Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2019-11-07 18:53:38

bob12x
Contributor
Registered: 2019-10-27
Posts: 4

ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hello,

Im new with Proxmark and learning much.

I understand now to use "GET RANDOM NUMBER" and "SET PASSWORD " commands, but fail with "WRITE PASSWORD" command.


Could someone explain the correct sequence and proxmark command?

Offline

#2 2019-11-27 23:18:14

grspy
Contributor
Registered: 2019-11-26
Posts: 2

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Everything you ask is in the datasheets.

GET RANDOM NUMBER (B2h):

hf 15 raw -c <FLAGS> B2 <IC Mfg code> <reversed UID>

e.g. for a SLIX2 tag with UID E0040102030405AB ->

hf 15 raw -c 22 B2 04 AB050403020104E0

SET PASSWORD (B3h):
This is essentially the authentication for a specific functionality (see Password identifier) which uses the response of the last "GET RANDOM NUMBER" command.

hf 15 raw -c <FLAGS> B3 <IC Mfg code> <reversed UID> <Password identifier> <XOR password>

where:
XOR_Password[31:0] = Password[31:0] XOR {Random_Number[15:0],Random_Number[15:0]}
Password identifier = 01h for Read, 02h for Write, 04h for Privacy, 08h for Destroy and 10h for EAS/AFI
e.g.

hf 15 raw -c 62 B3 04 AB050403020104E0 10 01020304

WRITE PASSWORD (B4h):
After you have set a correct password for a specific functionality, you can write a new one using this command.

hf 15 raw -c <FLAGS> B4 <IC Mfg code> <reversed UID> <Password identifier> <Password>

e.g.

hf 15 raw -c 62 B4 04 AB050403020104E0 10 11223344

Offline

#3 2019-12-19 22:54:44

Gambrius
Contributor
From: germany
Registered: 2019-10-28
Posts: 25
Website

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hi grspy,

Thanks for your detailed description. I am trying for a while right now to get the „WRITE PASSWORD“ working. Although the documentation of nxp is not to bad i do not get it to work.

„Flags":
In you example you use the flag 62, which is a combination of „Data Rate High (1)“, „Addressed (5)“ and „Option 6“.
What does option 6 stand for?

„IC Mfg code":
Yoe are using "IC Mfg code“ = 4.
In the documentation there is only 1 for "Select Mode" and 2 for "Addressed Mode" mentioned. What does 4 stand for? According to the flags you used the value 2 would be correct, or? (I tried the 4 and 2! Both do not work for me!)

I am stuck right now. I do not get it to work. All the iso15693 cards i have work with the „random number“ just fine. And therefore i am guessing the privacy mode should work as well. But it does not!

I need some help! What should I do next to try this?

Regards,
Gambrius

P.S.: in an earlier version I wrote my text in german. Sorry for that.
Thanks Iceman for the reminder.

Last edited by Gambrius (2019-12-23 16:08:17)


I do a lot with tonies. If you like to read more:

My Blog (Gambrius Tech-Blog): http://www.gt-blog.de

Offline

#4 2019-12-20 16:50:01

iceman
Administrator
Registered: 2013-04-25
Posts: 6,689
Website

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

@gambrius,    we have a strict language rule on the forum where we use english.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#5 2020-01-08 18:59:37

fazer
Contributor
Registered: 2019-03-02
Posts: 69

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Good evening, I tried the magic changer uid card, I rewrote all the blocks, not possible to write the dump because my card has 80blocks. Does not work. Otherwise here are more examples on my card, I put X to hide my card because I'm still in the mountains LOL.
[usb] pm3 --> hf 15 raw -c 22 AB 04 XXXXXXXX080104E0
[=] received 10 octets         
[+] 00 00 00 00 7F 35 00 00 DC D4
[usb] pm3 --> hf 15 raw -c 22 BD 04 XXXXXXXX080104E0
[=] received 35 octets         
[+] 00   [ 5E 83 AA EA 77 75 13 EF 56 DD 82 14 3C 42 84 E5 EA 70 A2 11 DC 74 EF 52 FF 70 E4 04 99 A7 E7 63 ]    (3A 81) ? 
[usb] pm3 --> hf 15 raw -c 22 AB 04 XXXXXXXX80104E0
[=] received 10 octets         
[+] 00 00 00 00 7F 35 00 00 DC D4
[usb] pm3 --> hf 15 raw -c 22 B3 04 XXXXXXXX080104E0
[=] received 4 octets         
[+] 01 0F 68 EE 
Tomorrow I will try to snort the reader, not easy but I will try. Good evening.

Last edited by fazer (2020-01-08 20:51:43)

Offline

#6 2020-01-10 13:17:39

fazer
Contributor
Registered: 2019-03-02
Posts: 69

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hello Gambrius, I read the manufacturer's doc there are no flags 62 for my card. However how to obtain (IC signature public key name: NXP ICODE SLIX2 / DNA). Because with this commend hf 15 raw -c 22 BD 04 XXXXXXXX080104E0 I get (TAG IC Signature). With the command inventory read A0h I get nothing & fast inventory read A1h same. Good day.
IC mfg code ='04' NXP semiconductor  Germany

I try again to sniff reader, not easy .

Last edited by fazer (2020-01-10 17:50:11)

Offline

#7 2020-01-16 15:30:46

fazer
Contributor
Registered: 2019-03-02
Posts: 69

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hello, today I tried to sniff the reader without success. But I can tell you that the key
  Signature Tag
     IC signature public key name: NXP ICODE SLIX2 / DNA
     IC signature public key value:
it is identical for all the cards I have.
Have a good day.

ah yes the rdv4 battery works very well & for a long time.

Last edited by fazer (2020-01-16 15:33:54)

Offline

#8 2020-01-19 05:51:57

Gambrius
Contributor
From: germany
Registered: 2019-10-28
Posts: 25
Website

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hallo bob12x,

I managed to get the PRIVACY MODE mode to work with an own password.
To set your own password with WRITE PASSWORD command 0xB4h you have to do the following sequence:

GET RANDOM NUMBER
SET PASSWORD 
WRITE PASSWORD

Within the SET PASSWORD command you have to use the default set password of NXP wich is „0F0F0F0F“.
Within the WRITE PASSWORD command I used the flag 22 which demands that you use the UID within the command for addressed mode.

The PRIVACY MODE is only supported by SLIX2 or SLIX-L chips. As the iso15693 magic UID cards as of now are all SLIX only, they do not support the PRIVACY MODE.

Regards,
Gambrius


I do a lot with tonies. If you like to read more:

My Blog (Gambrius Tech-Blog): http://www.gt-blog.de

Offline

#9 2020-01-19 14:11:12

fazer
Contributor
Registered: 2019-03-02
Posts: 69

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hello Gambrius, thank you for the procedure. I'm looking at my privacy mode card. I think we don't have the same card.
Good Sunday.
  Features:         
      * User memory password protection supported         
      * Counter feature supported         
      * EAS ID supported by EAS ALARM command         
      * EAS password protection supported         
      * AFI password protection supported         
      * Extended mode supported by INVENTORY READ command         
      * EAS selection supported by extended mode in INVENTORY READ command         
      * READ SIGNATURE command supported         
      * Password protection for READ SIGNATURE command not supported         
      * STAY QUIET PERSISTENT command supported         
      * ENABLE PRIVACY command supported         
      * DESTROY command supported         
      * Additional 32 bits feature flags are not transmitted

  Tag Signature         
    IC signature public key name  : NXP ICODE SLIX2 / DNA         
    IC signature public key value : 04 XX 78 XX A2 XX EE XX 36 XX F2 XX A0 XX BD XX F9 XX 11 XX E2 XX 96 XX 8B XX EF XX 9C XX 6E XX       F0           
        Elliptic curve parameters : NID_secp128r1         
                 TAG IC Signature : XX 18 XX 53 XX 3C XX 80 XX BF XX B5 XX B7 XX C8 XX FA XX 56 XX 58 XX D7 XX AF XX D4 XX 1E XX 59           
    Signature verification successful

Last edited by fazer (2020-01-19 14:16:52)

Offline

#10 2020-01-19 15:25:34

Gambrius
Contributor
From: germany
Registered: 2019-10-28
Posts: 25
Website

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hallo fazer,

As far as I can tell from your log you attached in your post, our cards are from the same type. They are SLIX2. Do not know how you can tell that our cards are different.

The procedure I was referring to is from the NXP data sheet for the SLIX2 chip. It just took me a while to get it with the preset password right.

Or are you telling me that you have an SLIX2 card WITH a changeable UID? Than your card IS different to mine.

Regards,
Gambrius


I do a lot with tonies. If you like to read more:

My Blog (Gambrius Tech-Blog): http://www.gt-blog.de

Offline

#11 2020-01-19 16:25:10

fazer
Contributor
Registered: 2019-03-02
Posts: 69

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hallo Gambrius, re no I do not have a slix2 card with an editable UID it is an original card from last week in the Alps. I am not saying that my card & different I thought you were working on card 15693 magic uid. Good evening.
I will try your procedure.

Last edited by fazer (2020-01-19 16:27:05)

Offline

#12 2020-01-19 18:18:23

fazer
Contributor
Registered: 2019-03-02
Posts: 69

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hello Iceman, I don't know if I can put the key on the forum
     IC signature public key name: NXP ICODE SLIX2 / DNA. This key is for my card, maybe for others too.
Good night.

Offline

#13 2020-01-19 21:28:24

iceman
Administrator
Registered: 2013-04-25
Posts: 6,689
Website

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

send email,   maybe add something for iso15 to authenticate?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#14 2020-01-20 11:36:00

fazer
Contributor
Registered: 2019-03-02
Posts: 69

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hi Iceman, email send .
Have nice day.

Offline

#15 2020-01-21 10:36:37

fazer
Contributor
Registered: 2019-03-02
Posts: 69

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hello Iceman, did you receive the email.
Have a good day.

Offline

#16 2020-01-21 16:43:44

iceman
Administrator
Registered: 2013-04-25
Posts: 6,689
Website

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

yes. I got it.

The tag signature is a signed piece of data with the private key from NXP ICODE.
You would use the public key to verify that the signed data is correct.

Nothing secret with that,  just normal asymmetric crypto signing.
That public key is in the source code. https://github.com/RfidResearchGroup/pr … f15.c#L211


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#17 2020-01-21 17:23:06

fazer
Contributor
Registered: 2019-03-02
Posts: 69

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Re Iceman, ok thank you I prefer to ask. So when I pass the badge in front of a reader in assembly this key is used to verify that the card does not have a wholesale clone?.
Good evening.
sorry i use google translate

Last edited by fazer (2020-01-21 17:24:28)

Offline

#18 2020-01-21 18:48:44

iceman
Administrator
Registered: 2013-04-25
Posts: 6,689
Website

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

originality check just means that the reader can verify that the card is an original card from the supplier / manufacturer.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#19 2020-01-21 20:20:50

fazer
Contributor
Registered: 2019-03-02
Posts: 69

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hi iceman, ok thanks you.

Offline

#20 2020-03-02 23:49:59

loren
Contributor
Registered: 2012-11-30
Posts: 6

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hi all, this is mainly a message for Gambrius as there seemed to be success with setting passwords there. But anyone with any success using any on the extended functionality of these tag please do chime in.

I would like to experiment and set set passwords and destroy a tag etc. I keep getting 0x0F errors when it comes to issues the extending methods supported by the NXP IDCODE2/SLIX2 tags. Here is what I have been doing.

Get the tag UID

[usb] pm3 --> hf search
[-] Searching for ISO15693 tag...             
[+]  UID  : E0 04 01 08 11 A9 72 1F         
[+]  TYPE : NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX) ICS2602(SLIX2)          
          
[+] Valid ISO15693 tag found 

Use the UID to get fetch a random number

[usb] pm3 --> hf 15 raw -c 22 B2 04 1f72a911080104e0
[=] received 5 octets          
[+] 00 7C 06 9E FA 

Then i use this random number to generate the XOR password:

XOR_Password[31:0] = Password[31:0] XOR {Random_Number[15:0], Random_Number[15:0]}.

The password in this case should be default: 0x0F0F0F0F

I generate the XOR password given the random number above:

0x0F0F0F0F | 0x7C067C06 = 0x73097309

Set "DESTROY" password command

[usb] pm3 --> hf 15 raw -c 62 B3 04 1f72a911080104e0 08 73097309
[=] received 4 octets          
[+] 01 0F 68 EE  

As you can i get an error flag of 0x0F. Same error when setting other passwords or trying pretty much anything.

Am i misinterpreting the results here? Is there a reverse byte ordering for portions of the payload?

Any help is greatly appreciated smile

Offline

#21 2020-03-03 00:14:22

Gambrius
Contributor
From: germany
Registered: 2019-10-28
Posts: 25
Website

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Hallo Loren,
Your steps are looking good. The only thing that does not work is the actual implementation within the command structure of the proxmark3. Out of safety reason (mainly overheating of the RDV4), the RF field of the reader is turned off after each command. Theirfor the random numbers do not work for the set password command anymore.
I worked my self through this problem by modifying my fw to not turn off the RF field. And I am working with arduino projects using the pn5180 rfid reader. There I developed my own toolchain to handle these kind of operations.
Within the latest firmware of rrg/iceman repo there should be an option within the command for the random number which prevents from shutting down the rf field as well. I am not sure which one it is, but should be shown if you look into the help option (—h).

Hope I could help you.
Regards,
Gambrius

P.S.: please let uns know if it worked.
...or if you have further questions.

Last edited by Gambrius (2020-03-03 00:20:25)


I do a lot with tonies. If you like to read more:

My Blog (Gambrius Tech-Blog): http://www.gt-blog.de

Offline

#22 2020-03-03 00:23:03

loren
Contributor
Registered: 2012-11-30
Posts: 6

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

Thank you!

This make complete sense! The random number is no longer valid by the time I send the next command as the the tag loses power between these commands.

Now, how to implement a fix in the proxmark. Did you modify the client or recall how to implement this on the command line as suggested?

I'm on the latest proxmark version, also comfortable with modifying, compiling and flashing if  you point me in the right direction. Maybe implementing a "SLIX2" sub command to encapsulate these calls requiring authentication.

          
  ██████╗ ███╗   ███╗ ████╗            
  ██╔══██╗████╗ ████║   ══█║           
  ██████╔╝██╔████╔██║ ████╔╝           
  ██╔═══╝ ██║╚██╔╝██║   ══█║     iceman@icesql.net          
  ██║     ██║ ╚═╝ ██║ ████╔╝    https://github.com/rfidresearchgroup/proxmark3/          
  ╚═╝     ╚═╝     ╚═╝ ╚═══╝  pre-release v4.0          
          

 [ Proxmark3 RFID instrument ]           

 [ CLIENT ]           
  client: RRG/Iceman          
  compiled with GCC 8.3.0 OS:Linux ARCH:x86_64          

 [ PROXMARK3 RDV4 ]           
  external flash:                  present           
  smartcard reader:                present           

 [ PROXMARK3 RDV4 Extras ]           
  FPC USART for BT add-on support: present           
          
 [ ARM ]
  bootrom: RRG/Iceman/master/257a722c-dirty-unclean 2020-02-10 14:16:04
       os: RRG/Iceman/master/257a722c-dirty-unclean 2020-02-10 14:16:14
  compiled with GCC 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-01-12 at 15:31: 2
  HF image built for 2s30vq100 on 2020-01-12 at 15:31:16          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 281740 bytes (54%) Free: 242548 bytes (46%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory  

Offline

#23 2020-03-03 18:14:13

loren
Contributor
Registered: 2012-11-30
Posts: 6

Re: ISO15693 ICODE SLIX Family (WRITE PASSWORD command B4h)

@Gambrius

I did notice a the "-p" flag for the raw command to leave the field on.

[usb] pm3 --> hf 15 raw -h
Usage: hf 15 raw  [-r] [-2] [-c] <0A 0B 0C ... hex>
          
Options:
   -r   do not read response          
   -2   use slower '1 out of 256' mode
   -c   calculate and append CRC      
   -p   leave the signal field ON  

I still get the same result however when issuing the set password. Where you successfully in using this flag or did you need to further modify the client?

cmdhf15.c shows the -p being parsed:

...
case 'p':
case 'P':
   leaveSignalON = true;
   break;
...
if (!leaveSignalON)
   DropField();

My results:

[usb] pm3 --> hf 15 raw -p -c 22 B2 04 1F72A911080104E0
[=] received 5 octets          
[+] 00 43 92 59 1D           
[usb] pm3 --> hf 15 raw -p -c 62 B3 04 1F72A911080104E0 08 4C9D4C9D
[=] received 4 octets          
[+] 01 0F 68 EE  

The Proxmark is getting a little warm now. Do you see an issue with flags or anything else?

Offline

Board footer

Powered by FluxBB