Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2019-12-03 07:34:26

HyperVectra
Contributor
From: Sydney
Registered: 2019-01-19
Posts: 8
Website

Unknown mifare Card

Hi,

My building got new HF card reader access, which I am trying to make a second copy. While I am ok with HF/LF HID or Indala cards, I have no real experience with Mifare Classic / 2K/4K Plus / Ultralight let alone DESfire cards. (Speaking of which, does anyone know a good guide to these cards? Please don't say 'read the 'product implementation data sheet' as maths is not my strong suit, or even a good overview of all the popular RFID implementations would be great)

Firstly, hw ver (on what I believe is iceman fork) on Proxmark v1

***
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-134-g70dbfc3-suspect 2019-09-27 02:39:21
os: master/v3.1.0-134-g70dbfc3-suspect 2019-09-27 02:39:30
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07
SmartCard Slot: not available

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 204527 bytes (78%). Free: 57617 bytes (22%).       
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
***

I am not even sure of the card size let alone the implementation (1k/DES etc).

Also not sure whether I should use hf mf/p or hf 14a.

Anyway, here is the card info:

***
UID : 04 60 39 9a 7d 24 80
ATQA : 00 42
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3
       -  TL : length is 12 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
       - TC1 : NAD is NOT supported, CID is supported
       -  HB : c1 05 2f 2f 01 bc d6 -> MIFARE Plus X 2K or 4K
               c1 -> Mifare or (multiple) virtual cards of various type
                  05 -> Length is 5 bytes
                     2x -> MIFARE Plus
                        2x -> Released
                           x1 -> VCS, VCSL, and SVC supported
No chinese magic backdoor command detected
PRNG data error: Wrong length: 0
Prng detection error.
----------------------------------------------
Mifare Plus info:
ATQA: Mifare Plus 4k 7bUID
SAK: Mifare Plus SL0/SL3 or Mifare desfire
Mifare Plus SL mode: SL3
***

When I search for keys using default dic it says none of the keys work.

Neither does autopwn, which just returns a 'could't retrieve tag nonce'

Also, here is hf list 14a printout:

***
Recorded Activity (TraceLen = 159 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error, ' denotes short bytes)            | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 52'                                                             |     | WUPA
       2228 |       4596 | Tag | 42  00                                                          |     |
      17024 |      19488 | Rdr | 93  20                                                          |     | ANTICOLL
      20660 |      26548 | Tag | 88  04  60  39  d5                                              |     |
      28928 |      39456 | Rdr | 93  70  88  04  60  39  d5  d2  9e                              |  ok | SELECT_UID
      40628 |      44148 | Tag | 04  da  17                                                      |     |
      45440 |      47904 | Rdr | 95  20                                                          |     | ANTICOLL-2
      49076 |      54964 | Tag | 9a  7d  24  80  43                                              |     |
      57344 |      67808 | Rdr | 95  70  9a  7d  24  80  43  2f  be                              |  ok | ANTICOLL-2
      69044 |      72628 | Tag | 20  fc  70                                                      |     |
      74112 |      78816 | Rdr | 60  00  f5  7b                                                  |  ok | AUTH-A(0)
     240000 |     244768 | Rdr | 50  00  57  cd                                                  |  ok | HALT
***

I don't want to be spoon fed answers here, I am not trying to be lazy but any help pointing me in the right direction would be appreciated.


the funniest thing about this particular signature is that by the time you realise it doesn't say anything it's to late to stop reading it

Offline

#2 2019-12-03 07:57:20

iceman
Administrator
Registered: 2013-04-25
Posts: 6,466
Website

Re: Unknown mifare Card

Your tag seem to be  MFP in SL3 mode.  No known easy cloning.

Mifare Plus SL mode: SL3

If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2019-12-03 08:13:44

HyperVectra
Contributor
From: Sydney
Registered: 2019-01-19
Posts: 8
Website

Re: Unknown mifare Card

Damn.

If _the_ authority says so then I guess I am screwed.

Thanks Iceman


the funniest thing about this particular signature is that by the time you realise it doesn't say anything it's to late to stop reading it

Offline

Board footer

Powered by FluxBB