pm3 --> hf mf rdbl 0 a xxx
hf mf rdbl 0 a xxx
--block no:0, key type:A, key:xxx
#db# READ BLOCK FINISHED
isOk:01 data:04 0D 68 1A B5 22 81 88 44 00 C2 00 00 00 00 00
pm3 --> hf 14a reader
hf 14a reader
UID : 8F 43 0F EF
ATQA : 00 44
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Anyone seen a tag like this?
Offline
which version of client?
Offline
Proxmark3 RFID instrument
bootrom: master/v2.2.0-282-g3e50af4-suspect 2017-02-20 14:55:16
os: iceman/master/v1.1.0-1959-gc24364a-dirty-unclean 2017-03-02 00:41:07
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 215974 bytes (41%). Free: 308314 bytes (59%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
C:\...>git show
commit c24364a8a4932f51a9b9e255d2ed0c67b9e37c74
Author: iceman1001 <iceman@iuse.se>
Date: Tue Feb 28 19:20:12 2017 +0100
FIX: @marshmellow42 's ST detection fix.
FIX: lfops.c and em4x05 command timings.
On your fork.
Anyway, my Android phone with a PN544 also shows the same UID and block 0, so..
Offline
strange, would you mind posting tracelog when you run the command?
hf mf rb 0 a xxxx
hf list 14a
hf 14a read
hf list 14a
Offline
pm3 --> hf mf rdbl 0 a xxx
hf mf rdbl 0 a xxx
--block no:0, key type:A, key:xxx
#db# READ BLOCK FINISHED
isOk:01 data:04 0D 68 1A B5 22 81 88 44 00 C2 00 00 00 00 00
pm3 --> hf list 14a
hf list 14a
Recorded Activity (TraceLen = 188 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |8f 43 0f ef 2c | |
19328 | 29856 | Rdr |93 70 8f 43 0f ef 2c b7 c1 | ok | SELECT_UID
31028 | 34548 | Tag |08 b6 dd | |
36608 | 41312 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
45620 | 50292 | Tag |06 df 1a 7e | |
59264 | 68640 | Rdr |e8 40! 49 71 ba! fd 24! 9f! | !crc|
69812 | 74548 | Tag |f3! 4d! bc 0b | |
80000 | 84768 | Rdr |e4! a9 ba! 21! | !crc|
85940 | 106740 | Tag |f8! 7e! e4! 80! ee 39! 00! f1! 98! da! bc! d3! 4e! 57! 7a 23! | |
| | |78 c1! | !crc|
118272 | 123040 | Rdr |88! 35 b9! 6c! | !crc|
pm3 --> hf 14a read
hf 14a read
UID : 8F 43 0F EF
ATQA : 00 44
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
pm3 --> hf list 14a
hf list 14a
Recorded Activity (TraceLen = 123 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |8f 43 0f ef 2c | |
19200 | 29728 | Rdr |93 70 8f 43 0f ef 2c b7 c1 | ok | SELECT_UID
30900 | 34420 | Tag |08 b6 dd | |
498688 | 503456 | Rdr |e0 80 31 73 | ok | RATS
504628 | 505268 | Tag |04 | |
957440 | 958432 | Rdr |40 | | MAGIC WUPC1
964480 | 969248 | Rdr |50 00 57 cd | ok | HALT
Offline
Well, the UID is definitely 8F 43 0F EF, and the decrypted block 0 is what's printed.
I can't verify what and why your Android phone w PN544 shows the same UID and block 0.
Did you mean to say that pn544 shows same values as pm3?
You could have a Mifare Plus tag, which behaves differently.
Offline
Yes, that's what I mean — my Android shows the same UID and same block 0 as PM3. So there's nothing wrong with PM3.
I figured so. Time to do more research I guess..
One thing though, I got the keys through hardnested. Would this be possible if it weren't a real Mifare Classic card and simply something providing a Mifare Classic interface?
Last edited by angelsl (2017-03-06 20:14:05)
Offline
Mifare Plus in secure mode 1 (SL1) is using the Mifare Classic interface.
Offline
I mean, would hardnested work on Mifare Plus through the Classic interface?
Anyway I think this tag is a Classic EV1 1k MF1S500yX configured to do anticollision with a 4 byte UID generated from the 7 byte UID in block 0.
So, problem solved.
Offline
A Mifare Plus in SL1 would be vulnerable to the hardnested attack, as iceman alluded to.
Offline
hm.. curious on if we have Mifare Classic EV1 detection.
Offline
hm.. curious on if we have Mifare Classic EV1 detection.
I'll send in a PR.
Offline
Will be looking forward to it
Offline
Implemented a 7b UID -> to 4b NUID... It matches your tag. ref:http://www.gorferay.com/mifare-and-handling-of-uids/
pm3 --> analyse nuid 040D681AB52281
UID | 04 0D 68 1A B5 22 81
NUID | 8F 43 0F EF
Offline
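The relationship the thread arrives at, as an added example that is not part of the original posts or of the Proxmark3 source: a CRC_A-based derivation that reproduces the UID/NUID pair printed by `analyse nuid` above, plus a check of whether a block 0 read-out stores the anticollision UID directly or as a 7-byte UID. The function names and the `layout` enum are hypothetical; the byte values in `main` are copied from the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ISO/IEC 14443-3 Type A CRC (CRC_A), continued from a given state. */
static uint16_t crc_a(uint16_t crc, const uint8_t *d, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint8_t ch = (uint8_t)(d[i] ^ (crc & 0xFF));
        ch = (uint8_t)(ch ^ (ch << 4));
        crc = (uint16_t)((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4));
    }
    return crc;
}

/* Derive the 4-byte NUID from a 7-byte UID. */
static void uid7_to_nuid(const uint8_t uid[7], uint8_t nuid[4]) {
    uint16_t crc = crc_a(0x6363, uid, 3);            /* CRC_A over UID0..UID2 */
    nuid[0] = (uint8_t)(((crc >> 8) & 0xE0) | 0x0F); /* top 3 bits kept, low nibble F */
    nuid[1] = (uint8_t)(crc & 0xFF);
    crc = crc_a(crc, uid + 3, 4);                    /* continue over UID3..UID6 */
    nuid[2] = (uint8_t)(crc >> 8);
    nuid[3] = (uint8_t)(crc & 0xFF);
}

enum layout { LAYOUT_UNKNOWN = 0, LAYOUT_UID4 = 1, LAYOUT_UID7_NUID = 2 };

/* Explain how block 0 relates to the 4 bytes seen during anticollision. */
static enum layout classify_block0(const uint8_t block0[16], const uint8_t ac[4]) {
    uint8_t bcc = (uint8_t)(ac[0] ^ ac[1] ^ ac[2] ^ ac[3]);
    uint8_t nuid[4];
    if (memcmp(block0, ac, 4) == 0 && block0[4] == bcc)
        return LAYOUT_UID4;                          /* UID + BCC stored directly */
    uid7_to_nuid(block0, nuid);
    if (memcmp(nuid, ac, 4) == 0)
        return LAYOUT_UID7_NUID;                     /* 7-byte UID, NUID on the air */
    return LAYOUT_UNKNOWN;
}

int main(void) {
    /* Values copied from the thread: block 0 read-out and anticollision UID. */
    const uint8_t block0[16] = {0x04,0x0D,0x68,0x1A,0xB5,0x22,0x81,0x88,
                                0x44,0x00,0xC2,0,0,0,0,0};
    const uint8_t ac[4] = {0x8F,0x43,0x0F,0xEF};
    printf("layout = %d\n", classify_block0(block0, ac));
    return 0;
}
```

For the tag in this thread the result is `LAYOUT_UID7_NUID`: block 0 does not begin with the anticollision UID and its BCC, but the NUID derived from its first seven bytes equals the UID the reader reports.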
Yeah, it's a 7 byte UID card. Wonder if there are any Chinese cards that can do this..
Anyway, still not sure of the best way to detect an EV1 card because SetModType needs sector 0 key A authentication. (And I don't have an EV1 card to test)
Offline
We have the UID 7 byte magic cards ready on my website, but you have to hardnest the blocks inside and write them one by one.
Make sure you know what you are doing before attempting or else you will be wasting your money.
Offline
He has at least one key. So getting the keys wouldn't be too hard.
@dot.com has magic 7b uid... Always worth testing things out.
Offline
Those are really expensive if I'm not looking for DESfire functionality though.
Offline
If I'm not mistaken, @dot.com also has ordinary magic 7b uid mifare classic. Not the new ones w desfire.
And if I remember correctly, lab401.com also has a magic 7b uid.
But google and look at the shops. You may find something; if you're unsure about the tag, ask the reseller about it.
Offline