Research, development and trades concerning the powerful Proxmark3 device.
I'm doing some experiments with the code for pcf7931 reading, but I'm having some trouble.
I own a couple of PCF7931AS that are new, but I cannot find any document that gives me info on the default programming data.
I know that on some other PCFs (for example the pcf7936as) some part of the memory is written with default known data, but for the PCF7931AS I do not know if this is the case.
At the moment I'm only interested in reading the tag, as I'm using a Proxmark3 Easy, and I read on the forum that the default coil is not capable of writing (and I'm not capable of building a new coil), but reading seems possible.
Can someone here help by posting a full dump of a NEW pcf7931as?
Last edited by cberetta (2020-11-14 22:56:07)
I worked on my problem and I want to share my progress with you. Maybe it can be useful for someone.
As I wasn't able to read the PCF with the original code, I rewrote some parts of the code and I finally got all the blocks read. These are the blocks I read from a NEW pcf7931as:
[#] -----------------------------------------
[#] Blocks read, in transmitted order:
[#] 0: block could be a Block 0
[#] 1: block could be a Block 1
[#] -----------------------------------------
[#] [00] aa aa aa aa aa aa aa a9 aa aa aa aa aa aa aa aa ( )
[#] [01] 56 55 55 55 55 55 55 56 00 55 55 55 55 55 55 55 (0 )
[#] [02] aa a9 aa aa aa aa aa aa aa aa aa aa 00 00 56 a5 (0 1)
[#] [03] 55 55 56 55 55 55 55 55 55 56 55 55 55 55 55 55 ( )
[#] [04] aa aa aa a9 aa aa aa aa aa aa a9 aa aa aa aa aa (0 )
[#] [05] 55 55 55 55 56 55 55 55 55 55 55 56 55 55 55 55 ( )
[#] [06] aa aa aa aa aa a9 aa aa aa aa aa aa a9 aa aa aa (0 )
[#] [07] 55 55 55 55 55 55 56 55 55 55 55 55 55 55 55 55 ( )
All the blocks are read and kept in the correct order by the reading code I wrote, but I can only make a hypothesis about which is block 0 and which is block 1 (see the 0 and 1 on the right, between parentheses). Yes I know, in this particular case I can be sure which is block 0 and block 1, as I have only one block 1 that follows a block 0; I must improve the reading logic for this and then reorder.
Now I'm facing other reading problems:
1 - The PCF can be configured to send only some blocks; at the moment my code needs all 8 blocks to function.
2 - The PCF can send block 1 multiple times before the "data" block sequence; this can cause me some problems.
For the first problem I can use an old PCF I found in a drawer, which is configured to send only one block, but for the second problem I need to write to the PCF so I can configure it for testing. So it's time to add the 3rd problem: writing to the PCF with the Proxmark.
The game is becoming interesting.
Writing to the PCF7931AS is more difficult than I was thinking: to start writing I need to synchronize with the PCF and switch it into PROGRAM_MODE. Only after that can I start writing to the PCF. But to switch the PCF into PROGRAM_MODE I must send a specific sequence of pulses during the interval between two blocks. This is because when the PCF is placed in a field it immediately starts sending its blocks repeatedly.
Now my problem is: how can I synchronize with the PCF and then send the pulses? At this time it's only a programming problem: I need to understand how to read from the Proxmark and, at the right time, switch to write and modulate the antenna as needed.
Can anyone give me some help? Maybe there exist some other tags (read by the Proxmark) that work in this manner, from which I can get some "inspiration" (or better... from which I can copy some code). Can someone point me in a possible right direction?
pm3 is not the right tool for this chip^_^
I have this coffee machine that works with this chip. The normal version for the Proxmark3 Easy reads it every 3 tries and then spits out 2 blocks; with your modification it works just fine every time. The only problem for me is that I get 4 empty blocks with only 00s; this might be normal.
Still haven't found out how to write to it. In a couple of days I'm getting a blank PCF7931AS to try if anything changes.
The first time I tried to read, I had 1.40€ (00 8c) and charged it with 1€, so now it reads 2.40€ (00 f0):
[#] -----------------------------------------
[#] [00] 00 00 00 00 00 00 00 01 00 00 55 55 55 55 55 55 (0 )
[#] [01] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f ( 1)
[#] [02] 00 f0 00 8c df 02 00 00 00 00 00 00 11 ae e0 01 (0 )
[#] [03] 00 00 00 00 00 00 00 00 00 34 00 00 00 00 00 00 ( )
[#] [04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [05] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [06] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [07] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] -----------------------------------------
The second time I tried to read, I had 2€ (00 c8) and bought something for 0.30€, so now it reads 1.70€ (00 aa):
[#] -----------------------------------------
[#] [00] 00 00 00 00 00 00 00 01 00 00 55 55 55 55 55 55 (0 )
[#] [01] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f ( 1)
[#] [02] 00 aa 00 c8 df 02 00 00 00 00 00 00 11 ae e0 01 (0 )
[#] [03] 00 00 00 00 00 00 00 00 00 34 00 00 00 00 00 00 ( )
[#] [04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [05] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [06] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [07] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] -----------------------------------------
Last edited by Rafael44p (2022-02-19 18:36:23)
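Added example (not cberetta's reader code and not anything from the Proxmark3 repository): a small Python parser for the "[#] [NN] ..." dump lines that the modified reader prints. It takes the blocks in transmitted order, applies the rule cberetta describes (the unique "could be block 0" entry that is followed by a "could be block 1" entry) to rotate the list so that block 0 comes first, and then reads the two words of block 2 that change between Rafael44p's two readings. Both the block-0 selection rule and the balance layout (current balance in bytes 0-1, balance before the last transaction in bytes 2-3, big-endian) are inferred from the posts above only and are assumptions; the dumps embedded below are copied from this thread.

```python
import re

# Added example, not cberetta's reader code. Works on the printed dump text only,
# so it runs offline without a Proxmark.

# cberetta's dump of a NEW pcf7931as (reader flags: 01 could be block 0, 02 could be block 1)
DUMP_NEW_PCF = """\
[#] [00] aa aa aa aa aa aa aa a9 aa aa aa aa aa aa aa aa ( )
[#] [01] 56 55 55 55 55 55 55 56 00 55 55 55 55 55 55 55 (0 )
[#] [02] aa a9 aa aa aa aa aa aa aa aa aa aa 00 00 56 a5 (0 1)
[#] [03] 55 55 56 55 55 55 55 55 55 56 55 55 55 55 55 55 ( )
[#] [04] aa aa aa a9 aa aa aa aa aa aa a9 aa aa aa aa aa (0 )
[#] [05] 55 55 55 55 56 55 55 55 55 55 55 56 55 55 55 55 ( )
[#] [06] aa aa aa aa aa a9 aa aa aa aa aa aa a9 aa aa aa (0 )
[#] [07] 55 55 55 55 55 55 56 55 55 55 55 55 55 55 55 55 ( )
"""

# Rafael44p's coffee-machine tag: 1.40 EUR, then topped up with 1 EUR -> 2.40 EUR
DUMP_AFTER_TOPUP = """\
[#] [00] 00 00 00 00 00 00 00 01 00 00 55 55 55 55 55 55 (0 )
[#] [01] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f ( 1)
[#] [02] 00 f0 00 8c df 02 00 00 00 00 00 00 11 ae e0 01 (0 )
[#] [03] 00 00 00 00 00 00 00 00 00 34 00 00 00 00 00 00 ( )
[#] [04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [05] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [06] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [07] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
"""

# Same tag: 2.00 EUR, then a 0.30 EUR purchase -> 1.70 EUR
DUMP_AFTER_PURCHASE = """\
[#] [00] 00 00 00 00 00 00 00 01 00 00 55 55 55 55 55 55 (0 )
[#] [01] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f ( 1)
[#] [02] 00 aa 00 c8 df 02 00 00 00 00 00 00 11 ae e0 01 (0 )
[#] [03] 00 00 00 00 00 00 00 00 00 34 00 00 00 00 00 00 ( )
[#] [04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [05] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [06] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
[#] [07] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
"""

# One dump line: "[#] [NN] <16 hex bytes> (<flags>)"; separator/header lines do not match.
LINE_RE = re.compile(
    r"^\[#\] \[([0-9a-f]{2})\] ((?:[0-9a-f]{2} ){16})\(([^)]*)\)$", re.IGNORECASE
)


def parse_dump(text):
    """Return [(transmit_index, 16 data bytes, (could_be_block0, could_be_block1)), ...]
    in the order the reader printed them."""
    blocks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = m.group(3)
        blocks.append((int(m.group(1), 16), bytes.fromhex(m.group(2)),
                       ("0" in flags, "1" in flags)))
    return blocks


def find_block0(blocks):
    """Transmit index of the unique block that 'could be block 0' and is followed
    (cyclically) by a block that 'could be block 1'. Returns None when there is no
    such pair or more than one, which is the ambiguity cberetta says the reading
    logic still has to resolve (assumed rule)."""
    n = len(blocks)
    hits = [i for i in range(n)
            if blocks[i][2][0] and blocks[(i + 1) % n][2][1]]
    return hits[0] if len(hits) == 1 else None


def reorder(blocks):
    """Rotate the transmitted sequence so that block 0 comes first."""
    start = find_block0(blocks)
    if start is None:
        raise ValueError("cannot locate a unique block0/block1 pair")
    return blocks[start:] + blocks[:start]


def balance_words(blocks):
    """(current, previous) balance in euro cents. Layout is an assumption inferred
    from the two readings in the thread: block 2 bytes 0-1 hold the current balance
    and bytes 2-3 the balance before the last transaction, big-endian."""
    block2 = reorder(blocks)[2][1]
    return int.from_bytes(block2[0:2], "big"), int.from_bytes(block2[2:4], "big")


if __name__ == "__main__":
    print([b[0] for b in reorder(parse_dump(DUMP_NEW_PCF))])  # [1, 2, 3, 4, 5, 6, 7, 0]
    print(balance_words(parse_dump(DUMP_AFTER_TOPUP)))        # (240, 140)
    print(balance_words(parse_dump(DUMP_AFTER_PURCHASE)))     # (170, 200)
```

On the NEW-tag dump the rotation moves transmitted block 01 to the front, matching the "(0 )"/"(0 1)" markers; on the coffee-machine dumps the two words decode to 240/140 and 170/200 cents, exactly the 1.40€ → 2.40€ top-up and 2.00€ → 1.70€ purchase Rafael44p reports, which is a quick way to check that a reading came back aligned and complete before trusting it.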
Hi Rafael44p, your block 0 is protected by a pwd; it is activated by the 1 (00 00 00 00 00 00 00 [01] 00 00 55 55 55 55 55 55). The only solution is to be able to sniff the tag.
Have a good evening.
Regarding your blank transponder: it will be useless, even with a block 0 without pwd, to write your original data on it, because when you present the key in front of the machine it will not be detected. The only solution is to sniff with the original badge to get the 56-bit passwd out.
Good luck with the tests.
Last edited by fazer (2022-06-30 17:23:57)
Hello, I tried to sniff with my pm3 without success, because the key must be back in the reader. I'm going to go for a sniff setup with a germanium diode on a phone jack to record the sniff. Now, is it possible to connect the setup to the pm3 by disconnecting the LF antenna? Because otherwise I have to analyze it with the Audacity application, which I don't know.
Thanks, have a good day.
Hello, for me it's good: I managed to sniff the 56-bit pwd. This is the only way to be able to write in the blk -3.
Have a nice weekend.
Last edited by fazer (2022-08-27 17:09:15)