Mifare Dump - need help to interpret

DC440 · 2015-02-15 15:46:19

Hey there..

First of all, I want to say "thanks" for this great community.

I stumbled into RFID just some Months ago and was fascinated again, like the first Time I get a Legic Card in my Hand´s at a Job years ago.
I remembered that I ever wondered about how that Stuff works, so I started to read. After some reading, it turnes out that this Card´s are pretty insecure.
This was interesting too, because I love to play around with stuff like that, just for fun and the challenge.

So I started to read every published Paper about the Mifare Card´s again and again.
The first times, some part´s are pretty hard to understand for somebody who did his first steps on this Terrain.
In all that Papers, Post´s and PDF´s, one device was named again and again, the Proxmark3.
So I started reading about this and decided that I definately have to own one of this little devices.

After some frustrating hour´s with flashing the Proxmark3 (and even more and more reading here again) I get the thing running fine.
So I was able to start the first Test´s. This community helped me a lot with this. Because I wouldn´t annoy you with the classic Noob Post´s like "I purchased the Proxmark3, so please give me a detailed instruction how to crack any Card..", i just continue reading for a time..

The Card I play with at the moment, is the Membercard of a Gym, owned by one of my oldest friend´s.
(It was funny to see that, even if he uses this Card´s for his Business, he had really no Idea about how this Card´s work -and even never suspected them as insecure)
The Card´s are used for Access Control and Food purchases at the Vendor Machine. For this, you have to charge the Card at another Machine before, the maximum are 10,00€.
As we decided to go a little bit deeper, he created two fictitious Membercard´s for me to try to analyze them and share the result´s with him.
So I have 2 Card´s for possible comparing. And of course I have free access to the Reader´s in his Gym if needed.

After reading every Post in the Mifare Section of this Forum, I was able to get the Card´s Key´s, read the Raw Data and have a better understanding about the Layout of a Mifare Card.
But even if I also read a lot about how to interpret the Dump´s and reverse engineering, know I´m confronted with a Dump and it´s behaviour, I don´t understand.
Maybe for you guy´s it´s still just a noobish question, but I hope you´ll have patience with me -and maybe the one or another advise to help me how I have to read this Data.

Okay, I start from the beginning to avoid that I´ve had overlooked something stupid at the first steps..
First of all, I checked with wich Card I´m confronted:

proxmark3> hf 14a reader
ATQA : 04 00
UID : a3 6a 61 25
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k
proprietary non iso14443a-4 card found, RATS not supported

For me it look´s like I have a Mifare Classic 1K, so I tried:

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.................
uid(a36a6125) nt(9ea27e2b) par(746c3cb41c5404fc) ks(050f0a06040c0908)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| 5 | 0 |0,0,1,0,1,1,1,0|
| 20 |00000020| f | a |0,0,1,1,0,1,1,0|
| 40 |00000040| a | f |0,0,1,1,1,1,0,0|
| 60 |00000060| 6 | 3 |0,0,1,0,1,1,0,1|
| 80 |00000080| 4 | 1 |0,0,1,1,1,0,0,0|
| a0 |000000a0| c | 9 |0,0,1,0,1,0,1,0|
| c0 |000000c0| 9 | c |0,0,1,0,0,0,0,0|
| e0 |000000e0| 8 | d |0,0,1,1,1,1,1,1|
00ff1e57|00ff78d6
------------------------------------------------------------------
Key found:ffffffffffff
Found valid key:ffffffffffff

Okay, seems like the default Key was used, so I try the nested:

proxmark3> hf mf nested 1 0 A FFFFFFFFFFFF d
--block no:00 key type:00 key:ff ff ff ff ff ff etrans:0
Block shift=0
Testing known keys. Sector count=16
nested...
...uid:a36a6125 len=2 trgbl=24 trgkey=0
.uid:a36a6125 len=3 trgbl=24 trgkey=0
.uid:a36a6125 len=4 trgbl=24 trgkey=0
.uid:a36a6125 len=4 trgbl=24 trgkey=0
.uid:a36a6125 len=4 trgbl=24 trgkey=0
.------------------------------------------------------------------
Total keys count:1102145
Found valid key:a9f953def0a3
...uid:a36a6125 len=3 trgbl=28 trgkey=0
.uid:a36a6125 len=3 trgbl=28 trgkey=0
.uid:a36a6125 len=3 trgbl=28 trgkey=0
.uid:a36a6125 len=4 trgbl=28 trgkey=0
.uid:a36a6125 len=2 trgbl=28 trgkey=0
.------------------------------------------------------------------
Total keys count:1037744
Found valid key:a9f953def0a3
Iterations count: 2
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | a9f953def0a3 | 1 |
|007| ffffffffffff | 1 | a9f953def0a3 | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to bynary file dumpkeys.bin...

If I´m right until here, I have found the Card´s Key´s.
And if I´m still right, all Sector´s have the default Key´s, with the exception Key B of Sector 6 and 7.
After dumping the Card, I would say the only Data on the Card is located at:

The Manufacturer Block:

proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:00 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data:a3 6a 61 25 8d 88 04 00 c1 85 14 99 65 90 45 12
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Sector 6:

proxmark3> hf mf rdsc 6 A FFFFFFFFFFFF
--sector no:06 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data:01 00 02 00 d2 a2 00 00 f7 f4 12 c0 7a 59 e4 40
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 78 77 88 00 00 00 00 00 00 00

and Sector 7:

proxmark3> hf mf rdsc 7 A FFFFFFFFFFFF
--sector no:07 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data:f5 2f 15 9b 69 ab f4 14 84 02 7e cd fb 1f 01 43
data:4d a7 1d 42 89 56 be 48 9f 53 e4 16 e7 e4 77 15
data:00 47 85 3f 80 08 08 25 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 78 77 88 00 00 00 00 00 00 00

Every other Block look´s the same, like an untouched, empty Block:

proxmark3> hf mf rdsc 2 A FFFFFFFFFFFF
--sector no:02 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Okay, If I didn´t made a stupid mistake during this process, I now have the Card´s Raw Data in Hexadezimal, right?
Now I´ve tried to interpret this Data to understand how it works:

Since I know that I´ve charged the Card with the maximum amount of 10,00€ at the Start, but buyed a Protein Shake for 2,80€ before dumping the Card the first time, the remaining Balance in the Card Dump must be 7,20€.
Unfortunately I wasn´t able to find this Balance in any Form as hexadezimal value in the Dump.
After some frustrating hour´s just gazing at Hex Value´s but didn´t find anything, I decided to make a Top up at the Machine, Dump the Card again and compare the two Dumps.

The result was a pretty confusing for me because both Dumps are exactly the same. Not a single Hex value was changed!?
So I started reading on here again, but this time I wasn´t able to find something, because I even didn´t really know what I have to search for.

This results in my first post here..
I would be thankful if somebody can give me at least an push in the right direction and tell me for for what I have to search in this case?

Thanks for your patience & sorry for my English

asper · 2015-02-15 16:26:39

If the dumps are identical there must be something stored somewhere else. Please show sector1 data and 2 blocks with 2 different stored values acquired in different times and let see if there are really no differences.

marshmellow · 2015-02-15 17:15:25

after the nested command you can do a
hf mf dump 1

to dump all the blocks to a bin file. easier than read block one by one

DC440 · 2015-02-15 17:24:52

Oh, thanks for your quick response..!

Here´s Sector 1, 6 and 7 of the Dump I´ve had made with a remaining Balance of 7,20€:

--sector no:01 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

--sector no:06 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data:01 00 02 00 d2 a2 00 00 f7 f4 12 c0 7a 59 e4 40
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 78 77 88 00 00 00 00 00 00 00

--sector no:07 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data:f5 2f 15 9b 69 ab f4 14 84 02 7e cd fb 1f 01 43
data:4d a7 1d 42 89 56 be 48 9f 53 e4 16 e7 e4 77 15
data:00 47 85 3f 80 08 08 25 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 78 77 88 00 00 00 00 00 00 00

And here´s again Sector 1, 6 and 7 of the Dump from the same Card after Top up:

--sector no:01 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

--sector no:06 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data:01 00 02 00 d2 a2 00 00 f7 f4 12 c0 7a 59 e4 40
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 78 77 88 00 00 00 00 00 00 00

--sector no:07 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data:f5 2f 15 9b 69 ab f4 14 84 02 7e cd fb 1f 01 43
data:4d a7 1d 42 89 56 be 48 9f 53 e4 16 e7 e4 77 15
data:00 47 85 3f 80 08 08 25 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 78 77 88 00 00 00 00 00 00 00

asper · 2015-02-15 17:44:29

Maybe the vending machne and the cash/recharger are connected together and they store the value using the card UID; you can try to clone another card with a rewritable UID chinese mifare card and see if the credit is maintained (in official mifare cards you cannot change the UID, you need a special chinese card).

marshmellow · 2015-02-15 18:01:20

you are certain all the other sectors are blank?

DC440 · 2015-02-15 18:23:28

asper wrote:

Maybe the vending machne and the cash/recharger are connected together and they store the value using the card UID; you can try to clone another card with a rewritable UID chinese mifare card and see if the credit is maintained (in official mifare cards you cannot change the UID, you need a special chinese card).

Yes, I know about the write protection of the Manufacturer Block..
So I´ll try it this way when the Chinese Card´s has arrived.

But It would be a suprise for me if the Vending Machine or Cash Machine will hold the current Balance because it´s a Franchise Club.
This means you can use your Card for several Club´s in different Town´s.
I don´t know much about Backend Solutions for this, but I think this way of Value storage would be a little bit complicated to achieve that every Member can use every Vending Machine at every Club..?

DC440 · 2015-02-15 18:31:17

marshmellow wrote:

you are certain all the other sectors are blank?

Unfortunately yes..

The only Sector´s that contain Data are Sector 0, 6 and 7.
I parsed the Dump from before -and after recharge again with 101Editor.. They´re exactly the same byte by byte.. strange..

DC440 · 2015-02-15 18:38:07

Every Sector (with the exception of 0, 6 and 7) looks like that:

0000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000b0: FF FF FF FF FF FF FF 07 8069 FF FF FF FF FF FF .........i......

marshmellow · 2015-02-15 19:09:45

as asper mentioned it may have a database of sorts that the value is stored in, as long as the issuer machine and the vending machine can talk to each other in some way (networked).
in that case the card only stores a valid unique id in the db (this is how most gift cards work.)

DC440 · 2015-02-15 19:49:33

marshmellow wrote:

as asper mentioned it may have a database of sorts that the value is stored in, as long as the issuer machine and the vending machine can talk to each other in some way (networked).
in that case the card only stores a valid unique id in the db (this is how most gift cards work.)

Okay..

Maybe that´s the problem that causes that I didn´t see any changes after recharge the Card.
If I want to charge the Card, I have to place it in the Reader, choose deposit, put the desired amount of Money in the Machine and press "deposit" again.
After I´m finished, I have to press the Logout Button.
So it´s possible, that my deposit is just stored in a centralized Database and not on the Card itself.

But if this is the case and the Vending Machines/Deposit Machine just read the Card´s UID for Identification, what kind of Data need to be stored in Sector 6 and 7?
The only Functions of the Card are:

-Get entry to the Club (shows my Data/Picture on a Screen at the Reception)
-Buy Food/Drinks at the Machine
-and lock/open the wardrobe

iceman · 2015-02-15 19:58:31

BIN(little endian) BIN ( big endian)
7.20€ = 0720 = 0010 1101 0000 = 0000 1101 0010

Sector 6 Block 0 in BIN:
[0000 0001 0000 0000 0000 0010 0000 0000 1101 0010 1010 0010 0000 0000 0000 0000 1111 0111 1111 0100 0001 0010 1100 0000 0111 1010 0101 1001 1110 0100 0100 0000]
0000 1101 0010

byte 0xD2 could be 7.20€.

marshmellow · 2015-02-15 20:08:47

you would need dumps from more than one tag to learn much more. also, the vending may not just look at the UID of the TAG, but may look at a Unique ID programmed in sector 6 or 7 also... but we are speculating

Proxmark3 community

Announcement

#1 2015-02-15 15:46:19

Mifare Dump - need help to interpret

#2 2015-02-15 16:26:39

Re: Mifare Dump - need help to interpret

#3 2015-02-15 17:15:25

Re: Mifare Dump - need help to interpret

#4 2015-02-15 17:24:52

Re: Mifare Dump - need help to interpret

#5 2015-02-15 17:44:29

Re: Mifare Dump - need help to interpret

#6 2015-02-15 18:01:20

Re: Mifare Dump - need help to interpret

#7 2015-02-15 18:23:28

Re: Mifare Dump - need help to interpret

#8 2015-02-15 18:31:17

Re: Mifare Dump - need help to interpret

#9 2015-02-15 18:38:07

Re: Mifare Dump - need help to interpret

#10 2015-02-15 19:09:45

Re: Mifare Dump - need help to interpret

#11 2015-02-15 19:49:33

Re: Mifare Dump - need help to interpret

#12 2015-02-15 19:58:31

Re: Mifare Dump - need help to interpret

#13 2015-02-15 20:08:47

Re: Mifare Dump - need help to interpret

Board footer