Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-10-14 23:39:34

robot
Contributor
Registered: 2015-10-13
Posts: 13

cloning a cloner... tnp3

Firstly, hi to all! I have been interested in NFC/RFID for a while and finally got around to buying a PM3!

What reawakened my interest is looking at the tnp3 type toys and trying to understand how they worked. Looking through the source code (thanks iceman) it is starting to become clearer.

As part of this interest, I also purchased a m*xl*nder reader to see how they do things. It's a very interesting device and user friendly for backing up your toys (the dog has eaten one of my son's figures already).

I had a look at the blanks that they are using: the UID's first digits seem to be unique. (This is a blank card.)

proxmark3> hf 14a reader
UID : xx xx 90 55
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES

With:
proxmark3> hf mf chk *1 ? t
the keys to all blocks seem to be [ffffffffffff], except for sector 15, block 63 key B, which shows nothing.

If I try
hf mf nested o 3 B ffffffffffff 63 B
the Proxmark3 locks up (Error: No response from Proxmark) with the red lights on, and I have to unplug it. Is there something else that I should be doing?

I'm using a Proxmark3 RDV2 and I believe that I have the latest software, compiled a couple of days ago (although I don't see proof below).

pm3 ~$ ./client/proxmark3.exe COM2
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-10-11 23:03:47
os: /-suspect 2015-10-13 14:48:33
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54

uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 171073 bytes (33%). Free: 353215 bytes (67%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3>

I am also playing with a strange Chinese Gen1.5(?) card. It is perhaps a Gen2 card, but it likes some Gen1 commands and not all (hence iceman's scripts for tnp3 don't work with it)...


#2 2015-10-15 06:45:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: cloning a cloner... tnp3

You don't need to know the key for that sector since it's a magic tag.
Use the "hf mf cget*" command instead if you want to read it.


#3 2015-10-15 10:45:12

robot
Contributor
Registered: 2015-10-13
Posts: 13

Re: cloning a cloner... tnp3

Thank you for the pointer. Even easier than I thought, as I used the csave and cload functions.

The Chinese cards I was using seem to be Gen2 and give errors on programming, but seem to still work OK? Is it a Proxmark error with these cards, as they seem to be pretty new? The description matches this thread: http://www.proxmark.org/forum/viewtopic.php?id=2554

When using cload, it ends with this (but works OK):
#db# halt error. response len: 1
#db# Halt error
Can't set magic card block: 63


#4 2015-10-15 11:27:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: cloning a cloner... tnp3

If it is Generation 2, you don't have to use the "hf mf c*" commands. You can just write to block 0 as you wish.
However, I don't know if the Generation 2 tags allow r/w of sectors without a key (or don't verify the key).

You can think of it like this:
Gen 1:
  - use "hf mf c*" commands to change the UID, read/write all kinds of blocks and sectors without a key.

Gen 2:
  - use normal "hf mf" commands to be able to write block 0.

-- So Gen 1 is "better" at getting all data more easily.
-- Gen 2 is "better" for devices which can only use normal MIFARE commands, i.e. NFC...


However, if the output from "hf 14a reader" says "Answers to chinese magic backdoor commands: YES", then it is a Generation 1. Period.

If you have a Generation 2, you can test the normal write commands with a fake key and see if it writes the data nevertheless.

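The rule iceman gives above (a YES on the backdoor line means Gen 1; otherwise the reader output alone cannot settle it) as a small added parser over the `hf 14a reader` output quoted in the thread. This is example code, not part of the thread or of the Proxmark3 client; the first two UID bytes in the sample are made up, since the post masks them.

```python
import re

# Constructed sample, modelled on the `hf 14a reader` output quoted in the thread;
# the first two UID bytes are made up because the post masks them.
SAMPLE_READER_OUTPUT = """\
UID : 11 22 90 55
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
"""

FIELD_RE = re.compile(r"^\s*(UID|ATQA|SAK|TYPE)\s*:\s*(.+?)\s*$")


def parse_reader_output(text):
    """Extract UID/ATQA/SAK/TYPE and the magic-backdoor answer from `hf 14a reader` output."""
    fields = {"magic_backdoor": False}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
        elif "magic backdoor commands" in line.lower():
            fields["magic_backdoor"] = line.rsplit(":", 1)[-1].strip().upper() == "YES"
    return fields


def classify_tag(fields):
    """Apply the thread's rule: a YES on the backdoor check means a Gen 1 magic tag
    (UID changeable with the `hf mf c*` commands). Without that answer the reader
    output cannot prove Gen 2; iceman's advice is to try a normal `hf mf` write of
    block 0 with a wrong key and see whether the data sticks."""
    uid = bytes.fromhex(fields["UID"].replace(" ", ""))
    sak = int(fields["SAK"].split()[0], 16)  # "08 [2]" -> 0x08
    generation = "gen1" if fields["magic_backdoor"] else "unknown"
    return {
        "uid": uid.hex(),
        "uid_len": len(uid),
        "classic_1k": sak == 0x08,  # SAK 0x08 is what the TYPE line decodes as Classic 1k
        "generation": generation,
    }


if __name__ == "__main__":
    print(classify_tag(parse_reader_output(SAMPLE_READER_OUTPUT)))
```

A "gen1" result is also what an access-control administrator would look for when auditing issued cards, since a UID-changeable tag is one that can impersonate another.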
