Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device!


#1 Re: Questions and Requests » SRIX4K dump analysis » Yesterday 13:27:21

I see your humility is as great as your intelligence. Please go steal some milk instead of wasting people's time begging for lazy "improvements". I was thinking of stopping the release of the Windows and Android versions, and threads and answers like this one will probably bring me nearer to this decision.

Being extremely clear

Does nobody intend to implement the srix write capability in the pm3 commands?

And this is a polite request.

It is hard to make some research with the read capability only...

Who cares if you have difficulties in your stealing research (your name is significant in that way) ? You can study and this is enough to "research". Buy a cheaper chinese reader.

For the same reasons the other "write" commands should not exist (and we should use the raw for mifare, t555x, etc.)

A reason that you seem not to be able to explain, so I will: LAZINESS! Mifare anticollision and authentication is far more complicated in terms of commands than srix.
T55x ? You don't know what you are talking about.

And for the same reasons (study) the "lf snoop" should work.

This is a TOTALLY DIFFERENT stuff; this is something that someone, one day, will fix, absolutely not related to adding lazy commands like the ones you are requesting.


This forum was GREAT because "thieves" were not able to find a way to express themselves, i hope it will remain that way.

No more answers form me about those subjects (decoding keys, etc).


Hope not to hear this kind of stuff from anybody soon.

#2 Re: Questions and Requests » SRIX4K dump analysis » 2014-10-29 18:51:38

You said it right, it is YOUR opinion !
As I stated in the win thread, pm3 IS NOT for lazy people, and what you call "incoherences" in my opinion can be considered "laziness" because, for example, YOU CAN WRITE a srix4k tag with pm3 even if this is not the easiest way; pm3 was born to study RFID, not to "write tags"; there are absolutely NO DISCREPANCIES between the Linux, Windows and Android versions, all pm3 executables are EXACTLY the same! If someone built a GUI to make things easier, this is a different kettle of fish, absolutely not related to pm3 itself (GUI sources are available if you want to port them to another platform!).

If something related to pm3 developing

could instead encourage people to collect a lot of Chinese readers/writers and leave the PM3 as a knick-knack.

it is not important at all ! I can survive if people go and buy chinese stuff because I am ABSOLUTELY SURE they do not want to study, they probably want to do something else so "golden bridges to those fleeing".

One last thing:

For example, if somebody today implements "srix4kwrite" as a LUA script, and tomorrow the Windows GUI has "srix4kdump", you'll have the "srix4k" function family scattered across versions. It would be ridiculous, unusable, not serious... And can drive you crazy...

How can a thing like the one you described above drive someone crazy? Again, sentences like that one keep away developers and really interested people because what you are asking for (srix write command) is something absolutely unuseful and, more important, already doable, so if you want to bring respect to real devs (unfortunately I cannot consider myself one of them) you should avoid asking for that kind of lazy stuff, because real devs spend A LOT OF THEIR TIME improving their knowledge and testing things in the field, and I give them so much appreciation when they decide to share their discoveries with us.

#3 Re: Questions and Requests » SRIX4K dump analysis » 2014-10-29 15:30:58

You can make a lua script.

Anyway I already implemented srix basic functions in the windows gui.

#4 Re: Questions and Requests » SRIX4K dump analysis » 2014-10-29 08:52:19

SRIX4K writing capability is already available through ISO14443B raw commands since r762.

#5 Re: iClass » Potential IP infringement issues » 2014-10-25 22:18:35

Just read the new disclaimers in console firmwares (ps3, ps4, wiiu): they state it is illegal, and their software is widespread in many countries.
Anyway you are free to do whatever you want, and I must thank you for your improvements, just be conscious that actions can have (bad) consequences.

#6 Re: iClass » Potential IP infringement issues » 2014-10-25 20:50:10

But the stuff we write ourselves is another matter completely.

If it explains how to avoid/circumvent a security system (or worse, it does the "hack" automatically) I can assure you that this is not legal, at least in a lot of countries. Also modchips are illegal in a lot of countries; we can argue about whether this is correct or not, but actually they are illegal, so you can be prosecuted if you produce/resell them.

I substantially agree with the rest of your statement, in particular with your last sentence.

#7 Re: iClass » Potential IP infringement issues » 2014-10-25 19:58:09

I am sorry holiman, but rules are rules, and not knowing (ignorance) or not listening (arbitrary exercise of the will) to them cannot be considered freedom of speech. A simple example: if I discover a way to break into a security system and I arbitrarily decide to tell it to the community, I can/must be legally prosecuted, and this is correct because the disclosure must be "wise", that is to say I need to inform the security system administrator before releasing the "exploit" to the public; if he is not doing anything to solve the problem in a reasonable time, I can inform the masses to protect them from the exploit. This is what I think is the best way to behave (and I think yours too). In this specific case the "exploit" was already widely known, so I think that in this specific case you are not in the wrong.

#8 Re: iClass » Potential IP infringement issues » 2014-10-24 20:32:18

I agree with you holiman, but before stating that what you are doing is not "shadowy or suspicious" you should consider that things that are legal in one country may not be in another. I suggest you ask a lawyer before publishing stuff; this is a general consideration, not specific to this thread's subject.

#9 Re: MIFARE Classic » How to tell if I am buying a magic card? » 2014-10-24 20:25:07

If you want to use your phone you need to buy a version supported by the phone. Actually there are 2 "versions" of those changeable UID chips (probably manufactured by different people):

- the first kind of tag (the oldest ones), also known as "backdoored", which means they need some special commands (backdoor) to be sent before you will be able to freely write any block; this one is NOT USABLE with ANY mobile phone
- a second kind of tag (newer) to which you can send normal mifare commands to freely write any block; this one can be used with mobile phones compatible with NFC and mifare (not all mobile phones support mifare).

It is IMPOSSIBLE to say which ones are sold on the internet; you need to ask the seller, and even if they tell you "yes, it is the newer one" you will not be able to know if this is true until you test it.

If you do not have a proxmark3 or other specific hardware+software you will not be able to write the UID on the 1st kind of tags.

#10 Re: Various Tools and Utilities » New algo discovered » 2014-10-23 22:28:16

OK, I understand now, thank you for the clarification.

My findings also work:

00 - 195225786 = 1011101000101110100010111010
01 - 195225787 = 1011101000101110100010111011
02 - 195225784 = 1011101000101110100010111000
03 - 195225785 = 1011101000101110100010111001
04 - 195225790 = 1011101000101110100010111110
05 - 195225791 = 1011101000101110100010111111
06 - 195225788 = 1011101000101110100010111100
07 - 195225789 = 1011101000101110100010111101
08 - 195225778 = 1011101000101110100010110010
09 - 195225779 = 1011101000101110100010110011
10 - 195225776 = 1011101000101110100010110000
11 - 195225777 = 1011101000101110100010110001
12 - 195225782 = 1011101000101110100010110110
13 - 195225783 = 1011101000101110100010110111
14 - 195225780 = 1011101000101110100010110100
15 - 195225781 = 1011101000101110100010110101
16 - 195225770 = 1011101000101110100010101010
17 - 195225771 = 1011101000101110100010101011

You can see that there is a sort of "base4" coding; consider the last 6 bits only:

111010
111011
111000
111001

111110
111111
111100
111101

110010
110011
110000
110001

100110
100111
100100
100101

and so on with the higher bits, so in my opinion there is a base4 coding of the decimal short value.

#11 Re: Various Tools and Utilities » New algo discovered » 2014-10-23 18:36:31

Sorry man, an example:

06 - 195225788

06 => H06 ==> 0xor6 = 6
195225788 => HBA2E8BC ==> BxorC = 7

Maybe it is "xor the last 2 hex values MINUS ONE of the large number and the hex value of the small value"... or not?

#12 Re: Various Tools and Utilities » New algo discovered » 2014-10-23 17:31:48

Yes, the double 11 is a typo, sorry!
I converted to bin and saw a 2-bit base4 correlation/progression, obviously starting from the last 2 bits:
10
11
00
01
try to decode in bin; I think it better solves the problem.

#13 Various Tools and Utilities » New algo discovered » 2014-10-23 11:21:23

asper
Replies: 9

00 - 195225786
01 - 195225787
02 - 195225784
03 - 195225785
04 - 195225790
05 - 195225791
06 - 195225788
07 - 195225789
08 - 195225778
09 - 195225779
10 - 195225776
11 - 195225777
12 - 195225782
13 - 195225783
14 - 195225780
15 - 195225781
16 - 195225770
17 - 195225771

I recently came across a new algo (not exactly RFID related) and I think I found it out; on the left is the shown value, on the right the real written value (finding the relation was not easy, but I am almost sure it is correct); my "progression" seems to be correct, can someone explain it mathematically? It should be "base4-something" but I am not able to implement it in Excel...
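The 18 pairs in this thread, checked against one candidate relation, as an added example that is not part of asper's post: the value written for 00 is 0xBA2E8BA, and every other row differs from it by exactly the bits of the shown value, so the posted table is consistent with written = shown XOR 0xBA2E8BA. The code below verifies that fit row by row and also reproduces the 10/11/00/01 low-bit cycle noticed in the thread, which is what XOR against a key ending in ...10 produces; nothing beyond the posted numbers is assumed.

```python
# Added example (not from the forum post): test whether the posted table is
# explained by XOR against a fixed constant. The only input is the table itself.

# The 18 pairs exactly as posted in the thread (shown value -> written value).
POSTED_TABLE = {
    0: 195225786, 1: 195225787, 2: 195225784, 3: 195225785,
    4: 195225790, 5: 195225791, 6: 195225788, 7: 195225789,
    8: 195225778, 9: 195225779, 10: 195225776, 11: 195225777,
    12: 195225782, 13: 195225783, 14: 195225780, 15: 195225781,
    16: 195225770, 17: 195225771,
}

# A shown value of 0 leaves the key untouched, so row 00 *is* the key (0xBA2E8BA).
KEY = POSTED_TABLE[0]


def encode(shown: int) -> int:
    """Shown value -> written value under the candidate relation."""
    return shown ^ KEY


def decode(written: int) -> int:
    """Written value -> shown value (XOR with a constant is its own inverse)."""
    return written ^ KEY


def mismatches(table=POSTED_TABLE):
    """Every (shown, written) pair the candidate relation fails on; empty = fits."""
    return [(s, w) for s, w in table.items() if encode(s) != w]


def low_bits(written: int, n: int = 6) -> str:
    """Low n bits of a written value, the 'base4' view described in the thread."""
    return format(written & ((1 << n) - 1), f"0{n}b")


def group_pattern(table=POSTED_TABLE):
    """Low 2 bits of each row in shown-value order: the 10/11/00/01 cycle."""
    return [low_bits(table[s], 2) for s in sorted(table)]


if __name__ == "__main__":
    print("key = 0x%X (%d)" % (KEY, KEY))
    print("rows not explained by XOR with the key:", mismatches())
    for s in sorted(POSTED_TABLE):
        print(f"{s:02d} -> {POSTED_TABLE[s]}  low6={low_bits(POSTED_TABLE[s])}")
```

Because the relation is a plain XOR with a constant, `decode` recovers the shown value from any written value, not just the 18 posted ones.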

#14 Re: MIFARE Classic » mifare reverse engenering??? » 2014-10-23 08:35:29

I don't understand what you want to know. If you want, come to IRC freenode #proxmark3

#15 Re: MIFARE Classic » mifare reverse engenering??? » 2014-10-22 22:08:37

If you XOR the same numbers you will always obtain the same result... how can "A0A1A2A3A4A5 xor CAFED7DD4A09" = a variable value? I think you need to study A LOT more in your "srix" forums...

#16 Re: Questions and Requests » TI Tag-It HF-I "factory locked blocks" » 2014-10-22 21:55:29

I think the tag serial/id is "locked" somehow to the device it is used for; without cloning its serial/id you will not be able to copy it, the data alone is not enough.

#17 Re: Questions and Requests » Kantech ioProx » 2014-10-22 07:15:04

Yes, you need to flash the bootloader because the new code has changes needed for the new fpga+os; usually it is not necessary to update also the bootloader, you need to have a look at the sources to see if it has been changed.

#19 Re: MIFARE Ultralight » Ultraligh otp - lockbits » 2014-10-18 10:25:51

Those "vulnerabilities" (better "bad implementations") have been known for (almost) 1 year and yeah, with a lua script you can add it to pm3 in an easy way.

#20 Re: MIFARE Classic » Danish transport system RKF » 2014-10-17 22:23:21

If you have some dumps I would like to have a look.

#21 Re: MIFARE Classic » Danish transport system RKF » 2014-10-17 19:40:12

You can sniff communication between the mobile phone and the tag!

#23 Re: Various Tools and Utilities » HackRF One - A platform for RF analysis - Windows Guide » 2014-10-14 20:32:24

holiman wrote:

I've been diving into sdr, as a pet project I am writing gnuradio-modules to interpret DCS (digitally coded squelch) from a handheld radio (they use DCS / CTCSS to have 'private' channels, by transmitting a sub-audible signal which signals that the squelch should be opened). It's nice to extract that, because then you can jump on any such transmission with the same dcs-key and join the party (I can use my computer to tell the kids it's dinner time).

Anyway, @asper wrote

- 8-bit quadrature samples (8-bit I and 8-bit Q): I don't know what it is, if someone can explain it I will be grateful !

Michael Ossmann has been talking about that in videos 6 and 7. Particularly 7: http://greatscottgadgets.com/sdr/7/. I'm now starting to understand the benefits of using quadrature sampling, and can't help thinking about whether that's something we could do in proxmark. We wouldn't have to start anew from scratch, I think, but maybe have a separate mode for quadrature sampling. It seems a lot simpler to accurately determine PSK / ASK / whatever modulation scheme using that method instead of our current implementations, which are not very robust.

Is there anyone else interested in exploring this?

@asper, on another note, how did you do the mifare reading? I would roughly go through these things...
* set the baseband frequency to 12.56 MHz
* Shift the signal 1 MHz so 13.56 is centered
* Low-pass filter the signal. Check the waterfall graph to see how much bandwidth is needed.
* Decimate heavily, you definitely don't need 20MHz channel width.
* Have the antenna *really* close to the signal source. Or, try to use an inductive antenna (coil) - e.g. a proper pm3 antenna. I used a pm3-antenna on my oscilloscope when doing the iclass-debugging.
* Do a recording to a file-sink. Then do the experimentation on the recorded file using a file sink.

Thank you man for your answer. Unfortunately GNU Radio is still not working with HackRF under Windows, so I cannot use it to manipulate the signal. I tested the Ham It Up converter, but the signal is much worse (almost not visible) than without the Ham It Up converter, so I think something is wrong with my Ham It Up or my antenna... also recordings done with SDR# are not so good, so I am not able to "read" the waveform...

I will do more tests with your suggestions!
