Research, development and trades concerning the powerful Proxmark3 device.
Hello everybody, I finally got my Proxmark RDV4 and want to start studying a PCF7931 (coffee machine).
I'm able to read it and this is the result:
proxmark3> lf pcf7931 read
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
command execution time out
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) Max blocks: 4
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00
#db# Error reading the tag
#db# Here is the partial content
#db# -----------------------------------------
#db# Memory content:
#db# -----------------------------------------
#db# 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# <missing block 2>
#db# <missing block 3>
#db# -----------------------------------------
Link to recorded data plot file in case it is useful
On the chip there are 2.22 euro, so 222, which is DE in hex, and I find many DE in different blocks.
As far as I understood, when byte number 8 of the first block is 01, it means the chip is password protected and not writable; however, I don't understand why the line that has 01 in the eighth byte is the 2nd, the 4th, the 6th and then others... It seems sectors are repeated. I know I should have 8 blocks, and as the 2nd and the 3rd are missing... I see that I can identify 6 different blocks in my output (with no clue about which one is the first, except for the fact that it has 7 bytes = 00 at the beginning).
Now... what could I do at this point? I know it should be possible to record the communication between chip and reader using the Proxmark, is that correct? Can someone give me a link where I can study the procedure better? Or another hint about how to proceed?
Thank you in advance
In case it helps:
I recorded other data with a different amount of money on the key; this was with 2.98 euro (012a in hex)
proxmark3> lf pcf7931 read
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
command execution time out
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) Max blocks: 4
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00
#db# Error reading the tag
#db# Here is the partial content
#db# -----------------------------------------
#db# Memory content:
#db# -----------------------------------------
#db# 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# <missing block 2>
#db# <missing block 3>
#db# -----------------------------------------
Last edited by zavidos (2019-10-02 08:53:10)
I would say that the PCF7931 implementation could need some love to become better at presenting the data
I would say that the PCF7931 implementation could need some love to become better at presenting the data
ahah I would like to be able to give that love, but at the current date all my love is consumed by "understanding", and the day I will be able to spend it on "creating" is still far away
don't worry, you will get there soon enough and I'll be looking forward to your contributions
To get there, if you have any text or guide to link... feel free; I expected to find more literature on the topic eheh
Last edited by zavidos (2019-09-10 11:09:32)
Hi Zavidos,
do you have any progress?
Hi Zavidos,
do you have any progress?
unfortunately I have no news. I tried with the simple lf sniff but I can't get anything; maybe the antenna is too small, and I'm trying to figure out how to build a bigger one. The PCF7931 is fully inserted in the reader, so it is not physically possible to keep the PM3 between reader and tag.
I'm not even sure that with sniff I will get something; I started studying how to decode the raw signal
Are you sure that it is not a PCF7935?
Last edited by accdigit (2019-09-12 20:49:14)
http://imgur.com/a/kVm8Mgs
Last edited by accdigit (2019-09-12 21:42:49)
Are you sure that it is not a PCF7935?
You are right, mine is a PCF7935AS, but I didn't understand what that changes
Any help here?
While I know nothing about these cards or this system, I did find these two lines interesting (based on the current values you supplied)
aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00 : 00de (2.22) (first card)
55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00 : 012a (2.98) (second card)
With no more data to check, this is just a thought.
aa = Current Balance tag
55 = Previous Balance tag
<flag> <2 byte value> <2 byte value (repeat)> <flag> <2 byte value> <2 byte value (repeat)> <6 byte filler 0x00>
So, with that in mind, that would mean
Card 1, last spend was (00e1 - 00de) = 0.03 ?
Card 2, last spend was (0151 - 012a) = 0.27 ?
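As an added worked example (not code from this thread or from the Proxmark3 project), here is a small Python script that parses the "#db# (dbg)" lines of the dumps above into distinct blocks and applies the layout hypothesis from the post above. The tag meanings (0xAA current, 0x55 previous), the big-endian cent encoding, and the observation that the two five-byte records can appear in either order (0xAA first on the 2.22 card, second on the 2.98 card) are assumptions that fit only these two dumps. Note that, read as 16-bit integers, the second card's values are 0x0151 = 337 and 0x012a = 298, so the difference is 39 cents rather than 0x27.

```python
"""Parse a Proxmark3 'lf pcf7931 read' debug dump and decode the candidate balance block.

Added example, not Proxmark3 code. The block layout
<tag><u16><u16 repeat><tag><u16><u16 repeat><6 x 00> is an assumption that fits
the two dumps in the thread only.
"""
from typing import Dict, List, Optional

DBG_PREFIX = "#db# (dbg) "
TAG_CURRENT, TAG_PREVIOUS = 0xAA, 0x55  # assumed meaning of the record tags

# Constructed samples: a subset of the dbg lines from the two dumps in the thread,
# with repeats and the 'Max blocks' line kept in so the parser has to cope with them.
DUMP_222 = """\
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
command execution time out
#db# (dbg) Max blocks: 4
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# Error reading the tag
"""

DUMP_298 = """\
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00
#db# (dbg) Max blocks: 4
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00
"""


def parse_blocks(dump: str) -> List[bytes]:
    """Return the distinct 16-byte blocks in order of first appearance.

    The firmware prints every block it receives, so blocks repeat; lines that are
    not 16 hex bytes ('Max blocks: 4') are skipped.
    """
    blocks: List[bytes] = []
    for line in dump.splitlines():
        if not line.startswith(DBG_PREFIX):
            continue
        fields = line[len(DBG_PREFIX):].split()
        if len(fields) != 16:
            continue
        try:
            block = bytes(int(f, 16) for f in fields)
        except ValueError:
            continue
        if block not in blocks:
            blocks.append(block)
    return blocks


def decode_balance_block(block: bytes) -> Optional[Dict[str, int]]:
    """Decode one block under the assumed layout, or return None if it does not fit.

    Both records must carry one of the two tags, both copies of each value must
    agree, and the trailing six bytes must be zero. Records may come in either order.
    """
    if len(block) != 16 or block[10:] != bytes(6):
        return None
    values: Dict[int, int] = {}
    for off in (0, 5):
        tag = block[off]
        first = int.from_bytes(block[off + 1:off + 3], "big")
        repeat = int.from_bytes(block[off + 3:off + 5], "big")
        if tag not in (TAG_CURRENT, TAG_PREVIOUS) or first != repeat:
            return None
        values[tag] = first
    if set(values) != {TAG_CURRENT, TAG_PREVIOUS}:
        return None
    current, previous = values[TAG_CURRENT], values[TAG_PREVIOUS]
    return {"current": current, "previous": previous, "last_spend": previous - current}


def find_balance(dump: str) -> Optional[Dict[str, int]]:
    """Return the first distinct block in the dump that decodes as a balance block."""
    for block in parse_blocks(dump):
        decoded = decode_balance_block(block)
        if decoded is not None:
            return decoded
    return None


def cents_to_euro(cents: int) -> str:
    """Format a cent count as 'E.CC' (222 -> '2.22')."""
    return f"{cents // 100}.{cents % 100:02d}"


if __name__ == "__main__":
    for name, dump in (("2.22 card", DUMP_222), ("2.98 card", DUMP_298)):
        print(name, [b.hex() for b in parse_blocks(dump)])
        bal = find_balance(dump)
        if bal is not None:
            print("  current", cents_to_euro(bal["current"]),
                  "previous", cents_to_euro(bal["previous"]),
                  "last spend", cents_to_euro(bal["last_spend"]))
```

Running it on the two dumps yields four distinct blocks each and decodes the 2.22 card as current 2.22 / previous 2.25 (spend 0.03) and the 2.98 card as current 2.98 / previous 3.37 (spend 0.39). A third dump with a known balance would be the quickest way to confirm or kill the hypothesis, in particular whether the record order really alternates between writes.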
While I know nothing about these cards or this system, I did find these two lines interesting (based on the current values you supplied)
aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00 : 00de (2.22) (first card)
55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00 : 012a (2.98) (second card)
With no more data to check, this is just a thought.
aa = Current Balance tag
55 = Previous Balance tag
<flag> <2 byte value> <2 byte value (repeat)> <flag> <2 byte value> <2 byte value (repeat)> <6 byte filler 0x00>
So, with that in mind, that would mean
Card 1, last spend was (00e1 - 00de) = 0.03 ?
Card 2, last spend was (0151 - 012a) = 0.27 ?
Hi, first of all, thanks for your interest.
This could be right; 0.03 is for sure OK, it is the price of an empty glass, while 0.27 is not, maybe the result of a top-up plus an expense. One curiosity: did you use something to get an immediate hex->dec conversion to see 2.22 and 2.98, or did you just convert the values you supposed are associated with the credit?
In any case the problem is that I should find a way to sniff the first 7 bytes during the reader/card communication and I can't find any; without them, it seems I can't write to the PCF7935
Last edited by zavidos (2019-10-03 14:42:15)
"...did you use something to have immediate hex->dec conversion..."
Nope, I was just looking while on my train ride home from work
update: with the latest Proxmark firmware, reading the PCF7935 became more difficult, even with a good signal (data plot --> lf read). It takes a long time and sometimes just gets disordered blocks.
Moreover, it appears impossible to write the PCF7935 tag even with a known password and multiple (tens of) write pulses sent