project:freakcard:start
Differences
This shows you the differences between two versions of the page.
project:freakcard:start [2016/11/25 10:13] – ruza | project:freakcard:start [2019/12/02 01:26] – [High Frequency (HF) card] ISO-15693 magic cards abyssal | ||
Line 7: | Line 7: | ||
hw=various| | hw=various| | ||
sw=various| | sw=various| | ||
- | status=active}} | + | }} |
+ | |||
+ | ~~META: | ||
+ | status = active | ||
+ | ~~ | ||
Aim of this project is to collect all physical access methods used these days, | Aim of this project is to collect all physical access methods used these days, | ||
Line 21: | Line 25: | ||
* old [[https:// | * old [[https:// | ||
* new [[https:// | * new [[https:// | ||
+ | * [[https:// | ||
The best revision for OS code is rev 838 from old SVN repo. All the stuff that I checked that should work works. | The best revision for OS code is rev 838 from old SVN repo. All the stuff that I checked that should work works. | ||
Line 27: | Line 32: | ||
There is also a library available for PC/SC readers that supports many kinds of cards, but you need specific reader for each separate card - https:// | There is also a library available for PC/SC readers that supports many kinds of cards, but you need specific reader for each separate card - https:// | ||
+ | |||
+ | ======= Proxmark new versions - RDV4, EVO and pack with PN532 reader with Chameleon mini ======= | ||
+ | |||
+ | There are new versions of Proxmark, which are more compact, see the comparison table in the links at the bottom of the page | ||
+ | |||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | ======= PN532-based readers ======= | ||
+ | |||
+ | PN532 based readers: | ||
+ | |||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * [[http:// | ||
+ | |||
+ | ======= Software for PN532 readers ======= | ||
+ | |||
+ | * https:// | ||
+ | * https:// | ||
+ | * [[https:// | ||
====== Decision tree. ====== | ====== Decision tree. ====== | ||
Line 230: | Line 260: | ||
== Desfire == | == Desfire == | ||
- | Get id: Same as Mifare Classic. | + | |
- | < | + | Multiple versions available |
- | lsnfc: | + | |
- | UID=041343xxxxxx80 | + | * MIFARE DESFire D40 |
- | Several possible matches: | + | * MIFARE DESFire EV1 |
- | * NXP MIFARE DESFire 4k | + | * MIFARE DESFire EV2 |
- | * NXP MIFARE Plus 1k | + | |
- | * NXP MIFARE | + | In order to find out you have Desfire, check SAK in anticollision. Then use get version command to see which Desfire version it is. |
- | * NXP JCOP31 or JCOP41 | + | |
- | </code> | + | Has " |
+ | |||
+ | * Virtually no limitation on number of applications per PICC (new) | ||
+ | * Up to 32 files in each application (6 file types available: Standard Data file, Back-up Data file, Value file, Linear Record file, Cyclic Record file and Transaction MAC file) | ||
+ | * File size is determined during creation (not for Transaction MAC file) | ||
+ | * DES, 3DES, AES encryption, depending on version | ||
+ | * EV2 supports proximity check against relay and ECC signature for UID (originality check) | ||
+ | |||
+ | |||
+ | Command specifications (non-NDAed), | ||
+ | |||
+ | Short [[https:// | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | Has native and wrapped ISO 7816 command modes: [[https:// | ||
Full read: No working crpyto attack so far, unencrypted sectors can be read, also you can try to look for default keys. | Full read: No working crpyto attack so far, unencrypted sectors can be read, also you can try to look for default keys. | ||
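Review bot: the identification step "In order to find out you have Desfire, check SAK in anticollision" overstates what SAK tells you: DESFire answers with SAK 0x20, which only says the card supports ISO 14443-4, and the lsnfc output this hunk removes shows exactly that ambiguity ("Several possible matches": DESFire 4k, Plus 1k, JCOP31/41). Suggest wording it as "SAK narrows it to an ISO 14443-4 card; GetVersion decides whether it is DESFire and which generation", and fixing the typo "crpyto" in the unchanged "Full read" line.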
Line 249: | Line 294: | ||
* MF3ICD40 hacked: [[http:// | * MF3ICD40 hacked: [[http:// | ||
- | Relay: see Relay attack | + | Relay: see Relay attack; EV2 spec says it has relay attack protection, but no details. |
+ | |||
+ | == Ultralight C, Ultralight EV1 and NTAG2 == | ||
+ | |||
+ | EV1 compared to old Ultralight has added 32-bit password for read/write access, ECC signature (static over UID, so copyable), OTP. | ||
+ | |||
+ | Ultralight C has 3DES authentication on top of Ultralight features. | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | Proxmark3 can simulate some of the features of Ultralight EV1/C, though the ECC signature seems missing (read works). There is [[https:// | ||
+ | which [[http:// | ||
+ | |||
+ | Ultralight EV1 and NTAG2/1 can be [[https:// | ||
+ | |||
+ | == Magic NTAG2x, magic Ultralight C and magic Desfire == | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | There is a special [[https:// | ||
+ | |||
+ | Information about the cards from proxmark (hf mfu i): | ||
+ | |||
+ | < | ||
+ | proxmark3> | ||
+ | |||
+ | --- Tag Information --------- | ||
+ | ------------------------------------------------------------- | ||
+ | TYPE : MIFARE Ultralight (MF0ICU1) < | ||
+ | UID : 11 22 33 55 66 77 88 | ||
+ | UID[0] : 11, Emosyn-EM Microelectronics USA | ||
+ | BCC0 : 44, crc should be 88 | ||
+ | BCC1 : FF, crc should be CC | ||
+ | Internal : FF, not default | ||
+ | Lock : ff ff - 1111111111111111 | ||
+ | OneTimePad : ff ff ff ff - 11111111111111111111111111111111 | ||
+ | |||
+ | |||
+ | proxmark3> | ||
+ | |||
+ | --- Tag Information --------- | ||
+ | ------------------------------------------------------------- | ||
+ | TYPE : MIFARE Ultralight C (MF0ULC) < | ||
+ | UID : 00 00 00 00 00 00 00 | ||
+ | UID[0] : 00, no tag-info available | ||
+ | BCC0 : 00, crc should be 88 | ||
+ | BCC1 : 00, Ok | ||
+ | Internal : 00, not default | ||
+ | Lock : 00 00 - 0000000000000000 | ||
+ | OneTimePad : 00 00 00 00 - 00000000000000000000000000000000 | ||
+ | |||
+ | --- UL-C Configuration | ||
+ | | ||
+ | | ||
+ | Auth0 [42/0x2A] : 00 00 00 00 default | ||
+ | Auth1 [43/0x2B] : 00 00 00 00 read and write access restricted | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | 3des key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
+ | </ | ||
+ | |||
+ | This shop sells [[https:// | ||
+ | |||
+ | == Magic Desfire == | ||
+ | |||
+ | The "magic Desfire" | ||
+ | |||
+ | * writing NDEF file seems to succeed, but read fails, you get just zeros | ||
+ | * libfreefare segfaults with the magic Desfire | ||
+ | * any SELECT APDU is responded to with OK, but there are no real applications | ||
+ | |||
+ | In short, waste of money. | ||
+ | |||
+ | Setting UID on magic Desfire with Proxmark: | ||
+ | |||
+ | < | ||
+ | hf 14a raw -s -c 02 00 ab 00 00 07 UID | ||
+ | </ | ||
== other mifare cards == | == other mifare cards == | ||
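Review bot: the Ultralight EV1 line "has added 32-bit password for read/write access, ECC signature (static over UID, so copyable), OTP" counts OTP as an EV1 addition, but plain Ultralight already has the OTP page: the "hf mfu i" dump later in this hunk prints a "OneTimePad" row for a tag identified as MIFARE Ultralight (MF0ICU1). Drop OTP from the list of additions. Also worth one sentence under that dump explaining the "BCC0 : 44, crc should be 88" / "BCC1 : FF, crc should be CC" rows: the magic tag accepted UID 11 22 33 55 66 77 88 without the matching block check characters, so the UID/BCC consistency check fails on it.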
Line 256: | Line 381: | ||
but now widely deployed, at least no in .cz and .sk: | but now widely deployed, at least no in .cz and .sk: | ||
- | * Ultralight C | ||
* SmartMX | * SmartMX | ||
* DESFire EV1 | * DESFire EV1 | ||
Line 306: | Line 430: | ||
Proxmark can read them and so can some android phones. | Proxmark can read them and so can some android phones. | ||
- | They contain UID and 64 bytes of data. Reading with proxmark can be done with: | + | They contain UID and 4-byte blocks |
< | < | ||
- | hf 15 dumpmemory | + | pm3 --> |
+ | | ||
+ | TYPE : EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102 | ||
+ | pm3 --> hf 15 dump | ||
+ | [=] Using UID as filename | ||
+ | Reading memory from tag UID E0 16 24 66 1E C1 A5 AD | ||
+ | ....................................................[-] Tag returned Error 15: Unknown error. | ||
+ | |||
+ | |||
+ | block# | ||
+ | ---------+--------------+---+---------- | ||
+ | 0/0x00 | 3F 08 1A 4D | 0 | ?..M | ||
+ | 1/0x01 | 82 18 60 20 | 0 | ..` | ||
+ | 2/0x02 | 00 38 00 50 | 0 | .8.P | ||
+ | 3/0x03 | 1C 48 33 00 | 0 | .H3. | ||
+ | 4/0x04 | 1B 00 00 00 | 0 | .... | ||
+ | 5/0x05 | 00 00 00 00 | 0 | .... | ||
+ | 6/0x06 | 00 00 00 00 | 0 | .... | ||
+ | 7/0x07 | 00 00 00 00 | 0 | .... | ||
+ | 8/0x08 | 00 00 00 00 | 0 | .... | ||
+ | 9/0x09 | 00 00 00 00 | 0 | .... | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
</ | </ | ||
- | Latest proxmark 2.3.0 has some basic ISO 15693 simulation functionality, but it's not working properly yet. | + | Rfxsecure.com sells magic ISO-15693 cards with changeable UID. Either you need the iso15_magic from RRG repo or "hf 15 csetuid" |
+ | |||
+ | Changing UID, depending on repo (you need iso15_magic from RRG + read15.lua) or the segfaulting official repo with "hf 15 csetuid": | ||
+ | |||
+ | < | ||
+ | proxmark3> | ||
+ | #db# 12 octets read from IDENTIFY request: | ||
+ | #db# NoErr CrcOK | ||
+ | #db# 00 00 bf a5 c1 1e 66 24 | ||
+ | #db# 16 e0 56 a3 | ||
+ | #db# UID = E01624661EC1A5BF | ||
+ | proxmark3> | ||
+ | |||
+ | new UID | e0 16 24 66 1e c1 a5 ca | ||
+ | Using backdoor Magic tag function | ||
+ | received -1 octets | ||
+ | |||
+ | Thread 4 " | ||
+ | |||
+ | </ | ||
+ | |||
+ | With the magic scripts: | ||
+ | |||
+ | < | ||
+ | script run iso15_magic.lua -u E004013344556677 | ||
+ | </ | ||
- | AFAIK there are no "Chinese backdoored clones" | + | Neither will work on the first time likely. Retry at least 3 times. Same with "hf 15 dump" and "hf 15 restore". |
+ | Note on cloned skipass ISO-15693 cards - they have counter in sector 2, so as soon as your cloned cards will desync, one of them will stop working. | ||
==== Low Frequency card ==== | ==== Low Frequency card ==== | ||
Emulation in general: http:// | Emulation in general: http:// | ||
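Review bot: the "hf 15 dump" transcript shows the read aborting with "[-] Tag returned Error 15: Unknown error." before the block table, and the surrounding text never says what that means for the dump; since a later paragraph in this hunk says "hf 15 dump" and "hf 15 restore" likely fail on the first try and should be retried at least 3 times, say so next to the transcript and state whether the block table that follows is a complete read. Separately, "they have counter in sector 2" in the skipass note should say block 2: ISO 15693 memory is addressed in blocks, as the "block#" column of the same dump shows.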
Line 413: | Line 626: | ||
Usage around: building access system | Usage around: building access system | ||
- | This information pertains to model Paradox C704. Full decoding in proxmark is not implemented, | + | This information pertains to model Paradox C704. Full decoding in proxmark is implemented, |
< | < | ||
proxmark3> | proxmark3> | ||
proxmark3> | proxmark3> | ||
- | proxmark3> | + | loaded 40000 samples |
+ | proxmark3> | ||
+ | proxmark3> | ||
+ | Paradox TAG ID: 000328176 (Full ID: 0ca05dadf) - FC: 50 - Card: 33142 - Checksum: b7 - RAW: 0f555555a5995566a699a6aa | ||
</ | </ | ||
Emulate: | Emulate: | ||
- | Not implemented in proxmark code, but the HID Prox emulation | + | Latest |
+ | |||
+ | < | ||
+ | pm3 --> lf paradox sim 50 33142 | ||
+ | Simulating Paradox - Facility | ||
+ | </code> | ||
=== T55x7 universal emulation card === | === T55x7 universal emulation card === | ||
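Review bot: the emulation example "lf paradox sim 50 33142" reuses the FC and card number that "lf paradox demod" printed just above ("FC: 50 - Card: 33142"), but the text does not say that the sim arguments come from the demod output; one sentence linking the two would make the example self-explanatory.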
Line 658: | Line 880: | ||
* [[http:// | * [[http:// | ||
* [[http:// | * [[http:// | ||
+ |
project/freakcard/start.txt · Last modified: 2021/06/05 17:28 by abyssal