Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-07-28 13:43:36

Sixkay
Contributor
Registered: 2015-03-18
Posts: 14

Hitag S Challenge CRC?

Hello,

The 8-bit CRC checksum of the answer to the Challenge request is not built the same way as every other CRC in the protocol.
It's not known which bytes/bits go into the CRC. I tried every possible combination and still didn't get it right. The Challenge request is the only packet that the reader sends without a CRC, so I think the CRC of the response could use them.

The CRC function and protocol are in http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf and here
are some traces:

+     90:   45:     01  15  c1  14  65  38               00000  22b8228c a7   
+    209:   44: TAG fc! a9! 34  0f! fc! 60!              1111   ca9340ff c6       
+     90:   64:     44  33  22  11  ba  e9  e7  9f       4byte rnd + 4byte       
+    209:   44: TAG f0! 6a! d2! b1! ef  70               06ad2b1e f7(CRC)

+     90:   45:     01  15  c1  14  65  38             
+    209:   44: TAG fc! a9! 34  0f! fc! 60!           
+     90:   64:     55  44  33  22  22  e6  80  d6             
+    209:   44: TAG f6! c6! 43  10  31  60!            16(CRC)

+     90:   45:     01  15  c1  14  65  38             
+    209:   44: TAG fc! a9! 34  0f! fc! 60!           
+     90:   64:     66  55  44  33  bf  58  64  2c             
+    193:   44: TAG f2  bd! 23  ba  85  c0!              5c(CRC)

Can someone please help me out on how the CRCs 0xf7, 0x16 and 0x5c are calculated?

*edit*: I found out that the 4 bytes of the last message are the last bytes that are calculated into the CRC and that the first 4 bytes of the message before don't matter.

Last edited by Sixkay (2015-08-03 23:03:41)
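
An added example, not part of the original post and not Proxmark3 project code: a bit-level CRC-8 check run over the raw bytes of the first trace above. The polynomial 0x1D, preset 0xFF, MSB-first bit order and the skipping of the four leading 1 bits in tag replies are assumptions not stated in the post; with them the a7 and c6 checksums verify, while the f7 on the challenge reply does not, which is the mismatch the post asks about.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed parameters, not stated in the post: polynomial 0x1D, preset 0xFF, MSB first. */
#define CRC8_POLY   0x1Du
#define CRC8_PRESET 0xFFu

/* Bit `pos` of a packed frame; bit 0 is the MSB of buf[0], the first bit on air. */
static unsigned frame_bit(const uint8_t *buf, size_t pos) {
    return (buf[pos / 8] >> (7 - pos % 8)) & 1u;
}

/* CRC-8 over the bit range [start, start + nbits); frames need not be byte aligned. */
uint8_t crc8_bits(const uint8_t *buf, size_t start, size_t nbits) {
    uint8_t crc = CRC8_PRESET;
    for (size_t i = 0; i < nbits; i++) {
        unsigned feedback = ((crc >> 7) & 1u) ^ frame_bit(buf, start + i);
        crc = (uint8_t)(crc << 1);
        if (feedback) crc ^= CRC8_POLY;
    }
    return crc;
}

/* The 8 bits starting at bit `start`, e.g. the transmitted CRC field. */
uint8_t frame_byte_at(const uint8_t *buf, size_t start) {
    uint8_t v = 0;
    for (size_t i = 0; i < 8; i++) v = (uint8_t)((v << 1) | frame_bit(buf, start + i));
    return v;
}

/* 1 if the frame's last 8 bits equal the CRC of bits [skip, total_bits - 8). */
int frame_crc_ok(const uint8_t *buf, size_t total_bits, size_t skip) {
    if (total_bits < skip + 8) return 0;
    return crc8_bits(buf, skip, total_bits - 8 - skip) == frame_byte_at(buf, total_bits - 8);
}

/* Raw bytes copied from the first trace in the post; tag replies skip 4 leading 1 bits (assumption). */
const uint8_t READER_FRAME[]    = {0x01, 0x15, 0xc1, 0x14, 0x65, 0x38}; /* 45 bits */
const uint8_t TAG_REPLY[]       = {0xfc, 0xa9, 0x34, 0x0f, 0xfc, 0x60}; /* 44 bits */
const uint8_t CHALLENGE_REPLY[] = {0xf0, 0x6a, 0xd2, 0xb1, 0xef, 0x70}; /* 44 bits */

int main(void) {
    printf("reader frame    crc ok: %d\n", frame_crc_ok(READER_FRAME, 45, 0));
    printf("tag reply       crc ok: %d\n", frame_crc_ok(TAG_REPLY, 44, 4));
    printf("challenge reply crc ok: %d\n", frame_crc_ok(CHALLENGE_REPLY, 44, 4));
    return 0;
}
```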
