Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device!

#1 Re: Windows Client » Compiled Android Client - Download » Today 17:54:30

1) Link (it's not the full source, just the patches to apply to the main pm3 source)
2) Never compiled for 5.0; try to compile with the sources provided and let me know ;)

#2 Re: MIFARE DESFire » Desfire uid magic card? » Today 10:43:26

2-3 pieces for me too !
I would also like to know which command set will be available (password command ? other commands?); a simple ISO15693 card without some feature will be a total waste of time/money (EM and NXP proprietary commands will be the most appreciated!).

Here is a brief command summary:

MANDATORY COMMANDS (all ISO15693 tags must support those)
01 = Inventory (usage: 260100+2bytes ISO15693-CRC - answer: 12bytes)
02 = Stay Quiet

OPTIONAL COMMANDS (not all tags support them)
20 = Read Block (usage: 0220+1byte block number+2bytes ISO15693-CRC - answer: 4bytes)
21 = Write Block (usage: 0221+1byte block number+4bytes data+2bytes ISO15693-CRC - answer: 4bytes)
22 = Lock Block
23 = Read Multiple Blocks (usage: 0223+1byte 1st block to read+1byte last block to read+2bytes ISO15693-CRC)
24 = Write Multiple Blocks (?up to 2 blocks max?)
25 = Select
26 = Reset to Ready
27 = Write AFI
28 = Lock AFI
29 = Write DSFID
2A = Lock DSFID
2B = Get_System_Info (usage: 022B+2bytes ISO15693-CRC - answer: 14 or more bytes)
2C = Read Multiple Block Security Status (usage: 022C+1byte 1st block security to read+1byte last block security to read+2bytes ISO15693-CRC)

EM Microelectronic CUSTOM COMMANDS
A2 = Set EAS
A3 = Reset EAS
A4 = Lock EAS
A5 = Active EAS
A6 = Protect EAS
A7 = Write EAS ID
A8 = Write EAS Cfg
B4 = Write Password
B6 = Protect Memory Page
B8 = Get Protection Status for a specific block
B9 = Destroy
BA = Enable Privacy
BB = Disable Privacy
BC = Enable Low Security
C3 = Fast Read Multiple Blocks
E4 = Login

NXP/Philips CUSTOM COMMANDS
A0 = Inventory Read
A1 = Fast Inventory Read
A2 = Set EAS
A3 = Reset EAS
A4 = Lock EAS
A5 = EAS Alarm
A6 = Password Protect EAS/AFI
A7 = Write EAS ID
A8 = Read EPC
B0 = Inventory Page Read
B1 = Fast Inventory Page Read
B2 = Get Random Number
B3 = Set Password
B4 = Write Password
B5 = Lock Password
B6 = Bit Password Protection
B7 = Lock Page Protection Condition
B8 = Get Multiple Block Protection Status
B9 = Destroy SLI
BA = Enable Privacy
BB = 64bit Password Protection
40 = Long Range CMD (Standard ISO/TR7003:1990)

Texas Instruments CUSTOM COMMANDS
A2 = Write 2 Blocks
A3 = Lock 2 Blocks
A4 = Kill
A5 = Write Single Block Password

ST Microelectronics
B1 = Write-sector Password
B2 = Lock-sector Password
B3 = Present-sector Password
C0 = Fast Read Single Block
C1 = Fast Inventory Initiated
C2 = Fast Initiate
C3 = Fast Read Multiple Block
D1 = Inventory Initiated
D2 = Initiate

Fujitsu
A0 = Read EAS
A1 = Write EAS
A6 = Kill
B1 = Fast Inventory
C3 = Fast Read Multiple Blocks
C4 = Fast Write Multiple Blocks
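
The usage strings in the post above (260100, 0220+block, 0221+block+data, 022B) as an added example, not part of the original post: a small Python helper that appends and checks the 2-byte ISO15693 CRC. The CRC parameters (reflected polynomial 0x8408, initial value 0xFFFF, complemented, low byte first) are the standard ISO/IEC 13239 ones and are not stated in the post; all function names are hypothetical.

```python
# Added example (not from the forum post): ISO15693 request framing.
# The post only says "2bytes ISO15693-CRC"; the CRC parameters below are the
# ISO/IEC 13239 ones that ISO15693 uses.

COMMANDS = {  # subset of the command table in the post
    0x01: "Inventory", 0x02: "Stay Quiet", 0x20: "Read Block",
    0x21: "Write Block", 0x2B: "Get_System_Info",
}

def crc15693(data: bytes) -> bytes:
    """CRC-16: reflected poly 0x8408, init 0xFFFF, complemented, LSB first."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    crc ^= 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def frame(payload: bytes) -> bytes:
    """Append the CRC to flags + command + parameters."""
    return payload + crc15693(payload)

def crc_ok(raw: bytes) -> bool:
    """True if the last two bytes are the CRC of everything before them."""
    return len(raw) >= 4 and crc15693(raw[:-2]) == raw[-2:]

def inventory() -> bytes:
    # 26 = flags, 01 = Inventory, 00 = mask length
    return frame(bytes([0x26, 0x01, 0x00]))

def read_block(block: int) -> bytes:
    return frame(bytes([0x02, 0x20, block]))

def write_block(block: int, data: bytes) -> bytes:
    if len(data) != 4:
        raise ValueError("the usage string carries exactly 4 data bytes")
    return frame(bytes([0x02, 0x21, block]) + data)

def get_system_info() -> bytes:
    return frame(bytes([0x02, 0x2B]))

def describe(raw: bytes) -> str:
    """Decode a captured request; reject it if the CRC does not match."""
    if not crc_ok(raw):
        return "bad CRC"
    flags, cmd, params = raw[0], raw[1], raw[2:-2]
    name = COMMANDS.get(cmd, "unknown/custom")
    return f"flags={flags:02X} cmd={cmd:02X} ({name}) params={params.hex().upper()}"

if __name__ == "__main__":
    for raw in (inventory(), read_block(5), get_system_info()):
        print(raw.hex().upper(), "->", describe(raw))
```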

#3 Re: Windows Client » .net (c#/vb) Client » Today 09:53:04

GUI was developed by Gaucho and .xml file is updated by me. Unfortunately no support is given for the GUI .exe but Gaucho released the source code (you can find the link in the forum) so if you want to add/modify stuff you can do it, just give him credits ;)

#4 Re: Questions and Requests » China Magic Card Not Responding. » 2015-05-25 10:31:17

Good to hear that from you. Remember that a weak antenna can corrupt the data inside the signal. I recommend you make/buy a better one because 7v without antenna is not on the lower end, it is really really weak!

#5 Re: Questions and Requests » China Magic Card Not Responding. » 2015-05-25 08:50:54

Your hf antenna has a really low voltage; your read but mainly write problems are surely related to this. You need a better antenna (even if you bought it already made).

Anyway latest release is 2.0.0, 0.0.7 is really old.

#6 Re: Questions and Requests » China Magic Card Not Responding. » 2015-05-25 07:01:45

Can you do a tune command to see how good your antenna is?

#7 Re: Windows Client » GUI r845 bugs in Section EM4x in TAGs » 2015-05-25 06:56:26

The .xml was all written by hand.
Using old proxmark.exe versions (as marshmellow suggested) is NEVER a good idea, you should always use latest .exes of both proxmark client and gui, better if from the same release package.
Remember to also update the firmware to the same client version!

#9 Re: MIFARE Ultralight » [UL-EV1] an italian public transportation system » 2015-05-24 10:31:35

Just to point out the pack algo byte0 is not correct:
The correct one should be:

[00]  UID[0] ^ UID[1] ^ UID[2] ^ UID[3] ^ E2
(where E2 is a fixed value just like the 08 for pack byte1)

I think that more data are needed to find the correct algo because it can also be:
[00]  UID[0] ^ UID[1] ^ UID[2] ^ UID[3] ^ UID[4] ^ UID[5] ^ E2

#11 Re: Windows Client » Compiled Windows Client - Download » 2015-05-24 09:24:50

Link to 2.0.0 updated. Thanks marshmellow !

#12 Re: Windows Client » Compiled Windows Client - Download » 2015-05-23 13:09:36

DingYao wrote:

pm3-2.00-bin link not working, mirror? :)

Right now I only have the latest compiled build; can someone please provide a link to 2.0.0 ? I will re-upload it as soon as I get it. Dunno why sendspace deleted it.

#14 Re: MIFARE Ultralight » [FINISHED] Changes to: HF MFU INFO » 2015-05-22 13:57:14

Yeah:

pm3 --> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : NTAG 203 144bytes (NT2H0301F0DT)         
       UID : 04 F2 6E E2 0D 29 80           
    UID[0] : 04, NXP Semiconductors Germany         
      BCC0 : 10, Ok         
      BCC1 : 46, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : E1 10 12 00  - 00000000000100100001000011100001
--- NDEF Message         
Capability Container: E1 10 12 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  12 : Physical Memory Size: 152 bytes         
  12 : NDEF Memory Size: 144 bytes         
  00 : Read access granted without any security / Write access granted without any security         
pm3 -->

#16 Re: MIFARE Ultralight » [FINISHED] Changes to: HF MFU INFO » 2015-05-21 17:01:21

Yeah:

pm3 --> hf 14a raw -s -c 60
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->
pm3 --> hf 14a raw -s -c 69
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->
pm3 --> hf 14a raw -s -c 73
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->
pm3 --> hf 14a raw -s -c 99
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->
pm3 --> hf 14a raw -s -c FF
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->

#17 Re: MIFARE Ultralight » [FINISHED] Changes to: HF MFU INFO » 2015-05-21 15:36:17

pm3 --> hf 14a raw -s -c 1bffffffff
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->
pm3 --> hf 14a raw -s -c 1bffffffff
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->

pm3 -->
pm3 --> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : Unknown 000000         
       UID : 04 F2 6E E2 0D 29 80           
    UID[0] : 04, NXP Semiconductors Germany         
      BCC0 : 10, Ok         
      BCC1 : 46, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : E1 10 12 00  - 00000000000100100001000011100001
--- NDEF Message         
Capability Container: E1 10 12 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  12 : Physical Memory Size: 152 bytes         
  12 : NDEF Memory Size: 144 bytes         
  00 : Read access granted without any security / Write access granted without any security         
pm3 -->

#18 Re: MIFARE Ultralight » [FINISHED] Changes to: HF MFU INFO » 2015-05-21 13:59:33

This is an mfu info of ntag216 and ntag213:

proxmark3> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : NTAG 216 888bytes (NT2H1611G0DU)         
       UID : 04 37 9f aa 16 3c 81           
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany         
      BCC0 : 24, Ok         
      BCC1 : 01, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : e1 10 6d 00  - 00000000011011010001000011100001
--- NDEF Message         
Capability Container: e1 10 6d 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  6D : Physical Memory Size: 880 bytes         
  6D : NDEF Memory Size: 872 bytes         
  00 : Read access granted without any security / Write access granted without any security         
--- Tag Signature         
IC signature public key name  : NXP NTAG21x 2013         
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61         
    Elliptic curve parameters : secp128r1         
            Tag ECC Signature : 96 84 64 91 6c f5 19 27 ce 4f a9 1b 3b c9 fa d1 9b d5 bf 1f fe ae e8 61 97 9f 3e 2a 67 74 c7 60           
--- Tag Version         
       Raw bytes : 00 04 04 02 01 00 13 03           
       Vendor ID : 04, NXP Semiconductors Germany         
    Product type : 04, NTAG         
Product subtype : 02, 50pF         
   Major version : 01         
   Minor version : 00         
            Size : 13 (1024 <-> 512 bytes)         
   Protocol type : 03         
--- Tag Configuration         
  cfg0 [16/0x10] : 04 00 00 ff           
                    - pages don't need authentication         
                    - strong modulation mode disabled         
  cfg1 [17/0x11] : 00 05 00 00           
                    - Unlimited password attempts         
                    - user configuration writeable         
                    - write access is protected with password         
                    - 05, Virtual Card Type Identifier is  default         
  PWD  [18/0x12] : 00 00 00 00           
  PACK [19/0x13] : 00 00 00 00           
--- Known EV1/NTAG passwords.         
Found a default password: ff ff ff ff  || Pack: 00 00         
proxmark3>
proxmark3> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : NTAG 213 144bytes (NT2H1311G0DU)         
       UID : 04 c4 37 32 a1 3e 80           
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany         
      BCC0 : 7F, Ok         
      BCC1 : 2D, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : e1 10 12 00  - 00000000000100100001000011100001
--- NDEF Message         
Capability Container: e1 10 12 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  12 : Physical Memory Size: 152 bytes         
  12 : NDEF Memory Size: 144 bytes         
  00 : Read access granted without any security / Write access granted without any security         
--- Tag Signature         
IC signature public key name  : NXP NTAG21x 2013         
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61         
    Elliptic curve parameters : secp128r1         
            Tag ECC Signature : 2f 27 66 0a d9 cf f6 67 df a0 c8 55 c0 b1 92 d4 58 f3 6b 1c 69 80 34 ca a5 eb 16 0b 30 49 1e 81           
--- Tag Version         
       Raw bytes : 00 04 04 02 01 00 0f 03           
       Vendor ID : 04, NXP Semiconductors Germany         
    Product type : 04, NTAG         
Product subtype : 02, 50pF         
   Major version : 01         
   Minor version : 00         
            Size : 0F (256 <-> 128 bytes)         
   Protocol type : 03         
--- Tag Configuration         
  cfg0 [16/0x10] : 04 00 00 ff           
                    - pages don't need authentication         
                    - strong modulation mode disabled         
  cfg1 [17/0x11] : 00 05 00 00           
                    - Unlimited password attempts         
                    - user configuration writeable         
                    - write access is protected with password         
                    - 05, Virtual Card Type Identifier is  default         
  PWD  [18/0x12] : 00 00 00 00           
  PACK [19/0x13] : 00 00 00 00           
--- Known EV1/NTAG passwords.         
Found a default password: ff ff ff ff  || Pack: 00 00         
proxmark3>

#19 Re: MIFARE Ultralight » Merged read/write commands in HF MFU. » 2015-05-21 13:56:45

I think there is a bug in the read command:

proxmark3> hf mfu rdbl l b 5 
Block: 0 (0x00) [ 04 01 02 8f ]         
proxmark3>

It always keeps reading block0 instead of the specified one.

SORRY - I WAS WRONG - I WAS USING Marshmellow .exe ! With your one ice it is working !

pm3 --> hf mfu rdbl l b 1 
Block: 1 (0x01) [ AA 16 3C 81 ]         
pm3 -->
pm3 --> hf mfu rdbl l b 5 
Block: 5 (0x05) [ 00 00 00 00 ]         
pm3 -->
pm3 --> hf mfu rdbl l b 5 
Block: 5 (0x05) [ 00 00 00 00 ]         
pm3 -->
pm3 --> hf mfu rdbl l b 3 
iso14443a card select failed         
pm3 -->
pm3 --> hf mfu rdbl l b 3 
iso14443a card select failed         
pm3 -->
pm3 --> hf mfu rdbl l b 3 
Block: 3 (0x03) [ E1 10 6D 00 ]         
pm3 -->

#20 Re: MIFARE Ultralight » [FINISHED] Changes to: HF MFU INFO » 2015-05-21 13:45:43

With your (marshmellow) client (without reflashing iceman's firmware):

proxmark3> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : Unknown 000000         
       UID : 04 f2 6e e2 0d 29 80           
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany         
      BCC0 : 10, Ok         
      BCC1 : 46, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : e1 10 12 00  - 00000000000100100001000011100001
--- NDEF Message         
Capability Container: e1 10 12 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  12 : Physical Memory Size: 152 bytes         
  12 : NDEF Memory Size: 144 bytes         
  00 : Read access granted without any security / Write access granted without any security         
proxmark3>

proxmark3> hf list 14a
Recorded Activity (TraceLen = 175 bytes)         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
iso14443a - All times are in carrier periods (1/13.56Mhz)         
iClass    - Timings are not as accurate         
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |         
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|         
         0 |       992 | Rdr | 52                                                              |     | WUPA         
      2228 |      4596 | Tag | 44  00                                                          |     |           
      7040 |      9504 | Rdr | 93  20                                                          |     | ANTICOLL         
     10676 |     16564 | Tag | 88  04  f2  6e  10                                              |     |           
     18688 |     29216 | Rdr | 93  70  88  04  f2  6e  10  4d  ad                              |     | SELECT_UID         
     30388 |     33908 | Tag | 04  da  17                                                      |     |           
     35200 |     37664 | Rdr | 95  20                                                          |     | ANTICOLL-2         
     38836 |     44724 | Tag | e2  0d  29  80  46                                              |     |           
     46848 |     57312 | Rdr | 95  70  e2  0d  29  80  46  6b  03                              |     | ANTICOLL-2         
     58548 |     62132 | Tag | 00  fe  51                                                      |     |           
    469376 |    474144 | Rdr | 30  00  02  a8                                                  |     | READBLOCK(0)         
    475316 |    496116 | Tag | 04  f2  6e  10  e2  0d  29  80  46  48  00  00  e1  10  12  00  |     |           
           |           |     | 73  47                                                          |     |           
proxmark3>

NOTE: the above tag is the NTAG203.
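
How the fields printed by `hf mfu info` follow from the 16-byte READBLOCK(0) answer in the trace above, as an added example that is not part of the original post: it rebuilds the 7-byte UID, checks both BCC bytes and decodes the capability container. The function and field names are hypothetical; the second sample is reassembled from the NTAG 216 values posted elsewhere on this page.

```python
# Added example (not from the forum posts): decode pages 0-3 of an
# Ultralight/NTAG tag, i.e. the 16-byte answer to READBLOCK(0), CRC removed.

CASCADE_TAG = 0x88   # first byte of cascade level 1 for 7-byte UIDs
NDEF_MAGIC = 0xE1    # "NDEF Magic Number" in the capability container

def xor_all(data: bytes) -> int:
    out = 0
    for b in data:
        out ^= b
    return out

def parse_pages_0_3(resp: bytes) -> dict:
    if len(resp) != 16:
        raise ValueError("expected 4 pages of 4 bytes (CRC stripped)")
    uid = resp[0:3] + resp[4:8]      # BCC0 sits between UID[2] and UID[3]
    bcc0, bcc1 = resp[3], resp[8]
    cc = resp[12:16]                 # page 3: OneTimePad / capability container
    return {
        "uid": uid.hex().upper(),
        # BCC0 covers the cascade tag plus UID[0..2], BCC1 covers UID[3..6]
        "bcc0_ok": bcc0 == xor_all(bytes([CASCADE_TAG]) + uid[:3]),
        "bcc1_ok": bcc1 == xor_all(uid[3:]),
        "internal": resp[9],
        "lock": resp[10:12].hex().upper(),
        "ndef": cc[0] == NDEF_MAGIC,
        "version": f"{cc[1] >> 4}.{cc[1] & 0x0F}",
        "ndef_size": cc[2] * 8,              # in bytes
        "read_open": (cc[3] >> 4) == 0,      # high nibble: read access
        "write_open": (cc[3] & 0x0F) == 0,   # low nibble: write access
    }

# Tag answer copied from the READBLOCK(0) line of the trace (CRC 73 47 removed).
NTAG203 = bytes.fromhex("04 f2 6e 10 e2 0d 29 80 46 48 00 00 e1 10 12 00")
# Reassembled from the UID, BCC, Internal, Lock and CC fields of the NTAG 216 output.
NTAG216 = bytes.fromhex("04 37 9f 24 aa 16 3c 81 01 48 00 00 e1 10 6d 00")

if __name__ == "__main__":
    for name, dump in (("NTAG203", NTAG203), ("NTAG216", NTAG216)):
        print(name, parse_pages_0_3(dump))
```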

#21 Re: MIFARE Ultralight » [FINISHED] Changes to: HF MFU INFO » 2015-05-21 13:44:20

@ice (with your compiled build+firmware flashed):

pm3 --> hf 14a raw -s -c 1b00000000
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->

@marsh (with iceman build with his firmware flashed):

pm3 --> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : Unknown 000000         
       UID : 04 F2 6E E2 0D 29 80           
    UID[0] : 04, NXP Semiconductors Germany         
      BCC0 : 10, Ok         
      BCC1 : 46, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : E1 10 12 00  - 00000000000100100001000011100001
--- NDEF Message         
Capability Container: E1 10 12 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  12 : Physical Memory Size: 152 bytes         
  12 : NDEF Memory Size: 144 bytes         
  00 : Read access granted without any security / Write access granted without any security         
pm3 -->

#23 Re: MIFARE Ultralight » [FINISHED] Changes to: HF MFU INFO » 2015-05-19 23:34:47

Tested at various distances (tag<->antenna); here is the log.
They seem to be 29(hex).

#25 Re: Questions and Requests » Srix4k not working on both my PM3... Is the command broken? » 2015-05-19 20:50:15

When the command 14b raw was implemented all was working fine.
