Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-09-21 00:26:04

Dan
Contributor
Registered: 2018-09-14
Posts: 4

Help with this would be very much appreciated, struggling for days.

I`m very new in this, technically got my Proxmark a week ago so still learning, bear with me please and what you explain please try doing it like "for dummie" smile

Short story: got an xM1+ implant in my hand to work with the building`s door access, maybe later program it for a Samsung door lock. Details:
UID : 89 72 6d 02
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search


So, people  bricked their chips, made them unusable (and it`s a bitch to have an implant that you just can`t use and probably will take it out - just cause you were stupid), had a lot of problems, either created by themselves, accident or just lack of knowledge. Like me bricking my Proxmark first time I (tried to ) update the firmware but recovered after about half of hour of intense sweating..
I bought multiple Magic Chinese cards  (same as my implant) to test on until i know how to do everything from a-z. Learned the "basic" of a Mifare Classic, gathered info here and there, in the end managed to clone an identical card from the original keyfob to a Magic cip with dumping all data, having the same keys and also changing the UID to match, on another one even writing the whole block O big_smile

Now comes the "fun part". 1 original, 2 clones. Wanted to format/reset the clones to see what happens, how it affects the keys, data and UID. After searching i tried using remagic and formatmifare script, both with no luck:

proxmark3> script run remagic
script run remagic
--- Executing: remagic.lua, args ''
hf 14a raw -p -a -b 7 40
hf 14a raw: invalid argument "7 40" to option -b|-B|--bits=<int>
Try 'hf 14a raw --help' for more information.
hf 14a raw -p -a 43
received 0 bytes:
hf 14a raw -c -p -a A000
received 0 bytes:
hf 14a raw -c -p -a 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01
received 0 bytes:
-----Finished

-I have no ideea what this is.
And formatMifare.lua "seemed" successful but it`s the same data, same everything on the clone.
So i resorted to "hf mf cwipe w f" ...SUCCESS, everything was erased, another UID, no data and all keys to ffffffffffff .
Aaaaaand let`s crack and dump the original card all over again to make another exact clone....at the "restore" command i got this (I`ll write just a part of it - it`s the same for all blocks...)

#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block  63: b8 14 c4 c7 b8 14 7f 07 88 00 e7 31 68 53 e7 31


My second interesting "fear" was after few days of using the original keyfob after making the clone, i compared them and sector 3 block 1 and sector 14 blocks 1 and 2 were different. Do you think the reader can actually write data on the keyfob/clone/implant? They both still worked but small data was off.... that makes me think also I don`t want a system I don`t know to write things to my implant.

esave
eload  of the dumpdate.bin which is scripted after in .eml file doesn`t work either



Thank you all in advance for your time.


This is the info on the clone i want to dump... just in case:

proxmark3> hf se
hf se

UID : 2c 71 45 83
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK

Valid ISO14443A Tag Found - Quiting Search

proxmark3> hf mf nested 1 0 A FFFFFFFFFFFF
hf mf nested 1 0 A FFFFFFFFFFFF
--nested. sectors:16, block no:  0, key type:A, eml:n, dmp=n checktimeout=471 us

Testing known keys. Sector count=16
nested...


-----------------------------------------------
Nested statistic:
Iterations count: 0
Time in nested: 0.328 (inf sec per key)
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|


Next command I don`t understand at all but saw shows info for people that know it.
And the same with many lines lower...:

proxmark3> hf list 14a
hf list 14a
Recorded Activity (TraceLen = 1050 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transf
er
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)
                 | CRC | Annotation         |
------------|------------|-----|------------------------------------------------
-----------------|-----|--------------------|
          -----------------|-----|------------
          0 |        992 | Rdr | 52
                 |     | WUPA
       7040 |       8032 | Rdr | 52
                 |     | WUPA
      14080 |      15072 | Rdr | 52
                 |     | WUPA
      21120 |      22112 | Rdr | 52
                 |     | WUPA
      28160 |      29152 | Rdr | 52
                 |     | WUPA
      35200 |      36192 | Rdr | 52
                 |     | WUPA
      42240 |      43232 | Rdr | 52



PS: Found a solution. So after using “hf mf cwipe w f” and trying to dump the data from the original I get this (on all blocks):

Writing to block 63: b8 14 c4 c7 b8 14 7f 07 88 00 e7 31 68 53 e7 31

#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:100:

But then I used the app on my phone MIFARE Classic Tools (which I also updated with a nice version of keys from the Proxmark files) to Write Tag /Factory Format , it did`t change the UID from the cwipe, but now I can dump successfully another card on it. Still would love to know WTF I`m doing wrong with the Proxmark command and the script...would prefer that method then the app...

Last edited by Dan (2018-09-21 07:37:12)

Offline

#2 2018-09-21 15:25:38

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Help with this would be very much appreciated, struggling for days.

https://github.com/Proxmark/proxmark3/pull/680
remagic fixed

Offline

#3 2018-09-21 16:49:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Help with this would be very much appreciated, struggling for days.

which firmware version are you using?

hw status
hw version
hw 14a raw -h

Offline

#4 2018-10-01 19:09:28

Dan
Contributor
Registered: 2018-09-14
Posts: 4

Re: Help with this would be very much appreciated, struggling for days.

iceman wrote:

which firmware version are you using?

hw status
hw version
hw 14a raw -h

Hey, sorry for the late reply, been traveling and didn`t had time to take the new toy with me smile
Hope these help. So far managed to "factory reset" my cards and implant but with the Mifacere Classic Tool app, worked fast but wanna learn how to properly do that on the proxmark as well... smile

Cheers.


proxmark3> hw status
hw status
#db# Memory
#db#   BIGBUF_SIZE.............40000
#db#   Available memory........40000
#db# Tracing
#db#   tracing ................1
#db#   traceLen ...............0
#db# Currently loaded FPGA image:
#db#   fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
#db# LF Sampling config:
#db#   [q] divisor:           95
#db#   [b bps:               8
#db#   [d] decimation:        1
#db#   [a] averaging:         1
#db#   [t] trigger threshold: 0
#db# USB Speed:
#db#   Sending USB packets to client...
#db#   Time elapsed:      1500ms
#db#   Bytes transferred: 743936
#db#   USB Transfer Speed PM3 -> Client = 495957 Bytes/s
#db# Various
#db#   MF_DBGLEVEL........2
#db#   ToSendMax..........41342368
#db#   ToSendBit..........0



proxmark3> hw version
hw version
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-401-g53edb04-suspect 2018-09-10 23:37:53
os: master/v3.0.1-401-g53edb04-suspect 2018-09-10 23:37:57
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/ 9/ 3 at 21:36:22
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 192736 bytes (37%). Free: 331
552 bytes (63%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory



proxmark3> hw 14a raw -h
hw 14a raw -h
help             This help
detectreader     ['l'|'h'] -- Detect external reader field (option 'l' or 'h' to
limit to LF or HF)
fpgaoff          Set FPGA off
lcd              <HEX command> <count> -- Send command/data to LCD
lcdreset         Hardware reset LCD
readmem          [address] -- Read memory at decimal address from flash

reset            Reset the Proxmark3
setlfdivisor     <19 - 255> -- Drive LF antenna at 12Mhz/(divisor+1)
setmux           <loraw|hiraw|lopkd|hipkd> -- Set the ADC mux to a specific valu
e
tune             ['l'|'h'] -- Measure antenna tuning (option 'l' or 'h' to limit
to LF or HF)
version          Show version information about the connected Proxmark

status           Show runtime status information about the connected Proxmark

ping             Test if the pm3 is responsive

Offline

#5 2018-10-06 06:22:03

Dan
Contributor
Registered: 2018-09-14
Posts: 4

Re: Help with this would be very much appreciated, struggling for days.

Anyone any ideas, tried also the remagic listed but with no success...

Offline

#6 2018-10-06 10:03:41

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Help with this would be very much appreciated, struggling for days.

Dan wrote:

Anyone any ideas, tried also the remagic listed but with no success...

What do you mean with "no success"? Any error messages?

remagic doesn't clear the card contents. It only restores block 0. You must use hf mf cwipe f to remove any other previous contents.

Offline

Board footer

Powered by FluxBB