Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Ok guys, the project is: make an identifier for RFIDs (starting from ISO15693 tags) with many functions dedicated to the identified device.
We need your contribution, so if you are interested, please contribute, even if you don't have my reader.
I have an SL500 reader produced by Stronglink.
This reader is very cool. See its functionality here:
http://www.stronglink-rfid.com/en/rfid- … sl500.html
This reader can use standard commands and it could even bypass the driver, writing directly to the tag (pass-thru functionality).
WHAT WE DID:
Asper and I made a tool that, using a text settings file, identifies scanned tags by decoding the UID.
This means that we need to expand our database, so if you have info about your tag such as model, producer and UID, send us these 3 pieces of information.
The tool also uses the standard get_system_information, and allows you to save the content of the tag BLOCKS.
The settings file (or you can call it "database") is structured in a standard way and allows us to identify more tags simply by adding a row to it.
Here is the settings file structure:
####################################################
# RF-ID Identifier Settings File #
# #
# Note: hash tag (#) identifies comments, #
# square brakets ([]) identifies sections #
# and commas (,) identifies fields separator #
####################################################
#
#
###################################
# COM port number and baud rate #
###################################
[COM]
PortNumber=5
BaudRate=115200
#
#
###########################################################
# PRODUCERS LIST #
# #
# FIELDS: producer code, producer name, #
# model code bit start, model code bit stop, #
# model subcode bit start,model subcode bit stop, #
# serial number bit start,serial number bit stop, #
# customer id bit start, customer id bit stop #
# #
# Note1: The LSB is the bit 1 (on the right) and #
# the MSB is the bit 64 (on the left) #
# Note2: The producer code is in hexadecimal, #
# the bits number is expressed in decimal. #
# Empty fields are not evaluated. #
###########################################################
[PRODUCERS]
01,Motorola(UK),,,,,,,,
02,STMicroelectronics SA (France),,,,,,,,
03,Hitachi Ltd(Japan),,,,,,,,
04,NXP Semiconductors(Germany),41,48,37,37,1,40,,
05,Infineon Technologies AG (Germany),,,,,,,,
06,Cylink(USA),,,,,,,,
07,Texas Instrument(France),,,,,,,,
08,Fujitsu Limited(Japan),,,,,,,,
09,Matsushita Electronics Corporation/Semiconductor Company(Japan),,,,,,,,
0A,NEC(Japan),,,,,,,,
0B,Oki Electric Industry Co. Ltd(Japan),,,,,,,,
0C,Toshiba Corp.(Japan),,,,,,,,
0D,Mitsubishi Electric Corp.(Japan),,,,,,,,
0E,Samsung Electronics Co. Ltd(Korea),,,,,,,,
0F,Hynix/Hyundai(Korea),,,,,,,,
10,LG-Semiconductors Co. Ltd(Korea),,,,,,,,
11,Emosyn-EM Microelectronics(USA),,,,,,,,
12,INSIDE Technology(France),,,,,,,,
13,ORGA Kartensysteme GmbH(Germany),,,,,,,,
14,SHARP Corporation(Japan),,,,,,,,
15,ATMEL(France),,,,,,,,
16,EM Microelectronic-Marin SA(Switzerland),43,47,,,1,32,33,42
17,KSW Microtec GmbH(Germany),,,,,,,,
18,ZMD AG(Germany),,,,,,,,
19,XICOR Inc.(USA),,,,,,,,
1A,Sony Corporation(Japan),,,,,,,,
1B,Malaysia Microelectronic Solutions Sdn. Bhd(Malaysia),,,,,,,,
1C,Emosyn(USA),,,,,,,,
1D,Shanghai Fudan Microelectronics Co.Ltd.P.R.(China),,,,,,,,
1E,Magellan Technology Pty Limited(Australia),,,,,,,,
1F,Melexis NV BO(Switzerland),,,,,,,,
20,Renesas Technology Corp.(Japan),,,,,,,,
21,TAGSYS(France),,,,,,,,
22,Transcore(USA),,,,,,,,
23,Shanghai belling corp.ltd.(China),,,,,,,,
24,Masktech Germany Gmbh(Germany),,,,,,,,
25,Innovision Research and Technology Plc(UK),,,,,,,,
26,Hitachi ULSI Systems Co.Ltd.(Japan),,,,,,,,
27,Cypak AB(Sweden),,,,,,,,
28,Ricoh(Japan),,,,,,,,
29,ASK(France),,,,,,,,
2A,Unicore Microsystems/LLC (Russian Federation),,,,,,,,
2B,Dallas Semiconductor/Maxim(USA),,,,,,,,
2C,Impinj Inc.(USA),,,,,,,,
2D,RightPlug Alliance(USA),,,,,,,,
2E,Broadcom Corporation(USA),,,,,,,,
2F,MStar Semiconductor Inc (Taiwan)/ROC,,,,,,,,
30,BeeDar Technology Inc.(USA),,,,,,,,
31,RFIDsec(Denmark),,,,,,,,
32,Schweizer Electronic AG(Germany),,,,,,,,
33,AMIC Technology Corp(Taiwan),,,,,,,,
34,Mikron JSC(Russia),,,,,,,,
35,Fraunhofer Institute for Photonic Microsystems(Germany),,,,,,,,
36,IDS Microchip AG(Switzerland),,,,,,,,
37,Kovio(USA),,,,,,,,
38,HMT Microelectronic Ltd(Switzerland),,,,,,,,
39,Silicon Craft Technology(Thailand),,,,,,,,
3A,Advanced Film Device Inc.(Japan),,,,,,,,
3B,Nitecrest Ltd(UK),,,,,,,,
3C,Verayo Inc.(USA),,,,,,,,
3D,HID Global(USA),,,,,,,,
3E,Productivity Engineering Gmbh(Germany),,,,,,,,
3F,Austriamicrosystems AG -reserved- (Austria),,,,,,,,
40,Gemalto SA(France),,,,,,,,
41,Renesas Electronics Corporation(Japan),,,,,,,,
42,3Alogics Inc(Korea),,,,,,,,
43,Top TroniQ Asia Limited (Hong Kong),,,,,,,,
44,Gentag Inc(USA),,,,,,,,
#
#
###########################################################
# MODELS LIST #
# #
# FIELDS: producer code, model code, model subcode, #
# model name #
# #
#Note: the producer code is in hexadecimal, the model #
# code and subcode are in binary. #
# Empty fields are not evaluated. #
###########################################################
[MODELS]
16,01000,,EM4033(Read Only)
16,00001,,EM4034(Read/Write)
16,00011,,EM4035(Read/Write - replaced by EM4233)
16,00111,,EM4133(Read/Write)
16,xxxxx,,EM4135(Read/Write - replaced by EM4233)
16,00110,,EM4006(Read Only)
16,01001,,EM4233(Read/Write)
16,01010,,EM4233SLIC(Read/Write)
04,00000001,0,SL2 ICS2001(ICODE SLI)
04,00000001,1,SL2 S2002/SL2 S2102(ICODE SLIX)
04,00000010,0,SL2 ICS5301/SL2 ICS5401(ICODE SLI-S)
04,00000010,1,SL2 S5302/SL2 S5402(ICODE SLIX-S)
04,00000011,0,SL2 ICS5001/SL2 ICS5101(ICODE SLI-L)
04,00000011,1,SL2 S5002/SL2 S5102(ICODE SLIX-L)
Now we are starting to write custom proprietary commands, but we need complete datasheets with explanations of the custom commands, and your help.
Up to now we have implemented reading of the block's protection status, "write with password" and "read with password" for the NXP SL2 ICS5301/SL2 ICS5401 (ICODE SLI-S), EM4233 \ EM4233SLIC \ EM4133 \ EM4035 \ EM4034.
We also added a "password bruteforce" attack in the last revision, to let you test your tags and your password before choosing your system technology. This will allow you to test the security of your system and, eventually, to increase your protection.
Work with us.
Note: Before using the attached tool, you must agree to the following:
1) You will not use this tool for illegal purposes
2) Your contribution will not be for illegal purposes
3) You will share with us scanned tags (blocks data and tag information)
If you do not agree to these points, leave this page; you are not authorized to use this tool.
You can download the latest version of the tool in one of the last posts.
Here are 3 screenshots of the tool in use.
Before using the tool, first ask us how to use it, how it works and what it does.
Last edited by gaucho (2013-05-28 18:42:39)
Offline
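The UID decoding that the settings file drives, sketched as an added example (not the tool's own code, which is not shown in the thread). It assumes the UID is given most-significant byte first, uses the ISO15693 layout (bits 57-64 = E0, bits 49-56 = producer code), and treats 'x' in a model code as a don't-care bit with the most specific row winning; `SETTINGS` is a constructed excerpt of the posted rows and all function names are hypothetical.

```python
import string

SETTINGS = """\
# Constructed excerpt: rows copied from the settings file posted above.
[PRODUCERS]
04,NXP Semiconductors(Germany),41,48,37,37,1,40,,
16,EM Microelectronic-Marin SA(Switzerland),43,47,,,1,32,33,42
[MODELS]
16,xxxxx,,EM4135(Read/Write - replaced by EM4233)
16,01001,,EM4233(Read/Write)
04,00000001,0,SL2 ICS2001(ICODE SLI)
04,00000001,1,SL2 S2002/SL2 S2102(ICODE SLIX)
"""

FIELD_NAMES = ("model", "subcode", "serial", "customer")


def parse_settings(text):
    """Return ({producer_code: (name, {field: (start, stop)})}, [model rows])."""
    producers, models, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # comment or blank line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "PRODUCERS":
            # The last 8 fields are bit positions; split from the right so a
            # comma inside the producer name cannot shift them.
            head, *cols = line.rsplit(",", 8)
            code, name = head.split(",", 1)
            nums = [int(c) if c.strip() else None for c in cols]
            ranges = {}
            for i, field in enumerate(FIELD_NAMES):
                start, stop = nums[2 * i], nums[2 * i + 1]
                if start is not None and stop is not None:  # empty = not evaluated
                    ranges[field] = (start, stop)
            producers[int(code, 16)] = (name, ranges)
        elif section == "MODELS":
            code, model, sub, name = line.split(",", 3)
            models.append((int(code, 16), model.strip(), sub.strip(), name))
    return producers, models


def bits(uid, start, stop):
    """Bits start..stop of the UID (bit 1 = LSB, bit 64 = MSB) as a binary string."""
    lo, hi = sorted((start, stop))
    if not 1 <= lo <= hi <= 64:
        raise ValueError(f"bit range {start}-{stop} outside 1..64")
    width = hi - lo + 1
    return format((uid >> (lo - 1)) & ((1 << width) - 1), f"0{width}b")


def pattern_matches(pattern, value):
    # Assumption: 'x' in a model code means "any bit".
    return len(pattern) == len(value) and all(
        p in ("x", "X", v) for p, v in zip(pattern, value))


def decode_uid(uid_hex, producers, models):
    digits = "".join(c for c in uid_hex if c not in " :-")
    if len(digits) != 16 or any(c not in string.hexdigits for c in digits):
        raise ValueError("an ISO15693 UID is 8 bytes (16 hex digits)")
    uid = int(digits, 16)
    if uid >> 56 != 0xE0:
        raise ValueError("bits 57-64 are not E0: wrong tag type or reversed byte order")
    code = (uid >> 48) & 0xFF
    result = {"producer_code": f"{code:02X}", "producer": None, "model": None}
    if code not in producers:
        return result                      # unknown producer: report the raw code only
    name, ranges = producers[code]
    result["producer"] = name
    fields = {f: bits(uid, *r) for f, r in ranges.items()}
    for f in ("serial", "customer"):
        if f in fields:
            result[f] = int(fields[f], 2)
    best = None
    for m_code, m_bits, m_sub, m_name in models:
        if m_code != code or "model" not in fields:
            continue
        if m_bits and not pattern_matches(m_bits, fields["model"]):
            continue
        if m_sub and fields.get("subcode") != m_sub:
            continue
        wild = m_bits.lower().count("x")   # fewer wildcards = more specific row
        if best is None or wild < best[0]:
            best = (wild, m_name)
    if best:
        result["model"] = best[1]
    return result


if __name__ == "__main__":
    producers, models = parse_settings(SETTINGS)
    for sample in ("E0 04 01 10 12 34 56 78", "E0 16 24 05 00 A1 B2 C3"):  # constructed UIDs
        print(sample, "->", decode_uid(sample, producers, models))
```

Many readers return the UID least-significant byte first; reverse the byte order before decoding if the E0 check fails on a known ISO15693 tag.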
I can say gaucho is a really skilled programmer and this tool came to life to make understanding ISO standards a lot easier for newbies.
Information contained in datasheets is always very detailed but sometimes it can be hard to "find a way out" of a technical sheet (some are also really hard to find, some others are under NDA while some others are not available at all and we must reverse all the commands).
(above picture: internals and differences between RS232 and USB version)
SL500F (version F is important because F is the only "Multi Standard ISO14443A/B-ISO15693 reader/writer") and its software, ICTransfer.exe, natively support, with some limitations, the following 13.56 tags:
in particular, directly from ICTransfer.exe (version 4.3 Released in January 2013):
As you can see, the "pass_through" function allows you to directly send commands (APDUs) to a specific tag, and receive back the answers, ONLY in ISO14443B and ISO15693 format (ISO14443A direct commands are not supported, at least with NXP tags, because they use proprietary bit-commands that SL500F is not able to send); CRCs are automatically calculated by the reader.
In the original ICTransfer.exe some supported tags are missing some functions; for example SRIX4K (ISO14443B) is supported in almost all its functions but there is no FF block support (write access control block), so you need to manually code something to show/modify the information contained in that specific block; we would like to fill those kinds of ICTransfer.exe "gaps", bringing SL500F to its extreme capabilities !
SL500F comes with a quite good SDK with sources in BC, C#, Delphi, PB, VB, VB.NET and VC (written mainly for mifare) that you can freely download from their site.
We hope to increase the amount of supported tags using your contribution starting but not limited to ISO15693 !
EDIT: we are in no way involved with Stronglink ! We do this only for passion !
Last edited by asper (2014-01-18 18:19:01)
Offline
Can you tell me what the other two ICs are on the USB model?
Can you directly access the CLRC632 or is it abstracted away somehow?
Offline
USB Version
NXP CLRC632 01T (Multiple protocol contactless reader IC)
NXP P89V51RD2FBC (64K flash microcontroller)
SILABS CP2102 (USB to UART bridge)
=============================================================================================
RS232 Version
NXP CLRC632 01T(Multiple protocol contactless reader IC)
Winbond W78E058B (ver.2006) - Winbond W78E058B (ver.2009) (8-BIT Microcontroller)
MAX202 (5V Dual RS-232 Line Driver/Receiver)
This version (RS232) has an RJ45<-->RS232 cable like the following one (but with 1 PS2 replaced by an RJ45 that plugs inside the reader/writer):
and you can easily use it with a USB-to-serial adapter, providing a proper power source (e.g. PS2 to USB adapters):
=============================================================================================
I think the CLRC632 is driven by the NXP P89V51RD2FBC in the USB version and by the Winbond W78E058B in the RS232 version; the case is really easy to open (screws [4] are under rubber pads) and I don't think it will be difficult to directly connect the CLRC with some external wires; years ago I asked StrongLink for the Winbond firmware but they (obviously ^_^') told me they cannot give it out.
Last edited by asper (2013-09-10 16:47:56)
Offline
wow. Detailed. Thank you.
I find it very interesting that most (if not all) reader manufacturers abstract the RFID/NFC IC away from the developer therefore (in most cases) removing features / functionality.
I've noticed the SDK is only for Windows developers.
Offline
Detailed information helps people to better understand everything.
I don't know if there are limitations in hardware functionality; I know there are in the ICTransfer.exe software but they are not real "limits", they simply are a partial implementation of the full command set of specific tags that can be solved using the "pass_through" function (in most cases).
Yes, only Windows sources are officially available, but if you are interested someone tried to reverse the SL500F hardware communication protocol to use it with Linux; you can see the results at this google code page; you can find a pdf with reversed protocol information here and also a source code for mifare.
Last edited by asper (2013-04-19 08:04:08)
Offline
hi
with this tool can we read icode-1 cards?
the icode-1 cards are ISO15693 tags but they work differently, they have their own standard.
if you need information and you want to develop for ICODE-1, I uploaded all the documentation and software from Philips
https://dl.dropboxusercontent.com/u/23920467/icode1.rar
Offline
I-CODE1 seems to be an old Philips/NXP technology (it is not ISO15693) and it is supported by the CLRC632 IC, but I don't know if SL500F can correctly handle it; you can try to send basic pass_through commands and see if the tag answers. Alternatively, try to send an email to Stronglink service and ask if it is supported via pass_through: please share the answer with us.
@0xFFFF:
...removing features / functionality.
This can be an example of hardware limitation !
EDIT:
A curious thing I want to share; this site sells a quite similar (if not identical) reader/writer interface and I can confirm that their demo software (RfidViewer.exe) works with SL500F; the weird fact is that there is an I-CODE1 datasheet in the download section (the one linked in this post) so maybe they uploaded the wrong PDF (it should be I-CODE-SLI and not ICODE-1) or it is really supported.
Last edited by asper (2013-04-19 08:24:21)
Offline
I can see that there is pass-through in the win api but it looks like the registers etc... can not be accessed.
I've got CLRC632's at home. I should make my own PCB for them.
Offline
I can see that there is pass-through in the win api but it looks like the registers etc... can not be accessed.
I've got CLRC632's at home. I should make my own PCB for them.
You mean you can add some schematics to add hardware features/access to SL500F ?
Offline
Sorry 0xFFFF, I'm a newbie in RFID, could you briefly explain why you need to access "registers"? With pass-thru you can send ISO15693 commands (standard and custom) directly to the tag. Why do you need more? It's clear that if you want to sniff data between another reader and a tag, this device is not the right choice because it's not portable (and these functionalities are not supplied by the manufacturer).
p.s.: What is the protocol of the I-CODE1? If it is not a standard ISO14443A, ISO14443B or ISO15693, I think SL500 cannot speak with it.
Offline
I have sent an email to Stronglink.
I don't have an SL500F; I have an Omnikey 5321 and this reader detects the tag. I also have the SLRC400 PEGODA from Philips; this is the reader and the software that I have uploaded and that I used to read the tags.
I have uploaded this PowerPoint:
https://dl.dropboxusercontent.com/u/23920467/i_code_all.pps
Offline
Well, I-CODE1 seems to be quite "proprietary" because I am not able to find any specific tag command, only generic memory map structure; anyway, if your Omnikey 5321 is able to detect it (UID? other?) there are chances that it can be SL500F compatible using pass_through commands or even using I-CODE SLI interface; maybe possible command codes can be the same as the old Philips SL2 ICS20 (that is not ISO15693).
Some other info can be recovered here, but the documents mentioned at page 11 seem not to be available to the public.
Here is a quite extended list of NXP RFID products.
Last edited by asper (2013-04-19 11:22:48)
Offline
0xFFFF wrote: I can see that there is pass-through in the win api but it looks like the registers etc... can not be accessed.
I've got CLRC632's at home. I should make my own PCB for them.
You mean you can add some schematics to add hardware features/access to SL500F ?
I can add RF range (not sure how far) and I can talk to iClass. But I was referring to a separate PCB altogether. Separate from the SL500.
BTW - you could directly access the CLRC632 using a buspirate (Dangerous Prototypes / Seeed Studio).
Sorry 0xFFFF, I'm a newbie in RFID, could you briefly explain why you need to access "registers"? With pass-thru you can send ISO15693 commands (standard and custom) directly to the tag. Why do you need more? It's clear that if you want to sniff data between another reader and a tag, this device is not the right choice because it's not portable (and these functionalities are not supplied by the manufacturer).
If you can access registers, etc... on the CLRC632, it can be used to talk to and do interesting things with iClass cards.
Offline
If you can access registers, etc... on the CLRC632, it can be used to talk to and do interesting things with iClass cards.
Sorry 0xFFFF but I cannot find iClass support in CLRC632 datasheet... am I missing something ? Any doc/pdf ?
Offline
Hey Guys,
Interesting project!
However, it seems that the (old) OpenPCD, version 1, would be perfect for this (~80$). It uses a RC632 and runs an open software stack/firmware that supports ISO14443A/B and ISO15693. It runs on the exact same uC as the proxmark, so you could (re)use code (like the CDC stack/boot-loader) from the proxmark repository.
Anyway, you could also do all the stuff you want with the proxmark, but it may require some additional skills (like FPGA designing).
Cheers,
Roel
Offline
If you can access registers, etc... on the CLRC632, it can be used to talk to and do interesting things with iClass cards.
Sorry 0xFFFF but I cannot find iClass support in CLRC632 datasheet... am I missing something ? Any doc/pdf ?
It might not be in any public documentation but it definitely works with iClass. The cardman 5321 can be used to program iClass cards (contains the CLRC632).
Offline
Hey Guys,
Interesting project!
However, it seems that the (old) OpenPCD, version 1, would be perfect for this Roel
We could share the same settings.txt file.
Have you seen how it is formatted?
Each time we add the identification of a new tag we just need to add a row in the text settings file.
Here is the file (I hope it will appear well-formatted on the forum):
####################################################
# RF-ID Identifier Settings File #
# #
# Note: hash tag (#) identifies comments, #
# square brakets ([]) identifies sections #
# and commas (,) identifies fields separator #
####################################################
#
#
###################################
# COM port number and baud rate #
###################################
[COM]
PortNumber=5
BaudRate=115200
#
#
###########################################################
# PRODUCERS LIST #
# #
# FIELDS: producer code, producer name, #
# model code bit start, model code bit stop, #
# model subcode bit start,model subcode bit stop, #
# serial number bit start,serial number bit stop, #
# customer id bit start, customer id bit stop #
# #
# Note1: The LSB is the bit 1 (on the right) and #
# the MSB is the bit 64 (on the left) #
# Note2: The producer code is in hexadecimal, #
# the bits number is expressed in decimal. #
# Empty fields are not evaluated. #
###########################################################
[PRODUCERS]
01,Motorola(UK),,,,,,,,
02,STMicroelectronics SA (France),,,,,,,,
03,Hitachi Ltd(Japan),,,,,,,,
04,NXP Semiconductors(Germany),41,48,37,37,1,40,,
05,Infineon Technologies AG (Germany),,,,,,,,
06,Cylink(USA),,,,,,,,
07,Texas Instrument(France),,,,,,,,
08,Fujitsu Limited(Japan),,,,,,,,
09,Matsushita Electronics Corporation/Semiconductor Company(Japan),,,,,,,,
0A,NEC(Japan),,,,,,,,
0B,Oki Electric Industry Co. Ltd(Japan),,,,,,,,
0C,Toshiba Corp.(Japan),,,,,,,,
0D,Mitsubishi Electric Corp.(Japan),,,,,,,,
0E,Samsung Electronics Co. Ltd(Korea),,,,,,,,
0F,Hynix/Hyundai(Korea),,,,,,,,
10,LG-Semiconductors Co. Ltd(Korea),,,,,,,,
11,Emosyn-EM Microelectronics(USA),,,,,,,,
12,INSIDE Technology(France),,,,,,,,
13,ORGA Kartensysteme GmbH(Germany),,,,,,,,
14,SHARP Corporation(Japan),,,,,,,,
15,ATMEL(France),,,,,,,,
16,EM Microelectronic-Marin SA(Switzerland),43,47,,,1,32,33,42
17,KSW Microtec GmbH(Germany),,,,,,,,
18,ZMD AG(Germany),,,,,,,,
19,XICOR Inc.(USA),,,,,,,,
1A,Sony Corporation(Japan),,,,,,,,
1B,Malaysia Microelectronic Solutions Sdn. Bhd(Malaysia),,,,,,,,
1C,Emosyn(USA),,,,,,,,
1D,Shanghai Fudan Microelectronics Co.Ltd.P.R.(China),,,,,,,,
1E,Magellan Technology Pty Limited(Australia),,,,,,,,
1F,Melexis NV BO(Switzerland),,,,,,,,
20,Renesas Technology Corp.(Japan),,,,,,,,
21,TAGSYS(France),,,,,,,,
22,Transcore(USA),,,,,,,,
23,Shanghai belling corp.ltd.(China),,,,,,,,
24,Masktech Germany Gmbh(Germany),,,,,,,,
25,Innovision Research and Technology Plc(UK),,,,,,,,
26,Hitachi ULSI Systems Co.Ltd.(Japan),,,,,,,,
27,Cypak AB(Sweden),,,,,,,,
28,Ricoh(Japan),,,,,,,,
29,ASK(France),,,,,,,,
2A,Unicore Microsystems/LLC (Russian Federation),,,,,,,,
2B,Dallas Semiconductor/Maxim(USA),,,,,,,,
2C,Impinj Inc.(USA),,,,,,,,
2D,RightPlug Alliance(USA),,,,,,,,
2E,Broadcom Corporation(USA),,,,,,,,
2F,MStar Semiconductor Inc (Taiwan)/ROC,,,,,,,,
30,BeeDar Technology Inc.(USA),,,,,,,,
31,RFIDsec(Denmark),,,,,,,,
32,Schweizer Electronic AG(Germany),,,,,,,,
33,AMIC Technology Corp(Taiwan),,,,,,,,
34,Mikron JSC(Russia),,,,,,,,
35,Fraunhofer Institute for Photonic Microsystems(Germany),,,,,,,,
36,IDS Microchip AG(Switzerland),,,,,,,,
37,Kovio(USA),,,,,,,,
38,HMT Microelectronic Ltd(Switzerland),,,,,,,,
39,Silicon Craft Technology(Thailand),,,,,,,,
3A,Advanced Film Device Inc.(Japan),,,,,,,,
3B,Nitecrest Ltd(UK),,,,,,,,
3C,Verayo Inc.(USA),,,,,,,,
3D,HID Global(USA),,,,,,,,
3E,Productivity Engineering Gmbh(Germany),,,,,,,,
3F,Austriamicrosystems AG -reserved- (Austria),,,,,,,,
40,Gemalto SA(France),,,,,,,,
41,Renesas Electronics Corporation(Japan),,,,,,,,
42,3Alogics Inc(Korea),,,,,,,,
43,Top TroniQ Asia Limited (Hong Kong),,,,,,,,
44,Gentag Inc(USA),,,,,,,,
#
#
###########################################################
# MODELS LIST #
# #
# FIELDS: producer code, model code, model subcode, #
# model name #
# #
#Note: the producer code is in hexadecimal, the model #
# code and subcode are in binary. #
# Empty fields are not evaluated. #
###########################################################
[MODELS]
16,01000,,EM4033(Read Only)
16,00001,,EM4034(Read/Write)
16,00011,,EM4035(Read/Write - replaced by EM4233)
16,00111,,EM4133(Read/Write)
16,xxxxx,,EM4135(Read/Write - replaced by EM4233)
16,00110,,EM4006(Read Only)
16,01001,,EM4???(Read/Write)
04,00000001,0,SL2 ICS2001(ICODE SLI)
04,00000001,1,SL2 S2002/SL2 S2102(ICODE SLIX)
04,00000010,0,SL2 ICS5301/SL2 ICS5401(ICODE SLI-S)
04,00000010,1,SL2 S5302/SL2 S5402(ICODE SLIX-S)
04,00000011,0,SL2 ICS5001/SL2 ICS5101(ICODE SLI-L)
04,00000011,1,SL2 S5002/SL2 S5102(ICODE SLIX-L)
Offline
Stronglink sent me an email: "that is not possible to read icode-1"
With the Omnikey 5321, the APDU software gives me the information that the tag is icode-1; that means that the Omnikey has to read the tag. The only thing is to make the software.
Does the program you have made work with the Omnikey 5321??
Offline
My tool runs on Microsoft Windows and speaks directly with the Stronglink DLL library.
Any other reader up to now is not implemented. But, as i said, we can have 2 executables with the same settings file. You can make the second executable and we can add on the settings even your icode-1 (obviously on the stronglink reader it will not be recognized).
we added custom commands for EM tags (bruteforce etc..). and new row on the settings file for a new EM tag model. Soon the new version will be online.
Offline
I uploaded new version. You can find it on the first post with new screenshots.
What's new in vers.1.12:
-added support for Electronic Marines tags custom commands (read blocks protection status, read/write with password and password bruteforce).
-corrected write section to allow the user to choose the option flag.
-updated appearance
-corrected bruteforce bugs
-many minor bugs fixed
Offline
@thefkboss: I also have an Omnikey 5321, if gaucho will have some time maybe we will add support for it; if you are able to code you can try those source samples to help us (you should have them in your Omnikey software folder); you can find the Omnikey Developer Guide here.
Last edited by asper (2013-04-22 19:25:00)
Offline
If one of you can write a class in VB.NET, I can add support for your reader.
The class should be structured as follows:
On the 'new' statement, the connection to the reader will be started.
On 'send message', the message will be sent to the tag with the CRC appended.
Offline
Here is a link to another good sample code for Omnikey 5321 (only mifare).
Last edited by asper (2013-04-23 13:13:25)
Offline
Hey hey hey!
What's the hardware difference between SL500L -USB and SL500F -USB? I think both have CLRC632
Offline
Hey hey hey!
What's the hardware difference between SL500L -USB and SL500F -USB? I think both have CLRC632
SL500L is designed for ISO14443A only, dunno if it has a CLRC632 inside, probably not because of the ISO15693/ISO14443B missing support, probably it has a cheaper IC.
Offline
Since I couldn't find the password (I tried numbers, upper letters and lower letters), I have now decided to go in RANDOM mode!
The passwords to try are too many to test them all in a reasonable time, so I added the "random mode" where passwords are selected in a random way from any possible password. This way you can even test your luck. huahahaha.
Here are the exe and a screenshot.
Offline
Hi guys, We updated the RFID Identifier.
Now it scans for ISO15693 and ISO14443B tags.
Many tags added to database
We will soon make even the identification for ISO14443A tags.
Pressing SCAN button, every tag/protocol will be scanned and automatically identified.
Added passthru function for all protocols.
Credit goes to Asper for being a pain in my butt. This makes it possible for this tool to evolve.
You can find the exe in one of the last posts written by me.
Last edited by gaucho (2014-02-20 20:54:49)
Offline
Well done Gaucho !
About ISO14443A I already have all the easy-to-understand documentation ready, it is also really easy to implement (a total of only 3 bytes to read from 2 different commands) I will send it to you as soon as you send me the "OK, I CAN CODE NOW" ! ^_^
About ISO14443A pass-through I don't know if it works, I tried with a mifare card but it seems not to be good to communicate with them (mifare are not fully ISO14443A compatible); anyway I can now do more tests thanks to this new implementation !
I think there is no need to add "set AT88RF02" because it should work with ISO14443B pass through commands (I can test only when I will find a working tag).
Today I studied all SL500F error codes; I will send them to you as soon as I get back home because with them all hardware answers can be correctly handled (I also found a "Hidden Working Command" so I think there will be others to find; I have a very easy idea to spot them relating to error codes, I will explain it to you later).
About the "pain in the ass" well.... I agree I am !
EDIT: are the manufacturer logos still there ?
Last edited by asper (2013-05-28 19:20:41)
Offline
Really nice job people. I'll give it a try and get back to you
Offline
Really nice job people. I'll give it a try and get back to you
Thank you C0Y0-Ck3r ! We are mainly interested in adding new tags, If you find some "unknown" please report to us.
Offline
Hi, I have this tag, an EM4233 with password enabled.
Could I find the password with this software? I know the answer; I mean, how many passwords/second does the software try?
Which is best, the USB or the RS232 model, comparing stability, speed, fails.......? Because I will buy one.
thanks
Offline
USB is better. Bruteforcing the password can take months (or more; Gaucho knows the tries-per-second limit, 6/7 if I remember well).
Last edited by asper (2013-11-23 22:13:49)
Offline
Thanks asper for your answer.
the tag EM4233 is supported for cracking with the software??
where i can find the full datasheet of that card?
Does someone know if the reader sends the key in clear text?? Is it possible to sniff the communication with proxmark??
I have read this on the web:
• Secure privacy mode controlled by a 96 bit secret key and a high secure crypto engine (this means that when you insert the correct key the data inside the card is different?????)
• Alternatively possibility to select a lower level of the security mode based on login command and a 32 bit password or as a plain text memory. (how do you know if you are in 96 or 32 bit password???)
• Password protected Destroy function to deactivate forever the label '????? I don't know what is the meaning of this, special command, too many wrong keys, how do you destroy the card.......?????
If someone has the datasheet, let me know, thanks
Offline
Yes, bruteforcing is supported for that tag but can take years to test all possible passwords (the software doesn't crack the password, it only tries to bruteforce it by testing all possible ones).
Sniffing communication is possible, search in this forum. Sniffing commands should let you know what kind of situation you have (kind of security).
Datasheet is public: http://www.emmicroelectronic.com/webfiles/product/rfid/ds/EM4233SLIC_DS.pdf
It is for the "reduced version" called SLIC that is missing some functions but I think you can find all other answers you need there.
Last edited by asper (2013-11-24 12:01:59)
Offline
thanks asper
I understand that em4233slic used the same command for auth E4 command?
so the key is transmitted in clear text (hex)???
do you know some shop where I could buy this card??
thanks
Offline
You said you already have that card... anyway no, I don't know where to buy blank ones; google is your friend.
Offline
I have a card but it already has a password.
I would like a new card without a password to try commands, to know exactly how it works, to be sure.
Maybe someone knows a good shop to buy online.
thanks
Offline
Hi gaucho,
I'm trying to use your RFID Identifier tool but it doesn't seem to work in my case. I have a sl500f reader.
I have a Mifare card and when I press Scan the RFID Identifier says Error - No UID found (or more than one Tag is near the reader).
I can read the same card with the ICTransfer tool (Stronglink) so I assume drivers are OK.
I'm trying to identify some cards I have and Identifier would be perfect for that ... but I can get him to work.
Do you think you can help me ?
Thanks a lot.
Offline
Try to execute .exe as administrator; it should work fine under XP and 7, not tested in vista and 8.
Remember also to disconnect serial port in ICTransfer before using the tool (when you close it the program should automatically close the serial port).
Offline
Hi,
i tried on both W7 and XP ... same problem .
Also run the program as admin ... no luck.
Before starting the tool I closed any other program that would have used the com port.
Will try to reinstall the driver.
In your case .. you just press scan and it's fine ?
I've no clue what else to do ..
Offline
no luck with the drivers .. any way i can check the software is communicating with the reader ?
Offline
hi geod,
i received your email.
so you are not able to detect any tag with our tool?
do you have other kind of tags to try?
click the info button and check what version of the tool you are using.
when you first open the tool, on the status bar (bottom part) you can read the status of the tool.
If you are able to read "Ready!" on that bar, it means that I could successfully open the serial port. This doesn't mean that the reader has been detected; it just means that I opened the serial port.
when you press SCAN button, the first thing that i try to do is to disable the antenna, to set the protocol and to power on again the antenna.
If the reader is not connected or it is not working as expected, i show a popup error "ANTENNA RF OFF FAIL!".
If you get this popup, don't read the status bar, but check in the file "Settings.txt" the used COM port parameter (PortNumber).
If you instead don't get any of the previously mentioned errors, and you only get the status bar "Error - no UID found or more than one tag is near the reader", it means that I tried to scan for tags using all the protocols and I didn't get a valid response from the tag.
in this case, if you did all the requested checks, you found a bug, and we need to find and solve it.
let me know the results of the tests.
remove the tag from the reader each time you do these debug tests.
p.s.:i think you don't need to reinstall the drivers. they just need to be in the same folder of the tool.
p.s.s.: write here even which steps you follow in the icTransfer tool in order to read the tag.
Last edited by gaucho (2014-01-16 19:20:02)
Offline
hi thefkboss,
i'm interested in your studies about EM4233.
please let me know your study results, if you will get any.
I tested the bruteforce with these tags, but of course i found that i'm not lucky as my mother always told me. too many passwords to test.
If we live in the same country, it is possible that our EM4233 comes from the same site.
Thank you.
Bye.
Last edited by gaucho (2014-01-16 19:38:26)
Offline
hi,
thanks for your reply.
Version I have is 2.4.4896.32557
It's a strange behavior depending on the card i try to scan, I'll explain.
ISO14443A (MIFARE 1K)
I can scan this card with ICTransfer, and I can get card data just fine.
Same card CAN'T be scanned by RFID Identifier. Error message ... Error - no UID ...
I thought it was something wrong with the card and got about 6 different ones (different vendors as well).
So my conclusion so far is that it is either not scanning Mifare cards or there is a problem with the communication protocol ISO14443A.
I don't know how to test further one or the other to identify the problem.
If you have any ideas I'm glad to help.
ISO15693 (Tag-it)
First I scanned this card with RFID Identifier and it worked flawlessly.
So something is working.
I scanned the same card with ICTransfer and got the same result.
I then tried another card and this one is working as well.
The card i have is Texas Instruments (France) (code07)
Model: Tag-it HF-I Plus Inlay.
I wanted to use the pass-thru but I'm not sure it's working or that I know how to use it properly ... i'm new to this.
I first press SETISO15693
and in the request box I enter a code (01 - which should be Inventory) and press enter.
I get an error .. unknown error 162 (decimal).
I tried to use the pass-thru on ICTransfer tool and it fails as well.
So I believe it might be a problem with my understanding and not the tools.
Below are cards spec ... maybe you can have a look and tell me what I'm doing wrong.
http://www.ti.com/lit/ug/scbu003a/scbu003a.pdf
Thanks a lot for your help.
Offline
ISO14443
I confirm there is a bug in version 2.4.4896.32557. This bug (ISO14443A not recognized) is not present in 2.5 test version you sent me Gaucho.
ISO15693
The correct pass-thru command to send for ISO15693:
inventory: 260100
get system information: 022B
read single block: 0220+1byte block number
Other supported commands can be found at page 6 of the datasheet you posted.
You can find further info on commands using proxmark windows client under ISO15693 -> 15693 CMD -> "Send Raw Commands" (you can open it even if you don't have a proxmark3). For further info please refer to ISO15693 standard pdf files.
Pass-Thru
Pass-thru commands work only with PURE ISO (14443A/14443B/15693) standard tags, if a command is proprietary and it DOES NOT FOLLOW ISO STANDARDS (ex. mifare proprietary commands, some of them do not need crc while others are 7bit only instead of 8) it CAN NOT WORK with SL500F (SL500F is not able to manage 7bit commands and I am pretty sure you cannot disable auto-crc calculation and appending; this is also the reason why it is IMPOSSIBLE to crack mifare using SL500F or a mobile phone - those limits are in nfc chip firmware not in software).
Last edited by asper (2014-01-18 13:31:15)
Offline
hi asper,
thanks for your reply.
I'm a noob .. can you please explain how you converted the command code.
In the document mentioned the inventory code is 0x01
The code that you provided for inventory is 260100, and it works with the app.
Same for get sys info.
Book: 0x2B
Yours: 022B
I would appreciate if you can let me know how you converted from hex.
Would it be possible to post version 2.5 of RFID Identifier ?
I don't have a proxmark unfortunately ... do you mind posting the link where I can get the windows client you mentioned, i would like to play more with pass-thru.
thanks a lot again.
Offline
It's not so easy to tell you why those are the commands, you need to study ISO15693-3 datasheet (ISO15693 anticollision & transmission protocol part) and familiarize with "flags" (for commands description look at page 21 but read also previous pages).
Sources and compiled .exe belong to Gaucho, if he wants to release another version (bug-free) he will decide to.
proxmark3 Windows Client (for help on this please refer to this thread).
Last edited by asper (2014-01-17 15:54:35)
Offline
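The flags-plus-command layout discussed in the posts above, as an added example that is not part of the original posts or of the RFID Identifier tool: it decodes the pass-thru strings quoted in the thread (260100, 022B, 0220 + block number) into request flags, command code and parameters. Flag and command meanings follow ISO/IEC 15693-3; the function names `decode_request` and `build_request` are hypothetical, and the CRC is left out because the reader appends it.

```python
# Added example: split an ISO 15693 pass-thru request into flags, command, parameters.
# Layout per ISO/IEC 15693-3: [flags byte][command byte][parameters...]; CRC is added by the reader.

COMMANDS = {0x01: "Inventory", 0x20: "Read single block", 0x2B: "Get system information"}

# Bits b1..b4 mean the same in every request.
COMMON_FLAGS = {0x01: "two sub-carriers", 0x02: "high data rate",
                0x04: "inventory", 0x08: "protocol extension"}
# Bits b5..b7 change meaning depending on the inventory flag (0x04).
INVENTORY_FLAGS = {0x10: "AFI present", 0x20: "1 slot", 0x40: "option"}
NORMAL_FLAGS = {0x10: "select", 0x20: "addressed", 0x40: "option"}


def decode_request(hex_string):
    """Return the flag names, command name and parameter bytes of a request."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2:
        # A bare command code such as "01" has no flags byte in front of it.
        raise ValueError("a request needs a flags byte followed by a command byte")
    flags, command, params = raw[0], raw[1], raw[2:]
    table = dict(COMMON_FLAGS)
    table.update(INVENTORY_FLAGS if flags & 0x04 else NORMAL_FLAGS)
    names = [name for bit, name in sorted(table.items()) if flags & bit]
    return {
        "flags": names,
        "command": COMMANDS.get(command, "unknown 0x%02X" % command),
        "params": params.hex(),  # for Inventory without AFI, the first byte is the mask length
    }


def build_request(flags, command, params=b""):
    """Assemble the hex string to type into the pass-thru request box."""
    return (bytes([flags, command]) + params).hex().upper()


if __name__ == "__main__":
    for request in ("260100", "022B", build_request(0x02, 0x20, bytes([5]))):
        print(request, decode_request(request))
```

The datasheet's 0x01 and 0x2B are only the command byte; the leading 26 or 02 is the request flags byte that precedes it.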
thanks for the info. will look into the docs you mentioned. I hope I can see the link.
Offline
asper, i can't remember now the differences.
i hope that the following version has no bugs inside.
EDIT: search on one of the last posts the link to the package
i have also a newer version, inside a folder named "test".. but i can't remember the differences..
i think that this version will work.
let me know, geod.
Last edited by gaucho (2014-02-20 20:56:13)
Offline