Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-05-06 08:32:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Fudan FM11RF005SH (512 bit)

Fudan FM11RF005SH , has 512bit mem,  16blocks w 4bytes / block.   Total 64bytes

ISO14443a,  with support REQA, READ, WRITE, AUTH.   Unknown how the auth is done.
Kind of similar to Ultralight tags.

In order to add support for it in PM3. ATQA/SAK and a trace from one of these tags would be intersting to look at.
I found a v1.1 of the datasheet but it doesn't explain the auth command very well. A full datasheet would be nice to have.

Datasheet v1.1
http://www.datasheetlib.com/datasheet/1 … onics.html

Offline

#2 2018-05-06 09:13:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Fudan FM11RF005SH (512 bit)

Key is stored in block 8.

Reader: 60 01
Card: Random1
Reader: (encrypted stuff) with its random2
Card: ??

read = 0x30
write = 0xA0
auth = 0x60

Memory layout
-------------------
Block0 = CID customer id / MID  manufacturer id
Block1 = UID
Block 8 = key


I doubt the communications is encrypted,  so a normal sniff of a transaction between card and valid reader should reveal much.

Offline

#3 2018-05-07 23:20:25

maozhenyu
Contributor
Registered: 2018-05-07
Posts: 8

Re: Fudan FM11RF005SH (512 bit)

That's gonna be tough since you might be a stranger while using proxmark3 near the gate of subway.

Offline

#4 2018-05-20 16:13:47

atmel9077
Contributor
Registered: 2017-06-25
Posts: 46

Re: Fudan FM11RF005SH (512 bit)

According to this document, Fudan Microelectronics makes two similar chips with 512 bits of memory, one with Mifare compatible crypto and the other "compatible with Shanghai local standard"

Offline

#5 2018-06-18 17:44:52

maozhenyu
Contributor
Registered: 2018-05-07
Posts: 8

Re: Fudan FM11RF005SH (512 bit)

Here's something.
No need anymore

Last edited by maozhenyu (2018-06-19 16:18:13)

Offline

#6 2018-06-18 21:22:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Fudan FM11RF005SH (512 bit)

@maozhenyu 
Great trace!   Very interesting,  reader reads all memory but after the auth the communications looks like it got encrypted.

   7715052 |    7716044 | Rdr | 52                                                              |     | WUPA
   7717296 |    7719664 | Tag | 03  00

datasheet - 52 should return CID.  CID 03, 00 is part of block zero.  Which is verified by the block 0 read afterward :)

  7802092 |    7806860 | Rdr | 30  00  02  a8                                                  |  ok | READBLOCK(0)
  7808048 |    7815024 | Tag | 03  00  02  90  f4  d4
 CID | 03  00  
MID  | 02  90

UID  | D0  0E  4E  B0

This part looks like belonging to the authentication process.  Like crypto-1 has.

    8405740 |    8410444 | Rdr | 60  00  f5  7b                                                  |  ok | AUTH-A(0)
    8412080 |    8416816 | Tag | fb  9a  cd  23                          --> tag nonce?
    8431724 |    8441100 | Rdr |ba! d1! a5! 51! 2d! 8a!  f5  9e   --> 2 * 4 nonces?  encrypted(nt),  nr
    8442272 |    8447008 | Tag |59!  10  57  2f                         -->  encrypted (nr)

Guessing this reader command,  downloads something.

8548588 |    8553292 | Rdr |d5!  b9  40 08!         -->  

 --> tag answers 6*6 =36bytes.   assume 2byte crc on each. 
--> 36-12 = 24bytes.  Not common tag response size when looking on a mifare s50 card.  Must be FUDAN related
8554528 |    8561568 | Tag | f3! 50 c5  9a 2b! 3c!  
8600096 |    8607072 | Tag | 3c  c4 25! fd! a2  d2
8646432 |    8653408 | Tag | 76  ae!  59 37! 8a!  95
8692384 |    8699360 | Tag | a3  fe  50 be! 89! e5!
8738352 |    8745328 | Tag | af! d5! db! 74! 3d! 8a!
8784672 |    8791712 | Tag | 15 79! fa! 97! d4! af!

Are you able to get the Anticollision process aswell?
and is that the full transaction? 
and how did you collect the trace?  with  hf mf sniff    did you use the new hf list command?
you could also save this trace with  hf list save mytrace.trc  if you are using the latest offical repo, and upload it here.

Offline

#7 2018-06-19 03:14:00

maozhenyu
Contributor
Registered: 2018-05-07
Posts: 8

Re: Fudan FM11RF005SH (512 bit)

Full Trial:

   Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |

------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        256 | Tag |00!                                                              |     | 
     410960 |     413328 | Tag |0b!  03                                                          |     | 
     451408 |     452048 | Tag |03!                                                              |     | 
     781904 |     782544 | Tag | 01                                                              |     | 
     821824 |     824192 | Tag | 03 01!                                                          |     | 
    1110720 |    1113088 | Tag |0b!  03                                                          |     | should be CID 00 03
    1155136 |    1162176 | Tag | 5d  c9  20  b0  a5  08                                          |  ok | RESULT: READ BLOCK 1
    1201600 |    1208576 | Tag | 03  00  02  90  f4  d4                                          |  ok |  RESULT: READ BLOCK 0
    1248640 |    1248832 | Tag | 01                                                              |     |  RESULT: REQUEST CARD(FAILED)
    1292864 |    1299904 | Tag | 00  02  20  24  ad  a7                                          |  ok | RESULT: READ BLOCK 2
    1339328 |    1346048 | Tag | 3a 28! 32! 4d!  25  75                                          | !crc| 
    1385024 |    1392064 | Tag | 01  23  07  64  ce  ce                                          |  ok |  RESULT: READ BLOCK 5
    1792748 |    1797452 | Rdr | 60  00  f5  7b                                                  |  ok | AUTH-A(0)
    1799344 |    1803760 | Tag |43!  d6  c7 53!                                                  |     |  Tag Nonce
    1818732 |    1828108 | Rdr | e5  ba  1d 66! ee! 18! 50!  02                                  | !crc| Ra1
    1829296 |    1833968 | Tag |c0!  41  bf 37!                                                  |     |  Rb'

    1889004 |    1893772 | Rdr | dc 26! bd! b8!                                                  | !crc| READ BLOCK(?) 9?
    1894976 |    1902016 | Tag |6e!  a2  bd  33  fe  df                                          | !crc| 

    1934956 |    1939724 | Rdr |97! 7b! 96! 14!                                                  | !crc| READ BLOCK(?) 10?
    1940912 |    1947888 | Tag | 8a df!  c0  9b  66  03                                          | !crc| 

    1981164 |    1985868 | Rdr |7f! e0! ca! b9!                                                  | !crc| READ BLOCK(?) 11?
    1987120 |    1994096 | Tag |f4!  be  4d  7c  8b  82                                          | !crc| 

    2027116 |    2031820 | Rdr |ee!  88 1e!  5f                                                  | !crc| READ BLOCK(?) 12?
    2033072 |    2040112 | Tag |ce! 75!  2b  c4  15  7a                                          | !crc| 

    2073068 |    2077772 | Rdr |e7!  ab  1a  9f                                                  | !crc| READ BLOCK(?) 13?
    2079024 |    2086000 | Tag |fe! 22! ed! af!  af 10!                                          | !crc| 

    2522092 |    2526796 | Rdr | 42 ef!  9c  9a                                                  | !crc| WRITE BLOCK(?) guess block 9
    2528048 |    2528688 | Tag |05!                                                                  |     |  ACK, should be 0A
    2544364 |    2551436 | Rdr |a3!  d4  4b  2f 77! 7b!                                      | !crc| WRITE(PUT DATA) 
    2593712 |    2594352 | Tag |03!                                                              |     |     ACK, should be 0A

    2625004 |    2629772 | Rdr |84!  34 27!  e3                                              | !crc| READ BLOCK
    2630960 |    2637936 | Tag |b6! d6!  f6  26  29 25!                                   | !crc|  probably verify

    2671980 |    2676684 | Rdr | 2c  1d 47!  e7                                   | !crc| WRITE guess block 10
    2677936 |    2678512 | Tag | 08                                                              |     |  ACK, should be 0A
    2694252 |    2701260 | Rdr |9d!  da 51!  88  15  60                        | !crc|  WRITE(PUT DATA)
    2743600 |    2744176 | Tag | 0e                                                              |     |  ACK, should be 0A

    2775660 |    2780428 | Rdr | 5b 96!  3a ca!                                    | !crc|  WRITE guess block 11
    2781616 |    2782256 | Tag | 07                                                         |     | ACK, should be 0A
    2797932 |    2804940 | Rdr | e7 f0!  92  cf 54!  ed                               | !crc| WRITE(PUT DATA)
    2847280 |    2847920 | Tag | 01                                                              |     | ACK, should be 0A

    2878956 |    2883660 | Rdr |df! e2!  bf  de                                                  | !crc| READ BLOCK(?)
    2884912 |    2891888 | Tag |6c! 9c! 46!  c9  ed  e2                                          | !crc| 
    2925164 |    2929868 | Rdr | dc  a8  43 80!                                                  | !crc| READ BLOCK(?)
    2931120 |    2938096 | Tag | 57  9d  87  79  a7 4f!                                          | !crc| 
    2971372 |    2976140 | Rdr | 42  b2  8b  34                                                  | !crc| READ BLOCK(?)
    2977328 |    2984304 | Tag |bb!  6f 5c! ed! 1d!  05                                          | !crc| 

    3018604 |    3023372 | Rdr | 5a 16! 1a! de!                                                  | !crc| WRITE
    3024560 |    3025200 | Tag |06!                                                              |     | ACK should be 0A
    3040876 |    3047948 | Rdr | f4  27 50!  9f  fc  d0                                          | !crc| WRITE(PUT DATA)
    3090224 |    3090800 | Tag |0f!                                                              |     | ACK should be 0A

    3122796 |    3127564 | Rdr | be  f5  47  d5                                                  | !crc| WRITE
    3128752 |    3129328 | Tag |0f!                                                              |     | ACK should be 0A
    3145068 |    3152140 | Rdr |dd!  59 4e!  bc  67 69!                                          | !crc| WRITE(PUT DATA)
    3194416 |    3195056 | Tag |05!                                                              |     | ACK should be 0A

    3226604 |    3231308 | Rdr |0f!  a8 6e!  0a                                                  | !crc| WRITE
    3232560 |    3233200 | Tag |00!                                                              |     |ACK should be 0A
    3248748 |    3255756 | Rdr | 2c 02!  2f 57! 64! 43!                                          | !crc| WRITE(PUT DATA)
    3298096 |    3298672 | Tag |0a!                                                              |     | ACK should be 0A

    3827164 |    3831868 | Rdr | 4d 2b! 4d!  96                                                  | !crc| WRITE
    3833120 |    3833760 | Tag |05!                                                              |     | ACK should be 0A
    3849436 |    3856508 | Rdr | 33  ea 72! 66!  85  4c                                          | !crc| WRITE(PUT DATA)
    3898784 |    3899424 | Tag |05!                                                              |     | ACK should be 0A

    7174716 |    7175708 | Rdr | 52                                                              |     | WUPA
    7176960 |    7179328 | Tag |0b!  03                                                          |     | CID should be 00 03

    7215804 |    7220572 | Rdr | 30  01  8b  b9                                                  |  ok | READBLOCK(1)
    7221760 |    7228800 | Tag | 5d  c9  20  b0  a5  08                                          |  ok | 
    7262012 |    7266780 | Rdr | 30  00  02  a8                                                  |  ok | READBLOCK(0)
    7267968 |    7274944 | Tag | 03  00  02  90  f4  d4                                          |  ok | 
    7307964 |    7312668 | Rdr | 30  03  99  9a                                                  |  ok | READBLOCK(3)
    7313920 |    7320896 | Tag | 26  44  5c  01  00  9c                                          |  ok | 
    7354300 |    7359004 | Rdr | 30  02  10  8b                                                  |  ok | READBLOCK(2)
    7360256 |    7367296 | Tag | 00  02  20  24  ad  a7                                          |  ok | 
    7399996 |    7404700 | Rdr | 30  04  26  ee                                                  |  ok | READBLOCK(4)
    7405952 |    7412928 | Tag | ea  a2  c8  36  94  d4                                          |  ok | 
    7446204 |    7450908 | Rdr | 30  05  af  ff                                                  |  ok | READBLOCK(5)
    7452160 |    7459200 | Tag | 01  23  07  64  ce  ce                                          |  ok | 
    7859260 |    7863964 | Rdr | 60  00  f5  7b                                                  |  ok | AUTH-A(0)
    7865600 |    7870272 | Tag | 9b  f9  02  0f                                                  |     |  Tag-Nonce
    7885244 |    7894556 | Rdr | d6  40  e9 d1! 02! 31! b5!  ed                                  | !crc| Ra1
    7895808 |    7900480 | Tag |5f! 56!  e0 fe!                                                  |     | Rb'

    7955388 |    7960156 | Rdr | dc 26! bd! b8!                                                  | !crc| ? READ BLOCK(?)
    7961344 |    7968384 | Tag |64!  a2  bc 28!  5b  a4                                          | !crc| 
    8001852 |    8006620 | Rdr |97! 7b! 96! 14!                                                  | !crc| ? READ BLOCK(?)
    8007808 |    8014784 | Tag | 8a df!  c0  9b  66  03                                          | !crc| 
    8047548 |    8052252 | Rdr |7f! e0! ca! b9!                                                  | !crc| READ BLOCK(?)
    8053504 |    8060480 | Tag |f4!  be  4d  7c  8b  82                                          | !crc| 
    8093756 |    8098460 | Rdr |ee!  88 1e!  5f                                                  | !crc| READ BLOCK(?)
    8099712 |    8106752 | Tag |ce! 75!  2b  c4  15  7a                                          | !crc| 
    8139836 |    8144604 | Rdr |e7!  af  3e  d9                                                  | !crc| READ BLOCK(?)
    8145792 |    8152768 | Tag |a5! 05! 23! fa!  00 df!                                          | !crc| 
    8185788 |    8190492 | Rdr | d2 eb!  e5  c5                                                  | !crc| READ BLOCK(?)
    8191744 |    8198720 | Tag | 0d 6f!  9c  2a 97! b3!                                          | !crc| 
    8231996 |    8236764 | Rdr |ad! ba!  43 b7!                                                  | !crc| READ BLOCK(?)
    8237952 |    8244992 | Tag | f5 b6! d6!  f6  26  7f                                          | !crc| 
    8836652 |    8837644 | Rdr | 52                                                              |     | WUPA
    8838896 |    8841264 | Tag |0b!  03                                                          |     | CID, should be 00 03
    8877612 |    8882380 | Rdr | 30  01  8b  b9                                                  |  ok | READBLOCK(1)
    8883552 |    8890592 | Tag | 5d  c9  20  b0  a5  08                                          |  ok | 
    8924204 |    8928972 | Rdr | 30  00  02  a8                                                  |  ok | READBLOCK(0)
    8930144 |    8937120 | Tag | 03  00  02  90  f4  d4                                          |  ok | 
    8969900 |    8974604 | Rdr | 30  03  99  9a                                                  |  ok | READBLOCK(3)
    8975856 |    8982832 | Tag | 26  44  5c  01  00  9c                                          |  ok | 
    9015468 |    9020172 | Rdr | 30  02  10  8b                                                  |  ok | READBLOCK(2)
    9021424 |    9028464 | Tag | 00  02  20  24  ad  a7                                          |  ok | 
    9062060 |    9066764 | Rdr | 30  04  26  ee                                                  |  ok | READBLOCK(4)
    9068016 |    9074992 | Tag | ea  a2  c8  36  94  d4                                          |  ok | 
    9108012 |    9112716 | Rdr | 30  05  af  ff                                                  |  ok | READBLOCK(5)
    9113968 |    9121008 | Tag | 01  23  07  64  ce  ce                                          |  ok | 
    9527980 |    9532684 | Rdr | 60  00  f5  7b                                                  |  ok | AUTH-A(0)
    9534320 |    9539056 | Tag | 94  8d  2f  e3                                                  |     | Tag-Nonce
    9553964 |    9563340 | Rdr | de  b1  20 63! 6c! 84! 86!  5e                                  | !crc| Ra
    9564528 |    9569264 | Tag |5f! da!  00 44!                                                  |     |  Rb'

    9624492 |    9629260 | Rdr | dc 26! bd! b8!                                                  | !crc| READ BLOCK(?)
    9630448 |    9637488 | Tag |64!  a2  bc 28!  5b  a4                                          | !crc| 
    9670828 |    9675596 | Rdr |97! 7b! 96! 14!                                                  | !crc| READ BLOCK(?)
    9677024 |    9683744 | Tag |a2! 77!  f0 26! d9!  40                                          | !crc| 
    9716524 |    9721228 | Rdr |7f! e0! ca! b9!                                                  | !crc| READ BLOCK(?)
    9722464 |    9729440 | Tag |f4!  be  4d  7c  8b  82                                          | !crc| 
    9763372 |    9768076 | Rdr |ee!  88 1e!  5f                                                  | !crc| READ BLOCK(?)
    9769312 |    9776352 | Tag |ce! 75!  2b  c4  15  7a                                          | !crc| 


    9815136 |    9822112 | Tag |a5! 05! 23! fa!  00 df!                                          | !crc| 
    9861088 |    9868064 | Tag | 0d 6f!  9c  2a 97! b3!                                          | !crc| 
    9907824 |    9914864 | Tag | f5 b6! d6!  f6  26  7f                                          | !crc|

Last edited by maozhenyu (2018-06-19 17:25:48)

Offline

#8 2018-06-19 15:48:45

maozhenyu
Contributor
Registered: 2018-05-07
Posts: 8

Re: Fudan FM11RF005SH (512 bit)

Anticolision:

hf 14a raw -p -b 7 -a 26 return 03 00(cid)
hf 14a raw -p 93XX(XX does not matter, return 0A)
hf 14a raw -p -c 3001 (read UID)
hf 14a raw -p -b 7 -a 26 return 01(failed cuz already selected)
hf 14a raw -p -b 7 -a 26 return 0300 (cid,request again)
hf 14a raw -p 9370XXXXXXXX(XX is UID, return 0A)
hf 14a raw -p -c 6001 (start to AUTH)
hf 14a raw -p YYYYYYYYYYYYYYYY(Ra) return Rb'

Key used is XXXXXXXX00(Block 8 + 00)

IC: FM1704/FM1705/FM1715/FM1725

Last edited by maozhenyu (2018-06-23 13:23:28)

Offline

#9 2018-07-04 13:51:17

jimmy9806
Contributor
Registered: 2018-07-01
Posts: 6

Re: Fudan FM11RF005SH (512 bit)

Here's some sniff results wiz better accuracy from anticollision procedure to reading block7 between a FM11RF005SH and a FM1715 reader set in Shanghai Standard (which I guess is quite similar to crypto-1) mode. Without knowing the key we are only able to read the first 8 blocks and apparently these blocks are encrypted.

Recorded Activity (TraceLen = 327 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 52                                                              |     | WUPA
       2260 |       4628 | Tag | 03  00                                                          |     |
      49296 |      59824 | Rdr | 93  70  00  00  00  00  00  9c  d9                              |  ok | SELECT_UID
      61012 |      61588 | Tag |0a!                                                              |     |
      65168 |      69936 | Rdr | 30  01  8b  b9                                                  |  ok | READBLOCK(1)
      71124 |      78100 | Tag | 29  ab  d4  b0  91  8b                                          |  ok |
     136080 |     137072 | Rdr | 52                                                              |     | WUPA
     138340 |     138980 | Tag | 01                                                              |     |
     197024 |     198016 | Rdr | 52                                                              |     | WUPA
     199268 |     201636 | Tag | 03  00                                                          |     |
     259232 |     269696 | Rdr | 93  70  29  ab  d4  b0  00  41  5c                              |  ok | SELECT_UID
     270948 |     271524 | Tag |0a!                                                              |     |
     333616 |     338384 | Rdr | 30  00  02  a8                                                  |  ok | READBLOCK(0)
     339572 |     346548 | Tag | 03  00  02  90  f4  d4                                          |  ok |
     407216 |     411984 | Rdr | 30  01  8b  b9                                                  |  ok | READBLOCK(1)
     483776 |     488480 | Rdr | 30  02  10  8b                                                  |  ok | READBLOCK(2)
     489732 |     496772 | Tag | 00  02  23  07  5c  9e                                          |  ok |
     558016 |     562720 | Rdr | 30  03  99  9a                                                  |  ok | READBLOCK(3)
     563972 |     571012 | Tag | 4c  f5  6e  01  c6  8c                                          |  ok |
     633936 |     638640 | Rdr | 30  04  26  ee                                                  |  ok | READBLOCK(4)
     710480 |     715184 | Rdr | 30  05  af  ff                                                  |  ok | READBLOCK(5)
     716436 |     723476 | Tag | 04  17  b9  64  28  e5                                          |  ok |
     786400 |     791168 | Rdr | 30  06  34  cd                                                  |  ok | READBLOCK(6)
     862944 |     867712 | Rdr | 30  07  bd  dc                                                  |  ok | READBLOCK(7)
     868900 |     875876 | Tag | 00  00  7e  86  ea  dd                                          |  ok |

By the way, the code for the FM1715 reader is written and tested by maozhenyu & me.

Offline

#10 2018-07-13 03:28:12

maozhenyu
Contributor
Registered: 2018-05-07
Posts: 8

Re: Fudan FM11RF005SH (512 bit)

1. Forcing a Tag Nonce by PM3
2. Use ChameleonMini to give the same tag nonce to a valid reader
3. Sniff communications between valid card and valid reader
4. Decode keystream(reader side) by guessing.Decode keystream(card side) by read public sectors(and xor)
5. Replay Attack works but have to try at most 256 times for the parity bit.
6. Once tag nonce(nt) and uid remains unchanged. The ar_ence remains constant.

Offline

#11 2019-02-14 09:43:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Fudan FM11RF005SH (512 bit)

From
https://github.com/iceman1001/proxmark3 … -463488244

pm3 --> hf 14a raw -s -c 6001
7B 37 F1 D5
pm3 --> hf 14a raw -s -c 6001
64 E5 BA D7
E5 BA D7 1E
54 C9 61 8C
E5 BA D7 1E
BA D7 1E 4E
35 1B 47 06
64 E5 BA D7
E5 BA D7 1E
47 06 2C E7
E5 BA D7 1E
D7 1E 4E 2A
64 E5 BA D7
BA D7 1E 4E
5A 64 E5 BA
BA D7 1E 4E
E5 BA D7 1E
BA D7 1E 4E
E5 BA D7 1E
BA D7 1E 4E
5A 64 E5 BA
63 5A 64 E5
1E 4E 2A C6
D7 1E 4E 2A
E5 BA D7 1E
BA D7 1E 4E
61 8C 96 4A
1E 4E 2A C6
D7 1E 4E 2A
D7 1E 4E 2A
E5 BA D7 1E
64 E5 BA D7
BA D7 1E 4E
2A C6 54 C9
D7 1E 4E 2A
E5 BA D7 1E
BA D7 1E 4E
D7 1E 4E 2A
D7 1E 4E 2A

I think it has some rules like this

5A64E5BAD71EAE2A
351B47062CE7

Looks like the nonce is just a byte shifting algo  (LSFR?) which
From that sample data I can see the following, if I lineup the nonces a bit.

Set 1

351B4706
    47062CE7

Set 2

635A64E5
  5A64E5BA
    64E5BAD7
      E5BAD71E
        BAD71E4E
          D71E4E2A
           1E4E2AC6
               2AC654C9
                   54C9618C
                       618C964A

Since the second set looks more complete

lets assume and extrapolate the missing steps.

635A64E5
  5A64E5BA
    64E5BAD7
      E5BAD71E
        BAD71E4E
          D71E4E2A
            1E4E2AC6
              4E2AC654
                2AC654C9
                  C654C961
                    54C9618C
                      C9618C96
                        618C964A


Which gives us the following sequences of bytes.

635A64E5BAD71E4E2AC654C9618C964A

it would be fair to assume the first set of data should also eventually find its connection with the second set but not enough sample data?

Offline

#12 2019-02-14 09:54:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Fudan FM11RF005SH (512 bit)

if we try filling in the first set,  this is the expected data.

------35
  ----351B
    --351B47
      351B4706
        1B47062C
          47062CE7
            062CE7--
               2CE7----
                 E7------

Following sequence of bytes.
351B47062CE7

Lets compare with spencerkais

635A64E5BAD71E4E2AC654C9618C964A
  5A64E5BAD71EAE2A

351B47062CE7
351B47062CE7

So far so good in the validation of data.  Sadly the first set and the second set has no connections.

Offline

#13 2019-02-14 09:57:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Fudan FM11RF005SH (512 bit)

Now where is my code to test the output of a LFSR?   Where did I read about that?
Getting the polynominal used from a sample set like this...

It would be interesting to see how long this sequence is,  when it start over.

Offline

#14 2019-02-14 20:36:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Fudan FM11RF005SH (512 bit)

Using the Berlekamp-Massey algorithm

First set:   length / span 25 
x^25 + x^18 + x^16 + x^13 + x^12 + x^8 + x^7 + x^5 + x^2 + x^1

second set:  length / span 64
x^64 + x^63 + x^62 + x^61 + x^57 + x^52 + x^51 + x^50 + x^48 + x^44 + x^41 + x^39 + x^37 + x^36 + x^33 + x^32 + x^31 + x^30 + x^29 + x^28 + x^27 + x^25 + x^24 + x^21 + x^19 + x^18 + x^14 + x^13 + x^5 + x^4 + x^2 + 1

Offline

#15 2019-03-26 08:33:28

maozhenyu
Contributor
Registered: 2018-05-07
Posts: 8

Re: Fudan FM11RF005SH (512 bit)

Some facts:
1. UID and Nr are not involved during authentication
2. Keystream after successful authentication will not change iif Key of the card remains constant.
3. When Key = 00000000, then succ(keystream) will always be 0

Need to figure out the LFSR

Last edited by maozhenyu (2019-03-26 08:35:55)

Offline

#16 2021-01-27 13:35:04

liushanyin1252
Contributor
Registered: 2021-01-04
Posts: 15

Re: Fudan FM11RF005SH (512 bit)

The sh algorithm needs to be figure out. It should be similar to Crypto 1 algo

Offline

#17 2021-01-27 14:11:18

liushanyin1252
Contributor
Registered: 2021-01-04
Posts: 15

Re: Fudan FM11RF005SH (512 bit)

Offline

#18 2021-01-28 14:12:07

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: Fudan FM11RF005SH (512 bit)

Fudan FM11RF005SH is total shxt card. It has already been clonable since 2020, LOL

Offline

#19 2021-01-28 14:29:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Fudan FM11RF005SH (512 bit)

since last year?  Nice!

You adding support to the repo?

Offline

#20 2021-01-29 03:48:11

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: Fudan FM11RF005SH (512 bit)

iceman wrote:

since last year?  Nice!

You adding support to the repo?

as far as I know, the answer is NOP. Because they promote the special purpose card for it. I have no idea how to do it.

Offline

#21 2021-01-29 08:19:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Fudan FM11RF005SH (512 bit)

Link to the special purpose card?

Offline

#22 2021-01-31 17:23:49

liushanyin1252
Contributor
Registered: 2021-01-04
Posts: 15

Re: Fudan FM11RF005SH (512 bit)

fm11rf005m is clonanble by sniffing the keys like the mifare classic cards but fm11rf005sh is not able to clone easily because the algorithm is unknown.Only way is replay attack.
There is a fact that fm11rf005m is completely same as fm11rf005sh in structure but algorithm they use is different.You can only differ these card by the Block 0 in the card.0500xxxx is 005m. 0300xxxx is 005sh
fm11rf005m used the same algorithm as the Mifare classic cards.
but fm11rf005sh is using a special algorithm which is designed by Shanghai HuaHong company.The SHC1101/FM11RF08SH is also using the same algorithm.
By the way ,there is a full-compatible card called shc1103 which is manufactured by the Shanghai HuaHong company. Fm11rf005sh and shc1103 is evenly share the same die , but packaging in different company.

Offline

#23 2021-05-15 14:18:46

liushanyin1252
Contributor
Registered: 2021-01-04
Posts: 15

Re: Fudan FM11RF005SH (512 bit)

I recently did some test and find out that
nt generating poly might probably be
x16 + x14 + x13 + x10 + 1
or not
Definitely different from crypto 1

Last edited by liushanyin1252 (2021-05-15 15:19:33)

Offline

Board footer

Powered by FluxBB