Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-04-29 01:56:18

Gambrius
Contributor
From: germany
Registered: 2019-10-28
Posts: 25

New ICODE SLIX-L Magic Tag in town?

Hello,

I was looking for some NXP ICODE SLIX-L tags and bought some samples from a Chinese seller.

At first these tags looked perfect and worked like a charm. Later on, after a bit of usage within the development process of my reader hardware, some features of the tag stopped working.

Some information about the NXP ICODE SLIX-L chip:
The SLIX-L tag is kind of special, because it has only 32 Bytes of memory (8 Blocks with 4 Bytes per Block), a UID that is always starting with "E0 04 03..." and a privacy mode that, once it is enabled, makes the tag not "visible" for any reader. With an enabled privacy mode the tag is just reacting to one custom command (random number) and keeps silent for all other standard commands like INVENTORY. With the random number and a preset password another custom command can be used to disable the privacy mode. After disabling this feature the tag is reacting to all the standard commands like INVENTORY, READ or WRITE.

I figured out, that removing the tag from the reader rf field while sending the "enable privacy mode" command, lets the chip break which shows in a changing IC value of the chip from "03" to "01". That means after this special situation the chip is not behaving as a chip with an IC value of "03" which stands for the SLIX-L chip, but like a chip with an IC value of "01" which stands for an SLIX chip.
The SLIX chip does not support a privacy mode at all but has a memory size of 28 Blocks with 4 Bytes each compared to 8 Blocks of the SLIX-L chip.
That means the former tag with an SLIX-L chip is acting now as a tag with a SLIX chip including all specifications.

My answer to this is that this is a fake Chinese chip and not an original NXP ICODE SLIX-L chip. This chip has the ability to be whatever the seller wants it to be by changing the IC value of the chip. In addition there must be the possibility of changing the UID as well. Because within the specification it says that the first three Bytes of a SLIX-L UID are "E0 04 03..." and the first three Bytes of a SLIX UID are "E0 04 01...". This change has to be done in its own step, because the UID is still the same as before. Therefore there must be a change feature for the UID available.

The accidental change of the IC value must be a bug. But now I am curious to know how to reset the IC value to "03" or get to know how to change the UID.

The commands for the magic tag that is already known within this forum do not work on this chip. I tried that already.
Does someone know some other commands used within the Chinese chip industry? Or has a clue how to reverse engineer these commands?

Regards,
Gambrius


I do a lot with tonies. If you like to read more:

My Blog (Gambrius Tech-Blog): http://www.gt-blog.de
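
Added example (not part of the original post and not Proxmark3 code): a consistency check that compares what a tag's UID prefix claims with the IC value and block count the tag actually shows, using only the SLIX and SLIX-L values quoted in the post above. The function names, the sample UID and the `lsb_first` option are assumptions made for illustration.

```python
# Added example: identity consistency check built only from values quoted in the post.
# UID prefix -> (chip name, IC value, number of 4-byte blocks), as stated in the post.
PROFILES = {
    bytes.fromhex("E00403"): ("SLIX-L", 0x03, 8),
    bytes.fromhex("E00401"): ("SLIX", 0x01, 28),
}
IC_NAMES = {ic: name for name, ic, _ in PROFILES.values()}


def parse_uid(uid_hex, lsb_first=False):
    """Return the 8-byte UID with E0 first. ISO 15693 sends the UID LSB first,
    so set lsb_first=True for readers that print it in wire order."""
    raw = bytes.fromhex(uid_hex.replace(":", " "))
    if len(raw) != 8:
        raise ValueError(f"expected 8 UID bytes, got {len(raw)}")
    return raw[::-1] if lsb_first else raw


def check_tag(uid_hex, observed_blocks, observed_ic, lsb_first=False):
    """Compare what the UID claims with what the tag reports; [] means consistent."""
    uid = parse_uid(uid_hex, lsb_first)
    profile = PROFILES.get(uid[:3])
    if profile is None:
        return [f"UID prefix {uid[:3].hex(' ').upper()} is neither SLIX nor SLIX-L"]
    name, ic, blocks = profile
    findings = []
    if observed_ic != ic:
        seen = IC_NAMES.get(observed_ic, "unknown chip")
        findings.append(
            f"UID says {name} (IC {ic:02X}) but tag reports IC {observed_ic:02X} ({seen})")
    if observed_blocks != blocks:
        findings.append(
            f"UID says {name} ({blocks} blocks) but {observed_blocks} blocks are readable")
    return findings


if __name__ == "__main__":
    uid = "E0 04 03 50 11 22 33 44"  # constructed sample UID, not from a real tag
    print(check_tag(uid, 8, 0x03))   # tag as delivered
    print(check_tag(uid, 28, 0x01))  # tag after the change described in the post
```

Any non-empty result means the UID and the tag's behaviour disagree, which is the mismatch the post describes.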


#2 2020-04-29 15:06:30

fazer
Contributor
Registered: 2019-03-02
Posts: 61

Re: New ICODE SLIX-L Magic Tag in town?

Hello Gambrius, thank you for this info of your research on this Chinese chip, it is interesting to go from 8 blocks to 28 blocks. I do not know this Chinese chip, for my part I am looking for chips of 80 blocks which are used in France. Good luck for the future.
Fazer.
