FM11RF005M reading/cloning problem

[secit-pl]

I'm trying to clone the FM11RF005M card but it looks like it's not supported by current firmware as it cannot be read (BCC0 incorrect, got 0x00, expected 0x0a).

I have also found some forum information about lack of support for this card http://proxmark.io/www.proxmark.org/forum/viewtopic.php%3Fpid=43788.html#p43788

Could you please add suport for it?

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  RRG/Iceman/master/v4.14831 2022-01-11 19:17:19
  compiled with............. Clang/LLVM Apple LLVM 12.0.0 (clang-1200.0.32.28)
  platform.................. OSX / x86_64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... absent
  Python script support..... absent
  Lua SWIG support.......... present
  Python SWIG support....... absent

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.14831-274-g9abb026d0 2022-02-14 01:56:35
       os: RRG/Iceman/master/v4.14831-274-g9abb026d0 2022-02-14 02:13:32
  compiled with GCC 10.2.1 20201103 (release)

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
  HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 53% used )
[usb] pm3 --> hf search
 🕗  Searching for ISO14443-A tag...[#] BCC0 incorrect, got 0x00, expected 0x0a
[#] Aborting
[!] ⚠️  No known/supported 13.56 MHz tags found
[usb] pm3 --> hf 14a info
[#] BCC0 incorrect, got 0x00, expected 0x0a
[#] Aborting

Datasheet -> https://www.datasheetarchive.com/pdf/download.php?id=00568652df7ca75faff183a3817b91facc6109&type=P&term=IC%2520TDA%25208335

[iceman1001]

This is an open source project, feel free to contribute!

[iceman1001]

ref: https://github.com/RfidResearchGroup/proxmark3/issues/875

[lsylx]

Some details for it FM11RF005M Use the same crypto1 algorithm But keys use into calculation is the Real 32 bit key + 16 bit 0 And keys are stored in Block 8 of the card unencrypted For example: Real key in block 8 : AB CD EF 12 Key used for encryption : AB CD EF 12 00 00

You can use the command 60xx to authenticate to get full access of the card or just like ref: #875 to get unprotected data (Block 0-7)

[lsylx]

I abstracted out some of my codes from my modified version of proxmark3 This might can help fix the UID reading problem

proxmark3/armsrc/iso14443a.c
 Line 2517 +

   if (((p_card->atqa[0]==0x03) || (p_card->atqa[0]==0x05))  && p_card->atqa[1]==0x00) //11RF005SH or 11RF005M, Read UID again
    {
        uint8_t fudancardread[]    = { 0x30,0x01,0x00,0x00 };
        AddCrc14A(fudancardread, 2);
        ReaderTransmit(fudancardread, sizeof(fudancardread), NULL); //ReadReal UID
        ReaderReceive(resp, resp_par);
        memcpy(p_card->uid, resp, 4);
        GetATQA(resp, resp_par);
        GetATQA(resp, resp_par);
        p_card->sak = 0x0A;
        p_card->uidlen =4;
        return 1;
    }

proxmark3/client/src/cmdhf14a.c
Line 1587 +

  } else if ((sak & 0x0A) == 0x0A && (atqa & 0x0003) == 0x0003) {
        printTag("FM11RF005SH");
        type |= MTOTHER;
    } 
       else if ((sak & 0x0A) == 0x0A && (atqa & 0x0005) == 0x0005) {
        printTag("FM11RF005M");
        type |= MTOTHER;
    } 
       else if ((sak & 0x53) == 0x53) {
            printTag("FM11RF005SH");
            type |= MTOTHER;
}

[iceman1001]

Nice finds,

I mapped 0x0003 to FM11RF005M I mapped 0x0005 to FM11RF005SH when I looked into the datasheets. You have it the other way around.

And 0x53 SAK, where did you get it to map to FM11RF005SH?

[lsylx]

Nice finds,

I mapped 0x0003 to FM11RF005M I mapped 0x0005 to FM11RF005SH when I looked into the datasheets. You have it the other way around.

And 0x53 SAK, where did you get it to map to FM11RF005SH?

Actually the identifier stores in the block 0 of these cards. You can do 3000 to read it out A typical 005SH block 0 is: ‘03 00 02 90’ 03 is the Atqa of this card 0x0003 Also, A typical 005M block 0 is: ‘05 00 XX XX’ So, 0x0003 is 005SH 0x0005 is 005M And the datasheet isn’t fully correct. And a lot of important points didn’t give out. Even some of the commands mapped wrongly. Maybe I will make a corrected version of the datasheet instead of the original one.

The UID stores in block 1 And can be read out by 3001 command.

(Whoops, I found that I wrote it wrong in my code, it should be FM11RF08SH with SAK 0x53, It is a differently card with memory layout identical to mifare except authentication algorithm. But anyway I will share the findings below)

And also the same way the SAK of 08SH reads out also from the 3000 command without authentication needed You will get a card response in this layout AABBCCDDEE53XXXXXXXXXXXX 0x53 is the SAK and also you can use the ‘hf 14a reader’ command to get the SAK too.

[iceman1001]

@lsylx I pushed some adaptations of your fudan anti collision and 14a info identification.

Would you mind testing them out?

[iceman1001]

Thanks for your suggestions, and @doegox for testing, it will now be correct identified

[usb] pm3 --> hf 14a info

[+]  UID: 26 7D 4E 30 
[+] ATQA: 00 03
[+]  SAK: 0A [1]
[+] Possible types:
[+]    FM11RF005SH (FUDAN Shanghai Metro)
[=] proprietary non iso14443-4 card found, RATS not supported
[?] Hint: try hf 14a raw - since FUDAN is different
[?]   hf 14a raw -a -b 7 -k 26
[?]   hf 14a raw -k -c 3000
[?]   hf 14a raw -k -c 3001
[?]   hf 14a raw -k -c 3002
[?]   hf 14a raw -k -c 3003
[?]   hf 14a raw -k -c 3004
[?]   hf 14a raw -k -c 3005
[?]   hf 14a raw -k -c 3006
[?]   hf 14a raw -c 3007

[iceman1001]

There would need to be a hf fudan category of commands to fully support it.

Feel free to make it happen, meanwhile I close this issue.