Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2015-04-24 14:38:52

Sixkay
Contributor
Registered: 2015-03-18
Posts: 14

Hitag 1 Authentication?

I have a Hitag1 tag where I want to read the encrypted data on it,
but there is no paper in which they tell how the requests for an authentication have to look.

I already found out how I read/write pages, get the UID and the config settings.
I also found that there are 2 types of encryption methods:
- with a password which is transmitted in plaintext at the beginning
- 32bit key with crypto algorithm

Because of the way my RFID lock is built it's not possible for me to sniff the transaction without destroying it.
So I wanted to brute force the 32bit key, but I have no idea how the request has to look.


#2 2015-04-26 09:14:53

proxmarkzzz
Contributor
Registered: 2014-04-23
Posts: 12

Re: Hitag 1 Authentication?

Can you share more information about your lock? Can you post some pictures of the lock and the key, and information from its origin? In principle you should be able to sniff the transaction even when you cannot access the contact/socket physically. The signals will most likely be available on the outside of the lock. It would be nice if you can record some samples and plot a few figures.


#3 2015-04-26 16:55:29

Sixkay
Contributor
Registered: 2015-03-18
Posts: 14

Re: Hitag 1 Authentication?

I have made some progress with my lock.
I found the paper http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HT1protocol.pdf
and know how the protocol has to look.
I also modified the /armsrc/hitag2.c file so that the proxmark sends 00110, to which the tags in range should
reply with 1[32 bit uid].
But when I send 30 (00110 filled with zeroes)
I get something different:

recorded activity:
ETU     :nbits: who bytes
---------+-----+----+-----------
+      0:    5:     30
+    211:   61: TAG 2f  e5  9e  55! 59! 66! 55! 78!

I think it is because the hitag2.c file sets the coding to Manchester, but in the Hitag1 protocol this command has to be sent in AC coding.
Does someone know how to change this properly?

My lock is a Winkhaus BlueSmart cylinder
http://www.winkhaus.com/de-de/~/media/images/content/products/800x389/bluesmart_zylinder_typ_01_xl.jpg
and the transponder is a passive Hitag1 (the tags have a very weak signal and short range):
http://www.winkhaus.com/de-de/~/media/images/content/products/800x389/schluessel_bluesmart_xl.jpg
With my proxmark3 and RFIDler v22 I wasn't able to sniff a transaction.

I sent some requests with my TS-RW38 reader/writer to a Hitag1 tag and sniffed with lf hitag snoop:

+ 166248:    5:     c8
+    117:     65: TAG 99! 99! 55! 5f! 95! f9! e7! 99! 80

+ 141003:    4:     90
+    116:     65: TAG 99! 99! 55! 5f! 95! f9! e7! 99! 80

Why do I sniff all the data from the reader right but not the answer from the tags?

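An added illustration (not code from this thread or from the Proxmark3 project) of the framing discussed in the post above: it packs the 5-bit 00110 command MSB-first the way the lf hitag list trace prints it (giving 30), builds the expected 1 + 32-bit UID reply for the key1 UID 8157cfbf given later in the thread, and runs a plain Manchester decoder that flags half-bit pairs no Manchester symbol can produce, which is what a decoder set to the wrong coding does with a frame sent in another coding. The Manchester polarity (0 -> 10, 1 -> 01) and the trace_line output format are assumptions for illustration.

```python
# Added example (not code from the thread or the Proxmark3 project).
# Frame packing as "lf hitag list" prints it (nbits, then MSB-first bytes),
# plus a plain Manchester encoder/decoder. Polarity 0->"10", 1->"01" is an
# assumption for illustration; the output format only mimics the trace.

MANCHESTER = {"0": "10", "1": "01"}  # assumed half-bit pattern per bit


def pack_bits(bits: str):
    """Pack a bit string MSB-first into zero-padded bytes; return (nbits, bytes)."""
    padded = bits + "0" * (-len(bits) % 8)
    data = bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8))
    return len(bits), data


def trace_line(who: str, bits: str) -> str:
    """Render a frame the way the trace shows it: bit count, sender, hex bytes."""
    nbits, data = pack_bits(bits)
    return f"{nbits:5d}: {who:3s} " + " ".join(f"{b:02x}" for b in data)


def uid_reply_bits(uid: int) -> str:
    """Expected answer to the 5-bit 00110 command: a '1' then the 32-bit UID."""
    return "1" + f"{uid:032b}"


def manchester_encode(bits: str) -> str:
    return "".join(MANCHESTER[b] for b in bits)


def manchester_decode(halfbits: str):
    """Decode half-bit pairs. '00' and '11' are not Manchester symbols:
    they become '?' and are counted, which is how a decoder set to the
    wrong coding reports a frame that was sent in another coding."""
    inverse = {v: k for k, v in MANCHESTER.items()}
    out, errors = [], 0
    for i in range(0, len(halfbits) - 1, 2):
        sym = inverse.get(halfbits[i:i + 2])
        if sym is None:
            errors += 1
            sym = "?"
        out.append(sym)
    return "".join(out), errors


if __name__ == "__main__":
    reply = uid_reply_bits(0x8157CFBF)          # key1 UID from the thread
    print(trace_line("", "00110"))              # 5 bits -> 30, as in the trace
    print(trace_line("TAG", reply))             # 33 bits -> c0 ab e7 df 80
    print(manchester_decode(manchester_encode(reply)))   # clean: 0 errors
    print(manchester_decode(reply))             # raw bits fed as half-bits: errors
```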

#4 2015-04-30 13:29:30

Sixkay
Contributor
Registered: 2015-03-18
Posts: 14

Re: Hitag 1 Authentication?

I just found out that there are 2 transponders in my tag.
In the tip of the key is a Hitag S transponder and in the middle of the key a larger Hitag1 transponder.

I had to build a new coil so I could send and receive data from the very small Hitag S transponder, but I'm still not
able to understand the responses. Here are some examples with my 2 keys
(key1 real UID is 8157cfbf and key2 UID is 82e57ff8):

proxmark3> lf hitag reader 21
#db# Starting Hitag reader family
#db# List identifier in password mode
#db# Configured for hitag2 reader
#db# Uknown frame length: 68
#db# frame received: 2
#db# All done
proxmark3> lf hitag list
recorded activity:
ETU     :nbits: who bytes
---------+-----+----+-----------
+      0:    5:     c8
+    210:   68: TAG fc! ff! ff! 2f  f3! 33! fc! aa! b0
proxmark3> lf hitag reader 21
#db# Starting Hitag reader family
#db# List identifier in password mode
#db# Configured for hitag2 reader
#db# Uknown frame length: 67
#db# frame received: 2
#db# All done
proxmark3> lf hitag list
recorded activity:
ETU     :nbits: who bytes
---------+-----+----+-----------
+      0:    5:     c8
+    210:   67: TAG ff! fc! ab  ff! ff! cb  3c! aa! c0!
