Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

#1 2017-08-31 00:15:27

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

[solved] Unknown Yellow LF rewritable Tag

Hi,
today I have a tag that looks like USB Flash (without contacts). It has a small antenna, big as a bracelet.
We still know that the card is rewritable and is LF and has no inscription and number, just the printed "MARK" logo.
I can not find UIDs or data from Tag.

Photo
y4m_xmmF0jcsw1wQcgiWzo2dxSeBVAX-ricqKUsjsEAwZwTP97sGAoGPnDsocat3BsKs7vr7R8lT4iB5lUr3AQcBJDYclX8S7JJEBisOvr_LarMqw-779N3u13vMeWZW2Ox3FdR8Um7WVjpgNw-jwsGL7djLfyeKTuo65DYzL52dP_l2DfbSUGdC5omVTywZ0FeFeJ9RW9oR_S_T30yMBYRPA?width=640&height=480&cropmode=none

So far I have tried:

pm3 --> lf search u
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

Valid EM4x05/EM4x69 Chip Found
Try lf em 4x05... commands

Maybe it's t55x7. When I hit a lot of Enter, I sometimes saw it:

pm3 --> lf t55xx info
pm3 --> lf t55xx info
pm3 --> lf t55xx info
pm3 --> lf t55xx info

-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
 Safer key                 : 0
 reserved                  : 0
 Data bit rate             : 0 - RF/8
 eXtended mode             : No
 Modulation                : 0 - DIRECT (ASK/NRZ)
 PSK clock frequency       : 0
 AOR - Answer on Request   : No
 OTP - One Time Pad        : No
 Max block                 : 0
 Password mode             : No
 Sequence Start Terminator : No
 Fast Write                : No
 Inverse data              : No
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0
     Block 0  : 0x00000000  00000000000000000000000000000000
-------------------------------------------------------------
pm3 --> lf t55xx info
pm3 --> lf t55xx info

or 

pm3 --> lf search u
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:


Valid Indala ID Found!

pm3 --> lf search u
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:


Valid Indala ID Found!
pm3 --> lf em 4x05_read 0
Reading address 00
Read Address 00 | failed

pm3 --> lf em 4x05_info
no tag found
no tag found
 Chip Type:   0 Unknown
  Cap Type:   0 | no resonant capacitor
 Cust Code: 000 | Unknown
no tag found

What can I do to find out which chip is and could read it?

Proxmark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: iceman/master/v1.1.0-2207-gbd71e152 2017-08-28 10:21:02
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 216234 bytes (41%). Free: 308054 bytes (59%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

pm3 --> hw tune

Measuring antenna characteristics, please wait......
# LF antenna: 36.30 V @   125.00 kHz
# LF antenna: 23.93 V @   134.00 kHz
# LF optimal: 37.54 V @   126.32 kHz
# HF antenna: 18.54 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.


pm3 --> lf read
#db# LF Sampling config:
#db#   [q] divisor..............95 (125 KHz)
#db#   [b] bps..................8
#db#   [d] decimation...........1
#db#   [a] averaging............Yes
#db#   [t] trigger threshold....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 08 0d 14 1a 1f 25 2b 2e ...
Reading 39999 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1

Graph https://1drv.ms/i/s!AhQ8z_7i-A6egYtatZ_tdnAXML-EUw

Last edited by Tatka (2017-09-02 23:56:10)

Offline

#2 2017-08-31 05:34:29

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [solved] Unknown Yellow LF rewritable Tag

i cannot see your graph. the link is bad
post a trace file using `data save xxx.pm3`(or contents of one to pastebin) instead of graph images

as far as identifying the chip, your lf search output is a bit erratic.  i suggest you try the latest code from the main repo and not icemans build, and we can go from there.

Offline

#3 2017-08-31 07:17:00

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [solved] Unknown Yellow LF rewritable Tag

Don't forget the detect first,

lf t55xx detect 
lf t55xx info

And yeah, LF 4x05/4x50 detection is irractic on iceman fork at the moment not to mention PSK...,  try offical pm3 smile

Offline

#4 2017-08-31 11:25:18

meter
Contributor
Registered: 2015-07-13
Posts: 78

Re: [solved] Unknown Yellow LF rewritable Tag

I know that key, it should have a PCF7931 or PCF7935

Offline

#5 2017-08-31 14:26:25

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

Re: [solved] Unknown Yellow LF rewritable Tag

Yes @meter. Google has now revealed a lot of things. The logo is the same and the chip is PCF7931 (definitely). Thank you.
goole pic

Now just read and write data to Tag. I'll examine how to do it. smile Tonight I will be flashing the official firmware for my Proxmark3.

Offline

#6 2017-08-31 18:23:49

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

Re: [solved] Unknown Yellow LF rewritable Tag

I did a flash Proxmark. "Ave Ubuntu".

./client/proxmark3 /dev/ttyACM0 
Prox/RFID mark3 RFID instrument          
bootrom: /-suspect 2015-11-19 10:08:02
os: master/v3.0.1-75-g1dae981-suspect 2017-08-31 15:46:50
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13
          
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 198426 bytes (38%). Free: 325862 bytes (62%).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory

I confirm it is PCF7931 inside Tag.

proxmark3> lf search u
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          

No Known Tags Found!
          

Checking for Unknown tags:
          
Possible Auto Correlation of 1 repeating samples          

Using Clock:16, invert:0, Bits Found:259          
PSK1 demoded bitstream:          
0000000000000000
0000101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
101          
Possible unknown PSK1 Modulated Tag Found above!

Could also be PSK2 - try 'data rawdemod p2'          

Could also be PSK3 - [currently not supported]          

Could also be NRZ - try 'data rawdemod nr'

I happen to see mistakes. I think it's angry with the magnetic field. It's hard to find a good place on the antenna even if the tag is perpendicular to the antenna. I always see different lines, but numbers are always the same.

First try:

proxmark3> lf pcf7931 read
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01          
Waiting for a response from the proxmark...          
Don't forget to cancel its operation first by pressing on the button          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
command execution time out          
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) Max blocks: 1          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01          
#db# Error reading the tag          
#db# Here is the partial content          
#db# -----------------------------------------          
#db# Memory content:          
#db# -----------------------------------------          
#db# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# ----------------------------------------- ]

Second try:

proxmark3> lf pcf7931 read
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
Waiting for a response from the proxmark...          
Don't forget to cancel its operation first by pressing on the button          
command execution time out          
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# Error reading the tag          
#db# Here is the partial content          
#db# -----------------------------------------          
#db# Memory content:          
#db# -----------------------------------------          
#db# <missing block 0>          
#db# <missing block 1>          
#db# <missing block 2>          
#db# <missing block 3>          
#db# <missing block 4>          
#db# <missing block 5>          
#db# <missing block 6>          
#db# <missing block 7>          
#db# -----------------------------------------

The numbers inside are correct. I just do not know why they're repeating and why so much zero.

Here is a link to the pm3 file. Perhaps it will help. I do not know much about it yet. https://1drv.ms/u/s!AhQ8z_7i-A6egYtb-oxEYAROk1ycgw
The tag has about one block. How do I know there is a write-protected block? I'm getting no error while trying to write, but it did not do it. I did not find anything like that in the code. Is not it a shame?

proxmark3> lf pcf7931 write 1 1 dd
Writing block: 1          
          pos: 1          
         data: 0xDD          
#db# Initialization delay : 0 us          
#db# Offsets : -128 us on the low pulses width, -128 us on the low pulses positions          
#db# Password (LSB first on each byte) : ff ff ff ff ff ff ff          
#db# Block address : 01          
#db# Byte address : 01          
#db# Data : dd          
#db# SENDING DATA FRAME...          
#db# FINISH !          
#db# (Could be usefull to send the same trame many times)          
proxmark3> lf pcf7931 read
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
Waiting for a response from the proxmark...          
Don't forget to cancel its operation first by pressing on the button          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
command execution time out          
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# (dbg) Max blocks: 1          
#db# Error reading the tag          
#db# Here is the partial content          
#db# -----------------------------------------          
#db# Memory content:          
#db# -----------------------------------------          
#db# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          
#db# -----------------------------------------          
proxmark3>

Last edited by Tatka (2017-08-31 19:09:36)

Offline

#7 2017-08-31 21:39:40

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

Re: [solved] Unknown Yellow LF rewritable Tag

Tag I opened. What was inside of it? PCF7931AS smile @
Photo of chip
20170831_200344145_iOS.jpg?psid=1

Offline

#8 2017-09-01 00:48:26

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: [solved] Unknown Yellow LF rewritable Tag

Philips PCF7931 datasheet

Offline

#9 2017-09-01 14:07:57

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

Re: [solved] Unknown Yellow LF rewritable Tag

Thanks.
If I understand this, I can not verify that I am using a bad password or I have a weak magnetic field when writing.
It is so?

Offline

#10 2017-09-02 07:15:42

meter
Contributor
Registered: 2015-07-13
Posts: 78

Re: [solved] Unknown Yellow LF rewritable Tag

There is this thread http://proxmark.org/forum/viewtopic.php?id=1440 where you can find more informations on pcf7931 and PM3

Offline

#11 2017-09-13 20:57:57

Tatka
Contributor
From: Czech rep., EU
Registered: 2017-08-21
Posts: 21

Re: [solved] Unknown Yellow LF rewritable Tag

Thank you.

Last edited by Tatka (2017-09-13 21:00:18)

Offline

Pages: 1

Board footer

Powered by FluxBB