flipperdevices / flipperzero-firmware

Flipper Zero firmware source code
https://flipperzero.one
GNU General Public License v3.0

ISO 15693 SLIX2 signature support #2781

Closed eychei closed 10 months ago

eychei commented 1 year ago

Description of the feature you're suggesting.

The SLIX2 emulation is incomplete. The following feature is missing.

• Originality signature: 32 byte ECC based originality signature

Anything else?

No response

eychei commented 1 year ago

Yes, the signature was read correctly. I tried two tags. Just cloned them and emulated. They worked fine on the Dymo printer.

The Dymo printer is sending the write password so as to increment the counter later on. Can you store this in the Flipper during emulation?

eychei commented 1 year ago

Or do you mean that when emulating, the password gets updated in the .nfc file?

Yes, exactly.

g3gg0 commented 1 year ago

Another update, can you try please?

eychei commented 1 year ago

Hi. Tried the update. The Security Status and the Protection pointers are read correctly now.

Did you also implement the password update function while emulating the tag?

-e

g3gg0 commented 1 year ago

Great! Nah, didn't add this feature yet. But added it right now.

Can you check if that works as expected?

g3gg0 commented 1 year ago

Edit: moved that PR-related discussion here.

eychei commented 1 year ago

Tried the newest firmware and the password is stored now. Great work! But if I read one tag, get the password, and read a second tag afterwards, the password of the first tag is also stored in the second tag. The password field and all other fields need to be cleared on every new read, else the data of the old tag is used. Can you check that?
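The carry-over bug described in this comment (the password of tag A persisting into tag B's record) is a stale-state defect: a read only overwrites the fields it delivers, so anything learned earlier survives. As an added example, not code from the Flipper firmware or from anyone in this thread, the following C program models a hypothetical tag record and shows the buggy load routine beside the fixed one that zeroes the record before every read. All struct and function names, the two UIDs and the password value are constructed for the illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical tag record, modelled loosely on what the thread describes
 * (UID, block data, an optional password learned during emulation).
 * These are NOT the Flipper firmware's own structures. */
#define TAG_MAX_BLOCKS 80
#define TAG_BLOCK_SIZE 4

typedef struct {
    uint8_t uid[8];
    uint8_t block_count;
    uint8_t blocks[TAG_MAX_BLOCKS][TAG_BLOCK_SIZE];
    bool password_known;   /* set only when a reader presented a password */
    uint8_t password[4];
} tag_data_t;

/* Constructed "raw read" result: what reading a physical tag yields.
 * The password is not part of a read; it is only learned when a reader
 * sends it during emulation (the Dymo printer case from the thread). */
typedef struct {
    uint8_t uid[8];
    uint8_t block_count;
} tag_read_t;

/* Buggy variant: copies only the fields the read delivers, leaving
 * password_known/password from the previous tag in place. */
void tag_load_buggy(tag_data_t *tag, const tag_read_t *read) {
    memcpy(tag->uid, read->uid, sizeof tag->uid);
    tag->block_count = read->block_count;
}

/* Fixed variant: every new read starts from a zeroed record, so nothing
 * learned from the previous tag (password, leftover blocks) survives. */
void tag_load_fixed(tag_data_t *tag, const tag_read_t *read) {
    memset(tag, 0, sizeof *tag);
    memcpy(tag->uid, read->uid, sizeof tag->uid);
    tag->block_count = read->block_count;
}

/* Emulation side: a reader presented a password, remember it for this tag. */
void tag_learn_password(tag_data_t *tag, const uint8_t pw[4]) {
    memcpy(tag->password, pw, 4);
    tag->password_known = true;
}

/* Scenario from the thread: tag A is read and emulated (password learned),
 * then tag B is read into the same record. Returns true if B wrongly
 * reports a known password, i.e. the stale state leaked. */
bool stale_password_leaks(bool use_fixed) {
    /* Constructed sample UIDs and a constructed password value. */
    static const tag_read_t tag_a = { {0xE0, 0x04, 0x01, 0x50, 0x11, 0x22, 0x33, 0x44}, 80 };
    static const tag_read_t tag_b = { {0xE0, 0x04, 0x01, 0x50, 0xAA, 0xBB, 0xCC, 0xDD}, 80 };
    static const uint8_t reader_pw[4] = {0xDE, 0xAD, 0xBE, 0xEF};
    tag_data_t rec;
    memset(&rec, 0, sizeof rec);

    if (use_fixed) tag_load_fixed(&rec, &tag_a); else tag_load_buggy(&rec, &tag_a);
    tag_learn_password(&rec, reader_pw);          /* emulate A, reader sends password */
    if (use_fixed) tag_load_fixed(&rec, &tag_b); else tag_load_buggy(&rec, &tag_b);
    return rec.password_known;                    /* B never had a password */
}

int main(void) {
    printf("buggy load leaks password into next tag: %s\n", stale_password_leaks(false) ? "yes" : "no");
    printf("fixed load leaks password into next tag: %s\n", stale_password_leaks(true) ? "yes" : "no");
    return 0;
}
```

The fix is deliberately a whole-record reset rather than clearing the password field alone: any field a future read might not deliver (extra blocks, lock bits, a counter) has the same carry-over problem, and zeroing the record before load closes them all at once.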

eychei commented 1 year ago

Just found another bug. When you check the tag content on the Flipper it will only show you 50 blocks. The tag does have 80 blocks though. It will only show the 50 blocks to skip through.

g3gg0 commented 1 year ago

Password storing fixed, can you check again?

It's intentional to not show too much information in that small textbox, if you meant that?

eychei commented 1 year ago

I meant the Block size field which is shown on the Flipper screen when pressing the info button. It says 50 blocks but the data is 80 blocks in the .nfc file. Also, scrolling down through the info page on the Flipper, only 50 blocks are shown. I cannot scroll down to see the counter value, for example.

g3gg0 commented 1 year ago

Good point, this is shown in hexadecimal, but not annotated. Will fix it.

eychei commented 1 year ago

OK, tested the newest version. Reading tags is working now as expected. The password field and others are not copied over from the old tag data. Great work!

Will test more if you have new updates.

P.S. Can I contact you somehow via email, or do you have time for a chat via Discord or similar?

g3gg0 commented 1 year ago

Thanks for your extensive testing and technical support.

Yeah, use git_at_g3gg0.de

eychei commented 1 year ago

How is this working over git? New to this thing for chatting or sending messages.

g3gg0 commented 1 year ago

Fixed the mail address in the previous message. Just mail me.

Morfis1855 commented 6 months ago

hi there I had a similar issue but I didn't have a programming background, I'm working in a medical lab, two years ago I had purchased an inventory system the manufacturer provided a software plus hardware (readers) and 5 years licence we started using those inlay tags which are expensive but tolerable cost after one year they start raising the price for each tag till reaching more than 4$ now which is insanely high I believe you had an idea about how much inlay Slix cost from China or Europe suppliers which is less than 1 $, I got stuck with expensive hardware and 5 years prepaid licence Plz help to crack those tags, I had a bunch of NXP Slix tags from different suppliers and a PM3 all my trials to clone a serial of those tags went south even if NXP Info and/or PM3 show them as identical to the original

g3gg0 commented 6 months ago

hi there I had a similar issue but I didn't have a programming background, I'm working in a medical lab, two years ago I had purchased an inventory system the manufacturer provided a software plus hardware (readers) and 5 years licence we started using those inlay tags which are expensive but tolerable cost after one year they start raising the price for each tag till reaching more than 4$ now which is insanely high I believe you had an idea about how much inlay Slix cost from China or Europe suppliers which is less than 1 $, I got stuck with expensive hardware and 5 years prepaid licence Plz help to crack those tags, I had a bunch of NXP Slix tags from different suppliers and a PM3 all my trials to clone a serial of those tags went south even if NXP Info and/or PM3 show them as identical to the original

No offense, but please restructure your post a bit using punctuation and newlines. It is too hard to follow what your point really is.

Morfis1855 commented 6 months ago

Sorry for my English.

Hi there.

I had a similar issue, but I do not have a programming background. I'm working in a medical lab; two years ago we had purchased an inventory system to track samples and reagents across the lab using RFID labels. The manufacturer provided software, hardware (readers) and a 5 year licence.

We started to use those inlay RFID tags, which are expensive (~2$) but a tolerable cost. After one year the supplier started raising the price for each tag till reaching more than 4$ last month, which is insanely high. I believe you have an idea about how much an RFID label costs from China or Europe: it costs less than 1 $. Now I got stuck with expensive hardware and a 5 year prepaid licence. Plz help to crack those tags.

I bought 50 stickers from AliExpress @15$ with the exact same IC "NXP-ICODESLIX" and tried to clone, but it didn't work. All my trials to clone a serial of those tags went south, even with NXP, MCT apps and/or PM3; the reader failed to see the tags at all.

I have attached screenshots of both the original tag and the outsourced tags' scanning results.

B.R. Morfis

Morfis1855 commented 6 months ago

Sorry, forgot to attach the copied tags' scanning results, which are identical to the original.

g3gg0 commented 6 months ago

From what I can anticipate, what you have tried is copying the memory content. There is still the UID, which is hardcoded, but I guess that should not be an indicator for clone/genuine seller tags (they also cannot control the UID).

But there still are the DSFID and AFI, which have to match, as well as the password(s).

Use a PM3 (easy) and sniff reader/tag comms. If it makes use of a password (which I guess is the only sensible way of protecting), then you will see a GET RAND and SET PASSWORD command in the hexdump.

g3gg0 commented 6 months ago

Another thing: are you sure the UID is E0 04 01 50 .. for the genuine tags? Because if it's that sequence, it's indeed a SLIX and there is a good chance.

If it is instead E0 04 01 08 or others, it's a SLIX2 with a (fixed) cryptographic signature.

In any case, it is not related to this (old, dead) topic.
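The UID prefixes quoted above are the quickest way to tell which ICODE family an asset tag belongs to, and therefore whether it carries the fixed originality signature that SLIX2 adds and a plain SLIX lacks. As an added example, not code from this thread, the Flipper firmware or the Proxmark project, the following C code parses a pm3-style UID string and classifies it using only the two prefixes stated in the thread (E0 04 01 50 as SLIX, E0 04 01 08 as SLIX2, everything else as "other"). Two facts from the standards are relied on: an ISO 15693 UID always starts with E0, and its second byte is the ISO/IEC 7816-6 manufacturer code (0x04 for NXP). The sample UID E0040150AE82CD7C is the one in the dump filename posted later in the thread; the other UIDs in the code are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Classification based only on the two UID prefixes named in the thread.
 * Other NXP ICODE variants exist but are deliberately reported as UID_OTHER. */
typedef enum { UID_INVALID, UID_SLIX, UID_SLIX2, UID_OTHER } uid_class_t;

typedef struct {
    uint8_t bytes[8];      /* UID as printed by pm3: MSB (E0) first */
    uint8_t manufacturer;  /* ISO/IEC 7816-6 manufacturer code, 0x04 = NXP */
    uid_class_t cls;
} uid_info_t;

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse a 16-hex-digit UID string (spaces between bytes allowed) and fill
 * *out. Returns UID_INVALID on malformed input or a non-E0 first byte. */
uid_class_t iso15693_classify(const char *text, uid_info_t *out) {
    uint8_t bytes[8];
    size_t n = 0;
    int hi = -1;
    for (const char *p = text; *p; ++p) {
        if (*p == ' ') continue;
        int v = hexval(*p);
        if (v < 0) return UID_INVALID;
        if (hi < 0) { hi = v; continue; }
        if (n == 8) return UID_INVALID;          /* more than 8 bytes */
        bytes[n++] = (uint8_t)((hi << 4) | v);
        hi = -1;
    }
    if (n != 8 || hi >= 0) return UID_INVALID;   /* too short or odd digit count */
    if (bytes[0] != 0xE0) return UID_INVALID;    /* ISO 15693 UIDs begin with E0 */

    memcpy(out->bytes, bytes, 8);
    out->manufacturer = bytes[1];
    if (bytes[1] == 0x04 && bytes[2] == 0x01 && bytes[3] == 0x50)
        out->cls = UID_SLIX;        /* per the thread: SLIX, no originality signature */
    else if (bytes[1] == 0x04 && bytes[2] == 0x01 && bytes[3] == 0x08)
        out->cls = UID_SLIX2;       /* per the thread: SLIX2, fixed ECC signature */
    else
        out->cls = UID_OTHER;
    return out->cls;
}

/* Convenience wrappers so a caller can check one property at a time. */
uid_class_t iso15693_class_of(const char *text) {
    uid_info_t info;
    return iso15693_classify(text, &info);
}

int iso15693_manufacturer_of(const char *text) {
    uid_info_t info;
    if (iso15693_classify(text, &info) == UID_INVALID) return -1;
    return info.manufacturer;
}

static const char *class_name(uid_class_t c) {
    switch (c) {
    case UID_SLIX:  return "ICODE SLIX (no originality signature)";
    case UID_SLIX2: return "ICODE SLIX2 (fixed originality signature)";
    case UID_OTHER: return "other ISO 15693 tag";
    default:        return "invalid UID";
    }
}

int main(void) {
    const char *samples[] = {
        "E0040150AE82CD7C",          /* UID from the dump filename in the thread */
        "E0 04 01 08 00 11 22 33",   /* constructed SLIX2-prefixed UID */
        "E0070150AE82CD7C",          /* constructed: non-NXP manufacturer code */
        "E00401",                    /* constructed: truncated */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-26s -> %s\n", samples[i], class_name(iso15693_class_of(samples[i])));
    return 0;
}
```

Only the first four bytes are inspected; the remaining four are the serial part and say nothing about the tag family, which is why two tags with "identical" memory dumps can still differ in what protection features they support.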

Morfis1855 commented 6 months ago

Hehehe, now 😜 you are speaking gibberish.

Joking, I already saw a lot of articles and thought about sniffing, but again I'm a chemist. I will try my best and keep you posted.

But in general, do you think it's doable?

g3gg0 commented 6 months ago

Well, get yourself comfortable with the terminology and try it.

Morfis1855 commented 6 months ago

Another thing: are you sure the UID is E0 04 01 50 .. for the genuine tags? Because if it's that sequence, it's indeed a SLIX and there is a good chance.

If it is instead E0 04 01 08 or others, it's a SLIX2 with a (fixed) cryptographic signature.

In any case, it is not related to this (old, dead) topic.

For the moment, I did dump the original tag using PM3, if it helps: hf-15-E0040150AE82CD7C-dump.json

g3gg0 commented 6 months ago

Looks doable. Not sure what the lock block format is, there is a bit set. Compare this with an off-the-shelf tag and write the memory content of the old to the new tag.

Check if the tag is now working. Options:
  a) doesn't work because of lock bit not set
  b) doesn't work because the block0 data is some kind of hashed UID
  c) works, impersonating the genuine tag

For a) get comfortable with https://www.nxp.com/docs/en/data-sheet/SL2S2002_SL2S2102.pdf and write the lock bits.

For b) you need many genuine tags read out to reverse engineer the hash, if even possible with that small sample count. Also good to know before reversing:

In any case: use your pm3 to sniff the traffic between tag and reader.

Morfis1855 commented 6 months ago

I already did, and block 1 is locked exactly as on the original, and it did not work.

Most probably option "b) doesn't work because the block0 data is some kind of hashed UID", or password or ECC.

I will sniff the reader/tag communication tomorrow and update you; today I'm out of office.

Morfis1855 commented 6 months ago

Hi again. "hf 15 sniff" does nothing; the "hf sniff" command resulted in the attached .mp3 file: sniff results.zip

Did I do it right??

Morfis1855 commented 6 months ago

[g3gg0] Good day, are you available??

Morfis1855 commented 6 months ago

Good morning again

There are a lot of videos describing how to sniff hf; could you plz suggest a sniff protocol?

g3gg0 commented 6 months ago

This is a WebSerial implementation of a proxmark client I made.

https://upload.g3gg0.de/pub_files/cf515b7c21f0f4a620089275a583f7b1/index.html

** I think a version from this year is enough

Morfis1855 commented 6 months ago

Did you see the files in this comment???

Hi again. "hf 15 sniff" does nothing; the "hf sniff" command resulted in the attached .mp3 file: sniff results.zip

Did I do it right??

g3gg0 commented 6 months ago

No, I need a packet dump of the communication. https://www.reddit.com/r/proxmark3/comments/xyyv2g/how_to_sniff_iso15693/

Morfis1855 commented 6 months ago

Did you see the files in this comment???

Hi again. "hf 15 sniff" does nothing; the "hf sniff" command resulted in the attached .mp3 file: sniff results.zip. Did I do it right??

This file contains the results of my trials sniffing tag/reader communication, multiple times. Since I don't have the skills to check its quality, could you please see them and comment?

g3gg0 commented 6 months ago

As I wrote, please supply the list of packets as produced by the "hf 15 sniff" pm3 command. Not sure which kind of file type this is that you provided, thus me asking for a list of sniffed commands.

Morfis1855 commented 6 months ago

Thanks for your patience 🙏 and forgive my ignorance.

But again, "hf 15 sniff" does nothing.

Only "hf sniff" is working.

g3gg0 commented 6 months ago

Then please ensure your proxmark version is a recent one.

Morfis1855 commented 6 months ago

Version: I assume it's the latest.

g3gg0 commented 6 months ago

This is a WebSerial implementation of a proxmark client I made.

  • use edge or chrome
  • connect to the proxmark3
  • make sure you have the latest** iceman firmware if it doesn't connect properly.
  • click on "ISO15693 Sniff Traffic"
  • sniff the communication with the PM3 a few times
  • press the button on the PM3
  • you should see a log

https://upload.g3gg0.de/pub_files/cf515b7c21f0f4a620089275a583f7b1/index.html

** I think a version from this year is enough

Now this

Morfis1855 commented 6 months ago

Failed to connect on both browsers!! Edge and Chrome. Do I need to disable some security feature??

Morfis1855 commented 6 months ago

Click on "ISO15693 Sniff Traffic"?? Where am I supposed to find this?

Morfis1855 commented 6 months ago

Sorry, the command prompt was running; that's why it wasn't able to connect. Now

connected. It's late now; I will do it first thing in the morning tomorrow, when I reach the office. Appreciated.

Morfis1855 commented 6 months ago

Hi, sniffing reader/card communication didn't work. I tried multiple times; the results led to 0 traces (screenshot: tag on reader sniff).

To ensure my technique is working, I tried to sniff tag/phone communication using the NXP info app and it worked!!! (screenshot: tag on phone sniff, attached). I saved the log as TXT if it helps: sniffing.txt

Morfis1855 commented 5 months ago

Any advice??

g3gg0 commented 5 months ago

No, if there is no communication to be traced, I cannot help. You could use a more recent version of that html from https://github.com/g3gg0/ProxmarkWebSerial, however there were no changes that should have an impact.

Looking at the screenshot, I am missing a log message that says to press a button.