Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-05-29 20:34:37

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Access conditions restore/reset on Gen3 Chinese card, possible?

Hello, I have a Gen3 4k 7b Chinese card with broken access conditions for sector 0.

iceman described UID changing of this card in this post:
http://www.proxmark.org/forum/viewtopic … 843#p35843

UID changing still works and the UID is NOT locked.

Is there any chance to write block 3 (access conditions block for sector 0) on this card via this or a similar command?

Current state is:

[usb] pm3 --> hf mf autopwn * 1 f keys.dic

[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff   | D | 00ffffffffff   | D |
[+] | 001 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 002 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 003 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 004 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 005 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 006 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 007 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 008 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 009 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 010 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 011 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 012 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 013 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 014 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 015 | ffffffffffff   | D | ffffffffffff   | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / A:keyA )
[usb] pm3 --> hf mf wrbl 3 B 00FFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block no:3, key type:B, key:00 FF FF FF FF FF
--data: FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Cmd Error: 04
#db# Write block error
isOk:00
[usb] pm3 --> hf mf wrbl 3 A FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block no:3, key type:A, key:FF FF FF FF FF FF
--data: FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Cmd Error: 04
#db# Write block error
isOk:00
[usb] pm3 --> hf search
[|]Searching for ISO14443-A tag...
[+]  UID: 04 12 19 C3 21 93 16
[+] ATQA: 00 42
[+]  SAK: 18 [2]
[+] MANUFACTURER:    NXP Semiconductors Germany
[+] POSSIBLE TYPE:    MIFARE Classic 1K / Classic 1K CL2
[+] POSSIBLE TYPE:    MIFARE Plus 2K / Plus EV1 2K
[+] POSSIBLE TYPE:    MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[+] POSSIBLE TYPE:    MIFARE Plus 2K / Plus CL2 2K
[+] POSSIBLE TYPE:    MIFARE Plus 4K / Plus EV1 4K
[+] POSSIBLE TYPE:    MIFARE Plus CL2 4K / Plus CL2 EV1 4K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak

[+] Valid ISO14443-A tag found

Also, it doesn't answer backdoor commands:

[usb] pm3 --> hf mf cwipe
#db# wupC1 error
[!] Retry block[0]...
#db# wupC1 error
[!] Retry block[0]...
#db# wupC1 error
[!] Retry block[0]...
[!!] Error setting block[0]: -1
[!!] Can't wipe card. error=-1

Last edited by Monster1024 (2020-06-07 14:34:41)


#2 2020-06-07 13:37:52

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Access conditions restore/reset on Gen3 Chinese card, possible?

Hmmm. Today my ACR122U arrived, and I restored this "dead" card with the "PCSC Mifare" software.
The button "Set UID++ Info" sets the UID and ERASES all sector data.

But the problem for now is that I don't know how this software does the restore.

I have tried to use "hf 14a sniff" to get the raw command with the Proxmark, but I got many select commands and one "90f0cccc10041219c321931c984200e32000".
When I tried to replay it, it only changed the UID but didn't erase all sector data.

Here is sample log from Proxmark with erasing procedure: https://pastebin.com/iYP9izcW

How can I sniff/get the command to do the erase with the Proxmark?

@iceman - I hope you can help :)

P.S. The software link I found is here:  https://www.dropbox.com/s/7rwcu3y5lptss … w.rar?dl=0

Last edited by Monster1024 (2020-06-07 13:49:30)


#3 2020-06-07 14:20:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: Access conditions restore/reset on Gen3 Chinese card, possible?

That command maybe also resets the sector trailers? You will need to dump the card before and after you run the software and sniff with yr pm3 to see what the software is actually doing.

Three identified commands, I have updated my post you linked to.


#4 2020-06-07 14:22:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: Access conditions restore/reset on Gen3 Chinese card, possible?

And I think you can update yr first post subject. You seem to have a gen3 card. We don't call it "hybrid card" even if I think the functions on the card seem to be a mix between gen1 and gen2 cards.


#5 2020-06-07 14:40:58

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Access conditions restore/reset on Gen3 Chinese card, possible?

Updated first post with card name.

My goal is to be able to "format" gen3 cards with the Proxmark (without PCSC software).

Dump files uploaded here:
https://github.com/monster1025/fileshar … clear_test

Here is my test:

Dumping card contents before erase:

[usb] pm3 --> hf mf autopwn * 1 f keys.dic
[!] no known key was supplied, key recovery might fail
[+] loaded 30 keys from dictionary file keys.dic
[=] running strategy 1
..
[=] Chunk: 4.2s | found 32/32 keys (30)

[+] target sector:  0 key type: A -- found valid key [A0 A1 A2 A3 A4 A5 ] (used for nested / hardnested attack)
[+] target sector:  0 key type: B -- found valid key [FB F2 25 DC 5D 58 ]
[+] target sector:  1 key type: A -- found valid key [A8 26 07 B0 1C 0D ]
[+] target sector:  1 key type: B -- found valid key [29 10 98 9B 68 80 ]
[+] target sector:  2 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector:  2 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector:  3 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector:  3 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector:  4 key type: A -- found valid key [73 06 8F 11 8C 13 ]
[+] target sector:  4 key type: B -- found valid key [2B 7F 32 53 FA C5 ]
[+] target sector:  5 key type: A -- found valid key [FB C2 79 3D 54 0B ]
[+] target sector:  5 key type: B -- found valid key [D3 A2 97 DC 26 98 ]
[+] target sector:  6 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector:  6 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector:  7 key type: A -- found valid key [AE 3D 65 A3 DA D4 ]
[+] target sector:  7 key type: B -- found valid key [0F 1C 63 01 3D BA ]
[+] target sector:  8 key type: A -- found valid key [A7 3F 5D C1 D3 33 ]
[+] target sector:  8 key type: B -- found valid key [E3 51 73 49 4A 81 ]
[+] target sector:  9 key type: A -- found valid key [69 A3 2F 1C 2F 19 ]
[+] target sector:  9 key type: B -- found valid key [6B 8B D9 86 07 63 ]
[+] target sector: 10 key type: A -- found valid key [9B EC DF 3D 92 73 ]
[+] target sector: 10 key type: B -- found valid key [F8 49 34 07 79 9D ]
[+] target sector: 11 key type: A -- found valid key [08 B3 86 46 32 29 ]
[+] target sector: 11 key type: B -- found valid key [5E FB AE CE F4 6B ]
[+] target sector: 12 key type: A -- found valid key [CD 4C 61 C2 6E 3D ]
[+] target sector: 12 key type: B -- found valid key [31 C7 61 0D E3 B0 ]
[+] target sector: 13 key type: A -- found valid key [A8 26 07 B0 1C 0D ]
[+] target sector: 13 key type: B -- found valid key [29 10 98 9B 68 80 ]
[+] target sector: 14 key type: A -- found valid key [0E 8F 64 34 0B A4 ]
[+] target sector: 14 key type: B -- found valid key [4A CE C1 20 5D 75 ]
[+] target sector: 15 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector: 15 key type: B -- found valid key [EA AC 88 E5 DC 99 ]

[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | a0a1a2a3a4a5   | D | fbf225dc5d58   | D |
[+] | 001 | a82607b01c0d   | D | 2910989b6880   | D |
[+] | 002 | 2aa05ed1856f   | D | eaac88e5dc99   | D |
[+] | 003 | 2aa05ed1856f   | D | eaac88e5dc99   | D |
[+] | 004 | 73068f118c13   | D | 2b7f3253fac5   | D |
[+] | 005 | fbc2793d540b   | D | d3a297dc2698   | D |
[+] | 006 | 2aa05ed1856f   | D | eaac88e5dc99   | D |
[+] | 007 | ae3d65a3dad4   | D | 0f1c63013dba   | D |
[+] | 008 | a73f5dc1d333   | D | e35173494a81   | D |
[+] | 009 | 69a32f1c2f19   | D | 6b8bd9860763   | D |
[+] | 010 | 9becdf3d9273   | D | f8493407799d   | D |
[+] | 011 | 08b386463229   | D | 5efbaecef46b   | D |
[+] | 012 | cd4c61c26e3d   | D | 31c7610de3b0   | D |
[+] | 013 | a82607b01c0d   | D | 2910989b6880   | D |
[+] | 014 | 0e8f64340ba4   | D | 4acec1205d75   | D |
[+] | 015 | 2aa05ed1856f   | D | eaac88e5dc99   | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / A:keyA )

[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-041219C3219317-key.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-041219C3219317-dump.bin
[+] saved 64 blocks to text file hf-mf-041219C3219317-dump.eml
[+] saved to json file hf-mf-041219C3219317-dump.json
[=] autopwn execution time: 6 seconds

Then run "hf 14a sniff", put the card with the Proxmark on the ACR122U and run "Set UID++ Info" from the PCSC Mifare software:

[usb] pm3 --> hf 14a sniff
#db# Starting to sniff
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=1425, Uart.output[0]=00000095
[usb] pm3 --> hf list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 1425 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26                                                                       |     | REQA
      76032 |      77088 | Rdr |26                                                                       |     | REQA
     574832 |     575888 | Rdr |26                                                                       |     | REQA
     650480 |     651536 | Rdr |26                                                                       |     | REQA
    4206976 |    4208032 | Rdr |26                                                                       |     | REQA
    4209236 |    4211604 | Tag |42  00                                                                   |     |
    4220288 |    4222752 | Rdr |93  20                                                                   |     | ANTICOLL
    4223940 |    4229764 | Tag |88  04  12  19  87                                                       |     |
    4250992 |    4261456 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
    4262724 |    4266244 | Tag |1c  13  8b                                                               |     |
    4275440 |    4277904 | Rdr |95  20                                                                   |     | ANTICOLL-2
    4279092 |    4284916 | Tag |c3  21  93  17  66                                                       |     |
    4306272 |    4316736 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
    4317988 |    4321572 | Tag |18  37  cd                                                               |     |
    7382528 |    7383520 | Rdr |52                                                                       |     | WUPA
    7458432 |    7459424 | Rdr |52                                                                       |     | WUPA
    7460676 |    7463044 | Tag |42  00                                                                   |     |
    7476336 |    7486800 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
    7488068 |    7491588 | Tag |1c  13  8b                                                               |     |
    7504496 |    7510352 | Rdr |95  50  c3  21  93                                                       |     | ANTICOLL-2
    7511604 |    7513972 | Tag |17  66                                                                   |     |
    7530720 |    7541184 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
    7542436 |    7546020 | Tag |18  37  cd                                                               |     |
   10605312 |   10606304 | Rdr |52                                                                       |     | WUPA
   10681344 |   10682336 | Rdr |52                                                                       |     | WUPA
   10683588 |   10685956 | Tag |42  00                                                                   |     |
   10699248 |   10709712 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   10710980 |   10714500 | Tag |1c  13  8b                                                               |     |
   10727536 |   10733392 | Rdr |95  50  c3  21  93                                                       |     | ANTICOLL-2
   10734644 |   10737012 | Tag |17  66                                                                   |     |
   10753760 |   10764224 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   10765492 |   10769076 | Tag |18  37  cd                                                               |     |
   13828496 |   13829488 | Rdr |52                                                                       |     | WUPA
   13904512 |   13905504 | Rdr |52                                                                       |     | WUPA
   13906772 |   13909140 | Tag |42  00                                                                   |     |
   13922432 |   13932896 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   13934148 |   13937668 | Tag |1c  13  8b                                                               |     |
   13950576 |   13956432 | Rdr |95  50  c3  21  93                                                       |     | ANTICOLL-2
   13957684 |   13960052 | Tag |17  66                                                                   |     |
   13976816 |   13987280 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   13988532 |   13992116 | Tag |18  37  cd                                                               |     |
   15039936 |   15040928 | Rdr |52                                                                       |     | WUPA
   15115968 |   15116960 | Rdr |52                                                                       |     | WUPA
   15118212 |   15120580 | Tag |42  00                                                                   |     |
   15133888 |   15144352 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   15145604 |   15149124 | Tag |1c  13  8b                                                               |     |
   15162160 |   15168016 | Rdr |95  50  c3  21  93                                                       |     | ANTICOLL-2
   15169268 |   15171636 | Tag |17  66                                                                   |     |
   15188512 |   15198976 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   15200244 |   15203828 | Tag |18  37  cd                                                               |     |
   15427472 |   15428528 | Rdr |26                                                                       |     | REQA
   15503376 |   15504432 | Rdr |26                                                                       |     | REQA
   15505620 |   15507988 | Tag |42  00                                                                   |     |
   15516688 |   15519152 | Rdr |93  20                                                                   |     | ANTICOLL
   15520340 |   15526164 | Tag |88  04  12  19  87                                                       |     |
   15547392 |   15557856 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   15559108 |   15562628 | Tag |1c  13  8b                                                               |     |
   15571824 |   15574288 | Rdr |95  20                                                                   |     | ANTICOLL-2
   15575492 |   15581316 | Tag |c3  21  93  17  66                                                       |     |
   15602672 |   15613136 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   15614388 |   15617972 | Tag |18  37  cd                                                               |     |
   15895520 |   15922112 | Rdr |90  f0  cc  cc  10  04  12  19  c3  21  93  18  98  42  00  e3  20  00   |     |
            |            |     |00  00  00  7b  90                                                       |  ok |
   16096164 |   16100900 | Tag |90  00  fd  07                                                           |     |
   39146448 |   39147440 | Rdr |52                                                                       |     | WUPA
   39222480 |   39223472 | Rdr |52                                                                       |     | WUPA
   39224724 |   39227092 | Tag |42  00                                                                   |     |
   39240384 |   39250848 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   39252116 |   39255636 | Tag |1c  13  8b                                                               |     |
   39268544 |   39274400 | Rdr |95  50  c3  21  93                                                       |     | ANTICOLL-2
   39275652 |   39278020 | Tag |17  66                                                                   |     |
   39294768 |   39305232 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   39306484 |   39310068 | Tag |18  37  cd                                                               |     |
   41284848 |   41285840 | Rdr |52                                                                       |     | WUPA
   41360752 |   41361744 | Rdr |52                                                                       |     | WUPA
   41362996 |   41365364 | Tag |42  00                                                                   |     |
   41378656 |   41389120 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   41390388 |   41393908 | Tag |1c  13  8b                                                               |     |
   41406816 |   41412672 | Rdr |95  50  c3  21  93                                                       |     | ANTICOLL-2
   41413924 |   41416292 | Tag |17  66                                                                   |     |
   41433040 |   41443504 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   41444756 |   41448340 | Tag |18  37  cd                                                               |     |
   44507760 |   44508752 | Rdr |52                                                                       |     | WUPA
   44583792 |   44584784 | Rdr |52                                                                       |     | WUPA
   44586036 |   44588404 | Tag |42  00                                                                   |     |
   44601696 |   44612160 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   44613428 |   44616948 | Tag |1c  13  8b                                                               |     |
   44629856 |   44635712 | Rdr |95  50  c3  21  93                                                       |     | ANTICOLL-2
   44636964 |   44639332 | Tag |17  66                                                                   |     |
   44656080 |   44666544 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   44667812 |   44671396 | Tag |18  37  cd                                                               |     |
   47730800 |   47731792 | Rdr |52                                                                       |     | WUPA
   47806832 |   47807824 | Rdr |52                                                                       |     | WUPA
   47809092 |   47811460 | Tag |42  00                                                                   |     |
   47824752 |   47835216 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   47836468 |   47839988 | Tag |1c  13  8b                                                               |     |
   47853024 |   47858880 | Rdr |95  50  c3  21  93                                                       |     | ANTICOLL-2
   47860132 |   47862500 | Tag |17  66                                                                   |     |
   47879248 |   47889712 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   47890980 |   47894564 | Tag |18  37  cd                                                               |     |
   50953968 |   50954960 | Rdr |52                                                                       |     | WUPA
   51030000 |   51030992 | Rdr |52                                                                       |     | WUPA
   51032244 |   51034612 | Tag |42  00                                                                   |     |
   51047904 |   51058368 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   51059620 |   51063140 | Tag |1c  13  8b                                                               |     |
   51076176 |   51082032 | Rdr |95  50  c3  21  93                                                       |     | ANTICOLL-2
   51083300 |   51085668 | Tag |17  66                                                                   |     |
   51102416 |   51112880 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   51114132 |   51117716 | Tag |18  37  cd                                                               |     |
[usb] pm3 -->

and now read it back:

[usb] pm3 --> hf mf autopwn * 1 f keys.dic
[!] no known key was supplied, key recovery might fail
[+] loaded 30 keys from dictionary file keys.dic
[=] running strategy 1

[=] Chunk: 0.8s | found 32/32 keys (30)

[+] target sector:  0 key type: A -- found valid key [FF FF FF FF FF FF ] (used for nested / hardnested attack)
[+] target sector:  0 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  1 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  1 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  2 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  2 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  3 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  3 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  4 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  4 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  5 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  5 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  6 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  6 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  7 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  7 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  8 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  8 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  9 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  9 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 10 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 10 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 11 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 11 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 12 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 12 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 13 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 13 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 14 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 14 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 15 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 15 key type: B -- found valid key [FF FF FF FF FF FF ]

[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 001 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 002 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 003 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 004 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 005 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 006 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 007 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 008 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 009 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 010 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 011 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 012 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 013 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 014 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 015 | ffffffffffff   | D | ffffffffffff   | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / A:keyA )

[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-041219C3219318-key.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
#db# Cmd Error: 04
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-041219C3219318-dump.bin
[+] saved 64 blocks to text file hf-mf-041219C3219318-dump.eml
[+] saved to json file hf-mf-041219C3219318-dump.json
[=] autopwn execution time: 3 seconds
[usb] pm3 -->

Last edited by Monster1024 (2020-06-07 14:50:46)


#6 2020-06-07 14:51:44

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: Access conditions restore/reset on Gen3 Chinese card, possible?

Looks like the command which writes a full block 0 also does a full reset.
Did you see if the data on the card also got wiped?

Ok, I saw your link. It sure looks like that one command does it all. Strange way of mixing behavior in a command.


#7 2020-06-07 14:59:38

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Access conditions restore/reset on Gen3 Chinese card, possible?

Ok, but now we are moving further:

I have restored the UID back to 041219C3219317 and restored the card contents with "hf mf restore u 041219C3219317".
It was written successfully and I can read it back.

Now I want to do a wipe with the Proxmark, without the PCSC software.

I run

[usb] pm3 --> hf 14a raw -s -c -t 2000 90f0cccc10041219c3219318984200e32000
Card selected. UID[7]:
04 12 19 C3 21 93 17
received 4 bytes
90 00 FD 07

and then

[usb] pm3 --> hf mf autopwn * 1 f keys.dic
[!] no known key was supplied, key recovery might fail
[+] loaded 30 keys from dictionary file keys.dic
[=] running strategy 1
..
[=] Chunk: 4.2s | found 32/32 keys (30)

[+] target sector:  0 key type: A -- found valid key [A0 A1 A2 A3 A4 A5 ] (used for nested / hardnested attack)
[+] target sector:  0 key type: B -- found valid key [FB F2 25 DC 5D 58 ]
[+] target sector:  1 key type: A -- found valid key [A8 26 07 B0 1C 0D ]
[+] target sector:  1 key type: B -- found valid key [29 10 98 9B 68 80 ]
[+] target sector:  2 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector:  2 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector:  3 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector:  3 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector:  4 key type: A -- found valid key [73 06 8F 11 8C 13 ]
[+] target sector:  4 key type: B -- found valid key [2B 7F 32 53 FA C5 ]
[+] target sector:  5 key type: A -- found valid key [FB C2 79 3D 54 0B ]
[+] target sector:  5 key type: B -- found valid key [D3 A2 97 DC 26 98 ]
[+] target sector:  6 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector:  6 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector:  7 key type: A -- found valid key [AE 3D 65 A3 DA D4 ]
[+] target sector:  7 key type: B -- found valid key [0F 1C 63 01 3D BA ]
[+] target sector:  8 key type: A -- found valid key [A7 3F 5D C1 D3 33 ]
[+] target sector:  8 key type: B -- found valid key [E3 51 73 49 4A 81 ]
[+] target sector:  9 key type: A -- found valid key [69 A3 2F 1C 2F 19 ]
[+] target sector:  9 key type: B -- found valid key [6B 8B D9 86 07 63 ]
[+] target sector: 10 key type: A -- found valid key [9B EC DF 3D 92 73 ]
[+] target sector: 10 key type: B -- found valid key [F8 49 34 07 79 9D ]
[+] target sector: 11 key type: A -- found valid key [08 B3 86 46 32 29 ]
[+] target sector: 11 key type: B -- found valid key [5E FB AE CE F4 6B ]
[+] target sector: 12 key type: A -- found valid key [CD 4C 61 C2 6E 3D ]
[+] target sector: 12 key type: B -- found valid key [31 C7 61 0D E3 B0 ]
[+] target sector: 13 key type: A -- found valid key [A8 26 07 B0 1C 0D ]
[+] target sector: 13 key type: B -- found valid key [29 10 98 9B 68 80 ]
[+] target sector: 14 key type: A -- found valid key [0E 8F 64 34 0B A4 ]
[+] target sector: 14 key type: B -- found valid key [4A CE C1 20 5D 75 ]
[+] target sector: 15 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector: 15 key type: B -- found valid key [EA AC 88 E5 DC 99 ]

[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | a0a1a2a3a4a5   | D | fbf225dc5d58   | D |
[+] | 001 | a82607b01c0d   | D | 2910989b6880   | D |
[+] | 002 | 2aa05ed1856f   | D | eaac88e5dc99   | D |
[+] | 003 | 2aa05ed1856f   | D | eaac88e5dc99   | D |
[+] | 004 | 73068f118c13   | D | 2b7f3253fac5   | D |
[+] | 005 | fbc2793d540b   | D | d3a297dc2698   | D |
[+] | 006 | 2aa05ed1856f   | D | eaac88e5dc99   | D |
[+] | 007 | ae3d65a3dad4   | D | 0f1c63013dba   | D |
[+] | 008 | a73f5dc1d333   | D | e35173494a81   | D |
[+] | 009 | 69a32f1c2f19   | D | 6b8bd9860763   | D |
[+] | 010 | 9becdf3d9273   | D | f8493407799d   | D |
[+] | 011 | 08b386463229   | D | 5efbaecef46b   | D |
[+] | 012 | cd4c61c26e3d   | D | 31c7610de3b0   | D |
[+] | 013 | a82607b01c0d   | D | 2910989b6880   | D |
[+] | 014 | 0e8f64340ba4   | D | 4acec1205d75   | D |
[+] | 015 | 2aa05ed1856f   | D | eaac88e5dc99   | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / A:keyA )

[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-041219C3219318-key.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-041219C3219318-dump.bin
[+] saved 64 blocks to text file hf-mf-041219C3219318-dump.eml
[+] saved to json file hf-mf-041219C3219318-dump.json
[=] autopwn execution time: 6 seconds

My data is NOT wiped with this command.
Maybe we are missing some commands in "hf 14a sniff"? I have tried many times, but got only this one :(

P.S. The Set UID button's run time is longer than one command's "time" (I have tried to simulate a Gen3 card with the Proxmark, and got an error after this first "90f0cccc..." command -- but it was much faster than a real whole-card wipe).
So my assumption is that "hf 14a sniff" missed some commands in the log; can this happen?


I think that PCSC is sending some "backdoor" commands to deal with block data, but we are missing them in the sniff log.

Last edited by Monster1024 (2020-06-07 15:09:42)

Offline

#8 2020-06-07 16:12:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Access conditions restore/reset on Gen3 chineese card, possible?

Not really missing anything in your sniff. The timestamps look good.

One thing that is different is that when the software is sending a command, it uses REQA instead of WUPA.
Another is that your UID-changing command tries to set: 04 12 19 c3 21 93 18 but the anticollision afterwards keeps on saying the old UID.
04 12 19 c3 21 93 17....

And you would need to modify the pm3 simulation code in order to properly simulate a gen3 card.

   15427472 |   15428528 | Rdr |26                                                                       |     | REQA
   15503376 |   15504432 | Rdr |26                                                                       |     | REQA
   15505620 |   15507988 | Tag |42  00                                                                   |     |
   15516688 |   15519152 | Rdr |93  20                                                                   |     | ANTICOLL
   15520340 |   15526164 | Tag |88  04  12  19  87                                                       |     |
   15547392 |   15557856 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   15559108 |   15562628 | Tag |1c  13  8b                                                               |     |
   15571824 |   15574288 | Rdr |95  20                                                                   |     | ANTICOLL-2
   15575492 |   15581316 | Tag |c3  21  93  17  66                                                       |     |
   15602672 |   15613136 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   15614388 |   15617972 | Tag |18  37  cd                                                               |     |
   15895520 |   15922112 | Rdr |90  f0  cc  cc  10  04  12  19  c3  21  93  18  98  42  00  e3  20  00   |     |
            |            |     |00  00  00  7b  90                                                       |  ok |
   16096164 |   16100900 | Tag |90  00  fd  07                                                           |     |
   39146448 |   39147440 | Rdr |52                                                                       |     | WUPA
   39222480 |   39223472 | Rdr |52                                                                       |     | WUPA
   39224724 |   39227092 | Tag |42  00                                                                   |     |
   39240384 |   39250848 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
   39252116 |   39255636 | Tag |1c  13  8b                                                               |     |
   39268544 |   39274400 | Rdr |95  50  c3  21  93                                                       |     | ANTICOLL-2
   39275652 |   39278020 | Tag |17  66                                                                   |     |
   39294768 |   39305232 | Rdr |95  70  c3  21  93  17  66  b6  fc                                       |  ok | SELECT_UID-2
   39306484 |   39310068 | Tag |18  37  cd          

Anyway,  happy hunting!

Offline

#9 2020-06-07 19:32:37

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Access conditions restore/reset on Gen3 chineese card, possible?

Yep, you are correct - I have installed a USB analyser and sniffed the USB communication to the ACR122u; it is really only one command that does all the magic (90 f0 cc cc).
Also, I wrote a simple C# app that sends only this command to the ACR122u - and the card is wiped.

But I can't replay it with proxmark.

I have changed WUPA to REQA in select sequence, but it didn't help.

[usb] pm3 --> hf 14a raw -s -c -t 2000 90f0cccc10041219c3219318984200e32000000000
Card selected. UID[7]:          
06 12 19 C3 21 93 18           
received 4 bytes          
90 00 FD 07           
[usb] pm3 --> hf list
[+] Recorded activity (trace len = 211 bytes)          
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)          
          
      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation          
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------          
          0 |       1056 | Rdr |26                                                                       |     | REQA          
       2116 |       4484 | Tag |42  00                                                                   |     |           
       7040 |       8096 | Rdr |26                                                                       |     | REQA          
      14080 |      15136 | Rdr |26                                                                       |     | REQA          
      16196 |      18564 | Tag |42  00                                                                   |     |           
      21120 |      23584 | Rdr |93  20                                                                   |     | ANTICOLL          
      24644 |      30532 | Tag |88  06  12  19  85                                                       |     |           
      33280 |      43808 | Rdr |93  70  88  06  12  19  85  72  e3                                       |  ok | SELECT_UID          
      44868 |      48388 | Tag |1c  13  8b                                                               |     |           
      49792 |      52256 | Rdr |95  20                                                                   |     | ANTICOLL-2          
      53316 |      59140 | Tag |c3  21  93  18  69                                                       |     |           
      61952 |      72416 | Rdr |95  70  c3  21  93  18  69  89  87                                       |  ok | SELECT_UID-2          
      73540 |      77124 | Tag |18  37  cd                                                               |     |           
      89728 |     116320 | Rdr |90  f0  cc  cc  10  04  12  19  c3  21  93  18  98  42  00  e3  20  00   |     |           
            |            |     |00  00  00  7b  90                                                       |  ok |           
     289988 |     294724 | Tag |90  00  fd  07                                                           |     |           

Last edited by Monster1024 (2020-06-07 19:40:12)

Offline
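
The frame checks behind the reply in #8, as an added example that is not part of the original posts and is not Proxmark3 client code: it verifies CRC_A and BCC on frames copied from the two traces, rebuilds the 7-byte UID from the anticollision answers, and compares it with the UID bytes carried in the 90 f0 cc cc frame. The function names are hypothetical, and reading frame bytes 5 to 11 as the UID to set is an assumption taken from that reply.

```python
# Added example: frame bytes copied from the thread's traces; helper names are hypothetical.

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (preset 0x6363), transmitted low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b = (b ^ (b << 4)) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def crc_ok(frame: bytes) -> bool:
    """True when the last two bytes are the CRC_A of everything before them."""
    return len(frame) > 2 and crc_a(frame[:-2]) == frame[-2:]

def uid_from_anticoll(levels) -> bytes:
    """Rebuild a UID from the tag's answer at each cascade level.
    Each answer is four bytes plus BCC (their XOR). A leading 0x88 cascade
    tag on a non-final level is a marker, not part of the UID.
    """
    uid = bytearray()
    for i, resp in enumerate(levels):
        if len(resp) != 5 or resp[0] ^ resp[1] ^ resp[2] ^ resp[3] != resp[4]:
            raise ValueError(f"cascade level {i + 1}: bad length or BCC")
        more_levels = i < len(levels) - 1
        uid += resp[1:4] if (resp[0] == 0x88 and more_levels) else resp[:4]
    return bytes(uid)

def requested_uid(cmd: bytes) -> bytes:
    """UID carried in the 90 f0 cc cc frame. Offset 5..11 is an assumption
    based on the reply in #8, which reads those bytes as the UID to set."""
    if cmd[:4] != bytes.fromhex("90f0cccc") or not crc_ok(cmd):
        raise ValueError("not an intact 90 f0 cc cc frame")
    return cmd[5:12]

def differing_bytes(a: bytes, b: bytes):
    """Indexes at which two equal-length UIDs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

H = bytes.fromhex
CMD = H("90f0cccc10041219c3219318984200e320000000007b90")
SNIFF_AFTER = [H("8804121987"), H("c321931766")]    # post #8: answers after the command
REPLAY_SELECT = [H("8806121985"), H("c321931869")]  # post #9: select before the replay

if __name__ == "__main__":
    want = requested_uid(CMD)
    for name, levels in (("sniff", SNIFF_AFTER), ("replay", REPLAY_SELECT)):
        got = uid_from_anticoll(levels)
        print(name, got.hex(), "differs from requested at", differing_bytes(want, got))
```

Run against a saved `hf list` trace, the same checks separate a frame that was corrupted in capture (bad CRC_A or BCC) from a card that answered cleanly but kept a different UID.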
