Sunday, October 29, 2017

Hello world! ok, here we are...starting with Mifare Desfire EV1 2k NFC cards, the most world secure cards, with 128bit AES encryption...so...how to decode t?

IDENTIFYING UNKNOWN TAGS WITH PROXMARK3

March 08, 2016
1. Connect your Proxmark3 to your computer.
2. Launch the Proxmark3 client. If you do not have the Proxmark3 client setup check out our Getting Started Guide.
3. Once connected to the client run the 'hw ver' command. You should see output similar to what is below. If the version is not v2.2 your steps and commands may differ from the ones below.
proxmark3> hw ver
Prox/RFID mark3 RFID instrument          
bootrom: master/v2.2 2015-07-31 11:28:11
os: master/v2.2 2015-07-31 11:28:12
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54
          
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 162219 bytes (31). Free: 362069 bytes (69).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory
4. Connect an HF or LF Antenna based upon whether you think the tag uses 13.56mhz or 125khz. Thicker / larger tags generally have larger antennas and use 125khz.
Here are some examples of HF tags: Mifare Ultralight, Mifare 1K, Mifare 4K, Mifare Desfire 4K and HID iClass 2000.
Here are some examples of LF Tags: T5577, HID 1326, EM4100.
5. Run the commands below based upon the Antenna you connected.

LOW FREQUENCY ANTENNA

Run command:
lf search u 
This command will detect HID 1326 and EM4100 tags. See examples below. It will not detect T5577 tags.
HID 1326
proxmark3> lf search u
Reading 30000 bytes from device memory
          
Data fetched          
WARNING: Command buffer about to overwrite command! This needs to be fixed!          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible          

Checking for known tags:
          
HID Prox TAG ID: 2004e2068a (837) - Format Len: 26bit - FC: 113 - Card: 837          

Valid HID Prox ID Found!
EM4100
lf search u
#db# DownloadFPGA(len: 42096)                 
Reading 30000 bytes from device memory
          
Data fetched          
WARNING: Command buffer about to overwrite command! This needs to be fixed!          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
EM410x pattern found:           

EM TAG ID      : 1C003B347B          
Unique TAG ID  : 3800DC2CDE          

Possible de-scramble patterns          
HoneyWell IdentKey {          
DEZ 8          : 03880059          
DEZ 10         : 0003880059          
DEZ 5.5        : 00059.13435          
DEZ 3.5A       : 028.13435          
DEZ 3.5B       : 000.13435          
DEZ 3.5C       : 059.13435          
DEZ 14/IK2     : 00120262964347          
DEZ 15/IK3     : 000240532597982          
DEZ 20/ZK      : 03080000131202121314          
}
Other          : 13435_059_03880059          
Pattern Paxton : 474968699 [0x1C4F727B]          
Pattern 1      : 6184748 [0x5E5F2C]          
Pattern Sebury : 13435 59 3880059  [0x347B 0x3B 0x3B347B]          

Valid EM410x ID Found!
T5577
proxmark3> lf search u
Reading 30000 bytes from device memory
          
Data fetched          
WARNING: Command buffer about to overwrite command! This needs to be fixed!          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          

No Known Tags Found!
          

Checking for Unknown tags:
          
Possible Auto Correlation of 96 repeating samples          

Using Clock:64, Invert:0, Bits Found:469          
ASK/Manchester - Clock: 64 - Decoded bitstream:          
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000011000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000110
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000001
1000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0110000000000000
0000000000000000
00000          

Unknown ASK Modulated and Manchester encoded Tag Found!

HIGH FREQUENCY ANTENNA

Run command:
hf search
This command detects Mifare UltralightMifare 1KMifare 4KMifare Desfire 4K, and HID iClass 2000. See Examples below.
MIFARE ULTRALIGHT
proxmark3> hf search
          
 UID : 04 ff 55 22 98 28 80           
ATQA : 00 44          
 SAK : 00 [2]          
TYPE : MIFARE Ultralight (MF0ICU1)           
MANUFACTURER : NXP Semiconductors Germany          
proprietary non iso14443-4 card found, RATS not supported          
Answers to chinese magic backdoor commands: NO          

Valid ISO14443A Tag Found - Quiting Search
MIFARE 1K
proxmark3> hf search
          
 UID : 6b ec 41 2a           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to chinese magic backdoor commands: NO          

Valid ISO14443A Tag Found - Quiting Search
MIFARE 4K
proxmark3> hf search
          
 UID : 04 11 3b 62 4d 3c 80           
ATQA : 03 44          
 SAK : 20 [1]          
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41          
MANUFACTURER : NXP Semiconductors Germany          
 ATS : 06 75 77 81 02 80 02 f0           
       -  TL : length is 6 bytes          
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)          
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]          
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)          
       - TC1 : NAD is NOT supported, CID is supported          
       -  HB : 80           
Answers to chinese magic backdoor commands: NO          

Valid ISO14443A Tag Found - Quiting Search
MIFARE DESFIRE 4K
proxmark3> hf search
          
 UID : 04 75 69 12 75 22 80           
ATQA : 03 44          
 SAK : 20 [1]          
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41          
MANUFACTURER : NXP Semiconductors Germany          
 ATS : 06 75 77 81 02 80 02 f0           
       -  TL : length is 6 bytes          
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)          
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]          
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)          
       - TC1 : NAD is NOT supported, CID is supported          
       -  HB : 80           
Answers to chinese magic backdoor commands: NO          

Valid ISO14443A Tag Found - Quiting Search
HID ICLASS 2000
proxmark3> hf search
          
CSN: 93 e3 a9 01 f8 ff 12 e0           
 Mode: Application [Locked]          
 Coding: ISO 14443-2 B/ISO 15693          
 Crypt: Secured page, keys not locked          
 RA: Read access not enabled          
 Mem: 2 KBits ( 32 * 8 bytes)          
 AA1: blocks 6-18          
 AA2: blocks 19-          

Valid iClass Tag (or PicoPass Tag) Found - Quiting Search
https://store.ryscc.com/blogs/news/92145857-identifying-unknown-tags-with-proxmark3

No comments:

Man in the Rain