ISO 15693 SLIX2 signature support #2781
Comments
|
Seems there is already a tool for cracking the public key... (deleted, its the public key...) for now i implemented all the emulation stuff for having a static signature, optional passwords etc.
|
|
i wonder if the pm3 works with the SLIX2 as intended.
|
|
Great work ! I do have a proxmark and can test tomorrow. |
|
How do I add this to my flipper zero
…On Sun, 18 Jun 2023 at 10:56 am, g3gg0.de ***@***.***> wrote:
Seems there is already a tool for cracking the private key
<https://github.com/RfidResearchGroup/proxmark3/blob/master/tools/recover_pk.py>
...
[image: grafik]
<https://user-images.githubusercontent.com/479231/246638126-22c8c595-e637-4271-9aac-16ff37aab9a1.png>
so the signature might be possible to autogenerate for any UID.
for now i implemented all the emulation stuff for having a static
signature, optional passwords etc.
unfortunately reading the signature doesn't work. the proxmark aborts the
field in middle of the communication.
will have to dig deeper. do not know if this is the proxmark acting weird
or the flipper having trouble sending longer responses...
[image: grafik]
<https://user-images.githubusercontent.com/479231/246638200-45102e0e-3309-44a7-82a7-dfa1e0682aab.png>
—
Reply to this email directly, view it on GitHub
<#2781 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/BATRQUCRSUQZW2BDLESE3QTXLZG45ANCNFSM6AAAAAAZJYTVVA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***
com>
|
|
How does the private key cracking work here ? Are the signatures generated with weak nonces? how could you crack the private key with just one signature ? -e |
|
I have no clue, didnt expect that t.b.h. However, from what i understand, it is just the public key used to verify the signature. The code is not live yet. I first want to fix the error when responding the 32 byte signature. |
|
Trying to emulate the SLIX2 with the proxmark right now. I am on Iceman/master/v4.14831-643-ga0ac40449. -e |
|
there is no full emulation, I just implemented SLIX-L stuff a while back. can you read the SLIX2-tag? using "hf 15 info" |
|
Yes I can read the slix2 tags without issues. It also reads out the Signature: [+] UID: E0 04 01 08 2F 81 D8 FC [=] --- Tag Information --------------------------- [=] EAS (Electronic Article Surveillance) is not active [=] --- Tag Signature |
|
okay then sending responses >32 byte causes problems with the current NfcV implementation |
|
|
…sue flipperdevices#2781), added WRITE_PASSWORD handling
|
@eychei can you test the linked PR if it works for you? |
|
Nice! Will try and report back. |
|
Ok I tried. Do get some errors / problems:
I think this may be a timing issue? -e |
|
damn. |
yeah, seen that too. |
|
I did disable debug logging and still the same error. -e |
|
Oh I think I know whats going on. This is a different inventory command. The flipper is not responding to that command. |
|
yeah, also seen just then :D the behavior of the optional AFI field was implemented incorrectly.
|
|
Ok I tried. It does go one step further: 101415 R: 36 01 00 00 6a a1 |
|
looks good. can you sniff what an original tag responds? |
|
Ok got the proxmark log. Hope it is complete: |
|
great, what does the log say for FZ? |
|
FZ log: 2912674 R: 36 01 00 00 6a a1 |
|
no, i mean proxmark log :) |
|
Somehow I did get some more transactions now with the dymo reader + Flipper: |
|
I also can see that the flipper does have some data in the log. |
|
hi there |
No offense, but please restucture your post a bit using interpuction and newlines. |
|
Sorry for my English hi there. I had a similar issue but I do not have a programming Background, I'm working in a medical lab, two yeas ago had purchased an inventory system to track samples and reagents across the lab using RFID Labels. we started to use those inlay REID tags which are expensive ~2$ but tolerable cost. I bought 50 sticker from aliexpress @15$ with the same exact IC "NXP-ICODESLIX, tried to clone But didn’t work. I HAD attached screenshot of both original tag and out sourced tags scanning results B.R
|
|
Sorry forgot to attached the copied tags scanning results which identical to the original |
|
From what i can anticipate you have tried, is copying the memory content. But there still is the DSFID and AFI which have to match as well as the password(s) Use a PM3 (easy) and sniff reader/tag comms. |
|
another thing: you are sure the UID is E0 04 01 50 .. for the genuine tags? if it is instead E0 04 01 08 or others, its a SLIX2 with (fixed) cryptograpic signature. in any case, it is not related to this (old, dead) topic. |
|
Hehehe now 😜 you speaking gebrish Joking I already saw a lot of articles and thought about sniffing but again I'm a Chemists I will try my best and keep you posted But in general do you think it's doable? |
|
Well, get yourself confortable with the terminilogy and try it |
for the moment I did dump the original tag using PM3 if it helps |
|
looks doable. check if the tag is now working. for a) get comfortable with https://www.nxp.com/docs/en/data-sheet/SL2S2002_SL2S2102.pdf and write the lock bits. for b) you need many genuine tags read out to reverse engineer the hash - if even possible with that small sample count.
in any case: |
|
I already did and block 1 locked exactly as original and did not work most probably option "b) doesn't work because the block0 data is some kind of hashed UID or Password or ECC I will sniff the reader tag communication tomorrow and update you today I'm out of office |
|
hi again did I did it right ?? |
|
[g3gg0] good day are you available ?? |
|
Good morning again There is a lot of videos describing how to sniff hf could you plz suggest a sniss protocol? |
|
This is a WebSerial implementation of a proxmark client i made.
https://upload.g3gg0.de/pub_files/cf515b7c21f0f4a620089275a583f7b1/index.html ** I think a version from this year is enough |
|
Did you saw the fils un this comment???
|
|
no, i need a packet dump of the communication. |
This file contains my trials sniffing tag/reader communication results for multiple times since i don't have the skills to check its quality could you pleas see them and comments |
|
As I wrote, please supply the list of packets as with the "hf 15 sniff" pm3 command. |
|
Thanks for your patience 🙏 and forgive my ignorance But again "hf 15 sniff" do nothing Hf sniff only working |
|
then please ensure your proxmark version is are recent one |
|
|
Now this |
|
failed to connect on both browsers !! edge and chrome do I need to disable some security feature?? |
|
click on "ISO15693 Sniff Traffic" ?? where supposed to find this |
|
sorry the command prompt was running that's why it wasn't able to connect now connected now it's late now I will do it first thing in morning tomorrow, when i reach the office |
|
Hi sniffing Reader card communication didn't work i tried multiple times the results led to 0 traces To ensure my technique is working I tried to sniff tag/ phone communication using NXP info app and it worked !!! and screenshot |
|
Any advice?? |
|
No, if there is no communication to be traced, i cannot help. Looking at the screenshot, i am missing a log message that says to press a button. |
Description of the feature you're suggesting.
The SLIX2 emulation is incomplete.
The following feature is missing.
• Originality signature:
32 byte ECC based originality signature
Anything else?
No response
The text was updated successfully, but these errors were encountered: