Issue cloning ISO 15693 tag with proxmark3 RDV2

Please help! Urgent!

Hello there, I am a new user of the Proxmark3 RDV2. I have the 512k version and flashed the latest firmware using brew on macOS. I need your help!

I have an ISO 15693 tag and I want to dump and clone it to simulate the tag. Here are the things that I have done so far:

Step 1: hf search

Step 2: hf 15 dump

Then by using the UID I was able to dump 16 blocks of data. Then I ran “hf eload” to load the dump and “hf sim” to simulate the UID, and also checked the simulation with my Flipper Zero, which was fine, but the signal wasn’t being picked up by the reader. Then I ran the “hf info” command and got this result:

```
[+]  UID: E0 04 01 18 01 F3 D4 19
[+] TYPE: NXP(Philips); IC NTP53x2/NTP5210/NTA5332(NTAG 5)
[+] Using UID... E0 04 01 18 01 F3 D4 19
[=] --- Tag Information ---------------------------
[+]       TYPE: NXP(Philips); IC NTP53x2/NTP5210/NTA5332(NTAG 5)
[+]        UID: E0 04 01 18 01 F3 D4 19
[+]    SYSINFO: 00 0F 19 D4 F3 01 18 01 04 E0 00 00 3F 03 01
[+]      - DSFID supported        [0x00]
[+]      - AFI   supported        [0x00]
[+]      - IC reference supported [0x01]
[+]      - Tag provides info on memory layout (vendor dependent)
[+]            4 (or 3) bytes/blocks x 64 blocks

[=] --- NXP Sysinfo
[=]   raw... 00 11 30 00 FF 75 07 04
[=]     Password protection configuration:
[=]       * Page L read not password protected
[=]       * Page L write not password protected
[=]       * Page H read password protected
[=]       * Page H write password protected
[=]     Lock bits:
[=]       * AFI not locked
[=]       * EAS not locked
[=]       * DSFID not locked
[=]       * Password protection configuration not locked
[=]     Features:
[=]       * User memory password protection supported
[=]       * Counter feature supported
[=]       * EAS ID supported by EAS ALARM command
[=]       * EAS password protection supported
[=]       * AFI password protection supported
[=]       * Extended mode supported by INVENTORY READ command
[=]       * EAS selection supported by extended mode in INVENTORY READ command
[=]       * READ SIGNATURE command supported
[=]       * Password protection for READ SIGNATURE command not supported
[=]       * STAY QUIET PERSISTENT command supported
[=]       * ENABLE PRIVACY command supported
[=]       * DESTROY command supported
[=]       * Additional 32 bits feature flags are not transmitted

[=]   EAS (Electronic Article Surveillance) is not active
[=] --- Tag Signature
[=]  IC signature public key name: NXP ICODE DNA, ICODE SLIX2
[=] IC signature public key value:
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 0107403AD7ECAB5261D71B934DD74F1C315F0D87E40F58B98B64D8911194E6E3
[+]        Signature verification: successful
[=]                   Params used: UID and signature, plain
```

From this I found that blocks 17 to 64, probably page H, may be password protected. Now here are my questions:

  1. How can I remove the password or unlock those blocks?
  2. How can I simulate the tag?

Please mention the steps and commands which can help me, please :pray: Maybe there is a way to unlock those blocks or remove the password protection, or maybe clone it with those passwords, because my reader will try to authenticate with the password.
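Added example, not part of the original thread or of the Proxmark3 code: a decoder for the SYSINFO bytes printed above, following the ISO 15693 Get System Information response layout, showing where the 64 blocks of 4 bytes come from and how little of that a 16-block dump covers. The function names `parse_sysinfo` and `dump_coverage` are hypothetical.

```python
# SYSINFO bytes copied from the hf info output in the post above.
SYSINFO_HEX = "00 0F 19 D4 F3 01 18 01 04 E0 00 00 3F 03 01"

def parse_sysinfo(hex_str):
    """Decode flags, info flags, UID and the optional fields they announce."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 10:
        raise ValueError("response too short for flags + info flags + UID")
    if raw[0] & 0x01:
        raise ValueError("error flag set in response flags")
    info_flags = raw[1]
    uid = raw[2:10][::-1]          # UID is sent least-significant byte first
    fields = {"uid": uid.hex().upper(), "manufacturer_code": uid[1]}
    pos = 10

    def take(n, name):
        nonlocal pos
        if pos + n > len(raw):
            raise ValueError(f"truncated response: missing {name}")
        chunk = raw[pos:pos + n]
        pos += n
        return chunk

    # Each info-flag bit announces one optional field, in this fixed order.
    if info_flags & 0x01:
        fields["dsfid"] = take(1, "DSFID")[0]
    if info_flags & 0x02:
        fields["afi"] = take(1, "AFI")[0]
    if info_flags & 0x04:
        mem = take(2, "memory size")
        fields["blocks"] = mem[0] + 1               # stored as count - 1
        fields["block_size"] = (mem[1] & 0x1F) + 1  # stored as size - 1
    if info_flags & 0x08:
        fields["ic_reference"] = take(1, "IC reference")[0]
    if pos != len(raw):
        raise ValueError("unexpected trailing bytes")
    return fields

def dump_coverage(fields, dumped_blocks):
    """Return (bytes in the dump, bytes the tag reports) for a partial dump."""
    if "blocks" not in fields:
        raise ValueError("tag did not report its memory size")
    if not 0 <= dumped_blocks <= fields["blocks"]:
        raise ValueError("dumped block count outside the reported range")
    size = fields["block_size"]
    return dumped_blocks * size, fields["blocks"] * size

if __name__ == "__main__":
    info = parse_sysinfo(SYSINFO_HEX)
    print(info, dump_coverage(info, 16))
```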

This is called tag emulation.

The ntag5 is a communication chip meant to bridge NFC and I2C communication. What is this chip being used for?

And one more thing: when I scan with hf search it shows the UID and says “Valid ISO 15693 found”, so I thought it is an ISO 15693 NFC tag.

Thanks for replying brother!
Actually I have a device in which a reader is built, and once I take the NFC tag close to it the reader accepts it and then the NFC chip dies, meaning it is not detectable by the Flipper or Proxmark3. I want to emulate the NFC tag, so here is what I have done: I made a dump file of the NFC tag, loaded it and simulated it with the Proxmark3, but it seems the reader is not accepting this.

Then I did some more research and found this by running hf info, and got to know it has 64 blocks, but I am only getting 17 blocks in the dump file. Now the other blocks might be password protected, that's why they are not in the dump file. Please help me with this issue.

Is this a medical device by chance?

No brother, it is a dehumidifier device that has different flavors, where each flavor has an NFC tag in the flavor unit and one flavor can be used only once. I want to reuse the flavor by refilling the unit with my own customized flavor, but the NFC tag in the unit is making trouble because I am not able to replicate it, so it is not getting accepted by the reader.

Interesting. The ntag5 would be overkill for this application. However if the idea is that it’s using the security features of the ntag5 to secure this use case, then it’s likely not a password that is being used. It’s probably a mutual auth process for an AES key which is not hackable.

If possible try to sniff the interaction between reader and tag using the proxmark3

Will that work? Can you please tell me how I will do that? I am actually a new user of the Proxmark3, brother.

I mean the procedure and PM3 commands, can you tell me?

And also, why is the tag not detectable after installing it in the device only one time? I want to add one more thing I have done: I refilled an old flavor and installed it in the device, and normally it was rejected; then from the outside I took a new unused flavor close to the device, and the refilled flavor got accepted, you know! But after that the new unused flavor became undetectable and unusable. So what can be the reason behind this? What do you think?

Could you please respond, I badly need this sir.

It’s probably telling the NFC tag to go silent after use. It’s a feature of the ntag5 I believe.

@Satur9 you can’t turn it back on via NFC correct?

So basically we can't hack or emulate the tag, right? Or might it be that we can't even reuse the tag, right sir? Is there any other solution or way? Yesterday you mentioned sniffing will help! How will that work and how do I do that, sir?

I don’t think there is a practical way to solve your problem at this point. There may be a possibility but you would need to become something of an expert to figure it out. The urgency of the situation combined with the level of expertise you currently have means there is no practical solution.

If you want to pay me $1,000,000 (insert Dr. Evil laugh here), I can train you over the forum to attempt to figure out a solution.

Ahh, so my bad luck :disappointed: What about sniffing, can that help in any way? You mentioned sniffing the day before yesterday.

This is basically to see the traffic between tag and reader.

If you can see what is being sent, it may be possible to stop it or reverse it.

I don’t have access to my PM3 right now, but as you are dealing with an ISO15963 tag, the commands will be under that, so try

hf 15

and that will give you a list of commands for the ISO15963

In there, should hopefully be a “sniff” command

Sniffing can capture the commands the reader is sending to the chip. This would be useful to try to see what’s happening and maybe make a plan.

hf 15 sniff

Alright sir, I will let you know the output of the sniff.

Can you tell me, is there any way I can read those password protected blocks with the Proxmark3?

Let’s start with the sniff process and go from there.