Ok sir
Hahaha just think you are helping your brother! Still need 1M?
That is what i get after sniffing and hitting hf 15 list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 118 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO15693 / iCLASS - all times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 26112 | Rdr |36 01 00 00 6a a1 | ok | INVENTORY
958208 | 984320 | Rdr |36 01 00 00 6a a1 | ok | INVENTORY
1928512 | 1954624 | Rdr |36 01 00 00 6a a1 | ok | INVENTORY
3899200 | 3925312 | Rdr |36 01 00 00 6a a1 | ok | INVENTORY
5873952 | 5900064 | Rdr |36 01 00 00 6a a1 | ok | INVENTORY
7845088 | 7871200 | Rdr |36 01 00 00 6a a1 | ok | INVENTORY
8812608 | 8838720 | Rdr |36 01 00 00 6a a1 | ok | INVENTORY
9788608 | 9806528 | Rdr |fe fc 15 5c | !! | Proprietary IC MFG dependent
Tell me can we move forward with this result
re do the sniff youâre missing the tag interactions. you need to sniff the comms between the tag and the reader so you can see what they are saying to each other.
Okay sir
Brother actually sorry I was away for some reason I re-sniffed the tag and reader communication and got this as results. Let me know you I made it confirmed that the tag is detectable through proxmark3 before sniffing.
[usb] pm3 --> hf 15 list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 56 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO15693 / iCLASS - all times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 71168 | Rdr |02 35 00 02 00 7e e5 e1 09 17 19 78 7b e3 9e 6e 92 | ok | Optional RFU
2287040 | 2358208 | Rdr |02 35 00 02 00 58 57 3e 28 b7 2b 3f 5a e5 86 f5 ab | ok | Optional RFU
I sniffed again more carefully please someone help,
when I was try snigging with
hf 15 sniff -r -c
I was getting error and got this result
[usb] pm3 --> hf 15 sniff -r -c
hf 15 sniff: invalid option "-r"
hf 15 sniff: invalid option "-c"
[!] â Try 'hf 15 sniff --help' for more information.
Then I made sure the tag is well detected and run hf 15 sniff and found a good result as below,
[usb] pm3 --> hf 15 list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 157 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO15693 / iCLASS - all times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 26112 | Rdr |36 01 00 00 6a a1 | ok | INVENTORY
63975968 | 64002080 | Rdr |36 01 00 00 6a a1 | ok | INVENTORY
65331680 | 65402848 | Rdr |02 35 00 02 00 5c b8 9f 23 97 cb 4d 48 2a 92 bc 30 | ok | Optional RFU
66034624 | 66126272 | Rdr |02 35 00 06 ca f5 5d 4b 11 f5 ab b6 58 53 79 ef 81 db | |
| | |46 3d 38 3f | ok | Optional RFU
66145216 | 66165696 | Tag |00 a7 f2 de | ok |
66376192 | 66402304 | Rdr |02 23 10 2f 93 65 | ok | READ_MULTI_BLOCK(16-63)
67828096 | 67938688 | Tag |04 a7 17 a8 fe fb c1 96 73 54 9a f3 16 4b ea 4e 98 1d | |
| | |c1 56 71 52 55 4c d8 8b | ok |
Now brother please tell me what needs to done! I am dying for this device now
I just realized this is an NTAG5 chip⌠this will probably be a problem. What is the device you are trying to read / clone? It is not likely to carry simple NFC data.
The sniff data you have posted show no indication of a password command, so I think what might be happening is that the NTAG5 features being used for security are AES crypto challenges and not basic password authentication.
I donât think this can be done.
Thanks @amal for replying but clearly i can see it is reading block 16 to 32 right? Now my question is why canât I read those blocks with proxmark3 because I think if we can emulate block 1-64 that will be all.
Can you suggest me something?
I donât see the memory actually being read though⌠possibly a partial reply? Blocks typically contain 4 bytes of data per block so reading blocks 16 - 63 as indicated in your sniff log should produce around 188 bytes of data, but there is only like 26 bytes in your sniff log.
The important aspect here is that this is a smart card. I donât know what these commands are doing, or what the tag response means;
65331680 | 65402848 | Rdr |02 35 00 02 00 5c b8 9f 23 97 cb 4d 48 2a 92 bc 30 | ok | Optional RFU
66034624 | 66126272 | Rdr |02 35 00 06 ca f5 5d 4b 11 f5 ab b6 58 53 79 ef 81 db | |
| | |46 3d 38 3f | ok | Optional RFU
66145216 | 66165696 | Tag |00 a7 f2 de | ok |
My guess is that itâs some kind of security function. You could try to cross reference these commands with an NTAG5 specification document, but NXP usually keeps that level of information behind NDAs.
What is this tag? What does it do? Send photos?
Hello brother. I have attached two photos here one that looks like a ring is the tag actually and it will be installed on the top of the other picture.
A small request I have, can I please give me your contact number or maybe Zoom session where you can help me? Is that possible brother?
Interesting⌠no idea why they would use an ntag5 chip for this. Itâs so strange since there doesnât seem to be any purpose for using this advanced chip. Does that ring report anything like temperature? Anything like that?
Maybe simply to âstopâ people from doing just that
Seems a bit over the top to meâŚ
Ah yeah interesting. So yeah the ntag5 does have a command you can send to it that will disable the NFC function of the chip entirely. Seems like overkill to me also.
is there any way to stop being overkilled? I think it will be better if you can give me a little time and join a meeting and see it yourself @amal
Any luck cracking this? I tried a few things but to no avail. Must know the authentication between the chip and the and reader.
FYI I think this is a ICODE DNA tag. Sends a command to kill the chip once it authenticate to prevent re-use. I sniffed the kill command. Any luck ?