Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-08-15 04:41:02

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Confused ! "Noob"

Followed instructions on setting up proxmark environment for Windows 7. The libusb-win32 drivers were properly installed per device manager for proxmark.
here's my confusion.. attempted to update flash for cdc interface, now if I hold down the button when connecting usb, a COM port is identified. The minute I release the button, it returns back to libusb-win32 in device manager. I can open the environment with "./client/proxmark3.exe COM3. run hw version and results are:
hw version: bootrom svn 756    os: svn 651    fpga image built on 2012/01/06

Please tell me what I'm doing wrong? What do I need to do to have this work properly? I would like the abilty to use the gui interface...

I appreciate all responses in advice ! Thanks !

Offline

#2 2015-08-15 18:08:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

which version are you trying to upgrade to?

Offline

#3 2015-08-15 18:14:21

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

I would like to update to the most current version or is there one you would recommend? I would like to use the gui interface..
Thanks

Offline

#4 2015-08-15 18:42:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

So, you downloaded the v2.2.0 from github (and compiled it?)
and when you flashed bootrom it worked?
and then you flashed fullimage ..

Yr bootrom says 756, which is old. So you need to start there,   flash the latest (w keeping the button pressed all time)
after that, u need to flash fullimage.elf...

then you should be good to go.

Offline

#5 2015-08-16 03:11:11

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

iceman,
I did the following: Description:   
* Make sure you also download and install:
  - YAGARTO GNU ARM toolchain (http://www.yagarto.de/)
  - Subversion for Windows (http://sourceforge.net/projects/win32svn/)
  - Perl for Windows (http://strawberryperl.com/)

* Place the "MinGW" directory in your "c:\" folder
* Start msys (C:\MinGW\msys\1.0\msys.bat)
* Browse to "c:\" by typing "cd /c"
* Execute "."
* Change to proxmark folder "cd /c/proxmark3"
* Compile the code by executing "make"
* Connect proxmark and install (c:\proxmark3\driver\proxmark3.inf)
* Look up new serial port COM* in device manager (could differ per usb port)
* Flash with "./client/flasher COM* ./armsrc/obj/osimage.elf"
or
* Flash with "./client/flasher COM* ./armsrc/obj/fullimage.elf" (if FPGA changed)

* Finally, start proxmark console with "./client/proxmark3 COM*"

results: bootrom: svn 756  2013-07-13
            os:         svn 852   2015-08-16
            fpga image built on 2014/03/21

I assume I was able to update the os and fpga but NOT the boot rom..

HOW? PLEASE & THANKS !

Offline

#6 2015-08-16 03:15:07

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

I tried a few things..  I was able to hf tune, hf 14a read..  any other commands it would start then 15 -20 seconds in it just stopped..

But I would like to start first with boot loader... then worry about anything else..  THANKS !

Offline

#7 2015-08-16 10:12:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

Still, you didn't answer my questions.
Your compiled source is very old,  you need to download the latest source from GitHub.
Then you must flash bootrom, which you didn't do in your description.
then flash the fullimage.

When you have done that, you can enjoy your device better.

Offline

#8 2015-08-16 13:17:19

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

which is the latest proper source to use?  Thanks.. "Iceman" !

Offline

#9 2015-08-16 15:23:57

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

Iceman,

THANKS ! Exactly what you advised worked ! I appreciate the knowledge shared here by everyone !  big_smile

Offline

#10 2015-08-16 16:11:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

Good.

Offline

#11 2015-08-17 01:56:17

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

Iceman,
Can u explain this ? What am I doing wrong?  Trying to clone a blank token..


C:\Users\Chris\Desktop\Proxmark3\pm3-bin-2.1.0\win32 (client+GUI)>proxmark3 COM3
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-06-23 13:21:04
#db# os: /-suspect 2015-06-23 13:21:10
#db# HF FPGA image built on 2015/06/22 at 21:47:54
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf 14a read
UID : fd 78 90 55
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
proxmark3> hf mf chk *1 ? t
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block:  3, key type:A, key count:13
Found valid key:[000000000000]
--sector: 1, block:  7, key type:A, key count:13
Found valid key:[000000000000]
--sector: 2, block: 11, key type:A, key count:13
Found valid key:[000000000000]
--sector: 3, block: 15, key type:A, key count:13
Found valid key:[000000000000]
--sector: 4, block: 19, key type:A, key count:13
Found valid key:[000000000000]
--sector: 5, block: 23, key type:A, key count:13
Found valid key:[000000000000]
--sector: 6, block: 27, key type:A, key count:13
Found valid key:[000000000000]
--sector: 7, block: 31, key type:A, key count:13
Found valid key:[000000000000]
--sector: 8, block: 35, key type:A, key count:13
Found valid key:[000000000000]
--sector: 9, block: 39, key type:A, key count:13
Found valid key:[000000000000]
--sector:10, block: 43, key type:A, key count:13
Found valid key:[000000000000]
--sector:11, block: 47, key type:A, key count:13
Found valid key:[000000000000]
--sector:12, block: 51, key type:A, key count:13
Found valid key:[000000000000]
--sector:13, block: 55, key type:A, key count:13
Found valid key:[000000000000]
--sector:14, block: 59, key type:A, key count:13
Found valid key:[000000000000]
--sector:15, block: 63, key type:A, key count:13
Found valid key:[000000000000]
--sector: 0, block:  3, key type:B, key count:13
Found valid key:[000000000000]
--sector: 1, block:  7, key type:B, key count:13
Found valid key:[000000000000]
--sector: 2, block: 11, key type:B, key count:13
Found valid key:[000000000000]
--sector: 3, block: 15, key type:B, key count:13
Found valid key:[000000000000]
--sector: 4, block: 19, key type:B, key count:13
Found valid key:[000000000000]
--sector: 5, block: 23, key type:B, key count:13
Found valid key:[000000000000]
--sector: 6, block: 27, key type:B, key count:13
Found valid key:[000000000000]
--sector: 7, block: 31, key type:B, key count:13
Found valid key:[000000000000]
--sector: 8, block: 35, key type:B, key count:13
Found valid key:[000000000000]
--sector: 9, block: 39, key type:B, key count:13
Found valid key:[000000000000]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[000000000000]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[000000000000]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[000000000000]
--sector:13, block: 55, key type:B, key count:13
Found valid key:[000000000000]
--sector:14, block: 59, key type:B, key count:13
Found valid key:[000000000000]
--sector:15, block: 63, key type:B, key count:13
Found keys have been transferred to the emulator memory

proxmark3> hf mf nested 1 0 a 000000000000 d
Testing known keys. Sector count=16
nested...
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
Time in nested: 33.998 (3.400 sec per key)

-----------------------------------------------
Iterations count: 10


|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  000000000000  | 1 |  000000000000  | 1 |
|001|  000000000000  | 1 |  000000000000  | 1 |
|002|  000000000000  | 1 |  000000000000  | 1 |
|003|  000000000000  | 1 |  000000000000  | 1 |
|004|  000000000000  | 1 |  000000000000  | 1 |
|005|  000000000000  | 1 |  000000000000  | 1 |
|006|  000000000000  | 1 |  000000000000  | 1 |
|007|  000000000000  | 1 |  000000000000  | 1 |
|008|  000000000000  | 1 |  000000000000  | 1 |
|009|  000000000000  | 1 |  000000000000  | 1 |
|010|  000000000000  | 1 |  000000000000  | 1 |
|011|  000000000000  | 1 |  000000000000  | 1 |
|012|  000000000000  | 1 |  000000000000  | 1 |
|013|  000000000000  | 1 |  000000000000  | 1 |
|014|  000000000000  | 1 |  000000000000  | 1 |
|015|  000000000000  | 1 |  000000000000  | 0 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
proxmark3> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
Command execute timeout when trying to read access rights for sector  0. Trying
with defaults...
Command execute timeout when trying to read access rights for sector  1. Trying
with defaults...
Command execute timeout when trying to read access rights for sector  2. Trying
with defaults...
Command execute timeout when trying to read access rights for sector  3. Trying
with defaults...
Command execute timeout when trying to read access rights for sector  4. Trying
with defaults...
Command execute timeout when trying to read access rights for sector  5. Trying
with defaults...
Command execute timeout when trying to read access rights for sector  6. Trying
with defaults...
Command execute timeout when trying to read access rights for sector  7. Trying
with defaults...
Command execute timeout when trying to read access rights for sector  8. Trying
with defaults...
Command execute timeout when trying to read access rights for sector  9. Trying
with defaults...
Command execute timeout when trying to read access rights for sector 10. Trying
with defaults...
Command execute timeout when trying to read access rights for sector 11. Trying
with defaults...
Command execute timeout when trying to read access rights for sector 12. Trying
with defaults...
Command execute timeout when trying to read access rights for sector 13. Trying
with defaults...
Command execute timeout when trying to read access rights for sector 14. Trying
with defaults...
Command execute timeout when trying to read access rights for sector 15. Trying
with defaults...
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
Command execute timeout when trying to read block  0 of sector  0.
proxmark3>

Offline

#12 2015-08-17 09:54:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

The commands works as expected, you got all keys in two different ways.
If you use the "d" parameter for the chk command instead of "t" you would get a dumpkeys.bin also..

However having keys is useless if the access rights don't allow it.  But you know this from reading the output....

Since yr tag is a magic gen1, you can use the "hf mf c*" commands to write some proper sectortrailers on yr tag and experiment further.

A tip is to read the datasheets for Mifare s50 1k,  this way you can widen your understanding on whats going on.

Offline

#13 2015-08-17 12:55:46

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

Kewl,  i thought i was doing part of it correctly.
This is a token from a friend and he wanted a backup it . So let him know this token cant be cloned to uid changeable card he bought over with it? Correct?
Thanks

Offline

#14 2015-08-17 13:00:28

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

Excuse me,  he has another token like this one that his son messed uo and wants to recover that bad one to the state it initially was by copying the info from the new one he brought over. Thats the background.. Lol..  TMI. But for understanding .

Offline

#15 2015-08-17 14:45:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

The output you posted shows a a magic chinese gen1 tag,   
The other tag you are referencing to, i can't tell, since I haven't seen its output.

If your friend has two chinese magic gen1 tags, then do learn the "hf mf cload/csave/csetuid/cgetblk/csetblk" commands and if you wanna impress yr friend, read the datasheet or search this forum for a correct sectortrailer so you can rewrite it back to the broken tag.

Offline

#16 2015-08-17 15:44:40

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

Is this the correct command to use to fix this broken tag?

hf mf csetblk 0 01020304048804000000000000001001 command

Thanks !

Offline

#17 2015-08-17 15:51:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

if you want to write a correct block 0,  just use the "hf mf csetuid" instead.

your problem seems to be the sectortrailer.

Offline

#18 2015-08-17 15:57:27

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

I'm trying to read the correct info on the sectortrailer..   can u point me in the right direction?

Thanks !

Offline

#19 2015-08-17 16:06:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

You can google "mifare s50 1k sector trailer"
or
Read / search on the forum: http://www.proxmark.org/forum/viewforum.php?id=5
read / search on the documents area: http://proxmark.org/files/Documents/13. … 20Classic/

Offline

#20 2015-08-17 17:40:55

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

ok , I'm lost... I'm reading so many different threads on sector trailer.  Asper: regarding the sector trailers ie via android , others on what it is, etc..

Basically, before I before I get too involved to learn for myself. I just ant to know can this new token be cloned ? if not, can the old one be return to its magic state? if yes for either how?

I'll be the first to say nothing is easy, but there is so much information a person can be easily turned in the wrong direction and frustration seeks in..

thanks !

Offline

#21 2015-08-17 18:27:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

Since you don't answer questions yourself and don't provide needed information,  don't expect someone to be able to help you.

Offline

#22 2015-08-17 18:31:59

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

Iceman,

Frustrated...I think I have a better understanding from some of the threads read and the readings of structures.. Thanks !  I have a few questions from the readings but trying to figure them out thru trial and error. I'll ask if help needed..

Offline

#23 2015-08-17 18:44:36

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

Here's a question... how come in one instance the keys are 000000000000 but in another there ffffffffffff ?  i dont understanf that !

Offline

#24 2015-08-17 19:07:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

Not found keys is usually substituted with 0xFFFFFFFFFFFF since the dumpfiles are raw binary.
I don't remember which dumpdata.bin files that will get the key swapped with real values. 
I think its the lua "autopwn" that creates dumps with real keys inside and the "hf mf" merges them with the dumpkeys.bin at runtime.

Offline

#25 2015-08-18 21:06:02

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

If I understand some of the readings, the sector trailer determines the read write access. correct? so, if this is correct then I would need to write a new sector trailer allowing these rights. correct? 

Thanks !

Offline

#26 2015-08-18 21:27:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

Yes, the sectortrailer is just another block of 16bytes.
However, it needs to be specific which bytes you right or you permalock your tag.  This doesnot apply to magic gen1 tags.

Offline

#27 2015-08-18 21:46:43

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

Iceman,

Is this a generic sector trailer or its determined by other blocks ? I still reading but its a lot of information to absorb.. smile

Offline

#28 2015-08-18 21:49:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

1 sector = 4 blocks. (lets say zero based) Block 0,1,2 = data storage. Block 3 = sector trailer (ie last block of a sector)
Each ST decides over its sector...

Last edited by iceman (2015-08-18 22:31:56)

Offline

#29 2015-08-18 22:08:02

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

So, I need to read more on the proper use of the cload, csetuid, etc. commands ! Does all 4 sector trailers need to be change or does I need to be concern with the first that contains the uid, manufacturer data, etc. ?

Offline

#30 2015-08-18 22:09:21

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

oops, wrote that wrong.. The sector trailer is actually in block 3 the last few bytes ..  got ahead of myself..

Offline

#31 2015-08-18 22:38:03

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

no, ST is the whole block3.

Offline

#32 2015-08-18 22:47:23

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

I was reading about "aspers" Mifare Access Condition Calculator,  No readme to explain its use..  Seems like a utility I could use seeing that it does the following : utility to encode/decode the sector trailer (block 3) bytes 6-7-8 (starting form 0; they are called "Access Bits"); those bits set the access conditions (read/write/value) of the 4 blocks of a specific sector.

Could use enlighten me on its usage? Have u tried it before ?

Thanks !

Offline

#33 2015-08-19 01:31:10

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

From reading multiple sources including NFC Access Control for Mifare S50 1k, Block 3 should be 00 00 00 00 00 00 00 7F 07 88 00 00 00 00 00 00 . Correct ?  From the readings this allows for key B to update key A, update access bits, update itself and read /write Block 0-2.  Question: should key B be 00's or ff's?

Thanks !

Offline

#34 2015-08-19 01:34:09

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

00 00 00 00 00 00 7F 07 88 00 00 00 00 00 00 00 !   or 00 00 00 00 00 00 7F 07 88 00 ff ff ff ff ff ff

Offline

#35 2015-08-19 09:17:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Confused ! "Noob"

Try it..  Since it is a magic tag you can always re-write it. smile

Offline

#36 2015-08-19 18:43:45

crstofer
Contributor
Registered: 2015-06-22
Posts: 33

Re: Confused ! "Noob"

Does each sector trailer have to written to individual or is it possible to one command for all?

Offline

Board footer

Powered by FluxBB