Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I'm very new to this; technically I got my Proxmark a week ago, so I'm still learning. Bear with me please, and whatever you explain, please try to do it "for dummies".
Short story: got an xM1+ implant in my hand to work with the building's door access, maybe later program it for a Samsung door lock. Details:
UID : 89 72 6d 02
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
So, people bricked their chips, made them unusable (and it's a bitch to have an implant that you just can't use and probably will take it out, just because you were stupid), had a lot of problems, either created by themselves, by accident or just from lack of knowledge. Like me bricking my Proxmark the first time I (tried to) update the firmware, but I recovered it after about half an hour of intense sweating..
I bought multiple Magic Chinese cards (same as my implant) to test on until I know how to do everything from a-z. Learned the "basics" of a Mifare Classic, gathered info here and there, and in the end managed to clone an identical card from the original keyfob to a Magic chip by dumping all data, having the same keys and also changing the UID to match, and on another one even writing the whole block 0.
Now comes the "fun part". 1 original, 2 clones. Wanted to format/reset the clones to see what happens, how it affects the keys, data and UID. After searching I tried using the remagic and formatMifare scripts, both with no luck:
proxmark3> script run remagic
script run remagic
--- Executing: remagic.lua, args ''
hf 14a raw -p -a -b 7 40
hf 14a raw: invalid argument "7 40" to option -b|-B|--bits=<int>
Try 'hf 14a raw --help' for more information.
hf 14a raw -p -a 43
received 0 bytes:
hf 14a raw -c -p -a A000
received 0 bytes:
hf 14a raw -c -p -a 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01
received 0 bytes:
-----Finished
I have no idea what this is.
And formatMifare.lua "seemed" successful, but it's the same data, same everything on the clone.
So I resorted to "hf mf cwipe w f" ...SUCCESS, everything was erased, another UID, no data and all keys set to ffffffffffff.
Aaaaaand let's crack and dump the original card all over again to make another exact clone....at the "restore" command I got this (I'll write just a part of it, it's the same for all blocks...)
#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block 63: b8 14 c4 c7 b8 14 7f 07 88 00 e7 31 68 53 e7 31
My second interesting "fear" was after a few days of using the original keyfob after making the clone, I compared them and sector 3 block 1 and sector 14 blocks 1 and 2 were different. Do you think the reader can actually write data on the keyfob/clone/implant? They both still worked, but small data was off.... that makes me think also I don't want a system I don't know to write things to my implant.
esave / eload of the dumpdata.bin, which is scripted afterwards into an .eml file, doesn't work either.
Thank you all in advance for your time.
This is the info on the clone I want to dump to... just in case:
proxmark3> hf se
hf se
UID : 2c 71 45 83
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
proxmark3> hf mf nested 1 0 A FFFFFFFFFFFF
hf mf nested 1 0 A FFFFFFFFFFFF
--nested. sectors:16, block no: 0, key type:A, eml:n, dmp=n checktimeout=471 us
Testing known keys. Sector count=16
nested...
-----------------------------------------------
Nested statistic:
Iterations count: 0
Time in nested: 0.328 (inf sec per key)
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
The next command I don't understand at all, but I saw that it shows info for people who know it.
And it goes on the same for many more lines...:
proxmark3> hf list 14a
hf list 14a
Recorded Activity (TraceLen = 1050 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 52                                                              |     | WUPA
       7040 |       8032 | Rdr | 52                                                              |     | WUPA
      14080 |      15072 | Rdr | 52                                                              |     | WUPA
      21120 |      22112 | Rdr | 52                                                              |     | WUPA
      28160 |      29152 | Rdr | 52                                                              |     | WUPA
      35200 |      36192 | Rdr | 52                                                              |     | WUPA
      42240 |      43232 | Rdr | 52
PS: Found a solution. So after using "hf mf cwipe w f" and trying to dump the data from the original onto it, I get this (on all blocks):
Writing to block 63: b8 14 c4 c7 b8 14 7f 07 88 00 e7 31 68 53 e7 31
#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:100:
But then I used the app on my phone, MIFARE Classic Tool (which I also updated with a nice set of keys from the Proxmark files), to Write Tag / Factory Format. It didn't change the UID from the cwipe, but now I can dump another card onto it successfully. Still would love to know WTF I'm doing wrong with the Proxmark command and the script...would prefer that method to the app...
Last edited by Dan (2018-09-21 07:37:12)
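As an added example (not code from this thread or from the Proxmark3 project), the script below does by hand the two things that come up in the post above: it decodes a MIFARE Classic 1K sector trailer such as the block 63 line quoted in the restore output, checking that the three access bytes have the inverted-nibble layout a genuine card requires before a trailer is written back, and it diffs two dumps sector by sector the way the original-vs-clone comparison was done manually. It assumes the Proxmark .eml layout (64 lines of 32 hex characters, one per block); the two dumps it compares are constructed inside the script, and the meaning of the access bits is taken from the NXP MF1S50 datasheet tables.

```python
# Added example, not code from this thread or from the Proxmark3 project.
# Decodes MIFARE Classic 1K sector trailers, validates the access-bit
# layout before a trailer is written back, and diffs two dumps by sector.
from typing import Dict, List, Tuple

BLOCK_SIZE = 16
BLOCKS_1K = 64
SECTORS_1K = 16

# Sector-trailer conditions indexed by (C1, C2, C3) of block 3:
# (keyA read, keyA write, access bits read, access bits write, keyB read, keyB write)
# per the NXP MF1S50 datasheet.
TRAILER_COND: Dict[Tuple[int, int, int], Tuple[str, ...]] = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),  # transport configuration
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}
# Data-block conditions: (read, write, increment, decrement/transfer/restore).
DATA_COND: Dict[Tuple[int, int, int], Tuple[str, ...]] = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),  # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

# Block 63 exactly as quoted in the thread, and the NXP transport trailer.
PAGE_TRAILER = bytes.fromhex("b814c4c7b8147f078800e7316853e731")
TRANSPORT_TRAILER = bytes.fromhex("ffffffffffffff078069ffffffffffff")


def parse_eml(text: str) -> List[bytes]:
    """Parse the Proxmark .eml layout: one 32-hex-character line per block."""
    blocks = [bytes.fromhex(ln.strip()) for ln in text.splitlines() if ln.strip()]
    if len(blocks) != BLOCKS_1K or any(len(b) != BLOCK_SIZE for b in blocks):
        raise ValueError("expected 64 blocks of 16 bytes (MIFARE Classic 1K)")
    return blocks


def access_bits(trailer: bytes) -> Tuple[bool, Dict[int, Tuple[int, int, int]]]:
    """Extract C1/C2/C3 per block from trailer bytes 6..8 and check the inverted copies."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    # Byte 6 must hold ~C2 | ~C1 and the low nibble of byte 7 must hold ~C3;
    # a genuine card irreversibly blocks the sector if this layout is violated.
    expected_b6 = ((~c2 & 0xF) << 4) | (~c1 & 0xF)
    valid = (b6 == expected_b6) and ((b7 & 0xF) == (~c3 & 0xF))
    bits = {i: ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)}
    return valid, bits


def decode_trailer(trailer: bytes) -> dict:
    """Key A, access bytes, key B and the meaning of the access bits for each block."""
    valid, bits = access_bits(trailer)
    info = {"key_a": trailer[:6].hex(), "access": trailer[6:9].hex(),
            "key_b": trailer[10:16].hex(), "valid": valid, "blocks": {}}
    if valid:
        for i in range(3):
            info["blocks"][i] = DATA_COND[bits[i]]
        info["blocks"][3] = TRAILER_COND[bits[3]]
    return info


def unsafe_sectors(dump: List[bytes]) -> List[int]:
    """Sectors whose trailer must not be written as-is (malformed access bytes)."""
    return [s for s in range(SECTORS_1K) if not access_bits(dump[s * 4 + 3])[0]]


def diff_dumps(a: List[bytes], b: List[bytes]) -> List[Tuple[int, int]]:
    """(sector, block-in-sector) of every block whose 16 bytes differ."""
    return [(n // 4, n % 4) for n in range(BLOCKS_1K) if a[n] != b[n]]


def constructed_dump(trailer: bytes = TRANSPORT_TRAILER) -> List[bytes]:
    """Constructed 1K dump: manufacturer block built from the thread's UID/SAK/ATQA,
    zeroed data blocks, and the given trailer in every sector."""
    blocks = [bytes(BLOCK_SIZE)] * BLOCKS_1K
    uid = bytes.fromhex("89726d02")
    bcc = bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3]])
    blocks[0] = uid + bcc + bytes.fromhex("080400") + bytes(8)  # constructed block 0
    for s in range(SECTORS_1K):
        blocks[s * 4 + 3] = trailer
    return blocks


if __name__ == "__main__":
    print(decode_trailer(PAGE_TRAILER))
    original = constructed_dump()
    reread = list(original)
    # Constructed differences in the blocks the post reports as changed.
    reread[3 * 4 + 1] = bytes.fromhex("000000000000000000000000000000a1")
    reread[14 * 4 + 1] = bytes.fromhex("000000000000000000000000000000b2")
    reread[14 * 4 + 2] = bytes.fromhex("000000000000000000000000000000c3")
    print("changed:", diff_dumps(original, reread))
    bad = constructed_dump(bytes.fromhex("ffffffffffffff078800ffffffffffff"))
    print("unsafe:", unsafe_sectors(bad))
```

Decoding the quoted block 63 shows its access bytes 7f 07 88 are well formed and give C1C2C3 = 011 for the trailer: key A, key B and the access bits are writable only with key B, while the three data blocks are still in transport configuration (read/write with either key). That is worth knowing before a restore, because a write attempted with the wrong key is simply refused, whereas a trailer whose bytes fail the inverse check is accepted by a gen1a backdoor write but permanently blocks that sector on a genuine card, so running the check over a dump before writing it back is the cheap safeguard.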
https://github.com/Proxmark/proxmark3/pull/680
remagic fixed
Which firmware version are you using?
hw status
hw version
hw 14a raw -h
Which firmware version are you using?
hw status
hw version
hw 14a raw -h
Hey, sorry for the late reply, been traveling and didn't have time to take the new toy with me.
Hope these help. So far I managed to "factory reset" my cards and implant, but with the MIFARE Classic Tool app; it worked fast, but I wanna learn how to properly do that on the Proxmark as well...
Cheers.
proxmark3> hw status
hw status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............0
#db# Currently loaded FPGA image:
#db# fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
#db# LF Sampling config:
#db# [q] divisor: 95
#db# [b bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# USB Speed:
#db# Sending USB packets to client...
#db# Time elapsed: 1500ms
#db# Bytes transferred: 743936
#db# USB Transfer Speed PM3 -> Client = 495957 Bytes/s
#db# Various
#db# MF_DBGLEVEL........2
#db# ToSendMax..........41342368
#db# ToSendBit..........0
proxmark3> hw version
hw version
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-401-g53edb04-suspect 2018-09-10 23:37:53
os: master/v3.0.1-401-g53edb04-suspect 2018-09-10 23:37:57
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/ 9/ 3 at 21:36:22
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 192736 bytes (37%). Free: 331552 bytes (63%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw 14a raw -h
hw 14a raw -h
help This help
detectreader ['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)
fpgaoff Set FPGA off
lcd <HEX command> <count> -- Send command/data to LCD
lcdreset Hardware reset LCD
readmem [address] -- Read memory at decimal address from flash
reset Reset the Proxmark3
setlfdivisor <19 - 255> -- Drive LF antenna at 12Mhz/(divisor+1)
setmux <loraw|hiraw|lopkd|hipkd> -- Set the ADC mux to a specific value
tune ['l'|'h'] -- Measure antenna tuning (option 'l' or 'h' to limit to LF or HF)
version Show version information about the connected Proxmark
status Show runtime status information about the connected Proxmark
ping Test if the pm3 is responsive
Anyone any ideas? Tried also the remagic listed above, but with no success...
Anyone any ideas? Tried also the remagic listed above, but with no success...
What do you mean with "no success"? Any error messages?
remagic doesn't clear the card contents. It only restores block 0. You must use hf mf cwipe f to remove any other previous contents.