Hi all,
Among others, I have what I've been led to believe is a password mode Hitag2 token. 'set tag hitag2' followed by 'uid' returns 'read error!' (I'm guessing that 'uid' issued when the tag type is hitag2 will send START_AUTH?)
I've tried adjusting the high pot up to 255 (Adam suggested tweaking it) with the same results.
Any suggestions on how I could investigate the token further?
Many thanks,
alec
Comments
RFIDler> set tag hitag2
OK
*HITAG2> uid
7303xxxx
The other thing you need to be careful with is to set the pot to something that will produce data since the low level routines rely on the logic circuit for two-way tag types. i.e. you can't use pot settings of 0 and 255...
Try:
rfidler.py /dev/RFIDler 'set tag hitag2' 'potsetv h 3' 'potsetv l 0' plot 1000
and you should see something like:
note that you need to be running the latest version to set pots in volts!
Thanks for the reply. I'm using the most recent compiled version from github (0033-beta), which gives me plots like the below when I run something like "rfidler.py /dev/ttyACM0 'set tag hitag2' 'potset h 128' 'potset l 0' plot 2000":
Tags are these: http://www.paxton.co.uk/products.asp?id=011,24&strStage=product_page&strFamily=net2&strGroup=group-05041
alec
I suspect you won't get a UID command to work (I didn't), but that is almost certainly a timing issue that I need to address in the Hitag2 code... Another one to add to the list! :)
Two questions :-
When in ASKRAW mode, even with all of the other options set the same as in hitag2 mode, the plot does not register any activity from the card at all. I thought that I should at least get some sort of noticeable waveform? What other changes does the hitag2 mode make?
OK, three questions ;)
You say to wind a smaller antenna. Are there any guidelines for this - does it need to have a specific number of turns for example?
For the coil, it needs to have a specific inductance at the chosen frequency. Chip Monkey is working on a mod for the board that will help you measure that.
RFIDler> detect-pwm
Waiting for PWM (hit any key to abort/report)...
Pulse: 2190426 Gap: 329
Pulse: 0 Gap: 5679
Pulse: 10383 Gap: 40
Pulse: 172 Gap: 48
Pulse: 173 Gap: 48
Pulse: 101 Gap: 48
Pulse: 101 Gap: 48
Pulse: 102 Gap: 46
RFIDler>
The above is a sniff of an external reader getting the UID from a HITAG2 which can clearly be seen in the last 5 pulses: 2 long, 3 short = 11000 = "START_AUTH".
I'll tidy up the code and write a HITAG2 decoder then commit...
*HITAG2> DETECT-PWM
Waiting for PWM (hit any key to abort/report)...
11000
01001101010010010100101101010010
*HITAG2> bintohex 01001101010010010100101101010010
4D494B52
The physical layout I used for testing was sniffer coil, tag, reader coil using two RFIDlers.
I also used a Paxton MultiFormat desktop reader with the sniffer coil underneath the reader and the tag being placed on top.
You'll probably find there is an optimal position, and to get a better clue of what's going on, just do a sniff without setting the tag type. Looking at the pulse and gap widths will give a strong indication of whether your sniffer coil is happy...
*HITAG2> sniff-pwm
Waiting for PWM (hit any key to abort/report)...
11000, START_AUTH
11000, START_AUTH
01001101010010010100101101010010, PWD:4D494B52
1001101100, WRITE_PAGE:3
00000110101010100100100001010100, DATA:06AA4854
1101100100, READ_PAGE:3
11000, START_AUTH
11000, START_AUTH
01001101010010010100101101010010, PWD:4D494B52
1000001111, WRITE_PAGE:0
11110011110010000001001100011111, DATA:F3C8131F
1100000111, READ_PAGE:0
...
[ snip ]
...
11000, START_AUTH
01001101010010010100101101010010, PWD:4D494B52
1001001101, WRITE_PAGE:2
00100000111100000100111101001110, DATA:20F04F4E
1101000101, READ_PAGE:2
11000, START_AUTH
01001101010010010100101101010010, PWD:4D494B52
1010001011, WRITE_PAGE:4
00000000000000000000000000000000, DATA:00000000
1110000011, READ_PAGE:4
11000, START_AUTH
01001101010010010100101101010010, PWD:4D494B52
1010101010, WRITE_PAGE:5
00000000000000000000000000000000, DATA:00000000
1110100010, READ_PAGE:5
11000, START_AUTH
01001101010010010100101101010010, PWD:4D494B52
1011001001, WRITE_PAGE:6
00000000000000000000000000000000, DATA:00000000
1111000001, READ_PAGE:6
11000, START_AUTH
01001101010010010100101101010010, PWD:4D494B52
1011101000, WRITE_PAGE:7
00000000000000000000000000000000, DATA:00000000
1111100000, READ_PAGE:7
11000, START_AUTH
010011010100100101001011010,?INVALID?
1001101100, WRITE_PAGE:3
00000110101010100100100001010100, DATA:06AA4854
1101100100, READ_PAGE:3
Note the '?INVALID?' command is due to delays induced by automatically jumping out of sniff mode when the buffer is full... Still thinking about how to deal with this more elegantly...
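As an added example (my own Python, not RFIDler's code), here is a small decoder in the spirit of the sniff above: it turns detect-pwm Pulse/Gap lines into bits using an assumed long/short threshold, then labels each word the way sniff-pwm does, using the Hitag2 reader command layout (2 command bits, 3-bit page, then both inverted) that the WRITE_PAGE/READ_PAGE words above follow. The pulse timing window and the 140-tick threshold are assumptions picked to fit the detect-pwm sample earlier in the thread.

```python
import re
from typing import Optional

# Constructed sample in the detect-pwm output format shown earlier in the thread
SAMPLE_PWM = """Pulse: 2190426 Gap: 329
Pulse: 0 Gap: 5679
Pulse: 10383 Gap: 40
Pulse: 172 Gap: 48
Pulse: 173 Gap: 48
Pulse: 101 Gap: 48
Pulse: 101 Gap: 48
Pulse: 102 Gap: 46"""

# Assumed timing window: pulses outside it are carrier/sync, not data bits
MIN_DATA_PULSE, MAX_DATA_PULSE = 50, 400
LONG_PULSE_THRESHOLD = 140  # assumed: above = long = 1, below = short = 0

def pwm_to_bits(text: str) -> str:
    """Convert 'Pulse: n Gap: m' lines into a bit string (long pulse = 1)."""
    bits = []
    for m in re.finditer(r"Pulse:\s*(\d+)\s+Gap:\s*(\d+)", text):
        pulse = int(m.group(1))
        if MIN_DATA_PULSE <= pulse <= MAX_DATA_PULSE:
            bits.append("1" if pulse > LONG_PULSE_THRESHOLD else "0")
    return "".join(bits)

# Hitag2 reader commands: 2 command bits, 3 page bits, then both inverted.
# Only READ_PAGE (11) and WRITE_PAGE (10) appear in the sniff above; the other two
# are the remaining entries of the standard Hitag2 command set.
CMD_NAMES = {"11": "READ_PAGE", "01": "READ_PAGE_INVERTED",
             "10": "WRITE_PAGE", "00": "HALT"}

def invert(bits: str) -> str:
    return "".join("1" if b == "0" else "0" for b in bits)

def decode_command(bits: str, prev: Optional[str]) -> str:
    """Label one sniffed word; 'prev' is the label of the preceding word."""
    if bits == "11000":
        return "START_AUTH"
    if len(bits) == 10:
        cmd, page, icmd, ipage = bits[:2], bits[2:5], bits[5:7], bits[7:]
        if cmd in CMD_NAMES and icmd == invert(cmd) and ipage == invert(page):
            return f"{CMD_NAMES[cmd]}:{int(page, 2)}"
        return "?INVALID?"  # inverted check bits do not match
    if len(bits) == 32:
        word = f"{int(bits, 2):08X}"
        if prev == "START_AUTH":              # 32 bits after START_AUTH = password
            return f"PWD:{word}"
        if prev and prev.startswith("WRITE_PAGE"):  # after WRITE_PAGE = page data
            return f"DATA:{word}"
        return f"WORD:{word}"
    return "?INVALID?"  # truncated or unexpected length, as in the last sniff block

def decode_sniff(words):
    """Label a whole sequence of sniffed words in sniff-pwm style."""
    out, prev = [], None
    for w in words:
        prev = decode_command(w, prev)
        out.append(f"{w}, {prev}")
    return out
```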