Proxmark3 community

securitoys

Contributor

Registered: 2015-06-13

Posts: 19

Unknown 13.56MHz tag in toy, not found by hf search, suggestions?

There's this inexpensive toys-to-life game called Hero Portal.  No console needed, the reader plugs right into your TV and has a game built-in: http://www.jakks.com/hero-portal.html

The toys have an unknown (to hf search) 13.56MHz tag in them, per these FCC documents: https://fccid.io/OTA78433 and particularly this block diagram: https://fccid.io/document.php?id=2349804

This is the brief on the tag itself: http://www.sinomatrix.com/pdf/BriefHL5230.pdf which says it's read-only, 8-bit ID, which, okay, super boring, except for the fact that the PM3 doesn't even find it.

Also, I'm not sure the FCC documents are correct.  This other page: http://www.holylite.com.tw/demo.html (scroll down) lists a different IC for the toys, 5322: http://www.sinomatrix.com/pdf/BriefHL5322.pdf

The 5322 says it has a buzzer and an LED, controllable by the reader, which would be more interesting.  But, popping open a toy, it doesn't look like it has either, and the toy itself is opaque, so an LED would be useless.

Here's the hf search/list/search output:

pm3 --> hf search
          
Card doesn't support standard iso14443-3 anticollision          
ATQA : ba 00          
#db# max behindby = 3, samples = 600002, gotFrame = 0, Demod.len = 0, Demod.sumI = -10, Demod.sumQ = 4                 
#db# max behindby = 3, samples = 600002, gotFrame = 0, Demod.len = 0, Demod.sumI = -1, Demod.sumQ = -12                 
#db# max behindby = 3, samples = 600002, gotFrame = 0, Demod.len = 0, Demod.sumI = 12, Demod.sumQ = -3                 
#db# max behindby = 3, samples = 600002, gotFrame = 0, Demod.len = 0, Demod.sumI = 0, Demod.sumQ = -9                 
#db# max behindby = 3, samples = 600002, gotFrame = 0, Demod.len = 0, Demod.sumI = 0, Demod.sumQ = 11                 

no known/supported 13.56 MHz tags found
          
pm3 --> hf list raw
Recorded Activity (TraceLen = 60 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
pm3 --> hf search
          
#db# max behindby = 3, samples = 600002, gotFrame = 0, Demod.len = 0, Demod.sumI = 0, Demod.sumQ = 0                 
#db# max behindby = 3, samples = 600002, gotFrame = 0, Demod.len = 0, Demod.sumI = -8, Demod.sumQ = -2                 
#db# max behindby = 3, samples = 600002, gotFrame = 0, Demod.len = 0, Demod.sumI = 8, Demod.sumQ = -2                 
#db# max behindby = 3, samples = 600002, gotFrame = 0, Demod.len = 0, Demod.sumI = 0, Demod.sumQ = 0                 
#db# max behindby = 3, samples = 600002, gotFrame = 0, Demod.len = 0, Demod.sumI = -8, Demod.sumQ = -2                 

no known/supported 13.56 MHz tags found

(That ATQA output is sporadic at best, and doesn't always return the same data.)

Assuming it's just a 5230, what are my next steps in figuring how to identify the token and properly read the 8-bit ID?

Last edited by securitoys (2015-12-09 15:32:39)

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: Unknown 13.56MHz tag in toy, not found by hf search, suggestions?

try to sniff the tag/reader communication using `hf snoop`

asper

Contributor

Registered: 2008-08-24

Posts: 1,409

Re: Unknown 13.56MHz tag in toy, not found by hf search, suggestions?

Do you see a voltage drop before and after positioning the toy over the antenna ? Can you show it ?

securitoys

Contributor

Registered: 2015-06-13

Posts: 19

Re: Unknown 13.56MHz tag in toy, not found by hf search, suggestions?

@marshmallow, I haven't picked up a reader yet, was wondering if there was anything else I could do prior to that.

@asper, yes:

# HF antenna: 13.12 V @    13.56 MHz          

# HF antenna: 12.02 V @    13.56 MHz          

There's effectively no voltage change with the LF antenna.

asper

Contributor

Registered: 2008-08-24

Posts: 1,409

Re: Unknown 13.56MHz tag in toy, not found by hf search, suggestions?

It is not ISO standard, probably a simple modulated 13.56MHz interface. You will need an oscilloscope or maybe the new pm3 function but i never used that because it is too recent.