Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-07-10 21:41:37

crocs
Contributor
Registered: 2020-07-10
Posts: 5

NexKey mode issue on RRG/Iceman/master/v4.9237

Hi,
For the last few days I was playing with some NexKey cards I got my hands on. I've also switched to the latest precompiled version for the Proxmark RDV4, v4.9237, when I stumbled upon a problem I can't figure out. Please bear in mind I'm a newbie, but I believe I did my homework as much as I could.
Anyway, with v4.9237 I found a mismatch between the Block 0 readout in lf t55 detect and in info/dump.

Essentially the detect command shows the correct mode and Block0, but when reading directly, Block0 changes to 0x20000108.


[usb] pm3 --> lf t55 detect
[=]      Chip Type      : T55x7
[=]      Modulation     : PSK2
[=]      Bit Rate       : 1 - RF/16
[=]      Inverted       : No
[=]      Offset         : 55
[=]      Seq. Term.     : No
[=]      Block0         : 0x00042080
[=]      Downlink Mode  : default/fixed bit length
[=]      Password Set   : No



[usb] pm3 --> lf t55 info

--- T55x7 Configuration & Information ---------
-------------------------------------------------------------
 Safer key                 : 2
 reserved                  : 0
 Data bit rate             : 0 - RF/8
 eXtended mode             : No
 Modulation                : 0 - DIRECT (ASK/NRZ)
 PSK clock frequency       : 0 - RF/2
 AOR - Answer on Request   : No
 OTP - One Time Pad        : Yes - Warning
 Max block                 : 0
 Password mode             : No
 Sequence Terminator       : Yes
 Fast Write                : No
 Inverse data              : No
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0,  block 0
    0x20000108 00100000000000000000000100001000



[usb] pm3 --> lf t55 dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 20000108 | 00100000000000000000000100001000 |  ...
[+]  01 | 007D0000 | 00000000011111010000000000000000 | .}..
[+]  02 | 68800298 | 01101000100000000000001010011000 | h...
[+]  03 | C0154E5D | 11000000000101010100111001011101 | ..N]
[+]  04 | 00000000 | 00000000000000000000000000000000 | ....
[+]  05 | 00000000 | 00000000000000000000000000000000 | ....
[+]  06 | 00000000 | 00000000000000000000000000000000 | ....
[+]  07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 20000108 | 00100000000000000000000100001000 |  ...
[+]  01 | 95380542 | 10010101001110000000010101000010 | .8.B
[+]  02 | 23FD4AC5 | 00100011111111010100101011000101 | #.J.
[+]  03 | 00000000 | 00000000000000000000000000000000 | ....
[+] saved to json file lf-t55xx-007D0000-68800298-C0154E5D-dump.json
[+] saved 12 blocks to text file lf-t55xx-007D0000-68800298-C0154E5D-dump.eml
[+] saved 48 bytes to binary file lf-t55xx-007D0000-68800298-C0154E5D-dump.bin

It gets even worse when I try to write the dumped blocks from a legit NexKey card. I can't get any reliable readouts afterwards, because each time I dump all the blocks I get slightly different output.

It's highly possible that I don't fully understand what I am doing ;)




The old firmware version I used:

Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-197-gebf1404-suspect 2020-06-13 20:47:17
os: master/v3.1.0-197-gebf1404-suspect 2020-06-13 20:47:21
fpga_lf.bit built for 2s30vq100 on 2019/11/21 at 09:02:37
fpga_hf.bit built for 2s30vq100 on 2020/03/05 at 19:09:39
SmartCard Slot: available

uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 208298 bytes (40%). Free: 315990 bytes (60%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

latest Iceman precompiled:

[=] Communicating with PM3 over USB-CDC


  ██████╗ ███╗   ███╗█████╗
  ██╔══██╗████╗ ████║╚═══██╗
  ██████╔╝██╔████╔██║ ████╔╝
  ██╔═══╝ ██║╚██╔╝██║ ╚══██╗
  ██║     ██║ ╚═╝ ██║█████╔╝       iceman@icesql.net
  ╚═╝     ╚═╝     ╚═╝╚════╝    bleeding edge

  https://github.com/rfidresearchgroup/proxmark3/


 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.9237-593-g8934fd52 2020-07-09 13:17:22
  compiled with MinGW-w64 9.3.0 OS:Windows (64b) ARCH:x86_64

 [ PROXMARK3 RDV4 ]
  external flash:                  present
  smartcard reader:                present

 [ PROXMARK3 RDV4 Extras ]
  FPC USART for BT add-on support: present

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.9237-593-g8934fd52 2020-07-09 13:17:05
       os: RRG/Iceman/master/v4.9237-593-g8934fd52 2020-07-09 13:17:12
  compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
  HF image built for 2s30vq100 on 2020-01-12 at 15:31:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 266058 bytes (51%) Free: 258230 bytes (49%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

Any advice that will help me understand whats going on will be appreciated.


#2 2020-07-11 08:53:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: NexKey mode issue on RRG/Iceman/master/v4.9237

Yeah, PSK demod is notoriously bad. The problem is getting a good first phase shift detection.
@mwalker33 has some ideas for improvements.

You should use the lf nexwatch commands when playing with the data. It will enable you to read and clone a credential.


#3 2020-07-11 10:06:53

crocs
Contributor
Registered: 2020-07-10
Posts: 5

Re: NexKey mode issue on RRG/Iceman/master/v4.9237

Thanks Iceman for suggestions.
I have tried the lf nex mode to clone; however, it sets up the t55 card config in a way that does not trigger the DigiReader to read.
When I switch the mode manually, it seems that the remaining blocks get scrambled and even the Proxmark does not recognize the card anymore as NexKey.


#4 2020-07-11 10:56:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: NexKey mode issue on RRG/Iceman/master/v4.9237

Are you sure it was a NexKey and not a QuadraKey? Or vice versa.
Would you mind sharing a trace of your original card? If not, share your t55xx? And is there any printing on your tag?

lf read
data save


#5 2020-07-11 11:54:48

crocs
Contributor
Registered: 2020-07-10
Posts: 5

Re: NexKey mode issue on RRG/Iceman/master/v4.9237

I'm quite positive that this is a QuadraKey.

[usb] pm3 --> lf nex read

[=] Inverted the demodulated data
[+]  NexWatch raw id : 0x40c00080
[+]         88bit id : 67913575 (0x40c4767)
[+]             mode : 1
[=]  Raw : 560000003104F33172D00

[usb] pm3 --> lf t55 detect

[=]      Chip Type      : T55x7
[=]      Modulation     : PSK2
[=]      Bit Rate       : 1 - RF/16
[=]      Inverted       : No
[=]      Offset         : 55
[=]      Seq. Term.     : No
[=]      Block0         : 0x00042080
[=]      Downlink Mode  : default/fixed bit length
[=]      Password Set   : No

[usb] pm3 --> lf t55 info


--- T55x7 Configuration & Information ---------
-------------------------------------------------------------
 Safer key                 : 2
 reserved                  : 0
 Data bit rate             : 0 - RF/8
 eXtended mode             : No
 Modulation                : 0 - DIRECT (ASK/NRZ)
 PSK clock frequency       : 0 - RF/2
 AOR - Answer on Request   : No
 OTP - One Time Pad        : Yes - Warning
 Max block                 : 0
 Password mode             : No
 Sequence Terminator       : Yes
 Fast Write                : No
 Inverse data              : No
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0,  block 0
    0x20000108 00100000000000000000000100001000




trace will be here : https://pastebin.com/1A7MKguc

On the older firmware version I also get 0x00042080 as Block0, but on both t55 detect and t55 info, and a card cloned by directly copying blocks 0-3 gave proper results against the DigiReader.

Meanwhile, lf nex clone sets Block0 to

[usb] pm3 --> lf t55 read b 0
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00081060 | 00000000000010000001000001100000 | ...`

to which DigiReader does not respond.

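A small decoder/encoder for the T55x7 configuration block, added here as a worked example for posts #1 and #5 (it is not Proxmark3 code and not something any poster ran). It takes the three block-0 words seen in this thread, 0x00042080 from lf t55 detect, 0x20000108 from lf t55 info / dump, and 0x00081060 written by lf nex clone, and prints the same fields lf t55 info shows, then lists where two words disagree. The bit positions are the Atmel T55x7 datasheet's non-extended-mode layout as I read it (bit 1 = MSB; safer/master key bits 1-4, bit rate 12-14, X-mode 15, modulation 16-20, PSK CF 21-22, AOR 23, OTP 24, MAXBLK 25-27, PWD 28, ST 29, fast write 30, inverse 31, POR delay 32); treat that table and the field names as assumptions to check against the datasheet.

```python
# T55x7 configuration block (page 0, block 0) decoder/encoder, non-extended mode.
# Added example for this thread, not Proxmark3 code. Bit numbering follows the
# Atmel T55x7 datasheet as I read it (bit 1 = MSB of the 32-bit word); verify the
# positions in FIELDS against the datasheet before relying on them.

BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {
    0: "DIRECT (ASK/NRZ)", 1: "PSK1", 2: "PSK2", 3: "PSK3",
    4: "FSK1", 5: "FSK2", 6: "FSK1a", 7: "FSK2a",
    8: "Manchester", 16: "Biphase", 24: "Biphase (a)",
}
PSK_CF = ["RF/2", "RF/4", "RF/8", "reserved"]

# (first datasheet bit, width) of each field in block 0 (assumed layout)
FIELDS = {
    "safer_key": (1, 4), "reserved": (5, 7), "bit_rate": (12, 3), "x_mode": (15, 1),
    "modulation": (16, 5), "psk_cf": (21, 2), "aor": (23, 1), "otp": (24, 1),
    "max_block": (25, 3), "pwd": (28, 1), "seq_term": (29, 1), "fast_write": (30, 1),
    "inverse": (31, 1), "por_delay": (32, 1),
}


def _shift(first_bit, width):
    """Right shift that brings datasheet bits first_bit..first_bit+width-1 to the LSBs."""
    return 32 - (first_bit + width - 1)


def field(word, name):
    """Raw integer value of one block-0 field."""
    first_bit, width = FIELDS[name]
    return (word >> _shift(first_bit, width)) & ((1 << width) - 1)


def decode_t55x7_config(word):
    """Decode a 32-bit block-0 word into the fields lf t55 info prints."""
    word &= 0xFFFFFFFF
    raw = {name: field(word, name) for name in FIELDS}
    out = dict(raw)
    out["bit_rate"] = BIT_RATES[raw["bit_rate"]]
    out["modulation"] = MODULATIONS.get(raw["modulation"], f"reserved ({raw['modulation']})")
    out["psk_cf"] = PSK_CF[raw["psk_cf"]]
    for flag in ("x_mode", "aor", "otp", "pwd", "seq_term", "fast_write", "inverse", "por_delay"):
        out[flag] = bool(raw[flag])
    return out


def encode_t55x7_config(modulation, bit_rate, max_block, psk_cf="RF/2",
                        otp=False, pwd=False, seq_term=False):
    """Build a block-0 word the way a clone command would (safer key 0, no X-mode)."""
    codes = {name: code for code, name in MODULATIONS.items()}
    values = {
        "bit_rate": BIT_RATES.index(bit_rate),
        "modulation": codes[modulation],
        "psk_cf": PSK_CF.index(psk_cf),
        "otp": int(otp),
        "max_block": max_block & 0x7,
        "pwd": int(pwd),
        "seq_term": int(seq_term),
    }
    word = 0
    for name, value in values.items():
        first_bit, width = FIELDS[name]
        word |= value << _shift(first_bit, width)
    return word


def config_diff(a, b):
    """Fields on which two block-0 words disagree: {field: (a_value, b_value)}."""
    da, db = decode_t55x7_config(a), decode_t55x7_config(b)
    return {k: (da[k], db[k]) for k in da if da[k] != db[k]}


if __name__ == "__main__":
    # The three block-0 words quoted in this thread.
    SAMPLES = [
        ("lf t55 detect, original card", 0x00042080),
        ("lf t55 info / dump, same card", 0x20000108),
        ("lf nex clone, written to the T55x7", 0x00081060),
    ]
    for label, word in SAMPLES:
        print(f"{label}: 0x{word:08X}")
        for name, value in decode_t55x7_config(word).items():
            print(f"  {name:11s}: {value}")
    print("detect vs clone:", config_diff(0x00042080, 0x00081060))
    print("rebuilt clone word: 0x%08X" % encode_t55x7_config("PSK1", "RF/32", 3))
```

Running it reproduces the lf t55 info output for 0x20000108 (safer key 2, RF/8, DIRECT, OTP and ST set, MAXBLK 0) and shows that this is nothing like the PSK2 / RF/16 / MAXBLK 4 configuration detect demodulated from the same card, so the block-0 value coming back from info and dump is best treated as a bad PSK read rather than a change on the tag. The diff between the detect word and the lf nex clone word is only modulation (PSK2 vs PSK1), bit rate (RF/16 vs RF/32) and MAXBLK (4 vs 3); those are the fields a manual write of block 0 has to match. Block 0 only tells the tag how to transmit and does not rewrite blocks 1-7, so after changing it, run lf t55 detect again before trusting a dump, since a client still demodulating with the old settings will return garbage for the data blocks.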

#6 2020-07-11 12:04:11

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: NexKey mode issue on RRG/Iceman/master/v4.9237

Yeah, there seems to be something going on with the commands. I believe it's because of the PSK demod.

lf t55 detect
lf t55 info

The lf nex clone should have set a configuration block that lets your T55x7 tag be read by your reader.

