Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
proxmark3> hf 14a raw -p -T 26
timeout while waiting for reply.
proxmark3> hf 14a raw -a -p -T 26
received 0 octets
proxmark3>
proxmark3> hf 14a raw -p -a -b 7 26
received 2 octets
00 0C
proxmark3>
proxmark3> hf 14a raw -p -T -c 78 00 00 00 00 00 00
received 0 octets
proxmark3>
The -T parameter seems not to be working at all.
And hf topaz snoop/list is this:
proxmark3> hf topaz snoop
proxmark3>
proxmark3> #db# cancelled by button
proxmark3> #db# COMMAND FINISHED
proxmark3> #db# maxDataLen=10, Uart.state=0, Uart.len=0
proxmark3> #db# traceLen=11844, Uart.output[0]=00000043
proxmark3> hf list topaz
Recorded Activity (TraceLen = 11844 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 38112 | Rdr | f0 1e d4 00 7d 9d f6 82 dc 30 f9 80 ab d9 00 00 | |
| | | 00 32 46 66 6d 01 01 11 03 02 00 13 04 01 96 a3 | |
| | | f5 | !crc| ?
141376 | 142432 | Rdr | 26 | | REQA
143620 | 145988 | Tag | 00 0c | |
153744 | 168880 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
170068 | 179348 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
252576 | 267696 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
268884 | 278164 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
527760 | 542896 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
544084 | 553364 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
634432 | 661872 | Rdr | 10 00 00 00 00 00 00 00 00 00 35 8f 93 00 06 28 | ok | RSEG
663044 | 682948 | Tag | 00 35 8f 93 00 00 10 25 00 e1 10 3f 00 01 03 f2 | |
| | | 30 33 02 03 f0 02 03 03 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 55 55 aa aa 12 4c 06 | |
| | | 00 01 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 f8 8b | ok |
1475744 | 1490880 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
1492068 | 1501348 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
1607936 | 1622992 | Rdr | 00 00 00 35 8f 93 00 cb db | ok | RALL
1624244 | 1636084 | Tag | 12 4c 35 8f 93 00 00 10 25 00 e1 10 3f 00 01 03 | |
| | | f2 30 33 02 03 f0 02 03 03 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 55 55 aa aa 12 4c | |
| | | 06 00 01 e0 00 00 00 00 00 00 50 af | ok |
2188192 | 2215632 | Rdr | 02 0f 00 00 00 00 00 00 00 00 35 8f 93 00 2e 36 | ok | READ8
2216820 | 2229556 | Tag | 0f 00 00 00 00 00 00 00 00 cf 27 | ok |
2349904 | 2377344 | Rdr | 02 10 00 00 00 00 00 00 00 00 35 8f 93 00 d5 59 | ok | READ8
2378532 | 2391268 | Tag | 10 00 00 00 00 00 00 00 00 73 4e | ok |
2482960 | 2510416 | Rdr | 02 11 00 00 00 00 00 00 00 00 35 8f 93 00 78 5c | ok | READ8
2511604 | 2524340 | Tag | 11 00 00 00 00 00 00 00 00 8e 03 | ok |
2621312 | 2648752 | Rdr | 02 12 00 00 00 00 00 00 00 00 35 8f 93 00 8f 52 | ok | READ8
2649924 | 2662724 | Tag | 12 00 00 00 00 00 00 00 00 89 d5 | ok |
2794768 | 2822224 | Rdr | 02 13 00 00 00 00 00 00 00 00 35 8f 93 00 22 57 | ok | READ8
2823396 | 2836196 | Tag | 13 00 00 00 00 00 00 00 00 74 98 | ok |
2938976 | 2966432 | Rdr | 02 14 00 00 00 00 00 00 00 00 35 8f 93 00 61 4f | ok | READ8
2967604 | 2980340 | Tag | 14 00 00 00 00 00 00 00 00 96 71 | ok |
3076736 | 3104176 | Rdr | 02 15 00 00 00 00 00 00 00 00 35 8f 93 00 cc 4a | ok | READ8
3105364 | 3118100 | Tag | 15 00 00 00 00 00 00 00 00 6b 3c | ok |
3226800 | 3254240 | Rdr | 02 16 00 00 00 00 00 00 00 00 35 8f 93 00 3b 44 | ok | READ8
3255428 | 3268228 | Tag | 16 00 00 00 00 00 00 00 00 6c ea | ok |
3382736 | 3410192 | Rdr | 02 17 00 00 00 00 00 00 00 00 35 8f 93 00 96 41 | ok | READ8
3411380 | 3424180 | Tag | 17 00 00 00 00 00 00 00 00 91 a7 | ok |
3542784 | 3570240 | Rdr | 02 18 00 00 00 00 00 00 00 00 35 8f 93 00 bd 74 | ok | READ8
3571412 | 3584212 | Tag | 18 00 00 00 00 00 00 00 00 b9 31 | ok |
3692272 | 3719728 | Rdr | 02 19 00 00 00 00 00 00 00 00 35 8f 93 00 10 71 | ok | READ8
3720900 | 3733700 | Tag | 19 00 00 00 00 00 00 00 00 44 7c | ok |
3826576 | 3854032 | Rdr | 02 1a 00 00 00 00 00 00 00 00 35 8f 93 00 e7 7f | ok | READ8
3855204 | 3867940 | Tag | 1a 00 00 00 00 00 00 00 00 43 aa | ok |
3971408 | 3998864 | Rdr | 02 1b 00 00 00 00 00 00 00 00 35 8f 93 00 4a 7a | ok | READ8
4000052 | 4012788 | Tag | 1b 00 00 00 00 00 00 00 00 be e7 | ok |
4106304 | 4133744 | Rdr | 02 1c 00 00 00 00 00 00 00 00 35 8f 93 00 09 62 | ok | READ8
4134932 | 4147732 | Tag | 1c 00 00 00 00 00 00 00 00 5c 0e | ok |
4241184 | 4268640 | Rdr | 02 1d 00 00 00 00 00 00 00 00 35 8f 93 00 a4 67 | ok | READ8
4269812 | 4282612 | Tag | 1d 00 00 00 00 00 00 00 00 a1 43 | ok |
4384288 | 4411744 | Rdr | 02 1e 00 00 00 00 00 00 00 00 35 8f 93 00 53 69 | ok | READ8
4412916 | 4425652 | Tag | 1e 00 00 00 00 00 00 00 00 a6 95 | ok |
4516864 | 4544320 | Rdr | 02 1f 00 00 00 00 00 00 00 00 35 8f 93 00 fe 6c | ok | READ8
4545492 | 4558228 | Tag | 1f 00 00 00 00 00 00 00 00 5b d8 | ok |
4654112 | 4681504 | Rdr | 02 20 00 00 00 00 00 00 00 00 35 8f 93 00 a5 b6 | ok | READ8
4682756 | 4695556 | Tag | 20 00 00 00 00 00 00 00 00 de 46 | ok |
4790208 | 4817600 | Rdr | 02 21 00 00 00 00 00 00 00 00 35 8f 93 00 08 b3 | ok | READ8
4818836 | 4831636 | Tag | 21 00 00 00 00 00 00 00 00 23 0b | ok |
4925712 | 4953104 | Rdr | 02 22 00 00 00 00 00 00 00 00 35 8f 93 00 ff bd | ok | READ8
4954340 | 4967076 | Tag | 22 00 00 00 00 00 00 00 00 24 dd | ok |
5079376 | 5106752 | Rdr | 02 23 00 00 00 00 00 00 00 00 35 8f 93 00 52 b8 | ok | READ8
5108004 | 5120740 | Tag | 23 00 00 00 00 00 00 00 00 d9 90 | ok |
5226608 | 5254000 | Rdr | 02 24 00 00 00 00 00 00 00 00 35 8f 93 00 11 a0 | ok | READ8
5255252 | 5268052 | Tag | 24 00 00 00 00 00 00 00 00 3b 79 | ok |
5369744 | 5397120 | Rdr | 02 25 00 00 00 00 00 00 00 00 35 8f 93 00 bc a5 | ok | READ8
5398356 | 5411156 | Tag | 25 00 00 00 00 00 00 00 00 c6 34 | ok |
5524016 | 5551408 | Rdr | 02 26 00 00 00 00 00 00 00 00 35 8f 93 00 4b ab | ok | READ8
5552644 | 5565380 | Tag | 26 00 00 00 00 00 00 00 00 c1 e2 | ok |
5661312 | 5688704 | Rdr | 02 27 00 00 00 00 00 00 00 00 35 8f 93 00 e6 ae | ok | READ8
5689940 | 5702676 | Tag | 27 00 00 00 00 00 00 00 00 3c af | ok |
5802704 | 5830080 | Rdr | 02 28 00 00 00 00 00 00 00 00 35 8f 93 00 cd 9b | ok | READ8
5831332 | 5844068 | Tag | 28 00 00 00 00 00 00 00 00 14 39 | ok |
5960496 | 5987888 | Rdr | 02 29 00 00 00 00 00 00 00 00 35 8f 93 00 60 9e | ok | READ8
5989140 | 6001876 | Tag | 29 00 00 00 00 00 00 00 00 e9 74 | ok |
6095456 | 6122848 | Rdr | 02 2a 00 00 00 00 00 00 00 00 35 8f 93 00 97 90 | ok | READ8
6124100 | 6136900 | Tag | 2a 00 00 00 00 00 00 00 00 ee a2 | ok |
6233936 | 6261328 | Rdr | 02 2b 00 00 00 00 00 00 00 00 35 8f 93 00 3a 95 | ok | READ8
6262564 | 6275364 | Tag | 2b 00 00 00 00 00 00 00 00 13 ef | ok |
6372416 | 6399808 | Rdr | 02 2c 00 00 00 00 00 00 00 00 35 8f 93 00 79 8d | ok | READ8
6401044 | 6413780 | Tag | 2c 00 00 00 00 00 00 00 00 f1 06 | ok |
6513232 | 6540608 | Rdr | 02 2d 00 00 00 00 00 00 00 00 35 8f 93 00 d4 88 | ok | READ8
6541860 | 6554596 | Tag | 2d 00 00 00 00 00 00 00 00 0c 4b | ok |
6661680 | 6689072 | Rdr | 02 2e 00 00 00 00 00 00 00 00 35 8f 93 00 23 86 | ok | READ8
6690324 | 6703124 | Tag | 2e 00 00 00 00 00 00 00 00 0b 9d | ok |
6800176 | 6827568 | Rdr | 02 2f 00 00 00 00 00 00 00 00 35 8f 93 00 8e 83 | ok | READ8
6828820 | 6841620 | Tag | 2f 00 00 00 00 00 00 00 00 f6 d0 | ok |
6942784 | 6970176 | Rdr | 02 30 00 00 00 00 00 00 00 00 35 8f 93 00 75 ec | ok | READ8
6971412 | 6984212 | Tag | 30 00 00 00 00 00 00 00 00 4a b9 | ok |
7084224 | 7111600 | Rdr | 02 31 00 00 00 00 00 00 00 00 35 8f 93 00 d8 e9 | ok | READ8
7112836 | 7125636 | Tag | 31 00 00 00 00 00 00 00 00 b7 f4 | ok |
7220368 | 7247760 | Rdr | 02 32 00 00 00 00 00 00 00 00 35 8f 93 00 2f e7 | ok | READ8
7248996 | 7261732 | Tag | 32 00 00 00 00 00 00 00 00 b0 22 | ok |
7361232 | 7388608 | Rdr | 02 33 00 00 00 00 00 00 00 00 35 8f 93 00 82 e2 | ok | READ8
7389860 | 7402596 | Tag | 33 00 00 00 00 00 00 00 00 4d 6f | ok |
7493888 | 7521264 | Rdr | 02 34 00 00 00 00 00 00 00 00 35 8f 93 00 c1 fa | ok | READ8
7522516 | 7535316 | Tag | 34 00 00 00 00 00 00 00 00 af 86 | ok |
7628288 | 7655680 | Rdr | 02 35 00 00 00 00 00 00 00 00 35 8f 93 00 6c ff | ok | READ8
7656932 | 7669732 | Tag | 35 00 00 00 00 00 00 00 00 52 cb | ok |
7763888 | 7791280 | Rdr | 02 36 00 00 00 00 00 00 00 00 35 8f 93 00 9b f1 | ok | READ8
7792516 | 7805252 | Tag | 36 00 00 00 00 00 00 00 00 55 1d | ok |
7897712 | 7925104 | Rdr | 02 37 00 00 00 00 00 00 00 00 35 8f 93 00 36 f4 | ok | READ8
7926340 | 7939076 | Tag | 37 00 00 00 00 00 00 00 00 a8 50 | ok |
8034480 | 8061872 | Rdr | 02 38 00 00 00 00 00 00 00 00 35 8f 93 00 1d c1 | ok | READ8
8063108 | 8075844 | Tag | 38 00 00 00 00 00 00 00 00 80 c6 | ok |
8173008 | 8200416 | Rdr | 02 39 00 00 00 00 00 00 00 00 35 8f 93 00 b0 c4 | ok | READ8
8201652 | 8214388 | Tag | 39 00 00 00 00 00 00 00 00 7d 8b | ok |
8310960 | 8338352 | Rdr | 02 3a 00 00 00 00 00 00 00 00 35 8f 93 00 47 ca | ok | READ8
8339588 | 8352388 | Tag | 3a 00 00 00 00 00 00 00 00 7a 5d | ok |
8444800 | 8472176 | Rdr | 02 3b 00 00 00 00 00 00 00 00 35 8f 93 00 ea cf | ok | READ8
8473428 | 8486228 | Tag | 3b 00 00 00 00 00 00 00 00 87 10 | ok |
8578064 | 8605440 | Rdr | 02 3c 00 00 00 00 00 00 00 00 35 8f 93 00 a9 d7 | ok | READ8
8606692 | 8619428 | Tag | 3c 00 00 00 00 00 00 00 00 65 f9 | ok |
8714272 | 8741648 | Rdr | 02 3d 00 00 00 00 00 00 00 00 35 8f 93 00 04 d2 | ok | READ8
8742900 | 8755636 | Tag | 3d 00 00 00 00 00 00 00 00 98 b4 | ok |
8849888 | 8877280 | Rdr | 02 3e 00 00 00 00 00 00 00 00 35 8f 93 00 f3 dc | ok | READ8
8878532 | 8891332 | Tag | 3e 00 00 00 00 00 00 00 00 9f 62 | ok |
8985504 | 9012896 | Rdr | 02 3f 00 00 00 00 00 00 00 00 35 8f 93 00 5e d9 | ok | READ8
9014132 | 9026932 | Tag | 3f 00 00 00 00 00 00 00 00 62 2f | ok |
10814544 | 10829664 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
10830852 | 10840132 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
12600944 | 12616064 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
12617252 | 12626532 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
14386624 | 14401760 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
14402932 | 14412212 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
16170384 | 16185520 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
16186708 | 16195988 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
17954944 | 17970080 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
17971268 | 17980548 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
19739712 | 19754848 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
19756020 | 19765300 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
21524080 | 21539216 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
21540404 | 21549684 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
23328672 | 23343808 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
23344996 | 23354276 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
25129984 | 25145104 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
25146292 | 25155572 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
26933232 | 26948368 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
26949556 | 26958836 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
28738320 | 28753456 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
28754644 | 28763924 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
30539280 | 30554416 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
30555604 | 30564884 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
32397920 | 32413040 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
32414228 | 32423508 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
34197344 | 34212480 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
34213652 | 34222932 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
35987488 | 36002608 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
36003796 | 36013076 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
37777104 | 37792240 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
37793428 | 37802708 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
39572176 | 39587296 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
39588484 | 39597764 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
41374384 | 41389504 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
41390692 | 41399972 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
proxmark3>
This one seems ok !!
Last edited by asper (2015-03-21 23:01:15)
Offline
If you don't get a response to WUPA, the subsequent commands will fail (and this is OK).
Maybe I should have been more specific. The WUPA brings the tag into Ready state. Without it, it will not accept commands. This means, that the field needs to stay on (option -p) and the tag needs to remain in the field (don't remove it) after WUPA.
And the usual advice still holds: don't place the tag directly on the antenna, leave a certain distance.
If you still have problems, please provide a hf list topaz after the WUPA and after the RID (it builds up until the field is switched off).
Offline
hf 14a raw -p -T 26
No answer
The WUPA with the -T option does not work while it does without -T; how can I make it work?
Can you please provide a command sequence I can test without committing any error?
Offline
You need the -a option (switch on HF field) with the WUPA if it is the first command:
hf 14a raw -a -p -T 26
I checked the code again and again and can't find an error yet. What does hf list topaz show after the unsuccessful WUPA?
btw: I ordered some Topaz tags last Friday evening. If we are lucky I will have them available tomorrow evening and will not need to bother you for debugging the basic functionalities...
Offline
You are not bothering me, I am happy to test; I just have little time these weeks.
Offline
proxmark3> hf 14a raw -a -p -T 26
received 0 octets
proxmark3>
proxmark3> hf list topaz f
Recorded Activity (TraceLen = 10 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1312 | Rdr | 26 | | REQA
proxmark3>
proxmark3> hf 14a raw -p -a -b 7 26
received 2 octets
00 0C
proxmark3>
proxmark3> hf list topaz f
Recorded Activity (TraceLen = 21 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr | 26 | | REQA
1056 | 2228 | | fdt (Frame Delay Time): 1172
2228 | 4596 | Tag | 00 0c | |
proxmark3>
Last edited by asper (2015-03-23 12:55:31)
Offline
What's the difference between the two hf list topaz?
Offline
The latter has a tag response 00 0c..
Offline
Thanks, I had seen that. Rephrasing the question: what did you do before the second hf list topaz?
Offline
Updated the code, sorry I pasted it only partly.
Offline
From the duration (1312 compared to 1056) in the first list I would conclude that this was transferred as 8 bits with parity (i.e. not the Topaz protocol, which would be 7 bits and no parity).
I hardly dare to ask: did you flash the Proxmark with the recent version?
Offline
Don't know about Asper, but I have flashed, and get the time 1056, but with -T no answer from the tag, and with -b 7 I get the 000c response.
Offline
My Topaz tags arrived today. I was eager to debug my code and did a first test. And guess what? Worked like a charm!
proxmark3> hf 14a raw -a -p -T 26
received 2 octets
00 0C
proxmark3> hf 14a raw -p -c -T 78 00 00 00 00 00 00
received 8 octets
12 4C 8D BD 64 00 92 DA
proxmark3> hf 14a raw -p -c -T 00 00 00 8D BD 64 00
received 124 octets
12 4C 8D BD 64 00 00 10 25 00 E1 10 3F 00 01 03 F2 30 33 02 03 F0 02 03 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55
55 AA AA 12 4C 06 00 01 E0 00 00 00 00 00 00 D0 0D
proxmark3> hf list topaz
Recorded Activity (TraceLen = 366 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr | 26 | | REQA
2228 | 4596 | Tag | 00 0c | |
238438784 | 238496288 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
238497460 | 238506804 | Tag | 12 4c 8d bd 64 00 92 da | ok |
1003075456 | 1003132960 | Rdr | 00 00 00 8d bd 64 00 99 5d | ok | RALL
1003134132 | 1003146036 | Tag | 12 4c 8d bd 64 00 00 10 25 00 e1 10 3f 00 01 03 | |
| | | f2 30 33 02 03 f0 02 03 03 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 55 55 aa aa 12 4c | |
| | | 06 00 01 e0 00 00 00 00 00 00 d0 0d | ok |
proxmark3>
I have no idea what happened at your side. Maybe do a make clean before compiling?
Offline
yup, compiled and flashed your branch. Worked better than mine with this new -T command.
Still, on a side note, I can hardly use the "hf" commands anymore because of all the "collisions" and "can't select tag" / "iso14443a card select failed" errors.
[Edit] I copied the *.bit files from your branch; they seem to be working better now. Not perfect, but at least working.
Last edited by iceman (2015-03-23 22:19:28)
Offline
Piwi, dunno what happened, but you were right: I reflashed after a make clean and it works!
proxmark3> hf 14a raw -a -p -T 26
received 2 octets
00 0C
proxmark3>
proxmark3> hf 14a raw -p -c -T 78 00 00 00 00 00 00
received 8 octets
12 4C 35 8F 93 00 C0 5C
proxmark3>
proxmark3> hf 14a raw -p -c -T 00 00 00 35 8F 93 00
received 124 octets
12 4C 35 8F 93 00 00 10 25 00 E1 10 3F 00 01 03 F2 30 33 02 03 F0 02 03 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 55 AA AA 12 4C 06 00 01 E0 00 00 00 00 00 00 50 AF
proxmark3>
proxmark3> hf list topaz
Recorded Activity (TraceLen = 456 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr | 26 | | REQA
2228 | 4596 | Tag | 00 0c | |
122576768 | 122634272 | Rdr | 78 00 00 00 00 00 00 d0 43 | ok | RID
122635444 | 122644724 | Tag | 12 4c 35 8f 93 00 c0 5c | ok |
226454016 | 667334048 | Rdr | 00 00 00 8d bd 64 00 99 5d 00 00 00 35 8f 93 00 | !crc| RALL
667339904 | 667348064 | Rdr | cb db | | ?
667349300 | 667361140 | Tag | 12 4c 35 8f 93 00 00 10 25 00 e1 10 3f 00 01 03 | |
| | | f2 30 33 02 03 f0 02 03 03 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 00 00 00 00 00 00 00 00 00 00 55 55 aa aa 12 4c | |
| | | 06 00 01 e0 00 00 00 00 00 00 50 af | ok |
proxmark3>
Great ! I am sorry you had to buy some tags.
Last edited by asper (2015-03-23 22:55:08)
Offline
@iceman: 1st you tested with option -T ("no answer from tag"), then compiled and flashed my branch, then copied the *.bit files. I am quite confused. How can you get it piece by piece when a git clone or git pull gives you everything at once? On which commit are you testing?
Offline
Nay, not that hard. I git pull the whole branch, but only pick out some stuff into my own branch via merge software.
That works very well. But the binaries don't seem to work as well as wanted. Git branches and me don't get along very well.
I did a fresh recompile from your branch this time, and used your client. That fixes the topaz issue. You did a great job implementing it without a tag to test.
Offline
Doesn't seem to be a good idea IMHO because
You create a version with both your and my bugs plus bugs introduced by merging. Not a good basis for testing...
Git will not be aware of your merge software, i.e. you create separate commits for the same change. When you and I merge our branches to master, every code change (well, at least my code changes and any other you are "merging" this way from other repositories) will appear twice in the git log.
Still, on a side note, I can hardly use the "hf" commands anymore because of all the "collisions" and "can't select tag" / "iso14443a card select failed" errors.
[Edit] I copied the *.bit files from your branch; they seem to be working better now. Not perfect, but at least working.
I will pull your repository and check...
Offline
Normally I merge from Pm3 master via git, and I get all your committed code. After that I can start committing code as well, but the thing is I have my branch, then I want to test some code from Marshmellow and from you in one place, and that leaves me with merging nevertheless.
Since I know your high quality patches regarding the fpga / arm usually are a godsend, I usually want them as fast as possible, == merging into my fork. Same goes for Holiman's patches. But now I fear the fpga code (I can't compile it, since I don't have the verilog compiler installed) is out of sync, i.e. pulling Pm3 master gives something different from yours.
Offline
@Piwi, when I revert my fpga_hf.bit to one from January 2015, my HF commands start working again.
That indicates something didn't go as planned in later versions.
Offline
Pushed another commit to my repository. Implemented hf topaz reader. This is still WIP but you may please test, comment and suggest improvements.
Offline
Hi piwi ! I saw you changed some stuff in the topaz command; can you list the new commands so I can update the gui ? Thank you !
Offline
Welcome back asper. This is still work in progress and on my repository only. I had waited for you to test my latest modifications before I proceed. Available up to now are
hf list topaz
hf topaz snoop
hf topaz reader
But this list of commands will change (also depending on your feedback) and I therefore think it is too early to modify the gui.
Offline
It was a busy week my friend ...
Is your topaz branch updated with the latest 2.0.0 code? If so I am going to test it tomorrow! If not I will need to downgrade the bootrom and firmware; let me know if you can.
Last edited by asper (2015-04-04 21:30:09)
Offline
Oh, we should tag the bootrom change as a new version! I'm out travelling right now though...
Offline
Mmmmmmm, I just compiled the piwi topaz branch code and fpgaimage.elf is still present, so I think I cannot flash the fullimage with bootrom 2.0.0... can I?
Offline
I have merged master into my topaz branch. It should now be safe to flash the os only.
@holiman: the bootloader itself didn't change. But it indeed needs to be linked and flashed anew because of the changed os start address. I don't think that this justifies a new version tag.
Offline
I meant since it's not backwards-compatible, not that it's a major feature...?
Offline
I agree with holiman.
I will test the new 2.0.0 compatible topaz branch tomorrow, thank you piwi!!
Offline
I tested ALL the available commands and, as predicted, they are ALL supported by my Topaz:
Note: if you do not erase a byte (the write-but-not-erase commands), it will not change, so write with no erase seems to work with value 00 only (must be verified!)
proxmark3> hf 14a raw -a -p -T 26
received 2 octets
00 0C
proxmark3>
proxmark3> hf 14a raw -p -c -T 78 00 00 00 00 00 00
received 8 octets
12 4C 35 8F 93 00 C0 5C
proxmark3>
proxmark3> hf 14a raw -p -c -T 00 00 00 35 8F 93 00
received 124 octets
12 4C 35 8F 93 00 00 10 25 00 E1 10 3F 00 01 03 F2 30 33 02 03 F0 02 03 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 55 AA AA 12 4C 06 00
01 E0 00 00 00 00 00 00 50 AF
proxmark3>
proxmark3> hf 14a raw -p -c -T 010000358F9300
received 4 octets
00 35 69 69
proxmark3>
proxmark3> hf 14a raw -p -c -T 010100358F9300
received 4 octets
01 8F 60 6A
proxmark3>
proxmark3> hf 14a raw -p -c -T 011A00358F9300
received 4 octets
1A 00 A6 67
proxmark3>
proxmark3> hf 14a raw -p -c -T 531ABB358F9300
received 4 octets
1A BB FE 6C
proxmark3>
proxmark3> hf 14a raw -p -c -T 011A00358F9300
received 4 octets
1A BB FE 6C
proxmark3>
proxmark3> hf 14a raw -p -c -T 531A00358F9300
received 4 octets
1A 00 A6 67
proxmark3>
proxmark3> hf 14a raw -p -c -T 011A00358F9300
received 4 octets
1A 00 A6 67
proxmark3>
proxmark3> hf 14a raw -p -c -T 1A1ABB358F9300
received 4 octets
1A BB FE 6C
proxmark3>
proxmark3> hf 14a raw -p -c -T 1A1A00358F9300
received 4 octets
1A BB FE 6C
proxmark3>
proxmark3> hf 14a raw -p -c -T 531A00358F9300
received 4 octets
1A 00 A6 67
proxmark3>
proxmark3> hf 14a raw -p -c -T 100F0000000000000000358F9300
received 131 octets
0F 35 8F 93 00 00 10 25 00 E1 10 3F 00 01 03 F2 30 33 02 03 F0 02 03 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 55 AA AA 12 4C 06 00 01
E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 72 C8
proxmark3>
proxmark3> hf 14a raw -p -c -T 02FF0000000000000000358F9300
received 11 octets
FF 00 00 00 00 00 00 00 00 D6 0D
proxmark3>
proxmark3> hf 14a raw -p -c -T 54FF1122334455667788358F9300
received 11 octets
FF 00 00 00 00 00 00 00 00 D6 0D
proxmark3>
proxmark3> hf 14a raw -p -c -T 1BFF1122334455667788358F9300
received 11 octets
FF 00 00 00 00 00 00 00 00 D6 0D
proxmark3>
proxmark3> hf 14a raw -p -c -T 540A1122334455667788358F9300
received 11 octets
0A 11 22 33 44 55 66 77 88 EE 21
proxmark3>
proxmark3> hf 14a raw -p -c -T 1B0A0000000000000000358F9300
received 11 octets
0A 11 22 33 44 55 66 77 88 EE 21
proxmark3>
proxmark3> hf 14a raw -p -c -T 540A0000000000000000358F9300
received 11 octets
0A 00 00 00 00 00 00 00 00 D7 55
proxmark3>
I think your code is fully working piwi !
Last edited by asper (2015-04-05 23:56:30)
Offline
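The command set exercised in the post above (RID 78, RALL 00, READ 01, WRITE-E 53, WRITE-NE 1A, RSEG 10, READ8 02, WRITE-E8 54, WRITE-NE8 1B) shares one frame layout, and the only part the client adds for you is the CRC. The Python module below is an added example for this thread, not Proxmark3 code and not from piwi's branch: it builds those frames, appends the CRC_B that every Topaz frame in the traces carries (the d0 43 on RID and cb db on RALL are what -c appends in -T mode; -c without -T appends CRC_A, included for contrast), checks the CRC on tag answers, and models the two write flavours so the WRITE-NE observation in the post can be explained rather than guessed at. Frame layouts and the "WRITE-NE only sets bits" behaviour are taken from the Innovision Topaz datasheet; the UID 35 8f 93 00 and every CRC used for checking are values quoted in this thread; the function and constant names are mine.

```python
"""Topaz (NFC Forum Type 1 Tag) command framing and CRC, matching the
'hf list topaz' traces in this thread. Added example, not Proxmark3 code."""


def _crc16_iso14443(data: bytes, init: int) -> int:
    # Bit-reflected CRC-16 update from ISO/IEC 14443-3 Annex B.
    crc = init
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return crc


def crc_b(data: bytes) -> bytes:
    """CRC_B (init 0xFFFF, inverted), low byte first: what Topaz frames carry."""
    return ((~_crc16_iso14443(data, 0xFFFF)) & 0xFFFF).to_bytes(2, "little")


def crc_a(data: bytes) -> bytes:
    """CRC_A (init 0x6363, not inverted): plain ISO 14443A, e.g. the NTAG
    GET_VERSION answer further down the thread."""
    return _crc16_iso14443(data, 0x6363).to_bytes(2, "little")


# Opcodes. Static commands address one byte; dynamic ones a block or segment.
RID, RALL, READ, WRITE_E, WRITE_NE = 0x78, 0x00, 0x01, 0x53, 0x1A
RSEG, READ8, WRITE_E8, WRITE_NE8 = 0x10, 0x02, 0x54, 0x1B


def _frame(cmd: int, add: int, data: bytes, uid: bytes) -> bytes:
    """Every Topaz reader frame is cmd | ADD | DATA | UID0..3 | CRC_B."""
    if len(uid) != 4:
        raise ValueError("Topaz commands carry the 4-byte UID returned by RID")
    body = bytes([cmd, add]) + data + uid
    return body + crc_b(body)


def static_addr(block: int, byte: int) -> int:
    """ADD byte for static memory: 0bbbbyyy (block 0..15, byte 0..7)."""
    if not (0 <= block <= 15 and 0 <= byte <= 7):
        raise ValueError("static memory is 16 blocks of 8 bytes")
    return (block << 3) | byte


def rid() -> bytes:               # UID not known yet, so all zero
    return _frame(RID, 0x00, b"\x00", b"\x00" * 4)


def rall(uid: bytes) -> bytes:    # answer: HR0 HR1 + 120 static bytes + CRC
    return _frame(RALL, 0x00, b"\x00", uid)


def read(block: int, byte: int, uid: bytes) -> bytes:
    return _frame(READ, static_addr(block, byte), b"\x00", uid)


def write(cmd: int, block: int, byte: int, value: int, uid: bytes) -> bytes:
    """cmd is WRITE_E (erase, then write) or WRITE_NE (write, no erase)."""
    return _frame(cmd, static_addr(block, byte), bytes([value]), uid)


def rseg(segment: int, uid: bytes) -> bytes:
    """ADDS = segment << 4; the tag echoes ADDS and returns 128 bytes."""
    return _frame(RSEG, (segment & 0x0F) << 4, b"\x00" * 8, uid)


def read8(block: int, uid: bytes) -> bytes:
    return _frame(READ8, block & 0xFF, b"\x00" * 8, uid)


def write8(cmd: int, block: int, data: bytes, uid: bytes) -> bytes:
    """cmd is WRITE_E8 or WRITE_NE8; data is the whole 8-byte block."""
    if len(data) != 8:
        raise ValueError("dynamic-memory writes are whole 8-byte blocks")
    return _frame(cmd, block & 0xFF, data, uid)


def check_crc_b(resp: bytes) -> bytes:
    """Strip the trailing CRC_B of a tag answer, raising on a mismatch."""
    payload, crc = resp[:-2], resp[-2:]
    if crc_b(payload) != crc:
        raise ValueError("CRC_B mismatch on tag answer")
    return payload


def parse_rid(resp: bytes) -> dict:
    """RID answer: HR0 HR1 UID0..3 CRC. HR0 low nibble 2 = dynamic memory map."""
    hr0, hr1, *uid = check_crc_b(resp)
    return {"hr0": hr0, "hr1": hr1, "uid": bytes(uid), "dynamic": (hr0 & 0x0F) == 2}


def apply_write(current: int, cmd: int, value: int) -> int:
    """Byte-level effect per the Topaz datasheet: WRITE-E replaces the byte,
    WRITE-NE only sets bits (it ORs), so it can never clear one."""
    if cmd in (WRITE_E, WRITE_E8):
        return value & 0xFF
    if cmd in (WRITE_NE, WRITE_NE8):
        return (current | value) & 0xFF
    raise ValueError("not a write opcode")


def replay_address_1a() -> list:
    """The five writes to ADD 0x1A (block 3, byte 2) from the post above;
    returns the value each following READ should report."""
    seq = [(WRITE_E, 0xBB), (WRITE_E, 0x00), (WRITE_NE, 0xBB),
           (WRITE_NE, 0x00), (WRITE_E, 0x00)]
    val, seen = 0x00, []
    for cmd, v in seq:
        val = apply_write(val, cmd, v)
        seen.append(val)
    return seen


if __name__ == "__main__":
    uid = parse_rid(bytes.fromhex("124c358f9300c05c"))["uid"]  # RID answer from the thread
    for name, frm in [("RID", rid()), ("RALL", rall(uid)), ("READ 0x1a", read(3, 2, uid)),
                      ("RSEG 0", rseg(0, uid)), ("READ8 0x0f", read8(0x0F, uid))]:
        print(f"{name:11s} {frm.hex(' ')}")
    print("ADD 0x1a after each write:", " ".join(f"{v:02x}" for v in replay_address_1a()))
```

Run stand-alone it prints the frames for asper's tag; compare them byte for byte with the Rdr lines of the hf list topaz traces above (RID, RALL, RSEG and READ8 reproduce the traced CRCs). The replay returns bb, 00, bb, bb, 00, exactly the READ results in the post: WRITE-NE cannot clear a bit, which is why writing 00 without erase left bb in place and why only WRITE-E brought the byte back to 00.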
Oh, another curiosity: command 10 should return 130 bytes, while my Topaz gives back 131 bytes... dunno why!
EDIT
Sorry, I was wrong, the datasheet (page 19) says 131 bytes...
Last edited by asper (2015-04-06 00:00:46)
Offline
Any comments on hf topaz reader? Do we need more output or is it already "too much NFC"?
Offline
And regarding the latest discussion on coding at device or client side: I made only minimum changes in ARM code (just enough to support the low level Topaz protocol). All of hf topaz reader is implemented on client side. Comments?
Offline
I think your division of code is good. If someone later on wants to simulate a Topaz, they can implement it on the device side.
Offline
Any comments on hf topaz reader? Do we need more output or is it already "too much NFC"?
The more info the better in my opinion ! I will add all those info to other reader commands where applicable !!
ATQA : 0c 00
HR0 : 12 (a Topaz tag (capable of carrying a NDEF message), dynamic memory map)
HR1 : 4c
UID : 25 10 00 00 93 8f 35
UID[6] (Manufacturer Byte) = 25, Manufacturer: Innovision Research and Technology Plc UK
Static Data blocks 00 to 0c:
block# | offset | Data | Locked?
0x00 | 0x00 | 35 8f 93 00 00 10 25 00 | yes
0x01 | 0x08 | e1 10 3f 00 01 03 f2 30 | no
0x02 | 0x10 | 33 02 03 f0 02 03 03 00 | no
0x03 | 0x18 | 00 00 00 00 00 00 00 00 | no
0x04 | 0x20 | 00 00 00 00 00 00 00 00 | no
0x05 | 0x28 | 00 00 00 00 00 00 00 00 | no
0x06 | 0x30 | 00 00 00 00 00 00 00 00 | no
0x07 | 0x38 | 00 00 00 00 00 00 00 00 | no
0x08 | 0x40 | 00 00 00 00 00 00 00 00 | no
0x09 | 0x48 | 00 00 00 00 00 00 00 00 | no
0x0a | 0x50 | 00 00 00 00 00 00 00 00 | no
0x0b | 0x58 | 00 00 00 00 00 00 00 00 | no
0x0c | 0x60 | 00 00 00 00 00 00 00 00 | no
Static Reserved block 0d:
0x0d | 0x68 | 55 55 aa aa 12 4c 06 00 | n/a
Static Lockbits and OTP Bytes:
0x0e | 0x70 | 01 e0 00 00 00 00 00 00 | n/a
Capability Container: e1 10 3f 00
e1: NDEF Magic Number
10: version 1.0 supported by tag
3f: Physical Memory Size of this tag: 512 bytes
00: Read access granted without any security / Write access granted without any security
Lock Area of 48 bits at byte offset 0x7a. Each Lock Bit locks 8 bytes.
Reserved Memory of 2 bytes at byte offset 0x78.
I think a command to fully dump the tag will be useful.
Offline
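To see how hf topaz reader gets from the raw 124-byte RALL answer to the output asper posted (the CC decode, the "Lock Area of 48 bits at byte offset 0x7a" and "Reserved Memory of 2 bytes at byte offset 0x78" lines, and the Locked? column), here is an added Python example, not Proxmark3 code: it parses the static memory map according to the NFC Forum Type 1 Tag specification. RALL_RESPONSE is the exact answer asper's tag gave earlier in this thread, reassembled block by block; the CRC is stripped, not verified, here (that belongs to the frame layer). The function names are mine.

```python
"""Decode the static memory a Topaz RALL returns, as 'hf topaz reader' does
above. Added example, not Proxmark3 code; layouts per NFC Forum Type 1 Tag."""

# The 124-byte RALL answer (HR0 HR1 + 120 bytes + CRC_B) quoted from asper's
# tag earlier in this thread, reassembled block by block.
RALL_RESPONSE = bytes.fromhex(
    "124c"                 # HR0 HR1
    "358f930000102500"     # block 0x00: UID0..6 + reserved byte, always locked
    "e1103f000103f230"     # block 0x01: CC e1 10 3f 00, then the TLVs start
    "330203f002030300"     # block 0x02
    + "00" * 80            # blocks 0x03..0x0c: unused (NULL TLVs)
    + "5555aaaa124c0600"   # block 0x0d: reserved
    + "01e0000000000000"   # block 0x0e: static lock bytes + OTP
    + "50af"               # CRC_B (stripped below, not verified here)
)

TLV_NULL, TLV_LOCK_CTRL, TLV_MEM_CTRL, TLV_NDEF, TLV_END = 0x00, 0x01, 0x02, 0x03, 0xFE


def static_blocks(resp: bytes) -> tuple:
    """Split a RALL answer into HR0, HR1 and the 15 static 8-byte blocks."""
    data = resp[2:-2]
    if len(data) != 120:
        raise ValueError("RALL returns HR0 HR1 + 120 bytes + CRC")
    return resp[0], resp[1], [data[i:i + 8] for i in range(0, 120, 8)]


def parse_cc(cc: bytes) -> dict:
    """Capability Container: magic, version, TMS (size/8 - 1), access nibbles."""
    if cc[0] != 0xE1:
        raise ValueError("no NDEF magic number in block 1")
    return {"version": f"{cc[1] >> 4}.{cc[1] & 0x0F}",
            "memory_bytes": (cc[2] + 1) * 8,
            "read_open": (cc[3] >> 4) == 0, "write_open": (cc[3] & 0x0F) == 0}


def iter_tlvs(area: bytes):
    """Walk T-L-V entries: NULL has no length, 0xFE ends, L=0xFF means 3-byte L."""
    i = 0
    while i < len(area):
        t = area[i]
        if t == TLV_NULL:
            i += 1
            continue
        if t == TLV_END or i + 1 >= len(area):
            return
        length, i = area[i + 1], i + 2
        if length == 0xFF:
            length, i = int.from_bytes(area[i:i + 2], "big"), i + 2
        yield t, area[i:i + length]
        i += length


def decode_lock_control(v: bytes) -> dict:
    """Position = page addr (hi) | byte offset (lo); Size = lock bits (0 -> 256);
    PageControl = bytes-locked-per-bit exponent (hi) | bytes-per-page exponent (lo)."""
    page, off = v[0] >> 4, v[0] & 0x0F
    return {"offset": page * (1 << (v[2] & 0x0F)) + off,
            "bits": v[1] or 256, "bytes_per_bit": 1 << (v[2] >> 4)}


def decode_memory_control(v: bytes) -> dict:
    """Same Position/PageControl encoding; Size is in bytes (0 -> 256)."""
    page, off = v[0] >> 4, v[0] & 0x0F
    return {"offset": page * (1 << (v[2] & 0x0F)) + off, "bytes": v[1] or 256}


def locked_static_blocks(lock_bytes: bytes) -> set:
    """Lock-0 bit i locks block i, Lock-1 bit i locks block 8+i."""
    bits = lock_bytes[0] | (lock_bytes[1] << 8)
    return {blk for blk in range(16) if (bits >> blk) & 1}


def describe(resp: bytes) -> dict:
    hr0, hr1, blocks = static_blocks(resp)
    info = {"hr0": hr0, "hr1": hr1, "dynamic": (hr0 & 0x0F) == 2,
            "uid4": blocks[0][:4],              # the UID every command carries
            "cc": parse_cc(blocks[1][:4]),
            "locked_static_blocks": locked_static_blocks(blocks[0x0E][:2]),
            "ndef": None}
    # Data area of the static map: after the CC, up to the reserved block 0x0d.
    for t, v in iter_tlvs(b"".join(blocks[1:13])[4:]):
        if t == TLV_LOCK_CTRL:
            info["lock_control"] = decode_lock_control(v)
        elif t == TLV_MEM_CTRL:
            info["memory_control"] = decode_memory_control(v)
        elif t == TLV_NDEF:
            info["ndef"] = v
    return info


if __name__ == "__main__":
    for k, v in describe(RALL_RESPONSE).items():
        print(f"{k:21s} {v.hex() if isinstance(v, bytes) else v}")
```

Running it recovers the same facts the reader printed: UID 35 8f 93 00 for the command frames, a dynamic memory map (HR0 0x12), a 512-byte tag (TMS 0x3f), read and write access open, a lock area at 0x7a of 48 bits each covering 8 bytes, 2 reserved bytes at 0x78, and an empty NDEF Message TLV (03 00). The static lock bytes 01 e0 mark blocks 0, 13, 14 and 15 as locked, which matches the "yes" on block 0 in the reader output; lock bits in the dynamic area are what the Lock Control TLV points at and are not part of this static parse.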
Hey Asper,
Earlier in the thread you mentioned that the Nintendo Amiibo use TOPAZ. How did you determine this? All my testing indicates that they are mifare ultralight-c.
Thanks!
Offline
If you have an amiibo, you can test it with the topaz commands, if it answers back then you know.
Offline
Well, iceman, as per the other thread... amiibos may actually be some variation of Ultralight EV1 (they are not MF0UL11 or MF0UL21). They respond to EV1's GET_VERSION and PWD_AUTH commands just fine. This is why I wanted to ask Asper how he'd come to the conclusion of them being TOPAZ. I'll try piwi's branch with TOPAZ support and test, but amiibos being EV1s seems more probable at this time.
Offline
I take my previous statement back. Amiibos (at least Megaman and Sonic) are NTAG215.
The reply to GET_VERSION matches that of the NTAG215 as per this datasheet:
https://dangerousthings.com/wp-content/uploads/2013/12/NTAG213_215_216.pdf
proxmark3> hf 14a raw -s -c 60
received 7 octets
04 1A 9B 82 C2 3E 80
received 10 octets
00 04 04 02 01 00 11 03 01 9E
Offline
Hi, wanted to follow up on this.
The Jewel/Topaz toys are pre-Amiibo NFC toys used for the 2013 Wii U game Pokemon Rumble U / Pokemon Scramble U.
Official site: http://www.pokemonrumble.com/RumbleU/en/nfc/
Full list of figures: http://www.serebii.net/rumbleu/figures/figures.shtml
As asper noted, some blocks seem consistent between figures:
Block 0 is the UID (4 bytes), I've seen the next two bytes be 0010 or 0002, and then consistently 2500
Block 1 always seems to be e1113f00 0103f230
Block 2 always seems to be 330203f0 020303ff, except in asper's post, where the last byte is 00.
Block 3 always seems to be 014ec500 00000148, except in asper's post, where it's all 00.
Block 13 always seems to be 5555aaaa 124c0600
Block 14 always seems to be 01e00000 00000000, except in asper's post, where the last two bytes were 50af, which I'm not sure how it's possible if it's always locked
Block 15 always seems to be 00000000 0000ffff, except in asper's post, where the last two bytes were 0000
I have data on two figures that are the same, but there don't seem to be any bytes that are the same between them, but different between other figures, to identify a figure model number. I don't have a Wii U, so I can't try emulating it and flipping bits.
asper, what figures do you have, and can I get dumps of them?
Amiibos have been totally reversed, look at this thread in the forum (I suppose the topaz content can be decrypted the same way as the ntag content - not tested).
Last edited by asper (2015-10-26 08:48:38)
(I suppose the topaz content can be decrypted the same way as the ntag content - not tested).
Not tested.
I'm putting together some dumps for testing, and if you have any figures, they would be helpful. It's not the same memory size or data layout as the NTAG215 figures, so a naive decryption attempt with amiitool doesn't work.
Added a topaz dump (found on the web) to the 1st post. Encrypted data are only a part (big part) of the NTAG and TOPAZ; the encryption should be the same.
I also think I have an explanation for the first 4 "reserved" bytes... iceman?
Last edited by asper (2015-10-27 10:12:20)
Is there a data map somewhere? I don't remember anymore.
This reminds me of my Topaz branch which is still dormant in my repository. I currently don't find the time to add more commands but will raise a Pull Request so that others can better contribute to it.
Ah, that explains why I couldn't get it working through iceman's branch.
I just pulled down piwi's topaz branch, compiled it, flashed the bootrom and OS, but it's not giving me the same results you were seeing:
proxmark3> hf topaz reader
Error: couldn't receive ATQA
proxmark3> hf list topaz
Recorded Activity (TraceLen = 10 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
proxmark3> hf 14a raw -a -p -T 26
received 0 octets
proxmark3> hf list topaz
Recorded Activity (TraceLen = 10 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr | 26 | | REQA
proxmark3> hf 14a raw -p -c -T 00 00 00 d2 f4 21 00
received 0 octets
proxmark3> hf list topaz
Recorded Activity (TraceLen = 100 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr | 26 | | REQA
-1782418048 | -1782360608 | Rdr | 00 00 00 d2 f4 21 00 c0 98 | ok | RALL
What am I missing?
piwi's topaz commands are in my fork.. they should work, @asper verified and tested them....
Hrm. Okay, pulled down the latest from iceman's fork, rebuilt, flashed bootrom and OS. Same issue:
pm3 --> hf topaz reader
Error: couldn't receive ATQA
pm3 --> hf list topaz
Recorded Activity (TraceLen = 10 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
pm3 --> hf 14a raw -a -p -T 26
received 0 octets
pm3 --> hf list topaz
Recorded Activity (TraceLen = 10 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr | 26 | | REQA
pm3 --> hf 14a raw -p -c -T 00 00 00 d2 f4 21 00
received 0 octets
pm3 --> hf list topaz
Recorded Activity (TraceLen = 100 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr | 26 | | REQA
162938240 | 162995680 | Rdr | 00 00 00 d2 f4 21 00 c0 98 | ok | RALL
Could something have broken it? Should I try a build from piwi's fork from April or May? Or am I just missing something else?
doesn't look like a topaz..
Okay, turns out I was just having antenna issues. Using iceman's latest branch I now get:
pm3 --> hf topaz reader
ATQA : 0c 00
HR0 : 12 (a Topaz tag (capable of carrying a NDEF message), dynamic memory map)
HR1 : 4c
UID : 25 10 00 00 21 f4 d2
UID[6] (Manufacturer Byte) = 25, Manufacturer: Innovision Research and Technology Plc UK
Static Data blocks 00 to 0c:
block# | offset | Data | Locked?
0x00 | 0x00 | d2 f4 21 00 00 10 25 00 | yes
0x01 | 0x08 | e1 11 3f 00 01 03 f2 30 | no
0x02 | 0x10 | 33 02 03 f0 02 03 03 ff | no
0x03 | 0x18 | 01 4e c5 00 00 00 01 48 | no
0x04 | 0x20 | 47 40 a8 ea 3a ff d6 6e | no
0x05 | 0x28 | 3b e7 ae e9 a3 8d a6 31 | no
0x06 | 0x30 | 1b 13 7a 6d f4 4e cf 28 | no
0x07 | 0x38 | f1 8a 6e 35 48 d9 a4 80 | no
0x08 | 0x40 | 4e 4f 46 54 01 00 00 00 | no
0x09 | 0x48 | fd 34 53 69 b4 86 13 18 | no
0x0a | 0x50 | 31 49 ca 22 4c e4 dd ee | no
0x0b | 0x58 | a7 67 dd b3 64 99 30 b4 | no
0x0c | 0x60 | 25 96 6a 4f 34 8d e0 1a | no
Static Reserved block 0d:
0x0d | 0x68 | 55 55 aa aa 12 4c 06 00 | n/a
Static Lockbits and OTP Bytes:
0x0e | 0x70 | 01 e0 00 00 00 00 00 00 | n/a
Capability Container: e1 11 3f 00
e1: NDEF Magic Number
11: version 1.1 supported by tag
3f: Physical Memory Size of this tag: 512 bytes
00: Read access granted without any security / Write access granted without any security
Lock Area of 48 bits at byte offset 0x7a. Each Lock Bit locks 8 bytes.
Reserved Memory of 2 bytes at byte offset 0x78.
I have also successfully used raw -T to perform READ-8 and WRITE-8.
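Added example (Python), not code from the thread or from the Proxmark3 project, covering both the block-by-block observations earlier in the thread and the `hf topaz reader` output in the post above: it parses the static area of that dump as an NFC Forum Type 1 Tag and derives the same facts the Proxmark prints (capability container, Lock Control and Memory Control TLVs, NDEF TLV, static lock bits). The layout rules follow the Type 1 Tag specification; the sample bytes are copied from the dump, and every function name is this example's own.

```python
# Added example, not from the thread or the Proxmark3 project: parse the
# static area of the Topaz dump above as an NFC Forum Type 1 Tag and recover
# what `hf topaz reader` reports from it. Layout rules follow the Type 1 Tag
# specification; the sample bytes are copied from the post.

# Constructed sample: blocks 0x00..0x0e of the dump, 8 bytes per block.
TOPAZ_STATIC = bytes.fromhex(
    "d2f4210000102500"  # 0x00  7-byte UID + reserved byte, locked
    "e1113f000103f230"  # 0x01  capability container, then the TLV area
    "330203f0020303ff"  # 0x02
    "014ec50000000148"  # 0x03
    "4740a8ea3affd66e"  # 0x04
    "3be7aee9a38da631"  # 0x05
    "1b137a6df44ecf28"  # 0x06
    "f18a6e3548d9a480"  # 0x07
    "4e4f465401000000"  # 0x08
    "fd345369b4861318"  # 0x09
    "3149ca224ce4ddee"  # 0x0a
    "a767ddb3649930b4"  # 0x0b
    "25966a4f348de01a"  # 0x0c
    "5555aaaa124c0600"  # 0x0d  reserved
    "01e0000000000000"  # 0x0e  static lock bytes + OTP
)
STATIC_DATA_END = 0x68   # blocks 0x0d/0x0e are not part of the data area
TLV_START = 12           # first byte after the 4-byte capability container


def parse_cc(block1):
    magic, version, size, access = block1[:4]
    if magic != 0xE1:
        raise ValueError("no NDEF magic, got 0x%02x" % magic)
    return {"version": "%d.%d" % (version >> 4, version & 0x0F),
            "memory_bytes": (size + 1) * 8,            # 0x3f -> 512
            "read_access": access >> 4, "write_access": access & 0x0F}


def parse_tlvs(data, pos):
    """Walk the TLV area. A value is returned as found even if the dump ends
    before its declared length (the NDEF TLV here continues into the dynamic
    area, which RALL does not return)."""
    out = []
    while pos < len(data):
        tag = data[pos]
        if tag == 0x00:                  # NULL TLV, one byte, no length
            pos += 1
            continue
        if tag == 0xFE:                  # Terminator TLV
            out.append((tag, 0, b""))
            break
        length, pos = data[pos + 1], pos + 2
        if length == 0xFF:               # three-byte length form
            length, pos = (data[pos] << 8) | data[pos + 1], pos + 2
        out.append((tag, length, data[pos:pos + length]))
        pos += length
    return out


def decode_control_tlv(value, lock=False):
    """Lock Control (0x01) and Memory Control (0x02) share one 3-byte body:
    position = page address (high nibble) / byte offset (low nibble),
    size (0 means 256), page control (low nibble = log2 bytes per page; for
    Lock Control the high nibble = log2 bytes locked per lock bit)."""
    position, size, page_ctl = value
    bytes_per_page = 1 << (page_ctl & 0x0F)
    info = {"byte_offset": (position >> 4) * bytes_per_page + (position & 0x0F),
            "size": size or 256, "bytes_per_page": bytes_per_page}
    if lock:
        info["bytes_per_lock_bit"] = 1 << (page_ctl >> 4)
    return info


def decode_ndef_header(rec):
    """First NDEF record header: flags, type length, payload length (1 byte
    when SR is set, else 4 bytes big-endian), optional ID length."""
    flags, type_len, pos = rec[0], rec[1], 2
    if flags & 0x10:                                          # SR
        payload_len, pos = rec[pos], pos + 1
    else:
        payload_len, pos = int.from_bytes(rec[pos:pos + 4], "big"), pos + 4
    id_len = 0
    if flags & 0x08:                                          # IL
        id_len, pos = rec[pos], pos + 1
    return {"mb": bool(flags & 0x80), "me": bool(flags & 0x40),
            "tnf": flags & 0x07, "type": rec[pos:pos + type_len],
            "payload_len": payload_len,
            "record_len": pos + type_len + id_len + payload_len}


def parse_topaz_static(dump):
    if len(dump) < 15 * 8:
        raise ValueError("need the 15 static blocks (120 bytes)")
    # Static lock bytes sit in block 0x0e: bit n of LOCK0/LOCK1 locks block n.
    lock_bits = dump[0x70] | dump[0x71] << 8
    info = {"uid": dump[0:7].hex(), "manufacturer_byte": dump[6],
            "cc": parse_cc(dump[8:16]), "ndef": None,
            "locked_blocks": [b for b in range(16) if lock_bits >> b & 1]}
    for tag, length, value in parse_tlvs(dump[:STATIC_DATA_END], TLV_START):
        if tag == 0x01:
            info["lock_control"] = decode_control_tlv(value, lock=True)
        elif tag == 0x02:
            info["memory_control"] = decode_control_tlv(value)
        elif tag == 0x03:
            info["ndef"] = {"declared_len": length, "available": len(value),
                            "header": decode_ndef_header(value)}
    return info


if __name__ == "__main__":
    for key, value in parse_topaz_static(TOPAZ_STATIC).items():
        print("%-16s %s" % (key, value))
```

Run against the dump, the Lock Control TLV (f2 30 33) resolves to 48 lock bits at byte 0x7a with 8 bytes per bit and the Memory Control TLV (f0 02 03) to 2 reserved bytes at 0x78, which is exactly what the Proxmark printed; the NDEF TLV declares 334 bytes whose single record (header c5, TNF 5 "unknown", no type) carries a 328-byte payload, so only 78 of those bytes are in the static area and the rest has to be read from the dynamic blocks with READ-8.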