Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#2 Re: Unknown tags » [solved] AZTEK iso14443a compliant tag » 2017-02-01 14:43:02

asper

Reader is probably this one (Modulo+, not Modulo): http://www.aztek.lu/en/products/modulo
Software can be found here: http://www.lmcontrol.com/systemes-paiement/lecteur-privatif-mifare/188-soft-modulo.html
Here you can find useful pdf about how to use software: http://www.lmcontrol.com/images/stories/produits/pdf/

Encryption can be managed by reader firmware but maybe can be decoded by the software; if not, we are out of luck.

#3 Re: Unknown tags » [solved] AZTEK iso14443a compliant tag » 2017-01-30 12:14:10

asper

"Solution of private payment (Aztek)", this should be our case. If not, this can also be an example of the "mysterious" calypso standard (claimed to be supported in the datasheets found on the previous link) but I don't think so.

#4 Re: Unknown tags » [solved] AZTEK iso14443a compliant tag » 2017-01-27 18:02:01

asper

It doesn't answer to mifare commands. UID is 65 93 7f d1.

#5 Re: Unknown tags » [solved] AZTEK iso14443a compliant tag » 2017-01-27 13:57:05

asper

It seems to be a non-crypto iso14443a tag with just basic commands (read/write).

#6 Re: Windows Client » Compiled Windows clients - always up to date » 2016-12-16 20:08:46

asper

Good job gator96100, thank you for your work.

#8 Re: Questions and Requests » Do you recognise these types, are they RFIDs .... » 2016-04-14 07:53:14

asper

They seem to be programmable UHF remote controls, you cannot use pm3 for them.

They usually come in 3 frequencies: 315, 433.92 and 868.3 MHz but the most common one is 433MHz (you can open it and look at the internal oscillator frequency to be sure).

You need to know how to program them; usually you need to hold 1 or 2 buttons at the same time to "erase" the memory and then keep a button pressed while at the same time pressing the button you want to clone on the original remote.

You can "analyze" them if you have something like this.

#10 Re: Calypso » 14B' » 2016-03-22 12:41:51

asper

Great work !

#11 Re: Proxmark Board Innovations » New PM3 with newer chip? » 2016-03-05 23:53:36

asper

What do you think about a hackrf implementation/expansion ?

#12 Re: Proxmark Board Innovations » New PM3 with newer chip? » 2016-02-19 16:51:30

asper

I will be interested!
Kickstarter campaign?

#13 Re: MIFARE Classic » [FINISHED] A popular toy, Disney Infinity » 2016-02-16 13:26:09

asper
junglipar wrote:
iceman wrote:

hm, did you change your DI base firmware?!? or do you call it with one of those node.js-usb projects I've seen and tested on Lego?

No. The DI firmware (STM32F102) calculates the key and gives it to the NFC frontend (MFRC630) which handles the MIFARE authentication. I simply attached my own microcontroller (STM32F103) to the SPI bus and wrote a small program that outputs the key via UART.

Very good P.O.C. ! Did you test some STM32F vulnerabilities ? If so can you share them even if they won't work with DI base ?

#16 Re: Questions and Requests » Is it possible to hack a SKIPASS ? » 2015-12-23 09:29:36

asper

Wrong place, wrong subject and wrong way to ask. Go study before asking those idiot questions.

#17 Re: Questions and Requests » Unknown 13.56MHz tag in toy, not found by hf search, suggestions? » 2015-12-14 15:56:30

asper

It is not ISO standard, probably a simple modulated 13.56MHz interface. You will need an oscilloscope or maybe the new pm3 function but I never used that because it is too recent.

#18 Re: Questions and Requests » Unknown 13.56MHz tag in toy, not found by hf search, suggestions? » 2015-12-09 17:21:57

asper

Do you see a voltage drop before and after positioning the toy over the antenna ? Can you show it ?

#19 Re: MIFARE Ultralight » [FINISHED] a popular toy Lego Dimensions » 2015-12-03 12:21:07

asper

Great sim ! Can you start with 00000000000000 and not 0400000000000 ? Thank you for your support !

#20 Re: MIFARE Ultralight » [FINISHED] a popular toy Lego Dimensions » 2015-12-01 12:52:06

asper

It probably uses a pseudorandom generation algo; collecting UIDs from ...00000, 00001, 00002, 00003 and the corresponding passwords is the only way to try to find it.

#21 Re: MIFARE DESFire » Desfire uid magic card? » 2015-11-26 14:14:03

asper

Icode1 is NOT ISO15693-standard compatible !
I think it will not be the right product for uid-changing purpose.

#22 Re: Questions and Requests » [14b] Trying to read data from card » 2015-11-21 22:56:12

asper

It probably uses the Calypso standard (often used in transport systems) which is proprietary and currently undisclosed to the public (for what I know you need to be a transport service provider and you must pay to have it). If you want to study/reverse it you need to know the command set; you can get some info by sniffing transactions but it will be hard work.

#23 Re: Questions and Requests » [14b] Trying to read data from card » 2015-11-21 00:08:22

asper

Ok, so you can try starting the software, put the card in the reader and show the ATR (I suggest Smart Card Toolset Pro).

#24 Re: Questions and Requests » [14b] Trying to read data from card » 2015-11-19 19:28:52

asper

Do you have a software to send APDUs like Smart Card Toolset Pro ?

#25 Re: Questions and Requests » [14b] Trying to read data from card » 2015-11-19 12:25:15

asper

It seems to be a dual interface smartcard and the data you sniffed are (or seem to be) a smartcard apdu communication transaction (commands that can be sent via contact interface embedded inside an rfid command set); it is good that you managed to sniff.

You should try to sniff the very beginning of the transaction and see if the byte "E0" comes out.

If you have a smartcard (contact!) reader I can give you some commands to be tested.

#26 Re: Windows Client » Compiled Windows Client - Download » 2015-11-19 12:07:31

asper

Added the new rev 2.5.0 to the 1st post.

#27 Re: Android Client » [ERROR] Compiling Android Client in NDK » 2015-11-18 23:53:12

asper

You don't read threads. Marcv81's code is extremely old; jonor and I managed to port it to a more recent release. This project offers NO support, as stated on the 1st page of the proxdroid thread.

If someone wants to contribute, feel free to help, but you are on your own.

#28 Re: Android Client » Compiled Android Client - Download » 2015-11-18 22:59:04

asper

Again, this thread is NOT for support, please stop asking for help here, just open another thread.

#29 Re: Android Client » Compiled Android Client - Download » 2015-11-16 09:17:32

asper

Ask the kernel/rom authors.

#30 Re: Android Client » Compiled Android Client - Download » 2015-11-15 16:40:53

asper

You need the correct compiled file for your exact kernel, other versions will not work. You need to compile it yourself if you are not able to find someone who already compiled it.
Do not try the ones contained in my packet with a kernel different from the ones tested, they will not work.

#31 Re: Questions and Requests » inhova/tesa mifare password » 2015-11-14 14:59:00

asper

4th, 5th and 6th bytes are related to the 1st 3 bytes' values. Not at home to study it further today.

#32 Re: Questions and Requests » 13.56Mhz Sielox tags... » 2015-11-12 15:24:23

asper

This forum is getting populated by I-want-to-fraud people (from experience, Italians to fraud, Chinese people to make money) because too many good people here are kind enough to answer almost every question; my help will not be given to them anymore. Anyway, each user is responsible for the help given so, siop, you can try to explain how stuff seems to be going on but you cannot force people not to give help, you can only "suggest".

#33 Re: MIFARE DESFire » Desfire uid magic card? » 2015-11-11 13:42:16

asper

The important thing is the supported command set... I cannot see it...

#34 Re: Windows Client » Compiled Windows Client - Download » 2015-11-05 00:11:35

asper

Added the new rev 2.4.0 to the 1st post.

It now supports piwi's topaz support ! Settings.xml is updated just for it, not for HF sniff.

#35 Re: iClass » iClass is coming... » 2015-11-04 14:53:08

asper

Unless you are able to extract it yourself NO, you cannot have it.

#36 Re: Windows Client » Compiled Windows Client - Download » 2015-11-03 11:14:49

asper

Added the new rev 2.3.0 to the 1st post.

It now supports HF sniff; settings.xml is not updated, if someone wants to do that I will add them to the release package.

#37 Re: Felica » TOPAZ » 2015-10-27 08:51:57

asper

Added a topaz dump (found on the web) to the 1st post. Encrypted data are only a part (big part) of the NTAG and TOPAZ; the encryption should be the same.

I also think to have an explanation for the 1st 4 "reserved" bytes... iceman ? smile

#39 Re: Felica » TOPAZ » 2015-10-26 08:46:37

asper

Amiibos had been totally reversed, look at this thread in the forum (I suppose the topaz content can be decrypted the same way as the ntag content - not tested).

#40 Re: MIFARE Classic » MCT - An Android NFC-App for reading/writing/analysing/etc. MF Classic » 2015-10-24 23:03:23

asper

Device tested: Samsung Galaxy S4 Value Edition [I9515] is NOT compatible with MCT.

#41 Re: MIFARE Classic » Manufacturer data detailed » 2015-10-21 07:05:27

asper

In original cards the last 2 bytes are year and week. The other bytes have neither an official meaning nor an unofficial speculative meaning.

#42 Re: Questions and Requests » [14b] Trying to read data from card » 2015-10-19 15:25:35

asper

It probably is a CD21 (a chip from ST Microelectronics) contact/contactless smartcard using the Calypso standard (if it is quite old it can be ISO14443B'). 99.9% it is NOT a mifare, but it can be a mifare-emulate (I don't think so).

#44 Re: Installing, compiling & flashing questions » New user - Driver problems » 2015-10-04 18:09:55

asper

You have a libusb bootloader and you are trying to flash over it with the CDC-serial flasher; you need to use the old flasher.

#46 Re: MIFARE Classic » cracking mifare keys » 2015-10-02 13:17:58

asper

Need to test a different mizip; I suspect keys will be the same and not uid-dependent.

#47 Re: MIFARE Ultralight » [FINISHED] a popular toy Amiibo » 2015-09-30 12:47:30

asper

To get the amiibo password without sniffing you can use this online tool.

#48 Re: MIFARE Classic » MCT - An Android NFC-App for reading/writing/analysing/etc. MF Classic » 2015-09-27 08:58:45

asper

Good test tontol1, but even solving that problem there is another one to make it "full raw compatible": the ability to send 7-bit commands instead of 8-bit ones. 26 (or 52) is a 7-bit command that is part of the mifare standard command set managed by the NXP chip. If you want, for example, to "talk" with a magic 1st gen mifare card you must send another 7-bit command [it is 40] that is not coded inside the NXP chip, so even with your method it will not be possible to achieve a full raw.

It is something like SRIX4K support: they are not supported by Android because they are not full ISO14443B and have specific commands not supported by the chipset (at least this is what came out of tests) but maybe with your method this one can be solved because those specific commands (SRIX) are 8-bit [the command is exactly 0600 = INITIATE]. Let us know if you find a way (also for ISO14443B commands) !

#49 Re: Questions and Requests » 13.56Mhz Sielox tags... » 2015-09-27 08:49:01

asper

In theory the tag should start answering with something like an UID while just entering the magnetic field (if it does not want any specific wake-up command).
The answer must be in ISO14443 format to be shown in pm3; if it is ISO14443A, as iceman said, you need to test all the 256 bytes possibilities using the following commands:

hf 14a raw -p 00
hf 14a raw -p 01
hf 14a raw -p 02
hf 14a raw -p 03
hf 14a raw -p 04
hf 14a raw -p 05
hf 14a raw -p 06
hf 14a raw -p 07
hf 14a raw -p 08
hf 14a raw -p 09
hf 14a raw -p 0A
hf 14a raw -p 0B
hf 14a raw -p 0C
hf 14a raw -p 0D
hf 14a raw -p 0E
hf 14a raw -p 0F
hf 14a raw -p 10
hf 14a raw -p 11
hf 14a raw -p 12
hf 14a raw -p 13
hf 14a raw -p 14
....
and so on until FF value (=256).

#50 Re: Questions and Requests » 212$ usd proxmark3 elechouse dev kit version 2.0 » 2015-09-23 11:04:13

asper

It is supposed to be a modified pm3 hardware with support for official pm3 firmware (the site is linking to my compiled firmware releases). Version 2.0.0 does not support pcf write but the site claims it is supported; it is not if you do not update the firmware to the latest revision available (that is NOT 2.0.0), so I don't trust sites that say something that is not real (only to show better compatibility) even if the stuff they sell seems to be good.
