Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
#1 2017-02-02 08:00:49
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Help with MiFare Plus/JCOP/DESFIRE
Greetings all,
I have created a new thread for this as hi-jacking other's is deprecated here. Previously iceman has provided quite a bit of guidance in identifying this tag i have, but i wasn't able to follow through the investigations due to other commitment.
Introduction / Intention:
This FOB i'm trying to duplicate belongs to my apartment which i have just shifted into. The reason for duplicating this is because of the (1) insanely high replacement cost (or to purchase another one), and also because i would like to (2) duplicate it into a card where i can keep in my wallet.
Information about this FOB:
1. It uses the security system known as VITEZ - http://genspro.sg/Product%201%20-%20VITEZ.pdf
2. there is a FOB number at the back of it, "0002466". Could this be a key to the FOB?
3. There are multiple fobs with various FOB number, note that this is different from the UID of the FOB.
Card UID: 0454202202448000 - FOB number: 0002466
Proxmark3 info:
1. Using latest iceman proxmark3 build (just compiled today)
Proxmark3 RFID instrument
bootrom: iceman//-suspect 2016-11-19 14:53:14
os: iceman//-suspect 2016-11-19 14:54:05
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 216973 bytes (83). Free: 45171 bytes (17).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 -->
pm3 --> hf 14a reader
UID : 04 54 20 22 02 44 80
ATQA : 00 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 60 D3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : C1 05 2F 2F 01 BC D6 -> MIFARE Plus X 2K or 4K
c1 -> Mifare or (multiple) virtual cards of various type
05 -> Length is 5 bytes
2x -> MIFARE Plus
2x -> Released
x1 -> VCS, VCSL, and SVC supported
Answers to magic commands (GEN1): NO
pm3 -->
pm3 --> hf search
UID : 04 54 20 22 02 44 80
ATQA : 00 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 60 D3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : C1 05 2F 2F 01 BC D6 -> MIFARE Plus X 2K or 4K
c1 -> Mifare or (multiple) virtual cards of various type
05 -> Length is 5 bytes
2x -> MIFARE Plus
2x -> Released
x1 -> VCS, VCSL, and SVC supported
Answers to magic commands (GEN1): NO
Valid ISO14443-A Tag Found - Quiting Search
pm3 --> hf mfdes info
#db# halt error. response len: 3
-- Desfire Information --------------------------------------
-------------------------------------------------------------
UID : 04 54 20 22 02 44 80
Batch number : 00 00 00 00 00
Production date : week 00, 2000
-----------------------------------------------------------
Hardware Information
Vendor Id : no tag-info available
Type : 0x68
Subtype : 0x00
Version : 0.0 (Desfire MF3ICD40)
Storage size : 0x00 (1 bytes)
Protocol : 0x00 (Unknown)
-----------------------------------------------------------
Software Information
Vendor Id : no tag-info available
Type : 0x32
Subtype : 0x00
Version : 0.0
storage size : 0x00 (1 bytes)
Protocol : 0x00 (Unknown)
-------------------------------------------------------------
CMK - PICC, Card Master Key settings
#db# halt error. response len: 3
[0x08] Configuration changeable : YES
[0x04] CMK required for create/delete : NO
[0x02] Directory list access with CMK : YES
[0x01] CMK is changeable : YES
#db# halt error. response len: 3
Max number of keys : 104
Master key Version : 189 (0xbd)
----------------------------------------------------------
#db# halt error. response len: 3
[0x0A] Authenticate : YES
#db# halt error. response len: 3
[0x1A] Authenticate ISO : YES
#db# halt error. response len: 3
[0xAA] Authenticate AES : YES
----------------------------------------------------------
#db# halt error. response len: 3
Available free memory on card : 26813 bytes
-------------------------------------------------------------
pm3 -->
Dark side attack
will update when complete. taking more than 5 mins ...
pm3 --> hf mf chk *4 ? d
No key specified, trying default keys
key[ 0] ffffffffffff
key[ 1] 000000000000
key[ 2] a0a1a2a3a4a5
key[ 3] b0b1b2b3b4b5
key[ 4] aabbccddeeff
key[ 5] 4d3a99c351dd
key[ 6] 1a982c7e459a
key[ 7] d3f7d3f7d3f7
key[ 8] 714c5c886e97
key[ 9] 587ee5f9350f
key[10] a0478cc39091
key[11] 533cb6c723f6
key[12] 8fd0a4f256e9
................................................................................
Time in checkkeys: 747528 ticks 92 seconds
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 0 | ffffffffffff | 0 |
|001| ffffffffffff | 0 | ffffffffffff | 0 |
|002| ffffffffffff | 0 | ffffffffffff | 0 |
|003| ffffffffffff | 0 | ffffffffffff | 0 |
|004| ffffffffffff | 0 | ffffffffffff | 0 |
|005| ffffffffffff | 0 | ffffffffffff | 0 |
|006| ffffffffffff | 0 | ffffffffffff | 0 |
|007| ffffffffffff | 0 | ffffffffffff | 0 |
|008| ffffffffffff | 0 | ffffffffffff | 0 |
|009| ffffffffffff | 0 | ffffffffffff | 0 |
|010| ffffffffffff | 0 | ffffffffffff | 0 |
|011| ffffffffffff | 0 | ffffffffffff | 0 |
|012| ffffffffffff | 0 | ffffffffffff | 0 |
|013| ffffffffffff | 0 | ffffffffffff | 0 |
|014| ffffffffffff | 0 | ffffffffffff | 0 |
|015| ffffffffffff | 0 | ffffffffffff | 0 |
|016| ffffffffffff | 0 | ffffffffffff | 0 |
|017| ffffffffffff | 0 | ffffffffffff | 0 |
|018| ffffffffffff | 0 | ffffffffffff | 0 |
|019| ffffffffffff | 0 | ffffffffffff | 0 |
|020| ffffffffffff | 0 | ffffffffffff | 0 |
|021| ffffffffffff | 0 | ffffffffffff | 0 |
|022| ffffffffffff | 0 | ffffffffffff | 0 |
|023| ffffffffffff | 0 | ffffffffffff | 0 |
|024| ffffffffffff | 0 | ffffffffffff | 0 |
|025| ffffffffffff | 0 | ffffffffffff | 0 |
|026| ffffffffffff | 0 | ffffffffffff | 0 |
|027| ffffffffffff | 0 | ffffffffffff | 0 |
|028| ffffffffffff | 0 | ffffffffffff | 0 |
|029| ffffffffffff | 0 | ffffffffffff | 0 |
|030| ffffffffffff | 0 | ffffffffffff | 0 |
|031| ffffffffffff | 0 | ffffffffffff | 0 |
|032| ffffffffffff | 0 | ffffffffffff | 0 |
|033| ffffffffffff | 0 | ffffffffffff | 0 |
|034| ffffffffffff | 0 | ffffffffffff | 0 |
|035| ffffffffffff | 0 | ffffffffffff | 0 |
|036| ffffffffffff | 0 | ffffffffffff | 0 |
|037| ffffffffffff | 0 | ffffffffffff | 0 |
|038| ffffffffffff | 0 | ffffffffffff | 0 |
|039| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.
pm3 --> hf list 14a
Recorded Activity (TraceLen = 1705 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ANTICOLL-2
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
90752 | 96672 | Rdr |0a 00 60 68 b5 | ok |
105396 | 111284 | Tag |0a 00 0b bd 68 | |
114816 | 120672 | Rdr |0b 00 af 4f d1 | ok |
129204 | 135092 | Tag |0b 00 0b 61 32 | |
138624 | 144480 | Rdr |0a 00 af 93 8b | ok |
153012 | 158900 | Tag |0a 00 0b bd 68 | |
171904 | 175456 | Rdr |c2 e0 b4 | ok | RESTORE(224)
178944 | 183712 | Rdr |50 00 57 cd | ok | HALT
187316 | 190836 | Tag |c2 e0 b4 | |
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ANTICOLL-2
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
90752 | 96608 | Rdr |0a 00 45 c7 c3 | ok |
105396 | 111284 | Tag |0a 00 0b bd 68 | |
112640 | 116192 | Rdr |c2 e0 b4 | ok | RESTORE(224)
119680 | 124448 | Rdr |50 00 57 cd | ok | HALT
128052 | 131572 | Tag |c2 e0 b4 | |
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ANTICOLL-2
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
91008 | 98016 | Rdr |0a 00 64 00 9b 88 | ok |
106804 | 112692 | Tag |0a 00 0b bd 68 | |
114048 | 117600 | Rdr |c2 e0 b4 | ok | RESTORE(224)
121088 | 125856 | Rdr |50 00 57 cd | ok | HALT
129588 | 133108 | Tag |c2 e0 b4 | |
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ANTICOLL-2
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
91008 | 98016 | Rdr |0a 00 0a 00 de 77 | ok |
106804 | 112692 | Tag |0a 00 0b bd 68 | |
114048 | 117600 | Rdr |c2 e0 b4 | ok | RESTORE(224)
121088 | 125856 | Rdr |50 00 57 cd | ok | HALT
129332 | 132852 | Tag |c2 e0 b4 | |
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ANTICOLL-2
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
91008 | 98016 | Rdr |0a 00 1a 00 4f e2 | ok |
106804 | 112692 | Tag |0a 00 0b bd 68 | |
114048 | 117600 | Rdr |c2 e0 b4 | ok | RESTORE(224)
121088 | 125856 | Rdr |50 00 57 cd | ok | HALT
129460 | 132980 | Tag |c2 e0 b4 | |
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ANTICOLL-2
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
91008 | 98016 | Rdr |0a 00 aa 00 21 d8 | ok |
106804 | 112692 | Tag |0a 00 0c 02 1c | |
114048 | 117600 | Rdr |c2 e0 b4 | ok | RESTORE(224)
121088 | 125856 | Rdr |50 00 57 cd | ok | HALT
129332 | 132852 | Tag |c2 e0 b4 | |
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ANTICOLL-2
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
90752 | 96608 | Rdr |0a 00 6e 16 5c | ok |
105396 | 111284 | Tag |0a 00 0b bd 68 | |
112640 | 116192 | Rdr |c2 e0 b4 | ok | RESTORE(224)
119680 | 124448 | Rdr |50 00 57 cd | ok | HALT
128052 | 131572 | Tag |c2 e0 b4 | |
pm3 -->
Sniffing data with the reader
Will be running ..
(1) hf 14a sniff
(2) hf 14a list
let me know i should be doing something different.
First attempt:
30259044 | 30261412 | Tag |44 00 | |
30270112 | 30272576 | Rdr |93 20 | | ANTICOLL
30273764 | 30279652 | Tag |88 04 54 20 f8 | |
30300944 | 30311408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30312660 | 30316180 | Tag |04 da 17 | |
30325376 | 30327840 | Rdr |95 20 | | ANTICOLL-2
30329028 | 30334852 | Tag |22 02 44 80 e4 | |
30356096 | 30366624 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
30367796 | 30371380 | Tag |20 fc 70 | |
30379632 | 30384336 | Rdr |e0 50 bc a5 | ok | RATS
30385572 | 30401828 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
Second attempt:
5753792 | 5754848 | Rdr |26 | | REQA
5829680 | 5830736 | Rdr |26 | | REQA
8380704 | 8381760 | Rdr |26 | | REQA
8382948 | 8385316 | Tag |44 00 | |
8394016 | 8396480 | Rdr |93 20 | | ANTICOLL
8397652 | 8403540 | Tag |88 04 54 20 f8 | |
8424848 | 8435312 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
8436564 | 8440084 | Tag |04 da 17 | |
8449280 | 8451744 | Rdr |95 20 | | ANTICOLL-2
8452932 | 8458756 | Tag |22 02 44 80 e4 | |
8479984 | 8490512 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
8491700 | 8495284 | Tag |20 fc 70 | |
8503520 | 8508224 | Rdr |e0 50 bc a5 | ok | RATS
8509476 | 8525732 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
pm3 -->
Last edited by genexis (2017-02-02 10:15:51)
Offline
#2 2017-02-02 10:07:56
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,506
- Website
Re: Help with MiFare Plus/JCOP/DESFIRE
The tag answers to ISO7816 packages as seen below
90752 | 96608 | Rdr |0a 00 6e 16 5c | ok |
105396 | 111284 | Tag |0a 00 0b bd 68 | | You can try:
hf list 7816 (to get another annotation)
Question; does the tag answer to Mifare classic authentication? NO - since tag is DESFIRE.
[edit] the ISOnumber got swapped,
[edit] tag is Mifare DESFIRE, "hf mf" commands doesnt work.
Offline
#3 2017-02-02 10:15:24
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
My sniffing results seem awfully short ... and consistent. Is this the norm for DESFIRE?
The ATQA seems like classic, but the SAK shouts DESFIRE... any guidance?
Offline
#4 2017-02-02 10:27:51
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
The tag answers to ISO7618 packages as seen below
90752 | 96608 | Rdr |0a 00 6e 16 5c | ok | 105396 | 111284 | Tag |0a 00 0b bd 68 | |You can try:
hf list 7618 (to get another annotation)
hf mf chk *1 ? default_keys.dic ( testing more known keys)Question; does the tag answer to Mifare classic authentication? No need to have a valid key at this moment.
ie:
hf mf rdbl 3 0 a 112233445566
hf list 14a --> to get the trace from it.
pm3 --> hf list 7816 f
No further info given based on the info below ...
Recorded Activity (TraceLen = 203 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | ?
992 | 2228 | |fdt (Frame Delay Time): 1236
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ?
9504 | 10676 | |fdt (Frame Delay Time): 1172
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | | ?
29408 | 30644 | |fdt (Frame Delay Time): 1236
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ?
37920 | 39092 | |fdt (Frame Delay Time): 1172
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | | ?
57888 | 59060 | |fdt (Frame Delay Time): 1172
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | | ?
69024 | 70196 | |fdt (Frame Delay Time): 1172
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | |
588288 | 589280 | Rdr |40 | | ?
1639040 | 1640352 | Rdr |43 | | ?
2690560 | 2695328 | Rdr |50 00 57 cd | | ?
Offline
#5 2017-02-02 10:28:51
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
I'm trying hf mf chk *1 ? default_keys.dic, but after running about one minute, i get a lot of errors about unable to send to pm3.
.Sending bytes to proxmark failed
....Sending bytes to proxmark failed
.Sending bytes to proxmark failed
.Sending bytes to proxmark failed
.Sending bytes to proxmark failed
.Sending bytes to proxmark failed
.Sending bytes to proxmark failed
....Sending bytes to proxmark failed
.Sending bytes to proxmark failed
.Sending bytes to proxmark failed
.Sending bytes to proxmark failed
.Sending bytes to proxmark failed
.Sending bytes to proxmark failed
....Sending bytes to proxmark failed
any idea if this is a firmware issue?
Offline
#6 2017-02-02 10:55:07
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
Updated bootrom and fullimage ...
pm3 --> hw ver
[[[ Cached information ]]]
Proxmark3 RFID instrument
bootrom: iceman// 2017-02-02 17:17:41
os: iceman// 2017-02-02 17:17:04
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 214876 bytes (82). Free: 47268 bytes (18).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 -->
but issue with HF MF CHK *1 d ? client/default_keys.dic persists...
Offline
#7 2017-02-03 15:57:12
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
anybody ?
Offline
#8 2017-02-03 16:32:35
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,506
- Website
Re: Help with MiFare Plus/JCOP/DESFIRE
hm, works for me, I get one of those messages but not more,
Offline
#9 2017-02-03 23:26:49
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
So i re-compiled the PM3 using a windows->docker build from your guide. Same issue ....
This time, i let it run all the way. Does the below look normal? Maybe there are some attempts it fails to write into the PM3.
This only happens when i supply a dic.
pm3 --> hf mf chk *1 ? d default_keys.dic
check key[ 0] ffffffffffff
.
.
.
.
check key[248] f792c4c76a5c
check key[249] bfb6796a11db
...Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
..Sending bytes to proxmark failed
.Sending bytes to proxmark failed
Time in checkkeys: 1030439 ticks 215 seconds
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 0 | ffffffffffff | 0 |
|001| ffffffffffff | 0 | ffffffffffff | 0 |
|002| ffffffffffff | 0 | ffffffffffff | 0 |
|003| ffffffffffff | 0 | ffffffffffff | 0 |
|004| ffffffffffff | 0 | ffffffffffff | 0 |
|005| ffffffffffff | 0 | ffffffffffff | 0 |
|006| ffffffffffff | 0 | ffffffffffff | 0 |
|007| ffffffffffff | 0 | ffffffffffff | 0 |
|008| ffffffffffff | 0 | ffffffffffff | 0 |
|009| ffffffffffff | 0 | ffffffffffff | 0 |
|010| ffffffffffff | 0 | ffffffffffff | 0 |
|011| ffffffffffff | 0 | ffffffffffff | 0 |
|012| ffffffffffff | 0 | ffffffffffff | 0 |
|013| ffffffffffff | 0 | ffffffffffff | 0 |
|014| ffffffffffff | 0 | ffffffffffff | 0 |
|015| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.
pm3 -->
Offline
#10 2017-02-04 00:20:57
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
So the next thing i tried was to change the tag and ran the commands and it went well ...
Seems like this Tag doesn't seem to respond well to the speed of the commands? Anybody has encountered a "slow responding" tag before?
Offline
#11 2017-02-04 04:13:28
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Help with MiFare Plus/JCOP/DESFIRE
is there anything in a hf list 14a after all that?
Offline
#12 2017-02-04 04:30:58
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
pm3 --> hw tune
Measuring antenna characteristics, please wait......
# HF antenna: 16.02 V @ 13.56 MHz
# Your LF antenna is unusable.
pm3 -->
.
.
.
|015| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.
pm3 --> hf 14a list
Recorded Activity (TraceLen = 1033 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ANTICOLL-2
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
89216 | 93984 | Rdr |61 3f 59 ab | ok | AUTH-B(63)
1143680 | 1144928 | Rdr |00 | |
1160192 | 1161184 | Rdr |52 | | WUPA
2211840 | 2212832 | Rdr |52 | | WUPA
3263488 | 3264480 | Rdr |52 | | WUPA
4315136 | 4316128 | Rdr |52 | | WUPA
5366784 | 5367776 | Rdr |52 | | WUPA
6418432 | 6419424 | Rdr |52 | | WUPA
7470080 | 7471072 | Rdr |52 | | WUPA
8521728 | 8522720 | Rdr |52 | | WUPA
9573376 | 9574368 | Rdr |52 | | WUPA
10625024 | 10626016 | Rdr |52 | | WUPA
11676672 | 11677664 | Rdr |52 | | WUPA
12728320 | 12729312 | Rdr |52 | | WUPA
13779968 | 13780960 | Rdr |52 | | WUPA
14831616 | 14832608 | Rdr |52 | | WUPA
15883264 | 15884256 | Rdr |52 | | WUPA
16934912 | 16935904 | Rdr |52 | | WUPA
17986560 | 17987552 | Rdr |52 | | WUPA
19038208 | 19039200 | Rdr |52 | | WUPA
20089856 | 20090848 | Rdr |52 | | WUPA
21141504 | 21142496 | Rdr |52 | | WUPA
22193152 | 22194144 | Rdr |52 | | WUPA
23244800 | 23245792 | Rdr |52 | | WUPA
24296448 | 24297440 | Rdr |52 | | WUPA
25348096 | 25349088 | Rdr |52 | | WUPA
26399744 | 26400736 | Rdr |52 | | WUPA
27451392 | 27452384 | Rdr |52 | | WUPA
28503040 | 28504032 | Rdr |52 | | WUPA
29554688 | 29555680 | Rdr |52 | | WUPA
30606336 | 30607328 | Rdr |52 | | WUPA
31657984 | 31658976 | Rdr |52 | | WUPA
32709632 | 32710624 | Rdr |52 | | WUPA
33761280 | 33762272 | Rdr |52 | | WUPA
34812928 | 34813920 | Rdr |52 | | WUPA
35864576 | 35865568 | Rdr |52 | | WUPA
36916224 | 36917216 | Rdr |52 | | WUPA
37967872 | 37968864 | Rdr |52 | | WUPA
39019520 | 39020512 | Rdr |52 | | WUPA
40071168 | 40072160 | Rdr |52 | | WUPA
41122816 | 41123808 | Rdr |52 | | WUPA
42174464 | 42175456 | Rdr |52 | | WUPA
43226112 | 43227104 | Rdr |52 | | WUPA
44277760 | 44278752 | Rdr |52 | | WUPA
45329408 | 45330400 | Rdr |52 | | WUPA
46381056 | 46382048 | Rdr |52 | | WUPA
47432704 | 47433696 | Rdr |52 | | WUPA
48484352 | 48485344 | Rdr |52 | | WUPA
49536000 | 49536992 | Rdr |52 | | WUPA
50587648 | 50588640 | Rdr |52 | | WUPA
51639296 | 51640288 | Rdr |52 | | WUPA
52690944 | 52691936 | Rdr |52 | | WUPA
53742592 | 53743584 | Rdr |52 | | WUPA
54794240 | 54795232 | Rdr |52 | | WUPA
55845888 | 55846880 | Rdr |52 | | WUPA
56897536 | 56898528 | Rdr |52 | | WUPA
57949184 | 57950176 | Rdr |52 | | WUPA
59000832 | 59001824 | Rdr |52 | | WUPA
60052480 | 60053472 | Rdr |52 | | WUPA
61104128 | 61105120 | Rdr |52 | | WUPA
62155776 | 62156768 | Rdr |52 | | WUPA
63207424 | 63208416 | Rdr |52 | | WUPA
64259072 | 64260064 | Rdr |52 | | WUPA
65310720 | 65311712 | Rdr |52 | | WUPA
66362368 | 66363360 | Rdr |52 | | WUPA
67414016 | 67415008 | Rdr |52 | | WUPA
68465664 | 68466656 | Rdr |52 | | WUPA
69517312 | 69518304 | Rdr |52 | | WUPA
70568960 | 70569952 | Rdr |52 | | WUPA
71620608 | 71621600 | Rdr |52 | | WUPA
72672256 | 72673248 | Rdr |52 | | WUPA
73723904 | 73724896 | Rdr |52 | | WUPA
74775552 | 74776544 | Rdr |52 | | WUPA
75827200 | 75828192 | Rdr |52 | | WUPA
76878848 | 76879840 | Rdr |52 | | WUPA
77930496 | 77931488 | Rdr |52 | | WUPA
78982144 | 78983136 | Rdr |52 | | WUPA
80033792 | 80034784 | Rdr |52 | | WUPA
81085440 | 81086432 | Rdr |52 | | WUPA
82137088 | 82138080 | Rdr |52 | | WUPA
83188736 | 83189728 | Rdr |52 | | WUPA
84240384 | 84241376 | Rdr |52 | | WUPA
85292032 | 85293024 | Rdr |52 | | WUPA
86343680 | 86344672 | Rdr |52 | | WUPA
87395328 | 87396320 | Rdr |52 | | WUPA
88446976 | 88447968 | Rdr |52 | | WUPA
pm3 -->
Offline
#13 2017-02-04 05:50:55
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Help with MiFare Plus/JCOP/DESFIRE
Looks like your tag shuts off after a failed auth attempt. It looks like it has a safety to prevent bruteforce attacks.
Offline
#14 2017-02-04 06:12:29
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
Looks like your tag shuts off after a failed auth attempt. It looks like it has a safety to prevent bruteforce attacks.
So its a dead end here ...? Is there some way to ... add a delay parameter for the HF MF CHK?
Offline
#15 2017-02-04 06:17:46
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Help with MiFare Plus/JCOP/DESFIRE
You'd probably need to adjust the code to turn off the antenna long enough to power down the tag before it retrys
Offline
#16 2017-02-04 12:18:37
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,506
- Website
Re: Help with MiFare Plus/JCOP/DESFIRE
The icemanfork uses the faster authentication way invented by piwi for hardnested inside the "hf mf chk"..
You should be able to adjust the timeout limits and recompile/flash to get it to work better.
[edit] tag is Mifare DESFIRE. "hf mf" commands doesn't work on it.
Offline
#17 2017-02-04 15:15:14
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
I think there is something which i'm understanding wrongly ...
1. I edited the client/cmdhfmf.c
2. added sleep(5) to delay 5 seconds for each loop
starting Line 1264:
for (uint32_t c = 0; c < keycnt; c += max_keys) {
printf(".");
fflush(stdout);
uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;
res = mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6*c], &key64);
if (!res) {
e_sector[i].Key[trgKeyType] = key64;
e_sector[i].foundKey[trgKeyType] = TRUE;
break;
}
[b]sleep(5);[/b]
}
b < 127 ? ( b +=4 ) : ( b += 16 );3. make clean && make
4. try again ... but i am still getting the same "locked out" symptom below.
What am i missing?
---
pm3 --> hf 14a list
Recorded Activity (TraceLen = 313 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ANTICOLL-2
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
89216 | 93984 | Rdr |61 3f 59 ab | ok | AUTH-B(63)
1143680 | 1144928 | Rdr |00 | |
1160192 | 1161184 | Rdr |52 | | WUPA
2211840 | 2212832 | Rdr |52 | | WUPA
3263488 | 3264480 | Rdr |52 | | WUPA
4315136 | 4316128 | Rdr |52 | | WUPA
5366784 | 5367776 | Rdr |52 | | WUPA
6418432 | 6419424 | Rdr |52 | | WUPA
7470080 | 7471072 | Rdr |52 | | WUPA
8521728 | 8522720 | Rdr |52 | | WUPA
9573376 | 9574368 | Rdr |52 | | WUPA
10625024 | 10626016 | Rdr |52 | | WUPA
11676672 | 11677664 | Rdr |52 | | WUPA
12728320 | 12729312 | Rdr |52 | | WUPA
pm3 -->
Offline
#18 2017-02-04 15:28:10
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,506
- Website
Re: Help with MiFare Plus/JCOP/DESFIRE
its not on clientside, is on device side. (ie armsrc)
Offline
#19 2017-02-04 16:17:14
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
Found a AUTHENTICATION_TIMEOUT parameter in armsrc/mifarecmd.c
//-----------------------------------------------------------------------------
// acquire encrypted nonces in order to perform the attack described in
// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
// Computer and Communications Security, 2015
//-----------------------------------------------------------------------------
#define AUTHENTICATION_TIMEOUT 848 //848 // card times out 1ms after wrong authentication (according to NXP documentation)
#define PRE_AUTHENTICATION_LEADTIME 400 // some (non standard) cards need a pause after select before they are ready for first authentication
1. Changed it to about ... 2500
2. make clean && make
3. flash fullimage.elf
4. restart ...
doesn't seem to be taking effect ...
Based on Piwi's code below, it seems like that will be the correct parameter to edit.
if (mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
uint8_t dummy_answer = 0;
ReaderTransmit(&dummy_answer, 1, NULL);
timeout = GetCountSspClk() + AUTHENTICATION_TIMEOUT;
// wait for the card to become ready again
while(GetCountSspClk() < timeout);
continue;
}Offline
#20 2017-02-04 17:54:50
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,506
- Website
Re: Help with MiFare Plus/JCOP/DESFIRE
That would be right place to change. It seems your tag doesn't timeout even when set to 2500, try a higher number.
Offline
#21 2017-02-04 18:11:15
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Help with MiFare Plus/JCOP/DESFIRE
Two likely possibilities.
1 your tag just doesn't respond to a mifare classic auth (in a higher security mode?)
2 your tag needs to power down between attempts. No amount of timeout will help unless you turn off the antenna.
Offline
#22 2017-02-05 05:13:30
- genexis
- Contributor
- Registered: 2014-01-25
- Posts: 78
Re: Help with MiFare Plus/JCOP/DESFIRE
So new tests results...
1. Changed to another DESFIRE CARD that i bought from China.
pm3 --> hf mfdes info
-- Desfire Information --------------------------------------
-------------------------------------------------------------
UID : 04 0E 4C B2 E5 34 80
Batch number : BA 44 97 B9 50
Production date : week 28, 2013
-----------------------------------------------------------
Hardware Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.0 (Desfire EV1)
Storage size : 0x1A (8192 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-----------------------------------------------------------
Software Information
Vendor Id : NXP Semiconductors Germany
Type : 0x01
Subtype : 0x01
Version : 1.4
storage size : 0x1A (8192 bytes)
Protocol : 0x05 (ISO 14443-3, 14443-4)
-------------------------------------------------------------
CMK - PICC, Card Master Key settings
[0x08] Configuration changeable : YES
[0x04] CMK required for create/delete : NO
[0x02] Directory list access with CMK : NO
[0x01] CMK is changeable : YES
Max number of keys : 174
Master key Version : 0 (0x00)
----------------------------------------------------------
[0x0A] Authenticate : YES
[0x1A] Authenticate ISO : YES
[0xAA] Authenticate AES : NO
----------------------------------------------------------
Available free memory on card : 7936 bytes
-------------------------------------------------------------
2. Changed AUTHENTICATION_TIMEOUT to 10000, recompile & flash fullimage.elf
3. Ran HF MF CHK *1 ? d and guess what.... Same results.
I'm starting to think it is some kind of HW issue? Any thoughts?
I have tried on different PCs / platforms. All with the same issue.
Note: I also tried the command with a hotel MIFARE card that is an Ultralight. Same issue.
P/S: Anybody knows if this China DESFIRE card is the "Magic card" with changeable UID?
Offline
#23 2017-02-05 06:07:40
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Help with MiFare Plus/JCOP/DESFIRE
HF MF chk is only for mifare classic not desfire. It doesn't speak the same language. It just means your card doesn't answer to mf classic auth cmds.
Offline
#24 2017-02-05 06:09:28
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Help with MiFare Plus/JCOP/DESFIRE
Btw it won't work with an ultralight card for the same reason.
Offline
Pages: 1