Research, development and trades concerning the powerful Proxmark3 device.
Hello.
I cloned a Mifare Classic 1K with an ACR122 onto a UID-rewritable keyfob and it worked. But then they changed the NFC lock. My keyfob stopped working; I checked the original key and noticed that some data had changed. So I cloned it again, but the newly cloned keyfob didn't work! I tried a bunch of them.
Then I tried to emulate the key with proxmark3, but it didn't work either!
This happens when I try to open the lock with proxmark3:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2676 | 5044 | Tag | 04 00 | |
5400374 | 5401366 | Rdr | 52 | | WUPA
5402922 | 5405290 | Tag | 04 00 | |
10800860 | 10801852 | Rdr | 52 | | WUPA
10803280 | 10805648 | Tag | 04 00 | |
16201216 | 16202208 | Rdr | 52 | | WUPA
16203892 | 16206260 | Tag | 04 00 | |
21601172 | 21602164 | Rdr | 52 | | WUPA
21603720 | 21606088 | Tag | 04 00 | |
32469596 | 32470588 | Rdr | 52 | | WUPA
32472144 | 32474512 | Tag | 04 00 | |
37869922 | 37870914 | Rdr | 52 | | WUPA
37872662 | 37875030 | Tag | 04 00 | |
37900002 | 37902466 | Rdr | 93 20 | | ANTICOLL
37904278 | 37910102 | Tag | 2d 71 74 2e 06 | |
48739290 | 48740282 | Rdr | 52 | | WUPA
48741838 | 48744206 | Tag | 04 00 | |
Log captured when using the original key:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 2368 | Tag | 04 00 | |
10931724 | 10932716 | Rdr | 52 | | WUPA
10933984 | 10936352 | Tag | 04 00 | |
10961804 | 10964268 | Rdr | 93 20 | | ANTICOLL
10965472 | 10971296 | Tag | 2d 71 74 2e 06 | |
11003788 | 11014316 | Rdr | 93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
11015520 | 11019040 | Tag | 08 b6 dd | |
11037836 | 11042604 | Rdr | 50 00 57 cd | ok | HALT
12488252 | 12489244 | Rdr | 52 | | WUPA
12490512 | 12492880 | Tag | 04 00 | |
12518460 | 12520924 | Rdr | 93 20 | | ANTICOLL
12522128 | 12527952 | Tag | 2d 71 74 2e 06 | |
12572048 | 12575568 | Tag | 08 b6 dd | |
12632336 | 12637072 | Tag | dc 57 6e 7a | |
12662288 | 12667024 | Tag |29! 54 b5 9b | |
12691600 | 12712400 | Tag |d0! ac! 9c! c5 c6 24! 98! e8! b3! 59 d4! 27! 22 78 1b! 13 | |
| | | 8f 84 | !crc|
12933580 | 12934572 | Rdr | 40 | | MAGIC WUPC1
Can someone clarify what is going wrong when I'm using emulation? ACR122 reads emulated key without any problem.
hw version
hw tune
hf 14a read
Which command did you use to make these traces? "hf 14a sim" or "hf mf sim"?
proxmark3> hw version
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 0 bytes ( 0%). Free: 262144 bytes (100%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 31,21 V @ 125.00 kHz
# LF antenna: 30,52 V @ 134.00 kHz
# LF optimal: 37,26 V @ 129,03 kHz
# HF antenna: 29,78 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
With original key placed on antenna:
proxmark3> hf 14a read
UID : 2d 71 74 2e
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
For emulation I use "hf mf eload <filename>" and "hf mf sim", then I press the button on pm3 and get the trace with "hf list 14a".
Last edited by MRZA (2017-02-08 17:42:26)
hf mf sim has an open issue: https://github.com/Proxmark/proxmark3/issues/105
It doesn't work too well. For some validations of mine, would you mind compiling/flashing and running the sim using the iceman fork?
I tried to sniff with copied tag:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 2368 | Tag | 04 00 | |
31488 | 37312 | Tag | 2d 71 74 2e 06 | |
81280 | 84800 | Tag | 08 b6 dd | |
194304 | 194880 | Tag |0a! | |
11032496 | 11034864 | Tag | 04 00 | |
11063872 | 11069696 | Tag | 2d 71 74 2e 06 | |
11113664 | 11117184 | Tag | 08 b6 dd | |
11225792 | 11226368 | Tag |0a! | |
22062832 | 22065200 | Tag | 04 00 | |
22094192 | 22100016 | Tag | 2d 71 74 2e 06 | |
22144112 | 22147632 | Tag | 08 b6 dd | |
22257152 | 22257728 | Tag |0a! | |
For some reason there are no requests from the reader in this trace.
What is "0a!"?
Then I flashed iceman's fork and tried to emulate, but it didn't work either. Also, I didn't see any trace log:
Loaded 64 blocks from file: dumpNEW.eml
uid:N/A, numreads:0, flags:0 (0x00)
#db# Emulator stopped. Tracing: 1 trace length: 42
Recorded Activity (TraceLen = 0 bytes)
Your sniff shows only tag responses; think about the placement of the antenna while sniffing and find a good spot.
A few more debug statements would be nice, and which commands (parameters) you used would also help.
And are you really using the same client as the one you flashed the full image from? Your "flags" is zero, which it shouldn't be.
hf mf dbg 4
hf mf sim
I'm using proxdroid client. Is it possible to compile your fork for Android? If not, I can try to use RPi.
I have no idea how to compile my fork for Android. Maybe one of those proxdroid people wouldn't mind looking into it.
Try a pie
I tried to compile it for Android:
In file included from jni/../proxmark3/client/ui.h:33:
jni/../proxmark3/client/util.h:140:27: error: expected ')'
uint32_t le32toh (uint8_t *data);
^
jni/../proxmark3/client/util.h:140:10: note: to match this '('
uint32_t le32toh (uint8_t *data);
And on RPi3:
gcc -DHAS_512_FLASH -std=c99 -O3 -mpopcnt -march=native -g -I. -I../include -I../common -I../zlib -I/opt/local/include -I../liblua -Wall -DHAVE_GUI -DZ_SOLO -DZ_PREFIX -DNO_GZIP -DZLIB_PM3_TUNED -c -o obj/proxmark3.o proxmark3.c
*** Error in `gcc': double free or corruption (top): 0x018ba0f8 ***
Makefile:204: recipe for target 'obj/proxmark3.o' failed
make[1]: *** [obj/proxmark3.o] Aborted
There is a bug in Raspbian's GCC. I tweaked Makefile and managed to compile it. I'll test it today.
@MRZA Cool! Would you mind sending me the tweaked Makefiles? Maybe open an issue on GitHub and post links to them?
Just remove "-mpopcnt -march=native" from the Makefile. According to the gcc bug tracker it should be fixed in newer gcc releases.
But using proxmark3 on the RPi is so painful because I use a touchscreen with a buggy onscreen keyboard and a buggy LXDE. Couldn't test it today because some guy opened the door from the other side.
hm.. if you remove those, the hardnested BF solver will most likely not work.
Will this affect simulation and sniffing?
I tried with hf mf dbg 4:
Loaded 64 blocks from file: dumpNEW.eml
#db# Debug level: 4
uid:N/A, numreads:0, flags:18 (0x12)
#db# 4B UID: 2d71742e
#db# ISO14443A Timeout set to 1060 (10ms)
#db# SELECT ALL received
#db# --> WORK. anticol1 time: 9
#db# Emulator stopped. Tracing: 1 trace length: 203
Recorded Activity (TraceLen = 203 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2676 | 5044 | Tag |04 00 | |
16289570 | 16290562 | Rdr |52 | | WUPA
16292246 | 16294614 | Tag |04 00 | |
48935722 | 48936714 | Rdr |52 | | WUPA
48938462 | 48940830 | Tag |04 00 | |
65222222 | 65223214 | Rdr |52 | | WUPA
65225090 | 65227458 | Tag |04 00 | |
65252174 | 65254638 | Rdr |93 20 | | ANTICOLL
65289986 | 65295810 | Tag |2d 71 74 2e 06 | |
65328078 | 65338606 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
65340290 | 65343810 | Tag |08 b6 dd | |
70740936 | 70741928 | Rdr |52 | | WUPA
70743612 | 70745980 | Tag |04 00 | |
76124836 | 76125828 | Rdr |52 | | WUPA
76127512 | 76129880 | Tag |04 00 | |
86960876 | 86961868 | Rdr |52 | | WUPA
86963680 | 86966048 | Tag |04 00 | |
I also tried hf mf sniff on the cloned key and the original one (at the end of the log):
#db# ISO14443A Timeout set to 1060 (10ms)
#db# cancelled by button
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=1048, Uart.output[0]=00000040
Recorded Activity (TraceLen = 1048 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 2368 | Tag |04 00 | |
31488 | 37312 | Tag |2d 71 74 2e 06 | |
81536 | 85056 | Tag |08 b6 dd | |
194960 | 195536 | Tag |0a! | |
11071344 | 11073712 | Tag |04 00 | |
11102960 | 11108784 | Tag |2d 71 74 2e 06 | |
11152880 | 11156400 | Tag |08 b6 dd | |
11265392 | 11265968 | Tag |0a! | |
22143072 | 22145440 | Tag |04 00 | |
22174672 | 22180496 | Tag |2d 71 74 2e 06 | |
22224608 | 22228128 | Tag |08 b6 dd | |
22337248 | 22337824 | Tag |0a! | |
33212480 | 33214848 | Tag |04 00 | |
33243968 | 33249792 | Tag |2d 71 74 2e 06 | |
33293888 | 33297408 | Tag |08 b6 dd | |
33406528 | 33407104 | Tag |0a! | |
60687776 | 60690144 | Tag |04 00 | |
60719264 | 60725088 | Tag |2d 71 74 2e 06 | |
60769184 | 60772704 | Tag |08 b6 dd | |
60879452 | 60880444 | Rdr |40 | | MAGIC WUPC1
60881696 | 60882272 | Tag |0a! | |
66288972 | 66289964 | Rdr |52 | | WUPA
71758736 | 71761104 | Tag |04 00 | |
71790352 | 71796176 | Tag |2d 71 74 2e 06 | |
71840272 | 71843792 | Tag |08 b6 dd | |
71950540 | 71951532 | Rdr |40 | | MAGIC WUPC1
71952784 | 71953360 | Tag |0a! | |
82831376 | 82833744 | Tag |04 00 | |
82862864 | 82868688 | Tag |2d 71 74 2e 06 | |
82912912 | 82916432 | Tag |08 b6 dd | |
83026320 | 83026896 | Tag |0a! | |
93902608 | 93904976 | Tag |04 00 | |
104839168 | 104841536 | Tag |04 00 | |
104870784 | 104876608 | Tag |2d 71 74 2e 06 | |
104920704 | 104924224 | Tag |08 b6 dd | |
105033344 | 105033920 | Tag |0a! | |
121380720 | 121383088 | Tag |04 00 | |
121412336 | 121418160 | Tag |2d 71 74 2e 06 | |
121462256 | 121465776 | Tag |08 b6 dd | |
121574784 | 121575360 | Tag |0a! | |
132454384 | 132456752 | Tag |04 00 | |
132485872 | 132491696 | Tag |2d 71 74 2e 06 | |
132535936 | 132539456 | Tag |08 b6 dd | |
132649344 | 132649920 | Tag |0a! | |
154465408 | 154467776 | Tag |04 00 | |
154496896 | 154502720 | Tag |2d 71 74 2e 06 | |
154546944 | 154550464 | Tag |08 b6 dd | |
154660352 | 154660928 | Tag |0a! | |
171010048 | 171012416 | Tag |04 00 | |
171038012 | 171040476 | Rdr |93 20 | | ANTICOLL
171041664 | 171047488 | Tag |2d 71 74 2e 06 | |
171079868 | 171090396 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
171091584 | 171095104 | Tag |08 b6 dd | |
171113148 | 171117916 | Rdr |50 00 57 cd | ok | HALT
171201852 | 171202844 | Rdr |40 | | MAGIC WUPC1
171204112 | 171204688 | Tag |0a! | |
203958304 | 203960672 | Tag |04 00 | |
203989920 | 203995744 | Tag |2d 71 74 2e 06 | |
204039840 | 204043360 | Tag |08 b6 dd | |
204152368 | 204152944 | Tag |0a! | |
215032112 | 215034480 | Tag |04 00 | |
215063728 | 215069552 | Tag |2d 71 74 2e 06 | |
215113648 | 215117168 | Tag |08 b6 dd | |
215226288 | 215226864 | Tag |0a! | |
275321404 | 275322396 | Rdr |52 | | WUPA
275323648 | 275326016 | Tag |04 00 | |
275351484 | 275353948 | Rdr |93 20 | | ANTICOLL
275355136 | 275360960 | Tag |2d 71 74 2e 06 | |
275393468 | 275403996 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
275405184 | 275408704 | Tag |08 b6 dd | |
275427516 | 275432284 | Rdr |50 00 57 cd | ok | HALT
276878444 | 276879436 | Rdr |52 | | WUPA
276880688 | 276883056 | Tag |04 00 | |
276908524 | 276910988 | Rdr |93 20 | | ANTICOLL
276912176 | 276918000 | Tag |2d 71 74 2e 06 | |
276950508 | 276961036 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
276962240 | 276965760 | Tag |08 b6 dd | |
277017068 | 277021836 | Rdr |61 20 2f 43 | ok | AUTH-B(32)
277023424 | 277028096 | Tag |8c 6d 32 28 | |
277042796 | 277052172 | Rdr |7b! 3e! e0! 5b bc! 08! 0b 47! | !crc|
277053376 | 277058112 | Tag |1e! ea b2 2e! | |
277076716 | 277081484 | Rdr |5e! d0 12! 44! | !crc|
277082688 | 277103488 | Tag |cc! 1f 18 0c c4! 52! 75! 6a 7a 12! d9! ae! 9b 3d! 6f! f9! | |
| | |7b! ca | !crc|
277156844 | 277157836 | Rdr |52 | | WUPA
277238508 | 277240908 | Rdr |50 00 | | HALT
277324396 | 277325388 | Rdr |40 | | MAGIC WUPC1
Last edited by MRZA (2017-02-16 19:52:31)
A suggestion: don't use debug mode when sniffing or simming; those functions are quite time-critical.
You will still get a nice trace log with "hf 14a list"...
The original block 32 B key is [0fa30c8d0e20], and it tries to read block 32 (0x20).
Even if the trace is bad, you can still see the reader sends 0x40; if the tag responds with 0x0A, it fails.
That's the magic detection in place. You should be able to use pm3 sim, or use a generation 2 magic tag.
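To make the reading of these traces mechanical, here is an added Python example (not part of the thread or the proxmark3 client) that parses "hf list 14a" output, verifies the CRC_A on reader frames and the UID BCC in the anticollision reply, and reports whether the tag answered the reader's 0x40 backdoor probe. The two embedded traces are constructed excerpts modelled on the ones posted above, one with a gen1 clone answering 0x0A and one where the tag stays silent.

```python
"""Parse proxmark3 'hf list 14a' trace text and check the things this thread
turns on: CRC_A on reader frames, the UID BCC in the anticollision reply, and
whether the tag answered the reader's 0x40 backdoor probe (MAGIC WUPC1)."""

# Constructed excerpt in the trace-table layout seen in this thread; the
# timings are illustrative, the frame contents follow the posted traces.
SAMPLE_GEN1_CLONE = """\
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|----------------------------|-----|------------|
0 | 992 | Rdr |52 | | WUPA
2740 | 5108 | Tag |04 00 | |
30080 | 32544 | Rdr |93 20 | | ANTICOLL
34228 | 40052 | Tag |2d 71 74 2e 06 | |
60000 | 70528 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
72000 | 75520 | Tag |08 b6 dd | |
90000 | 94768 | Rdr |50 00 57 cd | ok | HALT
120000 | 120992 | Rdr |40 | | MAGIC WUPC1
122000 | 122576 | Tag |0a! | |
"""

# Same exchange, but nothing answers 0x40 (genuine card, gen2 tag or pm3 sim):
# the reader simply goes back to a normal WUPA.
SAMPLE_GENUINE = SAMPLE_GEN1_CLONE.replace(
    "122000 | 122576 | Tag |0a! | |", "130000 | 130992 | Rdr |52 | | WUPA")


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (reflected poly 0x8408, init 0x6363), LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_trace(text: str):
    """Return [(src, data, parity_error)] for each Rdr/Tag row of the table.
    Continuation rows (empty Start/End/Src columns) are not re-joined here."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or cols[2] not in ("Rdr", "Tag"):
            continue
        toks = cols[3].split()
        data = bytes(int(t.rstrip("!"), 16) for t in toks)
        frames.append((cols[2], data, any(t.endswith("!") for t in toks)))
    return frames


def analyse(text: str) -> dict:
    frames = parse_trace(text)
    report = {"crc_bad": [], "bcc_ok": None, "magic_probe": None}
    for i, (src, data, perr) in enumerate(frames):
        prev = frames[i - 1] if i else None
        nxt = frames[i + 1] if i + 1 < len(frames) else None
        # Reader frames of 3+ bytes end in CRC_A. Frames with parity errors were
        # not captured cleanly, so a CRC verdict on them would only be noise.
        if src == "Rdr" and len(data) >= 3 and not perr:
            if crc_a(data[:-2]) != data[-2:]:
                report["crc_bad"].append(data.hex())
        # ANTICOLL reply: UID0..3 then BCC, which must equal UID0^UID1^UID2^UID3.
        if src == "Tag" and len(data) == 5 and prev and prev[1] == b"\x93\x20":
            bcc = 0
            for b in data[:4]:
                bcc ^= b
            report["bcc_ok"] = bcc == data[4]
        # Backdoor probe: the reader sends 0x40 (a 7-bit frame, no CRC). A gen1
        # magic card answers with the 4-bit ACK 0x0A (shown as "0a!" because the
        # short frame trips the parity check); anything else stays silent.
        if src == "Rdr" and data == b"\x40":
            answered = nxt is not None and nxt[0] == "Tag" and nxt[1] == b"\x0a"
            report["magic_probe"] = "answered" if answered else "silent"
    return report


if __name__ == "__main__":
    for name, trace in (("gen1 clone", SAMPLE_GEN1_CLONE),
                        ("genuine/sim", SAMPLE_GENUINE)):
        print(name, analyse(trace))
```

Run against a real "hf list 14a" capture, "magic_probe": "answered" is the signature of the rejection described above, while "silent" with clean CRCs means the reader had no protocol-level reason to refuse the tag.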
The original block 32 B key is [0fa30c8d0e20], and it tries to read block 32 (0x20).
It's from the last attempt with the original key. It works.
Even if the trace is bad, you can still see the reader sends 0x40; if the tag responds with 0x0A, it fails.
That's the magic detection in place. You should be able to use pm3 sim, or use a generation 2 magic tag.
Well, as I supposed, that lock has protection against copied keys. But why doesn't simulation work? The reader sends wakeup requests, ignoring the answers from pm3. What are generation 2 magic keys? Are they discussed here: http://www.proxmark.org/forum/viewtopic.php?id=4572
Search the forum for more details about magic tags and the different generations. The ones talked about in your referenced thread could be a new breed of magic tags. I'm doubtful about their claims until I see them, and I have seen quite a lot of different magic tags.
And the sim most likely did not work because of your debug level. Try with it set to 0.
Tried without setting debug level:
Loaded 64 blocks from file: dumpNEW.eml
uid:N/A, numreads:0, flags:18 (0x12)
#db# 4B UID: 2d71742e
#db# Emulator stopped. Tracing: 1 trace length: 109
Recorded Activity (TraceLen = 109 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2740 | 5108 | Tag |04 00 | |
30080 | 32544 | Rdr |93 20 | | ANTICOLL
34228 | 40052 | Tag |2d 71 74 2e 06 | |
5402234 | 5403226 | Rdr |52 | | WUPA
5404910 | 5407278 | Tag |04 00 | |
10804710 | 10805702 | Rdr |52 | | WUPA
10807514 | 10809882 | Tag |04 00 | |
32616840 | 32617832 | Rdr |52 | | WUPA
32619644 | 32622012 | Tag |04 00 | |
Then I set debug level to 0:
#db# Debug level: 0
uid:N/A, numreads:0, flags:18 (0x12)
Recorded Activity (TraceLen = 638 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2676 | 5044 | Tag |04 00 | |
5402494 | 5403486 | Rdr |52 | | WUPA
5405170 | 5407538 | Tag |04 00 | |
16273898 | 16274890 | Rdr |52 | | WUPA
16276702 | 16279070 | Tag |04 00 | |
27144648 | 27145640 | Rdr |52 | | WUPA
27147452 | 27149820 | Tag |04 00 | |
27174728 | 27177192 | Rdr |93 20 | | ANTICOLL
27178940 | 27184764 | Tag |2d 71 74 2e 06 | |
27217480 | 27228008 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
27229628 | 27233148 | Tag |08 b6 dd | |
27251648 | 27256416 | Rdr |50 00 57 cd | ok | HALT
27340480 | 27341472 | Rdr |40 | | MAGIC WUPC1
28701788 | 28702780 | Rdr |52 | | WUPA
28704464 | 28706832 | Tag |04 00 | |
28731868 | 28734332 | Rdr |93 20 | | ANTICOLL
28735952 | 28741776 | Tag |2d 71 74 2e 06 | |
28774748 | 28785276 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
28786768 | 28790288 | Tag |08 b6 dd | |
28841052 | 28845820 | Rdr |61 20 2f 43 | ok | AUTH-B(32)
28850000 | 28854736 | Tag |00 00 37 d5 | |
28869468 | 28878844 | Rdr |3f 00! 81 0c! 7a! 52! 6b! 21! | !crc|
28882896 | 28887568 | Tag |5d 43 ff 2d | |
28910428 | 28911420 | Rdr |52 | | WUPA
28913104 | 28915472 | Tag |04 00 | |
28940636 | 28943100 | Rdr |93 20 | | ANTICOLL
28944720 | 28950544 | Tag |2d 71 74 2e 06 | |
34370780 | 34371772 | Rdr |52 | | WUPA
34373456 | 34375824 | Tag |04 00 | |
34400860 | 34403324 | Rdr |93 20 | | ANTICOLL
34404944 | 34410768 | Tag |2d 71 74 2e 06 | |
34443740 | 34454268 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
34455760 | 34459280 | Tag |08 b6 dd | |
34477776 | 34482544 | Rdr |50 00 57 cd | ok | HALT
34566608 | 34567600 | Rdr |40 | | MAGIC WUPC1
35927936 | 35928928 | Rdr |52 | | WUPA
35930612 | 35932980 | Tag |04 00 | |
37346594 | 37347586 | Rdr |52 | | WUPA
37349270 | 37351638 | Tag |04 00 | |
37376674 | 37379138 | Rdr |93 20 | | ANTICOLL
37380758 | 37386582 | Tag |2d 71 74 2e 06 | |
37419556 | 37430084 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
37431576 | 37435096 | Tag |08 b6 dd | |
37486116 | 37490884 | Rdr |61 20 2f 43 | ok | AUTH-B(32)
37495064 | 37499736 | Tag |00 00 d7 a3 | |
37514524 | 37523836 | Rdr |45! fe! 83! d0! 74 2b 23! 2a! | !crc|
37527888 | 37532624 | Tag |86 08 84 67 | |
42947682 | 42948674 | Rdr |52 | | WUPA
42950422 | 42952790 | Tag |04 00 | |
59288156 | 59289148 | Rdr |52 | | WUPA
59290832 | 59293200 | Tag |04 00 | |
This looks more interesting. But still no luck with opening the door.
Yep, better.
You can see the reader tries to send 0x40; a gen1 tag would have answered it, but your sim doesn't, so the reader tries the proper anticoll without sending 0x40. It tries to read block 32.
Are you sure you loaded a working dump, with correct keys in it? (and using "hf mf sim" of course)
I've checked with the ACR122: made a new dump from the original tag using the existing keys. The dumps are identical, so it should be a correct dump.
What is wrong with my latest trace? How should the tag answer the 0x40 command?
The sim doesn't answer 0x40; it is neither iso14443a nor mifare standard. So the sim correctly behaves like a normal tag.
The problem with your trace is not the trace itself, but the lack of response from pm3 when the reader wants to authenticate to B-32.
Did you use "hf mf sim"?
You need to "dump" the eloaded image, i.e. dump while pm3 sims.
Did you use "hf mf sim"?
Of course I did:
hf mf eload dumpNEW
hf mf dbg 0
hf mf sim
Then I try to bring pm3 close to the reader several times. I see the red LED turn on, then off. Then I press the button on pm3:
hf list 14a
q
You need to "dump" the eloaded image, i.e. dump while pm3 sims.
Hm… This doesn't work anymore:
$ nfc-mfclassic r a ~/test.mfd keys.mfd
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 2d 71 74 2e
SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Reading out 64 blocks |nfc_initiator_transceive_bytes: Mifare Authentication Failed
!
Error: authentication failed for block 0x3f
On pm3:
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr |26 | | REQA
2484 | 4852 | Tag |04 00 | |
13532 | 15996 | Rdr |93 20 | | ANTICOLL
17680 | 23504 | Tag |2d 71 74 2e 06 | |
44920 | 55448 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
56940 | 60460 | Tag |08 b6 dd | |
190748 | 195452 | Rdr |e0 50 bc a5 | ok | RATS
197008 | 197648 | Tag |04 | |
332886 | 333942 | Rdr |26 | | REQA
335434 | 337802 | Tag |04 00 | |
346690 | 349154 | Rdr |93 20 | | ANTICOLL
350646 | 356470 | Tag |2d 71 74 2e 06 | |
377886 | 388414 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
389906 | 393426 | Tag |08 b6 dd | |
563074 | 567778 | Rdr |60 3f 81 b2 | ok | AUTH-A(63)
572086 | 576822 | Tag |00 00 bb f7 | |
578198 | 587510 | Rdr |4b 62 25! 13! 34 7b 79 35 | !crc| VCSL
591562 | 596298 | Tag |4b a0 49 f2 | |
712002 | 716770 | Rdr |7d 66 e8! 16 | !crc|
719926 | 720566 | Tag |01 | |
Now I don't understand what is happening. Dumps are identical. I double checked.
The dump EML file, would you mind sharing it? I just want to see the sector trailers in it.
I copied it from the .eml file I'm using in simulation:
2d71742e060804006263646566676869
0f0003e103e103e103e103e103e103e1
03e103e103e103e103e103e103e103e1
a0a1a2a3a4a5787788c1ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
b474470eb1464689ad061e9025ed195d
ad4e5b15c971d38f251781e4b29e4ba1
5cab72e4b319b45ccea13c9ebdd13ea3
5c055a595f03787788ff0fa30c8d0e20
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
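Since the sector trailers are what the dump was asked for, here is an added Python example (not from the thread or the proxmark3 client) that parses a 1K .eml dump, lists each sector's key A, access bytes and key B, checks that the access bytes are self-consistent (every C bit is stored together with its complement), and decodes what they allow per block. The dump built inside is constructed, modelled on the one posted above.

```python
"""Walk a MIFARE Classic 1K .eml dump (64 lines of 16 hex bytes) and report each
sector trailer: key A, access bytes, key B, whether the access bytes are
self-consistent, and what they allow for every block of the sector."""

# Access conditions indexed by the 3-bit value C1 C2 C3 of one block.
DATA_ACCESS = {
    0b000: "read A|B, write A|B, inc A|B, dec A|B",
    0b010: "read A|B, write never, inc never, dec never",
    0b100: "read A|B, write B, inc never, dec never",
    0b110: "read A|B, write B, inc B, dec A|B",
    0b001: "read A|B, write never, inc never, dec A|B",
    0b011: "read B, write B, inc never, dec never",
    0b101: "read B, write never, inc never, dec never",
    0b111: "read never, write never, inc never, dec never",
}
TRAILER_ACCESS = {  # key A is never readable; '-' means never
    0b000: "keyA w:A | bits r:A w:- | keyB r:A w:A",
    0b010: "keyA w:- | bits r:A w:- | keyB r:A w:-",
    0b100: "keyA w:B | bits r:A|B w:- | keyB r:- w:B",
    0b110: "keyA w:- | bits r:A|B w:- | keyB r:- w:-",
    0b001: "keyA w:A | bits r:A w:A | keyB r:A w:A",
    0b011: "keyA w:B | bits r:A|B w:B | keyB r:- w:B",
    0b101: "keyA w:- | bits r:A|B w:B | keyB r:- w:-",
    0b111: "keyA w:- | bits r:A|B w:- | keyB r:- w:-",
}


def parse_eml(text: str) -> list:
    """One 16-byte block per non-empty line, 64 blocks for a 1K card."""
    blocks = [bytes.fromhex(l.strip()) for l in text.splitlines() if l.strip()]
    if len(blocks) != 64 or any(len(b) != 16 for b in blocks):
        raise ValueError("expected 64 blocks of 16 bytes (MIFARE Classic 1K)")
    return blocks


def access_bits(trailer: bytes):
    """Return ((C1, C2, C3), consistent). Layout of trailer bytes 6..8:
    byte6 = ~C2 | ~C1, byte7 = C1 | ~C3, byte8 = C3 | C2 (high | low nibble);
    bit i of each nibble belongs to block i of the sector."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    ok = ((c1 ^ (b6 & 0xF)) == 0xF and (c2 ^ (b6 >> 4)) == 0xF
          and (c3 ^ (b7 & 0xF)) == 0xF)
    return (c1, c2, c3), ok


def block_conditions(trailer: bytes):
    """Decode the per-block access condition strings for blocks 0..3."""
    (c1, c2, c3), ok = access_bits(trailer)
    conds = []
    for blk in range(4):
        bits = (((c1 >> blk) & 1) << 2) | (((c2 >> blk) & 1) << 1) | ((c3 >> blk) & 1)
        conds.append((TRAILER_ACCESS if blk == 3 else DATA_ACCESS)[bits])
    return conds, ok


def sector_trailers(blocks: list) -> list:
    out = []
    for s in range(16):
        t = blocks[s * 4 + 3]  # trailer: keyA[0:6] acc[6:9] gpb[9] keyB[10:16]
        conds, ok = block_conditions(t)
        out.append({"sector": s, "keyA": t[:6].hex(), "acc": t[6:9].hex(),
                    "keyB": t[10:].hex(), "consistent": ok, "blocks": conds})
    return out


def build_sample() -> str:
    """Constructed .eml text modelled on the dump posted in this thread."""
    zero = "00" * 16
    lines = ["2d71742e060804006263646566676869", zero, zero,
             "a0a1a2a3a4a5787788c1ffffffffffff"]
    for s in range(1, 16):
        trailer = ("d3f7d3f7d3f77f078840ffffffffffff" if s < 8 else
                   "ffffffffffffff078069ffffffffffff")
        if s == 8:
            trailer = "5c055a595f03787788ff0fa30c8d0e20"
        lines += [zero, zero, zero, trailer]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for t in sector_trailers(parse_eml(build_sample())):
        print(f"sector {t['sector']:2d} A={t['keyA']} acc={t['acc']} "
              f"B={t['keyB']} consistent={t['consistent']}")
        for i, c in enumerate(t["blocks"]):
            print(f"   block {t['sector'] * 4 + i:2d}: {c}")
```

For sector 8 the decode shows data blocks as "read A|B, write B", which is why a reader that only holds key B (0fa30c8d0e20) can still authenticate and read block 32; an inconsistent trailer would be flagged before it is ever eloaded.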
OK, next test:
when simulating with PM3 hf mf sim / eloaded (with the above eml) and your ACR122 reading block 0 (Key A, 0xa0a1a2a3a4a5),
this is the "hf list 14a" output I would like to see.
Tried, but I can only read the whole tag with the ACR122:
#db# Debug level: 0
uid:N/A, numreads:0, flags:18 (0x12)
Recorded Activity (TraceLen = 1257 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr |26 | | REQA
2612 | 4980 | Tag |04 00 | |
13660 | 16124 | Rdr |93 20 | | ANTICOLL
17808 | 23632 | Tag |2d 71 74 2e 06 | |
58903012 | 58904068 | Rdr |26 | | REQA
58905688 | 58908056 | Tag |04 00 | |
174320256 | 174321312 | Rdr |26 | | REQA
174322868 | 174325236 | Tag |04 00 | |
174333916 | 174336380 | Rdr |93 20 | | ANTICOLL
174338064 | 174343888 | Tag |2d 71 74 2e 06 | |
174365304 | 174375832 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
174377324 | 174380844 | Tag |08 b6 dd | |
174510364 | 174515068 | Rdr |e0 50 bc a5 | ok | RATS
174516624 | 174517264 | Tag |04 | |
174652502 | 174653558 | Rdr |26 | | REQA
174655050 | 174657418 | Tag |04 00 | |
174666306 | 174668770 | Rdr |93 20 | | ANTICOLL
174670262 | 174676086 | Tag |2d 71 74 2e 06 | |
174697502 | 174708030 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
174709522 | 174713042 | Tag |08 b6 dd | |
174884226 | 174888930 | Rdr |60 3f 81 b2 | ok | AUTH-A(63)
174893238 | 174897910 | Tag |00 00 5a a9 | |
174899384 | 174908696 | Rdr |af! e3! 22 a0 f3! dc f2 2e | !crc| AUTH_ANSW
174912748 | 174917420 | Tag |56 47 d0 53 | |
175032386 | 175037154 | Rdr |21 3d! a9! c4 | !crc|
175040310 | 175040950 | Tag |00 | |
686121180 | 686122236 | Rdr |26 | | REQA
686123792 | 686126160 | Tag |04 00 | |
686134776 | 686137240 | Rdr |93 20 | | ANTICOLL
686138860 | 686144684 | Tag |2d 71 74 2e 06 | |
686166052 | 686176580 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
686178264 | 686181784 | Tag |08 b6 dd | |
686312248 | 686316952 | Rdr |e0 50 bc a5 | ok | RATS
686318316 | 686318956 | Tag |04 | |
686455874 | 686456930 | Rdr |26 | | REQA
686458422 | 686460790 | Tag |04 00 | |
686469662 | 686472126 | Rdr |93 20 | | ANTICOLL
686473618 | 686479442 | Tag |2d 71 74 2e 06 | |
686500858 | 686511386 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
686512878 | 686516398 | Tag |08 b6 dd | |
686767562 | 686772330 | Rdr |50 00 57 cd | ok | HALT
687631034 | 687632026 | Rdr |40 | | MAGIC WUPC1
688442666 | 688444874 | Rdr |50 00! | | HALT
756813952 | 756815008 | Rdr |26 | | REQA
756816436 | 756818804 | Tag |04 00 | |
756827356 | 756829820 | Rdr |93 20 | | ANTICOLL
756831504 | 756837328 | Tag |2d 71 74 2e 06 | |
756858744 | 756869272 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
756870764 | 756874284 | Tag |08 b6 dd | |
757005340 | 757010044 | Rdr |e0 50 bc a5 | ok | RATS
757011600 | 757012240 | Tag |04 | |
757148246 | 757149302 | Rdr |26 | | REQA
757150794 | 757153162 | Tag |04 00 | |
757161922 | 757164386 | Rdr |93 20 | | ANTICOLL
757165878 | 757171702 | Tag |2d 71 74 2e 06 | |
757193118 | 757203646 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
757205138 | 757208658 | Tag |08 b6 dd | |
757459818 | 757464586 | Rdr |50 00 57 cd | ok | HALT
758325722 | 758326714 | Rdr |40 | | MAGIC WUPC1
759134794 | 759137002 | Rdr |50 00! | | HALT
834374614 | 834375670 | Rdr |26 | | REQA
834377162 | 834379530 | Tag |04 00 | |
834388418 | 834390882 | Rdr |93 20 | | ANTICOLL
834392374 | 834398198 | Tag |2d 71 74 2e 06 | |
834419614 | 834430142 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
834431634 | 834435154 | Tag |08 b6 dd | |
834565440 | 834570144 | Rdr |e0 50 bc a5 | ok | RATS
834571700 | 834572340 | Tag |04 | |
834711516 | 834712572 | Rdr |26 | | REQA
834714128 | 834716496 | Tag |04 00 | |
834725112 | 834727576 | Rdr |93 20 | | ANTICOLL
834729196 | 834735020 | Tag |2d 71 74 2e 06 | |
834756388 | 834766916 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
834768600 | 834772120 | Tag |08 b6 dd | |
834942648 | 834947352 | Rdr |60 3f 81 b2 | ok | AUTH-A(63)
834951532 | 834956268 | Tag |00 00 d3 fb | |
834957662 | 834966974 | Rdr |87! 64! 3b! 78! e6! 10! 89 4a! | !crc|
834971154 | 834975826 | Tag |96 8a 1c 84 | |
835090040 | 835094808 | Rdr |6d! 2a! 5e d5 | !crc|
835097964 | 835098540 | Tag |0c | |
915019330 | 915020386 | Rdr |26 | | REQA
915021878 | 915024246 | Tag |04 00 | |
915032990 | 915035454 | Rdr |93 20 | | ANTICOLL
915037074 | 915042898 | Tag |2d 71 74 2e 06 | |
915064314 | 915074842 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
915076334 | 915079854 | Tag |08 b6 dd | |
915209438 | 915214142 | Rdr |e0 50 bc a5 | ok | RATS
915215634 | 915216274 | Tag |04 | |
915352314 | 915353370 | Rdr |26 | | REQA
915354862 | 915357230 | Tag |04 00 | |
915365846 | 915368310 | Rdr |93 20 | | ANTICOLL
915369930 | 915375754 | Tag |2d 71 74 2e 06 | |
915397120 | 915407648 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
915409204 | 915412724 | Tag |08 b6 dd | |
915582308 | 915587012 | Rdr |60 3f 81 b2 | ok | AUTH-A(63)
915591384 | 915596120 | Tag |00 00 51 c7 | |
915597634 | 915607010 | Rdr |9a 5f! a5! 88! 4c! 34 84 75 | !crc|
915610934 | 915615670 | Tag |3b 0d 0e d5 | |
915729822 | 915734590 | Rdr |46! 29! ee! ca! | !crc|
915737746 | 915738322 | Tag |0f | |
What is wrong with simulation? I could read simulated tag on default firmware.
Looking at the code, the authentication fails. So there is a bug.
@mrza, found it, pushed a fix. How about you test it again?
Thank you Iceman! Now I can read simulated tag with ACR122. But no luck with the lock:
Loaded 64 blocks from file: dumpNEW.eml
#db# Debug level: 0
uid:N/A, numreads:0, flags:18 (0x12)
Recorded Activity (TraceLen = 195 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2740 | 5108 | Tag |04 00 | |
5386874 | 5387866 | Rdr |52 | | WUPA
5389550 | 5391918 | Tag |04 00 | |
21683010 | 21684002 | Rdr |52 | | WUPA
21685558 | 21687926 | Tag |04 00 | |
21713090 | 21715554 | Rdr |93 20 | | ANTICOLL
21717174 | 21722998 | Tag |2d 71 74 2e 06 | |
21755714 | 21766242 | Rdr |93 70 2d 71 74 2e 06 2b bc | ok | SELECT_UID
21767862 | 21771382 | Tag |08 b6 dd | |
21789738 | 21794506 | Rdr |50 00 57 cd | ok | HALT
23236196 | 23237188 | Rdr |52 | | WUPA
23239000 | 23241368 | Tag |04 00 | |
128276546 | 128277538 | Rdr |52 | | WUPA
128279350 | 128281718 | Tag |04 00 | |
150025978 | 150026970 | Rdr |52 | | WUPA
150028654 | 150031022 | Tag |04 00 | |
Same without setting debug to 0.
Try sniffing the lock/key transaction.
I tried hf mf sniff several times but I always get empty trace
BTW, I didn't flash bootrom. Should I?
no need to flash bootrom
You wouldn't happen to be in France, would you?
Access control systems were updated a few months ago to block copies on Chinese clones. You'll need a badge that doesn't respond to the backdoor commands. The systems don't like the PM3 in sim mode, either.
MRZA
Does the Proxmark write using the Backdoor commands?
If so, now that I can see your tag data, I can write it to a fob that doesn't respond to the backdoor commands and send it to you for testing.
Just pm me your address and I'll get it in the post ASAP.
Always happy to help as people have really helped me with my stuff.
Gary
The systems don't like the PM3 in sim mode, either.
I wonder why it doesn't work. Wrong timings?
MRZA
Does the Proxmark write using the Backdoor commands?
What do you mean?
If so, now that I can see your tag data, I can write it to a fob that doesn't respond to the backdoor commands and send it to you for testing.
Just pm me your address and I'll get it in the post ASAP.
Always happy to help as people have really helped me with my stuff.
Gary
Thank you.
I've already ordered such tags from China. I'll try them first.
Last edited by MRZA (2017-03-16 22:00:26)
MRZA,
There are two types of Chinese UID-writable tags: one you can write to using the Chinese backdoor commands, the other you can write to with standard write commands. I have both types and can write to both types.
I don't know what the Proxmark uses (standard or backdoor) so you may have ordered the wrong type.
Proxmark may even write to both as I do.
MRZA,
Some readers check to see if the card responds to backdoor commands, so you should use a UID-writable card, not a backdoor card. Please keep in mind that some readers are reader/writers and write data back to the access card as well as checking for backdoor commands.
Last edited by slmann101 (2017-04-02 06:04:00)
I received the CUID tags, wrote block 0 and it worked! I successfully opened that damn lock.
But the question of why emulation is not working is still open…
I get your point MRZA but I want to know where you got the cuid card from.
I ordered it from one of the sellers on Aliexpress.
Last edited by MRZA (2017-04-15 22:19:34)
Ah ok.