Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
- Logged in as ikarus
- Last visit: Today 11:22:42
- Topics: Posted | New | Active | Unanswered
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
#3 2021-10-02 18:33:46
- hkplus
- Contributor
- Registered: 2015-01-07
- Posts: 127
Re: OSDP traffic
Don't have links but one interesting thing...the BUSY signal from the PD (reader) can be sent unencrypted back to the panel even if secure-channel is enabled. With the current specification, the BUSY signal can be sent unencrypted indefinitely making the APU (panel) think that nothing at all is wrong. It's a way to respond to a poll that was sent over secure channel without responding with a secure response. Additionally, some manufacturer's devices (Cypress-based) can be reset from the bus, making the reader jump back to RS485 Address 0 with Secure channel disabled and reset to the default base key. This reset process is also accepted unencrypted. A perfect way to inject a man-in-the middle attack to scan swipes without the panel knowing about it with a very simple circuit just added to the bus. There's more...
Last edited by hkplus (2021-10-02 18:39:22)
#4 2021-10-02 18:36:37
- hkplus
- Contributor
- Registered: 2015-01-07
- Posts: 127
Re: OSDP traffic
Iceman, I need a favor...I could not find the bit and parity structure of HID Corp 1000 48 bit format with a search...do you have this offhand? Also looking for how to generate the checksum of Securikey, but I don't think anyone but the manufacture knows that calculation. I am sure I can find the Corp 1000 48 bit format someplace...
Last edited by hkplus (2021-10-02 18:37:45)