RfidResearchGroup / ChameleonUltra

The new generation chameleon based on NRF52840 makes the performance of card emulation more stable. And gave the chameleon the ability to read, write, and decrypt cards.
https://chameleonultra.com
GNU General Public License v3.0

Chameleon FW can't emulate 7B UID Mifare Classic cards #47

Closed the-Jamz closed 1 year ago

the-Jamz commented 1 year ago

Hi, so I'm trying to emulate an EV1 tag (without signature), and I can get the UID/ATQA/SAK to emulate correctly, but then cannot read any data from the tag. I'm using a proxmark3 generic to verify. Any help would be appreciated.

I'm running the latest firmware and using the latest version of the client.

Edit: this now appears to occur with all 7B UID Mifare classic cards.

My steps:

hw mode set -m e
hw slot change -s 1
hw slot openall
hw slot init -t 3 -s 1
hf mf eload -t hex -f dump.eml
hf mf sim --sak 08 --atqa 4400 --uid 04**********80 (7 byte uid)

Reading on the proxmark:

Chameleon:

[usb] pm3 --> hf 14a info

[+]  UID: 04 ** ** ** ** ** 80
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[#] Auth error
[?] Hint: try `hf mf` commands

[usb] pm3 --> hf mf rdbl --blk 0 -k FFFFFFFFFFFF
[#] Auth error

Actual key:

[usb] pm3 --> hf 14a info

[+]  UID: 04 ** ** ** ** ** 80
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
(omitted)

[usb] pm3 --> hf mf rdbl --blk 0 -k FFFFFFFFFFFF

[=]   # | sector 00 / 0x00                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | 04 ** ** ** ** ** 80 88 44 00 C8 20 00 00 00 00 | ****

GameTec-live commented 1 year ago

idk if it makes a difference, but maybe try and load a .bin?

the-Jamz commented 1 year ago

idk if it makes a difference, but maybe try and load a .bin?

Thanks for the suggestion but the same issue; I switched to eml to determine there was nothing wrong with my dump, which it appears there isn't, unless you consider the extra two sectors the original key has for signature verification. My impression is it should be safe to leave off those last two sectors though.

the-Jamz commented 1 year ago

I've also just tried importing the key dictionary to the GUI, dumping the key using the chameleon, and then loading the card through the GUI, but I get the same result.

whywilson commented 1 year ago

Have you tried reversing the ATQA? write it in 0044?

the-Jamz commented 1 year ago

Have you tried reversing the ATQA? write it in 0044?

I have tried this but it yields the error: Card doesn't support standard iso14443-3 anticollision

the-Jamz commented 1 year ago

I've now tried emulating the same dump on my proxmark3 and reading with the chameleon, and it does it fine, so seems to be nothing wrong with the dump itself.

Foxushka commented 1 year ago

Chameleon FW can't currently emulate 7B UID Mifare Classic cards

xianglin1998 commented 1 year ago

Caused by mifareclassic crypto1 using wrong uid cascade level.
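
The root cause named above is which UID bytes feed the cipher. In ISO14443-3A a 7-byte UID is sent in two cascade levels (level 1 carries the cascade tag 0x88 plus UID bytes 0..2, level 2 carries bytes 3..6), and MIFARE Classic authentication mixes only the 4 bytes of the last cascade level with the tag nonce, never the 0x88 frame. The following C is an added illustration written for this thread, not code from the ChameleonUltra firmware: the function names and the 7-byte UID are constructed for the example, and it covers 4-, 7- and 10-byte UIDs rather than only the 7-byte case from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ISO14443-3A cascade tag sent in place of uid0 at every level but the last. */
#define ISO14443A_CASCADE_TAG 0x88

/* Constructed demo UID (not the reporter's card): 7 bytes, ends in 0x80 like the dump. */
static const uint8_t kDemoUid7[7] = {0x04, 0x11, 0x22, 0x33, 0x44, 0x55, 0x80};

/* Number of anticollision cascade levels for a UID length; 0 for an invalid length. */
static int uid_cascade_levels(size_t uid_len) {
    switch (uid_len) {
        case 4:  return 1;   /* single size */
        case 7:  return 2;   /* double size */
        case 10: return 3;   /* triple size */
        default: return 0;
    }
}

/* Build the 5-byte anticollision/select payload (4 UID bytes + BCC) for one cascade level.
 * All levels but the last start with the cascade tag and carry 3 UID bytes.
 * Returns 0 on success, -1 if the length or level is invalid. */
static int iso14443a_cascade_frame(const uint8_t *uid, size_t uid_len, int level, uint8_t out[5]) {
    int levels = uid_cascade_levels(uid_len);
    if (levels == 0 || level < 1 || level > levels) return -1;
    size_t offset = (size_t)(level - 1) * 3;
    if (level < levels) {
        out[0] = ISO14443A_CASCADE_TAG;
        memcpy(&out[1], &uid[offset], 3);
    } else {
        memcpy(&out[0], &uid[offset], 4);
    }
    out[4] = out[0] ^ out[1] ^ out[2] ^ out[3];   /* BCC = XOR of the 4 transmitted bytes */
    return 0;
}

/* The 4 bytes Crypto1 XORs with the tag nonce during MIFARE Classic authentication:
 * the UID itself for a 4-byte UID, otherwise the bytes of the LAST cascade level
 * (uid[3..6] for 7 bytes, uid[6..9] for 10). Using the level-1 frame here is the
 * mismatch that makes a reader's auth fail. Returns 0 on success, -1 on bad length. */
static int mf1_crypto1_uid(const uint8_t *uid, size_t uid_len, uint8_t out[4]) {
    if (uid_cascade_levels(uid_len) == 0) return -1;
    memcpy(out, &uid[uid_len - 4], 4);
    return 0;
}

/* Same value packed big-endian into a 32-bit word; 0 on invalid length. */
static uint32_t mf1_crypto1_uid32(const uint8_t *uid, size_t uid_len) {
    uint8_t u[4];
    if (mf1_crypto1_uid(uid, uid_len, u) != 0) return 0;
    return ((uint32_t)u[0] << 24) | ((uint32_t)u[1] << 16) | ((uint32_t)u[2] << 8) | u[3];
}

/* Accessor for one byte (idx 0..4) of a cascade frame; -1 on any error. */
static int cascade_frame_byte(const uint8_t *uid, size_t uid_len, int level, int idx) {
    uint8_t f[5];
    if (idx < 0 || idx > 4) return -1;
    if (iso14443a_cascade_frame(uid, uid_len, level, f) != 0) return -1;
    return f[idx];
}

int main(void) {
    uint8_t frame[5];
    for (int level = 1; level <= uid_cascade_levels(sizeof kDemoUid7); level++) {
        iso14443a_cascade_frame(kDemoUid7, sizeof kDemoUid7, level, frame);
        printf("CL%d frame: %02X %02X %02X %02X  BCC %02X\n",
               level, frame[0], frame[1], frame[2], frame[3], frame[4]);
    }
    printf("Crypto1 UID word: %08X\n", mf1_crypto1_uid32(kDemoUid7, sizeof kDemoUid7));
    return 0;
}
```

Running it prints a CL1 frame beginning with 88 04 11 22 and a CL2 frame of 33 44 55 80; only the latter 4 bytes belong in the Crypto1 authentication, which is the check a reader like the proxmark performs when it computes the expected response.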

xianglin1998 commented 1 year ago

BUG LINE

https://github.com/RfidResearchGroup/ChameleonUltra/blob/8f2d999363249e6e4e7840bba8a59b1213b042ea/firmware/application/src/rfid/nfctag/hf/nfc_mf1.c#L533

xianglin1998 commented 1 year ago

BUG fixed @ 0e601366f2e4583bc8b568c247c12f68ce8cf0a4

the-Jamz commented 1 year ago

Can confirm issue is fixed for me after updating the firmware, thanks!