Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello, I have a Gen3 4k 7b Chinese card with broken access conditions for sector 0.
iceman described UID changing of this card in this post:
http://www.proxmark.org/forum/viewtopic … 843#p35843
UID changing still works and the UID is NOT locked.
Is there any chance to write block 3 (the access conditions block for sector 0) on this card via this or a similar command?
Current state is:
[usb] pm3 --> hf mf autopwn * 1 f keys.dic
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | D | 00ffffffffff | D |
[+] | 001 | ffffffffffff | D | ffffffffffff | D |
[+] | 002 | ffffffffffff | D | ffffffffffff | D |
[+] | 003 | ffffffffffff | D | ffffffffffff | D |
[+] | 004 | ffffffffffff | D | ffffffffffff | D |
[+] | 005 | ffffffffffff | D | ffffffffffff | D |
[+] | 006 | ffffffffffff | D | ffffffffffff | D |
[+] | 007 | ffffffffffff | D | ffffffffffff | D |
[+] | 008 | ffffffffffff | D | ffffffffffff | D |
[+] | 009 | ffffffffffff | D | ffffffffffff | D |
[+] | 010 | ffffffffffff | D | ffffffffffff | D |
[+] | 011 | ffffffffffff | D | ffffffffffff | D |
[+] | 012 | ffffffffffff | D | ffffffffffff | D |
[+] | 013 | ffffffffffff | D | ffffffffffff | D |
[+] | 014 | ffffffffffff | D | ffffffffffff | D |
[+] | 015 | ffffffffffff | D | ffffffffffff | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / A:keyA )
[usb] pm3 --> hf mf wrbl 3 B 00FFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block no:3, key type:B, key:00 FF FF FF FF FF
--data: FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Cmd Error: 04
#db# Write block error
isOk:00
[usb] pm3 --> hf mf wrbl 3 A FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block no:3, key type:A, key:FF FF FF FF FF FF
--data: FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
#db# Cmd Error: 04
#db# Write block error
isOk:00
[usb] pm3 --> hf search
[|]Searching for ISO14443-A tag...
[+] UID: 04 12 19 C3 21 93 16
[+] ATQA: 00 42
[+] SAK: 18 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] POSSIBLE TYPE: MIFARE Classic 1K / Classic 1K CL2
[+] POSSIBLE TYPE: MIFARE Plus 2K / Plus EV1 2K
[+] POSSIBLE TYPE: MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[+] POSSIBLE TYPE: MIFARE Plus 2K / Plus CL2 2K
[+] POSSIBLE TYPE: MIFARE Plus 4K / Plus EV1 4K
[+] POSSIBLE TYPE: MIFARE Plus CL2 4K / Plus CL2 EV1 4K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[+] Valid ISO14443-A tag found
Also, it doesn't answer backdoor commands:
[usb] pm3 --> hf mf cwipe
#db# wupC1 error
[!] Retry block[0]...
#db# wupC1 error
[!] Retry block[0]...
#db# wupC1 error
[!] Retry block[0]...
[!!] Error setting block[0]: -1
[!!] Can't wipe card. error=-1
Last edited by Monster1024 (2020-06-07 14:34:41)
Hmmm. Today my ACR122U arrived, and I restored this "dead" card with the "PCSC Mifare" software.
The "Set UID++ Info" button sets the UID and ERASES all sector data.
But the problem for now is that I don't know how this software does the restore.
I have tried to use "hf 14a sniff" to get the raw command with the Proxmark, but I got many select commands and one "90f0cccc10041219c321931c984200e32000".
When I tried to replay it, it only changed the UID but didn't erase all sector data.
Here is a sample log from the Proxmark of the erasing procedure: https://pastebin.com/iYP9izcW
How can I sniff/get the command to do the erase with the Proxmark?
@iceman - I hope you can help
P.S. The software link I found is here: https://www.dropbox.com/s/7rwcu3y5lptss … w.rar?dl=0
Last edited by Monster1024 (2020-06-07 13:49:30)
That command maybe also resets the sector trailers? You will need to dump the card before and after you run the software and sniff with your pm3 to see what the software is actually doing.
Three identified commands; I have updated the post you linked to.
And I think you can update your first post's subject. You seem to have a gen3 card. We don't call it a "hybrid card", even if I think the functions on the card seem to be a mix between gen1 and gen2 cards.
Updated the first post with the card name.
My goal is to be able to "format" gen3 cards with the Proxmark (without the PCSC software).
Dump files uploaded here:
https://github.com/monster1025/fileshar … clear_test
Here is my test:
Dumping card contents before erase:
[usb] pm3 --> hf mf autopwn * 1 f keys.dic
[!] no known key was supplied, key recovery might fail
[+] loaded 30 keys from dictionary file keys.dic
[=] running strategy 1
..
[=] Chunk: 4.2s | found 32/32 keys (30)
[+] target sector: 0 key type: A -- found valid key [A0 A1 A2 A3 A4 A5 ] (used for nested / hardnested attack)
[+] target sector: 0 key type: B -- found valid key [FB F2 25 DC 5D 58 ]
[+] target sector: 1 key type: A -- found valid key [A8 26 07 B0 1C 0D ]
[+] target sector: 1 key type: B -- found valid key [29 10 98 9B 68 80 ]
[+] target sector: 2 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector: 2 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector: 3 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector: 3 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector: 4 key type: A -- found valid key [73 06 8F 11 8C 13 ]
[+] target sector: 4 key type: B -- found valid key [2B 7F 32 53 FA C5 ]
[+] target sector: 5 key type: A -- found valid key [FB C2 79 3D 54 0B ]
[+] target sector: 5 key type: B -- found valid key [D3 A2 97 DC 26 98 ]
[+] target sector: 6 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector: 6 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector: 7 key type: A -- found valid key [AE 3D 65 A3 DA D4 ]
[+] target sector: 7 key type: B -- found valid key [0F 1C 63 01 3D BA ]
[+] target sector: 8 key type: A -- found valid key [A7 3F 5D C1 D3 33 ]
[+] target sector: 8 key type: B -- found valid key [E3 51 73 49 4A 81 ]
[+] target sector: 9 key type: A -- found valid key [69 A3 2F 1C 2F 19 ]
[+] target sector: 9 key type: B -- found valid key [6B 8B D9 86 07 63 ]
[+] target sector: 10 key type: A -- found valid key [9B EC DF 3D 92 73 ]
[+] target sector: 10 key type: B -- found valid key [F8 49 34 07 79 9D ]
[+] target sector: 11 key type: A -- found valid key [08 B3 86 46 32 29 ]
[+] target sector: 11 key type: B -- found valid key [5E FB AE CE F4 6B ]
[+] target sector: 12 key type: A -- found valid key [CD 4C 61 C2 6E 3D ]
[+] target sector: 12 key type: B -- found valid key [31 C7 61 0D E3 B0 ]
[+] target sector: 13 key type: A -- found valid key [A8 26 07 B0 1C 0D ]
[+] target sector: 13 key type: B -- found valid key [29 10 98 9B 68 80 ]
[+] target sector: 14 key type: A -- found valid key [0E 8F 64 34 0B A4 ]
[+] target sector: 14 key type: B -- found valid key [4A CE C1 20 5D 75 ]
[+] target sector: 15 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector: 15 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | a0a1a2a3a4a5 | D | fbf225dc5d58 | D |
[+] | 001 | a82607b01c0d | D | 2910989b6880 | D |
[+] | 002 | 2aa05ed1856f | D | eaac88e5dc99 | D |
[+] | 003 | 2aa05ed1856f | D | eaac88e5dc99 | D |
[+] | 004 | 73068f118c13 | D | 2b7f3253fac5 | D |
[+] | 005 | fbc2793d540b | D | d3a297dc2698 | D |
[+] | 006 | 2aa05ed1856f | D | eaac88e5dc99 | D |
[+] | 007 | ae3d65a3dad4 | D | 0f1c63013dba | D |
[+] | 008 | a73f5dc1d333 | D | e35173494a81 | D |
[+] | 009 | 69a32f1c2f19 | D | 6b8bd9860763 | D |
[+] | 010 | 9becdf3d9273 | D | f8493407799d | D |
[+] | 011 | 08b386463229 | D | 5efbaecef46b | D |
[+] | 012 | cd4c61c26e3d | D | 31c7610de3b0 | D |
[+] | 013 | a82607b01c0d | D | 2910989b6880 | D |
[+] | 014 | 0e8f64340ba4 | D | 4acec1205d75 | D |
[+] | 015 | 2aa05ed1856f | D | eaac88e5dc99 | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-041219C3219317-key.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-041219C3219317-dump.bin
[+] saved 64 blocks to text file hf-mf-041219C3219317-dump.eml
[+] saved to json file hf-mf-041219C3219317-dump.json
[=] autopwn execution time: 6 seconds
Then run "hf 14a sniff", put the card with the Proxmark on the ACR122U and run "Set UID++ Info" from the PCSC Mifare software:
[usb] pm3 --> hf 14a sniff
#db# Starting to sniff
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=1425, Uart.output[0]=00000095
[usb] pm3 --> hf list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 1425 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 1056 | Rdr |26 | | REQA
76032 | 77088 | Rdr |26 | | REQA
574832 | 575888 | Rdr |26 | | REQA
650480 | 651536 | Rdr |26 | | REQA
4206976 | 4208032 | Rdr |26 | | REQA
4209236 | 4211604 | Tag |42 00 | |
4220288 | 4222752 | Rdr |93 20 | | ANTICOLL
4223940 | 4229764 | Tag |88 04 12 19 87 | |
4250992 | 4261456 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
4262724 | 4266244 | Tag |1c 13 8b | |
4275440 | 4277904 | Rdr |95 20 | | ANTICOLL-2
4279092 | 4284916 | Tag |c3 21 93 17 66 | |
4306272 | 4316736 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
4317988 | 4321572 | Tag |18 37 cd | |
7382528 | 7383520 | Rdr |52 | | WUPA
7458432 | 7459424 | Rdr |52 | | WUPA
7460676 | 7463044 | Tag |42 00 | |
7476336 | 7486800 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
7488068 | 7491588 | Tag |1c 13 8b | |
7504496 | 7510352 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
7511604 | 7513972 | Tag |17 66 | |
7530720 | 7541184 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
7542436 | 7546020 | Tag |18 37 cd | |
10605312 | 10606304 | Rdr |52 | | WUPA
10681344 | 10682336 | Rdr |52 | | WUPA
10683588 | 10685956 | Tag |42 00 | |
10699248 | 10709712 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
10710980 | 10714500 | Tag |1c 13 8b | |
10727536 | 10733392 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
10734644 | 10737012 | Tag |17 66 | |
10753760 | 10764224 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
10765492 | 10769076 | Tag |18 37 cd | |
13828496 | 13829488 | Rdr |52 | | WUPA
13904512 | 13905504 | Rdr |52 | | WUPA
13906772 | 13909140 | Tag |42 00 | |
13922432 | 13932896 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
13934148 | 13937668 | Tag |1c 13 8b | |
13950576 | 13956432 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
13957684 | 13960052 | Tag |17 66 | |
13976816 | 13987280 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
13988532 | 13992116 | Tag |18 37 cd | |
15039936 | 15040928 | Rdr |52 | | WUPA
15115968 | 15116960 | Rdr |52 | | WUPA
15118212 | 15120580 | Tag |42 00 | |
15133888 | 15144352 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
15145604 | 15149124 | Tag |1c 13 8b | |
15162160 | 15168016 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
15169268 | 15171636 | Tag |17 66 | |
15188512 | 15198976 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
15200244 | 15203828 | Tag |18 37 cd | |
15427472 | 15428528 | Rdr |26 | | REQA
15503376 | 15504432 | Rdr |26 | | REQA
15505620 | 15507988 | Tag |42 00 | |
15516688 | 15519152 | Rdr |93 20 | | ANTICOLL
15520340 | 15526164 | Tag |88 04 12 19 87 | |
15547392 | 15557856 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
15559108 | 15562628 | Tag |1c 13 8b | |
15571824 | 15574288 | Rdr |95 20 | | ANTICOLL-2
15575492 | 15581316 | Tag |c3 21 93 17 66 | |
15602672 | 15613136 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
15614388 | 15617972 | Tag |18 37 cd | |
15895520 | 15922112 | Rdr |90 f0 cc cc 10 04 12 19 c3 21 93 18 98 42 00 e3 20 00 | |
| | |00 00 00 7b 90 | ok |
16096164 | 16100900 | Tag |90 00 fd 07 | |
39146448 | 39147440 | Rdr |52 | | WUPA
39222480 | 39223472 | Rdr |52 | | WUPA
39224724 | 39227092 | Tag |42 00 | |
39240384 | 39250848 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
39252116 | 39255636 | Tag |1c 13 8b | |
39268544 | 39274400 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
39275652 | 39278020 | Tag |17 66 | |
39294768 | 39305232 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
39306484 | 39310068 | Tag |18 37 cd | |
41284848 | 41285840 | Rdr |52 | | WUPA
41360752 | 41361744 | Rdr |52 | | WUPA
41362996 | 41365364 | Tag |42 00 | |
41378656 | 41389120 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
41390388 | 41393908 | Tag |1c 13 8b | |
41406816 | 41412672 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
41413924 | 41416292 | Tag |17 66 | |
41433040 | 41443504 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
41444756 | 41448340 | Tag |18 37 cd | |
44507760 | 44508752 | Rdr |52 | | WUPA
44583792 | 44584784 | Rdr |52 | | WUPA
44586036 | 44588404 | Tag |42 00 | |
44601696 | 44612160 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
44613428 | 44616948 | Tag |1c 13 8b | |
44629856 | 44635712 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
44636964 | 44639332 | Tag |17 66 | |
44656080 | 44666544 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
44667812 | 44671396 | Tag |18 37 cd | |
47730800 | 47731792 | Rdr |52 | | WUPA
47806832 | 47807824 | Rdr |52 | | WUPA
47809092 | 47811460 | Tag |42 00 | |
47824752 | 47835216 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
47836468 | 47839988 | Tag |1c 13 8b | |
47853024 | 47858880 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
47860132 | 47862500 | Tag |17 66 | |
47879248 | 47889712 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
47890980 | 47894564 | Tag |18 37 cd | |
50953968 | 50954960 | Rdr |52 | | WUPA
51030000 | 51030992 | Rdr |52 | | WUPA
51032244 | 51034612 | Tag |42 00 | |
51047904 | 51058368 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
51059620 | 51063140 | Tag |1c 13 8b | |
51076176 | 51082032 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
51083300 | 51085668 | Tag |17 66 | |
51102416 | 51112880 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
51114132 | 51117716 | Tag |18 37 cd | |
[usb] pm3 -->
And now read it back:
[usb] pm3 --> hf mf autopwn * 1 f keys.dic
[!] no known key was supplied, key recovery might fail
[+] loaded 30 keys from dictionary file keys.dic
[=] running strategy 1
[=] Chunk: 0.8s | found 32/32 keys (30)
[+] target sector: 0 key type: A -- found valid key [FF FF FF FF FF FF ] (used for nested / hardnested attack)
[+] target sector: 0 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 1 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 1 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 2 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 2 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 3 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 3 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 4 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 4 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 5 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 5 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 6 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 6 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 7 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 7 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 8 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 8 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 9 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 9 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 10 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 10 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 11 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 11 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 12 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 12 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 13 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 13 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 14 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 14 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 15 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 15 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | D | ffffffffffff | D |
[+] | 001 | ffffffffffff | D | ffffffffffff | D |
[+] | 002 | ffffffffffff | D | ffffffffffff | D |
[+] | 003 | ffffffffffff | D | ffffffffffff | D |
[+] | 004 | ffffffffffff | D | ffffffffffff | D |
[+] | 005 | ffffffffffff | D | ffffffffffff | D |
[+] | 006 | ffffffffffff | D | ffffffffffff | D |
[+] | 007 | ffffffffffff | D | ffffffffffff | D |
[+] | 008 | ffffffffffff | D | ffffffffffff | D |
[+] | 009 | ffffffffffff | D | ffffffffffff | D |
[+] | 010 | ffffffffffff | D | ffffffffffff | D |
[+] | 011 | ffffffffffff | D | ffffffffffff | D |
[+] | 012 | ffffffffffff | D | ffffffffffff | D |
[+] | 013 | ffffffffffff | D | ffffffffffff | D |
[+] | 014 | ffffffffffff | D | ffffffffffff | D |
[+] | 015 | ffffffffffff | D | ffffffffffff | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-041219C3219318-key.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
#db# Cmd Error: 04
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-041219C3219318-dump.bin
[+] saved 64 blocks to text file hf-mf-041219C3219318-dump.eml
[+] saved to json file hf-mf-041219C3219318-dump.json
[=] autopwn execution time: 3 seconds
[usb] pm3 -->
Last edited by Monster1024 (2020-06-07 14:50:46)
Looks like the command which writes a full block 0 also does a full reset.
Did you see if the data on the card also got wiped?
Ok, I saw your link. It sure looks like that one command does it all. Strange way of mixing behavior in a command.
Ok, but now we are moving further:
I have restored the UID back to 041219C3219317 and restored the card contents with "hf mf restore u 041219C3219317".
It is written successfully and I can read it back.
Now I want to do the wipe with the Proxmark and without the PCSC software.
I run:
[usb] pm3 --> hf 14a raw -s -c -t 2000 90f0cccc10041219c3219318984200e32000
Card selected. UID[7]:
04 12 19 C3 21 93 17
received 4 bytes
90 00 FD 07
and then:
[usb] pm3 --> hf mf autopwn * 1 f keys.dic
[!] no known key was supplied, key recovery might fail
[+] loaded 30 keys from dictionary file keys.dic
[=] running strategy 1
..
[=] Chunk: 4.2s | found 32/32 keys (30)
[+] target sector: 0 key type: A -- found valid key [A0 A1 A2 A3 A4 A5 ] (used for nested / hardnested attack)
[+] target sector: 0 key type: B -- found valid key [FB F2 25 DC 5D 58 ]
[+] target sector: 1 key type: A -- found valid key [A8 26 07 B0 1C 0D ]
[+] target sector: 1 key type: B -- found valid key [29 10 98 9B 68 80 ]
[+] target sector: 2 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector: 2 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector: 3 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector: 3 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector: 4 key type: A -- found valid key [73 06 8F 11 8C 13 ]
[+] target sector: 4 key type: B -- found valid key [2B 7F 32 53 FA C5 ]
[+] target sector: 5 key type: A -- found valid key [FB C2 79 3D 54 0B ]
[+] target sector: 5 key type: B -- found valid key [D3 A2 97 DC 26 98 ]
[+] target sector: 6 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector: 6 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] target sector: 7 key type: A -- found valid key [AE 3D 65 A3 DA D4 ]
[+] target sector: 7 key type: B -- found valid key [0F 1C 63 01 3D BA ]
[+] target sector: 8 key type: A -- found valid key [A7 3F 5D C1 D3 33 ]
[+] target sector: 8 key type: B -- found valid key [E3 51 73 49 4A 81 ]
[+] target sector: 9 key type: A -- found valid key [69 A3 2F 1C 2F 19 ]
[+] target sector: 9 key type: B -- found valid key [6B 8B D9 86 07 63 ]
[+] target sector: 10 key type: A -- found valid key [9B EC DF 3D 92 73 ]
[+] target sector: 10 key type: B -- found valid key [F8 49 34 07 79 9D ]
[+] target sector: 11 key type: A -- found valid key [08 B3 86 46 32 29 ]
[+] target sector: 11 key type: B -- found valid key [5E FB AE CE F4 6B ]
[+] target sector: 12 key type: A -- found valid key [CD 4C 61 C2 6E 3D ]
[+] target sector: 12 key type: B -- found valid key [31 C7 61 0D E3 B0 ]
[+] target sector: 13 key type: A -- found valid key [A8 26 07 B0 1C 0D ]
[+] target sector: 13 key type: B -- found valid key [29 10 98 9B 68 80 ]
[+] target sector: 14 key type: A -- found valid key [0E 8F 64 34 0B A4 ]
[+] target sector: 14 key type: B -- found valid key [4A CE C1 20 5D 75 ]
[+] target sector: 15 key type: A -- found valid key [2A A0 5E D1 85 6F ]
[+] target sector: 15 key type: B -- found valid key [EA AC 88 E5 DC 99 ]
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | a0a1a2a3a4a5 | D | fbf225dc5d58 | D |
[+] | 001 | a82607b01c0d | D | 2910989b6880 | D |
[+] | 002 | 2aa05ed1856f | D | eaac88e5dc99 | D |
[+] | 003 | 2aa05ed1856f | D | eaac88e5dc99 | D |
[+] | 004 | 73068f118c13 | D | 2b7f3253fac5 | D |
[+] | 005 | fbc2793d540b | D | d3a297dc2698 | D |
[+] | 006 | 2aa05ed1856f | D | eaac88e5dc99 | D |
[+] | 007 | ae3d65a3dad4 | D | 0f1c63013dba | D |
[+] | 008 | a73f5dc1d333 | D | e35173494a81 | D |
[+] | 009 | 69a32f1c2f19 | D | 6b8bd9860763 | D |
[+] | 010 | 9becdf3d9273 | D | f8493407799d | D |
[+] | 011 | 08b386463229 | D | 5efbaecef46b | D |
[+] | 012 | cd4c61c26e3d | D | 31c7610de3b0 | D |
[+] | 013 | a82607b01c0d | D | 2910989b6880 | D |
[+] | 014 | 0e8f64340ba4 | D | 4acec1205d75 | D |
[+] | 015 | 2aa05ed1856f | D | eaac88e5dc99 | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-041219C3219318-key.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-041219C3219318-dump.bin
[+] saved 64 blocks to text file hf-mf-041219C3219318-dump.eml
[+] saved to json file hf-mf-041219C3219318-dump.json
[=] autopwn execution time: 6 seconds
My data is NOT wiped with this command.
Maybe we miss some commands in "hf 14a sniff"? I have tried many times, but got only this one.
P.S. The Set UID button's run time is longer than one command's "time" (I have tried to simulate a gen3 card with the Proxmark and got an error after this first "90f0cccc..." command, but it was much faster than the real whole-card wipe).
So my assumption is that "hf 14a sniff" missed some commands in the log; can this happen?
I think that PCSC is sending some "backdoor" commands to deal with block data, but we are missing them in the sniff log.
Last edited by Monster1024 (2020-06-07 15:09:42)
Not really missing anything in your sniff. The timestamps look good.
One thing that is different is that when the software is sending a command, it uses REQA instead of WUPA.
Another is that your UID changing command tries to set 04 12 19 c3 21 93 18, but the anticollision afterwards keeps on saying the old UID:
04 12 19 c3 21 93 17....
And you would need to modify the pm3 simulation code in order to properly simulate a gen3 card.
15427472 | 15428528 | Rdr |26 | | REQA
15503376 | 15504432 | Rdr |26 | | REQA
15505620 | 15507988 | Tag |42 00 | |
15516688 | 15519152 | Rdr |93 20 | | ANTICOLL
15520340 | 15526164 | Tag |88 04 12 19 87 | |
15547392 | 15557856 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
15559108 | 15562628 | Tag |1c 13 8b | |
15571824 | 15574288 | Rdr |95 20 | | ANTICOLL-2
15575492 | 15581316 | Tag |c3 21 93 17 66 | |
15602672 | 15613136 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
15614388 | 15617972 | Tag |18 37 cd | |
15895520 | 15922112 | Rdr |90 f0 cc cc 10 04 12 19 c3 21 93 18 98 42 00 e3 20 00 | |
| | |00 00 00 7b 90 | ok |
16096164 | 16100900 | Tag |90 00 fd 07 | |
39146448 | 39147440 | Rdr |52 | | WUPA
39222480 | 39223472 | Rdr |52 | | WUPA
39224724 | 39227092 | Tag |42 00 | |
39240384 | 39250848 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
39252116 | 39255636 | Tag |1c 13 8b | |
39268544 | 39274400 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
39275652 | 39278020 | Tag |17 66 | |
39294768 | 39305232 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
39306484 | 39310068 | Tag |18 37 cd
Anyway, happy hunting!
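The check iceman makes by eye above (the write asks for a UID ending in 18, the anticollision that follows still announces the one ending in 17) can be run mechanically over the posted trace. This is an added example, not code from the thread or the Proxmark3 project; it assumes the conventional 7-byte-UID block-0 layout (UID, SAK, ATQA, manufacturer data) when decoding the payload of the 90 F0 CC CC write, and the sample trace is constructed from the frames quoted in the thread.

```python
"""Decode the reader frames of a Proxmark3 `hf list` ISO14443-A trace (added example, not
code from the thread or the Proxmark3 project). It joins continuation rows, checks BCC and
CRC-A, rebuilds the 7-byte UID from the two cascade-level SELECTs and decodes the gen3 write."""
import re

MAGIC_GEN3_HDR = bytes.fromhex("90f0cccc10")   # header of the sniffed write; Lc = 0x10 = 16 bytes

def crc_a(data: bytes) -> bytes:
    """CRC-A of ISO/IEC 14443-3 (poly 0x8408, init 0x6363), transmitted LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def parse_trace(text: str) -> list:
    """[(src, frame)] from an `hf list` table; a row with an empty Start column is the
    continuation of the previous frame (Proxmark wraps long frames) and is appended to it."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 5 or not re.fullmatch(r"[0-9a-f ]+", cols[3]):
            continue                                   # header, ruler or prose line
        data = bytes.fromhex(cols[3])
        if cols[0] == "" and frames:
            src, prev = frames[-1]
            frames[-1] = (src, prev + data)
        else:
            frames.append((cols[2], data))
    return frames

def decode_reader_frame(frame: bytes) -> dict:
    """Classify one reader->card frame and run the integrity checks that apply to it."""
    if len(frame) == 1:
        return {"kind": {0x26: "REQA", 0x52: "WUPA"}.get(frame[0], "UNKNOWN")}
    if frame[0] in (0x93, 0x95):                           # SEL for cascade level 1 / 2
        level = 1 if frame[0] == 0x93 else 2
        if frame[1] == 0x70 and len(frame) == 9:           # NVB 0x70: SELECT = 4 bytes + BCC + CRC
            uid4, bcc = frame[2:6], frame[6]
            return {"kind": f"SELECT-CL{level}", "uid4": uid4,
                    "cascade_tag": level == 1 and uid4[0] == 0x88,
                    "bcc_ok": (uid4[0] ^ uid4[1] ^ uid4[2] ^ uid4[3]) == bcc,
                    "crc_ok": crc_a(frame[:-2]) == frame[-2:]}
        return {"kind": f"ANTICOLL-CL{level}", "nvb": frame[1]}   # NVB 0x20 = full, else partial
    if frame.startswith(MAGIC_GEN3_HDR) and len(frame) == 5 + 16 + 2:
        block0 = frame[5:21]
        # Layout assumed for a 7-byte-UID MIFARE Classic block 0: UID0..6, SAK, ATQA, vendor data.
        return {"kind": "GEN3-WRITE-BLOCK0", "new_uid": block0[:7], "sak_byte": block0[7],
                "atqa": block0[8:10], "crc_ok": crc_a(frame[:-2]) == frame[-2:]}
    return {"kind": "UNKNOWN"}

def analyse(text: str) -> dict:
    """UID announced before the gen3 write, UID the write requested, UID announced after it."""
    requested, announced, cl1, integrity_ok = None, {"before": None, "after": None}, None, True
    for src, frame in parse_trace(text):
        if src != "Rdr":
            continue
        d = decode_reader_frame(frame)
        integrity_ok = integrity_ok and d.get("bcc_ok", True) and d.get("crc_ok", True)
        if d["kind"] == "GEN3-WRITE-BLOCK0":
            requested = d["new_uid"]
        elif d["kind"] == "SELECT-CL1" and d["cascade_tag"]:
            cl1 = d["uid4"][1:]                            # 3 UID bytes follow the 0x88 cascade tag
        elif d["kind"] == "SELECT-CL2" and cl1 is not None:
            phase = "before" if requested is None else "after"
            announced[phase] = announced[phase] or cl1 + d["uid4"]   # keep the first one seen
    hx = lambda b: b.hex() if b else None
    return {"uid_before": hx(announced["before"]), "uid_requested": hx(requested),
            "uid_after": hx(announced["after"]), "integrity_ok": integrity_ok,
            "applied": announced["after"] is not None and announced["after"] == requested}

# Constructed sample: the frames around the sniffed write, taken from the thread's hf list output.
TRACE = """\
15547392 | 15557856 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
15602672 | 15613136 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
15614388 | 15617972 | Tag |18 37 cd | |
15895520 | 15922112 | Rdr |90 f0 cc cc 10 04 12 19 c3 21 93 18 98 42 00 e3 20 00 | |
 | | |00 00 00 7b 90 | ok |
16096164 | 16100900 | Tag |90 00 fd 07 | |
39146448 | 39147440 | Rdr |52 | | WUPA
39240384 | 39250848 | Rdr |93 70 88 04 12 19 87 16 f9 | ok | SELECT_UID
39268544 | 39274400 | Rdr |95 50 c3 21 93 | | ANTICOLL-2
39294768 | 39305232 | Rdr |95 70 c3 21 93 17 66 b6 fc | ok | SELECT_UID-2
"""
```

Running `analyse(TRACE)` reports uid_before and uid_after both 041219c3219317 against a requested 041219c3219318, with every BCC and CRC-A intact, which is exactly the mismatch iceman points out.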
Yep, you are correct. I have installed a USB analyser and sniffed the USB communication to the ACR122U; it is really only one command that does all the magic (90 f0 cc cc).
Also, I wrote a simple C# app that sends only this command to the ACR122U, and the card is wiped.
But I can't replay it with the Proxmark.
I have changed WUPA to REQA in the select sequence, but it didn't help.
[usb] pm3 --> hf 14a raw -s -c -t 2000 90f0cccc10041219c3219318984200e32000000000
Card selected. UID[7]:
06 12 19 C3 21 93 18
received 4 bytes
90 00 FD 07
[usb] pm3 --> hf list
[+] Recorded activity (trace len = 211 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 1056 | Rdr |26 | | REQA
2116 | 4484 | Tag |42 00 | |
7040 | 8096 | Rdr |26 | | REQA
14080 | 15136 | Rdr |26 | | REQA
16196 | 18564 | Tag |42 00 | |
21120 | 23584 | Rdr |93 20 | | ANTICOLL
24644 | 30532 | Tag |88 06 12 19 85 | |
33280 | 43808 | Rdr |93 70 88 06 12 19 85 72 e3 | ok | SELECT_UID
44868 | 48388 | Tag |1c 13 8b | |
49792 | 52256 | Rdr |95 20 | | ANTICOLL-2
53316 | 59140 | Tag |c3 21 93 18 69 | |
61952 | 72416 | Rdr |95 70 c3 21 93 18 69 89 87 | ok | SELECT_UID-2
73540 | 77124 | Tag |18 37 cd | |
89728 | 116320 | Rdr |90 f0 cc cc 10 04 12 19 c3 21 93 18 98 42 00 e3 20 00 | |
| | |00 00 00 7b 90 | ok |
289988 | 294724 | Tag |90 00 fd 07 | |
Last edited by Monster1024 (2020-06-07 19:40:12)