Another system in our company is based on HITAG2. I read that the support from iceman is not the best because he has no reader and tags to try. I found in the documentation of the system that it would use the challenge sequence for data exchange. To prepare for the brute force which needs at least two challenges I started sniffing the communication between reader and tag...
In every sniff sequence with the Proxmark between the reader and an accepted token, I got the same data from the reader but no challenge sequence or data from the token, but the reader is reacting to it. I also tried another antenna (125 kHz only), but the result was the same.
Can anyone tell me what I was capturing from the reader?
[fpc] pm3 --> lf hitag snif
[#] Starting Hitag2 sniffing
[#] Hitag2 sniffing finish. Use `lf hitag list` for annotations
[fpc] pm3 --> lf hitag list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 5837 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] Hitag1 / Hitag2 / HitagS - Timings in ETU (8us)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 0 | Rdr |<empty trace - possible error> | |
0 | 0 | Rdr |<empty trace - possible error> | |
0 | 0 | Rdr |<empty trace - possible error> | |
0 | 0 | Rdr |<empty trace - possible error> | |
0 | 0 | Rdr |<empty trace - possible error> | |
16777216 | 16777216 | Rdr |<empty trace - possible error> | |
262144 | 262144 | Rdr |00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 | |
| | |00 00 04 00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 | |
| | |00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 | |
| | |00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 00 00 | |
| | |04 00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 | |
| | |01 00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 | |
| | |00 00 00 04 00 00 00 00 01 00 00 00 00 00 00 00 04 00 | |
| | |00 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 01 00 | |
| | |00 00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 00 | |
| | |00 04 00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 00 | |
| | |00 01 00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 00 | |
| | |00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 00 00 04 | |
| | |00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 01 | |
| | |00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 | |
| | |00 00 04 00 | |
0 | 1024 | Rdr |<empty trace - possible error> | |
256 | 256 | Rdr |<empty trace - possible error> | |
4 | 260 | Rdr |<empty trace - possible error> | |
0 | 4 | Rdr |<empty trace - possible error> | |
1 | 1 | Rdr |<empty trace - possible error> | |
0 | 1 | Rdr |<empty trace - possible error> | |
67108864 | 67108864 | Rdr |<empty trace - possible error> | |
0 | 0 | Rdr |00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 01 | |
| | |00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 | |
| | |00 00 04 00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 | |
| | |00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 | |
| | |00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 00 00 | |
| | |04 00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 | |
| | |01 00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 | |
| | |00 00 00 04 00 00 00 00 01 00 00 00 00 00 00 00 04 00 | |
| | |00 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 01 00 | |
| | |00 00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 00 | |
| | |00 04 00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 00 | |
| | |00 01 00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 00 | |
| | |00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 00 00 04 | |
| | |00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 01 | |
| | |00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 | |
| | |00 00 04 00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 | |
| | |00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 01 00 00 | |
| | |00 00 00 00 00 04 00 00 00 00 01 00 00 00 00 00 00 00 | |
0 | 4 | Rdr |<empty trace - possible error> | |
1 | 1 | Rdr |<empty trace - possible error> | |
0 | 1 | Rdr |<empty trace - possible error> | |
67108864 | 67108864 | Rdr |<empty trace - possible error> | |
Hitag2 sniff and sim commands need some serious love on RRG/Iceman repo.
However on official repo it should work better. Try it and collect your needed data...
Two questions @iceman:
I installed your fork with homebrew. Can I install the official repo in parallel with homebrew?
Switching between yours and the official one means reflashing the Proxmark every time I switch between the two versions, right?
Sadly not on homebrew,
I installed the official firmware manually after compiling from source. It seems that HITAG is working worse there than in your fork. Reading HITAG is nearly impossible. Want to have a look?
./client/proxmark3 /dev/cu.usbmodem1454401
Prox/RFID mark3 RFID instrument
bootrom: RRG/Iceman/master/b60daea 2021-01-11 16:59:49
os: /-suspect 2021-02-11 09:05:33
fpga_lf.bit built for 2s30vq100 on 2019/11/21 at 09:02:37
fpga_hf.bit built for 2s30vq100 on 2020/03/05 at 19:09:39
SmartCard Slot: available
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 207672 bytes (40). Free: 316616 bytes (60).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#db# Unknown frame length: 1
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#db# Unknown frame length: 2
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3>
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#db# Unknown frame length: 4
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
proxmark3> lf hitag info
#: DEBUG: Error - failed getting UID
It's totally sh**
well... you said sniffing....
Ok. Today I visited the reader to snoop the traffic. This worked fine. I'm wondering which part of the output would be the nR and the aR. Every reading produced 5 lines of data:
proxmark3> lf hitag snoop
proxmark3> #db# Starting Hitag2 snoop
lf hitag snoop list
recorded activity (TraceLen = 58145400 bytes):
ETU :nbits: who bytes
---------+-----+----+-----------
+ 0: 3: 80
+ 3188: 4: 80
+ 3187: 4: 80
+ 947: 5: c0
+ 3186: 4: 80
+ 3186: 4: 80
+ 947: 5: c0
+ 3188: 4: 80
+ 3187: 4: 80
+ 3189: 4: 80
+ 3187: 4: 80
+ 3186: 4: 80
+ 3188: 4: 80
+ 3186: 4: 80
+ 3186: 4: 80
+ 949: 5: c0
+ 3186: 4: 80
+ 3189: 4: 80
+ 3188: 4: 80
+ 3188: 4: 80
+ 4728: 63: 86 13 1f 3e 87 6e 36 56
+ 3186: 4: 80
+ 4723: 63: 0e 26 3c 7f 53 58 f0 54
+ 3190: 4: 80
+ 4727: 63: 1c 4e 78 fc c6 4f 2c 52
+ 3186: 4: 80
+ 4726: 63: 38 9c f1 f9 3d 59 a1 64
+ 3187: 4: 80
+ 4725: 63: 71 39 e1 f0 4a 91 cc 2c
+ 3188: 4: 80
+ 3189: 4: 80
+ 949: 5: c0
+ 3188: 4: 80
+ 4722: 63: e0 71 c3 e2 d0 17 c6 f0
+ 948: 5: c0
+ 4726: 63: c0 e1 85 c7 18 44 cc 20
+ 3187: 4: 80
+ 4725: 63: 81 c3 09 8f af 06 7f 42
+ 948: 5: c0
+ 4721: 63: 03 86 13 1f ac 7f 18 34
+ 948: 5: c0
+ 4723: 63: 05 0e 26 3c 37 c4 bf ae
+ 3188: 4: 80
+ 947: 5: c0
+ 3188: 4: 80
+ 4725: 63: 08 1c 4e 79 f2 00 7d f6
+ 948: 5: c0
+ 4725: 63: 12 38 9c f0 29 db f4 b6
+ 3188: 4: 80
+ 4720: 63: 26 71 39 e0 00 da 40 70
+ 3189: 4: 80
+ 4722: 63: 4c e0 71 c3 11 a8 e0 52
+ 3188: 4: 80
+ 4728: 63: 9b c0 e1 84 e4 e1 38 d4
+ 3188: 4: 80
+ 3187: 4: 80
+ 3189: 4: 80
+ 4728: 63: 35 81 c3 08 c7 72 d6 60
+ 3188: 4: 80
+ 4723: 63: 6b 03 86 13 04 46 27 32
+ 3186: 4: 80
+ 4723: 63: d4 05 0e 27 36 e5 1e 8a
+ 3188: 4: 80
+ 4722: 63: aa 08 1c 4e e6 d4 0d 4a
+ 3189: 4: 80
+ 4728: 63: 54 12 38 9d 7e 16 ac 1c
+ 3188: 4: 80
+ 3187: 4: 80
+ 3188: 4: 80
+ 4728: 63: aa 26 71 38 d6 ac 27 3c
+ 949: 5: c0
+ 4728: 63: 56 4c e0 70 15 26 e6 da
+ 3186: 4: 80
+ 4726: 63: ac 9b c0 e0 fb 92 b3 5a
+ 3187: 4: 80
+ 4726: 63: 59 35 81 c2 6a dd b6 0e
+ 3188: 4: 80
+ 4722: 63: b2 6b 03 87 a9 1b dd 4c