Research, development and trades concerning the powerful Proxmark3 device.
I've just found this script and gave it a try, but I get an error and the clone doesn't work properly. It appears on screen for 5 seconds and after that the game tells me the token must be recovered. Here's the error.
proxmark3> script run tnp3clone -t c301 -s 0030
--- Executing: tnp3clone.lua, args '-t c301 -s 0030'
----------------------------------------
----------------------------------------
Looking up input: Found Thunderbolt - trapmaster (air)
#db# READ BLOCK FINISHED
ERROR: Unknown parameter 'w'
Usage: hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols]
sample: hf mf csetuid 01020304
sample: hf mf csetuid 01020304 0004 08
Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)
Chinese magic backdoor commands (GEN 1a) detected
--block number: 1 data:c3 01 00 00 00 00 00 00 00 00 00 00 00 30 f1 d2
Chinese magic backdoor commands (GEN 1a) detected
--block number: 3 data:4b 0b 20 10 7c cb 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number: 7 data:e2 5a 7c c8 bd a7 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:11 data:c4 37 a8 9b 6a 64 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:15 data:57 01 42 32 81 85 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:19 data:1b db ea 95 2f 02 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:23 data:88 ed 00 3c c4 e3 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:27 data:ae 80 d4 6f 13 20 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:31 data:3d b6 3e c6 f8 c1 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:35 data:a5 02 6f 89 a5 ce 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:39 data:36 34 85 20 4e 2f 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:43 data:10 59 51 73 99 ec 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:47 data:83 6f bb da 72 0d 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:51 data:cf b5 13 7d dc 8a 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:55 data:5c 83 f9 d4 37 6b 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:59 data:7a ee 2d 87 e0 a8 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:63 data:e9 d8 c7 2e 0b 49 7f 07 88 69 00 00 00 00 00 00
-----Finished
Looking inside the script I found:
local cmd = (csetuid..'%s 0004 08 w'):format(result.uid)
That's where parameter w is but I don't know what to do now. I removed that parameter from the script and now I get
proxmark3> script run tnp3clone -t c301 -s 0030
--- Executing: tnp3clone.lua, args '-t c301 -s 0030'
----------------------------------------
----------------------------------------
Looking up input: Found Thunderbolt - trapmaster (air)
#db# READ BLOCK FINISHED
uid:6f 22 db 3c
--atqa:00 04 sak:08
Chinese magic backdoor commands (GEN 1a) detected
old block 0: 6f 22 db 3c aa 08 04 00 01 6f 01 6d 45 68 f8 1d
new block 0: 6f 22 db 3c aa 08 04 00 01 6f 01 6d 45 68 f8 1d
old UID:6f 22 db 3c
new UID:6f 22 db 3c
Chinese magic backdoor commands (GEN 1a) detected
--block number: 1 data:c3 01 00 00 00 00 00 00 00 00 00 00 00 30 76 88
Chinese magic backdoor commands (GEN 1a) detected
--block number: 3 data:4b 0b 20 10 7c cb 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number: 7 data:dc bb ed 90 1a 4b 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:11 data:fa d6 39 c3 cd 88 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:15 data:69 e0 d3 6a 26 69 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:19 data:25 3a 7b cd 88 ee 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:23 data:b6 0c 91 64 63 0f 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:27 data:90 61 45 37 b4 cc 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:31 data:03 57 af 9e 5f 2d 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:35 data:9b e3 fe d1 02 22 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:39 data:08 d5 14 78 e9 c3 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:43 data:2e b8 c0 2b 3e 00 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:47 data:bd 8e 2a 82 d5 e1 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:51 data:f1 54 82 25 7b 66 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:55 data:62 62 68 8c 90 87 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:59 data:44 0f bc df 47 44 7f 07 88 69 00 00 00 00 00 00
Chinese magic backdoor commands (GEN 1a) detected
--block number:63 data:d7 39 56 76 ac a5 7f 07 88 69 00 00 00 00 00 00
-----Finished
I'm using Superchargers game and portal on the Wii U.
Last edited by zantzue (2018-12-29 11:11:37)
Offline
Isn't w for wipe tag?
Offline
That makes sense to me. The card should be wiped out (just in case) before we write the other blocks. Anyway, the tag doesn't work. I tried to wipe it out but
proxmark3> hf mf csetuid 01020304 w
ERROR: Unknown parameter 'w'
Usage: hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols]
sample: hf mf csetuid 01020304
sample: hf mf csetuid 01020304 0004 08
Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)
Is there a problem with my Proxmark setup? Lualibs or something, I mean.
Last edited by zantzue (2018-12-29 15:36:35)
Offline
...are you using the right client / firmware setup for the script?
The script looks adapted for an iceman-based fork, which has the W parameter.
Offline
It seems I'm not. I followed this guide https://github.com/Proxmark/proxmark3/wiki/Windows. I downloaded the files from your fork but how am I supposed to use them? Drag, drop and overwrite files or do I have to compile everything again?
Edit: Dumb question. Forget it. I think I know what I'm supposed to do. I'll follow the guide again but this time I'll use your files instead of the official ones from Github.
I did it and this is what I see when I open the client:
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
bootrom: master/v3.1.0-35-g0d5545c-dirty-suspect 2018-12-13 21:51:14
os: master/v3.1.0-35-g0d5545c-dirty-suspect 2018-12-27 21:15:15
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/09/12 at 15:18:46
SmartCard Slot: not available
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 194961 bytes (37%) Free: 329327 bytes (63%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 -->
I tried again and this is what I get
pm3 --> script run tnp3clone -t c301 -s 0030
[+] Executing: tnp3clone.lua, args '-t c301 -s 0030'
----------------------------------------
----------------------------------------
Looking up input: Found Thunderbolt - trapmaster (air)
ERROR: iso14443a card select failed
[+] Finished
pm3 --> script run remagic
[+] Executing: remagic.lua, args ''
hf 14a raw -p -a -b 7 40
received 1 bytes
0A
hf 14a raw -p -a 43
received 1 bytes
0A
hf 14a raw -c -p -a A000
received 1 bytes
0A
hf 14a raw -c -p -a 01020304049802000000000000001001
received 1 bytes
0A
hf 14a raw -c -a 5000
received 0 bytes
hf mf csetbl 3 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number: 3 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 7 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number: 7 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 11 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:11 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 15 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:15 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 19 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:19 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 23 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:23 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 27 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:27 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 31 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:31 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 35 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:35 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 39 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:39 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 43 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:43 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 47 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:47 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 51 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:51 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 55 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:55 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 59 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:59 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 63 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:63 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
[+] Finished
And the card is not recognized
pm3 --> hf search
[!] timeout while waiting for reply.
#db# unknown command:: 0x03bc
ATQA : 07 ff
Tag doesn't support the Topaz protocol.
[-] no known/supported 13.56 MHz tags found
I tried "script run remagic" but it seems it killed my magic card.
pm3 --> script run remagic
[+] Executing: remagic.lua, args ''
hf 14a raw -p -a -b 7 40
received 1 bytes
0A
hf 14a raw -p -a 43
received 1 bytes
0A
hf 14a raw -c -p -a A000
received 1 bytes
0A
hf 14a raw -c -p -a 01020304049802000000000000001001
received 1 bytes
0A
hf 14a raw -c -a 5000
received 0 bytes
hf mf csetbl 3 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number: 3 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 7 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number: 7 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 11 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:11 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 15 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:15 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 19 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:19 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 23 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:23 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
#db# wupC2 error
[!] Can't write block. error=2
hf mf csetbl 27 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:27 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 31 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:31 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 35 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:35 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 39 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:39 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 43 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:43 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 47 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:47 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 51 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:51 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 55 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:55 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 59 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:59 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
hf mf csetbl 63 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:63 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Can't select card
[+] Finished
Last edited by zantzue (2018-12-29 17:37:28)
Offline
That looks like an iceman-based build.
Offline
Yes but now nothing works!
For instance, I put my DI token on the proxmark (I have the key) and
pm3 --> hf mf chk *0 ? d mydictionary.dic
[+] Loaded 3 keys from mydictionary.dic
Time in checkkeys: 0 seconds
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ------------ | 0 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ------------ | 0 | ------------ | 0 |
|---|----------------|---|----------------|---|
Printing keys to binary file hf-mf-0497CA4A913780-key.bin...
Found keys have been dumped to file hf-mf-0497CA4A913780-key.bin. 0xffffffffffff has been inserted for unknown keys.
And after that
pm3 --> hf mf dump 0
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
[-] could not get access rights for sector 0. Trying with defaults...
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
[-] could not get access rights for sector 1. Trying with defaults...
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Can't select card
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
[-] could not get access rights for sector 2. Trying with defaults...
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
[-] could not get access rights for sector 3. Trying with defaults...
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
[-] could not get access rights for sector 4. Trying with defaults...
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
[-] could not read block 0 of sector 0
I have a proxmark3 Easy. Is that OK?
Edit: From https://github.com/Gator96100/ProxSpace/ In most cases the Proxmark III needs to be flashed with the just compiled firmware for details see Firmware upgrading the Proxmark III.
I'll try that later.
Last edited by zantzue (2018-12-29 18:00:43)
Offline
Well, you must run the same client / firmware (on device), otherwise you will end up with trouble.
Offline
OK. I flashed bootrom and firmware again. I do much appreciate your wise advice. I'm a noob but I learn fast.
Now if I try tnp3clone script I get
pm3 --> script run tnp3clone -t c301 -s 0030
[+] Executing: tnp3clone.lua, args '-t c301 -s 0030'
----------------------------------------
----------------------------------------
Looking up input: Found Thunderbolt - trapmaster (air)
#db# Auth error
failed reading block with factorydefault key. Trying chinese magic read.
--wipe card:YES uid:01 02 03 04
[+] old block 0: 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01
[+] new block 0: 01 02 03 04 04 08 04 00 00 00 00 00 00 00 10 01
[+] old UID:00 00 00 00
[+] new UID:01 02 03 04
--block number: 1 data:C3 01 00 00 00 00 00 00 00 00 00 00 00 30 F1 D2
--block number: 3 data:4B 0B 20 10 7C CB 7F 07 88 69 00 00 00 00 00 00
--block number: 7 data:E2 5A 7C C8 BD A7 7F 07 88 69 00 00 00 00 00 00
--block number:11 data:C4 37 A8 9B 6A 64 7F 07 88 69 00 00 00 00 00 00
--block number:15 data:57 01 42 32 81 85 7F 07 88 69 00 00 00 00 00 00
--block number:19 data:1B DB EA 95 2F 02 7F 07 88 69 00 00 00 00 00 00
--block number:23 data:88 ED 00 3C C4 E3 7F 07 88 69 00 00 00 00 00 00
--block number:27 data:AE 80 D4 6F 13 20 7F 07 88 69 00 00 00 00 00 00
--block number:31 data:3D B6 3E C6 F8 C1 7F 07 88 69 00 00 00 00 00 00
--block number:35 data:A5 02 6F 89 A5 CE 7F 07 88 69 00 00 00 00 00 00
--block number:39 data:36 34 85 20 4E 2F 7F 07 88 69 00 00 00 00 00 00
--block number:43 data:10 59 51 73 99 EC 7F 07 88 69 00 00 00 00 00 00
--block number:47 data:83 6F BB DA 72 0D 7F 07 88 69 00 00 00 00 00 00
--block number:51 data:CF B5 13 7D DC 8A 7F 07 88 69 00 00 00 00 00 00
--block number:55 data:5C 83 F9 D4 37 6B 7F 07 88 69 00 00 00 00 00 00
--block number:59 data:7A EE 2D 87 E0 A8 7F 07 88 69 00 00 00 00 00 00
--block number:63 data:E9 D8 C7 2E 0B 49 7F 07 88 69 00 00 00 00 00 00
[+] Finished
And the game doesn't respond to the tag. The token doesn't appear on screen (not even for 5 seconds).
Edit: Another magic card
pm3 --> script run tnp3clone -t c301 -s 0030
[+] Executing: tnp3clone.lua, args '-t c301 -s 0030'
----------------------------------------
----------------------------------------
Looking up input: Found Thunderbolt - trapmaster (air)
--wipe card:YES uid:01 02 03 04
[+] old block 0: 01 02 03 04 04 08 04 00 00 00 00 00 00 00 10 01
[+] new block 0: 01 02 03 04 04 08 04 00 00 00 00 00 00 00 10 01
[+] old UID:00 00 00 00
[+] new UID:01 02 03 04
--block number: 1 data:C3 01 00 00 00 00 00 00 00 00 00 00 00 30 1F A5
--block number: 3 data:4B 0B 20 10 7C CB 7F 07 88 69 00 00 00 00 00 00
--block number: 7 data:E2 5A 7C C8 BD A7 7F 07 88 69 00 00 00 00 00 00
--block number:11 data:C4 37 A8 9B 6A 64 7F 07 88 69 00 00 00 00 00 00
--block number:15 data:57 01 42 32 81 85 7F 07 88 69 00 00 00 00 00 00
--block number:19 data:1B DB EA 95 2F 02 7F 07 88 69 00 00 00 00 00 00
--block number:23 data:88 ED 00 3C C4 E3 7F 07 88 69 00 00 00 00 00 00
--block number:27 data:AE 80 D4 6F 13 20 7F 07 88 69 00 00 00 00 00 00
--block number:31 data:3D B6 3E C6 F8 C1 7F 07 88 69 00 00 00 00 00 00
--block number:35 data:A5 02 6F 89 A5 CE 7F 07 88 69 00 00 00 00 00 00
--block number:39 data:36 34 85 20 4E 2F 7F 07 88 69 00 00 00 00 00 00
--block number:43 data:10 59 51 73 99 EC 7F 07 88 69 00 00 00 00 00 00
--block number:47 data:83 6F BB DA 72 0D 7F 07 88 69 00 00 00 00 00 00
--block number:51 data:CF B5 13 7D DC 8A 7F 07 88 69 00 00 00 00 00 00
--block number:55 data:5C 83 F9 D4 37 6B 7F 07 88 69 00 00 00 00 00 00
--block number:59 data:7A EE 2D 87 E0 A8 7F 07 88 69 00 00 00 00 00 00
--block number:63 data:E9 D8 C7 2E 0B 49 7F 07 88 69 00 00 00 00 00 00
[+] Finished
No errors, the token appears on screen but disappears after 5 seconds and the game says it may be corrupted. As I said before, I'm using Skylanders Superchargers. Maybe the last games from the Skylanders series look for gen1 magic cards and detect them.
Last edited by zantzue (2018-12-30 14:14:07)
Offline
I would say your problem is that your clone tag doesn't have the same block0 as your original...
Offline
Oh. I think you mean I should have used tnp3dump script before. Don't you? I'll take a look into the script later.
Edit: I tried with Super Shot Stealth Elf
pm3 --> script run tnp3dump -p
[+] Executing: tnp3dump.lua, args '-p'
----------------------------------------
----------------------------------------
#db# Debug level: 0
Found tag NXP MIFARE TNP3xxx Activision Game Appliance
Reading blocks > 8,9,10,12,13,14,16,17,18,20,21,36,37,38,40,41,42,44,45,46,48,49,
----------------------------------------
Wrote a BIN dump to: toydump_2018-12-30_210146-1FCA9E6F.bin
Wrote a EML dump to: toydump_2018-12-30_210146-1FCA9E6F.eml
----------------------------------------
ITEM TYPE : nil - SUPER~SHOT~STEALTH~ELF (LIFE)
UID : 0x1FCA9E6F
CARDID : 0x0000000000000000
----------------------------------------
[+] Finished
I opened the dump and it seems it has all A type keys. After that I tried
pm3 --> script run tnp3dump -k 4b0b20107ccb -n
[+] Executing: tnp3dump.lua, args '-k 4b0b20107ccb -n'
----------------------------------------
----------------------------------------
#db# Debug level: 0
Found tag NXP MIFARE TNP3xxx Activision Game Appliance
[+] Testing known keys. Sector count=16
..
[-] Chunk: 5.7s | found 17/32 keys (21)
[+] Time to check 20 known keys: 6 seconds
[+] enter nested attack
[-] Tag isn't vulnerable to Nested Attack (PRNG is not predictable).
Loading dumpkeys.bin
ERROR: nil
[+] Finished
in order to obtain B type keys but I couldn't. I'd try with a figure from the first series if I had one.
Edit: I'm still thinking about what you said about the block 0... I can obtain block 0 from my original by using tnp3dump script (I obtained 1FCA9E6F2481010FC433000000000014 for Super Shot Stealth Elf from Superchargers), use csetuid command in order to set it as my clone's block 0 and after that use tnp3clone to make a clone on that tag. I tried it with my Super Shot Stealth Elf and it didn't work but I know these scripts are supposed to be used with Skylanders tokens from the first series. I guess that's why it didn't work.
Edit: I got a Chill token. I read its block 0 and loaded it into the magic card
pm3 --> hf mf csetblk 0 3ac44464de81010fc433000000000012
--block number: 0 data:3A C4 44 64 DE 81 01 0F C4 33 00 00 00 00 00 12
And then
pm3 --> script run tnp3clone -t 6a00 -s 0030
[+] Executing: tnp3clone.lua, args '-t 6a00 -s 0030'
----------------------------------------
----------------------------------------
Looking up input: Found Chill - giant (water)
--wipe card:YES uid:3A C4 44 64
[+] old block 0: 3A C4 44 64 DE 81 01 0F C4 33 00 00 00 00 00 12
[+] new block 0: 3A C4 44 64 DE 08 04 00 C4 33 00 00 00 00 00 12
[+] old UID:00 00 00 00
[+] new UID:3A C4 44 64
--block number: 1 data:6A 00 00 00 00 00 00 00 00 00 00 00 00 30 41 BB
--block number: 3 data:4B 0B 20 10 7C CB 7F 07 88 69 00 00 00 00 00 00
--block number: 7 data:96 A5 A4 2D 62 D2 7F 07 88 69 00 00 00 00 00 00
--block number:11 data:B0 C8 70 7E B5 11 7F 07 88 69 00 00 00 00 00 00
--block number:15 data:23 FE 9A D7 5E F0 7F 07 88 69 00 00 00 00 00 00
--block number:19 data:6F 24 32 70 F0 77 7F 07 88 69 00 00 00 00 00 00
--block number:23 data:FC 12 D8 D9 1B 96 7F 07 88 69 00 00 00 00 00 00
--block number:27 data:DA 7F 0C 8A CC 55 7F 07 88 69 00 00 00 00 00 00
--block number:31 data:49 49 E6 23 27 B4 7F 07 88 69 00 00 00 00 00 00
--block number:35 data:D1 FD B7 6C 7A BB 7F 07 88 69 00 00 00 00 00 00
--block number:39 data:42 CB 5D C5 91 5A 7F 07 88 69 00 00 00 00 00 00
--block number:43 data:64 A6 89 96 46 99 7F 07 88 69 00 00 00 00 00 00
--block number:47 data:F7 90 63 3F AD 78 7F 07 88 69 00 00 00 00 00 00
--block number:51 data:BB 4A CB 98 03 FF 7F 07 88 69 00 00 00 00 00 00
--block number:55 data:28 7C 21 31 E8 1E 7F 07 88 69 00 00 00 00 00 00
--block number:59 data:0E 11 F5 62 3F DD 7F 07 88 69 00 00 00 00 00 00
--block number:63 data:9D 27 1F CB D4 3C 7F 07 88 69 00 00 00 00 00 00
[+] Finished
But the game doesn't recognize it. Why does the script change block zero (the one I set)? Shouldn't it be exactly the same?
Should I use another game from the Skylanders series or am I doing something wrong?
Last edited by zantzue (2018-12-31 11:00:39)
Offline
I successfully cloned 3 figures. They work but I have to admit there is still something I don't know/understand. This is what I did.
I played a whole level for the very first time, saved and after that I cloned my figures this way:
1- "script run tnp3dump -p".
2- "hf mf eload filename" (used file name of .eml archive from step 1).
3- "hf mf cload e"
4- Used the clone in game and restored it (in some days I'll check what changed as I don't understand what the problem was).
Do they work just on my console/savegame or may I use it on other consoles?
Edit: I tried a new savegame (on the same console) and another console and the clones work fine.
Last edited by zantzue (2019-01-01 03:31:58)
Offline
No need to eload (load to emulator) first. You should be able to load the dumpfile directly to the magic card with cload.
Offline
You're right, as usual; no need to load to emulator first (it was late and I was tired). I'm making progress with tnp3clone script also. I changed it a little bit. I wrote "local AccAndKeyB = '7F0F0869000000000000'" instead of "local AccAndKeyB = '7F078869000000000000'", called it tnp3clonezantzue.lua to keep both and now I can use it along with some bin files I found on the Internet to clone any token from the list. I use the script and I change again blocks 0, 1 and 3. After that clones work perfectly. No need to restore in game. I'm not going to post here the whole process. By the way, yesterday I discovered your videos on YouTube. Thank you for making them.
Offline
Updates to the tnp3 scripts will always be welcome. I haven't touched them in a long time.
I am glad you enjoy my videos.
Offline
@Iceman
So far I've done two modifications to the script:
1- "local AccAndKeyB = '7F0F0869000000000000'" instead of "local AccAndKeyB = '7F078869000000000000'"
2- "local cmd = (csetuid..'%s 0F01 81 w'):format(result.uid)" instead of "local cmd = (csetuid..'%s 0004 08 w'):format(result.uid)"
After I use the script I have to set block 3 4b0b20107ccb0f0f0f69000000000000 if I want the game to recognize the clone so I would like the script to set block 3 4b0b20107ccb0f0f0f69000000000000 instead of 4b0b20107ccb7F0F0869000000000000 but I don't know how to change the script. It's just that block everything else is fine. I can do it manually (hf mf csetblk 3 4b0b20107ccb7f078869000000000000) but I would like the script to do it automatically.
Last edited by zantzue (2019-01-20 22:41:15)
Offline
okok,
1) 88 vs 08 , different accessrights
2) atqa / sak, nice catch, 0F01 81. But on my version 2 skylanders SAK = 01, not 81. Are your tokens version 3 or later?
3) updated sector trailer Sector 0, yeah. I was lazy at the time
I have added your suggestions to the script.
https://github.com/RfidResearchGroup/pr … 3clone.lua
Thanks!
Offline
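An added example, not part of any post in this thread and not code from the Proxmark3 repository: a small Python decoder for the two things discussed above, the block 0 fields (UID, BCC, SAK, ATQA) that csetuid rewrites and the sector-trailer access bits behind "88 vs 08". The hex strings are copied from the terminal output in the thread; the function names are made up for this example.

```python
# Added example: decode MIFARE Classic block 0 and sector-trailer access bits.
# Hex inputs are copied from the thread's terminal output; names are illustrative.

# Access conditions keyed by (C1, C2, C3), per the MIFARE Classic data sheet.
TRAILER_RIGHTS = {
    (0, 0, 0): "key A: write A | access bits: read A | key B: read/write A",
    (0, 1, 0): "key A: locked | access bits: read A | key B: read A",
    (1, 0, 0): "key A: write B | access bits: read A/B | key B: write B",
    (1, 1, 0): "key A: locked | access bits: read A/B | key B: locked",
    (0, 0, 1): "key A: write A | access bits: read/write A | key B: read/write A",
    (0, 1, 1): "key A: write B | access bits: read A/B, write B | key B: write B",
    (1, 0, 1): "key A: locked | access bits: read A/B, write B | key B: locked",
    (1, 1, 1): "key A: locked | access bits: read A/B | key B: locked",
}
DATA_RIGHTS = {
    (0, 0, 0): "read A/B, write A/B, inc A/B, dec A/B",
    (0, 1, 0): "read A/B only",
    (1, 0, 0): "read A/B, write B",
    (1, 1, 0): "read A/B, write B, inc B, dec A/B",
    (0, 0, 1): "read A/B, dec A/B",
    (0, 1, 1): "read B, write B",
    (1, 0, 1): "read B only",
    (1, 1, 1): "no access",
}


def _block(hex_block):
    raw = bytes.fromhex(hex_block.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("a MIFARE Classic block is 16 bytes")
    return raw


def parse_block0(hex_block):
    """Split block 0 of a 4-byte-UID card into its fields."""
    b = _block(hex_block)
    uid = b[0:4]
    return {
        "uid": uid.hex(),
        "bcc_ok": b[4] == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],  # BCC = XOR of UID
        "sak": f"{b[5]:02x}",
        "atqa": f"{b[7]:02x}{b[6]:02x}",  # stored low byte first
        "manufacturer": b[8:16].hex(),
    }


def changed_fields(old_hex, new_hex):
    """Names of the block 0 fields that differ between two dumps."""
    old, new = parse_block0(old_hex), parse_block0(new_hex)
    return sorted(k for k in old if old[k] != new[k])


def decode_access_bits(trailer_hex):
    """Return {block: ((C1, C2, C3), meaning)} for blocks 0..3 of a sector."""
    b = _block(trailer_hex)
    b6, b7, b8 = b[6], b[7], b[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv_c1, inv_c2, inv_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    # Each nibble is stored twice, once inverted; a mismatch makes a real
    # card treat the sector as permanently blocked.
    if (c1 ^ inv_c1, c2 ^ inv_c2, c3 ^ inv_c3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    out = {}
    for blk in range(4):
        bits = ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1)
        table = TRAILER_RIGHTS if blk == 3 else DATA_RIGHTS
        out[blk] = (bits, table[bits])
    return out


if __name__ == "__main__":
    old0 = "3A C4 44 64 DE 81 01 0F C4 33 00 00 00 00 00 12"
    new0 = "3A C4 44 64 DE 08 04 00 C4 33 00 00 00 00 00 12"
    print("block 0 fields changed by the script:", changed_fields(old0, new0))
    for trailer in ("4B0B20107CCB7F078869000000000000",
                    "4B0B20107CCB7F0F0869000000000000",
                    "4b0b20107ccb0f0f0f69000000000000"):
        print(trailer[12:18].upper())
        for blk, (bits, meaning) in decode_access_bits(trailer).items():
            print(f"  block {blk}: C1C2C3={bits} -> {meaning}")
```

Run on the thread's values, it shows that only SAK and ATQA differ between the "old" and "new" block 0, and that 7F0788 and 7F0F08 differ only in the trailer condition (011 versus 010), while 0F0F0F makes every block of the sector read-only.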
I tried the new script but it doesn't work. I took a look into the script and it says "local AccAndKeyB = '7F078869000000000000'" and it should be "local AccAndKeyB = '7F0F0869000000000000'". I corrected it and now it works perfectly. I mean, I run the script and the clone is ready to use (no need to restore it in game). Thanks!
Edit: The tokens I own are from Imaginators. I don't know what wave they belong to but I guess it's the last one.
Last edited by zantzue (2019-01-21 17:43:37)
Offline
Ok, fixed it.
Offline
Thanks Iceman! I own two senseis and 8 crystals from Imaginators. If I shared my dumps with you, would you check them? To see how new checksums are calculated, you know.
Offline
Dunno if I have much time over for that, but feel free to share your dumps here.
Imaginators signature
Blocks 2, 4, 22 and 3E are an Ed25519 signature (just like in the Kevin Valk thesis). The message that gets signed is the first two blocks (0 and 1). The number 51 also seems to correspond to a yearcode (5) and keyindex (1). I also found that only one key is currently in use. The public key to verify the signature is: 8E567B03734294EE2E491C3A2DEDA46B9E1858C08924699860D229E01287253B
Offline
We all have a regular job and a family and I know that you maybe won't have time but there you go: https://www.dropbox.com/sh/h0zea0p7w8ck … 9Cn3a?dl=0 Fire crystal came with the starter pack so I think it's the first fire crystal model. I'll take a picture of the other crystals to show you what models they are. They are unopened. I could dump them without opening the boxes.
Edit: I expect to get more senseis within the next few days.
Last edited by zantzue (2019-01-27 13:09:13)
Offline
I added some chests
Offline