Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2020-09-15 20:05:43

Piotr0
Contributor
Registered: 2020-09-15
Posts: 3

Bricked tag? How to unbrick it?

Hi,

I'm having some issues with a tag using a brand new (Chinese) Proxmark 3 (Easy) 3.0 with the latest official firmware and software.

proxmark3> hw status

#db# Memory
#db#   BIGBUF_SIZE.............40000
#db#   Available memory........40000
#db# Tracing
#db#   tracing ................1
#db#   traceLen ...............114
#db# Currently loaded FPGA image:
#db#   fpga_lf.bit built for 2s30vq100 on 2019/11/21 at 09:02:37
#db# Smart card module (ISO 7816)
#db#   version.................FAILED
#db# LF Sampling config:
#db#   [q] divisor:           95
#db#   [b] bps:               8
#db#   [d] decimation:        1
#db#   [a] averaging:         1
#db#   [t] trigger threshold: 0
#db#   [s] samples to skip:   0
#db# USB Speed:
#db#   Sending USB packets to client...
#db#   Time elapsed:      1500ms
#db#   Bytes transferred: 1052672
#db#   USB Transfer Speed PM3 -> Client = 701781 Bytes/s
#db# Various
#db#   MF_DBGLEVEL........2
#db#   ToSendMax..........6
#db#   ToSendBit..........1
proxmark3> hw version

Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-200-ge6158a4-suspect 2020-09-14 18:23:19
os: master/v3.1.0-200-ge6158a4-suspect 2020-09-14 18:23:20
fpga_lf.bit built for 2s30vq100 on 2019/11/21 at 09:02:37
fpga_hf.bit built for 2s30vq100 on 2020/03/05 at 19:09:39
SmartCard Slot: not available

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 211935 bytes (40%). Free: 312353 bytes (60%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

First tries,

proxmark3> hf search
 UID : a8 6f aa 4c
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK

Valid ISO14443A Tag Found - Quiting Search

and after some commands the tag was bricked and since then it remains unreadable:

proxmark3> hf search

#db# Reading card ...
No or unknown card found, aborting

no known/supported 13.56 MHz tags found

trying to restore its contents from a backup (.bin):

proxmark3> hf mf restore 1
Restoring dumpdata.bin to card
Writing to block   0: a8 6f aa 4c 24 08 04 00 62 63 64 65 66 67 68 69
#db# Can't select card
#db# WRITE BLOCK FINISHED
isOk:00
[...]
Writing to block  63: ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
#db# Can't select card
#db# WRITE BLOCK FINISHED
isOk:00

trying to restore its contents from a backup (.eml):

proxmark3> hf mf cload dumpdata
No chinese magic backdoor command detected
Loading magic mifare 1K
#db# wupC1 error
Can't set magic card block: 0

trying to reset the tag:

proxmark3> hf mf cwipe 1 w f
No chinese magic backdoor command detected

no luck with lua scripts.

proxmark3> script run remagic
--- Executing: remagic.lua, args ''
hf 14a raw -p -a -b 7 40
received 0 bytes:
hf 14a raw -p -a 43
received 0 bytes:
hf 14a raw -c -p -a A000
received 0 bytes:
hf 14a raw -c -p -a 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01
received 0 bytes:

-----Finished
proxmark3> script run formatMifare
--- Executing: formatMifare.lua, args ''
----------------------------------------
----------------------------------------

No response from card
No response from card
Estimating number of blocks: 64
Old key:    FFFFFFFFFFFF
New key:    FFFFFFFFFFFF
New Access: FF0780
----------------------------------------
###	New sector-trailer : FFFFFFFFFFFFFF078000FFFFFFFFFFFF
###	New emptyblock: 00000000000000000000000000000000
###	
Do you want to erase this card [y/n] ?y
----------------------------------------
hf mf wrbl 1 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 2 B FFFFFFFFFFFF 00000000000000000000000000000000
[...]
hf mf wrbl 63 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 64 B FFFFFFFFFFFF 00000000000000000000000000000000

-----Finished

no way to write on block 0,

proxmark3> hf mf wrbl 0 A ffffffffffff a86faa4c240804006263646566676869
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: a8 6f aa 4c 24 08 04 00 62 63 64 65 66 67 68 69
#db# Can't select card
#db# WRITE BLOCK FINISHED
isOk:00
proxmark3> hf list 14a
Recorded Activity (TraceLen = 65 bytes)

Start = Start of Frame, End = End of Frame. Src = Source of transfer
All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error, ' denotes short bytes)            | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 52'                                                             |     | WUPA
       2116 |       4484 | Tag | 04  00                                                          |     |
       7040 |       9504 | Rdr | 93  20                                                          |     | ANTICOLL
      10564 |      16388 | Tag | a8  6f  aa  4c  24                                              |     |
      18816 |      29280 | Rdr | 93  70  a8  6f  aa  4c  21  85  e1                              |  ok | SELECT_UID

a second try

proxmark3> hf mf wrbl 0 A FFFFFFFFFFFF a86faa4c240804006263646566676869
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: a8 6f aa 4c 24 08 04 00 62 63 64 65 66 67 68 69
#db# Can't select card
#db# WRITE BLOCK FINISHED
isOk:00

Is it possible to recover access to this tag?

Thanks

Offline

#2 2020-09-16 11:53:31

iceman
Administrator
Registered: 2013-04-25
Posts: 6,648
Website

Re: Bricked tag? How to unbrick it?

Start reading https://github.com/RfidResearchGroup/pr … s_notes.md
since you are running on official repo you might need to adapt the way the commands are used.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2020-09-18 18:08:57

Piotr0
Contributor
Registered: 2020-09-15
Posts: 3

Re: Bricked tag? How to unbrick it?

Thanks.

iceman wrote:

since you are running on official repo you might need to adapt the way the commands are used.

Of course, because almost none of the commands in the document work. Now the new problem is to figure out how.

I'm not able to find any hint about "hf 14a config" checking the proxmark3 help or wiki (https://github.com/Proxmark/proxmark3/wiki/commands).

On the other hand I am clear that the problem is that the BCC is wrong, it should be 21 instead of 24, but also reading the linked document I see that the tag is not of any of the types mentioned ("proprietary non iso14443-4 card", "RATS not supported", "No chinese magic backdoor command detected",...) Anyway when I have tried to send the raw commands 90 f0 cc cc 10 ... (some of them are identical to the remagic script) and there was no changes. I know perfectly well that this  not my area of expertise but I guess that this kind of tag cannot be fixed.

Last edited by Piotr0 (2020-09-18 20:40:56)

Offline

Board footer

Powered by FluxBB