Research, development and trades concerning the powerful Proxmark3 device.
I have been looking at the security of Cotag. There have been 2 generations of Cotag: the first was an active tag that used a battery and dedicated silicon. The second is passive and I suspect uses standard silicon.
The passive tag operates solely at 132 kHz and the tag will not respond until the following sequence is sent by the reader.
4 pulses at 132 kHz. The first burst is 800 µs, a gap of 2.2 ms, a burst of 3.6 ms, a gap of 2.2 ms, a burst of 800 µs, a gap of 2.2 ms, and then a pulse of 3.6 ms. If there is no response the reader waits 17 ms and then resends the wake-up sequence.
Looking at the ATA5577 data sheet, the closest mode is Answer on Reset (AOR), but this seems to imply sending a password, and the bursts seem too short for a password.
Using the Proxmark I then captured a trace using the following sequence:
lf config q 89 b 8
lf snoop
data samples 40000
data plot
data save <filename>
I will attach the captured file, which seemed to show amplitude modulation.
Any thoughts and input would be appreciated.
Perfect!
I've pushed an initial (test) version adding the Cotag start sequence, to read samples from a Cotag into icemanfork.
You can test it so I can adapt it to how your Cotag reader sends.
Got the tags today.
I think I got the reader sequence up, and it collects some tag responses now. Looks like PSK.
Bad signal.
At least the cotag-tag is talking, https://www.sendspace.com/file/pgxa2y
I've added COTAG detection to iceman fork.
I suggest @OP edits the subject and adds [solved] at the beginning of it.
iceman has done some great work making this demod.
Below is what we found out about Cotag:
His tag had these printed numbers: 161-333593.
The Cotag requires a wake-up command of sorts, which others have kindly snooped and iceman was able to mimic.
The first traces he captured were very weak and he had to select a larger antenna (still investigating).
The traces he then captured could not catch the entire repeating message, as it was longer than 40k samples.
I identified the message as ASK modulation with Manchester encoding, but with a VERY low bitrate (high clock): RF/768.
We were also able to identify that the printed number is in the data we got, but in LSB order and without any form of encryption (as outlined below).
Because of the bitrate, and the fact that we cannot collect enough samples to get to the end of the message, iceman had to build a realtime demod on the device side.
With the demod built we were able to get the full repeating binary string for his tag:
1001110011000001 10000101 00000000 10000101 00000000 01111011 10000001 10100000 10000000 00000000 00000000 00000000 00000000 00000000 00000000
16 bytes total, in LSB order.
Reverse the bits and we get this pattern:
[leading 0's]
00000000 00000000 00000000 00000000 00000000 00000000
[unknown][cs/parity][unknown][unknown][ FC? ][ FC ][ FC? ][ FC ][Card# (without leading 3)]
00000001 00000101 10000001 11011110 00000000 10100001 00000000 10100001 1000001100111001
161 161 33593
The CS/parity is unknown, but it appears to be the only other data that changes from card to card.
Iceman has now built an auto-detection and demod of this tag that will print the full binary of the tag so we can further investigate this checksum; it can be found in his fork as well as mine. It is tied into `lf search` in these forks.
Happy testing!
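The bit reversal and field split described in the post above, worked through in Python. This is an added example, not code from the post or from the iceman fork: it feeds the post's own 128-bit string in, reverses it as the post describes, and splits it into the post's tentative fields (unknown, CS/parity, FC bytes, 16-bit card number); the field names and the rule that the printed number is "3" followed by the 16-bit value are assumptions drawn from this single tag.

```python
"""Decode the 16-byte Cotag bit pattern from the post above.

Field layout follows the post's tentative one; the printed-number
rule (FC, dash, "3" + 16-bit card value) is an assumption from one tag.
"""

# The repeating string exactly as demodulated in the post (LSB order).
SAMPLE_BITS = ("1001110011000001 10000101 00000000 10000101 00000000 "
               "01111011 10000001 10100000 10000000 00000000 00000000 "
               "00000000 00000000 00000000 00000000")

# Assumed names for the eight bytes that precede the 16-bit card number.
FIELD_NAMES = ["unknown0", "cs_parity", "unknown1", "unknown2",
               "fc_a", "fc", "fc_b", "fc2"]


def decode_cotag(bits: str) -> dict:
    """Reverse the 128-bit string and split it into the post's fields."""
    clean = bits.replace(" ", "")
    if len(clean) != 128 or set(clean) - {"0", "1"}:
        raise ValueError("expected 128 binary digits")
    rev = clean[::-1]                      # whole-string bit reversal
    if rev[:48] != "0" * 48:
        raise ValueError("expected 48 leading zero bits after reversal")
    payload = rev[48:]                     # 8 bytes + 16-bit card number
    fields = {name: int(payload[i * 8:(i + 1) * 8], 2)
              for i, name in enumerate(FIELD_NAMES)}
    fields["card"] = int(payload[64:80], 2)
    # Sanity check: the two bytes the post labelled FC should agree.
    fields["fc_consistent"] = fields["fc"] == fields["fc2"]
    return fields


def printed_number(fields: dict) -> str:
    """Rebuild the label printed on the card (leading 3 assumed constant)."""
    return f"{fields['fc']}-3{fields['card']}"


if __name__ == "__main__":
    decoded = decode_cotag(SAMPLE_BITS)
    print(decoded)
    print(printed_number(decoded))   # 161-333593
```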
Hi, I have 3 active cotag tags and I have just finished creating an antenna tuned for 132 kHz (hopefully). This is all tested with iceman fork version v1.7.0.
# LF antenna: 24.89 V @ 125.00 kHz
# LF antenna: 37.40 V @ 134.00 kHz
# LF optimal: 38.64 V @ 131.87 kHz
When using `lf cotag read`, I get the following (tag present):
pm3 --> lf cotag read
Sending bytes to proxmark failed
DEBUG: Error - COTAG too many errors: 65
When using `lf cotag read 2`, I get:
Data: http://pastebin.com/88ufbNdQ
I am a little lost on how to go from here, as I have little understanding of the physics behind RFID and the low-level modulation protocols.
Last edited by Noclafasm (2017-03-11 18:34:57)
So, using the same commands as OP, I tried to capture the reader activation sequence. This sequence repeats and repeats, and I have captured it with my makeshift antenna from around 10 cm away from the reader.
http://pastebin.com/SkKPAMye
Cotag PR-500 C1 Card Reader
Nice. Now some traces or sniffs from it are needed in order to enhance the current Cotag functionality.