Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
The paper concerning the keys and crypto of some of the 125KHz car-keys is finally released:
https://www.usenix.org/sites/default/fi … lement.pdf
Offline
I hope to see implemented in pm3
Offline
VERY VERY interesting !
Thanks for sharing the link !!
He says "we have developed an open source library for custom and proprietary RFID communication schemes that operate at an frequency of 125kHz": is it possible to see this open source library ? Any link ? Or is he referring to this forum ?
Last edited by asper (2015-08-16 21:56:33)
Offline
So Roel has an megamos crypto imp which can be used in the pm3 source. My guess is that he also has the functionality read/write for megamos but he will not publish it.
A datasheet on megamos,.
http://www.bicotech.com/doc/megamos_cr.pdf
Offline
You can read Roel's doctoral thesis "The (in)security of proprietary cryptography"
Offline
They never released the megomos crypto and imp ? ... Does someone have it?
Offline
See slide 2 of their presentation at Usenix: https://www.usenix.org/sites/default/fi … slides.pdf
IIRC the statement was roughly that they cannot publish more than that but they giving the lead they followed so that if anyone want to reproduce it, (s)he knows where to start.
Offline
I think you missed that the court lifted the ban last august.. which this whole thread is about.
Offline
...and I got some exciting news! A forum user has a working megamos imp for PM3! *yes!*
Offline
Fantastic!
Offline
...and I got some exciting news! A forum user has a working megamos imp for PM3! *yes!*
Hi
Is there any basic communication for PM3 available somewhere for the megamos? Read ID for example would be sufficient. I am just looking for some starting point to implement the rest of the commands.
Regards,
Steve
Offline
Hi,
Any news about megamos implementation in Proxmark and is it possible to get the firmware developped by the guys mentionned before ?
Offline
Hi,
I actually have a few of these I am trying to read just for fun.
From the papers, it seems these are based on (or are) the EM4170 transponders.
I've been modifying the firmware to support just reading the ID from these tags, but have ran into a few issues. I could start a new thread, but I just wanted to throw it out that I will contribute my work back.
I am able to find the LIW (listen window), although I haven't been able to read anything back from the card yet. It seems I am not sending the correct command, and the transponder goes back into standy mode as soon as I send the command.
If I just send the RM (Receive mode) I do see the transponder stop sending LIW for a period of time. So I believe there is a problem with the command I am sending ( 0 0 1 1 - Read ID)
Basically, we look for pulses (in RF periods):
80 +/- 10
80 +/- 10
flip polarity of edge detection
96 +/- 10
64 +/-10
--- Now we are at the spot in the 3rd LIW and need to send the RM command (two 0 bits) around 48 RF periods after the last pulse.
Wait 48 RF periods
Send 0 0 | Enter Receive mode (two 0 bits)
Send 0 0 1 1 (Read ID: 0 0 1 and then 1 parity bit)
Last edited by sirloins (2020-11-28 18:26:17)
Offline
Still no luck yet getting it to accept any commands..
I did look at the referenced papers, and they indicate that the LIW is different than that of a EM4170.
The thing I noticed, is that the EM4170 datasheet shows non-inverted signal where I believe based on my observations, the papers are showing the inverted signal. If you flip them, then the LIW seems to match what the EM4170 datasheet suggests.
Another paper mentions the commands being different, showing 0 0 0 1 as the command for reading ID. I also find this hard to believe since in other cases of the EM chips the last bit is a parity. The EM4170 command for read ID is listed as 0 0 1 1.
Offline
Just wanted to update this thread, I have been able to implement all of the EM4170/Megamos/ID48 commands that I am aware of (from datasheet). This should be available in the latest master branch of RRG Proxmark3 code. I will clarify, the papers mentioning the commands without the parity bit were correct so thanks to those that have paved the way.
I found the PM3 Easy antenna was the most reliable, I had a hard time with the communication using the PM3 RDV4 built-in antenna. So please let me know if you try it out.
This isn't some magical code that will clone car keys, all this will do is let you perform read/write/unlock and test authentication with the transponder. The cryptographic key and PIN for unlocking are write-only, they cannot be read. You would have to read them from your car immobilizer in order to clone a key.
Since some transponders use a default PIN, you may be able to unlock a used transponder and then add it to your car. Cars will not normally allow used keys to be programmed, so in this case, maybe it is useful.
Let me know if you have such a transponder and have tried it out. There may be some kinks to work out as I only had my 1 car key and some transponders from Aliexpress.
I'll try to add more improvements, and maybe if I learn some more math, I can implement a couple of the documented attacks on this transponder.
Last edited by sirloins (2020-12-13 01:27:31)
Offline