Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Trying to examine SmarTrip card. According to https://www.dunkman.me/blog/2017/hackin … cards.html this should be a MIFARE Plus card. I can't get it to even read the UID with my ACR122 or the Proxmark.
On investigation, it looks like the ACR122 does not support MIFARE Plus; however, it looks like the Proxmark should.
Using official firmware software:
bootrom: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:27
os: master/v3.0.1-51-g53814fe-dirty-suspect 2018-02-07 20:05:05
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
...
proxmark3> hf search
no known/supported 13.56 MHz tags found
proxmark3> hf 14a reader
iso14443a card select failed
Now with the (almost) latest Iceman fork:
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:27
os: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:29
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 1
...
pm3 --> hf search
#db# [!] error, uneven octet! (extra bits!) mask 02
#db# [!] error, uneven octet! (extra bits!) mask 02
#db# [!] error, uneven octet! (extra bits!) mask 02
timeout while waiting for reply.
no known/supported 13.56 MHz tags found
pm3 --> hf 14a reader
[!] iso14443a card select failed
Any thoughts on how I could read this card? It was used a couple days ago and is not damaged so it should be good. I will try to go get another one tomorrow.
Thanks in advance.
Last edited by dontlook (2018-02-21 02:22:40)
Offline
Make sure the tag is about an inch off the antenna.
Offline
Thanks!
Tried again a bit with all different orientations, 1 inch, 0.5 inches, 2 inches even :[
Best I got is this run; the bits changed:
pm3 --> hf search
#db# [!] error, uneven octet! (extra bits!) mask 02
#db# [!] error, uneven octet! (extra bits!) mask 02
#db# [!] error, uneven octet! (extra bits!) mask 02
timeout while waiting for reply.
no known/supported 13.56 MHz tags found
Offline
Looks like a 14b or 15 tag.
14b is a bit dodgy on iceman fork at the moment, try official pm3 for it.
15 is quite stable, with good reading distance, so try again.
What is your output from these:
hw tune
hf 15 info u
Online
hw tune and test for 15 tag. I tried multiple orientations and heights (same result each time):
bootrom: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:27
os: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:29
[+] LF antenna: 26.81 V - 125.00 kHz
[+] LF antenna: 24.20 V - 134.00 kHz
[+] LF optimal: 28.60 V - 127.66 kHz
[+] LF antenna is OK
[+] HF antenna: 33.89 V - 13.56 MHz OK
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
...
pm3 --> hf 15 info u
#db# [!] error, uneven octet! (extra bits!) mask 02
iso15693 card doesn't answer to systeminfo command
Back to official pm3, multiple orientations and heights (same result each time):
bootrom: iceman/master/ice_v3.1.0-532-gfe34cac-dirty-unclean 2018-02-08 16:56:27
os: master/v3.0.1-51-g53814fe-dirty-suspect 2018-02-07 20:05:05
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
...
proxmark3> hf 14b info
no 14443B tag found
Going to try to grab another card today.
Offline
Not 14b then. Could be iclass as well, but ISO15 based.
--iceman--
hf 15 info u
hf iclass reader
Online
Soooo I made it out and got a new card
pm3 --> hf search
UID : 04 24 68 02 C2 55 80
ATQA : 00 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 60 D3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : C1 05 2F 2F 01 BC D6 -> MIFARE Plus X 2K or 4K
c1 -> Mifare or (multiple) virtual cards of various type
05 -> Length is 5 bytes
2x -> MIFARE Plus
2x -> Released
x1 -> VCS, VCSL, and SVC supported
Answers to magic commands: NO
Valid ISO14443-A Tag Found - Quiting Search
So it is looking like the other card might be dead. Thanks for all the help though. Will look at it more and see what else I can get off it.
Offline
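The ATS breakdown printed by `hf search` in the post above can be reproduced by hand. The following is an added example, not part of the original thread and not the Proxmark3 client's code: a small ISO/IEC 14443-4 ATS parser run on the ATS bytes quoted in that post, with a CRC_A check on the two trailing bytes. All function and key names are hypothetical.

```python
# Added example: decode the ISO/IEC 14443-4 ATS quoted in the post above.
# ATS_HEX is copied from the thread; all function and key names are hypothetical.
ATS_HEX = "0C 75 77 80 02 C1 05 2F 2F 01 BC D6 60 D3"
FSC_TABLE = [16, 24, 32, 40, 48, 64, 96, 128, 256]  # FSCI -> max frame size (bytes)

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (initial value 0x6363), returned low byte first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = (crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)
    return bytes([crc & 0xFF, crc >> 8])

def divisors(bits: int) -> list:
    """Map the three rate bits of TA1 to the divisors 2, 4 and 8."""
    return [d for i, d in enumerate((2, 4, 8)) if bits & (1 << i)]

def parse_ats(raw: bytes) -> dict:
    tl = raw[0]                      # TL counts itself but not the CRC
    if tl < 1 or len(raw) < tl:
        raise ValueError("truncated ATS: TL says %d bytes, got %d" % (tl, len(raw)))
    body, trailer = raw[:tl], raw[tl:]
    out = {"TL": tl, "crc_ok": len(trailer) == 2 and crc_a(body) == trailer}
    if tl == 1:                      # TL only: no format byte, defaults apply
        return out
    t0, pos = body[1], 2
    out["FSC"] = FSC_TABLE[min(t0 & 0x0F, 8)]
    for name, flag in (("TA1", 0x10), ("TB1", 0x20), ("TC1", 0x40)):
        if t0 & flag:
            if pos >= tl:
                raise ValueError(name + " announced in T0 but missing")
            out[name] = body[pos]
            pos += 1
    if "TA1" in out:
        out["same_divisor_only"] = bool(out["TA1"] & 0x80)
        out["DR"] = divisors(out["TA1"] & 0x07)          # reader -> card
        out["DS"] = divisors((out["TA1"] >> 4) & 0x07)   # card -> reader
    if "TB1" in out:
        out["FWI"], out["SFGI"] = out["TB1"] >> 4, out["TB1"] & 0x0F
        out["FWT_fc"] = 4096 << out["FWI"]               # frame waiting time in 1/fc
    if "TC1" in out:
        out["NAD"], out["CID"] = bool(out["TC1"] & 1), bool(out["TC1"] & 2)
    out["historical"] = body[pos:]   # interpretation is vendor-specific
    return out

if __name__ == "__main__":
    for key, value in parse_ats(bytes.fromhex(ATS_HEX)).items():
        print(key, value.hex(" ") if isinstance(value, bytes) else value)
```

A failed `crc_ok` or a `ValueError` on a captured ATS points at a corrupted or incomplete read rather than an unusual card.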
Could also be uninitialized.
Online
I'm intrigued. Is there a way to initialize it with the Proxmark or some of the NFC tools for Linux? I won't repeat any more of what I'm told about the card, since I might be getting bits and pieces.
Surprised at the lack of response from the first card in general.
Offline
Present it to the metro reader. You can sniff the traffic between card and the genuine reader with your pm3.
And afterwards, look at tracelog to see if the reader did something with the card.
And after that, try reading it with your pm3.
Online
I made the suggestion to the owner but had to leave the area as my trip was over. Will likely head back sometime in the next year and try then.
In the meantime, I need to do some back reading and playing around to learn to use the sniff function without a computer and maybe disassemble my Proxmark 3 rdv as right now I don't think I can get the card close enough to the reader with the card in between.
The working card I picked up does not seem to be susceptible to the regular attacks and looks like it is not using any of the default keys, so this is probably going to have to wait until I can sniff the reader traffic.
Offline
Original card confirmed not working on the metro. Sorry guys and thank you for your help.
Offline