Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ISO 15693 SLIX2 signature support #2781

Closed
eychei opened this issue Jun 16, 2023 · 94 comments
Closed

ISO 15693 SLIX2 signature support #2781

eychei opened this issue Jun 16, 2023 · 94 comments
Assignees
Labels
Bug NFC NFC-related

Comments

@eychei
Copy link

eychei commented Jun 16, 2023

Description of the feature you're suggesting.

The SLIX2 emulation is incomplete.
The following feature is missing.

• Originality signature:
32 byte ECC based originality signature

Anything else?

No response

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 18, 2023

Seems there is already a tool for cracking the public key...
grafik

(deleted, its the public key...)

for now i implemented all the emulation stuff for having a static signature, optional passwords etc.
unfortunately reading the signature doesn't work. the proxmark aborts the field in middle of the communication.
will have to dig deeper. do not know if this is the proxmark acting weird or the flipper having trouble sending longer responses...

grafik

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 18, 2023

i wonder if the pm3 works with the SLIX2 as intended.
do you have a proxmark for testing?

grafik

@eychei
Copy link
Author

eychei commented Jun 18, 2023

Great work ! I do have a proxmark and can test tomorrow.

@Frostyy99
Copy link

Frostyy99 commented Jun 18, 2023 via email

@eychei
Copy link
Author

eychei commented Jun 18, 2023

How does the private key cracking work here ? Are the signatures generated with weak nonces? how could you crack the private key with just one signature ?
We would need more then 50-60 biased signatures for a lattice attack.

-e

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 18, 2023

I have no clue, didnt expect that t.b.h.

However, from what i understand, it is just the public key used to verify the signature.
Recovering the private key is probably pointless.
ECC is a lot more complex than e.g. RSA, so even just 128 bit is a hard nut to crack.

The code is not live yet. I first want to fix the error when responding the 32 byte signature.
For this i have to know if pm3 works reliable.

@eychei
Copy link
Author

eychei commented Jun 18, 2023

Trying to emulate the SLIX2 with the proxmark right now.
There is only a "sim" mode which only uses the UID.
Is there an emulation of ISO15693 SLIX2 Tags which I am missing?

I am on Iceman/master/v4.14831-643-ga0ac40449.
I only have the 256kb version.

-e

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 18, 2023

there is no full emulation, I just implemented SLIX-L stuff a while back.
I don't think someone pushed that further since then.

can you read the SLIX2-tag? using "hf 15 info"

@eychei
Copy link
Author

eychei commented Jun 18, 2023

Yes I can read the slix2 tags without issues. It also reads out the Signature:
Looks like this:

[+] UID: E0 04 01 08 2F 81 D8 FC
[+] TYPE: NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX) ICS2602(SLIX2)
[+] Using UID... E0 04 01 08 2F 81 D8 FC

[=] --- Tag Information ---------------------------
[=] -------------------------------------------------------------
[+] TYPE: NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX) ICS2602(SLIX2)
[+] UID: E0 04 01 08 2F 81 D8 FC
[+] SYSINFO: 00 0F FC D8 81 2F 08 01 04 E0 01 3D 4F 03 01
[+] - DSFID supported [0x01]
[+] - AFI supported [0x3D]
[+] - IC reference supported [0x01]
[+] - Tag provides info on memory layout (vendor dependent)
[+] 4 (or 3) bytes/blocks x 80 blocks
[=] --------- NXP Sysinfo ---------
[=] raw : 00 32 02 0F 7F 35 00 00
[=] Password protection configuration:
[=] * Page L read not password protected
[=] * Page L write password protected
[=] * Page H read not password protected
[=] * Page H write not password protected
[=] Lock bits:
[=] * AFI locked
[=] * EAS locked
[=] * DSFID locked
[=] * Password protection configuration locked
[=] Features:
[=] * User memory password protection supported
[=] * Counter feature supported
[=] * EAS ID supported by EAS ALARM command
[=] * EAS password protection supported
[=] * AFI password protection supported
[=] * Extended mode supported by INVENTORY READ command
[=] * EAS selection supported by extended mode in INVENTORY READ command
[=] * READ SIGNATURE command supported
[=] * Password protection for READ SIGNATURE command not supported
[=] * STAY QUIET PERSISTENT command supported
[=] * ENABLE PRIVACY command supported
[=] * DESTROY command supported
[=] * Additional 32 bits feature flags are not transmitted

[=] EAS (Electronic Article Surveillance) is not active

[=] --- Tag Signature
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 22B83A239BE578F02CDED3CD31BA6A20F19AE721F2FCCCEE37FA68E77A298620
[+] Signature verification: failed

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 18, 2023

okay then sending responses >32 byte causes problems with the current NfcV implementation

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 18, 2023

grafik
grafik

g3gg0 added a commit to g3gg0/flipperzero-firmware that referenced this issue Jun 19, 2023
@g3gg0
Copy link
Contributor

g3gg0 commented Jun 19, 2023

SKU_S0722550 S0722430.zip

@eychei can you test the linked PR if it works for you?
attached you will find two of those SLIX2 tags

@eychei
Copy link
Author

eychei commented Jun 19, 2023

Nice! Will try and report back.

@eychei
Copy link
Author

eychei commented Jun 19, 2023

Ok I tried. Do get some errors / problems:

  1. Proxmark3 does not recognize the tag immediately. I do have to search for the tag (emulated) a few dozen times till it gets recognized
  2. On the original reader (Dymo) it does not get past the inventory command. The debug. txt does only contain these commands:
    1035227 R: 36 01 00 00 6a a1
    1035228 R: 36 01 00 00 6a a1
    1035228 R: 36 01 00 00 6a a1
    1035228 R: 36 01 00 00 6a a1
    1035244 R: 36 01 00 00 6a a1
    1035247 R: 36 01 00 00 6a a1
    1035247 R: 36 01 00 00 6a a1

I think this may be a timing issue?

-e

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 19, 2023

damn.
did you try to disable debug logging to reduce latency?

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 19, 2023

1. Proxmark3 does not recognize the tag immediately. I do have to search for the tag (emulated) a few dozen times till it gets recognized

yeah, seen that too.
the first reading goes through, then the first few seconds it doesnt respond.

@eychei
Copy link
Author

eychei commented Jun 19, 2023

I did disable debug logging and still the same error.
I can see that reading with the proxmark does work upto the signature command. But when putting into the Dymo reader it does not get past the inventory command.

-e

@eychei
Copy link
Author

eychei commented Jun 19, 2023

Oh I think I know whats going on.
The Flipper is not responding to the inventory command.
So the standard get inventory command is:
inventory[] = { 0x26, 0x01, 0x00 };
This is also what the proxmark3 sends.
But the Dymo reader sends out:
0x36, 0x01, 0x00, 0x00

This is a different inventory command.

The flipper is not responding to that command.

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 19, 2023

yeah, also seen just then :D
can you try the latest changes?

the behavior of the optional AFI field was implemented incorrectly.
i did only a exact "AFI matches" check, but its a bit more sophisticated.
the AFI 00 means "any AFI" just as not supplying any AFI.

grafik

@eychei
Copy link
Author

eychei commented Jun 19, 2023

Ok I tried. It does go one step further:

101415 R: 36 01 00 00 6a a1
101415 T: 00 01 ba 6c 60 3d 08 01 04 e0 5d 2b
101416 R: 36 01 00 00 6a a1
101416 T: 00 01 ba 6c 60 3d 08 01 04 e0 5d 2b
101417 R: 36 01 00 00 6a a1
101417 T: 00 01 ba 6c 60 3d 08 01 04 e0 5d 2b

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 19, 2023

looks good. can you sniff what an original tag responds?

@eychei
Copy link
Author

eychei commented Jun 19, 2023

Ok got the proxmark log. Hope it is complete:

 Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |      52224 | Rdr |36  01  00  00  6a  a1                                                   |  ok |
 INVENTORY
    9636608 |    9688832 | Rdr |36  01  00  00  6a  a1                                                   |  ok |
 INVENTORY
    9692992 |    9746240 | Tag |00  01  fc  d8  81  2f  08  01  04  e0  cc  48                           |  ok |

    9795712 |    9913472 | Rdr |22  23  fc  d8  81  2f  08  01  04  e0  00  03  39  f0                   |  ok |
 READ_MULTI_BLOCK(0-3)
    9917632 |    9999552 | Tag |00  03  0a  82  ed  86  39  61  d2  03  14  1e  32  b6  ca  00  3c  d4   |     |

            |            |     |c3                                                                       |  ok |

   10096768 |   10140800 | Rdr |22  bd  e4  53  36                                                       | !crc|
 READ_SIGNATURE
   10144960 |   10288320 | Tag |00  22  38  23  9b  e5  78  f0  2c  de  d3  cd  31  ba  6a  20  f1  9a   |     |

            |            |     |e7  21  f2  fc  cc  ee  37  fa  68  e7  7a  29  86  20  67  cc           | !crc|

   11964864 |   12066240 | Rdr |22  2b  fc  d8  81  2f  08  01  04  e0  3e  af                           |  ok |
 GET_SYSTEM_INFO
   12070400 |   12144128 | Tag |00  0f  fc  d8  81  2f  08  01  04  e0  01  3d  4f  03  01  38  5a       |  ok |

   12338784 |   12456544 | Rdr |22  23  fc  d8  81  2f  08  01  04  e0  00  03  39  f0                   |  ok |
 READ_MULTI_BLOCK(0-3)
   12460736 |   12542656 | Tag |00  03  0a  82  ed  86  39  61  d2  03  14  1e  32  b6  ca  00  3c  d4   |     |

            |            |     |c3                                                                       |  ok |

   12604000 |   12721760 | Rdr |22  23  fc  d8  81  2f  08  01  04  e0  03  0f  3d  10                   |  ok |
 READ_MULTI_BLOCK(3-18)
   12970624 |   13080192 | Rdr |22  23  fc  80  2f  08  01  04  e0  14  07  ec  44                       | !crc|
 READ_MULTI_BLOCK(7-243)
   13084352 |   13231808 | Tag |00  d7  fa  00  1c  76  c6  91  7b  00  30  30  30  30  30  30  30  30   |     |

            |            |     |30  30  00  00  00  f9  0c  10  00  00  00  00  00  00  00  03  28       |  ok |

   13311968 |   13429728 | Rdr |22  23  fc  d8  81  2f  08  01  04  e0  1e  0c  4f  07                   |  ok |
 READ_MULTI_BLOCK(30-42)
   13690752 |   13808512 | Rdr |22  23  fc  d8  81  2f  08  01  04  e0  32  0b  63  f9                   |  ok |
 READ_MULTI_BLOCK(50-61)
   14209088 |   14220352 | Rdr |22                                                                       |     |

   14635904 |   14652288 | Tag |00  78  f0                                                               |  ok |

   14913056 |   15030816 | Rdr |22  23  fc  d8  81  2f  08  01  04  e0  4f  01  85  16                   |  ok |
 READ_MULTI_BLOCK(79-80)
   15035008 |   15067776 | Tag |00  fd  ff  00  01  a9  e4                                               |  ok |

   36301760 |   36337600 | Rdr |22  26  fc  d8                                                           | !crc|
 RESET_TO_READY
   36341312 |   36357696 | Tag |00  78  f0                                                               |  ok |

   49795456 |   49896832 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
   49901056 |   49917440 | Tag |00  78  f0                                                               |  ok |

   63333664 |   63484192 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2  00  00  00  00  00  40   | !crc|
 RESET_TO_READY
   72993824 |   73095200 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
   73099392 |   73115776 | Tag |00  78  f0                                                               |  ok |

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 19, 2023

great, what does the log say for FZ?

@eychei
Copy link
Author

eychei commented Jun 19, 2023

FZ log:

2912674 R: 36 01 00 00 6a a1
2912675 T: 00 01 fc d8 81 2f 08 01 04 e0 cc 48
2912675 R: 36 01 00 00 6a a1
2912675 T: 00 01 fc d8 81 2f 08 01 04 e0 cc 48
2912676 R: 36 01 00 00 6a a1
2912676 T: 00 01 fc d8 81 2f 08 01 04 e0 cc 48
2912677 R: 36 01 00 00 6a a1
2912677 T: 00 01 fc d8 81 2f 08 01 04 e0 cc 48
2912697 R: 36 01 00 00 6a a1
2912697 T: 00 01 fc d8 81 2f 08 01 04 e0 cc 48

@g3gg0
Copy link
Contributor

g3gg0 commented Jun 19, 2023

no, i mean proxmark log :)

@eychei
Copy link
Author

eychei commented Jun 19, 2023

Somehow I did get some more transactions now with the dymo reader + Flipper:

   90015296 |   90067520 | Rdr |36  01  00  00  6a  a1                                                   |  ok |
 INVENTORY
   90071744 |   90124992 | Tag |00  01  fc  d8  81  2f  08  01  04  e0  cc  48                           |  ok |

   90207296 |   90259520 | Rdr |22  23  fc  d8  81  cb                                                   | !crc|
 READ_MULTI_BLOCK(252-468)
   92314816 |   92432576 | Rdr |22  23  fc  d8  81  2f  08  01  04  e0  03  0f  3d  10                   |  ok |
 READ_MULTI_BLOCK(3-18)
   93046752 |   93098976 | Rdr |22  23  fc  d8  81  07                                                   | !crc|
 READ_MULTI_BLOCK(252-468)
   93765824 |   93875392 | Rdr |22  b2  04  fc  d8  81  2f  08  01  04  e0  8f  9b                       |  ok |
 GET_RANDOM_NUMBER
   93883712 |   93908288 | Tag |00  e1  71  83  54                                                       |  ok |

   94245248 |   94330240 | Rdr |22  b3  04  fc  d8  81  2f  08  01  72                                   | !crc|
 SET_PASSWORD
   94523936 |   94641696 | Rdr |22  23  fc  d8  81  2f  08  01  04  e0  4f  01  85  16                   |  ok |
 READ_MULTI_BLOCK(79-80)
   94645888 |   94666368 | Tag |01  0f  68  ee                                                           |  ok |

  102097472 |  102403648 | Rdr |36  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     |

            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     |

            |            |     |00                                                                       | !crc|
 ?
  102540320 |  102649888 | Rdr |22  bd  04  fc  d8  81  2f  08  01  04  e0  53  36                       |  ok |
 READ_SIGNATURE
  103914496 |  104015872 | Rdr |22  2b  fc  d8  81  2f  08  01  04  e0  3e  af                           |  ok |
 GET_SYSTEM_INFO
  104020032 |  104093760 | Tag |00  0f  fc  d8  81  2f  08  01  04  e0  01  3d  4f  03  01  38  5a       |  ok |

  104288416 |  104406176 | Rdr |22  23  fc  d8  81  2f  08  01  04  e0  00  03  39  f0                   |  ok |
 READ_MULTI_BLOCK(0-3)
  104410624 |  104492544 | Tag |00  03  0a  82  ed  86  39  61  d2  03  14  1e  32  b6  ca  00  3c  d4   |     |

            |            |     |c3                                                                       |  ok |

  105808256 |  105926016 | Rdr |22  23  fc  d8  81  2f  08  01  04  e0  32  0b  63  f9                   |  ok |
 READ_MULTI_BLOCK(50-61)
  106275936 |  106385504 | Rdr |22  b2  04  fc  d8  81  2f  08  01  04  e0  8f  9b                       |  ok |
 GET_RANDOM_NUMBER
  122049120 |  122150496 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  122154688 |  122171072 | Tag |00  78  f0                                                               |  ok |

  135641696 |  135677536 | Rdr |22  26  fc  d8                                                           | !crc|
 RESET_TO_READY
  135681664 |  135698048 | Tag |00  78  f0                                                               |  ok |

  149133312 |  149234688 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  149238848 |  149255232 | Tag |00  78  f0                                                               |  ok |

  162692992 |  162794368 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  172317696 |  172419072 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  172423232 |  172439616 | Tag |00  78  f0                                                               |  ok |

  185877280 |  185978656 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  185982784 |  185999168 | Tag |00  78  f0                                                               |  ok |

  199404192 |  199505568 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  199509696 |  199526080 | Tag |00  78  f0                                                               |  ok |

  212963968 |  213065344 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  213069504 |  213085888 | Tag |00  78  f0                                                               |  ok |

  226490912 |  226592288 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  226596480 |  226612864 | Tag |00  78  f0                                                               |  ok |

  240050528 |  240151904 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  240156032 |  240172416 | Tag |00  78  f0                                                               |  ok |

  253577536 |  253678912 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  253683072 |  253699456 | Tag |00  78  f0                                                               |  ok |

  267137216 |  267238592 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  267242752 |  267259136 | Tag |00  78  f0                                                               |  ok |

  280664128 |  280765504 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  280769664 |  280786048 | Tag |00  78  f0                                                               |  ok |

  294223840 |  294325216 | Rdr |22  26  fc  d8  81  2f  08  01  04  e0  ec  a2                           |  ok |
 RESET_TO_READY
  294329344 |  294345728 | Tag |00  78  f0                                                               |  ok |

@eychei
Copy link
Author

eychei commented Jun 19, 2023

I also can see that the flipper does have some data in the log.
Here is the log for the SKU_S0722430.nfc:

7478244 R: 36 01 00 00 6a a1
7478244 T: 00 01 ba 6c 60 3d 08 01 04 e0 5d 2b
7478244 R: 36 01 00 00 6a a1
7478245 T: 00 01 ba 6c 60 3d 08 01 04 e0 5d 2b
7478245 R: 22 23 ba 6c 60 3d 08 01 04 e0 00 03 21 a1
7478246 T: 00 03 0a 82 ed 86 39 61 d2 03 14 1e 32 b6 ca 00 3c d4 c3
7478246 R: 22 bd 04 ba 6c 60 3d 08 01 04 e0 c2 55
7478247 T: 00 33 4a 63 63 d0 13 49 db a0 9e ee 15 1e f8 f8 f3 fa 15 f5 77 e4 4d 75 9b 78 14 ca d3 7e 02 ef 10 6d 93
7478248 R: 22 2b ba 6c 60 3d 08 01 04 e0 af cc
7478249 T: 00 0f ba 6c 60 3d 08 01 04 e0 01 3d 4f 03 01 40 d3
7478249 R: 22 23 ba 6c 60 3d 08 01 04 e0 00 03 21 a1
7478250 T: 00 03 0a 82 ed 86 39 61 d2 03 14 1e 32 b6 ca 00 3c d4 c3
7478250 R: 22 23 ba 6c 60 3d 08 01 04 e0 03 0f 25 41
7478251 T: 00 b6 ca 00 3c 27 b3 98 ba 53 30 37 32 32 34 33 30 00 00 00 00 00 ff 04 01 01 00 00 00 22 04 1e 00 28 00 00 00 00 00 0f 00 f0 03 1c 02 00 00 00 00 46 02 dc 00 78 2d 16 00 01 00 00 00 00 00 00 00 22 4f
7478253 R: 22 23 ba 6c 60 3d 08 01 04 e0 14 07 f4 15
7478254 T: 00 d7 fa 00 1c 10 17 6e 3b 00 30 30 30 30 30 30 30 30 30 30 00 00 00 a9 75 6b 06 00 00 00 00 00 00 10 08
7478271 R: 22 23 ba 6c 60 3d 08 01 04 e0 1e 0c 57 56
7478271 T: 00 32 8c 00 30 ba 47 99 b3 00 00 00 00 ac 87 ff 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 a2
7478273 R: 22 23 ba 6c 60 3d 08 01 04 e0 32 0b 7b a8
7478274 T: 00 11 f3 00 2c dd c3 3e 91 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 87
7478276 R: 22 b2 04 ba 6c 60 3d 08 01 04 e0 1e f8
7478276 T: 00 5e e8 6d e4
7478276 R: 22 b3 04 ba 6c 60 3d 08 01 04 e0 01 d1 25 0e ee 37 81
7478277 T: 00 78 f0
7478277 R: 22 23 ba 6c 60 3d 08 01 04 e0 4f 01 9d 47
7478278 T: 01 0f 68 ee
7478278 R: 36 01 00 00 6a a1
7478278 T: 00 01 ba 6c 60 3d 08 01 04 e0 5d 2b
7478278 R: 22 23 ba 6c 60 3d 08 01 04 e0 00 03 21 a1
7478279 T: 00 03 0a 82 ed 86 39 61 d2 03 14 1e 32 b6 ca 00 3c d4 c3
7478280 R: 22 bd 04 ba 6c 60 3d 08 01 04 e0 c2 55
7478280 T: 00 33 4a 63 63 d0 13 49 db a0 9e ee 15 1e f8 f8 f3 fa 15 f5 77 e4 4d 75 9b 78 14 ca d3 7e 02 ef 10 6d 93
7478293 R: 22 2b ba 6c 60 3d 08 01 04 e0 af cc
7478293 T: 00 0f ba 6c 60 3d 08 01 04 e0 01 3d 4f 03 01 40 d3
7478294 R: 22 23 ba 6c 60 3d 08 01 04 e0 00 03 21 a1
7478294 T: 00 03 0a 82 ed 86 39 61 d2 03 14 1e 32 b6 ca 00 3c d4 c3
7478295 R: 22 23 ba 6c 60 3d 08 01 04 e0 03 0f 25 41
7478295 T: 00 b6 ca 00 3c 27 b3 98 ba 53 30 37 32 32 34 33 30 00 00 00 00 00 ff 04 01 01 00 00 00 22 04 1e 00 28 00 00 00 00 00 0f 00 f0 03 1c 02 00 00 00 00 46 02 dc 00 78 2d 16 00 01 00 00 00 00 00 00 00 22 4f
7478298 R: 22 23 ba 6c 60 3d 08 01 04 e0 14 07 f4 15
7478298 T: 00 d7 fa 00 1c 10 17 6e 3b 00 30 30 30 30 30 30 30 30 30 30 00 00 00 a9 75 6b 06 00 00 00 00 00 00 10 08
7478300 R: 22 23 ba 6c 60 3d 08 01 04 e0 1e 0c 57 56
7491148 T: 30 ba 47 99 b3 00 00 00 00 ac 87 ff 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 a2 01 00 0e 00 22 23 ba 6c 60 3d 08 01 04 e0 32 0b 7b a8 00 00 33 00 00 11 f3 00 2c dd c3 3e 91 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 87 01 00 0d 00 22 b2 04 ba 6c 60 3d 08 01 04 e0 1e
7491172 T: 3c 27 b3 98 ba 53 30 37 32 32 34 33 30 00 00 00 00 00 ff 04 01 01 00 00 00 22 04 1e 00 28 00 00 00 00 00 0f 00 f0 03 1c 02 00 00 00 00 46 02 dc 00 78 2d 16 00 01 00 00 00 00 00 00 00 22 4f 01 00 0c 00 22 26 ba 6c 60 3d 08 01 04 e0 7d c1 00 00 03 00 00 78 f0 01 00 0c 00 22 26 ba 6c 60 3d 08 01 04 e0 7d c1 00 00 03 00 00 78 f0 01 00 0c 00 22 26 ba 6c 60 3d 08 01 04 e0 7d c1 00 00 03 00 00 78 f0 01 00 0c 00 22 26 ba 6c 60 3d 08 01 04 e0 7d c1 00 00 03 00 00 78 f0 01 00 0c 00 22 26 ba 6c 60 3d 08 01 04 e0 7d c1 00 00 03 00 00 78 f0 01 00 0c 00 22 26 ba 6c 60 3d 08 01 04 e0 7d c1 00 00 03 00 00 78 f0 01

@Morfis1855
Copy link

hi there
I had a similar issue but I didn't have a programming Background, I'm working in a medical lab, two yeas ago I had purchased an inventory system the manufacturer provided a software plus hardware (readers) and 5 years licence we started using those inlay tags which are expensive but tolerable cost after one year they start raising the price for each tag till reaching more than 4$ now which is insanely high I believe you had an idea about how much inlay Slix cost from china or Europe suppliers which is less than 1 $, I got stuck with expensive hardware and 5 years prepaid licence Plz help to crack those tags, I had punch of Nxp Slix tags from different supplier and a PM3 all my trials to clone a serial of those tags went south even if NXP Info and/or PM3 show them as identical to the original

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 10, 2024

hi there I had a similar issue but I didn't have a programming Background, I'm working in a medical lab, two yeas ago I had purchased an inventory system the manufacturer provided a software plus hardware (readers) and 5 years licence we started using those inlay tags which are expensive but tolerable cost after one year they start raising the price for each tag till reaching more than 4$ now which is insanely high I believe you had an idea about how much inlay Slix cost from china or Europe suppliers which is less than 1 $, I got stuck with expensive hardware and 5 years prepaid licence Plz help to crack those tags, I had punch of Nxp Slix tags from different supplier and a PM3 all my trials to clone a serial of those tags went south even if NXP Info and/or PM3 show them as identical to the original

No offense, but please restucture your post a bit using interpuction and newlines.
It is too hard to follow what your point really is.

@Morfis1855
Copy link

Sorry for my English

hi there.

I had a similar issue but I do not have a programming Background, I'm working in a medical lab, two yeas ago had purchased an inventory system to track samples and reagents across the lab using RFID Labels.
the manufacturer provided a software, hardware (readers) and 5 years licence.

we started to use those inlay REID tags which are expensive ~2$ but tolerable cost.
after one year the supplier started raising the price for each tag till reaching more than 4$ last month, which is insanely high.
I believe you had an idea about how much RFID lable cost from china or Europe it cost less than 1 $, Now I got stuck with expensive hardware and 5 years prepaid licence Plz help to crack those tags,

I bought 50 sticker from aliexpress @15$ with the same exact IC "NXP-ICODESLIX, tried to clone But didn’t work.
All my trials to clone a serial of those tags went south even if NXP, MCT Apps and/or PM3 but reader failed to see tags at all

I HAD attached screenshot of both original tag and out sourced tags scanning results

B.R
Morfis
image

image

@Morfis1855
Copy link

Sorry forgot to attached the copied tags scanning results which identical to the original
image
image

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 10, 2024

From what i can anticipate you have tried, is copying the memory content.
There is still the UID which is hardcoded, but i guess that should not be a indicator for clone/genuine seller tags (they also cannot control the UID)

But there still is the DSFID and AFI which have to match as well as the password(s)

Use a PM3 (easy) and sniff reader/tag comms.
If it makes use of a password (which i guess is the only senseful way of protecting)
then you will see a GET RAND and SET PASSWORD command in the hexdump.

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 10, 2024

another thing: you are sure the UID is E0 04 01 50 .. for the genuine tags?
because if its that sequence, its indeed a SLIX and there is good chance.

if it is instead E0 04 01 08 or others, its a SLIX2 with (fixed) cryptograpic signature.

in any case, it is not related to this (old, dead) topic.

@Morfis1855
Copy link

Hehehe now 😜 you speaking gebrish

Joking I already saw a lot of articles and thought about sniffing but again I'm a Chemists I will try my best and keep you posted

But in general do you think it's doable?

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 10, 2024

Well, get yourself confortable with the terminilogy and try it

@Morfis1855
Copy link

another thing: you are sure the UID is E0 04 01 50 .. for the genuine tags? because if its that sequence, its indeed a SLIX and there is good chance.

if it is instead E0 04 01 08 or others, its a SLIX2 with (fixed) cryptograpic signature.

in any case, it is not related to this (old, dead) topic.

for the moment I did dump the original tag using PM3 if it helps
hf-15-E0040150AE82CD7C-dump.json

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 10, 2024

looks doable.
not sure what the lock block format is, there is a bit set.
compare this with a off-the-shelf tag and write the memory content of the old to the new tag.

check if the tag is now working.
options:
a) doesn't work because of lock bit not set
b) doesn't work because the block0 data is some kind of hashed UID
c) works, impersonating the genuine tag

for a) get comfortable with https://www.nxp.com/docs/en/data-sheet/SL2S2002_SL2S2102.pdf and write the lock bits.

for b) you need many genuine tags read out to reverse engineer the hash - if even possible with that small sample count.
also good to know before reversing:

  • when ordering genuine tags, do you have to specify your "customer/system ID" or smth like that?
  • what is the absolute maximum number of tags allowed?
  • can you store custom information in the genuine tags?

in any case:
use your pm3 to sniff the traffic between tag and reader.

@Morfis1855
Copy link

I already did and block 1 locked exactly as original and did not work

most probably option "b) doesn't work because the block0 data is some kind of hashed UID or Password or ECC

I will sniff the reader tag communication tomorrow and update you today I'm out of office

@Morfis1855
Copy link

hi again
hf 15 sniff do nothing
hf sniff command resulted the attached .mp3 file
sniff results.zip

did I did it right ??

@Morfis1855
Copy link

[g3gg0] good day are you available ??

@Morfis1855
Copy link

Good morning again

There is a lot of videos describing how to sniff hf could you plz suggest a sniss protocol?

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 12, 2024

This is a WebSerial implementation of a proxmark client i made.

  • use edge or chrome
  • connect to the proxmark3
  • make sure you have the latest** iceman firmware if it doesn't connect properly.
  • click on "ISO15693 Sniff Traffic"
  • sniff the communication with the PM3 a few times
  • press the button on the PM3
  • you should see a log

https://upload.g3gg0.de/pub_files/cf515b7c21f0f4a620089275a583f7b1/index.html

** I think a version from this year is enough

@Morfis1855
Copy link

Did you saw the fils un this comment???

hi again hf 15 sniff do nothing hf sniff command resulted the attached .mp3 file sniff results.zip

did I did it right ??

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 12, 2024

no, i need a packet dump of the communication.
https://www.reddit.com/r/proxmark3/comments/xyyv2g/how_to_sniff_iso15693/

@Morfis1855
Copy link

Did you saw the fils un this comment???

hi again hf 15 sniff do nothing hf sniff command resulted the attached .mp3 file sniff results.zip
did I did it right ??

This file contains my trials sniffing tag/reader communication results for multiple times since i don't have the skills to check its quality could you pleas see them and comments

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 12, 2024

As I wrote, please supply the list of packets as with the "hf 15 sniff" pm3 command.
not sure which kind of file type this is, what you provided, thus me asking for a list of sniffed commands.

@Morfis1855
Copy link

Thanks for your patience 🙏 and forgive my ignorance

But again "hf 15 sniff" do nothing

Hf sniff only working

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 12, 2024

then please ensure your proxmark version is are recent one

@Morfis1855
Copy link

Version
i assume its the latest

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 13, 2024

This is a WebSerial implementation of a proxmark client i made.

  • use edge or chrome
  • connect to the proxmark3
  • make sure you have the latest** iceman firmware if it doesn't connect properly.
  • click on "ISO15693 Sniff Traffic"
  • sniff the communication with the PM3 a few times
  • press the button on the PM3
  • you should see a log

https://upload.g3gg0.de/pub_files/cf515b7c21f0f4a620089275a583f7b1/index.html

** I think a version from this year is enough

Now this

@Morfis1855
Copy link

failed to connect on both browsers !! edge and chrome do I need to disable some security feature??

@Morfis1855
Copy link

click on "ISO15693 Sniff Traffic" ?? where supposed to find this

@Morfis1855
Copy link

sorry the command prompt was running that's why it wasn't able to connect now

connected now it's late now I will do it first thing in morning tomorrow, when i reach the office
appreciated

@Morfis1855
Copy link

Hi sniffing Reader card communication didn't work i tried multiple times the results led to 0 traces tag on reader sniff

To ensure my technique is working I tried to sniff tag/ phone communication using NXP info app and it worked !!! and screenshot tag on phone sniff, attached i saved the log as TXT if it helps sniffing.txt

@Morfis1855
Copy link

Any advice??

@g3gg0
Copy link
Contributor

g3gg0 commented Mar 18, 2024

No, if there is no communication to be traced, i cannot help.
You could use a more recent version of that html from https://github.com/g3gg0/ProxmarkWebSerial, however there were no changes that should have impact.

Looking at the screenshot, i am missing a log message that says to press a button.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug NFC NFC-related
Projects
None yet
Development

No branches or pull requests

7 participants