Hi,
My building got new HF card reader access, for which I am trying to make a second copy. While I am OK with HF/LF HID or Indala cards, I have no real experience with Mifare Classic / 2K/4K Plus / Ultralight, let alone DESFire cards. (Speaking of which, does anyone know a good guide to these cards? Please don't say "read the product implementation data sheet", as maths is not my strong suit. Even a good overview of all the popular RFID implementations would be great.)
Firstly, hw ver (on what I believe is iceman fork) on Proxmark v1
***
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-134-g70dbfc3-suspect 2019-09-27 02:39:21
os: master/v3.1.0-134-g70dbfc3-suspect 2019-09-27 02:39:30
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07
SmartCard Slot: not available
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 204527 bytes (78%). Free: 57617 bytes (22%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
***
I am not even sure of the card size let alone the implementation (1k/DES etc).
Also not sure whether I should use hf mf/p or hf 14a.
Anyway, here is the card info:
***
UID : 04 60 39 9a 7d 24 80
ATQA : 00 42
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : c1 05 2f 2f 01 bc d6 -> MIFARE Plus X 2K or 4K
    c1 -> Mifare or (multiple) virtual cards of various type
    05 -> Length is 5 bytes
    2x -> MIFARE Plus
    2x -> Released
    x1 -> VCS, VCSL, and SVC supported
No chinese magic backdoor command detected
PRNG data error: Wrong length: 0
Prng detection error.
----------------------------------------------
Mifare Plus info:
ATQA: Mifare Plus 4k 7bUID
SAK: Mifare Plus SL0/SL3 or Mifare desfire
Mifare Plus SL mode: SL3
***
When I search for keys using default dic it says none of the keys work.
Neither does autopwn, which just returns a 'could't retrieve tag nonce'
Also, here is hf list 14a printout:
***
Recorded Activity (TraceLen = 159 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error, ' denotes short bytes) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52' | | WUPA
2228 | 4596 | Tag | 42 00 | |
17024 | 19488 | Rdr | 93 20 | | ANTICOLL
20660 | 26548 | Tag | 88 04 60 39 d5 | |
28928 | 39456 | Rdr | 93 70 88 04 60 39 d5 d2 9e | ok | SELECT_UID
40628 | 44148 | Tag | 04 da 17 | |
45440 | 47904 | Rdr | 95 20 | | ANTICOLL-2
49076 | 54964 | Tag | 9a 7d 24 80 43 | |
57344 | 67808 | Rdr | 95 70 9a 7d 24 80 43 2f be | ok | ANTICOLL-2
69044 | 72628 | Tag | 20 fc 70 | |
74112 | 78816 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
240000 | 244768 | Rdr | 50 00 57 cd | ok | HALT
***
I don't want to be spoon-fed answers here; I am not trying to be lazy, but any help pointing me in the right direction would be appreciated.
Offline
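The ATS breakdown the client printed in the first post can be reproduced by hand. The following Python is an added example, not part of the original thread and not Proxmark3 client code: it decodes an ATS per ISO/IEC 14443-4 and checks the trailing CRC_A. The function and constant names are illustrative assumptions; the input bytes are the ATS line quoted in the post.

```python
# Added example: ISO/IEC 14443-4 ATS decoder with CRC_A check (names are illustrative).
ATS_FROM_POST = bytes.fromhex("0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3")  # from the first post
FSC_TABLE = [16, 24, 32, 40, 48, 64, 96, 128, 256]  # FSCI 0..8 -> max frame size (bytes)

def crc_a(data: bytes) -> int:
    """CRC_A of ISO/IEC 14443-3 (initial value 0x6363); transmitted low byte first."""
    crc = 0x6363
    for d in data:
        b = d ^ (crc & 0xFF)
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return crc

def divisors(bits: int) -> list:
    """Three capability bits -> supported extra divisors out of 2, 4, 8."""
    return [2 << i for i in range(3) if bits & (1 << i)]

def parse_ats(frame: bytes) -> dict:
    """Decode TL, T0, TA1/TB1/TC1 and historical bytes; frame = ATS + 2 CRC bytes."""
    if not frame or len(frame) != frame[0] + 2:
        raise ValueError("TL does not match frame length (TL bytes + 2 CRC bytes)")
    tl = frame[0]
    ats, crc = frame[:tl], frame[tl:]
    out = {"TL": tl, "crc_ok": crc_a(ats).to_bytes(2, "little") == crc}
    if tl == 1:                       # no T0: defaults apply, nothing more to decode
        return out
    t0, pos = ats[1], 2
    if pos + bin(t0 & 0x70).count("1") > tl:
        raise ValueError("T0 announces interface bytes that are not in the frame")
    fsci = t0 & 0x0F
    out["FSC"] = FSC_TABLE[fsci] if fsci < len(FSC_TABLE) else None  # None: not in this table
    if t0 & 0x10:                     # TA1: bit-rate capability
        ta1, pos = ats[pos], pos + 1
        out["same_divisor_only"] = bool(ta1 & 0x80)
        out["DS"] = divisors((ta1 >> 4) & 0x07)    # card -> reader
        out["DR"] = divisors(ta1 & 0x07)           # reader -> card
    if t0 & 0x20:                     # TB1: frame waiting time / start-up guard time
        tb1, pos = ats[pos], pos + 1
        out["FWI"], out["SFGI"] = tb1 >> 4, tb1 & 0x0F
        out["FWT_fc"] = 256 * 16 * (1 << out["FWI"])   # in carrier periods (1/fc)
    if t0 & 0x40:                     # TC1: optional protocol features
        tc1, pos = ats[pos], pos + 1
        out["NAD"], out["CID"] = bool(tc1 & 0x01), bool(tc1 & 0x02)
    out["historical"] = ats[pos:].hex(" ")
    return out

if __name__ == "__main__":
    for key, value in parse_ats(ATS_FROM_POST).items():
        print(f"{key:18} {value}")
```

The same `crc_a` routine also reproduces the CRC column of the `hf list 14a` trace, for example the `57 cd` that follows the HALT command `50 00`.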
Your tag seems to be MFP in SL3 mode. No known easy cloning.
Mifare Plus SL mode: SL3
Offline
Damn.
If _the_ authority says so then I guess I am screwed.
Thanks Iceman
Offline
Just hypothetically: if I have a Mifare Plus SL3 card and I have scanned it with NXP TagInfo, where it says "Factory default AES key", is it then possible for me to clone the card with the Proxmark or the Chameleon? And would the process be complicated?
Offline
I don't think Chameleon supports MIFARE Plus (MFP).
You might be able to read it with your Proxmark, and you might be able to restore the data onto another MFP card.
Offline
Never heard of it.
Offline