After I dump the contents of the MIFARE card to dumpdata.bin and open it in a hex editor, is there any way to read what comes up in plain text?
Offline
If you already have dumpdata.bin in the proxmark3.exe folder, execute this script:
script run htmldump.lua
and dumpdata.bin will be "converted" into an easy-to-read "actual-date-time.html" file, with RAW DATA on the left and ASCII on the right (thanks Holiman for this) [dumpdata.bin will not be deleted]; here is an example:
If you need an automatic procedure you can execute:
script run mifare_autopwn.lua
where cracking + dumping + converting to HTML is an automatic process! In this case the HTML dump name will be "mifare_UID.html" and not actual-date-time.html.
Here is an example:
proxmark3> script run mifare_autopwn
--- Executing: ./scripts/mifare_autopwn.lua, args''
Card found, commencing crack 6E442129
uid(6e442129) nt(8f699195) par(0000000000000000) ks(040009030d0c0903) nr(30e3ec000000000)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| 4 | 1 |0,0,0,0,0,0,0,0|
| 20 |00000020| 0 | 5 |0,0,0,0,0,0,0,0|
| 40 |00000040| 9 | c |0,0,0,0,0,0,0,0|
| 60 |00000060| 3 | 6 |0,0,0,0,0,0,0,0|
| 80 |00000080| d | 8 |0,0,0,0,0,0,0,0|
| a0 |000000a0| c | 9 |0,0,0,0,0,0,0,0|
| c0 |000000c0| 9 | c |0,0,0,0,0,0,0,0|
| e0 |000000e0| 3 | 6 |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix problem)
uid(6e442129) nt(8f699195) par(0000000000000000) ks(090d0b0305020f02) nr(30e3ec000000001)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000001| 9 | c |0,0,0,0,0,0,0,0|
| 20 |00000021| d | 8 |0,0,0,0,0,0,0,0|
| 40 |00000041| b | e |0,0,0,0,0,0,0,0|
| 60 |00000061| 3 | 6 |0,0,0,0,0,0,0,0|
| 80 |00000081| 5 | 0 |0,0,0,0,0,0,0,0|
| a0 |000000a1| 2 | 7 |0,0,0,0,0,0,0,0|
| c0 |000000c1| f | a |0,0,0,0,0,0,0,0|
| e0 |000000e1| 2 | 7 |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix problem)
uid(6e442129) nt(8f699195) par(0000000000000000) ks(03030508030b0c0e) nr(30e3ec000000002)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000002| 3 | 6 |0,0,0,0,0,0,0,0|
| 20 |00000022| 3 | 6 |0,0,0,0,0,0,0,0|
| 40 |00000042| 5 | 0 |0,0,0,0,0,0,0,0|
| 60 |00000062| 8 | d |0,0,0,0,0,0,0,0|
| 80 |00000082| 3 | 6 |0,0,0,0,0,0,0,0|
| a0 |000000a2| b | e |0,0,0,0,0,0,0,0|
| c0 |000000c2| c | 9 |0,0,0,0,0,0,0,0|
| e0 |000000e2| e | b |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix problem)
uid(6e442129) nt(8f699195) par(0000000000000000) ks(02010f030c0d050d) nr(30e3ec000000003)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000003| 2 | 7 |0,0,0,0,0,0,0,0|
| 20 |00000023| 1 | 4 |0,0,0,0,0,0,0,0|
| 40 |00000043| f | a |0,0,0,0,0,0,0,0|
| 60 |00000063| 3 | 6 |0,0,0,0,0,0,0,0|
| 80 |00000083| c | 9 |0,0,0,0,0,0,0,0|
| a0 |000000a3| d | 8 |0,0,0,0,0,0,0,0|
| c0 |000000c3| 5 | 0 |0,0,0,0,0,0,0,0|
| e0 |000000e3| d | 8 |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix problem)
uid(6e442129) nt(8f699195) par(0000000000000000) ks(00040f0f0305030e) nr(30e3ec000000004)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000004| 0 | 5 |0,0,0,0,0,0,0,0|
| 20 |00000024| 4 | 1 |0,0,0,0,0,0,0,0|
| 40 |00000044| f | a |0,0,0,0,0,0,0,0|
| 60 |00000064| f | a |0,0,0,0,0,0,0,0|
| 80 |00000084| 3 | 6 |0,0,0,0,0,0,0,0|
| a0 |000000a4| 5 | 0 |0,0,0,0,0,0,0,0|
| c0 |000000c4| 3 | 6 |0,0,0,0,0,0,0,0|
| e0 |000000e4| e | b |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
p1:0 p2:0 p3:0 key:ffffffffffff
p1:1b39 p2:b97c p3:1 key:a25e4ee6ba4d
p1:1ca8 p2:c37a p3:2 key:9d4a97efd5b0
p1:2308 p2:ee3e p3:3 key:8794ad98e0ca
p1:27af p2:10da2 p3:4 key:77aebc3dfe57
p1:27e2 p2:10f1a p3:5 key:76ecf2a7c780
p1:2ed0 p2:1408c p3:6 key:5e2422973f9e
p1:37de p2:17f6a p3:7 key:3e28efbcb324
p1:4664 p2:1e1d7 p3:8 key:0cc09bd6a404
key_count:9
Key FFFFFFFFFFFF
--block no:00 key type:00 key:ff ff ff ff ff ff etrans:0
Block shift=0
Testing known keys. Sector count=16
nested...
Time in nested: 2.330 (inf sec per key)
-----------------------------------------------
Iterations count: 0
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to bynary file dumpkeys.bin...
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
Wrote a HTML dump to the file 6E442129.html
Wrote an emulator-dump to the file 6E442129.eml
Before doing that, verify you have htmldump.lua and mifare_autopwn.lua in your /script folder.
Last edited by asper (2013-10-16 15:13:57)
Offline
How do I run the scripts inside Proxmark?
Offline
script run scriptname.lua
Offline
Every time I do that the help menu pops up like I typed in an invalid code. Do I need to use a special Proxmark client or something? I did download the "pm3-bin-756-(cdc+lua).rar" and I flashed everything, changed it to COM port 5 and all that, but it still comes up like I typed an invalid code.
Offline
Download the latest revision (actually r816) and flash the Proxmark3 with the latest firmware, otherwise you won't have scripting capabilities.
Offline
OK, I finally got together and ran the script, but what do I do with the HTML file? I opened it in the browser but a black screen came up.
Offline
dumpdata.bin must be present and must be in the same folder as proxmark3.exe.
Offline
Yes it is, but what do I do with the HTML file that "script run htmldump.lua" creates?
Offline
Have you managed to create a dumpfile.bin? It should be 1024 bytes large for 1k, etc. If you're on Linux, you can use e.g. 'xxd dumpdata.bin' to view the contents; it should be identical to what you see in the HTML page. Could you verify that the file exists and that it is non-empty?
Offline
Doesn't the HTML page display something similar to the image that asper posted above?
Offline
No, I just get an all-black screen in the HTML page.
Offline
Ok, so,
1. Could you verify that the file exists and that it is non-empty?
2. Which browser and version are you using? Do you get any error messages when loading the page (you may have to find the error console)?
3. Does this jsfiddle render correctly within your browser, or is it also black? http://jsfiddle.net/pebEG/
4. If the card data is not secret, please post the html-file here (within [code ] blocks)
Last edited by holiman (2013-10-17 20:36:58)
Offline
Sorry, I just opened it in Google Chrome and it worked like the picture above, but it still doesn't say too much. Would that be all I would get out of it?
Offline
Well, what you get out is the binary data that has been put on there... There is some more information, like manufacturer info and some other stuff, which can be extracted from block 0.
Anyway, it would be good to know what browser/version you used, so we can fix that bug.
Offline
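The checks discussed above (a 1K dump is exactly 1024 bytes, raw hex beside ASCII, extra details in block 0), as an added Python example that is not part of the thread or of the Proxmark3 scripts. The sample dump, its UID and its text are constructed, and a 4-byte UID is assumed.

```python
import string

BLOCK, PER_SECTOR, SECTORS = 16, 4, 16          # MIFARE Classic 1K layout
DUMP_SIZE = BLOCK * PER_SECTOR * SECTORS        # 1024 bytes
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

def split_blocks(dump: bytes) -> list:
    """Return the 64 blocks of a 1K dump; reject empty or truncated files."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE} bytes for a 1K card, got {len(dump)}")
    return [dump[i:i + BLOCK] for i in range(0, DUMP_SIZE, BLOCK)]

def hex_ascii(block: bytes) -> str:
    """One row: raw hex on the left, printable ASCII on the right."""
    text = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in block)
    return f"{block.hex(' ')}  |{text}|"

def parse_block0(block0: bytes) -> dict:
    """Block 0 with a 4-byte UID: UID, XOR check byte (BCC), manufacturer data."""
    uid, bcc = block0[:4], block0[4]
    bcc_ok = bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {"uid": uid.hex(), "bcc_ok": bcc_ok, "manufacturer_data": block0[5:].hex()}

def render(dump: bytes) -> list:
    """Label every block with sector, block index and whether it is a trailer."""
    rows = []
    for n, blk in enumerate(split_blocks(dump)):
        sector, idx = divmod(n, PER_SECTOR)
        kind = "trailer" if idx == PER_SECTOR - 1 else "data"
        rows.append(f"s{sector:02d} b{idx} {kind:<7} {hex_ascii(blk)}")
    return rows

def sample_dump() -> bytes:
    """Constructed sample: default keys, UID 01020304, ASCII text in sector 1."""
    trailer = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    dump = bytearray((bytes(48) + trailer) * SECTORS)
    dump[0:16] = bytes.fromhex("01020304" "04" "0804006263646566676869")
    dump[64:80] = b"EXAMPLE TEXT".ljust(16, b"\x00")
    return bytes(dump)

if __name__ == "__main__":
    dump = sample_dump()
    print(parse_block0(dump[:BLOCK]))
    print("\n".join(render(dump)[:8]))
```

Data written as text shows up in the right-hand column; binary fields such as counters or timestamps only appear as dots there.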
I originally tried to use Internet Explorer 8.0.6001.18702 on Windows XP. So what I get is what I get; I didn't do anything wrong, I just expected to see things like full sentences or my name, expiration date, things like that.
Offline
If there is an expiration, which there very well may be, it won't be visible to the naked eye - no need for a computer to write a date in ASCII, so you'd probably just have a timestamp (e.g. number of seconds since 1970). A while back I read somewhere about someone decoding the info on a MIFARE card; he deduced what timestamps there were and what CRCs were in use. I'll try to find the link.
Offline
Ah, here it is: http://www.libnfc.org/community/topic/160/mifare-data-analysis/
Offline
If you want, share the HTML dump with us.
Offline
Link to HTML file: http://www.qfpost.com/file/d?g=yOrESauT4
Offline
Well, your card (manufactured by Infineon: 000488) is "formatted" following the MAD specifications; in particular the card is using sector 0F (the last one) as the sector containing info about the card supplier (all FF, so not much info there).
Your card seems to be related to Iranian railway services (MAD bytes 1004) and the provider is using sectors 1 to 7; sectors 8 to 0E aren't used at all.
Sector 1 and sector 4 seem to contain non-encrypted data (maybe station name or selling office ID); does 1472 or 1600 mean something to you?
Data in sectors 2, 3, 5, 6 and 7 seems to be encrypted (usually DES or 3DES, so it is almost impossible to decode them).
To have more info you should do some transaction with your card, dump it again and look for differences from previous dumps; if ALL BYTES in sectors 2, 3, 5, 6 and 7 are changing, then it is certain that the data is encrypted.
Some good stuff in sector 7: the data are all the same, so I suppose that sector, decrypted, will contain all 00 or all FF; this could be useful to eventually obtain the encryption key (would anyone like to make a guess?).
Sector 2 and sector 3 block 1 and block 2 are the same.
KeyA and KeyB are able to read but only KeyB is able to write (as the MAD specifications describe).
That's all we can obtain (for now).
Last edited by asper (2013-10-17 22:08:06)
Offline
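The MAD reading and dump comparison described in the post above, as an added Python example that is not part of the thread or of the Proxmark3 scripts: it lists which sectors the MAD1 directory marks as used and reports how much of each sector changed between two dumps. Both dumps are constructed, the MAD CRC byte is not verified, and AIDs are shown as the two raw bytes in stored order.

```python
BLOCK, PER_SECTOR, SECTORS = 16, 4, 16   # MIFARE Classic 1K layout

def sector_data(dump: bytes, sector: int) -> bytes:
    """The three data blocks of a sector; the trailer (keys, access bits) is skipped."""
    start = sector * PER_SECTOR * BLOCK
    return dump[start:start + (PER_SECTOR - 1) * BLOCK]

def read_mad1(dump: bytes) -> dict:
    """Decode the MAD1 directory stored in sector 0, blocks 1 and 2."""
    gpb = dump[3 * BLOCK + 9]            # general purpose byte in the sector 0 trailer
    mad = dump[BLOCK:3 * BLOCK]          # CRC, info byte, then one 2-byte AID per sector
    aids = {s: mad[2 * s:2 * s + 2].hex() for s in range(1, SECTORS)}
    return {
        "mad_present": bool(gpb & 0x80),
        "publisher_sector": mad[1] & 0x3F,
        "in_use": {s: a for s, a in aids.items() if a != "0000"},
        "free": [s for s, a in aids.items() if a == "0000"],
    }

def diff_sectors(before: bytes, after: bytes) -> dict:
    """Fraction of data bytes that changed per sector between two dumps of one card."""
    if len(before) != len(after) or len(before) != BLOCK * PER_SECTOR * SECTORS:
        raise ValueError("both dumps must be 1024-byte 1K images")
    report = {}
    for s in range(1, SECTORS):          # sector 0 holds block 0 and the MAD itself
        old, new = sector_data(before, s), sector_data(after, s)
        changed = sum(x != y for x, y in zip(old, new))
        if changed:
            report[s] = changed / len(old)
    return report

def sample_pair() -> tuple:
    """Constructed dumps: sectors 1-7 listed in the MAD, sector 1 plain, sector 2 opaque."""
    trailer = bytes.fromhex("ffffffffffff" "787788c1" "ffffffffffff")
    card = bytearray((bytes(48) + trailer) * SECTORS)
    card[16:48] = bytes([0x00, 0x0F]) + bytes.fromhex("1004") * 7 + bytes(16)
    card[64:68] = (41).to_bytes(4, "little")             # plain counter in sector 1
    card[128:176] = bytes(range(48))                     # stand-in for ciphertext
    after = bytearray(card)
    after[64:68] = (42).to_bytes(4, "little")
    after[128:176] = bytes(b ^ 0x5A for b in range(48))
    return bytes(card), bytes(after)

if __name__ == "__main__":
    before, after = sample_pair()
    print(read_mad1(before))
    print(diff_sectors(before, after))
```

A sector whose data bytes nearly all change after a single transaction behaves like ciphertext, while one that changes by a byte or two is more likely a plain counter or timestamp.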