Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
#1 2018-11-11 19:56:08
- zhuminggang
- Contributor
- Registered: 2017-09-06
- Posts: 46
An interesting hotel tag
I am now on a business trip,always with my PM3. In the hotel, I get a door tag,use PM3 read it...
proxmark3> hf sea
UID : dc 6c 0a 3c
ATQA : 00 04
SAK : 19 [2]
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting SearchIt is too simple,it is GEN 1a,clone it,test it.
can not open the door,check the data,all the same.
read my clone tag...
proxmark3> hf sea
UID : dc 6c 0a 3c
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting SearchI found two places different: TYPE and SAK.
Continue test with MIFARE CLASSIC with No chinese magic backdoor, Still can't pass test.
Use clone GEN 1a tag, I hear a beep,It is wrong sound.
Use clone MIFARE CLASSIC with No chinese magic backdoor tag,No sound,No recognition.
reader and original tag sniff data:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 384 | Tag | 01 | |
7427068 | 7428060 | Rdr | 52 | | WUPA
14853980 | 14854972 | Rdr | 52 | | WUPA
22281260 | 22282252 | Rdr | 52 | | WUPA
22283504 | 22283952 | Tag | 04 | |
22366716 | 22367708 | Rdr | 52 | | WUPA
22368976 | 22371344 | Tag | 04 00 | |
22390780 | 22393244 | Rdr | 93 20 | | ANTICOLL
22394432 | 22400320 | Tag | dc 6c 0a 3c 86 | |
22429436 | 22439900 | Rdr | 93 70 dc 6c 0a 3c 86 0d d2 | ok | SELECT_UID
22441152 | 22444736 | Tag | 19 be dc | |
22489964 | 22494668 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
22496704 | 22501440 | Tag | 01 20 01 45 | | AUTH: nt
22511724 | 22521036 | Rdr | af 3d fa e6 83 44 81 93 | | AUTH: nr ar (enc)
22522288 | 22526960 | Tag |68! ef 06! c6 | | AUTH: at (enc)
22570092 | 22574860 | Rdr | ec 94 e1 99 | |
| * | key | probable key:a0a1a2a3a4a5 Prng:WEAK ks2:e0a13d34 ks3:f1d8367b | |
| * | dec |30 01 8b b9 | ok | >READBLOCK(1)
22576048 | 22596912 | Tag | da 80! 99 21 a9 cf! ba! c5 a7! 31 98! 35 f3 89! a7! ee | |
| | | ee 83 | |
| * | dec |a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff aa 12 1b | ok |
22629212 | 22633980 | Rdr | 3d ed 86 aa | |
| * | dec |30 02 10 8b | ok | >READBLOCK(2)
22635168 | 22656032 | Tag | cd b9! 8a! 08 5f! 63 78! e1! a1 51 81! b5! b4 50 10! c2 | |
| | | e4 20 | |
| * | dec |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 49 | ok |
22694748 | 22695740 | Rdr | 52 | | WUPA
22725708 | 22726700 | Rdr | 52 | | WUPA
22727968 | 22730336 | Tag | 04 00 | |
22749900 | 22752364 | Rdr | 93 20 | | ANTICOLL
22753568 | 22759456 | Tag | dc 6c 0a 3c 86 | |
22788556 | 22799020 | Rdr | 93 70 dc 6c 0a 3c 86 0d d2 | ok | SELECT_UID
22800272 | 22803856 | Tag | 19 be dc | |
22849212 | 22853980 | Rdr | 60 3c 1a 80 | ok | AUTH-A(60)
22855952 | 22860688 | Tag | 01 20 01 45 | | AUTH: nt
22870972 | 22880348 | Rdr | e4 4d 91 05 a0 b9 ea 32 | | AUTH: nr ar (enc)
22881552 | 22886224 | Tag | d5 5c! f8 42 | | AUTH: at (enc)
22929340 | 22934108 | Rdr | c8 82 2d ab | |
| * | key | probable key:b0dc6c0a3c36 Prng:WEAK ks2:c35c5695 ks3:4c6bc8ff | |
| * | dec |30 3c ed 53 | ok | >READBLOCK(60)
22935296 | 22956096 | Tag |47! 88 b8! 87! d9! dc! 15! 46! 05 5b! 3a! e2! ea 33 3a 6d! | |
| | |a7! aa | |
| * | dec |12 83 91 11 62 59 83 85 24 53 7c 92 88 50 7a 92 c6 76 | ok |
22988332 | 22993100 | Rdr | 3f bb 70 12 | |
| * | dec |30 3d 64 42 | ok | >READBLOCK(61)
22994304 | 23015168 | Tag | 17 c2 35 5e! b2 9e 21 8d! 9b a0! 5a 4d! d6! 47! c5 8a! | |
| | | 53 36! | |
| * | dec |88 88 88 88 88 88 88 85 dd dd dd dd dd 7d 00 00 3f 4c | ok | reader and clone tag sniff data:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
7427296 | 7428288 | Rdr | 52 | | WUPA
7429572 | 7430212 | Tag | 04 | |
7512816 | 7513808 | Rdr | 52 | | WUPA
7515060 | 7517428 | Tag | 04 00 | |
7537008 | 7539472 | Rdr | 93 20 | | ANTICOLL
7540660 | 7546548 | Tag | dc 6c 0a 3c 86 | |
7575664 | 7586128 | Rdr | 93 70 dc 6c 0a 3c 86 0d d2 | ok | SELECT_UID
7587380 | 7590900 | Tag | 08 b6 dd | |
7636192 | 7640896 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
7642916 | 7647652 | Tag | 01 20 01 45 | | AUTH: nt
7657952 | 7667264 | Rdr | 4b 26 9d 9d 58 31 ee ce | | AUTH: nr ar (enc)
7668516 | 7673188 | Tag | fc f5! 86! 1f! | | AUTH: at (enc)
7716320 | 7721088 | Rdr | fa d9 ab 95 | |
| * | key | probable key:a0a1a2a3a4a5 Prng:WEAK ks2:3bd45269 ks3:65c2b6a2 | |
| * | dec |30 01 8b b9 | ok | >READBLOCK(1)
7722276 | 7743140 | Tag |40! 0d 3c b7! 0a! c8! b9 88! 2e f7 98! 99 cd! 21 cd! 04 | |
| | |75! 11! | |
| * | dec |a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff aa 12 1b | ok |
7775440 | 7780144 | Rdr | 49 05 3f b5 | |
| * | dec |30 02 10 8b | ok | >READBLOCK(2)
7781396 | 7802260 | Tag | 98 89! 22! 7b! 8d 34 d1! 0b! 1e d8 76! dc! f0! cd! 1e 5e! | |
| | |b7! 11! | |
| * | dec |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 49 | ok |
7841104 | 7842096 | Rdr | 52 | | WUPA
7872064 | 7873056 | Rdr | 52 | | WUPA
7874324 | 7876692 | Tag | 04 00 | |
7896256 | 7898720 | Rdr | 93 20 | | ANTICOLL
7899908 | 7905796 | Tag | dc 6c 0a 3c 86 | |
7934912 | 7945376 | Rdr | 93 70 dc 6c 0a 3c 86 0d d2 | ok | SELECT_UID
7946628 | 7950148 | Tag | 08 b6 dd | |
7995568 | 8000336 | Rdr | 60 3c 1a 80 | ok | AUTH-A(60)
8002292 | 8007028 | Tag | 01 20 01 45 | | AUTH: nt
8017328 | 8026640 | Rdr | 0c 80 14 3a 39 23 ce de | | AUTH: nr ar (enc)
8027892 | 8032628 | Tag | 1c a8 50! 96! | | AUTH: at (enc)
8075696 | 8080464 | Rdr | 95 fa 0a 64 | |
| * | key | probable key:b0dc6c0a3c36 Prng:WEAK ks2:5ac67279 ks3:859f602b | |
| * | dec |30 3c ed 53 | ok | >READBLOCK(60)
8081652 | 8102516 | Tag | 25 2c cb! 12! 2f! 9c db! 65 c5 53 54 c2 d2 18! b7 33! | |
| | |96! a7 | |
| * | dec |12 83 91 11 62 59 83 85 24 53 7c 92 88 50 7a 92 c6 76 | ok |
8134816 | 8139584 | Rdr | 7a 74 7a c6 | |
| * | dec |30 3d 64 42 | ok | >READBLOCK(61)
8140772 | 8161572 | Tag |8f! 64 f3! f1! 94 3b 2d 39! e5 cc! 9c! c2 e6 86! de! 9f | |
| | | b7 b6! | |
| * | dec |88 88 88 88 88 88 88 85 dd dd dd dd dd 7d 00 00 3f 4c | ok | The hotel tag have no TYPE, How can do that? Perhaps the lock reader can find tag with no type and different SAK?
Who can have good suggestions,please infrom,thank you!
Last edited by zhuminggang (2018-11-12 10:11:05)
Offline
#2 2018-11-11 20:55:15
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: An interesting hotel tag
Have you tried changing the SAK? (hf mf csetuid h)
Offline
#3 2018-11-12 01:41:22
- zhuminggang
- Contributor
- Registered: 2017-09-06
- Posts: 46
Re: An interesting hotel tag
Have you tried changing the SAK? (hf mf csetuid h)
yes,
hf mf csetuid dc6c0a3c 0004 19
uid:dc 6c 0a 3c
--atqa:00 04 sak:19
Chinese magic backdoor commands (GEN 1a) detected
old block 0: dc 6c 0a 3c 86 19 04 00 41 44 45 4c 2d 46 50 43
new block 0: dc 6c 0a 3c 86 19 04 00 41 44 45 4c 2d 46 50 43
old UID:dc 6c 0a 3c
new UID:dc 6c 0a 3cnothing change,SAK byte already 19,use HF search it report 08.
from sniff data clone tag use SAK 08,original tag use SAK 19.
Last edited by zhuminggang (2018-11-12 10:11:53)
Offline
#4 2018-11-12 09:04:24
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: An interesting hotel tag
looks like your magic tag doesn't allow changing of SAK? Maybe even not ATQA... There is very many different gen1a tags, all cheap but far from all of them supports all functionality.
Offline
#5 2018-11-12 10:03:50
- zhuminggang
- Contributor
- Registered: 2017-09-06
- Posts: 46
Re: An interesting hotel tag
looks like your magic tag doesn't allow changing of SAK? Maybe even not ATQA... There is very many different gen1a tags, all cheap but far from all of them supports all functionality.
You are right!
I changed the hotel tag with SAK 08,hear the same beep like my clone tag.
then changed to SAK 19,all is OK.
the hotel magic tag allow change SAK.My magic tag not allow.
pm3 --> hf mf cgetbl 0
--block number: 0
data: DC 6C 0A 3C 86 19 04 00 41 44 45 4C 2D 46 50 43
pm3 --> hf mf csetbl 0 dc6c0a3c860804004144454c2d465043
--block number: 0 data:DC 6C 0A 3C 86 08 04 00 41 44 45 4C 2D 46 50 43
pm3 --> hf sea
UID : DC 6C 0A 3C
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
[+] Valid ISO14443-A Tag Found
pm3 --> hf mf csetbl 0 dc6c0a3c861904004144454c2d465043
--block number: 0 data:DC 6C 0A 3C 86 19 04 00 41 44 45 4C 2D 46 50 43
pm3 --> hf mf cgetbl 0
--block number: 0
data: DC 6C 0A 3C 86 19 04 00 41 44 45 4C 2D 46 50 43
pm3 --> hf sea
UID : DC 6C 0A 3C
ATQA : 00 04
SAK : 19 [2]
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
[+] Valid ISO14443-A Tag FoundLast edited by zhuminggang (2018-11-12 10:13:01)
Offline
#6 2018-11-12 15:32:43
- zhuminggang
- Contributor
- Registered: 2017-09-06
- Posts: 46
Re: An interesting hotel tag
more test on hotel tag:
proxmark3> hf mf csetbl 0 dc6c0a3c860804000000000000000000
Chinese magic backdoor commands (GEN 1a) detected
--block number: 0 data:dc 6c 0a 3c 86 08 04 00 00 00 00 00 00 00 00 00
proxmark3> hf sea
UID : dc 6c 0a 3c
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
proxmark3> hf mf csetbl 0 dc6c0a3c868804000000000000000000
Chinese magic backdoor commands (GEN 1a) detected
--block number: 0 data:dc 6c 0a 3c 86 88 04 00 00 00 00 00 00 00 00 00
proxmark3> hf sea
UID : dc 6c 0a 3c
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
proxmark3> hf mf csetbl 0 dc6c0a3c862802000000000000000000
Chinese magic backdoor commands (GEN 1a) detected
--block number: 0 data:dc 6c 0a 3c 86 28 02 00 00 00 00 00 00 00 00 00
proxmark3> hf sea
UID : dc 6c 0a 3c
ATQA : 00 02
SAK : 28 [1]
TYPE : JCOP31 or JCOP41 v2.3.1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting SearchMy chinese tag is not full functional tag.
Offline
#7 2018-11-12 23:36:16
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: An interesting hotel tag
That is how it is, I usually call the tags which supports all uid/sak/atqa , recoverable from bad block0 etc for perfecct magic tags
Offline
Pages: 1