Proxmark3 community

#1 2019-08-21 15:41:38

somm15
Contributor
Registered: 2019-05-08
Posts: 4

Ikea ROTHULT simulation

Hello,

I'm trying to emulate an Ikea Rothult card.

[usb] pm3 --> hf search
[=] Checking for known tags...
          
 UID : 02 E2 00 68 97 67 55           
ATQA : 00 42          
 SAK : 20 [1]          
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41          
MANUFACTURER : ST Microelectronics SA France          
 ATS : 05 75 80 60 02 BB 58           
       -  TL : length is 5 bytes          
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)          
       - TA1 : different divisors are NOT supported, DR: [], DS: []          
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 6 (FWT = 262144/fc)          
       - TC1 : NAD is NOT supported, CID is supported          
[=] Answers to magic commands: NO           
          
[+] Valid ISO14443-A tag  found

So it is a MIFARE Plus card.

I added a mode 10 in "armsrc/iso14443a.c". I can now run:

hf 14a sim t 10 u 02E20068976755

I sniffed the real card opening the lock and compared with the simulation.

    2904320 |    2905376 | Rdr |26                                                                       |     | REQA          
    2906548 |    2908916 | Tag |42  00                                                                   |     |           
    2937218 |    2939682 | Rdr |93  20                                                                   |     | ANTICOLL          
    2940854 |    2946742 | Tag |88  02  e2  00  68                                                       |     |           
    2972856 |    2983320 | Rdr |93  70  88  02  e2  00  68  c8  63                                       |  ok | SELECT_UID          
    2984556 |    2988076 | Tag |24  d8  36                                                               |     |            
    3013634 |    3016098 | Rdr |95  20                                                                   |     | ANTICOLL-2          
    3017270 |    3023158 | Tag |68  97  67  55  cd                                                       |     |           
    3049236 |    3059700 | Rdr |95  70  68  97  67  55  cd  c2  fa                                       |  ok | SELECT_UID-2          
    3060936 |    3064520 | Tag |20  fc  70                                                               |     |    

The answer to SELECT_UID should be "04 da 17" and not "24 d8 36".
However, I don't understand why and I can't find how to update the code for this.

Does anyone have a clue?

Thanks in advance and regards,
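
Added example (not part of the original post and not Proxmark3 code): a small C program that checks the frames quoted in the trace above by recomputing CRC_A for the SAK answers, verifying the BCC bytes of the anticollision answers, and decoding the SAK bits. All function and array names are this example's own.

```c
/* Added example: validate frames copied from the trace in the post above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Frames as they appear in the post (array names are this example's own). */
const uint8_t SAK_TRACE[3]    = {0x24, 0xd8, 0x36}; /* SELECT_UID answer in the trace */
const uint8_t SAK_EXPECTED[3] = {0x04, 0xda, 0x17}; /* answer the poster says it should be */
const uint8_t SAK_CL2[3]      = {0x20, 0xfc, 0x70}; /* SELECT_UID-2 answer in the trace */
const uint8_t ANTI_CL1[5]     = {0x88, 0x02, 0xe2, 0x00, 0x68};
const uint8_t ANTI_CL2[5]     = {0x68, 0x97, 0x67, 0x55, 0xcd};

/* CRC_A (ISO/IEC 14443-3): initial value 0x6363, transmitted low byte first. */
uint16_t crc_a(const uint8_t *data, size_t len) {
    uint16_t crc = 0x6363;
    for (size_t i = 0; i < len; i++) {
        uint8_t ch = (uint8_t)(data[i] ^ (crc & 0xFF));
        ch = (uint8_t)(ch ^ (ch << 4));
        crc = (uint16_t)((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4));
    }
    return crc;
}

/* 1 if the last two bytes of the frame are the CRC_A of the bytes before them. */
int crc_a_ok(const uint8_t *frame, size_t len) {
    if (len < 3) return 0;
    uint16_t crc = crc_a(frame, len - 2);
    return frame[len - 2] == (crc & 0xFF) && frame[len - 1] == (crc >> 8);
}

/* BCC of an anticollision answer is the XOR of the four bytes before it. */
int bcc_ok(const uint8_t f[5]) { return (f[0] ^ f[1] ^ f[2] ^ f[3]) == f[4]; }

/* SAK 0x04: cascade bit, UID not complete, another cascade level follows. */
int sak_cascade(uint8_t sak) { return (sak & 0x04) != 0; }
/* SAK 0x20: ISO/IEC 14443-4 support; only meaningful once the UID is complete. */
int sak_iso14443_4(uint8_t sak) { return !sak_cascade(sak) && (sak & 0x20) != 0; }

static void show(const char *name, const uint8_t f[3]) {
    printf("%-8s SAK=%02x crc=%s cascade=%d iso14443-4=%d\n", name, f[0],
           crc_a_ok(f, 3) ? "ok" : "BAD", sak_cascade(f[0]), sak_iso14443_4(f[0]));
}

int main(void) {
    show("trace", SAK_TRACE);
    show("expected", SAK_EXPECTED);
    show("cl2", SAK_CL2);
    printf("BCC cl1=%d cl2=%d\n", bcc_ok(ANTI_CL1), bcc_ok(ANTI_CL2));
    return 0;
}
```

All three SAK frames carry a valid CRC_A, so `04 da 17` and `24 d8 36` differ only in the SAK byte itself: both set the cascade bit, and `24` additionally has bit 0x20 set.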


#2 2019-08-22 09:32:04

somm15
Contributor
Registered: 2019-05-08
Posts: 4

Re: Ikea ROTHULT simulation

I solved the problem. I'll post the code if I succeed with the rest.
Now, the entire conversation is the same, until the answer to "SELECT_UID-2".
Then the reader is supposed to issue RATS but nothing happens.
It beeps and the communication is terminated. However, I can't see any difference in the conversation between the emulation and the legit tag.
Does anyone have an idea?
