Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2018-06-24 01:14:19

mic_hkhk
Contributor
Registered: 2018-06-23
Posts: 3

a popular toy Snack World datafig

I am new to this forum.

I am trying to dump the data of the Switch Game Snack World nfc datafig

http://www.takaratomy.co.jp/products/sn … eup/#anc06

Toy token is
1. Mifare NTAG213
2. 144 bytes

I got 2 problems

1. I use "hf mfu info", but no Tag configuration can be read.
    How can I read it out?

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : NTAG 213 144bytes (NT2H1311G0DU)
       UID : 04 93 44 3A ED 4C 80
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 5B, Ok
      BCC1 : 1B, Ok
  Internal : 48, default
      Lock : 30 00  - 40
OneTimePad : E1 10 12 00  - 2110

--- NDEF Message
Capability Container: E1 10 12 00
  E1 : NDEF Magic Number
  10 : version 1.0 supported by tag
  12 : Physical Memory Size: 152 bytes
  12 : NDEF Memory Size: 144 bytes
  00 : Read access granted without any security / Write access granted without any security

--- Tag Signature
IC signature public key name  : NXP NTAG21x (2013)
IC signature public key value : 04 49 4E 1A 38 6D 3D 3C FE 3D C1 0E 5D E6 8A 49 9B 1C 20 2D B5 B1 32 39 3E 89 ED 19 FE 5B E8 BC 61
    Elliptic curve parameters : secp128r1
            Tag ECC Signature : DD CD 68 10 01 8E F4 DA A1 98 86 FD 96 E7 D8 C4 47 26 15 11 4C FD 5F 8A 76 31 C8 1B 7A FA 2A 5E

--- Tag Version
       Raw bytes : 00 04 04 02 01 00 0F 03
       Vendor ID : 04, NXP Semiconductors Germany
    Product type : 04, NTAG
 Product subtype : 02, 50pF
   Major version : 01
   Minor version : 00
            Size : 0F, (256 <-> 128 bytes)
   Protocol type : 03 (ISO14443-3 Compliant)
 

2. When use command "hf 14a sniff", I got the record from tag only. No matter what reader i use (Smartphone / Switch/ 3ds)
    I tried:
    card - proxmark - reader
    proxmark - card - reader
    But no luck

pm3 --> hf 14a sniff
#db# Starting to sniff
#db# maxDataLen=207, Uart.state=0, Uart.len=0
#db# traceLen=506, Uart.output[0]=00000000
pm3 --> hf 14a list
trace pointer not allocated
Recorded Activity (TraceLen = 506 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       2368 | Tag |44  00                                                                   |     |
     917872 |     920240 | Tag |44  00                                                                   |     |
     936784 |     942672 | Tag |88  04  93  44  5b                                                       |     |
     968144 |     971664 | Tag |04  da  17                                                               |     |
     988032 |     993856 | Tag |3a  ed  4c  80  1b                                                       |     |
    1018464 |    1022048 | Tag |00  fe  51                                                               |     |
    3998112 |    4000480 | Tag |44  00                                                                   |     |
    4916256 |    4918624 | Tag |44  00                                                                   |     |
    4935168 |    4941056 | Tag |88  04  93  44  5b                                                       |     |
    4966512 |    4970032 | Tag |04  da  17                                                               |     |
    4986400 |    4992224 | Tag |3a  ed  4c  80  1b                                                       |     |
    5016800 |    5020384 | Tag |00  fe  51                                                               |     |
    6111984 |    6132848 | Tag |04  93  44  5b  3a  ed  4c  80  1b  48  30  00  e1  10  12  00  05  57   |  ok |
    9489072 |    9491440 | Tag |44  00                                                                   |     |
   10407152 |   10409520 | Tag |44  00                                                                   |     |
   10426048 |   10431936 | Tag |88  04  93  44  5b                                                       |     |
   10457408 |   10460928 | Tag |04  da  17                                                               |     |
   10477296 |   10483120 | Tag |3a  ed  4c  80  1b                                                       |     |
   10507712 |   10511296 | Tag |00  fe  51                                                               |     |
   11599568 |   11604240 | Tag |04  17  fe  1d                                                           |     |
   13022560 |   13034144 | Tag |c0  00  04  91  00  00  00  00  d4  de                                   |  ok |
   27992304 |   27994672 | Tag |44  00                                                                   |     |
   28910336 |   28912704 | Tag |44  00                                                                   |     |
   28929248 |   28935136 | Tag |88  04  93  44  5b                                                       |     |
   28960592 |   28964112 | Tag |04  da  17                                                               |     |
   28980480 |   28986304 | Tag |3a  ed  4c  80  1b                                                       |     |
   29010880 |   29014464 | Tag |00  fe  51                                                               |     |
   43648144 |   43650512 | Tag |44  00                                                                   |     |
   44565712 |   44568080 | Tag |44  00                                                                   |     |
   44584624 |   44590512 | Tag |88  04  93  44  5b                                                       |     |
   44615968 |   44619488 | Tag |04  da  17                                                               |     |
   44635840 |   44641664 | Tag |3a  ed  4c  80  1b                                                       |     |
   44666256 |   44669840 | Tag |00  fe  51                                                               |     |
   59305568 |   59307936 | Tag |44  00                                                                   |     |
   60223552 |   60225920 | Tag |44  00                                                                   |     |
   60242464 |   60248352 | Tag |88  04  93  44  5b                                                       |     |
   60273808 |   60277328 | Tag |04  da  17                                                               |     |
   60293680 |   60299504 | Tag |3a  ed  4c  80  1b                                                       |     |
   60324080 |   60327664 | Tag |00  fe  51                                                               |     |

Here is my hw ver:

Proxmark3 RFID instrument

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-881-g28a4260e 2018-06-19 14:08:01
      os: iceman/master/ice_v3.1.0-881-g28a4260e 2018-06-19 14:08:07
 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 238952 bytes (46%) Free: 285336 bytes (54%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

I know this too long, but i have try to search in this forum, but still cannot find out the solution
Thanks and forgive my poor english.

Offline

#2 2018-06-24 06:38:17

iceman
Administrator
Registered: 2013-04-25
Posts: 6,173
Website

Re: a popular toy Snack World datafig

Your sniff trace indicates you didnt get the reader communications.

Antenna voltages:
hw tune


Sniffing is a delicate question on finding a good spot with the pm3 antenna to pick up all communications.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2018-06-24 06:51:42

mic_hkhk
Contributor
Registered: 2018-06-23
Posts: 3

Re: a popular toy Snack World datafig

iceman wrote:

Your sniff trace indicates you didnt get the reader communications.

Antenna voltages:
hw tune


Sniffing is a delicate question on finding a good spot with the pm3 antenna to pick up all communications.

Thanks for your reply

Here is the result of hw tune
is it not sensitive to detect the signal from reader?

 
pm3 --> hw tune

[=] measuring antenna characteristics, please wait...

...

[+] LF antenna: 38.81 V - 125.00 kHz
[+] LF antenna: 32.57 V - 134.00 kHz
[+] LF optimal: 39.23 V - 126.32 kHz
[+] LF antenna is OK

[+] HF antenna: 30.16 V - 13.56 MHz
[+] HF antenna is OK


[+]  Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

Offline

#4 2019-02-23 13:05:30

iceman
Administrator
Registered: 2013-04-25
Posts: 6,173
Website

Re: a popular toy Snack World datafig

looks like a ok hf antenna.

try different position / distances to get a proper sniff with both reader and tag communications in it.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

Board footer

Powered by FluxBB