Differences

This shows you the differences between two versions of the page.

--- project:freakcard:start [2019/09/01 16:26] – [Low Frequency card] Paradox card demod/clone/emulate abyssal
+++ project:freakcard:start [2019/12/02 01:26] – [High Frequency (HF) card] ISO-15693 magic cards abyssal
@@ Line 359: / Line 359: @@
 This shop sells [[https://www.rfxsecure.com/product/gen2-uid-changeable-fobs-1k-mf-4k-mf-ul-ul-c-df-ntag21x/ | lot of different changeable UID cards and keyfobs, 4-byte and 7-byte, including UID changeable Desfire]]/
+== Magic Desfire ==
+The "magic Desfire" is far from real Desfire, e.g.
+  * writing NDEF file seems to succeed, but read fails, you get just zeros
+  * libfreefare segfaults with the magic Desfire
+  * any SELECT APDU is responded to with OK, but there are no real applications
+In short, waste of money.
+Setting UID on magic Desfire with Proxmark:
+<code>
+hf 14a raw -s -c 02 00 ab 00 00 07 UID
+</code>
 == other mifare cards ==
@@ Line 414: / Line 430: @@
 Proxmark can read them and so can some android phones.
-They contain UID and 64 bytes of data. Reading with proxmark can be done with:
+They contain UID and 4-byte blocks of data. Reading with proxmark can be done with:
 <code>
-hf 15 dumpmemory
+pm3 --> hf 15 reader
+ UID  : E0 16 24 66 1E C1 A5 AD
+ TYPE : EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
+pm3 --> hf 15 dump
+[=] Using UID as filename
+Reading memory from tag UID E0 16 24 66 1E C1 A5 AD
+....................................................[-] Tag returned Error 15: Unknown error.
+block#   | data         |lck| ascii
+---------+--------------+---+----------
+/0x00 | 3F 08 1A 4D  | 0 | ?..M
+/0x01 | 82 18 60 20  | 0 | ..`
+/0x02 | 00 38 00 50  | 0 | .8.P
+/0x03 | 1C 48 33 00  | 0 | .H3.
+/0x04 | 1B 00 00 00  | 0 | ....
+/0x05 | 00 00 00 00  | 0 | ....
+/0x06 | 00 00 00 00  | 0 | ....
+/0x07 | 00 00 00 00  | 0 | ....
+/0x08 | 00 00 00 00  | 0 | ....
+/0x09 | 00 00 00 00  | 0 | ....
+/0x0A | 00 00 00 00  | 0 | ....
+/0x0B | 00 00 00 00  | 0 | ....
+/0x0C | 00 00 00 00  | 0 | ....
+/0x0D | 00 00 00 00  | 0 | ....
+/0x0E | 00 00 00 00  | 0 | ....
+/0x0F | 00 00 00 00  | 0 | ....
+/0x10 | 00 00 00 00  | 0 | ....
+/0x11 | 00 00 00 00  | 0 | ....
+/0x12 | 00 00 00 00  | 0 | ....
+/0x13 | 00 00 00 00  | 0 | ....
+/0x14 | 00 00 00 00  | 0 | ....
+/0x15 | 00 00 00 00  | 0 | ....
+/0x16 | 00 00 00 00  | 0 | ....
+/0x17 | 00 00 00 00  | 0 | ....
+/0x18 | 00 00 00 00  | 0 | ....
+/0x19 | 00 00 00 00  | 0 | ....
+/0x1A | 00 00 00 00  | 0 | ....
+/0x1B | 00 00 00 00  | 0 | ....
+/0x1C | 2A 80 53 42  | 0 | *.SB
+/0x1D | 1F 90 53 42  | 0 | ..SB
+/0x1E | 33 00 00 00  | 0 | 3...
+/0x1F | 00 00 00 00  | 0 | ....
+/0x20 | 00 00 00 00  | 0 | ....
+/0x21 | 00 00 00 00  | 0 | ....
+/0x22 | 00 00 00 00  | 0 | ....
+/0x23 | 00 00 00 00  | 0 | ....
+/0x24 | 00 00 00 00  | 0 | ....
+/0x25 | 00 00 00 00  | 0 | ....
+/0x26 | 00 00 00 00  | 0 | ....
+/0x27 | 00 00 00 00  | 0 | ....
+/0x28 | 00 00 00 00  | 0 | ....
+/0x29 | 00 00 00 00  | 0 | ....
+/0x2A | 22 00 E1 23  | 0 | "..#
+/0x2B | C0 05 1B 01  | 0 | ....
+/0x2C | 4A 5C A0 1D  | 0 | J\..
+/0x2D | 1A 30 00 12  | 0 | .0..
+/0x2E | 50 E7 AB EC  | 0 | P...
+/0x2F | 60 00 00 00  | 0 | `...
+/0x30 | 00 00 40 7B  | 0 | ..@{
+/0x31 | 00 68 20 15  | 0 | .h .
+/0x32 | 00 00 00 00  | 0 | ....
+/0x33 | 00 00 00 00  | 0 | ....
 </code>
-Latest proxmark 2.3.0 has some basic ISO 15693 simulation functionality, but it's not working properly yet.
+Rfxsecure.com sells magic ISO-15693 cards with changeable UID. Either you need the iso15_magic from RRG repo or "hf 15 csetuid" from the official repo. The official repo's client segfaults on this right now, although it seems to change UID before segfault (signed/unsigned integer confusion, negative received octet count, etc). Proxmark developers have abysmal code standards and can't even use tags in repos.
-AFAIK there are no "Chinese backdoored clones" that would allow changing of UID.
+Changing UID, depending on repo (you need iso15_magic from RRG + read15.lua) or the segfaulting official repo with "hf 15 csetuid":
+<code>
+proxmark3> hf 15 reader
+#db# 12 octets read from IDENTIFY request:
+#db# NoErr CrcOK
+#db# 00 00 bf a5 c1 1e 66 24
+#db# 16 e0 56 a3
+#db# UID = E01624661EC1A5BF
+proxmark3> hf 15 csetuid E01624661EC1A5CA
+new UID | e0 16 24 66 1e c1 a5 ca
+Using backdoor Magic tag function
+received -1 octets
+Thread 4 "WorkerThread" received signal SIGSEGV, Segmentation fault.
+</code>
+With the magic scripts:
+<code>
+script run iso15_magic.lua -u E004013344556677
+</code>
+Neither will work on the first time likely. Retry at least 3 times. Same with "hf 15 dump" and "hf 15 restore".
+Note on cloned skipass ISO-15693 cards - they have counter in sector 2, so as soon as your cloned cards will desync, one of them will stop working.
 ==== Low Frequency card ====
 Emulation in general: http://www.t4f.org/en/projects/open-rfid-tag/55 this looks like a very nice generic emulator for LF, some hw guru could look into assembling it? lukash willing to help :)