Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I found this inside libnfc:
https://github.com/nfc-tools/libnfc/blo … dNavigo.sh
where it looks like the 14B' protocol is used.
Great finding! Can someone with an old Navigo test this?
Too fast, Iceman!
I tried to snoop my old Navigo and, as Asper said, nothing was captured (hf 14b snoop).
So it confirms that Navigo has 2 versions, one of them 14B'.
Sadly, I don't have another reader to test the script.
During this weekend, I decompiled the Java app used to read the Navigo card on the official RATP website.
I found 2 pieces of information which could be useful and confirm the 2 versions of the Navigo:
String selectAPDUs = "00A4040008315449432E494341|9000;94A40800022000|9000";
Too fast?
[94A40800022000] This part I've seen in the Navigo Lua scripts.
[00A4040008315449432E494341] This one I haven't tested. Can you test it?
Last edited by iceman (2015-07-27 16:05:05)
I found 2 source codes which could be interesting for implementing 14B':
http://docs.ros.org/hydro/api/rfid_drivers/html/classFedmIscTagHandler__ISO14443__Innovatron.html#details
http://apidoc.springcard.com/springprox/sprox_14443-bi_c.html#robo4 (source)
I tried to analyse them and extract (what I suppose to be) some useful information.
In the Hydro API, a new struct is added to ISO 14443-B for B':
[== C++ ==]
struct {
    unsigned char m_ucAtr[33];   // Array with ATR (only applicable with ISO 14443-B' Innovatron Tag)
    unsigned char m_ucAtrLen;    // ATR Length (only applicable with ISO 14443-B' Innovatron Tag)
    unsigned char m_ucConfig;    // Config (only applicable with ISO 14443-B' Innovatron Tag)
    unsigned char m_ucVerlog;    // Verlog (only applicable with ISO 14443-B' Innovatron Tag)
};
In SpringProx:
[== C++ ==]
/* B' (Innovatron) */
/* --------------- */
/* These functions are only available for Calypso-enabled readers */
SPRINGPROX_LIB SWORD SPRINGPROX_API SPROX_Bi_Apgen(BYTE uid[4], BYTE atr[32], BYTE *atrlen);
I wonder if you are able to use the APDU for 14B' with the "hf 14b raw" command.
UID - 4 bytes, ok.
ATR has a max of 33/32 bytes but is defined with an atrlen variable.
CONFIG - 1 byte
VERLOG - 1 byte
APDU:
00A4040008315449432E494341
-----------------------------------------
00 - normal CLA?
A4 - CMD
04 - P1
00 - P2
08 - LEN of next data.
[31 54 49 43] [2E 49 43 41] (Directory/Files)?
But what are the REQB / ATTRIB commands for 14B'? That's the question.
Or did your tag answer to the 05 00 08?
Finally,
just enhancing some functionality of the "hf 14b raw" command meant that I had to rewrite a lot of it,
but the upside is that code-wise the new raw command looks and behaves just like "hf 14a raw".
Since I'm thinking of a Lua implementation for dealing with Calypso tags, I started with that. Since there was not much to start with, I had to write that as well. Now that I have everything I need for it, I can start with my Lua script. Below is a sample of reading a Calypso tag and selecting the AID 2000, with a nice answer from the tag, verified with the output from "hf list 14b".
pm3 --> sc r f
--- Executing: ./scripts/f.lua, args''
Waiting for card... press any key to quit
Card UID 2618ADC4
Card Number 639151556
>> 0a0094a40800043f000002
<< 0A0085170204021D011F000000010101010000000000000000000090003425
pm3 --> hf li 14b
Recorded Activity (TraceLen = 137 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr |05 00 08 39 73 | ok | WUPB
696 | 696 | Tag |50 26 18 ad c4 00 00 00 00 00 71 81 8c 74 | ok |
0 | 0 | Rdr |1d 26 18 ad c4 00 08 01 00 a5 8f | ok | ATTRIB
264 | 264 | Tag |00 78 f0 | ok |
0 | 0 | Rdr |0a 00 94 a4 08 00 04 3f 00 00 02 d3 59 | ok | AUTHENTICATE
1948 | 1948 | Tag |0a 00 85 17 02 04 02 1d 01 1f 00 00 00 01 01 01 | |
| | |01 00 00 00 00 00 00 00 00 00 00 90 00 34 25 | ok |
Looking way better.
The ISO 7816 annotation works, and the Calypso tag happily gives out data.
pm3 --> sc r calypso
--- Executing: ./scripts/calypso.lua, args''
Waiting for card... press any key to quit
Card UID 2618ADC4
Card Number 639151556
>> 01.Select ICC file
<< no answer
>> 02.ICC
<< no answer
>> 03.Select EnvHol file
<< no answer
>> 04.EnvHol1
<< no answer
>> 05.Select EvLog file
SW 9000 OK
<< 0285170804041D031F12121201030303000000000000000000009000FB5F
>> 06.EvLog1
SW 9000 OK
<< 036D2168900068A18818F2808828002040000000000000000000000000009000BA5D
>> 07.EvLog2
SW 9000 OK
<< 026D2167900068A18818F20088100020400000000000000000000000000090002E75
>> 08.EvLog3
SW 9000 OK
<< 036D2165900068A2B818F6818A100090400000000000000000000000000090009B5D
>> 09.Select ConList file
SW 9000 OK
<< 0285171E04021D011F120000010301010000000000000000000090002D92
>> 10.ConList
SW 9000 OK
<< 031C1FF2100000000000000000000000000000000000000000000000000090009F06
>> 11.Select Contra file
SW 9000 OK
<< 0285170904021D041F121200010203010000000000000000000090008E98
>> 12.Contra1
SW 9000 OK
<< 035A506000001166109A456D21B4E1FD6D200C9E3404019CFFFFFFFFFFFF90000FBB
>> 13.Contra2
SW 9000 OK
<< 0200000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9000E179
>> 14.Contra3
SW 9000 OK
<< 0300000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9000830E
>> 15.Contra4
SW 9000 OK
<< 0200000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9000E179
>> 16.Select Counter file
SW 9000 OK
<< 0385171904091D011F1212120102030200000000000000FFFFFF9000C9D7
>> 17.Counter
SW 9000 OK
<< 0200000000000000000000000000000000000000000000000000000000009000E93A
>> 18.Select SpecEv file
SW 9000 OK
<< 0385171D04021D031F12000001030101000000000000000000009000663E
>> 19.SpecEv1
SW 9000 OK
<< 0200000000000000000000000000000000000000000000000000000000009000E93A
-----Finished
pm3 --> hf li 7816
Recorded Activity (TraceLen = 1031 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr |05 00 08 39 73 | | ?
698 | 698 | Tag |50 26 18 ad c4 00 00 00 00 00 71 81 8c 74 | |
0 | 0 | Rdr |1d 26 18 ad c4 00 08 01 00 a5 8f | | ?
264 | 264 | Tag |00 78 f0 | |
0 | 0 | Rdr |02 94 a4 08 00 04 20 00 20 10 41 1b | | SELECT FILE
2182 | 2182 | Tag |02 85 17 08 04 04 1d 03 1f 12 12 12 01 03 03 03 | |
| | |00 00 00 00 00 00 00 00 00 00 90 00 fb 5f | |
0 | 0 | Rdr |02 94 b2 01 04 1d ee 42 | | READ RECORDS
1622 | 1622 | Tag |03 6d 21 68 90 00 68 a1 88 18 f2 80 88 28 00 20 | |
| | |40 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |ba 5d | |
0 | 0 | Rdr |02 94 b2 02 04 1d 8a ad | | READ RECORDS
1624 | 1624 | Tag |02 6d 21 67 90 00 68 a1 88 18 f2 00 88 10 00 20 | |
| | |40 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |2e 75 | |
0 | 0 | Rdr |02 94 b2 03 04 1d 56 f7 | | READ RECORDS
1622 | 1622 | Tag |03 6d 21 65 90 00 68 a2 b8 18 f6 81 8a 10 00 90 | |
| | |40 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |9b 5d | |
0 | 0 | Rdr |02 94 a4 08 00 04 20 00 20 50 45 59 | | SELECT FILE
1682 | 1682 | Tag |02 85 17 1e 04 02 1d 01 1f 12 00 00 01 03 01 01 | |
| | |00 00 00 00 00 00 00 00 00 00 90 00 2d 92 | |
0 | 0 | Rdr |02 94 b2 01 04 1d ee 42 | | READ RECORDS
1626 | 1626 | Tag |03 1c 1f f2 10 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |9f 06 | |
0 | 0 | Rdr |02 94 a4 08 00 04 20 00 20 20 c2 2a | | SELECT FILE
1698 | 1698 | Tag |02 85 17 09 04 02 1d 04 1f 12 12 00 01 02 03 01 | |
| | |00 00 00 00 00 00 00 00 00 00 90 00 8e 98 | |
0 | 0 | Rdr |02 94 b2 01 04 1d ee 42 | | READ RECORDS
1620 | 1620 | Tag |03 5a 50 60 00 00 11 66 10 9a 45 6d 21 b4 e1 fd | |
| | |6d 20 0c 9e 34 04 01 9c ff ff ff ff ff ff 90 00 | |
| | |0f bb | |
0 | 0 | Rdr |02 94 b2 02 04 1d 8a ad | | READ RECORDS
1620 | 1620 | Tag |02 00 00 0f ff ff ff ff ff ff ff ff ff ff ff ff | |
| | |ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 | |
| | |e1 79 | |
0 | 0 | Rdr |02 94 b2 03 04 1d 56 f7 | | READ RECORDS
1622 | 1622 | Tag |03 00 00 0f ff ff ff ff ff ff ff ff ff ff ff ff | |
| | |ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 | |
| | |83 0e | |
0 | 0 | Rdr |02 94 b2 04 04 1d 53 7b | | READ RECORDS
1624 | 1624 | Tag |02 00 00 0f ff ff ff ff ff ff ff ff ff ff ff ff | |
| | |ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 | |
| | |e1 79 | |
0 | 0 | Rdr |02 94 a4 08 00 04 20 00 20 69 07 f5 | | SELECT FILE
1692 | 1692 | Tag |03 85 17 19 04 09 1d 01 1f 12 12 12 01 02 03 02 | |
| | |00 00 00 00 00 00 00 ff ff ff 90 00 c9 d7 | |
0 | 0 | Rdr |02 94 b2 01 04 1d ee 42 | | READ RECORDS
1618 | 1618 | Tag |02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |e9 3a | |
0 | 0 | Rdr |02 94 a4 08 00 04 20 00 20 40 c4 49 | | SELECT FILE
1694 | 1694 | Tag |03 85 17 1d 04 02 1d 03 1f 12 00 00 01 03 01 01 | |
| | |00 00 00 00 00 00 00 00 00 00 90 00 66 3e | |
0 | 0 | Rdr |02 94 b2 01 04 1d ee 42 | | READ RECORDS
1628 | 1628 | Tag |02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |e9 3a | |
pm3 -->
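The frames in the two traces above can be rebuilt and checked offline. The following is an added example in Python, not code from the thread or from the Proxmark3 project: it implements the ISO/IEC 14443-3 CRC_B that terminates every frame in the trace, builds the Calypso SELECT FILE (94 A4 08 00 04 20 00 <LID>) and READ RECORD (94 B2 <rec> 04 <Le>) APDUs, wraps them in ISO 14443-4 I-blocks (PCB 02/03, or 0A/0B plus a CID byte as "hf 14b raw" sent them), and splits a captured tag answer into response data and status word. It also decodes the APDU from the RATP Java app: P1=04 is ISO 7816-4 "select by DF name", and the 8 data bytes 31 54 49 43 2E 49 43 41 are the ASCII string "1TIC.ICA". The LID values, the CID of 0 (as in the ATTRIB above) and the sample frames are taken from the traces; nothing is decoded from the FCI or record contents, which is the mapping work the thread asks for.

```python
# Added example (Python), not code from the thread or the Proxmark3 project.
# Rebuilds and checks the ISO 14443-B / Calypso frames shown in the traces above.
from typing import Tuple


def crc16_b(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_B: init 0xFFFF, reflected polynomial 0x8408,
    final XOR 0xFFFF, transmitted least significant byte first."""
    crc = 0xFFFF
    for byte in data:
        b = byte ^ (crc & 0xFF)
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    crc = ~crc & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def check_frame(frame: bytes) -> bool:
    """True if the trailing two bytes are the correct CRC_B over the rest."""
    return len(frame) >= 3 and crc16_b(frame[:-2]) == frame[-2:]


def parse_apdu(apdu: bytes) -> dict:
    """Split a short command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than a 4-byte header")
    hdr = dict(cla=apdu[0], ins=apdu[1], p1=apdu[2], p2=apdu[3], data=b"", le=None)
    rest = apdu[4:]
    if len(rest) == 1:                      # case 2: Le only
        hdr["le"] = rest[0]
    elif len(rest) > 1:                     # case 3/4: Lc, data, optional Le
        lc = rest[0]
        hdr["data"] = rest[1:1 + lc]
        if len(rest) == lc + 2:
            hdr["le"] = rest[-1]
        elif len(rest) != lc + 1:
            raise ValueError("Lc does not match APDU length")
    return hdr


def select_file(lid: int) -> bytes:
    """Calypso SELECT FILE by LID below the MF (2000), as in the trace:
    94 A4 08 00 04 20 00 <LID>."""
    return bytes([0x94, 0xA4, 0x08, 0x00, 0x04, 0x20, 0x00]) + lid.to_bytes(2, "big")


def read_record(rec_no: int, le: int = 0x1D) -> bytes:
    """Calypso READ RECORD of the selected file: 94 B2 <rec> 04 <Le>."""
    return bytes([0x94, 0xB2, rec_no, 0x04, le])


def wrap_iblock(pcb: int, apdu: bytes) -> bytes:
    """ISO 14443-4 I-block as sent on air: PCB, CID byte when PCB bit 4 (0x08)
    is set (CID 0, as negotiated by the ATTRIB in the trace), INF, CRC_B."""
    body = bytes([pcb]) + (b"\x00" if pcb & 0x08 else b"") + apdu
    return body + crc16_b(body)


def parse_response(frame: bytes) -> Tuple[bytes, bytes]:
    """Verify CRC_B, strip PCB (and CID when present), return (data, SW1SW2)."""
    if not check_frame(frame):
        raise ValueError("CRC_B mismatch")
    start = 2 if frame[0] & 0x08 else 1
    body = frame[start:-2]
    if len(body) < 2:
        raise ValueError("no status word")
    return body[:-2], body[-2:]


if __name__ == "__main__":
    # APDU from the RATP Java app: SELECT by DF name, name "1TIC.ICA"
    sel = parse_apdu(bytes.fromhex("00A4040008315449432E494341"))
    print(sel["p1"], sel["data"].decode("ascii"))
    # first SELECT FILE of the calypso.lua trace, PCB 02
    print(wrap_iblock(0x02, select_file(0x2010)).hex())
    # tag answer captured with "hf 14b raw" (PCB 0A, CID 00), CRC marked ok
    data, sw = parse_response(bytes.fromhex(
        "0A0085170204021D011F000000010101010000000000000000000090003425"))
    print(data.hex(), sw.hex())
```

Run it against the "hf list" output above: the WUPB frame 05 00 08 checks out as CRC 39 73 and the first SELECT FILE comes back as 02 94 a4 08 00 04 20 00 20 10 41 1b, so any frame that fails check_frame here was corrupted in transit (or in copying), not mis-annotated by the Proxmark.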
But my USB communication between the device and the client over a VMware guest is so slow that it drops some packets. That's why the "<< no answer" rows appear when executing the script.
Someone up for starting to map the data?
Great work !
But my USB communication between the device and the client over a VMware guest is so slow that it drops some packets. That's why the "<< no answer" rows appear when executing the script.
Someone up for starting to map the data?
Sorry for bumping this. Is there any news on the matter? Were you able to read the data fully?