I found this inside libnfc,
https://github.com/nfc-tools/libnfc/blo … dNavigo.sh
where it looks like the 14B' protocol is used.
Too fast, Iceman!
I tried to snoop my old Navigo and, as Asper said, nothing was captured (hf 14b snoop).
So it confirms that Navigo has 2 versions, one with 14B'.
Sadly, I don't have another reader to test the script.
During this weekend, I decompiled the Java app used to read the Navigo card on the official RATP website.
I found 2 pieces of info which could be useful and confirm the 2 versions of the Navigo:
String selectAPDUs = "00A4040008315449432E494341|9000;94A40800022000|9000";
I found 2 source codes which could be interesting for implementing 14B':
http://docs.ros.org/hydro/api/rfid_drivers/html/classFedmIscTagHandler__ISO14443__Innovatron.html#details
http://apidoc.springcard.com/springprox/sprox_14443-bi_c.html#robo4 (source)
I tried to analyse them and extract (what I suppose to be) some useful information.
In the Hydro API, a new struct is added to the ISO 14443-B one for B':
[== C++ ==]
struct {
    unsigned char m_ucAtr[33];   // Array with ATR (only applicable with ISO 14443-B' Innovatron Tag)
    unsigned char m_ucAtrLen;    // ATR Length (only applicable with ISO 14443-B' Innovatron Tag)
    unsigned char m_ucConfig;    // Config (only applicable with ISO 14443-B' Innovatron Tag)
    unsigned char m_ucVerlog;    // Verlog (only applicable with ISO 14443-B' Innovatron Tag)
};
In SpringProx:
[== C++ ==]
/* B' (Innovatron) */
/* --------------- */
/* These functions are only available for Calypso-enabled readers */
SPRINGPROX_LIB SWORD SPRINGPROX_API SPROX_Bi_Apgen(BYTE uid[4], BYTE atr[32], BYTE *atrlen);
I wonder if you are able to use the APDU for 14B' with the "hf 14b raw" command.
UID - 4 bytes, ok.
ATR has a max of 33/32 bytes but is defined with an atrlen variable.
CONFIG - 1 byte
VERLOG - 1 byte
APDU:
00A4040008315449432E494341
-----------------------------------------
00 - normal CLA?
A4 - CMD
04 - P1
00 - P2
08 - LEN of next data.
[31 54 49 43] [2E 49 43 41] (Directory/Files)?
But what are the REQB / ATTRIB commands for 14B'? That's the question.
Or did your tag answer to the 05 00 08?
Finally,
just enhancing some functionality of the "hf 14b raw" command meant that I had to rewrite a lot of it,
but the upside is that, codewise, the new raw command looks and behaves just like "hf 14a raw".
Since I'm thinking of a Lua implementation for dealing with Calypso tags, I started with that. Since there was not much to start with, I had to write that as well. Now that I have everything I need for it, I can start on my Lua script. Below is a sample of reading a Calypso tag and selecting the AID 2000, with a nice answer from the tag, verified against the output of "hf list 14b".
pm3 --> sc r f
--- Executing: ./scripts/f.lua, args''
Waiting for card... press any key to quit
Card UID 2618ADC4
Card Number 639151556
>> 0a0094a40800043f000002
<< 0A0085170204021D011F000000010101010000000000000000000090003425
pm3 --> hf li 14b
Recorded Activity (TraceLen = 137 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr |05 00 08 39 73 | ok | WUPB
696 | 696 | Tag |50 26 18 ad c4 00 00 00 00 00 71 81 8c 74 | ok |
0 | 0 | Rdr |1d 26 18 ad c4 00 08 01 00 a5 8f | ok | ATTRIB
264 | 264 | Tag |00 78 f0 | ok |
0 | 0 | Rdr |0a 00 94 a4 08 00 04 3f 00 00 02 d3 59 | ok | AUTHENTICATE
1948 | 1948 | Tag |0a 00 85 17 02 04 02 1d 01 1f 00 00 00 01 01 01 | |
| | |01 00 00 00 00 00 00 00 00 00 00 90 00 34 25 | ok |
Looking way better.
The ISO 7816 annotation works, and the Calypso tag happily gives out its data.
pm3 --> sc r calypso
--- Executing: ./scripts/calypso.lua, args''
Waiting for card... press any key to quit
Card UID 2618ADC4
Card Number 639151556
>> 01.Select ICC file
<< no answer
>> 02.ICC
<< no answer
>> 03.Select EnvHol file
<< no answer
>> 04.EnvHol1
<< no answer
>> 05.Select EvLog file
SW 9000 OK
<< 0285170804041D031F12121201030303000000000000000000009000FB5F
>> 06.EvLog1
SW 9000 OK
<< 036D2168900068A18818F2808828002040000000000000000000000000009000BA5D
>> 07.EvLog2
SW 9000 OK
<< 026D2167900068A18818F20088100020400000000000000000000000000090002E75
>> 08.EvLog3
SW 9000 OK
<< 036D2165900068A2B818F6818A100090400000000000000000000000000090009B5D
>> 09.Select ConList file
SW 9000 OK
<< 0285171E04021D011F120000010301010000000000000000000090002D92
>> 10.ConList
SW 9000 OK
<< 031C1FF2100000000000000000000000000000000000000000000000000090009F06
>> 11.Select Contra file
SW 9000 OK
<< 0285170904021D041F121200010203010000000000000000000090008E98
>> 12.Contra1
SW 9000 OK
<< 035A506000001166109A456D21B4E1FD6D200C9E3404019CFFFFFFFFFFFF90000FBB
>> 13.Contra2
SW 9000 OK
<< 0200000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9000E179
>> 14.Contra3
SW 9000 OK
<< 0300000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9000830E
>> 15.Contra4
SW 9000 OK
<< 0200000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9000E179
>> 16.Select Counter file
SW 9000 OK
<< 0385171904091D011F1212120102030200000000000000FFFFFF9000C9D7
>> 17.Counter
SW 9000 OK
<< 0200000000000000000000000000000000000000000000000000000000009000E93A
>> 18.Select SpecEv file
SW 9000 OK
<< 0385171D04021D031F12000001030101000000000000000000009000663E
>> 19.SpecEv1
SW 9000 OK
<< 0200000000000000000000000000000000000000000000000000000000009000E93A
-----Finished
pm3 --> hf li 7816
Recorded Activity (TraceLen = 1031 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr |05 00 08 39 73 | | ?
698 | 698 | Tag |50 26 18 ad c4 00 00 00 00 00 71 81 8c 74 | |
0 | 0 | Rdr |1d 26 18 ad c4 00 08 01 00 a5 8f | | ?
264 | 264 | Tag |00 78 f0 | |
0 | 0 | Rdr |02 94 a4 08 00 04 20 00 20 10 41 1b | | SELECT FILE
2182 | 2182 | Tag |02 85 17 08 04 04 1d 03 1f 12 12 12 01 03 03 03 | |
| | |00 00 00 00 00 00 00 00 00 00 90 00 fb 5f | |
0 | 0 | Rdr |02 94 b2 01 04 1d ee 42 | | READ RECORDS
1622 | 1622 | Tag |03 6d 21 68 90 00 68 a1 88 18 f2 80 88 28 00 20 | |
| | |40 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |ba 5d | |
0 | 0 | Rdr |02 94 b2 02 04 1d 8a ad | | READ RECORDS
1624 | 1624 | Tag |02 6d 21 67 90 00 68 a1 88 18 f2 00 88 10 00 20 | |
| | |40 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |2e 75 | |
0 | 0 | Rdr |02 94 b2 03 04 1d 56 f7 | | READ RECORDS
1622 | 1622 | Tag |03 6d 21 65 90 00 68 a2 b8 18 f6 81 8a 10 00 90 | |
| | |40 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |9b 5d | |
0 | 0 | Rdr |02 94 a4 08 00 04 20 00 20 50 45 59 | | SELECT FILE
1682 | 1682 | Tag |02 85 17 1e 04 02 1d 01 1f 12 00 00 01 03 01 01 | |
| | |00 00 00 00 00 00 00 00 00 00 90 00 2d 92 | |
0 | 0 | Rdr |02 94 b2 01 04 1d ee 42 | | READ RECORDS
1626 | 1626 | Tag |03 1c 1f f2 10 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |9f 06 | |
0 | 0 | Rdr |02 94 a4 08 00 04 20 00 20 20 c2 2a | | SELECT FILE
1698 | 1698 | Tag |02 85 17 09 04 02 1d 04 1f 12 12 00 01 02 03 01 | |
| | |00 00 00 00 00 00 00 00 00 00 90 00 8e 98 | |
0 | 0 | Rdr |02 94 b2 01 04 1d ee 42 | | READ RECORDS
1620 | 1620 | Tag |03 5a 50 60 00 00 11 66 10 9a 45 6d 21 b4 e1 fd | |
| | |6d 20 0c 9e 34 04 01 9c ff ff ff ff ff ff 90 00 | |
| | |0f bb | |
0 | 0 | Rdr |02 94 b2 02 04 1d 8a ad | | READ RECORDS
1620 | 1620 | Tag |02 00 00 0f ff ff ff ff ff ff ff ff ff ff ff ff | |
| | |ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 | |
| | |e1 79 | |
0 | 0 | Rdr |02 94 b2 03 04 1d 56 f7 | | READ RECORDS
1622 | 1622 | Tag |03 00 00 0f ff ff ff ff ff ff ff ff ff ff ff ff | |
| | |ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 | |
| | |83 0e | |
0 | 0 | Rdr |02 94 b2 04 04 1d 53 7b | | READ RECORDS
1624 | 1624 | Tag |02 00 00 0f ff ff ff ff ff ff ff ff ff ff ff ff | |
| | |ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 | |
| | |e1 79 | |
0 | 0 | Rdr |02 94 a4 08 00 04 20 00 20 69 07 f5 | | SELECT FILE
1692 | 1692 | Tag |03 85 17 19 04 09 1d 01 1f 12 12 12 01 02 03 02 | |
| | |00 00 00 00 00 00 00 ff ff ff 90 00 c9 d7 | |
0 | 0 | Rdr |02 94 b2 01 04 1d ee 42 | | READ RECORDS
1618 | 1618 | Tag |02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |e9 3a | |
0 | 0 | Rdr |02 94 a4 08 00 04 20 00 20 40 c4 49 | | SELECT FILE
1694 | 1694 | Tag |03 85 17 1d 04 02 1d 03 1f 12 00 00 01 03 01 01 | |
| | |00 00 00 00 00 00 00 00 00 00 90 00 66 3e | |
0 | 0 | Rdr |02 94 b2 01 04 1d ee 42 | | READ RECORDS
1628 | 1628 | Tag |02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 | |
| | |e9 3a | |
pm3 -->
But my USB communication between device and client through a VMware guest is so slow that it drops some packets. That's why the "<< no answer" rows appear when executing the script.
Someone up for starting to map the data?
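The APDU breakdown earlier in the thread and the "hf list" traces above, decoded by a small added script (not code from the thread or from the Proxmark3 project): it verifies each traced frame's CRC_B trailer the way the CRC column of "hf list 14b" does, drops the ISO 14443-4 PCB (and the CID byte in the "0a 00" frames), and splits the Calypso command into CLA/INS/P1/P2 plus Lc/data or Le, and the reply into data plus SW1SW2. It assumes only the frame layouts visible in the trace; the INS name table covers the two instructions the trace shows.

```python
# Added example, not from the thread or the Proxmark3 project: decode traced ISO 14443-B I-blocks.
from __future__ import annotations
from dataclasses import dataclass

INS_NAMES = {0xA4: "SELECT FILE", 0xB2: "READ RECORDS"}  # the two INS bytes the trace shows

def crc16_b(data: bytes) -> bytes:
    """CRC_B of ISO/IEC 14443-3: init 0xFFFF, reflected poly 0x8408, final XOR, sent LSB first."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    crc ^= 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def strip_frame(frame: bytes) -> bytes:
    """Verify the trailing CRC_B, then drop the PCB (and the CID byte when PCB bit 0x08 is set)."""
    body, crc = frame[:-2], frame[-2:]
    if crc16_b(body) != crc:
        raise ValueError(f"CRC_B mismatch: got {crc.hex()}, expected {crc16_b(body).hex()}")
    pcb = body[0]
    if pcb & 0xE2 != 0x02:  # I-block PCB is 000x xx1x; WUPB (05), ATQB (50) and ATTRIB (1d) are not
        raise ValueError(f"not an ISO 14443-4 I-block: PCB {pcb:02x}")
    return body[2:] if pcb & 0x08 else body[1:]

@dataclass
class Command:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""       # empty for case-1/2 APDUs
    le: int | None = None   # expected response length, when the command carries one
    @property
    def name(self) -> str:
        return INS_NAMES.get(self.ins, f"INS {self.ins:02X}")

def parse_command(frame: bytes) -> Command:
    """Split a reader I-block into its ISO 7816-4 APDU fields (cases 1 to 4)."""
    cla, ins, p1, p2, *rest = strip_frame(frame)
    if len(rest) <= 1:      # case 1 (no body) or case 2 (Le only), e.g. READ RECORDS
        return Command(cla, ins, p1, p2, le=rest[0] if rest else None)
    lc, body = rest[0], bytes(rest[1:])   # case 3/4: Lc, data, optional Le, e.g. SELECT FILE
    return Command(cla, ins, p1, p2, body[:lc], body[lc] if len(body) > lc else None)

def parse_response(frame: bytes) -> tuple[bytes, int]:
    """Return (response data, SW1SW2) from a tag I-block; 0x9000 means success."""
    body = strip_frame(frame)
    return body[:-2], int.from_bytes(body[-2:], "big")
```

Feeding it the hex strings the Lua script prints after ">>" and "<<" (which still carry PCB and CRC) gives the same SELECT FILE / READ RECORDS split that "hf list 7816" annotates.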
Sorry for bumping this. Is there any news on the matter? Were you able to read the data fully?