Proxmark3 community

#1 2017-09-14 12:45:01

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

[solved]An anti clone card.

Recently I bought a PM3, learned the relevant content, and also copied several of my cards.
But one card from our community is very special; it may be an anti-clone card.
The process is as follows:

proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-04-02 15:12:04
#db# os: /-suspect 2015-04-02 15:12:11
#db# HF FPGA image built on 2015/03/09 at 08:41:42
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hw tune            //with card

Measuring antenna characteristics, please wait......
# LF antenna: 24.89 V @   125.00 kHz
# LF antenna: 22.14 V @   134.00 kHz
# LF optimal: 25.57 V @   126.32 kHz
# HF antenna: 19.39 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

proxmark3> hf 14a reader
ATQA : 00 04
UID : 2d 46 3d b8
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

proxmark3> hf mf chk *1 ? d
......

proxmark3> hf mf nested 1 0 A FFFFFFFFFFFF d

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  013889343891  | 1 |  013889343891  | 1 |
|002|  013889343891  | 1 |  013889343891  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|

Sector 1, 2 key is 013889343891, and the data can be read.

Sector 10 key is FFFFFFFFFFFF, but the data cannot be read with key A or B.

proxmark3> hf mf rdsc 10 A FFFFFFFFFFFF
proxmark3> hf mf rdbl 43 A FFFFFFFFFFFF
proxmark3> hf mf rdbl 40 A FFFFFFFFFFFF
proxmark3> hf mf rdbl 41 A FFFFFFFFFFFF
proxmark3> hf mf rdbl 42 A FFFFFFFFFFFF
proxmark3> hf mf wrbl 43 A FFFFFFFFFFFF FFFFFFFFFFFFFF078069FFFFFFFFFFFF

The above commands all display #db# Cmd Error: 04

I think writing illegal access bits to sector 10 can do it. I tested it on a blank card with

hf mf wrbl 43 A FFFFFFFFFFFF FFFFFFFFFFFFFF07FF69FFFFFFFFFFFF

FF07FF69 is illegal access bits; this can run once, then it permanently locks the sector.

So I do this to make a block unreadable as a mark.

I wrote 3 cards (content includes sectors 0-2, with a simulated mark in sector 10); the card types are UID, CUID, FUID (I am in China). None of them can open the door.

The next step is sniffing. The sniff data is attached in post 5.

From the sniff data, the reader accesses sectors 1 and 10. I calculated the keys:
sector 1 is 013889343891, sector 10 is FFFFFFFFFFFF. Same as with hf mf nested.

Sector 2 key is 013889343891 and its data is all zero. I changed the original card's sector 2
key to FFFFFFFFFFFF and it cannot open the door; from the sniff data, the reader did not access sector 2.

So the card has two special things:
1. Sector 10 is unreadable, perhaps written with illegal access bits.
2. From the sniff data, the reader did not access sector 2, yet after changing the sector 2 key the card cannot open the door.

I am not familiar with Mifare communication. Can anybody tell me from the sniff data what the reader does? Is sector 10 permanently locked? Does the reader read data from sector 10?

Any suggestions? Thanks!

Last edited by zhuminggang (2017-09-17 03:52:43)

#2 2017-09-14 13:02:46

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: [solved]An anti clone card.

data of card

block0    2D463DB8EE0804008500AABBCCDDEEFF
block1    00000000000000000000000000000000
block2    00000000000000000000000000000000
block3    FFFFFFFFFFFFFF078069FFFFFFFFFFFF
block4    16063009251763000000000000006AA5
block5    00000000000000000000400000000004
block6    00000000000000000000000000000000
block7    013889343891FF078069013889343891
block8    00000000000000000000000000000000
block9    00000000000000000000000000000000
block10  00000000000000000000000000000000
block11  013889343891FF078069013889343891

block40 ?
block41 ?
block42 ?
block43 ?

Last edited by zhuminggang (2017-09-14 13:10:06)

#3 2017-09-15 16:14:44

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Re: [solved]An anti clone card.

hf mf chk *1 ? d
hf mf nested 1 3 A ffffffffffff d
hf mf dump
hf mf csave filename
hf mf cload

:)

Anti clone, just use a FUID, or a perfect gen2 card. The reader probably bricks gen1a mifare cards.

#4 2017-09-15 17:58:19

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: [solved]An anti clone card.

Dot.Com wrote:

hf mf chk *1 ? d
hf mf nested 1 3 A ffffffffffff d
hf mf dump
hf mf csave filename
hf mf cload

:)

Anti clone, just use a FUID, or a perfect gen2 card. The reader probably bricks gen1a mifare cards.

Perhaps you read too quickly. Sector 10 cannot be read or written, so hf mf dump will fail. I wrote sectors 0-2 and made sector 10 unreadable, using 3 types of card: UID, CUID, FUID. All failed.

Last edited by zhuminggang (2017-09-15 18:02:56)

#5 2017-09-15 18:10:24

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: [solved]An anti clone card.

sniff data:
proxmark3> hf mf sniff
-------------------------------------------------------------------------
Executing command.
Press the key on the proxmark3 device to abort both proxmark3 and client.
Press the key on pc keyboard to abort the client.
-------------------------------------------------------------------------
...................................................>//1st time
received trace len: 413 packages: 1
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(0):60 04 d1 3d
TAG(1):11 56 e7 53
RDR(2):78 a7 2b 25 9b 5c 37 7b
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(3):50 00 57 cd
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(4):60 28 bf d6
TAG(5):da d9 59 5a
RDR(6):d0 80 bd a3 97 89 9c 7a
TAG(7):52 7c e8 74
RDR(8):d1 bb 35 f1
TAG(9):06
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(10):60 28 bf d6
TAG(11):c0 68 ae 4c
RDR(12):96 c7 13 8f 3e df d2 11
TAG(13):b5 03 b9 5f
RDR(14):43 b2 20 a0
TAG(15):06
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(16):60 28 bf d6
TAG(17):5d ab bb e9
RDR(18):42 e7 e5 c1 ea 6f 8e 25
TAG(19):b7 f9 80 ee
RDR(20):58 38 c8 0f
TAG(21):04
.....................................................>//2nd time
received trace len: 781 packages: 2
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(22):60 04 d1 3d
TAG(23):be 06 f3 3f
RDR(24):91 df f4 ff 5a 7f b6 5f
TAG(25):04 00
RDR(26):2d 46 3d b8 ee
TAG(27):08 b6 dd
RDR(28):50 00
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(29):60 28 bf d6
TAG(30):a5 5d 95 0b
RDR(31):28 ee 67 57 9f a9 0d e9
TAG(32):f0 58 cf 69
RDR(33):db f4 6c a0
TAG(34):08
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(35):60 28 bf d6
TAG(36):38 a7 28 df
RDR(37):22 3a 99 ef 71 ec 36 4d
TAG(38):4e ac 01 6b
RDR(39):e2 e1 d3 d8
TAG(40):09
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(41):60 28 bf d6
TAG(42):8d 95 f3 9e
RDR(43):24 12 75 d8 8c ef ed 19
TAG(44):9e 4a 20 ed
RDR(45):89 e6 dc f2
TAG(46):02
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(47):60 04 d1 3d
TAG(48):93 e9 89 e1
RDR(49):76 36 25 ed c6 34 27 c2
TAG(50):b3 2b 9c 34
RDR(51):1c fa 75 cd
TAG(52):a3 d2 e2 26 99 05 3f 06 06 75 77 49 e3 25 95 1c cb cd
RDR(53):51 74 90 3c
TAG(54):0d 03 c3 1d 50 2e 59 f5 bf 2b 23 6d 0f 3f bc 34 d5 d3
RDR(55):35 a9 a3 8a
TAG(56):3d 2d 81 9d 2f 0e 75 77 86 65 f4 52 8a 99 16 9e fb 1e
RDR(57):a0 41 5b 69
TAG(58):18 3a ed f4
RDR(59):c7 3e 13 c7 c9 6a 63 25
TAG(60):53 e5 ff 7a
RDR(61):87 22 b0 9d
TAG(62):53 96 d1 0d 50 72 1e eb fc 39 11 de a5 ce 2e 64 94 76
RDR(63):16 8c 1b 09
TAG(64):a2 c1 2f cd c3 49 b7 53 51 1d d8 29 07 bd 99 4f d3 92
RDR(65):04 00
................................................>//3rd time
received trace len: 789 packages: 2
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(66):60 04 d1 3d
TAG(67):8a 29 95 6f
RDR(68):2b 76 54 2b 31 47 69 af
TAG(69):04 00
RDR(70):93 20
TAG(71):2d 46 3d b8 ee
RDR(72):93 70 2d 46 3d b8 ee 5b 1b
TAG(73):08 b6 dd
RDR(74):50 00 57 cd
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(75):60 28 bf d6
TAG(76):ff 45 10 de
RDR(77):a4 b9 63 25 47 4e 6d e2
TAG(78):54 59 94 e4
RDR(79):b6 7a 70 75
TAG(80):0a
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(81):60 28 bf d6
TAG(82):cb a2 36 6b
RDR(83):42 df 65 e7 3f 1a 68 8d
TAG(84):b5 76 ee 18
RDR(85):ef ad 43 a3
TAG(86):0c
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(87):60 28 bf d6
TAG(88):54 68 09 54
RDR(89):e7 be 26 d0 e9 17 ea e0
TAG(90):73 fe 1c 99
RDR(91):66 e2 82 5b
TAG(92):07
tag select uid:2d 46 3d b8  atqa:0x0004 sak:0x08
RDR(93):60 04 d1 3d
TAG(94):df e2 25 09
RDR(95):14 54 31 88 c5 0c 37 7f
TAG(96):d8 75 31 8b
RDR(97):89 d6 19 53
TAG(98):b1 c9 82 8a ce 88 5b 48 a1 10 fb 6d f0 31 f5 bd f1 86
RDR(99):e7 c4 0b a6
TAG(100):31 95 cd 4f 19 c5 9e 5b af 20 d0 db af 3b 54 ae c2 9c
RDR(101):22 50 e4 da
TAG(102):b6 1d 6f 55 c5 6d df 05 cc 85 03 37 f4 35 d7 6b 33 2c
RDR(103):8c 54 2f 21
TAG(104):dd d5 72 39
RDR(105):d0 21 dc d1 9c ef 64 df
TAG(106):a6 23 2e b1
RDR(107):09 a9 d3 15 01 aa 99 6b a2 ac 2c 05 16 03 2d c5 b8 c4
TAG(108):9e b1 6b ae
RDR(109):d1 3e a2 82 97 ae ce 61 6b cf ff 1e 8c bf f9 fc 04 53
.....#db# cancelled by button
#db# COMMAND FINISHED
#db# maxDataLen=1, Uart.state=0, Uart.len=0
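
Added example, not part of the original post: the first authentication request of each session is sent unencrypted, so the sectors the reader targets can be read straight from the trace above. The Python sketch below picks out 4-byte reader frames that start with 60 (key A) or 61 (key B) and carry a valid CRC_A. The function names are illustrative, the sample frames are copied from the trace, and `block // 4` assumes the 1k layout reported by `hf 14a reader`.

```python
import re

def crc_a(data):
    """ISO/IEC 14443-3 CRC_A, returned as two bytes, low byte first."""
    crc = 0x6363
    for byte in data:
        ch = (byte ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def plaintext_auths(trace_text):
    """Return (frame_no, key_type, block, sector) per plaintext auth request."""
    found = []
    for m in re.finditer(r"RDR\((\d+)\):((?: ?[0-9a-f]{2})+)", trace_text):
        frame = bytes.fromhex(m.group(2))
        # Plaintext auth: command byte, block number, 2-byte CRC_A.
        # Encrypted frames almost never pass both the opcode and CRC checks.
        if (len(frame) == 4 and frame[0] in (0x60, 0x61)
                and crc_a(frame[:2]) == frame[2:]):
            key_type = "A" if frame[0] == 0x60 else "B"
            block = frame[1]
            found.append((int(m.group(1)), key_type, block, block // 4))
    return found

def sectors_seen(trace_text):
    """Sorted list of sectors the reader opened with a plaintext auth."""
    return sorted({sector for _, _, _, sector in plaintext_auths(trace_text)})

# Frames copied from the first capture in the trace above.
SAMPLE = """
RDR(0):60 04 d1 3d
TAG(1):11 56 e7 53
RDR(2):78 a7 2b 25 9b 5c 37 7b
RDR(3):50 00 57 cd
RDR(4):60 28 bf d6
TAG(5):da d9 59 5a
RDR(6):d0 80 bd a3 97 89 9c 7a
RDR(8):d1 bb 35 f1
RDR(57):a0 41 5b 69
"""

if __name__ == "__main__":
    for frame_no, key_type, block, sector in plaintext_auths(SAMPLE):
        print(f"RDR({frame_no}): auth key {key_type}, block {block}, sector {sector}")
    print("sectors:", sectors_seen(SAMPLE))
```

Authentications made after a session is already open are encrypted and will not show up here, so the list is a lower bound on what the reader touches.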

#6 2017-09-15 18:13:29

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Re: [solved]An anti clone card.

Sorry, browsed too quickly.

hf mf sniff then hf list 14a

Copy that data here so someone can calculate that key for you.

If the hf mf dump fails, write it one by one using hf mf wrbl since it seems you have the keys to it already.

#7 2017-09-15 18:21:10

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: [solved]An anti clone card.

I calculated the keys: sector 1 is 013889343891, sector 10 is FFFFFFFFFFFF. Same as with hf mf nested. I want to know from the sniff data what the reader does. Is sector 10 permanently locked? Does the reader read data from sector 10? If illegal access bits are written to a sector as a permanent lock, can data be read from it?

#8 2017-09-15 18:39:40

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: [solved]An anti clone card.

I must post in detail about sector 10. I wrote sector 10 block 43 with
hf mf wrbl 43 A FFFFFFFFFFFF FFFFFFFFFFFFFF07FF69FFFFFFFFFFFF
FF07FF69 is illegal access bits; this can run once, then it permanently locks the sector.
Then when you use
proxmark3> hf mf rdsc 10 A FFFFFFFFFFFF
proxmark3> hf mf rdbl 43 A FFFFFFFFFFFF
proxmark3> hf mf rdbl 40 A FFFFFFFFFFFF
proxmark3> hf mf rdbl 41 A FFFFFFFFFFFF
proxmark3> hf mf rdbl 42 A FFFFFFFFFFFF
proxmark3> hf mf wrbl 43 A FFFFFFFFFFFF FFFFFFFFFFFFFF078069FFFFFFFFFFFF
all display #db# Cmd Error: 04

I just simulated an unreadable and writable sector, as sector 10 is on the original card.

Last edited by zhuminggang (2017-09-15 18:58:06)
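
Added example, not part of the original post: the two trailer values discussed in posts #1 and #8 differ only in byte 8, and that is enough to break the inverted-copy format that the card checks on access (the NXP MIFARE Classic datasheet states that a format violation irreversibly blocks the sector). The Python sketch below validates the access bytes of a sector trailer and, when the format holds, decodes the read/write conditions for the three data blocks; function and field names are illustrative.

```python
# Added example: validate and decode MIFARE Classic sector-trailer access bits.
# (read, write) conditions for a data block, keyed by (C1, C2, C3).
DATA_BLOCK_RW = {
    (0, 0, 0): ("A|B", "A|B"),   (0, 1, 0): ("A|B", "never"),
    (1, 0, 0): ("A|B", "B"),     (1, 1, 0): ("A|B", "B"),
    (0, 0, 1): ("A|B", "never"), (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "never"),   (1, 1, 1): ("never", "never"),
}

def decode_trailer(trailer_hex):
    """Split a 16-byte sector trailer and check its access-bit format."""
    raw = bytes.fromhex(trailer_hex)
    if len(raw) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = raw[6], raw[7], raw[8]          # raw[9] is the user byte
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4     # true copies
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F   # inverted copies
    # Each nibble must be the bitwise complement of its inverted copy.
    ok = all((c ^ n) == 0x0F for c, n in ((c1, n1), (c2, n2), (c3, n3)))
    info = {"key_a": raw[:6].hex(), "access": raw[6:9].hex(),
            "key_b": raw[10:].hex(), "format_ok": ok, "blocks": {}}
    if not ok:
        return info      # format violation: do not write this trailer
    for blk in range(4):                          # bit n belongs to block n
        bits = ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1)
        if blk < 3:
            read, write = DATA_BLOCK_RW[bits]
            info["blocks"][blk] = {"c123": bits, "read": read, "write": write}
        else:
            info["trailer_c123"] = bits
    return info

if __name__ == "__main__":
    for t in ("FFFFFFFFFFFFFF078069FFFFFFFFFFFF",    # block3 in post #2
              "FFFFFFFFFFFFFF07FF69FFFFFFFFFFFF"):   # value written in post #8
        print(t, decode_trailer(t))
```

Running a trailer through a check like this before `hf mf wrbl` catches a malformed access field before it reaches a card that cannot be recovered.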

#9 2017-09-15 18:43:50

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Re: [solved]An anti clone card.

Actually, you have everything here, I just realized.

Just hard to see them if you don't put it clearly.

Well, I am going to go by plain assumption first.

Does the reader even respond to the Mifare card, or does it just beep but the door doesn't open?

1) If no response, check whether the card is a dual card. Shine a light through it to check.
2) If it beeps, it means there is something missing from the cloned card.
3) Bad access bits. It's weird in China. Fudan's compatible mifare is good with bad access bits but nxp doesn't. So it could not figure this out till now.
4) If you tried all the FUID, CUID, UFUID, UID Mifare, the problem is probably not the reader. I have experienced readers instantly bricking the gen1a (UID, IC, whatever you call it in China) cards. So if the card bricks, then yes, you need a FUID or CUID. If not, you are still on the right track.

#10 2017-09-15 18:55:51

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: [solved]An anti clone card.

Dot.Com wrote:

Actually, you have everything here, I just realized.

Just hard to see them if you don't put it clearly.

Well, I am going to go by plain assumption first.

Does the reader even respond to the Mifare card, or does it just beep but the door doesn't open?

1) If no response, check whether the card is a dual card. Shine a light through it to check.
2) If it beeps, it means there is something missing from the cloned card.
3) Bad access bits. It's weird in China. Fudan's compatible mifare is good with bad access bits but nxp doesn't. So it could not figure this out till now.
4) If you tried all the FUID, CUID, UFUID, UID Mifare, the problem is probably not the reader. I have experienced readers instantly bricking the gen1a (UID, IC, whatever you call it in China) cards. So if the card bricks, then yes, you need a FUID or CUID. If not, you are still on the right track.

The reader gives no response. How do I check whether the card is a dual card?

#11 2017-09-15 19:10:55

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Re: [solved]An anti clone card.

Turn on the flash on your phone and shine it through the card.

:)

#12 2017-09-15 19:40:40

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: [solved]An anti clone card.

Dot.Com wrote:

Actually, you have everything here, I just realized.

Just hard to see them if you don't put it clearly.

Well, I am going to go by plain assumption first.

Does the reader even respond to the Mifare card, or does it just beep but the door doesn't open?

1) If no response, check whether the card is a dual card. Shine a light through it to check.
2) If it beeps, it means there is something missing from the cloned card.
3) Bad access bits. It's weird in China. Fudan's compatible mifare is good with bad access bits but nxp doesn't. So it could not figure this out till now.
4) If you tried all the FUID, CUID, UFUID, UID Mifare, the problem is probably not the reader. I have experienced readers instantly bricking the gen1a (UID, IC, whatever you call it in China) cards. So if the card bricks, then yes, you need a FUID or CUID. If not, you are still on the right track.

I just tested it. I made a mistake: I selected the wrong CUID and FUID cards.
With a CUID, writing sectors 0-2 and simulating sector 10, all is OK!
Thank you!

Last edited by zhuminggang (2017-09-16 02:57:22)

#13 2017-09-15 21:29:46

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: [solved]An anti clone card.

More testing: without the simulated sector 10, it cannot open the door; the reader reads the non-readable sector 10. Thank you very much!!!!

#14 2017-09-16 03:19:42

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: [solved]An anti clone card.

As iceman requested, delete it!

Last edited by zhuminggang (2017-09-16 15:56:49)

#15 2017-09-16 03:20:24

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Re: [solved]An anti clone card.

So now you found your problem.

Note that if you use a CUID, beware of the bad access bits. It bricks the card entirely.

If you are unsure, make sure you equip yourself with a gen2 perfect card to test everything out before making changes to the CUID. You don't wish to brick these CUID cards. It's expensive~

Side note: you speak good english for a Chinese. I am also in China too.
Wechat ID: dennisgoh

#16 2017-09-16 07:48:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [solved]An anti clone card.

Keep threads clean and to the subject. If you have new questions, start a new thread.
