Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2011-10-19 14:49:19

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

LF snoop capability

Is there a way to snoop the communication between a tag (unknown) and a reader (unknown) that works in low frequency (probably 125 kHz)? I cannot find a "snoop" command under the lf command set... only "read", which will try to get the tag ID... any idea? Maybe the "cmdread" command can be suitable for this? Or "simbidir"?

Last edited by asper (2011-10-19 15:09:37)

Offline

#2 2011-10-20 09:10:26

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: LF snoop capability

Most LF tags (except a few like Hitag2) are ID-only, which means that the tag answers with a static answer (the tag's ID) when the reader communicates with it. Here is a very simple example: the reader asks the tag "What's your ID?"; the tag answers "99DEADBEAF" (EM-Marine, for example). It can't answer anything except "99DEADBEAF" (this type of tag is also called a "dummy" tag). So, if you want to simulate an LF tag you will need to read it and, using the samples in your Proxmark's buffer, simulate it (for manual ID simulation you will need the tag's ID, modulation type, timings etc.). So, you don't need any LF sniffer. Most HF tags (like Mifare) use bidirectional communication with challenge-response, cryptography etc. To crack such a card you will need to analyze the challenges/responses between tag and reader and perform MITM attacks.

Offline

#3 2011-10-20 09:12:52

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: LF snoop capability

As far as I know the FPGA does not support a mode that does not drive the antenna for LF, so no snooping is possible with the current firmware.
Try reading your unknown card, most LF tags are not bidirectional and only send an ID when they are read.

Offline

#4 2011-10-20 10:56:18

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: LF snoop capability

The tag has a chip built by EM-Marine but it is undocumented (I have the pictures and the name); it has XOR and probably flip-flop capabilities and writes data to an external 2Kb EEPROM (a micro EEPROM, only 2x2 mm); the tag is probably 125 kHz but I am not absolutely sure of that frequency, and it has been manufactured since (probably) 1994/1995, so it's quite old.

I do not want to simulate that tag, I only would like to record the tag<->reader transaction using the Proxmark... is this possible at 125 kHz? I tried with an oscilloscope but the waveform is really unreadable (I have the recordings in Audacity format if you want to try).

More info and pics there: http://www.proxmark.org/forum/viewtopic.php?id=123

These are the docs (application notes and related patents) officially published by EM Marine, most of which are similar to this chip (in the AN411 doc the same plastic case used to contain the circuit is clearly visible): http://www.sendspace.com/file/kcvvfa

If you can, please help !

Last edited by asper (2011-10-20 11:04:22)

Offline

#5 2011-10-20 11:11:44

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: LF snoop capability

It is quite improbable that a tag with such a small antenna is 125 kHz; it won't be able to power up from it.
It can be anything (as it is custom-made), but look for higher carrier frequencies.
If you are able to take off the epoxy (look for Wii epoxy removers) and provide the IC references maybe you'll be able to figure it out.

Do you have access to the reader?
Could you check the antenna voltage with an oscilloscope?
This will provide the correct carrier frequency (note that your antenna seems to be damaged).

Offline

#6 2011-10-20 11:32:36

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: LF snoop capability

Yes, the antenna was damaged but I have other tags.

The voltage "moves" at 1-3 kHz and.

Already measured with an oscilloscope and the frequency seems to be 1.45 kHz.... too low.... sometimes the oscilloscope said 125 kHz, some other time 5 MHz.... it is a cheap USB oscilloscope so no luck with it.

I removed the epoxy; the chip is an H4062, never documented, no datasheet.
The EEPROM is an AT35529 (formerly AT24C02).

Last edited by asper (2011-10-20 11:33:24)

Offline

#7 2011-10-20 11:44:58

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: LF snoop capability

A question: if it is a 13.56kHz tag, how can I record the reader-tag transaction with the Proxmark3? I mean, which commands?

Offline

#8 2011-10-20 11:50:30

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: LF snoop capability

Which bandwidth does your oscilloscope have? Assuming 13.56MHz you'll need at least around 25MHz analog bandwidth and around 100Msps to properly display the waveform.
Don't look at the oscilloscope's automatic measurements. Just stop the trace (hold) and measure the carrier frequency using cursors.

On the other hand, I saw something similar in an old vending machine (but the antenna had a lot more windings and had a ferrite inside).
It did not have an IC, it used some discrete components, but the fact was that it was not intelligent, the EEPROM was read directly.
The IC on yours may only be a front-end for the EEPROM.

In the key I'm talking about all you had to do was take the EEPROM out and put it in a socket.
Then recharge the token, take the EEPROM out and read it, and after the credit was consumed you could
reprogram the EEPROM with the values previously saved (the EEPROM contents were scrambled, so it was
easier to copy from a refilled one than to try to find out how the credit was coded).

Offline
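The bandwidth and sample-rate point above is easy to check in software. The following is an added example, not Proxmark3 code and not from anyone in this thread: it builds a constructed sine-wave "capture" (no real scope data), estimates the carrier frequency from rising zero crossings, and shows why an undersampled 13.56 MHz carrier is reported as a completely different frequency, which is the kind of inconsistent reading a low-bandwidth USB scope's automatic measurement produces. All sample rates, the five-samples-per-cycle rule of thumb and the `synth_carrier`, `estimate_carrier_hz`, `required_sample_rate_hz` and `alias_hz` names are this example's own assumptions.

```python
"""Estimate a carrier frequency from scope samples by counting zero crossings.

Added example, not Proxmark3 project code. The waveform is constructed in
software; frequencies and sample rates are illustrative.
"""
import math


def synth_carrier(freq_hz, sample_rate_hz, n_samples, amplitude=1.0):
    """Constructed capture: a clean sine carrier sampled at sample_rate_hz."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate_hz)
            for i in range(n_samples)]


def estimate_carrier_hz(samples, sample_rate_hz):
    """Count rising zero crossings and convert them to a frequency.

    Each rising crossing marks one period. The time between the first and
    last crossing divided by the number of periods gives the period length.
    This is the software equivalent of placing cursors on a held trace.
    """
    crossings = [i for i in range(1, len(samples))
                 if samples[i - 1] < 0 <= samples[i]]
    if len(crossings) < 2:
        return 0.0
    periods = len(crossings) - 1
    span_s = (crossings[-1] - crossings[0]) / sample_rate_hz
    return periods / span_s


def required_sample_rate_hz(carrier_hz, samples_per_cycle=5):
    """Rule of thumb (assumption): several samples per carrier cycle for a
    usable trace; 13.56 MHz then needs roughly 68 Msps or more."""
    return carrier_hz * samples_per_cycle


def alias_hz(carrier_hz, sample_rate_hz):
    """Frequency a sine above Nyquist folds down to after sampling."""
    f = carrier_hz % sample_rate_hz
    return min(f, sample_rate_hz - f)


if __name__ == "__main__":
    for carrier, rate in ((125e3, 1e6), (13.56e6, 100e6), (13.56e6, 20e6)):
        est = estimate_carrier_hz(synth_carrier(carrier, rate, 20000), rate)
        print("carrier %.3f MHz at %.0f Msps -> measured %.3f MHz "
              "(need >= %.0f Msps, alias %.3f MHz)"
              % (carrier / 1e6, rate / 1e6, est / 1e6,
                 required_sample_rate_hz(carrier) / 1e6,
                 alias_hz(carrier, rate) / 1e6))
```

The third case is the one to note: sampled at 20 Msps, the 13.56 MHz carrier is measured as about 6.44 MHz, and the zero-crossing estimator has no way to tell that it is looking at an alias. A scope whose sample rate is below the carrier gives exactly this kind of wrong-but-confident number.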

#9 2011-10-20 11:54:17

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: LF snoop capability

I know the keys you are talking about (2 inductances, right?), this is absolutely not the case; the H4062 (really small: 3x4 mm) has 8 pins so it is a "complex" circuit.

The oscilloscope I used is a DSO-2090: http://www.hantek.com/english/produce_list.asp?unid=62

Last edited by asper (2011-10-20 11:58:56)

Offline

#10 2011-10-20 12:45:41

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: LF snoop capability

Yes I think it had 2 inductors.

Your oscilloscope should be enough to measure the field.

Have you tried to read the EEPROM?
Even if the IC is more intelligent, maybe the EEPROM contents can be read/written directly.

Offline

#11 2011-10-20 19:59:37

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: LF snoop capability

The EEPROM is extremely small (2x2 mm), almost impossible to connect to... even more impossible to connect to without destroying the tag.

Offline

#12 2011-10-21 07:25:40

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: LF snoop capability

asper wrote:

The EEPROM is extremely small (2x2 mm), almost impossible to connect to... even more impossible to connect to without destroying the tag.

Could you post a photo of the device without epoxy?
Which package does the EEPROM have (BGA/MLF/TSSOP)?

Offline

#13 2011-10-21 15:54:27

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: LF snoop capability

It seems to be Mini-MAP (MLP 2x3) but it is probably smaller (almost 2x2); I think it is a custom format without any known package (all is under epoxy resin).

Offline

#14 2011-10-23 13:16:17

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: LF snoop capability

For the datasheet you can try to contact EM-Marine and write something like:

our company, Retard, inc. has bought your tags/readers and we have problems with them... Please give us technical documentation (datasheets, schematics) related to these products...

and send it from an email like company@retatrdincorporated.com
This works sometimes.

Offline

#15 2011-10-23 17:58:41

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: LF snoop capability

I already tried that but absolutely NO answer... maybe I did not use "@retatrdincorporated.com"... if you are lucky you can try, but it is difficult to say that I have problems with the H4062 when the H4062 is probably NEVER mentioned anywhere... but if you obtain the datasheet please share it with me :)

Anyway I am going to do some other tests to identify the (I hope) correct frequency, so stay tuned!

Offline

#16 2012-05-29 10:17:45

rule
Administrator
Registered: 2008-05-21
Posts: 416

Re: LF snoop capability

Dear Transponder101,

Could you be more specific about the tag/transponder you want to eavesdrop? It is necessary to use the correct demodulation scheme used by both entities (reader and tag) to be able to interpret the communicated bits. I probably could help you out with the implementation and show some demodulation/decoding tricks.

Cheers,

  Roel

Offline
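Two earlier points in this thread, that an ID-only LF tag just repeats a fixed frame (post #2) and that the capture is only meaningful once the right demodulation scheme is applied to the bits (post #16), can be shown on a constructed sample buffer. What follows is an added example written for this page; it is not Proxmark3 firmware or client code and was not posted by anyone in the thread. It assumes the publicly documented EM410x frame layout (9 header ones, 10 data nibbles each followed by an even row-parity bit, 4 column-parity bits, a 0 stop bit, Manchester coded at RF/64) and, as a simplification, one 8-bit envelope sample per carrier cycle so that one bit spans 64 samples. The tag ID, the ripple added to the envelope, and every function name are this example's own constructions.

```python
"""Manchester-demodulate a constructed EM410x-style capture and check its parities.

Added example, not Proxmark3 code. The sample buffer is synthesised here;
the EM410x frame layout is the public one, the ID is made up.
"""

EM_HEADER = [1] * 9          # nine leading ones; the parity structure
                             # guarantees no other run of nine ones in a frame
CLOCK = 64                   # assumption: RF/64 -> 64 samples per data bit


def em410x_frame(id_hex):
    """Build the 64-bit frame (header, rows with parity, column parity, stop)."""
    nibbles = [int(c, 16) for c in id_hex]
    if len(nibbles) != 10:
        raise ValueError("EM410x ID is 10 hex digits (40 bits)")
    bits, cols = list(EM_HEADER), [0, 0, 0, 0]
    for n in nibbles:
        row = [(n >> (3 - i)) & 1 for i in range(4)]
        bits += row + [sum(row) % 2]                 # even row parity
        cols = [c ^ b for c, b in zip(cols, row)]   # running column parity
    return bits + cols + [0]                        # column parity, stop bit


def manchester_encode(bits, clock=CLOCK):
    """1 -> high then low, 0 -> low then high, half a clock each."""
    out = []
    for b in bits:
        first, second = (1, 0) if b else (0, 1)
        out += [first] * (clock // 2) + [second] * (clock // 2)
    return out


def synth_tag_samples(id_hex, repeats=3, skip=37):
    """Constructed capture: the tag repeats its frame; sampling starts mid-bit.
    Envelope levels ~200 (field loaded) / ~60 plus a small deterministic ripple."""
    levels = manchester_encode(em410x_frame(id_hex) * repeats)
    samples = [(200 if lv else 60) + (i * 7) % 9 for i, lv in enumerate(levels)]
    return samples[skip:]


def ask_demod(samples):
    """Slice the envelope at the midpoint between its extremes -> 1/0 per sample."""
    thr = (min(samples) + max(samples)) / 2
    return [1 if s > thr else 0 for s in samples]


def manchester_decode(levels, clock=CLOCK):
    """Sample the centre of each half-bit; stop at the first invalid pair
    (same level in both halves), which means the bit phase is wrong."""
    half, bits = clock // 2, []
    for start in range(0, len(levels) - clock + 1, clock):
        pair = (levels[start + half // 2], levels[start + half + half // 2])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            break
    return bits


def parse_em410x(bits):
    """Locate the header, verify row/column parity and stop bit, return the ID
    as uppercase hex, or None if no valid frame is present."""
    for start in range(len(bits) - 64 + 1):
        frame = bits[start:start + 64]
        if frame[:9] != EM_HEADER or frame[63] != 0:
            continue
        cols, nibbles, ok = [0, 0, 0, 0], [], True
        for r in range(10):
            row = frame[9 + 5 * r:13 + 5 * r]
            if sum(row) % 2 != frame[13 + 5 * r]:
                ok = False
                break
            cols = [c ^ b for c, b in zip(cols, row)]
            nibbles.append(row)
        if ok and frame[59:63] == cols:
            return "".join("%X" % int("".join(map(str, row)), 2) for row in nibbles)
    return None


def decode_buffer(samples, clock=CLOCK):
    """Full chain: ASK slice, try every bit phase, accept only a parity-valid frame."""
    levels = ask_demod(samples)
    for offset in range(clock):
        tag_id = parse_em410x(manchester_decode(levels[offset:], clock))
        if tag_id:
            return tag_id
    return None


if __name__ == "__main__":
    print(decode_buffer(synth_tag_samples("1D5A0F3C7B")))   # constructed ID
```

The phase search in `decode_buffer` is the part that matters in practice: a Manchester stream read half a bit out of phase decodes runs of identical bits as their inverse and only fails at a transition, so a decoder that does not validate the frame's parities can return a plausible-looking but wrong ID. Corrupting a single data bit in the constructed frame makes `decode_buffer` return `None` rather than a bad ID.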
