Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2019-12-03 07:34:26

HyperVectra
Contributor
From: Sydney
Registered: 2019-01-19
Posts: 6

Unknown mifare Card

Hi,

My building got new HF card reader access, which I am trying to make a second copy. While I am ok with HF/LF HID or Indala cards, I have no real experience with Mifare Classic / 2K/4K Plus / Ultralight let alone DESfire cards. (Speaking of which, does anyone know a good guide to these cards? Please don't say 'read the 'product implementation data sheet' as maths is not my strong suit, or even a good overview of all the popular RFID implementations would be great)

Firstly, hw ver (on what I believe is iceman fork) on Proxmark v1

***
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-134-g70dbfc3-suspect 2019-09-27 02:39:21
os: master/v3.1.0-134-g70dbfc3-suspect 2019-09-27 02:39:30
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07
SmartCard Slot: not available

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 204527 bytes (78%). Free: 57617 bytes (22%).       
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
***

I am not even sure of the card size let alone the implementation (1k/DES etc).

Also not sure whether I should use hf mf/p or hf 14a.

Anyway, here is the card info:

***
UID : 04 60 39 9a 7d 24 80
ATQA : 00 42
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3
       -  TL : length is 12 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
       - TC1 : NAD is NOT supported, CID is supported
       -  HB : c1 05 2f 2f 01 bc d6 -> MIFARE Plus X 2K or 4K
               c1 -> Mifare or (multiple) virtual cards of various type
                  05 -> Length is 5 bytes
                     2x -> MIFARE Plus
                        2x -> Released
                           x1 -> VCS, VCSL, and SVC supported
No chinese magic backdoor command detected
PRNG data error: Wrong length: 0
Prng detection error.
----------------------------------------------
Mifare Plus info:
ATQA: Mifare Plus 4k 7bUID
SAK: Mifare Plus SL0/SL3 or Mifare desfire
Mifare Plus SL mode: SL3
***

When I search for keys using default dic it says none of the keys work.

Neither does autopwn, which just returns a 'could't retrieve tag nonce'

Also, here is hf list 14a printout:

***
Recorded Activity (TraceLen = 159 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error, ' denotes short bytes)            | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 52'                                                             |     | WUPA
       2228 |       4596 | Tag | 42  00                                                          |     |
      17024 |      19488 | Rdr | 93  20                                                          |     | ANTICOLL
      20660 |      26548 | Tag | 88  04  60  39  d5                                              |     |
      28928 |      39456 | Rdr | 93  70  88  04  60  39  d5  d2  9e                              |  ok | SELECT_UID
      40628 |      44148 | Tag | 04  da  17                                                      |     |
      45440 |      47904 | Rdr | 95  20                                                          |     | ANTICOLL-2
      49076 |      54964 | Tag | 9a  7d  24  80  43                                              |     |
      57344 |      67808 | Rdr | 95  70  9a  7d  24  80  43  2f  be                              |  ok | ANTICOLL-2
      69044 |      72628 | Tag | 20  fc  70                                                      |     |
      74112 |      78816 | Rdr | 60  00  f5  7b                                                  |  ok | AUTH-A(0)
     240000 |     244768 | Rdr | 50  00  57  cd                                                  |  ok | HALT
***

I don't want to be spoon fed answers here, I am not trying to be lazy but any help pointing me in the right direction would be appreciated.


Of all the things I miss the most, I miss my mind the most

Offline

#2 2019-12-03 07:57:20

iceman
Administrator
Registered: 2013-04-25
Posts: 5,944
Website

Re: Unknown mifare Card

Your tag seem to be  MFP in SL3 mode.  No known easy cloning.

Mifare Plus SL mode: SL3

If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2019-12-03 08:13:44

HyperVectra
Contributor
From: Sydney
Registered: 2019-01-19
Posts: 6

Re: Unknown mifare Card

Damn.

If _the_ authority says so then I guess I am screwed.

Thanks Iceman


Of all the things I miss the most, I miss my mind the most

Offline

Board footer

Powered by FluxBB