Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-06-18 23:38:37

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

1 to 1 copy

1 to 1 copy
the card reader recognizes
"Magic Chinese Cards"
and that does not open the door
what can you do there ?
does anyone have a hint?



UID : 19 2B 33 14
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK

[+] Valid ISO14443-A tag  found

[usb] pm3 --> hf sea
[=] Checking for known tags...

UID : 19 2B 33 14
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD

[+] Valid ISO14443-A tag  found


[usb] pm3 --> hf mf wrbl 0 B 0d2DDDe90296 1942B3340E880400C844002000000018
--block no:0, key type:B, key:DD 25 8F EF 02 96
--data: 19 2B 33 14 0E 88 04 00 C8 44 00 20 00 00 00 18
#db# Cmd Error: 04
#db# Write block error
isOk:00
[usb] pm3 -->

Last edited by 3dmann (2019-06-23 11:49:44)

Offline

#2 2019-06-19 00:18:44

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: 1 to 1 copy

You could try
csetuid          Set UID for magic Chinese card
csetblk          Write block - Magic Chinese card
cgetblk          Read block - Magic Chinese card

Offline

#3 2019-06-19 00:31:56

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

Re: 1 to 1 copy

[usb] pm3 --> hf 14a read
 UID : 19 2B 33 14
ATQA : 00 04
 SAK : 88 [2]
[+] field dropped.
[usb] pm3 --> hf 14a list
[+] Recorded Activity (TraceLen = 77 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+----------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2244 |       4612 | Tag |04  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10692 |      16580 | Tag |19 2B 33 14  0e                                                       |     |
      19456 |      29984 | Rdr |93  70  16  19 2B 33 14  d4  cb                                       |  ok | SELECT_UID
      31172 |      34692 | Tag |88  be  59                                                               |     |
[usb] pm3 --> hf sea
[=] Checking for known tags...

 UID : 19 2B 33 14
ATQA : 00 04
 SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK

[+] Valid ISO14443-A tag  found

[usb] pm3 --> csetuid
help             This help. Use '<command> help' for details of a particular command.
analyse          { Analyse utils... }
data             { Plot window / data buffer manipulation... }
emv              { EMV iso14443 and iso7816... }
hf               { High Frequency commands... }
hw               { Hardware commands... }
lf               { Low Frequency commands... }
rem              { Add text to row in log file }
reveng           { Crc calculations from the RevEng software... }
script           { Scripting commands }
trace            { Trace manipulation... }
quit
exit             Exit program
[usb] pm3 --> hf mf csetblk
Set block data for magic Chinese card. Only works with magic cards

Usage:  hf mf csetblk [h] <block number> <block data (32 hex symbols)> [w]
Options:
       h         this help
       w         wipe card before writing
       <block>   block number
       <data>    block data to write (32 hex symbols)
Examples:
       hf mf csetblk 1 DD0203040FF0607080910111213141516
       hf mf csetblk 1 DD0203040FF607080910111213141516 w
[usb] pm3 --> hf mf csetblk 1 19 2B 33 1440E880400C844002000000018
--block number: 1 data:19 2B 33 14 0E 88 04 00 C8 44 00 20 00 00 00 18
[usb] pm3 --> hf sea
[=] Checking for known tags...

 UID : 19 2B 33 14
ATQA : 00 04
 SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK

[+] Valid ISO14443-A tag  found

[usb] pm3 --> hf mf cgetblk
Get block data from magic Chinese card. Only works with magic cards


Usage:  hf mf cgetblk [h] <block number>
Options:
      h         this help
      <block>   block number
Examples:
      hf mf cgetblk 1
[usb] pm3 --> hf mf cgetblk h
Get block data from magic Chinese card. Only works with magic cards


Usage:  hf mf cgetblk [h] <block number>
Options:
      h         this help
      <block>   block number
Examples:
      hf mf cgetblk 1
[usb] pm3 --> hf mf cgetblk 1
--block number: 1
data: 19 2B 33 14 0E 88 04 00 C8 44 00 20 00 00 00 18
[usb] pm3 --> hf mf csetuid 162A2614
--wipe card:NO  uid:19 2B 33 14
[+] old block 0:  19 2B 33 DD 0E 88 04 00 C8 44 00 20 00 00 00 18
[+] new block 0:  19 2B 33 DD0E 88 04 00 C8 44 00 20 00 00 00 18
[+] old UID:00 00 00 00
[+] new UID:19 2B 33 14
[usb] pm3 --> hf sea
[=] Checking for known tags...

 UID : 19 2B 33 14
ATQA : 00 04
 SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK

[+] Valid ISO14443-A tag  found

[usb] pm3 -->

Last edited by 3dmann (2019-06-23 11:48:09)

Offline

#4 2019-06-19 00:44:45

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

Re: 1 to 1 copy

Assuming that the first is the original and the second is the clone.

hf mf csetuid 162A2614 0004 88

Some doors don't seem to respond to cards with different SAK numbers and somewhere those values don't seem to be set when I do a cload. 

I haven't investigated further but I've seen this a bunch of places and been discussing it offline with someone.

I might have the order reversed in the above command for the ATQA and the SAK, best to double check the help.

Offline

#5 2019-06-19 00:47:45

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

Re: 1 to 1 copy

thanks tomorrow morning I test the chip hopefully the door opens now

[usb] pm3 --> hf mf list
[+] Recorded Activity (TraceLen = 115 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |40                                                                       |     | MAGIC WUPC1
       2500 |       3076 | Tag |0a!                                                                      |     |
       7040 |       8352 | Rdr |43                                                                       |     | MAGIC WUPC2
       9540 |      10116 | Tag |0a!                                                                      |     |
      14080 |      18784 | Rdr |a0  01  d6  a0                                                           |  ok | WRITEBLOCK(1)
      20036 |      20612 | Tag |0a!                                                                      |     |
      25600 |      46496 | Rdr |19 2B 33 14 0e  88  04  00  c8  44  00  20  00  00  00  18  2e  fb   |  ok |
      89156 |      89732 | Tag |0a!                                                                      |     |
      91648 |      96416 | Rdr |50  00  57  cd                                                           |  ok | HALT
[usb] pm3 --> hf mf csetuid 19 2B 33 14
--wipe card:NO  uid:19 2B 33 14
[+] old block 0:  19 2B 33 14 0E 88 04 00 C8 44 00 20 00 00 00 18
[+] new block 0:  19 2B 33 14 0E 88 04 00 C8 44 00 20 00 00 00 18
[+] old UID:00 00 00 00
[+] new UID:19 2B 33 14
[usb] pm3 --> hf mf list
[+] Recorded Activity (TraceLen = 115 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |40                                                                       |     | MAGIC WUPC1
       2500 |       3076 | Tag |0a!                                                                      |     |
       7040 |       8352 | Rdr |43                                                                       |     | MAGIC WUPC2
       9540 |      10116 | Tag |0a!                                                                      |     |
      14080 |      18784 | Rdr |a0  00  5f  b1                                                           |  ok | WRITEBLOCK(0)
      20036 |      20612 | Tag |0a!                                                                      |     |
      25600 |      46496 | Rdr |19 2B 33 14  0e  88  04  00  c8  44  00  20  00  00  00  18  2e  fb   |  ok |
      89156 |      89732 | Tag |0a!                                                                      |     |
      91648 |      96416 | Rdr |50  00  57  cd                                                           |  ok | HALT
[usb] pm3 -->

Last edited by 3dmann (2019-06-23 11:45:07)

Offline

#6 2019-06-19 19:04:30

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

Re: 1 to 1 copy

Unfortunately, the door does not open
I have now the
10Pcs 13.5MHZ UID Changeable M1 S50 1K NFC Card Copy Rewritable Blank IC Car W0
ordered hope that it goes dan
With
hf mf wrbl 0 B 0d258fe90296 2DfA6140E880400C844002000000018


this is the garage door

Last edited by 3dmann (2019-06-23 11:43:49)

Offline

#7 2019-06-19 19:50:08

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

Re: 1 to 1 copy

Which card is the original and which is the clone?

Offline

#8 2019-06-19 20:38:41

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

Re: 1 to 1 copy

original

[usb] pm3 --> hf sea
[=] Checking for known tags...

UID : 19 2B 33 14
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD

[+] Valid ISO14443-A tag  found

[usb] pm3 --> hf mf list
[+] Recorded Activity (TraceLen = 103 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2244 |       4612 | Tag |04  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10692 |      16580 | Tag |19 2B 33 14  14  0e                                                       |     |
      19456 |      29984 | Rdr |93  70  16  19 2B 33 14  0e  d4  cb                                       |  ok | SELECT_UID
      31172 |      34692 | Tag |08  b6  dd                                                               |     |
      45312 |      50016 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
      54852 |      59588 | Tag |b8  10  c5  02                                                           |     | AUTH: nt



clone
[usb] pm3 --> hf sea
[=] Checking for known tags...

UID : 19 2B 33 14
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK

[+] Valid ISO14443-A tag  found


[usb] pm3 --> hf mf list
[+] Recorded Activity (TraceLen = 103 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2244 |       4612 | Tag |04  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10692 |      16580 | Tag |19 2B 33 14  14  0e                                                       |     |
      19456 |      29984 | Rdr |93  70  16  19 2B 33 14  d4  cb                                       |  ok | SELECT_UID
      31172 |      34692 | Tag |08  b6  dd                                                               |     |
      45312 |      50016 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
      54852 |      59588 | Tag |b8  10  c5  02                                                           |     | AUTH: nt

Last edited by 3dmann (2019-06-23 11:43:10)

Offline

#9 2019-06-19 20:48:46

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

Re: 1 to 1 copy

Thanks for your help just have even seen the error

SAK : 88 [2]        ----------    SAK : 08 [2]


Now the door opens SAK : 08 [2]

Offline

#10 2019-06-19 21:29:09

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

Re: 1 to 1 copy

Yeah that is what I was trying to get at.

I am seeing that a lot.  Its on my todo list when I have a 2nd proxmark around to figure out why dump -> cload doesn't change the SAK .

Offline

#11 2019-06-19 23:28:04

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

Re: 1 to 1 copy

it's just good to know that you have to look at it and then change it yourself
So for me it's all great

Offline

#12 2019-09-30 20:28:05

mabtux
Contributor
Registered: 2019-02-25
Posts: 10

Re: 1 to 1 copy

Hello,
is it possible to dump a chinese card?  when i try with
pm3--> hf mf csave e 1
the prompt answer give hf-mf-aabbccddee.eml , so if i understand correctly i have on this file hf-mf-aabbccddee.eml.
But when i try to load that file on a chine card :
pm3--> hf mf cload : or cdump , i have this response:
coud not find hf-mf-aabbccddee-key.bin
i understand no thing...

Offline

Board footer

Powered by FluxBB