I finally took the plunge and got a Proxmark3 rdv2.
Ive been trying to clone my bus pass, I keep losing the damn think and it's driving me insane. Especially because I get charged every time for a new on...
14b info works
I managed to sniff transaction between my phone and the card.
But I can't dump it, I get " Failed to select 2 | 20.
Could someone point me in the right direction please?
I was able to sniff the between the card and my phone (phone is used to add look at current balance and add credit)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 14 | Tag |a3 e9 67 | ok |
77798 | 77811 | Tag |c2 66 15 | ok |
646741 | 646755 | Tag |00 01 00 03 fe | ok |
933581 | 933594 | Tag |03 | |
978399 | 978407 | Rdr |03 94 b2 07 4c 1d ba 18 | ok | ?
982495 | 982509 | Tag |03 00 00 00 00 | ok |
1026913 | 1026921 | Rdr |03 94 b2 01 ec 1d 9c 61 | ok | ?
1104322 | 1104335 | Tag |02 | |
1208812 | 1208826 | Tag |c2 66 15 | ok |
3188707 | 3188721 | Tag |50 79 6c | ok |
3204217 | 3204224 | Rdr |05 | | WUPB
3232176 | 3232189 | Rdr |b2 e1 66 | ok | ?
3310007 | 3310019 | Rdr |05 00 00 71 ff | ok | REQB
11011265 | 11011272 | Rdr |05 00 00 71 ff | ok | REQB
11029875 | 11029887 | Rdr |05 00 08 39 73 | ok | WUPB
11045196 | 11045210 | Tag |00 78 f0 | ok |
11059768 | 11059782 | Tag |a3 e9 67 | ok |
11084122 | 11084129 | Rdr |03 00 a4 04 00 07 d2 76 | ok | ?
12188519 | 12188526 | Rdr |05 00 00 71 ff | ok | REQB
12687089 | 12687097 | Rdr |b2 e1 66 | ok | ?
12758660 | 12758673 | Tag |c2 66 15 | ok |
13431515 | 13431528 | Tag |02 | |
13626853 | 13626865 | Rdr |02 94 b2 06 4c 1d 4d 46 | ok | ?
13650841 | 13650853 | Rdr |03 94 b2 07 4c 1d ba | ok | ?
13911757 | 13911771 | Tag |c2 66 15 | ok |
15960967 | 15960980 | Tag |a3 e9 67 | ok |
31642442 | 31642454 | Rdr |05 00 f8 | ok | WUPB
31660449 | 31660457 | Rdr |05 | | WUPB
31689507 | 31689519 | Rdr |b2 e1 66 | ok | ?
31711332 | 31711346 | Tag |02 6a 82 4b 4c | ok |
31769553 | 31769560 | Rdr |05 00 00 71 ff | ok | REQB
31777642 | 31777656 | Tag |50 79 6c c0 2a 00 dd a6 11 f7 71 85 a9 47 | ok |
32853758 | 32853770 | Rdr |05 00 00 71 ff | ok | REQB
34253730 | 34253742 | Rdr |b2 e1 66 | ok | ?
34322446 | 34322459 | Rdr |c2 | | ?
34325101 | 34325114 | Tag |c2 66 15 | ok |
34821990 | 34822003 | Tag |03 6f 22 84 | ok |
34873687 | 34873700 | Tag |00 01 f0 | ok |
35186187 | 35186200 | Tag |02 | |
35283933 | 35283947 | Tag |02 00 00 | ok |
35329129 | 35329136 | Rdr |02 94 b2 04 ec 1d 8a | ok | ?
35333248 | 35333262 | Tag |02 00 00 | ok |
35437140 | 35437154 | Tag |c2 66 15 | ok |
35502786 | 35502800 | Tag |50 79 | |
37464827 | 37464839 | Rdr |05 00 00 71 ff | ok | REQB
37509614 | 37509621 | Rdr |b2 e1 66 | ok | ?
37521175 | 37521187 | Rdr |02 00 a4 04 00 07 d2 76 | ok | ?
37587050 | 37587062 | Rdr |00 71 ff | ok | ?
45621183 | 45621197 | Tag |a3 e9 67 | ok |
46624692 | 46624706 | Tag |a3 e9 67 | ok |
46705382 | 46705390 | Rdr |ff | | ?
46741105 | 46741119 | Tag |00 78 f0 | ok |
47398516 | 47398529 | Tag |02 | |
47618420 | 47618434 | Tag |03 | |
47642425 | 47642438 | Tag |02 00 00 | ok |
47837101 | 47837109 | Rdr |c2 | | ?
47839822 | 47839836 | Tag |c2 66 15 | ok |
49913402 | 49913416 | Tag |50 79 6c | ok |
49938875 | 49938883 | Rdr |b2 e1 66 | ok | ?
51104775 | 51104787 | Rdr |05 00 00 71 ff | ok | REQB
51106556 | 51106570 | Tag |50 79 | |
59034630 | 59034643 | Tag |00 78 f0 | ok |
59045735 | 59045749 | Tag |a3 e9 67 | ok |
59113455 | 59113467 | Rdr |c2 66 15 | ok | ?
59703873 | 59703881 | Rdr |02 94 b2 01 3c 1d 8c 3a | ok | ?
59727115 | 59727123 | Rdr |03 94 b2 01 cc 1d af 42 | ok | ?
59776454 | 59776466 | Rdr |03 94 b2 01 44 1d a3 | ok | ?
60071680 | 60071693 | Rdr |03 94 b2 07 4c 1d ba 18 | ok | ?
60082421 | 60082434 | Tag |03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 90 00 8b 4d | ok |
60095100 | 60095108 | Rdr |02 94 b2 08 4c 1d 56 56 | ok | ?
60120313 | 60120321 | Rdr |03 94 b2 01 ec 1d 9c 61 | ok | ?
60131234 | 60131248 | Tag |03 00 a2 23 5b dc 0d e2 b7 b8 1b c4 ee ee ee ee 6c ae | |
| | |a0 01 c4 6c 81 53 32 0a 80 93 82 00 90 00 90 40 | ok |
60144151 | 60144158 | Rdr |02 94 b2 02 ec 1d d3 8a | ok | ?
60169711 | 60169718 | Rdr |03 94 b2 03 ec 1d 24 d4 | ok | ?
60194330 | 60194338 | Rdr |02 94 b2 04 ec 1d 0a 5c | ok | ?
60301755 | 60301768 | Rdr |c2 66 15 | ok | ?
60368895 | 60368903 | Rdr |05 00 00 71 ff | ok | REQB
62367578 | 62367586 | Rdr |b2 e1 66 | ok | ?
62379461 | 62379469 | Rdr |02 00 a4 04 00 07 d2 76 | ok | ?
62394043 | 62394055 | Rdr |03 00 a4 04 | ok | ?
62445175 | 62445187 | Rdr |05 00 00 71 ff | ok | REQB
71590126 | 71590139 | Tag |00 78 f0 | ok |
71712839 | 71712852 | Rdr |00 08 01 00 94 86 | ok | ?
72223573 | 72223585 | Rdr |03 94 b2 01 cc 1d af | ok | ?
72252731 | 72252744 | Tag |02 1d a6 3a | ok |
72362446 | 72362460 | Tag |00 00 00 00 00 00 00 00 00 00 00 90 00 bb ce | ok |
72375166 | 72375179 | Rdr |03 94 b2 05 44 1d c2 63 | ok | ?
72386077 | 72386091 | Tag |03 00 a2 23 58 51 8f 22 b0 a3 1e 4d ee ee ee ee 6c 98 | |
| | |40 02 c3 ee 81 52 08 00 00 00 00 00 90 00 d3 42 | ok |
72397924 | 72397931 | Rdr |02 94 b2 06 44 1d 8d 88 | ok | ?
72548029 | 72548042 | Tag |02 00 00 44 | ok |
72598996 | 72599009 | Tag |02 1d 56 56 | ok |
72617476 | 72617488 | Rdr |03 94 b2 01 ec 1d 9c | ok | ?
72649328 | 72649335 | Rdr |ff ff | | ?
72797948 | 72797956 | Rdr |c2 66 15 | ok | ?
74925471 | 74925485 | Tag |a3 e9 67 | ok |
[+] [LEN 14] 50 79 6C C0 2A 00 DD A6 11 F7 71 85 [A9 47] OK
It responded the above with raw 05 00 08 39 73.
I'm a bit lost now.
]]>But my usb communication between device and client over a vmware client is so slow that it drops some packages. Thats why the "<< no answer" rows from executing the script.
Someone up for starting mapping data?
Sorry for bumping this. Are there any news on the matter? Were you able to read the data fully?
]]>This was totally a normal thing for these to not be expected to work when we had the B' only tags. It has gotten better with month and then new reader, big, slow, are making what I expect to be at least an homage of how bad it was.
Maybe that is a new form of security, which may be even more
]]>You could try to use the iclass snoop function in the recent proxmark firmware.
It uses the same modulation and encoding, although the protocol/crc is different, in principle it should be possible to capture (raw) frames.You could try to use the iclass snoop function in the recent proxmark firmware.
It uses the same modulation and encoding, although the protocol/crc is different, in principle it should be possible to capture (raw) frames.
iclass snoop can be used to snoop ISO15693 protocol, not ISO14443AorB; to snoop ISO14443AorB there is a specific command.
If the protocol is ISO14443B' (as Calypso can be B') no snooping method will be correct because ISO14443B' is not a free-documented protocol (no datasheets available until now).
]]>Does anyone still work on this kind of tag, Calypso ?
]]>is the number "2454053860" written somewhere on your card? If yes, you have part of your response
You know what ... that is the serial number of the card actually, it's written on the back. Thanks for that. I guess I have to start looking at those proprietary Calypso functions now.
Any idea why hi14snoop might have failed? If I can get a trace of the reader-card communication that would help a lot.
]]>