
Reading Hitag2

Hi all,

Among others, I have what I've been led to believe is a password mode Hitag2 token. 'set tag hitag2' followed by 'uid' returns 'read error!' (I'm guessing that 'uid' issued when the tag type is hitag2 will send START_AUTH?)

I've tried adjusting the high pot up to 255 (Adam suggested tweaking it) with the same results.

Any suggestions on how I could investigate the token further?

Many thanks,
alec

Comments

  • edited June 2014
    I've got a tag that's definitely password mode Hitag2 and this is what I get (with no prior settings applied):

    RFIDler> set tag hitag2

    OK


    *HITAG2> uid

    7303xxxx

  • Hi Mike,

    Thanks for the reply. When I run the 'plot' command, the graph I get with these tags is the same as if there's no tag on the reader at all. Adam said this was because of the nature of Hitag's START_AUTH process, but I'm a bit confused why the UID command doesn't return anything.

    Perhaps it's not Hitag2 after all? Not sure how I'd make the determination though.

    alec
  • If you do a plot with the tag type set to ASKRAW you would not see any traffic from a hitag2. However, if you set it to HITAG2 and then do your plot, you should see some ASK modulation. It may be that your tag has subtle timing issues that affect the ability to read - don't forget that all the development so far has been on my personal tag collection, and on a single RFIDler board, so it's very possible that the parameters I've chosen are too tight and need tweaking...

    The other thing you need to be careful with is to set the pot to something that will produce data since the low level routines rely on the logic circuit for two-way tag types. i.e. you can't use pot settings of 0 and 255...

    Try:

    rfidler.py /dev/RFIDler 'set tag hitag2' 'potsetv h 3' 'potsetv l 0' plot 1000

    and you should see something like:

    image


    note that you need to be running the latest version to set pots in volts!

  • Hi Adam,

    Thanks for the reply. I'm using the most recent compiled version from github (0033-beta), which gives me plots like the below when I run something like " rfidler.py /dev/ttyACM0 'set tag hitag2' 'potset h 128' 'potset l 0' plot 2000":

    image

    Tags are these: http://www.paxton.co.uk/products.asp?id=011,24&strStage=product_page&strFamily=net2&strGroup=group-05041

    alec
  • OK, the problem is that the coil is not coupling well due to the size of the tag - you may need to wind a dedicated smaller coil for tags like this... RFIDler works fine with their larger tags, and I can actually get a reasonable result with these small ones by holding them at a right-angle to the standard RFIDler coil (i.e. if the coil is lying flat on the table, stand the tag on its end in the centre or even up against the coil).

    I suspect you won't get a UID command to work (I didn't), but that is almost certainly a timing issue that I need to address in the Hitag2 code... Another one to add to the list! :)
  • Yes, you're quite right - the card and disc format tags give a much more sensible plot, and I was able to get the smaller tags to work by following your suggestion of holding them at right angles to the coil. UID didn't work, as you said.

    Can I get RFIDler to intercept an exchange between a tag and its reader in order to sniff the TAG and RWD passwords?

    Many thanks,
    alec
  • I have a tag that looks very similar to those Paxton ones and only gives a meaningful plot when in Hitag2 mode, though I can't do anything reliably.

    Two questions :-

    When in ASKRAW mode, even with all of the other options set the same as in hitag2 mode, the plot does not register any activity from the card at all. I thought that I should at least get some sort of noticeable waveform? - what other changes does the hitag2 mode do?

    OK, three questions ;)

    You say to wind a smaller antenna. Are there any guidelines for this - does it need to have a specific number of turns for example?
  • Hitag2 only transmits when it gets a command from the reader.

    For the coil, it needs to have a specific inductance at the chosen frequency. Chip Monkey is working on a mod for the board that will help you measure that.
  • For sniffing Hitag2, yes, in theory you should be able to do that, but I haven't got around to that bit of code yet...
  • Hi Adam,

    Thanks for the reply; I'd love to be able to intercept an exchange. Getting the UID command working with the Paxton fobs is also of great interest!

    alec
  • I think paxton is a timing issue - I have some paxtons that read ok, and others that don't. I'll look into it...
  • Thank you, most appreciated :)
  • Getting closer - I can copy all the fields of a password-mode Hitag2 fob into the VTAG.

    Does emulation work for this kind of tag? Running the EMULATION command and then waving the coil around a reader doesn't seem to do anything. Does the VTAG need to know the PWD somehow?

    Many thanks,
    alec
  • No, emulation for Hitag2 is not yet implemented, but is certainly feasible.
  • Hey There,

    I'm working on sniffing a Hitag 2 password too.
    Could you tell me how you got the pwd read alecw?

    Has the Hitag 2 emulation been implemented yet?

    egon
  • Hitag2 emulation is not implemented yet but I'm currently working on the sniffer code so pwd read will be trivial once that's done...
  • Looking forward to that :)

    alec
  • Step 1 is to read the messages being sent by the external reader. That seems to be fundamentally working, I just need to write some decoders now. Here is an example:

    RFIDler> detect-pwm
    Waiting for PWM (hit any key to abort/report)...

    Pulse: 2190426 Gap: 329
    Pulse: 0 Gap: 5679
    Pulse: 10383 Gap: 40
    Pulse: 172 Gap: 48
    Pulse: 173 Gap: 48
    Pulse: 101 Gap: 48
    Pulse: 101 Gap: 48
    Pulse: 102 Gap: 46

    RFIDler>

    The above is a sniff of an external reader getting the UID from a HITAG2, which can clearly be seen in the last 5 pulses: 2 long, 3 short = 11000 = "START_AUTH".

    I'll tidy up the code and write a HITAG2 decoder then commit...



  • I love it when a plan comes together:

    *HITAG2> DETECT-PWM
    Waiting for PWM (hit any key to abort/report)...
    11000
    01001101010010010100101101010010

    *HITAG2> bintohex 01001101010010010100101101010010
    4D494B52


  • Rocks :)

    Is it committed? I'll test it out if it is.
  • It is now. I've only created a decoder for HITAG2 so far, but I'll work on adding anything else that uses PWM. I've also changed the name of the command to "SNIFF-PWM" and it takes an optional argument which is the minimum gap size to look for in uS. Default should be fine for HITAG2.
  • Hmm, which firmware do I put on the board? The one in debug/production, or the one in default/production?

    Thanks,
    alec
  • I compile and commit both whenever I do an update, so it's up to you.
  • What's the difference?
  • And I've added Q5, T55X7 and HITAG1 sniffing...
  • What's the physical arrangement of coil/RWD/TAG when sniffing PWM like this? All I've managed to get so far are 1's?
  • The differences between debug and default can be viewed by flipping between them and viewing the project properties in MPLAB X IDE. It's mostly to do with debugging symbols etc.

    The physical layout I used for testing was sniffer coil, tag, reader coil using two RFIDlers.

    I also used a Paxton MultiFormat desktop reader with the sniffer coil underneath the reader and the tag being placed on top.

    You'll probably find there is an optimal position, and to get a better clue of what's going on, just do a sniff without setting the tag type. Looking at the pulse and gap widths will give a strong indication of whether your sniffer coil is happy...


  • I've updated the decoder for HITAG2 so it now shows the commands and data being passed. Here is a sniff of a blank tag being cloned:

    *HITAG2> sniff-pwm
    Waiting for PWM (hit any key to abort/report)...

    11000, START_AUTH
    11000, START_AUTH
    01001101010010010100101101010010, PWD:4D494B52
    1001101100, WRITE_PAGE:3
    00000110101010100100100001010100, DATA:06AA4854
    1101100100, READ_PAGE:3
    11000, START_AUTH
    11000, START_AUTH
    01001101010010010100101101010010, PWD:4D494B52
    1000001111, WRITE_PAGE:0
    11110011110010000001001100011111, DATA:F3C8131F
    1100000111, READ_PAGE:0
    ...
    [ snip ]
    ...
    11000, START_AUTH
    01001101010010010100101101010010, PWD:4D494B52
    1001001101, WRITE_PAGE:2
    00100000111100000100111101001110, DATA:20F04F4E
    1101000101, READ_PAGE:2
    11000, START_AUTH
    01001101010010010100101101010010, PWD:4D494B52
    1010001011, WRITE_PAGE:4
    00000000000000000000000000000000, DATA:00000000
    1110000011, READ_PAGE:4
    11000, START_AUTH
    01001101010010010100101101010010, PWD:4D494B52
    1010101010, WRITE_PAGE:5
    00000000000000000000000000000000, DATA:00000000
    1110100010, READ_PAGE:5
    11000, START_AUTH
    01001101010010010100101101010010, PWD:4D494B52
    1011001001, WRITE_PAGE:6
    00000000000000000000000000000000, DATA:00000000
    1111000001, READ_PAGE:6
    11000, START_AUTH
    01001101010010010100101101010010, PWD:4D494B52
    1011101000, WRITE_PAGE:7
    00000000000000000000000000000000, DATA:00000000
    1111100000, READ_PAGE:7
    11000, START_AUTH
    010011010100100101001011010,?INVALID?


    1001101100, WRITE_PAGE:3
    00000110101010100100100001010100, DATA:06AA4854
    1101100100, READ_PAGE:3

    Note the '?INVALID?' command is due to delays induced by automatically jumping out of sniff mode when the buffer is full... Still thinking about how to deal with this more elegantly...
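An added example, not RFIDler's own code, that reproduces the decoding shown in the two sniff posts above: pulse widths are classified as long/short bits, and each bit frame is decoded using the Hitag2 reader-to-tag layout (5-bit START_AUTH, or a 10-bit page command of 2-bit opcode, 3-bit page number and the complement of those 5 bits), so a truncated frame like the 27-bit one above is flagged as ?INVALID?. The long/short threshold and the 20..400 width window are assumptions chosen to fit the sample pulses posted above.

```python
# Added example (not RFIDler's own code): decode Hitag2 reader-to-tag PWM frames
# the way the sniff-pwm output above presents them. Frame layout follows the
# public Hitag2 reader command format: 11000 = START_AUTH, otherwise a 10-bit
# command = 2-bit opcode + 3-bit page + bitwise complement of those 5 bits.
OPCODES = {"11": "READ_PAGE", "10": "WRITE_PAGE"}


def pulses_to_bits(pulses, threshold=140):
    """Map pulse widths to bits: wider than `threshold` is 1, narrower is 0.
    Widths outside 20..400 (carrier start-up, idle) are skipped; both the
    threshold and the window are assumptions fitted to the posted sample."""
    return "".join("1" if w > threshold else "0" for w in pulses if 20 <= w <= 400)


def decode_frame(bits, previous=None):
    """Decode one bit frame. `previous` is the name of the preceding command and
    decides whether a 32-bit frame is labelled PWD (after START_AUTH) or DATA."""
    if bits == "11000":
        return "START_AUTH"
    if len(bits) == 10 and bits[:2] in OPCODES:
        body, check = bits[:5], bits[5:]
        # The complement field lets the tag (and this decoder) reject a frame
        # whose bits were corrupted or cut short; only a clean frame is accepted.
        if all(a != b for a, b in zip(body, check)):
            return "%s:%d" % (OPCODES[bits[:2]], int(bits[2:5], 2))
    if len(bits) == 32:
        label = "PWD" if previous == "START_AUTH" else "DATA"
        return "%s:%08X" % (label, int(bits, 2))
    return "?INVALID?"


def decode_sniff(frames):
    """Decode a list of bit frames in order, carrying the command context along."""
    out, prev = [], None
    for bits in frames:
        cmd = decode_frame(bits, prev)
        out.append(cmd)
        prev = cmd.split(":")[0]
    return out


if __name__ == "__main__":
    # Constructed from the detect-pwm sample above: three start-up pulses, then 11000.
    print(pulses_to_bits([2190426, 0, 10383, 172, 173, 101, 101, 102]))
    for line in decode_sniff(["11000", "01001101010010010100101101010010",
                              "1001101100", "00000110101010100100100001010100",
                              "1101100100", "010011010100100101001011010"]):
        print(line)
```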
  • Wow great work, Thank you a lot!
    It gets better and better...

    egon
  • Adam, will there be a decoder for HITAG1 too?

    greets!