Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#1 2019-11-07 18:53:38

bob12x
Contributor
Registered: 2019-10-27
Posts: 4

ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hello,

I'm new with Proxmark and learning much.

I understand now to use "GET RANDOM NUMBER" and "SET PASSWORD" commands, but fail with "WRITE PASSWORD" command.


Could someone explain the correct sequence and proxmark command?

Offline

#2 2019-11-27 23:18:14

grspy
Contributor
Registered: 2019-11-26
Posts: 2

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Everything you ask is in the datasheets.

GET RANDOM NUMBER (B2h):

hf 15 raw -c <FLAGS> B2 <IC Mfg code> <reversed UID>

e.g. for a SLIX2 tag with UID E0040102030405AB ->

hf 15 raw -c 22 B2 04 AB050403020104E0

SET PASSWORD (B3h):
This is essentially the authentication for a specific functionality (see Password identifier) which uses the response of the last "GET RANDOM NUMBER" command.

hf 15 raw -c <FLAGS> B3 <IC Mfg code> <reversed UID> <Password identifier> <XOR password>

where:
XOR_Password[31:0] = Password[31:0] XOR {Random_Number[15:0],Random_Number[15:0]}
Password identifier = 01h for Read, 02h for Write, 04h for Privacy, 08h for Destroy and 10h for EAS/AFI
e.g.

hf 15 raw -c 62 B3 04 AB050403020104E0 10 01020304

WRITE PASSWORD (B4h):
After you have set a correct password for a specific functionality, you can write a new one using this command.

hf 15 raw -c <FLAGS> B4 <IC Mfg code> <reversed UID> <Password identifier> <Password>

e.g.

hf 15 raw -c 62 B4 04 AB050403020104E0 10 11223344

Offline
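
The sequence from post #2 as a small helper, added here as an illustration and not code from the thread or from the Proxmark project: it takes a GET RANDOM NUMBER response, computes the XOR password, and returns the SET PASSWORD and WRITE PASSWORD command lines in the format shown above. The function names and the byte order (password and random number both taken in the order they appear in the pm3 output) are assumptions.

```python
# Added example (not from the thread). Assumption: password and random
# number are both handled in the byte order shown in the pm3 output.
NXP_MFG = "04"  # IC Mfg code used in the post
PWD_ID = {"read": 0x01, "write": 0x02, "privacy": 0x04,
          "destroy": 0x08, "eas_afi": 0x10}  # identifiers listed in the post


def reverse_uid(uid_hex):
    """E0040102030405AB -> AB050403020104E0, as the raw command expects."""
    uid = bytes.fromhex(uid_hex)
    if len(uid) != 8:
        raise ValueError("ISO15693 UID must be 8 bytes")
    return uid[::-1].hex().upper()


def parse_random(resp_hex):
    """Pull the 2 random bytes out of a GET RANDOM NUMBER response
    (flags byte, 2 random bytes, 2 CRC bytes; CRC is not re-checked here)."""
    resp = bytes.fromhex(resp_hex)
    if len(resp) < 2:
        raise ValueError("response too short")
    if resp[0] & 0x01:  # ISO15693 error flag; next byte is the error code
        raise ValueError(f"tag returned error code {resp[1]:02X}")
    if len(resp) != 5:
        raise ValueError("expected flags + 2 random bytes + 2 CRC bytes")
    return resp[1:3]


def xor_password(password_hex, rnd):
    """Password[31:0] XOR {Random_Number[15:0], Random_Number[15:0]}."""
    pwd = bytes.fromhex(password_hex)
    if len(pwd) != 4 or len(rnd) != 2:
        raise ValueError("need a 4-byte password and a 2-byte random number")
    return bytes(p ^ rnd[i % 2] for i, p in enumerate(pwd)).hex().upper()


def raw_cmd(flags, opcode, uid_hex, *params):
    """Format one command line: flags, opcode, Mfg code, reversed UID, params."""
    return " ".join(["hf 15 raw -c", flags, opcode, NXP_MFG,
                     reverse_uid(uid_hex), *params])


def change_password_cmds(uid_hex, kind, old_pwd, new_pwd, rnd_resp):
    """SET PASSWORD with the XORed current password, then WRITE PASSWORD
    with the new one. rnd_resp must be the latest GET RANDOM NUMBER reply."""
    ident = f"{PWD_ID[kind]:02X}"
    xored = xor_password(old_pwd, parse_random(rnd_resp))
    return [raw_cmd("62", "B3", uid_hex, ident, xored),
            raw_cmd("62", "B4", uid_hex, ident, new_pwd)]
```

A response whose first byte has the error flag set, such as `01 0F 68 EE`, makes `parse_random` raise instead of returning bytes that would produce a wrong XOR password.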

#3 2019-12-19 22:54:44

Gambrius
Contributor
From: germany
Registered: 2019-10-28
Posts: 14

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hi grspy,

Thanks for your detailed description. I have been trying for a while now to get the "WRITE PASSWORD" working. Although the documentation of NXP is not too bad, I do not get it to work.

"Flags":
In your example you use the flag 62, which is a combination of "Data Rate High (1)", "Addressed (5)" and "Option 6".
What does option 6 stand for?

"IC Mfg code":
You are using "IC Mfg code" = 4.
In the documentation there is only 1 for "Select Mode" and 2 for "Addressed Mode" mentioned. What does 4 stand for? According to the flags you used the value 2 would be correct, or? (I tried the 4 and 2! Both do not work for me!)

I am stuck right now. I do not get it to work. All the ISO15693 cards I have work with the "random number" just fine. And therefore I am guessing the privacy mode should work as well. But it does not!

I need some help! What should I do next to try this?

Regards,
Gambrius

P.S.: In an earlier version I wrote my text in German. Sorry for that.
Thanks Iceman for the reminder.

Last edited by Gambrius (2019-12-23 16:08:17)

Offline

#4 2019-12-20 16:50:01

iceman
Administrator
Registered: 2013-04-25
Posts: 6,074

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

@gambrius, we have a strict language rule on the forum where we use English.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#5 2020-01-08 18:59:37

fazer
Contributor
Registered: 2019-03-02
Posts: 32

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Good evening, I tried the magic changer UID card, I rewrote all the blocks, not possible to write the dump because my card has 80 blocks. Does not work. Otherwise here are more examples on my card, I put X to hide my card because I'm still in the mountains LOL.
[usb] pm3 --> hf 15 raw -c 22 AB 04 XXXXXXXX080104E0
[=] received 10 octets         
[+] 00 00 00 00 7F 35 00 00 DC D4
[usb] pm3 --> hf 15 raw -c 22 BD 04 XXXXXXXX080104E0
[=] received 35 octets         
[+] 00   [ 5E 83 AA EA 77 75 13 EF 56 DD 82 14 3C 42 84 E5 EA 70 A2 11 DC 74 EF 52 FF 70 E4 04 99 A7 E7 63 ]    (3A 81) ? 
[usb] pm3 --> hf 15 raw -c 22 AB 04 XXXXXXXX80104E0
[=] received 10 octets         
[+] 00 00 00 00 7F 35 00 00 DC D4
[usb] pm3 --> hf 15 raw -c 22 B3 04 XXXXXXXX080104E0
[=] received 4 octets         
[+] 01 0F 68 EE 
Tomorrow I will try to snort the reader, not easy but I will try. Good evening.

Last edited by fazer (2020-01-08 20:51:43)

Offline

#6 2020-01-10 13:17:39

fazer
Contributor
Registered: 2019-03-02
Posts: 32

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hello Gambrius, I read the manufacturer's doc; there are no flags 62 for my card. However, how to obtain (IC signature public key name: NXP ICODE SLIX2 / DNA)? Because with this command hf 15 raw -c 22 BD 04 XXXXXXXX080104E0 I get (TAG IC Signature). With the command inventory read A0h I get nothing & fast inventory read A1h same. Good day.
IC mfg code ='04' NXP semiconductor  Germany

I try again to sniff reader, not easy.

Last edited by fazer (2020-01-10 17:50:11)

Offline

#7 2020-01-16 15:30:46

fazer
Contributor
Registered: 2019-03-02
Posts: 32

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hello, today I tried to sniff the reader without success. But I can tell you that the key
  Signature Tag
     IC signature public key name: NXP ICODE SLIX2 / DNA
     IC signature public key value:
it is identical for all the cards I have.
Have a good day.

Ah yes, the RDV4 battery works very well & for a long time.

Last edited by fazer (2020-01-16 15:33:54)

Offline
