Help! cards can't copy??

Ricky1993 · 2017-02-13 11:26:29

today i copy a card using my PM3, and copy successful. when i use this card to open the door , it words just once. when I try it again, this card can't open the same door!

and I test it again, the answer on pm3 is

proxmark3> hf search

#db# DownloadFPGA(len: 42096)
Card doesn't support standard iso14443-3 anticollision
ATQA : 00 00

no known/supported 13.56 MHz tags found

the data is clear but the door? anyone know what heppen.

the card is mango S50 and I copy it successful because the first time this card unlock the door, but the secound time it not work and the data in this card changed.

the mechine on the door which I tap my card on have a FDI tag.

iceman · 2017-02-13 11:42:27

It could be antenna strength, or placement of tag over antenna. Try to find a good spot, 1-1.5cm above antenna.

hw tune
hf 14a read

ltq1990 · 2017-02-13 12:16:57

iceman wrote:

It could be antenna strength, or placement of tag over antenna. Try to find a good spot, 1-1.5cm above antenna.
hw tune
hf 14a read

I think the reader has some sort of anti clone authentication built in. The reader can detect a Chinese UID card and disable it after the first data exchange

Ricky1993 · 2017-02-13 12:24:39

I think so, but i don't know how it happen and what can I do.

iceman wrote:

It could be antenna strength, or placement of tag over antenna. Try to find a good spot, 1-1.5cm above antenna.
hw tune
hf 14a read

Last edited by Ricky1993 (2017-02-13 12:29:17)

Ricky1993 · 2017-02-13 12:25:46

before

proxmark3> hf search

UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES

and after the first tap

proxmark3> hf 14a read
Card doesn't support standard iso14443-3 anticollision
ATQA : 00 00

ltq1990 wrote:

iceman wrote:
It could be antenna strength, or placement of tag over antenna. Try to find a good spot, 1-1.5cm above antenna.
hw tune
hf 14a read
I think the reader has some sort of anti clone authentication built in. The reader can detect a Chinese UID card and disable it after the first data exchange

Ricky1993 · 2017-02-13 12:27:02

before
proxmark3> hf search
UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
and after the first tap
proxmark3> hf 14a read
Card doesn't support standard iso14443-3 anticollision
ATQA : 00 00

iceman wrote:

It could be antenna strength, or placement of tag over antenna. Try to find a good spot, 1-1.5cm above antenna.
hw tune
hf 14a read

Ricky1993 · 2017-02-13 12:33:02

I write same dump to the other type of card,

UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO

but this one can't open the door even once, and the data in this card also changed in same way.

I also buy some same cards with the card I need to copy, which have some words(Mango M1 S50) in the card, but it's a IC card the UID is fixd can't change and and rewrite.
Do my card not suitable to copy Mango M1 S50 or my method has mistakes?

ltq1990 · 2017-02-13 12:52:52

can you post all the data you read from both cards and compare?

Ricky1993 wrote:

I write same dump to the other type of card,
UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO

but this one can't open the door even once, and the data in this card also changed in same way.

I also buy some same cards with the card I need to copy, which have some words(Mango M1 S50) in the card, but it's a IC card the UID is fixd can't change and and rewrite.
Do my card not suitable to copy Mango M1 S50 or my method has mistakes?

Ricky1993 · 2017-02-13 13:07:49

I copy it before it can be used successful both gate and life.
and about one mouth ago, the reader of gate is update, and i can use the lift anytime but when use the gate , first time is useful, but secound time the data is changed.
anyone have any exprience?

iceman · 2017-02-13 14:02:03

Theere is too little information to understand the cause of the problem.

It would be helpful with the following:

1. dump of working card
2. dump of non-working card (after use on reader)
3. sniff tracelog between card and garage reader (when it "breaks" the card)
4. hf 14a read,  hf list 14a  - tracelog from broken card

WIth this we can see if the reader tries to write to block0, or not.
we can also see if accessbits are honoured or not,
we can also see if backdoor commands is used or not,

Since its a generation1 magic card,you can just write a new dump on it, with "hf mf cload" and it should work again.

Ricky1993 · 2017-02-13 22:50:05

When I use hf search on the card I need to copy

UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

And For my copy 1

UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES

and for copy 2

UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO

THE DIFFERENCES ARE:
FOR COPY1 .Answers to chinese magic backdoor commands: yes or no
FOR COPY 2#db# halt error. response len: 1

copy one and copy two are using different card(maybe is the generation 1 and 2), and copy 2 can just open the life but not the gate
and copy one can open the gate but just once.

Ricky1993 · 2017-02-13 23:03:13

is there any card
Answers to chinese magic backdoor commands: NO
but don't have #db# halt error. response len: 1 mabye I can try.
or any command can change this pls let me know

iceman · 2017-02-13 23:11:08

See point 4 in my previous post.

ltq1990 · 2017-02-13 23:49:41

If you post all data read from block 0 of both cards, you will find the SAK after UID is slightly different

Ricky1993 wrote:

When I use hf search on the card I need to copy
UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

And For my copy 1
UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES

and for copy 2
UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO

THE DIFFERENCES ARE:
FOR COPY1 .Answers to chinese magic backdoor commands: yes or no
FOR COPY 2#db# halt error. response len: 1
copy one and copy two are using different card(maybe is the generation 1 and 2), and copy 2 can just open the life but not the gate
and copy one can open the gate but just once.

Ricky1993 · 2017-02-14 00:18:48

This sounds good!
how to read block 0 ， which command?

and rewrite the copy is hf mf csetuid UID ATQA SAK ?

UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]

ltq1990 wrote:

If you post all data read from block 0 of both cards, you will find the SAK after UID is slightly different
Ricky1993 wrote:
When I use hf search on the card I need to copy
UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

And For my copy 1
UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES

and for copy 2
UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO

THE DIFFERENCES ARE:
FOR COPY1 .Answers to chinese magic backdoor commands: yes or no
FOR COPY 2#db# halt error. response len: 1
copy one and copy two are using different card(maybe is the generation 1 and 2), and copy 2 can just open the life but not the gate
and copy one can open the gate but just once.

ltq1990 · 2017-02-14 01:49:11

Compare the dump file

Ricky1993 · 2017-02-14 02:13:06

my copy

proxmark3> hf mf nested 1 0 A 8829DA9DAF76 d
Testing known keys. Sector count=16
nested...
Time in nested: 4.416 (inf sec per key)

-----------------------------------------------
Iterations count: 0

|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|001| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|002| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|003| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|004| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|005| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|006| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|007| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|008| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|009| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|010| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|011| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|012| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|013| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|014| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|015| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...

it is the same with the card I need to copy

Ricky1993 · 2017-02-14 02:15:30

proxmark3> hf list 14a
Recorded Activity (TraceLen = 146 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 4768 | Rdr | 50 00 57 cd | ok | HALT
140160 | 141152 | Rdr | 52 | | WUPA
142388 | 144756 | Tag | 04 00 | |
147200 | 149664 | Rdr | 93 20 | | ANTICOLL
150836 | 156660 | Tag | da 6c e5 69 3a | |
158848 | 169312 | Rdr | 93 70 da 6c e5 69 3a 5b 78 | ok | SELECT_UID
170548 | 174068 | Tag | 08 b6 dd | |
175616 | 180320 | Rdr | 61 3c c2 99 | ok | AUTH-B(60)
182324 | 186996 | Tag | ff a5 10 1d | |
195840 | 205216 | Rdr | 2a 16! 09 7d bc cc 36! 3b | !crc| ?
206388 | 211124 | Tag | 1b 25 04 ec

Ricky1993 · 2017-02-14 02:20:30

after use

proxmark3> hf 14a read
Card doesn't support standard iso14443-3 anticollision
ATQA : 00 00

and I don't how to dump

before use dump is

proxmark3> hf mf nested 1 0 A 8829DA9DAF76 d
Testing known keys. Sector count=16
nested...
Time in nested: 4.416 (inf sec per key)
-----------------------------------------------
Iterations count: 0

|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|001| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|002| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|003| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|004| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|005| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|006| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|007| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|008| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|009| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|010| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|011| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|012| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|013| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|014| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|015| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...

iceman wrote:

Theere is too little information to understand the cause of the problem.
It would be helpful with the following:
1. dump of working card
2. dump of non-working card (after use on reader)
3. sniff tracelog between card and garage reader (when it "breaks" the card)
4. hf 14a read,  hf list 14a  - tracelog from broken card
WIth this we can see if the reader tries to write to block0, or not.
we can also see if accessbits are honoured or not,
we can also see if backdoor commands is used or not,

Since its a generation1 magic card,you can just write a new dump on it, with "hf mf cload" and it should work again.

ltq1990 · 2017-02-14 03:44:10

Does this card have a trapezoid black shell? Can you post a pic? It sounds like one of the card I played before. The card can only access the common area, it does not get access to the lift. Once it failed to obtain the lift access, the reader kind of erased this card and it can not even open the door anymore

Ricky1993 · 2017-02-14 03:58:33

yes it's the same

BLACK SHELL 'FDi'

ltq1990 wrote:

Does this card have a trapezoid black shell? Can you post a pic? It sounds like one of the card I played before. The card can only access the common area, it does not get access to the lift. Once it failed to obtain the lift access, the reader kind of erased this card and it can not even open the door anymore

Ricky1993 · 2017-02-14 04:08:40

I try it again and I find yesterday i just lucky , because today the same card can't open the gate even once.
and the data in the card also changed.

Card doesn't support standard iso14443-3 anticollision
ATQA : 00 00

no known/supported 13.56 MHz tags found

and use hf mf csetuid UID ATQA SAK can bring it back

--wipe card:NO uid:da 6c e5 69
old block 0: ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00
new block 0: da 6c e5 69 3a 08 04 00 00 00 00 00 00 00 00 00
old UID:00 00 00 00
new UID:da 6c e5 69

UID : da 6c e5 69
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES

Valid ISO14443A Tag Found - Quiting Search

Ricky1993 · 2017-02-14 04:14:32

Answers to chinese magic backdoor commands: NO

I find the card i need to copy have this,
but for my copy this answer is Yes.
what this scentence means,is this importand, can it change?

ltq1990 · 2017-02-14 05:35:30

does the original card still work?

Ricky1993 wrote:

Answers to chinese magic backdoor commands: NO
I find the card i need to copy have this,
but for my copy this answer is Yes.
what this scentence means,is this importand, can it change?

Ricky1993 · 2017-02-14 06:32:28

Yes，I just copy some data not change the oringnal card

ltq1990 wrote:

does the original card still work?
Ricky1993 wrote:
Answers to chinese magic backdoor commands: NO
I find the card i need to copy have this,
but for my copy this answer is Yes.
what this scentence means,is this importand, can it change?

willpoeirl · 2017-02-14 06:42:11

The copy used to work on door but not anymore. The original is still working.
You make a new copy, it does not work on door. You try to read it back, it appears to be "dead".
Well, that is easy to figure it out...

Also, thanks for sharing the manufacturer's name and your customer's card number: 69E56CDA
I am sure they are already watching.

Ricky1993 · 2017-02-14 06:45:05

how to figure it out - -
I don't know how to copy this kind of card

willpoeirl wrote:

The copy used to work on door but not anymore. The original is still working.
You make a new copy, it does not work on door. You try to read it back, it appears to be "dead".
Well, that is easy to figure it out...
Also, thanks for sharing the manufacturer's name and your customer's card number: 69E56CDA
I am sure they are already watching.

willpoeirl · 2017-02-14 06:55:25

just send me an email willpoeirl@gmail.com

ltq1990 · 2017-02-14 07:20:47

I doubt there are practical approach to solve this problem I reckon the reader used rolling code to check the original card

willpoeirl wrote:

The copy used to work on door but not anymore. The original is still working.
You make a new copy, it does not work on door. You try to read it back, it appears to be "dead".
Well, that is easy to figure it out...
Also, thanks for sharing the manufacturer's name and your customer's card number: 69E56CDA
I am sure they are already watching.

iceman · 2017-02-14 10:13:35

@OP's problem seems very close to this thread by @polynom, http://www.proxmark.org/forum/viewtopic.php?id=2787

ltq1990 · 2017-02-15 01:34:55

Hi again OP, have u found any solutions yet? Do u have an email so we can discuss?

Proxmark3 community

Announcement

#1 2017-02-13 11:26:29

Help! cards can't copy??

#2 2017-02-13 11:42:27

Re: Help! cards can't copy??

#3 2017-02-13 12:16:57

Re: Help! cards can't copy??

#4 2017-02-13 12:24:39

Re: Help! cards can't copy??

#5 2017-02-13 12:25:46

Re: Help! cards can't copy??

#6 2017-02-13 12:27:02

Re: Help! cards can't copy??

#7 2017-02-13 12:33:02

Re: Help! cards can't copy??

#8 2017-02-13 12:52:52

Re: Help! cards can't copy??

#9 2017-02-13 13:07:49

Re: Help! cards can't copy??

#10 2017-02-13 14:02:03

Re: Help! cards can't copy??

#11 2017-02-13 22:50:05

Re: Help! cards can't copy??

#12 2017-02-13 23:03:13

Re: Help! cards can't copy??

#13 2017-02-13 23:11:08

Re: Help! cards can't copy??

#14 2017-02-13 23:49:41

Re: Help! cards can't copy??

#15 2017-02-14 00:18:48

Re: Help! cards can't copy??

#16 2017-02-14 01:49:11

Re: Help! cards can't copy??

#17 2017-02-14 02:13:06

Re: Help! cards can't copy??

#18 2017-02-14 02:15:30

Re: Help! cards can't copy??

#19 2017-02-14 02:20:30

Re: Help! cards can't copy??

#20 2017-02-14 03:44:10

Re: Help! cards can't copy??

#21 2017-02-14 03:58:33

Re: Help! cards can't copy??

#22 2017-02-14 04:08:40

Re: Help! cards can't copy??

#23 2017-02-14 04:14:32

Re: Help! cards can't copy??

#24 2017-02-14 05:35:30

Re: Help! cards can't copy??

#25 2017-02-14 06:32:28

Re: Help! cards can't copy??

#26 2017-02-14 06:42:11

Re: Help! cards can't copy??

#27 2017-02-14 06:45:05

Re: Help! cards can't copy??

#28 2017-02-14 06:55:25

Re: Help! cards can't copy??

#29 2017-02-14 07:20:47

Re: Help! cards can't copy??

#30 2017-02-14 10:13:35

Re: Help! cards can't copy??

#31 2017-02-15 01:34:55

Re: Help! cards can't copy??

Board footer