Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2017-03-03 17:14:49

angelsl
Contributor
Registered: 2017-02-13
Posts: 16

Strange tag where UID != first 4 bytes of block 0

pm3 --> hf mf rdbl 0 a xxx
hf mf rdbl 0 a xxx
--block no:0, key type:A, key:xxx
#db# READ BLOCK FINISHED
isOk:01 data:04 0D 68 1A B5 22 81 88 44 00 C2 00 00 00 00 00
pm3 --> hf 14a reader
hf 14a reader
 UID : 8F 43 0F EF
ATQA : 00 44
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO

Anyone seen a tag like this?


#2 2017-03-04 12:06:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Strange tag where UID != first 4 bytes of block 0

which version of client?


#3 2017-03-05 16:31:10

angelsl
Contributor
Registered: 2017-02-13
Posts: 16

Re: Strange tag where UID != first 4 bytes of block 0

Proxmark3 RFID instrument
bootrom: master/v2.2.0-282-g3e50af4-suspect 2017-02-20 14:55:16
os: iceman/master/v1.1.0-1959-gc24364a-dirty-unclean 2017-03-02 00:41:07
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 215974 bytes (41%). Free: 308314 bytes (59%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
C:\...>git show
commit c24364a8a4932f51a9b9e255d2ed0c67b9e37c74
Author: iceman1001 <iceman@iuse.se>
Date:   Tue Feb 28 19:20:12 2017 +0100

    FIX: @marshmellow42 's ST detection fix.
    FIX: lfops.c and em4x05 command timings.

On your fork.

Anyway, my Android phone with a PN544 also shows the same UID and block 0, so..


#4 2017-03-05 17:51:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Strange tag where UID != first 4 bytes of block 0

Strange, would you mind posting the tracelog when you run the command?

hf mf rb 0 a xxxx
hf list 14a
hf 14a read 
hf list 14a


#5 2017-03-06 12:16:07

angelsl
Contributor
Registered: 2017-02-13
Posts: 16

Re: Strange tag where UID != first 4 bytes of block 0

pm3 --> hf mf rdbl 0 a xxx
hf mf rdbl 0 a xxx
--block no:0, key type:A, key:xxx
#db# READ BLOCK FINISHED
isOk:01 data:04 0D 68 1A B5 22 81 88 44 00 C2 00 00 00 00 00
pm3 --> hf list 14a
hf list 14a
Recorded Activity (TraceLen = 188 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr |52                                                               |     | WUPA
       2228 |       4596 | Tag |44  00                                                           |     |
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL
      10676 |      16564 | Tag |8f  43  0f  ef  2c                                               |     |
      19328 |      29856 | Rdr |93  70  8f  43  0f  ef  2c  b7  c1                               |  ok | SELECT_UID
      31028 |      34548 | Tag |08  b6  dd                                                       |     |
      36608 |      41312 | Rdr |60  00  f5  7b                                                   |  ok | AUTH-A(0)
      45620 |      50292 | Tag |06  df  1a  7e                                                   |     |
      59264 |      68640 | Rdr |e8  40! 49  71  ba! fd  24! 9f!                                  | !crc|
      69812 |      74548 | Tag |f3! 4d! bc  0b                                                   |     |
      80000 |      84768 | Rdr |e4! a9  ba! 21!                                                  | !crc|
      85940 |     106740 | Tag |f8! 7e! e4! 80! ee  39! 00! f1! 98! da! bc! d3! 4e! 57! 7a  23!  |     |
            |            |     |78  c1!                                                          | !crc|
     118272 |     123040 | Rdr |88! 35  b9! 6c!                                                  | !crc|
pm3 --> hf 14a read
hf 14a read
 UID : 8F 43 0F EF
ATQA : 00 44
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
pm3 --> hf list 14a
hf list 14a
Recorded Activity (TraceLen = 123 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr |52                                                               |     | WUPA
       2228 |       4596 | Tag |44  00                                                           |     |
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL
      10676 |      16564 | Tag |8f  43  0f  ef  2c                                               |     |
      19200 |      29728 | Rdr |93  70  8f  43  0f  ef  2c  b7  c1                               |  ok | SELECT_UID
      30900 |      34420 | Tag |08  b6  dd                                                       |     |
     498688 |     503456 | Rdr |e0  80  31  73                                                   |  ok | RATS
     504628 |     505268 | Tag |04                                                               |     |
     957440 |     958432 | Rdr |40                                                               |     | MAGIC WUPC1
     964480 |     969248 | Rdr |50  00  57  cd                                                   |  ok | HALT


#6 2017-03-06 14:38:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Strange tag where UID != first 4 bytes of block 0

Well, the UID is definitely 8F 43 0F EF, and the decrypted block 0 is what's printed.

I can't verify what and why your Android phone w PN544 shows the same UID and block 0.
Did you mean to say that pn544 shows same values as pm3?

You could have a Mifare Plus tag, which behaves differently.


#7 2017-03-06 20:12:01

angelsl
Contributor
Registered: 2017-02-13
Posts: 16

Re: Strange tag where UID != first 4 bytes of block 0

Yes, that's what I mean — my Android shows the same UID and same block 0 as PM3. So there's nothing wrong with PM3.

I figured so. Time to do more research I guess..

One thing though, I got the keys through hardnested. Would this be possible if it weren't a real Mifare Classic card and simply something providing a Mifare Classic interface?

Last edited by angelsl (2017-03-06 20:14:05)


#8 2017-03-06 20:36:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Strange tag where UID != first 4 bytes of block 0

Mifare plus in secure mode 1, (SL1) is using Mifare Classic interface.


#9 2017-03-06 20:42:56

angelsl
Contributor
Registered: 2017-02-13
Posts: 16

Re: Strange tag where UID != first 4 bytes of block 0

I mean, would hardnested work on Mifare Plus through the Classic interface?

Anyway I think this tag is a Classic EV1 1k MF1S500yX configured to do anticollision with a 4 byte UID generated from the 7 byte UID in block 0.

So, problem solved.


#10 2017-03-06 20:51:30

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Strange tag where UID != first 4 bytes of block 0

a mifare plus in SL1 would be vulnerable to the hardnested attack as iceman alluded to.


#11 2017-03-06 21:13:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Strange tag where UID != first 4 bytes of block 0

hm.. curious on if we have Mifare Classic EV1 detection.


#12 2017-03-07 00:50:49

angelsl
Contributor
Registered: 2017-02-13
Posts: 16

Re: Strange tag where UID != first 4 bytes of block 0

iceman wrote:

hm.. curious on if we have Mifare Classic EV1 detection.

I'll send in a PR.


#13 2017-03-07 08:52:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Strange tag where UID != first 4 bytes of block 0

Will be looking forward to it


#14 2017-03-10 10:17:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Strange tag where UID != first 4 bytes of block 0

Implemented a 7b UID -> 4b NUID... It matches your tag. ref: http://www.gorferay.com/mifare-and-handling-of-uids/

pm3 --> analyse nuid 040D681AB52281
UID  | 04 0D 68 1A B5 22 81
NUID | 8F 43 0F EF

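The 7-byte UID to 4-byte NUID mapping from post #14, as an added example that is not part of the thread or the Proxmark3 source. It assumes the CRC_A-based derivation (CRC over the first three UID bytes gives NUID bytes 0 and 1, the same CRC continued over the last four gives bytes 2 and 3); the function names are hypothetical, and the sample bytes are the block 0 and anticollision values posted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ISO/IEC 14443-3 CRC_A, byte-wise; start value 0x6363 for a fresh frame. */
uint16_t crc_a(uint16_t crc, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        uint8_t b = (uint8_t)(data[i] ^ (crc & 0xFF));
        b ^= (uint8_t)(b << 4);
        crc = (uint16_t)((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4));
    }
    return crc;
}

/* 7-byte UID -> 4-byte NUID, written to nuid[] in on-air order. */
void uid7_to_nuid4(const uint8_t uid[7], uint8_t nuid[4]) {
    uint16_t crc = crc_a(0x6363, uid, 3);            /* CRC over UID0..UID2 */
    nuid[0] = (uint8_t)(((crc >> 8) & 0xE0) | 0x0F); /* low nibble forced to F */
    nuid[1] = (uint8_t)(crc & 0xFF);
    crc = crc_a(crc, uid + 3, 4);                    /* continue over UID3..UID6 */
    nuid[2] = (uint8_t)(crc >> 8);
    nuid[3] = (uint8_t)(crc & 0xFF);
}

/* BCC byte that follows the 4 id bytes in the anticollision answer. */
uint8_t bcc(const uint8_t id[4]) {
    return (uint8_t)(id[0] ^ id[1] ^ id[2] ^ id[3]);
}

/* 1: id equals block 0 bytes 0..3 (4-byte UID card); 2: id is the NUID of
 * the 7-byte UID stored in block 0; 0: neither, worth a closer look. */
int classify_id(const uint8_t id[4], const uint8_t block0[16]) {
    uint8_t nuid[4];
    if (memcmp(id, block0, 4) == 0) return 1;
    uid7_to_nuid4(block0, nuid);
    return memcmp(id, nuid, 4) == 0 ? 2 : 0;
}

/* Values copied from the thread: block 0 from post #1, id + BCC from the trace. */
static const uint8_t BLOCK0[16] = {0x04, 0x0D, 0x68, 0x1A, 0xB5, 0x22, 0x81, 0x88,
                                   0x44, 0x00, 0xC2, 0x00, 0x00, 0x00, 0x00, 0x00};
static const uint8_t ANTICOLL[5] = {0x8F, 0x43, 0x0F, 0xEF, 0x2C};

int main(void) {
    printf("class=%d bcc_ok=%d\n", classify_id(ANTICOLL, BLOCK0),
           bcc(ANTICOLL) == ANTICOLL[4]);
    return 0;
}
```

A system that keys access decisions on the 4-byte anticollision id can use a check like `classify_id` to tell a derived NUID apart from an id that matches nothing in block 0.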

#15 2017-03-16 02:44:16

angelsl
Contributor
Registered: 2017-02-13
Posts: 16

Re: Strange tag where UID != first 4 bytes of block 0

Yeah, it's a 7 byte UID card. Wonder if there are any Chinese cards that can do this..

Anyway, still not sure of the best way to detect an EV1 card because SetModType needs sector 0 key A authentication. (And I don't have an EV1 card to test)


#16 2017-03-25 11:57:53

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: Strange tag where UID != first 4 bytes of block 0

We have the 7-byte UID magic cards ready on my website, but you have to hardnest the blocks inside and write them one by one.

Make sure you know what you are doing before attempting or else you will be wasting your money.


#17 2017-03-25 12:21:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Strange tag where UID != first 4 bytes of block 0

He has at least one key. So getting the keys wouldn't be too hard.
@dot.com has magic 7b uid...   Always worth testing things out.


#18 2017-03-28 06:15:16

angelsl
Contributor
Registered: 2017-02-13
Posts: 16

Re: Strange tag where UID != first 4 bytes of block 0

Those are really expensive if I'm not looking for DESfire functionality though.


#19 2017-03-28 07:39:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Strange tag where UID != first 4 bytes of block 0

If I'm not mistaken @dot.com also has ordinary magic 7b uid mifare classic. Not the new ones w desfire.
And if I remember correctly lab401.com also has a magic 7b uid.

But google and look at the shops. You may find something; if you're unsure about the tag, ask the reseller about it.
