Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-10-19 10:07:10

duckwc
Contributor
Registered: 2018-10-12
Posts: 8

Transportation Tag (OùRA)

Hello,

I'm trying to understand the protocol behind my transportation tag:
oura

The card is definitely HF according to 'hf tune' command but of course, 'hf search' doesn't retun anything...
(I'm using the last version of official firmware to make my tests)

I started searching documentation and thinking it's a Caplypso TAG, but I was not able to get any answer from the card by sending basic Calypso commands to it.

I then started snooping the card on the bus reader using the PM3 connected to my android phone.

Here is the 14a snoop:

proxmark3> hf list raw l oura_14a.trc
hf list raw l oura_14a.trc
Recorded Activity (TraceLen = 222 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transf
er
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)
                 | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        256 | Tag |00!
                 |     |
      69904 |      70096 | Tag | 01
                 |     |
 1042232188 | 1042232476 | Rdr | 00
                 |     |
 1042232188 | 1042232476 | Rdr | 00
                 |     |
 1042232188 | 1042232476 | Rdr | 00
                 |     |
     828016 |     833200 | Tag |df! fe!  ff eb! 0f!
                 |     |
    1537376 |    1537952 | Tag |0f!
                 |     |
    1736144 |    1751824 | Tag | ff  ff fe!  ff  ff  ff  ff  ff  ff  ff  ff  ff ff  ff  ff  ff  |     |
            |            |     | ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff ff  ff  ff  ff  |     |
            |            |     | ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff ff  ff  ff  ff  |     |
            |            |     | ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff ff  ff  ff  ff  |     |
            |            |     | ff  ff  ff  ff  ff  ff 0f!
                 |     |
    3403696 |    3403888 | Tag | 01
                 |     |
    3419936 |    3420128 | Tag | 01
                 |     |
    3422496 |    3422816 | Tag |03!
                 |     |
    3423664 |    3423984 | Tag |03!
                 |     |
    3430560 |    3430752 | Tag | 01
                 |     |
    3724592 |    3724784 | Tag | 01
                 |     |

Let's say that the result doesn't look very nice...

I continued by gathering a couple 'hf snoop' traces.

Now I think I have something:
global
detail

The complete trace can be found here

I'm trying to get something from those traces now, but I'm not able to understand how to use the rawdemod command to analyse the signal.

Could you give me some clues on how to go forward on that analyze?

thank you!

Last edited by duckwc (2018-10-19 10:09:08)

Offline

#2 2018-10-21 21:33:05

duckwc
Contributor
Registered: 2018-10-12
Posts: 8

Re: Transportation Tag (OùRA)

Moving forward on this topic.
I still can't easily demodulate the signal from the previous screenshot, which is probably the signal from the reader.
The tag signal itself is a PSK modulation, but impossible to identify if it's PS1 of PS2 or if it's inverted so far.
There is a printed ID on the card (005549xxxx), but no way to find it

Here are the possible interpretations for the signal:
PSK1:

proxmark3> data rawde p1 16 1
data rawde p1 16 1

Using Clock:16, invert:1, Bits Found:327
PSK1 demoded bitstream:
0000000000000000
0000010111111101
0001111101001111
1101100011010111
0111000110101101
0100000000011111
1101010010001101
0000100101111111
1101111111110111
1111100110100101
0110101111010111
1111011011111101
1111101101001111
1101011101110100
1111110110001101
0111011100011010
1101011011111001
1111011001111111
1101111101100011
0101100001111111
1110010

or PSK2:

proxmark3> data rawde p2 16 1
data rawde p2 16 1

Using Clock:16, invert:1, Bits Found:327
PSK2 demoded bitstream:
0000000000000000
0000011100000011
1001000011101000
0011010010111100
1100100101111011
1110000000010000
0011111011001011
1000110111000000
0011000000001100
0000010101110111
1101111000111100
0000110110000011
0000011011101000
0011110011001110
1000001101001011
1100110010010111
1011110110000101
0000110101000000
0011000011010010
1111010001000000
0001011

I'm now trying to find out what kind of protocol is used by the tag to communicate...
Do you have an idea for the direction I should look at to be able to decipher this?

Offline

#3 2018-11-10 16:00:48

duckwc
Contributor
Registered: 2018-10-12
Posts: 8

Re: Transportation Tag (OùRA)

A little up.
Do someone has a clue on what the next step could be to move further with that card?

Offline

#4 2018-11-11 10:21:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Transportation Tag (OùRA)

after  data rawde p2 16 1

you can always  do    data print x  to get the hex..   from the hex you start looking for your cardnumber / SC / FC

Offline

#5 2018-11-11 21:35:38

duckwc
Contributor
Registered: 2018-10-12
Posts: 8

Re: Transportation Tag (OùRA)

Thanks for the tip, iceman, I already tried that, but the number printed on the card couldn't be found anywhere on the different messages I looked at, or at least not with the same form.
I converted the card ID to binary, that way I could identify the bits, even if they were spread across the message, but with no luck.
Here, I was wondering if that kind of signal with a lot of zeros (or ones) at the beginning was something relevant from a specific protocol.
I don't really know where I could find that kind of information or where I should search for it

Offline

#6 2018-11-11 21:40:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Transportation Tag (OùRA)

well.. the tag might use a bitscrambleing algo.  Sometimes they make it hard for you. 
Try gathering several datasets,   ie,  the hex,  the printed cardnumber,   and if you can also traces (save and upload).
Then post it here in order for ppl to be able to help.  If not, then you are on your own.

Offline

#7 2018-11-14 15:08:38

duckwc
Contributor
Registered: 2018-10-12
Posts: 8

Re: Transportation Tag (OùRA)

I focused on the message probably sent by the reader:
2018-11-14-14-33-35-proxmark3.png

first of all, I was able to work on that signal using:
-dirthreshold:
2018-11-14-14-36-48-proxmark3.png
- norm:
2018-11-14-14-37-44-Transportation-Tag-O-RA-Unknown-tags-Proxmark-developers-community.png
- getbitstream
2018-11-14-14-42-49-proxmark3.png
- decimate
2018-11-14-14-44-26-Transportation-Tag-O-RA-Unknown-tags-Proxmark-developers-community.png

and then, saving the result and opening it with notepad, I was able to get the bit stream:
00000000000110100010001001000011100110000010001010011001001101101000000010001001001000001000101100000010011100101000100011100101001010110011101000010000100000000000111
or in hex (but not sure since the amount of bits is not multiple of 4)
001A2243982299368089208B027288E52B3A108007

I was not able to use any of the available included demods to get that signal, did I miss something?

I was also able to get that same bitstream over several snoops taken at different times, so I think the scrambling is not part of the game here.

I was now wondering if there is any way I could use the PM3 to send that raw data to the tag to see if I can get any reaction.

Here is a second snoop if anyone want to play. For the card number, I'll stick to the 005549xxxx since I prefer not giving away the whole ID.

Offline

Board footer

Powered by FluxBB