Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

#1 2017-01-27 12:05:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

[solved] AZTEK iso14443a compliant tag

In a GitHub issue there is an interesting new tag, which with snoops has gotten some understanding.

ref: https://github.com/Proxmark/proxmark3/issues/206

Grey keyfob, UID printed on it, company seems to be AZTEK.
I'm guessing French. Used for a vending machine.

It follows ISO14443a standard anticollision.
4-byte UID.
It has its own command set.
It uses standard ISO14443a CRC on cmds.
Read / write commands have been identified.
COMMAND SET

Read:
10 NN 00 + 2 bytes CRC, where NN is blockno.

Sample: 10 03 00 E9 0A

Write:
B0 NN 00 + 8 bytes data + 2 bytes CRC, where NN is blockno.

Tag answers with the exact 8 bytes data + 2 bytes CRC.

Sample: B0 03 00 11 22 33 44 55 66 77 88 03 21

--PM3 14a raw commands

--read block 3
hf 14a raw -s -c -p 10 03 00

-- write block 3
hf 14a raw -c -p B0 03 00 11 22 33 44 55 66 77 88

-- re-read block 3 to verify
hf 14a raw -c 10 03 00
Data:
Block 0 contains UID.

Unknown how much memory and other commands.

And for coffee lovers out there, this tag should be very easy to restore a previous transaction on.

Offline
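The frame layout described in post #1, as an added example that is not part of the original post: it computes the ISO14443a CRC (CRC_A), builds the read and write frames, and checks captured frames such as the two samples quoted above. The function names are this example's own; the opcodes, the 8-byte block size and the sample bytes come from the post.

```python
# Added example, not code from the thread. Opcodes, frame layout and sample
# bytes are taken from post #1; function names are this example's own.
READ_OP, WRITE_OP = 0x10, 0xB0
BLOCK_LEN = 8  # data bytes carried by the write command in the post


def crc_a(data: bytes) -> int:
    """ISO/IEC 14443-3 Type A CRC: initial value 0x6363, sent low byte first."""
    crc = 0x6363
    for b in data:
        ch = b ^ (crc & 0xFF)
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return crc


def with_crc(payload: bytes) -> bytes:
    """Append CRC_A as two bytes, low byte first."""
    return payload + crc_a(payload).to_bytes(2, "little")


def _check_block(block: int) -> None:
    if not 0 <= block <= 0xFF:
        raise ValueError("block number must fit in one byte")


def read_cmd(block: int) -> bytes:
    """10 NN 00 + CRC."""
    _check_block(block)
    return with_crc(bytes([READ_OP, block, 0x00]))


def write_cmd(block: int, data: bytes) -> bytes:
    """B0 NN 00 + 8 data bytes + CRC."""
    _check_block(block)
    if len(data) != BLOCK_LEN:
        raise ValueError("a block is exactly 8 bytes")
    return with_crc(bytes([WRITE_OP, block, 0x00]) + data)


def echo_matches(written: bytes, response: bytes) -> bool:
    """Per the post, the tag answers a write with the same 8 bytes plus CRC."""
    return response == with_crc(written)


def describe(frame: bytes) -> dict:
    """Classify a captured reader-to-tag frame and check its CRC_A trailer."""
    if len(frame) < 5:
        raise ValueError("frame too short for opcode, block, pad and CRC")
    body, trailer = frame[:-2], frame[-2:]
    info = {"kind": "unknown", "block": body[1], "crc_ok": with_crc(body) == frame}
    if body[0] == READ_OP and len(body) == 3:
        info["kind"] = "read"
    elif body[0] == WRITE_OP and len(body) == 3 + BLOCK_LEN:
        info["kind"] = "write"
        info["data"] = body[3:]
        # A trailer can also be a CRC over the 8 data bytes alone, which is
        # the form the tag's echo takes; report that case separately.
        info["crc_over_data_only"] = with_crc(body[3:])[-2:] == trailer
    return info


if __name__ == "__main__":
    for sample in ("100300E90A", "B0030011223344556677880321"):
        print(sample, describe(bytes.fromhex(sample)))
```

Run on the two samples from the post, the read frame validates as written, while the trailer `03 21` on the write sample equals CRC_A over the eight data bytes (the form of the tag's echo) rather than CRC_A over the full eleven-byte command.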

#2 2017-01-27 12:53:11

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: [solved] AZTEK iso14443a compliant tag

I've heard about it. There is/was a way to "lock" a specific sector, so debit command from vending machine would fail.
However, (at this time) it just was a classic MF tag with sectors 8 to 15 using custom KEYs.
And this stuff is really old. Last models I have seen were using MIFARE Plus and a few others worked with LEGIC tags.


Can we get a photo of the tag? They might have released a new version! :L)

Last edited by app_o1 (2017-01-27 12:53:56)

Offline

#3 2017-01-27 13:57:05

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [solved] AZTEK iso14443a compliant tag

It seems to be a non-crypto iso14443a tag with just basic commands (read/write).

Offline

#4 2017-01-27 14:26:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [solved] AZTEK iso14443a compliant tag

aztek.jpg

Offline

#5 2017-01-27 15:54:54

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: [solved] AZTEK iso14443a compliant tag

There is nothing different from what was produced 10 years ago.
Judging from the wear and tear, this fob is at least 2 or 3 years old.
How sure are we that it is not a MS50 anymore? Is the UID D17F9365?

Offline

#6 2017-01-27 18:02:01

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [solved] AZTEK iso14443a compliant tag

It doesn't answer to mifare commands. UID is 65 93 7f d1.

Last edited by asper (2017-01-27 18:02:58)

Offline

#7 2017-01-27 19:13:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [solved] AZTEK iso14443a compliant tag

As @Asper and @joker42 (github) write, it doesn't answer to Mifare commands. We are 100% sure of it.

UID is same byteorder on tag as on picture.

Offline

#8 2017-01-28 14:39:17

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: [solved] AZTEK iso14443a compliant tag

How does it answer to MFU commands?
Are we sure MFU commands are working "well" recently?

What is this Aztek reader fitted on? (the brand of the vending machine)

Can the fob be melted in acetone (or else) so we can have a look at the IC/antenna?

Offline

#9 2017-01-30 10:52:48

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: [solved] AZTEK iso14443a compliant tag

It is French and is used on the Luxeo Readers, which can read Mifare Classic, Mifare X, Mifare S, DesFire and HID.
http://www.aztek.lu/en/products/solution-all-in-one

Offline

#10 2017-01-30 12:14:10

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [solved] AZTEK iso14443a compliant tag

"Solution of private payment (Aztek)", this should be our case. If not, this can also be an example of the "mysterious" calypso standard (claimed to be supported in the datasheets found on the previous link) but I don't think so.

Last edited by asper (2017-01-30 17:50:18)

Offline

#11 2017-01-30 17:31:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [solved] AZTEK iso14443a compliant tag

I've added a simple lua script which dumps an Aztek tag to icemanfork. Dumping both to screen and to uid.eml file.
It also tries to xor the block data with a xorkey I think is used. This only to screen.

pm3 --> sc r ufodump -h
--- Executing: ./scripts/ufodump.lua, args'-h'
This is a script that reads AZTEK iso14443a tags.
It starts from block 0,  and ends at default block 20.  Use 'b' to say different endblock.

xor:  the first three block (0,1,2) is not XORED.  The rest seems to be xored.

Arguments:
      h   this helptext
      b   endblock in decimal (1-255,  default 20)

Example usage
        script run ufodump
        script run ufodump -b 10

Offline

#12 2017-01-30 17:34:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [solved] AZTEK iso14443a compliant tag

By suggestion from @asper,  I also tried to write to block0,  it failed.

Offline

#13 2017-01-30 20:48:38

joker42
Member
Registered: 2017-01-30
Posts: 3

Re: [solved] AZTEK iso14443a compliant tag

Hi,

So for me the dump is :

blk | data             | xored
----+------------------+-------------------
 00 | 08000000656BCAD1 | 08000000656BCAD1 |
 01 | 0000000000000000 | 0000000000000000 |
 02 | 10414D28000B010B | 10414D28000B010B |
 03 | 55AA55AA55AA55AA | 0000000000000000 |
 04 | 55AA55AA55AA55AA | 0000000000000000 |
 05 | 55AA55AA55AA55AA | 0000000000000000 |
 06 | 55AA55AA55AA55AA | 0000000000000000 |
 07 | 55AA55AA55AA55AA | 0000000000000000 |
 08 | 55AA55AA55AA55AA | 0000000000000000 |
 09 | 55AA55AA55AA55AA | 0000000000000000 |
 10 | 55AA55AA55AA55AA | 0000000000000000 |
 11 | AD1D95D1EFBD6D5A | F8B7C07BBA1738F0 |
 12 | 1AB785DAEFBAF046 | 4F1DD070BA10A5EC |
 13 | 08C2E512B961708C | 5D68B0B8ECCB2526 |
 14 | B350ACC34EB223F0 | E6FAF9691B18765A |
 15 | 55AA55AA55AA55AA | 0000000000000000 |
 16 | C0B912BE2447F994 | 9513471471EDAC3E |
 17 | B1CC296CC0F3C469 | E4667CC6955991C3 |
 18 | 01DC9AD76FDF6733 | 5476CF7D3A753299 |
 19 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
 20 | F20C7DD23CB28EA5 | A7A628786918DB0F |
----+------------------+-------------------

And here is the diff with @iceman :

1c1
< 08000000656BCAD1
---
> 0800000065937FD1
3c3
< 10414D28000B010B
---
> 1041BA8C00060509
12,15c12,15
< AD1D95D1EFBD6D5A
< 1AB785DAEFBAF046
< 08C2E512B961708C
< B350ACC34EB223F0
---
> 045D56752F4CB77E
> 3D084508E78E6FF2
> 46C714C7BF693B35
> 2BC96267E224D5DB
17,21c17,21
< C0B912BE2447F994
< B1CC296CC0F3C469
< 01DC9AD76FDF6733
< 33BE1F217BA665CA
< F20C7DD23CB28EA5
---
> 4DC37827785E06D5
> D90C66554984B559
> 7A1B9349045DCD4E
> 464AFB36F4BA8748
> 246DDDBEDD75AA16

Weird that there is so much diff though.

Offline

#14 2017-01-30 20:58:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [solved] AZTEK iso14443a compliant tag

How about looking at the xor diff?
Looking at the read command,  max blockno is 255 but when I look at a dump around block70 the pattern kind of stops and becomes "55aa..." rows.

http://pastebin.com/UqxAaXsT

Offline

#15 2017-01-30 21:18:13

Bebeoix
Contributor
Registered: 2014-02-03
Posts: 22

Re: [solved] AZTEK iso14443a compliant tag

Here is the dump : http://pastebin.com/hR8iWEiz

Last edited by Bebeoix (2017-01-30 21:40:58)

Offline

#16 2017-01-30 21:27:18

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [solved] AZTEK iso14443a compliant tag

@bebeoix, I think I got your tag you posted about 6 months ago....

Offline

#17 2017-01-30 21:38:12

Bebeoix
Contributor
Registered: 2014-02-03
Posts: 22

Re: [solved] AZTEK iso14443a compliant tag

@iceman, it's the same person, I was out of the nfc scene for a while, I forgot I was still logged on this old account in that browser.

Last edited by Bebeoix (2017-01-30 21:46:28)

Offline

#18 2017-01-30 21:44:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [solved] AZTEK iso14443a compliant tag

That's an old browser session you have... :)    So joker42/bebeoix, now that you can dump a tag,
do a transaction and dump again, then diff... easy. Let's hope we learn something. I still want to test my xored idea.

Offline

#19 2017-01-30 21:46:45

Bebeoix
Contributor
Registered: 2014-02-03
Posts: 22

Re: [solved] AZTEK iso14443a compliant tag

Will do.
I understood the thing with the xorkey.

Last edited by Bebeoix (2017-01-30 21:57:58)

Offline

#20 2017-01-31 21:07:08

joker42
Member
Registered: 2017-01-30
Posts: 3

Re: [solved] AZTEK iso14443a compliant tag

Very very strange discovery today, this little challenge keeps up with the fun...

Before any change (1.15):


After a change (1.10):


After another change (1.05):


Now do the diff between 115 and 110, then between 110 and 105, then 115 and 105. I never saw so much different data at different addresses being changed for one transaction regarding a 1 or 2 digit change.

Diff 1:

diff 1.15 1.10
19,21c19,21
<  16 | C0B912BE2447F994 | 9513471471EDAC3E |
<  17 | B1CC296CC0F3C469 | E4667CC6955991C3 |
<  18 | 01DC9AD76FDF6733 | 5476CF7D3A753299 |
---
>  16 | EB50BC721F20DC4B | BEFAE9D84A8A89E1 |
>  17 | 4D59CB61E90DA8D2 | 18F39ECBBCA7FD78 |
>  18 | 80EA93BE7D7C885B | D540C61428D6DDF1 |
23c23
<  20 | F20C7DD23CB28EA5 | A7A628786918DB0F |
---
>  20 | 7AD6E94C7012FE59 | 2F7CBCE625B8ABF3 |

Diff 2:

diff 1.10 1.05
24,26c24,26
<  21 | 98A48785F0EFC62C | CD0ED22FA5459386 |
<  22 | DA49EEB84A73A8E4 | 8FE3BB121FD9FD4E |
<  23 | 2CA6C073A6458488 | 790C95D9F3EFD122 |
---
>  21 | 2F166903396F1096 | 7ABC3CA96CC5453C |
>  22 | 4D59CB61E90DA8D2 | 18F39ECBBCA7FD78 |
>  23 | 69971D19B7BA0358 | 3C3D48B3E21056F2 |
28c28
<  25 | 6FAFEC2086C7E7CB | 3A05B98AD36DB261 |
---
>  25 | 810B4BBD4FA6AAA7 | D4A11E171A0CFF0D |

Offline
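The dump-and-diff step from posts #11, #18 and #20, as an added example that is not part of the thread and not the ufodump script: it parses the `blk | data | xored` rows, recomputes the xored column with the 55AA... pattern, and lists the blocks that differ between two dumps. The embedded rows are copied from the dumps posted in the thread; the function names and the per-block bit-flip count are this example's own additions.

```python
# Added example, not the ufodump script. Key and layout are read off the
# posted tables; function names are this example's own.
XOR_KEY = bytes.fromhex("55AA55AA55AA55AA")  # data ^ xored in the posted rows
FIRST_XORED_BLOCK = 3                        # script help: blocks 0-2 are not XORed

# Rows copied from the dumps posted in the thread (balance 1.15, then 1.10).
DUMP_115 = """\
blk | data             | xored
----+------------------+-------------------
 02 | 10414D28000B010B | 10414D28000B010B |
 15 | 55AA55AA55AA55AA | 0000000000000000 |
 16 | C0B912BE2447F994 | 9513471471EDAC3E |
 17 | B1CC296CC0F3C469 | E4667CC6955991C3 |
 18 | 01DC9AD76FDF6733 | 5476CF7D3A753299 |
 19 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
 20 | F20C7DD23CB28EA5 | A7A628786918DB0F |
"""
DUMP_110 = """\
 02 | 10414D28000B010B | 10414D28000B010B |
 15 | 55AA55AA55AA55AA | 0000000000000000 |
 16 | EB50BC721F20DC4B | BEFAE9D84A8A89E1 |
 17 | 4D59CB61E90DA8D2 | 18F39ECBBCA7FD78 |
 18 | 80EA93BE7D7C885B | D540C61428D6DDF1 |
 19 | 33BE1F217BA665CA | 66144A8B2E0C3060 |
 20 | 7AD6E94C7012FE59 | 2F7CBCE625B8ABF3 |
"""


def parse_dump(text):
    """Parse 'blk | data | xored |' rows into {block: (data, xored)}."""
    rows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3 or not cells[0].isdigit():
            continue  # header, separator or blank line
        data, xored = bytes.fromhex(cells[1]), bytes.fromhex(cells[2])
        if len(data) != 8 or len(xored) != 8:
            raise ValueError(f"block {cells[0]}: expected 8 bytes per column")
        rows[int(cells[0])] = (data, xored)
    return rows


def unxor(block, data):
    """Apply the XOR pattern from block 3 upward; blocks 0-2 pass through."""
    if block < FIRST_XORED_BLOCK:
        return data
    return bytes(a ^ b for a, b in zip(data, XOR_KEY))


def column_mismatches(dump):
    """Blocks whose posted xored column is not data XOR key."""
    return [blk for blk, (data, xored) in sorted(dump.items())
            if unxor(blk, data) != xored]


def diff_dumps(before, after):
    """(block, before, after, bits flipped) for every block that changed."""
    out = []
    for blk in sorted(before.keys() & after.keys()):
        b, a = before[blk][0], after[blk][0]
        if b != a:
            flipped = bin(int.from_bytes(b, "big") ^ int.from_bytes(a, "big")).count("1")
            out.append((blk, unxor(blk, b).hex().upper(),
                        unxor(blk, a).hex().upper(), flipped))
    return out


if __name__ == "__main__":
    old, new = parse_dump(DUMP_115), parse_dump(DUMP_110)
    print("xored column mismatches:", column_mismatches(old) + column_mismatches(new))
    for blk, b, a, bits in diff_dumps(old, new):
        print(f"block {blk:02d}: {b} -> {a}  ({bits}/64 bits differ)")
```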

#21 2017-01-31 21:21:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [solved] AZTEK iso14443a compliant tag

The data could also be encrypted,  not just xored.

Offline

#22 2017-01-31 22:24:28

joker42
Member
Registered: 2017-01-30
Posts: 3

Re: [solved] AZTEK iso14443a compliant tag

True. They could have used mifare instead of re-implementing a whole protocol with xor and encryption over 14a... Maybe they had time...

About the fact that it is not the same blocks that are modded, maybe it's a separate range of blocks for every digit.

Offline

#23 2017-02-01 14:43:02

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [solved] AZTEK iso14443a compliant tag

Reader is probably this one (Modulo+, not Modulo): http://www.aztek.lu/en/products/modulo
Software can be found here: http://www.lmcontrol.com/systemes-paiem … odulo.html
Here you can find useful pdf about how to use software: http://www.lmcontrol.com/images/stories/produits/pdf/

Encryption can be managed by reader firmware but maybe can be decoded by the software; if not, we are out of luck.

Last edited by asper (2017-02-01 14:43:36)

Offline

#24 2017-05-29 20:48:45

Neverlies
Contributor
Registered: 2017-05-29
Posts: 4

Re: [solved] AZTEK iso14443a compliant tag

Sounds nice ! Got almost the same device, same brand !
I've found the missing B key and started to dump as you've made this key with different balance amounts... for now, not able to find any logic in the encryption.

Have you found anything new ?

Offline

#25 2017-05-29 21:00:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [solved] AZTEK iso14443a compliant tag

For the tag in this thread, there are no key A or Key B.  It is not a Mifare Classic tag.

So, this raises the question what kind of tag does @neverlies have? Would you mind posting your traces, dumpdata etc?

Offline

#26 2017-05-30 20:11:23

Neverlies
Contributor
Registered: 2017-05-29
Posts: 4

Re: [solved] AZTEK iso14443a compliant tag

OK, so mine is identified as a mifare classic tag and got "standard" key A + custom Key B for sectors 8 to 14 included (same key for all these sectors).
This one is also used in a Luxeo/Aztek machine.

Tag is like this one:
console11.jpg

I don't have access to my dumps right now, will share some diff as soon as I can.

Diff from a dump with 0.45 vs 0.95:

  0000240: e7f5 ce7c 1b6b b1a3 37b1 7e13 4199 9a4f  ...|.k..7.~.A..O  |  0000240: 3b2f e097 98ae c19a 17e3 cecc 6bf7 9dc0  ;/..........k...  
  0000250: 7daf 37b0 5b95 ecc1 7c71 2ba8 5679 10d3  }.7.[...|q+.Vy..  |  0000250: d6a6 1d4a 2e9b 94f7 7c71 2ba8 5679 10d3  ...J....|q+.Vy..  
..
  0000280: af66 0fa4 1b19 f22b 70cf 8b46 8dc7 144d  .f.....+p..F...M  |  0000280: af66 0fa4 1b19 f22b 8ed0 d5c5 f07e c8f6  .f.....+.....~..  

Diff from a dump with 0.45 vs 0.37:

  0000240: e7f5 ce7c 1b6b b1a3 37b1 7e13 4199 9a4f  ...|.k..7.~.A..O  |  0000240: 7a71 189b 41c3 f52f 7e90 4731 0be3 38ad  zq..A../~.G1..8.  
  0000250: 7daf 37b0 5b95 ecc1 7c71 2ba8 5679 10d3  }.7.[...|q+.Vy..  |  0000250: de19 7306 aef3 661b 7c71 2ba8 5679 10d3  ..s...f.|q+.Vy..  
  0000260: 0327 25fc cd1b cd05 285c e15e fe9f f9e0  .'%.....(\.^....  |  0000260: 0327 25fc cd1b cd05 cb0c 76f9 95c2 ab24  .'%.......v....$  

  0000280: af66 0fa4 1b19 f22b 70cf 8b46 8dc7 144d  .f.....+p..F...M  |  0000280: af66 0fa4 1b19 f22b e4bd afa6 20ad 5fa2  .f.....+.... ._.  
  0000290: a62e 23fb a9b0 fa56 37b1 7e13 4199 9a4f  ..#....V7.~.A..O  |  0000290: 83a1 5635 0fdd 5dcc 7e90 4731 0be3 38ad  ..V5..].~.G1..8.  
  00002a0: d402 a8d1 6bc3 641d 7c71 2ba8 5679 10d3  ....k.d.|q+.Vy..  |  00002a0: c29a f5ee eb76 fb37 7c71 2ba8 5679 10d3  .....v.7|q+.Vy..  


  00002d0: af66 0fa4 1b19 f22b 81cf e5ae bae9 588e  .f.....+......X.  |  00002d0: af66 0fa4 1b19 f22b 4e83 6b39 f3cc 564b  .f.....+N.k9..VK  

Diff from a dump with 0.95 vs 0.37:

  0000240: 3b2f e097 98ae c19a 17e3 cecc 6bf7 9dc0  ;/..........k...  |  0000240: 7a71 189b 41c3 f52f 7e90 4731 0be3 38ad  zq..A../~.G1..8.  
  0000250: d6a6 1d4a 2e9b 94f7 7c71 2ba8 5679 10d3  ...J....|q+.Vy..  |  0000250: de19 7306 aef3 661b 7c71 2ba8 5679 10d3  ..s...f.|q+.Vy..  
  0000260: 0327 25fc cd1b cd05 285c e15e fe9f f9e0  .'%.....(\.^....  |  0000260: 0327 25fc cd1b cd05 cb0c 76f9 95c2 ab24  .'%.......v....$  

  0000280: af66 0fa4 1b19 f22b 8ed0 d5c5 f07e c8f6  .f.....+.....~..  |  0000280: af66 0fa4 1b19 f22b e4bd afa6 20ad 5fa2  .f.....+.... ._.  
  0000290: a62e 23fb a9b0 fa56 37b1 7e13 4199 9a4f  ..#....V7.~.A..O  |  0000290: 83a1 5635 0fdd 5dcc 7e90 4731 0be3 38ad  ..V5..].~.G1..8.  
  00002a0: d402 a8d1 6bc3 641d 7c71 2ba8 5679 10d3  ....k.d.|q+.Vy..  |  00002a0: c29a f5ee eb76 fb37 7c71 2ba8 5679 10d3  .....v.7|q+.Vy..  


  00002d0: af66 0fa4 1b19 f22b 81cf e5ae bae9 588e  .f.....+......X.  |  00002d0: af66 0fa4 1b19 f22b 4e83 6b39 f3cc 564b  .f.....+N.k9..VK  

Last edited by Neverlies (2017-05-30 20:21:56)

Offline

#27 2017-05-30 20:26:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [solved] AZTEK iso14443a compliant tag

looks like a newer model.  cool.  What is the keyA/B?

The data looks encrypted.

Offline

#28 2017-05-30 20:34:14

Neverlies
Contributor
Registered: 2017-05-29
Posts: 4

Re: [solved] AZTEK iso14443a compliant tag

Keys A are some default ones:

ffffffffffff
a0a1a2a3a4a5

Key B is:

415a54454b4d

At least for this device; not sure every device has the same key. Will have to get at least a couple of other fobs in order to check this. But as you can see, this Key B is not really random :D And the suffix M is the same as the first character on the printed serial number on the fob ;)

Offline

#29 2018-09-29 06:01:03

cedisov62
Contributor
Registered: 2018-09-28
Posts: 10

Re: [solved] AZTEK iso14443a compliant tag

Hello, does someone have some news? NXP shows my Aztek tag as Infineon Technologies AG my-d NFC (SLE66R16P)

Offline

#30 2019-02-21 16:32:54

loupetre
Contributor
Registered: 2019-01-21
Posts: 29

Re: [solved] AZTEK iso14443a compliant tag

Hello everyone,

I confirm these tags all have 415a54454b4d as the B key, on sectors 9 to 15 (assuming the first sector is sector 1, not 0).
The trailer keys are default keys (a0a1a2a3a4a5 and b0b1b2b3b4b5).
The tag is recognised as a mifare classic 1K on my side.

A question for Iceman: why have you used '55AA55AA55AA55AA6262' as a XOR key? Actually, I do not understand why 6262 at the end, which gives a 10-byte key?

Dumps are really difficult to understand. Some kind of encrypted. Diffs after recharging or using the tag are not really logical ...

Offline
