFG = 16

Quiet Storage (Descr. see EM4133)
Command Code = AA
Ic MFG = 16
--------------------------------------

The security control commands only work if the user is authenticated
(logged on), therefore if the transponder is in high security mode, you
cannot set it back to low security mode without authentication.
So to sum it up: it seems to be nearly impossible to reuse the cards
for your own purposes.


Now for my assumptions about the encoding of the data on the card:
At least in Austrian skiing resorts, there is also a BS number printed
on the card which consists of 4 Parts:
[cardId]-[companyNumber]-[cashNumber]-[sequenceNumber]

e.g.: 01-1021-07-75842

The companyNumber may identify the Skidata customer, i.e. the company
that runs the skiing resort.
The sequenceNumber is generated by the Coder that encodes and prints the card
prior to writing the card. Most likely, it's a consecutive number that just
increments with each card printed on this specific Coder.
The cashNumber may be the number of the Coder of the Company.

Block 42   FA 07 7E 1B    ..~.
Block 43   A0 05 1B 01    ....

First WORD is companyNumber on ticket (whatever it means) << 1

e.g.: 01-1021-07-75842

7FA = 2042 >> 1 = 1021

companyNumber identifies the skiing resort company, here is a list
of Austrian skiing resorts where I collected the IDs:

0009    Wildschoenau
0013    Dorfgastein
0018    Brandnertal
0018    Kitzbuehel
0021    Obergurgl Hochgurgl
0023    St. Jakob
0024    St. Johann in Tirol
0029    Schmittenhoehe, Zell am See - Kaprun
0030    Tauplitz
0036    Innerkrems
0039    Bergeralm (Steinach am Brenner)
0046    Skiwelt Wilder Kaiser Brixental
0054    Gastein
0058    Alpbach
0081    Nassfeld Hermagor
0093    Klippitztoerl
0094    Salzstiegl
0095    Turracher Hoehe
0098    Pitztal Gletscher
0108    Pillersee
0109    Fieberbrunn
0129    Loser
0133    Serfaus Fiss Ladis
0141    Ehrwalder Almbahn
0141    Zugspitze Tirol
0141    Tiroler Zugspitzbahn
0142    Berwang
0142    Biberwier
0142    Lermoos
0144    Wettersteinbahn (Zugspitzarena)
0146    Seefeld
0150    Leutasch Kreithlift
0150    Warth Schroecken
0154    Kreischberg
0160    Gerlitzen
0161    Goldeck
0164    Dreiländereck
0165    Anakogel Bergbahnen
0165    Grossglockner Resort
0165    Hochpustertal
0165    Moelltaler Gletscher
0170    Filzmoos
0171    Hochkönig
0171    Radstadt Altenmarkt
0171    Ski Amadé
0172    Flachauwinkl
0172    Zauchensee
0173    Eben
0174    Flachau
0175    Kleinarl
0176    Wagrain
0177    St. Johann - Alpendorf
0180    Hauser Kaibling
0180    Planai
0180    Reiteralm
0184    Galsterberg
0194    Schlick2000
1009    Lachtal
1011    Werfenweng
1013    Großarl
1021    Region Semmering
1025    Katschberg
1031    Lienz
1046    Falkert
1048    Bad Kleinkirchheim
1065    Schwabenberg Arena
1070    Axamer Lizum
1090    Kuehtai
1091    Soelden
1091    Tirol Snow Card
1094    Mariazeller Buergeralpe
1095    Moenichkirchen
1098    Mitterbach
1103    Hochoetz
1144    Jungholz
1151    Zillertal Arena
1154    Hochfuegen (Zillertal)
1154    Hochzillertal
1155    Spieljoch
1157    Finkenberg
1158    Hintertuxer Gletscher (Zillertal)
1159    Rastkogel Lanersbach
1160    Eggalm Tux
1160    Landersbach
1166    Mayrhofen im Zillertal
1166    Hirschenkogel
1166    Skiregion Ostalpen
1180    Riesneralm
2014    Kleinwalsertal
2061    3TaelerPass+Brandnertal
2115    Skicircus Saalbach Hinterglemm Leogang
2181    Praebichl
5000    Verditz Schwarzsee
5051    Dachstein West
5051    Feuerkogel
5051    Krippenstein
5051    Snow and Fun OOE


Next is Expiration date.

Example: Expires 30.04.2014
Block 42   FA 07 7E 1B    ..~.

7E... 01111110  - Low 5 bits are Day, high 3 bits may be Month
                  11110 = 30
                  011   = Jan + 3 = April

Assumption for month ( This is pure speculation!! ) :
- During summer, there is no skiing, so maybe skiing season is coded
   From Jan-April and Sept-Dec
   3 Bits:
   If MSB is 1, Time is calculated starting from September, Otherwise from January:

   000 = Jan
   011 = Jan + 3 = April
   100 = Sept
   101 = Sept + 1 = October

Example: Expires 05.10.2013
A5..  10100101  - 00101 = 05
                  101   = Sept + 1 = October


Next byte may be the number of years since 1987. This would make
sense for most cards, but earlier in this thread I saw cards where
the year number was 2012 but with 18 at this place, whereas this should be
19 if my theory is true.

1B... 1987 + 27 = 2014

Block 43   A0 05 1B 01    ....

Next byte may be the application number:
  A0...Point card
  C0...Day card (valid thru expiration date)
  D0...Single travel ticket

Next 2 Bytes are always 05 1B
Next byte seems to depend on country?
  01...Austria
  13...France


The rest is still unclear to me as it varies from card to card and
also seems to change when charging the card, it may be used to
verify the card UID against the stored data and check if the card
got copied or not, because the turngate also has to be able to
check validity of the card if it's offline, I guess.

Block 44   96 6B 46 B5    .kF.
Block 45   E6 B3 63 F0    ..c.
Block 46   B0 1B EA D5    ....
Block 47   E0 00 00 00    ....
Block 48   EE 00 FA 02    ....

Another thing I saw was the first byte in block 48, which I only
saw on point cards. Maybe it has something to do with the
points? And the last 2 bytes in Block 48 may be some sort of
checksum for an integrity check?

Regards.

Offline
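A decoder for the block 42/43 layout worked out above, added here as an example; it is not code from this thread or from Skidata. It implements the post's interpretation literally (companyNumber from the first little-endian word shifted right by one, day and month from the third byte, year as 1987 plus the fourth byte, application and country bytes from block 43), including the month rule the post flags as speculation, so its output is only as reliable as that hypothesis. The dump lines fed to it are the ones quoted in the post; the parse_dump_line helper, the SkidataFields record and the field names are my own.

```python
"""Decoder for the Skidata block 42/43 field layout hypothesised in the post above.

Added example, not code from the thread or from Skidata.  It follows the post's
interpretation exactly; the month and year rules are labelled speculation there,
so treat the decoded date the same way.
"""
from dataclasses import dataclass

# Application and country bytes as listed in the post (block 43, bytes 0 and 3)
APPLICATION_CODES = {0xA0: "Point card", 0xC0: "Day card", 0xD0: "Single travel ticket"}
COUNTRY_CODES = {0x01: "Austria", 0x13: "France"}


@dataclass
class SkidataFields:
    company_number: int
    expiry_day: int
    expiry_month: int
    expiry_year: int
    application: str
    country: str
    constant_ok: bool  # bytes 1-2 of block 43 equal 05 1B, as the post reports


def decode_month(bits: int) -> int:
    """3-bit month field per the post: MSB clear counts from January, MSB set from September."""
    if bits & 0b100:
        return 9 + (bits & 0b011)
    return 1 + (bits & 0b011)


def decode_blocks(block42: bytes, block43: bytes) -> SkidataFields:
    """Decode the two 4-byte blocks under the post's hypothesis."""
    if len(block42) != 4 or len(block43) != 4:
        raise ValueError("each block is 4 bytes")
    # First WORD (little-endian) is companyNumber << 1, e.g. FA 07 -> 0x07FA = 2042 -> 1021
    company = int.from_bytes(block42[0:2], "little") >> 1
    date_byte = block42[2]
    day = date_byte & 0x1F          # low 5 bits
    month = decode_month(date_byte >> 5)  # high 3 bits
    year = 1987 + block42[3]        # post's "years since 1987" guess
    app = APPLICATION_CODES.get(block43[0], f"unknown (0x{block43[0]:02X})")
    country = COUNTRY_CODES.get(block43[3], f"unknown (0x{block43[3]:02X})")
    return SkidataFields(company, day, month, year, app, country,
                         block43[1:3] == b"\x05\x1b")


def parse_dump_line(line: str) -> bytes:
    """Turn a 'Block 42   FA 07 7E 1B    ..~.' line from a PM3 dump into its 4 bytes."""
    parts = line.split()
    return bytes.fromhex("".join(parts[2:6]))


if __name__ == "__main__":
    # Dump lines quoted in the post (Austrian point card, expires 30.04.2014)
    b42 = parse_dump_line("Block 42   FA 07 7E 1B    ..~.")
    b43 = parse_dump_line("Block 43   A0 05 1B 01    ....")
    f = decode_blocks(b42, b43)
    print(f"company {f.company_number:04d}, expires "
          f"{f.expiry_day:02d}.{f.expiry_month:02d}.{f.expiry_year}, "
          f"{f.application}, {f.country}, constant 05 1B present: {f.constant_ok}")
```

Run against the Norwegian day-card dump later in the thread (Block 42 B0 04 42 1B, Block 43 C0 05 1B 01) it yields company 600, expiry 02.03.2014 and the Day card application byte, but it also maps the country byte 01 to Austria, which is a reminder that the country table rests on very few samples.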

#71 2014-07-09 06:00:10

random11
Member
Registered: 2014-07-09
Posts: 1

Re: Skidata tickets (iso 15693)

I have a few tickets from Australia, I will post them soon.

What is the latest on our ability to clone tickets via PM3 ?

Cheers

Offline

#72 2014-07-26 16:34:43

titanium520
Member
Registered: 2014-07-26
Posts: 1

Re: Skidata tickets (iso 15693)

Hi everybody,

I live in France and I always go skiing in the Alps.
I'm very interested in the rewriting and cloning ability for the skidata cards.
I have 50 skidata cards from the same place; if you want the dumps I can post them,
just ask!

Regards.

Offline

#73 2014-07-29 17:07:31

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Skidata tickets (iso 15693)

Yes, post it

Offline

#74 2014-09-27 13:07:50

exidez
Member
Registered: 2012-01-28
Posts: 8

Re: Skidata tickets (iso 15693)

I thought I would help with some data as I was working with this and then found this thread.
This was at Ski Dubai in the U.A.E. The only difference with the last two codes is one had a locker and the other did not (shared a locker with a friend). There does not seem to be any coded data integrity checks.

I only recorded the whole data (what was physically written on the card) with the first scan, as I only started to realize how much easier it was going to be to analyse it later.

I will only post the blocks that had information:

0    43    8    0e    73
1    42    18    60    20
2    0    38    0    0
3    1c    48    33    0
4    1b    0    0    0
28    2a    80    53    42
29    1f    90    53    42
30    33    0    0    0
42    7a    0    19    1c
43    0    0    17    1e
44    12    3d    c0    4
45    14    ce    ae    5a
46    0    0    20    88

About the card above (2hr ski pass):
on back of card:
01-1614 7133 5345 8457 2593-7'

on front of card:
LOCKER 9/25/2014 6:49:19 PM MKN09 185718
SLOPE SESSION PASS ADULT

Valid on 5/09/14 205.00 AED

0    13    8    7d    12
1    42    18    60    20
2    0    38    0    0
3    1c    48    33    0
4    1b    0    0    0
28    2a    80    53    42
29    1f    90    53    42
30    33    0    0    0
42    7a    0    14    1c
43    0    0    17    1e
44    18    3d    c0    4
45    94    6a    39    39
46    0    0    d0    88

information about above card:
Snow boarding lesson (also gives 2 hours of slope access)
purchased 09/20/14 around 11:49 AM
Also with a locker

0    f5    8    f0    8
1    42    18    60    20
2    0    38    0    0
3    1c    48    33    0
4    1b    0    0    0
28    2a    80    53    42
29    1f    90    53    42
30    33    0    0    0
42    7a    0    5    1c
43    0    0    17    1e
44    4    3d    c0    4
45    94    ea    f9    65
46    0    0    d0    88

information about above card:
Snow boarding lesson (also gives 2 hours of slope access)
purchased 09/05/14 around 14:15
with locker

0    4b    8    b5    ff
1    42    18    60    20
2    0    38    0    0
3    1c    48    33    0
4    1b    0    0    0
28    2a    80    53    42
29    1f    90    53    42
30    33    0    0    0
42    7a    0    fd    1b
43    0    0    17    1e
44    4    3d    c0    4
45    14    2e    a3    64
46    0    0    20    88

information about above card:
Slope session pass adult
purchased 08/29/14 around 17:29
without locker

0    8f    8    31    f5
1    42    18    60    20
2    0    38    0    0
3    1c    48    33    0
4    1b    0    0    0
28    2a    80    53    42
29    1f    90    53    42
30    33    0    0    0
42    7a    0    fd    1b
43    0    0    17    1e
44    4    3d    c0    4
45    14    6e    a3    64
46    0    0    20    88

information about above card:
Slope session pass adult
purchased 08/29/14 around 17:29
with locker

Offline

#75 2014-10-13 14:23:44

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: Skidata tickets (iso 15693)

Norwegian skipass.

pm3 --> hf 15 cmd sysinfo -2 u
0F E8 81 C0 0A 66 24 16 E0 02 00 33 03 02
UID = E01624660AC081E8
EM-Marin SA (Skidata)
DSFID supported, set to 02
AFI supported, set to 000
Tag provides info on memory layout (vendor dependent)
 4 (or 3) bytes/page x 52 pages
IC reference given: 02

pm3 --> hf 15 dumpmem
Reading memory from tag UID=E01624660AC081
Tag Info: EM-Marin SA (Skidata)
Block  0   9E 08 D2 A8    ....
Block  1   82 18 60 20    ..`
Block  2   00 38 00 00    .8..
Block  3   1C 48 33 00    .H3.
Block  4   1B 00 00 00    ....

Block 28   2A 80 53 42    *.SB
Block 29   1F 90 53 42    ..SB
Block 30   33 00 00 00    3...

Block 42   B0 04 42 1B    ..B.
Block 43   C0 05 1B 01    ....
Block 44   BF 6E 3A 33    .n:3
Block 45   3D FF D1 9A    =...
Block 46   30 9F 53 DD    0.S.
Block 47   18 00 00 00    ....
Block 48   00 00 00 BC    ....
Block 49   00 08 EC 17    ....

Swedish ski tag#1

pm3 --> hf 15 cmd sysinfo -2 u
0F 71 A9 EA 2A 00 00 07 E0 01 00 3F 03 8B
UID = E00700002AEAA971
Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit
DSFID supported, set to 01
AFI supported, set to 000
Tag provides info on memory layout (vendor dependent)
 4 (or 3) bytes/page x 64 pages
IC reference given: 8B

pm3 --> hf 15 dumpmem
Reading memory from tag UID=E00700002AEAA971
Tag Info: Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit

Block  8   02 9E 2B 02    ..+.
Block  9   F0 B4 20 25    .. %
Block 10   EE F7 BF 7D    ...}
Block 11   6C 3F 7A A8    l?z.
Block 12   25 F5 3F CE    %.?.
Block 13   0C 0F 22 DD    ..".
Block 14   63 BB DE 48    c..H
Block 15   AC 3B 2A 7D    .;*}
Block 16   6C 3B 2A 7D    l;*}
Block 17   6C 00 00 00    l...
Block 18   02 12 82 02    ....
Block 19   F0 00 00 00    ....

Block 28   02 12 82 02    ....
Block 29   F0 00 00 00    ....

Block 56   30 00 00 00    0...
Block 57   26 50 53 42    &PSB
Block 58   1C 40 53 42    .@SB
Block 59   12 30 53 42    .0SB
Block 60   08 20 53 42    . SB
Block 61   00 20 50 49    . PI
Block 62   00 00 00 00    ....
Block 63   16 5C A6 1B    .\..

Swedish ski tag#2

pm3 --> hf 15 cmd sysinfo -2 u
0F B6 95 7C 14 00 00 07 E0 01 00 3F 03 8B
UID = E0070000147C95B6
Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit
DSFID supported, set to 01
AFI supported, set to 000
Tag provides info on memory layout (vendor dependent)
 4 (or 3) bytes/page x 64 pages
IC reference given: 8B

pm3 --> hf 15 dumpmem
Reading memory from tag UID=E0070000147C95B6
Tag Info: Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit

Block  8   02 12 2B 02    ..+.
Block  9   F0 47 3F 21    .G?!
Block 10   B6 41 A4 79    .A.y
Block 11   7C C9 E1 17    |...
Block 12   66 41 24 F1    fA$.
Block 13   5C 24 36 5B    \$6[
Block 14   6C C8 31 79    l.1y
Block 15   3C C8 31 79    <.1y
Block 16   7C C8 31 79    |.1y
Block 17   7C 00 00 00    |...
Block 18   02 12 82 02    ....
Block 19   F0 00 00 00    ....

Block 28   02 12 82 02    ....
Block 29   F0 00 00 00    ....

I removed all blocks with all zeros.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#76 2014-11-20 00:06:44

slayercho
Contributor
Registered: 2014-11-19
Posts: 12

Re: Skidata tickets (iso 15693)

Hello all
I'm new in this community. I'm using skidata passes too and want to help if I can. I have an SL500 USB.

gaucho wrote:

I made the Asper tool for stronklink SL500 by myself. If someone want source code (.net) just ask.

Can you please send me the source? I will try to write a reading app in Delphi, and I have a POS system and want to use the UID number for user identification (like a keyboard).

Do you need other information about tickets? How can I help with this project?

Offline

#77 2014-12-12 23:23:45

slayercho
Contributor
Registered: 2014-11-19
Posts: 12

Re: Skidata tickets (iso 15693)

I have a few new tickets, not coded (virgin) big_smile. Is this topic still active? Do you need any help to understand all the blocks, or is this already done? For a reader I use the SL500F.
If anyone wants, I can post here the block information for these virgin cards before and after coding.....

Offline

#78 2014-12-13 10:59:58

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: Skidata tickets (iso 15693)

Welcome to the community.
Go ahead and post your tag's data before and after smile  I think Asper also wanted the date, time and place when the tags were used.   There is normally date & time stored on the tag, so it can more easily be found if we know it.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#79 2015-01-02 11:33:49

pavlik1
Contributor
Registered: 2013-08-22
Posts: 15

Re: Skidata tickets (iso 15693)

please find 12 card dumps and card front images

https://mega.co.nz/#!w5cTQBTZ!pF5MXaNc7dMOmuNwqN8SC2u2iAIXP_PTHhbGJz5P0R4

Offline

#80 2015-01-04 19:11:19

tarcisiomerlot
Member
Registered: 2015-01-04
Posts: 3

Re: Skidata tickets (iso 15693)

In Italy a lot of ski areas use the skidata tickets (keycard unlimited). Here's my experience. I tried to read the ticket with an OMNIKEY CardMan 5321 reader but no success. When I put the skidata ticket on the reader, it selects the card (I can read the ATR, mine is 3B 8F 80 01 80 4F 0C A0 00 00 03 06 0B 00 00 00 00 00 00 63, ISO 15693 - EM Microelectronic-Marin SA) but after a second it seems that the card goes offline, so the reader selects it again, but again the card goes offline, etc etc in an endless loop. So I'm not able to read the ticket.
Anyway I want to report here some interesting information about skidata. You can download for free the 0P0$ CA$H software from
http://www.skidata.com/en/mountain-destinations/point-of-sales.html
The program permits you to produce tickets with your own point of sales.
The program needs a registration in the skidata server (they really behave like a big brother...), during the registration they also send you the templates for your ticketing system (one day, one season, single way, amount of hours, families, discounts, groups,...). So you cannot execute the program without registration (even for a demo mode). You should also have a skidata coding device to produce tickets. Anyway it is a .net program, and you can decompile it with the freeware software Telerik JustDecompile. It seems that in the file skidata.devices.dll namespace skidata.devices.bll4 there is the rfid protocol, and in the namespace skidata.devices.oposio there is the read/write procedure. You can find also a lot of interesting routines (like EncryptMessage, ReadAck,...). Under Devices there is also a CoderSimulator, maybe to be used for testing purposes.
Hope it will be useful.

ciao

Offline

#81 2015-01-05 10:01:43

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Your card is not an EM card, it is an NXP tag, probably an I.CODE SLI. You should not use Omnikey to detect the card type, use another reader (nfc-capable-mobile+app or others); also with Omnikey software you are not able to normally/correctly communicate with those kinds of tags because it uses its own protocol (you must study it).
Rousseau site is good for SmartCard ATRs (even NFC SmartCards), not for RFID tags (they are not properly "smart", they usually are simple tags with some built-in features/commands and do not support real APDUs).

The encryption/decryption sequence you described seems to be about the messages sent<->received by software<->device (a kind of USB encrypted message with specific APDUs for the device), not for the data to be written on the tag; probably the algo is inside the reader/writer device firmware, not in the end-user software [but, hey, there are firmwares in the installation folder, but you need to figure out what ICs they are for wink - anyway I don't think they are so "smart" to leave the code inside].

Last edited by asper (2015-01-05 10:38:11)

Offline

#82 2015-01-05 14:04:43

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: Skidata tickets (iso 15693)

The crypto seems to be RC4 crypto.  They are known for their weaknesses.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#83 2015-01-05 14:58:33

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

So it is probably the software<->device communication protocol (USB or WiFi).

Offline

#84 2015-01-05 15:17:21

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

static Constants()
{
    OposSecurity.Constants.OPOS_INIT_KEY1 = Encoding.ASCII.GetBytes("xxxxxxxxxxxxxxxxx");
    OposSecurity.Constants.OPOS_INIT_KEY2 = Encoding.ASCII.GetBytes("xxxxxxxxxxxxxxxxx");
    OposSecurity.Constants.OPOS = Encoding.ASCII.GetBytes("xxxx");
}
tongue

Last edited by thefkboss (2015-01-05 15:31:24)

Offline

#85 2015-01-05 15:27:30

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Please, delete the keys value.

Last edited by asper (2015-01-05 15:28:13)

Offline

#86 2015-01-05 15:33:10

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

data integrity crc16
big_smile

Offline

#87 2015-01-05 15:44:07

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Thanks.

Offline

#88 2015-01-05 16:09:33

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

That is not the card key.....the card key is with serial and password...
Maybe someone could check if the card passwords are always the same with different UIDs.
proxmark---sniff iclass----22Clearpasswordoffthecard online 5 seconds to get the password.....
If some one know the password of some card, let me know.

Offline

#89 2015-01-05 16:14:07

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

If you mean tag password not all the tags support the password command.
IRC at freenode #proxmark3

Offline

#90 2015-01-05 16:24:40

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

Correct, password command... I have one EM4233 (Skidata) from a parking; it has a write password.

Offline

#91 2015-01-05 18:40:16

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

If some one has parking.logic software
http://www.skidata.com/fileadmin/user_upload/corporate/downloads/products/parking/parking-logic/ParkingLogic-1-0-en.pdf

Let me know.....

Offline

#92 2015-01-05 19:04:52

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

If you were able to sniff the password I think you only need to send the correct command to the tag in order to write it, no need of an external software, just proxmark.

Offline

#93 2015-01-05 19:29:58

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

yes, I could do that...but I want to know how password is generated (masterkey and diversification)..... and what is the info inside, I want to play

Offline

#94 2015-01-07 20:15:35

tarcisiomerlot
Member
Registered: 2015-01-04
Posts: 3

Re: Skidata tickets (iso 15693)

It seems that a lot of different cards are used with the application. Here's the list (without the obsolete items):

Namespace SkiData.Common.Identifications
    Public Enum ChipId
        Magnetic = 0
        SkidataFlexspace = 1
        Iso15693TexasInstrumentsCompatibleTicket = 2
        Iso15693InfineonCompatibleTicket = 3
        Iso14443AMifare = 4
        Iso14443B = 5
        HIDiClass = 6
        Felica = 7
        KeycardV4050 = 8
        RFU_9 = 9
        RFU_10 = 10
        SwatchV4050 = 11
        Barcode = 12
        Iso15693 = 13
        RFU_14 = 14
        Innovatron43B = 15
        RFU_16 = 16
        Reserved_17 = 17
        Legic = 18
        NFC = 19
        RFU_20 = 20
        SharedChip = 21
        Reserved_22 = 22
        Reserved_23 = 23
        RFU_24 = 24
        Iso15693InfineonEconomy = 25
        Iso15693DualEconomy = 26
        RFU_27 = 27
        RFU_28 = 28
        Iso15693DualUniversal = 29
        Iso15693DualPremium = 30
        RFU_31 = 31
        Barcode2D = 32
        RFU_33 = 33
    End Enum
End Namespace

You can easily spot the ChipId type by looking at the number printed on the card in the format xx-xxxx xxxx xxxx xxxx xxxx-x (ChipId-SerialNumber-LuhnNumber)
I have cards with ChipId=01 (keycard unlimited), 29 (keycard iso), 30 (keycard isodual). With Omnikey 5321 I realized that I am able to read ChipId=01. This is the card that I'm using now. I purchased it on 29/12/2014 with 15 hours, it expires on 01/05/2015. Now if I'm not wrong it should still contain 7h 36m. The card responds to command 'Get PICC memory size' (ff 30 04 00 00) showing a total of 51 blocks of memory. Each block has the 'security status' (ff 30 00 03 05 01 00 00 00 Block# 00) set to false. This is the dump of command 'read binary' (ff b0 00 00 00):

#00-01: C4 08 66 B9 42 18 40 20 
#02-03: 00 38 00 F0 1C 48 33 00 
#04-05: 1B 00 00 00 00 00 00 00 
#06-07: 00 00 00 00 00 00 00 00 
#08-09: 00 00 00 00 00 00 00 00 
#10-11: 00 00 00 00 00 00 00 00 
#12-13: 00 00 00 00 00 00 00 00 
#14-15: 00 00 00 00 00 00 00 00 
#16-17: 00 00 00 00 00 00 00 00 
#18-19: 00 00 00 00 00 00 00 00 
#20-21: 00 00 00 00 00 00 00 00 
#22-23: 00 00 00 00 00 00 00 00 
#24-25: 00 00 00 00 00 00 00 00 
#26-27: 00 00 00 00 00 00 00 00 
#28-29: 2A 80 53 42 1F 90 53 42 
#30-31: 33 00 00 00 00 00 00 00 
#32-33: 00 00 00 00 00 00 00 00 
#34-35: 00 00 00 00 00 00 00 00 
#36-37: 00 00 00 00 00 00 00 00 
#38-39: 00 00 00 00 00 00 00 00 
#40-41: 00 00 00 00 00 00 00 00
#42-43: 4A 13 01 1D 00 04 1B 01 
#44-45: B0 C7 F7 C3 48 FF C8 79 
#46-47: 40 77 6B D6 20 0C 20 01 
#48-49: CE 60 98 2D 00 30 90 15 
#50-51: 00 00 00 00 00 00 00 00 

It seems compatible with what Pavlik1 posted before. As soon as I have more dumps with fewer hours/minutes remaining I will post again.
ciao

Offline
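The printed-number layout ChipId-SerialNumber-LuhnNumber described above, as an added example (not code from the thread or from Skidata): it parses the printed string, looks up the ChipId in the enum quoted in the post, and verifies the trailing digit as a standard Luhn (mod 10) check digit over all preceding digits, ChipId included. That it is a plain Luhn digit is my assumption; the number exidez printed earlier in the thread (01-1614 7133 5345 8457 2593-7) verifies under it, which is consistent with the post's label but not proof that every Skidata card uses the same scheme. The helper names are my own.

```python
"""Parse and check the number printed on a Skidata card (ChipId-SerialNumber-LuhnNumber).

Added example, not code from the thread or from Skidata.  Assumes the layout
xx-xxxx xxxx xxxx xxxx xxxx-x from the post and a standard Luhn (mod 10) check
digit over every digit before the final one.
"""
import re

# Non-obsolete ChipId values from the SkiData.Common.Identifications enum quoted in the post
CHIP_ID = {
    0: "Magnetic", 1: "SkidataFlexspace",
    2: "Iso15693TexasInstrumentsCompatibleTicket", 3: "Iso15693InfineonCompatibleTicket",
    4: "Iso14443AMifare", 5: "Iso14443B", 6: "HIDiClass", 7: "Felica", 8: "KeycardV4050",
    11: "SwatchV4050", 12: "Barcode", 13: "Iso15693", 15: "Innovatron43B", 18: "Legic",
    19: "NFC", 21: "SharedChip", 25: "Iso15693InfineonEconomy", 26: "Iso15693DualEconomy",
    29: "Iso15693DualUniversal", 30: "Iso15693DualPremium", 32: "Barcode2D",
}


def luhn_check_digit(digits: str) -> int:
    """Return the Luhn check digit that makes digits + check validate (mod 10)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # the digit just left of the check digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_printed_number(text: str) -> dict:
    """Split 'cc-dddd dddd dddd dddd dddd-c' into fields and verify its check digit."""
    cleaned = re.sub(r"[^0-9-]", "", text)   # drop spaces and stray punctuation
    m = re.fullmatch(r"(\d{2})-(\d+)-(\d)", cleaned)
    if not m:
        raise ValueError(f"unexpected layout: {text!r}")
    chip, serial, check = m.groups()
    return {
        "chip_id": int(chip),
        "chip_type": CHIP_ID.get(int(chip), "unknown/RFU"),
        "serial": serial,
        "check_digit": int(check),
        # Luhn is computed over ChipId and serial together (assumption, see lead-in)
        "luhn_ok": luhn_check_digit(chip + serial) == int(check),
    }


if __name__ == "__main__":
    # Number printed on the Ski Dubai card posted earlier in this thread
    info = parse_printed_number("01-1614 7133 5345 8457 2593-7")
    print(info)
    # A single altered digit is always caught by Luhn
    print(parse_printed_number("01-1614 7133 5345 8457 2598-7")["luhn_ok"])
```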

#95 2015-01-07 21:27:29

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Well, I think you are very lucky because I don't think those data are encrypted (or if there is an encryption it is really not hard). Pavlik1's dumps are different from your dumps (probably even "easier" than yours).

If you are going to post more dumps I will try to figure out the relationship.

If there is an encryption a full dump of the card will be needed (not only block dump).

About the "various" tags supported, it depends on the hardware it is connected to; not all hardware reads all kinds of tags.

Last edited by asper (2015-01-07 21:33:11)

Offline

#96 2015-01-12 15:02:58

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

@tarcisiomerlot: can you please share the commands you used to talk with your ISO15693 card using Omnikey reader ?

Offline

#97 2015-01-12 15:26:38

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Skidata tickets (iso 15693)

asper wrote:

@tarcisiomerlot: can you please share the commands you used to talk with your ISO15693 card using Omnikey reader ?

(ff b0 00 00 00)
try that one.
It worked on mine. and gave me similar output.

Offline

#98 2015-01-12 15:28:15

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Skidata tickets (iso 15693)

I got the same answers on all the cards I have...
try 0xFFB0000000

Offline

#99 2015-01-19 11:10:17

pavlik1
Contributor
Registered: 2013-08-22
Posts: 15

Re: Skidata tickets (iso 15693)

1421661763_davos_1_back.jpg
1421661790_davos_1_front.jpg

https://mega.co.nz/#!doM3RB6S!e3YbDw1my … ftiQsAwKFc

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<InfoDump application="NFC TagInfo" version="1.12a">
<Tag rfTechnology="Type V (ISO/IEC 15693 / Vicinity)">
<GeneralInformation>
  <Value name="uid" description="UID">e01624660c238217</Value> 
  <Value name="rfTechnology" description="RF technology">Type V (ISO/IEC 15693 / Vicinity)</Value> 
  <Value name="tagType" description="Tag type">EM4x3x (for customer 066)</Value> 
  <Value name="manufacturer" description="Manufacturer">EM Microelectronic-Marin SA (Switzerland)</Value> 
  <Value name="afiString" description="Application family identifier (AFI)">all families and sub-families</Value> 
  <Value name="afi" description="AFI (numeric)">00</Value> 
  <Value name="dsfid" description="DSF Id">02</Value> 
  <Value name="responseFlags" description="Response flags">00</Value> 
  <Value name="icRef" description="IC reference">02</Value> 
  <Value name="targetTechClasses" description="Target technology classes (Android)">android.nfc.tech.NfcV</Value> 
  </GeneralInformation>
<MemoryTag type="EM4x3x (for customer 066)">
<GeneralInformation>
  <Value name="memorySize" description="Memory size">208 Byte</Value> 
  <Value name="blockSize" description="Block size">4 Byte</Value> 
  <Value name="numberOfBlocks" description="Number of blocks">52</Value> 
  </GeneralInformation>
<Data unit="block">
  <Block index="0" locked="false" factoryLocked="false">530892be</Block> 
  <Block index="1" locked="false" factoryLocked="false">c2182400</Block> 
  <Block index="2" locked="false" factoryLocked="false">00380020</Block> 
  <Block index="3" locked="false" factoryLocked="false">1c483300</Block> 
  <Block index="4" locked="false" factoryLocked="false">1b000000</Block> 
  <Block index="5" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="6" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="7" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="8" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="9" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="10" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="11" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="12" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="13" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="14" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="15" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="16" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="17" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="18" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="19" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="20" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="21" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="22" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="23" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="24" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="25" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="26" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="27" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="28" locked="false" factoryLocked="false">2a805342</Block> 
  <Block index="29" locked="false" factoryLocked="false">1f905342</Block> 
  <Block index="30" locked="false" factoryLocked="false">33000000</Block> 
  <Block index="31" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="32" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="33" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="34" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="35" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="36" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="37" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="38" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="39" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="40" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="41" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="42" locked="false" factoryLocked="false">160ae01c</Block> 
  <Block index="43" locked="false" factoryLocked="false">c0051b01</Block> 
  <Block index="44" locked="false" factoryLocked="false">adf8eb2e</Block> 
  <Block index="45" locked="false" factoryLocked="false">4ebc92ab</Block> 
  <Block index="46" locked="false" factoryLocked="false">50185027</Block> 
  <Block index="47" locked="false" factoryLocked="false">0b80460e</Block> 
  <Block index="48" locked="false" factoryLocked="false">00008051</Block> 
  <Block index="49" locked="false" factoryLocked="false">00e01877</Block> 
  <Block index="50" locked="false" factoryLocked="false">00000000</Block> 
  <Block index="51" locked="false" factoryLocked="false">00000000</Block> 
  </Data>
  </MemoryTag>
  </Tag>
  </InfoDump>

Offline

#100 2015-01-19 16:48:53

gaucho
Contributor
From: France
Registered: 2010-06-15
Posts: 444
Website

Re: Skidata tickets (iso 15693)

Each year during winter we always return to this page. At least we have a big passion for... ski!

I used a skipass with points on    do lo mi ti s up ers ki
these tags are
Producer=NXP Semiconductors(Germany) (code 04)
Model=SL2 S2002/SL2 S2102(ICODE SLIX)

the same tag model is used for one day skipass.

I verified that it is possible to reload a point skipass.
The coding of the points is not so complicated, and I found some method to change the credit.
Unfortunately I also found that the turnstiles are connected to a database that is synchronized, probably each day. So after some time your tag is banned from the system and you will not be able to use it again.
This means that whatever we discover about these tags, we will never reload a tag with real success with a proxmark.

So I understood that the only possible attack on this system is the cloning of a tag with the proxmark.
(yes we know since many years..)

I then tried to record the data exchanged between the turnstile and the tag, by means of the functions hf iclass snoop and hf iclass list.

In order to get many samples I made a tool able to continuously send the snoop, wait for the "#db# COMMAND FINISHED" string and then send another snoop request.

After about 10 turnstiles I found that no message was logged in the proxmark log.

I also tested the snoop by reading a skipass with the SL500 reader, in order to confirm that the snoop function was correctly working.

now there are 2 options:
1) I made some mistake during the data snoop
2) the turnstile is using the fast communication protocol mentioned in the datasheet of these tags.

In any case we need to find the correct communication protocol and to teach the proxmark to use it to clone a tag.

Could someone confirm my tests with snoop on these tags?

EDIT:
Consider that I'm actually using this revision of the proxmark (I hope that there was no update to the snoop function):
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 845 2014-02-19 20:58:33                 
#db# os: svn 845 2014-02-19 20:58:37                 
#db# FPGA image built on 2014/02/19 at 11:41:11                 
uC: AT91SAM7S512 Rev A         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 512K bytes         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory         
proxmark3>

Last edited by gaucho (2015-01-19 16:58:40)


Imagination is more important than knowledge.

Offline
