Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-03-18 21:02:14

datatype
Contributor
Registered: 2019-03-18
Posts: 4

Controlling the reader field

Hi,

Maybe a stupid question: Is there a way to keep the reader field active after a "hf 15 cmd raw" as it seems to be possible  in "hf 14a..."?

Background:
I am playing around with a SLIX-L tag which is in a so called "privacy mode".
This means it will not respond to no ISO15693 command except "Get random number".
The tag will respond with a 2Byte random number, and with this you can "unlock" the chip by sending the 4Byte password XOR 2 times the previous received random number. (This means no security at all, I dont really understand the purpose of the XOR...)
After that the chip will reply to all defined 15693 commands like inventory and give Access to the memory.

I have sniffed the communication with the original application, and was able to capture the "secret" password.
(Thanks for adding hf 15 snoop by the way…).

My problem now is, I can send "hf 15 cmd raw -c 02B204" to it and get the random number, but as I understand, the proxmark here turns the rf on, sends the command, awaits the response and turn the rf off after receiving the answer…
So in communication with a SLIX this means the random number is invalidaded.
Even if this would not be the case and I would sucessfully unlock the tag with "hf 15 cmd raw -c 02B3...", turning off the reader field afterwards would mean the unlocked SLIX would immediately lock again…

So is there a way to manually control the reader field?

Thanks,
   datatype

Offline

#2 2019-03-19 18:53:35

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Controlling the reader field

In fact all 'hf 15 cmd' had left the field on in previous releases to allow what you are requesting. This has been removed after reports on RDV4 overheating. See http://www.proxmark.org/forum/viewtopic.php?id=5506:

* Continuously usage will cause overheating, so try not to use it under crazy conditions (Under the sun or extreme condition)
* Official Repo will cause overheating, since it is quite lax in turning off the antenna.

I am hesitating to re-enable this option and risk RDV4 damage. On the other hand there are still commands which leave the field on if required (emv commands. hf 14a raw) - and so far no RDV4 user had complained damage so far.

Any idea how to handle this?

Offline

#3 2019-03-19 20:08:44

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Controlling the reader field

the 14a raw commands have a -p option to leave the field on after command.  we could use a similar switch for the same effect.  no?

Offline

#4 2019-03-19 21:14:29

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Controlling the reader field

Sure. But what about the RDV4.0 owners? Do we simply ignore the overheating issue? Or display a warning when leaving the field on, e.g. like "on RDV4: use at your own risk"? Or add a switch like

proxmark3.exe com3 -allow_hf_field_constantly_on_despite_overheating_risk_and_yes_I_know_what_I_am_doing

?

Offline

#5 2019-03-19 22:10:28

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Controlling the reader field

A warning could be put in the cmd help.  But from what I recall it had to be left on a long time to be of concern.   I believe iceman did some tests around this, but I can't remember the exact outcome...

Last edited by marshmellow (2019-03-19 22:16:08)

Offline

#6 2019-03-20 08:30:38

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Controlling the reader field

I have never seen any statement how long it takes to overheat and if there is just heat or irreversable damage. What you remember is probably my post about this issue http://www.proxmark.org/forum/viewtopic.php?id=5842 - but this was about a respective test for the other board revisions (non RDV4.0).

Offline

Board footer

Powered by FluxBB