Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
#1 2024-04-08 09:30:04
- RationallyDense
- Contributor
- Registered: 2022-07-31
- Posts: 3
Mifare Classic 1k simulation failing on some readers
I'm trying to clone a Mifare Classic 1k card. (UID redacted)
[usb] pm3 --> hf search
? Searching for ISO14443-A tag...
[+] UID: XX XX XX XX
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[#] Card didn't answer to select
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 51BF8DC5F43F8952104798D187872EDD445E37548330702E335F93DCEE2E0623
[+] Signature verification: successfulI used hf mf autopwn to get the keys.
I have 3 types of readers in my building. The proxmark simulation works just fine on 2 of them. On the third, nothing. I have a trace of the attempted simulation: (UID redacted)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 1056 | Rdr |26(7) | | REQA
2100 | 4468 | Tag |04 00 | |
4298054 | 4299110 | Rdr |26(7) | | REQA
4300154 | 4302522 | Tag |04 00 | |
4323718 | 4326182 | Rdr |93 20 | | ANTICOLL
4327290 | 4333114 | Tag |XX XX XX XX c9 | |
4352460 | 4362924 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
4364032 | 4367552 | Tag |08 b6 dd | |
8610048 | 8611104 | Rdr |26(7) | | REQA
8612148 | 8614516 | Tag |04 00 | |
8635776 | 8638240 | Rdr |93 20 | | ANTICOLL
8639284 | 8645108 | Tag |XX XX XX XX c9 | |
8664502 | 8674966 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
8676074 | 8679594 | Tag |08 b6 dd | |
12908488 | 12909544 | Rdr |26(7) | | REQA
12910588 | 12912956 | Tag |04 00 | |
12934216 | 12936680 | Rdr |93 20 | | ANTICOLL
12937724 | 12943548 | Tag |XX XX XX XX c9 | |
12962928 | 12973392 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
12974500 | 12978020 | Tag |08 b6 dd | |
17207844 | 17208900 | Rdr |26(7) | | REQA
17209944 | 17212312 | Tag |04 00 | |
163465892 | 163466948 | Rdr |26(7) | | REQA
163467992 | 163470360 | Tag |04 00 | |
163491620 | 163494084 | Rdr |93 20 | | ANTICOLL
163495128 | 163500952 | Tag |XX XX XX XX c9 | |
163518224 | 163528688 | Rdr |93 70 0f 00 00 00 0f 97 4b | ok | SELECT_UID
249801926 | 249802982 | Rdr |26(7) | | REQA
249804026 | 249806394 | Tag |04 00 | |
249827654 | 249830118 | Rdr |93 20 | | ANTICOLL
249831162 | 249836986 | Tag |XX XX XX XX c9 | |
249856366 | 249866830 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
249867938 | 249871458 | Tag |08 b6 dd | | Any idea what might be the problem?
Offline
#2 2024-04-09 10:37:41
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: Mifare Classic 1k simulation failing on some readers
add the frame time difference and see if it is the readers act different.
hf mf list -fOffline
#3 2024-04-09 19:16:19
- RationallyDense
- Contributor
- Registered: 2022-07-31
- Posts: 3
Re: Mifare Classic 1k simulation failing on some readers
The readers do react differently. There is some encrypted communication that happens on the readers that work fine:
[offline] pm3 --> trace list -1 -t mf -f
[+] Recorded activity (trace len = 415 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 1056 | Rdr |26(7) | | REQA
1056 | 2100 | |fdt (Frame Delay Time): 1044
2100 | 4468 | Tag |04 00 | |
4298054 | 4299110 | Rdr |26(7) | | REQA
4299110 | 4300154 | |fdt (Frame Delay Time): 1044
4300154 | 4302522 | Tag |04 00 | |
4323718 | 4326182 | Rdr |93 20 | | ANTICOLL
4326182 | 4327290 | |fdt (Frame Delay Time): 1108
4327290 | 4333114 | Tag |XX XX XX XX c9 | |
4352460 | 4362924 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
4362924 | 4364032 | |fdt (Frame Delay Time): 1108
4364032 | 4367552 | Tag |08 b6 dd | |
8610048 | 8611104 | Rdr |26(7) | | REQA
8611104 | 8612148 | |fdt (Frame Delay Time): 1044
8612148 | 8614516 | Tag |04 00 | |
8635776 | 8638240 | Rdr |93 20 | | ANTICOLL
8638240 | 8639284 | |fdt (Frame Delay Time): 1044
8639284 | 8645108 | Tag |XX XX XX XX c9 | |
8664502 | 8674966 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
8674966 | 8676074 | |fdt (Frame Delay Time): 1108
8676074 | 8679594 | Tag |08 b6 dd | |
12908488 | 12909544 | Rdr |26(7) | | REQA
12909544 | 12910588 | |fdt (Frame Delay Time): 1044
12910588 | 12912956 | Tag |04 00 | |
12934216 | 12936680 | Rdr |93 20 | | ANTICOLL
12936680 | 12937724 | |fdt (Frame Delay Time): 1044
12937724 | 12943548 | Tag |XX XX XX XX c9 | |
12962928 | 12973392 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
12973392 | 12974500 | |fdt (Frame Delay Time): 1108
12974500 | 12978020 | Tag |08 b6 dd | |
17207844 | 17208900 | Rdr |26(7) | | REQA
17208900 | 17209944 | |fdt (Frame Delay Time): 1044
17209944 | 17212312 | Tag |04 00 | |
163465892 | 163466948 | Rdr |26(7) | | REQA
163466948 | 163467992 | |fdt (Frame Delay Time): 1044
163467992 | 163470360 | Tag |04 00 | |
163491620 | 163494084 | Rdr |93 20 | | ANTICOLL
163494084 | 163495128 | |fdt (Frame Delay Time): 1044
163495128 | 163500952 | Tag |XX XX XX XX c9 | |
163518224 | 163528688 | Rdr |93 70 0f 00 00 00 0f 97 4b | ok | SELECT_UID
249801926 | 249802982 | Rdr |26(7) | | REQA
249802982 | 249804026 | |fdt (Frame Delay Time): 1044
249804026 | 249806394 | Tag |04 00 | |
249827654 | 249830118 | Rdr |93 20 | | ANTICOLL
249830118 | 249831162 | |fdt (Frame Delay Time): 1044
249831162 | 249836986 | Tag |XX XX XX XX c9 | |
249856366 | 249866830 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
249866830 | 249867938 | |fdt (Frame Delay Time): 1108
249867938 | 249871458 | Tag |08 b6 dd | | This is the reader where the simulation doesn't work:
[usb] pm3 --> trace list -t mf -f
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 800 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 1056 | Rdr |26(7) | | REQA
1056 | 2100 | |fdt (Frame Delay Time): 1044
2100 | 4468 | Tag |04 00 | |
18948 | 21412 | Rdr |93 20 | | ANTICOLL
21412 | 22456 | |fdt (Frame Delay Time): 1044
22456 | 28280 | Tag |XX XX XX XX c9 | |
40488 | 50952 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
50952 | 52060 | |fdt (Frame Delay Time): 1108
52060 | 55580 | Tag |08 b6 dd | |
301276 | 302332 | Rdr |26(7) | | REQA
302332 | 303376 | |fdt (Frame Delay Time): 1044
303376 | 305744 | Tag |04 00 | |
320258 | 322722 | Rdr |93 20 | | ANTICOLL
322722 | 323766 | |fdt (Frame Delay Time): 1044
323766 | 329590 | Tag |XX XX XX XX c9 | |
341710 | 352174 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
352174 | 353282 | |fdt (Frame Delay Time): 1108
353282 | 356802 | Tag |08 b6 dd | |
375750 | 380454 | Rdr |e0 50 bc a5 | ok | RATS
380454 | 381882 | |fdt (Frame Delay Time): 1428
381882 | 382522 | Tag |04(4) | |
569436 | 570492 | Rdr |26(7) | | REQA
570492 | 571536 | |fdt (Frame Delay Time): 1044
571536 | 573904 | Tag |04 00 | |
588416 | 590880 | Rdr |93 20 | | ANTICOLL
590880 | 591924 | |fdt (Frame Delay Time): 1044
591924 | 597748 | Tag |XX XX XX XX c9 | |
609868 | 620332 | Rdr |93 70 XX XX XX XX c9 ba 84 | ok | SELECT_UID
620332 | 621440 | |fdt (Frame Delay Time): 1108
621440 | 624960 | Tag |08 b6 dd | |
1433842 | 1438610 | Rdr |60 08 bd f7 | ok | AUTH-A(8)
1438610 | 1443366 | |fdt (Frame Delay Time): 4756
1443366 | 1448102 | Tag |62 6d fd 70 | | AUTH: nt
1449620 | 1458996 | Rdr |fa 44 a2 4c! 2f 0c! b3! c8 | | AUTH: nr ar (enc)
1458996 | 1467720 | |fdt (Frame Delay Time): 8724
1467720 | 1472392 | Tag |13! fb 9a 8a! | | AUTH: at (enc)
1653574 | 1658278 | Rdr |19! d8! 98 e6! | |
| | * | key D03A13EEE4CF prng WEAK | |
| | * |30 08 4A 24 | ok | READBLOCK(8)
1658278 | 1674170 | |fdt (Frame Delay Time): 15892
1674170 | 1694970 | Tag |4f! 6d! d2! 85! 59! 61 a6 0c! c4! 1d 76! d5! a8 b4 50 6d! c0! 0f | |
| | * |27 63 1C 0B 02 47 A7 57 40 38 33 9B 21 99 02 A2 2D EE | ok |
1894056 | 1898824 | Rdr |4f! ab! 2a! 90! | |
| | * |61 04 09 24 | ok | AUTH-B(4)
1898824 | 1905628 | |fdt (Frame Delay Time): 6804
1905628 | 1910300 | Tag |a0! c9! 8f 60 | | AUTH: nt (enc)
1911848 | 1921160 | Rdr |75! 9b ea! f5! 74 b5! ba! 8c! | | AUTH: nr ar (enc)
1921160 | 1930076 | |fdt (Frame Delay Time): 8916
1930076 | 1934748 | Tag |22 95 a1! 24 | | AUTH: at (enc)
2113684 | 2118452 | Rdr |b5 1f! 11! 6a! | |
Nested authentication detected.
tools/mf_nonce_brute/mf_nonce_brute 444b26e0 a0c98f60 1100 759beaf5 74b5ba8c 0111 2295a124 0010 B51F116A
2118452 | 2134216 | |fdt (Frame Delay Time): 15764
2134216 | 2155016 | Tag |83 d8! a0! fb! 82! 15! 1c db! 69 2e 32 49! 46! 30 c8! 68! 34! da! | |
2170866 | 2175570 | Rdr |74 1e 95! 5a | |
2175570 | 2191654 | |fdt (Frame Delay Time): 16084
2191654 | 2212518 | Tag |46! 11! d6! 34 35! 9f! 5f! 67 ad 95! 11! e1 04! a8 e5! 66 58 d9 | |
2227148 | 2231852 | Rdr |71! 64! 3b 0e! | |
2231852 | 2247808 | |fdt (Frame Delay Time): 15956
2247808 | 2268672 | Tag |ac f6 70! ec 71! b1! f7! f2 37! 3a 1c! 72! 4b dd! 5b! 43! 50! 89 | |
2283434 | 2288138 | Rdr |d3! 3c! 55 cc | |
2288138 | 2304094 | |fdt (Frame Delay Time): 15956
2304094 | 2324958 | Tag |87 25 23! 62 76! 53 f4 e1 72! d9! e8! 3b! 10 58! d5! 18! 4a! 84! | |
2339662 | 2344366 | Rdr |2e 29 97 b9! | |
2344366 | 2360706 | |fdt (Frame Delay Time): 16340
2360706 | 2381570 | Tag |6f! 2b! b5! a8 f5! 8b 76 2c! ca! 07 35 80! 74! 31 19! 56 9e fd | |
2754800 | 2759568 | Rdr |99 d2! ab! d7! | |
2759568 | 2766372 | |fdt (Frame Delay Time): 6804
2766372 | 2771108 | Tag |9b 9b 51! d7! | |
2772594 | 2781970 | Rdr |c1! 7f 34 e7! 1d 9f! c1 8d! | |
2781970 | 2790694 | |fdt (Frame Delay Time): 8724
2790694 | 2795366 | Tag |61 96 bd c4! | |
2974414 | 2979118 | Rdr |0d! ec! a9! 18 | |
2979118 | 2995074 | |fdt (Frame Delay Time): 15956
2995074 | 3015938 | Tag |8d e1 1c a9! c2! 02! f1 11! 4e! 1a 35 b7 c6! 04 9f c3 f4 0b | |
3031592 | 3036360 | Rdr |31! 25! 65 05! | |
3036360 | 3052252 | |fdt (Frame Delay Time): 15892
3052252 | 3073116 | Tag |d5! f2! 4a! 19! ea! f3 a9! e7 7e! 70 77! b2! 9b! 41! 3c 03! c7 88! | |
3087858 | 3092562 | Rdr |fd f1! 28 1e | |
3092562 | 3108646 | |fdt (Frame Delay Time): 16084
3108646 | 3129510 | Tag |95! 3e! 5f! a4 d5! fd! a0 7e 7f 56 b8! 90! b9! a4 e4! c6 b4! 4c | | Offline