Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-04-04 14:03:01

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654

Hitag2 - two improved attacks emerged


Based on the Hitag2 Hell source, two attacks have emerged: one CPU based and one GPU based.


HiTag2 Cracking Suite

Authors:

    Attacks 1, 2, 3, 4 : Kevin Sheldrake kev@headhacking.com
    Attacks 5, 5gpu : anonymous, based on https://github.com/factoritbv/hitag2hell by FactorIT B.V.

Attack 5

Attack 5 is heavily based on the HiTag2 Hell CPU implementation from https://github.com/factoritbv/hitag2hell by FactorIT B.V., with the following changes:

    Main takes a UID and 2 {nR},{aR} pairs as arguments and searches for states producing the first aR sample, reconstructs the corresponding key candidates and tests them against the second nR,aR pair;
    Reuses the Hitag helping functions of the other attacks.

Attack 5gpu

Attack 5gpu is identical to attack 5; the code has simply been ported to OpenCL to run on GPUs and is therefore much faster than attack 5.

Usage details: Attack 5

Attack 5 requires two encrypted nonce and challenge response value pairs (nR, aR) for the tag's UID.

pm3 --> lf hitag sniff

Stop once you have two pairs.

$ ./ht2crack5 <UID> <nR1> <aR1> <nR2> <aR2>

Usage details: Attack 5gpu

Attack 5gpu requires two encrypted nonce and challenge response value pairs (nR, aR) for the tag's UID.

pm3 --> lf hitag sniff

Stop once you have two pairs.

$ ./ht2crack5gpu <UID> <nR1> <aR1> <nR2> <aR2>

ref:
https://github.com/RfidResearchGroup/pr … itag2crack


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#2 2020-04-12 10:46:13

cosmo61
Contributor
From: Sweden
Registered: 2019-04-04
Posts: 11

Re: Hitag2 - two improved attacks emerged

Amazing!
Tested on an old DELL laptop without Nvidia; it took about 3 hours to get the key.
With a fast computer or an Nvidia card it would be really fast.
Great hack.

Last edited by cosmo61 (2020-04-12 10:50:50)


#3 2020-07-27 14:56:44

zorro
Contributor
Registered: 2020-07-25
Posts: 4

Re: Hitag2 - two improved attacks emerged

Good day.
I tried to implement the attack on my device (Proxmark3 easy china). To my regret, the latest builds for Windows downloaded from the https://drive.google.com/drive/folders/1uX9RtYGinuFrpHybu4xq_BE3HrobI20e branch do not work correctly with the "lf hitag sniff" command. After this command, the device reboots after a while. Can anyone share a working build for my device?

C:\Users\User\Downloads\rrg_other-64-20200723-84a49bf03b1c62a2f70719e7ddc3e38d2de5a819\win64>proxmark3 COM12
[=] Session log C:/Users/User/Downloads/rrg_other-64-20200723-84a49bf03b1c62a2f70719e7ddc3e38d2de5a819/win64/.proxmark3/logs/log_20200727.txt
[+] loaded from JSON file C:/Users/User/Downloads/rrg_other-64-20200723-84a49bf03b1c62a2f70719e7ddc3e38d2de5a819/win64/.proxmark3/preferences.json
[=] Using UART port COM12
[=] Communicating with PM3 over USB-CDC


  ██████╗ ███╗   ███╗█████╗
  ██╔══██╗████╗ ████║╚═══██╗
  ██████╔╝██╔████╔██║ ████╔╝
  ██╔═══╝ ██║╚██╔╝██║ ╚══██╗
  ██║     ██║ ╚═╝ ██║█████╔╝       iceman@icesql.net
  ╚═╝     ╚═╝     ╚═╝╚════╝    bleeding edge

  https://github.com/rfidresearchgroup/proxmark3/


 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 22:32:27
  compiled with MinGW-w64 9.3.0 OS:Windows (64b) ARCH:x86_64

 [ PROXMARK3 ]

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 22:32:11
       os: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 22:32:18
  compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
  HF image built for 2s30vq100 on 2020-01-12 at 15:31:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 227408 bytes (43%) Free: 296880 bytes (57%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory


[usb] pm3 --> hw tune
[=] Measuring antenna characteristics, please wait...
[/] 10
[=] ---------- LF Antenna ----------
[+] LF antenna: 21.68 V - 125.00 kHz
[+] LF antenna: 30.03 V - 134.83 kHz
[+] LF optimal: 30.78 V - 133.33 kHz
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 36.28 V - 13.56 MHz
[+] HF antenna is OK

[+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.

[usb] pm3 --> hw status
[#] Memory
[#]   BigBuf_size.............43924
[#]   Available memory........43924
[#] Tracing
[#]   tracing ................1
[#]   traceLen ...............0
[#] Current FPGA image
[#]   mode.................... HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[#] LF Sampling config
[#]   [q] divisor.............95 ( 125.00 kHz )
[#]   [b] bits per sample.....8
[#]   [d] decimation..........1
[#]   [a] averaging...........Yes
[#]   [t] trigger threshold...0
[#]   [s] samples to skip.....0
[#] LF Sampling Stack
[#]   Max stack usage.........3952 / 8480 bytes
[#] LF T55XX config
[#]            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]
[#]            mode            |start|write|write|write| read|write|write
[#]                            | gap | gap |  0  |  1  | gap |  2  |  3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) |  31 |  20 |  18 |  50 |  15 | N/A | N/A |
[#]     long leading reference |  31 |  20 |  18 |  50 |  15 | N/A | N/A |
[#]               leading zero |  31 |  20 |  18 |  40 |  15 | N/A | N/A |
[#]    1 of 4 coding reference |  31 |  20 |  18 |  34 |  15 |  50 |  66 |
[#]
[#] Transfer Speed
[#]   Sending packets to client...
[#]   Time elapsed............500ms
[#]   Bytes transferred.......270336
[#]   Transfer Speed PM3 -> Client = 540672 bytes/s
[#] Various
[#]   Max stack usage.........4112 / 8480 bytes
[#]   DBGLEVEL................1
[#]   ToSendMax...............-1
[#]   ToSendBit...............0
[#]   ToSend BUFFERSIZE.......2308
[#]   Slow clock..............31628 Hz
[#] Installed StandAlone Mode
[#]   HF - Reading Visa cards & Emulating a Visa MSD Transaction(ISO14443) - (Salvador Mendoza)
[usb] pm3 --> hw hitag reader 26
help             This help
connect          connect Proxmark3 to serial port
dbg              Set Proxmark3 debug level
detectreader     ['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)
fpgaoff          Set FPGA off
ping             Test if the Proxmark3 is responsive
readmem          [address] -- Read memory at decimal address from flash
reset            Reset the Proxmark3
setlfdivisor     <19 - 255> -- Drive LF antenna at 12MHz/(divisor+1)
setmux           Set the ADC mux to a specific value
standalone       Jump to the standalone mode
status           Show runtime status information about the connected Proxmark3
tia              Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider
tune             Measure antenna tuning
version          Show version information about the connected Proxmark3
[usb] pm3 --> lf hitag reader 26
[+]  UID: 0a350429
[usb] pm3 --> lf hitag sniff
[usb] pm3 --> [#] Starting Hitag2 sniffing
lf hitag list
[=] downloading tracelog from device
[=] Waiting for a response from the Proxmark3...
[=] You can cancel this operation by pressing the pm3 button
[-] Timed out while trying to download data from device
[!] timeout while waiting for reply.
[+] Recorded activity (trace len = 0 bytes)
[usb] pm3 -->
[!] Communicating with Proxmark3 device failed

[=] Running in OFFLINE mode. Use "hw connect" to reconnect

[offline] pm3 --> hw connect
[=] Using UART port COM12
[=] Communicating with PM3 over USB-CDC
[usb] pm3 --> lf hitag sniff l
[usb] pm3 --> [#] Starting Hitag2 sniffing

[!] Communicating with Proxmark3 device failed

[=] Running in OFFLINE mode. Use "hw connect" to reconnect

[offline] pm3 -->

Last edited by zorro (2020-07-27 20:37:38)


#4 2020-07-28 12:37:20

zorro
Contributor
Registered: 2020-07-25
Posts: 4

Re: Hitag2 - two improved attacks emerged

Good day. I looked at an open issue about my problem at https://github.com/RfidResearchGroup/proxmark3/issues/551, and then the question arises: how to perform the attack if the project is not fully functional? Does anyone have any thoughts? Thanks.


#5 2020-07-28 13:31:18

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654

Re: Hitag2 - two improved attacks emerged

You need to somehow collect the data needed to be able to execute the key recovery software.



#6 2020-07-28 16:17:45

zorro
Contributor
Registered: 2020-07-25
Posts: 4

Re: Hitag2 - two improved attacks emerged

Well, of the possible attacks on the key, I considered attacks 4 or 3, but attack 4, as I understand it, requires a valid tag to make a second request to the reader and get the second encrypted pair. cosmo61 seems to have implemented some kind of attack; it would be interesting to hear his opinion.

Also, can you tell me an approximate reason why the newer builds do not work? Specifically in lf hitag sniff mode?


#7 2020-08-11 06:46:14

cosmo61
Contributor
From: Sweden
Registered: 2019-04-04
Posts: 11

Re: Hitag2 - two improved attacks emerged

I did it real basic: sniffed the communication with the (proxmark3) lf sniff command, manually read the response, then used the crack5 method.

Last edited by cosmo61 (2020-08-11 06:47:54)
