Research, development and trades concerning the powerful Proxmark3 device.
I came across this white card with no description or ID printed on it.
Using hf search it is identified as TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
but I could not do much with it.
Prox/RFID mark3 RFID instrument
bootrom: iceman/-suspect 2016-04-25 10:57:10
os: iceman/-suspect 2016-04-25 10:57:13
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 211555 bytes (40%). Free: 312733 bytes (60%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Antenna check without card
# LF antenna: 15.26 V @ 125.00 kHz
# LF antenna: 26.54 V @ 134.00 kHz
# LF optimal: 47.71 V @ 137.93 kHz
# HF antenna: 17.05 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3>
and with card
proxmark3> hw tu
Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)
......#db# DownloadFPGA(len: 42096)
.
# LF antenna: 15.40 V @ 125.00 kHz
# LF antenna: 26.54 V @ 134.00 kHz
# LF optimal: 47.85 V @ 137.93 kHz
# HF antenna: 15.42 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3>
I can run these commands
pm3 --> hf search
UID : DC 9A 7C 37
ATQA : 00 01
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO
Valid ISO14443A Tag Found - Quiting Search
pm3 -->
pm3 --> hf 14a reader
UID : DC 9A 7C 37
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO
pm3 -->
pm3 --> hf 14a cuids
Collecting 1 UIDs
Start: 1461588596
DC9A7C37
End: 1461588596
pm3 -->
pm3 --> hf 14a raw -c -p -s 26
received 4 octets
DC 9A 7C 37
received 0 octets
pm3 -->
Perhaps there are some more raw commands I can run on this card too, but I am not sure what will come back.
pm3 --> hf mf chk * ?
No key specified, trying default keys
key[ 0] ffffffffffff
key[ 1] 000000000000
key[ 2] a0a1a2a3a4a5
key[ 3] b0b1b2b3b4b5
key[ 4] aabbccddeeff
key[ 5] 4d3a99c351dd
key[ 6] 1a982c7e459a
key[ 7] d3f7d3f7d3f7
key[ 8] 714c5c886e97
key[ 9] 587ee5f9350f
key[10] a0478cc39091
key[11] 533cb6c723f6
key[12] 8fd0a4f256e9
................................
Time in checkkeys: 9340 ticks 9 seconds
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 0 | ffffffffffff | 0 |
|001| ffffffffffff | 0 | ffffffffffff | 0 |
|002| ffffffffffff | 0 | ffffffffffff | 0 |
|003| ffffffffffff | 0 | ffffffffffff | 0 |
|004| ffffffffffff | 0 | ffffffffffff | 0 |
|005| ffffffffffff | 0 | ffffffffffff | 0 |
|006| ffffffffffff | 0 | ffffffffffff | 0 |
|007| ffffffffffff | 0 | ffffffffffff | 0 |
|008| ffffffffffff | 0 | ffffffffffff | 0 |
|009| ffffffffffff | 0 | ffffffffffff | 0 |
|010| ffffffffffff | 0 | ffffffffffff | 0 |
|011| ffffffffffff | 0 | ffffffffffff | 0 |
|012| ffffffffffff | 0 | ffffffffffff | 0 |
|013| ffffffffffff | 0 | ffffffffffff | 0 |
|014| ffffffffffff | 0 | ffffffffffff | 0 |
|015| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
pm3 -->
pm3 --> hf mf nested 1 0 A ffffffffffff
Testing known keys. Sector count=16
Time to check 6 known keys: 6130 ticks 6 seconds
enter nested...
#db# Nested: Can't select card
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
pm3 --> hf search
UID : DC 9A 7C 37
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO
Valid ISO14443A Tag Found - Quiting Search
pm3 -->
pm3 --> hf mfu info
Tag is not Ultralight | NTAG | MY-D [ATQA: 00 04 SAK: 03]
pm3 -->
pm3 --> hf 14a cuids
Collecting 1 UIDs
Start: 1461588932
DC9A7C37
End: 1461588932
pm3 -->
pm3 --> hf 14a sim t u DC9A7C37
Emulating ISO/IEC 14443 type A tag with 4,7 byte UID
Usage: hf 14a sim t <type> u <uid> x
Options :
h : this help
t : 1 = MIFARE Classic
2 = MIFARE Ultralight
3 = MIFARE Desfire
4 = ISO/IEC 14443-4
5 = MIFARE Tnp3xxx
6 = MIFARE Mini
7 = AMIIBO (NTAG 215), pack 0x8080
u : 4, 7 byte UID
x : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader
sample : hf 14a sim t 1 u 1122344 x
: hf 14a sim t 1 u 1122344
: hf 14a sim t 1 u 1122344556677
pm3 -->
pm3 --> hf 14a sim t 1 u DC9A7C37
proxmark3> hf mf chk * ?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block: 3, key type:A, key count:13
--sector: 1, block: 7, key type:A, key count:13
--sector: 2, block: 11, key type:A, key count:13
--sector: 3, block: 15, key type:A, key count:13
--sector: 4, block: 19, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector: 5, block: 23, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector: 6, block: 27, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector: 7, block: 31, key type:A, key count:13
--sector: 8, block: 35, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector: 9, block: 39, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector:10, block: 43, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector:11, block: 47, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector:12, block: 51, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector:13, block: 55, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector:14, block: 59, key type:A, key count:13
--sector:15, block: 63, key type:A, key count:13
--sector: 0, block: 3, key type:B, key count:13
--sector: 1, block: 7, key type:B, key count:13
#db# ChkKeys: Can't select card
--sector: 2, block: 11, key type:B, key count:13
--sector: 3, block: 15, key type:B, key count:13
--sector: 4, block: 19, key type:B, key count:13
--sector: 5, block: 23, key type:B, key count:13
#db# ChkKeys: Can't select card
--sector: 6, block: 27, key type:B, key count:13
#db# ChkKeys: Can't select card
--sector: 7, block: 31, key type:B, key count:13
--sector: 8, block: 35, key type:B, key count:13
--sector: 9, block: 39, key type:B, key count:13
--sector:10, block: 43, key type:B, key count:13
--sector:11, block: 47, key type:B, key count:13
--sector:12, block: 51, key type:B, key count:13
#db# ChkKeys: Can't select card
--sector:13, block: 55, key type:B, key count:13
--sector:14, block: 59, key type:B, key count:13
#db# ChkKeys: Can't select card
--sector:15, block: 63, key type:B, key count:13
proxmark3>
What else can I do with this type of Mifare Classic card? It looks like a Mifare Classic but with improved security, hence the keyA or keyB attack and default keys failed.
Is it correct that we cannot read a data block because no key was found, and cannot decode or do anything with this type of card, apart from using its UID to perform simulation?
Sorry to ask like a greenie, but I haven't much experience with HF or simulation generally. What does "You can't clone, but you can simulate it" mean exactly? If this card is computed as an entry access card, then will the simulation open the lock? If this card is meant to be used as a transport card, or in the finance sector, then a simulation will ... ring the bell for an illegal intruder???
Mifare cards are used for a lot of applications in the world, by Google:
MIFARE products can be used in different applications:[12]
Automated fare collection system
ID Cards
Access Management
Campus cards
Loyalty cards (reward points)
Tourist cards
Micropayment (Mobile wallet, contactless payment, cashless payment)
Road tolling
Transport ticketing
Event ticketing
Mobile ticketing
Citizen card
Membership cards
Parking
Library cards
Fuel cards
Hotel key cards
NFC Tag (NFC apps, MIFARE4Mobile)
Taxi cards
Smart meter
Museum Access Cards
Product Authentication
Production control
Health cards
Ferry Cards
Car rentals
Fleet Management
Amusement parks
Bike rentals
Blood donor cards
Information services
Interactive exhibits
Interactive lotteries
Password storage
Smart advertising
Social welfare
Waste management
Formerly most access systems used MIFARE Classic, but today these systems have switched to MIFARE DESFire because this product has more security than MIFARE Classic.
And even PM3 can only admire its color or shape? Nothing else can we see on it? That means that Mifare is really very secure?!
Also I found something unexplained in the PM3 help for the hf 14a simulation command. What does the simulation "hf 14a sim t 1 u DC9A7C37 x" mean, with the option to perform an nr/ar attack against a legitimate reader? Do you know what that is for?
Is the only way forward with this type of card or the later Mifare DES EV1 card snooping, from which you can calculate a key from a successful authentication, then perform the nested attack to get the rest of the keys, and then analyse/study/decode its data?
Would PIWI's recently released MFhardnested attack code help me with this newer Mifare Classic card version? Could you help me with a link to his fork?
I know
Marshmellow, https://github.com/marshmellow42/proxmark3
Iceman https://github.com/iceman1001/proxmark3
but could not find from piwi
thanks
Last edited by ntk (2016-05-08 12:44:01)