Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-02-08 17:00:24

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Tag emulation — can't open NFC lock.

Hello.
I cloned Mifare Classic 1K with ACR122 on UID rewritable keyfob and it worked. But then they changed NFC lock. My keyfob stopped working, I checked original key and noticed that some data was changed. So I cloned it again, but newly cloned keyfob didn't wok! I tried a bunch of them.
Then I tried to emulate the key with proxmark3, but it didn't work too!
This happens then I try to open the lock with proxmark3:

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 52                                                              |     | WUPA
       2676 |       5044 | Tag | 04  00                                                          |     | 
    5400374 |    5401366 | Rdr | 52                                                              |     | WUPA
    5402922 |    5405290 | Tag | 04  00                                                          |     | 
   10800860 |   10801852 | Rdr | 52                                                              |     | WUPA
   10803280 |   10805648 | Tag | 04  00                                                          |     | 
   16201216 |   16202208 | Rdr | 52                                                              |     | WUPA
   16203892 |   16206260 | Tag | 04  00                                                          |     | 
   21601172 |   21602164 | Rdr | 52                                                              |     | WUPA
   21603720 |   21606088 | Tag | 04  00                                                          |     | 
   32469596 |   32470588 | Rdr | 52                                                              |     | WUPA
   32472144 |   32474512 | Tag | 04  00                                                          |     | 
   37869922 |   37870914 | Rdr | 52                                                              |     | WUPA
   37872662 |   37875030 | Tag | 04  00                                                          |     | 
   37900002 |   37902466 | Rdr | 93  20                                                          |     | ANTICOLL
   37904278 |   37910102 | Tag | 2d  71  74  2e  06                                              |     | 
   48739290 |   48740282 | Rdr | 52                                                              |     | WUPA
   48741838 |   48744206 | Tag | 04  00                                                          |     | 

Log captured then using original key:

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       2368 | Tag | 04  00                                                          |     | 
   10931724 |   10932716 | Rdr | 52                                                              |     | WUPA
   10933984 |   10936352 | Tag | 04  00                                                          |     | 
   10961804 |   10964268 | Rdr | 93  20                                                          |     | ANTICOLL
   10965472 |   10971296 | Tag | 2d  71  74  2e  06                                              |     | 
   11003788 |   11014316 | Rdr | 93  70  2d  71  74  2e  06  2b  bc                              |  ok | SELECT_UID
   11015520 |   11019040 | Tag | 08  b6  dd                                                      |     | 
   11037836 |   11042604 | Rdr | 50  00  57  cd                                                  |  ok | HALT
   12488252 |   12489244 | Rdr | 52                                                              |     | WUPA
   12490512 |   12492880 | Tag | 04  00                                                          |     | 
   12518460 |   12520924 | Rdr | 93  20                                                          |     | ANTICOLL
   12522128 |   12527952 | Tag | 2d  71  74  2e  06                                              |     | 
   12572048 |   12575568 | Tag | 08  b6  dd                                                      |     | 
   12632336 |   12637072 | Tag | dc  57  6e  7a                                                  |     | 
   12662288 |   12667024 | Tag |29!  54  b5  9b                                                  |     | 
   12691600 |   12712400 | Tag |d0! ac! 9c!  c5  c6 24! 98! e8! b3!  59 d4! 27!  22  78 1b!  13  |     | 
            |            |     | 8f  84                                                          | !crc| 
   12933580 |   12934572 | Rdr | 40                                                              |     | MAGIC WUPC1

Can someone clarify what is going wrong when I'm using emulation? ACR122 reads emulated key without any problem.

Offline

#2 2017-02-08 17:08:10

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

hw version
hw tune
hf 14a read

Which command did you use make this traces?  "hf 14a sim" or "hf mf sim" ?

Offline

#3 2017-02-08 17:40:46

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

proxmark3> hw version
[[[ Cached information ]]]
          
Prox/RFID mark3 RFID instrument          
          
uC: AT91SAM7S256 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 256K bytes. Used: 0 bytes ( 0%). Free: 262144 bytes (100%).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory          
          
proxmark3> hw tune

Measuring antenna characteristics, please wait.........          
# LF antenna: 31,21 V @   125.00 kHz          
# LF antenna: 30,52 V @   134.00 kHz          
# LF optimal: 37,26 V @   129,03 kHz          
# HF antenna: 29,78 V @    13.56 MHz          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

With original key placed on antenna:

proxmark3> hf 14a read
 UID : 2d 71 74 2e           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to chinese magic backdoor commands: NO

For emulation I use "hf mf eload <filename>" and "hf mf sim" then I press the button on pm3 and get trace with "hf list 14a"

Last edited by MRZA (2017-02-08 17:42:26)

Offline

#4 2017-02-08 19:40:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

hf mf sim has an open issue https://github.com/Proxmark/proxmark3/issues/105

It doesn't work too well.  For some validations of mine, would you mind compile/flash and run the sim using icemanfork?

Offline

#5 2017-02-12 21:59:49

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

I tried to sniff with copied tag:

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       2368 | Tag | 04  00                                                          |     | 
      31488 |      37312 | Tag | 2d  71  74  2e  06                                              |     | 
      81280 |      84800 | Tag | 08  b6  dd                                                      |     | 
     194304 |     194880 | Tag |0a!                                                              |     | 
   11032496 |   11034864 | Tag | 04  00                                                          |     | 
   11063872 |   11069696 | Tag | 2d  71  74  2e  06                                              |     | 
   11113664 |   11117184 | Tag | 08  b6  dd                                                      |     | 
   11225792 |   11226368 | Tag |0a!                                                              |     | 
   22062832 |   22065200 | Tag | 04  00                                                          |     | 
   22094192 |   22100016 | Tag | 2d  71  74  2e  06                                              |     | 
   22144112 |   22147632 | Tag | 08  b6  dd                                                      |     | 
   22257152 |   22257728 | Tag |0a!                                                              |     | 

For some reason there are no requests from reader in this trace.
What is "0a!"?
Then I flashed iceman's fork and tried to emulate but it didn't work as well. Also I didn't see any trace log sad

Loaded 64 blocks from file: dumpNEW.eml
 uid:N/A, numreads:0, flags:0 (0x00) 
#db# Emulator stopped. Tracing: 1  trace length: 42 
Recorded Activity (TraceLen = 0 bytes)

Offline

#6 2017-02-12 22:16:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

Your sniff shows only tag responses,   think about placement of antenna while sniffing. Finding a good spot.

A bit more debugstatements would be nice and which commands (parameters) you used would also help.
and are you really using the same client as from where you flashed the fullimage?  Your "flags" is zero, which shouldn't be.

hf mf dbg 4
hf mf sim

Offline

#7 2017-02-14 20:27:34

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

I'm using proxdroid client. Is it possible to compile your fork for Android? If not, I can try to use RPi.

Offline

#8 2017-02-14 20:35:58

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

I have no idea on how to compile my fork to Android.  Maybe one of those proxdroid ppl wouldn't mind looking into it.

Try a pie smile

Offline

#9 2017-02-15 14:07:19

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

I tried to compile it for Android:

In file included from jni/../proxmark3/client/ui.h:33:
jni/../proxmark3/client/util.h:140:27: error: expected ')'
uint32_t le32toh (uint8_t *data);
                          ^
jni/../proxmark3/client/util.h:140:10: note: to match this '('
uint32_t le32toh (uint8_t *data);

And on RPi3:

gcc -DHAS_512_FLASH -std=c99 -O3 -mpopcnt -march=native -g -I. -I../include -I../common -I../zlib -I/opt/local/include -I../liblua -Wall -DHAVE_GUI -DZ_SOLO -DZ_PREFIX -DNO_GZIP -DZLIB_PM3_TUNED  -c -o obj/proxmark3.o proxmark3.c
*** Error in `gcc': double free or corruption (top): 0x018ba0f8 ***
Makefile:204: recipe for target 'obj/proxmark3.o' failed
make[1]: *** [obj/proxmark3.o] Aborted

There is a bug in Raspbian's GCC. I tweaked Makefile and managed to compile it. I'll test it today.

Offline

#10 2017-02-15 14:26:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

@MRZA  Cool!  If wouldn't mind sending me the tweaked Makefiles?   Maybe open an issue on GitHub and post links to them?

Offline

#11 2017-02-15 21:46:08

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

Just remove "-mpopcnt -march=native" from Makefile. According to gcc bugtracker it should be fixed in newer gcc releases.
But using proxmark3 on RPi is so painful because I use touchscreen with bugged onscreen keyboard and bugged LXDE sad Couldn't test it today because some guy opened the door from other side.

Offline

#12 2017-02-15 22:01:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

hm.. if you remove those the hardnested BF solver will most likely not work.

Offline

#13 2017-02-16 19:51:34

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

Will this affect simulation and sniffing?
I tried with hf mf dbg 4:

Loaded 64 blocks from file: dumpNEW.eml
#db# Debug level: 4
 uid:N/A, numreads:0, flags:18 (0x12) 
#db# 4B UID: 2d71742e
#db# ISO14443A Timeout set to 1060 (10ms)
#db# SELECT ALL received
#db# --> WORK. anticol1 time: 9
#db# Emulator stopped. Tracing: 1  trace length: 203 
Recorded Activity (TraceLen = 203 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr |52                                                               |     | WUPA
       2676 |       5044 | Tag |04  00                                                           |     | 
   16289570 |   16290562 | Rdr |52                                                               |     | WUPA
   16292246 |   16294614 | Tag |04  00                                                           |     | 
   48935722 |   48936714 | Rdr |52                                                               |     | WUPA
   48938462 |   48940830 | Tag |04  00                                                           |     | 
   65222222 |   65223214 | Rdr |52                                                               |     | WUPA
   65225090 |   65227458 | Tag |04  00                                                           |     | 
   65252174 |   65254638 | Rdr |93  20                                                           |     | ANTICOLL
   65289986 |   65295810 | Tag |2d  71  74  2e  06                                               |     | 
   65328078 |   65338606 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
   65340290 |   65343810 | Tag |08  b6  dd                                                       |     | 
   70740936 |   70741928 | Rdr |52                                                               |     | WUPA
   70743612 |   70745980 | Tag |04  00                                                           |     | 
   76124836 |   76125828 | Rdr |52                                                               |     | WUPA
   76127512 |   76129880 | Tag |04  00                                                           |     | 
   86960876 |   86961868 | Rdr |52                                                               |     | WUPA
   86963680 |   86966048 | Tag |04  00                                                           |     | 

I also tried mf hf sniff on cloned key and original one (in the end of the log):

#db# ISO14443A Timeout set to 1060 (10ms)
#db# cancelled by button
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=1048, Uart.output[0]=00000040
Recorded Activity (TraceLen = 1048 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       2368 | Tag |04  00                                                           |     | 
      31488 |      37312 | Tag |2d  71  74  2e  06                                               |     | 
      81536 |      85056 | Tag |08  b6  dd                                                       |     | 
     194960 |     195536 | Tag |0a!                                                              |     | 
   11071344 |   11073712 | Tag |04  00                                                           |     | 
   11102960 |   11108784 | Tag |2d  71  74  2e  06                                               |     | 
   11152880 |   11156400 | Tag |08  b6  dd                                                       |     | 
   11265392 |   11265968 | Tag |0a!                                                              |     | 
   22143072 |   22145440 | Tag |04  00                                                           |     | 
   22174672 |   22180496 | Tag |2d  71  74  2e  06                                               |     | 
   22224608 |   22228128 | Tag |08  b6  dd                                                       |     | 
   22337248 |   22337824 | Tag |0a!                                                              |     | 
   33212480 |   33214848 | Tag |04  00                                                           |     | 
   33243968 |   33249792 | Tag |2d  71  74  2e  06                                               |     | 
   33293888 |   33297408 | Tag |08  b6  dd                                                       |     | 
   33406528 |   33407104 | Tag |0a!                                                              |     | 
   60687776 |   60690144 | Tag |04  00                                                           |     | 
   60719264 |   60725088 | Tag |2d  71  74  2e  06                                               |     | 
   60769184 |   60772704 | Tag |08  b6  dd                                                       |     | 
   60879452 |   60880444 | Rdr |40                                                               |     | MAGIC WUPC1
   60881696 |   60882272 | Tag |0a!                                                              |     | 
   66288972 |   66289964 | Rdr |52                                                               |     | WUPA
   71758736 |   71761104 | Tag |04  00                                                           |     | 
   71790352 |   71796176 | Tag |2d  71  74  2e  06                                               |     | 
   71840272 |   71843792 | Tag |08  b6  dd                                                       |     | 
   71950540 |   71951532 | Rdr |40                                                               |     | MAGIC WUPC1
   71952784 |   71953360 | Tag |0a!                                                              |     | 
   82831376 |   82833744 | Tag |04  00                                                           |     | 
   82862864 |   82868688 | Tag |2d  71  74  2e  06                                               |     | 
   82912912 |   82916432 | Tag |08  b6  dd                                                       |     | 
   83026320 |   83026896 | Tag |0a!                                                              |     | 
   93902608 |   93904976 | Tag |04  00                                                           |     | 
  104839168 |  104841536 | Tag |04  00                                                           |     | 
  104870784 |  104876608 | Tag |2d  71  74  2e  06                                               |     | 
  104920704 |  104924224 | Tag |08  b6  dd                                                       |     | 
  105033344 |  105033920 | Tag |0a!                                                              |     | 
  121380720 |  121383088 | Tag |04  00                                                           |     | 
  121412336 |  121418160 | Tag |2d  71  74  2e  06                                               |     | 
  121462256 |  121465776 | Tag |08  b6  dd                                                       |     | 
  121574784 |  121575360 | Tag |0a!                                                              |     | 
  132454384 |  132456752 | Tag |04  00                                                           |     | 
  132485872 |  132491696 | Tag |2d  71  74  2e  06                                               |     | 
  132535936 |  132539456 | Tag |08  b6  dd                                                       |     | 
  132649344 |  132649920 | Tag |0a!                                                              |     | 
  154465408 |  154467776 | Tag |04  00                                                           |     | 
  154496896 |  154502720 | Tag |2d  71  74  2e  06                                               |     | 
  154546944 |  154550464 | Tag |08  b6  dd                                                       |     | 
  154660352 |  154660928 | Tag |0a!                                                              |     | 
  171010048 |  171012416 | Tag |04  00                                                           |     | 
  171038012 |  171040476 | Rdr |93  20                                                           |     | ANTICOLL
  171041664 |  171047488 | Tag |2d  71  74  2e  06                                               |     | 
  171079868 |  171090396 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  171091584 |  171095104 | Tag |08  b6  dd                                                       |     | 
  171113148 |  171117916 | Rdr |50  00  57  cd                                                   |  ok | HALT
  171201852 |  171202844 | Rdr |40                                                               |     | MAGIC WUPC1
  171204112 |  171204688 | Tag |0a!                                                              |     | 
  203958304 |  203960672 | Tag |04  00                                                           |     | 
  203989920 |  203995744 | Tag |2d  71  74  2e  06                                               |     | 
  204039840 |  204043360 | Tag |08  b6  dd                                                       |     | 
  204152368 |  204152944 | Tag |0a!                                                              |     | 
  215032112 |  215034480 | Tag |04  00                                                           |     | 
  215063728 |  215069552 | Tag |2d  71  74  2e  06                                               |     | 
  215113648 |  215117168 | Tag |08  b6  dd                                                       |     | 
  215226288 |  215226864 | Tag |0a!                                                              |     | 
  275321404 |  275322396 | Rdr |52                                                               |     | WUPA
  275323648 |  275326016 | Tag |04  00                                                           |     | 
  275351484 |  275353948 | Rdr |93  20                                                           |     | ANTICOLL
  275355136 |  275360960 | Tag |2d  71  74  2e  06                                               |     | 
  275393468 |  275403996 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  275405184 |  275408704 | Tag |08  b6  dd                                                       |     | 
  275427516 |  275432284 | Rdr |50  00  57  cd                                                   |  ok | HALT
  276878444 |  276879436 | Rdr |52                                                               |     | WUPA
  276880688 |  276883056 | Tag |04  00                                                           |     | 
  276908524 |  276910988 | Rdr |93  20                                                           |     | ANTICOLL
  276912176 |  276918000 | Tag |2d  71  74  2e  06                                               |     | 
  276950508 |  276961036 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  276962240 |  276965760 | Tag |08  b6  dd                                                       |     | 
  277017068 |  277021836 | Rdr |61  20  2f  43                                                   |  ok | AUTH-B(32)
  277023424 |  277028096 | Tag |8c  6d  32  28                                                   |     | 
  277042796 |  277052172 | Rdr |7b! 3e! e0! 5b  bc! 08! 0b  47!                                  | !crc| 
  277053376 |  277058112 | Tag |1e! ea  b2  2e!                                                  |     | 
  277076716 |  277081484 | Rdr |5e! d0  12! 44!                                                  | !crc| 
  277082688 |  277103488 | Tag |cc! 1f  18  0c  c4! 52! 75! 6a  7a  12! d9! ae! 9b  3d! 6f! f9!  |     | 
            |            |     |7b! ca                                                           | !crc| 
  277156844 |  277157836 | Rdr |52                                                               |     | WUPA
  277238508 |  277240908 | Rdr |50  00                                                           |     | HALT
  277324396 |  277325388 | Rdr |40                                                               |     | MAGIC WUPC1

Last edited by MRZA (2017-02-16 19:52:31)

Offline

#14 2017-02-16 20:02:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

As suggestion is that you don't use debug mode when sniffing or sim.  those functions are quite time-critical.
you will still get a nice tracelog when "hf 14a list"...

Offline

#15 2017-02-16 20:13:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

the orginal block 32 B key [0fa30c8d0e20]  and it tries to read block 32. (0x20)

Even if the trace is bad, you still can see the reader sends 0x40,  if the tag responds with 0x0A, it fails.
Thats the magic detection in place.   You should be able to use pm3 sim.  or use a magic tag generation2.

Offline

#16 2017-02-16 20:40:14

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

iceman wrote:

the orginal block 32 B key [0fa30c8d0e20]  and it tries to read block 32. (0x20)

It's from last attempt with original key. It works.

iceman wrote:

Even if the trace is bad, you still can see the reader sends 0x40,  if the tag responds with 0x0A, it fails.
Thats the magic detection in place.   You should be able to use pm3 sim.  or use a magic tag generation2.

Well, like I supposed that lock has protection against copied keys. But why doesn't simulation work? Reader sends wakeup requests ignoring answers from pm3. What are generation2 magic keys? Are they discussed here http://www.proxmark.org/forum/viewtopic.php?id=4572

Offline

#17 2017-02-16 20:59:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

Search the forum for more details about magic tags and the different generations.  The ones talked about in your ref thread could be a new bread of magic tags.  I'm doubtful about their claims until I see them and I have seen quite a lot of different magic tags.

Offline

#18 2017-02-16 21:00:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

And the sim did most likely not work because of your debug level.  Try with it set to 0.

Offline

#19 2017-02-19 20:48:23

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

Tried without setting debug level:

Loaded 64 blocks from file: dumpNEW.eml
 uid:N/A, numreads:0, flags:18 (0x12) 
#db# 4B UID: 2d71742e
#db# Emulator stopped. Tracing: 1  trace length: 109 
Recorded Activity (TraceLen = 109 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr |52                                                               |     | WUPA
       2740 |       5108 | Tag |04  00                                                           |     | 
      30080 |      32544 | Rdr |93  20                                                           |     | ANTICOLL
      34228 |      40052 | Tag |2d  71  74  2e  06                                               |     | 
    5402234 |    5403226 | Rdr |52                                                               |     | WUPA
    5404910 |    5407278 | Tag |04  00                                                           |     | 
   10804710 |   10805702 | Rdr |52                                                               |     | WUPA
   10807514 |   10809882 | Tag |04  00                                                           |     | 
   32616840 |   32617832 | Rdr |52                                                               |     | WUPA
   32619644 |   32622012 | Tag |04  00                                                           |     | 

Then I set debug level to 0:

#db# Debug level: 0
 uid:N/A, numreads:0, flags:18 (0x12) 
Recorded Activity (TraceLen = 638 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr |52                                                               |     | WUPA
       2676 |       5044 | Tag |04  00                                                           |     | 
    5402494 |    5403486 | Rdr |52                                                               |     | WUPA
    5405170 |    5407538 | Tag |04  00                                                           |     | 
   16273898 |   16274890 | Rdr |52                                                               |     | WUPA
   16276702 |   16279070 | Tag |04  00                                                           |     | 
   27144648 |   27145640 | Rdr |52                                                               |     | WUPA
   27147452 |   27149820 | Tag |04  00                                                           |     | 
   27174728 |   27177192 | Rdr |93  20                                                           |     | ANTICOLL
   27178940 |   27184764 | Tag |2d  71  74  2e  06                                               |     | 
   27217480 |   27228008 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
   27229628 |   27233148 | Tag |08  b6  dd                                                       |     | 
   27251648 |   27256416 | Rdr |50  00  57  cd                                                   |  ok | HALT
   27340480 |   27341472 | Rdr |40                                                               |     | MAGIC WUPC1
   28701788 |   28702780 | Rdr |52                                                               |     | WUPA
   28704464 |   28706832 | Tag |04  00                                                           |     | 
   28731868 |   28734332 | Rdr |93  20                                                           |     | ANTICOLL
   28735952 |   28741776 | Tag |2d  71  74  2e  06                                               |     | 
   28774748 |   28785276 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
   28786768 |   28790288 | Tag |08  b6  dd                                                       |     | 
   28841052 |   28845820 | Rdr |61  20  2f  43                                                   |  ok | AUTH-B(32)
   28850000 |   28854736 | Tag |00  00  37  d5                                                   |     | 
   28869468 |   28878844 | Rdr |3f  00! 81  0c! 7a! 52! 6b! 21!                                  | !crc| 
   28882896 |   28887568 | Tag |5d  43  ff  2d                                                   |     | 
   28910428 |   28911420 | Rdr |52                                                               |     | WUPA
   28913104 |   28915472 | Tag |04  00                                                           |     | 
   28940636 |   28943100 | Rdr |93  20                                                           |     | ANTICOLL
   28944720 |   28950544 | Tag |2d  71  74  2e  06                                               |     | 
   34370780 |   34371772 | Rdr |52                                                               |     | WUPA
   34373456 |   34375824 | Tag |04  00                                                           |     | 
   34400860 |   34403324 | Rdr |93  20                                                           |     | ANTICOLL
   34404944 |   34410768 | Tag |2d  71  74  2e  06                                               |     | 
   34443740 |   34454268 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
   34455760 |   34459280 | Tag |08  b6  dd                                                       |     | 
   34477776 |   34482544 | Rdr |50  00  57  cd                                                   |  ok | HALT
   34566608 |   34567600 | Rdr |40                                                               |     | MAGIC WUPC1
   35927936 |   35928928 | Rdr |52                                                               |     | WUPA
   35930612 |   35932980 | Tag |04  00                                                           |     | 
   37346594 |   37347586 | Rdr |52                                                               |     | WUPA
   37349270 |   37351638 | Tag |04  00                                                           |     | 
   37376674 |   37379138 | Rdr |93  20                                                           |     | ANTICOLL
   37380758 |   37386582 | Tag |2d  71  74  2e  06                                               |     | 
   37419556 |   37430084 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
   37431576 |   37435096 | Tag |08  b6  dd                                                       |     | 
   37486116 |   37490884 | Rdr |61  20  2f  43                                                   |  ok | AUTH-B(32)
   37495064 |   37499736 | Tag |00  00  d7  a3                                                   |     | 
   37514524 |   37523836 | Rdr |45! fe! 83! d0! 74  2b  23! 2a!                                  | !crc| 
   37527888 |   37532624 | Tag |86  08  84  67                                                   |     | 
   42947682 |   42948674 | Rdr |52                                                               |     | WUPA
   42950422 |   42952790 | Tag |04  00                                                           |     | 
   59288156 |   59289148 | Rdr |52                                                               |     | WUPA
   59290832 |   59293200 | Tag |04  00                                                           |     | 

This looks more interesting. But still no luck with opening door.

Offline

#20 2017-02-19 20:56:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

Yep, better.
You can the reader tries to sen 0x40,  a gen1 tag would have answered it,  but your sim doesn't so the reader tries the proper anticoll without sending 0x40.   It tries to read block32.

Are you sure you loaded a working dump,  with correct keys in it?   (and using "hf mf sim" of course)

Offline

#21 2017-02-19 22:04:24

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

I've checked with ACR122: made a new dump from original tag using existing keys. Dumps are identical. So it should be correct dump.
What is wrong with my latest trace? How should tag answer on 0x40 command?

Offline

#22 2017-02-19 22:09:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

the sim doesn't answer to 0x40.  it is not iso14443a- nor mifare standard.    So the sim correctly behavies like a normal tag.
the problem with yr trace is not the trace itself, but the lack of response from pm3 when reader wants to authenticate to b-32

Did you use  "hf mf sim"?

Offline

#23 2017-02-19 22:11:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

You need to "dump" the eloaded image.  ie  dump  when pm3 sim's

Offline

#24 2017-02-20 15:16:54

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

iceman wrote:

Did you use  "hf mf sim"?

Of course I did:

hf mf eload dumpNEW
hf mf dbg 0
hf mf sim

Then I try to bring pm3 close reader several times. I see red LED turns on then off. Then I press the button on pm3

hf list 14a
q
iceman wrote:

You need to "dump" the eloaded image.  ie  dump  when pm3 sim's

Hm… This doesn't work anymore:

$ nfc-mfclassic r a ~/test.mfd keys.mfd 
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): 2d  71  74  2e  
      SAK (SEL_RES): 08  
Guessing size: seems to be a 1024-byte card
Reading out 64 blocks |nfc_initiator_transceive_bytes: Mifare Authentication Failed
!
Error: authentication failed for block 0x3f

On pm3:

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       1056 | Rdr |26                                                               |     | REQA
       2484 |       4852 | Tag |04  00                                                           |     | 
      13532 |      15996 | Rdr |93  20                                                           |     | ANTICOLL
      17680 |      23504 | Tag |2d  71  74  2e  06                                               |     | 
      44920 |      55448 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
      56940 |      60460 | Tag |08  b6  dd                                                       |     | 
     190748 |     195452 | Rdr |e0  50  bc  a5                                                   |  ok | RATS
     197008 |     197648 | Tag |04                                                               |     | 
     332886 |     333942 | Rdr |26                                                               |     | REQA
     335434 |     337802 | Tag |04  00                                                           |     | 
     346690 |     349154 | Rdr |93  20                                                           |     | ANTICOLL
     350646 |     356470 | Tag |2d  71  74  2e  06                                               |     | 
     377886 |     388414 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
     389906 |     393426 | Tag |08  b6  dd                                                       |     | 
     563074 |     567778 | Rdr |60  3f  81  b2                                                   |  ok | AUTH-A(63)
     572086 |     576822 | Tag |00  00  bb  f7                                                   |     | 
     578198 |     587510 | Rdr |4b  62  25! 13! 34  7b  79  35                                   | !crc| VCSL
     591562 |     596298 | Tag |4b  a0  49  f2                                                   |     | 
     712002 |     716770 | Rdr |7d  66  e8! 16                                                   | !crc| 
     719926 |     720566 | Tag |01                                                               |     | 

Now I don't understand what is happening. Dumps are identical. I double checked.

Offline

#25 2017-02-20 15:56:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

the dumpEML file,  would you mind sharing it?  I just want to see the sectortrailers in it.

Offline

#26 2017-02-20 17:58:58

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

I copied it from .eml file I'm using in simulation

2d71742e060804006263646566676869
0f0003e103e103e103e103e103e103e1
03e103e103e103e103e103e103e103e1
a0a1a2a3a4a5787788c1ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d3f7d3f7d3f77f078840ffffffffffff
b474470eb1464689ad061e9025ed195d
ad4e5b15c971d38f251781e4b29e4ba1
5cab72e4b319b45ccea13c9ebdd13ea3
5c055a595f03787788ff0fa30c8d0e20
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff

Offline

#27 2017-02-20 18:08:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

OK, next test:
when simulating w PM3 hf mf sim / eloaded (w the above eml)   And your ACR122 reading block0  (KeyA, 0xa0a1a2a3a4a5)

this "hf list 14a" output I would list to see.

Offline

#28 2017-02-20 20:09:11

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

Tried, but I only can read whole tag with ACR122:

#db# Debug level: 0
 uid:N/A, numreads:0, flags:18 (0x12) 
Recorded Activity (TraceLen = 1257 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       1056 | Rdr |26                                                               |     | REQA
       2612 |       4980 | Tag |04  00                                                           |     | 
      13660 |      16124 | Rdr |93  20                                                           |     | ANTICOLL
      17808 |      23632 | Tag |2d  71  74  2e  06                                               |     | 
   58903012 |   58904068 | Rdr |26                                                               |     | REQA
   58905688 |   58908056 | Tag |04  00                                                           |     | 
  174320256 |  174321312 | Rdr |26                                                               |     | REQA
  174322868 |  174325236 | Tag |04  00                                                           |     | 
  174333916 |  174336380 | Rdr |93  20                                                           |     | ANTICOLL
  174338064 |  174343888 | Tag |2d  71  74  2e  06                                               |     | 
  174365304 |  174375832 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  174377324 |  174380844 | Tag |08  b6  dd                                                       |     | 
  174510364 |  174515068 | Rdr |e0  50  bc  a5                                                   |  ok | RATS
  174516624 |  174517264 | Tag |04                                                               |     | 
  174652502 |  174653558 | Rdr |26                                                               |     | REQA
  174655050 |  174657418 | Tag |04  00                                                           |     | 
  174666306 |  174668770 | Rdr |93  20                                                           |     | ANTICOLL
  174670262 |  174676086 | Tag |2d  71  74  2e  06                                               |     | 
  174697502 |  174708030 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  174709522 |  174713042 | Tag |08  b6  dd                                                       |     | 
  174884226 |  174888930 | Rdr |60  3f  81  b2                                                   |  ok | AUTH-A(63)
  174893238 |  174897910 | Tag |00  00  5a  a9                                                   |     | 
  174899384 |  174908696 | Rdr |af! e3! 22  a0  f3! dc  f2  2e                                   | !crc| AUTH_ANSW
  174912748 |  174917420 | Tag |56  47  d0  53                                                   |     | 
  175032386 |  175037154 | Rdr |21  3d! a9! c4                                                   | !crc| 
  175040310 |  175040950 | Tag |00                                                               |     | 
  686121180 |  686122236 | Rdr |26                                                               |     | REQA
  686123792 |  686126160 | Tag |04  00                                                           |     | 
  686134776 |  686137240 | Rdr |93  20                                                           |     | ANTICOLL
  686138860 |  686144684 | Tag |2d  71  74  2e  06                                               |     | 
  686166052 |  686176580 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  686178264 |  686181784 | Tag |08  b6  dd                                                       |     | 
  686312248 |  686316952 | Rdr |e0  50  bc  a5                                                   |  ok | RATS
  686318316 |  686318956 | Tag |04                                                               |     | 
  686455874 |  686456930 | Rdr |26                                                               |     | REQA
  686458422 |  686460790 | Tag |04  00                                                           |     | 
  686469662 |  686472126 | Rdr |93  20                                                           |     | ANTICOLL
  686473618 |  686479442 | Tag |2d  71  74  2e  06                                               |     | 
  686500858 |  686511386 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  686512878 |  686516398 | Tag |08  b6  dd                                                       |     | 
  686767562 |  686772330 | Rdr |50  00  57  cd                                                   |  ok | HALT
  687631034 |  687632026 | Rdr |40                                                               |     | MAGIC WUPC1
  688442666 |  688444874 | Rdr |50  00!                                                          |     | HALT
  756813952 |  756815008 | Rdr |26                                                               |     | REQA
  756816436 |  756818804 | Tag |04  00                                                           |     | 
  756827356 |  756829820 | Rdr |93  20                                                           |     | ANTICOLL
  756831504 |  756837328 | Tag |2d  71  74  2e  06                                               |     | 
  756858744 |  756869272 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  756870764 |  756874284 | Tag |08  b6  dd                                                       |     | 
  757005340 |  757010044 | Rdr |e0  50  bc  a5                                                   |  ok | RATS
  757011600 |  757012240 | Tag |04                                                               |     | 
  757148246 |  757149302 | Rdr |26                                                               |     | REQA
  757150794 |  757153162 | Tag |04  00                                                           |     | 
  757161922 |  757164386 | Rdr |93  20                                                           |     | ANTICOLL
  757165878 |  757171702 | Tag |2d  71  74  2e  06                                               |     | 
  757193118 |  757203646 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  757205138 |  757208658 | Tag |08  b6  dd                                                       |     | 
  757459818 |  757464586 | Rdr |50  00  57  cd                                                   |  ok | HALT
  758325722 |  758326714 | Rdr |40                                                               |     | MAGIC WUPC1
  759134794 |  759137002 | Rdr |50  00!                                                          |     | HALT
  834374614 |  834375670 | Rdr |26                                                               |     | REQA
  834377162 |  834379530 | Tag |04  00                                                           |     | 
  834388418 |  834390882 | Rdr |93  20                                                           |     | ANTICOLL
  834392374 |  834398198 | Tag |2d  71  74  2e  06                                               |     | 
  834419614 |  834430142 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  834431634 |  834435154 | Tag |08  b6  dd                                                       |     | 
  834565440 |  834570144 | Rdr |e0  50  bc  a5                                                   |  ok | RATS
  834571700 |  834572340 | Tag |04                                                               |     | 
  834711516 |  834712572 | Rdr |26                                                               |     | REQA
  834714128 |  834716496 | Tag |04  00                                                           |     | 
  834725112 |  834727576 | Rdr |93  20                                                           |     | ANTICOLL
  834729196 |  834735020 | Tag |2d  71  74  2e  06                                               |     | 
  834756388 |  834766916 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  834768600 |  834772120 | Tag |08  b6  dd                                                       |     | 
  834942648 |  834947352 | Rdr |60  3f  81  b2                                                   |  ok | AUTH-A(63)
  834951532 |  834956268 | Tag |00  00  d3  fb                                                   |     | 
  834957662 |  834966974 | Rdr |87! 64! 3b! 78! e6! 10! 89  4a!                                  | !crc| 
  834971154 |  834975826 | Tag |96  8a  1c  84                                                   |     | 
  835090040 |  835094808 | Rdr |6d! 2a! 5e  d5                                                   | !crc| 
  835097964 |  835098540 | Tag |0c                                                               |     | 
  915019330 |  915020386 | Rdr |26                                                               |     | REQA
  915021878 |  915024246 | Tag |04  00                                                           |     | 
  915032990 |  915035454 | Rdr |93  20                                                           |     | ANTICOLL
  915037074 |  915042898 | Tag |2d  71  74  2e  06                                               |     | 
  915064314 |  915074842 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  915076334 |  915079854 | Tag |08  b6  dd                                                       |     | 
  915209438 |  915214142 | Rdr |e0  50  bc  a5                                                   |  ok | RATS
  915215634 |  915216274 | Tag |04                                                               |     | 
  915352314 |  915353370 | Rdr |26                                                               |     | REQA
  915354862 |  915357230 | Tag |04  00                                                           |     | 
  915365846 |  915368310 | Rdr |93  20                                                           |     | ANTICOLL
  915369930 |  915375754 | Tag |2d  71  74  2e  06                                               |     | 
  915397120 |  915407648 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
  915409204 |  915412724 | Tag |08  b6  dd                                                       |     | 
  915582308 |  915587012 | Rdr |60  3f  81  b2                                                   |  ok | AUTH-A(63)
  915591384 |  915596120 | Tag |00  00  51  c7                                                   |     | 
  915597634 |  915607010 | Rdr |9a  5f! a5! 88! 4c! 34  84  75                                   | !crc| 
  915610934 |  915615670 | Tag |3b  0d  0e  d5                                                   |     | 
  915729822 |  915734590 | Rdr |46! 29! ee! ca!                                                  | !crc| 
  915737746 |  915738322 | Tag |0f                                                               |     | 

What is wrong with simulation? I could read simulated tag on default firmware.

Offline

#29 2017-02-21 00:51:18

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

Looking at the code,  the authentication fails. So there is a bug.

Offline

#30 2017-02-25 23:49:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

@mrza,   Found it,  pushed a fix,  how about you test it again..

Offline

#31 2017-03-04 10:13:34

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

Thank you Iceman! Now I can read simulated tag with ACR122. But no luck with the lock:

Loaded 64 blocks from file: dumpNEW.eml
#db# Debug level: 0
 uid:N/A, numreads:0, flags:18 (0x12) 
Recorded Activity (TraceLen = 195 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr |52                                                               |     | WUPA
       2740 |       5108 | Tag |04  00                                                           |     | 
    5386874 |    5387866 | Rdr |52                                                               |     | WUPA
    5389550 |    5391918 | Tag |04  00                                                           |     | 
   21683010 |   21684002 | Rdr |52                                                               |     | WUPA
   21685558 |   21687926 | Tag |04  00                                                           |     | 
   21713090 |   21715554 | Rdr |93  20                                                           |     | ANTICOLL
   21717174 |   21722998 | Tag |2d  71  74  2e  06                                               |     | 
   21755714 |   21766242 | Rdr |93  70  2d  71  74  2e  06  2b  bc                               |  ok | SELECT_UID
   21767862 |   21771382 | Tag |08  b6  dd                                                       |     | 
   21789738 |   21794506 | Rdr |50  00  57  cd                                                   |  ok | HALT
   23236196 |   23237188 | Rdr |52                                                               |     | WUPA
   23239000 |   23241368 | Tag |04  00                                                           |     | 
  128276546 |  128277538 | Rdr |52                                                               |     | WUPA
  128279350 |  128281718 | Tag |04  00                                                           |     | 
  150025978 |  150026970 | Rdr |52                                                               |     | WUPA
  150028654 |  150031022 | Tag |04  00                                                           |     | 

Same without setting debug to 0.

Offline

#32 2017-03-04 11:50:58

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

try sniffing lock/key transaction

Offline

#33 2017-03-12 22:28:33

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

I tried hf mf sniff several times but I always get empty trace sad

BTW, I didn't flash bootrom. Should I?

Offline

#34 2017-03-12 22:59:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Tag emulation — can't open NFC lock.

no need to flash bootrom

Offline

#35 2017-03-13 01:08:37

kwx
Contributor
Registered: 2013-11-26
Posts: 46

Re: Tag emulation — can't open NFC lock.

You wouldn't happen to be in France would you ?
Access control systems updated a few months ago to block copies on chinese clones. You'll need a badge that doesn't respond to the backdoor commands. The systems don't like the PM3 in sim mode, either.

MRZA wrote:

Hello.
I cloned Mifare Classic 1K with ACR122 on UID rewritable keyfob and it worked. But then they changed NFC lock. My keyfob stopped working, I checked original key and noticed that some data was changed. So I cloned it again, but newly cloned keyfob didn't wok! I tried a bunch of them.
Then I tried to emulate the key with proxmark3, but it didn't work too!
This happens then I try to open the lock with proxmark3:

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 52                                                              |     | WUPA
       2676 |       5044 | Tag | 04  00                                                          |     | 
    5400374 |    5401366 | Rdr | 52                                                              |     | WUPA
    5402922 |    5405290 | Tag | 04  00                                                          |     | 
   10800860 |   10801852 | Rdr | 52                                                              |     | WUPA
   10803280 |   10805648 | Tag | 04  00                                                          |     | 
   16201216 |   16202208 | Rdr | 52                                                              |     | WUPA
   16203892 |   16206260 | Tag | 04  00                                                          |     | 
   21601172 |   21602164 | Rdr | 52                                                              |     | WUPA
   21603720 |   21606088 | Tag | 04  00                                                          |     | 
   32469596 |   32470588 | Rdr | 52                                                              |     | WUPA
   32472144 |   32474512 | Tag | 04  00                                                          |     | 
   37869922 |   37870914 | Rdr | 52                                                              |     | WUPA
   37872662 |   37875030 | Tag | 04  00                                                          |     | 
   37900002 |   37902466 | Rdr | 93  20                                                          |     | ANTICOLL
   37904278 |   37910102 | Tag | 2d  71  74  2e  06                                              |     | 
   48739290 |   48740282 | Rdr | 52                                                              |     | WUPA
   48741838 |   48744206 | Tag | 04  00                                                          |     | 

Log captured then using original key:

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |       2368 | Tag | 04  00                                                          |     | 
   10931724 |   10932716 | Rdr | 52                                                              |     | WUPA
   10933984 |   10936352 | Tag | 04  00                                                          |     | 
   10961804 |   10964268 | Rdr | 93  20                                                          |     | ANTICOLL
   10965472 |   10971296 | Tag | 2d  71  74  2e  06                                              |     | 
   11003788 |   11014316 | Rdr | 93  70  2d  71  74  2e  06  2b  bc                              |  ok | SELECT_UID
   11015520 |   11019040 | Tag | 08  b6  dd                                                      |     | 
   11037836 |   11042604 | Rdr | 50  00  57  cd                                                  |  ok | HALT
   12488252 |   12489244 | Rdr | 52                                                              |     | WUPA
   12490512 |   12492880 | Tag | 04  00                                                          |     | 
   12518460 |   12520924 | Rdr | 93  20                                                          |     | ANTICOLL
   12522128 |   12527952 | Tag | 2d  71  74  2e  06                                              |     | 
   12572048 |   12575568 | Tag | 08  b6  dd                                                      |     | 
   12632336 |   12637072 | Tag | dc  57  6e  7a                                                  |     | 
   12662288 |   12667024 | Tag |29!  54  b5  9b                                                  |     | 
   12691600 |   12712400 | Tag |d0! ac! 9c!  c5  c6 24! 98! e8! b3!  59 d4! 27!  22  78 1b!  13  |     | 
            |            |     | 8f  84                                                          | !crc| 
   12933580 |   12934572 | Rdr | 40                                                              |     | MAGIC WUPC1

Can someone clarify what is going wrong when I'm using emulation? ACR122 reads emulated key without any problem.

Offline

#36 2017-03-13 16:55:35

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Tag emulation — can't open NFC lock.

MRZA
Does the Proxmark write using the Backdoor commands?
If so, now I can see your tag data I can write it to a fob that doesn't respond to the backdoor commands and send it to you for testing?
Just pm me your address and I'll get it in the post ASAP.
Always happy to help as people have really helped me with my stuff.
Gary

Offline

#37 2017-03-16 22:00:13

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

kwx wrote:

The systems don't like the PM3 in sim mode, either.

I wonder why it doesn't work. Wrong timings?

Onisan wrote:

MRZA
Does the Proxmark write using the Backdoor commands?

What do you mean?

Onisan wrote:

If so, now I can see your tag data I can write it to a fob that doesn't respond to the backdoor commands and send it to you for testing?
Just pm me your address and I'll get it in the post ASAP.
Always happy to help as people have really helped me with my stuff.
Gary

Thank you.
I've already ordered such tags from China. I'll try them first.

Last edited by MRZA (2017-03-16 22:00:26)

Offline

#38 2017-03-17 13:45:38

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Tag emulation — can't open NFC lock.

MRZA,
There are two types of Chinese UID writable tags, One you can write to using Chinese Backdoor commands the other you can use standard write commands. I have both types and can write to both types.
I don't know what the Proxmark uses (standard or backdoor) so you may have ordered the wrong type.
Proxmark may even write to both as I do.

Offline

#39 2017-04-02 06:03:13

slmann101
Contributor
Registered: 2017-03-30
Posts: 33

Re: Tag emulation — can't open NFC lock.

MRZA,

Some readers check to see if the card responds to backdoor commands so you should use a uid writable card not a backdoor card. Please keep in mind that some readers are reader/writers and write data back to the assess card as well as checking for back door commands.

Last edited by slmann101 (2017-04-02 06:04:00)

Offline

#40 2017-04-09 23:25:20

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

I received CUID tags, wrote 0 block and it worked! I successfully opened that damn lock.
But the question why emulation is not working is still open…

Offline

#41 2017-04-10 05:40:18

slmann101
Contributor
Registered: 2017-03-30
Posts: 33

Re: Tag emulation — can't open NFC lock.

I get your point MRZA but I want to know where you got the cuid card from.

Offline

#42 2017-04-15 22:19:15

MRZA
Contributor
Registered: 2016-04-14
Posts: 29

Re: Tag emulation — can't open NFC lock.

I ordered it from one of the sellers on Aliexpress.

Last edited by MRZA (2017-04-15 22:19:34)

Offline

#43 2017-04-16 06:49:49

slmann101
Contributor
Registered: 2017-03-30
Posts: 33

Re: Tag emulation — can't open NFC lock.

Ah ok.

Offline

Board footer

Powered by FluxBB