I've got a tag I can't seem to identify.
It doesn't respond to any of my HF readers (iclass, mifare, nfc phone, twn4...).
The pm3 shows a 4 volt drop on the HF antenna.
A hf 14a read - hf list 14a f gives:
proxmark3> hf 14a read
ATQA : 00 00
UID : 00 00 00 00
SAK : 00 [2]
TYPE : NXP MIFARE Ultralight | Ultralight C
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
proxmark3> hf list 14a f
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 00 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16500 | Tag | 00 00 00 00 00 | |
18688 | 29216 | Rdr | 93 70 00 00 00 00 00 9c d9 | | SELECT_UID
30388 | 33972 | Tag | 00 fe 51 | |
325248 | 330016 | Rdr | e0 80 31 73 | | RATS
331188 | 331828 | Tag | 04 | |
749184 | 750176 | Rdr | 40 | | MAGIC WUPC1
885632 | 886944 | Rdr | 43 | | MAGIC WUPC2
1022720 | 1027488 | Rdr | 50 00 57 cd | | HALT
But it is not an Ultralight MIFARE card (ATQA 00 00, SAK 00).
I tried hf 15 read and got nothing.
I also tried hf 14b read but got nothing.
Last edited by marshmellow (2015-04-14 16:17:16)
Offline
Do you have an oscilloscope and a sniffer to see what's going on between the reader and that tag?
I know a good hf sniffer that has connectors for oscilloscope and that has helped me quite a few times.
Or, if you can have access to your reader's antenna or your tag's antenna (for your osci) during reading transaction, that would be easier...
And there are not many "unknown" hf tags. What does it look like? Can you post a pic?
Last edited by app_o1 (2015-04-14 16:51:38)
Offline
Could be a "wiped" magic tag.
Try "hf mf csetuid 11223344 0004 08" and see if you can read it afterwards.
You also need to comment these two breaks out, to force it to execute the magic commands anyway.
https://github.com/Proxmark/proxmark3/b … cmd.c#L945
https://github.com/Proxmark/proxmark3/b … cmd.c#L950
Worth a try at least
Offline
It is a used hotel key card with 4 languages on it. I do not have a good oscilloscope available ATM. I'm wondering if it has been damaged.. In one corner of the card it reads "1k SC". Everything else is hotel info. I will look at the magic tag commands but as a last resort as I do not think that is the case with this tag...
Offline
And no I'm not near a hotel reader to sniff it
Offline
Or use this simple script to see if it is "magic" and if it writes block0:
hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -c -p -a A000
hf 14a raw -c -p -a 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01
Offline
Is the tag spitting out garbage at me?
proxmark3> hf mf rdbl 1 A FFFFFFFFFFFF
--block no:1, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
proxmark3> hf list 14a
Recorded Activity (TraceLen = 188 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 00 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16500 | Tag | 00 00 00 00 00 | |
18688 | 29216 | Rdr | 93 70 00 00 00 00 00 9c d9 | | SELECT_UID
30388 | 33972 | Tag | 00 fe 51 | |
35456 | 40160 | Rdr | 60 01 7c 6a | | AUTH-A(1)
41780 | 46516 | Tag | 05 91 ec 43 | |
55296 | 64608 | Rdr | 31 ba 65 71 c4 02 99 46 | !crc| ?
65844 | 70516 | Tag | 79! 89 3b! e4 | |
76032 | 80800 | Rdr | 20 08 90 4b | !crc| ?
81972 | 102772 | Tag | a6 50! 33 02! c6! 5f! 85! b4 dc b5 b9! b6! e4 54! 8c 71 | |
| | | 35 54! | !crc|
114944 | 119648 | Rdr | 19 4a 4e be | !crc| ?
proxmark3> hf mf rdbl 2 A FFFFFFFFFFFF
--block no:2, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
proxmark3> hf list 14a
Recorded Activity (TraceLen = 188 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 00 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16500 | Tag | 00 00 00 00 00 | |
18688 | 29216 | Rdr | 93 70 00 00 00 00 00 9c d9 | | SELECT_UID
30388 | 33972 | Tag | 00 fe 51 | |
35456 | 40224 | Rdr | 60 02 e7 58 | | AUTH-A(2)
41780 | 46516 | Tag | 54 10 c9 3e | |
55296 | 64608 | Rdr | 72 08 0d bb ba 51 c2 25 | !crc| ?
65844 | 70580 | Tag | 8a 00! d6! c8 | |
76032 | 80736 | Rdr | 9a 35 74 7d | !crc| ?
81972 | 102836 | Tag | 67! 4b 01 44 0f 97! ef 8e! b2 c0 77! ca! ea! 33! 92 e8! | |
| | | 1d! 01 | !crc|
114944 | 119712 | Rdr | 5d 14 91 10 | !crc| ?
Offline
It does not respond to the backdoor commands.
Offline
I'm starting to think it is just a broken or VERY weak mifare 1k tag.
Offline
Or use this simple script to see if it is "magic" and if it writes block0:
hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -c -p -a A000
hf 14a raw -c -p -a 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01
Thanks, I tried this and the tag had no response and it did not change the selected UID or the way the tag responds...
Offline
Anyone ever do a data samples after a hf 14a read? Anyone know how to interpret it?
I get the same sample length (133) for a mifare 1k as I do when I read my strange tag, and many of the waves look identical.
Offline
bad tag:
good tag:
Offline
Since your tag is giving you a UID with zeros, and lots of the initial communication is zeroed,
and the readblock2 is giving you sector trailer data, it looks weird...
Why not read the whole sector 0 and see?
Offline
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Strange indeed.
Offline
It does that for all sectors 0 - 15, then it gives auth error.
Offline
I think the tag is damaged and not strong enough to be read correctly (only the pm3 can get this far, other readers do not see anything), but I think it is just a basic Mifare 1k that isn't working anymore...
Offline
Looks strange, but I'm with you on the damaged tag part. Talk to the reception and see if you can get a new key?
Why would the Pm3 client identify it as an Ultralight when the SAK & ATQA are zero, is what I wonder..
Offline
I was wondering that myself..
Offline
Test1:
try to cut the chip out and insert it in a working card (soldering the 2 tips of the antenna): maybe the tag coil is damaged; if this is the case it will work again;
Test2:
also try to put the surely-good chip in the bad-tag antenna and see if it is still working; if so you will be sure the bad-tag chip is damaged.
To eliminate the plastic part of the card you can dissolve it in acetone - submerge it and cover it to avoid evaporation - only the metal parts will remain [chip+antenna]
Example:
Last edited by asper (2015-04-14 22:10:40)
Offline
@marshmellow,
https://github.com/Proxmark/proxmark3/b … 14a.c#L165
Fast answer to the SAK = 0x00 == Ultralight question: as you can see in the code (link above), the identification inside "hf 14a reader" is based only on SAK and not in combination with ATQA.
Offline
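The point raised in the last reply (a type guess taken from SAK alone), as an added example that is not the Proxmark client's code: it checks the BCC and the CRC_A of the tag's answers from the trace in this thread and names a type only when ATQA and SAK agree. The function names and the small ATQA/SAK table are assumptions of this example, with ATQA written in the order the client prints it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC_A (ISO/IEC 14443-3): initial value 0x6363, sent low byte first. */
static uint16_t crc_a(const uint8_t *d, size_t n) {
    uint16_t crc = 0x6363;
    while (n--) {
        uint8_t ch = (uint8_t)(*d++ ^ (crc & 0xFF));
        ch ^= (uint8_t)(ch << 4);
        crc = (uint16_t)((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4));
    }
    return crc;
}

/* 1 if the frame's last two bytes are a correct CRC_A over the rest. */
int frame_crc_ok(const uint8_t *f, size_t n) {
    if (n < 3) return 0;
    uint16_t c = crc_a(f, n - 2);
    return f[n - 2] == (c & 0xFF) && f[n - 1] == (c >> 8);
}

/* Commonly documented ATQA/SAK pairs; ATQA in the order the client prints it
 * (assumption of this example, not a complete list). */
static const struct { uint8_t atqa[2], sak; const char *name; } known[] = {
    { {0x00, 0x44}, 0x00, "MIFARE Ultralight" },
    { {0x00, 0x04}, 0x08, "MIFARE Classic 1K" },
    { {0x00, 0x02}, 0x18, "MIFARE Classic 4K" },
};

/* Name a type only when BCC and CRC check out and ATQA and SAK agree. */
const char *identify(const uint8_t atqa[2], const uint8_t uid_bcc[5],
                     const uint8_t sak_frame[3]) {
    if ((uid_bcc[0] ^ uid_bcc[1] ^ uid_bcc[2] ^ uid_bcc[3]) != uid_bcc[4])
        return "bad BCC";
    if (!frame_crc_ok(sak_frame, 3)) return "bad SAK CRC";
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (!memcmp(atqa, known[i].atqa, 2) && sak_frame[0] == known[i].sak)
            return known[i].name;
    return "unknown ATQA/SAK pair";
}

int main(void) {
    /* Tag answers copied from the hf list 14a trace in this thread. */
    const uint8_t atqa[2] = {0x00, 0x00}, uid[5] = {0}, sak[3] = {0x00, 0xfe, 0x51};
    printf("%s\n", identify(atqa, uid, sak));
    return 0;
}
```

With the values from the trace, the BCC and the CRC on the SAK frame (00 fe 51) both verify, so the zeros were received as well-formed frames, yet the ATQA 00 00 / SAK 00 pair matches no entry and no type is named.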