Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2021-07-22 00:07:39

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

OSDP traffic

Not directly related but has anyone tried to look at OSDP traffic and hack on the protocol?  There are some interesting exploits and the encryption is...:-(  Getting the conversation started!

Offline

#2 2021-07-24 17:59:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: OSDP traffic

there are some interesting exploits

   ??  care to share some information or links to source for that?

Offline

#3 2021-10-02 18:33:46

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: OSDP traffic

Don't have links but one interesting thing...the BUSY signal from the PD (reader) can be sent unencrypted back to the panel even if secure-channel is enabled.  With the current specification, the BUSY signal can be sent unencrypted indefinitely making the APU (panel) think that nothing at all is wrong.  It's a way to respond to a poll that was sent over secure channel without responding with a secure response. Additionally, some manufacturer's devices (Cypress-based) can be reset from the bus, making the reader jump back to RS485 Address 0 with Secure channel disabled and reset to the default base key.  This reset process is also accepted unencrypted.  A perfect way to inject a man-in-the middle attack to scan swipes without the panel knowing about it with a very simple circuit just added to the bus.  There's more...

Last edited by hkplus (2021-10-02 18:39:22)

Offline

#4 2021-10-02 18:36:37

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: OSDP traffic

Iceman, I need a favor...I could not find the bit and parity structure of HID Corp 1000 48 bit format with a search...do you have this offhand?  Also looking for how to generate the checksum of Securikey, but I don't think anyone but the manufacture knows that calculation.  I am sure I can find the Corp 1000 48 bit format someplace...

Last edited by hkplus (2021-10-02 18:37:45)

Offline

Board footer

Powered by FluxBB