Research, development and trades concerning the powerful Proxmark3 device.
In a GitHub issue there is an interesting new tag, which with snoops has gotten some understanding.
ref: https://github.com/Proxmark/proxmark3/issues/206
Grey keyfob, uid printed on it, company seems to be AZTEK.
I'm guessing French. Used for a vending machine.
It follows ISO14443a standard anticollision.
4byte uid.
It has its own command set.
It uses the standard ISO14443a CRC on cmds.
Read / write commands have been identified.
COMMANDSET
read:
10 NN 00 + 2bytes-CRC, where NN is blockno.
sample: 10 03 00 E9 0A
Write:
B0 NN 00 + 8bytes data + 2bytes-CRC where NN is blockno
Tag answers with the exact 8bytes data + 2bytes-CRC
sample: B0 03 00 11 22 33 44 55 66 77 88 03 21
--PM3 14a raw commands
--read block 3
hf 14a raw -s -c -p 10 03 00
-- write block 3
hf 14a raw -c -p B0 03 00 11 22 33 44 55 66 77 88
-- re-read block 3 to verify
hf 14a raw -c 10 03 00
data:
Block 0, contains UID
Unknown how much memory and other commands.
And for coffee lovers out there, this tag should be very easy to restore a previous transaction on.
Offline
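The frame layout described in the post above, as an added example that is not part of the original post or of the Proxmark3 code base: it computes the ISO14443a CRC (CRC_A), rebuilds the read and write frames, and reports which bytes the trailing CRC of a captured frame covers. The function names are this example's own.

```python
READ, WRITE = 0x10, 0xB0  # opcodes quoted in the post


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 Type A CRC (init 0x6363, reflected poly 0x8408),
    returned in transmission order: low byte first."""
    crc = 0x6363
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return bytes([crc & 0xFF, crc >> 8])


def read_frame(block: int) -> bytes:
    """10 NN 00 + CRC_A over those three bytes."""
    body = bytes([READ, block, 0x00])
    return body + crc_a(body)


def write_frame(block: int, data: bytes) -> bytes:
    """B0 NN 00 + 8 data bytes + CRC_A over the whole frame body."""
    if len(data) != 8:
        raise ValueError("a block holds exactly 8 bytes")
    body = bytes([WRITE, block, 0x00]) + data
    return body + crc_a(body)


def classify(frame: bytes) -> dict:
    """Parse a captured frame and report which bytes its trailing CRC covers."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, tail = frame[:-2], frame[-2:]
    op = {READ: "read", WRITE: "write"}.get(body[0], "unknown")
    expected_len = {"read": 3, "write": 11}.get(op)
    if crc_a(body) == tail:
        covers = "whole frame"
    elif op == "write" and crc_a(body[3:]) == tail:
        covers = "data bytes only"
    else:
        covers = "no match"
    return {"op": op, "block": body[1], "data": body[3:].hex().upper(),
            "length_ok": expected_len == len(body), "crc_covers": covers}


if __name__ == "__main__":
    # The two sample frames quoted in the post.
    for sample in ("10 03 00 E9 0A", "B0 03 00 11 22 33 44 55 66 77 88 03 21"):
        print(sample, "->", classify(bytes.fromhex(sample)))
```

Run on the two samples from the post, the read sample's CRC covers the whole frame, while the trailing `03 21` of the write sample matches CRC_A over the eight data bytes alone, which is the CRC the tag sends with its echoed answer.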
I've heard about it. There is/was a way to "lock" a specific sector, so debit command from vending machine would fail.
However, (at this time) it just was a classic MF tag with sectors 8 to 15 using custom KEYs.
And this stuff is really old. Last models I have seen were using MIFARE Plus and a few others worked with LEGIC tags.
Can we get a photo of the tag? They might have released a new version! :L)
Last edited by app_o1 (2017-01-27 12:53:56)
Offline
It seems to be a non-crypto iso14443a tag with just basic commands (read/write).
Offline
There is nothing different from what was produced 10 years ago.
Judging from the wear and tear, this fob is at least 2 or 3 years old.
How sure are we that it is not a MS50 anymore? Is the UID D17F9365?
Offline
It doesn't answer to mifare commands. UID is 65 93 7f d1.
Last edited by asper (2017-01-27 18:02:58)
Offline
As @Asper and @joker42 (github) write, it doesn't answer to Mifare commands. We are 100% sure of it.
UID is same byteorder on tag as on picture.
Offline
How does it answer to MFU commands?
Are we sure MFU commands are working "well" recently?
What is this Aztek reader fitted on? (the brand of the vending machine)
Can the fob be melted in acetone (or else) so we can have a look at the IC/antenna?
Offline
It is French and is used on the Luxeo Readers, which can read Mifare Classic, Mifare X, Mifare S, DesFire and HID.
http://www.aztek.lu/en/products/solution-all-in-one
Offline
"Solution of private payment (Aztek)", this should be our case. If not, this can also be an example of the "mysterious" calypso standard (claimed to be supported in the datasheets found on the previous link), but I don't think so.
Last edited by asper (2017-01-30 17:50:18)
Offline
I've added a simple Lua script which dumps an Aztek tag to icemanfork. Dumping both to screen and to uid.eml file.
It also tries to xor the block data with a xorkey I think is used. This only to screen.
pm3 --> sc r ufodump -h
--- Executing: ./scripts/ufodump.lua, args'-h'
This is a script that reads AZTEK iso14443a tags.
It starts from block 0, and ends at default block 20. Use 'b' to say different endblock.
xor: the first three block (0,1,2) is not XORED. The rest seems to be xored.
Arguments:
h this helptext
b endblock in decimal (1-255, default 20)
Example usage
script run ufodump
script run ufodump -b 10
Offline
By suggestion from @asper, I also tried to write to block0, it failed.
Offline
Hi,
So for me the dump is :
blk | data | xored
----+------------------+-------------------
00 | 08000000656BCAD1 | 08000000656BCAD1 |
01 | 0000000000000000 | 0000000000000000 |
02 | 10414D28000B010B | 10414D28000B010B |
03 | 55AA55AA55AA55AA | 0000000000000000 |
04 | 55AA55AA55AA55AA | 0000000000000000 |
05 | 55AA55AA55AA55AA | 0000000000000000 |
06 | 55AA55AA55AA55AA | 0000000000000000 |
07 | 55AA55AA55AA55AA | 0000000000000000 |
08 | 55AA55AA55AA55AA | 0000000000000000 |
09 | 55AA55AA55AA55AA | 0000000000000000 |
10 | 55AA55AA55AA55AA | 0000000000000000 |
11 | AD1D95D1EFBD6D5A | F8B7C07BBA1738F0 |
12 | 1AB785DAEFBAF046 | 4F1DD070BA10A5EC |
13 | 08C2E512B961708C | 5D68B0B8ECCB2526 |
14 | B350ACC34EB223F0 | E6FAF9691B18765A |
15 | 55AA55AA55AA55AA | 0000000000000000 |
16 | C0B912BE2447F994 | 9513471471EDAC3E |
17 | B1CC296CC0F3C469 | E4667CC6955991C3 |
18 | 01DC9AD76FDF6733 | 5476CF7D3A753299 |
19 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
20 | F20C7DD23CB28EA5 | A7A628786918DB0F |
----+------------------+-------------------
And here is the diff with @iceman :
1c1
< 08000000656BCAD1
---
> 0800000065937FD1
3c3
< 10414D28000B010B
---
> 1041BA8C00060509
12,15c12,15
< AD1D95D1EFBD6D5A
< 1AB785DAEFBAF046
< 08C2E512B961708C
< B350ACC34EB223F0
---
> 045D56752F4CB77E
> 3D084508E78E6FF2
> 46C714C7BF693B35
> 2BC96267E224D5DB
17,21c17,21
< C0B912BE2447F994
< B1CC296CC0F3C469
< 01DC9AD76FDF6733
< 33BE1F217BA665CA
< F20C7DD23CB28EA5
---
> 4DC37827785E06D5
> D90C66554984B559
> 7A1B9349045DCD4E
> 464AFB36F4BA8748
> 246DDDBEDD75AA16
Weird that there is so much diff though.
Offline
How about looking at the xor diff?
Looking at the read command, max blockno is 255 but when I look at a dump around block70 the pattern kind of stops and becomes "55aa..." rows.
Offline
Here is the dump : http://pastebin.com/hR8iWEiz
Last edited by Bebeoix (2017-01-30 21:40:58)
Offline
@bebeoix, I think I got your tag you posted about 6 months ago....
Offline
@iceman, it's the same person, I was out of the nfc scene for a while, I forgot I was still logged on this old account in that browser.
Last edited by Bebeoix (2017-01-30 21:46:28)
Offline
That's an old browser session you have... so joke42/bebeoix, now that you can dump a tag,
do a transaction and dump again, then diff ... easy. Let's hope we learn something. I still want to test my xored idea.
Offline
Will do.
I understood the thing with the xorkey.
Last edited by Bebeoix (2017-01-30 21:57:58)
Offline
Very very strange discovery today, this little challenge keeps up with the fun...
Before any change (1.15):
blk | data | xored
----+------------------+-------------------
00 | 08000000656BCAD1 | 08000000656BCAD1 |
01 | 0000000000000000 | 0000000000000000 |
02 | 10414D28000B010B | 10414D28000B010B |
03 | 55AA55AA55AA55AA | 0000000000000000 |
04 | 55AA55AA55AA55AA | 0000000000000000 |
05 | 55AA55AA55AA55AA | 0000000000000000 |
06 | 55AA55AA55AA55AA | 0000000000000000 |
07 | 55AA55AA55AA55AA | 0000000000000000 |
08 | 55AA55AA55AA55AA | 0000000000000000 |
09 | 55AA55AA55AA55AA | 0000000000000000 |
10 | 55AA55AA55AA55AA | 0000000000000000 |
11 | AD1D95D1EFBD6D5A | F8B7C07BBA1738F0 |
12 | 1AB785DAEFBAF046 | 4F1DD070BA10A5EC |
13 | 08C2E512B961708C | 5D68B0B8ECCB2526 |
14 | B350ACC34EB223F0 | E6FAF9691B18765A |
15 | 55AA55AA55AA55AA | 0000000000000000 |
16 | C0B912BE2447F994 | 9513471471EDAC3E |
17 | B1CC296CC0F3C469 | E4667CC6955991C3 |
18 | 01DC9AD76FDF6733 | 5476CF7D3A753299 |
19 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
20 | F20C7DD23CB28EA5 | A7A628786918DB0F |
21 | 98A48785F0EFC62C | CD0ED22FA5459386 |
22 | DA49EEB84A73A8E4 | 8FE3BB121FD9FD4E |
23 | 2CA6C073A6458488 | 790C95D9F3EFD122 |
24 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
25 | 6FAFEC2086C7E7CB | 3A05B98AD36DB261 |
26 | A2EB301BCED473F1 | F74165B19B7E265B |
27 | DA49EEB84A73A8E4 | 8FE3BB121FD9FD4E |
28 | C4C834332FEDAAA8 | 916261997A47FF02 |
29 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
30 | 6461133074C877AB | 31CB469A21622201 |
31 | 7545F9FB03C0C835 | 20EFAC51566A9D9F |
32 | 25AB645D5CDC2BC2 | 700131F709767E68 |
33 | 99BC7D1146FABB1A | CC1628BB1350EEB0 |
34 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
35 | 58D729068A33BA7F | 0D7D7CACDF99EFD5 |
36 | 6400E6DF9A99FE16 | 31AAB375CF33ABBC |
37 | 55AA55AA55AA55AA | 0000000000000000 |
38 | 55AA55AA55AA55AA | 0000000000000000 |
39 | 55AA55AA55AA55AA | 0000000000000000 |
40 | 55AA55AA55AA55AA | 0000000000000000 |
41 | 79FD84D11C541D2A | 2C57D17B49FE4880 |
42 | 55AA55AA55AA55AA | 0000000000000000 |
43 | 55AA55AA55AA55AA | 0000000000000000 |
44 | 55AA55AA55AA55AA | 0000000000000000 |
45 | 55AA55AA55AA55AA | 0000000000000000 |
46 | EFC6DFCB92F0C74C | BA6C8A61C75A92E6 |
47 | 55AA55AA55AA55AA | 0000000000000000 |
48 | 55AA55AA55AA55AA | 0000000000000000 |
49 | 55AA55AA55AA55AA | 0000000000000000 |
50 | 55AA55AA55AA55AA | 0000000000000000 |
51 | FD9F2B9C90F72DF1 | A8357E36C55D785B |
52 | 55AA55AA55AA55AA | 0000000000000000 |
53 | 55AA55AA55AA55AA | 0000000000000000 |
54 | 55AA55AA55AA55AA | 0000000000000000 |
55 | 55AA55AA55AA55AA | 0000000000000000 |
56 | 6400E6DF9A99FE16 | 31AAB375CF33ABBC |
57 | 55AA55AA55AA55AA | 0000000000000000 |
58 | 55AA55AA55AA55AA | 0000000000000000 |
59 | 55AA55AA55AA55AA | 0000000000000000 |
60 | 55AA55AA55AA55AA | 0000000000000000 |
61 | 79FD84D11C541D2A | 2C57D17B49FE4880 |
62 | 55AA55AA55AA55AA | 0000000000000000 |
63 | 55AA55AA55AA55AA | 0000000000000000 |
64 | 55AA55AA55AA55AA | 0000000000000000 |
65 | 55AA55AA55AA55AA | 0000000000000000 |
66 | EFC6DFCB92F0C74C | BA6C8A61C75A92E6 |
67 | 55AA55AA55AA55AA | 0000000000000000 |
68 | 55AA55AA55AA55AA | 0000000000000000 |
69 | 55AA55AA55AA55AA | 0000000000000000 |
70 | 55AA55AA55AA55AA | 0000000000000000 |
71 | FD9F2B9C90F72DF1 | A8357E36C55D785B |
72 | 55AA55AA55AA55AA | 0000000000000000 |
73 | 55AA55AA55AA55AA | 0000000000000000 |
74 | 55AA55AA55AA55AA | 0000000000000000 |
75 | 55AA55AA55AA55AA | 0000000000000000 |
76 | 55AA55AA55AA55AA | 0000000000000000 |
77 | 55AA55AA55AA55AA | 0000000000000000 |
78 | 55AA55AA55AA55AA | 0000000000000000 |
79 | 55AA55AA55AA55AA | 0000000000000000 |
80 | 55AA55AA55AA55AA | 0000000000000000 |
----+------------------+-------------------
After a change (1.10):
blk | data | xored
----+------------------+-------------------
00 | 08000000656BCAD1 | 08000000656BCAD1 |
01 | 0000000000000000 | 0000000000000000 |
02 | 10414D28000B010B | 10414D28000B010B |
03 | 55AA55AA55AA55AA | 0000000000000000 |
04 | 55AA55AA55AA55AA | 0000000000000000 |
05 | 55AA55AA55AA55AA | 0000000000000000 |
06 | 55AA55AA55AA55AA | 0000000000000000 |
07 | 55AA55AA55AA55AA | 0000000000000000 |
08 | 55AA55AA55AA55AA | 0000000000000000 |
09 | 55AA55AA55AA55AA | 0000000000000000 |
10 | 55AA55AA55AA55AA | 0000000000000000 |
11 | AD1D95D1EFBD6D5A | F8B7C07BBA1738F0 |
12 | 1AB785DAEFBAF046 | 4F1DD070BA10A5EC |
13 | 08C2E512B961708C | 5D68B0B8ECCB2526 |
14 | B350ACC34EB223F0 | E6FAF9691B18765A |
15 | 55AA55AA55AA55AA | 0000000000000000 |
16 | EB50BC721F20DC4B | BEFAE9D84A8A89E1 |
17 | 4D59CB61E90DA8D2 | 18F39ECBBCA7FD78 |
18 | 80EA93BE7D7C885B | D540C61428D6DDF1 |
19 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
20 | 7AD6E94C7012FE59 | 2F7CBCE625B8ABF3 |
21 | 98A48785F0EFC62C | CD0ED22FA5459386 |
22 | DA49EEB84A73A8E4 | 8FE3BB121FD9FD4E |
23 | 2CA6C073A6458488 | 790C95D9F3EFD122 |
24 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
25 | 6FAFEC2086C7E7CB | 3A05B98AD36DB261 |
26 | A2EB301BCED473F1 | F74165B19B7E265B |
27 | DA49EEB84A73A8E4 | 8FE3BB121FD9FD4E |
28 | C4C834332FEDAAA8 | 916261997A47FF02 |
29 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
30 | 6461133074C877AB | 31CB469A21622201 |
31 | 7545F9FB03C0C835 | 20EFAC51566A9D9F |
32 | 25AB645D5CDC2BC2 | 700131F709767E68 |
33 | 99BC7D1146FABB1A | CC1628BB1350EEB0 |
34 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
35 | 58D729068A33BA7F | 0D7D7CACDF99EFD5 |
36 | 6400E6DF9A99FE16 | 31AAB375CF33ABBC |
37 | 55AA55AA55AA55AA | 0000000000000000 |
38 | 55AA55AA55AA55AA | 0000000000000000 |
39 | 55AA55AA55AA55AA | 0000000000000000 |
40 | 55AA55AA55AA55AA | 0000000000000000 |
41 | 79FD84D11C541D2A | 2C57D17B49FE4880 |
42 | 55AA55AA55AA55AA | 0000000000000000 |
43 | 55AA55AA55AA55AA | 0000000000000000 |
44 | 55AA55AA55AA55AA | 0000000000000000 |
45 | 55AA55AA55AA55AA | 0000000000000000 |
46 | EFC6DFCB92F0C74C | BA6C8A61C75A92E6 |
47 | 55AA55AA55AA55AA | 0000000000000000 |
48 | 55AA55AA55AA55AA | 0000000000000000 |
49 | 55AA55AA55AA55AA | 0000000000000000 |
50 | 55AA55AA55AA55AA | 0000000000000000 |
51 | FD9F2B9C90F72DF1 | A8357E36C55D785B |
52 | 55AA55AA55AA55AA | 0000000000000000 |
53 | 55AA55AA55AA55AA | 0000000000000000 |
54 | 55AA55AA55AA55AA | 0000000000000000 |
55 | 55AA55AA55AA55AA | 0000000000000000 |
56 | 6400E6DF9A99FE16 | 31AAB375CF33ABBC |
57 | 55AA55AA55AA55AA | 0000000000000000 |
58 | 55AA55AA55AA55AA | 0000000000000000 |
59 | 55AA55AA55AA55AA | 0000000000000000 |
60 | 55AA55AA55AA55AA | 0000000000000000 |
61 | 79FD84D11C541D2A | 2C57D17B49FE4880 |
62 | 55AA55AA55AA55AA | 0000000000000000 |
63 | 55AA55AA55AA55AA | 0000000000000000 |
64 | 55AA55AA55AA55AA | 0000000000000000 |
65 | 55AA55AA55AA55AA | 0000000000000000 |
66 | EFC6DFCB92F0C74C | BA6C8A61C75A92E6 |
67 | 55AA55AA55AA55AA | 0000000000000000 |
68 | 55AA55AA55AA55AA | 0000000000000000 |
69 | 55AA55AA55AA55AA | 0000000000000000 |
70 | 55AA55AA55AA55AA | 0000000000000000 |
71 | FD9F2B9C90F72DF1 | A8357E36C55D785B |
72 | 55AA55AA55AA55AA | 0000000000000000 |
73 | 55AA55AA55AA55AA | 0000000000000000 |
74 | 55AA55AA55AA55AA | 0000000000000000 |
75 | 55AA55AA55AA55AA | 0000000000000000 |
76 | 55AA55AA55AA55AA | 0000000000000000 |
77 | 55AA55AA55AA55AA | 0000000000000000 |
78 | 55AA55AA55AA55AA | 0000000000000000 |
79 | 55AA55AA55AA55AA | 0000000000000000 |
80 | 55AA55AA55AA55AA | 0000000000000000 |
----+------------------+-------------------
After another change (1.05):
blk | data | xored
----+------------------+-------------------
00 | 08000000656BCAD1 | 08000000656BCAD1 |
01 | 0000000000000000 | 0000000000000000 |
02 | 10414D28000B010B | 10414D28000B010B |
03 | 55AA55AA55AA55AA | 0000000000000000 |
04 | 55AA55AA55AA55AA | 0000000000000000 |
05 | 55AA55AA55AA55AA | 0000000000000000 |
06 | 55AA55AA55AA55AA | 0000000000000000 |
07 | 55AA55AA55AA55AA | 0000000000000000 |
08 | 55AA55AA55AA55AA | 0000000000000000 |
09 | 55AA55AA55AA55AA | 0000000000000000 |
10 | 55AA55AA55AA55AA | 0000000000000000 |
11 | AD1D95D1EFBD6D5A | F8B7C07BBA1738F0 |
12 | 1AB785DAEFBAF046 | 4F1DD070BA10A5EC |
13 | 08C2E512B961708C | 5D68B0B8ECCB2526 |
14 | B350ACC34EB223F0 | E6FAF9691B18765A |
15 | 55AA55AA55AA55AA | 0000000000000000 |
16 | EB50BC721F20DC4B | BEFAE9D84A8A89E1 |
17 | 4D59CB61E90DA8D2 | 18F39ECBBCA7FD78 |
18 | 80EA93BE7D7C885B | D540C61428D6DDF1 |
19 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
20 | 7AD6E94C7012FE59 | 2F7CBCE625B8ABF3 |
21 | 2F166903396F1096 | 7ABC3CA96CC5453C |
22 | 4D59CB61E90DA8D2 | 18F39ECBBCA7FD78 |
23 | 69971D19B7BA0358 | 3C3D48B3E21056F2 |
24 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
25 | 810B4BBD4FA6AAA7 | D4A11E171A0CFF0D |
26 | A2EB301BCED473F1 | F74165B19B7E265B |
27 | DA49EEB84A73A8E4 | 8FE3BB121FD9FD4E |
28 | C4C834332FEDAAA8 | 916261997A47FF02 |
29 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
30 | 6461133074C877AB | 31CB469A21622201 |
31 | 7545F9FB03C0C835 | 20EFAC51566A9D9F |
32 | 25AB645D5CDC2BC2 | 700131F709767E68 |
33 | 99BC7D1146FABB1A | CC1628BB1350EEB0 |
34 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
35 | 58D729068A33BA7F | 0D7D7CACDF99EFD5 |
36 | 6400E6DF9A99FE16 | 31AAB375CF33ABBC |
37 | 55AA55AA55AA55AA | 0000000000000000 |
38 | 55AA55AA55AA55AA | 0000000000000000 |
39 | 55AA55AA55AA55AA | 0000000000000000 |
40 | 55AA55AA55AA55AA | 0000000000000000 |
41 | 79FD84D11C541D2A | 2C57D17B49FE4880 |
42 | 55AA55AA55AA55AA | 0000000000000000 |
43 | 55AA55AA55AA55AA | 0000000000000000 |
44 | 55AA55AA55AA55AA | 0000000000000000 |
45 | 55AA55AA55AA55AA | 0000000000000000 |
46 | EFC6DFCB92F0C74C | BA6C8A61C75A92E6 |
47 | 55AA55AA55AA55AA | 0000000000000000 |
48 | 55AA55AA55AA55AA | 0000000000000000 |
49 | 55AA55AA55AA55AA | 0000000000000000 |
50 | 55AA55AA55AA55AA | 0000000000000000 |
51 | FD9F2B9C90F72DF1 | A8357E36C55D785B |
52 | 55AA55AA55AA55AA | 0000000000000000 |
53 | 55AA55AA55AA55AA | 0000000000000000 |
54 | 55AA55AA55AA55AA | 0000000000000000 |
55 | 55AA55AA55AA55AA | 0000000000000000 |
56 | 6400E6DF9A99FE16 | 31AAB375CF33ABBC |
57 | 55AA55AA55AA55AA | 0000000000000000 |
58 | 55AA55AA55AA55AA | 0000000000000000 |
59 | 55AA55AA55AA55AA | 0000000000000000 |
60 | 55AA55AA55AA55AA | 0000000000000000 |
61 | 79FD84D11C541D2A | 2C57D17B49FE4880 |
62 | 55AA55AA55AA55AA | 0000000000000000 |
63 | 55AA55AA55AA55AA | 0000000000000000 |
64 | 55AA55AA55AA55AA | 0000000000000000 |
65 | 55AA55AA55AA55AA | 0000000000000000 |
66 | EFC6DFCB92F0C74C | BA6C8A61C75A92E6 |
67 | 55AA55AA55AA55AA | 0000000000000000 |
68 | 55AA55AA55AA55AA | 0000000000000000 |
69 | 55AA55AA55AA55AA | 0000000000000000 |
70 | 55AA55AA55AA55AA | 0000000000000000 |
71 | FD9F2B9C90F72DF1 | A8357E36C55D785B |
72 | 55AA55AA55AA55AA | 0000000000000000 |
73 | 55AA55AA55AA55AA | 0000000000000000 |
74 | 55AA55AA55AA55AA | 0000000000000000 |
75 | 55AA55AA55AA55AA | 0000000000000000 |
76 | 55AA55AA55AA55AA | 0000000000000000 |
77 | 55AA55AA55AA55AA | 0000000000000000 |
78 | 55AA55AA55AA55AA | 0000000000000000 |
79 | 55AA55AA55AA55AA | 0000000000000000 |
80 | 55AA55AA55AA55AA | 0000000000000000 |
----+------------------+-------------------
Now do the diff between 115 and 110, then between 110 and 105, then 115 and 105. I never saw so much different data at different addresses being changed for one transaction regarding a 1 or 2 digit change.
Diff 1:
diff 1.15 1.10
19,21c19,21
< 16 | C0B912BE2447F994 | 9513471471EDAC3E |
< 17 | B1CC296CC0F3C469 | E4667CC6955991C3 |
< 18 | 01DC9AD76FDF6733 | 5476CF7D3A753299 |
---
> 16 | EB50BC721F20DC4B | BEFAE9D84A8A89E1 |
> 17 | 4D59CB61E90DA8D2 | 18F39ECBBCA7FD78 |
> 18 | 80EA93BE7D7C885B | D540C61428D6DDF1 |
23c23
< 20 | F20C7DD23CB28EA5 | A7A628786918DB0F |
---
> 20 | 7AD6E94C7012FE59 | 2F7CBCE625B8ABF3 |
Diff 2:
diff 1.10 1.05
24,26c24,26
< 21 | 98A48785F0EFC62C | CD0ED22FA5459386 |
< 22 | DA49EEB84A73A8E4 | 8FE3BB121FD9FD4E |
< 23 | 2CA6C073A6458488 | 790C95D9F3EFD122 |
---
> 21 | 2F166903396F1096 | 7ABC3CA96CC5453C |
> 22 | 4D59CB61E90DA8D2 | 18F39ECBBCA7FD78 |
> 23 | 69971D19B7BA0358 | 3C3D48B3E21056F2 |
28c28
< 25 | 6FAFEC2086C7E7CB | 3A05B98AD36DB261 |
---
> 25 | 810B4BBD4FA6AAA7 | D4A11E171A0CFF0D |
Offline
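The dump comparison done by hand in the post above, as an added example that is not part of the thread or of ufodump.lua: it parses `blk | data | xored` rows, re-checks the xored column against the 55AA55AA55AA55AA mask (blocks 0 to 2 left as-is, per the script's help text), lists the blocks that changed between two snapshots, and computes the XOR of old and new contents. The rows are copied from the 1.15 and 1.10 dumps; the function names are this example's own.

```python
import re

XOR_KEY = bytes.fromhex("55AA55AA55AA55AA")  # blank-block pattern in the dumps
PLAIN_BLOCKS = {0, 1, 2}                     # help text: blocks 0-2 are not XORed
ROW = re.compile(r"^\s*(\d+)\s*\|\s*([0-9A-Fa-f]{16})\s*\|\s*([0-9A-Fa-f]{16})\s*\|?\s*$")

# Rows copied from the thread's "1.15" and "1.10" dumps (blocks 2 and 14-20).
SNAP_115 = """
blk | data | xored
02 | 10414D28000B010B | 10414D28000B010B |
14 | B350ACC34EB223F0 | E6FAF9691B18765A |
15 | 55AA55AA55AA55AA | 0000000000000000 |
16 | C0B912BE2447F994 | 9513471471EDAC3E |
17 | B1CC296CC0F3C469 | E4667CC6955991C3 |
18 | 01DC9AD76FDF6733 | 5476CF7D3A753299 |
19 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
20 | F20C7DD23CB28EA5 | A7A628786918DB0F |
"""
SNAP_110 = """
blk | data | xored
02 | 10414D28000B010B | 10414D28000B010B |
14 | B350ACC34EB223F0 | E6FAF9691B18765A |
15 | 55AA55AA55AA55AA | 0000000000000000 |
16 | EB50BC721F20DC4B | BEFAE9D84A8A89E1 |
17 | 4D59CB61E90DA8D2 | 18F39ECBBCA7FD78 |
18 | 80EA93BE7D7C885B | D540C61428D6DDF1 |
19 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
20 | 7AD6E94C7012FE59 | 2F7CBCE625B8ABF3 |
"""

def parse_dump(text):
    """Return {block: (data, xored_column)}; header and ruler lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[int(m.group(1))] = (bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3)))
    return rows

def xor_block(block, data):
    """Apply the fixed mask, leaving blocks 0-2 untouched."""
    if block in PLAIN_BLOCKS:
        return data
    return bytes(d ^ k for d, k in zip(data, XOR_KEY))

def xored_column_errors(dump):
    """Blocks whose 'xored' column does not match data XOR mask."""
    return [b for b, (data, col) in sorted(dump.items()) if xor_block(b, data) != col]

def changed_blocks(old, new):
    return [b for b in sorted(old.keys() & new.keys()) if old[b][0] != new[b][0]]

def block_ranges(blocks):
    """Collapse a sorted block list into inclusive (first, last) ranges."""
    ranges = []
    for b in blocks:
        if ranges and b == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], b)
        else:
            ranges.append((b, b))
    return ranges

def xor_delta(old, new, block, column=0):
    """old XOR new for one block; a fixed mask cancels, so both columns agree."""
    return bytes(x ^ y for x, y in zip(old[block][column], new[block][column]))

if __name__ == "__main__":
    a, b = parse_dump(SNAP_115), parse_dump(SNAP_110)
    print("changed:", block_ranges(changed_blocks(a, b)))
    for blk in changed_blocks(a, b):
        print(f"{blk:02d} delta {xor_delta(a, b, blk).hex().upper()}")
```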
The data could also be encrypted, not just xored.
Offline
True. They could have used mifare instead of reimplementing a whole protocol with xor and encryption over 14a... Maybe they had time...
About the fact that it is not the same blocks that are modded, maybe it's a separate range of blocks for every digit.
Offline
Reader is probably this one (Modulo+, not Modulo): http://www.aztek.lu/en/products/modulo
Software can be found here: http://www.lmcontrol.com/systemes-paiem … odulo.html
Here you can find useful pdf about how to use software: http://www.lmcontrol.com/images/stories/produits/pdf/
Encryption can be managed by reader firmware but maybe can be decoded by the software; if not, we are out of luck.
Last edited by asper (2017-02-01 14:43:36)
Offline
Sounds nice! Got almost the same device, same brand!
I've found the missing B key and started to dump as you've made this key with different balance amount... for now, not able to find any logic in the encryption.
Have you found anything new?
Offline
For the tag in this thread, there are no key A or Key B. It is not a Mifare Classic tag.
So, this raises the question: what kind of tag does @neverlies have? Would you mind posting your traces, dumpdata etc?
Offline
OK, so mine is identified as a mifare classic tag and got "standard" key A + custom Key B for sectors 8 to 14 included (same key for all these sectors).
This one is also used in a Luxeo/Aztek machine
Tag is like this one:
I don't have access to my dumps right now, will share some diff as soon as I can.
Diff from a dump with 0.45 vs 0.95:
0000240: e7f5 ce7c 1b6b b1a3 37b1 7e13 4199 9a4f ...|.k..7.~.A..O | 0000240: 3b2f e097 98ae c19a 17e3 cecc 6bf7 9dc0 ;/..........k...
0000250: 7daf 37b0 5b95 ecc1 7c71 2ba8 5679 10d3 }.7.[...|q+.Vy.. | 0000250: d6a6 1d4a 2e9b 94f7 7c71 2ba8 5679 10d3 ...J....|q+.Vy..
..
0000280: af66 0fa4 1b19 f22b 70cf 8b46 8dc7 144d .f.....+p..F...M | 0000280: af66 0fa4 1b19 f22b 8ed0 d5c5 f07e c8f6 .f.....+.....~..
Diff from a dump with 0.45 vs 0.37:
0000240: e7f5 ce7c 1b6b b1a3 37b1 7e13 4199 9a4f ...|.k..7.~.A..O | 0000240: 7a71 189b 41c3 f52f 7e90 4731 0be3 38ad zq..A../~.G1..8.
0000250: 7daf 37b0 5b95 ecc1 7c71 2ba8 5679 10d3 }.7.[...|q+.Vy.. | 0000250: de19 7306 aef3 661b 7c71 2ba8 5679 10d3 ..s...f.|q+.Vy..
0000260: 0327 25fc cd1b cd05 285c e15e fe9f f9e0 .'%.....(\.^.... | 0000260: 0327 25fc cd1b cd05 cb0c 76f9 95c2 ab24 .'%.......v....$
0000280: af66 0fa4 1b19 f22b 70cf 8b46 8dc7 144d .f.....+p..F...M | 0000280: af66 0fa4 1b19 f22b e4bd afa6 20ad 5fa2 .f.....+.... ._.
0000290: a62e 23fb a9b0 fa56 37b1 7e13 4199 9a4f ..#....V7.~.A..O | 0000290: 83a1 5635 0fdd 5dcc 7e90 4731 0be3 38ad ..V5..].~.G1..8.
00002a0: d402 a8d1 6bc3 641d 7c71 2ba8 5679 10d3 ....k.d.|q+.Vy.. | 00002a0: c29a f5ee eb76 fb37 7c71 2ba8 5679 10d3 .....v.7|q+.Vy..
00002d0: af66 0fa4 1b19 f22b 81cf e5ae bae9 588e .f.....+......X. | 00002d0: af66 0fa4 1b19 f22b 4e83 6b39 f3cc 564b .f.....+N.k9..VK
Diff from a dump with 0.95 vs 0.37:
0000240: 3b2f e097 98ae c19a 17e3 cecc 6bf7 9dc0 ;/..........k... | 0000240: 7a71 189b 41c3 f52f 7e90 4731 0be3 38ad zq..A../~.G1..8.
0000250: d6a6 1d4a 2e9b 94f7 7c71 2ba8 5679 10d3 ...J....|q+.Vy.. | 0000250: de19 7306 aef3 661b 7c71 2ba8 5679 10d3 ..s...f.|q+.Vy..
0000260: 0327 25fc cd1b cd05 285c e15e fe9f f9e0 .'%.....(\.^.... | 0000260: 0327 25fc cd1b cd05 cb0c 76f9 95c2 ab24 .'%.......v....$
0000280: af66 0fa4 1b19 f22b 8ed0 d5c5 f07e c8f6 .f.....+.....~.. | 0000280: af66 0fa4 1b19 f22b e4bd afa6 20ad 5fa2 .f.....+.... ._.
0000290: a62e 23fb a9b0 fa56 37b1 7e13 4199 9a4f ..#....V7.~.A..O | 0000290: 83a1 5635 0fdd 5dcc 7e90 4731 0be3 38ad ..V5..].~.G1..8.
00002a0: d402 a8d1 6bc3 641d 7c71 2ba8 5679 10d3 ....k.d.|q+.Vy.. | 00002a0: c29a f5ee eb76 fb37 7c71 2ba8 5679 10d3 .....v.7|q+.Vy..
00002d0: af66 0fa4 1b19 f22b 81cf e5ae bae9 588e .f.....+......X. | 00002d0: af66 0fa4 1b19 f22b 4e83 6b39 f3cc 564b .f.....+N.k9..VK
Last edited by Neverlies (2017-05-30 20:21:56)
Offline
looks like a newer model. cool. What is the keyA/B?
The data looks encrypted.
Offline
Keys A are some default ones:
ffffffffffff
a0a1a2a3a4a5
Key B is:
415a54454b4d
at least for this device, not sure every device has the same key. Will have to get at least a couple of other fobs in order to check this. But as you can see, this Key B is not really random. And the suffix M is the same as the first character on the printed serial number on the fob.
Offline
Hello, does someone have some news? NXP shows my Aztek tag as Infineon Technologies AG my-d NFC (SLE66R16P)
Offline
Hello everyone,
I confirm these tags all have 415a54454b4d as the B key, on sectors 9 to 15 (assuming the first sector is sector 1, not 0).
The trailer keys are default keys (a0a1a2a3a4a5 and b0b1b2b3b4b5).
The tag is recognised as a mifare classic 1K on my side.
A question for Iceman: why have you used '55AA55AA55AA55AA6262' as a XOR key? Actually, I do not understand why 6262 at the end, which gives a 10 bytes key?
Dumps are really difficult to understand. Some kind of encrypted. Diffs after recharging or using the tag are not really logical ...
Offline