Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
1 to 1 copy
The card reader recognizes "Magic Chinese Cards" and that does not open the door.
What can you do there? Does anyone have a hint?
UID : 19 2B 33 14
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 19 2B 33 14
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
[+] Valid ISO14443-A tag found
[usb] pm3 --> hf mf wrbl 0 B 0d2DDDe90296 1942B3340E880400C844002000000018
--block no:0, key type:B, key:DD 25 8F EF 02 96
--data: 19 2B 33 14 0E 88 04 00 C8 44 00 20 00 00 00 18
#db# Cmd Error: 04
#db# Write block error
isOk:00
[usb] pm3 -->
Last edited by 3dmann (2019-06-23 11:49:44)
Offline
You could try
csetuid Set UID for magic Chinese card
csetblk Write block - Magic Chinese card
cgetblk Read block - Magic Chinese card
Offline
[usb] pm3 --> hf 14a read
UID : 19 2B 33 14
ATQA : 00 04
SAK : 88 [2]
[+] field dropped.
[usb] pm3 --> hf 14a list
[+] Recorded Activity (TraceLen = 77 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+----------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |19 2B 33 14 0e | |
19456 | 29984 | Rdr |93 70 16 19 2B 33 14 d4 cb | ok | SELECT_UID
31172 | 34692 | Tag |88 be 59 | |
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 19 2B 33 14
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
[usb] pm3 --> csetuid
help This help. Use '<command> help' for details of a particular command.
analyse { Analyse utils... }
data { Plot window / data buffer manipulation... }
emv { EMV iso14443 and iso7816... }
hf { High Frequency commands... }
hw { Hardware commands... }
lf { Low Frequency commands... }
rem { Add text to row in log file }
reveng { Crc calculations from the RevEng software... }
script { Scripting commands }
trace { Trace manipulation... }
quit
exit Exit program
[usb] pm3 --> hf mf csetblk
Set block data for magic Chinese card. Only works with magic cards
Usage: hf mf csetblk [h] <block number> <block data (32 hex symbols)> [w]
Options:
h this help
w wipe card before writing
<block> block number
<data> block data to write (32 hex symbols)
Examples:
hf mf csetblk 1 DD0203040FF0607080910111213141516
hf mf csetblk 1 DD0203040FF607080910111213141516 w
[usb] pm3 --> hf mf csetblk 1 19 2B 33 1440E880400C844002000000018
--block number: 1 data:19 2B 33 14 0E 88 04 00 C8 44 00 20 00 00 00 18
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 19 2B 33 14
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
[usb] pm3 --> hf mf cgetblk
Get block data from magic Chinese card. Only works with magic cards
Usage: hf mf cgetblk [h] <block number>
Options:
h this help
<block> block number
Examples:
hf mf cgetblk 1
[usb] pm3 --> hf mf cgetblk h
Get block data from magic Chinese card. Only works with magic cards
Usage: hf mf cgetblk [h] <block number>
Options:
h this help
<block> block number
Examples:
hf mf cgetblk 1
[usb] pm3 --> hf mf cgetblk 1
--block number: 1
data: 19 2B 33 14 0E 88 04 00 C8 44 00 20 00 00 00 18
[usb] pm3 --> hf mf csetuid 162A2614
--wipe card:NO uid:19 2B 33 14
[+] old block 0: 19 2B 33 DD 0E 88 04 00 C8 44 00 20 00 00 00 18
[+] new block 0: 19 2B 33 DD0E 88 04 00 C8 44 00 20 00 00 00 18
[+] old UID:00 00 00 00
[+] new UID:19 2B 33 14
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 19 2B 33 14
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
[usb] pm3 -->
Last edited by 3dmann (2019-06-23 11:48:09)
Offline
Assuming that the first is the original and the second is the clone.
hf mf csetuid 162A2614 0004 88
Some doors don't seem to respond to cards with different SAK numbers and somewhere those values don't seem to be set when I do a cload.
I haven't investigated further but I've seen this a bunch of places and been discussing it offline with someone.
I might have the order reversed in the above command for the ATQA and the SAK, best to double check the help.
Offline
Thanks, tomorrow morning I will test the chip; hopefully the door opens now.
[usb] pm3 --> hf mf list
[+] Recorded Activity (TraceLen = 115 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |40 | | MAGIC WUPC1
2500 | 3076 | Tag |0a! | |
7040 | 8352 | Rdr |43 | | MAGIC WUPC2
9540 | 10116 | Tag |0a! | |
14080 | 18784 | Rdr |a0 01 d6 a0 | ok | WRITEBLOCK(1)
20036 | 20612 | Tag |0a! | |
25600 | 46496 | Rdr |19 2B 33 14 0e 88 04 00 c8 44 00 20 00 00 00 18 2e fb | ok |
89156 | 89732 | Tag |0a! | |
91648 | 96416 | Rdr |50 00 57 cd | ok | HALT
[usb] pm3 --> hf mf csetuid 19 2B 33 14
--wipe card:NO uid:19 2B 33 14
[+] old block 0: 19 2B 33 14 0E 88 04 00 C8 44 00 20 00 00 00 18
[+] new block 0: 19 2B 33 14 0E 88 04 00 C8 44 00 20 00 00 00 18
[+] old UID:00 00 00 00
[+] new UID:19 2B 33 14
[usb] pm3 --> hf mf list
[+] Recorded Activity (TraceLen = 115 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |40 | | MAGIC WUPC1
2500 | 3076 | Tag |0a! | |
7040 | 8352 | Rdr |43 | | MAGIC WUPC2
9540 | 10116 | Tag |0a! | |
14080 | 18784 | Rdr |a0 00 5f b1 | ok | WRITEBLOCK(0)
20036 | 20612 | Tag |0a! | |
25600 | 46496 | Rdr |19 2B 33 14 0e 88 04 00 c8 44 00 20 00 00 00 18 2e fb | ok |
89156 | 89732 | Tag |0a! | |
91648 | 96416 | Rdr |50 00 57 cd | ok | HALT
[usb] pm3 -->
Last edited by 3dmann (2019-06-23 11:45:07)
Offline
Unfortunately, the door does not open.
I have now ordered the
10Pcs 13.5MHZ UID Changeable M1 S50 1K NFC Card Copy Rewritable Blank IC Car W0
and hope that it works then.
With
hf mf wrbl 0 B 0d258fe90296 2DfA6140E880400C844002000000018
this is the garage door
Last edited by 3dmann (2019-06-23 11:43:49)
Offline
Which card is the original and which is the clone?
Offline
original
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 19 2B 33 14
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
[+] Valid ISO14443-A tag found
[usb] pm3 --> hf mf list
[+] Recorded Activity (TraceLen = 103 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |19 2B 33 14 14 0e | |
19456 | 29984 | Rdr |93 70 16 19 2B 33 14 0e d4 cb | ok | SELECT_UID
31172 | 34692 | Tag |08 b6 dd | |
45312 | 50016 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
54852 | 59588 | Tag |b8 10 c5 02 | | AUTH: nt
clone
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 19 2B 33 14
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
[usb] pm3 --> hf mf list
[+] Recorded Activity (TraceLen = 103 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |19 2B 33 14 14 0e | |
19456 | 29984 | Rdr |93 70 16 19 2B 33 14 d4 cb | ok | SELECT_UID
31172 | 34692 | Tag |08 b6 dd | |
45312 | 50016 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
54852 | 59588 | Tag |b8 10 c5 02 | | AUTH: nt
Last edited by 3dmann (2019-06-23 11:43:10)
Offline
Thanks for your help, I have just seen the error:
SAK : 88 [2] ---------- SAK : 08 [2]
Now the door opens with SAK : 08 [2]
Offline
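Added example, not part of any post in this thread: a Python sketch that parses `hf search` output and lists the identification fields that separate the original from the Gen1a clone, then models a reader that compares only the UID against one that also compares the SAK. The function names and the reader model are assumptions; the sample text is constructed from the output quoted above.

```python
import re

# Constructed sample input, modelled on the two `hf search` outputs quoted in the thread.
ORIGINAL = """\
UID : 19 2B 33 14
ATQA : 00 04
SAK : 08 [2]
[=] Answers to magic commands: NO
[+] Prng detection: HARD
"""
CLONE = """\
UID : 19 2B 33 14
ATQA : 00 04
SAK : 88 [2]
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
"""
FIELD = re.compile(r"^\s*(?:\[[=+!]\]\s*)?"
                   r"(UID|ATQA|SAK|Answers to magic commands|Prng detection)[^:]*:\s*(.+?)\s*$")

def parse_hf_search(text):
    """Extract the anticollision fingerprint from `hf search` style output."""
    card = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key in ("UID", "ATQA"):
            card[key.lower()] = bytes.fromhex(value)
        elif key == "SAK":
            card["sak"] = int(value.split()[0], 16)   # "88 [2]" -> 0x88
        elif key.startswith("Answers"):
            card["magic"] = value.upper().startswith("YES")
        else:
            card["prng"] = value.upper()
    return card

def fingerprint_diff(enrolled, presented):
    """Map each differing field to (enrolled value, presented value)."""
    return {f: (enrolled.get(f), presented.get(f))
            for f in ("uid", "atqa", "sak", "magic", "prng")
            if enrolled.get(f) != presented.get(f)}

def reader_accepts(enrolled, presented, checked=("uid",)):
    """Hypothetical reader policy: accept only if every checked field matches."""
    return all(enrolled.get(f) == presented.get(f) for f in checked)

if __name__ == "__main__":
    print(fingerprint_diff(parse_hf_search(ORIGINAL), parse_hf_search(CLONE)))
```

With the SAK corrected, the clone still differs from the original in its answer to the magic wake-up and in the PRNG result, which are the fields a reader-side clone check can compare in addition to UID, ATQA and SAK.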
Yeah that is what I was trying to get at.
I am seeing that a lot. It's on my to-do list when I have a 2nd proxmark around to figure out why dump -> cload doesn't change the SAK.
Offline
It's just good to know that you have to look at it and then change it yourself.
So for me it's all great.
Offline
Hello,
Is it possible to dump a Chinese card? When I try with
pm3--> hf mf csave e 1
the prompt answers with hf-mf-aabbccddee.eml, so if I understand correctly I have this file hf-mf-aabbccddee.eml.
But when I try to load that file onto a Chinese card:
pm3--> hf mf cload : or cdump, I get this response:
coud not find hf-mf-aabbccddee-key.bin
I understand nothing...
Offline