Hi to all,
New owner of a pm3, I'd like to play with my coffee tag.
Here is a picture
With a pn533 on Linux I can nfc-list that:
ISO14443B-2 ST SRx passive target(s) found
ISO/IEC 14443-2B ST SRx (106 kbps) target:
UID : ce 33 c2 44 8b xx xx xx
What about this tag, any idea? I can use it in any different machine (same brand), the credit will be the same; the machines are not on LAN or GSM WAN.
Which command or script can I use to begin and extract the key & bin/hex?
Thanks!
Last edited by larson (2017-11-10 20:25:43)

...it says 14443B... maybe a good starting point is to use those commands?
And use the latest source on GitHub, Piwi just added better signal support for 14B..

Yes, I see that. I’m going to make some tests with the Piwi GitHub.

Hi,
Need help with this tag, I tried many things but I can't get any result.
Even serial like with my pn 533.
I tested iceman compile, original, nothing good.
What command can I use to start?
Thanks

You should use the official pm3, latest source, compile and flash fullimage,
look at "hf 14b" commands. Read a datasheet for 14443-B and understand the commands and try using the "hf 14b raw" to send it.

Thanks for your answer.
Can I use a precompiled image, or is it better to do it myself? In general
I use my Debian server for that, but for first testing if I can fast check with a clean precompiled version..
For the datasheet, I agree, I don’t have a problem with mifare for example, only this tag, I know it’s dumpable, some guys do it with mod after..

It's better! :-)
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-131-g75e42ef-suspect 2017-11-02 13:19:41
os: master/v3.0.1-131-g75e42ef-suspect 2017-11-02 13:19:45
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/09/05 at 08:50:16
uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 197928 bytes (76%). Free: 64216 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
# LF antenna: 17.88 V @ 125.00 kHz
# LF antenna: 27.23 V @ 134.00 kHz
# LF optimal: 29.43 V @ 136.36 kHz
# HF antenna: 25.20 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
14443-3b ST tag found:
UID: xx xx xx
MFG: 02,
Chip: 03, SRIX4K
Chip Write Protection Bits:
raw: 11111111
07/08: not locked
09: not locked
10: not locked
11: not locked
12: not locked
13: not locked
14: not locked
15: not locked
key is 11111111? hf 14b srix4kread gives me the result in the log. What command to use to make a dump for mod and write later?
Thanks!
Last edited by larson (2019-03-24 20:35:41)

You have a SRIX4K tag, try
hf 14b srix4kread

command is unknown it seems
help        This help
info        Find and print details about a 14443B tag
list        [Deprecated] List ISO 14443B history
reader      Act as a 14443B reader to identify a tag
sim         Fake ISO 14443B tag
snoop       Eavesdrop ISO 14443B
sri512read  Read contents of a SRI512 tag
srix4kread  Read contents of a SRIX4K tag
sriwrite    Write data to a SRI512 | SRIX4K tag
raw         Send raw hex data to tag
I used hf 14b srix4kread before but it gives me only data in proxmark3.log

pm3 official, a bit different from mine
srix4kread is the one for you. Before you didn't get the tag recognised either, but now you do. So use this one.

Yes?
If I want to replace data from the log, which command must I use
to send data with a good checksum?
Thanks!
#db# Randomly generated Chip ID (+ 2 byte CRC): c8 3c ba
#db# Now SELECT tag:
#db# Tag UID ......
Last edited by larson (2019-03-24 20:36:13)

There is no dump / restore command for 14b currently in the pm3 client.
Feel free to add it.

I will have a look at the source to try to make something in this way :-)
Also, after charging the key, I logged one amount before and another amount after.
I don't see where the amount part is, because several blocks change after charging; do you think it's something like date, hour, number of coins?
Because for the moment I can't dump and write on the fly, I send contents to the address manually, but what about the CRC?
Also, I don't know why, it is impossible to write in block 5; it was working at the beginning of the tests and not now anymore.
Last edited by larson (2019-03-24 20:37:39)

I tested my 14443b today after replacing some data, with no success; my old credit has been deleted.
I try new data, but since I can’t write correctly on block 05 I suppose it will crash again.
Got a question: I tested the write and raw commands, do I need a key manager or something like that?
Can you move my post to the 14443b section?
Thanks

Moved.
If you could identify the system/brand/company, then that would be great.

Yes, it’s an Astro Necta.
Thanks

A suggestion, edit your first post, both text and subject.

I made a new test today with 2 keys, now they don't work anymore.
On the machine, no charge is possible with my keys, detected as bad keys.
I’m going to try restoring old block. Except 05, unmodifiable for now.
Last edited by larson (2017-11-10 20:28:56)

If you look at the blocks that change from before and after one use,
you should be able to "reset" back if you can write to the tag.

Yes, that’s what I do, after charging and uncharging.
But strangely it doesn't work. I suppose it comes from block 05, which I can’t write correctly.
Maybe protected? Can Easy Tool help me? Or is it the same as the manual command?
A full copy of the tag would be more useful to play with, because
sending reversed hex manually is long!
Last edited by larson (2017-11-10 20:35:34)

14443-3b ST tag found:
UID: d0 02 0c xx 44 xx xx xx
MFG: 02, ST Microelectronics SA France
Chip: 03, SRIX4K
Chip Write Protection Bits:
raw: 11111111
07/08: not locked
09: not locked
10: not locked
11: not locked
12: not locked
13: not locked
14: not locked
15: not locked
If I send hf 14b sriwrite 02 05 fffffb0f
got
[SRIX4K] Write block 05 [ ff ff fb 0f ]
received 0 octets
but no write
block 05 stays on the last value
So strange.. need to change firmware? I don't have the problem on other blocks 00 to 7F

I think my 2 previous tags are bricked, not detected anymore on the coffee machine. I suppose the problem comes from the block 05 change.
New test today, with 2 other tags
First one with 0.02 euros on it and second with 0.14 euros on it.
I can't see where the euros are stored, any idea? 02 & 0E?
Is hf 14b srix4kread good for reading the tag, or must I use raw?
Last edited by larson (2019-03-24 20:38:09)

Should work. Why don't you test it?
hf 14b srix4kread

? My posted logs were done with srix4kread

because you asked a question about it in the post...

Yes, ok.
For now searching for the credit block, I think it’s not so hard

Hello,
I continue my investigation on my tag, with some bricks .. (4)
On the datasheet I can see that the SRIX4K ST has anti-collision and anti-clone.
In my test, I tried this
- TAG 1: value block, used it on the machine, afterwards put the previous value block back (several blocks change), I tried to put them all back and one by one.. 'except block 05' because brick tag
When I do that, the tag doesn't work anymore.
- TAG 2: put the value block of TAG 1, works one time, but never succeeded in making it work again...
The command
hf 14b info gives me chip bit protection raw: 11111111
14443-3b ST tag found:
UID: d0 02 0c .. .. .. .. ..
MFG: 02, ST Microelectronics SA France
Chip: 03, SRIX4K
Chip Write Protection Bits:
raw: 11111111
07/08: not locked
09: not locked
10: not locked
11: not locked
12: not locked
13: not locked
14: not locked
15: not locked
Can I use the raw 11111111 key to enable writes on block 05?
Because I can't change block 05, or one time, after which the block is unwritable again, or I can send only 00000000.
Any idea?
Thanks!!!!

Up
Help, ideas are welcome :-)
Still researching, it seems that some blocks are paired with others with a countdown. Now my tags are not detected anymore, since I can't change back block 05.

Hello to everyone, did you manage to clone it or even to write data back?
I am currently having the same problem.

What commands do you have to give with the proxmark3 test to read a 14443B card?