Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2019-10-02 09:28:26

Mercix
Contributor
Registered: 2019-09-27
Posts: 10

Hitag Access System

Hello together,

i'm working on an access system project. The system is from 1996. It's called ES1000 (Manual: https://drive.google.com/file/d/18sZXg5 … sp=sharing) from the company Opertis branded by HEWI.
Because the system is so old, they don't resupply it any more. I know 125kHz systems are not secure, but for us it's okay.

Now i'm trying to get new chips into the system and to analyse the tags i got the proxmark 3 evo.
As far as i investigated, it should be an hitag s or hitag 1 chip.
The tags can be read from the DOM System (https://www.dom-security.com/de/de/prod … ufzylinder).
But the chips from DOM can't be integrated into the Opertis system.

My problem now is the following that the proxmark gots unresponsible.

I've flashed the current github master and also tried the iceman fork also.
Current image on the proxmark is:
#db# Performing i2c bus recovery
#db# I2C bus recovery  error: SDA still LOW
#db# Performing i2c bus recovery
#db# I2C bus recovery  error: SDA still LOW
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-134-g70dbfc3-dirty-suspect 2019-09-27 16:51:14
os: master/v3.1.0-134-g70dbfc3-dirty-suspect 2019-09-27 16:51:19
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07
SmartCard Slot: available

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 204527 bytes (39%). Free: 319761 bytes (61%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hw tune

Measuring antenna characteristics, please wait.........
# LF antenna: 43.31 V @   125.00 kHz
# LF antenna: 18.84 V @   134.00 kHz
# LF optimal: 47.85 V @   122.45 kHz
# HF antenna: 17.26 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

If i do the following:
proxmark3> lf hitag reader 01 02 0 0 0
#db# ReadHitagS in mode=STANDARD, blockRead=0, startPage=0
#db# Authenticating using nr,ar pair:
#db# 00 00 00 02 00 00 00 00
#db# UID: 87 92 40 15
#db# crc: 2D
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
WARNING: timeout while waiting for reply.
proxmark3> hw ping
Sending bytes to proxmark failed

I have to reset the proxmark to send commands again.

I've compiled the source with DEBUG=2 to check what is happening.
And in the log appears, that the proxmark read endless pages with zeroes as data.

Other 125kHz cards works fine (EM410x).

Another strange behaviour is, if use the ordered hitag (1,2 and s) dongle tags, they dont get found.

proxmark3> lf hitag reader 01 02 0 0 0
#db# ReadHitagS in mode=STANDARD, blockRead=0, startPage=0
#db# Authenticating using nr,ar pair:
#db# 00 00 00 02 00 00 00 00
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
WARNING: timeout while waiting for reply.
proxmark3> hw ping
Sending bytes to proxmark failed
Ping failed

I tried also different positions on the reader and measure voltage drop:
proxmark3> hw tune l

Measuring antenna characteristics, please wait........
# LF antenna: 42.21 V @   125.00 kHz
# LF antenna: 19.94 V @   134.00 kHz
# LF optimal: 44.00 V @   123.71 kHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

As far as i understand it should be enough for the tag to operate.
To compare here the voltage from the card (UID: 87924015).

proxmark3> hw tune l

Measuring antenna characteristics, please wait........
# LF antenna: 39.32 V @   125.00 kHz
# LF antenna: 21.72 V @   134.00 kHz
# LF optimal: 39.32 V @   125.00 kHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

Using the new hitag chips to be learned into the system doesn't work.
On the cards are written beside the UID a field named K:
Card 1:
K - 003703 | T - 87924015
Card 2:
K - 003721 | T - 0A934015

My suggestion was now, that the manufactor of the ES1000 have used a shared secret.
The system is offline based and can be programmed whit an programming handheld (UID based).

Also tried the magic uid card T57xx with following configuration:
Block 0: 0048020 and 0088020
Block 1: 87924015 (UID + Config page from above)
But it is not recognized as valid.

At the writing i recognized something weird:
The offical length of the UID for hitag 1+s ist 32 bit. But in the manual for the Tag list (Page 17), are complete block 0.
The configuration blocks differs from tag to tag. So it's look like an 64 bit long UID.

I hope it's enough information and you can give me a hint where to search next.

Thank you in advance!

Greetings Mercix

Last edited by Mercix (2019-10-02 09:37:31)

Offline

#2 2019-10-02 17:18:17

piwi
Contributor
Registered: 2013-06-04
Posts: 674

Re: Hitag Access System

An impressive first posting.

Can you link to English documents, please?

I didn't know that the PM3 Evo can be used with official or RRG repository. I thought they use different hardware? The error messages regarding i2c bus and the wrong detection of the smartcard slot seem to indicate that as well.

Nevertheless, Hitag functions are very fragile currently. Make sure that you have a good coupling between tag and proxmark antenna (roughly same size), and distance matters as well (a millimetre can make a difference).

I had started to improve this part of the code but got distracted by iClass.

Can you please rephrase the sentence with page 17 and block 0? There seems to be missing a word or two.

Offline

#3 2019-10-02 20:03:43

Mercix
Contributor
Registered: 2019-09-27
Posts: 10

Re: Hitag Access System

Thank you. I've tried to figure out as much as I can on my own.

Sry there are no english documents avaible to me. But maybe you can tell me what you need to know and i try to translate it.

To the software part:
I've got it from lab401.com and after I've got it, it wasn't avaible any more. And searching for differences in the software version doesn't yield any useful. Can you maybe give me a link, if there are differences for the evo?

On page 17 is a list of tags and which room they are contributed to.
My confuse appears here, because a hitag tag only have a 32 bit UID.
The next 32 bit of the page are for the configuration.

And on this list are tags with different UIDs and configurations.
For my understanding, it should be always the same for a class of id tags or?
As Example:
Tag 1: 1111AABB
Tag 2: 1112AABB
Tag 3: 1113AABB

And thank you for your answer. smile

Greetings!

Offline

#4 2019-10-04 15:27:57

piwi
Contributor
Registered: 2013-06-04
Posts: 674

Re: Hitag Access System

Can you maybe give me a link, if there are differences for the evo?

My statement was based on https://www.reddit.com/r/RFID/comments/ … _rdv4_evo/

The tags can be read from the DOM System (https://www.dom-security.com/de/de/prod … ufzylinder).
But the chips from DOM can't be integrated into the Opertis system.

The DOM system claims to support many different chip types (Hitag 1, Hitag 2, Hitag S, EM 4100, EM 4102, EM 4150, EM 4450) but I couldn't find a hint which chip types are supported by the ES1000. From the documentation we only know that the tags have a 32Bit ID number (examples on page 17). So your ES1000 tags seem to be one of (Hitag 1, Hitag 2, Hitag S, EM 4100, EM 4102, EM 4150, EM 4450) and your DOM tags seem to be of a different type or the ES1000 requires some kind of "formatting". Besides the Serialnumber, HITAG chips have additional data and keys. The ES1000 may make use of it, but the DOM system may use the Serialnumber only.

Too many options. Can you snoop a communication between tag and reader?

Offline

#5 2019-10-04 15:36:08

piwi
Contributor
Registered: 2013-06-04
Posts: 674

Re: Hitag Access System

The offical length of the UID for hitag 1+s ist 32 bit. But in the manual for the Tag list (Page 17), are complete block 0.
The configuration blocks differs from tag to tag. So it's look like an 64 bit long UID.

Google translates the header of the last column to "Serial number of Main programming card / Replacement programming card". What you see are therefore the 32bit numbers of two different cards. No config block or 64bit number.

Offline

#6 2019-10-04 20:09:05

Mercix
Contributor
Registered: 2019-09-27
Posts: 10

Re: Hitag Access System

Sry have got a brain fail. ^^
As you both right mentioned, the uid of the ES1000 system seems to be 32 bit aka 8 byte.
But the Hitag 1/S only have 16 bit aka 4 byte uid (page size 4 byte) | look page 32 Hitag 1 Datasheet.
The Hitag 2 got 32 bit uid Page 24.

I've also looked at the data plots. The em cards have a clearly "graph".
The hitag chips from the es1000 system and the delivered ones look indenticly.

Also it seems to be, that the K on the cards is the password for the protection.
On the hitag2 datasheet is written, that it is 24 bit long and the K is 6 byte long.

So my problem now is, can I use my proxmark 3 evo to read the hitag 2 chips or do I have to get other ones?
Also I tried the lf snoop command, when using the es1000 to open - Snoop File.

If it's not right, please tell me how to do it.

Also it seems to be the hitag2 only works in pw or crypto mode.
So one must be the same on every device and tag, right?

Thank you smile

Offline

#7 2019-10-05 12:25:29

piwi
Contributor
Registered: 2013-06-04
Posts: 674

Re: Hitag Access System

As you both right mentioned, the uid of the ES1000 system seems to be 32 bit aka 8 byte.
But the Hitag 1/S only have 16 bit aka 4 byte uid (page size 4 byte) | look page 32 Hitag 1 Datasheet.
The Hitag 2 got 32 bit uid Page 24.

Where did you learn your math? 1byte is 8bits. 4bytes is 32bits.

Offline

#8 2019-10-05 15:09:10

Mercix
Contributor
Registered: 2019-09-27
Posts: 10

Re: Hitag Access System

Yes of course... I'm ill atm.
So sorry for this.

Both use the 32 bit UID.
Using the specifig hitag 2 commands, I don't get any values back.
If use hitag reader 01/02, i get the uid from the card.

So it would be right to assume, that the system use hitag 1/s, right?
Can you maybe give me hint, how i can manualy read the first two pages from the card?

Also interesting seems to be this from the es1000 manual:

Personalization: Personalization means the fixed assignment of an identifier,
a fitting or a switching module to a programming card. Brand new identifiers, fittings and switch modules can not be used without personalization. While
the personalization is a special, not from outside readable
Record from the programming card in the memory of
Transfer fitting or switch module electronics. Now this fitting / switching module can only in conjunction with this
Programming card can be programmed. In the personalization
of an identifier, this record of the fitting /
Transfer switching electronics into the identifier. That's the way it is
the identifier is connected to the programming card. The personalization of an identifier can not be undone
become. The identifier is firmly connected to the programming card.

We tried to assign brandnew hitag 1 and s chip to a door, but nothing happend.
So maybe the configuration differ from the "original" cards and the brand new one?!

And thank you very much again for your time.

Offline

#9 2019-10-08 11:37:47

Mercix
Contributor
Registered: 2019-09-27
Posts: 10

Re: Hitag Access System

Hello,

I've got the confirmation from the producer, that it's a Hitag 1 card.
They've done an initialisation before the cards are to use.
But they don't support it any more and don't have any keys.

Does you know any working breaks for the hitag 1?

Or do I have to programm my own hitag 1 functions for the proxmark?

And do you know how to sniff more then 40k bytes? So a unlimited writing to my disk?

Thank you.

Offline

#10 2019-10-08 13:51:18

piwi
Contributor
Registered: 2013-06-04
Posts: 674

Re: Hitag Access System

Does you know any working breaks for the hitag 1?

Not that I am aware of. There are documents on Hitag 2 and Hitag S (they use the same cipher) but I couldn't find anything usefull on Hitag 1.

Or do I have to programm my own hitag 1 functions for the proxmark?

Yes, PM3 currently does not support Hitag 1.

And do you know how to sniff more then 40k bytes? So a unlimited writing to my disk?

Not yet implemented. For LF (like Hitag 1) this should be possible. But I don't see the use case for such long traces?

Offline

#11 2019-10-08 14:30:07

Mercix
Contributor
Registered: 2019-09-27
Posts: 10

Re: Hitag Access System

The key is not hard to break.
From the documentation it is an 32 bit key.

Because of that I want to record the communication between door and card and then bruteforce the key.

But if i use lf snoop I dont get the whole authentication. I want to record longer to have more time to open the door and that the encrypted communcation gets recorded.

Do you know a good tutorial for the lf snoop part?

Offline

#12 2019-10-08 15:35:41

piwi
Contributor
Registered: 2013-06-04
Posts: 674

Re: Hitag Access System

But if i use lf snoop I dont get the whole authentication. I want to record longer to have more time to open the door and that the encrypted communcation gets recorded.

Don't use 'lf snoop'. Use 'lf hitag snoop' and display the result with 'lf hitag list'

Offline

#13 2019-10-21 17:24:03

Mercix
Contributor
Registered: 2019-09-27
Posts: 10

Re: Hitag Access System

Hello,

just a status update:
I'm now programming the hitag 1 functions.

I already got the uid and conf page running.
Curious is only, that the original tag is now readable, but not the both delievered hitag 1 tags.

I've ordered tags from another distributor for comparsion.

The 'hitag lf snoop' give no really useful data. I'll investigate it, after setup the hitag 1.

Greetings

Last edited by Mercix (2019-10-21 17:24:49)

Offline

#14 2019-11-06 09:00:11

Mercix
Contributor
Registered: 2019-09-27
Posts: 10

Re: Hitag Access System

Hello,

I tried to get the snnop running, but at the current settings the proxmark disturb the communication between reader and tag.

Yesterday I looked at the lf snoop traces. In this I see the communication and relevant information. Also the reader opens clearly.

My question now is, can I use the lf snoop in a loop to capture the whole communication in one step?

Offline

Board footer

Powered by FluxBB