This is the door at a Disney hotel, snooped mainly for this guy --> http://www.proxmark.org/forum/profile.php?id=6748
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
11520 | 13984 | Rdr |93 20 | | ANTICOLL
30080 | 40544 | Rdr |93 70 88 04 4f 7d be fd 2b | ok | SELECT_UID
52096 | 54560 | Rdr |95 20 | | ANTICOLL-2
70656 | 81120 | Rdr |95 70 8a fa 54 80 a4 49 63 | ok | ANTICOLL-2
193264 | 194256 | Rdr |52 | | WUPA
204912 | 207376 | Rdr |93 20 | | ANTICOLL
223472 | 233936 | Rdr |93 70 88 04 4f 7d be fd 2b | ok | SELECT_UID
245488 | 247952 | Rdr |95 20 | | ANTICOLL-2
264048 | 274512 | Rdr |95 70 8a fa 54 80 a4 49 63 | ok | ANTICOLL-2
301936 | 306640 | Rdr |e0 57 03 d1 | ok | RATS
323568 | 328272 | Rdr |d7 01 1a 1d | ok |
339440 | 345360 | Rdr |0a 07 60 60 f8 | ok |
369376 | 375232 | Rdr |0b 07 af 47 9c | ok |
398560 | 404416 | Rdr |0a 07 af 9b c6 | ok |
438624 | 448000 | Rdr |0b 07 5a 90 00 f7 bb 29 | ok |
476128 | 483200 | Rdr |0a 07 aa 00 24 54 | ok |
3389872 | 3390864 | Rdr |52 | | WUPA
3392132 | 3394500 | Tag |44 03 | |
3401392 | 3403856 | Rdr |93 20 | | ANTICOLL
3405060 | 3410884 | Tag |88 04 4f 7d be | |
3420080 | 3430544 | Rdr |93 70 88 04 4f 7d be fd 2b | ok | SELECT_UID
3431796 | 3435316 | Tag |24 d8 36 | |
3442224 | 3444688 | Rdr |95 20 | | ANTICOLL-2
3445876 | 3451764 | Tag |8a fa 54 80 a4 | |
3460784 | 3471248 | Rdr |95 70 8a fa 54 80 a4 49 63 | ok | ANTICOLL-2
3472500 | 3476084 | Tag |20 fc 70 | |
3583392 | 3584384 | Rdr |52 | | WUPA
3585652 | 3588020 | Tag |44 03 | |
3595040 | 3597504 | Rdr |93 20 | | ANTICOLL
3598708 | 3604532 | Tag |88 04 4f 7d be | |
3613600 | 3624064 | Rdr |93 70 88 04 4f 7d be fd 2b | ok | SELECT_UID
3625332 | 3628852 | Tag |24 d8 36 | |
3635616 | 3638080 | Rdr |95 20 | | ANTICOLL-2
3639284 | 3645172 | Tag |8a fa 54 80 a4 | |
3654176 | 3664640 | Rdr |95 70 8a fa 54 80 a4 49 63 | ok | ANTICOLL-2
3665892 | 3669476 | Tag |20 fc 70 | |
3692064 | 3696768 | Rdr |e0 57 03 d1 | ok | RATS
3698020 | 3707300 | Tag |06 75 77 81 02 80 02 f0 | ok |
3713696 | 3718400 | Rdr |d7 01 1a 1d | ok |
3719652 | 3723172 | Tag |d7 cc f3 | |
3729568 | 3735488 | Rdr |0a 07 60 60 f8 | ok |
3737956 | 3751844 | Tag |0a 07 af 04 01 02 01 00 12 05 3d ca | ok |
3759520 | 3765376 | Rdr |0b 07 af 47 9c | ok |
3767140 | 3781092 | Tag |0b 07 af 04 01 01 01 05 12 05 6b c2 | ok |
3788688 | 3794544 | Rdr |0a 07 af 9b c6 | ok |
3796964 | 3818980 | Tag |0a 07 00 04 4f 7d 8a fa 54 80 b9 0c 17 4d 70 37 17 48 | |
| | |e3 | ok |
3828752 | 3838128 | Rdr |0b 07 5a 90 00 f7 bb 29 | ok |
3848164 | 3854052 | Tag |0b 07 00 ba c1 | |
3866256 | 3873328 | Rdr |0a 07 aa 00 24 54 | ok |
6779792 | 6780784 | Rdr |52 | | WUPA
6782052 | 6784420 | Tag |44 03 | |
6791440 | 6793904 | Rdr |93 20 | | ANTICOLL
6795092 | 6800916 | Tag |88 04 4f 7d be | |
6810000 | 6820464 | Rdr |93 70 88 04 4f 7d be fd 2b | ok | SELECT_UID
6821716 | 6825236 | Tag |24 d8 36 | |
6832016 | 6834480 | Rdr |95 20 | | ANTICOLL-2
6835668 | 6841556 | Tag |8a fa 54 80 a4 | |
6850576 | 6861040 | Rdr |95 70 8a fa 54 80 a4 49 63 | ok | ANTICOLL-2
6862292 | 6865876 | Tag |20 fc 70 | |
6973312 | 6974304 | Rdr |52 | | WUPA
6975572 | 6977940 | Tag |44 03 | |
6984832 | 6987296 | Rdr |93 20 | | ANTICOLL
6988500 | 6994324 | Tag |88 04 4f 7d be | |
7003392 | 7013856 | Rdr |93 70 88 04 4f 7d be fd 2b | ok | SELECT_UID
7015124 | 7018644 | Tag |24 d8 36 | |
7025408 | 7027872 | Rdr |95 20 | | ANTICOLL-2
7029076 | 7034964 | Tag |8a fa 54 80 a4 | |
7043968 | 7054432 | Rdr |95 70 8a fa 54 80 a4 49 63 | ok | ANTICOLL-2
7055684 | 7059268 | Tag |20 fc 70 | |
7081856 | 7086560 | Rdr |e0 57 03 d1 | ok | RATS
7087812 | 7097092 | Tag |06 75 77 81 02 80 02 f0 | ok |
7103488 | 7108192 | Rdr |d7 01 1a 1d | ok |
7109444 | 7112964 | Tag |d7 cc f3 | |
7119360 | 7125280 | Rdr |0a 07 60 60 f8 | ok |
7127748 | 7141636 | Tag |0a 07 af 04 01 02 01 00 12 05 3d ca | ok |
7149440 | 7155296 | Rdr |0b 07 af 47 9c | ok |
7157060 | 7171012 | Tag |0b 07 af 04 01 01 01 05 12 05 6b c2 | ok |
7178736 | 7184592 | Rdr |0a 07 af 9b c6 | ok |
7187012 | 7209028 | Tag |0a 07 00 04 4f 7d 8a fa 54 80 b9 0c 17 4d 70 37 17 48 | |
| | |e3 | ok |
7218672 | 7228048 | Rdr |0b 07 5a 90 00 f7 bb 29 | ok |
7237956 | 7243844 | Tag |0b 07 00 ba c1 | |
7255920 | 7262992 | Rdr |0a 07 aa 00 24 54 | ok |
7299652 | 7323908 | Tag |0a 07 af f0 e5 e9 f4 22 e5 d0 97 30 17 a5 b4 5d e3 70 | |
| | |31 ce 53 | ok |
7348336 | 7391056 | Rdr |0b 07 af 7c 7b fe cf 02 16 54 84 7e 24 c0 1a cd 36 26 | |
| | |06 ac ea 95 75 3c 01 cb ba af 3f 40 40 08 b7 44 2d b8 | |
| | |4d | ok |
7427252 | 7451572 | Tag |0b 07 00 01 da 27 d0 91 60 05 79 8d fd d6 fd d4 95 2a | |
| | |a9 18 fe | ok |
7466336 | 7472192 | Rdr |0a 07 6f 97 00 | ok |
7487284 | 7503476 | Tag |0a 07 00 00 16 f9 9c f5 aa 40 90 48 f2 72 | ok |
7514848 | 7521856 | Rdr |0b 07 f5 00 a0 18 | ok |
7536948 | 7560052 | Tag |0b 07 00 00 03 00 00 80 00 00 42 1e ed 20 2c 6a c1 77 | |
| | |21 8b | ok |
7574240 | 7588224 | Rdr |0a 07 bd 00 00 00 00 02 00 00 70 bf | ok |
7604004 | 7628260 | Tag |0a 07 00 a6 37 1e ed 3e 1c b3 48 0e 0e 6a fd 72 09 9a | |
| | |b4 47 22 | ok |
7727696 | 7741680 | Rdr |0b 07 bd 00 02 00 00 10 00 00 2c ab | ok |
7762724 | 7805412 | Tag |0b 07 00 99 a7 39 2e f2 71 5c 96 87 e5 8f a9 09 b3 33 | |
| | |20 6d ac 64 2b ba 30 f5 f1 41 9c 64 25 a6 06 53 88 f5 | |
| | |a3 | ok |
7826768 | 7840752 | Rdr |0a 07 bd 00 12 00 00 08 00 00 ec 86 | ok |
7856404 | 7880724 | Tag |0a 07 00 75 0c 03 38 b0 fc 47 67 6a de 6b d9 5b c1 4e | |
| | |02 ae fd | ok |
Offline
you can also save the trace data, and share it.
Offline
Thanks! I will have a look at it.
At first glance it looks weird, because the alternating 0x0a and 0x0b as a first byte suggests that it's ISO7816 APDU wrapped into ISO14A RFID, but the responses from the tag don't have the traditional "90 00" success code. I will have to have a closer look at what chip is in the wristband (I had DESFire in mind, but even though I don't know DESFire by heart, this doesn't look like DESFire to me).
Offline
The tag is definitely identifying as DESFire as I can remember. I will get a screenshot soon; my mom is a Disney fan and collects magic bands, so I will have to stop at their place and pick it up.
Offline
So, I had a closer look at the dump. It is DESFire.
The card has 512 bytes of memory, UID=044f7d8afa5480 (NXP), manufactured in the 33rd week of year 2017.
The reader selects the app "F70090", authenticates with the card using AES on key 0, lists the file ids, requests the settings for file 0 and then reads it:
First it reads 2 bytes at offset 0 (very likely the size of the file)
Then it reads 16 bytes at offset 2 (content)
Then it reads 8 bytes at offset 18 (a MAC I reckon)
All the content that is read is encrypted with MAC according to the answer to the file settings command.
For those who are looking at the crypto details:
- ekNo(RndB)=f0 e5 e9 f4 22 e5 d0 97 30 17 a5 b4 5d e3 70 31
- dkNo(RndA+RndB')=7c 7b fe cf 02 16 54 84 7e 24 c0 1a cd 36 26 06 ac ea 95 75 3c 01 cb ba af 3f 40 40 08 b7 44 2d
- ekNo(RndA')=01 da 27 d0 91 60 05 79 8d fd d6 fd d4 95 2a a9
And in case someone has unlimited computational resources to crack the AES session key:
- probable cleartext for the size "00 10" or "10 00" which could be padded
- encrypted text: a6 37 1e ed 3e 1c b3 48 0e 0e 6a fd 72 09 9a b4
Last edited by jump (2018-08-09 21:49:17)
Offline
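Added example, not part of the original posts: a small decoder that checks CRC_A, strips the ISO 14443-4 I-block header (PCB plus optional CID/NAD) and labels the DESFire native commands in the reader frames of the trace above, reproducing the sequence described in the analysis. The function and table names are this example's own; the command codes are the standard DESFire EV1 native ones.

```python
# Added example: label DESFire native commands inside ISO 14443-4 I-blocks.
# Reader frames below are copied from the trace in the first post.
READER_FRAMES = [
    "0b 07 5a 90 00 f7 bb 29",
    "0a 07 aa 00 24 54",
    "0a 07 6f 97 00",
    "0b 07 f5 00 a0 18",
    "0a 07 bd 00 00 00 00 02 00 00 70 bf",
    "0b 07 bd 00 02 00 00 10 00 00 2c ab",
    "0a 07 bd 00 12 00 00 08 00 00 ec 86",
]
NAMES = {0x60: "GetVersion", 0x6F: "GetFileIDs", 0xAF: "AdditionalFrame"}

def crc_a(data):
    """ISO/IEC 14443-3 Type A CRC (initial value 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def le24(b):  # DESFire sends AIDs, offsets and lengths as 3 bytes, LSB first
    return int.from_bytes(b, "little")

def decode_reader_frame(hexstr):
    frame = bytes.fromhex(hexstr)
    body, crc = frame[:-2], frame[-2:]
    if crc_a(body) != crc:
        raise ValueError("CRC_A mismatch: " + hexstr)
    pcb = body[0]
    if pcb & 0xE2 != 0x02:           # I-block: top three bits 0, bit 2 set
        return "not an I-block"
    hdr = 1 + bool(pcb & 0x08) + bool(pcb & 0x04)   # PCB [+ CID] [+ NAD]
    cmd, args = body[hdr], body[hdr + 1:]
    if cmd == 0x5A:
        return f"SelectApplication aid={le24(args[:3]):06X}"
    if cmd == 0xAA:
        return f"AuthenticateAES key={args[0]}"
    if cmd == 0xF5:
        return f"GetFileSettings file={args[0]}"
    if cmd == 0xBD:
        return (f"ReadData file={args[0]} offset={le24(args[1:4])} "
                f"length={le24(args[4:7])}")
    return NAMES.get(cmd, f"unknown command 0x{cmd:02x}")

if __name__ == "__main__":
    for f in READER_FRAMES:
        print(f"{f:38} {decode_reader_frame(f)}")
```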
It seems that the latest version of the NXP Android app is pretty good at extracting information from those bands when I swiped my old Disney wristband!
It confirms what I extracted manually from the provided dump but adds more:
Tag is DESFire EV1 - 512 byte total memory - 320 byte available
- App F70090 (Timelock AB)
  - 3 AES keys
  - required for file creation/deletion only
  - 1 file present
    - File ID 0x00
      - communication: encrypted
      - content: 128 bytes
      - Key ID 0x00
- App 78E127 (Disney MagicBand)
  - 2 AES keys
  - required for file creation/deletion only
  - 2 files present
    - File ID 0x01
      - communication: plaintext
      - contents: 16 bytes
      - Free access
    - File ID 0x02
      - communication: plaintext
      - contents: 56 bytes
      - Key ID 0x01 for reading
Offline