Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hi guys,
Recently, I brought the proxmark to my vacation. I cloned the room key (ultralight) and the cloned card is able to access my room. However, I am not able to use the cloned card to access the lift, but the original issued card is able to. Quite strange to me.
Initial thought is that perhaps some portion of the cloned card is not written probably. I read back the content(512 bits) of both cards, the contents are the same.
Anyone has any explanation?
Perhaps this is better.
Contents shown below:
04 0b 34 b3
5a dc 3f 81
38 48 08 00
44 06 db 09
70 f1 8f 73
d7 2c eb d6
21 c3 38 64
94 b5 d6 37
a1 a1 57 5e
69 9a d1 6e
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
Thanks iceman
Last edited by Erictsk (2017-08-29 06:27:37)
Original card has been returned to hotel. Find below the result from the cloned version.
**** hf 14a read ****
ATQA : 00 44
UID : 04 0b 34 5a dc 3f 81
SAK : 00 [2]
MANUFACTURER : NXP Semiconductors Germany
TYPE : NXP MIFARE Ultralight | Ultralight C
SAK incorrectly claims that card doesn't support RATS
ATS : 0a 78 00 81 02 db a0 c1 19 40 2a b5
- TL : length is 10 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are supported, DR: [], DS: []
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : db a0 c1 19 40
Answers to chinese magic backdoor commands: NO
**** hf mfu info ****
#db# Pages 4
#db# Pages read 4
-- Mifare Ultralight / Ultralight-C Tag Information ---------
-------------------------------------------------------------
MANUFACTURER : NXP Semiconductors Germany
UID : 04 0b 34 5a dc 3f 81
BCC0 : b3 - Ok
BCC1 : 38 - Ok
Internal : 48
Lock : 08 00 - 0000000000001000
OneTimePad : 44 06 db 09
enc(RndB):89 b0 7b 35 a1 b3 f4 7e
RndA :01 01 01 01 01 01 01 01
e_RndB:89 b0 7b 35 a1 b3 f4 7e
RndB:49 7c ce 32 a6 96 02 19
RA+B:01 01 01 01 01 01 01 01 7c ce 32 a6 96 02 19 49
enc(RA+B):94 ca 64 7e 5d c0 1f 84 36 50 13 2b 3c 77 15 95
enc(RndA'):82 63 e0 f4 d5 3c 90 90
Seems to be a Ultralight -C