Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-08-06 23:08:43

zavidos
Contributor
Registered: 2019-07-17
Posts: 14

PCF7931 first steps (edit:PCF7935)

Hello everybody, I finally got my Proxmark RDV4 and want to start studying a PCF7931 (coffee machine).
I'm able to read it and this is the result:

proxmark3> lf pcf7931 read
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
Waiting for a response from the proxmark...          
You can cancel this operation by pressing the pm3 button          
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05          
command execution time out          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) Max blocks: 4          
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00          
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00          
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00          
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00          
#db# (dbg) 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) aa 00 de 00 de 55 00 e1 00 e1 00 00 00 00 00 00          
#db# Error reading the tag          
#db# Here is the partial content          
#db# -----------------------------------------          
#db# Memory content:          
#db# -----------------------------------------          
#db# 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# 00 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# <missing block 2>          
#db# <missing block 3>          
#db# -----------------------------------------   

Link to recorded data plot file in case is useful

On the chip there are 2.22 euro, so 222 is DE in hex, and I find many DE in different blocks.
As far as I understood, when the byte number 8 of the first block is 01, it means the chip is protected by password and it's not writable, however, I don't undestand why the line that has 01 in eighth byte is the 2nd, the 4th, the 6th and then others... Seems sectors are repeated. I know I should have 8 blocks, and as the 2nd and the 3rd are missing... I see that I can identify 6 different blocks in my code (with no clue about which one is the first except for the fact that it has 7 bytes = 00 at the beginning).

Now.. what could I do at this point? I know it should be possible to record communication between chip and reader using proxmark, is it correct? Can someone give me a link where to study better the procedure? Or another hint about how to proceed?
Thank you in advance smile


In case it helps:
I recorded other data with different amount of money on the key, this was with 2.98 euro (012a in hex)

 proxmark3> lf pcf7931 read
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00          
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
Waiting for a response from the proxmark...          
You can cancel this operation by pressing the pm3 button          
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05          
command execution time out          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) Max blocks: 4          
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00          
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00          
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# (dbg) c8 19 5a 9d d1 23 60 37 88 df 67 d3 a0 9c 09 05          
#db# (dbg) 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00          
#db# (dbg) 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# (dbg) 55 01 51 01 51 aa 01 2a 01 2a 00 00 00 00 00 00          
#db# Error reading the tag          
#db# Here is the partial content          
#db# -----------------------------------------          
#db# Memory content:          
#db# -----------------------------------------          
#db# 00 00 00 00 00 00 00 01 04 00 00 00 00 00 00 00          
#db# 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 03          
#db# <missing block 2>          
#db# <missing block 3>          
#db# -----------------------------------------      

Last edited by zavidos (2019-10-02 08:53:10)

Offline

#2 2019-08-12 19:43:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: PCF7931 first steps (edit:PCF7935)

I would say that the PCF7931 implementation could need some love to become better at presenting the data

Offline

#3 2019-08-22 09:34:36

zavidos
Contributor
Registered: 2019-07-17
Posts: 14

Re: PCF7931 first steps (edit:PCF7935)

iceman wrote:

I would say that the PCF7931 implementation could need some love to become better at presenting the data

ahah I would like to be able to give that love but at the current date all my love is consumed by "understanding" and the day I will be able to spend it in "creating" is still far

Offline

#4 2019-08-23 13:52:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: PCF7931 first steps (edit:PCF7935)

don't worry, you will get there soon enough and I be looking forward to your contributions smile

Offline

#5 2019-08-23 13:55:51

zavidos
Contributor
Registered: 2019-07-17
Posts: 14

Re: PCF7931 first steps (edit:PCF7935)

To get there, if you have any text or guide to link...feel free, I expected to find more literature on the topic eheh

Last edited by zavidos (2019-09-10 11:09:32)

Offline

#6 2019-09-10 09:44:11

accdigit
Contributor
Registered: 2019-09-04
Posts: 5

Re: PCF7931 first steps (edit:PCF7935)

Hi Zavidos,
do You have any progress?

Offline

#7 2019-09-10 11:14:03

zavidos
Contributor
Registered: 2019-07-17
Posts: 14

Re: PCF7931 first steps (edit:PCF7935)

accdigit wrote:

Hi Zavidos,
do You have any progress?

unfortunately I have no news, I tried with the simple lf sniff but I can't get anything, maybe the antenna is too small and I'm trying to figure out how to build a bigger one. The PCF7931 is fully inserted in the reader, so it is not phisically possible to keep the PM3 in between reander and tag.
I'm not even sure that with sniff I will get something, I started studying how to decode the raw signal

Offline

#8 2019-09-12 20:48:52

accdigit
Contributor
Registered: 2019-09-04
Posts: 5

Re: PCF7931 first steps (edit:PCF7935)

Are You shure that is not pcf7935?

Last edited by accdigit (2019-09-12 20:49:14)

Offline

#9 2019-09-12 21:31:25

accdigit
Contributor
Registered: 2019-09-04
Posts: 5

Re: PCF7931 first steps (edit:PCF7935)

http://imgur.com/a/kVm8Mgs

Last edited by accdigit (2019-09-12 21:42:49)

Offline

#10 2019-09-13 09:56:02

zavidos
Contributor
Registered: 2019-07-17
Posts: 14

Re: PCF7931 first steps (edit:PCF7935)

accdigit wrote:

Are You shure that is not pcf7935?

You are right, mine is PCF7935AS, but I didn't understand what does it change

Offline

#11 2019-10-02 08:52:35

zavidos
Contributor
Registered: 2019-07-17
Posts: 14

Re: PCF7931 first steps (edit:PCF7935)

Any help here?

Offline

#12 2019-10-03 07:45:02

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: PCF7931 first steps (edit:PCF7935)

While i know nothing about these cards or system, I did find these two lines interesting (based on your current values supplied)

aa  00 de 00 de   55   00 e1 00 e1   00 00 00 00 00 00      : 00de (2.22) (first card)
55  01 51 01 51   aa   01 2a 01 2a   00 00 00 00 00 00      : 012a (2.98) (second card)

With no more data to check, this is just a thought.
aa = Current Balance tag
55 = Previous Balance tag

<flag> <2 byte value> <2 byte value (repeat)> <flag> <2 byte value> <2 byte value (repeat)> <6 byte filler 0x00>

So, with that in mind, that would mean
Card 1, last spend was (00e1 - 00de)  = 0.03 ?
Card 2, last spend was (0151 - 012a)  = 0.27 ?

Offline

#13 2019-10-03 14:41:54

zavidos
Contributor
Registered: 2019-07-17
Posts: 14

Re: PCF7931 first steps (edit:PCF7935)

mwalker wrote:

While i know nothing about these cards or system, I did find these two lines interesting (based on your current values supplied)

aa  00 de 00 de   55   00 e1 00 e1   00 00 00 00 00 00      : 00de (2.22) (first card)
55  01 51 01 51   aa   01 2a 01 2a   00 00 00 00 00 00      : 012a (2.98) (second card)

With no more data to check, this is just a thought.
aa = Current Balance tag
55 = Previous Balance tag

<flag> <2 byte value> <2 byte value (repeat)> <flag> <2 byte value> <2 byte value (repeat)> <6 byte filler 0x00>

So, with that in mind, that would mean
Card 1, last spend was (00e1 - 00de)  = 0.03 ?
Card 2, last spend was (0151 - 012a)  = 0.27 ?

Hi, first of all, thanks for your interest.
This could be right, 0.03 is for sure ok, it is the price of an empty glass, while 0.27 is not, maybe result of charge+expense, one curiosity, did you use something to have immediate hex->dec conversion to see 2.22 and 2.98 or just converted the value you supposed are associate with credit?
In any case the problem is that I should find a way to sniff the first 7 bytes during reader/card communication and I don't find any, without them, seems I can't write in the PCF7935

Last edited by zavidos (2019-10-03 14:42:15)

Offline

#14 2019-10-04 00:47:00

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: PCF7931 first steps (edit:PCF7935)

"...did you use something to have immediate hex->dec conversion..."
Nope, I was just looking while on my train ride home from work smile

Offline

#15 2020-03-01 12:48:32

zavidos
Contributor
Registered: 2019-07-17
Posts: 14

Re: PCF7931 first steps (edit:PCF7935)

update: with last proxmark firmware readng pcf7935 became more difficult, even with good signal (data plot-->lf read). It takes long time and sometimes jsut get disordered blocks.

Moreover it appears impossible to write PCF7935 tag even with known password and multiple (tens) of writing pulse sent

Offline

Board footer

Powered by FluxBB