MCU....... AT91SAM7S512 Rev A
Memory.... 512 Kb ( 66% used )
Client.... Iceman/master/v4.16191-110-g93d7d4677 2023-02-25 15:03:22
Bootrom... Iceman/master/v4.16191-110-g93d7d4677 2023-02-25 15:03:07
OS........ Iceman/master/v4.16191-110-g93d7d4677 2023-02-25 15:03:15
Target.... RDV4
[usb] pm3 --> hf 15 info
[+] UID: E0 04 01 08 38 4E 04 D9
[+] TYPE: NXP(Philips); IC SL2 ICS2602(SLIX2)
[+] Using UID... E0 04 01 08 38 4E 04 D9
[=] --- Tag Information ---------------------------
[=] -------------------------------------------------------------
[+] TYPE: NXP(Philips); IC SL2 ICS2602(SLIX2)
[+] UID: E0 04 01 08 38 4E 04 D9
[+] SYSINFO: 00 0F D9 04 4E 38 08 01 04 E0 00 00 4F 03 01
[+] - DSFID supported [0x00]
[+] - AFI supported [0x00]
[+] - IC reference supported [0x01]
[+] - Tag provides info on memory layout (vendor dependent)
[+] 4 (or 3) bytes/blocks x 80 blocks
[=] --------- NXP Sysinfo ---------
[=] raw : 00 47 30 00 7F 35 00 00
[=] Password protection configuration:
[=] * Page L read not password protected
[=] * Page L write not password protected
[=] * Page H read password protected
[=] * Page H write password protected
[=] Lock bits:
[=] * AFI not locked
[=] * EAS not locked
[=] * DSFID not locked
[=] * Password protection configuration not locked
[=] Features:
[=] * User memory password protection supported
[=] * Counter feature supported
[=] * EAS ID supported by EAS ALARM command
[=] * EAS password protection supported
[=] * AFI password protection supported
[=] * Extended mode supported by INVENTORY READ command
[=] * EAS selection supported by extended mode in INVENTORY READ command
[=] * READ SIGNATURE command supported
[=] * Password protection for READ SIGNATURE command not supported
[=] * STAY QUIET PERSISTENT command supported
[=] * ENABLE PRIVACY command supported
[=] * DESTROY command supported
[=] * Additional 32 bits feature flags are not transmitted
[=] EAS (Electronic Article Surveillance) is not active
[=] --- Tag Signature
[=] IC signature public key name: NXP ICODE DNA, ICODE SLIX2
[=] IC signature public key value: 048878A2A2D3EEC336B4F261A082BD71F9BE11C4E2E896648B32EFA59CEA6E59F0
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: E8419AD2787E81C475A24053692BE48E8FF8191DE3A60B264759699FE8FF25EC
[+] Signature verification: successful
[=] Params used: UID and signature, plain
[usb] pm3 --> hf 15 raw -kc -d 22B204d9044e38080104e0
[+] received 5 octets
[+] 00 C2 87 61 CF
[usb] pm3 --> hf 15 raw -kc -d 22b304d9044e38080104e0XXXXXXXX
[+] received 4 octets
[+] 01 0F 68 EE
What am I doing wrong?
Sorry for the translation with Gogle Translation.
I did notice a the "-p" flag for the raw command to leave the field on.
[usb] pm3 --> hf 15 raw -h
Usage: hf 15 raw [-r] [-2] [-c] <0A 0B 0C ... hex>
Options:
-r do not read response
-2 use slower '1 out of 256' mode
-c calculate and append CRC
-p leave the signal field ON
I still get the same result however when issuing the set password. Where you successfully in using this flag or did you need to further modify the client?
cmdhf15.c shows the -p being parsed:
...
case 'p':
case 'P':
leaveSignalON = true;
break;
...
if (!leaveSignalON)
DropField();
My results:
[usb] pm3 --> hf 15 raw -p -c 22 B2 04 1F72A911080104E0
[=] received 5 octets
[+] 00 43 92 59 1D
[usb] pm3 --> hf 15 raw -p -c 62 B3 04 1F72A911080104E0 08 4C9D4C9D
[=] received 4 octets
[+] 01 0F 68 EE
The Proxmark is getting a little warm now. Do you see an issue with flags or anything else?
]]>This make complete sense! The random number is no longer valid by the time I send the next command as the the tag loses power between these commands.
Now, how to implement a fix in the proxmark. Did you modify the client or recall how to implement this on the command line as suggested?
I'm on the latest proxmark version, also comfortable with modifying, compiling and flashing if you point me in the right direction. Maybe implementing a "SLIX2" sub command to encapsulate these calls requiring authentication.
██████╗ ███╗ ███╗ ████╗
██╔══██╗████╗ ████║ ══█║
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ══█║ iceman@icesql.net
██║ ██║ ╚═╝ ██║ ████╔╝ https://github.com/rfidresearchgroup/proxmark3/
╚═╝ ╚═╝ ╚═╝ ╚═══╝ pre-release v4.0
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman
compiled with GCC 8.3.0 OS:Linux ARCH:x86_64
[ PROXMARK3 RDV4 ]
external flash: present
smartcard reader: present
[ PROXMARK3 RDV4 Extras ]
FPC USART for BT add-on support: present
[ ARM ]
bootrom: RRG/Iceman/master/257a722c-dirty-unclean 2020-02-10 14:16:04
os: RRG/Iceman/master/257a722c-dirty-unclean 2020-02-10 14:16:14
compiled with GCC 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]
[ FPGA ]
LF image built for 2s30vq100 on 2020-01-12 at 15:31: 2
HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 281740 bytes (54%) Free: 242548 bytes (46%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
Hope I could help you.
Regards,
Gambrius
P.S.: please let uns know if it worked.
...or if you have further questions.
I would like to experiment and set set passwords and destroy a tag etc. I keep getting 0x0F errors when it comes to issues the extending methods supported by the NXP IDCODE2/SLIX2 tags. Here is what I have been doing.
Get the tag UID
[usb] pm3 --> hf search
[-] Searching for ISO15693 tag...
[+] UID : E0 04 01 08 11 A9 72 1F
[+] TYPE : NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX) ICS2602(SLIX2)
[+] Valid ISO15693 tag found
Use the UID to get fetch a random number
[usb] pm3 --> hf 15 raw -c 22 B2 04 1f72a911080104e0
[=] received 5 octets
[+] 00 7C 06 9E FA
Then i use this random number to generate the XOR password:
XOR_Password[31:0] = Password[31:0] XOR {Random_Number[15:0], Random_Number[15:0]}.
The password in this case should be default: 0x0F0F0F0F
I generate the XOR password given the random number above:
0x0F0F0F0F | 0x7C067C06 = 0x73097309
Set "DESTROY" password command
[usb] pm3 --> hf 15 raw -c 62 B3 04 1f72a911080104e0 08 73097309
[=] received 4 octets
[+] 01 0F 68 EE
As you can i get an error flag of 0x0F. Same error when setting other passwords or trying pretty much anything.
Am i misinterpreting the results here? Is there a reverse byte ordering for portions of the payload?
Any help is greatly appreciated
]]>The tag signature is a signed piece of data with the private key from NXP ICODE.
You would use the public key to verify that the signed data is correct.
Nothing secret with that, just normal asymmetric crypto signing.
That public key is in the source code. https://github.com/RfidResearchGroup/pr … f15.c#L211