Proxmark3 community


#1 2020-08-08 14:12:42

lx2005
Contributor
Registered: 2019-09-27
Posts: 7

IKEA Rothult lock card,is it JCOP?

I have an IKEA Rothult lock. The model is "TYP E1778". It has two cards which you can use to open or close the lock.
There are words "TYP E1777" on the cards.
First of all, I ran "hf search"

[usb] pm3 --> hf search

[+]  UID: 02 E2 00 67 37 D9 6C 
[+] ATQA: 00 42
[+]  SAK: 20 [1]
[+] MANUFACTURER:    ST Microelectronics SA France
[+]    JCOP 31/41
[+]  ATS: 05 75 80 60 02 BB 58 
[+]        -  TL : length is 5 bytes
[+]        -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[+]        - TA1 : different divisors are NOT supported, DR: [], DS: []
[+]        - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 6 (FWT = 262144/fc)
[+]        - TC1 : NAD is NOT supported, CID is supported
[!!] PRNG data error: Wrong length: 0
[-] Prng detection:  fail

[+] Valid ISO14443-A tag found

My goal is to simulate the card (or copy them if possible), but I don't know which command to use to do so.
I sniffed the communication between the card and the lock.

[usb] pm3 --> hf 14a sniff
[#] Starting to sniff
[#] maxDataLen=5, Uart.state=0, Uart.len=0
[#] traceLen=900, Uart.output[0]=00000026
[usb] pm3 --> hf 14a list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 900 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26                                                                       |     | REQA
    1374000 |    1375056 | Rdr |26                                                                       |     | REQA
    2748048 |    2749104 | Rdr |26                                                                       |     | REQA
    6794496 |    6795552 | Rdr |26                                                                       |     | REQA
    8168032 |    8169088 | Rdr |26                                                                       |     | REQA
    9541840 |    9542896 | Rdr |26                                                                       |     | REQA
   13588224 |   13589280 | Rdr |26                                                                       |     | REQA
   13590484 |   13592852 | Tag |42  00                                                                   |     | 
   13617856 |   13622624 | Rdr |50  00  57  cd                                                           |  ok | HALT
   13695792 |   13696784 | Rdr |52                                                                       |     | WUPA
   13698052 |   13700420 | Tag |42  00                                                                   |     | 
   13728992 |   13731456 | Rdr |93  20                                                                   |     | ANTICOLL
   13732660 |   13738548 | Tag |88  02  e2  00  68                                                       |     | 
   13764688 |   13775152 | Rdr |93  70  88  02  e2  00  68  c8  63                                       |  ok | SELECT_UID
   13776388 |   13779908 | Tag |04  da  17                                                               |     | 
   13805424 |   13807888 | Rdr |95  20                                                                   |     | ANTICOLL-2
   13809076 |   13814964 | Tag |67  37  d9  6c  e5                                                       |     | 
   13841184 |   13851712 | Rdr |95  70  67  37  d9  6c  e5  aa  64                                       |  ok | SELECT_UID-2
   13852916 |   13856500 | Tag |20  fc  70                                                               |     | 
   13878688 |   13883456 | Rdr |50  00  57  cd                                                           |  ok | HALT
   13956608 |   13957664 | Rdr |26                                                                       |     | REQA
   16008976 |   16010032 | Rdr |26                                                                       |     | REQA
   16011236 |   16013604 | Tag |42  00                                                                   |     | 
   16038624 |   16043392 | Rdr |50  00  57  cd                                                           |  ok | HALT
   16116560 |   16117552 | Rdr |52                                                                       |     | WUPA
   16118820 |   16121188 | Tag |42  00                                                                   |     | 
   16149776 |   16152240 | Rdr |93  20                                                                   |     | ANTICOLL
   16153428 |   16159316 | Tag |88  02  e2  00  68                                                       |     | 
   16185456 |   16195920 | Rdr |93  70  88  02  e2  00  68  c8  63                                       |  ok | SELECT_UID
   16197188 |   16200708 | Tag |04  da  17                                                               |     | 
   16226368 |   16228832 | Rdr |95  20                                                                   |     | ANTICOLL-2
   16230036 |   16235924 | Tag |67  37  d9  6c  e5                                                       |     | 
   16262112 |   16272640 | Rdr |95  70  67  37  d9  6c  e5  aa  64                                       |  ok | SELECT_UID-2
   16273844 |   16277428 | Tag |20  fc  70                                                               |     | 
   16299824 |   16304592 | Rdr |50  00  57  cd                                                           |  ok | HALT
   16377776 |   16378832 | Rdr |26                                                                       |     | REQA
   17777024 |   17778080 | Rdr |26                                                                       |     | REQA
   17779268 |   17781636 | Tag |42  00                                                                   |     | 
   17806656 |   17811424 | Rdr |50  00  57  cd                                                           |  ok | HALT
   17885392 |   17886384 | Rdr |52                                                                       |     | WUPA
   17887652 |   17890020 | Tag |42  00                                                                   |     | 
   17918528 |   17920992 | Rdr |93  20                                                                   |     | ANTICOLL
   17922180 |   17928068 | Tag |88  02  e2  00  68                                                       |     | 
   17954224 |   17964688 | Rdr |93  70  88  02  e2  00  68  c8  63                                       |  ok | SELECT_UID
   17965940 |   17969460 | Tag |04  da  17                                                               |     | 
   17994960 |   17997424 | Rdr |95  20                                                                   |     | ANTICOLL-2
   17998628 |   18004516 | Tag |67  37  d9  6c  e5                                                       |     | 
   18030720 |   18041248 | Rdr |95  70  67  37  d9  6c  e5  aa  64                                       |  ok | SELECT_UID-2
   18042436 |   18046020 | Tag |20  fc  70                                                               |     | 
   18068272 |   18073040 | Rdr |e0  80  31  73                                                           |  ok | RATS
   18074244 |   18082436 | Tag |05  75  80  60  02  bb  58                                               |  ok | 
   18105424 |   18111280 | Rdr |d0  11  00  52  a6                                                       |  ok | 
   18112532 |   18116052 | Tag |d0  73  87                                                               |     | 
   18140192 |   18158720 | Rdr |02  00  a4  04  00  07  d2  76  00  00  85  01  01  00  35  c0           |  ok | 
   18160740 |   18166564 | Tag |02  90  00  f1  09                                                       |     | 
   18190192 |   18201872 | Rdr |03  00  a4  00  0c  02  00  01  81  7c                                   |  ok | 
   18203332 |   18209156 | Tag |03  90  00  2d  53                                                       |     | 
   18232400 |   18241712 | Rdr |02  00  20  00  01  00  6e  a9                                           |  ok | 
   18242964 |   18248788 | Tag |02  63  00  91  5f                                                       |     | 
   18274624 |   18302368 | Rdr |03  00  20  00  01  10  33  6f  2f  d1  53  08  4b  aa  72  b9  04  3a   |     | 
            |            |     |41  81  7a  e4  69  b4                                                   |  ok | 
   18305796 |   18311620 | Tag |03  90  00  2d  53                                                       |     | 
   18334800 |   18344112 | Rdr |02  a2  b0  00  00  1d  51  69                                           |  ok | 
   18349604 |   18349604 | Tag |02  00  1b  d1  01  17  54  02  7a  68  79  f6  35  62  d0  4d  91  d9   |     | 
            |            |     |dd  e7  00  17  6b  37  05  a1  31  31  31  32  90  00  d5  b9           |  ok | 
   38785680 |   38786736 | Rdr |26                                                                       |     | REQA
   40159248 |   40160304 | Rdr |26                                                                       |     | REQA

I can only understand that it only checks UID. There are also APDUs.
Then I tried to simulate using "hf 14a sim".

[usb] pm3 --> hf 14a sim t 3 u 02E2006737D96C
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (02 E2 00 67 37 D9 6C )
[=] Press pm3-button to abort simulation
[#] Emulator stopped.  Trace length: 504 
[=] Done
[usb] pm3 --> hf 14a list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 504 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26                                                                       |     | REQA
       2228 |       4596 | Tag |44  03                                                                   |     | 
      29630 |      34398 | Rdr |50  00  57  cd                                                           |  ok | HALT
     107562 |     108554 | Rdr |52                                                                       |     | WUPA
     109790 |     112158 | Tag |44  03                                                                   |     | 
     140800 |     143264 | Rdr |93  20                                                                   |     | ANTICOLL
     144436 |     150324 | Tag |88  02  e2  00  68                                                       |     | 
     176460 |     186924 | Rdr |93  70  88  02  e2  00  68  c8  63                                       |  ok | SELECT_UID
     188160 |     191680 | Tag |24  d8  36                                                               |     | 
    1564254 |    1565310 | Rdr |26                                                                       |     | REQA
    1566482 |    1568850 | Tag |44  03                                                                   |     | 
    1593934 |    1598702 | Rdr |50  00  57  cd                                                           |  ok | HALT
    1671886 |    1672878 | Rdr |52                                                                       |     | WUPA
    1674114 |    1676482 | Tag |44  03                                                                   |     | 
    1705110 |    1707574 | Rdr |93  20                                                                   |     | ANTICOLL
    1708746 |    1714634 | Tag |88  02  e2  00  68                                                       |     | 
    3768726 |    3769782 | Rdr |26                                                                       |     | REQA
    3770954 |    3773322 | Tag |44  03                                                                   |     | 
    3798382 |    3803150 | Rdr |50  00  57  cd                                                           |  ok | HALT
    3876372 |    3877364 | Rdr |52                                                                       |     | WUPA
    3878600 |    3880968 | Tag |44  03                                                                   |     | 
    3909562 |    3912026 | Rdr |93  20                                                                   |     | ANTICOLL
    3913198 |    3919086 | Tag |88  02  e2  00  68                                                       |     | 
    3945258 |    3955722 | Rdr |93  70  88  02  e2  00  68  c8  63                                       |  ok | SELECT_UID
    3956958 |    3960478 | Tag |24  d8  36                                                               |     | 
    3986048 |    3988512 | Rdr |95  20                                                                   |     | ANTICOLL-2
    3989684 |    3995572 | Tag |67  37  d9  6c  e5                                                       |     | 
    4021782 |    4032310 | Rdr |95  70  67  37  d9  6c  e5  aa  64                                       |  ok | SELECT_UID-2
    4033482 |    4037066 | Tag |20  fc  70                                                               |     | 
    4059326 |    4064094 | Rdr |50  00  57  cd                                                           |  ok | HALT
    4137274 |    4138330 | Rdr |26                                                                       |     | REQA
    4139502 |    4141870 | Tag |44  03                                                                   |     | 
    4170424 |    4172888 | Rdr |93  20                                                                   |     | ANTICOLL
    4173932 |    4179820 | Tag |88  02  e2  00  68                                                       |     | 
    4206002 |    4216466 | Rdr |93  70  88  02  e2  00  68  c8  63                                       |  ok | SELECT_UID
    4217766 |    4221286 | Tag |24  d8  36                                                               |     | 
    4246934 |    4249398 | Rdr |95  20                                                                   |     | ANTICOLL-2
    4250570 |    4256458 | Tag |67  37  d9  6c  e5                                                       |     | 
    4282752 |    4293280 | Rdr |95  70  67  37  d9  6c  e5  aa  64                                       |  ok | SELECT_UID-2
    4294452 |    4298036 | Tag |20  fc  70                                                               |     | 

It seemed a little bit different. For example, the PM3 responded 44 03 after WUPA instead of 44 00. And of course, the lock beeped three times, which meant the card was incorrect, and didn't open.
I want to make sure what card it is and how I can simulate it. Thanks very much!

Last edited by lx2005 (2020-08-08 23:52:25)

Offline

#2 2020-08-08 15:25:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: IKEA Rothult lock card,is it JCOP?

You captured some APDU it sends to the card...

 18232400 |   18241712 | Rdr |02  00  20  00  01  00  6e  a9                                           |  ok | 
   18242964 |   18248788 | Tag |02  63  00  91  5f                                                       |     | 
   18274624 |   18302368 | Rdr |03  00  20  00  01  10  33  6f  2f  d1  53  08  4b  aa  72  b9  04  3a   |     | 
            |            |     |41  81  7a  e4  69  b4                                                   |  ok | 
   18305796 |   18311620 | Tag |03  90  00  2d  53                                                       |     | 
   18334800 |   18344112 | Rdr |02  a2  b0  00  00  1d  51  69                                           |  ok | 
   18349604 |   18349604 | Tag |02  00  1b  d1  01  17  54  02  7a  68  79  f6  35  62  d0  4d  91  d9   |     | 
            |            |     |dd  e7  00  17  6b  37  05  a1  31  31  31  32  90  00  d5  b9           |  ok | 
   38785680 |   38786736 | Rdr |26       

Offline

#3 2020-08-08 15:34:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: IKEA Rothult lock card,is it JCOP?

save that trace and share here

Offline

#4 2020-08-08 23:59:19

lx2005
Contributor
Registered: 2019-09-27
Posts: 7

Re: IKEA Rothult lock card,is it JCOP?

I saved that trace.
https://pastebin.com/u3qGwNuM

Offline

#5 2020-08-09 08:09:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: IKEA Rothult lock card,is it JCOP?

...nice, but no. I meant like in saving it as a file

hf 14a sniff
trace save rothul_02E2006737D96C.trace

Offline

#6 2020-08-09 09:59:13

lx2005
Contributor
Registered: 2019-09-27
Posts: 7

Re: IKEA Rothult lock card,is it JCOP?

Aha, sorry for that. I'm just a newbie. The true "trace" is here.
https://transfer.sh/g98bS/rothul_02E2006737D96C.trace

Offline

#7 2020-09-07 04:56:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: IKEA Rothult lock card,is it JCOP?

There are some discussions over at the Discord server, iso14443a channel, about this lock.

Extracting your APDUs, you should be able to replay that session with a pm3 against your card.

hf 14a raw -s -c -p 0200a4040007d276000085010100
hf 14a raw -c -p 0300a4000c020001
hf 14a raw -c -p 020020000100
hf 14a raw -c 030020000110 336f2fd153084baa72b9043a41817ae4
hf 14a raw -c 02a2b000001d

Offline
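The extraction step described in post #7, as an added example that is not code from the thread or from the Proxmark3 project: it checks each frame's CRC_A, strips the PCB and CRC bytes, names each command by its ISO 7816-4 INS byte, and parses the NDEF Text record returned by the final read. The frames are copied from the `hf 14a list` output in post #1; the function names are chosen for this example.

```python
# (source, frame hex) copied from the `hf 14a list` output in post #1.
TRACE = [
    ("Rdr", "02 00 a4 04 00 07 d2 76 00 00 85 01 01 00 35 c0"),
    ("Tag", "02 90 00 f1 09"),
    ("Rdr", "03 00 a4 00 0c 02 00 01 81 7c"),
    ("Tag", "03 90 00 2d 53"),
    ("Rdr", "02 00 20 00 01 00 6e a9"),
    ("Tag", "02 63 00 91 5f"),
    ("Rdr", "03 00 20 00 01 10 33 6f 2f d1 53 08 4b aa 72 b9 04 3a"
            " 41 81 7a e4 69 b4"),
    ("Tag", "03 90 00 2d 53"),
    ("Rdr", "02 a2 b0 00 00 1d 51 69"),
    ("Tag", "02 00 1b d1 01 17 54 02 7a 68 79 f6 35 62 d0 4d 91 d9"
            " dd e7 00 17 6b 37 05 a1 31 31 31 32 90 00 d5 b9"),
]
INS_NAMES = {0xA4: "SELECT", 0x20: "VERIFY", 0xB0: "READ BINARY"}  # ISO 7816-4

def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (initial value 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b = (b ^ (b << 4)) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def annotate(trace=TRACE):
    """Strip PCB and CRC from each I-block and label the APDU inside it."""
    rows = []
    for src, line in trace:
        raw = bytes.fromhex(line)
        inf, ok = raw[1:-2], crc_a(raw[:-2]) == raw[-2:]
        if src == "Rdr":  # command: CLA INS P1 P2 [Lc data] [Le]
            data = inf[5:5 + inf[4]] if len(inf) > 5 else b""
            rows.append({"src": src, "crc_ok": ok, "data": data.hex(),
                         "name": INS_NAMES.get(inf[1], "unknown")})
        else:  # response: [data] SW1 SW2
            rows.append({"src": src, "crc_ok": ok, "data": inf[:-2].hex(),
                         "sw": inf[-2:].hex()})
    return rows

def parse_ndef_text(file_bytes: bytes) -> dict:
    """Parse NLEN followed by one short NDEF Text record."""
    nlen = int.from_bytes(file_bytes[:2], "big")
    msg = file_bytes[2:2 + nlen]
    if not msg[0] & 0x10:
        raise ValueError("only short records (SR=1) are handled here")
    type_len, payload_len = msg[1], msg[2]
    rtype = msg[3:3 + type_len]
    payload = msg[3 + type_len:3 + type_len + payload_len]
    lang_len = payload[0] & 0x3F  # low bits of the Text record status byte
    return {"tnf": msg[0] & 0x07, "type": rtype,
            "lang": payload[1:1 + lang_len].decode("ascii"),
            "text": payload[1 + lang_len:]}

if __name__ == "__main__":
    for row in annotate():
        print(row)
```

The second VERIFY row carries its 16-byte data field unencrypted and nothing in the exchange varies per session, which is why one capture is enough to repeat it.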

#8 2020-09-09 22:27:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: IKEA Rothult lock card,is it JCOP?

Good progress the last days,
System identified as ST25TA512B based,
Proxmark3 can talk with the card and remove protection limits,
Proxmark3 can simulate tag,

Offline

#9 2020-09-09 22:28:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: IKEA Rothult lock card,is it JCOP?

Since the system is an ISO14443a-based one and it has NDEF, I moved the thread here.

Offline
