Hi,
I just sniffed a Paxton key fob with a Paxton reader.
Can somebody explain to me what I'm seeing?
Sorry for this obvious newbie question...
sim <infile> Simulate Hitag transponder
snoop Eavesdrop Hitag communication
writer Act like a Hitag Writer
simS <hitagS.hts> Simulate HitagS transponder
checkChallenges <challenges.cc> test all challenges
proxmark3> lf hitag list
recorded activity (TraceLen = 0 bytes):
ETU :nbits: who bytes
---------+-----+----+-----------
+ 0: 4: 80
+ 280: 4: 80
+ 278: 4: 80
+ 42: 1: 00
+ 34: 10: ff c0
+ 1427: 6: TAG 48!
+ 29: 7: fe
+ 1421: 6: TAG 48!
+ 1437: 5: TAG 48!
+ 1421: 7: TAG 52
+ 1437: 8: TAG 52
+ 1423: 3: TAG 40
+ 26378: 3: TAG 20
+ 1504: 8: 33
+ 40: 8: c3
+ 29: 2: 00
+ 1536: 4: 10
+ 1454: 3: 00
+ 41: 3: 80
+ 42: 3: c0
+ 260: 3: 80
+ 258: 3: 80
+ 87945: 3: 80
+ 260: 3: 80
+ 257: 3: 80
+ 88440: 3: 80
+ 260: 1: 00
+ 257: 3: 80
+ 87943: 3: 80
+ 1426: 8: 33
+ 1535: 5: 18
+ 30: 6: f0
+ 40: 8: e1
+ 1455: 3: 00
+ 40: 3: 80
+ 34: 1: 80
+ 29: 4: b0
+ 1421: 6: TAG 48!
+ 33: 2: c0
+ 1453: 6: TAG 48!
+ 34: 1: 80
+ 2504: 3: TAG 40
+ 33: 10: fd c0
+ 1423: 8: c3
+ 28: 6: cc
+ 1426: 8: e1
+ 1504: 8: f0
+ 1426: 3: 80
+ 34: 1: 00
+ 291: 1: 00
+ 288: 1: 00
+ 41: 3: 80
+ 292: 1: 00
+ 290: 1: 00
+ 40: 3: 80
+ 29: 26: ff ff c1 c0
+ 1424: 8: c3
+ 29: 4: 30
+ 1424: 8: e1
+ 1423: 8: f0
+ 1425: 3: 80
+ 380: 4: c0
+ 258: 3: 80
+ 88440: 3: 80
+ 260: 1: 00
+ 258: 2: 00
+ 11945: 2: 00
+ 259: 2: 00
+ 257: 2: 00
+ 88445: 3: 80
+ 260: 3: 80
+ 258: 3: 80
+ 87945: 3: 80
+ 29: 27: ef af 40 c0
+ 1432: 10: e0 c0
+ 1432: 10: e8 c0
+ 1425: 5: 08
+ 1524: 9: f0 00
+ 40: 4: 80
+ 87944: 1: 00
+ 260: 3: 80
+ 257: 3: 80
+ 88442: 3: 80
+ 260: 1: 00
+ 259: 3: 80
+ 64598: 3: 80
+ 259: 1: 00
+ 257: 2: 00
+ 27073: 3: 80
+ 259: 3: 80
+ 257: 3: 80
+ 88441: 3: 80
+ 259: 1: 00
+ 258: 1: 00
+ 88441: 1: 00
+ 66: 31: TAG 2a a9! 55! 2a
+ 37: 7: ca
+ 80: 19: TAG 2a aa! a0!
+ 90: 4: 10
+ 65: 14: TAG 55! 54
+ 29: 1: 00
+ 64: 26: TAG 55! 55! 55! 40
+ 35: 4: 10
+ 172: 2: TAG 40
+ 94: 8: TAG 55!
+ 66: 14: TAG 55! 54
+ 82: 3: 00
+ 35: 1: 00
+ 28: 14: f8 cc
+ 33: 2: 80
+ 88198: 1: TAG 00!
+ 29: 26: ff ff c1 c0
+ 1428: 8: c3
+ 30: 6: cc
+ 1427: 8: e1
+ 1426: 8: f0
+ 1427: 3: 80
+ 88443: 3: TAG 40
+ 1436: 25: TAG 2a 52 49 00!
+ 1469: 6: TAG 48!
+ 1439: 8: TAG 49
+ 1470: 6: TAG 48!
+ 1438: 8: TAG 52
+ 1469: 3: TAG 20
+ 2042: 3: TAG 20
+ 1468: 24: TAG 25 4a 92
+ 1439: 8: TAG 49
+ 1471: 6: TAG 48!
+ 1437: 8: TAG 52
+ 1469: 7: TAG 52
+ 1437: 3: TAG 40
+ 87943: 3: TAG 40
+ 1438: 25: TAG 2a 52 49 00!
+ 1470: 6: TAG 48!
+ 1439: 8: TAG 49
+ 1470: 6: TAG 48!
+ 1438: 8: TAG 52
+ 1469: 3: TAG 20
+ 88692: 3: TAG 20
+ 1468: 24: TAG 2a 92 92
+ 1439: 8: TAG 49
+ 1470: 6: TAG 48!
+ 1438: 8: TAG 52
+ 1469: 7: TAG 52
+ 1437: 3: TAG 40
+ 87945: 3: TAG 40
+ 64: 14: TAG 55! 54
+ 93: 25: TAG 2a 52 49 00!
+ 78: 20: TAG 55! 55! 50!
+ 109: 6: TAG 48!
+ 81: 14: TAG 55! 54
+ 77: 8: TAG 49
+ 65: 26: TAG 55! 55! 55! 40
+ 123: 6: TAG 48!
+ 77: 30: TAG 55! 55! 55! 54
+ 109: 7: TAG 52
+ 79: 26: TAG 55! 55! 55! 40
+ 34: 1: 00
+ 279: 3: 80
+ 313: 1: 00
+ 38004: 5: c0
+ 280: 4: 80
+ 278: 4: 80
+ 52655: 2: 00
+ 278: 2: 00
+ 276: 2: 00
+ 172: 1: TAG 00!
+ 113992: 2: 00
+ 262: 2: 00
+ 258: 2: 00
+ 88441: 2: 00
+ 260: 1: 00
+ 258: 2: 00
+ 204417: 2: 00
+ 278: 2: 00
+ 291: 2: 00
+ 1476: 2: 00
+ 278: 2: 00
+ 275: 2: 00
+ 88686: 4: 80
+ 34: 7: 1a
+ 88441: 2: 00
+ 37: 9: 3d 80
proxmark3> lf hitag snoop
#db# Starting Hitag2 snoop
proxmark3> lf hitag list
recorded activity (TraceLen = 100987360 bytes):
ETU :nbits: who bytes
---------+-----+----+-----------
+ 0: 2: 00
+ 259: 2: 00
+ 258: 2: 00
+ 87946: 2: 00
+ 259: 2: 00
+ 259: 1: 00
+ 88443: 2: 00
+ 261: 2: 00
+ 258: 2: 00
+ 87945: 2: 00
+ 260: 2: 00
+ 259: 2: 00
+ 88442: 2: 00
+ 285: 2: 00
+ 259: 2: 00
+ 1714: 2: 00
+ 260: 2: 00
+ 259: 2: 00
+329363573: 0: TAG
proxmark3> lf hitag list
recorded activity (TraceLen = 100987360 bytes):
ETU :nbits: who bytes
---------+-----+----+-----------
+ 0: 2: 00
+ 259: 2: 00
+ 258: 2: 00
+ 87946: 2: 00
+ 259: 2: 00
+ 259: 1: 00
+ 88443: 2: 00
+ 261: 2: 00
+ 258: 2: 00
+ 87945: 2: 00
+ 260: 2: 00
+ 259: 2: 00
+ 88442: 2: 00
+ 285: 2: 00
+ 259: 2: 00
+ 1714: 2: 00
+ 260: 2: 00
+ 259: 2: 00
+329363573: 0: TAG
proxmark3> lf hitag snoop
#db# Starting Hitag2 snoop
proxmark3> lf hitag list
recorded activity (TraceLen = 0 bytes):
ETU :nbits: who bytes
---------+-----+----+-----------
+ 0: 2: 00
+ 259: 2: 00
+ 258: 2: 00
+ 1738: 2: 00
+ 259: 2: 00
+ 257: 1: 00
+ 88441: 2: 00
+ 259: 2: 00
+ 258: 2: 00
+ 88442: 2: 00
+ 261: 2: 00
+ 259: 2: 00
+ 87944: 2: 00
+ 260: 2: 00
+ 259: 2: 00
+ 87943: 2: 00
+ 259: 2: 00
+ 257: 2: 00
+ 87946: 2: 00
+ 277: 2: 00
+ 259: 2: 00
+ 38271: 2: 00
+ 1427: 30: f7 d7 a1 18
+ 1429: 6: 0c
+ 257: 6: 88
+ 395: 5: 08
+ 256: 4: 00
+ 257: 2: 00
+ 53208: 2: 00
+ 34: 10: df c0
+ 88201: 1: 00
+ 51: 6: 88
+ 87945: 3: TAG 40
+ 40: 9: fe 80
+ 38: 2: 80
+ 35: 1: 80
+ 40: 2: c0
+ 1440: 6: TAG 48!
+ 1439: 6: TAG 48!
+ 1441: 7: TAG 52
+ 1437: 8: TAG 52
+ 1423: 3: TAG 40
+ 26364: 3: TAG 20
+ 40: 2: c0
+ 1439: 6: TAG 48!
+ 1439: 6: TAG 48!
+ 1451: 6: TAG 48!
+ 28: 7: fe
+ 1423: 1: 80
+ 1470: 3: TAG 40
+ 1455: 6: TAG 48!
+ 1469: 1: 00
+ 42: 3: 80
+ 34: 1: 00
+ 29: 26: ff ff c1 c0
+ 1426: 8: c3
+ 28: 6: cc
+ 1426: 8: e1
+ 1425: 8: f0
+ 1426: 3: 80
+ 28: 25: ff ff 19 80
+ 41: 8: c3
+ 30: 6: f0
+ 40: 8: e1
+ 42: 8: f0
+ 42: 3: 80
+ 30: 26: ff ff c1 c0
+ 1425: 8: c3
+ 28: 6: cc
+ 256: 8: e1
+ 256: 3: 00
+ 258: 3: 80
+ 380: 4: c0
+ 258: 3: 80
+ 380: 4: c0
+ 258: 3: 80
+ 88442: 1: 00
+ 259: 3: 80
+ 258: 3: 80
+ 87944: 1: 00
+ 259: 3: 80
+ 258: 3: 80
+ 87945: 1: 00
+ 259: 3: 80
+ 258: 3: 80
+ 88442: 1: 00
+ 259: 3: 80
+ 258: 3: 80
+ 34: 1: 00
+ 292: 1: 00
+ 289: 1: 00
+ 12197: 1: 00
+ 260: 3: 80
+ 258: 3: 80
+ 78731: 1: 00
+ 258: 3: 80
+ 257: 3: 80
proxmark3>
...mental note to self, the tracelog for hitag would need to merge with the list command for a nice unified trace output...
@iceman:
something like this?
+ 0: 4: 80
+ 28: 6: cc
+ 28: 14: f8 cc
+ 29: 1: 00
+ 29: 2: 00
+ 29: 4: 30
+ 29: 4: b0
+ 29: 7: fe
+ 29: 26: ff ff c1 c0
+ 29: 26: ff ff c1 c0
+ 29: 27: ef af 40 c0
+ 30: 6: cc
+ 30: 6: f0
+ 33: 2: 80
+ 33: 2: c0
+ 33: 10: fd c0
+ 34: 1: 00
+ 34: 1: 00
+ 34: 1: 80
+ 34: 1: 80
+ 34: 7: 1a
+ 34: 10: ff c0
+ 35: 1: 00
+ 35: 4: 10
+ 37: 7: ca
+ 37: 9: 3d 80
+ 40: 3: 80
+ 40: 3: 80
+ 40: 4: 80
+ 40: 8: c3
+ 40: 8: e1
+ 41: 3: 80
+ 41: 3: 80
+ 42: 1: 00
+ 42: 3: c0
+ 64: 14: TAG 55! 54
+ 64: 26: TAG 55! 55! 55! 40
+ 65: 14: TAG 55! 54
+ 65: 26: TAG 55! 55! 55! 40
+ 66: 14: TAG 55! 54
+ 66: 31: TAG 2a a9! 55! 2a
+ 77: 8: TAG 49
+ 77: 30: TAG 55! 55! 55! 54
+ 78: 20: TAG 55! 55! 50!
+ 79: 26: TAG 55! 55! 55! 40
+ 80: 19: TAG 2a aa! a0!
+ 81: 14: TAG 55! 54
+ 82: 3: 00
+ 90: 4: 10
+ 93: 25: TAG 2a 52 49 00!
+ 94: 8: TAG 55!
+ 109: 6: TAG 48!
+ 109: 7: TAG 52
+ 123: 6: TAG 48!
+ 172: 1: TAG 00!
+ 172: 2: TAG 40
+ 257: 2: 00
+ 257: 2: 00
+ 257: 3: 80
+ 257: 3: 80
+ 257: 3: 80
+ 257: 3: 80
+ 258: 1: 00
+ 258: 2: 00
+ 258: 2: 00
+ 258: 2: 00
+ 258: 3: 80
+ 258: 3: 80
+ 258: 3: 80
+ 259: 1: 00
+ 259: 1: 00
+ 259: 2: 00
+ 259: 3: 80
+ 259: 3: 80
+ 260: 1: 00
+ 260: 1: 00
+ 260: 1: 00
+ 260: 1: 00
+ 260: 3: 80
+ 260: 3: 80
+ 260: 3: 80
+ 260: 3: 80
+ 262: 2: 00
+ 275: 2: 00
+ 276: 2: 00
+ 278: 2: 00
+ 278: 2: 00
+ 278: 2: 00
+ 278: 4: 80
+ 278: 4: 80
+ 279: 3: 80
+ 280: 4: 80
+ 280: 4: 80
+ 288: 1: 00
+ 290: 1: 00
+ 291: 1: 00
+ 291: 2: 00
+ 292: 1: 00
+ 313: 1: 00
+ 380: 4: c0
+ 1421: 6: TAG 48!
+ 1421: 6: TAG 48!
+ 1421: 7: TAG 52
+ 1423: 3: TAG 40
+ 1423: 8: c3
+ 1423: 8: f0
+ 1424: 8: c3
+ 1424: 8: e1
+ 1425: 3: 80
+ 1425: 5: 08
+ 1426: 3: 80
+ 1426: 8: 33
+ 1426: 8: e1
+ 1426: 8: f0
+ 1427: 3: 80
+ 1427: 6: TAG 48!
+ 1427: 8: e1
+ 1428: 8: c3
+ 1432: 10: e0 c0
+ 1432: 10: e8 c0
+ 1436: 25: TAG 2a 52 49 00!
+ 1437: 3: TAG 40
+ 1437: 3: TAG 40
+ 1437: 5: TAG 48!
+ 1437: 8: TAG 52
+ 1437: 8: TAG 52
+ 1438: 8: TAG 52
+ 1438: 8: TAG 52
+ 1438: 8: TAG 52
+ 1438: 25: TAG 2a 52 49 00!
+ 1439: 8: TAG 49
+ 1439: 8: TAG 49
+ 1439: 8: TAG 49
+ 1439: 8: TAG 49
+ 1453: 6: TAG 48!
+ 1454: 3: 00
+ 1455: 3: 00
+ 1468: 24: TAG 25 4a 92
+ 1468: 24: TAG 2a 92 92
+ 1469: 3: TAG 20
+ 1469: 3: TAG 20
+ 1469: 6: TAG 48!
+ 1469: 7: TAG 52
+ 1469: 7: TAG 52
+ 1470: 6: TAG 48!
+ 1470: 6: TAG 48!
+ 1470: 6: TAG 48!
+ 1470: 6: TAG 48!
+ 1471: 6: TAG 48!
+ 1476: 2: 00
+ 1504: 8: 33
+ 1504: 8: f0
+ 1524: 9: f0 00
+ 1535: 5: 18
+ 1536: 4: 10
+ 2042: 3: TAG 20
+ 2504: 3: TAG 40
+ 11945: 2: 00
+ 26378: 3: TAG 20
+ 27073: 3: 80
+ 38004: 5: c0
+ 52655: 2: 00
+ 64598: 3: 80
+ 87943: 3: 80
+ 87943: 3: TAG 40
+ 87944: 1: 00
+ 87945: 3: 80
+ 87945: 3: 80
+ 87945: 3: TAG 40
+ 88198: 1: TAG 00!
+ 88440: 3: 80
+ 88440: 3: 80
+ 88441: 1: 00
+ 88441: 2: 00
+ 88441: 2: 00
+ 88441: 3: 80
+ 88442: 3: 80
+ 88443: 3: TAG 40
+ 88445: 3: 80
+ 88686: 4: 80
+ 88692: 3: TAG 20
+ 113992: 2: 00
+ 204417: 2: 00
Kind of, but it was readable before also. It's just me who has been thinking about adapting the output of the hitag cmd into the list command.
Sad to say, I have zero experience with hitag. ... imagine that.
I don't see the snoop stopping. I thought it should output when it stops snooping. Did you press the pm3 button when you finished snooping?
What I have learned so far:
The Paxton reader sends an auth 3 times and the password that is used (I used a RFIDLER device for that)
000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
XXXXXXXXXXXX, PWD:NOT SHOWING
1110010111, READ_PAGE:4
1110101010, READ_PAGE:5
1111010011, READ_PAGE:6
1111100000, READ_PAGE:7
11000, START_AUTH
Last edited by moorketom (2018-05-25 09:00:49)