Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#101 2015-01-19 22:11:36

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

yes is possible iclass snoop command was right.
I don´t know if in the last proxmark fw versions has been some code changed.


in order to get many samples i made a tool able to continuously send the snoop, wait for the "#db# COMMAND FINISHED" string and then send another snoop request

very good idea, but I think is better to get all the memory when is full (or nearly full), flush the memory and continue sniffing, and throw this data into a file on the computer.

Like a pipe on ethernet when you want sniff, may be someone could change the code to make this.

Offline

#102 2015-01-20 07:51:22

gaucho
Contributor
From: France
Registered: 2010-06-15
Posts: 444
Website

Re: Skidata tickets (iso 15693)

thefkboss wrote:

yes is possible iclass snoop command was right.
I don´t know if in the last proxmark fw versions has been some code changed.


in order to get many samples i made a tool able to continuously send the snoop, wait for the "#db# COMMAND FINISHED" string and then send another snoop request

very good idea, but I think is better to get all the memory when is full (or nearly full), flush the memory and continue sniffing, and throw this data into a file on the computer.

Like a pipe on ethernet when you want sniff, may be someone could change the code to make this.

I've seen with sl500 reader and proxmark, that each 2 readings of a tag, the snoop command gives the #db# message, so i suppose that i hit the list command when the memory is full.
Anyway, if we agree that the snoop was ok, it means that we should investigate about the used protocol by means of a oscilloscope on the turnstile.
For this reason the new function able to record samples on proxmark is very important and it needs to be completed


Imagination is more important than knowledge.

Offline

#103 2015-01-29 10:56:17

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

I found that byte #4 in block 2  is responsible for days counting (ex. Skipass type: 10 days form 14).
But I can't chage the value, any idea?

Block  2   00 38 00 40    .8.@
Block  3   1C 48 33 00    .H3.
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-01-01 15:28:15
#db# os: /-suspect 2015-01-01 15:28:20
#db# HF FPGA image built on 2014/ 6/19 at 21:26: 2
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf 15 cmd read -2 u 2
00 38 00[b] 40 [/b]   .8.@     <-------- skipass was used 4 times
proxmark3> hf 15 cmd write -2  u 2 00 38 00 20
timeout: no answer - data may be written anyway
proxmark3> hf 15 cmd read -2 u 2
00 38 00 40    .8.@
proxmark3>

Offline

#104 2015-01-29 16:16:02

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

you need Password to write

Offline

#105 2015-01-29 20:49:40

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Can you explain this better ?

I found that byte #4 in block 2  is responsible for days counting (ex. Skipass type: 10 days form 14).

Offline

#106 2015-01-29 23:17:10

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

asper wrote:

Can you explain this better ?

I found that byte #4 in block 2  is responsible for days counting (ex. Skipass type: 10 days form 14).

I have 4 active Skipases (Kaprun, AU), I'm doing cards dump daily , later I will post more info how to decode other bytes - but I'm not sure if this make sens if we can't write the card sad

Offline

#107 2015-01-30 18:55:58

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

thefkboss wrote:

you need Password to write

Is it possible to run a proxymark reader in sniffing mode?
My cards are active, so i can take backpack with equipment to get the login trace smile (maybe log will be usefully for brute force attack)

Offline

#108 2015-01-30 19:09:05

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Yes, you need iclass snoop command. Crc will be wrong but this is normal, snooped data will be correct and if you are lucky you can get the password. After the snoop you need to send the list command to see the snooped data.

Please explain this:

(ex. Skipass type: 10 days form 14).

Offline

#109 2015-01-30 21:01:43

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

correct
iclass snoop and you will see the password is in clear text  cool

Offline

#110 2015-01-30 23:21:54

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

>Yes, you need iclass snoop command. Crc will be wrong but this is normal, snooped data will be correct

As i understand i need to run command

hf iclass snoop

>Please explain this:
> (ex. Skipass type: 10 days form 14)

You can buy ski pass which is valid for 14 days, however it can be used  for any 10 days in this period  (10 from 14) - so if we can reset the days counter then we are The Winner smile

Offline

#111 2015-01-31 10:12:56

gaucho
Contributor
From: France
Registered: 2010-06-15
Posts: 444
Website

Re: Skidata tickets (iso 15693)

It seems to me that you all are ignoring my last post.

1) the snoop command is not versatile cause it is not a real versatile digitizer, so it doesn't allow deep analysis of the problem. Infact in my case it was not able to log anything

2) these systems uses database, and periodic synchronization of it. So whatever you will do it will be valid for limited amount of hours/days. Moreover it's easy to be identified and arrested. Better to stop kidding before to think stupid solutions.


Imagination is more important than knowledge.

Offline

#112 2015-01-31 13:10:58

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Piorun wrote:

>Yes, you need iclass snoop command. Crc will be wrong but this is normal, snooped data will be correct

As i understand i need to run command

hf iclass snoop

>Please explain this:
> (ex. Skipass type: 10 days form 14)

You can buy ski pass which is valid for 14 days, however it can be used  for any 10 days in this period  (10 from 14) - so if we can reset the days counter then we are The Winner smile

so you bean tha the byte "40" means "used 4 times"?

Offline

#113 2015-01-31 23:18:39

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

asper wrote:

so you bean tha the byte "40" means "used 4 times"?

Yes, this counter is incremented on my cards daily (few other bytes also are changing - but I think bytes are related to first and last use of gate)

Offline

#114 2015-02-01 17:36:57

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

thefkboss wrote:

correct
iclass snoop and you will see the password is in clear text  cool

Doesn't work, I tested it today sad

Offline

#115 2015-02-01 20:06:47

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

Piorun wrote:

Doesn't work, I tested it today sad

what you mean when you say doesn´t work:

1º you didn´t get any data (after snoop, you have to execute list command)
2º you get some data but you can´t see the password.
3º .......

I have tried with skydata machines and I can capture the comunication with snoop command

1º snoop and then list commands


reader---proxmark(ant)---card

you need some distance between the reader and the card, because the reader is to strong and sometimes  overlap the comunication

Offline

#116 2015-02-01 21:13:33

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

>what you mean when you say doesn´t work:
I didn't get any data after command "proxmark3> hf iclass list"

> 1º you didn´t get any data (after snoop, you have to execute list command)

You mean:

- hf iclass snoop
- go through the gate: reader  <- 20 cm-> proxmark <- 10 cm -> card
- hf iclass list

Offline

#117 2015-02-01 21:42:26

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

Piorun wrote:

You mean:

- hf iclass snoop
- go through the gate: reader  <- 20 cm-> proxmark <- 10 cm -> card
- hf iclass list

correct, but sometimes you have to play with distances
if the reader read the card, the proxmark should capture comunication, if not, is a antenna, distances...problem

Offline

#118 2015-02-01 22:03:02

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

i found some sample output  in this thread http://www.proxmark.org/forum/viewtopic.php?id=1371

proxmark3> hf iclass snoop
#db# COMMAND FINISHED
#db# 3 0 1
#db# 20 bc3 f0
#db# 3 0 1
#db# 20 bc3 f0
proxmark3> hf iclass list
recorded activity:
ETU     :rssi: who bytes

As I understand I should see some log  after "hf iclass snoop" command (what i did) and before "hf iclass list".
But today I didn't get any outpu like "#db# COMMAND FINISHED" ?

Offline

#119 2015-02-01 23:44:53

gaucho
Contributor
From: France
Registered: 2010-06-15
Posts: 444
Website

Re: Skidata tickets (iso 15693)

It is not possible in my opinion, that a turnstile doesn't allow the start of the recording.
The turnstile has a really high signal.
I suppose only 2 solutions:
1) the recording function doesn't work properly (it is not possible to set the trigger level and i'm not sure of what it does)

2) the tag uses fast communication protocol (what is your tag model?)


Imagination is more important than knowledge.

Offline

#120 2015-02-02 00:02:24

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

> the recording function doesn't work properly (it is not possible to set the trigger level and i'm not sure of what it does)
was tested on pm3-bin-0.0.6, should I try 0.0.7 ?

>the tag uses fast communication protocol (what is your tag model?)

proxmark3> #db# 12 octets read from IDENTIFY request:                 
proxmark3> #db# NoErr CrcOK                 
proxmark3> #db# ..Dh..f$ 00 02 yy xx 18 07 66 24                 
proxmark3> #db# ...6     16 e0 9b 36                 
proxmark3> #db# UID = E016246607186xxyy                 
proxmark3> #db# 0 octets read from SELECT request:                 
proxmark3> #db# 0 octets read from XXX request: 
proxmark3> hf 15 dumpmem
Reading memory from tag UID=E01624660718xxyy
Tag Info: EM-Marin SA (Skidata)
Block  0   CE 08 0F 77    ...w
Block  1   82 18 60 20    ..`
Block  2   00 38 00 70    .8.p

Offline

#121 2015-02-02 00:19:51

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

i have tried on this

http://www.skidata.com/en/parking-management/barriers-columns/parking-column-columngate.html
http://www.skidata.com/en/parking-management/automated-payment-machines/easycash.html
http://www.skidata.com/en/parking-management/automated-payment-machines/powercash.html

and I can record de comunication

Offline

#122 2015-02-02 00:48:05

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

I have two types of cards
SKIDATA keycards (13.56 MHz) Basic  (Zell am See)- this one is valid and I'm trying to record the communication
SKIDATA keytix (13.56 MHz) - (SILVAPARK.AT) I can make a card dump, looks like a  SKIDATA keycard Basic
http://www.skidata.com/en/mountain-destinations/access-readers-turnstiles/freemotiongate.html#tabs1-2

Offline

#123 2015-02-02 00:58:13

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

mine is EM4233 skidatakeycard because is 01- is from a parking system

Offline

#124 2015-02-02 09:20:06

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

gaucho wrote:

2) the tag uses fast communication protocol (what is your tag model?)

How to check what type of protocol is used ?
I have only 5 days to finish tests (end of holiday).

Last edited by Piorun (2015-02-02 17:57:19)

Offline

#125 2015-02-02 10:18:01

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

You cannot. Simply try different positions while snooping with iclass and be sure all your hardware configuration is ok (no power loss or something like that).

Offline

#126 2015-02-02 10:25:00

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

What is the maximun in fast communication?
I 've been able to snoop 848kbs mifare desfire in fast communication.
I think is not a problem of fast communication i think is an antenna problem.
If you tune the antenna, what you get?

Offline

#127 2015-02-02 11:35:03

iceman
Administrator
Registered: 2013-04-25
Posts: 5,610
Website

Re: Skidata tickets (iso 15693)

try the r.0.0.7 since there have been a remake of the list command.   From 0.0.7 its under  "hf list iclass"


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#128 2015-02-02 17:01:47

tarcisiomerlot
Member
Registered: 2015-01-04
Posts: 3

Re: Skidata tickets (iso 15693)

As I promised, here's 7 reading of my skipass after 7 passages through the turnstile. For each of them I have attached the remaining hours and the hh:mm of the passage timestamp as displayed by the turnstile. The first passage belongs to a previous day, the other 6 are done in the same day.
Only 9 bytes change between passages: block 2 byte 4, block 47 bytes 1-4, block 48 bytes 1-4.
@Asper: I have already understood some bytes: block 2 byte 4=counter of the passage made in one day, block 48 byte 1=couple (!!) of remaining minutes, byte 2=day (coded somehow) of passage?, byte 3+8 bits of byte 4=minutes/seconds of passage (expressed in seconds)?, byte 4 last 8 bits=hour of passage.
@Gaucho: can you share what you have found about the meaning of the other bytes?

CHECK 04/01/2015 ??:?? 6h 52m
C4 08 66 B9 42 18 40 20 00 38 00 F0 1C 48 33 00 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2A 80 53 42 1F 90 53 42 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 13 01 1D 00 04 1B 01 B0 C7 F7 C3 48 FF C8 79 40 77 6B D6 20 0C 20 01 CE 60 98 2D 00 30 90 15 00 00 00 00 00 00 00 00 

CHECK 31/01/2015 12:03 6h 48m
C4 08 66 B9 42 18 40 20 00 38 00 10 1C 48 33 00 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2A 80 53 42 1F 90 53 42 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 13 01 1D 00 04 1B 01 B0 C7 F7 C3 48 FF C8 79 40 77 6B D6 A0 06 F8 01 CC 20 20 4C 00 30 90 15 00 00 00 00 00 00 00 00 

CHECK 31/01/2015 12:17 6h 36m
C4 08 66 B9 42 18 40 20 00 38 00 20 1C 48 33 00 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2A 80 53 42 1F 90 53 42 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 13 01 1D 00 04 1B 01 B0 C7 F7 C3 48 FF C8 79 40 77 6B D6 70 05 F8 01 C6 20 50 2C 00 30 90 15 00 00 00 00 00 00 00 00 

CHECK 31/01/2015 12:25 6h 28m
C4 08 66 B9 42 18 40 20 00 38 00 30 1C 48 33 00 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2A 80 53 42 1F 90 53 42 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 13 01 1D 00 04 1B 01 B0 C7 F7 C3 48 FF C8 79 40 77 6B D6 40 04 F8 01 C2 20 70 2C 00 30 90 15 00 00 00 00 00 00 00 00 

CHECK 31/01/2015 12:47 6h 06m
C4 08 66 B9 42 18 40 20 00 38 00 40 1C 48 33 00 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2A 80 53 42 1F 90 53 42 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 13 01 1D 00 04 1B 01 B0 C7 F7 C3 48 FF C8 79 40 77 6B D6 B0 03 F8 01 B7 20 C8 2C 00 30 90 15 00 00 00 00 00 00 00 00 

CHECK 31/01/2015 13:02 5h 52m
C4 08 66 B9 42 18 40 20 00 38 00 50 1C 48 33 00 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2A 80 53 42 1F 90 53 42 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 13 01 1D 00 04 1B 01 B0 C7 F7 C3 48 FF C8 79 40 77 6B D6 60 05 F8 01 B0 20 10 2D 00 30 90 15 00 00 00 00 00 00 00 00 

CHECK 31/01/2015 13:15 5h 38m
C4 08 66 B9 42 18 40 20 00 38 00 60 1C 48 33 00 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2A 80 53 42 1F 90 53 42 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 13 01 1D 00 04 1B 01 B0 C7 F7 C3 48 FF C8 79 40 77 6B D6 00 04 F8 01 A9 20 48 2D 00 30 90 15 00 00 00 00 00 00 00 00 

Offline

#129 2015-02-02 18:27:11

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

I verified these:

block02 byte 4=counter of the passage made in one day
block48 byte 1=remaining minutes/2 -> hex

For the other "guessings" maybe time and hours can be stored as a binary clock format. I am low in time those days and I cannot verify them; I paste there the only 3 changing blocks, maybe someone will find the time to verify how date and time are stored:

CHECK 04/01/2015 ??:?? 6h 52m
blocks: data
02: 00 38 00 F0 
47: 20 0C 20 01 
48: CE 60 98 2D 

CHECK 31/01/2015 12:03 6h 48m
02: 00 38 00 10 
47: A0 06 F8 01 
48: CC 20 20 4C 

CHECK 31/01/2015 12:17 6h 36m
02: 00 38 00 20 
47: 70 05 F8 01 
48: C6 20 50 2C 

CHECK 31/01/2015 12:25 6h 28m
02: 00 38 00 30 
47: 40 04 F8 01 
48: C2 20 70 2C 

CHECK 31/01/2015 12:47 6h 06m
02: 00 38 00 40 
47: B0 03 F8 01 
48: B7 20 C8 2C 

CHECK 31/01/2015 13:02 5h 52m 
02: 00 38 00 50 
47: 60 05 F8 01 
48: B0 20 10 2D 

CHECK 31/01/2015 13:15 5h 38m
02: 00 38 00 60 
47: 00 04 F8 01 
48: A9 20 48 2D 

Last edited by asper (2015-02-02 18:27:23)

Offline

#130 2015-02-02 23:22:23

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

tarcisiomerlot wrote:

@Asper: I have already understood some bytes: block 2 byte 4=counter of the passage made in one day

What type of skipass do you use?
I have skipass valid for 14 days, and 'block 2 byte 4=counter' is incremented only ones per day (Kaprun AT).

Offline

#131 2015-02-03 07:45:28

gaucho
Contributor
From: France
Registered: 2010-06-15
Posts: 444
Website

Re: Skidata tickets (iso 15693)

thefkboss wrote:

i have tried on this

http://www.skidata.com/en/parking-management/barriers-columns/parking-column-columngate.html
http://www.skidata.com/en/parking-management/automated-payment-machines/easycash.html
http://www.skidata.com/en/parking-management/automated-payment-machines/powercash.html

and I can record de comunication

these are parking systems, while we're tring pm on turnstiles with extended operative temperature and bigger antennas


Imagination is more important than knowledge.

Offline

#132 2015-02-03 07:51:52

gaucho
Contributor
From: France
Registered: 2010-06-15
Posts: 444
Website

Re: Skidata tickets (iso 15693)

Piorun wrote:
gaucho wrote:

2) the tag uses fast communication protocol (what is your tag model?)

How to check what type of protocol is used ?
I have only 5 days to finish tests (end of holiday).

now i'm not on my pc. looking at the uid you should be able to identify the model. once you know your tag model, you can find the datasheet. on mine it is written that a fast protocol is supported


Imagination is more important than knowledge.

Offline

#133 2015-02-03 08:19:35

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Piorun wrote:
tarcisiomerlot wrote:

@Asper: I have already understood some bytes: block 2 byte 4=counter of the passage made in one day

What type of skipass do you use?
I have skipass valid for 14 days, and 'block 2 byte 4=counter' is incremented only ones per day (Kaprun AT).

I do not have those tags, i just quickly analyzed your data.
To check the chip inside your tag read it again with pm3 client 0.0.7, it should name it.

Offline

#134 2015-02-03 19:06:17

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

Today I was able to record the data sent by the reader, but not sent by the card  ( proxmark antenna was in backpack), maybe this is enough to read the  password ?

proxmark3> hf list iclass
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# cancelled_a
#db# 4 0 0
#db# 20 83 f0
Recorded Activity (TraceLen = 131 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Rdr | 13  23  00  03  76  c4                                          |     | ?
         0 |         0 | Rdr | 13  23  1c  02  ce  e9                                          |     | ?
         0 |         0 | Rdr | 13  23  2a  01  27  39                                          |     | ?
         0 |         0 | Rdr | 13  23  1f  01  3d  f1                                          |     | ?
         0 |         0 | Rdr | 13  23  04  02  9f  b2                                          |     | ?

Offline

#135 2015-02-03 22:28:57

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

distance problem, antenna.....???
what card do you have sle, em......?
that log is incomplete the reader have to sent the password
good progress

Offline

#136 2015-02-03 23:59:03

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

Out of subject: Today I got skipass from Italy
'Dolomity SKIPASS'
04.01.15
(10) Valle Isarco
5 days    J

proxmark3> hf 15 dumpmem
Reading memory from tag UID=E004015029720300
Tag Info: NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)
Block 00   D4 08 03 BE    ....
Block 01   C2 1D 02 00    ....
Block 02   4E 29 EF 11    N)..
Block 03   12 20 53 42    . SB
Block 04   1B 00 00 00    ....
Block 05   00 00 00 00    ....
Block 06   00 00 00 00    ....
Block 07   00 00 00 00    ....
Block 08   00 00 00 00    ....
Block 09   00 00 00 00    ....
Block 0a   00 00 00 00    ....
Block 0b   00 00 00 00    ....
Block 0c   00 00 00 00    ....
Block 0d   00 00 00 00    ....
Block 0e   00 00 00 00    ....
Block 0f   00 00 00 00    ....
Block 10   00 00 00 00    ....
Block 11   00 00 00 00    ....
Block 12   02 92 30 05    ..0.
Block 13   00 00 00 84    ....
Block 14   3D 82 C8 47    =..G
Block 15   8B B1 EC 03    ....
Block 16   41 61 BC 94    Aa..
Block 17   7B 2F CD 18    {/..
Block 18   43 29 B5 BB    C)..
Block 19   F7 80 72 F0    ..r.
Block 1a   B6 90 F5 F3    ....
Block 1b   D1 0A 6F 7C    ..o|
Tag returned Error 15: Unknown error.

Offline

#137 2015-02-04 00:12:56

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

thefkboss wrote:

what card do you have sle, em......?

ho to check this ?

proxmark3> hf 15 dumpmem
Reading memory from tag UID=E0162466059BC8E6
Tag Info: EM Microelectronic-Marin SA Switzerland (Skidata)
Block 00 
{ 0xE016000000000000LL, 16, "EM Microelectronic-Marin SA Switzerland (Skidata)" },
{ 0xE016040000000000LL, 24, "EM-Marin SA (Skidata Keycard-eco); EM4034? no 'read', just 'readmulti'" },
{ 0xE0160c0000000000LL, 24, "EM-Marin SA; EM4035?" },
{ 0xE016100000000000LL, 24, "EM-Marin SA (Skidata); EM4135; 36x64bit start page 13" },
{ 0xE016940000000000LL, 24, "EM-Marin SA (Skidata); 51x64bit" },

Last edited by Piorun (2015-02-04 00:32:10)

Offline

#138 2015-02-04 00:33:49

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

Tag Info: NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)


http://www.nxp.com/documents/data_sheet/SL058030.pdf
http://www.nxp.com/documents/data_sheet/SL2S2002_SL2S2102.pdf

Offline

#139 2015-02-04 09:50:42

marcogtt
Member
Registered: 2015-02-04
Posts: 4

Re: Skidata tickets (iso 15693)

Hi everyone looks like this is the place to go to deepen the study around this topic. I didn't find such a comphrensive collection of infos anywhere else than here all over the net.
I'm looking at an Italian resort which basically have the same pattern of card issuing as others. They allow online top up of the card by using Te serial to identify it but I realized that they have  preactivated serials for one use only cards to be used in stores promotions all over the country. For instance I can be in a store far from the resort with some kind of promotion get a free ski pass which in fact is a card know from the main database which is waiting to be activated from the first passage at the turnstyle . I would like to target those serials which are not yet being activated and are still sitting in some store drawers. The logic behind this should be simple. Right now I'm collecting serials of cards which comes from the same store to see if there is any sub sequentiality which I guess will be. Then I will just need to change the serial of the card on an existing one with other bytes zeroed like a brand new one.....what do you think bout that?

Offline

#140 2015-02-04 10:02:20

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

It is NOT POSSIBLE to modify an UID/Serial for ISO15693 cards/tags (and the above mentioned cards are all ISO15693); no one has ever emulated an ISO15693 tags until now so it will be impossible for you to do what you are trying to do. Also serials are written at the tags factory so even ski resorts have no control on them, they receive them "as is", they can only put the serial in the database and add/remove features to it.

Last edited by asper (2015-02-04 10:06:20)

Offline

#141 2015-02-04 10:11:51

marcogtt
Member
Registered: 2015-02-04
Posts: 4

Re: Skidata tickets (iso 15693)

So what would be the way to proceed with a not yet activated card?
If we don't have chances to work on uid I dont see any way out as they are the primary key for the card in the activated database....

Offline

#142 2015-02-04 23:11:09

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

Here is full log, but I don't see any password (I removed duplicated response from the tag with the same value - i think it is noice):

proxmark3> hf list iclass
Recorded Activity (TraceLen = 9790 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
         0 |         0 | Tag | bb  d4  bb  0f  0f  00  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0e  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0c  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0c  00  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0c  07  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  08  07  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  08  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  00  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  01  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0e  01  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0e  03  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0e  03  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0c  00  03  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0c  03  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0c  07  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0c  00  07  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  08  00  04  bb                                  |  ok |
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  08  00  04  bb                                  |  ok |
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  08  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  00  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0e  00  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0e  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0e  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0c  03  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0c  07  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0c  00  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  08  07  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  08  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  08  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  00  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  00  01  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0c  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  01  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0e  00  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 13  23  00  03  76  c4                                          |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0c  00  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0e  00  04  bb                                  |  ok |
         0 |         0 | Rdr | 13  23  2a  01  27  39                                          |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0e  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0e  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0c  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0c  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 13  23  2c  03  49  05                                          |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  08  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  01  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0e  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0e  03  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0c  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0c  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0d  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0a  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  08  06  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0d  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0c  09  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  00  0b  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0d  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  05  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0b  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0e  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0d  07  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0e  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0b  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0d  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0e  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0b  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0b  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 13  23  2c  03  56  84                                          |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  00  00  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0e  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0c  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 13  21  31  00  11  3c  15  1e  51                              |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 13  21  02  00  38  00  b0  8d  0d                              |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
proxmark3>

Offline

#143 2015-02-05 00:14:06

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

I don´t know if that log is ok?
do you have any of that data in your card?
I think the tag answer is different from your card, you don´t have any of that data in your card?
do you find any similarity with the info inside your card??
you card is suposed to be a  sl2s2002 or sl2s2102

http://www.nxp.com/documents/data_sheet/SL2S2002_SL2S2102.pdf

and in that log i can´t see any card command discribed in the datasheet
or the log is wrong or is not a philips sl2s2002 or sl2s2102 or proxmark sniffing error, or may be i´m wrong.

Offline

#144 2015-02-05 01:40:21

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

01 is the "inventory" but I don't think that tag answer is good... look at your dumps and see if there are any of those bytes sequences in the tag memory.

23 is the read a range of blocks while 21 is write a block.

Last edited by asper (2015-02-05 08:14:12)

Offline

#145 2015-02-05 08:58:06

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

asper wrote:

01 is the "inventory" but I don't think that tag answer is good... look at your dumps and see if there are any of those bytes sequences in the tag memory.

23 is the read a range of blocks while 21 is write a block.

Log: Rdr | 13  21  02  00  38  00  b0  8d  0d                             
Tag: Block 02   00 38 00 B0    .8..

#2
Log:  Rdr | 13  21  31  00  11  3c  15  1e  51 
Tag:  Block 31   00 11 3C 15    ..<.

Offline

#146 2015-02-05 09:05:09

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

This is correct because 21 02 means write (21) block 2 (02), while 21 31 means write (21) block 49 (31).
23  00  03 means read from block 00 to block 03.

What is strange is the continuous tag answer, can you find "bb  d4  bb  0f  0f  0c  04  bb" or other tag-answered bytes in your dump ?

Anyway it seems you were not lucky, no password seems to be sent during your snoop time.

Last edited by asper (2015-02-05 09:07:19)

Offline

#147 2015-02-05 09:44:09

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

Thanks asper.
Piorun you lost reader packets because before write you need password command

Offline

#148 2015-02-05 17:44:55

Narno
Member
Registered: 2015-02-05
Posts: 1

Re: Skidata tickets (iso 15693)

Hey guy,

May be my question is stupid but i'm looking for the answer for a long long time.
I hope you could help me to sleep better ^^

I'm developping an android app and I try to read info in skidata keycard.
I only want to get the id "1-1614 7133 53 ..." from the "raw" data tag.
Any advice or solution to get it?

Sincerely,

Arnaud

Offline

#149 2015-02-05 22:56:56

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

asper wrote:

I verified these:

block02 byte 4=counter of the passage made in one day
block48 byte 1=remaining minutes/2 -> hex

CHECK 31/01/2015 12:03 6h 48m
02: 00 38 00 10 
47: A0 06 F8 01 
48: CC 20 20 4C 

Could you explain this:

Remainig time is 6h 48m
Block#48:byte#1 = CC

CC/2 = 66 Hex -> 102 Dec -> 1h 42m  - how to interpret the value ?

Offline

#150 2015-02-05 23:28:45

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

6h 48m = 408m /2 = 204 -> CCh

Offline

Board footer

Powered by FluxBB