Proxmark3 community

#1 2021-02-08 08:16:57

Einstein2150
Contributor
Registered: 2021-01-27
Posts: 9

HITAG2 sniff

Another system in our company is based on HITAG2. I read that the support from iceman is not the best because he has no reader and tags to try. I found in the documentation of the system that it would use the challenge sequence for data exchange. To prepare for the brute force, which needs at least two challenges, I started sniffing the communication between reader and tag...

In every sniff sequence with the Proxmark between the reader and an accepted token, I got the same data from the reader but no challenge sequence or data from the token, although the reader is reacting to it. I also tried another antenna (125 kHz only), but the result was the same.

Can anyone tell me what I was capturing from the reader?

[fpc] pm3 --> lf hitag snif

[#] Starting Hitag2 sniffing
[#] Hitag2 sniffing finish. Use `lf hitag list` for annotations
[fpc] pm3 --> lf hitag list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 5837 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] Hitag1 / Hitag2 / HitagS - Timings in ETU (8us)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |          0 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          0 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          0 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          0 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          0 | Rdr |<empty trace - possible error>                                           |     | 
   16777216 |   16777216 | Rdr |<empty trace - possible error>                                           |     | 
     262144 |     262144 | Rdr |00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00   |     | 
            |            |     |00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00   |     | 
            |            |     |00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00   |     | 
            |            |     |00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00   |     | 
            |            |     |04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00   |     | 
            |            |     |01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00   |     | 
            |            |     |00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00   |     | 
            |            |     |00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00   |     | 
            |            |     |00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00   |     | 
            |            |     |00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00   |     | 
            |            |     |00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00   |     | 
            |            |     |00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04   |     | 
            |            |     |00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01   |     | 
            |            |     |00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00   |     | 
            |            |     |00  00  04  00                                                           |     | 
          0 |       1024 | Rdr |<empty trace - possible error>                                           |     | 
        256 |        256 | Rdr |<empty trace - possible error>                                           |     | 
          4 |        260 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          4 | Rdr |<empty trace - possible error>                                           |     | 
          1 |          1 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          1 | Rdr |<empty trace - possible error>                                           |     | 
   67108864 |   67108864 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          0 | Rdr |00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01   |     | 
            |            |     |00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00   |     | 
            |            |     |00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00   |     | 
            |            |     |00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00   |     | 
            |            |     |00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00   |     | 
            |            |     |04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00   |     | 
            |            |     |01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00   |     | 
            |            |     |00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00   |     | 
            |            |     |00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00   |     | 
            |            |     |00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00   |     | 
            |            |     |00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00   |     | 
            |            |     |00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00   |     | 
            |            |     |00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04   |     | 
            |            |     |00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01   |     | 
            |            |     |00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00   |     | 
            |            |     |00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00   |     | 
            |            |     |00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00   |     | 
            |            |     |00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00   |     | 
          0 |          4 | Rdr |<empty trace - possible error>                                           |     | 
          1 |          1 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          1 | Rdr |<empty trace - possible error>                                           |     | 
   67108864 |   67108864 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          0 | Rdr |00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01   |     | 
            |            |     |00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00   |     | 
            |            |     |00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00   |     | 
            |            |     |00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00   |     | 
            |            |     |00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00   |     | 
            |            |     |04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00   |     | 
            |            |     |01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00   |     | 
            |            |     |00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00   |     | 
            |            |     |00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00   |     | 
            |            |     |00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00   |     | 
            |            |     |00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00   |     | 
            |            |     |00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00   |     | 
            |            |     |00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04   |     | 
            |            |     |00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01   |     | 
            |            |     |00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00   |     | 
            |            |     |00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00   |     | 
            |            |     |00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00   |     | 
            |            |     |00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00   |     | 
          0 |          4 | Rdr |<empty trace - possible error>                                           |     | 
          1 |          1 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          1 | Rdr |<empty trace - possible error>                                           |     | 
   67108864 |   67108864 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          0 | Rdr |00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01   |     | 
            |            |     |00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00   |     | 
            |            |     |00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00   |     | 
            |            |     |00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00   |     | 
            |            |     |00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00   |     | 
            |            |     |04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00   |     | 
            |            |     |01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00   |     | 
            |            |     |00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00   |     | 
            |            |     |00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00   |     | 
            |            |     |00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00   |     | 
            |            |     |00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00   |     | 
            |            |     |00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00   |     | 
            |            |     |00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04   |     | 
            |            |     |00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01   |     | 
            |            |     |00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00   |     | 
            |            |     |00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00   |     | 
            |            |     |00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00   |     | 
            |            |     |00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00   |     | 
          0 |          4 | Rdr |<empty trace - possible error>                                           |     | 
          1 |          1 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          1 | Rdr |<empty trace - possible error>                                           |     | 
   67108864 |   67108864 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          0 | Rdr |00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01   |     | 
            |            |     |00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00   |     | 
            |            |     |00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00   |     | 
            |            |     |00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00   |     | 
            |            |     |00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00   |     | 
            |            |     |04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00   |     | 
            |            |     |01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00   |     | 
            |            |     |00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00   |     | 
            |            |     |00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00   |     | 
            |            |     |00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00   |     | 
            |            |     |00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00   |     | 
            |            |     |00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00   |     | 
            |            |     |00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04   |     | 
            |            |     |00  00  00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01   |     | 
            |            |     |00  00  00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00   |     | 
            |            |     |00  00  04  00  00  00  00  01  00  00  00  00  00  00  00  04  00  00   |     | 
            |            |     |00  00  01  00  00  00  00  00  00  00  04  00  00  00  00  01  00  00   |     | 
            |            |     |00  00  00  00  00  04  00  00  00  00  01  00  00  00  00  00  00  00   |     | 
          0 |          4 | Rdr |<empty trace - possible error>                                           |     | 
          1 |          1 | Rdr |<empty trace - possible error>                                           |     | 
          0 |          1 | Rdr |<empty trace - possible error>                                           |     | 
   67108864 |   67108864 | Rdr |<empty trace - possible error>                                           |     | 


#2 2021-02-08 18:19:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,505

Re: HITAG2 sniff

Hitag2 sniff and sim commands need some serious love on RRG/Iceman repo.
However, on official repo it should work better. Try it and collect your needed data...

#3 2021-02-09 09:17:07

Einstein2150
Contributor
Registered: 2021-01-27
Posts: 9

Re: HITAG2 sniff

iceman wrote:

Hitag2 sniff and sim commands need some serious love on RRG/Iceman repo.
However, on official repo it should work better. Try it and collect your needed data...

Two questions @iceman:

I installed your fork with homebrew. Can I install the official repo in parallel with homebrew?

Does switching between yours and the official one mean reflashing the Proxmark every time I switch between the two versions?

#4 2021-02-09 10:35:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,505

Re: HITAG2 sniff

Sadly not on homebrew.

#5 2021-02-11 15:00:31

Einstein2150
Contributor
Registered: 2021-01-27
Posts: 9

Re: HITAG2 sniff

iceman wrote:

Hitag2 sniff and sim commands need some serious love on RRG/Iceman repo.
However, on official repo it should work better. Try it and collect your needed data...

I installed the official firmware manually after compiling from source. It seems that HITAG is working worse there than in your fork. Reading HITAG is nearly impossible. Want to have a look?

./client/proxmark3 /dev/cu.usbmodem1454401
Prox/RFID mark3 RFID instrument          
bootrom: RRG/Iceman/master/b60daea 2021-01-11 16:59:49
os: /-suspect 2021-02-11 09:05:33
fpga_lf.bit built for 2s30vq100 on 2019/11/21 at 09:02:37
fpga_hf.bit built for 2s30vq100 on 2020/03/05 at 19:09:39
SmartCard Slot: available
          
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 207672 bytes (40). Free: 316616 bytes (60).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#db# Unknown frame length: 1          
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#db# Unknown frame length: 2          
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> 
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#db# Unknown frame length: 4          
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID          

It's totally sh** mad

#6 2021-02-11 15:20:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,505

Re: HITAG2 sniff

well...  you said sniffing....


#7 2021-02-15 16:17:56

Einstein2150
Contributor
Registered: 2021-01-27
Posts: 9

Re: HITAG2 sniff

iceman wrote:

well...  you said sniffing....

OK. Today I visited the reader to snoop the traffic. This worked fine. I'm wondering which part of the output would be the nR and the aR. Every reading produced 5 lines of data:

proxmark3> lf hitag snoop
proxmark3> #db# Starting Hitag2 snoop          
lf hitag snoop      list
recorded activity (TraceLen = 58145400 bytes):          
 ETU     :nbits: who bytes          
---------+-----+----+-----------          
 +      0:    3:     80             
 +   3188:    4:     80             
 +   3187:    4:     80             
 +    947:    5:     c0             
 +   3186:    4:     80             
 +   3186:    4:     80             
 +    947:    5:     c0             
 +   3188:    4:     80             
 +   3187:    4:     80             
 +   3189:    4:     80             
 +   3187:    4:     80             
 +   3186:    4:     80             
 +   3188:    4:     80             
 +   3186:    4:     80             
 +   3186:    4:     80             
 +    949:    5:     c0             
 +   3186:    4:     80             
 +   3189:    4:     80             
 +   3188:    4:     80             
 +   3188:    4:     80             
 +   4728:   63:     86  13  1f  3e  87  6e  36  56             
 +   3186:    4:     80             
 +   4723:   63:     0e  26  3c  7f  53  58  f0  54             
 +   3190:    4:     80             
 +   4727:   63:     1c  4e  78  fc  c6  4f  2c  52             
 +   3186:    4:     80             
 +   4726:   63:     38  9c  f1  f9  3d  59  a1  64             
 +   3187:    4:     80             
 +   4725:   63:     71  39  e1  f0  4a  91  cc  2c             
 +   3188:    4:     80             
 +   3189:    4:     80             
 +    949:    5:     c0             
 +   3188:    4:     80             
 +   4722:   63:     e0  71  c3  e2  d0  17  c6  f0             
 +    948:    5:     c0             
 +   4726:   63:     c0  e1  85  c7  18  44  cc  20             
 +   3187:    4:     80             
 +   4725:   63:     81  c3  09  8f  af  06  7f  42             
 +    948:    5:     c0             
 +   4721:   63:     03  86  13  1f  ac  7f  18  34             
 +    948:    5:     c0             
 +   4723:   63:     05  0e  26  3c  37  c4  bf  ae             
 +   3188:    4:     80             
 +    947:    5:     c0             
 +   3188:    4:     80             
 +   4725:   63:     08  1c  4e  79  f2  00  7d  f6             
 +    948:    5:     c0             
 +   4725:   63:     12  38  9c  f0  29  db  f4  b6             
 +   3188:    4:     80             
 +   4720:   63:     26  71  39  e0  00  da  40  70             
 +   3189:    4:     80             
 +   4722:   63:     4c  e0  71  c3  11  a8  e0  52             
 +   3188:    4:     80             
 +   4728:   63:     9b  c0  e1  84  e4  e1  38  d4             
 +   3188:    4:     80             
 +   3187:    4:     80             
 +   3189:    4:     80             
 +   4728:   63:     35  81  c3  08  c7  72  d6  60             
 +   3188:    4:     80             
 +   4723:   63:     6b  03  86  13  04  46  27  32             
 +   3186:    4:     80             
 +   4723:   63:     d4  05  0e  27  36  e5  1e  8a             
 +   3188:    4:     80             
 +   4722:   63:     aa  08  1c  4e  e6  d4  0d  4a             
 +   3189:    4:     80             
 +   4728:   63:     54  12  38  9d  7e  16  ac  1c             
 +   3188:    4:     80             
 +   3187:    4:     80             
 +   3188:    4:     80             
 +   4728:   63:     aa  26  71  38  d6  ac  27  3c             
 +    949:    5:     c0             
 +   4728:   63:     56  4c  e0  70  15  26  e6  da             
 +   3186:    4:     80             
 +   4726:   63:     ac  9b  c0  e0  fb  92  b3  5a             
 +   3187:    4:     80             
 +   4726:   63:     59  35  81  c2  6a  dd  b6  0e             
 +   3188:    4:     80             
 +   4722:   63:     b2  6b  03  87  a9  1b  dd  4c             
