Research, development and trades concerning the powerful Proxmark3 device.
Hi,
today I received this card:
14443-3b tag found:
UID: XX XX XX XX
App Data: 53 50 4d 45
Protocol: 33 81 93
Bit Rate: 212 kbit/s PICC -> PCD supported
Bit Rate: 424 kbit/s PICC -> PCD supported
Bit Rate: 212 kbit/s PICC <- PCD supported
Bit Rate: 424 kbit/s PICC <- PCD supported
Max Frame Size: 256
Protocol Type: Protocol is compliant with ISO/IEC 14443-4
Frame Wait Int: 9
App Data Code: Application is Proprietary
Frame Options: NAD is supported
Frame Options: CID is supported
Max Buf Length: 0 (MBLI) not supported
Valid ISO14443B Tag Found - Quiting Search
Reading on the Internet about the company that uses this tag, they said they use MIFARE or Calypso cards. As you can see in the log I posted previously, it is not a MIFARE card, so I am dealing with a Calypso card.
The question is simple: how can I start reading this card? I found a calypso.lua script. Then I started sending the first command manually, but I received:
proxmark3> hf 14b raw -c -p 05 00 08
received 14 octets
50 XX XX XX XX 53 50 4d 45 33 81 93 18 b0
CRC OK
proxmark3> hf 14b raw -c -p 1D XX XX XX XX 00 08 01 00
received 3 octets
00 78 f0
CRC OK
proxmark3> hf 14b raw -c -p 02 94 a4 08 00 04 20 00 20 10 41 1b
received 0 octets
Could someone point me to a good place to start with it?
Thank you very much!
Pablo.
Offline
I realized today I made a mistake on the last command:
pm3 --> hf 14b raw -c -p 05 00 08
[LEN 14] 50 XX XX XX XX 53 50 4D 45 33 81 93 [18 B0] OK
pm3 --> hf 14b raw -c -p 1D XX XX XX XX 00 08 01 00
[LEN 3] 00 [78 F0] OK
pm3 --> hf 14b raw -c -p 02 94 a4 08 00 04 20 00 20 10
[LEN 5] 02 6E 00 [31 8C] OK
Any idea about reading EvLog files? Is sniffing the only way to continue?
Thanks.
Pablo.
Offline
First you should extract all readable data from the different commands. The Lua script tries to read out everything. Then you would need to decode the data.
Offline
Thanks for your quick reply. Is this the Lua script?
https://github.com/RfidResearchGroup/pr … alypso.lua
Then, if the data is encrypted, we probably do not know how to decrypt it, right? Please correct me if I'm wrong, but if this is true, the only way to continue is sniffing traffic...
Offline
If the data is encrypted, what makes you think it's sent unencrypted over the air?
I would start with the reader software, where the encryption/decryption layer for the data is most likely to be. Once you understand which crypto is used, you can find a key, and with that key you can decrypt the RFID traffic. Or that is how the process generally goes.
Offline
If the data is encrypted, what makes you think it's sent unencrypted over the air?
True, but at least maybe we can reply with the same commands to the reader. Does this tag have anti-replay protection?
I would start with the reader software, where the encryption/decryption layer for the data is most likely to be.
This tag is for bus transportation here in Spain. It is not possible for me to have access to the reader...
Offline
This is the output after running the script:
[+] Executing: calypso.lua, args ''
----------------------------------------
----------------------------------------
Waiting for card... press any key to quit
Card UID D3XXXX18
Card Number 35XXXXXX48
>> 01.Select ICC file
GOT: 026E00318C
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 026E00318C
>> 02.ICC
GOT: 036E00EDD6
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 036E00EDD6
>> 03.Select EnvHol file
GOT: 026E00318C
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 026E00318C
>> 04.EnvHol1
GOT: 036E00EDD6
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 036E00EDD6
>> 05.Select EvLog file
GOT: 026E00318C
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 026E00318C
>> 06.EvLog1
GOT: 036E00EDD6
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 036E00EDD6
>> 07.EvLog2
GOT: 026E00318C
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 026E00318C
>> 08.EvLog3
GOT: 036E00EDD6
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 036E00EDD6
>> 09.Select ConList file
GOT: 026E00318C
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 026E00318C
>> 10.ConList
GOT: 036E00EDD6
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 036E00EDD6
>> 11.Select Contra file
GOT: 026E00318C
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 026E00318C
>> 12.Contra1
GOT: 036E00EDD6
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 036E00EDD6
>> 13.Contra2
GOT: 026E00318C
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 026E00318C
>> 14.Contra3
GOT: 036E00EDD6
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 036E00EDD6
>> 15.Contra4
GOT: 026E00318C
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 026E00318C
>> 16.Select Counter file
GOT: 036E00EDD6
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 036E00EDD6
>> 17.Counter
GOT: 026E00318C
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 026E00318C
>> 18.Select SpecEv file
GOT: 036E00EDD6
SW 6E00 SW_CLA_NOT_SUPPORTED (6) nil
<< 036E00EDD6
>> 19.SpecEv1
GOT:
<< no answer
[+] Finished
It does not look good
Offline
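An offline decoder for the frames quoted in the posts above, as an added example that is not part of the thread or of calypso.lua. It assumes each command is an ISO 14443-4 I-block carrying a short APDU with an Lc byte, and the function names are made up for illustration. It shows that the `41 1b` at the end of the first attempt is the CRC_B of the preceding ten bytes (so with `-c` a second CRC was appended after it), and that the alternating `02`/`03` in the script output is the I-block number toggling while the card answers 6E00 every time.

```python
"""Offline decoder for the ISO 14443-B frames quoted in the thread (added example)."""

# Status word named in the calypso.lua output on the page; others print as unknown.
STATUS_WORDS = {0x6E00: "SW_CLA_NOT_SUPPORTED"}

def crc_b(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_B: init 0xFFFF, reflected poly 0x8408, inverted, low byte first."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    crc ^= 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def decode_command(frame_hex: str) -> dict:
    """Split PCB + short APDU as typed after `hf 14b raw`; flag a CRC typed by hand."""
    raw = bytes.fromhex(frame_hex)
    if len(raw) < 6:
        raise ValueError("need PCB, CLA, INS, P1, P2 and Lc")
    pcb, cla, ins, p1, p2, lc = raw[:6]
    end = 6 + lc
    if len(raw) < end:
        raise ValueError("Lc is larger than the data present")
    trailing = raw[end:]
    return {"block_number": pcb & 1, "cla": cla, "ins": ins, "p1": p1, "p2": p2,
            "data": raw[6:end].hex(), "trailing": trailing.hex(),
            "trailing_is_crc": trailing == crc_b(raw[:end])}

def decode_response(frame_hex: str) -> dict:
    """Verify CRC_B on a card response, then split PCB, payload and SW1SW2."""
    raw = bytes.fromhex(frame_hex)
    if len(raw) < 5:
        raise ValueError("need PCB, SW1SW2 and two CRC bytes")
    body, crc = raw[:-2], raw[-2:]
    sw = int.from_bytes(body[-2:], "big")
    return {"crc_ok": crc_b(body) == crc, "block_number": body[0] & 1,
            "payload": body[1:-2].hex(), "sw": f"{sw:04X}",
            "meaning": STATUS_WORDS.get(sw, "unknown")}

if __name__ == "__main__":
    # Frames copied from the posts above.
    for cmd in ("02 94 a4 08 00 04 20 00 20 10 41 1b", "02 94 a4 08 00 04 20 00 20 10"):
        print("cmd ", decode_command(cmd))
    for rsp in ("02 6E 00 31 8C", "03 6E 00 ED D6"):
        print("resp", decode_response(rsp))
```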
Looks like there is room and need for improvement
Offline