Closed maxben14 closed 6 years ago
The `hf mf sim` command needs some work for the real simulation part (e.g. reading a block, writing a block - I don't think that this ever worked). However, WUPA, REQA, SELECT, HALT and the crypto1 authentication should work (i.e. those parts required to collect data for mfkey 🙁 ).
Which version do you use? Please post the output of `hw ver`.
```
proxmark3> hw version
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-94-g77aecdd2-dirty-suspect 2017-10-06 12:33:13
os: master/v3.0.1-94-g77aecdd2-dirty-suspect 2017-10-06 18:09:22
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 198800 bytes (76%). Free: 63344 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
```
Before the command hf mf sim n 0, I load a 1k card dump from the ff.eml file with this command: hf mf eload ff.
```
proxmark3> hf mf eload ff
................................................................
Loaded 64 blocks from file: ff.eml
proxmark3> hf mf sim n 0
mf 1k sim uid: N/A, numreads:0, flags:0 (0x00)
```
ff.eml file content
You indeed discovered two bugs. This is what happened:
So there are two bugs I am going to fix:
I stand corrected: the Mifare Classic commands simulation (read/write block, INC, DEC, etc) should work.
ToDo: Take Access Conditions into account when simulating. Currently they are ignored.
Okay, it's good, @pwpiwi. But how to deal with the smartphone reader, why did it send a HALT? This is a timing problem; is it possible to somehow speed up the implementation of the crypto1 algorithm, for example with OpenMP?
I don't think that it is a timing problem. The only critical timings are during the anticollision phase, when all cards in the reader field must respond at the same time. The responses during the authentication have to be sent between 71us and 1ms after the reader command is received.
The AUTH-B command ended at 188507914 and the tag started to respond at 188512414. This is a delay of 4500 * 1/13.56MHz = 332us, which is well within the specified limits.
The reader challenge ended at 188530620 and the tag started to respond at 188539152. Again, the delay of 8532 * 1/13.56MHz = 629us is absolutely compliant with the specs.
You wrote that the simulation works against an ACR122. Wouldn't that indicate that the fault is with MCT? Did you compare the ACR122 and MCT traces?
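Added example (not part of the thread or of the Proxmark3 code base): the delay calculation from the comment above, applied to `hf list 14a` output. It times only the two tag responses of a crypto1 authentication against the 71 us to 1 ms window quoted there; the sample rows are copied from the ACR122 trace posted in this thread, and the function names are made up for this example.

```python
import re

CARRIER_HZ = 13.56e6          # trace timestamps count carrier periods (1/13.56 MHz)
WINDOW_US = (71.0, 1000.0)    # response window quoted in the thread for authentication
AUTH_CMDS = (0x60, 0x61)      # AUTH-A / AUTH-B command bytes

# First four columns of an `hf list 14a` row: Start | End | Src | Data |
ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|([^|]*)\|")


def parse_trace(text):
    """Return [(start, end, src, data_bytes)] for every row that parses."""
    frames = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, continuation line or truncated row
        # A trailing "!" marks a parity error on that byte; strip it.
        data = bytes(int(tok.rstrip("!"), 16) for tok in m.group(4).split())
        frames.append((int(m.group(1)), int(m.group(2)), m.group(3), data))
    return frames


def periods_to_us(periods):
    """Convert a number of carrier periods to microseconds."""
    return periods / CARRIER_HZ * 1e6


def auth_response_delays(frames):
    """Time the tag nonce and the tag's final answer of each AUTH exchange.

    The delay is measured as in the thread: from the end of the reader
    frame to the start of the tag frame that follows it.
    """
    results = []
    for i, (_, _, src, data) in enumerate(frames):
        if src != "Rdr" or len(data) != 4 or data[0] not in AUTH_CMDS:
            continue
        # Expected order: AUTH command, tag nonce, reader {nr}{ar}, tag {at}.
        for rdr, tag, step in ((i, i + 1, "nonce"), (i + 2, i + 3, "answer")):
            if tag >= len(frames):
                break
            if frames[rdr][2] != "Rdr" or frames[tag][2] != "Tag":
                break  # exchange was cut short or a frame is missing
            us = periods_to_us(frames[tag][0] - frames[rdr][1])
            results.append({
                "block": data[1],
                "step": step,
                "delay_us": round(us, 1),
                "in_window": WINDOW_US[0] <= us <= WINDOW_US[1],
            })
    return results


# Rows copied from the ACR122 trace in this thread.
SAMPLE = """\
33043746 | 33044738 | Rdr | 52 | | WUPA
33046294 | 33048662 | Tag | 04 00 | |
33061958 | 33072422 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
33074106 | 33077626 | Tag | 08 b6 dd | |
35303750 | 35308454 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
35312954 | 35317690 | Tag | 01 02 03 04 | |
35319084 | 35328396 | Rdr | c9 95! 90! 5d! 71! ec f1 df! | !crc| ?
35337056 | 35341728 | Tag | 84 35 42 93 | |
"""

if __name__ == "__main__":
    for row in auth_response_delays(parse_trace(SAMPLE)):
        print(row)
```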
Yes, I did compare with acr122 and MCT.
acr122
23858198 | 23860566 | Tag | 04 00 | |
23873862 | 23884326 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
23886010 | 23889530 | Tag | 08 b6 dd | |
26918380 | 26919372 | Rdr | 52 | | WUPA
26920928 | 26923296 | Tag | 04 00 | |
26936640 | 26947104 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
26948596 | 26952116 | Tag | 08 b6 dd | |
29981000 | 29981992 | Rdr | 52 | | WUPA
29983548 | 29985916 | Tag | 04 00 | |
29999276 | 30009740 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
30011360 | 30014880 | Tag | 08 b6 dd | |
33043746 | 33044738 | Rdr | 52 | | WUPA
33046294 | 33048662 | Tag | 04 00 | |
33061958 | 33072422 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
33074106 | 33077626 | Tag | 08 b6 dd | |
35303750 | 35308454 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
35312954 | 35317690 | Tag | 01 02 03 04 | |
35319084 | 35328396 | Rdr | c9 95! 90! 5d! 71! ec f1 df! | !crc| ?
35337056 | 35341728 | Tag | 84 35 42 93 | |
35546696 | 35551464 | Rdr |30! 00! 02 a8 | ok | READBLOCK(0)
35565884 | 35586684 | Tag |ce! bc! f5 34! df! ee 09! 78 bc 1f b5 f3! 59! 88! 54 2f! | |
| | | a6 36 | !crc|
46721152 | 46722144 | Rdr | 52 | | WUPA
46723700 | 46726068 | Tag | 04 00 | |
46739428 | 46749892 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
46751384 | 46754904 | Tag | 08 b6 dd | |
49783722 | 49784714 | Rdr | 52 | | WUPA
49786334 | 49788702 | Tag | 04 00 | |
49801870 | 49812334 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48
nfc console: I try the command 60 00 key uid & 30 00, and in the console android apk this works.
10816438 | 10818806 | Tag | 04 00 | |
10827366 | 10837830 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
10839514 | 10843034 | Tag | 08 b6 dd | |
11064064 | 11068832 | Rdr | 50 00 57 cd | ok | HALT
11111676 | 11112668 | Rdr | 52 | | WUPA
11114224 | 11116592 | Tag | 04 00 | |
11126056 | 11136520 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
11138140 | 11141660 | Tag | 08 b6 dd | |
12974336 | 12979104 | Rdr | 50 00 57 cd | ok | HALT
13021288 | 13022280 | Rdr | 52 | | WUPA
13023836 | 13026204 | Tag | 04 00 | |
13035650 | 13046114 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
13047734 | 13051254 | Tag | 08 b6 dd | |
14619024 | 14635248 | Rdr | 60 00 a0 a1 a2 a3 a4 a5 0e b7 d9 b7 e3 a0 | ok | AUTH-A(0)
19298428 | 19303196 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
19315568 | 19336368 | Tag | 0e b7 d9 b7 d7 08 04 00 62 63 64 65 66 67 68 69 | |
| | | 9c 1e | ok |
19564136 | 19568904 | Rdr | 30 01 8b b9 | ok | READBLOCK(1)
19581148 | 19602012 | Tag | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 37 49 | ok |
19798366 | 19803070 | Rdr | 30 02 10 8b | ok | READBLOCK(2)
19815442 | 19836306 | Tag | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 37 49 | ok |
20024580 | 20029284 | Rdr | 30 03 99 9a | ok | READBLOCK(3)
20041784 | 20062584 | Tag | a0 a1 a2 a3 a4 a5 78 77 88 00 a0 a1 a2 a3 a4 a5 | |
| | | f3 c3 | ok |
21818864 | 21823632 | Rdr | 50 00 57 cd | ok | HALT
21866498 | 21867490 | Rdr | 52 | | WUPA
21869110 | 21871478 | Tag | 04 00 | |
21881056 | 21891520 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
21892884 | 21896404 | Tag | 08 b6 dd | |
23645472 | 23650240 | Rdr | 50 00 57 cd | ok | HALT
23693854 | 23694846 | Rdr | 52 | | WUPA
23696402 | 23698770 | Tag | 04 00 | |
23708348 | 23718812 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
23720176 | 23723696 | Tag | 08 b6 dd | |
25472816 | 25477584 | Rdr | 50 00 57 cd | ok | HALT
25520458 | 25521450 | Rdr | 52 | | WUPA
25523198 | 25525566 | Tag | 04 00 | |
25534888 | 25545352 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
25546972 | 25550492 | Tag | 08 b6 dd | |
27298960 | 27303728 | Rdr | 50 00 57 cd | ok | HALT
27346598 | 27347590 | Rdr | 52 | | WUPA
27349210 | 27351578 | Tag | 04 00 | |
27361028 | 27371492 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
27373112 | 27376632 | Tag | 08 b6 dd
mct
25587658 | 25590026 | Tag | 04 00 | |
25598650 | 25609114 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
25610734 | 25614254 | Tag | 08 b6 dd | |
25698752 | 25703520 | Rdr | 50 00 57 cd | ok | HALT
25746418 | 25747410 | Rdr | 52 | | WUPA
25749030 | 25751398 | Tag | 04 00 | |
25760976 | 25771440 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
25772804 | 25776324 | Tag | 08 b6 dd | |
25843180 | 25847948 | Rdr | 61 00 2d 62 | ok | AUTH-B(0)
25852256 | 25856992 | Tag | 01 02 03 04 | |
25861108 | 25870420 | Rdr | b6 bf 11! 46 0f! 3a 42 e4 | !crc| ?
25879080 | 25883752 | Tag | 1e d6 bc fa | |
25927952 | 25932720 | Rdr |a7! bb c0! db! | !crc| ?
25936260 | 25936900 | Tag | 07 | |
26034064 | 26035056 | Rdr | 52 | | WUPA
26036612 | 26038980 | Tag | 04 00 | |
26047574 | 26058038 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
26059722 | 26063242 | Tag | 08 b6 dd | |
26129632 | 26134400 | Rdr | 50 00 57 cd | ok | HALT
26177330 | 26178322 | Rdr | 52 | | WUPA
26179878 | 26182246 | Tag | 04 00 | |
26191666 | 26202130 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
26203814 | 26207334 | Tag | 08 b6 dd | |
27957072 | 27961840 | Rdr | 50 00 57 cd | ok | HALT
28004786 | 28005778 | Rdr | 52 | | WUPA
28007334 | 28009702 | Tag | 04 00 | |
28019122 | 28029586 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
28031270 | 28034790 | Tag | 08 b6 dd | |
29783968 | 29788736 | Rdr | 50 00 57 cd | ok | HALT
29832372 | 29833364 | Rdr | 52
I see many HALT commands in the logs from MCT and the android console apk, and don't see HALT in the ACR122 log.
SIM Not sure if I agree about the idea of sim trace should always show raw data.
HALT The concept that a mifare reader sends an un-encrypted HALT while being in the authenticated state seems more like an implementation bug in the reader software than a PM3 bug. It comes down to protocol: in iso14443a it should be un-encrypted, but the Mifare additional protocol above the 14a protocol has its own quirks. So the answer to how a HALT command should be implemented for mifare should be in their documents. Not sure Mifare implementations are following protocol.
@iceman1001 , The main question is, why does not any android application want to read proxmark in the classic emulation mode?
@maxben14: your traces show two more bugs in hf mf sim:
@iceman1001: A trace should always be raw data because it can be interpreted in different ways. Interpreting traces is the task of the `hf list` commands. Decrypting encrypted data should be done there if necessary (e.g. with a new `hf list mf`).
hf list mf yeap, that would be good, been thinking on it for some years, never got around to do it. The problem would be that the list command does have the key needed to decrypt while the sim has it. and starting calling list with a key seems not optimal. I do agree with "hf list 14a" or "hf 14a reader" does too much. A "hf mf info" command would also be better. A side note to the actual subject.
-- crc check to the decrypted command will solve the wrong answer to HALT. That will ensure PM3 doesn't do wrong. We can NOT guarantee the Android or ACR122 implementations are correct as it looks now.
As i remembered there is no problem to decrypt first Authentication command, but a problem with decryption the next
I have raised PR #419 which should fix the issues I have mentioned above. Please give it a try.
@maxben14: could you please run your tests again with PR #419 and post the results here?
@maxben14: changes are committed. Looking forward to your results...
So far so good it works very well ... **depending on the device.**
Same device from same manufacturer same year... same firmware...
Anyway, the fix from @pwpiwi is absolutely crazy on my side... I'm able to chain successful Readers attacks in the wild in 1~3 tries with less than 1 sec communication, ensuring a good 20% success into finding at least a B-Key (depending on the UID chosen, because of vigik system, if it can't authenticate with A key, it will try RSA-signed services-codes/values from B block., whatever).
However, still it will ALWAYS fail to face a standard reader because of a very simple thing 👍 -
When authenticated, whether it be from B or A key, `hf mf sim` ALWAYS gives something like
a6 7f 8b f5 a7 88 04 00 46 8e 45 59 61 10 50 04
01 07 4e 00 00 00 00 00 00 00 00 00 00 00 00 00
55 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00
88 29 da 9d af 76 7f 07 88 00 88 29 da 9d af 76
So yes, @pwpiwi, Access bit conditions are not followed... If I'm not mistaken, whatever would Access bits be for any sector, the A key can Never be read. At the very least, the device should Never send a sector trailer which doesn't start by "00 00 00 00 00 00 " ...
This little fix should be enough to make the device work in more than 50% classic residential and standard implementations (Well at least here in France).
I've hoped that I could just blank the A key from emulator memory, however it makes the reader failing to authenticate with such a key so...
Also timings are very very important here too for the first successful authentication: Reader will immediately try an A key auth on sector 0 (for residentials), and upon fail will ONLY loop against Bkey value block (for VIGIK Services codes/temporary "master keys" as mentioned above.) An A key auth will not be attempted again without the tag being out of the field for at least a few seconds (on vigik systems this state is indicated by a little red light instead of green, flashing with the same speed as the Auths are tried). Also a note here: it is quite easy on these systems to find suitable UID's for reader attacks: they are making the reader behave differently. As a master-key RSA-signed temporary masterkey could have any uid, an unknown uid will be challenged against that behavior, creating flashing light. However a failing real candidate for uid will trigger a "shutdown" or so of the field, the red light will not flash, then shutdown and nothing will happen without Tag being out of the field + quick timeout.
Quite a bit of digression here, but anyway information worth the knowledge since it points towards specific needs on the Simulation side behavior. Which, again, seems to be able to become like a bright sunday on some device since your patch.
Anyway thanks again @pwpiwi ... and please don't give up on this one because from now eventual fixes should be negligible compared to the work you've done for these two P.R.; or at least can be partially mimicked with small fixes (like the never send A key...)
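Added example, not code from the thread or from the Proxmark3 firmware: how the access bits stored in a sector trailer determine what a read of that trailer may return under the MIFARE Classic access-condition table (key A is never readable, key B only under three of the eight conditions). The first trailer is the one the simulator returned for READBLOCK(3) in the trace earlier in this thread, the second is a constructed factory-default trailer, and the function names are hypothetical.

```python
# Trailer layout: key A (bytes 0-5) | access bits (6-8) | user byte (9) | key B (10-15)

# (C1, C2, C3) values of the trailer block for which key B is readable after
# authenticating with key A. In these cases key B is plain data and cannot be
# used to authenticate; in all other cases key B is never readable.
KEYB_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def trailer_condition(trailer: bytes):
    """Decode (C1, C2, C3) for the trailer block and check the inverted copies.

    byte 6 = ~C2 (high nibble) | ~C1 (low nibble)
    byte 7 =  C1 (high nibble) | ~C3 (low nibble)
    byte 8 =  C3 (high nibble) |  C2 (low nibble)
    Bit 3 of each nibble belongs to block 3, the sector trailer.
    """
    if len(trailer) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return (c1 >> 3) & 1, (c2 >> 3) & 1, (c3 >> 3) & 1


def trailer_read_response(trailer: bytes, auth_key: str):
    """Return the 16 bytes a tag following the table sends for a trailer read.

    auth_key is "A" or "B", the key type used for the current authentication.
    Returns None when the read must be refused.
    """
    cond = trailer_condition(trailer)
    out = bytearray(trailer)
    out[0:6] = bytes(6)               # key A is never readable, whatever the bits say
    if cond in KEYB_READABLE:
        if auth_key == "B":
            return None               # key B is data here, so it grants no access
    else:
        out[10:16] = bytes(6)         # key B is a real key: mask it as well
    return bytes(out)


# Trailer returned in clear by the simulator in the READBLOCK(3) trace above.
THREAD_TRAILER = bytes.fromhex("a0a1a2a3a4a5 787788 00 a0a1a2a3a4a5")
# Constructed sample: factory-default keys and access bits FF 07 80.
DEFAULT_TRAILER = bytes.fromhex("ffffffffffff ff0780 69 ffffffffffff")

if __name__ == "__main__":
    for name, t in (("thread", THREAD_TRAILER), ("default", DEFAULT_TRAILER)):
        resp = trailer_read_response(t, "A")
        print(name, trailer_condition(t), resp.hex(" "))
```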
@pwpiwi, I tried the new version but the command "hf mf sim n 0" again has problems with auth on an android smartphone.
9829638 | 9832006 | Tag | 44 00 | |
9841036 | 9851564 | Rdr | 93 70 88 04 53 5d 82 17 d3 | ok | SELECT_UID
9852736 | 9856256 | Tag | 04 da 17 | |
9858974 | 9861438 | Rdr | 95 20 | | ANTICOLL-2
9862610 | 9868498 | Tag | 42 a7 49 80 2c | |
9872524 | 9883052 | Rdr | 95 70 42 a7 49 80 2c 2d 5e | ok | ANTICOLL-2
9884224 | 9887744 | Tag | 08 b6 dd | |
10608680 | 10613384 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
10618012 | 10622748 | Tag | 01 02 03 04 | |
10626782 | 10636094 | Rdr | b7 76 2e 8e! 6e ae! 8a! fe! | !crc| ?
10644690 | 10649362 | Tag | b4 7e 61 24 | |
10698634 | 10703402 | Rdr | 50 00 57 cd | ok | HALT
10707134 | 10707774 | Tag |03! | |
10890486 | 10891478 | Rdr | 52 | | WUPA
10892714 | 10895082 | Tag | 44 00 | |
10903288 | 10913816 | Rdr | 93 70 88 04 53 5d 82 17 d3 | ok | SELECT_UID
10914988 | 10918508 | Tag | 04 da 17 | |
10921210 | 10923674 | Rdr | 95 20 | | ANTICOLL-2
I see that after a good auth my android sends HALT to the tag. Is it a timing problem with android?
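Added example (not from the thread or the Proxmark3 sources): recomputing CRC_A over the raw reader bytes shows which frames were sent in the clear after an authentication, the situation discussed in this thread for HALT. The frames are reader bytes copied from traces posted here; the function names and the simple session-tracking rule are assumptions of this example.

```python
CMD_NAMES = {0x50: "HALT", 0x30: "READBLOCK", 0x60: "AUTH-A", 0x61: "AUTH-B"}
AUTH_CMDS = (0x60, 0x61)
WAKEUPS = (b"\x52", b"\x26")      # WUPA / REQA short frames restart the dialogue


def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (initial value 0x6363), returned low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def has_valid_crc(frame: bytes) -> bool:
    """True when the last two raw bytes are the CRC_A of the preceding bytes."""
    return len(frame) >= 3 and crc_a(frame[:-2]) == frame[-2:]


def plaintext_after_auth(reader_frames):
    """Return [(index, command name)] of cleartext frames inside a crypto1 session.

    After an AUTH command every reader frame should be encrypted, so its raw
    bytes carry a matching CRC_A only by chance. A frame whose raw CRC_A
    matches was therefore sent without encryption. Only the first such frame
    of each session is reported (assumption: the session is over after it).
    """
    hits = []
    authenticated = False
    for index, hex_frame in enumerate(reader_frames):
        frame = bytes.fromhex(hex_frame)
        if frame in WAKEUPS:
            authenticated = False
        elif authenticated:
            if has_valid_crc(frame):
                hits.append((index, CMD_NAMES.get(frame[0], "unknown")))
                authenticated = False
        elif has_valid_crc(frame) and len(frame) == 4 and frame[0] in AUTH_CMDS:
            authenticated = True
    return hits


# Reader frames from the android trace above (parity markers removed).
ANDROID_VS_SIM = [
    "93 70 88 04 53 5d 82 17 d3",
    "95 20",
    "95 70 42 a7 49 80 2c 2d 5e",
    "60 00 f5 7b",
    "b7 76 2e 8e 6e ae 8a fe",
    "50 00 57 cd",
    "52",
]
# Reader frames from the MCT trace earlier in the thread (parity markers removed).
MCT_VS_SIM = ["61 00 2d 62", "b6 bf 11 46 0f 3a 42 e4", "a7 bb c0 db", "52"]

if __name__ == "__main__":
    print("android:", plaintext_after_auth(ANDROID_VS_SIM))
    print("mct:    ", plaintext_after_auth(MCT_VS_SIM))
```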
...some information seems missing. In order to make use of the "hf mf sim" command with authentication, you would need to load a proper dump into the device first. With correct keys etc..
From your trace it's not much to deduce.
@iceman1001, of course, as I wrote before: before the command hf mf sim n 0, I load a 1k card dump from the ff.eml file with this command: hf mf eload ff. proxmark3> hf mf eload ff
and all correct keys are in it?
@iceman1001 , yes in 0 sector key a0a1a2a3a4a5 and in mct in key file this key, but acr122 good read when i do hf mf sim n 0
I think that there is still room for improvement regarding timing. Will try to get hold of a DSO to check.
I have a very strange addition but it might be insightful.. (if anyone could test this further I would be glad..)
I have three pm3 here (all are based on Elechouse V2 dev kit from different years and different quality) but they all act the same. Also this has been tested on several [french vigik residential] readers with consistent repeatable behavior.
So the "quality" of simulation seems to depend on UID somehow.
I made a lot of tests like that and whether a UID is known to work with such Residential Readers or not, the behavior of the simulation drastically changes with UID... two UID unknown to the Residential system can work very well or not at all, two Known UID can work very well or not at all... But this is all consistent: a "not working" UID like 4285BA87 will never work with any of such reader (but still work with e.g. nfc android phones) and UID 0A0A0A0A will always work with any of such reader (and also work with nfc android phones)...
@iceman1001 , @pwpiwi what's your opinion on this ?
This is an interesting observation. I had noticed that 4 byte UID works, but 7 byte UID didn't. But I didn't try different 4Byte and 7Byte UIDs. Your observation might direct us to find the still existing (or yet another) `hf mf sim` bug.
It needs to sniff the bad communication with a 2nd proxmark. Maybe there are some timing issues or antenna quality issues.
Good idea, but I am lacking the 2nd proxmark. Trying to get hold of a DSO.
@cjbrigato have) @cjbrigato can you sniff and POST here the results? P. S. I have only one too
I do have several pm3, I also have a vigik reader at home with tags, so it would be possible to look at it,
however I'm busy with fixing up the firmware for chameleon mini.
I'm certain @cjbrigato will figure it out.
now, is problems solved?
time to close?
@iceman1001, no, proxmark in mode emulator 1k work with android very bad, only acr122 good read,write emulator 1k proxmark.
"very bad" and "good read,write" is a bit vague :smile:. Can you please provide some traces again?
Sniff between real tag and android:
```
proxmark3> hf list 14a
Recorded Activity (TraceLen = 2051 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
---|---|---|---|---|---|
0 | 38112 | Rdr | f0 1e d4 00 66 20 62 03 aa e7 65 9a 8b 59 00 00 | ||
00 32 46 66 6d 01 01 11 03 02 00 13 04 01 96 25 | |||||
c0 | ok | ? | |||
141744 | 142800 | Rdr | 26 | REQA | |
143988 | 146356 | Tag | 04 00 | ||
153968 | 156432 | Rdr | 93 20 | ANTICOLL | |
157620 | 163508 | Tag | 01 02 03 04 04 | ||
167504 | 178032 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
179220 | 182740 | Tag | 08 b6 dd | ||
790368 | 795136 | Rdr | 50 00 57 cd | ok | HALT |
837888 | 838880 | Rdr | 52 | WUPA | |
840132 | 842500 | Tag | 04 00 | ||
851504 | 862032 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
863220 | 866740 | Tag | 08 b6 dd | ||
1065872 | 1070640 | Rdr | 50 00 57 cd | ok | HALT |
1114096 | 1115088 | Rdr | 52 | WUPA | |
1116340 | 1118708 | Tag | 04 00 | ||
1127728 | 1138256 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
1139444 | 1142964 | Tag | 08 b6 dd | ||
1242528 | 1247296 | Rdr | 50 00 57 cd | ok | HALT |
1290048 | 1291040 | Rdr | 52 | WUPA | |
1292292 | 1294660 | Tag | 04 00 | ||
1303680 | 1314208 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
1315396 | 1318916 | Tag | 08 b6 dd | ||
1414688 | 1419392 | Rdr | 60 01 7c 6a | ok | AUTH-A(1) |
1421412 | 1426084 | Tag | 15 80 12 e4 | ||
1430176 | 1439552 | Rdr | bb fa! ae! cf! ab! 9f 52! 32 | !crc | ? |
1440740 | 1445412 | Tag | bc! 85! b1 c2! | ||
1574480 | 1579184 | Rdr | 25! 89 5c d0! | !crc | ? |
1580436 | 1601236 | Tag | 0a! 17 ba a3! 93! 6f 13 98 e4! a7 b5! 43! 6b! 06 58! 72 | ||
e1 3f | !crc | ||||
1684144 | 1688848 | Rdr | d6 34! 18! 76! | !crc | ? |
1690100 | 1710900 | Tag | df! 02 0b db! e7 38 03! 2b c8! 8a! 4c! a4 6d 69! 31 13! | ||
17 06 | !crc | ||||
1819152 | 1823856 | Rdr | 3a da! 97! 9c | !crc | READ RANGE (218-151) |
1825108 | 1845972 | Tag | 9c 14! 2d 2e 64 df! 7c 43! d8! 6a 14 4e 92 1d 18! 5b! | ||
1d f5! | !crc | ||||
1949984 | 1954752 | Rdr | 9f! 3b! 0f! 15 | !crc | ? |
1997520 | 1998512 | Rdr | 52 | WUPA | |
1999764 | 2002132 | Tag | 04 00 | ||
2011152 | 2021680 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
2022868 | 2026388 | Tag | 08 b6 dd | ||
2148400 | 2153168 | Rdr | 50 00 57 cd | ok | HALT |
2195936 | 2196928 | Rdr | 52 | WUPA | |
2198196 | 2200564 | Tag | 04 00 | ||
2209568 | 2220096 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
2221284 | 2224804 | Tag | 08 b6 dd | ||
2526368 | 2531072 | Rdr | 60 01 7c 6a | ok | AUTH-A(1) |
2533092 | 2537828 | Tag | ea 55 82 98 | ||
2541872 | 2551184 | Rdr | aa 93! f8! a2 38! 80! 64 07! | !crc | ? |
2552436 | 2557172 | Tag | 32 15 f6 ff! | ||
2690784 | 2695552 | Rdr | fc e9! 29 c1 | !crc | ? |
2696740 | 2717604 | Tag | 21 8a 67! 76! 88! 45 88 a7! 69! f1! 60 c5! ba! d8 c8! 6a! | ||
44! d0 | !crc | ||||
2794272 | 2798976 | Rdr | b1! 3c 5e! 71 | !crc | ? |
2800228 | 2821092 | Tag | 5f 96 24! 9f! cb! 94 95 0c! b3 9b! 2a 8d! 3d! e8! 83! 0a! | ||
9a 14! | !crc | ||||
2917696 | 2922400 | Rdr | 8f! b2 65 20! | !crc | ? |
2923652 | 2944516 | Tag | 54! 36 68! 6e 1d! f7 ef 8d 64 7c dd! 43 8b 6a! 83! ae | ||
98 54 | !crc | ||||
3077664 | 3082368 | Rdr | ff! a5 53! 79! | !crc | ? |
3124512 | 3125504 | Rdr | 52 | WUPA | |
3126756 | 3129124 | Tag | 04 00 | ||
3138144 | 3148672 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
3149860 | 3153380 | Tag | 08 b6 dd | ||
3792080 | 3796848 | Rdr | 50 00 57 cd | ok | HALT |
3840352 | 3841344 | Rdr | 52 | WUPA | |
3842596 | 3844964 | Tag | 04 00 | ||
3853984 | 3864512 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
3865700 | 3869220 | Tag | 08 b6 dd | ||
3990688 | 3995456 | Rdr | 50 00 57 cd | ok | HALT |
4038944 | 4039936 | Rdr | 52 | WUPA | |
4041204 | 4043572 | Tag | 04 00 | ||
4052592 | 4063120 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
4064308 | 4067828 | Tag | 08 b6 dd | ||
4270912 | 4275680 | Rdr | 60 08 bd f7 | ok | AUTH-A(8) |
4277636 | 4282308 | Tag | 01 f2 51 3f | ||
4286416 | 4295792 | Rdr | 08 ac! ef! b3 1c d5! 3a 5c! | !crc | ? |
4296980 | 4301652 | Tag | 04! d5! 8a! 7e | ||
4652048 | 4656752 | Rdr | fc! f6 8f! c9 | !crc | ? |
4658004 | 4678868 | Tag | 70! 4e! f1 81 1e d6! 86! dc 0b! a2! 08 45 ff! c1 7b! 55 | ||
7f! f8 | !crc | ||||
4832032 | 4836736 | Rdr | 34 d9 1c! c0 | !crc | ? |
4880304 | 4881296 | Rdr | 52 | WUPA | |
4882548 | 4884916 | Tag | 04 00 | ||
4893936 | 4904464 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
4905652 | 4909172 | Tag | 08 b6 dd | ||
5015024 | 5019792 | Rdr | 50 00 57 cd | ok | HALT |
5063296 | 5064288 | Rdr | 52 | WUPA | |
5065540 | 5067908 | Tag | 04 00 | ||
5076928 | 5087456 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
5088644 | 5092164 | Tag | 08 b6 dd | ||
5375696 | 5380464 | Rdr | 50 00 57 cd | ok | HALT |
5423264 | 5424256 | Rdr | 52 | WUPA | |
5425524 | 5427892 | Tag | 04 00 | ||
5436912 | 5447440 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
5448628 | 5452148 | Tag | 08 b6 dd | ||
5708928 | 5713696 | Rdr | 30 ff 7a a7 | ok | READBLOCK(255) |
5714900 | 5715540 | Tag | 04 | ||
5860448 | 5865216 | Rdr | 30 e0 0c 4f | ok | READBLOCK(224) |
12114096 | 12118864 | Rdr | 50 00 57 cd | ok | HALT |
12160992 | 12161984 | Rdr | 52 | WUPA | |
12163236 | 12165604 | Tag | 04 00 | ||
12174640 | 12185168 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
12186356 | 12189876 | Tag | 08 b6 dd | ||
13954624 | 13959392 | Rdr | 50 00 57 cd | ok | HALT |
14002928 | 14003920 | Rdr | 52 | WUPA | |
14005172 | 14007540 | Tag | 04 00 | ||
14016592 | 14027120 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
14028308 | 14031828 | Tag | 08 b6 dd | ||
15861552 | 15866320 | Rdr | 50 00 57 cd | ok | HALT |
15909168 | 15910160 | Rdr | 52 | WUPA | |
15911412 | 15913780 | Tag | 04 00 | ||
15922816 | 15933344 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
15934532 | 15938052 | Tag | 08 b6 dd | ||
17794288 | 17799056 | Rdr | 50 00 57 cd | ok | HALT |
17841904 | 17842896 | Rdr | 52 | WUPA | |
17844148 | 17846516 | Tag | 04 00 | ||
17855552 | 17866080 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
17867284 | 17870804 | Tag | 08 b6 dd | ||
19687280 | 19692048 | Rdr | 50 00 57 cd | ok | HALT |
19734912 | 19735904 | Rdr | 52 | WUPA | |
19737156 | 19739524 | Tag | 04 00 | ||
19748560 | 19759088 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
19760292 | 19763812 | Tag | 08 b6 dd | ||
21568576 | 21573344 | Rdr | 50 00 57 cd | ok | HALT |
21616208 | 21617200 | Rdr | 52 | WUPA | |
21618452 | 21620820 | Tag | 04 00 | ||
21629872 | 21640400 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
21641588 | 21645108 | Tag | 08 b6 dd | ||
23490000 | 23494768 | Rdr | 50 00 57 cd | ok | HALT |
23536928 | 23537920 | Rdr | 52 | WUPA | |
23539188 | 23541556 | Tag | 04 00 | ||
23550592 | 23561120 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
23562308 | 23565828 | Tag | 08 b6 dd | ||
25389056 | 25393824 | Rdr | 50 00 57 cd | ok | HALT |
25436704 | 25437696 | Rdr | 52 | WUPA | |
25438948 | 25441316 | Tag | 04 00 | ||
25450352 | 25460880 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
25462084 | 25465604 | Tag | 08 b6 dd | ||
27267056 | 27271824 | Rdr | 50 00 57 cd | ok | HALT |
27313984 | 27314976 | Rdr | 52 | WUPA | |
27316228 | 27318596 | Tag | 04 00 | ||
27327648 | 27338176 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
27339364 | 27342884 | Tag | 08 b6 dd | ||
29118112 | 29122880 | Rdr | 50 00 57 cd | ok | HALT |
29166448 | 29167440 | Rdr | 52 | WUPA | |
29168692 | 29171060 | Tag | 04 00 | ||
29180128 | 29190656 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
29191844 | 29195364 | Tag | 08 b6 dd | ||
31066720 | 31071488 | Rdr | 50 00 57 cd | ok | HALT |
31113664 | 31114656 | Rdr | 52 | WUPA | |
31115908 | 31118276 | Tag | 04 00 | ||
31127328 | 31137856 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID |
31139060 | 31142580 | Tag | 08 b6 dd |
```
My android read 8 block in 1k.
4270912 | 4275680 | Rdr | 60 08 bd f7 | ok | AUTH-A(8)
4277636 | 4282308 | Tag | 01 f2 51 3f | |
4286416 | 4295792 | Rdr | 08 ac! ef! b3 1c d5! 3a 5c! | !crc| ?
4296980 | 4301652 | Tag |04! d5! 8a! 7e | |
4652048 | 4656752 | Rdr |fc! f6 8f! c9 | !crc| ?
4658004 | 4678868 | Tag |70! 4e! f1 81 1e d6! 86! dc 0b! a2! 08 45 ff! c1 7b! 55 | |
| | |7f! f8 | !crc|
4832032 | 4836736 | Rdr | 34 d9 1c! c0
Sniff between my emulator and android:
proxmark3> hf list 14a
Recorded Activity (TraceLen = 1448 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 2368 | Tag | 04 00 | |
14032 | 19920 | Tag | 01 02 03 04 04 | |
35648 | 39168 | Tag | 08 b6 dd | |
658972 | 663740 | Rdr | 50 00 57 cd | ok | HALT
708016 | 710384 | Tag | 04 00 | |
730288 | 733808 | Tag | 08 b6 dd | |
897964 | 902732 | Rdr | 50 00 57 cd | ok | HALT
946156 | 947148 | Rdr | 52 | | WUPA
948400 | 950768 | Tag | 04 00 | |
959756 | 970284 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
971488 | 975008 | Tag | 08 b6 dd | |
1121020 | 1122012 | Rdr | 52 | | WUPA
1123264 | 1125632 | Tag | 04 00 | |
1134620 | 1145148 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
1146352 | 1149872 | Tag | 08 b6 dd | |
1234928 | 1239600 | Tag | 00 00 00 00 | |
1243692 | 1253004 | Rdr |2d! 40! 17 ab! 2c e1! 2d 22 | !crc| ?
1262496 | 1267168 | Tag | b2 c1 95 7b | |
1322988 | 1327756 | Rdr | 50 00 57 cd | ok | HALT
1373440 | 1375808 | Tag | 04 00 | |
1384796 | 1395324 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
1396528 | 1400048 | Tag | 08 b6 dd | |
1517664 | 1520032 | Tag | 04 00 | |
1540768 | 1544288 | Tag | 08 b6 dd | |
1671264 | 1673632 | Tag | 04 00 | |
1694336 | 1697856 | Tag | 08 b6 dd | |
1786940 | 1791708 | Rdr | 50 00 57 cd | ok | HALT
1836688 | 1839056 | Tag | 04 00 | |
1848060 | 1858588 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
1859792 | 1863312 | Tag | 08 b6 dd | |
1941196 | 1945964 | Rdr | 50 00 57 cd | ok | HALT
1988716 | 1989708 | Rdr | 52 | | WUPA
1990944 | 1993312 | Tag | 04 00 | |
2014032 | 2017552 | Tag | 08 b6 dd | |
2317984 | 2320352 | Tag | 04 00 | |
2341072 | 2344592 | Tag | 08 b6 dd | |
2585532 | 2590236 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
2591488 | 2596160 | Tag | 00 00 00 00 | |
2619056 | 2623728 | Tag | c2 4b 53 5a | |
2802896 | 2805264 | Tag | 04 00 | |
2825984 | 2829504 | Tag | 08 b6 dd | |
3012844 | 3017612 | Rdr | 50 00 57 cd | ok | HALT
3060380 | 3061372 | Rdr | 52 | | WUPA
3062624 | 3064992 | Tag | 04 00 | |
3085728 | 3089248 | Tag | 08 b6 dd | |
3322844 | 3327612 | Rdr | 50 00 57 cd | ok | HALT
3370380 | 3371372 | Rdr | 52 | | WUPA
3372624 | 3374992 | Tag | 04 00 | |
3384012 | 3394540 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
3395744 | 3399264 | Tag | 08 b6 dd | |
4135216 | 4137584 | Tag | 04 00 | |
4158320 | 4161840 | Tag | 08 b6 dd | |
4254140 | 4258908 | Rdr | 50 00 57 cd | ok | HALT
4303936 | 4306304 | Tag | 04 00 | |
4315324 | 4325852 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
4327040 | 4330560 | Tag | 08 b6 dd | |
4495888 | 4500560 | Tag | 00 00 00 00 | |
4523472 | 4528144 | Tag | ba 73 cd 18 | |
4644508 | 4649276 | Rdr | 50 00 57 cd | ok | HALT
4694304 | 4696672 | Tag | 04 00 | |
4717424 | 4720944 | Tag | 08 b6 dd | |
4897964 | 4902732 | Rdr | 50 00 57 cd | ok | HALT
4947760 | 4950128 | Tag | 04 00 | |
4970880 | 4974400 | Tag | 08 b6 dd | |
5144988 | 5149756 | Rdr | 50 00 57 cd | ok | HALT
5193244 | 5194236 | Rdr | 52 | | WUPA
5195504 | 5197872 | Tag | 04 00 | |
5218608 | 5222128 | Tag | 08 b6 dd | |
5356220 | 5360988 | Rdr | 50 00 57 cd | ok | HALT
5406016 | 5408384 | Tag | 04 00 | |
5417420 | 5427948 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
5429152 | 5432672 | Tag | 08 b6 dd | |
5570556 | 5571548 | Rdr | 52 | | WUPA
5572800 | 5575168 | Tag | 04 00 | |
5584204 | 5594732 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
5595936 | 5599456 | Tag | 08 b6 dd | |
12075776 | 12078144 | Tag | 04 00 | |
12087196 | 12097724 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
12098928 | 12102448 | Tag | 08 b6 dd | |
13913680 | 13916048 | Tag | 04 00 | |
13936816 | 13940336 | Tag | 08 b6 dd | |
15814224 | 15816592 | Tag | 04 00 | |
15837376 | 15840896 | Tag | 08 b6 dd | |
17688364 | 17693132 | Rdr | 50 00 57 cd | ok | HALT
17738224 | 17740592 | Tag | 04 00 | |
17749660 | 17760188 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
17761376 | 17764896 | Tag | 08 b6 dd | |
19585056 | 19587424 | Tag | 04 00 | |
19596492 | 19607020 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
19608208 | 19611728 | Tag | 08 b6 dd | |
21400860 | 21405628 | Rdr | 50 00 57 cd | ok | HALT
21451440 | 21453808 | Tag | 04 00 | |
21474592 | 21478112 | Tag | 08 b6 dd | |
23306652 | 23311420 | Rdr | 50 00 57 cd | ok | HALT
23356528 | 23358896 | Tag | 04 00 | |
23379680 | 23383200 | Tag | 08 b6 dd | |
25246528 | 25248896 | Tag | 04 00 | |
25269664 | 25273184 | Tag | 08 b6 dd | |
27134832 | 27137200 | Tag | 04 00 | |
27146252 | 27156780 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
27157968 | 27161488 | Tag | 08 b6 dd | |
28964652 | 28969420 | Rdr | 50 00 57 cd | ok | HALT
29012300 | 29013292 | Rdr | 52 | | WUPA
29014528 | 29016896 | Tag | 04 00 | |
29025964 | 29036492 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
29037696 | 29041216 | Tag | 08 b6 dd | |
30923744 | 30926112 | Tag | 04 00 | |
30935180 | 30945708 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
30946912 | 30950432 | Tag | 08 b6 dd | |
32760540 | 32765308 | Rdr | 50 00 57 cd | ok | HALT
32810432 | 32812800 | Tag | 04 00 | |
32833568 | 32837088 | Tag | 08 b6 dd | |
34690064 | 34692432 | Tag | 04 00 | |
34713216 | 34716736 | Tag | 08 b6 dd
Proxmark has a problem sniffing between my device and Android only.
But Proxmark correctly reads my device:
proxmark3> hf mf rdbl 9 a a0a1a2a3a4a5
--block no:9, key type:A, key:a0 a1 a2 a3 a4 a5
#db# READ BLOCK FINISHED
isOk:01 data:01 02 03 04 04 08 04 00 62 63 64 65 66 67 68 69
proxmark3> hf mf rdbl 9 a a0a1a2a3a4a5
--block no:9, key type:A, key:a0 a1 a2 a3 a4 a5
#db# READ BLOCK FINISHED
isOk:01 data:01 02 03 04 04 08 04 00 62 63 64 65 66 67 68 69
proxmark3> hf list 14a
Recorded Activity (TraceLen = 188 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer iso14443a - All times are in carrier periods (1/13.56Mhz) iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 04 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10692 | 16580 | Tag | 01 02 03 04 04 | |
19072 | 29600 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
30788 | 34308 | Tag | 08 b6 dd | |
35968 | 40736 | Rdr | 60 09 34 e6 | ok | AUTH-A(9)
41924 | 46596 | Tag | 00 00 00 00 | |
56320 | 65632 | Rdr | c1 f4! 5f 1b 25! a0! 69! 61! | !crc| DEC(244)
75124 | 79796 | Tag | 62 92 09 6c | |
85760 | 90464 | Rdr |5e! 23! 73 3e! | !crc| ?
121508 | 142372 | Tag | 89 18! 09! c3! 1a 7c a6 f7! f8 a5! f7! c6 94 28! 5a! 31! | |
| | | 4e 12! | !crc|
155520 | 160288 | Rdr |30! ef 54! be! | !crc| READBLOCK(239)
Please have a look at the topic of this issue. I don't see a trace of hf mf sim?
@pwpiwi ,
proxmark3> hf mf eload 98
..#db# Emulator stopped. Tracing: 1 trace length: 0
..............................................................
Loaded 64 blocks from file: 98.eml
proxmark3> hf mf sim n 0
mf 1k sim uid: N/A, numreads:0, flags:0 (0x00)
...this issue is starting to become very unclear. I suggest we close it and when someone actually has problems with "hf mf sim", with provided needed information, they can open a new issue.
@maxben14 : still no trace? You need to run hf list 14a after hf mf sim.
@pwpiwi, in the log I see that after a correct AUTH Android sends HALT. My log with the Proxmark as a 1k emulator:
proxmark3> hf list 14a
Recorded Activity (TraceLen = 1670 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer iso14443a - All times are in carrier periods (1/13.56Mhz) iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 38112 | Rdr | f0 1e d4 00 9a 17 98 87 0d 3f 1c 88 68 19 00 00 | |
| | | 00 32 46 66 6d 01 01 11 03 02 00 13 04 01 96 6f | |
| | | c6 | ok | ?
141712 | 142768 | Rdr | 26 | | REQA
143940 | 146308 | Tag | 04 00 | |
154128 | 156592 | Rdr | 93 20 | | ANTICOLL
157764 | 163652 | Tag | 01 02 03 04 04 | |
6031184 | 6069296 | Rdr | f0 1e d4 00 50 67 79 6d b7 7e 9e 43 9f 17 00 00 | |
| | | 00 32 46 66 6d 01 01 11 03 02 00 13 04 01 96 71 | |
| | | 05 | ok | ?
6172908 | 6173964 | Rdr | 26 | | REQA
6175136 | 6177504 | Tag | 04 00 | |
6185522 | 6187986 | Rdr | 93 20 | | ANTICOLL
6189158 | 6195046 | Tag | 01 02 03 04 04 | |
6199106 | 6209634 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
6210806 | 6214326 | Tag | 08 b6 dd | |
6651568 | 6656336 | Rdr | 50 00 57 cd | ok | HALT
6698472 | 6699464 | Rdr | 52 | | WUPA
6700700 | 6703068 | Tag | 04 00 | |
6712132 | 6722660 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
6723832 | 6727352 | Tag | 08 b6 dd | |
6861712 | 6866480 | Rdr | 50 00 57 cd | ok | HALT
6909342 | 6910334 | Rdr | 52 | | WUPA
6911570 | 6913938 | Tag | 04 00 | |
6922984 | 6933512 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
6934684 | 6938204 | Tag | 08 b6 dd | |
6993904 | 6998672 | Rdr | 50 00 57 cd | ok | HALT
7041514 | 7042506 | Rdr | 52 | | WUPA
7043742 | 7046110 | Tag | 04 00 | |
7055206 | 7065734 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
7066906 | 7070426 | Tag | 08 b6 dd | |
7213456 | 7218160 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
7222724 | 7227396 | Tag | 00 00 00 00 | |
7231512 | 7240824 | Rdr | 38 ea! ca! 56 09! 5f! cd! b8 | !crc| ?
7249548 | 7254220 | Tag | 48 79 15 09 | |
7332986 | 7337754 | Rdr | 50 00 57 cd | ok | HALT
7341486 | 7342126 | Tag |03! | |
7456032 | 7457024 | Rdr | 52 | | WUPA
7458260 | 7460628 | Tag | 04 00 | |
7468868 | 7479396 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
7480568 | 7484088 | Tag | 08 b6 dd | |
7682382 | 7687086 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
7691586 | 7696258 | Tag | 00 00 00 00 | |
7700366 | 7709742 | Rdr |b1! e5 38 7a! 2c! c4 bd 42! | !crc| ?
7718338 | 7723010 | Tag | e5 16 5f 36 | |
7826298 | 7831066 | Rdr | 50 00 57 cd | ok | HALT
7834798 | 7835374 | Tag | 0e | |
7931900 | 7932892 | Rdr | 52 | | WUPA
7934128 | 7936496 | Tag | 04 00 | |
7944734 | 7955262 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
7956434 | 7959954 | Tag | 08 b6 dd | |
8685040 | 8689808 | Rdr | 50 00 57 cd | ok | HALT
8731972 | 8732964 | Rdr | 52 | | WUPA
8734200 | 8736568 | Tag | 04 00 | |
8745632 | 8756160 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
8757332 | 8760852 | Tag | 08 b6 dd | |
8854032 | 8858800 | Rdr | 50 00 57 cd | ok | HALT
8901662 | 8902654 | Rdr | 52 | | WUPA
8903890 | 8906258 | Tag | 04 00 | |
8915322 | 8925850 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
8927022 | 8930542 | Tag | 08 b6 dd | |
9062872 | 9067640 | Rdr | 60 08 bd f7 | ok | AUTH-A(8)
9072140 | 9076812 | Tag | 00 00 00 00 | |
9080920 | 9090296 | Rdr |40! cb! 73! 0b 44 ac! b5! 00! | !crc| MAGIC WUPC1
9098892 | 9103628 | Tag | 7b a4 5a 98 | |
9170646 | 9175414 | Rdr | 50 00 57 cd | ok | HALT
9179018 | 9179594 | Tag | 08 | |
20113072 | 20151184 | Rdr | f0 1e d4 00 c1 80 6c c0 75 ca 2d e4 cf e4 00 00 | |
| | | 00 32 46 66 6d 01 01 11 03 02 00 13 04 01 96 0f | |
| | | de | ok | ?
20254808 | 20255864 | Rdr | 26 | | REQA
20257036 | 20259404 | Tag | 04 00 | |
20267022 | 20269486 | Rdr | 93 20 | | ANTICOLL
20270658 | 20276546 | Tag | 01 02 03 04 04 | |
20280572 | 20291100 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
20292272 | 20295792 | Tag | 08 b6 dd | |
20652176 | 20656944 | Rdr | 50 00 57 cd | ok | HALT
20699806 | 20700798 | Rdr | 52 | | WUPA
20702034 | 20704402 | Tag | 04 00 | |
20713450 | 20723978 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
20725150 | 20728670 | Tag | 08 b6 dd | |
20794400 | 20799168 | Rdr | 50 00 57 cd | ok | HALT
20841320 | 20842312 | Rdr | 52 | | WUPA
20843548 | 20845916 | Tag | 04 00 | |
20854980 | 20865508 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
20866680 | 20870200 | Tag | 08 b6 dd | |
20972768 | 20977536 | Rdr | 50 00 57 cd | ok | HALT
21020394 | 21021386 | Rdr | 52 | | WUPA
21022622 | 21024990 | Tag | 04 00 | |
21034086 | 21044614 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
21045786 | 21049306 | Tag | 08 b6 dd | |
21152918 | 21157622 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
21162250 | 21166922 | Tag | 00 00 00 00 | |
21171086 | 21180398 | Rdr | 22 26 c6 e6 f5 20 0b 31! | !crc| ?
21188930 | 21193602 | Tag | 68 c0 03 30 | |
21274382 | 21279150 | Rdr | 50 00 57 cd | ok | HALT
21282754 | 21283394 | Tag | 04 | |
21427178 | 21428170 | Rdr | 52 | | WUPA
21429406 | 21431774 | Tag | 04 00 | |
21440030 | 21450558 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
21451730 | 21455250 | Tag | 08 b6 dd | |
21662998 | 21667702 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
21672330 | 21677002 | Tag | 00 00 00 00 | |
21681166 | 21690478 | Rdr | 89 1c 4a! 5d ee! 0f a4! d2 | !crc| ?
21699010 | 21703682 | Tag | 96 f9 87 7e | |
21812012 | 21816780 | Rdr | 50 00 57 cd | ok | HALT
21820320 | 21820896 | Tag |0a! | |
21967904 | 21968896 | Rdr | 52 | | WUPA
21970132 | 21972500 | Tag | 04 00 | |
21980740 | 21991268 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
21992440 | 21995960 | Tag | 08 b6 dd | |
22620224 | 22624992 | Rdr | 50 00 57 cd | ok | HALT
22668574 | 22669566 | Rdr | 52 | | WUPA
22670802 | 22673170 | Tag | 04 00 | |
22682234 | 22692762 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
22693934 | 22697454 | Tag | 08 b6 dd | |
22751984 | 22756752 | Rdr | 50 00 57 cd | ok | HALT
22799646 | 22800638 | Rdr | 52 | | WUPA
22801874 | 22804242 | Tag | 04 00 | |
22813290 | 22823818 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
22824990 | 22828510 | Tag | 08 b6 dd | |
22959064 | 22963832 | Rdr | 60 08 bd f7 | ok | AUTH-A(8)
22968204 | 22972876 | Tag | 00 00 00 00 | |
22976976 | 22986288 | Rdr |82! da db a8 9e! 8e! 1b! 0f | !crc| ?
22994884 | 22999556 | Tag | 56 94 5a 21 | |
23099770 | 23104538 | Rdr | 50 00 57 cd | ok | HALT
23108270 | 23108846 | Tag |0a!
So, to make sure, are you running the latest source code (compiled and flashed) from the official pm3 GitHub? It contains some fixes from the last week.
android decrypt command HALT send
- this is an Android problem. send commands w/o authentication.
Cards just leave the field in this case. It makes no sense)
as for here
7231512 | 7240824 | Rdr | 38 ea! ca! 56 09! 5f! cd! b8 | !crc| ?
7249548 | 7254220 | Tag | 48 79 15 09 | |
7332986 | 7337754 | Rdr | 50 00 57 cd | ok | HALT
1 unit = 74 ns
7249548 - 7240824 = 8724 = 0.6 ms (it seems that it is good, but not as good as a real card)
7332986 - 7254220 = 78766 = 5.8 ms
So it may be just a timeout, and I'm sure that Android doesn't see the authentication. There may also be problems with the field here (and to be sure, the communication needs to be sniffed with a 2nd Proxmark or another sniffer).
@iceman1001, my version is the latest.
proxmark3> hw version
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-191-g1497150-suspect 2017-11-26 08:37:57
os: master/v3.0.1-191-g1497150-suspect 2017-11-26 08:38:01
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 199396 bytes (76%). Free: 62748 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
@pwpiwi , I think the basic problem in hf mf sim is that the algorithm calculates the filter function not from tables, but by formulas. I think calculating from tables will speed up the emulator.
will, or calculating in FPGA.... but there is no room for that.
@maxben14 : Can you please do the same with your ACR122 reader?
@pwpiwi ,
between my emulator and acr122:
0 | 2560 | Tag | d1 ff 00! | |
21435424 | 21437792 | Tag | 04 00 | |
21511440 | 21513808 | Tag | 04 00 | |
21587488 | 21589856 | Tag | 04 00 | |
22174224 | 22176592 | Tag | 04 00 | |
22249744 | 22252112 | Tag | 04 00 | |
22325264 | 22327632 | Tag | 04 00 | |
26007436 | 26008492 | Rdr | 26 | | REQA
26009680 | 26012048 | Tag | 04 00 | |
26020732 | 26023196 | Rdr | 93 20 | | ANTICOLL
26024400 | 26030288 | Tag | 01 02 03 04 04 | |
26051580 | 26062108 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
26063312 | 26066832 | Tag | 08 b6 dd | |
30179244 | 30180236 | Rdr | 52 | | WUPA
30181488 | 30183856 | Tag | 04 00 | |
30197148 | 30207676 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
30208880 | 30212400 | Tag | 08 b6 dd | |
33241196 | 33242188 | Rdr | 52 | | WUPA
33243440 | 33245808 | Tag | 04 00 | |
33259100 | 33269628 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
33270816 | 33274336 | Tag | 08 b6 dd | |
36303132 | 36304124 | Rdr | 52 | | WUPA
36305376 | 36307744 | Tag | 04 00 | |
36320908 | 36331436 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
36332624 | 36336144 | Tag | 08 b6 dd | |
39364940 | 39365932 | Rdr | 52 | | WUPA
39367200 | 39369568 | Tag | 04 00 | |
39382716 | 39393244 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
39394448 | 39397968 | Tag | 08 b6 dd | |
42426748 | 42427740 | Rdr | 52 | | WUPA
42429008 | 42431376 | Tag | 04 00 | |
42444524 | 42455052 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
42456240 | 42459760 | Tag | 08 b6 dd | |
45488556 | 45489548 | Rdr | 52 | | WUPA
45490800 | 45493168 | Tag | 04 00 | |
45506460 | 45516988 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
45518176 | 45521696 | Tag | 08 b6 dd | |
48550508 | 48551500 | Rdr | 52 | | WUPA
48552752 | 48555120 | Tag | 04 00 | |
48568284 | 48578812 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
48580000 | 48583520 | Tag | 08 b6 dd | |
51612316 | 51613308 | Rdr | 52 | | WUPA
51614560 | 51616928 | Tag | 04 00 | |
51630092 | 51640620 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
51641824 | 51645344 | Tag | 08 b6 dd | |
54674124 | 54675116 | Rdr | 52 | | WUPA
54676384 | 54678752 | Tag | 04 00 | |
54691900 | 54702428 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
54703648 | 54707168 | Tag | 08 b6 dd | |
57735948 | 57736940 | Rdr | 52 | | WUPA
57738192 | 57740560 | Tag | 04 00 | |
57753724 | 57764252 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
57765440 | 57768960 | Tag | 08 b6 dd | |
60797756 | 60798748 | Rdr | 52 | | WUPA
60800016 | 60802384 | Tag | 04 00 | |
60815532 | 60826060 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
60827264 | 60830784 | Tag | 08 b6 dd | |
63859580 | 63860572 | Rdr | 52 | | WUPA
63861824 | 63864192 | Tag | 04 00 | |
63877356 | 63887884 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
63889088 | 63892608 | Tag | 08 b6 dd | |
66921388 | 66922380 | Rdr | 52 | | WUPA
66923632 | 66926000 | Tag | 04 00 | |
66939164 | 66949692 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
66950880 | 66954400 | Tag | 08 b6 dd | |
69983212 | 69984204 | Rdr | 52 | | WUPA
69985456 | 69987824 | Tag | 04 00 | |
70000988 | 70011516 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
70012704 | 70016224 | Tag | 08 b6 dd | |
73045020 | 73046012 | Rdr | 52 | | WUPA
73047264 | 73049632 | Tag | 04 00 | |
73062796 | 73073324 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
73074528 | 73078048 | Tag | 08 b6 dd | |
75966460 | 75967516 | Rdr | 26 | | REQA
75968704 | 75971072 | Tag | 04 00 | |
75979628 | 75982092 | Rdr | 93 20 | | ANTICOLL
75983296 | 75989184 | Tag | 01 02 03 04 04 | |
76010476 | 76021004 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
76022192 | 76025712 | Tag | 08 b6 dd | |
76362588 | 76367292 | Rdr | 60 3f 81 b2 | ok | AUTH-A(63)
76368544 | 76373216 | Tag | 00 00 00 00 | |
76374620 | 76383932 | Rdr | bd 57! ae 81! 3e e3 03 f2! | !crc| ?
76391536 | 76396208 | Tag | d8 39 78 de | |
76550684 | 76551676 | Rdr | 52 | | WUPA
76552928 | 76555296 | Tag | 04 00 | |
76568588 | 76579116 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
76580304 | 76583824 | Tag | 08 b6 dd | |
76760700 | 76765404 | Rdr | 60 3f 81 b2 | ok | AUTH-A(63)
76766656 | 76771328 | Tag | 00 00 00 00 | |
76772732 | 76782108 | Rdr | c3 cd e9 c4! 9b ef! ea d9 | !crc| ?
76789728 | 76794400 | Tag | 50 d4 ed 4d | |
76950524 | 76951516 | Rdr | 52 | | WUPA
76952784 | 76955152 | Tag | 04 00 | |
76968428 | 76978956 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
76980160 | 76983680 | Tag | 08 b6 dd | |
77171052 | 77175756 | Rdr | 60 3f 81 b2 | ok | AUTH-A(63)
77177008 | 77181680 | Tag | 00 00 00 00 | |
77183084 | 77192396 | Rdr | 57 3f! 3a 08! 94! 00! 9f! 7b | !crc| ?
77200000 | 77204672 | Tag | c4 85 5b e2 | |
77293852 | 77298556 | Rdr |b4! 74! b7 be | !crc| ?
77324432 | 77345296 | Tag | 9b 7a! 0d 89 c7 0d! d7 a3! 1c! 82! e9! fe ad 4a! 2b 5f | |
| | | 67 9a! | !crc|
77471292 | 77475996 | Rdr |90! 71! d7! 65 | !crc| ?
77501856 | 77522720 | Tag |a2! 9f 16! 2e 8b 69 15 de 2e 22 d4! c1! 66! 4a! 51 c3 | |
| | | 18 32 | !crc|
77648076 | 77652844 | Rdr |2c! b5 0c! 90! | !crc| ?
77678704 | 77699504 | Tag |28! e8 06! e1! 4a! b5! c5! 84! 4d! 7f e5 51 75! 41! c0! f9 | |
| | | 20 af | !crc|
77827228 | 77831996 | Rdr |1b! 9f! 8a! c1 | !crc| PWD-AUTH
77857856 | 77878656 | Tag |62! e1! 6b! a4 12! a2 8c! 9d! 08 f9 b0 47! d7 af! f4! a4! | |
| | |ec! e2 | !crc|
78042476 | 78047244 | Rdr |1f! 57! 5a 0a! | !crc| ?
78904284 | 78905276 | Rdr | 52 | | WUPA
78906528 | 78908896 | Tag | 04 00 | |
78922188 | 78932716 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
78933920 | 78937440 | Tag | 08 b6 dd | |
79125452 | 79130220 | Rdr | 60 3b a5 f4 | ok | AUTH-A(59)
79131408 | 79136080 | Tag | 00 00 00 00 | |
79137484 | 79146796 | Rdr | 95 7e! cf! b5 d0! 0a! b7 08! | !crc| ANTICOLL-2
79154400 | 79159136 | Tag | 41 10 86 f2 | |
79316748 | 79317740 | Rdr | 52 | | WUPA
79318992 | 79321360 | Tag | 04 00 | |
79334668 | 79345196 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
79346384 | 79349904 | Tag | 08 b6 dd | |
79529980 | 79534748 | Rdr | 60 3b a5 f4 | ok | AUTH-A(59)
79535936 | 79540608 | Tag | 00 00 00 00 | |
79542012 | 79551388 | Rdr | e8 6e! ed 98! 94 01 e3 87! | !crc| ?
79558992 | 79563728 | Tag | e3 35 09 7f | |
79644044 | 79648748 | Rdr | da 70! 85 89! | !crc| ?
79674592 | 79695392 | Tag | 8e a1 00! 3d 8f! 04! 41! 14 01! 4c! d2! b9 8f! 97 58 c0 | |
| | |17! e0! | !crc|
79813388 | 79818156 | Rdr |59! af 73! 68 | !crc| ?
79844032 | 79864896 | Tag |58! fd f7 b9! a7! 55! 7c! 2b 48 90! 77! ff 62! 9b c0! cb | |
| | | ff fa! | !crc|
101814028 | 101815020 | Rdr | 52 | | WUPA
101816272 | 101818640 | Tag | 04 00
@maxben14: sorry, I wasn't clear enough. Can you please run hf mf sim (after you have loaded a card content with hf eload) against your ACR122. Then run hf list 14a and provide the output here.
The initially identified bugs have been fixed. The trace with hf mf sim shows no incorrect tag responses.
Both traces (with @maxben14 's simulator and with hf mf sim) show a consistent behaviour: it always takes three attempts to authenticate. The trace of the third attempt can be used to extract the key with mfkey64: a0a1a2a3a4a5. The first two attempts cannot be used to extract a key with mfkey32. Hence we can assume that the reader tries three different keys before succeeding.
@maxben14: your simulator has timing issues. The response to a REQA must start after exactly 1172 carrier clock cycles, the response to a WUPA must start after exactly 1236 clock cycles.
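The REQA/WUPA timing requirement stated above can be checked directly against hf list 14a output. The following is an added example, not part of the thread or of the Proxmark code: it pairs each reader frame with the tag frame that directly follows it and reports the delay in carrier cycles. The sample rows are copied from the two simulator traces in this thread; the function and constant names are hypothetical.

```python
CARRIER_HZ = 13_560_000  # trace times are in carrier periods (1/13.56 MHz)

# Required start of the tag answer, in carrier cycles after the end of the
# reader frame, as stated in the thread for these two commands.
EXPECTED_DELAY = {"REQA": 1172, "WUPA": 1236}

# Rows copied from the hf mf sim trace (Android reader) in this thread.
PM3_SIM_TRACE = """\
141712 | 142768 | Rdr | 26 | | REQA
143940 | 146308 | Tag | 04 00 | |
6698472 | 6699464 | Rdr | 52 | | WUPA
6700700 | 6703068 | Tag | 04 00 | |
7231512 | 7240824 | Rdr | 38 ea! ca! 56 09! 5f! cd! b8 | !crc| ?
7249548 | 7254220 | Tag | 48 79 15 09 | |
"""

# Rows copied from the trace of the poster's own simulator against the ACR122.
OTHER_SIM_TRACE = """\
26007436 | 26008492 | Rdr | 26 | | REQA
26009680 | 26012048 | Tag | 04 00 | |
30179244 | 30180236 | Rdr | 52 | | WUPA
30181488 | 30183856 | Tag | 04 00 | |
"""


def parse_trace(text):
    """Return (start, end, src, annotation) per frame; skip non-frame rows."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or not cols[0].isdigit() or not cols[1].isdigit():
            continue  # header, separator, or wrapped continuation of a frame
        annotation = cols[5] if len(cols) > 5 else ""
        frames.append((int(cols[0]), int(cols[1]), cols[2], annotation))
    return frames


def response_delays(text):
    """Delay from end of each reader frame to start of the next tag frame."""
    frames = parse_trace(text)
    report = []
    for rdr, tag in zip(frames, frames[1:]):
        if rdr[2] != "Rdr" or tag[2] != "Tag":
            continue
        cycles = tag[0] - rdr[1]
        expected = EXPECTED_DELAY.get(rdr[3])  # None: no exact value given
        report.append({
            "cmd": rdr[3] or "?",
            "cycles": cycles,
            "us": round(cycles * 1e6 / CARRIER_HZ, 1),
            "expected": expected,
            "ok": expected is None or cycles == expected,
        })
    return report


if __name__ == "__main__":
    for name, trace in (("hf mf sim", PM3_SIM_TRACE),
                        ("other simulator", OTHER_SIM_TRACE)):
        for d in response_delays(trace):
            flag = "ok" if d["ok"] else f"expected {d['expected']}"
            print(f"{name:16} {d['cmd']:5} {d['cycles']:6} cycles "
                  f"({d['us']} us) {flag}")
```

The third row pair in the first sample is the authentication exchange whose 8724-cycle delay was worked out by hand earlier in the thread.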
Everything IS working as expected. Great work @pwpiwi
@pwpiwi , "it always takes three attempts to authenticate." The Android system takes 2 AUTH attempts in sector 0, my app takes only one AUTH attempt.
I try to emulate the mifare classic and read through my smartphone with android MCT apk.
proxmark3> hf mf sim n 0
mf 1k sim uid: N/A, numreads:0, flags:0 (0x00)
#db# 7B UID: 04 53 5d 42 a7 49 80
#db# Reader tried to operate (0x30) on out of range block: 222 (0xde), nacking
#db# Emulator stopped. Tracing: 1 trace length: 27908
proxmark3> hf list 14a
.......
188213078 | 188215446 | Tag | 44 00 | |
188224958 | 188235486 | Rdr | 93 70 88 04 53 5d 82 17 d3 | ok | SELECT_UID
188236978 | 188240498 | Tag | 04 da 17 | |
188243234 | 188245698 | Rdr | 95 20 | | ANTICOLL-2
188247382 | 188253270 | Tag | 42 a7 49 80 2c | |
188257314 | 188267842 | Rdr | 95 70 42 a7 49 80 2c 2d 5e | ok | ANTICOLL-2
188269398 | 188272918 | Tag | 08 b6 dd | |
188503146 | 188507914 | Rdr | 61 00 2d 62 | ok | AUTH-B(0)
188512414 | 188517150 | Tag | 01 02 03 04 | |
188521244 | 188530620 | Rdr |95! cb! 40 8c 0f! 84 ec 75 | !crc| ANTICOLL-2
188539152 | 188543824 | Tag | e7 86 42 2d | |
188614336 | 188619104 | Rdr | 30 de 37 97 | !crc| READBLOCK(222)
188622644 | 188623284 | Tag | 07 | |
188826048 | 188827040 | Rdr | 52 | | WUPA
188828596 | 188830964 | Tag | 44 00 | |
188839586 | 188850114 | Rdr | 93 70 88 04 53 5d 82 17 d3 | ok | SELECT_UID
188851670 | 188855190 | Tag | 04 da 17 | |
188857926 | 188860390 | Rdr | 95 20 | | ANTICOLL-2
188862074 | 188867962 | Tag | 42 a7 49 80 2c | |
188872006 | 188882534 | Rdr | 95 70 42 a7 49 80 2c 2d 5e | ok | ANTICOLL-2
188884090 | 188887610 | Tag | 08 b6 dd | |
188977072 | 188981840 | Rdr | 50 00 57 cd | ok | HALT
................
I try to decrypt this with mfkey32
C:\prox\ProxSpace\pm3\tools\mfkey>mfkey64 42a74980 01020304 95cb408c 0f84ec75 e786422d 30de3797
MIFARE Classic key recovery - based on 64 bits of keystream
Recover key from only one complete authentication!
Recovering key for:
uid: 42a74980
nt: 01020304
{nr}: 95cb408c
{ar}: 0f84ec75
{at}: e786422d
{enc0}: 30de3797
LFSR successors of the tag challenge:
nt' : 20f8ed56
nt'': 3c2bcdad
Time spent in lfsr_recovery64(): 0.14 seconds
Keystream used to generate {ar} and {at}:
ks2: 2f7c0123
ks3: dbad8f80
Decrypted communication:
{dec0}: 500057cd
Found Key: [a0a1a2a3a4a5]
I found a bug in this command. Why does Proxmark think that 30 de 37 97 is decrypted communication? After authorization, all communication is encrypted. And this is actually the halt command 50 00 57 cd.
And a second problem, with MCT: Error: None of the keys were valid for reading. The MCT often returns an error when authorizing, when I attach a Proxmark simulating a classic card to the phone. I tried it on acr122, everything works well there.
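The !crc flag on the 30 de 37 97 row is what separates a raw encrypted frame from a plaintext one: hf list 14a annotates the bytes as captured, while the frame that mfkey64 prints as {dec0} carries a valid CRC_A. The following is an added example, not Proxmark code: it implements the ISO/IEC 14443-3 Type A CRC and keeps a trace annotation only when the raw frame passes it. The rows are copied from the trace and the mfkey64 output above; the function names are hypothetical.

```python
def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 Type A CRC (initial value 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def frame_bytes(column: str) -> bytes:
    """Convert a trace data column such as '95! cb! 40' to bytes.

    The '!' parity-error markers are display-only and are dropped.
    """
    return bytes.fromhex(column.replace("!", ""))


def has_valid_crc(frame: bytes) -> bool:
    """True when the last two bytes are the CRC_A of the preceding bytes."""
    return len(frame) >= 3 and crc_a(frame[:-2]) == frame[-2:]


def triage(rows):
    """Keep an annotation only when the raw frame carries a valid CRC_A.

    A frame that fails the check is either encrypted (sent after a
    successful authentication), carries no CRC at all (the {nr}{ar}
    frame), or is corrupted; its command annotation cannot be trusted.
    """
    result = []
    for data, annotation in rows:
        frame = frame_bytes(data)
        if has_valid_crc(frame):
            verdict = annotation
        else:
            verdict = "not plaintext, annotation unreliable"
        result.append((frame.hex(), verdict))
    return result


# (data column, annotation) pairs copied from the trace above; the last
# row is the {dec0} value printed by mfkey64, with the name HALT that the
# post gives it.
ROWS = [
    ("61 00 2d 62", "AUTH-B(0)"),
    ("95! cb! 40 8c 0f! 84 ec 75", "ANTICOLL-2"),
    ("30 de 37 97", "READBLOCK(222)"),
    ("50 00 57 cd", "HALT"),
]

if __name__ == "__main__":
    for frame_hex, verdict in triage(ROWS):
        print(f"{frame_hex:18} {verdict}")
```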