Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
- Logged in as ikarus
- Last visit: Today 11:22:42
- Topics: Posted | New | Active | Unanswered
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
#1 2020-03-22 14:42:31
- Akisame
- Contributor
- Registered: 2020-03-22
- Posts: 8
Simulating not working
tl;dr: reading a simulated dump with the keys from the original tag gives me a "no keys were valid" error. It also doesn't work on the original reader
I am trying to simulate a key on my PM3 easy (mcu transplated to 512 kb and reflashed with JTAG) but this reader is doing some check that blocks this.
I can copy the tag to a OTW keyfob or a direct write card but using a gen2a magic card gives no response from the reader.
When I try to simulate my dump I get no reaction from the reader (no green or red light) and the same goes when I try to simulated the dump with my chameleon revE rebooted.
The steps I followed are as follows:
Discover all the keys (used hard nested because the Prng was hard)
[usb] pm3 --> hf 14a info
[+] UID: XX XX XX XX
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] TYPE: NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[usb] pm3 -->dumped the keys and dumped the card
[=] found keys:
|---|----------------|---|----------------|---|
|sec| key A |res| key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| 845c57165d3c | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
[=] ( 0 :Failed / 1 :Success)Cleared emulation memory with
hf mf eclrloaded emulation file with
hf mf eload 1 dumpfile.emland simulated with
hf mf simAnd also with
hf 14a sim
hf 14a sim u xxxxxxxx ebut when I try to read it with MCT on android with the correct keys it shows that there were no valid keys.
running hf 14a sniff gives me this
[usb] pm3 --> hf 14a sniff #db# Starting to sniff #db# maxDataLen=3, Uart.state=0, Uart.len=0 #db# traceLen=74 , Uart.output[0]=00000000 [usb] pm3 --> hf list 14a [+] Recorded activity (trace len = 74 bytes) [=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer [=] ISO14443A - All times are in carrier periods (1/13.56MHz) Start | End | Src | Data (! denotes parity error) | CRC | Annotation ------------+------------+-----+-------------------------------------------------------------------------+-----+-------------------- 0 | 2368 | Tag |04 00 | | 17792 | 23680 | Tag |xx xx xx xx 31 | | 56320 | 59840 | Tag |08 b6 dd | | 95230480 | 95232848 | Tag |04 00 | | 95248272 | 95254160 | Tag |xx xx xx xx 31 | | 95286800 | 95290320 | Tag |08 b6 dd | |
[+] Recorded activity (trace len = 37 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 2368 | Tag |04 00 | |
17792 | 23680 | Tag |xx xx xx xx 31 | |
56320 | 59840 | Tag |08 b6 dd | |I managed to get one reader response
97093740 | 97094796 | Rdr |26 | | REQA
but unfortunately it is just this.
[usb] pm3 --> hw version
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman
compiled with MinGW-w64 8.3.0 OS:Windows (64b) ARCH:x86_64
[ PROXMARK3 ]
[ ARM ]
bootrom: RRG/Iceman/master/cf47e502 2020-03-19 17:20:58
os: RRG/Iceman/master/cf47e502 2020-03-19 17:21:23
compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]
[ FPGA ]
LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 248481 bytes (47%) Free: 275807 bytes (53%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> hw status #db# Memory #db# BIGBUF_SIZE.............40000 #db# Available memory........39168 #db# Tracing #db# tracing ................0 #db# traceLen ...............37 #db# Currently loaded FPGA image #db# mode.................... HF image built for 2s30vq100 on 2020-01-12 at 15:31:16 #db# LF Sampling config #db# [q] divisor.............95 ( 125.00 kHz ) #db# [b] bits per sample.....8 #db# [d] decimation..........1 #db# [a] averaging...........Yes #db# [t] trigger threshold...0 #db# [s] samples to skip.....0 #db# LF T55XX config #db# [r] [a] [b] [c] [d] [e] [f] [g] #db# mode |start|write|write|write| read|write|write #db# | gap | gap | 0 | 1 | gap | 2 | 3 #db# ---------------------------+-----+-----+-----+-----+-----+-----+------ #db# fixed bit length (default) | 31 | 20 | 18 | 50 | 15 | N/A | N/A | #db# long leading reference | 31 | 20 | 18 | 50 | 15 | N/A | N/A | #db# leading zero | 31 | 20 | 18 | 40 | 15 | N/A | N/A | #db# 1 of 4 coding reference | 31 | 20 | 18 | 34 | 15 | 50 | 66 | #db# #db# Transfer Speed #db# Sending packets to client... #db# Time elapsed............500ms #db# Bytes transferred.......310784 #db# Transfer Speed PM3 -> Client = 621568 bytes/s #db# Various #db# DBGLEVEL................1 #db# ToSendMax...............-1 #db# ToSendBit...............0 #db# ToSend BUFFERSIZE.......2308 #db# Slow clock..............31996 Hz #db# Installed StandAlone Mode #db# HF Mifare sniff/simulation - (Craig Young)
[usb] pm3 --> data tune [=] Measuring antenna characteristics, please wait... [=] You can cancel this operation by pressing the pm3 button .. [+] LF antenna: 42.90 V - 125.00 kHz [+] LF antenna: 43.17 V - 134.83 kHz [+] LF optimal: 52.52 V - 130.43 kHz [+] LF antenna is OK [+] HF antenna: 28.46 V - 13.56 MHz [+] HF antenna is OK [+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.Last edited by Akisame (2020-03-22 19:12:33)
