Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-02-19 03:28:24

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

[SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

Trying to examine SmarTrip card.  According to https://www.dunkman.me/blog/2017/hackin … cards.html this should be a MIFARE Plus card.  I can't get it to even read the UID with my ACR122 or the Proxmark.

On investigation, it looks like the ACR122 does not support MIFARE Plus, however, it looks like the Proxmark should.

Using official firmware software:

bootrom: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:27
os: master/v3.0.1-51-g53814fe-dirty-suspect 2018-02-07 20:05:05
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
...
proxmark3> hf search
          

no known/supported 13.56 MHz tags found
          
proxmark3> hf 14a reader
iso14443a card select failed  

Now with the (almost) latest Iceman fork:

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:27
      os: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:29
 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2017/11/10 at 1
...
pm3 --> hf search
          
#db# [!] error, uneven octet! (extra bits!) mask 02          
#db# [!] error, uneven octet! (extra bits!) mask 02          
#db# [!] error, uneven octet! (extra bits!) mask 02          
timeout while waiting for reply.          
 
no known/supported 13.56 MHz tags found
          
pm3 --> hf 14a reader
[!] iso14443a card select failed          

Any thoughts on how I could read this card?  It was used a couple days ago and is not damaged so it should be good.  I will try to go get another one tomorrow.

Thanks in advance.

Last edited by dontlook (2018-02-21 02:22:40)

Offline

#2 2018-02-19 04:15:09

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

Make sure the tag is about an inch off the antenna.

Offline

#3 2018-02-19 06:11:12

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

Thanks!

Tried again a bit with all different orientations, 1 inches, .5 inches, 2 inches even :[

Best I got is this run the bits changed:

pm3 --> hf search
          
#db# [!] error, uneven octet! (extra bits!) mask 02          
#db# [!] error, uneven octet! (extra bits!) mask 02          
#db# [!] error, uneven octet! (extra bits!) mask 02          
timeout while waiting for reply.          

no known/supported 13.56 MHz tags found

Offline

#4 2018-02-19 07:25:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

Looks like a 14b or 15 tag.
14b is a bit dodgy on iceman fork at the moment,  try offical pm3 for it.
15 is quite stable,  with good reading distance,  so try again, 

what is your output from these:

hw tune
hf 15 info u

Offline

#5 2018-02-19 15:20:17

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

hw tune and test for 15 tag.  I tried multiple orientations and heights(same result each time):

bootrom: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:27
os: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:29

[+] LF antenna: 26.81 V - 125.00 kHz          
[+] LF antenna: 24.20 V - 134.00 kHz          
[+] LF optimal: 28.60 V - 127.66 kHz          
[+] LF antenna is OK 
          
[+] HF antenna: 33.89 V - 13.56 MHz OK          
[+] HF antenna is OK          

[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
...
pm3 --> hf 15 info u
#db# [!] error, uneven octet! (extra bits!) mask 02          
iso15693 card doesn't answer to systeminfo command  

back to official pm3, multiple orientations and heights(same result each time):

bootrom: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:27
os: master/v3.0.1-51-g53814fe-dirty-suspect 2018-02-07 20:05:05
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
...
proxmark3> hf 14b info 
no 14443B tag found  

Going to try to grab another card today.

Offline

#6 2018-02-19 16:49:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

Not 14b then.    Could be iclass aswell but ISo15 based.


--iceman--

hf 15 info u
hf iclass reader

Offline

#7 2018-02-19 21:31:06

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

Soooo I made it out and got a new card

pm3 --> hf search
          
 UID : 04 24 68 02 C2 55 80           
ATQA : 00 44          
 SAK : 20 [1]          
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41          
MANUFACTURER : NXP Semiconductors Germany          
 ATS : 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 60 D3           
       -  TL : length is 12 bytes          
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)          
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]          
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)          
       - TC1 : NAD is NOT supported, CID is supported          
       -  HB : C1 05 2F 2F 01 BC D6 -> MIFARE Plus X 2K or 4K          
               c1 -> Mifare or (multiple) virtual cards of various type          
                  05 -> Length is 5 bytes          
                     2x -> MIFARE Plus          
                        2x -> Released          
                           x1 -> VCS, VCSL, and SVC supported          
Answers to magic commands: NO          

Valid ISO14443-A Tag Found - Quiting Search

So it is looking like the other card might be dead.  Thanks for all the help though.   We look at it more and see what else I can get off it.

Offline

#8 2018-02-19 21:31:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

Could also be uninitialized.

Offline

#9 2018-02-19 22:40:43

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

I'm intrigued.  Is there a way to initialize it with the Proxmark or some of the NFC tools for Linux?  I won't repeat anymore that I'm told about the card since I might be getting bits and pieces.

Surprised at the lack of response from the first card in general.

Offline

#10 2018-02-19 22:49:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

Present it to the metro reader.   you can sniff the traffic between card and the genuine reader with your pm3.
And afterwards, look at tracelog to see if the reader did something with the card. 
And after that, try reading it with your pm3.

Offline

#11 2018-02-20 17:03:15

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

I made the suggestion to the owner but had to leave the area as my trip was over.  Will likely head back sometime in the next year and try then.

In the meantime, I need to do some back reading and playing around to learn to use the sniff function without a computer and maybe disassemble my  Proxmark 3 rdv as right now I don't think I can get the card close enough to the reader with the card in between.


The working card I picked up does not seem to susceptible to the regular attacks and looks like it is not using any of the default keys, so this is probably going to have to wait until I can sniff the reader traffic.

Offline

#12 2018-02-21 01:45:48

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

Re: [SOLVED] SmarTrip metro card - MIFARE Plus ? Not even reading

Original card confirmed not working on the metro.  sad  Sorry guys and thank you for your help.

Offline

Board footer

Powered by FluxBB