Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-01-27 10:45:46

scroggyg
Contributor
Registered: 2012-09-07
Posts: 14

Cotag Analysis

I have been looking at the security of Cotag. There have been 2 generations of Cotag, the first was an active tag, and used a battery and dedicated silicon. The second is passive and I suspect uses standard silicon.
The passive tag operates solely at 132KHz and the tag will not respond until the following sequence is sent by the Reader.
4 pulses at 132 Khz. The first burst  is 800 microseconds, a gap of 2.2msecs, a burst of 3.6 mSecs, a gap of 2.2 mSecs, a burst of 800uSecs, a gap of 2.2 mSecs, and then a pulse of 3.6mSecs. If no response the reader waits 17mSecs, and the resend the wake up sequence.
Looking at the ATA5577 data sheet the closest mode is Answer on Reset (AOR) but this seems to imply sending a password, but the burst seem too short for a password.
Using the proxmark I then captured a trace using the following sequence
lf config q 89 b 8
lf snoop
data samples 40000
data plot
data save <filename>
I will attach the captured file, which seemed to show amplitude modulation.
Any thought and input would be appreciated.

Offline

#2 2017-01-27 11:25:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Cotag Analysis

Perfect!
I've push an initial (test) of adding the cotag start sequence, to read samples from a Cotag into icemanfork.

You can test it so I can adapt it to how your cotag reader sends.

Offline

#3 2017-01-31 16:51:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Cotag Analysis

Got the tags today.
I think I got the reader sequence up,  and it collects some tag responses now.  Looks like PSK.
Bad signal,

Offline

#4 2017-01-31 23:38:03

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Cotag Analysis

At least the cotag-tag is talking,   https://www.sendspace.com/file/pgxa2y

Offline

#5 2017-02-03 14:23:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Cotag Analysis

I've added COTAG detection to iceman fork.

I suggest @OP edits the subject and add [solved] to it in the beginning.

Offline

#6 2017-02-03 16:41:33

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Cotag Analysis

iceman has done some great work making this demod.

Below is what we found out about Cotag:

his tag had these printed #'s: 161-333593

the cotag requires a wake-up command of sorts which others have kindly snooped and iceman was able to mimic
the first traces he captured were very weak and he had to select a larger antenna (still investigating)
the traces he then captured could not catch the entire repeating message as it was longer than 40k samples. 
I identified the message as ASK modulation with manchester encoding but with a VERY low bitrate (high clock) RF/768

we also were able to identify that the printed number is in the data we got but in LSB order.  without any form of encryption (as outlined below)

Because of the bitrate and the fact we cannot collect enough samples to get to the end of the message iceman had to build a realtime demod on the deviceside.

with the demod built we were able to get the full repeating binary string for his tag:

1001110011000001 10000101 00000000 10000101 00000000 01111011 10000001 10100000 10000000 00000000 00000000 00000000 00000000 00000000 00000000

  16 bytes total in LSB order
reverse the bits and we get this pattern:

[leading 0's]
00000000 00000000 00000000 00000000 00000000 00000000
[unknown][cs/parity][unknown][unknown][ FC?   ][  FC   ][  FC?  ][  FC   ][Card# (without leading 3)]
00000001  00000101  10000001 11011110 00000000 10100001 00000000 10100001 1000001100111001
                                                  161               161         33593

the CS/Parity is unknown but appears to be the only other changing data from card to card. 

Iceman has built an auto detection and demod of this tag now that will print the full binary of the tag so we can further investigate this checksum and it can be found in his fork as well as mine.  it is tied into `lf search` in these forks.

happy testing!

Offline

#7 2017-03-11 18:33:25

Noclafasm
Contributor
Registered: 2014-11-17
Posts: 10

Re: Cotag Analysis

Hi, I have 3 active cotag tags and I have just finished creating an antenna tuned for 132 kHz (hopefully). This is all tested with iceman fork version v1.7.0.

# LF antenna: 24.89 V @   125.00 kHz
# LF antenna: 37.40 V @   134.00 kHz
# LF optimal: 38.64 V @   131.87 kHz

When using lf cotag read, I get the following (tag present)

pm3 --> lf cotag read
Sending bytes to proxmark failed
DEBUG: Error - COTAG too many errors: 65

When using lf cotag read 2, I get:
lfread2.jpg

Data: http://pastebin.com/88ufbNdQ

I am a little lost on how to go from here as I have little understanding of the physics behind RFID and the low level modulation protocols.

Last edited by Noclafasm (2017-03-11 18:34:57)

Offline

#8 2017-03-13 11:49:32

Noclafasm
Contributor
Registered: 2014-11-17
Posts: 10

Re: Cotag Analysis

So using the same commands as OP, I tried to capture the reader activation sequence. This sequence repeats and repeats and I have captured this with my makeshift antenna from around 10cm away from the reader.
reader_activation.png
http://pastebin.com/SkKPAMye

Offline

#9 2018-06-28 08:57:22

Sentinel
Contributor
Registered: 2012-11-26
Posts: 190

Re: Cotag Analysis

Cotag PR-500 C1 Card Reader
uCdrOWW.jpg

Offline

#10 2018-06-28 09:25:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Cotag Analysis

nice.  Now some traces or sniffs from it in order to enhance current cotag functionality smile

Offline

Board footer

Powered by FluxBB