Dear Roel,

I am trying to establish a PoC with your relay attack, but unsuccessfully.
As you can see, I started a conversation on the proxmark forum: http://www.proxmark.org/forum/topic/247/relay-attack/
where I explain my issue. Could you help me?
I copy the piece of the conversation that interests us:

"I tested the relay example but I think I have the same problem: the timing. After the first SEL and the RATS command, when the relaying is done between 2 Touchatag (ACR122U102 Rev 1.4), if I try to SEL a Mifare 1k with my Omnikey 5553, the result is I only see the REQA but never the ATQ of the card.
In a documentation I found the possibility to change a parameter in the register of the reader named "SEL Time Iso 14443A", which I increased from 10ms to 255ms, but unsuccessfully. Do you think it is the right parameter? Do you think 255ms is not enough? What is the difference with the Omnikey 5121?"

Thank you

2

(18 replies, posted in Hardware Devices)

Yes of course, I placed a Mifare 1K Tag on both Touchatag. But only one is called when the command "list" is executed. Did you already test with 2 readers on the same machine?
When I connect the 2nd, the first is always used; when I disconnect the first, the second is used, but never at the same time.

PS: you can complete the hardware table for the chip of the touchatag.

3

(18 replies, posted in Hardware Devices)

Just for precision, the two Touchatag are correctly loaded

> lsusb
Bus 002 Device 025: ID 072f:90cc Advanced Card Systems, Ltd ACR38 SmartCard Reader
Bus 002 Device 024: ID 072f:90cc Advanced Card Systems, Ltd ACR38 SmartCard Reader
> pcsc_scan 
PC/SC device scanner
V 1.4.15 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.5.3
Scanning present readers...
0: ACS ACR 38U-CCID 00 00
1: ACS ACR 38U-CCID 01 00

So the question is: why this result?

> ./list 
Connected to NFC reader: ACR122U102 - PN532 v1.4 (0x07)

Hi cybergibbons,

There is documentation on the ACR122 API available on the proxmark site in section "files/nfc", directly at http://www.proxmark.org/files/index.php … ACR122.pdf (you have to register and log in first).

For example, the section LED (that you want of course!):

Appendix 3: Sample Codes for Setting the LED

Example 1: To read the existing LED State.
// Assume both Red and Green LEDs are OFF initially //
// Not link to the buzzer //
APDU = “FF 00 40 00 04 00 00 00 00”
Response = “90 00”. RED and Green LEDs are OFF.

Example 2: To turn on RED and Green Color LEDs
// Assume both Red and Green LEDs are OFF initially //
// Not link to the buzzer //
APDU = “FF 00 40 0F 04 00 00 00 00”
Response = “90 03”. RED and Green LEDs are ON,
#To turn off both RED and Green LEDs, APDU = “FF 00 40 0C 04 00 00 00 00”

Example 3: To turn off the RED Color LED only, and left the Green Color LED unchanged.
// Assume both Red and Green LEDs are ON initially //
// Not link to the buzzer //
...

Good luck!
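
The sample APDUs quoted in the post above can be decoded field by field. The following is an added example, not part of the original post or of the ACR122 documentation's sample code; the function names are hypothetical, and the P2 bit layout (bits 0-1 final red/green state, bits 2-3 state masks, bits 6-7 blinking masks) and the data bytes (T1, T2 in units of 100 ms, repetitions, buzzer link) are taken from the ACR122U API document as an assumption.

```python
# Added example: decode ACR122 LED-control APDUs and their responses.
# Bit layout assumed from the ACR122U API document; names are hypothetical.

LED_HEADER = bytes.fromhex("FF0040")  # CLA, INS, P1 of the LED control command


def _parse_hex(text):
    # Accept the spaced notation used in the post ("FF 00 40 ...").
    return bytes.fromhex(text.replace(" ", ""))


def decode_led_apdu(apdu_hex):
    """Describe what an LED control APDU asks the reader to do."""
    apdu = _parse_hex(apdu_hex)
    if len(apdu) != 9 or apdu[:3] != LED_HEADER or apdu[4] != 0x04:
        raise ValueError("not an ACR122 LED control APDU")
    p2 = apdu[3]
    t1, t2, repeat, buzzer = apdu[5:9]

    def final_state(state_bit, mask_bit):
        # The state bit only takes effect when the matching mask bit is set.
        if not p2 & (1 << mask_bit):
            return "unchanged"
        return "on" if p2 & (1 << state_bit) else "off"

    return {
        "red": final_state(0, 2),
        "green": final_state(1, 3),
        "red_blink": bool(p2 & 0x40),
        "green_blink": bool(p2 & 0x80),
        "t1_ms": t1 * 100,
        "t2_ms": t2 * 100,
        "repeat": repeat,
        "buzzer_linked": buzzer != 0,
    }


def decode_led_response(resp_hex):
    """Decode the 2-byte status: SW1 = 90, SW2 = current LED state."""
    sw = _parse_hex(resp_hex)
    if len(sw) != 2 or sw[0] != 0x90:
        raise ValueError("LED command failed or unexpected status")
    return {"red": "on" if sw[1] & 0x01 else "off",
            "green": "on" if sw[1] & 0x02 else "off"}


if __name__ == "__main__":
    # The three APDUs quoted in the post.
    for apdu in ("FF 00 40 00 04 00 00 00 00",
                 "FF 00 40 0F 04 00 00 00 00",
                 "FF 00 40 0C 04 00 00 00 00"):
        print(apdu, "->", decode_led_apdu(apdu))
```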

5

(18 replies, posted in Hardware Devices)

Thank you for the information: the list command returns: ACR122U102 - PN532 v1.4 (0x07).
So this is exactly the same as for tikitag (in fact this is just a commercial change!)

But the list command doesn't show me the 2 touchatag, only one! So I can't use the relay command.
Do you know why?

PS: a little suggestion: a usage message (or just a "-h") would be very much appreciated.
Thanks for your excellent work!

6

(18 replies, posted in Hardware Devices)

Dear Roel,

I have recently bought 2 touchatag from the official store. I am writing to confirm that the firmware is ACR122U102 (the same as for tikitag). I have no idea how to view the chip version, but if I find out, I will tell you. Now you can complete your hardware table.

Have a nice day!