Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-12-30 17:52:51

Gtpy
Contributor
From: GER
Registered: 2017-10-24
Posts: 32

ICode SLIX-L (SL2S5002)

Has anyone already taken a look at the Tonies?
You know, the Tonie Boxes that play radio plays.

So far, I haven't had a chance with these little figures.
With the smartphone I could see SLIX-L (SL2S5002) on some ICODE devices.
What I don't understand is why not all figures are recognized.

Neither with the smartphone nor the Pm3, etc.

The functionality is coupled with a cloud. However, this must be related to the figures and their UID.

Anyone have some ideas how to go on?

I'll try to recognize some of them with pm3 and post more info if successful.


#2 2018-12-30 18:10:45

iceman
Administrator
Registered: 2013-04-25
Posts: 5,449
Website

Re: ICode SLIX-L (SL2S5002)

Got a link?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#3 2018-12-30 18:56:33

Gtpy
Contributor
From: GER
Registered: 2017-10-24
Posts: 32


#4 2019-03-26 17:18:14

datatype
Contributor
Registered: 2019-03-18
Posts: 4

Re: ICode SLIX-L (SL2S5002)

As you have already found out, the "Tonies" contain an SL2S5002.
Normally, the Token is protected by something Icode calls privacy mode.
The chip will not respond to an INV request if in this state, just to commands 0xB2 (get random number, always) or 0xB3 (set password, if you submit the correct xored pw).
If you sniff the communication, you will see the Box continuously sending 0xB2 in unaddressed mode until a Token responds.
At this point the box uses the acquired random number xored with the password to unlock the privacy mode, sends an INV request to obtain the UID, reads blocks 1 to 8 and locks the chip with 0xBA (enable privacy) again. After this, the box continuously sends 0xB2 (get random number), this time in addressed mode, just to detect if the "Tonie" is still present.

Sometimes, re-enabling the privacy mode seems to fail - this is the case when the "Tonie" responds to the INV sent by your smartphone... If you put the tonie onto the box, you have a good chance that the box locks the Tonie at this time correctly and it will no longer respond to your smartphone's INV requests afterwards :-)

It's quite easy to get the privacy mode password by sniffing the communication... With this you can script your own reader and read out the tonies without the box... (Don't do this in the next shop
You will find 32 bytes of data in the SLIX-L.
This could be either a SHA256 hash, being a signature of the UID, being just the hash of the content to be downloaded, an internal serial number, etc.

If I find the time I will read some more of them (I am especially interested in reading 2 similar tonies...), maybe I find out something more...

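Added example, not part of datatype's post or of any Proxmark code: a small Python annotator for reader-to-tag frames as they appear in a sniffed trace, which makes the unaddressed and addressed 0xB2 polling described in post #4 visible and checks each frame's CRC. The frame layout, the flag bits and the manufacturer code byte are assumptions taken from ISO 15693 and the NXP ICODE SLIX documentation; the trace, UID and payload bytes are constructed.

```python
# Added example: annotate sniffed ISO 15693 reader frames (hex, CRC included).
# 0xB2/0xB3/0xBA are the command codes named in the post; the frame layout is
# an assumption taken from ISO 15693 and the NXP ICODE SLIX documentation.
NAMES = {0x01: "INVENTORY", 0xB2: "GET RANDOM NUMBER",
         0xB3: "SET PASSWORD", 0xBA: "ENABLE PRIVACY"}
FLAG_INVENTORY, FLAG_ADDRESS = 0x04, 0x20


def crc15693(data: bytes) -> int:
    """ISO 15693 CRC: reflected poly 0x8408, preset 0xFFFF, inverted output."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def frame(body_hex: str) -> str:
    """Build a constructed sample frame: body plus CRC, low byte first."""
    body = bytes.fromhex(body_hex)
    return (body + crc15693(body).to_bytes(2, "little")).hex()


def annotate(hex_frame: str) -> dict:
    raw = bytes.fromhex(hex_frame)
    if len(raw) < 4:                      # flags + command + 2 CRC bytes
        return {"error": "frame too short"}
    body, crc = raw[:-2], int.from_bytes(raw[-2:], "little")
    flags, cmd, pos = body[0], body[1], 2
    out = {"cmd": NAMES.get(cmd, f"0x{cmd:02X}"), "crc_ok": crc15693(body) == crc}
    if 0xA0 <= cmd <= 0xDF:               # custom command: manufacturer code follows
        out["mfg"] = body[pos] if len(body) > pos else None
        pos += 1
    if flags & FLAG_INVENTORY:
        out["mode"] = "inventory"
    elif flags & FLAG_ADDRESS:            # 8-byte UID, least significant byte first
        out["mode"], out["uid"] = "addressed", body[pos:pos + 8][::-1].hex()
        pos += 8
    else:
        out["mode"] = "unaddressed"
    out["param_len"] = max(len(body) - pos, 0)   # payload is counted, not decoded
    return out


# Constructed trace in the order the post describes; UID and payload are made up.
UID_LSB_FIRST = "01000000000104e0"
TRACE = [frame("02b204"), frame("02b3040400000000"), frame("260100"),
         frame("22b204" + UID_LSB_FIRST)]

if __name__ == "__main__":
    for f in TRACE:
        print(f, annotate(f))
```

A frame whose `crc_ok` is false was most likely captured incompletely, which fits the antenna-positioning trouble mentioned later in the thread.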

#5 2019-03-26 20:09:41

Gtpy
Contributor
From: GER
Registered: 2017-10-24
Posts: 32

Re: ICode SLIX-L (SL2S5002)

Great info. I didn't have much time to deal with it again. I have a lot of Tonies to test here, because my kids love them all.

I will also have to search and read the data sheet again.

If I find out more too, you'll hear from me.


#6 2019-03-26 20:49:51

iceman
Administrator
Registered: 2013-04-25
Posts: 5,449
Website

Re: ICode SLIX-L (SL2S5002)

[moved to correct category]



#7 2019-03-28 13:50:12

Gtpy
Contributor
From: GER
Registered: 2017-10-24
Posts: 32

Re: ICode SLIX-L (SL2S5002)

If I remember correctly, ICODE SLIX -> ISO 15693


#8 2019-03-28 16:08:31

iceman
Administrator
Registered: 2013-04-25
Posts: 5,449
Website

Re: ICode SLIX-L (SL2S5002)

yup. moved again :)



#9 2019-03-28 22:28:09

Gtpy
Contributor
From: GER
Registered: 2017-10-24
Posts: 32

Re: ICode SLIX-L (SL2S5002)

How'd you sniff out the communications? I've never dealt with ISO 15693 tags before. Do you use the pm3 hf 15 commands? Strangely enough, I haven't had any luck yet. I'll keep trying.


#10 2019-03-29 12:53:26

datatype
Contributor
Registered: 2019-03-18
Posts: 4

Re: ICode SLIX-L (SL2S5002)

As far as I can remember: "hf 15 snoop"... press the pm3 button afterwards and print out the communication with "hf list raw"...
In my setup it was a little bit tricky to get both directions (I guess the antenna in the token is not really good...).
If you see just the reader, play a bit with the position of the antenna and use a tonie with a "fat ass"...

BTW: In active communication, I couldn't get the pm3 to unlock a tonie, because the pm3 did not maintain the reader field after sending a command, see my other topic in ISO15693... I do this with a QR-15 from http://www.metratec.com/ now.

In the meantime I was able to read out some more Tonies, especially two "identical" ones. (Reading also works on tonies in their original packaging... :-) )
Unfortunately, they differ in both UID and data. The data does not have any conspicuous structure I can see right now... (I still believe it's a sha256 hash over the Token's UID and a secret)


#11 2019-05-16 17:36:54

Json50
Contributor
From: China
Registered: 2018-08-30
Posts: 6

Re: ICode SLIX-L (SL2S5002)

I have ICode SLIX-L (SL2S5002) magic cards. They can be exported in large quantities.


I am China people


#12 2019-05-16 18:00:54

Gtpy
Contributor
From: GER
Registered: 2017-10-24
Posts: 32

Re: ICode SLIX-L (SL2S5002)

@Json50 nice to know. I’ll come back to you later and send you an email if I need some.

