Research, development and trades concerning the powerful Proxmark3 device.
Fudan FM11RF005SH has 512-bit memory, 16 blocks with 4 bytes per block. Total 64 bytes.
ISO14443A, with support for REQA, READ, WRITE, AUTH. Unknown how the auth is done.
Kind of similar to Ultralight tags.
In order to add support for it in PM3, ATQA/SAK and a trace from one of these tags would be interesting to look at.
I found a v1.1 of the datasheet but it doesn't explain the auth command very well. A full datasheet would be nice to have.
Datasheet v1.1
http://www.datasheetlib.com/datasheet/1 … onics.html
Key is stored in block 8.
Reader: 60 01
Card: Random1
Reader: (encrypted stuff) with its random2
Card: ??
read = 0x30
write = 0xA0
auth = 0x60
Memory layout
-------------------
Block0 = CID customer id / MID manufacturer id
Block1 = UID
Block 8 = key
I doubt the communication is encrypted, so a normal sniff of a transaction between card and valid reader should reveal much.
That's gonna be tough since you might be a stranger while using proxmark3 near the gate of a subway.
According to this document, Fudan Microelectronics makes two similar chips with 512 bits of memory, one with Mifare compatible crypto and the other "compatible with Shanghai local standard"
Here's something.
No need anymore
Last edited by maozhenyu (2018-06-19 16:18:13)
@maozhenyu
Great trace! Very interesting, the reader reads all memory but after the auth the communication looks like it got encrypted.
7715052 | 7716044 | Rdr | 52 | | WUPA
7717296 | 7719664 | Tag | 03 00
datasheet - 52 should return CID. CID 03, 00 is part of block zero. Which is verified by the block 0 read afterward :)
7802092 | 7806860 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
7808048 | 7815024 | Tag | 03 00 02 90 f4 d4
CID | 03 00
MID | 02 90
UID | D0 0E 4E B0
This part looks like it belongs to the authentication process, like Crypto-1 has.
8405740 | 8410444 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
8412080 | 8416816 | Tag | fb 9a cd 23 --> tag nonce?
8431724 | 8441100 | Rdr |ba! d1! a5! 51! 2d! 8a! f5 9e --> 2 * 4 nonces? encrypted(nt), nr
8442272 | 8447008 | Tag |59! 10 57 2f --> encrypted (nr)
Guessing this reader command, downloads something.
8548588 | 8553292 | Rdr |d5! b9 40 08! -->
--> tag answers 6*6 = 36 bytes. Assume 2-byte CRC on each.
--> 36-12 = 24 bytes. Not a common tag response size when looking at a Mifare S50 card. Must be FUDAN related.
8554528 | 8561568 | Tag | f3! 50 c5 9a 2b! 3c!
8600096 | 8607072 | Tag | 3c c4 25! fd! a2 d2
8646432 | 8653408 | Tag | 76 ae! 59 37! 8a! 95
8692384 | 8699360 | Tag | a3 fe 50 be! 89! e5!
8738352 | 8745328 | Tag | af! d5! db! 74! 3d! 8a!
8784672 | 8791712 | Tag | 15 79! fa! 97! d4! af!
Are you able to get the anticollision process as well?
And is that the full transaction?
And how did you collect the trace? With hf mf sniff? Did you use the new hf list command?
You could also save this trace with hf list save mytrace.trc if you are using the latest official repo, and upload it here.
Full Trial:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 256 | Tag |00! | |
410960 | 413328 | Tag |0b! 03 | |
451408 | 452048 | Tag |03! | |
781904 | 782544 | Tag | 01 | |
821824 | 824192 | Tag | 03 01! | |
1110720 | 1113088 | Tag |0b! 03 | | should be CID 00 03
1155136 | 1162176 | Tag | 5d c9 20 b0 a5 08 | ok | RESULT: READ BLOCK 1
1201600 | 1208576 | Tag | 03 00 02 90 f4 d4 | ok | RESULT: READ BLOCK 0
1248640 | 1248832 | Tag | 01 | | RESULT: REQUEST CARD(FAILED)
1292864 | 1299904 | Tag | 00 02 20 24 ad a7 | ok | RESULT: READ BLOCK 2
1339328 | 1346048 | Tag | 3a 28! 32! 4d! 25 75 | !crc|
1385024 | 1392064 | Tag | 01 23 07 64 ce ce | ok | RESULT: READ BLOCK 5
1792748 | 1797452 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
1799344 | 1803760 | Tag |43! d6 c7 53! | | Tag Nonce
1818732 | 1828108 | Rdr | e5 ba 1d 66! ee! 18! 50! 02 | !crc| Ra1
1829296 | 1833968 | Tag |c0! 41 bf 37! | | Rb'
1889004 | 1893772 | Rdr | dc 26! bd! b8! | !crc| READ BLOCK(?) 9?
1894976 | 1902016 | Tag |6e! a2 bd 33 fe df | !crc|
1934956 | 1939724 | Rdr |97! 7b! 96! 14! | !crc| READ BLOCK(?) 10?
1940912 | 1947888 | Tag | 8a df! c0 9b 66 03 | !crc|
1981164 | 1985868 | Rdr |7f! e0! ca! b9! | !crc| READ BLOCK(?) 11?
1987120 | 1994096 | Tag |f4! be 4d 7c 8b 82 | !crc|
2027116 | 2031820 | Rdr |ee! 88 1e! 5f | !crc| READ BLOCK(?) 12?
2033072 | 2040112 | Tag |ce! 75! 2b c4 15 7a | !crc|
2073068 | 2077772 | Rdr |e7! ab 1a 9f | !crc| READ BLOCK(?) 13?
2079024 | 2086000 | Tag |fe! 22! ed! af! af 10! | !crc|
2522092 | 2526796 | Rdr | 42 ef! 9c 9a | !crc| WRITE BLOCK(?) guess block 9
2528048 | 2528688 | Tag |05! | | ACK, should be 0A
2544364 | 2551436 | Rdr |a3! d4 4b 2f 77! 7b! | !crc| WRITE(PUT DATA)
2593712 | 2594352 | Tag |03! | | ACK, should be 0A
2625004 | 2629772 | Rdr |84! 34 27! e3 | !crc| READ BLOCK
2630960 | 2637936 | Tag |b6! d6! f6 26 29 25! | !crc| probably verify
2671980 | 2676684 | Rdr | 2c 1d 47! e7 | !crc| WRITE guess block 10
2677936 | 2678512 | Tag | 08 | | ACK, should be 0A
2694252 | 2701260 | Rdr |9d! da 51! 88 15 60 | !crc| WRITE(PUT DATA)
2743600 | 2744176 | Tag | 0e | | ACK, should be 0A
2775660 | 2780428 | Rdr | 5b 96! 3a ca! | !crc| WRITE guess block 11
2781616 | 2782256 | Tag | 07 | | ACK, should be 0A
2797932 | 2804940 | Rdr | e7 f0! 92 cf 54! ed | !crc| WRITE(PUT DATA)
2847280 | 2847920 | Tag | 01 | | ACK, should be 0A
2878956 | 2883660 | Rdr |df! e2! bf de | !crc| READ BLOCK(?)
2884912 | 2891888 | Tag |6c! 9c! 46! c9 ed e2 | !crc|
2925164 | 2929868 | Rdr | dc a8 43 80! | !crc| READ BLOCK(?)
2931120 | 2938096 | Tag | 57 9d 87 79 a7 4f! | !crc|
2971372 | 2976140 | Rdr | 42 b2 8b 34 | !crc| READ BLOCK(?)
2977328 | 2984304 | Tag |bb! 6f 5c! ed! 1d! 05 | !crc|
3018604 | 3023372 | Rdr | 5a 16! 1a! de! | !crc| WRITE
3024560 | 3025200 | Tag |06! | | ACK should be 0A
3040876 | 3047948 | Rdr | f4 27 50! 9f fc d0 | !crc| WRITE(PUT DATA)
3090224 | 3090800 | Tag |0f! | | ACK should be 0A
3122796 | 3127564 | Rdr | be f5 47 d5 | !crc| WRITE
3128752 | 3129328 | Tag |0f! | | ACK should be 0A
3145068 | 3152140 | Rdr |dd! 59 4e! bc 67 69! | !crc| WRITE(PUT DATA)
3194416 | 3195056 | Tag |05! | | ACK should be 0A
3226604 | 3231308 | Rdr |0f! a8 6e! 0a | !crc| WRITE
3232560 | 3233200 | Tag |00! | |ACK should be 0A
3248748 | 3255756 | Rdr | 2c 02! 2f 57! 64! 43! | !crc| WRITE(PUT DATA)
3298096 | 3298672 | Tag |0a! | | ACK should be 0A
3827164 | 3831868 | Rdr | 4d 2b! 4d! 96 | !crc| WRITE
3833120 | 3833760 | Tag |05! | | ACK should be 0A
3849436 | 3856508 | Rdr | 33 ea 72! 66! 85 4c | !crc| WRITE(PUT DATA)
3898784 | 3899424 | Tag |05! | | ACK should be 0A
7174716 | 7175708 | Rdr | 52 | | WUPA
7176960 | 7179328 | Tag |0b! 03 | | CID should be 00 03
7215804 | 7220572 | Rdr | 30 01 8b b9 | ok | READBLOCK(1)
7221760 | 7228800 | Tag | 5d c9 20 b0 a5 08 | ok |
7262012 | 7266780 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
7267968 | 7274944 | Tag | 03 00 02 90 f4 d4 | ok |
7307964 | 7312668 | Rdr | 30 03 99 9a | ok | READBLOCK(3)
7313920 | 7320896 | Tag | 26 44 5c 01 00 9c | ok |
7354300 | 7359004 | Rdr | 30 02 10 8b | ok | READBLOCK(2)
7360256 | 7367296 | Tag | 00 02 20 24 ad a7 | ok |
7399996 | 7404700 | Rdr | 30 04 26 ee | ok | READBLOCK(4)
7405952 | 7412928 | Tag | ea a2 c8 36 94 d4 | ok |
7446204 | 7450908 | Rdr | 30 05 af ff | ok | READBLOCK(5)
7452160 | 7459200 | Tag | 01 23 07 64 ce ce | ok |
7859260 | 7863964 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
7865600 | 7870272 | Tag | 9b f9 02 0f | | Tag-Nonce
7885244 | 7894556 | Rdr | d6 40 e9 d1! 02! 31! b5! ed | !crc| Ra1
7895808 | 7900480 | Tag |5f! 56! e0 fe! | | Rb'
7955388 | 7960156 | Rdr | dc 26! bd! b8! | !crc| ? READ BLOCK(?)
7961344 | 7968384 | Tag |64! a2 bc 28! 5b a4 | !crc|
8001852 | 8006620 | Rdr |97! 7b! 96! 14! | !crc| ? READ BLOCK(?)
8007808 | 8014784 | Tag | 8a df! c0 9b 66 03 | !crc|
8047548 | 8052252 | Rdr |7f! e0! ca! b9! | !crc| READ BLOCK(?)
8053504 | 8060480 | Tag |f4! be 4d 7c 8b 82 | !crc|
8093756 | 8098460 | Rdr |ee! 88 1e! 5f | !crc| READ BLOCK(?)
8099712 | 8106752 | Tag |ce! 75! 2b c4 15 7a | !crc|
8139836 | 8144604 | Rdr |e7! af 3e d9 | !crc| READ BLOCK(?)
8145792 | 8152768 | Tag |a5! 05! 23! fa! 00 df! | !crc|
8185788 | 8190492 | Rdr | d2 eb! e5 c5 | !crc| READ BLOCK(?)
8191744 | 8198720 | Tag | 0d 6f! 9c 2a 97! b3! | !crc|
8231996 | 8236764 | Rdr |ad! ba! 43 b7! | !crc| READ BLOCK(?)
8237952 | 8244992 | Tag | f5 b6! d6! f6 26 7f | !crc|
8836652 | 8837644 | Rdr | 52 | | WUPA
8838896 | 8841264 | Tag |0b! 03 | | CID, should be 00 03
8877612 | 8882380 | Rdr | 30 01 8b b9 | ok | READBLOCK(1)
8883552 | 8890592 | Tag | 5d c9 20 b0 a5 08 | ok |
8924204 | 8928972 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
8930144 | 8937120 | Tag | 03 00 02 90 f4 d4 | ok |
8969900 | 8974604 | Rdr | 30 03 99 9a | ok | READBLOCK(3)
8975856 | 8982832 | Tag | 26 44 5c 01 00 9c | ok |
9015468 | 9020172 | Rdr | 30 02 10 8b | ok | READBLOCK(2)
9021424 | 9028464 | Tag | 00 02 20 24 ad a7 | ok |
9062060 | 9066764 | Rdr | 30 04 26 ee | ok | READBLOCK(4)
9068016 | 9074992 | Tag | ea a2 c8 36 94 d4 | ok |
9108012 | 9112716 | Rdr | 30 05 af ff | ok | READBLOCK(5)
9113968 | 9121008 | Tag | 01 23 07 64 ce ce | ok |
9527980 | 9532684 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
9534320 | 9539056 | Tag | 94 8d 2f e3 | | Tag-Nonce
9553964 | 9563340 | Rdr | de b1 20 63! 6c! 84! 86! 5e | !crc| Ra
9564528 | 9569264 | Tag |5f! da! 00 44! | | Rb'
9624492 | 9629260 | Rdr | dc 26! bd! b8! | !crc| READ BLOCK(?)
9630448 | 9637488 | Tag |64! a2 bc 28! 5b a4 | !crc|
9670828 | 9675596 | Rdr |97! 7b! 96! 14! | !crc| READ BLOCK(?)
9677024 | 9683744 | Tag |a2! 77! f0 26! d9! 40 | !crc|
9716524 | 9721228 | Rdr |7f! e0! ca! b9! | !crc| READ BLOCK(?)
9722464 | 9729440 | Tag |f4! be 4d 7c 8b 82 | !crc|
9763372 | 9768076 | Rdr |ee! 88 1e! 5f | !crc| READ BLOCK(?)
9769312 | 9776352 | Tag |ce! 75! 2b c4 15 7a | !crc|
9815136 | 9822112 | Tag |a5! 05! 23! fa! 00 df! | !crc|
9861088 | 9868064 | Tag | 0d 6f! 9c 2a 97! b3! | !crc|
9907824 | 9914864 | Tag | f5 b6! d6! f6 26 7f | !crc|
Last edited by maozhenyu (2018-06-19 17:25:48)
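A small parser for the hf list rows in the traces above that recomputes ISO 14443-3 CRC_A over every frame, added here as an example and not part of the thread. The sample rows are copied from the trace above; the rule that frames shorter than 3 bytes carry no CRC is an assumption.

```python
# Added example (not from the thread): recompute ISO 14443-3 CRC_A over the frames in
# a Proxmark 'hf list' trace, to tell plain frames (CRC ok) from the post-AUTH frames
# whose "!crc" shows they are no longer plaintext. Sample rows copied from the trace above.
SAMPLE_TRACE = """\
7262012 | 7266780 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
7267968 | 7274944 | Tag | 03 00 02 90 f4 d4 | ok |
7859260 | 7863964 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
7865600 | 7870272 | Tag | 9b f9 02 0f | | Tag-Nonce
7955388 | 7960156 | Rdr | dc 26! bd! b8! | !crc| ? READ BLOCK(?)
7961344 | 7968384 | Tag |64! a2 bc 28! 5b a4 | !crc|
"""


def crc_a(data):
    """ISO 14443-3 CRC_A: init 0x6363, reflected poly 0x8408, transmitted LSB first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_frame(line):
    """Return (src, payload bytes, parity-error count) for a Rdr/Tag row, else None.
    A trailing '!' on a byte is Proxmark's parity-error marker and is stripped."""
    cols = [c.strip() for c in line.split("|")]
    if len(cols) < 4 or cols[2] not in ("Rdr", "Tag"):
        return None
    tokens = cols[3].split()
    data = bytes(int(t.rstrip("!"), 16) for t in tokens)
    return cols[2], data, sum(t.endswith("!") for t in tokens)


def check_crc(data):
    """True/False for the two trailing bytes; None for frames too short to carry a CRC
    (WUPA, CID, ACK/NAK). The 3-byte threshold is an assumption."""
    if len(data) < 3:
        return None
    return crc_a(data[:-2]) == data[-2:]


def analyse(trace):
    """One (src, hex payload, parity errors, crc ok) tuple per frame in the trace."""
    rows = []
    for line in trace.splitlines():
        parsed = parse_frame(line)
        if parsed:
            src, data, perr = parsed
            rows.append((src, data.hex(), perr, check_crc(data)))
    return rows


if __name__ == "__main__":
    for src, payload, perr, ok in analyse(SAMPLE_TRACE):
        print("%s %-14s parity errors=%d crc=%s" % (src, payload, perr, ok))
```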
Anticollision:
hf 14a raw -p -b 7 -a 26 return 03 00(cid)
hf 14a raw -p 93XX(XX does not matter, return 0A)
hf 14a raw -p -c 3001 (read UID)
hf 14a raw -p -b 7 -a 26 return 01(failed cuz already selected)
hf 14a raw -p -b 7 -a 26 return 0300 (cid,request again)
hf 14a raw -p 9370XXXXXXXX(XX is UID, return 0A)
hf 14a raw -p -c 6001 (start to AUTH)
hf 14a raw -p YYYYYYYYYYYYYYYY(Ra) return Rb'
Key used is XXXXXXXX00(Block 8 + 00)
IC: FM1704/FM1705/FM1715/FM1725
Last edited by maozhenyu (2018-06-23 13:23:28)
Here are some sniff results with better accuracy, from the anticollision procedure to reading block 7, between an FM11RF005SH and an FM1715 reader set in Shanghai Standard mode (which I guess is quite similar to Crypto-1). Without knowing the key we are only able to read the first 8 blocks, and apparently these blocks are encrypted.
Recorded Activity (TraceLen = 327 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2260 | 4628 | Tag | 03 00 | |
49296 | 59824 | Rdr | 93 70 00 00 00 00 00 9c d9 | ok | SELECT_UID
61012 | 61588 | Tag |0a! | |
65168 | 69936 | Rdr | 30 01 8b b9 | ok | READBLOCK(1)
71124 | 78100 | Tag | 29 ab d4 b0 91 8b | ok |
136080 | 137072 | Rdr | 52 | | WUPA
138340 | 138980 | Tag | 01 | |
197024 | 198016 | Rdr | 52 | | WUPA
199268 | 201636 | Tag | 03 00 | |
259232 | 269696 | Rdr | 93 70 29 ab d4 b0 00 41 5c | ok | SELECT_UID
270948 | 271524 | Tag |0a! | |
333616 | 338384 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
339572 | 346548 | Tag | 03 00 02 90 f4 d4 | ok |
407216 | 411984 | Rdr | 30 01 8b b9 | ok | READBLOCK(1)
483776 | 488480 | Rdr | 30 02 10 8b | ok | READBLOCK(2)
489732 | 496772 | Tag | 00 02 23 07 5c 9e | ok |
558016 | 562720 | Rdr | 30 03 99 9a | ok | READBLOCK(3)
563972 | 571012 | Tag | 4c f5 6e 01 c6 8c | ok |
633936 | 638640 | Rdr | 30 04 26 ee | ok | READBLOCK(4)
710480 | 715184 | Rdr | 30 05 af ff | ok | READBLOCK(5)
716436 | 723476 | Tag | 04 17 b9 64 28 e5 | ok |
786400 | 791168 | Rdr | 30 06 34 cd | ok | READBLOCK(6)
862944 | 867712 | Rdr | 30 07 bd dc | ok | READBLOCK(7)
868900 | 875876 | Tag | 00 00 7e 86 ea dd | ok |
By the way, the code for the FM1715 reader is written and tested by maozhenyu & me.
1. Forcing a tag nonce by PM3
2. Use ChameleonMini to give the same tag nonce to a valid reader
3. Sniff communications between valid card and valid reader
4. Decode keystream (reader side) by guessing. Decode keystream (card side) by reading public sectors (and XOR)
5. Replay attack works but you have to try at most 256 times for the parity bits.
6. Once tag nonce (nt) and UID remain unchanged, the ar_enc remains constant.
From
https://github.com/iceman1001/proxmark3 … -463488244
pm3 --> hf 14a raw -s -c 6001
7B 37 F1 D5
pm3 --> hf 14a raw -s -c 6001
64 E5 BA D7
E5 BA D7 1E
54 C9 61 8C
E5 BA D7 1E
BA D7 1E 4E
35 1B 47 06
64 E5 BA D7
E5 BA D7 1E
47 06 2C E7
E5 BA D7 1E
D7 1E 4E 2A
64 E5 BA D7
BA D7 1E 4E
5A 64 E5 BA
BA D7 1E 4E
E5 BA D7 1E
BA D7 1E 4E
E5 BA D7 1E
BA D7 1E 4E
5A 64 E5 BA
63 5A 64 E5
1E 4E 2A C6
D7 1E 4E 2A
E5 BA D7 1E
BA D7 1E 4E
61 8C 96 4A
1E 4E 2A C6
D7 1E 4E 2A
D7 1E 4E 2A
E5 BA D7 1E
64 E5 BA D7
BA D7 1E 4E
2A C6 54 C9
D7 1E 4E 2A
E5 BA D7 1E
BA D7 1E 4E
D7 1E 4E 2A
D7 1E 4E 2A
I think it has some rules like this
5A64E5BAD71EAE2A
351B47062CE7
Looks like the nonce is just a byte shifting algo (LFSR?) which
From that sample data I can see the following, if I line up the nonces a bit.
Set 1
351B4706
47062CE7
Set 2
635A64E5
5A64E5BA
64E5BAD7
E5BAD71E
BAD71E4E
D71E4E2A
1E4E2AC6
2AC654C9
54C9618C
618C964A
Since the second set looks more complete,
let's assume and extrapolate the missing steps.
635A64E5
5A64E5BA
64E5BAD7
E5BAD71E
BAD71E4E
D71E4E2A
1E4E2AC6
4E2AC654
2AC654C9
C654C961
54C9618C
C9618C96
618C964A
Which gives us the following sequences of bytes.
635A64E5BAD71E4E2AC654C9618C964A
It would be fair to assume the first set of data should also eventually find its connection with the second set, but there is not enough sample data?
If we try filling in the first set, this is the expected data.
------35
----351B
--351B47
351B4706
1B47062C
47062CE7
062CE7--
2CE7----
E7------
Following sequence of bytes.
351B47062CE7
Let's compare with spencerkai's:
635A64E5BAD71E4E2AC654C9618C964A
5A64E5BAD71EAE2A
351B47062CE7
351B47062CE7
So far so good in the validation of data. Sadly the first set and the second set have no connection.
Now where is my code to test the output of an LFSR? Where did I read about that?
Getting the polynomial used from a sample set like this...
It would be interesting to see how long this sequence is, when it starts over.
Using the Berlekamp-Massey algorithm
First set: length / span 25
x^25 + x^18 + x^16 + x^13 + x^12 + x^8 + x^7 + x^5 + x^2 + x^1
second set: length / span 64
x^64 + x^63 + x^62 + x^61 + x^57 + x^52 + x^51 + x^50 + x^48 + x^44 + x^41 + x^39 + x^37 + x^36 + x^33 + x^32 + x^31 + x^30 + x^29 + x^28 + x^27 + x^25 + x^24 + x^21 + x^19 + x^18 + x^14 + x^13 + x^5 + x^4 + x^2 + 1
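The nonce line-up from the posts above and the Berlekamp-Massey step in this post, as an added example that is not code from the thread: the nonces are chained by their byte overlap into one stream and the shortest GF(2) LFSR reproducing its bits is computed. MSB-first bit order inside each byte is an assumption, so the exact terms need not match the polynomials quoted above.

```python
# Added example (not from the thread): chain the overlapping 4-byte nonces listed above
# into one byte stream, then run Berlekamp-Massey over GF(2) on its bits to find the
# shortest LFSR reproducing it, the same analysis the post above reports.
SET2 = ["635A64E5", "5A64E5BA", "64E5BAD7", "E5BAD71E", "BAD71E4E",
        "D71E4E2A", "1E4E2AC6", "2AC654C9", "54C9618C", "618C964A"]
SET1 = ["351B4706", "47062CE7"]

def chain_nonces(nonces):
    """Join nonces by longest suffix/prefix overlap (3, 2 or 1 bytes); a 2-byte
    overlap means one window was missed, which is the thread's 4E2AC654 gap."""
    stream = bytes.fromhex(nonces[0])
    for nonce in nonces[1:]:
        nb = bytes.fromhex(nonce)
        for k in (3, 2, 1):
            if stream.endswith(nb[:k]):
                stream += nb[k:]
                break
        else:
            stream += nb  # no overlap at all: append the whole nonce
    return stream.hex().upper()

def to_bits(hexstr):
    """MSB-first bit list; the bit order inside each byte is an assumption."""
    return [(b >> k) & 1 for b in bytes.fromhex(hexstr) for k in range(7, -1, -1)]

def berlekamp_massey(bits):
    """Return (L, c): c[0..L], c[0]=1, with bits[i] == XOR(c[j] & bits[i-j], j=1..L)."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:  # discrepancy: correct c with a shifted copy of the previous b
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def lfsr_regenerate(bits, c, n):
    """Run the recurrence from berlekamp_massey forward from the first L bits."""
    L = len(c) - 1
    out = list(bits[:L])
    while len(out) < n:
        out.append(sum(c[j] & out[-j] for j in range(1, L + 1)) & 1)
    return out

def poly_str(c):
    """Characteristic polynomial x^L + c[1] x^(L-1) + ... + c[L], the thread's notation."""
    L = len(c) - 1
    terms = ["x^%d" % L]
    for j in range(1, L + 1):
        if c[j]:
            terms.append("x^%d" % (L - j) if L - j else "1")
    return " + ".join(terms)
```

Calling `berlekamp_massey(to_bits(chain_nonces(SET2)))` gives the LFSR length and, through `poly_str`, the polynomial in the same form as quoted above; `lfsr_regenerate` confirms that the recurrence reproduces the whole stream.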
Some facts:
1. UID and Nr are not involved during authentication
2. Keystream after successful authentication will not change iff the Key of the card remains constant.
3. When Key = 00000000, then succ(keystream) will always be 0
Need to figure out the LFSR
Last edited by maozhenyu (2019-03-26 08:35:55)
The SH algorithm needs to be figured out. It should be similar to the Crypto-1 algo.
https://patents.google.com/patent/CN133 … y:20050101
this may be helpful
Fudan FM11RF005SH is total shxt card. It has already been clonable since 2020, LOL
since last year? Nice!
You adding support to the repo?
since last year? Nice!
You adding support to the repo?
as far as I know, the answer is NOP. Because they promote the special purpose card for it. I have no idea how to do it.
Link to the special purpose card?
fm11rf005m is clonable by sniffing the keys like the Mifare Classic cards, but fm11rf005sh is not able to be cloned easily because the algorithm is unknown. The only way is a replay attack.
There is a fact that fm11rf005m is completely the same as fm11rf005sh in structure, but the algorithm they use is different. You can only tell these cards apart by Block 0 in the card: 0500xxxx is 005m, 0300xxxx is 005sh.
fm11rf005m uses the same algorithm as the Mifare Classic cards.
But fm11rf005sh is using a special algorithm which is designed by the Shanghai HuaHong company. The SHC1101/FM11RF08SH is also using the same algorithm.
By the way, there is a fully compatible card called shc1103 which is manufactured by the Shanghai HuaHong company. Fm11rf005sh and shc1103 even share the same die, but are packaged by different companies.
I recently did some tests and found out that
the nt generating poly might probably be
x^16 + x^14 + x^13 + x^10 + 1
or not
Definitely different from crypto 1
Last edited by liushanyin1252 (2021-05-15 15:19:33)