Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Les contamines
kid E
Reading memory from tag UID=E016246608632043
Tag Info: EM-Marin SA (Skidata)
Block 0 D8 08 56 2B ..V+
Block 1 42 18 60 20 B.`
Block 2 00 38 00 A0 .8..
Block 3 1C 48 33 00 .H3.
Block 4 1B 00 00 00 ....
Block 5 00 00 00 00 ....
Block 6 00 00 00 00 ....
Block 7 00 00 00 00 ....
Block 8 00 00 00 00 ....
Block 9 00 00 00 00 ....
Block 10 00 00 00 00 ....
Block 11 00 00 00 00 ....
Block 12 00 00 00 00 ....
Block 13 00 00 00 00 ....
Block 14 00 00 00 00 ....
Block 15 00 00 00 00 ....
Block 16 00 00 00 00 ....
Block 17 00 00 00 00 ....
Block 18 00 00 00 00 ....
Block 19 00 00 00 00 ....
Block 20 00 00 00 00 ....
Block 21 00 00 00 00 ....
Block 22 00 00 00 00 ....
Block 23 00 00 00 00 ....
Block 24 00 00 00 00 ....
Block 25 00 00 00 00 ....
Block 26 00 00 00 00 ....
Block 27 00 00 00 00 ....
Block 28 2A 80 53 42 *.SB
Block 29 20 90 53 42 .SB
Block 30 33 00 00 00 3...
Block 31 00 00 00 00 ....
Block 32 00 00 00 00 ....
Block 33 00 00 00 00 ....
Block 34 00 00 00 00 ....
Block 35 00 00 00 00 ....
Block 36 00 00 00 00 ....
Block 37 00 00 00 00 ....
Block 38 00 00 00 00 ....
Block 39 00 00 00 00 ....
Block 40 00 00 00 00 ....
Block 41 00 00 00 00 ....
Block 42 D0 0A 39 18 ..9.
Block 43 C0 05 1B 13 ....
Block 44 F9 F4 7E 89 ..~.
Block 45 53 0F 6F 1A S.o.
Block 46 D0 94 0D AE ....
Block 47 16 00 00 00 ....
Block 48 00 00 80 7B ...{
Block 49 00 38 3C 27 .8<'
Block 50 00 00 00 00 ....
Block 51 00 00 00 00 ....
Tag returned Error 15: Unknown error.
Offline
Consecutive dumps of the same tag are needed to better understand; anyway tomorrow I will try to compare what you just posted, thank you.
EDIT:
for each tag you should send the ISO15693 raw command:
hf 15 cmd sysinfo -2 u
and post the answer from the tag.
Also day and time are important, so if possible, when you use the tag with the turnstile, remember or write down somewhere the date and time of the single passage (after a single passage you should read the tag content [dump] to see what changes).
Last edited by asper (2013-12-05 10:06:32)
Offline
here is the result from hf 15 cmd sysinfo -2 u
proxmark3> hf 15 cmd sysinfo -2 u
0F 43 20 63 08 66 24 16 E0 02 00 33 03 02
UID = E016246608632043
EM-Marin SA (Skidata)
DSFID supported, set to 02
AFI supported, set to 000
Tag provides info on memory layout (vendor dependent)
4 (or 3) bytes/page x 52 pages
IC reference given: 02
I'll take my proxmark when going skiing this winter and check before and after the turnstile.
Offline
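As an added example (not code from the thread or from the Proxmark client), this decodes the 14 bytes that the client prints for hf 15 cmd sysinfo, info flags first and UID least-significant byte first, and rebuilds the UID / memory-layout lines shown above. The two embedded responses are copied from the thread: the EM-Marin one above and the Texas Instruments one posted further down.

```python
# Added example: decode an ISO 15693 "Get System Information" response in the
# form the Proxmark client prints it (info flags first, no leading response-flags
# byte and no CRC). Sample responses are the two posted in this thread.
from dataclasses import dataclass
from typing import Optional

# ISO/IEC 7816-6 manufacturer codes: second byte of an E0-prefixed UID
MANUFACTURERS = {
    0x04: "NXP Semiconductors (Philips)",
    0x07: "Texas Instruments",
    0x16: "EM Microelectronic-Marin SA",
}

# Constructed inputs, copied from the thread: an EM-Marin Skidata tag and a TI Tag-it tag
EM_SYSINFO = "0F 43 20 63 08 66 24 16 E0 02 00 33 03 02"
TI_SYSINFO = "0F 71 A9 EA 2A 00 00 07 E0 01 00 3F 03 8B"


@dataclass
class SysInfo:
    uid: str                      # printed most-significant byte first, as the client does
    manufacturer: str
    dsfid: Optional[int]
    afi: Optional[int]
    blocks: Optional[int]
    block_size: Optional[int]
    ic_ref: Optional[int]


def parse_sysinfo(hex_text: str) -> SysInfo:
    data = bytes.fromhex(hex_text)
    if len(data) < 9:
        raise ValueError("response too short for info flags + 8-byte UID")
    info_flags = data[0]
    uid_bytes = data[1:9][::-1]          # on the air the UID is sent LSB first
    if uid_bytes[0] != 0xE0:
        raise ValueError("not an ISO 15693 UID (expected E0 prefix)")
    mfr = MANUFACTURERS.get(uid_bytes[1], f"unknown (0x{uid_bytes[1]:02X})")

    pos = 9
    dsfid = afi = blocks = block_size = ic_ref = None
    if info_flags & 0x01:                # bit 0: DSFID present
        dsfid, pos = data[pos], pos + 1
    if info_flags & 0x02:                # bit 1: AFI present
        afi, pos = data[pos], pos + 1
    if info_flags & 0x04:                # bit 2: memory size = (blocks - 1), (bytes/block - 1) in low 5 bits
        blocks = data[pos] + 1
        block_size = (data[pos + 1] & 0x1F) + 1
        pos += 2
    if info_flags & 0x08:                # bit 3: IC reference present
        ic_ref, pos = data[pos], pos + 1
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} unexpected trailing byte(s)")
    return SysInfo(uid_bytes.hex().upper(), mfr, dsfid, afi, blocks, block_size, ic_ref)


def describe(info: SysInfo) -> str:
    """Render the same lines the Proxmark client prints for 'hf 15 cmd sysinfo'."""
    lines = [f"UID = {info.uid}", info.manufacturer]
    if info.dsfid is not None:
        lines.append(f"DSFID supported, set to {info.dsfid:02X}")
    if info.afi is not None:
        lines.append(f"AFI supported, set to {info.afi:03X}")
    if info.blocks is not None:
        lines.append(f"{info.block_size} bytes/page x {info.blocks} pages")
    if info.ic_ref is not None:
        lines.append(f"IC reference given: {info.ic_ref:02X}")
    return "\n".join(lines)


if __name__ == "__main__":
    for raw in (EM_SYSINFO, TI_SYSINFO):
        print(describe(parse_sysinfo(raw)), end="\n\n")
```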
Good, but you can also use an NFC-capable mobile phone (really easier); there are free apps to read those tags.
Offline
Hi oker,
thanks for sharing the information.
Many ski resorts use EM tags.
I have 2 types:
- one is EM4233
- and the other one has unknown model code 00101 (read it in binary)
What is your model?
Do you have a proxmark or another reader?
You said that this card can't be emulated.
This is wrong.
Maybe you meant "..this card today has no official firmware inside the proxmark able to emulate it".
What about the cloning? The UID is unique and not changeable. I don't know EM tags with a changeable UID. Do you?
Last edited by gaucho (2014-01-07 17:08:03)
Offline
Hi there,
very interesting topic here.
I own PM3+10 "3 vallées skipass marin" with UIDs and information about date, hour...
I also own 3 Chamonix and Les Houches Skidata passes,
all E016...
Let me know if I can help in any way, except programming, which I'm not able to do.
Offline
Well, I'm a bit curious about the EM tag and ski-data. If you want an extra eye, I'm at your disposal.
Offline
Hi all,
I would like to write things on an ISO15693 card (a skipass). How can I do it with my proxmark? I always get the following message and nothing is written (I checked):
proxmark3> hf 15 cmd write -2 u 0 00 00 00 00
timeout: no answer - data may be written anyway
Is it possible to write blocks on this kind of card? No need for any key like on a Mifare card?
thx!
Offline
@fgo: you should check what the model of your tag is, find its datasheet on Google, study it, and check if the write password is enabled. In that case you must know the password before writing it.
Last edited by gaucho (2014-01-30 13:20:35)
Offline
Hi all,
I'm back from holiday (France - Alps); I couldn't manage to write a valid ski pass.
I own a dump for every reload done during the week. I found some block rules. This is for 'Portes du Soleil': EM-Marin 63 x 32 blocks.
I will soon go to "3 vallées" (Skidata 51*32). I see some common structure and I would like to share our investment / dumps to progress..
Note: I don't want to publish data on a public thread, thanks to contact me in private.
Offline
hello everyone
I succeeded in reading all the data on the card.
CAN SOMEONE HELP ME?
I found two types of cards:
1: ISO 15693 or ICODE SLI with 52 blocks, and ICODE SLI-S with 40 blocks!
I use the NFC-V READER Android application to read/write data!
The card with 40 blocks can read all blocks and write.
Cards with 52 blocks cannot write but can read!
I tried to read all data from a 40-block card and write it to another card.
When I tried to use it at the terminal, the card was automatically deactivated. I think that I wrote block 0, and I saw that each card has a different block 0. All cards have 4 bytes in one block. Some blocks are the same every day.
Only block 0 changes with a different card, and blocks 20,21,22 change when I charge my card every day. On my card block 0 doesn't change, only 20,21,22 and 23,24,25 when I change between all-day charging, half-day and different mountains (1 or 3 mountains).
Can someone tell me which block contains the date, days and time of validity?
Look at this:
byte 1 byte 2 byte 3 byte 4
Block 20 B1 50 CA DA
Block 21 F9 35 6D 3C
Block 22 40 9A 08 E8
Only this code changes in my card, but sometimes when I change to all-day validity this too:
Block 23 14 00 99 0D
Block 24 00 00 40 9E
Block 25 00 28 4C 18
and some other day on the same card:
only
Block 23 00 00 C0 3F
and all of these blocks are for 3 mountains!
Can someone tell me more about how it works?
Thanks, best regards
Offline
I saw a flying UFO last night. Can you prove it?
Offline
huahahaha.
@vivat: you're the best.
I asked the "magic" Mifare Ultralight manufacturer if he could also manufacture these tags with a changeable UID.
He said that he will see if he can do it.
I think that the first thing we should do is to teach the PM3 to sniff on turnstiles.
Then we will see how to let it emulate these tags.
Of course, always just as a didactic matter.
Last edited by gaucho (2014-03-11 19:59:18)
Offline
My analysis is that these tags are similar to
http://www.emmicroelectronic.com/webfiles/product/rfid/ds/EM4233SLIC_DS.pdf
The one I have has write-protected blocks 0 to 3, and from 29 to 51.
Also they do respond to the B4 command (EM specific), showing the byte 04 (write protected) on the sectors that I mention.
Therefore I assume that to write these sectors the E4 login command should be issued first with a 32-bit password.
Unfortunately I cannot get an error response from the E4 command (so I don't know if the card actually supports it).
I doubt that turnstiles use the login command; they will just read the password.
So I assume that the writer has the password and it might also be calculated from the UID.
Offline
Some ski-data dumps from a friend's cards.
The first is an adult card
Number: 01-1614 7133 5346 0110 6064-6
Date issued 04-04-14
Other: TO5 17864 290314 1517 169,00
Second is a junior card
Number:01-1614 2029 1647 6936 3630-9
Date: 04-04-14
other: TO5 017894 290314 1520 118,00
proxmark3> hf 15 dumpmemory
Reading memory from tag UID=E016246606B25290
Tag Info: EM-Marin SA (Skidata)
Block 0 F0 08 27 2F ..'/
Block 1 82 18 40 20 ..@
Block 2 00 38 00 00 .8..
Block 3 1C 48 33 00 .H3. ;1C - location of data
Block 4 1B 00 00 00 .... ;1B - end location of this app?
Block 5 00 00 00 00 ....
Block 6 00 00 00 00 ....
Block 7 00 00 00 00 ....
Block 8 00 00 00 00 ....
Block 9 00 00 00 00 ....
Block 10 00 00 00 00 ....
Block 11 00 00 00 00 ....
Block 12 00 00 00 00 ....
Block 13 00 00 00 00 ....
Block 14 00 00 00 00 ....
Block 15 00 00 00 00 ....
Block 16 00 00 00 00 ....
Block 17 00 00 00 00 ....
Block 18 00 00 00 00 ....
Block 19 00 00 00 00 ....
Block 20 00 00 00 00 ....
Block 21 00 00 00 00 ....
Block 22 00 00 00 00 ....
Block 23 00 00 00 00 ....
Block 24 00 00 00 00 ....
Block 25 00 00 00 00 ....
Block 26 00 00 00 00 ....
Block 27 00 00 00 00 ....
Block 28 2A 80 53 42 *.SB ;2A - address of app_a, 80= 8 blocks in length, 5342 - static bytes?
Block 29 1F 90 53 42 ..SB ;1F - address of app_b, 90=9 blocks in length
Block 30 33 00 00 00 3... ;33 - last address of card
Block 31 00 00 00 00 .... ;start of app_b
Block 32 00 00 00 00 ....
Block 33 00 00 00 00 ....
Block 34 00 00 00 00 ....
Block 35 00 00 00 00 ....
Block 36 00 00 00 00 ....
Block 37 00 00 00 00 ....
Block 38 00 00 00 00 ....
Block 39 00 00 00 00 ....
Block 40 00 00 00 00 .... ;end of app_b
Block 41 00 00 00 00 ....
Block 42 60 13 64 1B `.d. ;start of app_a
Block 43 C0 05 1B 01 ....
Block 44 19 C0 33 A8 ..3.
Block 45 1B 00 F1 A0 ....
Block 46 30 7A A8 86 0z..
Block 47 20 00 00 00 ...
Block 48 00 00 40 BD ..@.
Block 49 00 20 C0 15 . ..
Block 50 00 00 00 00 .... ;end of app_a
Block 51 00 00 00 00 .... ;end of card
Tag returned Error 15: Unknown error.
proxmark3> hf 15 dumpmemory
Reading memory from tag UID=E00402005012C6AE
Tag Info: Philips
Block 0 9E 08 B2 D5 ....
Block 1 82 18 40 20 ..@
Block 2 1E 80 53 42 ..SB ;1e 80 - app_a address 8 blocks length
Block 3 14 20 53 42 . SB ;14 20 - app_b address 2 blocks length
Block 4 0A 90 53 42 ..SB ;0a 90 - app_c address 9 blocks length
Block 5 27 00 00 00 '... ;end of card
Block 6 00 00 00 00 ....
Block 7 00 00 00 00 ....
Block 8 00 00 00 00 ....
Block 9 00 00 00 00 ....
Block 10 00 00 00 00 .... ;start of app_c
Block 11 00 00 00 00 ....
Block 12 00 00 00 00 ....
Block 13 00 00 00 00 ....
Block 14 00 00 00 00 ....
Block 15 00 00 00 00 ....
Block 16 00 00 00 00 ....
Block 17 00 00 00 00 ....
Block 18 00 00 00 00 ....
Block 19 00 00 00 00 .... ;end of app_c
Block 20 00 00 00 00 .... ;start of app_b
Block 21 00 00 00 00 ....
Block 22 00 00 00 00 .... ;end of app_b
Block 23 00 00 00 00 ....
Block 24 00 00 00 00 ....
Block 25 00 00 00 00 ....
Block 26 00 00 00 00 ....
Block 27 00 00 00 00 ....
Block 28 00 00 00 00 ....
Block 29 00 00 00 00 ....
Block 30 60 13 64 1B `.d. ;start of app_a
Block 31 C0 05 1B 01 ....
Block 32 AD 8E 74 96 ..t.
Block 33 C5 54 B8 87 .T..
Block 34 70 7A 39 8C pz9.
Block 35 21 00 00 00 !...
Block 36 00 00 00 3D ...=
Block 37 00 10 B4 15 ....
Block 38 00 00 00 00 .... ;end of app_a
Block 39 00 00 00 00 .... ;end of card
Tag returned Error 15: Unknown error.
Last edited by midnitesnake (2014-04-27 10:37:06)
Offline
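As an added example (not code from the thread, from Skidata or from the Proxmark project), this parses a Proxmark hf 15 dumpmem listing and applies the layout hypothesis annotated in the dumps above: a directory entry is a block ending in "SB" (53 42), byte 0 is the first block of an application area, the high nibble of byte 1 is its length in blocks, and the block after the last entry carries the card's last block number. The embedded sample is the non-zero part of the EM-Marin dump above; the interpretation is the poster's inference, not a documented format.

```python
# Added example: resolve the "SB" directory entries of a Skidata dump into
# application-area block ranges, per the layout inferred in this thread.
import re
from typing import Dict, List, Tuple

# Constructed sample: the non-zero lines of the EM-Marin dump posted above;
# blocks not listed are all zero in that dump.
EM_DUMP = """\
Reading memory from tag UID=E016246606B25290
Tag Info: EM-Marin SA (Skidata)
Block 0 F0 08 27 2F ..'/
Block 1 82 18 40 20 ..@
Block 2 00 38 00 00 .8..
Block 3 1C 48 33 00 .H3.
Block 4 1B 00 00 00 ....
Block 28 2A 80 53 42 *.SB
Block 29 1F 90 53 42 ..SB
Block 30 33 00 00 00 3...
Block 42 60 13 64 1B `.d.
Block 43 C0 05 1B 01 ....
Block 44 19 C0 33 A8 ..3.
Block 45 1B 00 F1 A0 ....
Block 46 30 7A A8 86 0z..
Block 47 20 00 00 00 ...
Block 48 00 00 40 BD ..@.
Block 49 00 20 C0 15 . ..
Tag returned Error 15: Unknown error.
"""

BLOCK_RE = re.compile(r"^Block\s+(\d+)\s+((?:[0-9A-Fa-f]{2}\s+){3}[0-9A-Fa-f]{2})")
DIR_MARKER = b"SB"   # 53 42: the static tail of every directory entry in the thread's dumps


def parse_dump(text: str) -> Dict[int, bytes]:
    """Map block number -> 4 data bytes; blocks absent from the listing count as zero."""
    blocks: Dict[int, bytes] = {}
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            blocks[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return blocks


def find_directory(blocks: Dict[int, bytes]) -> List[Tuple[int, int, int]]:
    """Return (directory_block, first_app_block, length_in_blocks) for every 'SB' entry."""
    entries = []
    for idx in sorted(blocks):
        b = blocks[idx]
        if b[2:4] == DIR_MARKER:
            entries.append((idx, b[0], b[1] >> 4))   # high nibble of byte 1 = length
    return entries


def card_last_block(blocks: Dict[int, bytes]) -> int:
    """Byte 0 of the block right after the last directory entry (as in the EM and NXP dumps above)."""
    entries = find_directory(blocks)
    if not entries:
        raise ValueError("no directory entries found")
    marker = blocks.get(entries[-1][0] + 1)
    if marker is None or marker[1:4] != b"\x00\x00\x00":
        raise ValueError("end-of-card marker not where the layout hypothesis expects it")
    return marker[0]


def app_regions(blocks: Dict[int, bytes]) -> List[dict]:
    """Resolve each directory entry to its block range and data, checking the ranges are sane."""
    last = card_last_block(blocks)
    regions = []
    for n, (_, start, length) in enumerate(find_directory(blocks)):
        end = start + length - 1
        if length == 0 or end > last:
            raise ValueError(f"entry {n}: blocks {start}-{end} fall outside the card (last block {last})")
        data = b"".join(blocks.get(i, bytes(4)) for i in range(start, end + 1))
        regions.append({"name": f"app_{chr(ord('a') + n)}", "start": start, "end": end,
                        "data": data, "in_use": any(data)})
    # application areas must not overlap each other
    spans = sorted((r["start"], r["end"]) for r in regions)
    for (_, e1), (s2, _) in zip(spans, spans[1:]):
        if s2 <= e1:
            raise ValueError(f"overlapping application areas at block {s2}")
    return regions


if __name__ == "__main__":
    for r in app_regions(parse_dump(EM_DUMP)):
        state = "in use" if r["in_use"] else "empty"
        print(f"{r['name']}: blocks {r['start']}-{r['end']} {state} {r['data'].hex()}")
```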
Yes, post it
Offline
I thought I would help with some data as I was working with this and then found this thread.
This was at Ski Dubai in the U.A.E. The only difference between the last two codes is that one had a locker and the other did not (shared a locker with a friend). There do not seem to be any coded data integrity checks.
I only recorded the whole data (what was physically written on the card) with the first scan, as I only later started to realize how much easier it was going to be to analyse it.
I will only post the blocks that had information:
0 43 8 0e 73
1 42 18 60 20
2 0 38 0 0
3 1c 48 33 0
4 1b 0 0 0
28 2a 80 53 42
29 1f 90 53 42
30 33 0 0 0
42 7a 0 19 1c
43 0 0 17 1e
44 12 3d c0 4
45 14 ce ae 5a
46 0 0 20 88
About the card above (2hr ski pass):
on back of card:
01-1614 7133 5345 8457 2593-7'
on front of card:
LOCKER 9/25/2014 6:49:19 PM MKN09 185718
SLOPE SESSION PASS ADULT
Valid on 5/09/14 205.00 AED
0 13 8 7d 12
1 42 18 60 20
2 0 38 0 0
3 1c 48 33 0
4 1b 0 0 0
28 2a 80 53 42
29 1f 90 53 42
30 33 0 0 0
42 7a 0 14 1c
43 0 0 17 1e
44 18 3d c0 4
45 94 6a 39 39
46 0 0 d0 88
information about above card:
Snow boarding lesson (also gives 2 hours of slope access)
purchased 09/20/14 around 11:49 AM
Also with a locker
0 f5 8 f0 8
1 42 18 60 20
2 0 38 0 0
3 1c 48 33 0
4 1b 0 0 0
28 2a 80 53 42
29 1f 90 53 42
30 33 0 0 0
42 7a 0 5 1c
43 0 0 17 1e
44 4 3d c0 4
45 94 ea f9 65
46 0 0 d0 88
information about above card:
Snow boarding lesson (also gives 2 hours of slope access)
purchased 09/05/14 around 14:15
with locker
0 4b 8 b5 ff
1 42 18 60 20
2 0 38 0 0
3 1c 48 33 0
4 1b 0 0 0
28 2a 80 53 42
29 1f 90 53 42
30 33 0 0 0
42 7a 0 fd 1b
43 0 0 17 1e
44 4 3d c0 4
45 14 2e a3 64
46 0 0 20 88
information about above card:
Slope session pass adult
purchased 08/29/14 around 17:29
without locker
0 8f 8 31 f5
1 42 18 60 20
2 0 38 0 0
3 1c 48 33 0
4 1b 0 0 0
28 2a 80 53 42
29 1f 90 53 42
30 33 0 0 0
42 7a 0 fd 1b
43 0 0 17 1e
44 4 3d c0 4
45 14 6e a3 64
46 0 0 20 88
information about above card:
Slope session pass adult
purchased 08/29/14 around 17:29
with locker
Offline
Norwegian skipass.
pm3 --> hf 15 cmd sysinfo -2 u
0F E8 81 C0 0A 66 24 16 E0 02 00 33 03 02
UID = E01624660AC081E8
EM-Marin SA (Skidata)
DSFID supported, set to 02
AFI supported, set to 000
Tag provides info on memory layout (vendor dependent)
4 (or 3) bytes/page x 52 pages
IC reference given: 02
pm3 --> hf 15 dumpmem
Reading memory from tag UID=E01624660AC081
Tag Info: EM-Marin SA (Skidata)
Block 0 9E 08 D2 A8 ....
Block 1 82 18 60 20 ..`
Block 2 00 38 00 00 .8..
Block 3 1C 48 33 00 .H3.
Block 4 1B 00 00 00 ....
Block 28 2A 80 53 42 *.SB
Block 29 1F 90 53 42 ..SB
Block 30 33 00 00 00 3...
Block 42 B0 04 42 1B ..B.
Block 43 C0 05 1B 01 ....
Block 44 BF 6E 3A 33 .n:3
Block 45 3D FF D1 9A =...
Block 46 30 9F 53 DD 0.S.
Block 47 18 00 00 00 ....
Block 48 00 00 00 BC ....
Block 49 00 08 EC 17 ....
Swedish ski tag#1
pm3 --> hf 15 cmd sysinfo -2 u
0F 71 A9 EA 2A 00 00 07 E0 01 00 3F 03 8B
UID = E00700002AEAA971
Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit
DSFID supported, set to 01
AFI supported, set to 000
Tag provides info on memory layout (vendor dependent)
4 (or 3) bytes/page x 64 pages
IC reference given: 8B
pm3 --> hf 15 dumpmem
Reading memory from tag UID=E00700002AEAA971
Tag Info: Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit
Block 8 02 9E 2B 02 ..+.
Block 9 F0 B4 20 25 .. %
Block 10 EE F7 BF 7D ...}
Block 11 6C 3F 7A A8 l?z.
Block 12 25 F5 3F CE %.?.
Block 13 0C 0F 22 DD ..".
Block 14 63 BB DE 48 c..H
Block 15 AC 3B 2A 7D .;*}
Block 16 6C 3B 2A 7D l;*}
Block 17 6C 00 00 00 l...
Block 18 02 12 82 02 ....
Block 19 F0 00 00 00 ....
Block 28 02 12 82 02 ....
Block 29 F0 00 00 00 ....
Block 56 30 00 00 00 0...
Block 57 26 50 53 42 &PSB
Block 58 1C 40 53 42 .@SB
Block 59 12 30 53 42 .0SB
Block 60 08 20 53 42 . SB
Block 61 00 20 50 49 . PI
Block 62 00 00 00 00 ....
Block 63 16 5C A6 1B .\..
Swedish ski tag#2
pm3 --> hf 15 cmd sysinfo -2 u
0F B6 95 7C 14 00 00 07 E0 01 00 3F 03 8B
UID = E0070000147C95B6
Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit
DSFID supported, set to 01
AFI supported, set to 000
Tag provides info on memory layout (vendor dependent)
4 (or 3) bytes/page x 64 pages
IC reference given: 8B
pm3 --> hf 15 dumpmem
Reading memory from tag UID=E0070000147C95B6
Tag Info: Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit
Block 8 02 12 2B 02 ..+.
Block 9 F0 47 3F 21 .G?!
Block 10 B6 41 A4 79 .A.y
Block 11 7C C9 E1 17 |...
Block 12 66 41 24 F1 fA$.
Block 13 5C 24 36 5B \$6[
Block 14 6C C8 31 79 l.1y
Block 15 3C C8 31 79 <.1y
Block 16 7C C8 31 79 |.1y
Block 17 7C 00 00 00 |...
Block 18 02 12 82 02 ....
Block 19 F0 00 00 00 ....
Block 28 02 12 82 02 ....
Block 29 F0 00 00 00 ....
I removed all blocks with all zeros.
Offline
Hello all,
I'm new in this community. I'm using Skidata passes too and want to help if I can. I have an SL500 USB.
I made the Asper tool for StrongLink SL500 by myself. If someone wants the source code (.net) just ask.
Can you please send me the source? I will try to write a reading app in Delphi, and I have a POS system and want to use the UID number for user identification (like a keyboard).
Do you need other information about tickets? How can I help with this project?
Offline
I have a few new tickets not coded (virgin). Is this topic still active? Do you need any help understanding all the blocks, or is this already done? For the reader I use an SL500F.
If anyone wants, I can post here the block information for these virgin cards before and after coding.....
Offline
Welcome to the community.
Go ahead and post your tag's data before and after. I think Asper also wanted the date, time and place when the tags were used. There is normally date & time stored on the tag, so it can be found more easily if we know it.
Offline
please find 12 card dumps and card front images
https://mega.co.nz/#!w5cTQBTZ!pF5MXaNc7dMOmuNwqN8SC2u2iAIXP_PTHhbGJz5P0R4
Offline
In Italy a lot of ski areas use the skidata tickets (keycard unlimited). Here's my experience. I tried to read the ticket with an OMNIKEY CardMan 5321 reader but no success. When I put the skidata ticket on the reader, it selects the card (I can read the ATR, mine is 3B 8F 80 01 80 4F 0C A0 00 00 03 06 0B 00 00 00 00 00 00 63, ISO 15693 - EM Microelectronic-Marin SA) but after a second it seems that the card goes offline, so the reader selects it again, but again the card goes offline, etc etc in an endless loop. So I'm not able to read the ticket.
Anyway I want to report here some interesting information about skidata. You can download for free the 0P0$ CA$H software from
http://www.skidata.com/en/mountain-destinations/point-of-sales.html
The program permits you to produce tickets with your own point of sales.
The program needs a registration in the skidata server (they really behave like a big brother...), during the registration they also send you the templates for your ticketing system (one day, one season, single way, amount of hours, families, discounts, groups,...). So you cannot execute the program without registration (even for a demo mode). You should also have a skidata coding device to produce tickets. Anyway it is a .net program, and you can decompile it with the freeware software Telerik JustDecompile. It seems that in the file skidata.devices.dll namespace skidata.devices.bll4 there is the rfid protocol, and in the namespace skidata.devices.oposio there is the read/write procedure. You can find also a lot of interesting routines (like EncryptMessage, ReadAck,...). Under Devices there is also a CoderSimulator, maybe to be used for testing purposes.
Hope it will be useful.
ciao
Offline
Your card is not an EM card, it is an NXP tag, probably an I.CODE SLI. You should not use Omnikey to detect the card type; use another reader (NFC-capable mobile + app or others). Also with Omnikey software you are not able to normally/correctly communicate with those kinds of tags because it uses its own protocol (you must study it).
Rousseau's site is good for SmartCard ATRs (even NFC SmartCards), not for RFID tags (they are not properly "smart"; they usually are simple tags with some built-in features/commands and do not support real APDUs).
The encryption/decryption sequence you described seems to be about the messages sent<->received by software<->device (a kind of USB encrypted message with specific APDUs for the device), not for the data to be written on the tag; probably the algo is inside the reader/writer device firmware, not in the end-user software [but, hey, there are firmwares in the installation folder, but you need to figure out what ICs they are for - anyway I don't think they are so "smart" to leave the code inside].
Last edited by asper (2015-01-05 10:38:11)
Offline
The crypto seems to be RC4 crypto. They are known for their weaknesses.
Offline
So it is probably the software<->device communication protocol (USB or WiFi).
Offline
static Constants()
{
OposSecurity.Constants.OPOS_INIT_KEY1 = Encoding.ASCII.GetBytes("xxxxxxxxxxxxxxxxx");
OposSecurity.Constants.OPOS_INIT_KEY2 = Encoding.ASCII.GetBytes("xxxxxxxxxxxxxxxxx");
OposSecurity.Constants.OPOS = Encoding.ASCII.GetBytes("xxxx");
}
Last edited by thefkboss (2015-01-05 15:31:24)
Offline
Please, delete the keys value.
Last edited by asper (2015-01-05 15:28:13)
Offline
data integrity crc16
Offline
Thanks.
Offline
That is not the card key..... the card key is with serial and password...
Maybe someone could check if the card passwords are always the same with different UIDs.
proxmark---sniff iclass----22Clearpasswordoffthecard online 5 seconds to get the password.....
If someone knows the password of some card, let me know.
Offline
If you mean tag password not all the tags support the password command.
IRC at freenode #proxmark3
Offline
Correct, password command... I have one EM4233 (Skidata) from a parking lot; it has a write password.
Offline
If some one has parking.logic software
http://www.skidata.com/fileadmin/user_upload/corporate/downloads/products/parking/parking-logic/ParkingLogic-1-0-en.pdf
Let me know.....
Offline
If you were able to sniff the password I think you only need to send the correct command to the tag in order to write it, no need of an external software, just proxmark.
Offline
Yes, I could do that... but I want to know how the password is generated (master key and diversification)..... and what the info inside is; I want to play.
Offline
It seems that a lot of different cards are used with the application. Here's the list (without the obsolete items):
Namespace SkiData.Common.Identifications
Public Enum ChipId
Magnetic = 0
SkidataFlexspace = 1
Iso15693TexasInstrumentsCompatibleTicket = 2
Iso15693InfineonCompatibleTicket = 3
Iso14443AMifare = 4
Iso14443B = 5
HIDiClass = 6
Felica = 7
KeycardV4050 = 8
RFU_9 = 9
RFU_10 = 10
SwatchV4050 = 11
Barcode = 12
Iso15693 = 13
RFU_14 = 14
Innovatron43B = 15
RFU_16 = 16
Reserved_17 = 17
Legic = 18
NFC = 19
RFU_20 = 20
SharedChip = 21
Reserved_22 = 22
Reserved_23 = 23
RFU_24 = 24
Iso15693InfineonEconomy = 25
Iso15693DualEconomy = 26
RFU_27 = 27
RFU_28 = 28
Iso15693DualUniversal = 29
Iso15693DualPremium = 30
RFU_31 = 31
Barcode2D = 32
RFU_33 = 33
End Enum
End Namespace
You can easily spot the ChipId type by looking at the number printed on the card in the format xx-xxxx xxxx xxxx xxxx xxxx-x (ChipId-SerialNumber-LuhnNumber)
I have cards with ChipId=01 (keycard unlimited), 29 (keycard iso), 30 (keycard isodual). With Omnikey 5321 I realized that I am able to read ChipId=01. This is the card that I'm using now. I purchased it on 29/12/2014 with 15 hours, it expires on 01/05/2015. Now if I'm not wrong it should still contain 7h 36m. The card responds to command 'Get PICC memory size' (ff 30 04 00 00) showing a total of 51 blocks of memory. Each block has the 'security status' (ff 30 00 03 05 01 00 00 00 Block# 00) set to false. This is the dump of command 'read binary' (ff b0 00 00 00):
#00-01: C4 08 66 B9 42 18 40 20
#02-03: 00 38 00 F0 1C 48 33 00
#04-05: 1B 00 00 00 00 00 00 00
#06-07: 00 00 00 00 00 00 00 00
#08-09: 00 00 00 00 00 00 00 00
#10-11: 00 00 00 00 00 00 00 00
#12-13: 00 00 00 00 00 00 00 00
#14-15: 00 00 00 00 00 00 00 00
#16-17: 00 00 00 00 00 00 00 00
#18-19: 00 00 00 00 00 00 00 00
#20-21: 00 00 00 00 00 00 00 00
#22-23: 00 00 00 00 00 00 00 00
#24-25: 00 00 00 00 00 00 00 00
#26-27: 00 00 00 00 00 00 00 00
#28-29: 2A 80 53 42 1F 90 53 42
#30-31: 33 00 00 00 00 00 00 00
#32-33: 00 00 00 00 00 00 00 00
#34-35: 00 00 00 00 00 00 00 00
#36-37: 00 00 00 00 00 00 00 00
#38-39: 00 00 00 00 00 00 00 00
#40-41: 00 00 00 00 00 00 00 00
#42-43: 4A 13 01 1D 00 04 1B 01
#44-45: B0 C7 F7 C3 48 FF C8 79
#46-47: 40 77 6B D6 20 0C 20 01
#48-49: CE 60 98 2D 00 30 90 15
#50-51: 00 00 00 00 00 00 00 00
It seems compatible with what Pavlik1 posted before. As soon as I have more dumps with fewer hours/minutes remaining I will post again.
ciao
Offline
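As an added example (not code from the thread or from Skidata), this parses the printed number format xx-xxxx xxxx xxxx xxxx xxxx-x described above, looks the ChipId up in the quoted enum, and verifies the final digit as a Luhn check digit. On the three card numbers posted earlier in the thread the check digit validates over ChipId and serial taken together; that is an observation on those samples, not a documented Skidata rule.

```python
# Added example: parse a Skidata card number (ChipId-SerialNumber-LuhnNumber)
# and verify its check digit.
import re
from typing import NamedTuple

# ChipId values from the SkiData.Common.Identifications enum quoted above (RFU/Reserved omitted)
CHIP_IDS = {
    0: "Magnetic", 1: "SkidataFlexspace",
    2: "Iso15693TexasInstrumentsCompatibleTicket", 3: "Iso15693InfineonCompatibleTicket",
    4: "Iso14443AMifare", 5: "Iso14443B", 6: "HIDiClass", 7: "Felica", 8: "KeycardV4050",
    11: "SwatchV4050", 12: "Barcode", 13: "Iso15693", 15: "Innovatron43B", 18: "Legic",
    19: "NFC", 21: "SharedChip", 25: "Iso15693InfineonEconomy", 26: "Iso15693DualEconomy",
    29: "Iso15693DualUniversal", 30: "Iso15693DualPremium", 32: "Barcode2D",
}

NUMBER_RE = re.compile(r"^(\d{2})-(\d{4}) (\d{4}) (\d{4}) (\d{4}) (\d{4})-(\d)$")


class CardNumber(NamedTuple):
    chip_id: int
    chip_name: str
    serial: str
    check_digit: int
    luhn_ok: bool


def luhn_check_digit(payload: str) -> int:
    """Standard Luhn (ISO/IEC 7812) check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit and every second one leftwards is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_card_number(text: str) -> CardNumber:
    m = NUMBER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not in xx-xxxx xxxx xxxx xxxx xxxx-x format: {text!r}")
    chip_id = int(m.group(1))
    serial = "".join(m.groups()[1:6])
    check = int(m.group(7))
    # The check digit covers ChipId and serial together; computed over the serial
    # alone it does not match the numbers posted in this thread.
    luhn_ok = luhn_check_digit(m.group(1) + serial) == check
    name = CHIP_IDS.get(chip_id, f"RFU/unknown ({chip_id})")
    return CardNumber(chip_id, name, serial, check, luhn_ok)


if __name__ == "__main__":
    # Constructed input: the adult card number posted earlier in the thread
    print(parse_card_number("01-1614 7133 5346 0110 6064-6"))
```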
Well, I think you are very lucky because I don't think those data are encrypted (or if there is an encryption it is really not hard). Pavlik1's dumps are different from your dumps (probably even "easier" than yours).
If you are going to post more dumps I will try to figure out the relationship.
If there is an encryption, a full dump of the card will be needed (not only a block dump).
About the "various" tags supported: it depends on the hardware it is connected to; not all hardware reads all kinds of tags.
Last edited by asper (2015-01-07 21:33:11)
Offline
@tarcisiomerlot: can you please share the commands you used to talk with your ISO15693 card using Omnikey reader ?
Offline
@tarcisiomerlot: can you please share the commands you used to talk with your ISO15693 card using Omnikey reader ?
(ff b0 00 00 00)
try that one.
It worked on mine. and gave me similar output.
Offline
I got the same answers on all the cards I have...
try 0xFFB0000000
Offline
https://mega.co.nz/#!doM3RB6S!e3YbDw1my … ftiQsAwKFc
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
- <InfoDump application="NFC TagInfo" version="1.12a">
- <Tag rfTechnology="Type V (ISO/IEC 15693 / Vicinity)">
- <GeneralInformation>
<Value name="uid" description="UID">e01624660c238217</Value>
<Value name="rfTechnology" description="RF technology">Type V (ISO/IEC 15693 / Vicinity)</Value>
<Value name="tagType" description="Tag type">EM4x3x (for customer 066)</Value>
<Value name="manufacturer" description="Manufacturer">EM Microelectronic-Marin SA (Switzerland)</Value>
<Value name="afiString" description="Application family identifier (AFI)">all families and sub-families</Value>
<Value name="afi" description="AFI (numeric)">00</Value>
<Value name="dsfid" description="DSF Id">02</Value>
<Value name="responseFlags" description="Response flags">00</Value>
<Value name="icRef" description="IC reference">02</Value>
<Value name="targetTechClasses" description="Target technology classes (Android)">android.nfc.tech.NfcV</Value>
</GeneralInformation>
- <MemoryTag type="EM4x3x (for customer 066)">
- <GeneralInformation>
<Value name="memorySize" description="Memory size">208 Byte</Value>
<Value name="blockSize" description="Block size">4 Byte</Value>
<Value name="numberOfBlocks" description="Number of blocks">52</Value>
</GeneralInformation>
- <Data unit="block">
<Block index="0" locked="false" factoryLocked="false">530892be</Block>
<Block index="1" locked="false" factoryLocked="false">c2182400</Block>
<Block index="2" locked="false" factoryLocked="false">00380020</Block>
<Block index="3" locked="false" factoryLocked="false">1c483300</Block>
<Block index="4" locked="false" factoryLocked="false">1b000000</Block>
<Block index="5" locked="false" factoryLocked="false">00000000</Block>
<Block index="6" locked="false" factoryLocked="false">00000000</Block>
<Block index="7" locked="false" factoryLocked="false">00000000</Block>
<Block index="8" locked="false" factoryLocked="false">00000000</Block>
<Block index="9" locked="false" factoryLocked="false">00000000</Block>
<Block index="10" locked="false" factoryLocked="false">00000000</Block>
<Block index="11" locked="false" factoryLocked="false">00000000</Block>
<Block index="12" locked="false" factoryLocked="false">00000000</Block>
<Block index="13" locked="false" factoryLocked="false">00000000</Block>
<Block index="14" locked="false" factoryLocked="false">00000000</Block>
<Block index="15" locked="false" factoryLocked="false">00000000</Block>
<Block index="16" locked="false" factoryLocked="false">00000000</Block>
<Block index="17" locked="false" factoryLocked="false">00000000</Block>
<Block index="18" locked="false" factoryLocked="false">00000000</Block>
<Block index="19" locked="false" factoryLocked="false">00000000</Block>
<Block index="20" locked="false" factoryLocked="false">00000000</Block>
<Block index="21" locked="false" factoryLocked="false">00000000</Block>
<Block index="22" locked="false" factoryLocked="false">00000000</Block>
<Block index="23" locked="false" factoryLocked="false">00000000</Block>
<Block index="24" locked="false" factoryLocked="false">00000000</Block>
<Block index="25" locked="false" factoryLocked="false">00000000</Block>
<Block index="26" locked="false" factoryLocked="false">00000000</Block>
<Block index="27" locked="false" factoryLocked="false">00000000</Block>
<Block index="28" locked="false" factoryLocked="false">2a805342</Block>
<Block index="29" locked="false" factoryLocked="false">1f905342</Block>
<Block index="30" locked="false" factoryLocked="false">33000000</Block>
<Block index="31" locked="false" factoryLocked="false">00000000</Block>
<Block index="32" locked="false" factoryLocked="false">00000000</Block>
<Block index="33" locked="false" factoryLocked="false">00000000</Block>
<Block index="34" locked="false" factoryLocked="false">00000000</Block>
<Block index="35" locked="false" factoryLocked="false">00000000</Block>
<Block index="36" locked="false" factoryLocked="false">00000000</Block>
<Block index="37" locked="false" factoryLocked="false">00000000</Block>
<Block index="38" locked="false" factoryLocked="false">00000000</Block>
<Block index="39" locked="false" factoryLocked="false">00000000</Block>
<Block index="40" locked="false" factoryLocked="false">00000000</Block>
<Block index="41" locked="false" factoryLocked="false">00000000</Block>
<Block index="42" locked="false" factoryLocked="false">160ae01c</Block>
<Block index="43" locked="false" factoryLocked="false">c0051b01</Block>
<Block index="44" locked="false" factoryLocked="false">adf8eb2e</Block>
<Block index="45" locked="false" factoryLocked="false">4ebc92ab</Block>
<Block index="46" locked="false" factoryLocked="false">50185027</Block>
<Block index="47" locked="false" factoryLocked="false">0b80460e</Block>
<Block index="48" locked="false" factoryLocked="false">00008051</Block>
<Block index="49" locked="false" factoryLocked="false">00e01877</Block>
<Block index="50" locked="false" factoryLocked="false">00000000</Block>
<Block index="51" locked="false" factoryLocked="false">00000000</Block>
</Data>
</MemoryTag>
</Tag>
</InfoDump>
Offline
Each year during winter we always return to this page. At least we have a big passion for... skiing!
I used a skipass with points on Dolomiti Superski.
These tags are:
Producer=NXP Semiconductors(Germany) (code 04)
Model=SL2 S2002/SL2 S2102(ICODE SLIX)
The same tag model is used for the one-day skipass.
I verified that it is possible to reload a points skipass.
The coding of the points is not so complicated, and I found a method to change the credit.
Unfortunately I also found that the turnstiles are connected to a database that is synchronized, probably each day. So after some time your tag is banned from the system and you will not be able to use it again.
This means that whatever we discover about these tags, we will never reload a tag with real success using a Proxmark.
So I understood that the only possible attack on this system is the cloning of a tag with the Proxmark.
(Yes, we have known this for many years...)
I then tried to record the data exchanged between the turnstile and the tag, by means of the functions hf iclass snoop and hf iclass list.
In order to get many samples I made a tool able to continuously send the snoop, wait for the "#db# COMMAND FINISHED" string and then send another snoop request.
After about 10 turnstiles I found that no message was logged in the Proxmark log.
I also tested the snoop by reading a skipass with an SL500 reader, in order to confirm that the snoop function was correctly working.
Now there are 2 options:
1) I made some mistake during the data snoop
2) the turnstile is using the fast communication protocol mentioned in the datasheet of these tags.
In any case we need to find the correct communication protocol and teach the Proxmark to use it to clone a tag.
Could someone confirm my tests with snoop on these tags?
EDIT:
Consider that I'm currently using this revision of the Proxmark (I hope that there was no update to the snoop function):
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 845 2014-02-19 20:58:33
#db# os: svn 845 2014-02-19 20:58:37
#db# FPGA image built on 2014/02/19 at 11:41:11
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3>
Last edited by gaucho (2015-01-19 16:58:40)
Offline
Yes, it is possible the iclass snoop command was right.
I don't know if in the latest Proxmark firmware versions some code has been changed.
in order to get many samples i made a tool able to continuously send the snoop, wait for the "#db# COMMAND FINISHED" string and then send another snoop request
Very good idea, but I think it is better to get all the memory when it is full (or nearly full), flush the memory and continue sniffing, and throw this data into a file on the computer.
Like a pipe on Ethernet when you want to sniff; maybe someone could change the code to do this.
Offline
I've seen with the SL500 reader and the Proxmark that every 2 readings of a tag the snoop command gives the #db# message, so I suppose that I hit the list command when the memory is full.
Anyway, if we agree that the snoop was OK, it means that we should investigate the protocol used by means of an oscilloscope on the turnstile.
For this reason the new function able to record samples on the Proxmark is very important and it needs to be completed.
Offline
I found that byte #4 in block 2 is responsible for day counting (e.g. skipass type: 10 days from 14).
But I can't change the value, any idea?
Block 2 00 38 00 40 .8.@
Block 3 1C 48 33 00 .H3.
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-01-01 15:28:15
#db# os: /-suspect 2015-01-01 15:28:20
#db# HF FPGA image built on 2014/ 6/19 at 21:26: 2
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf 15 cmd read -2 u 2
00 38 00 40 .8.@ <-------- skipass was used 4 times
proxmark3> hf 15 cmd write -2 u 2 00 38 00 20
timeout: no answer - data may be written anyway
proxmark3> hf 15 cmd read -2 u 2
00 38 00 40 .8.@
proxmark3>
Offline
You need a password to write.
Offline
Can you explain this better?
I found that byte #4 in block 2 is responsible for day counting (e.g. skipass type: 10 days from 14).
Offline
I have 4 active skipasses (Kaprun, AU). I'm doing card dumps daily; later I will post more info on how to decode the other bytes, but I'm not sure if this makes sense if we can't write the card.
Offline
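The thread's approach of taking consecutive dumps of the same tag and comparing them is easy to automate. The following is an added example, not code from any poster: it parses two dumps in the InfoDump XML layout shown in the thread and reports which blocks and byte positions changed (byte positions are 1-based, matching the "byte #4 in block 2" convention above). The two sample dumps are constructed, not real tags.

```python
"""Diff two InfoDump-style XML dumps of an ICODE SLIX skipass (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample dumps of the "same" tag on two different days.
# Only block 2, byte #4, differs (A0 -> 40); blocks 3 and 4 are unchanged.
DUMP_DAY1 = """<InfoDump><Tag><MemoryTag><Data>
<Block index="2" locked="false" factoryLocked="false">003800a0</Block>
<Block index="3" locked="false" factoryLocked="false">1c483300</Block>
<Block index="4" locked="false" factoryLocked="false">1b000000</Block>
</Data></MemoryTag></Tag></InfoDump>"""

DUMP_DAY2 = """<InfoDump><Tag><MemoryTag><Data>
<Block index="2" locked="false" factoryLocked="false">00380040</Block>
<Block index="3" locked="false" factoryLocked="false">1c483300</Block>
<Block index="4" locked="false" factoryLocked="false">1b000000</Block>
</Data></MemoryTag></Tag></InfoDump>"""


def parse_blocks(xml_text):
    """Return {block_index: 4-byte content} from an InfoDump XML string."""
    root = ET.fromstring(xml_text)
    blocks = {}
    for el in root.iter("Block"):
        blocks[int(el.attrib["index"])] = bytes.fromhex(el.text.strip())
    return blocks


def diff_dumps(old_xml, new_xml):
    """List (block, old_bytes, new_bytes, changed_positions) for every block
    that differs. A block present in only one dump reports all 4 positions."""
    old, new = parse_blocks(old_xml), parse_blocks(new_xml)
    changes = []
    for idx in sorted(set(old) | set(new)):
        a, b = old.get(idx), new.get(idx)
        if a == b:
            continue
        if a is None or b is None:
            positions = [1, 2, 3, 4]
        else:
            positions = [i + 1 for i in range(max(len(a), len(b)))
                         if i >= len(a) or i >= len(b) or a[i] != b[i]]
        changes.append((idx, a, b, positions))
    return changes


def format_change(change):
    """Human-readable line, e.g. 'Block 2: 00 38 00 A0 -> 00 38 00 40 (byte 4)'."""
    idx, a, b, positions = change
    hexs = lambda v: "missing" if v is None else v.hex(" ").upper()
    return f"Block {idx}: {hexs(a)} -> {hexs(b)} (byte {', '.join(map(str, positions))})"


if __name__ == "__main__":
    for change in diff_dumps(DUMP_DAY1, DUMP_DAY2):
        print(format_change(change))
```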