Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hi,
I have mifare classic 1k public transport card that needed hardnested command for dumping. I successfully got past that hurdle and now I have a full card dump in 'bin' and 'eml' formats.
Now I want to understand how does a card store value. I did an experiment like this:
- Read initial card state: 105.00 credits
- Dump the card
- Spend 4.00 credits
- Read card state: 101.00 credits
- Dump the card
- Diff two card dumps
Here are the before and after values I'm getting in a hex editor.
Block 17 before the reading: dbfe ff7f 2401 0080 dbfe ff7f 11ee 11ee
Block 17 after the reading: dafe ff7f 2501 0080 dafe ff7f 11ee 11ee
Block 18 before the reading: dbfe ff7f 2401 0080 dbfe ff7f 11ee 11ee
Block 18 after the reading: dafe ff7f 2501 0080 dafe ff7f 11ee 11ee
These are obviously value blocks. The first 2 rows should correspond to value "105.00". The last two rows should contain "101.00".
MAD application ID of this sector is 887b, I looked it up in MAD directory here http://cardinfo.barkweb.com.au/index.php?location=19&sub=36
And it seems these values are "electronic purse".
Application Service provider Service integrator
0x887B Electronic purse ZAGREBACKI Holding d.o.o. MIKROELEKTRONIKA spol.s.r.o. Mikroelektronika spol.s r.o.
The problem is: I can't make sense of the values in the value block. "dbfe ff7f" should somehow correspond to "105.00" credits, but I can't make sense of it, even after flipping the bytes to "7fff fedb". Same goes for the other value "dafe ff7f" which should correspond to "101.00".
Questions:
- Can someone help with deciphering the above values? A pointer to a link, resource or a specification would be great.
- Is there a way to get specification for each MAD application id? Example: can I somehow get a specification for MAD AID 0x887B? With that I could decipher these and any other AID values.
Thanks
Last edited by franskav (2019-10-13 10:24:27)
Offline
Hi,
it does not seem that the values above show the credits in hexadecimal!
Does your dump contains a valid "value-block"?
Offline
Yes, I think the dump contains valid "value blocks".
Based on your comment I realized I copy-pasted values from my hex editor which contained some text that is not a part of the value block. I edited the original post and "cleaned" up the "before" and "after" values. I think the data provided above should be clearer now.
Offline