Proxmark3 community


#1 2014-04-28 11:15:34

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

SRIX4K dump analysis

Dear all, I'm new here. I saw various interesting posts concerning RFID software and hardware development :-).
I write on this site because I need to find someone who could help me with the SRIX4K data analysis. I already know more data in the dump, including the crypto method to refill credit, but this is not my reason. Now I would like to find the MasterKey which permits using all keys with different Vendor IDs. I already found the Session Key but it is used only for the credit. I have a few dumps for analysis and I hope that someone in this forum can help me.
I think that these data are sensitive therefore I can provide my email if required.
Thanks in advance


#2 2014-04-29 11:12:47

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: SRIX4K dump analysis

Any news?? Is there someone who can help me?


#3 2014-04-29 18:05:20

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

Ciao Mariolino,
are you using the PM3 in order to collect data?
I think if it is not native in the PM3 firmware you should use RAW commands then modify the FW source in order to manage the specific chip and memory areas (I said this after a very very fast look at the datasheet).
Where did you find the information you have at the moment (crypto, algos, etc.)? I'm interested in it but still haven't found it on the internet... :-)
If I understand correctly, what you want to do is to have a key where you put the credit of different keys in order to have one key only in your pocket with different credits...
A multipurpose key, space saving. Interesting! I work in 3 separate offices (100 km distance), it would be wonderful to have one key instead of 3...
I will follow this post and try to contribute if my knowledge permits it, otherwise I'll learn something new...


#4 2014-04-29 18:52:07

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: SRIX4K dump analysis

Ciao MilkThief,
I'm not using the PM3 to read and write the SRIX4K, but I have a dedicated Arduino to do that :-). Unfortunately there was a misunderstanding of my reason because, in my opinion :-), it is not possible to collect the credit data of several keys into only one, because for each key there is a different credit algo linked to the UID, KEY SERIAL NUMBER and so on... :-)
What I want to do is to find that part of memory which, if I change the content, will permit use at the other "office" with a different Vendor ID. I already understood more data in this key but I still don't have the full algo which permits that. I can provide some dumps by mail for all people that are interested in studying :-).

I hope to find someone here to do that :-)


#5 2014-04-29 19:20:29

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

Ok, let's do this: let's start from the reader. Let me build one. What do I need?
I have a dozen different Arduino boards between home and office... Are you speaking about a shield or a custom circuit?


#6 2014-04-29 20:12:34

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: SRIX4K dump analysis

This is not a srix4k thread, this is a "MyKey Security System" thread (srix4k is the tag chosen by a specific company putting it inside a tag they called MyKey); this security system seems to be "secured" by this "key" (I read info in a forum with many posts about that subject); if you publish the way it is calculated the system will be broken, so I don't think this will be the right place to share that kind of info. I suggest you use your private email to talk about that.


#7 2014-04-29 20:14:28

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: SRIX4K dump analysis

I think that having a PM3 you can perform all operations with it, but you need a custom FW. Anyway, I used a GutenTag programmer from the SPlabs company, or you could use the SL500F programmer mentioned by member "asper" in the other post here.


#8 2014-04-29 20:27:19

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: SRIX4K dump analysis

Dear Asper, I agree with your point of view; in fact I added my private email to my profile to talk about that. I'm sorry if I did something against the forum rules.


#9 2014-04-29 20:32:14

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

Asper, you are right. We do not intend to exchange information about this thing here. Mariolino always wrote "I send a private email". He surely understands the problem.
This post is dedicated, if I'm right, to say:

A. Does somebody work at this project with me?
B. World, we have discovered some interesting things. We don't say what and how, but "about"...

On the other hand, I think the mifare was "secured" like the "mykey" before somebody posted something somewhere (surely not here). But to be "pure", the mifare attacks should not exist inside the PM3 firmware but as an external "personal" script. Don't you agree?


#10 2014-04-29 20:59:05

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: SRIX4K dump analysis

No, mifare crack is about exploiting a weakness (you need to exploit that weakness to obtain the keys); directly releasing keys or algos is not the same thing because this way you provide spoon-feeding to lazy people. This is my opinion of course.

Pm3 implements attacks using info provided in official public papers.

Last edited by asper (2014-04-29 21:02:13)


#11 2014-04-29 21:13:23

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: SRIX4K dump analysis

I think that we can close the discussion in a friendly way; it was not my intention to create noise. I added the private email for all guys interested in investigating this topic and I was hoping for your help, having just seen your post on this forum. :-)


#12 2014-04-29 21:29:50

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: SRIX4K dump analysis

Thanks for understanding ;)


#13 2014-10-26 13:06:30

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: SRIX4K dump analysis

Dear Asper, you there??
I would like to talk with you on freenode about the real MK calc :)

I would like to have from you a dump file where all blocks for the MK calc are implemented.

Last edited by mariolino (2014-10-26 13:29:56)


#14 2014-10-27 06:26:24

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: SRIX4K dump analysis

Dear Asper, I'm on freenode... do you have some srix dumps to share with me?


#15 2014-10-28 18:30:07

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: SRIX4K dump analysis

I'm sorry, you are right... Starting from now, I will be available on freenode to discuss the above subject :)


#16 2014-10-28 23:33:26

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

Does nobody intend to implement the srix write capability on pm3 commands?
It is hard to make some research with the read capability only...
Same for PCF in the lf section...
Thank you?


#17 2014-10-29 08:52:19

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: SRIX4K dump analysis

SRIX4K writing capability is already available through ISO14443B raw commands since r762.

Last edited by asper (2014-10-29 09:13:04)


#18 2014-10-29 14:21:22

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

asper wrote:

SRIX4K writing capability is already available through ISO14443B raw commands since r762.

I cannot read the word "write" near the word "srix4k", what do I miss?

proxmark3> hf 14b
help             This help          
demod            Demodulate ISO14443 Type B from tag          
list             List ISO 14443 history          
read             Read HF tag (ISO 14443)          
sim              Fake ISO 14443 tag          
simlisten        Get HF samples as fake tag          
snoop            Eavesdrop ISO 14443          
sri512read       Read contents of a SRI512 tag          
srix4kread       Read contents of a SRIX4K tag          
raw              Send raw hex data to tag 


#19 2014-10-29 15:15:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: SRIX4K dump analysis

Asper means that you can use the "hf 14b raw" to send write commands to your tag.


#20 2014-10-29 15:22:36

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

Ok... But it is not a "srix4kwrite" command... I was speaking about srix4k writing, not raw sending. It's clear that with raw you can write...
I also could have used the "raw" for writing the mifare blocks, too... But it is not so "user friendly".


#21 2014-10-29 15:30:58

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: SRIX4K dump analysis

You can make a lua script.

Anyway I already implemented srix basic functions in the windows gui.


#22 2014-10-29 15:36:32

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

Sorry, I don't use windows... Of course it can be done via lua script.
The thing I cannot understand is why not integrate the write functionality into the C code as the "read" functionality is...


#23 2014-10-29 16:45:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: SRIX4K dump analysis

To overcome some of the issues with having to code in C, some friendly people here on the forum decided to enhance and make life easier for their own platform. So the Android, Windows GUI and Lua functionality grew up. Now we have many different options and you can choose which one fits your style. I don't use the Windows GUI, but when I see how many extras were very easily added I'm impressed. And it is sad that the Linux platform doesn't have the same easiness.

Of course I also get frustrated that there is a lack of uniformity among all the functionality.


#24 2014-10-29 17:02:41

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

You are right: there are some "extra" beautiful implementations I appreciate. Android use is equal to the command line use (windows or linux), and this is very powerful, it gives out the requirement of the stand-alone version of the PM3... You can use a $80 android phone.

In an ideal world, a command (like "srix4kwrite") should be available in the windows GUI as in the command line, otherwise the risk is to have incoherence between versions, and the windows gui can do something that the command line cannot do and vice-versa.
For example, if somebody today implements "srix4kwrite" as a LUA script, and tomorrow the windows GUI will have the "srix4kdump", you'll have the "srix4k" functions family scattered across versions. It would be ridiculous, unusable, not serious... And can drive you crazy...


#25 2014-10-29 17:18:46

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

I think the purpose of this project is to encourage different people (skilled like you and not skilled like me) to use the PM3 and learn something more about RFID.
An "incoherent" approach to the project (things that haven't worked since the stone age like "lf em410 snoop", things that exist in the Windows GUI and not on the command line and vice-versa, missing functions like "srix4kwrite" or "srix4kdump" or "pcf7931write" etc.) could instead encourage people to collect a lot of Chinese reader/writers and leave the PM3 as a knick-knack.

I'm sorry to give my point of view so brutally, but that's what I see coming here from outside as a new user. Maybe you have been here for a long time and no longer have a global vision. Of course, it is an opinion, my opinion, and counts as 2 cents... :-)
I trust in this project, but I'm not a programmer, so my contribution cannot be so heavy.
Thank you for understanding and being here!

Last edited by MilkThief (2014-10-29 17:22:56)


#26 2014-10-29 18:51:38

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: SRIX4K dump analysis

You said it right, it is YOUR opinion !
As I stated in the win thread, pm3 IS NOT for lazy people and what you call "incoherences" in my opinion can be considered "laziness" because, for example, YOU CAN WRITE a srix4k tag with pm3 even if this is not the easiest way; pm3 is born to study rfid, not to "write tags"; there are absolutely NO DISCREPANCIES between linux, win and android versions, all pm3 executables are EXACTLY the same! If someone built up a GUI to make things easier this is a different kettle of fish, absolutely not related to pm3 itself (GUI sources are available if you want to port them to another platform!).

If something related to pm3 developing

could instead encourage people to collect a lot of Chinese reader/writers and leave the PM3 as a knick-knack.

it is not important at all ! I can survive if people go and buy chinese stuff because I am ABSOLUTELY SURE they do not want to study, they probably want to do something else so "golden bridges to those fleeing".

One last thing:

For example, if somebody today implements "srix4kwrite" as a LUA script, and tomorrow the windows GUI will have the "srix4kdump", you'll have the "srix4k" functions family scattered across versions. It would be ridiculous, unusable, not serious... And can drive you crazy...

How can a thing like the one you described above drive someone crazy? Again, sentences like that one keep away developers and really interested people because what you are asking for (srix write command) is something absolutely useless and, more important, already doable. So, if you want to bring respect to real devs (unfortunately I cannot consider myself one of them) you should avoid asking for that kind of lazy stuff, because real devs spend A LOT OF THEIR TIME improving their knowledge and testing things in the field, and I give them so much appreciation when they decide to share their discoveries with us.

Last edited by asper (2014-10-29 19:04:43)


#27 2014-10-29 19:13:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: SRIX4K dump analysis

A lot of knowledge can be read in the "settings.xml" file for the Proxmark tool... Download it: http://www.proxmark.org/forum/viewtopic.php?id=1562

It's a normal text file and if you read it, you will find out how to do a lot of neat things. One of them is how to write to a sri4x tag.
Once you have learnt it, you can contribute by making, for example, a lua-script which has the extra bells you want to have.


My suggestion is to turn all the emotions into actions which the community can all benefit from.


#28 2014-10-30 07:19:35

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

Asper,
For the same reasons the other "write" commands should not exist (and we should use the raw for mifare, t555x, etc.)
And for the same reasons (study) the "lf snoop" should work.
Maybe both our opinions are not correct?


#29 2014-10-30 13:27:21

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: SRIX4K dump analysis

I see your humility is as great as your intelligence. Please go steal some milk instead of wasting people's time begging for lazy "improvements". I was thinking of stopping releasing windows and android versions, and threads and answers like this one will probably bring me nearer to this decision.

Being extremely clear

Does nobody intend to implement the srix write capability on pm3 commands?

And this is a polite request.

It is hard to make some research with the read capability only...

Who cares if you have difficulties in your stealing research (your name is significant in that way) ? You can study and this is enough to "research". Buy a cheaper chinese reader.

For the same reasons the other "write" commands should not exist (and we should use the raw for mifare, t555x, etc.)

A reason that you seem not to be able to explain so I will: LAZINESS! Mifare anticollision and authentication is far more complicated in terms of commands than srix.
T55x ? You don't know what you are talking about.

And for the same reasons (study) the "lf snoop" should work.

This is TOTALLY DIFFERENT stuff; this is something that someone, one day, will fix, absolutely not related to adding lazy commands like the ones you are requesting.


This forum was GREAT because "thieves" were not able to find a way to express themselves, I hope it will remain that way.

No more answers from me about those subjects (decoding keys, etc).


Hope not to hear this kind of stuff from anybody soon.

Last edited by asper (2014-10-30 14:47:44)


#30 2014-10-30 15:35:33

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

ROTFL...

My intelligence is very low, your intelligence is very high, no doubt. (anyway... no reason to become offensive, don't you think?)
This is the reason why you should understand that my nickname cannot be an element of judgment against me, nor even a process to my intentions. I'm an honest guy, you don't know me, you cannot judge me!
I do an honest job that you definitely need (and this is not compatible with bad intention), I hope that this happens only in a marginal way. That day maybe you'll judge me, regardless of the nickname I use.
Now, use your intelligence to think over this, and over what are "assumptions" and what are "certainties"...

I'll stop posting here, don't worry, too many geniuses in the same forum... swim well in your beloved anarchy!

Last edited by MilkThief (2014-10-30 15:57:08)


#31 2014-10-30 15:36:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: SRIX4K dump analysis

Not that it matters... But to be honest, writing to a sri512 tag using the existing "hf 14b raw" command is easy. It is not easy to find out how to do it; then you need to search like crazy. I didn't know it either before since I haven't read the datasheets for iso15693.

It is easier to request a command than to figure them out. When it comes to "lf snoop" there is a whole level of knowledge needed to solve it. There are not so many active people on the forum who can do it. Sadly, I'm not one of them.

But in the interest of keeping a nice tone on the forum, I've added a "hf 14b write" command in my fork. I don't know if it's working, it needs testing. It uses the same "hf 14b raw" commands Asper hinted about. Asper is right in that adding this kind of functionality is not research; it will not push the knowledge of rfid security forward at all.
However, milkthief is right in that adding these functions we make the pm3 experience a nice one.  Maybe we can attract more people to enhancing the codebase?

Just be nice.


#32 2014-10-30 16:07:05

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: SRIX4K dump analysis

iceman wrote:

However, milkthief is right in that adding these functions we make the pm3 experience a nice one.  Maybe we can attract more people to enhancing the codebase?

Right, Iceman! This is exactly what I tried to say... And this is the reason why I asked if somebody will integrate into the codebase the write function. Unfortunately Iceman understands what he wants to much understand, and I am too stupid to interact with him.
No worries, I will learn how to write srix4k with raw commands, and I just do it with a Chinese hf R/W with a GUI interface "for dummies".
But the concept I was telling is another than simply write a srix4k. Fortunately you understood that!

Last edited by MilkThief (2014-10-30 16:07:42)


#33 2014-10-30 17:31:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: SRIX4K dump analysis

Just try the one in my fork and see if it works for you.


#34 2014-10-31 09:21:56

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: SRIX4K dump analysis

I think that this topic can be closed.... no more disputes. byee
