Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#51 2015-03-21 23:00:42

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

proxmark3>  hf 14a raw -p -T 26
timeout while waiting for reply.  
proxmark3>  hf 14a raw -a -p -T 26
received 0 octets          
proxmark3> 
proxmark3>  hf 14a raw   -p -a   -b 7 26
received 2 octets          
00 0C           
proxmark3> 
proxmark3>  hf 14a raw -p -T -c 78 00 00 00 00 00 00
received 0 octets          
proxmark3> 

The -T parameter seems not to be working at all.

And hf topaz snoop/list is this:

proxmark3> hf topaz snoop
proxmark3> 
proxmark3> #db# cancelled by button                 
proxmark3> #db# COMMAND FINISHED                 
proxmark3> #db# maxDataLen=10, Uart.state=0, Uart.len=0                 
proxmark3> #db# traceLen=11844, Uart.output[0]=00000043                 
proxmark3> hf list topaz  
Recorded Activity (TraceLen = 11844 bytes)          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |      38112 | Rdr | f0  1e  d4  00  7d  9d  f6  82  dc  30  f9  80  ab  d9  00  00  |     |           
            |            |     | 00  32  46  66  6d  01  01  11  03  02  00  13  04  01  96  a3  |     |           
            |            |     | f5                                                              | !crc| ?          
     141376 |     142432 | Rdr | 26                                                              |     | REQA          
     143620 |     145988 | Tag | 00  0c                                                          |     |           
     153744 |     168880 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
     170068 |     179348 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
     252576 |     267696 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
     268884 |     278164 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
     527760 |     542896 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
     544084 |     553364 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
     634432 |     661872 | Rdr | 10  00  00  00  00  00  00  00  00  00  35  8f  93  00  06  28  |  ok | RSEG          
     663044 |     682948 | Tag | 00  35  8f  93  00  00  10  25  00  e1  10  3f  00  01  03  f2  |     |           
            |            |     | 30  33  02  03  f0  02  03  03  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  55  55  aa  aa  12  4c  06  |     |           
            |            |     | 00  01  e0  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  f8  8b                                                      |  ok |           
    1475744 |    1490880 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
    1492068 |    1501348 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
    1607936 |    1622992 | Rdr | 00  00  00  35  8f  93  00  cb  db                              |  ok | RALL          
    1624244 |    1636084 | Tag | 12  4c  35  8f  93  00  00  10  25  00  e1  10  3f  00  01  03  |     |           
            |            |     | f2  30  33  02  03  f0  02  03  03  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  55  55  aa  aa  12  4c  |     |           
            |            |     | 06  00  01  e0  00  00  00  00  00  00  50  af                  |  ok |           
    2188192 |    2215632 | Rdr | 02  0f  00  00  00  00  00  00  00  00  35  8f  93  00  2e  36  |  ok | READ8          
    2216820 |    2229556 | Tag | 0f  00  00  00  00  00  00  00  00  cf  27                      |  ok |           
    2349904 |    2377344 | Rdr | 02  10  00  00  00  00  00  00  00  00  35  8f  93  00  d5  59  |  ok | READ8          
    2378532 |    2391268 | Tag | 10  00  00  00  00  00  00  00  00  73  4e                      |  ok |           
    2482960 |    2510416 | Rdr | 02  11  00  00  00  00  00  00  00  00  35  8f  93  00  78  5c  |  ok | READ8          
    2511604 |    2524340 | Tag | 11  00  00  00  00  00  00  00  00  8e  03                      |  ok |           
    2621312 |    2648752 | Rdr | 02  12  00  00  00  00  00  00  00  00  35  8f  93  00  8f  52  |  ok | READ8          
    2649924 |    2662724 | Tag | 12  00  00  00  00  00  00  00  00  89  d5                      |  ok |           
    2794768 |    2822224 | Rdr | 02  13  00  00  00  00  00  00  00  00  35  8f  93  00  22  57  |  ok | READ8          
    2823396 |    2836196 | Tag | 13  00  00  00  00  00  00  00  00  74  98                      |  ok |           
    2938976 |    2966432 | Rdr | 02  14  00  00  00  00  00  00  00  00  35  8f  93  00  61  4f  |  ok | READ8          
    2967604 |    2980340 | Tag | 14  00  00  00  00  00  00  00  00  96  71                      |  ok |           
    3076736 |    3104176 | Rdr | 02  15  00  00  00  00  00  00  00  00  35  8f  93  00  cc  4a  |  ok | READ8          
    3105364 |    3118100 | Tag | 15  00  00  00  00  00  00  00  00  6b  3c                      |  ok |           
    3226800 |    3254240 | Rdr | 02  16  00  00  00  00  00  00  00  00  35  8f  93  00  3b  44  |  ok | READ8          
    3255428 |    3268228 | Tag | 16  00  00  00  00  00  00  00  00  6c  ea                      |  ok |           
    3382736 |    3410192 | Rdr | 02  17  00  00  00  00  00  00  00  00  35  8f  93  00  96  41  |  ok | READ8          
    3411380 |    3424180 | Tag | 17  00  00  00  00  00  00  00  00  91  a7                      |  ok |           
    3542784 |    3570240 | Rdr | 02  18  00  00  00  00  00  00  00  00  35  8f  93  00  bd  74  |  ok | READ8          
    3571412 |    3584212 | Tag | 18  00  00  00  00  00  00  00  00  b9  31                      |  ok |           
    3692272 |    3719728 | Rdr | 02  19  00  00  00  00  00  00  00  00  35  8f  93  00  10  71  |  ok | READ8          
    3720900 |    3733700 | Tag | 19  00  00  00  00  00  00  00  00  44  7c                      |  ok |           
    3826576 |    3854032 | Rdr | 02  1a  00  00  00  00  00  00  00  00  35  8f  93  00  e7  7f  |  ok | READ8          
    3855204 |    3867940 | Tag | 1a  00  00  00  00  00  00  00  00  43  aa                      |  ok |           
    3971408 |    3998864 | Rdr | 02  1b  00  00  00  00  00  00  00  00  35  8f  93  00  4a  7a  |  ok | READ8          
    4000052 |    4012788 | Tag | 1b  00  00  00  00  00  00  00  00  be  e7                      |  ok |           
    4106304 |    4133744 | Rdr | 02  1c  00  00  00  00  00  00  00  00  35  8f  93  00  09  62  |  ok | READ8          
    4134932 |    4147732 | Tag | 1c  00  00  00  00  00  00  00  00  5c  0e                      |  ok |           
    4241184 |    4268640 | Rdr | 02  1d  00  00  00  00  00  00  00  00  35  8f  93  00  a4  67  |  ok | READ8          
    4269812 |    4282612 | Tag | 1d  00  00  00  00  00  00  00  00  a1  43                      |  ok |           
    4384288 |    4411744 | Rdr | 02  1e  00  00  00  00  00  00  00  00  35  8f  93  00  53  69  |  ok | READ8          
    4412916 |    4425652 | Tag | 1e  00  00  00  00  00  00  00  00  a6  95                      |  ok |           
    4516864 |    4544320 | Rdr | 02  1f  00  00  00  00  00  00  00  00  35  8f  93  00  fe  6c  |  ok | READ8          
    4545492 |    4558228 | Tag | 1f  00  00  00  00  00  00  00  00  5b  d8                      |  ok |           
    4654112 |    4681504 | Rdr | 02  20  00  00  00  00  00  00  00  00  35  8f  93  00  a5  b6  |  ok | READ8          
    4682756 |    4695556 | Tag | 20  00  00  00  00  00  00  00  00  de  46                      |  ok |           
    4790208 |    4817600 | Rdr | 02  21  00  00  00  00  00  00  00  00  35  8f  93  00  08  b3  |  ok | READ8          
    4818836 |    4831636 | Tag | 21  00  00  00  00  00  00  00  00  23  0b                      |  ok |           
    4925712 |    4953104 | Rdr | 02  22  00  00  00  00  00  00  00  00  35  8f  93  00  ff  bd  |  ok | READ8          
    4954340 |    4967076 | Tag | 22  00  00  00  00  00  00  00  00  24  dd                      |  ok |           
    5079376 |    5106752 | Rdr | 02  23  00  00  00  00  00  00  00  00  35  8f  93  00  52  b8  |  ok | READ8          
    5108004 |    5120740 | Tag | 23  00  00  00  00  00  00  00  00  d9  90                      |  ok |           
    5226608 |    5254000 | Rdr | 02  24  00  00  00  00  00  00  00  00  35  8f  93  00  11  a0  |  ok | READ8          
    5255252 |    5268052 | Tag | 24  00  00  00  00  00  00  00  00  3b  79                      |  ok |           
    5369744 |    5397120 | Rdr | 02  25  00  00  00  00  00  00  00  00  35  8f  93  00  bc  a5  |  ok | READ8          
    5398356 |    5411156 | Tag | 25  00  00  00  00  00  00  00  00  c6  34                      |  ok |           
    5524016 |    5551408 | Rdr | 02  26  00  00  00  00  00  00  00  00  35  8f  93  00  4b  ab  |  ok | READ8          
    5552644 |    5565380 | Tag | 26  00  00  00  00  00  00  00  00  c1  e2                      |  ok |           
    5661312 |    5688704 | Rdr | 02  27  00  00  00  00  00  00  00  00  35  8f  93  00  e6  ae  |  ok | READ8          
    5689940 |    5702676 | Tag | 27  00  00  00  00  00  00  00  00  3c  af                      |  ok |           
    5802704 |    5830080 | Rdr | 02  28  00  00  00  00  00  00  00  00  35  8f  93  00  cd  9b  |  ok | READ8          
    5831332 |    5844068 | Tag | 28  00  00  00  00  00  00  00  00  14  39                      |  ok |           
    5960496 |    5987888 | Rdr | 02  29  00  00  00  00  00  00  00  00  35  8f  93  00  60  9e  |  ok | READ8          
    5989140 |    6001876 | Tag | 29  00  00  00  00  00  00  00  00  e9  74                      |  ok |           
    6095456 |    6122848 | Rdr | 02  2a  00  00  00  00  00  00  00  00  35  8f  93  00  97  90  |  ok | READ8          
    6124100 |    6136900 | Tag | 2a  00  00  00  00  00  00  00  00  ee  a2                      |  ok |           
    6233936 |    6261328 | Rdr | 02  2b  00  00  00  00  00  00  00  00  35  8f  93  00  3a  95  |  ok | READ8          
    6262564 |    6275364 | Tag | 2b  00  00  00  00  00  00  00  00  13  ef                      |  ok |           
    6372416 |    6399808 | Rdr | 02  2c  00  00  00  00  00  00  00  00  35  8f  93  00  79  8d  |  ok | READ8          
    6401044 |    6413780 | Tag | 2c  00  00  00  00  00  00  00  00  f1  06                      |  ok |           
    6513232 |    6540608 | Rdr | 02  2d  00  00  00  00  00  00  00  00  35  8f  93  00  d4  88  |  ok | READ8          
    6541860 |    6554596 | Tag | 2d  00  00  00  00  00  00  00  00  0c  4b                      |  ok |           
    6661680 |    6689072 | Rdr | 02  2e  00  00  00  00  00  00  00  00  35  8f  93  00  23  86  |  ok | READ8          
    6690324 |    6703124 | Tag | 2e  00  00  00  00  00  00  00  00  0b  9d                      |  ok |           
    6800176 |    6827568 | Rdr | 02  2f  00  00  00  00  00  00  00  00  35  8f  93  00  8e  83  |  ok | READ8          
    6828820 |    6841620 | Tag | 2f  00  00  00  00  00  00  00  00  f6  d0                      |  ok |           
    6942784 |    6970176 | Rdr | 02  30  00  00  00  00  00  00  00  00  35  8f  93  00  75  ec  |  ok | READ8          
    6971412 |    6984212 | Tag | 30  00  00  00  00  00  00  00  00  4a  b9                      |  ok |           
    7084224 |    7111600 | Rdr | 02  31  00  00  00  00  00  00  00  00  35  8f  93  00  d8  e9  |  ok | READ8          
    7112836 |    7125636 | Tag | 31  00  00  00  00  00  00  00  00  b7  f4                      |  ok |           
    7220368 |    7247760 | Rdr | 02  32  00  00  00  00  00  00  00  00  35  8f  93  00  2f  e7  |  ok | READ8          
    7248996 |    7261732 | Tag | 32  00  00  00  00  00  00  00  00  b0  22                      |  ok |           
    7361232 |    7388608 | Rdr | 02  33  00  00  00  00  00  00  00  00  35  8f  93  00  82  e2  |  ok | READ8          
    7389860 |    7402596 | Tag | 33  00  00  00  00  00  00  00  00  4d  6f                      |  ok |           
    7493888 |    7521264 | Rdr | 02  34  00  00  00  00  00  00  00  00  35  8f  93  00  c1  fa  |  ok | READ8          
    7522516 |    7535316 | Tag | 34  00  00  00  00  00  00  00  00  af  86                      |  ok |           
    7628288 |    7655680 | Rdr | 02  35  00  00  00  00  00  00  00  00  35  8f  93  00  6c  ff  |  ok | READ8          
    7656932 |    7669732 | Tag | 35  00  00  00  00  00  00  00  00  52  cb                      |  ok |           
    7763888 |    7791280 | Rdr | 02  36  00  00  00  00  00  00  00  00  35  8f  93  00  9b  f1  |  ok | READ8          
    7792516 |    7805252 | Tag | 36  00  00  00  00  00  00  00  00  55  1d                      |  ok |           
    7897712 |    7925104 | Rdr | 02  37  00  00  00  00  00  00  00  00  35  8f  93  00  36  f4  |  ok | READ8          
    7926340 |    7939076 | Tag | 37  00  00  00  00  00  00  00  00  a8  50                      |  ok |           
    8034480 |    8061872 | Rdr | 02  38  00  00  00  00  00  00  00  00  35  8f  93  00  1d  c1  |  ok | READ8          
    8063108 |    8075844 | Tag | 38  00  00  00  00  00  00  00  00  80  c6                      |  ok |           
    8173008 |    8200416 | Rdr | 02  39  00  00  00  00  00  00  00  00  35  8f  93  00  b0  c4  |  ok | READ8          
    8201652 |    8214388 | Tag | 39  00  00  00  00  00  00  00  00  7d  8b                      |  ok |           
    8310960 |    8338352 | Rdr | 02  3a  00  00  00  00  00  00  00  00  35  8f  93  00  47  ca  |  ok | READ8          
    8339588 |    8352388 | Tag | 3a  00  00  00  00  00  00  00  00  7a  5d                      |  ok |           
    8444800 |    8472176 | Rdr | 02  3b  00  00  00  00  00  00  00  00  35  8f  93  00  ea  cf  |  ok | READ8          
    8473428 |    8486228 | Tag | 3b  00  00  00  00  00  00  00  00  87  10                      |  ok |           
    8578064 |    8605440 | Rdr | 02  3c  00  00  00  00  00  00  00  00  35  8f  93  00  a9  d7  |  ok | READ8          
    8606692 |    8619428 | Tag | 3c  00  00  00  00  00  00  00  00  65  f9                      |  ok |           
    8714272 |    8741648 | Rdr | 02  3d  00  00  00  00  00  00  00  00  35  8f  93  00  04  d2  |  ok | READ8          
    8742900 |    8755636 | Tag | 3d  00  00  00  00  00  00  00  00  98  b4                      |  ok |           
    8849888 |    8877280 | Rdr | 02  3e  00  00  00  00  00  00  00  00  35  8f  93  00  f3  dc  |  ok | READ8          
    8878532 |    8891332 | Tag | 3e  00  00  00  00  00  00  00  00  9f  62                      |  ok |           
    8985504 |    9012896 | Rdr | 02  3f  00  00  00  00  00  00  00  00  35  8f  93  00  5e  d9  |  ok | READ8          
    9014132 |    9026932 | Tag | 3f  00  00  00  00  00  00  00  00  62  2f                      |  ok |           
   10814544 |   10829664 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   10830852 |   10840132 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   12600944 |   12616064 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   12617252 |   12626532 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   14386624 |   14401760 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   14402932 |   14412212 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   16170384 |   16185520 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   16186708 |   16195988 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   17954944 |   17970080 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   17971268 |   17980548 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   19739712 |   19754848 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   19756020 |   19765300 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   21524080 |   21539216 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   21540404 |   21549684 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   23328672 |   23343808 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   23344996 |   23354276 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   25129984 |   25145104 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   25146292 |   25155572 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   26933232 |   26948368 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   26949556 |   26958836 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   28738320 |   28753456 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   28754644 |   28763924 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   30539280 |   30554416 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   30555604 |   30564884 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   32397920 |   32413040 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   32414228 |   32423508 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   34197344 |   34212480 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   34213652 |   34222932 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   35987488 |   36002608 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   36003796 |   36013076 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   37777104 |   37792240 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   37793428 |   37802708 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   39572176 |   39587296 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   39588484 |   39597764 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
   41374384 |   41389504 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
   41390692 |   41399972 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
proxmark3> 

This one seems ok !!

Last edited by asper (2015-03-21 23:01:15)

Offline

#52 2015-03-22 10:26:13

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

If you don't get a response to WUPA, the subsequent commands will fail (and this is OK).

Maybe I should have been more specific. The WUPA brings the tag into Ready state. Without it, it will not accept commands. This means, that the field needs to stay on (option -p) and the tag needs to remain in the field (don't remove it) after WUPA.

And the usual advice still holds: don't place the tag directly on the antenna, leave a certain distance.

If you still have problems, please provide a hf list topaz after the WUPA and after the RID (it builds up until the field is switched off).

Offline

#53 2015-03-22 18:00:18

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

hf 14a raw -p -T 26
No answer

The wupa with T option does not work while it does without T, how can i make it to work?

Can you please provide a command sequence i can test without commit any error?

Offline

#54 2015-03-22 18:33:20

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

You need the -a option (switch on HF field) with the WUPA if it is the first command:

hf 14a raw -a -p -T 26

I checked the code again and again and can't find an error yet. What does hf list topaz show after the unsuccessful WUPA?

btw: I have ordered some Topaz tags last Friday evening. If we are lucky I will have them available tomorrow evening and will not need to bother you for debugging the basic functionalities...

Offline

#55 2015-03-23 08:29:48

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

You are noth bothering me, i am happy to test i just only have little time those weeks wink

Offline

#56 2015-03-23 08:37:48

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

proxmark3>  hf 14a raw -a -p -T 26
received 0 octets          
proxmark3> 
proxmark3>  hf list topaz f
Recorded Activity (TraceLen = 10 bytes)          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |       1312 | Rdr | 26                                                              |     | REQA          
proxmark3> 
proxmark3>  hf 14a raw   -p -a   -b 7 26
received 2 octets          
00 0C           
proxmark3>
proxmark3>  hf list topaz f
Recorded Activity (TraceLen = 21 bytes)          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |       1056 | Rdr | 26                                                              |     | REQA          
      1056 |      2228 |     | fdt (Frame Delay Time): 1172          
       2228 |       4596 | Tag | 00  0c                                                          |     |           
proxmark3> 

Last edited by asper (2015-03-23 12:55:31)

Offline

#57 2015-03-23 10:09:13

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

What's the difference between the two hf list topaz?

Offline

#58 2015-03-23 10:21:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

The latter has a tag response 00 0c..

Offline

#59 2015-03-23 10:34:00

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

Thanks, I had seen that  roll . Rephrasing the question: what did you do before the second hf list topaz?

Offline

#60 2015-03-23 12:56:00

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

Updated the code, sorry I pasted it only partly.

Offline

#61 2015-03-23 15:49:20

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

From the duration (1312 compared to 1056) in the first list I would conclude that this is transferred 8 bits with parity (i.e. not in Topaz protocol which would be 7 bits and no parity)

I hardly dare to ask: did you flash the Proxmark with the recent version?

Offline

#62 2015-03-23 16:01:18

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

Don't know about Asper,  but I have flashed,  and get the time 1056,  but with -T no answer from tag.  and with -b -7,  I get 000c response.

Offline

#63 2015-03-23 20:37:58

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

My Topaz tags arrived today. I was eager to debug my code and did a first test. And guess what? Worked like a charm!

proxmark3> hf 14a raw -a -p -T 26
received 2 octets
00 0C
proxmark3> hf 14a raw -p -c -T 78 00 00 00 00 00 00
received 8 octets
12 4C 8D BD 64 00 92 DA
proxmark3> hf 14a raw -p -c -T 00 00 00 8D BD 64 00
received 124 octets
12 4C 8D BD 64 00 00 10 25 00 E1 10 3F 00 01 03 F2 30 33 02 03 F0 02 03 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55
 55 AA AA 12 4C 06 00 01 E0 00 00 00 00 00 00 D0 0D
proxmark3> hf list topaz
Recorded Activity (TraceLen = 366 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       1056 | Rdr | 26                                                              |     | REQA
       2228 |       4596 | Tag | 00  0c                                                          |     |
  238438784 |  238496288 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID
  238497460 |  238506804 | Tag | 12  4c  8d  bd  64  00  92  da                                  |  ok |
 1003075456 | 1003132960 | Rdr | 00  00  00  8d  bd  64  00  99  5d                              |  ok | RALL
 1003134132 | 1003146036 | Tag | 12  4c  8d  bd  64  00  00  10  25  00  e1  10  3f  00  01  03  |     |
            |            |     | f2  30  33  02  03  f0  02  03  03  00  00  00  00  00  00  00  |     |
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |
            |            |     | 00  00  00  00  00  00  00  00  00  00  55  55  aa  aa  12  4c  |     |
            |            |     | 06  00  01  e0  00  00  00  00  00  00  d0  0d                  |  ok |
proxmark3>

I have no idea what happened at your side. Maybe do a make clean before compiling?

Offline

#64 2015-03-23 21:21:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

yup, compiled and flashed your branch.  Worked better than mine with this new -T command.

still on a sidenote, I can still hardly use the "hf" commands anymore for all "collisions" and "can't select tag" / "iso1443a card select failed". 
[Edit] I copied the *.bit files from your branch,  seem to working better now.  not perfect, but at least working.

Last edited by iceman (2015-03-23 22:19:28)

Offline

#65 2015-03-23 22:54:35

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

Piwi dunno what happend but you were right, I reflashed with a make clean and it works !

proxmark3>  hf 14a raw -a -p -T 26
received 2 octets          
00 0C           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 78 00 00 00 00 00 00
received 8 octets          
12 4C 35 8F 93 00 C0 5C           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 00 00 00 35 8F 93 00
received 124 octets          
12 4C 35 8F 93 00 00 10 25 00 E1 10 3F 00 01 03 F2 30 33 02 03 F0 02 03 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 55 AA AA 12 4C 06 00 01 E0 00 00 00 00 00 00 50 AF           
proxmark3> 
proxmark3>  hf list topaz
Recorded Activity (TraceLen = 456 bytes)          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |       1056 | Rdr | 26                                                              |     | REQA          
       2228 |       4596 | Tag | 00  0c                                                          |     |           
  122576768 |  122634272 | Rdr | 78  00  00  00  00  00  00  d0  43                              |  ok | RID          
  122635444 |  122644724 | Tag | 12  4c  35  8f  93  00  c0  5c                                  |  ok |           
  226454016 |  667334048 | Rdr | 00  00  00  8d  bd  64  00  99  5d  00  00  00  35  8f  93  00  | !crc| RALL          
  667339904 |  667348064 | Rdr | cb  db                                                          |     | ?          
  667349300 |  667361140 | Tag | 12  4c  35  8f  93  00  00  10  25  00  e1  10  3f  00  01  03  |     |           
            |            |     | f2  30  33  02  03  f0  02  03  03  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  |     |           
            |            |     | 00  00  00  00  00  00  00  00  00  00  55  55  aa  aa  12  4c  |     |           
            |            |     | 06  00  01  e0  00  00  00  00  00  00  50  af                  |  ok |           
proxmark3> 

Great ! I am sorry you had to buy some tags.

Last edited by asper (2015-03-23 22:55:08)

Offline

#66 2015-03-23 22:59:42

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

@iceman: 1st you tested with option -T ("no answer from tag"), then compiled and flashed my branch, then copied the *.bit files. I am quite confused. How can you get it piece by piece when a git clone or git pull gives you everything at once? On which commit are you testing?

Offline

#67 2015-03-23 23:21:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

Nay, not that hard.  I git pull the whole branch, but only pick point out some stuff over to my own branch via a merge software.
That works very well.  But binaries seems not to work as well as wanted.  The git branches and me doesn't work very well.
I did a fresh recompile from you branch this time, and used your client.   Fixes the topaz issue.  You did a great job implementing it without a tag to test smile

Offline

#68 2015-03-24 08:45:29

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

Doesn't seem to be a good idea IMHO because

  • You create a version with both your and my bugs plus bugs introduced by merging. Not a good basis for testing...

  • Git will not be aware of your merge software, i.e. you create separate commits for the same change. When you and me will merge our branches to master, every code change (well, at least my code changes and any other you are "merging" this way from other repositories) will appear twice in the git log.

iceman wrote:

still on a sidenote, I can still hardly use the "hf" commands anymore for all "collisions" and "can't select tag" / "iso1443a card select failed". 
[Edit] I copied the *.bit files from your branch,  seem to working better now.  not perfect, but at least working.

I will pull your repository and check...

Offline

#69 2015-03-24 09:51:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

Normally I merge from Pm3 master via git, I get all your  commited code.  After that I can start commit code aswell,  but the thing is I have my branch, then I want to test some code from Marshmellow and from you in one place,  that leaves me with merging nevertheless.

Since I know your high quality patches usually is godsent,  regarding the fpga / arm,  I usually want it as fast a possible.  == merging into my fork.  Same goes for Holimans patches.    But now I fear the fpgacode (I can't compile it, since I dont have the verilog compiler installed) is out of sync.   Ie pulling Pm3 master is different from yours.

Offline

#70 2015-03-25 15:07:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

@Piwi,   when I revert my fpga_hf.bit  to one from january 2015,  my HF commands starts working again.
That indicates something didn't go as planned in later versions.

Offline

#71 2015-03-25 23:09:46

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

Pushed another commit to my repository. Implemented hf topaz reader. This is still WIP but you may please test, comment and suggest improvements.

Offline

#72 2015-04-03 12:42:47

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

Hi piwi ! I saw you changed some stuff in the topaz command; can you list the new commands so I can update the gui ? Thank you !

Offline

#73 2015-04-04 15:45:36

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

Welcome back asper. This is still work in progress and on my repository only. I had waited for you to test my latest modifications before I proceed. Available up to now are

  • hf list topaz

  • hf topaz snoop

  • hf topaz reader

But this list of commands will change (also depending on your feedback) and I therefore think it is too early to modify the gui.

Offline

#74 2015-04-04 21:28:55

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

It was a busy week my friend tongue ...
Is your topaz branch updated with the latest 2.0.0 code ? If so I am going to test it just tomorrow ! If not I will need to downgrade the bootrom and firmware; let me know if you can.

Last edited by asper (2015-04-04 21:30:09)

Offline

#75 2015-04-04 21:36:18

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: TOPAZ

Oh, we should tag the bootrom change as a new version! I'm out travelling right now though...

Offline

#76 2015-04-05 09:47:02

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

Mmmmmmm I just compiled the piwi topaz branch code and fpgaimage.elf is still present so I think I cannot flash the fullimage with bootrom 2.0.0... can I ?

Offline

#77 2015-04-05 19:40:33

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

I have merged master into my topaz branch. It should now be safe to flash the os only.

@holiman: the bootloader itself didn't change. But it indeed needs to be linked and flashed anew because of the changed os start address. I don't think that this justifies a new version tag.

Offline

#78 2015-04-05 20:18:26

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: TOPAZ

I meant since it's not backwards-compatible, not that it's a major feature...?

Offline

#79 2015-04-05 20:58:58

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

I agree with holiman.
I will test the new 2.0.0 compatible topaz branch tomorrw, thank you piwi !!

Offline

#80 2015-04-05 22:15:31

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

I tested ALL the available commands and, as predicted, they are ALL supported by my Topaz:

Note: If you do not erase a byte (commands write-but-not-erase) it will not change so write with no erase seems to work with value 00 only (must be verified!)

proxmark3>  hf 14a raw -a -p -T 26
received 2 octets          
00 0C           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 78 00 00 00 00 00 00
received 8 octets          
12 4C 35 8F 93 00 C0 5C           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 00 00 00 35 8F 93 00
received 124 octets          
12 4C 35 8F 93 00 00 10 25 00 E1 10 3F 00 01 03 F2 30 33 02 03 F0 02 03 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 55 AA AA 12 4C 06 00 

01 E0 00 00 00 00 00 00 50 AF           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 010000358F9300
received 4 octets          
00 35 69 69           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 010100358F9300
received 4 octets          
01 8F 60 6A           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 011A00358F9300
received 4 octets          
1A 00 A6 67           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 531ABB358F9300
received 4 octets          
1A BB FE 6C           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 011A00358F9300
received 4 octets          
1A BB FE 6C           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 531A00358F9300
received 4 octets          
1A 00 A6 67           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 011A00358F9300
received 4 octets          
1A 00 A6 67           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 1A1ABB358F9300
received 4 octets          
1A BB FE 6C           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 1A1A00358F9300
received 4 octets          
1A BB FE 6C           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 531A00358F9300
received 4 octets          
1A 00 A6 67           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 100F0000000000000000358F9300
received 131 octets          
0F 35 8F 93 00 00 10 25 00 E1 10 3F 00 01 03 F2 30 33 02 03 F0 02 03 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 55 AA AA 12 4C 06 00 01 

E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 72 C8           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 02FF0000000000000000358F9300
received 11 octets          
FF 00 00 00 00 00 00 00 00 D6 0D           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 54FF1122334455667788358F9300
received 11 octets          
FF 00 00 00 00 00 00 00 00 D6 0D           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 1BFF1122334455667788358F9300
received 11 octets          
FF 00 00 00 00 00 00 00 00 D6 0D           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 540A1122334455667788358F9300
received 11 octets          
0A 11 22 33 44 55 66 77 88 EE 21           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 1B0A0000000000000000358F9300
received 11 octets          
0A 11 22 33 44 55 66 77 88 EE 21           
proxmark3> 
proxmark3>  hf 14a raw -p -c -T 540A0000000000000000358F9300
received 11 octets          
0A 00 00 00 00 00 00 00 00 D7 55           
proxmark3> 

I think your code is fully working piwi !

Last edited by asper (2015-04-05 23:56:30)

Offline

#81 2015-04-05 23:58:02

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

Oh another curiosity: commands 10 should return 130 bytes while in my topaz it gives back 131 bytes... dunno why !

EDIT
Sorry, I was wrong, datasheet (page19 says 131 bytes...)

Last edited by asper (2015-04-06 00:00:46)

Offline

#82 2015-04-06 03:11:14

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

Any comments on hf topaz reader? Do we need more output or is it already "too much NFC"?

Offline

#83 2015-04-06 03:17:08

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

And regarding the latest discussion on coding at device or client side: I made only minimum changes in ARM code (just enough to support the low level Topaz protocol). All of hf topaz reader is implemented on client side. Comments?

Offline

#84 2015-04-06 08:08:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

I think yr division of code is good. If someone later on wants to simulate a topaz, they can implement it on the deviceside

Offline

#85 2015-04-06 08:54:21

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

piwi wrote:

Any comments on hf topaz reader? Do we need more output or is it already "too much NFC"?

The more info the better in my opinion ! I will add all those info to other reader commands where applicable !!

ATQA : 0c 00
HR0  : 12 (a Topaz tag (capable of carrying a NDEF message), dynamic memory map)
HR1  : 4c
UID  : 25 10 00 00 93 8f 35
       UID[6] (Manufacturer Byte) = 25, Manufacturer: Innovision Research and Technology Plc UK

Static Data blocks 00 to 0c:
block# | offset | Data                    | Locked?
  0x00 |  0x00  | 35 8f 93 00 00 10 25 00 |   yes
  0x01 |  0x08  | e1 10 3f 00 01 03 f2 30 |   no 
  0x02 |  0x10  | 33 02 03 f0 02 03 03 00 |   no 
  0x03 |  0x18  | 00 00 00 00 00 00 00 00 |   no 
  0x04 |  0x20  | 00 00 00 00 00 00 00 00 |   no 
  0x05 |  0x28  | 00 00 00 00 00 00 00 00 |   no 
  0x06 |  0x30  | 00 00 00 00 00 00 00 00 |   no 
  0x07 |  0x38  | 00 00 00 00 00 00 00 00 |   no 
  0x08 |  0x40  | 00 00 00 00 00 00 00 00 |   no 
  0x09 |  0x48  | 00 00 00 00 00 00 00 00 |   no 
  0x0a |  0x50  | 00 00 00 00 00 00 00 00 |   no 
  0x0b |  0x58  | 00 00 00 00 00 00 00 00 |   no 
  0x0c |  0x60  | 00 00 00 00 00 00 00 00 |   no 

Static Reserved block 0d:
  0x0d |  0x68  | 55 55 aa aa 12 4c 06 00 |   n/a

Static Lockbits and OTP Bytes:
  0x0e |  0x70  | 01 e0 00 00 00 00 00 00 |   n/a

Capability Container: e1 10 3f 00
  e1: NDEF Magic Number
  10: version 1.0 supported by tag
  3f: Physical Memory Size of this tag: 512 bytes
  00: Read access granted without any security / Write access granted without any security

Lock Area of 48 bits at byte offset 0x7a. Each Lock Bit locks 8 bytes.

Reserved Memory of 2 bytes at byte offset 0x78.

I think a command to fully dump the tag will be useful.

Offline

#86 2015-05-02 23:27:16

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: TOPAZ

Hey Asper,

Earlier in the thread you mentioned that the Nintendo Amiibo use TOPAZ. How did you determine this? All my testing indicates that they are mifare ultralight-c.

Thanks!

Offline

#87 2015-05-03 09:31:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

If you have an amiibo, you can test it with the topaz commands,  if it answers back then you know.

Offline

#88 2015-05-03 17:46:28

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: TOPAZ

Well, iceman, as per the other thread... amiibos may actually be some variation of Ultralight EV1 (they are not MF0UL11 or MF0UL21). They respond to EV1's GET_VERSION and PWD_AUTH commands just fine. This is why I wanted to ask Asper how he'd come to the conclusion of them being TOPAZ. I'll try piwi's branch with TOPAZ support and test, but amiibos being EV1s seems more probably at this time.

Offline

#89 2015-05-03 17:56:50

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: TOPAZ

I take my previos statement back. Amiibos (at least Megaman and Sonic) are NTAG215.

The reply to GET_VERSION matches that of the NTAG215 as per this datasheet:

https://dangerousthings.com/wp-content/uploads/2013/12/NTAG213_215_216.pdf

proxmark3> hf 14a raw -s -c 60
received 7 octets
04 1A 9B 82 C2 3E 80
received 10 octets
00 04 04 02 01 00 11 03 01 9E

Offline

#90 2015-10-25 13:09:27

securitoys
Contributor
Registered: 2015-06-13
Posts: 19

Re: TOPAZ

Hi, wanted to follow up on this.

The Jewel/Topaz toys are pre-Amiibo NFC toys used for the 2013 Wii U game Pokemon Rumble U / Pokemon Scramble U.

Official site: http://www.pokemonrumble.com/RumbleU/en/nfc/

Full list of figures: http://www.serebii.net/rumbleu/figures/figures.shtml

As asper noted, some blocks seem consistent between figures:

Block 0 is the UID (4 bytes), I've seen the next two bytes be 0010 or 0002, and then consistently 2500
Block 1 always seems to be e1113f00 0103f230
Block 2 always seems to be 330203f0 020303ff, except in asper's post, where the last byte is 00.
Block 3 always seems to be 014ec500 00000148, except in asper's post, where it's all 00.

Block 13 always seems to be 5555aaaa 124c0600
Block 14 always seems to be 01e00000 00000000, except in asper's post, where the last two bytes were 50af, which I'm not sure how it's possible if it's always locked
Block 15 always seems to be 00000000 0000ffff), except in asper's post, where the last two bytes were 0000

I have data on two figures that are the same, but there don't seem to be any bytes that are the same between them, but different between other figures, to identify a figure model number.  I don't have a Wii U, so I can't try emulating it and flipping bits.

asper, what figures do you have, and can I get dumps of them?

Offline

#91 2015-10-26 08:46:37

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

Amiibos had been totally reversed, look at this thread in the forum (I suppose the topaz content can be decrypted the same way as the ntag content - not tested).

Last edited by asper (2015-10-26 08:48:38)

Offline

#92 2015-10-26 17:07:46

securitoys
Contributor
Registered: 2015-06-13
Posts: 19

Re: TOPAZ

asper wrote:

(I suppose the topaz content can be decrypted the same way as the ntag content - not tested).

Not tested.  smile

I'm putting together some dumps for testing, and if you have any figures, they would be helpful.  It's not the same memory size or data layout as the NTAG215 figures, so a naive decryption attempt with amiitool doesn't work.

Offline

#93 2015-10-27 08:51:57

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: TOPAZ

Added a topaz dump (found on the web) to the 1st post. Encrypted data are only a part (big part) of the NTAG and TOPAZ; the encryption should be the same.

I also think to have an explanation for the 1st 4 "reserved" bytes... iceman ? smile

Last edited by asper (2015-10-27 10:12:20)

Offline

#94 2015-10-27 10:41:11

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

there is somewhere a datamap or?  I don't remember anymore.

Offline

#95 2015-10-27 12:54:57

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: TOPAZ

This reminds me of my Topaz branch which is still dormant in my repository. I currently don't find the time to add more commands  but will raise a Pull Request so that others can better contribute to it.

Offline

#96 2015-11-01 10:16:47

securitoys
Contributor
Registered: 2015-06-13
Posts: 19

Re: TOPAZ

Ah, that explains why I couldn't get it working through iceman's branch.

I just pulled down piwi's topaz branch, compiled it, flashed the bootrom and OS, but it's not giving me the same results you were seeing:

proxmark3> hf topaz reader
Error: couldn't receive ATQA          


proxmark3> hf list topaz
Recorded Activity (TraceLen = 10 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |        992 | Rdr | 52                                                              |     | WUPA          


proxmark3> hf 14a raw -a -p -T 26
received 0 octets          


proxmark3> hf list topaz
Recorded Activity (TraceLen = 10 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |       1056 | Rdr | 26                                                              |     | REQA          


proxmark3> hf 14a raw -p -c -T 00 00 00 d2 f4 21 00
received 0 octets          


proxmark3> hf list topaz
Recorded Activity (TraceLen = 100 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |       1056 | Rdr | 26                                                              |     | REQA          
 -1782418048 | -1782360608 | Rdr | 00  00  00  d2  f4  21  00  c0  98                              |  ok | RALL          

What am I missing?

Offline

#97 2015-11-01 12:19:38

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

piwi's topaz commands is in my fork..  it should work, @asper verified and tested them....

Offline

#98 2015-11-01 13:53:24

securitoys
Contributor
Registered: 2015-06-13
Posts: 19

Re: TOPAZ

Hrm.  Okay, pulled down the latest from iceman's fork, rebuilt, flashed bootrom and OS.  Same issue:

pm3 --> hf topaz reader
Error: couldn't receive ATQA          
pm3 --> hf list topaz
Recorded Activity (TraceLen = 10 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |        992 | Rdr |52                                                               |     | WUPA          
pm3 --> hf 14a raw -a -p -T 26
received 0 octets          
pm3 --> hf list topaz
Recorded Activity (TraceLen = 10 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |       1056 | Rdr |26                                                               |     | REQA          
pm3 --> hf 14a raw -p -c -T 00 00 00 d2 f4 21 00
received 0 octets          
pm3 --> hf list topaz
Recorded Activity (TraceLen = 100 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |       1056 | Rdr |26                                                               |     | REQA          
  162938240 |  162995680 | Rdr |00  00  00  d2  f4  21  00  c0  98                               |  ok | RALL  

Could something have broken it?  Should I try a build from piwi's fork from April or May?  Or am I just missing something else?

Offline

#99 2015-11-01 14:08:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: TOPAZ

doesn't look like a topaz..

Offline

#100 2015-11-03 15:11:04

securitoys
Contributor
Registered: 2015-06-13
Posts: 19

Re: TOPAZ

Okay, turns out I was just having antenna issues.  Using iceman's latest branch I now get:

pm3 --> hf topaz reader
ATQA : 0c 00          
HR0  : 12 (a Topaz tag (capable of carrying a NDEF message), dynamic memory map)          
HR1  : 4c          
UID  : 25 10 00 00 21 f4 d2          
       UID[6] (Manufacturer Byte) = 25, Manufacturer: Innovision Research and Technology Plc UK          
          
Static Data blocks 00 to 0c:          
block# | offset | Data                    | Locked?          
  0x00 |  0x00  | d2 f4 21 00 00 10 25 00 |   yes          
  0x01 |  0x08  | e1 11 3f 00 01 03 f2 30 |   no           
  0x02 |  0x10  | 33 02 03 f0 02 03 03 ff |   no           
  0x03 |  0x18  | 01 4e c5 00 00 00 01 48 |   no           
  0x04 |  0x20  | 47 40 a8 ea 3a ff d6 6e |   no           
  0x05 |  0x28  | 3b e7 ae e9 a3 8d a6 31 |   no           
  0x06 |  0x30  | 1b 13 7a 6d f4 4e cf 28 |   no           
  0x07 |  0x38  | f1 8a 6e 35 48 d9 a4 80 |   no           
  0x08 |  0x40  | 4e 4f 46 54 01 00 00 00 |   no           
  0x09 |  0x48  | fd 34 53 69 b4 86 13 18 |   no           
  0x0a |  0x50  | 31 49 ca 22 4c e4 dd ee |   no           
  0x0b |  0x58  | a7 67 dd b3 64 99 30 b4 |   no           
  0x0c |  0x60  | 25 96 6a 4f 34 8d e0 1a |   no           
          
Static Reserved block 0d:          
  0x0d |  0x68  | 55 55 aa aa 12 4c 06 00 |   n/a          
          
Static Lockbits and OTP Bytes:          
  0x0e |  0x70  | 01 e0 00 00 00 00 00 00 |   n/a          
          
Capability Container: e1 11 3f 00          
  e1: NDEF Magic Number          
  11: version 1.1 supported by tag          
  3f: Physical Memory Size of this tag: 512 bytes          
  00: Read access granted without any security / Write access granted without any security          
          
Lock Area of 48 bits at byte offset 0x7a. Each Lock Bit locks 8 bytes.          
          
Reserved Memory of 2 bytes at byte offset 0x78.          

I have also successfully used

raw -T

to perform READ-8 and WRITE-8.

Offline

Board footer

Powered by FluxBB