Proxmark3 community

#1 2016-09-11 21:49:50

ljt31980
Contributor
Registered: 2016-09-05
Posts: 4

Card Trace

This is my first post, so please excuse me if I am not doing it right.
Below is a trace from a sniff of an Aptiq card and reader.
I was able to recreate this card using a Chinese Magic card copying block 0, but I was wondering if it is possible to make this system recognize a card without having to modify block 0.

Is there a way to make the system look for a different block to authenticate (if that is the right term)?
I would like to get the system to respond to standard MIFARE cards so they can be used in this system.

Is that possible, or when you have a system that uses block 0 this way, is the only option to use a card that is UID writeable?

Thank you for your help!

received trace len: 290 packages: 1         
tag select uid:ee 8b d6 c1  atqa:0x0004 sak:0x08         
RDR(0):61 04 09 24           
TAG(1):f5 be 5e 7e           
RDR(2):ab 75 50 d5 f9 80 7e 8c           
TAG(3):34 3e 57 2f           
RDR(4):8c 0e db 3b           
TAG(5):29 ee 42 c9 64 30 5f 43 b4 9e 3b 34 27 f2 28 bf b1 15           
RDR(6):1f f6 88 b5           
TAG(7):6b b4 5e 1b f9 ec 30 47 fc a6 77 f1 85 d1 b6 93 4a f8           
RDR(8):22 04 5e 63           
TAG(9):b0 b8 92 6c 83 7d f4 fd 33 1c a8 65 c1 a4 d1 dc a2 72           
RDR(10):5a 70 af 82           
TAG(11):0c 98 57 dc 41 7e 93 1e 19 c9 4c 7a 36 48 1c 72 4e 84           
RDR(12):12 c5 8a dc           
TAG(13):8b 50 2c 70 3e 5c b8 c9 fa ec ec f5 89 fe 87 1d 2d 61           
..........>
received trace len: 65 packages: 1         
tag select uid:ee 8b d6 c1  atqa:0x0004 sak:0x08         
RDR(14):60 00 f5 7b           
TAG(15):85 2b           
RDR(16):b2 fd 18 05 a6 ff 9e 94           
....>
received trace len: 357 packages: 1         
tag select uid:ee 8b d6 c1  atqa:0x0004 sak:0x08         
RDR(17):60 00 f5 7b           
TAG(18):d4 81 1e 13           
RDR(19):4d 06 a3 db f1 03 26 68           
tag select uid:ee 8b d6 c1  atqa:0x0004 sak:0x08         
RDR(20):61 04 09 24           
TAG(21):d7 79 00 80           
RDR(22):17 7c 05 6e 7c 01 91 86           
TAG(23):bf 15 19 3c           
RDR(24):ba 06 ce 62           
TAG(25):57 9f 71 e9 27 d2 eb a8 45 aa ee af a6 ca 8a 1f 15 5a           
RDR(26):ea 77 13 e3           
TAG(27):97 a8 18 7e 6c d7 cc 7c 37 10 54 d7 13 fb cb 2f a8 08           
RDR(28):13 bb 0f 1e           
TAG(29):f4 cd 7e a4 d4 47 dc 45 ab dd 26 8c bf c9 79 da b6 93           
RDR(30):4c a6 03 4c           
TAG(31):40 f4 69 8f 23 18 cf 17 cc c9 a5 9c 19 a0 97 7d fa 5b           
RDR(32):ee 8e 7e 13           
TAG(33):63 69 81 8e c6 6a 8e 7a 18 69 03 0c 99 0a 4b 6a 56 83

received trace len: 67 packages: 1         
tag select uid:ee 8b d6 c1  atqa:0x0004 sak:0x08         
RDR(0):60 00 f5 7b           
TAG(1):a1 3f 46 de           
RDR(2):2b 19 b2 e4 ef d7 ec d9           
......>
received trace len: 111 packages: 1         
tag select uid:ee 8b d6 c1  atqa:0x0004 sak:0x08         
RDR(3):24           
TAG(4):01           
tag select uid:ee 8b d6 c1  atqa:0x0004 sak:0x08         
RDR(5):60 00 f5 7b           
TAG(6):9b 1b 0f ee           
RDR(7):10 0a c5 58 12 5b d5 12           
....>
received trace len: 357 packages: 1         
tag select uid:ee 8b d6 c1  atqa:0x0004 sak:0x08         
RDR(8):60 00 f5 7b           
TAG(9):dc 5a 95 27           
RDR(10):68 8b 17 42 40 3e ce d8           
tag select uid:ee 8b d6 c1  atqa:0x0004 sak:0x08         
RDR(11):61 04 09 24           
TAG(12):90 55 3f 39           
RDR(13):04 a8 4b 43 1f 5b 0e 8c           
TAG(14):f9 20 b7 3f           
RDR(15):59 aa cb 75           
TAG(16):cc 9e 9b 7d ae d2 48 90 37 13 70 30 ab b0 6a af dd 8f           
RDR(17):a4 4f 2f 1a           
TAG(18):f6 46 e5 85 d6 45 c8 d0 92 e0 f5 d0 e9 87 52 79 de ac           
RDR(19):8d 5d 9b 00           
TAG(20):8b 9c 6d 13 da 9c d7 b6 1f a9 e0 89 b7 d0 c9 d9 11 c8           
RDR(21):00 30 1f ee           
TAG(22):36 85 f8 f0 d9 a5 a8 ff 30 b0 6d aa 10 fa bc 7c a4 bf           
RDR(23):8c a1 78 de           
TAG(24):13 86 ac 5c 3e e8 cc df db 89 e9 3a be 0e be a0 bc 24 

RDR(0):04 00           
TAG(1):7a a0 8c 81 d7           
RDR(2):08 b6 dd           
TAG(3):04 00           
RDR(4):7a a0 8c 81 d7           
TAG(5):08 b6 dd           
RDR(6):04 00           
TAG(7):7a a0 8c 81 d7           
RDR(8):08 b6 dd           
.......>
received trace len: 49 packages: 1         
tag select uid:7a a0 8c 81  atqa:0x0004 sak:0x08         
RDR(9):04 00           
TAG(10):7a a0 8c 81 d7           
.....>
received trace len: 61 packages: 1         
tag select uid:7a a0 8c 81  atqa:0x0004 sak:0x08         
RDR(11):04 00           
TAG(12):7a a0 8c 81 d7           
RDR(13):08 b6 dd           
....>
received trace len: 508 packages: 1         
tag select uid:7a a0 8c 81  atqa:0x0004 sak:0x08         
RDR(14):04 00           
TAG(15):7a a0 8c 81 d7           
RDR(16):08 b6 dd           
TAG(17):04 00           
RDR(18):7a a0 8c 81 d7           
TAG(19):08 b6 dd           
RDR(20):e0 77 5b 1f           
TAG(21):04 00           
RDR(22):7a a0 8c 81 d7           
TAG(23):93 70 7a a0 8c 81 d7 93 bc           
RDR(24):08 b6 dd           
TAG(25):04 00           
RDR(26):93 20           
TAG(27):7a a0 8c 81 d7           
RDR(28):08 b6 dd           
tag select uid:7a a0 8c 81  atqa:0x0004 sak:0x08         
RDR(29):61 04 09 24           
TAG(30):d4 e2 2d 49           
RDR(31):26 36 8c 2a           
TAG(32):6e ad df ef           
RDR(33):56 71 92 e4 18 4a ea 2b 63 30 58 5f 9c d4 3e bb 76 f2           
TAG(34):cb 77 a3 52           
RDR(35):4b f9 a6 d1 bf eb 99 1a a7 78 a7 06 9a 57 cc 11 90 04           
TAG(36):27 1b 5d e1           
RDR(37):ee 9c db 5f b2 85 4a 33 c3 8f b1 ba 63 ba 1e 96 e9 fd           
TAG(38):5a 8b 56 c2           
RDR(39):96 ed 86 6f c7 fd 66 76 a1 e6 e7 29 04 92 69 2b 07 a2           
TAG(40):5e 09 0a a1           
RDR(41):e6 89 c5 a0 95 4a 1c 43 5a 31 20 17 bd a1 1e 10 88 44           
TAG(42):24           
RDR(43):01           
.....>
received trace len: 67 packages: 1         
tag select uid:1e 86 d6 c1  atqa:0x0004 sak:0x08         
RDR(44):60 00 f5 7b           
TAG(45):5f e3 37 fd           
RDR(46):20 5a c0 db e2 d8 ff 03           
....#db# cancelled by button                 
#db# COMMAND FINISHED                 
#db# maxDataLen=3, Uart.state=0, Uart.len=0                 
proxmark3>


#2 2016-09-14 21:41:39

ljt31980
Contributor
Registered: 2016-09-05
Posts: 4

Re: Card Trace

Is anyone able to help me out there?


#3 2016-09-14 22:27:58

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Card Trace

The card itself is just a memory card. It doesn't have any logic. If you want the system to auth against another block, then it's the system that needs to be changed. All your questions concern the system used; dig there for the answers you are looking for.

Is the UID used in the authentication? The trace you posted gives keyB block 4 (sector 1) as 55b9e33b7fee, which indicates that block four has some data that the system reads. Then you have more trace data encrypted, which you need to decrypt to understand which data the system reads/writes on your card.

You'll need to get a picture of what happens.

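An added example, not part of the original posts: a small decoder for the unencrypted frames in a trace like the one in post #1. It checks the ISO 14443-A CRC on the `60`/`61` authentication requests to report which key type and block the reader asks for, and checks the BCC on the 5-byte anticollision reply to show that the UID crosses the air before any key is used. The function names are made up for this example, the frame lines are copied from the trace above, and `sector = block // 4` assumes the MIFARE Classic 1K layout.

```python
import re

AUTH_KEY = {0x60: "A", 0x61: "B"}          # MIFARE Classic auth command bytes
LINE = re.compile(r"^(?:RDR|TAG)\(\d+\):((?:[0-9a-f]{2} ?)+)$")

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 Type A CRC (initial value 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def decode(line: str):
    """Classify one trace line; the RDR/TAG label is ignored on purpose,
    because the sniffer can mislabel direction."""
    m = LINE.match(line.strip())
    if not m:
        return None                         # prompt, status or debug line
    frame = bytes.fromhex(m.group(1))
    # Auth request: command, block number, 2-byte CRC, all in the clear.
    if len(frame) == 4 and frame[0] in AUTH_KEY and crc_a(frame[:2]) == frame[2:]:
        return {"kind": "auth", "key": AUTH_KEY[frame[0]],
                "block": frame[1], "sector": frame[1] // 4}
    # Anticollision reply: 4 UID bytes followed by their XOR (BCC).
    if len(frame) == 5 and frame[0] ^ frame[1] ^ frame[2] ^ frame[3] == frame[4]:
        return {"kind": "uid", "uid": frame[:4].hex()}
    # Everything else: nonces, or traffic encrypted after a successful auth.
    return {"kind": "other", "length": len(frame)}

def summarize(lines):
    """Return only the frames that can be read without any key."""
    decoded = (decode(l) for l in lines)
    return [d for d in decoded if d and d["kind"] != "other"]

# Lines copied from the trace in post #1.
SAMPLE = [
    "RDR(0):61 04 09 24           ",
    "TAG(1):f5 be 5e 7e           ",
    "RDR(2):ab 75 50 d5 f9 80 7e 8c           ",
    "RDR(14):60 00 f5 7b           ",
    "TAG(10):7a a0 8c 81 d7           ",
    "proxmark3>",
]

if __name__ == "__main__":
    for item in summarize(SAMPLE):
        print(item)
```
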

#4 2016-09-14 23:08:11

ljt31980
Contributor
Registered: 2016-09-05
Posts: 4

Re: Card Trace

Thank you iceman!
When I cloned the card including block 0, it worked.
When I cloned all but block 0, it didn't even recognize the card.
Does this mean the system is using UID or manufacturer info, or are there other possibilities?

Last edited by ljt31980 (2016-09-15 00:16:02)


#5 2016-09-15 06:44:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Card Trace

Sounds like the UID/Block0 is used in the backend system.
