Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-03-06 12:20:15

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

ISO14443A Commands

Using a chip card reader mfrс522 for VISA paywave. where to find documentation on work with records?

->26 (REQA)
<-0400

->9320
<-B81900AA0B

->9370B81900AA0B (SELECT CARD)
<-28

<-E050  (RATS)
->137880820280318066B0840C016E0183009000

<-0200A4040007A0000000031010 (SELECT VISA)
->026F318407A0000000031010A526.....900000 (55 byte)

<-0300B2010C (read record 1)
->13704D57134402......43000   (63 bytes)

<-A2 (continue read???)
->0230303030.........900000 (22 byte)

If the command 0хA2 - continue reading to learn how to give it or not?

in another device  I use chip pn531. 0xA2 command was intercepted when pn531 read record 1
pn531 chip joined 2 pieces (63byte and 22 byte) and gave them one piece.
RATS comand  I do not ask to send pn531. he decided to send this command

Offline

#2 2015-03-06 12:27:29

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: ISO14443A Commands

Visa books..... 4 books.....you can find the books in pirateba......

Offline

#3 2015-03-06 13:36:41

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: ISO14443A Commands

Any hint about books name ?

Offline

#4 2015-03-06 13:46:42

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: ISO14443A Commands

I don't know if is legal??
I could upload....but  cool
I don't know if that could have legal problems to the forum.
Some moderator......

Offline

#5 2015-03-06 13:47:48

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: ISO14443A Commands

EMV visa books

Offline

#6 2015-03-06 14:55:30

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: ISO14443A Commands

They seems to be freely available on the net.

Last edited by asper (2015-03-06 14:57:07)

Offline

#7 2015-03-06 16:28:24

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: ISO14443A Commands

QvBV0qI.jpg
Red line - APDU comand
Blue line - responce, decoding by www. emvlab. org/tlvutils/
Green line - ???

Offline

#8 2015-03-06 17:45:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: ISO14443A Commands

apdu command/status byte, if I remember it correct.

Offline

#9 2015-03-06 18:00:23

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: ISO14443A Commands

Can I ask you what is the way you logged data ? Snoop with pm3 ? Those "green" bytes seems the header of the incapsulated apdus (CLA INS P1 P2 P3)...

I think there is a problem in the arrows you used:

-> sent to the card
<- received from the card

like:

->26 (REQA)
<-0400

What we have next:

<-E050  (RATS)
->137880820280318066B0840C016E0183009000

E050 is sent by the card to the reader ?

EDIT: no Iceman, the status byte are 2 bytes at the end of the string (ex. 90 00) called also SW1 and SW2.

Ex: ->137880820280318066B0840C016E0183009000

Last edited by asper (2015-03-06 18:09:24)

Offline

#10 2015-03-06 18:16:30

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: ISO14443A Commands

" 0x02, 0x03, 0x0A, 0x0B...this is the Protocol Control Byte (called PCB), comes from ISO14443-4, in the Prologue field, indicates if the block is I, R or S, and if chaining is being used"    from forum http://e2e.ti.com/


The next question is where to get the Standard ISO14443-4 )))

Offline

#11 2015-03-06 18:23:40

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: ISO14443A Commands

Yes, I did not remember "protocol control byte" but this is what I meant.

Last edited by asper (2015-03-06 18:52:57)

Offline

#12 2015-03-06 18:31:00

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: ISO14443A Commands

to Asper: Can I ask you what is the way you logged data ? Snoop with pm3 ? Those "green" bytes seems the header of the incapsulated apdus (CLA INS P1 P2 P3)...

I use "Saleae Logic - 8-Channel USB Logic Analyzer"
edfHKet.jpg

with the direction of the arrow I really made a mistake...

answers from cards get from the buffer circuit  MFRC522

Offline

#13 2015-03-06 18:34:27

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: ISO14443A Commands

So you sniffed a contact, not a contactless communication ? Am I wrong ?

Offline

#14 2015-03-06 18:37:48

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: ISO14443A Commands

pn531 chip adds PCB(0x02 or 0x03) and glues packages (use A2 comand?).
I need to use MFRC522, but it is not so clever %)

Offline

#15 2015-03-06 18:39:41

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: ISO14443A Commands

I wrapped the antenna, and it is perfectly catches the signal)))

Offline

#16 2015-03-06 21:13:26

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: ISO14443A Commands

Can you make a picture of the wrapped antenna ? (I contacted you to the other ICQ account)

Offline

#17 2015-03-06 22:40:31

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: ISO14443A Commands

I've been curious to play with paywave, but haven't seen any such cards here in sweden yet... sad
... and it's not like someone else will send me their credit card for experimentation either..

Offline

#18 2015-03-06 22:41:39

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: ISO14443A Commands

@Sentinel - you don't use a proxmark for this ? How come?

Offline

#19 2015-03-07 09:39:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: ISO14443A Commands

Hasn't Peter Fillmore a branch filled with all EMV functions for Visa and Mastercard? https://github.com/peterfillmore/proxmark3

Offline

#20 2015-03-09 10:57:38

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: ISO14443A Commands

Q6uuF5k.jpg

Offline

#21 2015-03-09 11:05:49

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: ISO14443A Commands

@ holiman - In the near future plan to buy proxmark .. because I'm tired of painting bits and bytes)))

Offline

#22 2015-03-09 11:52:02

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: ISO14443A Commands

parse command RATS according to standard 14443-4
-> E050  (RATS)
kcPVQcx.jpg
Chip buffer is limited(64byte), and it is, continue to see that the length of the record cut

Offline

#23 2015-03-09 12:14:33

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: ISO14443A Commands

The figure illustrates how the string  "0123456789ABCDEF"  transferred from the card to the reader, if the reader is limited budffer 7 bytes. In fact, the first constraint = 16 bytes (See previous picture)
gcopIMB.jpg

Offline

#24 2015-03-09 12:21:06

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: ISO14443A Commands

@ iceman - in the source code to which you sent the link, as described command PCB and ACK )))

Offline

Board footer

Powered by FluxBB