Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Anyone have any experience with Cotag cards? It seems they use a proprietary frequency and encryption...
I think the card will react at 132 kHz instead of 125 kHz... is it possible to build a home-brew antenna for this?
Thanks for any information...
Jules
Offline
I couldn't find any documentation or datasheet about Cotag, but I'm sure I have one, and I did some tests. Here are the results:
First "hw tune" without any card (with standard LF antenna):
# LF antenna: 13.96 V @ 125.00 kHz
# LF antenna: 14.37 V @ 134.00 kHz
# LF optimal: 17.32 V @ 129.03 kHz
# HF antenna: 0.16 V @ 13.56 MHz
# Your HF antenna is unusable.
With the Cotag:
# LF antenna: 3.89 V @ 125.00 kHz
# LF antenna: 3.36 V @ 134.00 kHz
# LF optimal: 7.25 V @ 97.56 kHz
# HF antenna: 0.16 V @ 13.56 MHz
# Your LF antenna is marginal.
# Your HF antenna is unusable.
A voltage drop of around 10 V, so I suppose the operating frequency is indeed around 134 kHz and the standard LF antenna will be usable. But why do you think it's 132 kHz?
Reading the card at 125 kHz:
lf read
#db# buffer samples: 7f 7f 7f 7f 7e 7f 7e 7e ...
data samples 4000
Reading 4000 samples
Done!
Result: sample file attached.
Reading the card at 134 kHz:
lf read h
#db# buffer samples: 7b 7b 7b 7c 7c 7c 7c 7b ...
data samples 4000
Reading 4000 samples
Done!
Result: sample file attached.
Does this make any sense to anyone?
Offline
Already an update:
I did find some "documentation": http://www.buildingtechnologies.siemens … apr_09.pdf
Quotes:
It operates on the 132 kHz band, which is similar to 125 kHz.
So it indeed is 132 kHz.
Cotag is more secure than standard 125 kHz technology because the content on the card is protected and there is no equipment available outside Siemens to read or copy the cards.
Not yet. Sounds like a challenge
Offline
Any news on this?
Siemens is marketing this technology here in Europe as a HIGH SECURITY standard. I am wondering if there is real security involved or only obscurity...
At least it seems there are no 132 kHz cards readily available, so there could only be a "lf cotag sim UID" with the Proxmark3. :-)
Offline
I found a multifrequency reader that can read Cotag cards (http://www.elatec-rfid.com/c/document_library/get_file?uuid=20898bb8-4b14-42d6-8077-75a5c16e0d93&groupId=10583). Works nicely so far.
There is no snoop command for LF, so it does not seem possible to see what is going on here. I also only get the same pattern that MagMeister has shown when issuing "lf read". Maybe the card needs some kind of "activation" by the reader?
Offline
You bought the TWN4 I suppose? Do you have any software or SDK to read the card?
Offline
Yes, I got a TWN4 Legic NFC. The SDK can be downloaded here: http://www.elatec-rfid.com/c/document_library/get_file?uuid=14369e29-7d49-4505-8a9a-d6ca74d4a7bf&groupId=10583
It's a great device: very small, reads many, many cards, and the internal ARM can be easily programmed. As a scanner it is very fast: with an unknown card (regardless of whether it is 125 kHz or 13.56 MHz) it only takes about a second to identify the technology and the UID.
The integrated 13.56 MHz antenna, however, only works at very short distances. I have a Junghans watch with an integrated Mifare chip, and it can be read by the TWN4 only in a certain position.
This is what the datasheet says the reader can read:
125kHz / 134.2kHz:
4100, 4102, 4200, Casi Rusco, HITAG 1, HITAG 2, HITAG S, MIRO, TIRIS/HDX, UNIQUE
Optionally, in preparation: 4105, 4x50, AWID, Cardax, FDX-B, G-Prox II, Honeywell Nexwatch,
IDTECK, Pyramid, Q5, TITAN, T55x7, ZOODIAC
Legic Advant
Legic Prime
ISO14443 A+B compatible to part 4:
Mifare DESFire, Mifare Plus, Mifare SmartMX, my-d move, PayPass
Mifare Classic, Mifare Ultralight
ISO15693:
EM4035, Tag-It, my-d vicinity, ICODE SLI, M24LR16/64, PicoPass, HID iCLASS
ISO18092 / NFC:
NFCIP-1: Passive communication mode, NFC Forum Tag Type 2-4, Sony FeliCa
Version P:
Standard + Cotag, HID Prox, Indala, ioProx
So far it cannot read the content of all card types, only the UID of some, but it seems Elatec is continuously adding new features to the firmware.
For sure, it is an interesting device. I have a customer who needs to read many different cards (only UIDs, including Cotag) and that is why I got a test unit.
Concerning the Cotag:
I can now read the UID with the TWN4, so I know what I need to get out of the Proxmark3. But with the samples from the Proxmark3 I have no idea how to proceed. It doesn't look like the card is sending anything automatically. That was why I was wondering whether it might need activation from the reader. Maybe we need a snoop feature for LF, too.
Offline
Looks like a great reader. Where did you buy it?
I would at least expect something like an Answer-To-Select when the card comes into range of the reader, telling the card it is ready for a (secure?) command (if the system is really as safe as they claim). The problem is that there is no documentation of the protocol provided by Siemens. I wonder how Elatec could implement this.
However, maybe some analysis of the SDK can make this clearer?
An LF snoop feature for the Proxmark would be very useful, indeed.
Offline
I purchased it directly from Elatec in Germany. It wasn't exactly cheap considering shipping and taxes... But I need it for a customer project.
Elatec seems to have a license for these special protocols like Cotag etc. You can get the reader with two different firmwares, the more expensive one including Cotag and HID Prox, Indala, ioProx (called Version P).
The SDK won't help much, I am afraid. You can program the reader very nicely in C, but to access lower-level functionality you go via an API. It's really a nice reader, but not for hacking... Have a look at the SDK. It describes the API functions.
So, to learn how Cotag works, we would indeed need an LF snoop, I'm afraid.
Offline
Hi mk
You have an active card there. Nice. I only have a passive card, and that looks identical to all other simple cards.
It's interesting: your card seems to come from a company called Cotag. My card comes from Siemens. Probably they bought Cotag?
Offline
Indeed, nice pictures of an active Cotag card.
I did some googling and I found an e-shop for the TWN4: http://www.idcardcentre.co.uk/125kHz-13 … reader-HID
Indeed, not really cheap
They also sell Cotag cards and key fobs (passive and active!)! http://www.idcardcentre.co.uk/index.php … name=cotag
So I think developing an LF snoop function is the only way to get into the workings of Cotag.
Offline
You'd better order directly from Elatec. It's still pretty expensive, but at least some 30% cheaper. It even seems your shop only offers the normal version (not P) without Cotag support.
I paid about 165 Euros plus shipping plus taxes, so approx. 220 Euros. As I said, expensive. It only makes sense when you have a good use for it. But it is a very nice reader :-)
You could also only buy the TWN4 Mifare Version P (also includes Cotag, but not Legic Prime), which costs 142 Euros (plus shipping and taxes).
Offline
Do they sell to individuals or only to businesses? Is that the price for the desktop version or just the OEM board? Thx!
Offline
That's the price of the USB version.
Don't know about individuals vs. businesses. I am a freelancer, so legally I have my own business :-) It is possible that they only sell to businesses. They state "After initial test order there is a minimum order value of 500 Euros". That could be a hint that they only sell to businesses.
If there were bigger interest in this reader (>= 10 people), I could try to order them. But I guess this reader is too expensive to find 10 interested persons...
It might be that my customer wants some more of these. Then I could order one for you, too. But my guess is that it will take at least 2 months for him to decide on this.
Offline
I'm not planning to buy it short-term.
But if your customer wants to buy these, please order one for me too.
Are you planning some development with the Proxmark (like LF snoop)?
Offline
I'm not planning to buy it short-term.
But if your customer wants to buy these, please order one for me too.
Sure, can do that :-)
Are you planning some development with the Proxmark (like LF snoop)?
I'd like to, but I am still very unfamiliar with the Proxmark and do not have in-depth knowledge of badge technologies. I'm more of a user, I am afraid :-/
I already looked into the code (especially hf 14a snoop), but did not understand much. An "LF snoop" would be very nice, but probably it won't be me who creates it...
Btw., also very nice would be snooping HF UIDs from larger distances by only registering anticollision commands :-)
Offline
Found an interesting detail here regarding active tags:
http://www.bewator.com/se/products/inde … VBER/p3339
It says in the Technical data:
"Input frequency 132kHz, Output frequency 66kHz. Though built 3V lithium cell. Bit length: 5.8ms. Up to 63 serial bits available (initiated by the two status bits - start bit and battery flag)."
Found another interesting document
http://www.borsatec.com/web\BorsatecP.n … Manual.pdf
"A long life lithium cell supports the memory and ensures a strong output signal during interrogation. 63 data bits are available for data storage of which 31 are normally allocated to implement Cotag International’s unique security coding features. The Tag can be re-programmed as often as required."
The passive tags seem to work on the same input/output frequencies. This tag also seems to be rewritable... Very interesting...
http://www.borsatec.com/web\BorsatecP.n … Manual.pdf
Data format : Up to 63 programmable bits. AD operation only
Security codes : Distributor Code, site code and card numbers
Input signal : 132kHz
Output signal : 66kHz
Is the Proxmark hardware capable of handling the output signal at 66 kHz?
There seems to be a Cotag programmer from Bewator called 633-2 which I found some manuals for; could be interesting...
http://www.bewator.com/products/resourc … ndbook.pdf
http://www.bewator.com/products/resourc … ndbook.pdf
Last edited by urkis (2013-05-20 21:06:28)
Offline
@urkis:
Sounds really interesting.
My RFID understanding is too low. I would have thought that passive tags cannot output at a different frequency than the one they are excited at. But maybe some experts here can explain how that could work.
Edit: Hmm, 66 kHz is just half of 132 kHz. So it probably is possible. It's still running on the reader frequency. We should still see it with a data samples command.
As there is nothing to see there, probably the card waits for a special signal from the reader?
We would need the "lf snoop" command to find out.
Last edited by Neuer_User (2013-05-21 07:50:07)
Offline
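Added example, not Proxmark3 code and not from any poster above: a few stdlib-only checks a practitioner can run on the `lf read` dumps posted earlier in this thread and on the 132 kHz in / 66 kHz out question just discussed. It parses the `#db# buffer samples:` debug line (the eight values are copied from the thread) and the text `.pm3` format written by `data save` (one integer per line), reports whether a trace is flat like the posted one or carries a periodic component, and works out the frame timing from the 63-bit / 5.8 ms figures quoted from the Bewator page. The sample rate, the flatness threshold and the second, modulated trace are constructed assumptions, not measurements from the thread.

```python
"""Sanity checks on Proxmark3 LF sample dumps (added example, not pm3 code).

Two questions from the thread: does an `lf read` trace carry any tag
modulation at all, and can a reply at a given frequency be resolved at
the rate the trace was sampled.  Assumptions (not from the thread): the
sample rate passed in, the flatness threshold, and the constructed
modulated trace.  The .pm3 text format (one integer per line) is what
`data save` writes; the parser simply skips blank lines.
"""
import cmath
import math

# Debug line copied from the thread (first eight samples of a Cotag `lf read`).
DB_LINE_FROM_THREAD = "#db# buffer samples: 7f 7f 7f 7f 7e 7f 7e 7e ..."

# Constructed: a square wave, 8 samples high / 8 samples low, 64 samples
# in total, i.e. a 16-sample period.  Stands in for a trace that does
# carry data; it is NOT a Cotag capture.
CONSTRUCTED_MODULATED = ([0x9F] * 8 + [0x60] * 8) * 4


def parse_db_samples(line):
    """Parse a '#db# buffer samples: 7f 7f ...' line into 8-bit ints."""
    _, _, payload = line.partition("buffer samples:")
    return [int(tok, 16) for tok in payload.split() if tok != "..."]


def parse_pm3(text):
    """Parse a text .pm3 dump: one signed integer sample per line."""
    return [int(line) for line in text.splitlines() if line.strip()]


def peak_to_peak(samples):
    return max(samples) - min(samples)


def is_flat(samples, threshold=4):
    """True when the trace never moves more than `threshold` ADC counts,
    which is what a carrier-only trace (no tag reply) looks like."""
    return peak_to_peak(samples) <= threshold


def dominant_frequency(samples, sample_rate_hz):
    """Strongest non-DC component via a plain DFT.

    Returns (frequency_hz, share_of_ac_power).  O(n^2), fine for a few
    hundred samples; use numpy.fft for a full 4000-sample capture."""
    n = len(samples)
    mean = sum(samples) / n
    ac = [s - mean for s in samples]
    powers = {}
    for k in range(1, n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(ac))
        powers[k] = abs(acc) ** 2
    total = sum(powers.values())
    if total == 0.0:
        return 0.0, 0.0
    k_best = max(powers, key=powers.get)
    return k_best * sample_rate_hz / n, powers[k_best] / total


def samples_per_bit(bit_ms, sample_rate_hz):
    """How many samples one bit period spans at the given sample rate."""
    return bit_ms / 1000.0 * sample_rate_hz


def frame_duration_ms(bit_count, bit_ms):
    """Total on-air time of one frame of `bit_count` bits."""
    return bit_count * bit_ms


def resolvable(signal_hz, sample_rate_hz):
    """Nyquist criterion: a component is representable only below fs/2."""
    return signal_hz < sample_rate_hz / 2.0


if __name__ == "__main__":
    fs = 125_000  # assumed sample rate (one sample per carrier cycle)
    flat = parse_db_samples(DB_LINE_FROM_THREAD)
    print("thread trace flat:", is_flat(flat))
    f, share = dominant_frequency(CONSTRUCTED_MODULATED, fs)
    print(f"constructed trace: {f:.1f} Hz carries {share:.0%} of AC power")
    print("63 bits at 5.8 ms:", round(frame_duration_ms(63, 5.8), 3), "ms,",
          round(samples_per_bit(5.8, fs), 3), "samples per bit at", fs, "Hz")
    print("66 kHz resolvable at", fs, "Hz:", resolvable(66_000, fs))
```

The point of `resolvable` is the caveat behind the "66 kHz" question: whatever rate the capture was taken at, a 66 kHz component only shows up as itself if that rate is above 132 kHz; below that it folds into the envelope, so a flat `lf read` trace does not by itself prove the card is silent. The DFT share tells you whether a non-flat trace is one clean tone (a reply or a divider subharmonic) or broadband noise.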
It seems like Cotag cards get activated by 132 kHz and then reveal their data at 66 kHz.
What happens if we try to do a "data samples" at 134 kHz with the Proxmark in front of a Cotag reader in one system, and then compare with another reader in another access control system?
I tried it on an EM4102 USB reader at 125 kHz and the plot looks like this:
As you can see, nothing exciting about the curve. It just supplies the tag with power.
If the data looks as boring as this at 132 kHz on a Cotag reader, it's a good sign.
Last edited by urkis (2013-05-21 15:46:50)
Offline
If I understand "data samples" correctly, it actively drives the antenna. So there would be two readers. It is not a snoop mode where the antenna is passive and just registers what the other reader does.
Offline
If I understand "data samples" correctly, it actively drives the antenna. So there would be two readers. It is not a snoop mode where the antenna is passive and just registers what the other reader does.
Damn, I was not thinking about that. Then we need a good snoop command indeed. I hope it is possible.
Offline
I found some patent documents from 1987 that seem to be it!
http://worldwide.espacenet.com/publicat … cale=en_EP
Offline
I tried it on an EM4102 USB reader at 125 kHz and the plot looks like this:
I have a Cotag reader here, so if we could "snoop" what is happening, then we could emulate it on the Proxmark3. An EM4102 reader does more or less nothing, just a constant static field, if I am not mistaken. That's probably why we don't see much in the "data samples" command.
Offline
I found some patent documents from 1987 that seem to be it!
http://worldwide.espacenet.com/publicat … cale=en_EP
http://oi42.tinypic.com/2uiu6o9.jpg
That looks interesting. I'm wondering about the "Prog. Clock Detection" circuit. Could it be that it needs to detect an active modulated signal on the incoming HF?
I really have no knowledge about that. Maybe some expert here can interpret the diagram?
Offline
Looking at it a bit more in detail, this cannot be the Cotag card. The Cotag datasheet says it can be reprogrammed, so there needs to be some microcontroller there. So it is surely not as simple as shown in the diagram.
Offline
Anyone have any experience with Cotag cards? It seems they use a proprietary frequency and encryption...
I think the card will react at 132 kHz instead of 125 kHz... is it possible to build a home-brew antenna for this?
Thanks for any information...
Jules
Hi Jules,
apologies for jumping on your thread, but I too have a COTAG\BEWATOR card used with our Siemens SiPass system. Have you found a USB card reader which can actually read these cards? Or even an alternative key fob which can be used with the SiPass readers?
If so, I would be interested to know which, for a little project I am trying to get off the ground which uses the cards/system we currently use for access control.
Thanks
Offline
It is two years ago now; does anyone have any update on this issue?
Offline
Is this type of card still in use anywhere in the world?
Offline
Yes, I'm almost sure that it's COTAG that is used here in Vienna in the Wohnpark/Kaufpark Alterlaa for access control. (Not sure if posting details of objects using a certain technology is okay here? If not, please tell me, I'm new.)
lf search, when scanning the tag, stops on COTAG:
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
? Searching for MOTOROLA tag...[=] signal looks like noise
? Searching for COTAG tag......
[!] ⚠️ command execution time out
[-] ⛔ No data found!
[=] Signal looks like noise. Maybe not an LF tag?
The readers at the doors are clearly marked as being Siemens; the field detector registers 125 kHz.
The key fobs used for door access look surprisingly exactly like the ones on the Siemens vendor page, just in black/green (full privileges/visitors), while the garage access cards are cards ;)
And I have the bad feeling that the proxmark3 supports basically all RFID tags on this planet BUT COTAG, right? My lucky day, I guess.
Guess I'll have to try to figure out what the lf cotag subcommands really offer; they don't seem to offer too much.
TiA for any suggestions,
yacc143
Offline
Cotag support needs some more love; meanwhile,
head over to the discord server / 125khz channel and share a file from
lf read
data save -f lf_cotag_unk.pm3
Offline