RfidResearchGroup / proxmark3

Iceman Fork - Proxmark3
http://www.icedev.se
GNU General Public License v3.0

Hitag2 simu #1232

Open RaspExt opened 3 years ago

RaspExt commented 3 years ago

Description

After starting the hitag2 simulation with the command lf hitag sim 2 j car.json, I can see the configured EEPROM displayed on the console and the simulation is started properly. However, it is impossible to correctly decode the signal in order to detect/see the START_AUTH command, despite the fact that I can see the signal with the commands data plot and lf sniff -s 3000 -@ in oscilloscope mode.

There may be some adjustments to be made. Any idea?

[+] loaded from JSON file car.json

[#] Starting Hitag2 simulation
[#] Loading hitag2 memory...
[#] | 0 | a9323533 |
[#] | 1 | 301823bd |
[#] | 2 | 2acc5821 |
[#] | 3 | 0ec91792 |
[#] | 4 | 00000000 |
[#] | 5 | 00000000 |
[#] | 6 | 00000000 |
[#] | 7 | 00000000 |
[#] | 8 | f3e2bdc7 |
[#] | 9 | 000009c2 |
[#] | 10 | 10640206 |
[#] | 11 | ba817571 |
[#] Detected unexpected number of manchester decoded samples [2]
[#] Detected unexpected number of manchester decoded samples [2]
[#] Detected unexpected period count: 123
[#] Detected incorrect header, the bit [0] is zero instead of one
[#] Detected incorrect header, the bit [2] is zero instead of one
[#] Detected incorrect header, the bit [4] is zero instead of one
[#] Reader password is wrong
[#] Detected unexpected number of manchester decoded samples [2]
[#] Detected unexpected number of manchester decoded samples [2]
[#] Detected unexpected number of manchester decoded samples [2]
[#] Detected incorrect header, the bit [1] is zero instead of one
[#] Detected incorrect header, the bit [3] is zero instead of one
[#] Reader password is wrong

[+] loaded from JSON file /home/seb/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM2
[=] Communicating with PM3 over USB-CDC

  ██████╗ ███╗   ███╗█████╗ 
  ██╔══██╗████╗ ████║╚═══██╗
  ██████╔╝██╔████╔██║ ████╔╝
  ██╔═══╝ ██║╚██╔╝██║ ╚══██╗
  ██║     ██║ ╚═╝ ██║█████╔╝       Iceman ☕
  ╚═╝     ╚═╝     ╚═╝╚════╝    ❄️ bleeding edge

  https://github.com/rfidresearchgroup/proxmark3/

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.9237-3423-g924a8163d 2021-04-02 17:54:45
  compiled with GCC 9.3.0 OS:Linux ARCH:x86_64

 [ PROXMARK3 ]
  device.................... RDV4
  firmware.................. RDV4
  external flash............ present
  smartcard reader.......... present
  FPC USART for BT add-on... absent

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.9237-3423-g924a8163d 2021-04-02 17:55:12
       os: RRG/Iceman/master/v4.9237-3423-g924a8163d 2021-04-02 17:55:27
  compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
  HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 59% used )

Expected behavior

Be able to emulate a hitag2 tag in order to replace the hitag2 keyfob.

iceman1001 commented 3 years ago

#124 #240 #878 #889 #551 #764

The lf hitag commands need more love. I am currently looking into the lf hitag sniff.
If you go back to an older version of the repo, like two years, or rather to before I did some refactoring of the hitag2 stuff, you will find simulation working.

dk5ras commented 2 years ago

HITAG in general seems to be a mystery :) Quite hard to start playing with it without at least some basic tools...

pispo1 commented 1 year ago

#124 #240 #878 #889 #551 #764

The lf hitag commands need more love. I am currently looking into the lf hitag sniff. If you go back to an older version of the repo, like two years, or rather to before I did some refactoring of the hitag2 stuff, you will find simulation working.

I have been looking at the versions around April 2019, but it is not clear to me how to identify a working version of lf hitag sim. @iceman1001 Could you tell me a working commit of tag sim?

iceman1001 commented 1 year ago

I have no clue, try git bisect, from 2018 to 2020 in order to find a working hitag sim.