Proxmark3 community

rf_hack

Contributor

Registered: 2008-08-20

Posts: 16

No security in Tag-IT

Tag-IT got no security in it. This is a non secured chip with some options to lock write after personalisation

Secured chip from TI-RFID is name SpeedPass and has already been broken by students 2 or 3 years ago.

atrox

Contributor

Registered: 2010-01-08

Posts: 35

Re: No security in Tag-IT

afiak tag-it uses the iso15k standard - is there a way to modify the hi15reader-command so it also reads all the memory banks in the tag-it transponder?

iZsh

Contributor

Registered: 2010-01-02

Posts: 95

Re: No security in Tag-IT

During my stay in Berlin for 26c3, the Hotel I was staying at was using a RFID card I couldn't identify using the proxmark. So I brought one back home to identify it. And it was a tag-it one (see http://www.dropbox.com/gallery/4064278/ … 9?h=ae1eb6). So, needless to say, it's my next target (after I complete the code cleaning I'm currently doing)

Last edited by iZsh (2010-02-03 02:27:07)

iZsh

Contributor

Registered: 2010-01-02

Posts: 95

Re: No security in Tag-IT

I took a look at the Tag-it reference manual. It indeed seems to be using the ISO15693 standard, but with a dual subcarrier. From what I can see in the current proxmark's code, it's only supporting single subcarrier.

Not being a signal processing guy I'm not sure what need to be done to support dual subcarrier. I'll first need to learn some signal processing background I guess.

henryk

Contributor

Registered: 2009-07-27

Posts: 99

Re: No security in Tag-IT

IIRC the dual subcarrier should gracefully degrade to single subcarrier on the receiver side, if you correctly filter out the single subcarrier that you support. (It's been some time since I looked into 15693, so I might be wrong.)

iZsh

Contributor

Registered: 2010-01-02

Posts: 95

Re: No security in Tag-IT

Actually I take it back. The frames are not the same than ISO15693.

atrox

Contributor

Registered: 2010-01-08

Posts: 35

Re: No security in Tag-IT

here http://www.proxmark.org/forum/post/2883/#p2883 I modified the iso15k reader-command to access and print the memory pages. I'll will report back as soon as I know if they work on TagIT transponders.

atrox

Contributor

Registered: 2010-01-08

Posts: 35

Re: No security in Tag-IT

Actually there are two TAG-IT Standards:

"Tag-IT HF-I" (released by TI in 2001) which is ISO15693 compatible (64Bit UID)

"Tag-IT HF" is older and uses a proprietary protocol (32Bit UID)

atrox

Contributor

Registered: 2010-01-08

Posts: 35

Re: No security in Tag-IT

IIRC the dual subcarrier should gracefully degrade to single subcarrier on the receiver side, if you correctly filter out the single subcarrier that you support. (It's been some time since I looked into 15693, so I might be wrong.)

I agree, that should work. But as far as I understand, a full dual-carrier implementation should make transmissions more robust than single subcarrier... ?

I've tried the current  signal processing implementation in the iso15693.c with dual carrier transmissions and it does not cope very well. In fact, the error rate is so high you need quite luck to read something.  If we like to filter a subcarrier, the ideal place for that would be the FPGA, wouldn't it ?