Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Hello together,
i'm working on an access system project. The system is from 1996. It's called ES1000 (Manual: https://drive.google.com/file/d/18sZXg5 … sp=sharing) from the company Opertis branded by HEWI.
Because the system is so old, they don't resupply it any more. I know 125kHz systems are not secure, but for us it's okay.
Now i'm trying to get new chips into the system and to analyse the tags i got the proxmark 3 evo.
As far as i investigated, it should be an hitag s or hitag 1 chip.
The tags can be read from the DOM System (https://www.dom-security.com/de/de/prod … ufzylinder).
But the chips from DOM can't be integrated into the Opertis system.
My problem now is the following that the proxmark gots unresponsible.
I've flashed the current github master and also tried the iceman fork also.
Current image on the proxmark is:
#db# Performing i2c bus recovery
#db# I2C bus recovery error: SDA still LOW
#db# Performing i2c bus recovery
#db# I2C bus recovery error: SDA still LOW
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-134-g70dbfc3-dirty-suspect 2019-09-27 16:51:14
os: master/v3.1.0-134-g70dbfc3-dirty-suspect 2019-09-27 16:51:19
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07
SmartCard Slot: available
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 204527 bytes (39%). Free: 319761 bytes (61%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 43.31 V @ 125.00 kHz
# LF antenna: 18.84 V @ 134.00 kHz
# LF optimal: 47.85 V @ 122.45 kHz
# HF antenna: 17.26 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
If i do the following:
proxmark3> lf hitag reader 01 02 0 0 0
#db# ReadHitagS in mode=STANDARD, blockRead=0, startPage=0
#db# Authenticating using nr,ar pair:
#db# 00 00 00 02 00 00 00 00
#db# UID: 87 92 40 15
#db# crc: 2D
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
WARNING: timeout while waiting for reply.
proxmark3> hw ping
Sending bytes to proxmark failed
I have to reset the proxmark to send commands again.
I've compiled the source with DEBUG=2 to check what is happening.
And in the log appears, that the proxmark read endless pages with zeroes as data.
Other 125kHz cards works fine (EM410x).
Another strange behaviour is, if use the ordered hitag (1,2 and s) dongle tags, they dont get found.
proxmark3> lf hitag reader 01 02 0 0 0
#db# ReadHitagS in mode=STANDARD, blockRead=0, startPage=0
#db# Authenticating using nr,ar pair:
#db# 00 00 00 02 00 00 00 00
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
WARNING: timeout while waiting for reply.
proxmark3> hw ping
Sending bytes to proxmark failed
Ping failed
I tried also different positions on the reader and measure voltage drop:
proxmark3> hw tune l
Measuring antenna characteristics, please wait........
# LF antenna: 42.21 V @ 125.00 kHz
# LF antenna: 19.94 V @ 134.00 kHz
# LF optimal: 44.00 V @ 123.71 kHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
As far as i understand it should be enough for the tag to operate.
To compare here the voltage from the card (UID: 87924015).
proxmark3> hw tune l
Measuring antenna characteristics, please wait........
# LF antenna: 39.32 V @ 125.00 kHz
# LF antenna: 21.72 V @ 134.00 kHz
# LF optimal: 39.32 V @ 125.00 kHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Using the new hitag chips to be learned into the system doesn't work.
On the cards are written beside the UID a field named K:
Card 1:
K - 003703 | T - 87924015
Card 2:
K - 003721 | T - 0A934015
My suggestion was now, that the manufactor of the ES1000 have used a shared secret.
The system is offline based and can be programmed whit an programming handheld (UID based).
Also tried the magic uid card T57xx with following configuration:
Block 0: 0048020 and 0088020
Block 1: 87924015 (UID + Config page from above)
But it is not recognized as valid.
At the writing i recognized something weird:
The offical length of the UID for hitag 1+s ist 32 bit. But in the manual for the Tag list (Page 17), are complete block 0.
The configuration blocks differs from tag to tag. So it's look like an 64 bit long UID.
I hope it's enough information and you can give me a hint where to search next.
Thank you in advance!
Greetings Mercix
Last edited by Mercix (2019-10-02 09:37:31)
Offline
An impressive first posting.
Can you link to English documents, please?
I didn't know that the PM3 Evo can be used with official or RRG repository. I thought they use different hardware? The error messages regarding i2c bus and the wrong detection of the smartcard slot seem to indicate that as well.
Nevertheless, Hitag functions are very fragile currently. Make sure that you have a good coupling between tag and proxmark antenna (roughly same size), and distance matters as well (a millimetre can make a difference).
I had started to improve this part of the code but got distracted by iClass.
Can you please rephrase the sentence with page 17 and block 0? There seems to be missing a word or two.
Offline
Thank you. I've tried to figure out as much as I can on my own.
Sry there are no english documents avaible to me. But maybe you can tell me what you need to know and i try to translate it.
To the software part:
I've got it from lab401.com and after I've got it, it wasn't avaible any more. And searching for differences in the software version doesn't yield any useful. Can you maybe give me a link, if there are differences for the evo?
On page 17 is a list of tags and which room they are contributed to.
My confuse appears here, because a hitag tag only have a 32 bit UID.
The next 32 bit of the page are for the configuration.
And on this list are tags with different UIDs and configurations.
For my understanding, it should be always the same for a class of id tags or?
As Example:
Tag 1: 1111AABB
Tag 2: 1112AABB
Tag 3: 1113AABB
And thank you for your answer.
Greetings!
Offline
Can you maybe give me a link, if there are differences for the evo?
My statement was based on https://www.reddit.com/r/RFID/comments/ … _rdv4_evo/
The tags can be read from the DOM System (https://www.dom-security.com/de/de/prod … ufzylinder).
But the chips from DOM can't be integrated into the Opertis system.
The DOM system claims to support many different chip types (Hitag 1, Hitag 2, Hitag S, EM 4100, EM 4102, EM 4150, EM 4450) but I couldn't find a hint which chip types are supported by the ES1000. From the documentation we only know that the tags have a 32Bit ID number (examples on page 17). So your ES1000 tags seem to be one of (Hitag 1, Hitag 2, Hitag S, EM 4100, EM 4102, EM 4150, EM 4450) and your DOM tags seem to be of a different type or the ES1000 requires some kind of "formatting". Besides the Serialnumber, HITAG chips have additional data and keys. The ES1000 may make use of it, but the DOM system may use the Serialnumber only.
Too many options. Can you snoop a communication between tag and reader?
Offline
The offical length of the UID for hitag 1+s ist 32 bit. But in the manual for the Tag list (Page 17), are complete block 0.
The configuration blocks differs from tag to tag. So it's look like an 64 bit long UID.
Google translates the header of the last column to "Serial number of Main programming card / Replacement programming card". What you see are therefore the 32bit numbers of two different cards. No config block or 64bit number.
Offline
Sry have got a brain fail. ^^
As you both right mentioned, the uid of the ES1000 system seems to be 32 bit aka 8 byte.
But the Hitag 1/S only have 16 bit aka 4 byte uid (page size 4 byte) | look page 32 Hitag 1 Datasheet.
The Hitag 2 got 32 bit uid Page 24.
I've also looked at the data plots. The em cards have a clearly "graph".
The hitag chips from the es1000 system and the delivered ones look indenticly.
Also it seems to be, that the K on the cards is the password for the protection.
On the hitag2 datasheet is written, that it is 24 bit long and the K is 6 byte long.
So my problem now is, can I use my proxmark 3 evo to read the hitag 2 chips or do I have to get other ones?
Also I tried the lf snoop command, when using the es1000 to open - Snoop File.
If it's not right, please tell me how to do it.
Also it seems to be the hitag2 only works in pw or crypto mode.
So one must be the same on every device and tag, right?
Thank you
Offline
As you both right mentioned, the uid of the ES1000 system seems to be 32 bit aka 8 byte.
But the Hitag 1/S only have 16 bit aka 4 byte uid (page size 4 byte) | look page 32 Hitag 1 Datasheet.
The Hitag 2 got 32 bit uid Page 24.
Where did you learn your math? 1byte is 8bits. 4bytes is 32bits.
Offline
Yes of course... I'm ill atm.
So sorry for this.
Both use the 32 bit UID.
Using the specifig hitag 2 commands, I don't get any values back.
If use hitag reader 01/02, i get the uid from the card.
So it would be right to assume, that the system use hitag 1/s, right?
Can you maybe give me hint, how i can manualy read the first two pages from the card?
Also interesting seems to be this from the es1000 manual:
Personalization: Personalization means the fixed assignment of an identifier,
a fitting or a switching module to a programming card. Brand new identifiers, fittings and switch modules can not be used without personalization. While
the personalization is a special, not from outside readable
Record from the programming card in the memory of
Transfer fitting or switch module electronics. Now this fitting / switching module can only in conjunction with this
Programming card can be programmed. In the personalization
of an identifier, this record of the fitting /
Transfer switching electronics into the identifier. That's the way it is
the identifier is connected to the programming card. The personalization of an identifier can not be undone
become. The identifier is firmly connected to the programming card.
We tried to assign brandnew hitag 1 and s chip to a door, but nothing happend.
So maybe the configuration differ from the "original" cards and the brand new one?!
And thank you very much again for your time.
Offline
Hello,
I've got the confirmation from the producer, that it's a Hitag 1 card.
They've done an initialisation before the cards are to use.
But they don't support it any more and don't have any keys.
Does you know any working breaks for the hitag 1?
Or do I have to programm my own hitag 1 functions for the proxmark?
And do you know how to sniff more then 40k bytes? So a unlimited writing to my disk?
Thank you.
Offline
Does you know any working breaks for the hitag 1?
Not that I am aware of. There are documents on Hitag 2 and Hitag S (they use the same cipher) but I couldn't find anything usefull on Hitag 1.
Or do I have to programm my own hitag 1 functions for the proxmark?
Yes, PM3 currently does not support Hitag 1.
And do you know how to sniff more then 40k bytes? So a unlimited writing to my disk?
Not yet implemented. For LF (like Hitag 1) this should be possible. But I don't see the use case for such long traces?
Offline
The key is not hard to break.
From the documentation it is an 32 bit key.
Because of that I want to record the communication between door and card and then bruteforce the key.
But if i use lf snoop I dont get the whole authentication. I want to record longer to have more time to open the door and that the encrypted communcation gets recorded.
Do you know a good tutorial for the lf snoop part?
Offline
But if i use lf snoop I dont get the whole authentication. I want to record longer to have more time to open the door and that the encrypted communcation gets recorded.
Don't use 'lf snoop'. Use 'lf hitag snoop' and display the result with 'lf hitag list'
Offline
Hello,
just a status update:
I'm now programming the hitag 1 functions.
I already got the uid and conf page running.
Curious is only, that the original tag is now readable, but not the both delievered hitag 1 tags.
I've ordered tags from another distributor for comparsion.
The 'hitag lf snoop' give no really useful data. I'll investigate it, after setup the hitag 1.
Greetings
Last edited by Mercix (2019-10-21 17:24:49)
Offline
Hello,
I tried to get the snnop running, but at the current settings the proxmark disturb the communication between reader and tag.
Yesterday I looked at the lf snoop traces. In this I see the communication and relevant information. Also the reader opens clearly.
My question now is, can I use the lf snoop in a loop to capture the whole communication in one step?
Offline
Hello,
just a little update.
I looked again at the traces and their is a page read before going into crypto mode.
Investigating this it seems to be a "company brand" to exclude hitag 1 fabric new cards.
I also got the same value for this page from the key fob, but the cards are not responding to the command.
After sending it, no more rx is recieved. But it seems correct as the fob responds.
My bet is, that it is a timing problem. Also I've recognized, that if i use to much dbprintf, the timings are go to high.
Is their a possibillity to log the exact timings, without interferring the send and recieve?
So that i can look after comm for it.
Also it would be nice to know, if I can see the com on the data plot.
Also I've got the following problem:
case RHT1_UID_CONF: { //RHT1_UID_CONF
c = (UsbCommand){ CMD_READER_HITAG_1 };
c.arg[1] = param_get64ex(Cmd, 1, 0, 0); //tag mode
} break;
case RHT1_READ_PAGE: {
c = (UsbCommand){ CMD_READER_HITAG_1 };
c.arg[1] = param_get64ex(Cmd, 1, 0, 0); // tag mode
c.arg[2] = param_get64ex(Cmd, 2, 0, 0); // page
} break;
In the RHT1_UID_CONF the tag mode is transmitted to the reader command.
In case of the RHT1_READ_PAGE i got no tag mode and no page.
It's really anoying....
I hope anyone can help me with an idea.
Thank you very much!
Offline
Pages: 1