Proxmark3 community

#1 2016-04-25 15:55:46

ntk
Contributor
Registered: 2015-05-24
Posts: 701

[abandoned] help identify white card ...

I came across this white card, with no description or ID printed on it.

Using hf search it is identified as TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
but I could not do much with it.

Prox/RFID mark3 RFID instrument          
bootrom: iceman/-suspect 2016-04-25 10:57:10
os: iceman/-suspect 2016-04-25 10:57:13
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 211555 bytes (40%). Free: 312733 bytes (60%).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory          

Antenna check without card
# LF antenna: 15.26 V @   125.00 kHz          
# LF antenna: 26.54 V @   134.00 kHz          
# LF optimal: 47.71 V @   137.93 kHz          
# HF antenna: 17.05 V @    13.56 MHz          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3>

and with card
proxmark3> hw tu
Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)          
......#db# DownloadFPGA(len: 42096)          
.          
# LF antenna: 15.40 V @   125.00 kHz          
# LF antenna: 26.54 V @   134.00 kHz          
# LF optimal: 47.85 V @   137.93 kHz          
# HF antenna: 15.42 V @    13.56 MHz          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3>

I can run these commands

pm3 --> hf search
 UID : DC 9A 7C 37           
ATQA : 00 01          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to magic commands (GEN1): NO          
Valid ISO14443A Tag Found - Quiting Search
pm3 --> 
pm3 --> hf 14a reader
 UID : DC 9A 7C 37           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to magic commands (GEN1): NO          
pm3 --> 

pm3 --> hf 14a cuids 
Collecting 1 UIDs          
Start: 1461588596          
DC9A7C37          
End: 1461588596          
pm3 --> 

pm3 --> hf 14a raw  -c -p -s    26
received 4 octets          
DC 9A 7C 37           
received 0 octets          
pm3 --> 
Perhaps there are some more raw commands I can run on this card too, but I am not sure what will come back.

pm3 --> hf mf chk * ?   
No key specified, trying default keys          
key[ 0] ffffffffffff          
key[ 1] 000000000000          
key[ 2] a0a1a2a3a4a5          
key[ 3] b0b1b2b3b4b5          
key[ 4] aabbccddeeff          
key[ 5] 4d3a99c351dd          
key[ 6] 1a982c7e459a          
key[ 7] d3f7d3f7d3f7          
key[ 8] 714c5c886e97          
key[ 9] 587ee5f9350f          
key[10] a0478cc39091          
key[11] 533cb6c723f6          
key[12] 8fd0a4f256e9          
................................
Time in checkkeys: 9340 ticks 9 seconds
testing to read key B...          
|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|001|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|002|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|003|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|004|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|005|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|006|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|007|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|008|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|009|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|010|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|011|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|012|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|013|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|014|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|015|  ffffffffffff  | 0 |  ffffffffffff  | 0 |          
|---|----------------|---|----------------|---|          
pm3 --> 
pm3 --> hf mf nested 1 0 A ffffffffffff   
Testing known keys. Sector count=16          
Time to check 6 known keys: 6130 ticks 6 seconds
enter nested...          
#db# Nested: Can't select card          
#db# Authentication failed. Card timeout.          
#db# Nested: Auth1 error   


pm3 --> hf search
 UID : DC 9A 7C 37           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to magic commands (GEN1): NO          
Valid ISO14443A Tag Found - Quiting Search
pm3 --> 

pm3 --> hf mfu info  
Tag is not Ultralight | NTAG | MY-D  [ATQA: 00 04 SAK: 03]
pm3 --> 

pm3 --> hf 14a cuids 
Collecting 1 UIDs          
Start: 1461588932          
DC9A7C37          
End: 1461588932          
pm3 --> 

pm3 --> hf 14a sim t   u DC9A7C37
 Emulating ISO/IEC 14443 type A tag with 4,7 byte UID
Usage: hf 14a sim t <type> u <uid> x          
  Options :           
    h     : this help          
    t     : 1 = MIFARE Classic          
            2 = MIFARE Ultralight          
            3 = MIFARE Desfire          
            4 = ISO/IEC 14443-4          
            5 = MIFARE Tnp3xxx          
            6 = MIFARE Mini          
            7 = AMIIBO (NTAG 215),  pack 0x8080          
    u     : 4, 7 byte UID          
    x     : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader          
   sample : hf 14a sim t 1 u 1122344 x          
          : hf 14a sim t 1 u 1122344          
          : hf 14a sim t 1 u 1122344556677          
pm3 --> 
pm3 --> hf 14a sim t  1 u DC9A7C37       

proxmark3> hf mf chk * ?   
No key specified, trying default keys          
chk default key[ 0] ffffffffffff          
chk default key[ 1] 000000000000          
chk default key[ 2] a0a1a2a3a4a5          
chk default key[ 3] b0b1b2b3b4b5          
chk default key[ 4] aabbccddeeff          
chk default key[ 5] 4d3a99c351dd          
chk default key[ 6] 1a982c7e459a          
chk default key[ 7] d3f7d3f7d3f7          
chk default key[ 8] 714c5c886e97          
chk default key[ 9] 587ee5f9350f          
chk default key[10] a0478cc39091          
chk default key[11] 533cb6c723f6          
chk default key[12] 8fd0a4f256e9          
--sector: 0, block:  3, key type:A, key count:13           
--sector: 1, block:  7, key type:A, key count:13           
--sector: 2, block: 11, key type:A, key count:13           
--sector: 3, block: 15, key type:A, key count:13           
--sector: 4, block: 19, key type:A, key count:13           
#db# ChkKeys: Can't select card          
--sector: 5, block: 23, key type:A, key count:13           
#db# ChkKeys: Can't select card          
--sector: 6, block: 27, key type:A, key count:13           
#db# ChkKeys: Can't select card          
--sector: 7, block: 31, key type:A, key count:13           
--sector: 8, block: 35, key type:A, key count:13           
#db# ChkKeys: Can't select card          
--sector: 9, block: 39, key type:A, key count:13           
#db# ChkKeys: Can't select card          
--sector:10, block: 43, key type:A, key count:13           
#db# ChkKeys: Can't select card          
--sector:11, block: 47, key type:A, key count:13           
#db# ChkKeys: Can't select card          
--sector:12, block: 51, key type:A, key count:13           
#db# ChkKeys: Can't select card          
--sector:13, block: 55, key type:A, key count:13           
#db# ChkKeys: Can't select card          
--sector:14, block: 59, key type:A, key count:13           
--sector:15, block: 63, key type:A, key count:13           
--sector: 0, block:  3, key type:B, key count:13           
--sector: 1, block:  7, key type:B, key count:13           
#db# ChkKeys: Can't select card          
--sector: 2, block: 11, key type:B, key count:13           
--sector: 3, block: 15, key type:B, key count:13           
--sector: 4, block: 19, key type:B, key count:13           
--sector: 5, block: 23, key type:B, key count:13           
#db# ChkKeys: Can't select card          
--sector: 6, block: 27, key type:B, key count:13           
#db# ChkKeys: Can't select card          
--sector: 7, block: 31, key type:B, key count:13           
--sector: 8, block: 35, key type:B, key count:13           
--sector: 9, block: 39, key type:B, key count:13           
--sector:10, block: 43, key type:B, key count:13           
--sector:11, block: 47, key type:B, key count:13           
--sector:12, block: 51, key type:B, key count:13           
#db# ChkKeys: Can't select card          
--sector:13, block: 55, key type:B, key count:13           
--sector:14, block: 59, key type:B, key count:13           
#db# ChkKeys: Can't select card          
--sector:15, block: 63, key type:B, key count:13           
proxmark3> 

What else can I do with this type of Mifare classic card? It looks like a Mifare classic but with improved security, hence keyA or keyB attack and default keys failed.

Is it correct that we cannot read data blocks because no key was found, nor decode or do anything with this type of card, apart from using its UID to perform a simulation?

Sorry to ask like a greenie but I haven't much experience with HF or simulation generally. What does "You can't clone, but you can simulate it" mean exactly? If this card is computed as an entry access card, then will the simulation open the lock? If this card is meant to be used as a transport card, or in the finance sector, then a simulation will ... ring the bell for an illegal intruder???

Mifare cards are used for a lot of applications in the world, according to Google:

MIFARE products can be used in different applications:[12]

Automated fare collection system
ID Cards
Access Management
Campus cards
Loyalty cards (reward points)
Tourist cards
Micropayment (Mobile wallet, contactless payment, cashless payment)
Road tolling
Transport ticketing
Event ticketing
Mobile ticketing
Citizen card
Membership cards
Parking
Library cards
Fuel cards
Hotel key cards
NFC Tag (NFC apps, MIFARE4Mobile)
Taxi cards
Smart meter
Museum Access Cards
Product Authentication
Production control
Health cards
Ferry Cards
Car rentals
Fleet Management
Amusement parks
Bike rentals
Blood donor cards
Information services
Interactive exhibits
Interactive lotteries
Password storage
Smart advertising
Social welfare
Waste management
Formerly most access systems used MIFARE Classic, but today these systems have switched to MIFARE DESFire because this product has more security than MIFARE Classic. 

And even PM3 can only admire its color or shape? Can we see nothing else on it? Does that mean that Mifare is really very secure?!

Also, I found something unexplained in the PM3 help for the hf 14a simulation command. What does the simulation "hf 14a sim t  1 u DC9A7C37  x" mean, with the option to perform an nr/ar attack against a legitimate reader? Do you know what that is for?

Is the only way forward with this type of card, or the later Mifare DES EV1 card, snooping, where from there you can calculate a key from a successful authentication, then perform the nested attack to get the rest of the keys, and then analyse/study/decode its data?

Would PIWI's recently released MFhardnested attack code help me with this newer Mifare classic card version? Could you help me with a link to his fork?
I know
Marshmellow, https://github.com/marshmellow42/proxmark3
Iceman https://github.com/iceman1001/proxmark3
but could not find one from piwi.

thanks

Last edited by ntk (2016-05-08 12:44:01)
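
A small parser for client output like that pasted in the post above, added here as an example; it is not part of the original post or of the Proxmark3 code. It lists the sectors where the `hf mf chk` result table reports an accepted key and surfaces signs of unstable reads (differing ATQA values, `Can't select card` errors). It assumes `res` = 1 marks an accepted key; the sample lines and the name `summarize` are constructed for the example.

```python
import re

# Constructed sample in the output format pasted in the post (not a real capture).
SAMPLE = """\
ATQA : 00 01
ATQA : 00 04
|sec|key A           |res|key B           |res|
|000|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|001|  a0a1a2a3a4a5  | 1 |  ffffffffffff  | 0 |
--sector: 4, block: 19, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector: 5, block: 23, key type:A, key count:13
#db# ChkKeys: Can't select card
"""

ROW = re.compile(r"\|(\d{3})\|\s*([0-9a-f]{12})\s*\|\s*([01])\s*\|"
                 r"\s*([0-9a-f]{12})\s*\|\s*([01])\s*\|", re.I)
ATQA = re.compile(r"ATQA\s*:\s*([0-9a-f]{2})\s+([0-9a-f]{2})", re.I)
PROBE = re.compile(r"--sector:\s*\d+,\s*block:\s*\d+,\s*key type:[AB]")

def summarize(log):
    """Summarise a pasted client session: accepted keys and read stability."""
    accepted = {}   # (sector, "A" or "B") -> key, only where res == 1
    sectors, probes, select_errors = 0, 0, 0
    atqa = set()    # distinct ATQA values reported during the session
    for raw in log.splitlines():
        line = raw.strip()
        row = ROW.match(line)
        if row:
            sectors += 1
            sec = int(row.group(1))
            # Assumption: res == 1 means the key in that column authenticated.
            if row.group(3) == "1":
                accepted[(sec, "A")] = row.group(2).lower()
            if row.group(5) == "1":
                accepted[(sec, "B")] = row.group(4).lower()
            continue
        m = ATQA.search(line)
        if m:
            atqa.add(f"{m.group(1)} {m.group(2)}".upper())
        elif PROBE.match(line):
            probes += 1
        elif "Can't select card" in line:
            select_errors += 1
    return {"sectors": sectors, "accepted": accepted, "atqa": sorted(atqa),
            "probes": probes, "select_errors": select_errors,
            # Heuristic: changing ATQA or select errors suggest an unreliable read.
            "unstable": len(atqa) > 1 or select_errors > 0}

print(summarize(SAMPLE))
```

An empty `accepted` result together with `unstable` set means the "no key found" outcome may reflect an unreliable read rather than the card's keys, so the check is worth repeating once the card selects consistently.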
