Research, development and trades concerning the powerful Proxmark3 device.
I have an IKEA Rothult lock. The model is "TYP E1778". It has two cards which you can use to open or close the lock.
There are words "TYP E1777" on the cards.
First of all, I ran "hf search"
[usb] pm3 --> hf search
[+] UID: 02 E2 00 67 37 D9 6C
[+] ATQA: 00 42
[+] SAK: 20 [1]
[+] MANUFACTURER: ST Microelectronics SA France
[+] JCOP 31/41
[+] ATS: 05 75 80 60 02 BB 58
[+] - TL : length is 5 bytes
[+] - T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[+] - TA1 : different divisors are NOT supported, DR: [], DS: []
[+] - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 6 (FWT = 262144/fc)
[+] - TC1 : NAD is NOT supported, CID is supported
[!!] PRNG data error: Wrong length: 0
[-] Prng detection: fail
[+] Valid ISO14443-A tag found
My goal is to simulate the card (or copy it if possible), but I don't know which command to use to do so.
I sniffed the communication between the card and the lock.
[usb] pm3 --> hf 14a sniff
[#] Starting to sniff
[#] maxDataLen=5, Uart.state=0, Uart.len=0
[#] traceLen=900, Uart.output[0]=00000026
[usb] pm3 --> hf 14a list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 900 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 1056 | Rdr |26 | | REQA
1374000 | 1375056 | Rdr |26 | | REQA
2748048 | 2749104 | Rdr |26 | | REQA
6794496 | 6795552 | Rdr |26 | | REQA
8168032 | 8169088 | Rdr |26 | | REQA
9541840 | 9542896 | Rdr |26 | | REQA
13588224 | 13589280 | Rdr |26 | | REQA
13590484 | 13592852 | Tag |42 00 | |
13617856 | 13622624 | Rdr |50 00 57 cd | ok | HALT
13695792 | 13696784 | Rdr |52 | | WUPA
13698052 | 13700420 | Tag |42 00 | |
13728992 | 13731456 | Rdr |93 20 | | ANTICOLL
13732660 | 13738548 | Tag |88 02 e2 00 68 | |
13764688 | 13775152 | Rdr |93 70 88 02 e2 00 68 c8 63 | ok | SELECT_UID
13776388 | 13779908 | Tag |04 da 17 | |
13805424 | 13807888 | Rdr |95 20 | | ANTICOLL-2
13809076 | 13814964 | Tag |67 37 d9 6c e5 | |
13841184 | 13851712 | Rdr |95 70 67 37 d9 6c e5 aa 64 | ok | SELECT_UID-2
13852916 | 13856500 | Tag |20 fc 70 | |
13878688 | 13883456 | Rdr |50 00 57 cd | ok | HALT
13956608 | 13957664 | Rdr |26 | | REQA
16008976 | 16010032 | Rdr |26 | | REQA
16011236 | 16013604 | Tag |42 00 | |
16038624 | 16043392 | Rdr |50 00 57 cd | ok | HALT
16116560 | 16117552 | Rdr |52 | | WUPA
16118820 | 16121188 | Tag |42 00 | |
16149776 | 16152240 | Rdr |93 20 | | ANTICOLL
16153428 | 16159316 | Tag |88 02 e2 00 68 | |
16185456 | 16195920 | Rdr |93 70 88 02 e2 00 68 c8 63 | ok | SELECT_UID
16197188 | 16200708 | Tag |04 da 17 | |
16226368 | 16228832 | Rdr |95 20 | | ANTICOLL-2
16230036 | 16235924 | Tag |67 37 d9 6c e5 | |
16262112 | 16272640 | Rdr |95 70 67 37 d9 6c e5 aa 64 | ok | SELECT_UID-2
16273844 | 16277428 | Tag |20 fc 70 | |
16299824 | 16304592 | Rdr |50 00 57 cd | ok | HALT
16377776 | 16378832 | Rdr |26 | | REQA
17777024 | 17778080 | Rdr |26 | | REQA
17779268 | 17781636 | Tag |42 00 | |
17806656 | 17811424 | Rdr |50 00 57 cd | ok | HALT
17885392 | 17886384 | Rdr |52 | | WUPA
17887652 | 17890020 | Tag |42 00 | |
17918528 | 17920992 | Rdr |93 20 | | ANTICOLL
17922180 | 17928068 | Tag |88 02 e2 00 68 | |
17954224 | 17964688 | Rdr |93 70 88 02 e2 00 68 c8 63 | ok | SELECT_UID
17965940 | 17969460 | Tag |04 da 17 | |
17994960 | 17997424 | Rdr |95 20 | | ANTICOLL-2
17998628 | 18004516 | Tag |67 37 d9 6c e5 | |
18030720 | 18041248 | Rdr |95 70 67 37 d9 6c e5 aa 64 | ok | SELECT_UID-2
18042436 | 18046020 | Tag |20 fc 70 | |
18068272 | 18073040 | Rdr |e0 80 31 73 | ok | RATS
18074244 | 18082436 | Tag |05 75 80 60 02 bb 58 | ok |
18105424 | 18111280 | Rdr |d0 11 00 52 a6 | ok |
18112532 | 18116052 | Tag |d0 73 87 | |
18140192 | 18158720 | Rdr |02 00 a4 04 00 07 d2 76 00 00 85 01 01 00 35 c0 | ok |
18160740 | 18166564 | Tag |02 90 00 f1 09 | |
18190192 | 18201872 | Rdr |03 00 a4 00 0c 02 00 01 81 7c | ok |
18203332 | 18209156 | Tag |03 90 00 2d 53 | |
18232400 | 18241712 | Rdr |02 00 20 00 01 00 6e a9 | ok |
18242964 | 18248788 | Tag |02 63 00 91 5f | |
18274624 | 18302368 | Rdr |03 00 20 00 01 10 33 6f 2f d1 53 08 4b aa 72 b9 04 3a | |
| | |41 81 7a e4 69 b4 | ok |
18305796 | 18311620 | Tag |03 90 00 2d 53 | |
18334800 | 18344112 | Rdr |02 a2 b0 00 00 1d 51 69 | ok |
18349604 | 18349604 | Tag |02 00 1b d1 01 17 54 02 7a 68 79 f6 35 62 d0 4d 91 d9 | |
| | |dd e7 00 17 6b 37 05 a1 31 31 31 32 90 00 d5 b9 | ok |
38785680 | 38786736 | Rdr |26 | | REQA
40159248 | 40160304 | Rdr |26 | | REQA
I can only understand that it only checks the UID. There are also APDUs.
Then I tried to simulate using "hf 14a sim".
[usb] pm3 --> hf 14a sim t 3 u 02E2006737D96C
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (02 E2 00 67 37 D9 6C )
[=] Press pm3-button to abort simulation
[#] Emulator stopped. Trace length: 504
[=] Done
[usb] pm3 --> hf 14a list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 504 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 1056 | Rdr |26 | | REQA
2228 | 4596 | Tag |44 03 | |
29630 | 34398 | Rdr |50 00 57 cd | ok | HALT
107562 | 108554 | Rdr |52 | | WUPA
109790 | 112158 | Tag |44 03 | |
140800 | 143264 | Rdr |93 20 | | ANTICOLL
144436 | 150324 | Tag |88 02 e2 00 68 | |
176460 | 186924 | Rdr |93 70 88 02 e2 00 68 c8 63 | ok | SELECT_UID
188160 | 191680 | Tag |24 d8 36 | |
1564254 | 1565310 | Rdr |26 | | REQA
1566482 | 1568850 | Tag |44 03 | |
1593934 | 1598702 | Rdr |50 00 57 cd | ok | HALT
1671886 | 1672878 | Rdr |52 | | WUPA
1674114 | 1676482 | Tag |44 03 | |
1705110 | 1707574 | Rdr |93 20 | | ANTICOLL
1708746 | 1714634 | Tag |88 02 e2 00 68 | |
3768726 | 3769782 | Rdr |26 | | REQA
3770954 | 3773322 | Tag |44 03 | |
3798382 | 3803150 | Rdr |50 00 57 cd | ok | HALT
3876372 | 3877364 | Rdr |52 | | WUPA
3878600 | 3880968 | Tag |44 03 | |
3909562 | 3912026 | Rdr |93 20 | | ANTICOLL
3913198 | 3919086 | Tag |88 02 e2 00 68 | |
3945258 | 3955722 | Rdr |93 70 88 02 e2 00 68 c8 63 | ok | SELECT_UID
3956958 | 3960478 | Tag |24 d8 36 | |
3986048 | 3988512 | Rdr |95 20 | | ANTICOLL-2
3989684 | 3995572 | Tag |67 37 d9 6c e5 | |
4021782 | 4032310 | Rdr |95 70 67 37 d9 6c e5 aa 64 | ok | SELECT_UID-2
4033482 | 4037066 | Tag |20 fc 70 | |
4059326 | 4064094 | Rdr |50 00 57 cd | ok | HALT
4137274 | 4138330 | Rdr |26 | | REQA
4139502 | 4141870 | Tag |44 03 | |
4170424 | 4172888 | Rdr |93 20 | | ANTICOLL
4173932 | 4179820 | Tag |88 02 e2 00 68 | |
4206002 | 4216466 | Rdr |93 70 88 02 e2 00 68 c8 63 | ok | SELECT_UID
4217766 | 4221286 | Tag |24 d8 36 | |
4246934 | 4249398 | Rdr |95 20 | | ANTICOLL-2
4250570 | 4256458 | Tag |67 37 d9 6c e5 | |
4282752 | 4293280 | Rdr |95 70 67 37 d9 6c e5 aa 64 | ok | SELECT_UID-2
4294452 | 4298036 | Tag |20 fc 70 | |
It seemed a little bit different. For example, PM3 responded 44 03 after WUPA instead of 44 00. And of course, the lock beeped three times, which meant the card was incorrect, and it didn't open.
I want to make sure what card it is and how I can simulate it. Thanks very much!
Last edited by lx2005 (2020-08-08 23:52:25)
Offline
You captured some APDU it sends to the card...
18232400 | 18241712 | Rdr |02 00 20 00 01 00 6e a9 | ok |
18242964 | 18248788 | Tag |02 63 00 91 5f | |
18274624 | 18302368 | Rdr |03 00 20 00 01 10 33 6f 2f d1 53 08 4b aa 72 b9 04 3a | |
| | |41 81 7a e4 69 b4 | ok |
18305796 | 18311620 | Tag |03 90 00 2d 53 | |
18334800 | 18344112 | Rdr |02 a2 b0 00 00 1d 51 69 | ok |
18349604 | 18349604 | Tag |02 00 1b d1 01 17 54 02 7a 68 79 f6 35 62 d0 4d 91 d9 | |
| | |dd e7 00 17 6b 37 05 a1 31 31 31 32 90 00 d5 b9 | ok |
38785680 | 38786736 | Rdr |26
Offline
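To make the sniffed session readable, and to see that the lock does more than look at the UID, here is an added Python decoder. It is not part of this thread and not Proxmark3 client code; the function names are my own. It takes the frames from the two `hf 14a list` outputs above (the real card and the `hf 14a sim t 3` run), rebuilds the 7-byte UID from both cascade levels while checking each BCC, verifies every CRC_A, pairs the ISO-DEP I-blocks into ISO 7816-4 APDUs (SELECT by AID, SELECT file, VERIFY, READ BINARY) and parses the NDEF Text record the card returns. The AID D2760000850101 is the NFC Forum Type 4 Tag NDEF application; the INS labels and the meaning of the status words come from ISO 7816-4, not from any ST document.

```python
AID_NDEF_TYPE4 = bytes.fromhex("d2760000850101")  # NFC Forum Type 4 Tag NDEF application AID
# Lock ("Rdr") <-> real card ("Tag") frames copied from the first trace above, CRC bytes kept.
CARD_SESSION = [(s, bytes.fromhex(h)) for s, h in [
    ("Rdr", "52"), ("Tag", "4200"), ("Rdr", "9320"), ("Tag", "8802e20068"),
    ("Rdr", "93708802e20068c863"), ("Tag", "04da17"), ("Rdr", "9520"), ("Tag", "6737d96ce5"),
    ("Rdr", "95706737d96ce5aa64"), ("Tag", "20fc70"), ("Rdr", "e0803173"), ("Tag", "0575806002bb58"),
    ("Rdr", "d0110052a6"), ("Tag", "d07387"), ("Rdr", "0200a4040007d27600008501010035c0"),
    ("Tag", "029000f109"), ("Rdr", "0300a4000c020001817c"), ("Tag", "0390002d53"),
    ("Rdr", "0200200001006ea9"), ("Tag", "026300915f"),
    ("Rdr", "030020000110336f2fd153084baa72b9043a41817ae469b4"), ("Tag", "0390002d53"),
    ("Rdr", "02a2b000001d5169"),
    ("Tag", "02001bd1011754027a6879f63562d04d91d9dde700176b3705a1313131329000d5b9"),
]]
# The activation phase against 'hf 14a sim t 3', copied from the second trace above.
SIM_SESSION = [(s, bytes.fromhex(h)) for s, h in [
    ("Rdr", "52"), ("Tag", "4403"), ("Rdr", "9320"), ("Tag", "8802e20068"),
    ("Rdr", "93708802e20068c863"), ("Tag", "24d836"), ("Rdr", "9520"), ("Tag", "6737d96ce5"),
    ("Rdr", "95706737d96ce5aa64"), ("Tag", "20fc70"),
]]

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (poly 0x8408 reflected, init 0x6363), returned LSB first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ (crc & 0xFF)) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def strip_crc(frame: bytes) -> bytes:
    """Return the frame without its trailing CRC_A, raising if the CRC does not verify."""
    if crc_a(frame[:-2]) != frame[-2:]:
        raise ValueError(f"CRC_A mismatch in {frame.hex()}")
    return frame[:-2]

def decode_anticollision(session):
    """REQA/WUPA -> ATQA, 93/95 20 -> UID part + BCC, 93/95 70 -> SAK. Returns (atqa, uid, saks)."""
    atqa, uid, saks, cmd = None, b"", [], b""
    for src, data in session:
        if src == "Rdr":
            cmd = data
        elif cmd in (b"\x26", b"\x52"):              # ATQA is sent without CRC
            atqa = data
        elif cmd in (b"\x93\x20", b"\x95\x20"):      # four bytes + BCC (XOR of the four)
            if (data[0] ^ data[1] ^ data[2] ^ data[3]) != data[4]:
                raise ValueError(f"BCC mismatch in {data.hex()}")
            uid += data[1:4] if data[0] == 0x88 else data[:4]   # 0x88 = cascade tag, UID continues
        elif cmd[:2] in (b"\x93\x70", b"\x95\x70"):  # SELECT answer: SAK + CRC
            saks.append(strip_crc(data)[0])
    return atqa, uid, saks

def describe_apdu(apdu: bytes) -> str:
    """Label the ISO 7816-4 command APDUs that occur in the session."""
    cla, ins, p1, p2, body = apdu[0], apdu[1], apdu[2], apdu[3], apdu[4:]
    lc = body[0] if body else 0
    if ins == 0xA4 and p1 == 0x04:
        aid = body[1:1 + lc]
        return f"SELECT by AID {aid.hex()}" + (" (NFC Forum Type 4 Tag NDEF app)" if aid == AID_NDEF_TYPE4 else "")
    if ins == 0xA4:
        return f"SELECT file {body[1:1 + lc].hex()} P2={p2:02x}"
    if ins == 0x20:
        return f"VERIFY P2={p2:02x} " + (f"with {lc}-byte password" if lc else "status query, Lc=0")
    if ins == 0xB0:
        return f"READ BINARY CLA={cla:02x} offset={(p1 << 8) | p2} Le={lc}"
    return f"unrecognised CLA={cla:02x} INS={ins:02x}"

def decode_apdus(session):
    """Pair ISO-DEP I-blocks (PCB 0x02/0x03) into (command label, response data, SW) tuples."""
    out, pending = [], None
    for src, data in session:
        if (data[0] & 0xE2) != 0x02:   # I-block PCB: b8..b6 = 000, b2 = 1, b1 = block number
            continue
        inf = strip_crc(data)[1:]      # drop the PCB; this trace uses no CID/NAD bytes
        if src == "Rdr":
            pending = describe_apdu(inf)
        elif pending is not None:
            out.append((pending, inf[:-2], inf[-2:].hex()))
            pending = None
    return out

def parse_ndef_text(ndef_file: bytes):
    """NLEN (2 bytes) then one short NDEF record; a Text record gives (language, raw text)."""
    nlen = int.from_bytes(ndef_file[:2], "big")
    rec = ndef_file[2:2 + nlen]
    hdr, tlen, plen = rec[0], rec[1], rec[2]   # short record (SR=1) without ID field assumed
    rtype, payload = rec[3:3 + tlen], rec[3 + tlen:3 + tlen + plen]
    if rtype != b"T":
        return rtype, payload
    lang_len = payload[0] & 0x3F
    return payload[1:1 + lang_len].decode("ascii"), payload[1 + lang_len:]

def summarize(session):
    atqa, uid, saks = decode_anticollision(session)
    apdus = decode_apdus(session)
    ndef = next((parse_ndef_text(d) for l, d, sw in apdus if l.startswith("READ BINARY") and sw == "9000"), None)
    return {"atqa": atqa.hex(), "uid": uid.hex(), "saks": [f"{s:02x}" for s in saks], "apdus": apdus, "ndef": ndef}

if __name__ == "__main__":
    print(summarize(CARD_SESSION), summarize(SIM_SESSION), sep="\n")
```

Run against the real-card trace it yields UID 02e2006737d96c, ATQA 42 00, SAK 04 then 20, and five APDU exchanges: SELECT of the NDEF application (90 00), SELECT of file 0001 (90 00), a VERIFY with no data answered 63 00, a VERIFY carrying 16 bytes answered 90 00, and a READ BINARY with CLA A2 that returns a 29-byte NDEF Text record (language "zh", 20 bytes of text that is not valid UTF-8). Against the simulation trace it recovers the same UID but reports ATQA 44 03 and SAK 24 then 20, and no APDU exchange at all, which matches what the lock did in the second listing.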
save that trace and share here
Offline
I saved that trace.
https://pastebin.com/u3qGwNuM
Offline
...nice, but no. I meant like in saving it as a file
hf 14a sniff
trace save rothul_02E2006737D96C.trace
Offline
Aha, sorry for that. I'm just a newbie. The true "trace" is here.
https://transfer.sh/g98bS/rothul_02E2006737D96C.trace
Offline
There are some discussions over at the discord server, iso14443a channel, about this lock.
Extracting your APDUs, you should be able to replay that session with a pm3 against your card.
hf 14a raw -s -c -p 0200a4040007d276000085010100
hf 14a raw -c -p 0300a4000c020001
hf 14a raw -c -p 020020000100
hf 14a raw -c -p 030020000110336f2fd153084baa72b9043a41817ae4
hf 14a raw -c 02a2b000001d
Offline
Good progress in the last few days:
System identified as ST25TA512B based.
Proxmark3 can talk with the card and remove protection limits.
Proxmark3 can simulate the tag.
Offline
Since the system is an ISO14443A-based one and it has NDEF, I moved the thread here.
Offline