Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2017-09-27 09:11:23

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Anyone Know this new TAG

hi has any one see this before

tag

Last edited by Dan from OZ (2017-09-27 11:13:57)

Offline

#2 2017-09-28 05:11:18

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,073

Re: Anyone Know this new TAG

Stick it on a pm3 and 'lf search u' it and post the results.

Offline

#3 2017-09-28 17:07:58

atmel9077
Contributor
Registered: 2017-06-25
Posts: 23

Re: Anyone Know this new TAG

I have an alarm system, which uses a tag of exactly this shape (except that they are white). I know that the tag is 125khz.


Those who forget the past are doomed to repeat it.

Offline

#4 2017-09-29 10:52:29

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 47

Re: Anyone Know this new TAG

I copied one this shape for a customer a while back, Very thin. It was an EM Marin Tag.


Hardware: Elatec TWN4 dev kit / ACS ACR122U / IDTronic LF Reader / OmniKey 5321 / HT108 RW / Custom Read Write 125khz RW and a couple of other RW bits.

Offline

#5 2017-10-04 07:56:27

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

HI i done lf search U

this is what came up

#db# DownloadFPGA(len: 42096)                 
Reading 30000 bytes from device memory
Data fetched         
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag         
False Positives ARE possible
Checking for known tags:
EM410x pattern found:           
EM TAG ID      : 0004EA0351         
Unique TAG ID  : 002057C08A         
Possible de-scramble patterns         
HoneyWell IdentKey {         
DEZ 8          : 15336273         
DEZ 10         : 0082445137         
DEZ 5.5        : 01258.00849         
DEZ 3.5A       : 000.00849         
DEZ 3.5B       : 004.00849         
DEZ 3.5C       : 234.00849         
DEZ 14/IK2     : 00000082445137         
DEZ 15/IK3     : 000000542621834         
DEZ 20/ZK      : 00000200050712000810         
}
Other          : 00849_234_15336273         
Pattern Paxton : 16662865 [0xFE4151]         
Pattern 1      : 12321674 [0xBC038A]         
Pattern Sebury : 849 106 6947665  [0x351 0x6A 0x6A0351]         
Valid EM410x ID Found!

Offline

#6 2017-10-04 07:57:44

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

copied the card and it didn't work it opened my front door but not the entrance or elevator

Offline

#7 2017-10-04 07:58:48

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

then i did hf search u

and this came up

UID : 04 34 24 aa 8e 56 80           
ATQA : 03 44         
SAK : 20 [1]         
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41         
MANUFACTURER : NXP Semiconductors Germany         
ATS : 06 75 77 81 02 80 02 f0           
       -  TL : length is 6 bytes         
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)         
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]         
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)         
       - TC1 : NAD is NOT supported, CID is supported         
       -  HB : 80           
Answers to chinese magic backdoor commands: NO         
Valid ISO14443A Tag Found - Quiting Search

Offline

#8 2017-10-04 09:07:37

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 47

Re: Anyone Know this new TAG

So are you saying it;s a dual technology tag, EM Marin like the one I copied and Mifare?
the access control companies are getting wise. I'm seeing more and more of these tags come through the door.


Hardware: Elatec TWN4 dev kit / ACS ACR122U / IDTronic LF Reader / OmniKey 5321 / HT108 RW / Custom Read Write 125khz RW and a couple of other RW bits.

Offline

#9 2017-10-04 11:13:05

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

no sure as am new to this myself but is this card able to clone i tried to sniff it but it wont read between antenna and tag the tag has to touch the reader, no brand or marking on reader either any help would be appreciated,

Offline

#10 2017-10-04 11:38:08

iceman
Administrator
Registered: 2013-04-25
Posts: 3,964
Website

Re: Anyone Know this new TAG

You would need a dual card,   one with t55x7 for LF,   one with magic HF..  But since its desfire/jcop,  you would need to sniff some traffic to see whats going on.

I have only seen ONE dual card in existence with T55x7 and magic Mifare classic. 

Alternatively, two cards would be needed,   

But start with sniffing the HF part,    with a pm3 when you try the elevator..    Thats the starting point


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#11 2017-10-04 12:39:36

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

OK thanks iceman, but putting the card between the reader and the antenna it wont read the card has to touch the reader how do i go around that

Offline

#12 2017-10-04 12:42:00

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Anyone Know this new TAG

this card is dual and the mifare part is a "NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41" I thought this type "MIFARE DESFire" or "JCOP " can not be simulated or copy yet, even when you have had a good sniff trace

Last edited by ntk (2017-10-04 12:50:38)


modhex(ichbifhkhghuhehghkiehbihhkidifighgebecedfchihthbhkhrduhehvht)

Offline

#13 2017-10-04 12:47:17

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

I didn't know that, so this Tag can not be done yet at all

Offline

#14 2017-10-04 12:50:18

717
Contributor
Registered: 2015-10-21
Posts: 16

Re: Anyone Know this new TAG

Don't give up just yet.
Send us the lf search and hf search result from as much different tags as you can, that will be helpful.

717

Last edited by 717 (2017-10-04 12:53:44)

Offline

#15 2017-10-04 13:16:37

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

OK will do but have to ask neighbors to borrow different keys and the sniff or snoop command cause they changed the system in my building and they want $250 for one card

Offline

#16 2017-10-04 13:20:31

717
Contributor
Registered: 2015-10-21
Posts: 16

Re: Anyone Know this new TAG

Dan from OZ wrote:

OK will do but have to ask neighbors to borrow different keys and the sniff or snoop command cause they changed the system in my building and they want $250 for one card

That is quite over the top indeed... Is it made of gold?
Send us more tag info and we will help you

717

Last edited by 717 (2017-10-04 13:20:47)

Offline

#17 2017-10-04 13:53:15

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Anyone Know this new TAG

I was surprised too that nobody had point the fingers on the word Desfire EV, But as long as Iceman says Tries it  something someway might be / could be done


modhex(ichbifhkhghuhehghkiehbihhkidifighgebecedfchihthbhkhrduhehvht)

Offline

#18 2017-10-04 14:08:12

iceman
Administrator
Registered: 2013-04-25
Posts: 3,964
Website

Re: Anyone Know this new TAG

...hehe.. I did notice it,  but since we can't tell if system uses UID only or more data from HF part of card, I suggested to sniff the trafic.

Once we see the trace from the sniff, we know more on what is possible.  Until then its pure speculation.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#19 2017-10-04 14:10:59

iceman
Administrator
Registered: 2013-04-25
Posts: 3,964
Website

Re: Anyone Know this new TAG

@DanFromOz,    you could either put

READER -> PM3 -> CARD
READER -> CARD -> PM3

Both should work but as with all sniffing,  its a fiddle to find a good sniffing spot.   Trial and error is your friend.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#20 2017-10-04 14:23:29

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

i cant get my snoop to work when i do it nothing happened then i pressed the button on the pm3 and these results came out

Offline

#21 2017-10-04 14:24:50

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

proxmark3> #db# cancelled by button                 
proxmark3> #db# COMMAND FINISHED                 
proxmark3> #db# maxDataLen=5, Uart.state=0, Uart.len=0                 
proxmark3> #db# traceLen=14556, Uart.output[0]=000000e0                 
proxmark3> #db# Stand-alone mode! No PC necessary.                 
proxmark3> #db# Enabling iso14443a reader mode for [Bank: 0]...                 
proxmark3> #db# Read UID:                 
proxmark3> #db# 04 34 24 aa 8e 56 80 00                 
proxmark3> #db# 00 00                 
proxmark3> #db# Bank[0] received a 7-byte UID                 
proxmark3> #db# ATQA = 4403                 
proxmark3> #db# SAK = 20                 
proxmark3> #db# Playing                 
proxmark3> #db# Simulating ISO14443a tag with uid[0]: 00043424, uid[1]: aa8e5680 [Bank: 0]                 
proxmark3> #db# Unrecognized tag type -- defaulting to Mifare Classic emulation                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=7):                 
proxmark3> #db# 02 5a c0 1b f5 e7 c4                 
proxmark3> #db# Received unknown command (len=5):                 
proxmark3> #db# 03 aa 01 76 09                 
proxmark3> #db# Received unknown command (len=36):                 
proxmark3> #db# 02 af 34 2e 97 df 9d 49                 
proxmark3> #db# e5 f0 49 8e 79 a7 d0 bc                 
proxmark3> #db# 57 c7 13 9f 0a 3e 05 58                 
proxmark3> #db# c4 50 c6 7e 94 79 03 99                 
proxmark3> #db# a9 0e 1b 62                 
proxmark3> #db# Received unknown command (len=11):                 
proxmark3> #db# 03 bd 01 00 00 00 03 00                 
proxmark3> #db# 00 8d a4                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=7):                 
proxmark3> #db# 02 5a c0 1b f5 e7 c4                 
proxmark3> #db# Received unknown command (len=5):                 
proxmark3> #db# 03 aa 01 76 09                 
proxmark3> #db# Received unknown command (len=36):                 
proxmark3> #db# 02 af d8 c3 fb e2 b1 0b                 
proxmark3> #db# 8e 2b c8 13 68 ab 06 59                 
proxmark3> #db# c4 b3 f5 25 1e 84 40 d9                 
proxmark3> #db# f4 c3 7d 02 50 41 a3 79                 
proxmark3> #db# f9 b4 63 07                 
proxmark3> #db# Received unknown command (len=11):                 
proxmark3> #db# 03 bd 01 00 00 00 03 00                 
proxmark3> #db# 00 8d a4                 
proxmark3> #db# Received unknown command (len=2):                 
proxmark3> #db# 97 20                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=2):                 
proxmark3> #db# 97 20                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=7):                 
proxmark3> #db# 02 5a c0 1b f5 e7 c4                 
proxmark3> #db# Received unknown command (len=5):                 
proxmark3> #db# 03 aa 01 76 09                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 00                 
proxmark3> #db# Received unknown command (len=36):                 
proxmark3> #db# 02 af 56 ff 23 08 60 eb                 
proxmark3> #db# 96 ca 7d 13 9e ed e7 b1                 
proxmark3> #db# 06 31 13 7e e9 96 97 dd                 
proxmark3> #db# 59 e2 6c df 39 e3 d3 36                 
proxmark3> #db# 29 d0 97 d5                 
proxmark3> #db# Received unknown command (len=11):                 
proxmark3> #db# 03 bd 01 00 00 00 03 00                 
proxmark3> #db# 00 8d a4                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=1):                 
proxmark3> #db# 04                 
proxmark3> #db# Received unknown command (len=7):                 
proxmark3> #db# 02 5a c0 1b f5 e7 c4                 
proxmark3> #db# Received unknown command (len=5):                 
proxmark3> #db# 03 aa 01 76 09                 
proxmark3> #db# Received unknown command (len=2):                 
proxmark3> #db# 48 02                 
proxmark3> #db# Received unknown command (len=36):                 
proxmark3> #db# 02 af 6a ed 1a f5 25 a4                 
proxmark3> #db# d1 f0 25 65 6e 76 73 cd                 
proxmark3> #db# fe d2 8d f2 6b ac 40 0d                 
proxmark3> #db# 24 79 d8 cc 4f 6d 4f 81                 
proxmark3> #db# 89 07 0e e5                 
proxmark3> #db# Received unknown command (len=11):                 
proxmark3> #db# 03 bd 01 00 00 00 03 00                 
proxmark3> #db# 00 8d a4                 
proxmark3> #db# Button press                 
proxmark3> #db# 0 0 1a1                 
proxmark3> #db# Done playing. Switching to record mode on bank 1                 
proxmark3> #db# Enabling iso14443a reader mode for [Bank: 1]...                 
proxmark3> #db# Read UID:                 
proxmark3> #db# 04 34 24 aa 8e 56 80 00                 
proxmark3> #db# 00 00                 
proxmark3> #db# Bank[1] received a 7-byte UID                 
proxmark3> #db# ATQA = 4403                 
proxmark3> #db# SAK = 20                 
proxmark3> #db# Playing                 
proxmark3> #db# Simulating ISO14443a tag with uid[0]: 00043424, uid[1]: aa8e5680 [Bank: 1]                 
proxmark3> #db# Unrecognized tag type -- defaulting to Mifare Classic emulation

Offline

#22 2017-10-04 14:42:50

iceman
Administrator
Registered: 2013-04-25
Posts: 3,964
Website

Re: Anyone Know this new TAG

It seems like the button press, just enabled your standalone mode.  The sniff / snoop usually is quite until you issue a  hf list 14a ...

Did you use    hf mf sniff or hf 14a snoop  ?
You should be able to get some trace from hf list 14a

But from the simulation fail,  it seems your door uses APDU's and reads data from card.
If true,  your HF part can't be cloned as of today.

well,  you could test hf mfdes info from iceman fork,  to see if there is some desfire default keys. Highly doubtful though.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#23 2017-10-05 09:06:30

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

hf list 14a dosent work at all for me am using the pm3 bin 2.4.0 and i think it has your fork iceman

Offline

#24 2017-10-05 09:11:27

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

Last night our security company identified this email address as being used in an attempt to illegally duplicate the fobs in """%^%^t, Sydney.  An attempt was made to duplicate fob 849.  This fob has now been cancelled and the tenant of unit %% will need to personally attend reception to obtain another working fob with a copy of the lease and his/her ID.  Any further attempts to hack the fob system will result in a report directly to Police.  Unit %%% is now on the watch list and the agent will be notified.

Offline

#25 2017-10-05 09:19:10

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

I got this email this morning which i don't know how they got my email and was told by strata that they seen my post on this site as a warning to me little did they know i own the apartment.  my sniffing last night must have triggered something. "this is a message to the security company watching our post and spying. Your key will be cracked your new system will be useless maybe not to day maybe not tomorrow. and before threatening to call the police, copying your own key is not freaking illegal."

Offline

#26 2017-10-05 10:25:17

iceman
Administrator
Registered: 2013-04-25
Posts: 3,964
Website

Re: Anyone Know this new TAG

...not the first time HID / lock related ppl is on this forum warning ppl. We have law enforment,  company ppl, researchers, black hats, all of which is here to keep track of security status of different products. Whenever they find something they warn or threathen the user. 

I've said it before and say it again,  don't be naive on this forum.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#27 2017-10-05 11:09:38

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: Anyone Know this new TAG

thanks but they can do what you they like i own the key and the place so not going to back down but now very interested where can i go from here to clone this card, and what study and research needed

Offline

Board footer

Powered by FluxBB