Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-02-07 15:03:40

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Legacy Tag

I ran the 'hf class reader 1' command,it indicates that 'possibly iclass(Legacy)'.
Therefore I tried to dump AA1 using the MasterKey. However it failed (I know how to use Masterkey correctly).
Then I tried to run sim 2 against a R10 reader and successfully dumped MAC. But failed loclass attack which means it is not elites or custom.
I am so confusing, could someone give me some hints?

Offline

#2 2018-02-07 15:30:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Legacy Tag

if you post the first 24 bytes of the sim2 file,   I can check it out.

Offline

#3 2018-02-07 15:44:59

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

uint8_t i = 0;
			for (i = 0 ; i < NUM_CSNS ; i++) {
				//copy CSN 
				memcpy(dump + i*24, csns + i*8, 8);
				//copy epurse
				memcpy(dump + i*24 + 8, resp.d.asBytes + i*16, 8);
				// NR_MAC (eight bytes from the response)  ( 8b csn + 8b epurse == 16)
				memcpy(dump + i*24 + 16, resp.d.asBytes + i*16 + 8, 8);
			}

Also I checked iceman latest modified in cmdhficlass.c, this is might be incorrect. Because I open the sim 2 dump file, every CSN should follow E purse and MAC, right? The first half CSN 'seems' to be good following everything. But the remaining CSNs follow with all 0. I am guessing

resp.d.asBytes

will not return e-purse, because they all should be set to 0  compared with official folk?

Last edited by rookieatall (2018-02-07 15:59:07)

Offline

#4 2018-02-07 15:46:46

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

all right. Thanks .I will give you tomorrow, and the test for you latest modified in cmdhficlass.c

Offline

#5 2018-02-07 15:52:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Legacy Tag

Since the sim 2 creates a working loclass bin file for me when used against SE r10,   where the loclass afterwards works aswell,  I'm not convinced of a bug.

Needed information like,   output from sim 2,  output from loclass,  bin-file.  tracelog from running sim 2.

Offline

#6 2018-02-07 15:57:53

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

I thought I deleted it, but luckily I find it

010a 0fff f7ff 12e0
34e6 60fb 24c9 eac5
94b1 e8a3 3c97 d7ce

0c06 0cfe f7ff 12e0
c17e ccb6 55e5 c610
94c9 5da2 a88d a38d

1097 837b f7ff 12e0
461e 1cab 5189 f029
de1d 5658 3b1a 43a6

1397 827a f7ff 12e0
967b 3d84 2926 92b3
bf0f c6be 6fc9 7aea

070e 0df9 f7ff 12e0
9621 3fc0 36e7 25a3
0000 0000 0000 0000

1496 8476 f7ff 12e0
0000 0000 0000 0000
0000 0000 0000 0000

1796 8571 f7ff 12e0
0000 0000 0000 0000
0000 0000 0000 0000

cec5 0f77 f7ff 12e0
0000 0000 0000 0000
0000 0000 0000 0000

d25a 82f8 f7ff 12e0
0000 0000 0000 0000
0000 0000 0000 0000

this is the sim2 output

Last edited by rookieatall (2018-02-07 15:58:41)

Offline

#7 2018-02-07 16:00:45

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

if my guess is right, you can treat
010a 0fff f7ff 12e0
0000 0000 0000 0000
34e6 60fb 24c9 eac5
as first 24 byte

Last edited by rookieatall (2018-02-07 16:02:18)

Offline

#8 2018-02-07 16:02:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Legacy Tag

looks like the sim2 attack failed from the middle to the end...

Offline

#9 2018-02-07 16:05:38

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Legacy Tag

actually,  all of the data looks bad..

Have you pulled latest / compiled / flashed iceman fork before running sim2??

Offline

#10 2018-02-07 16:05:44

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

I think is due to the code

memcpy(dump + i*24 + 8, resp.d.asBytes + i*16, 8);
				// NR_MAC (eight bytes from the response)  ( 8b csn + 8b epurse == 16)

because I dumped before without this line. It was correct I think

Offline

#11 2018-02-07 16:06:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Legacy Tag

hw version

Offline

#12 2018-02-07 16:06:46

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

yes I did you add the code above right?

Offline

#13 2018-02-07 16:08:34

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

[ ARM ]
bootrom: iceman/master/ice_v3.1.0-466-g45a5576 2018-02-03 15:33:21
      os: iceman/master/ice_v3.1.0-466-g45a5576 2018-02-03 15:33:24
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16
         
[ Hardware ]           
  --= uC: AT91SAM7S512 Rev B         
  --= Embedded Processor: ARM7TDMI         
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 237485 bytes (45) Free: 286803 bytes (55)         
  --= Second Nonvolatile Program Memory Size: None         
  --= Internal SRAM Size: 64K bytes         
  --= Architecture Identifier: AT91SAM7Sxx Series         
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

Offline

#14 2018-02-07 16:10:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Legacy Tag

whats the output from your sim2 when you run untouched iceman fork?

Offline

#15 2018-02-07 16:11:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Legacy Tag

You seem to be missing some commits,    try pulling latest as instructed.

 os: iceman/master/ice_v3.1.0-510-ga2ac368-dirty-unclean 

Offline

#16 2018-02-07 16:13:41

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

like this

010a 0fff f7ff 12e0
0000 0000 0000 0000
34e6 60fb 24c9 eac5

0c06 0cfe f7ff 12e0
0000 0000 0000 0000
94b1 e8a3 3c97 d7ce

1097 837b f7ff 12e0
0000 0000 0000 0000
c17e ccb6 55e5 c610

1397 827a f7ff 12e0
0000 0000 0000 0000
94c9 5da2 a88d a38d

070e 0df9 f7ff 12e0
0000 0000 0000 0000
461e 1cab 5189 f029

1496 8476 f7ff 12e0
0000 0000 0000 0000
de1d 5658 3b1a 43a6

1796 8571 f7ff 12e0
0000 0000 0000 0000
967b 3d84 2926 92b3 

cec5 0f77 f7ff 12e0
0000 0000 0000 0000
bf0f c6be 6fc9 7aea

d25a 82f8 f7ff 12e0
0000 0000 0000 0000
9621 3fc0 36e7 25a3

Last edited by rookieatall (2018-02-07 16:14:54)

Offline

#17 2018-02-07 16:15:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Legacy Tag

that looks like a sim 2 from offical pm3.  that is not from iceman fork.

Offline

#18 2018-02-07 16:17:38

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

No this is from your folk before you add the line to copy 'return' e-purse

Offline

#19 2018-02-07 16:22:02

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

I will test it again with latest folk. Thanks for help

Offline

#20 2018-02-07 16:25:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Legacy Tag

How does your  armsrc/iclass.c look like?
From here and some few lines below.   https://github.com/iceman1001/proxmark3 … ss.c#L1162

Offline

#21 2018-02-07 16:30:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Legacy Tag

btw,  the collected data shows a elite key.  So something has gone wrong when you  pulled latest/compile (make clean before?) / flashed.

Once you get that part right,  you will see it work like it should.

Offline

#22 2018-02-07 16:38:33

rookieatall
Contributor
Registered: 2016-07-31
Posts: 25

Re: Legacy Tag

code are exactly same. I will test it again tomorrow with latest folk. Thanks

Offline

Board footer

Powered by FluxBB