Issue cloning ISO 15693 tag with proxmark3 RDV2

Ok sir

one-milliondollars-dr-evil

1 Like

Hahaha just think you are helping your brother! Still need 1M?

1 Like

That is what I get after sniffing and hitting hf 15 list:

[=] downloading tracelog data from device
[+] Recorded activity (trace len = 118 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO15693 / iCLASS - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |      26112 | Rdr |36  01  00  00  6a  a1                                                   |  ok | INVENTORY
     958208 |     984320 | Rdr |36  01  00  00  6a  a1                                                   |  ok | INVENTORY
    1928512 |    1954624 | Rdr |36  01  00  00  6a  a1                                                   |  ok | INVENTORY
    3899200 |    3925312 | Rdr |36  01  00  00  6a  a1                                                   |  ok | INVENTORY
    5873952 |    5900064 | Rdr |36  01  00  00  6a  a1                                                   |  ok | INVENTORY
    7845088 |    7871200 | Rdr |36  01  00  00  6a  a1                                                   |  ok | INVENTORY
    8812608 |    8838720 | Rdr |36  01  00  00  6a  a1                                                   |  ok | INVENTORY
    9788608 |    9806528 | Rdr |fe  fc  15  5c                                                           |  !! | Proprietary IC MFG dependent

Tell me, can we move forward with this result?

Redo the sniff; you're missing the tag interactions. You need to sniff the comms between the tag and the reader so you can see what they are saying to each other.

Okay sir

Brother, sorry, I was away for some reason. I re-sniffed the tag and reader communication and got these results. Let me tell you that I confirmed the tag is detectable through proxmark3 before sniffing.

[usb] pm3 --> hf 15 list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 56 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO15693 / iCLASS - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |      71168 | Rdr |02  35  00  02  00  7e  e5  e1  09  17  19  78  7b  e3  9e  6e  92       |  ok | Optional RFU
    2287040 |    2358208 | Rdr |02  35  00  02  00  58  57  3e  28  b7  2b  3f  5a  e5  86  f5  ab       |  ok | Optional RFU

@amal @Equipter please help brother

I sniffed again more carefully, please someone help.

When I tried sniffing with

hf 15 sniff -r -c

I got an error and this result:

[usb] pm3 --> hf 15 sniff -r -c
hf 15 sniff: invalid option "-r"
hf 15 sniff: invalid option "-c"
[!] ⚠  Try 'hf 15 sniff --help' for more information.

Then I made sure the tag was well detected, ran hf 15 sniff, and got a good result, as below:

[usb] pm3 --> hf 15 list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 157 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO15693 / iCLASS - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |      26112 | Rdr |36  01  00  00  6a  a1                                                   |  ok | INVENTORY
   63975968 |   64002080 | Rdr |36  01  00  00  6a  a1                                                   |  ok | INVENTORY
   65331680 |   65402848 | Rdr |02  35  00  02  00  5c  b8  9f  23  97  cb  4d  48  2a  92  bc  30       |  ok | Optional RFU
   66034624 |   66126272 | Rdr |02  35  00  06  ca  f5  5d  4b  11  f5  ab  b6  58  53  79  ef  81  db   |     | 
            |            |     |46  3d  38  3f                                                           |  ok | Optional RFU
   66145216 |   66165696 | Tag |00  a7  f2  de                                                           |  ok | 
   66376192 |   66402304 | Rdr |02  23  10  2f  93  65                                                   |  ok | READ_MULTI_BLOCK(16-63)
   67828096 |   67938688 | Tag |04  a7  17  a8  fe  fb  c1  96  73  54  9a  f3  16  4b  ea  4e  98  1d   |     | 
            |            |     |c1  56  71  52  55  4c  d8  8b                                           |  ok |

Now brother, please tell me what needs to be done! I am dying for this device now :upside_down_face:

@Equipter @amal

I just realized this is an NTAG5 chip… this will probably be a problem. What is the device you are trying to read / clone? It is not likely to carry simple NFC data.

The sniff data you have posted show no indication of a password command, so I think what might be happening is that the NTAG5 features being used for security are AES crypto challenges and not basic password authentication.

I don’t think this can be done.

Thanks @amal for replying, but clearly I can see it is reading blocks 16 to 32, right? Now my question is: why can't I read those blocks with proxmark3? Because I think if we can emulate blocks 1-64, that will be all.

Can you suggest something?

I don’t see the memory actually being read though… possibly a partial reply? Blocks typically contain 4 bytes of data per block so reading blocks 16 - 63 as indicated in your sniff log should produce around 188 bytes of data, but there is only like 26 bytes in your sniff log.

The important aspect here is that this is a smart card. I don’t know what these commands are doing, or what the tag response means;

   65331680 |   65402848 | Rdr |02  35  00  02  00  5c  b8  9f  23  97  cb  4d  48  2a  92  bc  30       |  ok | Optional RFU
   66034624 |   66126272 | Rdr |02  35  00  06  ca  f5  5d  4b  11  f5  ab  b6  58  53  79  ef  81  db   |     | 
            |            |     |46  3d  38  3f                                                           |  ok | Optional RFU
   66145216 |   66165696 | Tag |00  a7  f2  de                                                           |  ok | 

My guess is that it’s some kind of security function. You could try to cross reference these commands with an NTAG5 specification document, but NXP usually keeps that level of information behind NDAs.

1 Like
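The size check from the reply above, as an added example (not code from any poster or from the Proxmark project): it verifies the ISO 15693 CRC on frames copied from the posted trace, decodes the READ_MULTI_BLOCK request, and compares the payload a tag with 4-byte blocks would return against what the tag actually sent. The 4-byte block size is the thread's assumption, and the function names are illustrative.

```python
# Frames copied from the `hf 15 list` trace posted in this thread
# (continuation rows joined); src is "Rdr" or "Tag".
TRACE = [
    ("Rdr", "36 01 00 00 6a a1"),
    ("Rdr", "02 23 10 2f 93 65"),
    ("Tag", "04 a7 17 a8 fe fb c1 96 73 54 9a f3 16 4b ea 4e 98 1d"
            " c1 56 71 52 55 4c d8 8b"),
]
BLOCK_SIZE = 4  # assumption from the thread: 4 bytes of data per block


def crc15693(data: bytes) -> int:
    """ISO/IEC 13239 CRC-16 as used by ISO 15693 (preset 0xFFFF, inverted)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def crc_ok(frame: bytes) -> bool:
    """The CRC is appended to the frame low byte first."""
    if len(frame) < 3:
        return False
    return crc15693(frame[:-2]) == int.from_bytes(frame[-2:], "little")


def read_multi_shortfalls(trace):
    """Pair each READ_MULTI_BLOCK request with the next tag frame and compare sizes."""
    frames = [(src, bytes.fromhex(hexstr)) for src, hexstr in trace]
    results = []
    for i, (src, frame) in enumerate(frames):
        if src != "Rdr" or len(frame) < 2 or frame[1] != 0x23:
            continue
        params = 10 if frame[0] & 0x20 else 2  # addressed requests carry an 8-byte UID
        if len(frame) < params + 4 or not crc_ok(frame):
            continue  # truncated or corrupted request: nothing reliable to decode
        first, count = frame[params], frame[params + 1] + 1  # count byte holds N-1
        reply = next((f for s, f in frames[i + 1:] if s == "Tag"), None)
        observed = len(reply) - 3 if reply else 0  # minus flags byte and 2 CRC bytes
        results.append({"first": first, "last": first + count - 1,
                        "expected": count * BLOCK_SIZE, "observed": observed,
                        "reply_crc_ok": bool(reply) and crc_ok(reply)})
    return results


if __name__ == "__main__":
    for row in read_multi_shortfalls(TRACE):
        print(row)
```
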

Am I missing something then @amal ?

What is this tag? What does it do? Send photos?

Hello brother. I have attached two photos here. The one that looks like a ring is actually the tag, and it will be installed on top of the one in the other picture.

I have a small request: can you please give me your contact number, or maybe a Zoom session where you can help me? Is that possible, brother?


Interesting… no idea why they would use an ntag5 chip for this. It’s so strange since there doesn’t seem to be any purpose for using this advanced chip. Does that ring report anything like temperature? Anything like that?

Maybe simply to “stop” people from doing just that :point_up:

:man_shrugging:

Seems a bit over the top to me…

Ah yeah interesting. So yeah the ntag5 does have a command you can send to it that will disable the NFC function of the chip entirely. Seems like overkill to me also.

Is there any way to stop being overkilled? I think it will be better if you can give me a little time and join a meeting and see it yourself @amal

Any luck cracking this? I tried a few things but to no avail. Must know the authentication between the chip and the reader.

FYI, I think this is an ICODE DNA tag. It sends a command to kill the chip once it authenticates, to prevent re-use. I sniffed the kill command. Any luck?