Proxmark developers community


#1 2018-03-26 17:58:39

eychei
Contributor
Registered: 2018-03-25
Posts: 2

HitagS problem

Hi everyone.

First, thanks to iceman for showing me the documents to read for the Proxmark3.

I did look into the wiki and the threads here but still have problems.

When trying to read a HitagS chip I do not get any response from the chips I have.

Maybe someone can help me out.

This is my firmware and hardware version: (proxmark3 easy elechouse)
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-351-g51d51c6-suspect 2018-02-26 15:13:40
os: master/v3.0.1-351-g51d51c6-suspect 2018-02-26 15:13:44
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59

uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 199577 bytes (76%). Free: 62567 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory


Doing a hw tune gives me this:

# LF antenna: 24.06 V @   125.00 kHz
# LF antenna: 16.09 V @   134.00 kHz
# LF optimal: 28.05 V @   118.81 kHz
# HF antenna: 19.64 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

So antennas look fine.

I do an lf search:

NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:


nothing...

With lf read I get this:


proxmark3> lf read
#db# LF Sampling config:
#db#   [q ] divisor:           95
#db#   [b ] bps:               8
#db#   [d ] decimation:        1
#db#   [a ] averaging:         1
#db#   [t ] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 7f 81 85 7f 7e 87 81 81 ...
Reading 39999 bytes from device memory

Data plot just gives me noise, or so it seems.

Trying lf hitag read 02 0 gives me:

proxmark3> lf hitag read 02 0
#db# Authenticating using key:
#db# 00 00 00 00 00 00
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button

When looking at the data with lf hitag list I get this:

lf hitag read 02 0
#db# Authenticating using key:
#db# 00 00 00 00 00 00
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
proxmark3> lf hitag list
recorded activity (TraceLen = 0 bytes):
ETU     :nbits: who bytes
---------+-----+----+-----------
+      0:    5:     c0
+     90:    5:     c0
+     90:    5:     c0
+     90:    5:     c0
+     90:    5:     c0
+     90:    5:     c0
+     90:    5:     c0
+     90:    5:     c0
etc....

So the reader is sending c0 which should return the UID. But there is nothing.

The Hitag chip does not use any protection / password / key etc.

Hope someone can help me out.


-e
