Proxmark / proxmark3

Proxmark 3
http://www.proxmark.org/
GNU General Public License v2.0

Hitag S gives two different readings of data sectors #932

Open hiviah opened 4 years ago

hiviah commented 4 years ago

I discovered this weird behavior yesterday and could reproduce it on 3 different Hitag S tags. Refers to recent commit ebf1404a813867dbfb60dc5f4b13cfee62fb3b71.

If I put the tag on the Proxmark's antenna and then run lf hitag reader 01, I get one reading of 64 sectors, without a UID. If I run lf hitag reader 01, wait for about 1-2 seconds, and then put the tag on the antenna, I get a different reading of 8 sectors, including the UID, which seems to make more sense.

The data read is always consistent, i.e. multiple readings will give the same results with this method, but the result depends on whether the tag is already on the antenna when the command is issued.

An example:

Reading when using a delay of 1-2 sec between the command and putting the tag on the antenna; these data seem to make more sense and they contain the UID:

#db# UID: B3 A4 A8 7F
#db# crc: 6B
#db# Page[ 0]: 7F A8 A4 B3
#db# Page[ 1]: AA 00 24 C9
#db# Page[ 2]: 4E 4F 54 48
#db# Page[ 3]: 52 4B 49 4D
#db# Page[ 4]: D8 00 80 FF
#db# Page[ 5]: 80 DD 31 00
#db# Page[ 6]: 00 00 00 00
#db# Page[ 7]: 4B 4F 5F 57

Reading I get when I issue the reader command with the tag already on the antenna; it shows no UID and there is a weird repetition pattern:

proxmark3> lf hitag reader 01
#db# ReadHitagS in mode=STANDARD, blockRead=0, startPage=0
#db# Authenticating using nr,ar pair:
#db# 00 00 00 00 00 00 00 00
#db# UID: 00 00 00 00
#db# crc: 79
#db# Page[ 0]: 55 55 55 55
#db# Page[ 1]: 55 55 55 55
#db# Page[ 2]: 55 55 55 55
#db# Page[ 3]: 55 55 55 55
#db# Page[ 4]: 55 55 55 55
#db# Page[ 5]: 55 55 55 55
#db# Page[ 6]: 55 55 55 55
#db# Page[ 7]: AA AA AA 6A
#db# Page[ 8]: 55 55 55 55
#db# Page[ 9]: AA AA AA 6A
#db# Page[10]: AA AA AA AA
#db# Page[11]: 55 55 55 55
#db# Page[12]: AA AA AA 6A
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
#db# Page[13]: 55 55 55 55
#db# Page[14]: 55 55 55 55
#db# Page[15]: AA AA AA 2A
#db# Page[16]: 55 55 55 55
#db# Page[17]: 55 55 55 55
#db# Page[18]: 55 55 55 55
#db# Page[19]: 55 55 55 55
#db# Page[20]: AA AA AA 2A
#db# Page[21]: AA AA AA 6A
#db# Page[22]: 55 55 55 55
#db# Page[23]: 55 55 55 55
#db# Page[24]: 55 55 55 55
#db# Page[25]: AA AA AA 6A
#db# Page[26]: AA AA AA 6A
#db# Page[27]: 55 55 55 55
#db# Page[28]: 55 55 55 55
WARNING: timeout while waiting for reply.
#db# Page[29]: AA AA AA 4A
#db# Page[30]: AA AA AA AA
#db# Page[31]: 55 55 55 55
#db# Page[32]: 55 55 55 55
#db# Page[33]: 55 55 55 55
#db# Page[34]: 55 55 55 55
#db# Page[35]: 55 55 55 55
#db# Page[36]: 55 55 55 55
#db# Page[37]: 55 55 55 55
#db# Page[38]: 55 55 55 55
#db# Page[39]: AA AA AA 4A
#db# Page[40]: 55 55 55 55
#db# Page[41]: 55 55 55 55
#db# Page[42]: 55 55 55 55
#db# Page[43]: AA AA AA 2A
#db# Page[44]: AA AA AA 6A
#db# Page[45]: AA AA AA 4A
#db# Page[46]: 55 55 55 55
#db# Page[47]: 55 55 55 55
#db# Page[48]: 55 55 55 55
#db# Page[49]: AA AA AA 4A
#db# Page[50]: AA AA AA 4A
#db# Page[51]: 55 55 55 55
#db# Page[52]: AA AA AA 6A
#db# Page[53]: AA AA AA 6A
#db# Page[54]: 55 55 55 55
#db# Page[55]: AA AA AA 4A
#db# Page[56]: 55 55 55 55
#db# Page[57]: AA AA AA 6A
#db# Page[58]: AA AA AA 6A
#db# Page[59]: AA AA AA 4A
#db# Page[60]: 55 55 55 55
#db# Page[61]: 55 55 55 55
#db# Page[62]: 55 55 55 55
#db# Page[63]: 55 55 55 55

hiviah commented 4 years ago

Got some blank tags and found out the reason for the weird reads:

If you change page 1 (which defaults to "AA 00 00 C9") to "AA 00 24 C9", the above behavior appears. Reproduced on 3 blank tags.

According to the docs, page 1 is the configuration page, though I can't find out what exactly the changed byte does, but it seems to affect modulation.
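As an added example (not code from this issue or from the proxmark3 project), the following Python script parses the #db# lines of both readings quoted in the first comment, flags the reading whose pages are all the 0x55/0xAA alternating-bit pattern and whose UID is all zeros, checks that page 0 holds the UID in reverse byte order (as the first reading shows: UID B3 A4 A8 7F, Page[0] 7F A8 A4 B3), and reports which bits of page 1 differ from the blank-tag default AA 00 00 C9 named in the second comment. The function names, the "idle pattern" heuristic and the embedded dump excerpts are my own constructions; the script only reports which configuration bits differ and says nothing about what they mean.

```python
"""Classify Proxmark3 `lf hitag reader 01` dumps like the two in this issue."""
import re

# Constructed sample input: excerpts of the two dumps quoted in the issue,
# with trailing whitespace dropped. The bad dump keeps a few of its 64 pages
# plus the interleaved client status lines to show they are skipped.
GOOD_DUMP = """\
#db# UID: B3 A4 A8 7F
#db# crc: 6B
#db# Page[ 0]: 7F A8 A4 B3
#db# Page[ 1]: AA 00 24 C9
#db# Page[ 2]: 4E 4F 54 48
#db# Page[ 3]: 52 4B 49 4D
#db# Page[ 4]: D8 00 80 FF
#db# Page[ 5]: 80 DD 31 00
#db# Page[ 6]: 00 00 00 00
#db# Page[ 7]: 4B 4F 5F 57
"""

BAD_DUMP = """\
#db# UID: 00 00 00 00
#db# crc: 79
#db# Page[ 0]: 55 55 55 55
#db# Page[ 1]: 55 55 55 55
#db# Page[ 7]: AA AA AA 6A
Waiting for a response from the proxmark...
#db# Page[15]: AA AA AA 2A
WARNING: timeout while waiting for reply.
#db# Page[29]: AA AA AA 4A
"""

UID_RE = re.compile(r"#db# UID:\s*((?:[0-9A-Fa-f]{2}\s*){4})")
PAGE_RE = re.compile(r"#db# Page\[\s*(\d+)\]:\s*((?:[0-9A-Fa-f]{2}\s*){4})")

# Blank-tag default for the configuration page, as reported in the issue.
DEFAULT_PAGE1 = bytes.fromhex("AA0000C9")


def parse_dump(text):
    """Return (uid bytes or None, {page number: 4 bytes}) from client output.

    Lines that are not #db# UID/Page lines (client status messages such as
    'Waiting for a response...') are ignored rather than breaking the parse.
    """
    uid = None
    pages = {}
    for line in text.splitlines():
        m = UID_RE.match(line)
        if m:
            uid = bytes.fromhex(m.group(1).replace(" ", ""))
            continue
        m = PAGE_RE.match(line)
        if m:
            pages[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return uid, pages


def is_idle_pattern(page):
    """Heuristic (my own): the bad dump's pages are 55 55 55 55 or
    AA AA AA xx with xx in {AA, 6A, 2A, 4A}, i.e. the first three bytes are
    always the alternating-bit values 0x55 (01010101) or 0xAA (10101010)."""
    return all(b in (0x55, 0xAA) for b in page[:3])


def uid_matches_page0(uid, pages):
    """True when page 0 is the UID in reverse byte order (see the good dump)."""
    return uid is not None and 0 in pages and pages[0] == uid[::-1]


def classify(text):
    """Summarise one dump and decide whether it looks like the bogus reading."""
    uid, pages = parse_dump(text)
    idle = sum(1 for p in pages.values() if is_idle_pattern(p))
    return {
        "uid": uid.hex().upper() if uid is not None else None,
        "pages": len(pages),
        "uid_matches_page0": uid_matches_page0(uid, pages),
        "idle_pages": idle,
        # All-zero UID, or every page matching the idle pattern, is suspicious.
        "suspicious": uid == bytes(4) or (bool(pages) and idle == len(pages)),
    }


def page1_diff(pages, default=DEFAULT_PAGE1):
    """List (byte index, XOR bit mask) for config-page bytes that differ from
    the blank-tag default; reports the difference only, not its meaning."""
    if 1 not in pages:
        return None
    cur = pages[1]
    return [(i, f"{cur[i] ^ default[i]:08b}") for i in range(4) if cur[i] != default[i]]


if __name__ == "__main__":
    for name, dump in (("delayed tag", GOOD_DUMP), ("tag already on antenna", BAD_DUMP)):
        print(name, classify(dump), "page1 diff:", page1_diff(parse_dump(dump)[1]))
```

Run against the first reading it reports a UID that matches page 0, no idle pages and a page 1 differing from the default only in byte 2 (mask 00100100, the 0x24 from the second comment); against the second reading it reports an all-zero UID and every parsed page matching the idle pattern. That gives a quick scripted check for whether a Hitag S dump is worth trusting before writing it anywhere.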