Hello there, I am a new user of proxmark3 rdv2 I have got 512k version and flashed latest firmware using brew on Mac OS. I need your help!
I have an ISO 15693 tag and I want to dump and clone it to simulate the tag. Here the things that I have done so far:
Step 1: hf search
Step 2: “hf 15 dump”
Then by using the UID I was able to dump 16 blocks of data then I ran “hf eload” to load the dump and “hf sim” to simulate the uid and also checked the simulation with my flipper zero which was fine but although the signal wasn’t picking by the reader. Then I ran “hf info” command and get this result:
[+] UID: E0 04 01 18 01 F3 D4 19
[+] TYPE: NXP(Philips); IC NTP53x2/NTP5210/NTA5332(NTAG 5)
[+] Using UID... E0 04 01 18 01 F3 D4 19
[=] --- Tag Information ---------------------------
[+] TYPE: NXP(Philips); IC NTP53x2/NTP5210/NTA5332(NTAG 5)
[+] UID: E0 04 01 18 01 F3 D4 19
[+] SYSINFO: 00 0F 19 D4 F3 01 18 01 04 E0 00 00 3F 03 01
[+] - DSFID supported [0x00]
[+] - AFI supported [0x00]
[+] - IC reference supported [0x01]
[+] - Tag provides info on memory layout (vendor dependent)
[+] 4 (or 3) bytes/blocks x 64 blocks
[=]
[=] --- NXP Sysinfo
[=] raw... 00 11 30 00 FF 75 07 04
[=] Password protection configuration:
[=] * Page L read not password protected
[=] * Page L write not password protected
[=] * Page H read password protected
[=] * Page H write password protected
[=] Lock bits:
[=] * AFI not locked
[=] * EAS not locked
[=] * DSFID not locked
[=] * Password protection configuration not locked
[=] Features:
[=] * User memory password protection supported
[=] * Counter feature supported
[=] * EAS ID supported by EAS ALARM command
[=] * EAS password protection supported
[=] * AFI password protection supported
[=] * Extended mode supported by INVENTORY READ command
[=] * EAS selection supported by extended mode in INVENTORY READ command
[=] * READ SIGNATURE command supported
[=] * Password protection for READ SIGNATURE command not supported
[=] * STAY QUIET PERSISTENT command supported
[=] * ENABLE PRIVACY command supported
[=] * DESTROY command supported
[=] * Additional 32 bits feature flags are not transmitted
[=]
[=] EAS (Electronic Article Surveillance) is not active
[=] --- Tag Signature
[=] IC signature public key name: NXP ICODE DNA, ICODE SLIX2
[=] IC signature public key value:
048878A2A2D3EEC336B4F261A082BD71F9BE11C4E2E896648B32EFA59CEA6E59F0
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 0107403AD7ECAB5261D71B934DD74F1C315F0D87E40F58B98B64D8911194E6E3
[+] Signature verification: successful
[=] Params used: UID and signature, plain
Here I found may be from block 17 to 64 probably page H is password protected. Now here are my questions:
How can I remove the password or unlock those blocks
How can I simulate the tag
Please mention the steps and command which can help me please Maybe there is a way to unlock those blocks or remove password protection or may cloning with that passwords because my reader will try to authenticate with the password
Thanks for replying brother!
Actually i have a device in which a reader is built and once i take the nfc tag close to it the reader accept it and then the nfc chip die that means it is not detectable by flipper or proxmark3 i want to emulate the nfc tag so here is what i have done I have made a dump file of the nfc tag and load it and simulate it with proxmark3 but seems reader is not accepting this.
Then I do some more research and found this by running hf info and then got to know it has 64 blocks but i am only getting 17 blocks in dump file. Now might be other blocks are password protected thats why they are not in dump file. Please help me in this issue
No brother it is a dehumidifier device that has different flavors where each flavor it has nfc tag in the flavor unit and obe flavor can be used only once but i want to reuse the flavor by refilling the unit with my own customized flavor but the nfc tag in unit qhich is making trouble because i can not able to replicate it so it is not getting accepted by the reader
Interesting. The ntag5 would be overkill for this application. However if the idea is that it’s using the security features of the ntag5 to secure this use case, then it’s likely not a password that is being used. It’s probably a mutual auth process for an AES key which is not hackable.
And also why the tag is not detectable after installing in the device for only one time,? I want to add i have done one thing more I want share, I have refilled an old flavor and installed it in the device and normally it was rejected then from the outside I took a new unused flavor close to the device then the refilled flavor got accepted you know! But after that new unused flavor became undetectable and unusable. So what can be the reason behind this? What do you think?
So basically we cant hack or emulate the tag right? Or might be we cant even reuse the tag fight sir? Is there any other solution or way? Or yesterday you mentioned sniffing will help! How will that work and how to do that sir?
I don’t think there is a practical way to solve your problem at this point. There may be a possibility but you would need to become something of an expert to figure it out. The urgency of the situation combined with the level of expertise you currently have means there is no practical solution.
If you want to pay me $1,000,000 (insert Dr. Evil laugh here), I can train you over the forum to attempt to figure out a solution.
Maybe there is a way to unlock those blocks or remove password protection or may cloning with that passwords because my reader will try to authenticate with the password
what about sniffing can that help in any way? You mentioned sniffing day before yesterday