Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-02-18 14:27:53

bigfoot
Contributor
Registered: 2017-02-16
Posts: 5

Snooping inventory command

I am analyzing the communication between a reader and an ISO15693 tag (EM4233SLIC - not iClass, but using proxmark iclass). A snoop command at the moment when the reader first has access to the tag returns (I have changed some of the values, so CRC will not match):

         0 |         0 | Rdr | 26  01  00  f6  0a                                         |     | ? # Inventory request (Cmd 01) with flags 0x26
         0 |         0 | Tag | 00  00  e4  cf  6f  9a  07  45  16  e0  b1  65             |  ok | # ID (in reversed order)
         0 |         0 | Tag | 00  01  30  fc  e9  83  f9  4b                             |  ok | # BLOCK 0
         0 |         0 | Tag | 00  01  0b  2e  00  26  9d  05                             |  ok | # BLOCK 1
         0 |         0 | Tag | 00  01  6c  89  78  85  fa  9b                             |  ok | # BLOCK 2
         0 |         0 | Tag | 00  01  c5  56  c8  d2  1d  64                             |  ok | # BLOCK 3

My question: is it possible that several blocks are read without the reader asking for it? According to the documentation an inventory command should only get the UID as response. Where do the further readings come from? Am I missing a Rdr command or is it possible to "program" the tag to return further data upon inventory?

(I have played around with the position of the antenna, now the readings are quite reproducible.)

Thanks for any help.

Offline

#2 2017-02-18 17:13:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Snooping inventory command

Given there is only one reader request, and the rest are tag responses, I'd say you are missing many reader requests.

Offline
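An added example, not part of the original thread or of the Proxmark3 code: it decodes the inventory exchange from post #1 and counts tag frames that no captured reader frame can account for. The function names are hypothetical, and the count assumes a single tag in the field answering each request at most once.

```python
# Added example (not from the thread): sanity-check an ISO15693 snoop trace.
# TRACE is copied from post #1; the poster altered some of the tag bytes.

def crc15693(data: bytes) -> int:
    """ISO/IEC 13239 CRC-16: reflected poly 0x8408, init 0xFFFF, inverted."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def crc_ok(frame: bytes) -> bool:
    """The CRC follows the payload, least significant byte first."""
    return len(frame) > 2 and crc15693(frame[:-2]) == int.from_bytes(frame[-2:], "little")

def decode_inventory_request(frame: bytes) -> dict:
    flags = frame[0]
    if frame[1] != 0x01 or not flags & 0x04:
        raise ValueError("not an inventory request")
    return {
        "high_data_rate": bool(flags & 0x02),
        "afi_present": bool(flags & 0x10),
        "slots": 1 if flags & 0x20 else 16,
        "crc_ok": crc_ok(frame),
    }

def uid_from_inventory_response(frame: bytes) -> str:
    """Response = flags, DSFID, UID (LSB first), CRC; return the UID MSB first."""
    return frame[2:10][::-1].hex()

def missed_reader_requests(trace) -> int:
    """Count tag frames that no captured reader frame can account for."""
    budget = missed = 0
    for src, hexframe in trace:
        frame = bytes.fromhex(hexframe)
        if src == "Rdr":
            # A 16-slot inventory may draw up to 16 answers, anything else one.
            inv = frame[1] == 0x01 and frame[0] & 0x04
            budget = 16 if inv and not frame[0] & 0x20 else 1
        elif budget:
            budget -= 1
        else:
            missed += 1
    return missed

TRACE = [("Rdr", "260100f60a"), ("Tag", "0000e4cf6f9a074516e0b165"),
         ("Tag", "000130fce983f94b"), ("Tag", "00010b2e00269d05"),
         ("Tag", "00016c897885fa9b"), ("Tag", "0001c556c8d21d64")]
```

Flags 0x26 decode to high data rate, inventory and a single slot, so the one captured request explains only the UID frame; the four block frames point to reader requests missing from the capture.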

#3 2017-02-20 09:16:44

bigfoot
Contributor
Registered: 2017-02-16
Posts: 5

Re: Snooping inventory command

Thanks @iceman, the problem is I really cannot get further Rdr requests. Any tip how to improve that? Is it only about the antenna placement or is there maybe a timeout or something like that in the code, so that messages that come too fast are not snooped?

Offline

#4 2017-02-20 11:46:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Snooping inventory command

I suggest having debuglevel set to 1 (hf mf dbg 1) and making sure I have a strong HF antenna.
Besides that, it's down to placement I guess.

Offline

#5 2017-02-21 18:25:20

bigfoot
Contributor
Registered: 2017-02-16
Posts: 5

Re: Snooping inventory command

By trying many times with different antenna placements I did manage to capture at least one read command, but still only one out of many tag responses. My HF antenna seems to be quite strong according to hw tune (about 20 V). The suggested command to increase debuglevel applies to mf. Anything similar for iclass?

Offline
