Proxmark3 community


#1 2016-01-24 07:30:03

Omikron
Contributor
Registered: 2010-02-12
Posts: 78

Mifare Classic 4K Emulation

Hey All,

I've recently run across a card type that I haven't seen before:

proxmark3> hf search

 UID : bd 70 c7 50
ATQA : 00 02
 SAK : 38 [1]
TYPE : Nokia 6212 or 6131 MIFARE CLASSIC 4K
 ATS : 0d 78 77 b1 02 4a 43 4f 50 76 32 34 31 3c 5e
       -  TL : length is 13 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 11 (FWT = 8388608/fc)
       - TC1 : NAD is NOT supported, CID is supported
       -  HB : 4a 43 4f 50 76 32 34 31
Answers to chinese magic backdoor commands: NO

Valid ISO14443A Tag Found - Quiting Search

I did a trace with the reader it is for and observed the following:

   10684400 |   10685392 | Rdr | 52                                                              |     | WUPA
   10686644 |   10689012 | Tag | 02  00                                                          |     |
   12036976 |   12037968 | Rdr | 52                                                              |     | WUPA
   12039220 |   12041588 | Tag | 02  00                                                          |     |
   12045696 |   12048160 | Rdr | 93  20                                                          |     | ANTICOLL
   12049348 |   12055172 | Tag | bd  70  c7  50  5a                                              |     |
   12059952 |   12070416 | Rdr | 93  70  bd  70  c7  50  5a  9e  09                              |  ok | SELECT_UID
   12071652 |   12075236 | Tag | 38  35  ec                                                      |     |
   12079840 |   12084608 | Rdr | e0  80  31  73                                                  |  ok | RATS
   12086052 |   12103460 | Tag | 0d  78  77  b1  02  4a  43  4f  50  76  32  34  31  3c  5e      |  ok |
   12116848 |   12122704 | Rdr | d0  11  00  52  a6                                              |  ok | ?
   12126516 |   12130036 | Tag | d0  73  87                                                      |     |
   12415200 |   12437184 | Rdr | 0a  00  00  a4  04  00  0a  a0  00  00  03  82  00  13  00  01  |     |
            |            |     | 01  13  71                                                      |  ok | ?
   12888964 |   12895940 | Tag | 0a  00  90  00  f3  93                                          |  ok |
   12967680 |   12978144 | Rdr | 0b  00  00  d4  00  00  00  31  7b                              |  ok | ?
   13008308 |   13017588 | Tag | 0b  00  7f  ff  90  00  84  2d                                  |  ok |
   13088416 |   13098880 | Rdr | 0a  00  a0  10  00  00  00  15  47                              |  ok | ?
   13173860 |   13209700 | Tag | 0a  00  00  01  00  01  00  01  00  11  53  53  45  43  39  2d  |     |
            |            |     | 47  52  50  43  2d  30  30  30  33  5f  44  90  00  f6  6d      |  ok |
   13352032 |   13394816 | Rdr | 0b  00  a0  da  04  00  1c  1b  2b  06  01  04  01  81  e4  38  |     |
            |            |     | 01  01  03  05  0f  8c  90  88  cd  a2  a3  95  e2  82  83  d0  |     |
            |            |     | cf  ff  7f  7c  58                                              |  ok | ?
   13422628 |   13429668 | Tag | 0b  00  90  00  48  8f                                          |  ok |
   13507408 |   13534064 | Rdr | 0a  00  a0  da  05  00  0e  0d  2b  06  01  04  01  81  e4  38  |     |
            |            |     | 01  01  04  08  0f  0a  29                                      |  ok | ?
   13561604 |   13568580 | Tag | 0a  00  90  00  f3  93                                          |  ok |
   13639904 |   13651520 | Rdr | 0b  00  a0  da  10  00  01  01  fb  0a                          |  ok | ?
   15052756 |   15059796 | Tag | 0b  00  90  00  48  8f                                          |  ok |
   15130208 |   15140672 | Rdr | 0a  00  a0  d3  00  00  00  01  59                              |  ok | ?
   15170084 |   15179428 | Tag | 0a  00  02  00  90  00  96  3e                                  |  ok |

So it looks like it's a tag pretending to be a 4K tag, but the trace doesn't look anything like other examples I've seen, so I am not sure if it is possible to run mfkey64 on it.  The data doesn't quite line up with the example in the folder.

Anyone have any thoughts?

Last edited by Omikron (2016-01-24 07:38:06)


#2 2016-01-24 10:12:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507

Re: Mifare Classic 4K Emulation

Looks like a smartcard (emulating a classic 4k?) with ISO7816 APDU packages

starting here:
   12116848 |   12122704 | Rdr | d0  11  00  52  a6   
   12126516 |   12130036 | Tag | d0  73  87   
   12415200 |   12437184 | Rdr | 0a  00  00  a4  04  00  0a  a0  00  00  03  82  00  13  00  01  01  13 71  |    -- reader select?
   12888964 |   12895940 | Tag | 0a  00  90  00  f3  93     << tag answers 90 00 OK

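An added example, not part of any post in this thread: a small Python decoder for the frames iceman points to, which checks CRC_A, strips the ISO 14443-4 block prologue (PCB and CID) and splits out the ISO 7816 APDU fields. The function names are my own, the frames are copied from the trace above, and only short, unchained APDUs are handled.

```python
# Frames copied from the reader/tag trace posted above (hex, CRC_A included).
TRACE = [
    ("Rdr", "d0 11 00 52 a6"),
    ("Rdr", "0a 00 00 a4 04 00 0a a0 00 00 03 82 00 13 00 01 01 13 71"),
    ("Tag", "0a 00 90 00 f3 93"),
    ("Rdr", "0b 00 00 d4 00 00 00 31 7b"),
    ("Tag", "0b 00 7f ff 90 00 84 2d"),
]

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (initial value 0x6363), sent low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return crc.to_bytes(2, "little")

def decode_frame(src: str, hex_frame: str) -> dict:
    """Check CRC_A, strip the ISO 14443-4 prologue, split the APDU inside."""
    raw = bytes.fromhex(hex_frame)
    body = raw[:-2]
    out = {"src": src, "crc_ok": crc_a(body) == raw[-2:]}
    pcb = body[0]
    if (pcb & 0xF0) == 0xD0:            # PPS request/response: PPSS = 0xD0 | CID
        return {**out, "kind": "PPS", "cid": pcb & 0x0F}
    if (pcb & 0xE2) != 0x02:            # I-block PCB is 000x xx1x
        return {**out, "kind": "R/S-block"}
    out.update(kind="I-block", block_no=pcb & 0x01, chaining=bool(pcb & 0x10))
    pos = 1
    if pcb & 0x08:                      # CID byte follows the PCB
        out["cid"] = body[pos] & 0x0F
        pos += 1
    if pcb & 0x04:                      # NAD byte follows (not used in this trace)
        pos += 1
    inf = body[pos:]
    if src == "Rdr" and len(inf) >= 4:  # command APDU: CLA INS P1 P2 [Lc data] [Le]
        cla, ins, p1, p2 = inf[:4]
        lc = inf[4] if len(inf) > 5 else 0
        out["apdu"] = {"cla": cla, "ins": ins, "p1": p1, "p2": p2,
                       "data": inf[5:5 + lc].hex()}
    elif src == "Tag" and len(inf) >= 2:  # response APDU: data + SW1 SW2
        out["data"], out["sw"] = inf[:-2].hex(), inf[-2:].hex()
    return out

if __name__ == "__main__":
    for src, frame in TRACE:
        print(decode_frame(src, frame))
```

The second frame decodes as INS `a4` with P1 `04` (SELECT by name) carrying a 10-byte AID, and the tag's reply is status word `9000`.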

#3 2016-01-25 05:47:21

Omikron
Contributor
Registered: 2010-02-12
Posts: 78

Re: Mifare Classic 4K Emulation

iceman wrote:

Looks like a smartcard (emulating a classic 4k?) with ISO7816 APDU packages

starting here:
   12116848 |   12122704 | Rdr | d0  11  00  52  a6   
   12126516 |   12130036 | Tag | d0  73  87   
   12415200 |   12437184 | Rdr | 0a  00  00  a4  04  00  0a  a0  00  00  03  82  00  13  00  01  01  13 71  |    -- reader select?
   12888964 |   12895940 | Tag | 0a  00  90  00  f3  93     << tag answers 90 00 OK

Indeed, but the real question is, is there a way I can get the key for it?


#4 2016-01-25 09:13:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507

Re: Mifare Classic 4K Emulation

And by "get the key" you mean? Since it's a smartcard, it is not a Mifare Classic 4K where you need the keys to be able to dump the card.
You will need to figure out what kind of data encryption it uses, and its keys.
You will need to figure out if the ISO7816 uses some kind of application with access rights.

You're in for a ride, so get your Google-fu ready.
