Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2010-09-09 11:22:01

sikinmettugi
Member
Registered: 2010-07-08
Posts: 10

Adding additional "ping-pong" command loops in hi14areader

Another loooooooooong loooooooooong question. Sorry :(

Recently I've been investigating the Korean T-money Seoul Citypass+ card, which does not use MiFare Classic but does use the 13.56MHz frequency.
Its trace looks like this:

> hi14alist

recorded activity:

 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     52
 +     64:   0: TAG 04  00
 +   4328:    :     93  20
 +     64:   0: TAG 08  9d  3a  5c  f3
 +   2456:    :     93  70  08  9d  3a  5c  f3  6b  ac
 +     64:   0: TAG 20  fc  70
 +  11879:    :     50  00  57  cd
 +   8015:    :     26
 + 126438:    :     52
 +     64:   0: TAG 04  00
 +   4320:    :     93  20
 +     64:   0: TAG 08  5b  b4  b4  53
 +   2463:    :     93  70  08  5b  b4  b4  53  8c  42
 +     64:   0: TAG 20  fc  70
 +  11839:    :     e0  70  be  84
 +     64:   0: TAG 09  78  77  b9  02  01  11  20  03  f9  fc
 + 268738:    :     0a  00  00  a4  04  00  07  d4  10  00  00  03  00  01  33  1d  f4
 +   1295:   0: TAG 0a  00  6f! 31  b0  2f  00! 10! 01! 08! 10! 10! 00  03  95  59  95  74  01! 15! 53  11  04! 20! 10! 05  11  20  15  05  10  01  00  00  07  a1  20  40  02  00  00  00  00  00  00  00  00  00  00  00  00  00  00  90  00  41  39
 +  64711:    :     0b  00  90  40  00  00  04  00  00  07  d0  1e  aa  0b
 +  12590:   0: TAG 0b! 00  10! 00! 00  1d  b0  08  10  10  00  03  95  59  95  74  00  00  00  17  29  01  0d  fe  71  0c  7f  a6  2c  c6  25  a9  90  00  b1  73
 + 309364:    :     0a  00  90  42  00  00  10  07  20  09  00  30  00  65  39  00  00  55  c3  c9  20  b7  76  08  ea  9e
 +  18502:   0: TAG 0a  00  00  00  25  80  77  43  e6  53  90  00  2d  0a
 +  39802:    :     0b  00  90  4c  00  00  04  17  08
 +    432:   0: TAG 0b  00  00  00  25  80  90  00  e3  06

The trace is about charging an additional 2000 Korean Won (you can find 0x07d0) into the T-money card, so the total balance becomes 9600 KRW (0x2580). This T-money Citypass+ card uses a 13.56MHz carrier frequency and has an anticollision part, similar to MiFare Classic's. The trace doesn't look encrypted at all, since the BCD representation of the TAG UID is shown.

What I want to do is make Proxmark3 act like the T-money balance recharger (what do you call it exactly? anyway...) and get a trace similar to this one. The problem is, I can't find a way to add the additional commands to send, like "0a  00  00  a4  04  00  07  d4  10  00  00  03  00  01  33  1d  f4".

I added it like this below, inside the function ReaderIso14443a() in iso14443a.c
(oh, I almost forgot: I'm using the Summer 2009 firmware, SVN revision 215),
and it compiled successfully but the command wasn't transmitted:

  //T-money pp02 - TAG information request
  BYTE cmd8[] = {0x0a, 0x00, 0x00, 0xa4, 0x04, 0x00, 0x07, 0xd4, 0x10, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0x05, 0xf7};
  BYTE *req8 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 7));   // next free request slot in BigBuf
  int req8Len;

  // Secondly compute the two CRC bytes at the end
  ComputeCrc14443(CRC_14443_A, cmd7, 2, &cmd7[2], &cmd7[3]);
  CodeIso14443aAsReader(cmd7, sizeof(cmd7));
  memcpy(req7, ToSend, ToSendMax); req7Len = ToSendMax;

  // Send authentication request (Mifare Classic) and trace it
  // (reader entries: zeroed timestamp/parity fields, then length, then the bytes)
  TransmitFor14443a(req7, req7Len, &samples, &wait);
  trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;
  trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;
  trace[traceLen++] = 4;
  memcpy(trace+traceLen, cmd7, 4);
  traceLen += 4;
  if(traceLen > TRACE_LENGTH) goto done;

  if(GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) {
    rsamples++;
    // We received probably a random, continue and trace!
  }
  else {
    // Received nothing
    continue;
  }

  // Trace the random, i'm curious
  rsamples = rsamples + (samples - Demod.samples);
  trace[traceLen++] = ((rsamples >>  0) & 0xff);
  trace[traceLen++] = ((rsamples >>  8) & 0xff);
  trace[traceLen++] = ((rsamples >> 16) & 0xff);
  trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
  trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);
  trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);
  trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
  trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
  trace[traceLen++] = Demod.len;
  memcpy(trace+traceLen, receivedAnswer, Demod.len);
  traceLen += Demod.len;
  if(traceLen > TRACE_LENGTH) goto done;

  //Test for PP02 - only after the previous answer has been traced, so that the
  // Demod.* fields used below describe the answer to cmd8, not the one to cmd7
  CodeIso14443aAsReader(cmd8, sizeof(cmd8));
  memcpy(req8, ToSend, ToSendMax);
  req8Len = ToSendMax;
  // Send T-money PP02 and trace the command in the same form as cmd7 above
  TransmitFor14443a(req8, req8Len, &samples, &wait);
  trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;
  trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;
  trace[traceLen++] = sizeof(cmd8);
  memcpy(trace+traceLen, cmd8, sizeof(cmd8));
  traceLen += sizeof(cmd8);
  if(traceLen > TRACE_LENGTH) goto done;

  // Wait for the tag's reply to cmd8; without this call nothing new is demodulated
  // and the entry below would only repeat the previous answer
  if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) {
    // Received nothing
    continue;
  }
  rsamples = rsamples + (samples - Demod.samples);
  trace[traceLen++] = ((rsamples >>  0) & 0xff);
  trace[traceLen++] = ((rsamples >>  8) & 0xff);
  trace[traceLen++] = ((rsamples >> 16) & 0xff);
  trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
  trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);
  trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);
  trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
  trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
  trace[traceLen++] = Demod.len;
  memcpy(trace+traceLen, receivedAnswer, Demod.len);
  traceLen += Demod.len;
  if(traceLen > TRACE_LENGTH) goto done;
  //Endtest
  // Thats it...

Yeah, I'm a terrible programmer...

Anyway, is there a way I can add those additional commands in order to make Proxmark3 act like 'the recharger'?

Last edited by sikinmettugi (2010-09-09 11:28:09)

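To make sense of a hi14alist trace like the one above before touching the firmware, it helps to have a decoder that checks what the Proxmark logged. The following is an added example, not code from this thread or from the Proxmark3 project: a small C program that parses hi14alist lines, separates reader and tag frames, classifies the ISO 14443-3 commands (WUPA 52, anticollision 93 20, SELECT 93 70, HLTA 50 00, RATS e0) and ISO 14443-4 I-blocks, verifies the CRC_A on reader frames and the BCC on the UID, counts the bytes the demodulator marked with "!" (parity errors), and strips PCB, CID and CRC from an I-block to get at the APDU or response. It assumes the column layout shown in the post; the balance interpretation follows the post's own reading of the response (0x2580 = 9600 KRW).

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FRAME 64

typedef struct {
    long etu;                 /* time since the previous frame, in ETU (first column) */
    int from_tag;             /* 1 when the line says TAG (tag -> reader direction) */
    uint8_t bytes[MAX_FRAME]; /* frame bytes as logged, CRC included */
    int n, parity_errors;     /* byte count; bytes the Proxmark marked '!' (parity error) */
} Frame;

typedef enum { F_REQA, F_WUPA, F_ANTICOL, F_SELECT, F_HLTA, F_RATS, F_IBLOCK, F_OTHER } Kind;
static const char *kind_name[] = { "REQA", "WUPA", "ANTICOLLISION", "SELECT", "HLTA", "RATS", "I-block", "other" };

/* ISO/IEC 14443-3 CRC_A (init 0x6363); low byte in bits 0-7, and the low byte is sent first. */
uint16_t crc_a(const uint8_t *data, size_t len) {
    uint16_t crc = 0x6363;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = data[i] ^ (uint8_t)crc;
        b ^= (uint8_t)(b << 4);
        crc = (uint16_t)((crc >> 8) ^ ((uint16_t)b << 8) ^ ((uint16_t)b << 3) ^ (b >> 4));
    }
    return crc;
}

/* 1 if the last two bytes of a frame are the CRC_A of the bytes before them. */
int crc_a_ok(const uint8_t *f, int n) {
    if (n < 3) return 0;
    uint16_t c = crc_a(f, (size_t)(n - 2));
    return f[n - 2] == (c & 0xff) && f[n - 1] == (c >> 8);
}

/* The BCC after a cascade-level-1 UID is the XOR of its four bytes. */
int bcc_ok(const uint8_t *uid4, uint8_t bcc) { return (uid4[0] ^ uid4[1] ^ uid4[2] ^ uid4[3]) == bcc; }

/* Parse one hi14alist line such as " +     64:   0: TAG 08  9d  3a  5c  f3". Returns 0 on failure. */
int parse_line(const char *line, Frame *out) {
    char *end;
    memset(out, 0, sizeof *out);
    const char *p = strchr(line, '+');
    if (!p) return 0;
    out->etu = strtol(p + 1, &end, 10);
    p = strchr(end, ':');                    /* end of the ETU column */
    if (p) p = strchr(p + 1, ':');           /* end of the rssi column */
    if (!p) return 0;
    for (p++; *p == ' '; p++) ;
    if (strncmp(p, "TAG", 3) == 0) { out->from_tag = 1; p += 3; }
    for (;;) {
        while (*p == ' ') p++;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) break;
        if (out->n >= MAX_FRAME) return 0;
        char hex[3] = { p[0], p[1], 0 };
        out->bytes[out->n++] = (uint8_t)strtoul(hex, NULL, 16);
        p += 2;
        if (*p == '!') { out->parity_errors++; p++; }   /* '!' marks a parity error on that byte */
    }
    return out->n > 0;
}

/* Classify a reader -> tag frame: ISO 14443-3 commands first, then 14443-4 I-blocks. */
Kind classify_reader(const Frame *f) {
    const uint8_t *b = f->bytes;
    if (f->n == 1 && b[0] == 0x26) return F_REQA;
    if (f->n == 1 && b[0] == 0x52) return F_WUPA;
    if (f->n == 2 && b[0] == 0x93 && b[1] == 0x20) return F_ANTICOL;
    if (f->n == 9 && b[0] == 0x93 && b[1] == 0x70) return F_SELECT;
    if (f->n == 4 && b[0] == 0x50 && b[1] == 0x00) return F_HLTA;
    if (f->n == 4 && b[0] == 0xe0) return F_RATS;
    if (f->n >= 3 && (b[0] & 0xe2) == 0x02) return F_IBLOCK;   /* PCB 000x x01x is an I-block */
    return F_OTHER;
}

/* I-block payload (APDU, or response data plus SW1 SW2) without the PCB, the CID byte
   (present when PCB bit 3 is set) and the trailing CRC. Returns -1 if not an I-block. */
int iblock_payload(const Frame *f, uint8_t *out, int cap) {
    if (f->n < 3 || (f->bytes[0] & 0xe2) != 0x02) return -1;
    int start = (f->bytes[0] & 0x08) ? 2 : 1;
    int len = f->n - 2 - start;
    if (len < 0 || len > cap) return -1;
    memcpy(out, f->bytes + start, (size_t)len);
    return len;
}

/* Big-endian 32-bit read, for the balance field the post points at (0x00002580 = 9600). */
uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

int main(void) {
    /* Two lines copied from the post: the reader's SELECT and the tag's balance response. */
    Frame f; uint8_t pl[MAX_FRAME];
    if (parse_line(" +   2456:    :     93  70  08  9d  3a  5c  f3  6b  ac    ", &f))
        printf("%s CRC_A %s BCC %s\n", kind_name[classify_reader(&f)],
               crc_a_ok(f.bytes, f.n) ? "ok" : "BAD", bcc_ok(f.bytes + 2, f.bytes[6]) ? "ok" : "BAD");
    if (parse_line(" +  18502:   0: TAG 0a  00  00  00  25  80  77  43  e6  53  90  00  2d  0a    ", &f)) {
        int len = iblock_payload(&f, pl, MAX_FRAME);
        if (len >= 6) printf("tag I-block: %d payload bytes, balance %u, SW %02x%02x\n",
                             len, be32(pl), pl[len - 2], pl[len - 1]);
    }
    return 0;
}
```

The CRC check is the quick way to tell a clean capture from a mis-demodulated one: the HLTA and RATS frames in the post (50 00 57 cd, e0 70 be 84) verify, while a frame full of "!" markers, like the long ATS-style response in the trace, should not be trusted byte-for-byte when you try to understand the protocol.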

#2 2010-09-10 11:18:47

rumpeltux
Contributor
From: München, Germany
Registered: 2010-02-04
Posts: 18

Re: Adding additional "ping-pong" command loops in hi14areader

Have a look at ReaderIso14443a(…).

It allows you to establish a connection to the tag and send raw commands. However, you need a more recent firmware and then implement the commands in the command-line tool.

#3 2010-09-13 12:02:08

sikinmettugi
Member
Registered: 2010-07-08
Posts: 10

Re: Adding additional "ping-pong" command loops in hi14areader

Hmm.. Okay, so I need a recent version of the firmware and a suitable compile environment.

Is the recent one stable on Windows, BTW? I saw someone say "no, it isn't" somewhere on the internet...

#4 2014-01-20 03:52:05

krfidhunter
Member
Registered: 2014-01-20
Posts: 6

Re: Adding additional "ping-pong" command loops in hi14areader

Cashbee and T-Money do not use the Mifare Classic module, but they use the 13.56MHz frequency.

The Korean transportation card uses KS X 6923 ~ KS X 6925 technology,

and that uses ISO 7816 and ISO 14443-3 ~ 4.

Cashbee and T-Money do not use a recharger concept.

They use a purchase concept.

The purchase concept has sign and SEED, 3DES crypto algorithms.

The sign data has date, money type (purchase, cancel purchase, recharge, maybe) and money.

If the reader sends this command -> Hey! Card! I need your balance information

next the card will send to the reader -> Hey! Reader! I send you balance information!

next, if the reader received it -> if there is a purchase process, compare the balance.

if card balance > purchase process balance

start process

if card balance < purchase process balance

you don't have enough balance!! Get out!!

If the process started,

the reader makes sign data and sends it to the card.

if the card receives sign data, the card checks the information:

decrypt sign data and verify sign data and apply sign data (balance or anything else; if the card has memory, it will save the sign data)


so, if you hack Korean transportation cards, you may need to know KS X 6923 ~ KS X 6925 technology,

and sign data ~ anything else.