Research, development and trades concerning the powerful Proxmark3 device.
Hey guys,
Has anyone done any work with the DST implementation from Texas Instruments?
I've gone over the previous work in cracking that; however, no code implementation of the cracking or Hellman tables described in the document has been released that I've found. This is not a big issue, it just means I need some FPGAs and some time to create these tables or potentially crack keys, as well as implement the reader in the pm3.
I'd like to implement the active attack (getting the pm3 to excite the DST) to allow the ability to later simulate that DST. The passive attack would be neat (eavesdropping), though I think it's less interesting and less useful for mere demonstration purposes.
If anyone is interested in working with this implementation on the PM3 with me, please let me know! I don't have access to any FPGAs (besides on the PM3) so any access to those would be great, and I'm sure it will be trivial to get access to DSTs for testing purposes.
I would also purchase the TI-RFID kit which includes a reader, but it's a bit pricey. I found it on eBay for about $560, which is out of my price range. I'm hoping with the available documentation it won't be necessary.
I also realized my own car key has an RFID tag in it, so I'm assuming it's using DST. I'll be able to learn more once I JTAG my PM3 back up in the next few days.
If you're interested but not familiar with the attack, read the PDF and related docs here:
http://securityevaluators.com/content/c … /index.jsp
Last edited by samy (2009-07-20 02:46:18)
Hey Samy,
This would indeed be an interesting project. Keep me updated, I can help you work out the details.
About your car key, check whether it is a Hitag2 chip. These seem to be used in a lot of car keys.
More info about this LF chip is available here:
https://har2009.org/program/events/135.en.html
Cheers,
Roel
This is a 2 part post...
1. This is my first post here, just ordered my P3 today... and anxiously await its arrival!
So I guess an introduction is in order. My name is Dave (Gratefuldeadbolt), I am from Ontario, Canada and work in the security industry as a Locksmith and Electronics Technician. On any given day I can find myself busy doing anything from locksmithing to sales and installation of access control systems and hardware, as well as alarm systems and CCTV video surveillance.
2. I offer any help you may want with regards to identifying specific transponders in use with specific vehicles. If you tell me what year and model of vehicle you drive Sammy I'm sure I can determine the exact chip in use.
Roel is correct that the Hitag 2 is used in many vehicles, but the list is also quite long....
Here is a quote from JMA USA (one of the larger key manufacturers):
"JMA offers its clients an extensive variety of chips as listed:
TP01 TP05 PHILIPS
TP02 TP02-TPX1 TEXAS FIJO CRISTAL
TP03 TP05 MEGAMOS
TP04 TP05 TEMIC
TP05 TP05 NOVA
TP06 TP06 TEXAS CRYPTO CRISTAL
TP07 TP07-TPX1 TEXAS FIJO CERAMICA
TP08 TP08 MEGAMOS CRIPTO CRISTAL
TP09 TP09 PHILIPS CRIPTO OPEL-GM-HOLDEN-SUZUKI
TP10 TP10 PHILIPS CRIPTO 1º GENERACION SEAT-VOLKSWAGWEN
TP11 TP11 MEGAMOS CERAMICA CRYPTO CITROEN
TP12 TP12 PHILIPS CRIPTO
TP13 TP13 PHILIPS CRIPTO NISSAN
TP14 TP14 PHILIPS CRIPTO 2º GENERACION SEAT-VOLKSWAGWEN
TP15 TP15 PHILIPS CRIPTO 2º GENERACION OPEL
TP16 TP16 PHILIPS CRIPTO 1º GENERACION PEUGEOT
TP17 TP17 TEMIC CRIPTO MAZDA
TP18 TP18 MOTOROLA INDALA LINCOLN
TP19 TP19 TEXAS CRIPTO CERAMICA
TP20 TP20 TEXAS CRIPTO CERAMICA FORD-MAZDA
TP21 TP21 TEXAS CRYPTO RENAULT-JEEP-CHRYSLER
TP22 TP22 MEGAMOS CRIPTO SEAT
TP23 TP23 MEGAMOS CRIPTO VOLKSWAGEN
TP24 TP24 MEGAMOS CRIPTO SKODA
TP25 TP25 MEGAMOS CRIPTO AUDI
TP26 TP26 TEXAS CRYPTO MITSUBISHI
TPX1 TPX1 TPX1"
End quote.
I have reference material that will identify the chip by model and year... just ask and I'll see what I can find out.
I look forward to trying out the Proxmark3 and getting to know everyone here!
.....oh the painful wait has begun!!!! I have to stop looking at the mailbox geeze I just ordered it today!!! lol.
Gratefuldeadbolt.
Hey Dave,
Welcome!
Hope you get it soon. Let us know how your experience is and what you start using it for.
That's great if you can provide some info... I have an '02 Porsche Boxster that I'd like to communicate with. If you happen to know any info on the Hitag/DST on it, that'd be great.
I haven't had a chance to play with it as I've been working on some other projects but I'll be returning to PM3 code shortly, and hopefully will begin working with the car immobilizers.
-samy
Thanks for the welcome, Sammy!
I'm not at work so I don't have access to my manuals there, but a quick read through JMA's PDF at
http://www.jmausa.com/pdf/Transponder%2009.pdf only lists the Boxsters up to 1998... with the Philips or Megamos and Megamos Crypto (page 43).
The Megamos was clonable with their TRS 5000 tool (not the Megamos Crypto). I will have a look at work on Monday and see what else I can find.
On a side note... look what I found here ---->
http://cgi.ebay.com/ebaymotors/TRANSPON … 6011r34315
Apparently it is a transponder bypass kit that will work with your Boxster.
Hey Sammy, I just looked up your Boxster at work. The 1999-2008 is a restricted dealer key, requires a Porsche System Tester to program the computer, and the key uses a MEGAMOS ENCRYPTED SYSTEM chip.
Not sure if that helps you much, but thought I'd pass that on anyway.
Any idea on how Mercedes keys work? Karsten tried to read my key at HAR but was not successful. I have a feeling it might not be RFID but IR, because there is a round, slightly translucent bit in the key, and the keyhole looks like it might house an IR LED to communicate rather than RFID.
Hi Dj.... yes, your key is probably infrared. I know most M's keys are dealer restricted; my auto book lists some as using a Philips code-rolling tech, but interestingly enough they do use IR. I wonder if Philips has a code-rolling standard for encryption. Most IR keys will store both a unique serial number ID as well as a code-roll key; every time the key is used in the ignition, a new code-roll key is written to the key.
A 2-second search on Google and I found this for you:
http://www.mbclub.bg/forums/lofiversion … 18197.html
Some good reading there.
Now I wonder what we could read with some custom IR kits!
Hmmm, plenty of IR projects online.