Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#101 2015-01-30 18:55:58

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

thefkboss wrote:

you need Password to write

Is it possible to run a Proxmark reader in sniffing mode?
My cards are active, so I can take a backpack with equipment to get the login trace :) (maybe the log will be useful for a brute force attack)


#102 2015-01-30 19:09:05

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Yes, you need the iclass snoop command. The CRC will be wrong but this is normal; the snooped data will be correct and if you are lucky you can get the password. After the snoop you need to send the list command to see the snooped data.

Please explain this:

(ex. Skipass type: 10 days from 14).


#103 2015-01-30 21:01:43

Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

iclass snoop and you will see the password is in clear text B-)


#104 2015-01-30 23:21:54

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

>Yes, you need iclass snoop command. Crc will be wrong but this is normal, snooped data will be correct

As I understand, I need to run the command

hf iclass snoop

>Please explain this:
> (ex. Skipass type: 10 days from 14)

You can buy a ski pass which is valid for 14 days; however, it can be used for any 10 days in this period (10 from 14) - so if we can reset the days counter then we are The Winner :)


#105 2015-01-31 10:12:56

From: France
Registered: 2010-06-15
Posts: 444

Re: Skidata tickets (iso 15693)

It seems to me that you all are ignoring my last post.

1) the snoop command is not versatile because it is not a real versatile digitizer, so it doesn't allow deep analysis of the problem. In fact, in my case it was not able to log anything.

2) these systems use a database and periodic synchronization of it. So whatever you do will be valid for a limited number of hours/days. Moreover, it's easy to be identified and arrested. Better to stop kidding before thinking of stupid solutions.


#106 2015-01-31 13:10:58

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Piorun wrote:

>Yes, you need iclass snoop command. Crc will be wrong but this is normal, snooped data will be correct

As I understand, I need to run the command

hf iclass snoop

>Please explain this:
> (ex. Skipass type: 10 days from 14)

You can buy a ski pass which is valid for 14 days; however, it can be used for any 10 days in this period (10 from 14) - so if we can reset the days counter then we are The Winner :)

So you mean that the byte "40" means "used 4 times"?


#107 2015-01-31 23:18:39

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

asper wrote:

So you mean that the byte "40" means "used 4 times"?

Yes, this counter is incremented on my cards daily (few other bytes also are changing - but I think bytes are related to first and last use of gate)


#108 2015-02-01 17:36:57

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

thefkboss wrote:

iclass snoop and you will see the password is in clear text B-)

Doesn't work, I tested it today :(


#109 2015-02-01 20:06:47

Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

Piorun wrote:

Doesn't work, I tested it today :(

What do you mean when you say it doesn't work:

1º you didn't get any data (after snoop, you have to execute the list command)
2º you get some data but you can't see the password.
3º .......

I have tried with Skidata machines and I can capture the communication with the snoop command

1º snoop and then list commands


You need some distance between the reader and the card, because the reader is too strong and sometimes overlaps the communication


#110 2015-02-01 21:13:33

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

>What do you mean when you say it doesn't work:
I didn't get any data after command "proxmark3> hf iclass list"

> 1º you didn't get any data (after snoop, you have to execute the list command)

You mean:

- hf iclass snoop
- go through the gate: reader  <- 20 cm-> proxmark <- 10 cm -> card
- hf iclass list


#111 2015-02-01 21:42:26

Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

Piorun wrote:

You mean:

- hf iclass snoop
- go through the gate: reader  <- 20 cm-> proxmark <- 10 cm -> card
- hf iclass list

Correct, but sometimes you have to play with distances.
If the reader reads the card, the Proxmark should capture the communication; if not, it is an antenna, distance... problem


#112 2015-02-01 22:03:02

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

I found some sample output in this thread

proxmark3> hf iclass snoop
#db# 3 0 1
#db# 20 bc3 f0
#db# 3 0 1
#db# 20 bc3 f0
proxmark3> hf iclass list
recorded activity:
ETU     :rssi: who bytes

As I understand, I should see some log after the "hf iclass snoop" command (which I ran) and before "hf iclass list".
But today I didn't get any output like "#db# COMMAND FINISHED"?


#113 2015-02-01 23:44:53

From: France
Registered: 2010-06-15
Posts: 444

Re: Skidata tickets (iso 15693)

It is not possible in my opinion, that a turnstile doesn't allow the start of the recording.
The turnstile has a really high signal.
I suppose only 2 solutions:
1) the recording function doesn't work properly (it is not possible to set the trigger level and I'm not sure of what it does)

2) the tag uses fast communication protocol (what is your tag model?)


#114 2015-02-02 00:02:24

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

> the recording function doesn't work properly (it is not possible to set the trigger level and I'm not sure of what it does)
It was tested on pm3-bin-0.0.6, should I try 0.0.7?

>the tag uses fast communication protocol (what is your tag model?)

proxmark3> #db# 12 octets read from IDENTIFY request:                 
proxmark3> #db# NoErr CrcOK                 
proxmark3> #db# ..Dh..f$ 00 02 yy xx 18 07 66 24                 
proxmark3> #db# ...6     16 e0 9b 36                 
proxmark3> #db# UID = E016246607186xxyy                 
proxmark3> #db# 0 octets read from SELECT request:                 
proxmark3> #db# 0 octets read from XXX request: 
proxmark3> hf 15 dumpmem
Reading memory from tag UID=E01624660718xxyy
Tag Info: EM-Marin SA (Skidata)
Block  0   CE 08 0F 77    ...w
Block  1   82 18 60 20    ..`
Block  2   00 38 00 70    .8.p


#115 2015-02-02 00:19:51

Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

I have tried on this

and I can record the communication


#116 2015-02-02 00:48:05

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

I have two types of cards
SKIDATA keycards (13.56 MHz) Basic  (Zell am See)- this one is valid and I'm trying to record the communication
SKIDATA keytix (13.56 MHz) - (SILVAPARK.AT) I can make a card dump, looks like a  SKIDATA keycard Basic


#117 2015-02-02 00:58:13

Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

mine is EM4233 skidatakeycard because is 01- is from a parking system


#118 2015-02-02 09:20:06

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

gaucho wrote:

2) the tag uses fast communication protocol (what is your tag model?)

How to check what type of protocol is used?
I have only 5 days to finish tests (end of holiday).

Last edited by Piorun (2015-02-02 17:57:19)


#119 2015-02-02 10:18:01

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

You cannot. Simply try different positions while snooping with iclass and be sure all your hardware configuration is ok (no power loss or something like that).


#120 2015-02-02 10:25:00

Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

What is the maximum in fast communication?
I've been able to snoop 848kbs mifare desfire in fast communication.
I think it is not a problem of fast communication, I think it is an antenna problem.
If you tune the antenna, what do you get?


#121 2015-02-02 11:35:03

Registered: 2013-04-25
Posts: 9,514

Re: Skidata tickets (iso 15693)

Try the r.0.0.7, since there has been a remake of the list command. From 0.0.7 it's under "hf list iclass"


#122 2015-02-02 17:01:47

Registered: 2015-01-04
Posts: 3

Re: Skidata tickets (iso 15693)

As I promised, here are 7 readings of my skipass after 7 passages through the turnstile. For each of them I have attached the remaining hours and the hh:mm of the passage timestamp as displayed by the turnstile. The first passage belongs to a previous day, the other 6 were done on the same day.
Only 9 bytes change between passages: block 2 byte 4, block 47 bytes 1-4, block 48 bytes 1-4.
@Asper: I have already understood some bytes: block 2 byte 4=counter of the passage made in one day, block 48 byte 1=couple (!!) of remaining minutes, byte 2=day (coded somehow) of passage?, byte 3+8 bits of byte 4=minutes/seconds of passage (expressed in seconds)?, byte 4 last 8 bits=hour of passage.
@Gaucho: can you share what you have found about the meaning of the other bytes?



#123 2015-02-02 18:27:11

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

I verified these:

block02 byte 4=counter of the passage made in one day
block48 byte 1=remaining minutes/2 -> hex

For the other "guessings", maybe time and hours can be stored in a binary clock format. I am short on time these days and I cannot verify them; I paste here the only 3 changing blocks, maybe someone will find the time to verify how date and time are stored:

CHECK 04/01/2015 ??:?? 6h 52m
blocks: data
02: 00 38 00 F0 
47: 20 0C 20 01 
48: CE 60 98 2D 

CHECK 31/01/2015 12:03 6h 48m
02: 00 38 00 10 
47: A0 06 F8 01 
48: CC 20 20 4C 

CHECK 31/01/2015 12:17 6h 36m
02: 00 38 00 20 
47: 70 05 F8 01 
48: C6 20 50 2C 

CHECK 31/01/2015 12:25 6h 28m
02: 00 38 00 30 
47: 40 04 F8 01 
48: C2 20 70 2C 

CHECK 31/01/2015 12:47 6h 06m
02: 00 38 00 40 
47: B0 03 F8 01 
48: B7 20 C8 2C 

CHECK 31/01/2015 13:02 5h 52m 
02: 00 38 00 50 
47: 60 05 F8 01 
48: B0 20 10 2D 

CHECK 31/01/2015 13:15 5h 38m
02: 00 38 00 60 
47: 00 04 F8 01 
48: A9 20 48 2D 

Last edited by asper (2015-02-02 18:27:23)
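
The two fields reported as verified in the post above can be checked against its seven readings. The following Python script is an added example, not code from this thread or from the Proxmark project: it diffs the readings to list which byte positions change, and tests both decodings against the turnstile display. The function names are hypothetical, and reading the counter as the high nibble of block 2 byte 4 is an assumption based on the values F0, 10 ... 60.

```python
import re

# Readings copied from the post above: turnstile display, then the three
# changing blocks (block number -> four bytes as hex).
READINGS = [
    ("04/01/2015 ??:?? 6h 52m", {2: "00 38 00 F0", 47: "20 0C 20 01", 48: "CE 60 98 2D"}),
    ("31/01/2015 12:03 6h 48m", {2: "00 38 00 10", 47: "A0 06 F8 01", 48: "CC 20 20 4C"}),
    ("31/01/2015 12:17 6h 36m", {2: "00 38 00 20", 47: "70 05 F8 01", 48: "C6 20 50 2C"}),
    ("31/01/2015 12:25 6h 28m", {2: "00 38 00 30", 47: "40 04 F8 01", 48: "C2 20 70 2C"}),
    ("31/01/2015 12:47 6h 06m", {2: "00 38 00 40", 47: "B0 03 F8 01", 48: "B7 20 C8 2C"}),
    ("31/01/2015 13:02 5h 52m", {2: "00 38 00 50", 47: "60 05 F8 01", 48: "B0 20 10 2D"}),
    ("31/01/2015 13:15 5h 38m", {2: "00 38 00 60", 47: "00 04 F8 01", 48: "A9 20 48 2D"}),
]


def block_bytes(reading, block):
    """Return the four bytes of one block of a reading."""
    return bytes.fromhex(reading[1][block])


def displayed_minutes(label):
    """Parse the 'Xh YYm' remaining time shown by the turnstile into minutes."""
    match = re.search(r"(\d+)h (\d+)m", label)
    if match is None:
        raise ValueError(f"no remaining time in label: {label!r}")
    return int(match.group(1)) * 60 + int(match.group(2))


def changing_positions(readings):
    """List (block, byte) positions, bytes numbered from 1, that differ between readings."""
    positions = []
    for block in sorted(readings[0][1]):
        columns = zip(*(block_bytes(r, block) for r in readings))
        for index, column in enumerate(columns, start=1):
            if len(set(column)) > 1:
                positions.append((block, index))
    return positions


def remaining_minutes_check(readings):
    """Test 'block 48 byte 1 = remaining minutes / 2' against every display value."""
    rows = []
    for reading in readings:
        decoded = block_bytes(reading, 48)[0] * 2
        shown = displayed_minutes(reading[0])
        rows.append((reading[0], decoded, shown, decoded == shown))
    return rows


def passage_counter(reading):
    """High nibble of block 2 byte 4 (assumed position of the passage counter)."""
    return block_bytes(reading, 2)[3] >> 4


if __name__ == "__main__":
    print("changing (block, byte):", changing_positions(READINGS))
    for label, decoded, shown, ok in remaining_minutes_check(READINGS):
        print(f"{label}: decoded {decoded} min, shown {shown} min, match={ok}")
    print("counters:", [passage_counter(r) for r in READINGS])
```

On these seven readings the diff reports eight changing positions, because block 47 byte 4 reads 01 every time, and the remaining-minutes decoding matches the display in all seven cases.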


#124 2015-02-02 23:22:23

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

tarcisiomerlot wrote:

@Asper: I have already understood some bytes: block 2 byte 4=counter of the passage made in one day

What type of skipass do you use?
I have a skipass valid for 14 days, and 'block 2 byte 4=counter' is incremented only once per day (Kaprun AT).


#125 2015-02-03 07:45:28

From: France
Registered: 2010-06-15
Posts: 444

Re: Skidata tickets (iso 15693)

thefkboss wrote:

I have tried on this

and I can record the communication

These are parking systems, while we're trying pm on turnstiles with extended operative temperature and bigger antennas


#126 2015-02-03 07:51:52

From: France
Registered: 2010-06-15
Posts: 444

Re: Skidata tickets (iso 15693)

Piorun wrote:
gaucho wrote:

2) the tag uses fast communication protocol (what is your tag model?)

How to check what type of protocol is used?
I have only 5 days to finish tests (end of holiday).

Now I'm not on my PC. Looking at the UID you should be able to identify the model. Once you know your tag model, you can find the datasheet. On mine it is written that a fast protocol is supported


#127 2015-02-03 08:19:35

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

Piorun wrote:
tarcisiomerlot wrote:

@Asper: I have already understood some bytes: block 2 byte 4=counter of the passage made in one day

What type of skipass do you use?
I have a skipass valid for 14 days, and 'block 2 byte 4=counter' is incremented only once per day (Kaprun AT).

I do not have those tags, I just quickly analyzed your data.
To check the chip inside your tag, read it again with pm3 client 0.0.7; it should name it.


#128 2015-02-03 19:06:17

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

Today I was able to record the data sent by the reader, but not the data sent by the card (the Proxmark antenna was in a backpack); maybe this is enough to read the password?

proxmark3> hf list iclass
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# cancelled_a
#db# 4 0 0
#db# 20 83 f0
Recorded Activity (TraceLen = 131 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Rdr | 27  01  00  2a  50                                              |     | ?
         0 |         0 | Rdr | 13  23  00  03  76  c4                                          |     | ?
         0 |         0 | Rdr | 13  23  1c  02  ce  e9                                          |     | ?
         0 |         0 | Rdr | 13  23  2a  01  27  39                                          |     | ?
         0 |         0 | Rdr | 13  23  1f  01  3d  f1                                          |     | ?
         0 |         0 | Rdr | 13  23  04  02  9f  b2                                          |     | ?


#129 2015-02-03 22:28:57

Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

Distance problem, antenna.....???
What card do you have, sle, em......?
That log is incomplete; the reader has to send the password.
Good progress


#130 2015-02-03 23:59:03

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

Out of subject: Today I got skipass from Italy
'Dolomity SKIPASS'
(10) Valle Isarco
5 days    J

proxmark3> hf 15 dumpmem
Reading memory from tag UID=E004015029720300
Tag Info: NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)
Block 00   D4 08 03 BE    ....
Block 01   C2 1D 02 00    ....
Block 02   4E 29 EF 11    N)..
Block 03   12 20 53 42    . SB
Block 04   1B 00 00 00    ....
Block 05   00 00 00 00    ....
Block 06   00 00 00 00    ....
Block 07   00 00 00 00    ....
Block 08   00 00 00 00    ....
Block 09   00 00 00 00    ....
Block 0a   00 00 00 00    ....
Block 0b   00 00 00 00    ....
Block 0c   00 00 00 00    ....
Block 0d   00 00 00 00    ....
Block 0e   00 00 00 00    ....
Block 0f   00 00 00 00    ....
Block 10   00 00 00 00    ....
Block 11   00 00 00 00    ....
Block 12   02 92 30 05    ..0.
Block 13   00 00 00 84    ....
Block 14   3D 82 C8 47    =..G
Block 15   8B B1 EC 03    ....
Block 16   41 61 BC 94    Aa..
Block 17   7B 2F CD 18    {/..
Block 18   43 29 B5 BB    C)..
Block 19   F7 80 72 F0    ..r.
Block 1a   B6 90 F5 F3    ....
Block 1b   D1 0A 6F 7C    ..o|
Tag returned Error 15: Unknown error.


#131 2015-02-04 00:12:56

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

thefkboss wrote:

what card do you have sle, em......?

How to check this?

proxmark3> hf 15 dumpmem
Reading memory from tag UID=E0162466059BC8E6
Tag Info: EM Microelectronic-Marin SA Switzerland (Skidata)
Block 00 
{ 0xE016000000000000LL, 16, "EM Microelectronic-Marin SA Switzerland (Skidata)" },
{ 0xE016040000000000LL, 24, "EM-Marin SA (Skidata Keycard-eco); EM4034? no 'read', just 'readmulti'" },
{ 0xE0160c0000000000LL, 24, "EM-Marin SA; EM4035?" },
{ 0xE016100000000000LL, 24, "EM-Marin SA (Skidata); EM4135; 36x64bit start page 13" },
{ 0xE016940000000000LL, 24, "EM-Marin SA (Skidata); 51x64bit" },

Last edited by Piorun (2015-02-04 00:32:10)


#132 2015-02-04 00:33:49

Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

Tag Info: NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)


#133 2015-02-04 09:50:42

Registered: 2015-02-04
Posts: 4

Re: Skidata tickets (iso 15693)

Hi everyone, looks like this is the place to go to deepen the study around this topic. I didn't find such a comprehensive collection of info anywhere else than here all over the net.
I'm looking at an Italian resort which basically has the same pattern of card issuing as others. They allow online top-up of the card by using the serial to identify it, but I realized that they have preactivated serials for one-use-only cards to be used in store promotions all over the country. For instance, I can be in a store far from the resort with some kind of promotion and get a free ski pass, which in fact is a card known to the main database which is waiting to be activated by the first passage at the turnstile. I would like to target those serials which are not yet activated and are still sitting in some store drawers. The logic behind this should be simple. Right now I'm collecting serials of cards which come from the same store to see if there is any sub-sequentiality, which I guess there will be. Then I will just need to change the serial of the card on an existing one with other bytes zeroed like a brand new one..... What do you think about that?


#134 2015-02-04 10:02:20

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

It is NOT POSSIBLE to modify a UID/Serial for ISO15693 cards/tags (and the above mentioned cards are all ISO15693); no one has ever emulated an ISO15693 tag until now, so it will be impossible for you to do what you are trying to do. Also, serials are written at the tag factory, so even ski resorts have no control over them; they receive them "as is", and they can only put the serial in the database and add/remove features to it.

Last edited by asper (2015-02-04 10:06:20)


#135 2015-02-04 10:11:51

Registered: 2015-02-04
Posts: 4

Re: Skidata tickets (iso 15693)

So what would be the way to proceed with a not yet activated card?
If we don't have chances to work on the UID, I don't see any way out, as they are the primary key for the card in the activated database....


#136 2015-02-04 23:11:09

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

Here is the full log, but I don't see any password (I removed duplicated responses from the tag with the same value - I think it is noise):

         0 |         0 | Tag | bb  d4  bb  0f  0b  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0b  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 13  23  2c  03  56  84                                          |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  00  00  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0e  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0c  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 13  21  31  00  11  3c  15  1e  51                              |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  02  bb                                  |  ok |
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |
         0 |         0 | Rdr | 13  21  02  00  38  00  b0  8d  0d                              |     | ?
         0 |         0 | Tag | bb  d4  bb  0f  0f  0f  04  bb                                  |  ok |


#137 2015-02-05 00:14:06

Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

I don't know if that log is ok?
Do you have any of that data in your card?
I think the tag answer is different from your card, you don't have any of that data in your card?
Do you find any similarity with the info inside your card??
Your card is supposed to be a sl2s2002 or sl2s2102

and in that log I can't see any card command described in the datasheet
or the log is wrong or is not a philips sl2s2002 or sl2s2102 or proxmark sniffing error, or maybe I'm wrong.


#138 2015-02-05 01:40:21

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

01 is the "inventory" but I don't think that tag answer is good... look at your dumps and see if there are any of those byte sequences in the tag memory.

23 is the read a range of blocks while 21 is write a block.

Last edited by asper (2015-02-05 08:14:12)


#139 2015-02-05 08:58:06

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

asper wrote:

01 is the "inventory" but I don't think that tag answer is good... look at your dumps and see if there are any of those byte sequences in the tag memory.

23 is the read a range of blocks while 21 is write a block.

Log: Rdr | 13  21  02  00  38  00  b0  8d  0d                             
Tag: Block 02   00 38 00 B0    .8..

Log:  Rdr | 13  21  31  00  11  3c  15  1e  51 
Tag:  Block 31   00 11 3C 15    ..<.


#140 2015-02-05 09:05:09

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

This is correct because 21 02 means write (21) block 2 (02), while 21 31 means write (21) block 49 (31).
23  00  03 means read from block 00 to block 03.

What is strange is the continuous tag answer, can you find "bb  d4  bb  0f  0f  0c  04  bb" or other tag-answered bytes in your dump ?

Anyway it seems you were not lucky, no password seems to be sent during your snoop time.

Last edited by asper (2015-02-05 09:07:19)
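The frame reading given in posts #138 to #140, as an added example (not code from the thread or from the Proxmark3 project): it decodes the reader rows of the listing and checks the sniffed write payloads against the dumped blocks. The function names and the frame layout (first byte, command, parameters, two CRC bytes) are assumptions based on the posts; the CRC bytes are carried along unchecked because the thread says snooped CRCs are unreliable.

```python
# Added example: decode reader ("Rdr") rows of a snoop listing.
# Assumed frame layout: first byte | command | parameters | 2 CRC bytes.
COMMANDS = {0x01: "inventory", 0x21: "write block", 0x23: "read block range"}

# Rows copied from the listing in this thread (column padding shortened).
TRACE = """\
 0 | 0 | Rdr | 13  23  2c  03  49  05              |     | ?
 0 | 0 | Tag | bb  d4  bb  0f  0f  0f  04  bb      |  ok |
 0 | 0 | Rdr | 13  21  31  00  11  3c  15  1e  51  |     | ?
 0 | 0 | Rdr | 13  21  02  00  38  00  b0  8d  0d  |     | ?
"""

# Block contents the poster read back from the card (post #139).
DUMP = {0x02: bytes.fromhex("003800B0"), 0x31: bytes.fromhex("00113C15")}


def parse_row(line):
    """Return (source, frame bytes) for one listing row, or None if malformed."""
    cols = [c.strip() for c in line.split("|")]
    if len(cols) < 4 or cols[2] not in ("Rdr", "Tag"):
        return None
    try:
        return cols[2], bytes(int(b, 16) for b in cols[3].split())
    except ValueError:
        return None


def decode_request(frame):
    """Decode one reader frame. CRC bytes are kept but not checked."""
    if len(frame) < 4:
        return {"cmd": "truncated"}
    cmd, body = frame[1], frame[2:-2]
    out = {"cmd": COMMANDS.get(cmd, "unknown 0x%02x" % cmd), "crc": frame[-2:].hex()}
    if cmd == 0x21 and len(body) == 5:      # block number + 4 data bytes
        out.update(block=body[0], data=body[1:])
    elif cmd == 0x23 and len(body) == 2:    # first block, then count minus one
        out.update(first=body[0], last=body[0] + body[1])
    return out


def reader_requests(trace):
    rows = filter(None, (parse_row(l) for l in trace.splitlines()))
    return [decode_request(frame) for src, frame in rows if src == "Rdr"]


def writes_matching_dump(trace, dump):
    """Blocks whose sniffed write payload equals the dumped block content."""
    return [r["block"] for r in reader_requests(trace)
            if "data" in r and dump.get(r["block"]) == r["data"]]
```
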


#141 2015-02-05 09:44:09

Registered: 2008-10-26
Posts: 198

Re: Skidata tickets (iso 15693)

Thanks asper.
Piorun, you lost reader packets, because before a write you need the password command.


#142 2015-02-05 22:56:56

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

asper wrote:

I verified these:

block02 byte 4=counter of the passage made in one day
block48 byte 1=remaining minutes/2 -> hex

CHECK 31/01/2015 12:03 6h 48m
02: 00 38 00 10 
47: A0 06 F8 01 
48: CC 20 20 4C 

Could you explain this:

Remaining time is 6h 48m
Block#48:byte#1 = CC

CC/2 = 66 Hex -> 102 Dec -> 1h 42m  - how to interpret the value ?


#143 2015-02-05 23:28:45

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

6h 48m = 408m /2 = 204 -> CCh


#144 2015-02-06 00:59:36

Registered: 2015-02-06
Posts: 5

Re: Skidata tickets (iso 15693)

Dear all,

   I'm following your topic while trying to test and understand a comparable topic for another location, but I'm having some interrogation regarding hf 15 functions...

   UID of my tag seems to be written on it but hf 15 reader and hf 15 dumpmemory seems to


#145 2015-02-06 01:09:02

Registered: 2015-02-06
Posts: 5

Re: Skidata tickets (iso 15693)

(sorry for the incomplete post...)

...hf 15 seems to reverse the UID, for example, on a tag written as: B2F9597E-A0E-BC1
   I have following results :
              proxmark3> hf 15 reader
                                  #db# ....Y~.. 00 00 b2 f9 59 7e 00 01                 
                                  #db# ...S     04 e0 fe 53                 
                                  #db# UID = E00401007E59F9B2                 

               proxmark3> hf 15 dumpmemory
                                  Reading memory from tag UID=E00401007E59F9B2

Did you experience the same behavior?

On another note, I was wondering how you succeed in snooping with iclass (iso 14443) the communication of a skipass (iso 15693); isn't it problematic snooping with the iclass function?


#146 2015-02-06 08:59:12

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

A correct iso15693 UID starts with E0 (iso15693 definition).

iclass is not iso14443 nor iso15693 but it uses a protocol compatible with iso15693 and indeed snoop is working.

Last edited by asper (2015-02-06 09:07:20)


#147 2015-02-06 09:34:26

Registered: 2008-08-24
Posts: 1,409

Re: Skidata tickets (iso 15693)

I missed this one:

Piorun wrote:
thefkboss wrote:

what card do you have sle, em......?

how to check this?

proxmark3> hf 15 dumpmem
Reading memory from tag UID=E0162466059BC8E6
Tag Info: EM Microelectronic-Marin SA Switzerland (Skidata)
Block 00 
{ 0xE016000000000000LL, 16, "EM Microelectronic-Marin SA Switzerland (Skidata)" },
{ 0xE016040000000000LL, 24, "EM-Marin SA (Skidata Keycard-eco); EM4034? no 'read', just 'readmulti'" },
{ 0xE0160c0000000000LL, 24, "EM-Marin SA; EM4035?" },
{ 0xE016100000000000LL, 24, "EM-Marin SA (Skidata); EM4135; 36x64bit start page 13" },
{ 0xE016940000000000LL, 24, "EM-Marin SA (Skidata); 51x64bit" },

It is an EM4233, it should be correctly identified in the 0.0.7 version (please let us know if it is).
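The byte reversal asked about in post #145 and the prefix table quoted in post #147, worked through as an added example (not code from the thread or from the Proxmark3 project). The response bytes and table rows are copied from the posts; the function names and the longest-prefix rule are assumptions.

```python
# Added example: UID byte order and prefix-table lookup for ISO 15693 tags.

# (value, significant leading bits, description), copied from post #147.
PREFIXES = [
    (0xE016000000000000, 16, "EM Microelectronic-Marin SA Switzerland (Skidata)"),
    (0xE016040000000000, 24, "EM-Marin SA (Skidata Keycard-eco); EM4034? no 'read', just 'readmulti'"),
    (0xE0160C0000000000, 24, "EM-Marin SA; EM4035?"),
    (0xE016100000000000, 24, "EM-Marin SA (Skidata); EM4135; 36x64bit start page 13"),
    (0xE016940000000000, 24, "EM-Marin SA (Skidata); 51x64bit"),
]

# Raw inventory response from post #145: flags, DSFID, 8 UID bytes, 2 CRC bytes.
RESPONSE = bytes.fromhex("0000b2f9597e000104e0fe53")


def uid_from_inventory(resp):
    """Return the UID as an MSB-first hex string; on the air it is sent LSB first."""
    if len(resp) != 12:
        raise ValueError("expected 12 bytes: flags, DSFID, UID[8], CRC[2]")
    uid = resp[2:10][::-1]          # reverse the transmitted byte order
    if uid[0] != 0xE0:
        raise ValueError("not an ISO 15693 UID (must start with E0)")
    return uid.hex().upper()


def identify(uid_hex, table=PREFIXES):
    """Longest-prefix match of a UID against the table; None if nothing fits."""
    uid = int(uid_hex, 16)
    best = None
    for value, bits, text in table:
        mask = ((1 << bits) - 1) << (64 - bits)   # keep only the leading bits
        if uid & mask == value & mask and (best is None or bits > best[0]):
            best = (bits, text)
    return best[1] if best else None


if __name__ == "__main__":
    print(uid_from_inventory(RESPONSE))
    print(identify("E0162466059BC8E6"))
```

The UID from the dump above starts with E01624, which none of the 24-bit rows cover, so only the generic 16-bit row matches, the same description the tool printed.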


#148 2015-02-09 10:19:49

Registered: 2013-08-22
Posts: 15

Re: Skidata tickets (iso 15693)


What are the possibilities to write to the tag? I tested with the Android app RFID NFC tool and can write only from block 4 to 27. The rest gives me an error: Action failed.(0x21) 01 0F

the tag is: EM4x3x (for customer 066)
UID e01624660925e3b0

There are interesting changes in blocks 42 to 49


The first is 50 points, the last is 0 points. The first was decreased by 3 points, the last two are decreased by 4 points.

42     06289f1e    06289f1e    06289f1e    06289f1e    06289f1e        06289f1e    06289f1e    06289f1e
43     a0051b01    a0051b01    a0051b01    a0051b01    a0051b01        a0051b01    a0051b01    a0051b01
44     e81437ca    e81437ca    e81437ca    e81437ca    e81437ca        e81437ca    e81437ca    e81437ca
45     46518647    46518647    46518647    46518647    46518647        46518647    46518647    46518647
46     50131d31    50131d31    50131d31    50131d31    50131d31        50131d31    50131d31    50131d31
47     00000000    60000000    60000000    60000000    60000000        60000000    60000000    80000000
48    e2005906    c280f705    59003a05    5a003a05    4500b903        3200b903    5180bd00    bd801f00
49    00003200    00c83200    00c82c00    00d02600    00e42000        00d01a00    00ec0800    00fc0000

day card after 13h



before use.    day end
after 11h.      after 11h

0628a71c    0628a71c
c0051b01    c0051b01
d43437c2    d43437c2
8653f044    8653f044
f0fe5531    f0fe5531
11000000    00000000
000080fc    0000c03f
00f8e937    00000000

block 42 seems to be date
block 47 gate or start-end
block 48-49 points

How to interpret?


#149 2015-02-09 12:17:34

Registered: 2013-08-22
Posts: 15

Re: Skidata tickets (iso 15693)

to the post above:

day card after 13h is on 06.02.2015


#150 2015-02-11 10:29:59

Registered: 2015-01-29
Posts: 57

Re: Skidata tickets (iso 15693)

asper wrote:

I missed this one:

Piorun wrote:
thefkboss wrote:

what card do you have sle, em......?

how to check this?

proxmark3> hf 15 dumpmem
Reading memory from tag UID=E0162466059BC8E6
Tag Info: EM Microelectronic-Marin SA Switzerland (Skidata)
Block 00 
{ 0xE016000000000000LL, 16, "EM Microelectronic-Marin SA Switzerland (Skidata)" },
{ 0xE016040000000000LL, 24, "EM-Marin SA (Skidata Keycard-eco); EM4034? no 'read', just 'readmulti'" },
{ 0xE0160c0000000000LL, 24, "EM-Marin SA; EM4035?" },
{ 0xE016100000000000LL, 24, "EM-Marin SA (Skidata); EM4135; 36x64bit start page 13" },
{ 0xE016940000000000LL, 24, "EM-Marin SA (Skidata); 51x64bit" },

It is an EM4233, it should be correctly identified in the 0.0.7 version (please let us know if it is).

The log is from the 0.0.7 version, so it isn't correctly recognized

Last edited by Piorun (2015-02-11 10:32:37)

