Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-05-19 20:04:13

akileos
Contributor
Registered: 2017-05-17
Posts: 23

Advant Scan

pm3 --> hf search

UID : 16 38 04 DC E7 2F 3D
ATQA : 00 41
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : EM Microelectronic-Marin SA Switzerland
ATS : 05 77 77 81 02 BD 91
       -  TL : length is 5 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 7 (FSC = 128)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
       - TC1 : NAD is NOT supported, CID is supported
Answers to magic commands: NO

Valid ISO14443-A Tag Found - Quiting Search

pm3 --> hf mfdes info
-- Desfire Information --------------------------------------
-------------------------------------------------------------
  UID                : 16 38 04 DC E7 2F 3D
  Batch number       : 00 00 00 00 00
  Production date    : week 00, 2000
  -----------------------------------------------------------
  Hardware Information
      Vendor Id      : no tag-info available
      Type           : 0xF3
      Subtype        : 0xA2
      Version        : 0.0 (Desfire MF3ICD40)
      Storage size   : 0x00 (1 bytes)
      Protocol       : 0x00 (Unknown)
  -----------------------------------------------------------
  Software Information
      Vendor Id      : no tag-info available
      Type           : 0x48
      Subtype        : 0xBE
      Version        : 0.0
      storage size   : 0x00 (1 bytes)
      Protocol       : 0x00 (Unknown)
-------------------------------------------------------------
CMK - PICC, Card Master Key settings

   [0x08] Configuration changeable       : NO
   [0x04] CMK required for create/delete : YES
   [0x02] Directory list access with CMK : YES
   [0x01] CMK is changeable              : NO

   Max number of keys       : 243
   Master key Version       : 0 (0x00)
   ----------------------------------------------------------
   [0x0A] Authenticate      : YES
   [0x1A] Authenticate ISO  : YES
   [0xAA] Authenticate AES  : YES

   ----------------------------------------------------------
   Available free memory on card       : 10679040 bytes
-------------------------------------------------------------

pm3 --> hf 14a reader
UID : 16 38 04 DC E7 2F 3D
ATQA : 00 41
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : EM Microelectronic-Marin SA Switzerland
ATS : 05 77 77 81 02 BD 91
       -  TL : length is 5 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 7 (FSC = 128)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
       - TC1 : NAD is NOT supported, CID is supported
Answers to magic commands: NO


pm3 --> hf 14a cuid
Collecting 1 UIDs
Start: 1495219069
163804DCE72F3D
End: 1495219070

Last edited by akileos (2017-05-19 20:10:17)

Offline

#2 2017-05-20 13:29:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Advant Scan

Legic is not part of hf search. (well, since you are using Iceman's build I'm not certain of that...)

Use legic specific cmds if you know what it is.  (But the legic cmds are in early development still.)

Offline

#3 2017-05-20 20:15:41

akileos
Contributor
Registered: 2017-05-17
Posts: 23

Re: Advant Scan

Hi marshmellow,

I know about Legic prime being supported but Advant is the "new" legic technology, as opposed to prime which is working ok-ish in current proxmark (lack of proper protocol support-> bitbanging).
Advant is claimed to be ISO14a compliant ( and supposedly secure ! )
http://www.legic.com/en/products-and-services/smartcard-ic-s/507928/advant-as-chip.html
I'm still working on having mosci's lua working with my advant tags, all CRC are wrong smile

Offline

#4 2017-06-06 12:44:20

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: Advant Scan

Proxmark can not read Leagic advant media. The one u got is a type of advant card based on a DESfire chip. This is special EAL4 certified card. It has nothing to do with the other advant chip types. They are not limited to ISO14441A, the are also support ISO15693 variants.
So in any way the legic LUA script will not work with advant media, since proxmark can not read any data from it.

Offline

#5 2017-06-06 15:16:43

akileos
Contributor
Registered: 2017-05-17
Posts: 23

Re: Advant Scan

Hi Jason,

May I ask you to contact me ? either on IRC or by email. Working on legic.lua ad I'm pretty sure you are one of the knowledgeable persons on this area.

Offline

#6 2017-06-06 18:24:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Advant Scan

well,  on iceman fork,  "hf legic reader" is connected with "hf search".. Nevertheless,  the whole Legic Advant documents etc is much sought after.

Offline

#7 2017-06-07 16:46:10

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: Advant Scan

I have all documents available, the problem is the watermarking of this documents. Last year I started to remove it and encountered there are watermark fragments inside, so by knowing where the fragments are, someone could reassemble them easily (e.g. Legic).
So I stopped there and thought about createing a thread with advant specifications... but the massive amount of data is really hard work to be written by hand... than I was very busy also, so I dropped that at this point.

If anyone knows how to remove such watermarks from a PDF really completely I try. But the watermark removing of the PDF tool itself is useless. They don't used the embedded function, they added a background text layer with this informations.

Last edited by Jason (2017-06-07 16:46:45)

Offline

#8 2017-06-07 18:32:49

akileos
Contributor
Registered: 2017-05-17
Posts: 23

Re: Advant Scan

I already done it with other Kaba documents that had the "confidential" marking. Open PDF in word, find&replace worked fine for me. Also save as RTF removes most of the formatting if not relevant.
Edit: Not sure if relevant, are you in Switzerland ? Maybe we can meet.

Last edited by akileos (2017-06-07 18:33:19)

Offline

#9 2017-06-08 09:37:59

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: Advant Scan

akileos wrote:

Open PDF in word, find&replace worked fine for me. Also save as RTF removes most of the formatting if not relevant.

That was my first attempt. But by edititing the RTF file in raw format, I noticed the branding-fragments inside. Lets say if the name is "Microsoft" you can find encapsulated text objects names "Mi", "cros", "oft" and so on in different combination. This makes ist simply impossible to do just a quit finde&replace.
And maybe theres more inside (possibly a non visible watermark in pictures). My attemps than was to remove the brandings how are visible, than convert every page to grayscale pictures and than convert it back to PDF with OCR. I tried this for a few pages: Time consuming... sad

akileos wrote:

(...) are you in Switzerland ? Maybe we can meet.

No, I'm not from Switzerland.

Offline

#10 2017-06-08 10:45:15

akileos
Contributor
Registered: 2017-05-17
Posts: 23

Re: Advant Scan

Tested works flawlessly here :

Download qpdf  - http://qpdf.sourceforge.net/

Run :

\qpdf-6.0.0\bin\qpdf.exe --linearize --stream-data=uncompress source.pdf  dest.pdf

Open with notepad, find & replace watermark.
You can repair the file :

\qpdf-6.0.0\bin\qpdf.exe --linearize --stream-data=uncompress dest.pdf  repaired.pdf

If now working please provide a sample of your and will do a custom Python script to remove it.

Last edited by akileos (2017-06-08 10:52:10)

Offline

#11 2017-06-08 20:26:07

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: Advant Scan

The tool didn't work as well (still fragments)... I used a different way, since I tries to un-brand the files again. It took some time to convert, but now the files are clean.
Some of you got a Mail.

Offline

#12 2017-06-08 20:34:54

akileos
Contributor
Registered: 2017-05-17
Posts: 23

Re: Advant Scan

Thanks, still trying to make a valid badge on my side. The lua isn't of any help keep generating dumps that won't read after.
Edit: Tried with the CRc change in segment Zero. Will try on monday smile

Last edited by akileos (2017-06-08 21:29:30)

Offline

Board footer

Powered by FluxBB