Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.

"Learn the tools of the trade the hard way." +Fravia


#1 2018-01-13 06:12:51

Registered: 2017-11-09
Posts: 7

Clarification on Hitag Commands

Hello, I'm kind of new to all of this so please forgive dumb questions.

I successfully used my Proxmark to clone a HID tag. I just used the commands ('clone' I think) and a blank key that came with my electrohouse proxmark RDV (blank card was the T-something) and I drove the clone out to the reader, tried it, it worked, it was amazing. Honestly a huge moment.

Now I'm on to a Hitag2. I have the card I want to clone and the reader. I believe there is some sort of security protocol involved. I used 'snoop' holding the prox in between the card and the HID reader and the reader beeped and let me in per usual. However, when I then use 'sim' and hold the prox up (prox lights up like it's doing something), the reader doesn't beep or do anything. It looks like 'sim' takes in another parameter 'infile.' What is that...? Is it automatically saved by 'snoop'? Where does the 'snoop' trace go? I ran 'list' after the snoop and it looks like there's nothing there:

proxmark3> lf hitag list
recorded activity (TraceLen = 102429104 bytes):
ETU     :nbits: who bytes

I also tried 'lf hitag list test.txt' and it created a text file test.txt which was blank.

Again, 'list' takes in the parameter 'outfile'. What is 'outfile' and where is it coming from?

Now under 'hitag reader' I see the options:
proxmark3> lf hitag reader

Usage: hitag reader <Reader Function #>
Reader Functions:
HitagS (0*)
  01 <nr> <ar> (Challenge) read all pages from a Hitag S tag
  02 <key> (set to 0 if no authentication is needed) read all pages from a Hitag S tag
Hitag1 (1*)
Hitag2 (2*)
  21 <password> (password mode)
  22 <nr> <ar> (authentication)
  23 <key> (authentication) key is in format: ISK high + ISK low
  25 (test recorded authentications)
  26 just read UID

So I tried 26 with the card on the prox and got:
proxmark3> lf hitag reader 26
#db# Starting Hitag reader family
#db# Error, unknown function: 26

Meanwhile, lf search returns:
proxmark3> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

#db# Starting Hitag reader family
#db# Error, unknown function: 26
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Valid Hitag2 tag found - UID: 807f7f7f

So for the other options: what do 'nr' and 'ar' stand for in 22? I'm assuming this also records the data used by 25?
How do you get the 'key'? What does 'key is in format: ISK high + ISK low' mean?

Thanks so much to anyone who can give a little guidance.

