Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

  • Logged in as ikarus
  • Last visit: Today 11:22:42

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-08-27 02:22:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

reading SEOS card?

A user over at the discord server sniffed his SEOS card,  as seen below,  where I extracted the commands send by the reader and make the equivelent for Proxmark3.   You can now get the same data out of your card but I have no idea what the command APDU's does.
When I say the same,  its the same until the last command.   That one gives an error on my card vs the users card.


[usb] pm3 --> hf search

[+]  UID: 0x 4x 8x 0x 
[+] ATQA: 00 01
[+]  SAK: 20 [1]
[+] Possible types:
[+]    MIFARE Plus 2K/4K / Plus EV1 2K/4K
[+]    MIFARE Plus CL2 2K/4K / Plus CL2 EV1 2K/4K
[+]  ATS: 05 78 77 80 02 9C 3A 
[+]        -  TL : length is 5 bytes
[+]        -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
[+]        - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[+]        - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
[+]        - TC1 : NAD is NOT supported, CID is supported

[+] Valid ISO14443-A tag found

* RRG/Iceman repo based commands *

clear
hf 14a raw -s -c -p d01100
hf 14a apdu -k 00a404000aa000000440000101000100
hf 14a apdu -k 80a504001306112b0601040181e43801010201180101020200
hf 14a apdu -k 00870001047c02810000
hf 14a apdu -k 008700012c7c2a8228ba59c0ace0edc4c550f0053d4857c3ab74153cb7f1e507fcf12437acd30e7eff8bc138a26cd62ef200
hf 14a apdu -d 0ccb3fff168508dce59bd2a233b32d97008e0820f5d036ead124ee
hf 14a list

Ouputs:

[usb] pm3 --> hf 14a raw -s -c -p d01100
Card selected. UID[4]:
08 D8 E1 93
received 3 bytes
D0 73 87

[usb] pm3 --> hf 14a apdu -k 00a404000aa000000440000101000100
>>>>[keep ] 00 A4 04 00 0A A0 00 00 04 40 00 01 01 00 01 00
<<<< 6F 0C 84 0A A0 00 00 04 40 00 01 01 00 01 90 00
[+] APDU response: 90 00 - Command successfully executed (OK).

[usb] pm3 --> hf 14a apdu -k 80a504001306112b0601040181e43801010201180101020200
>>>>[keep ] 80 A5 04 00 13 06 11 2B 06 01 04 01 81 E4 38 01 01 02 01 18 01 01 02 02 00
<<<< CD 02 09 07 85 40 CD 12 99 54 6D E8 33 BD 73 2B 63 9A 63 C6 DA 14 F5 DF 9C 4E 07 F4 DB BF 4D A7 29 08 E8 A7 94 23 3A E9 94 7B 70 05 55 A2 F9 5E 8A 93 0C 47 01 B0 02 A5 08 0A B2 2E 37 60 D6 69 41 F5 23 85 CB 61 8E 08 9E BA AE 38 15 08 9E 47 90 00
[+] APDU response: 90 00 - Command successfully executed (OK).

[usb] pm3 --> hf 14a apdu -k 00870001047c02810000
>>>>[keep ] 00 87 00 01 04 7C 02 81 00 00
<<<< 7C 0A 81 08 CF 57 F4 A3 59 2C 30 BC 90 00
[+] APDU response: 90 00 - Command successfully executed (OK).

[usb] pm3 --> hf 14a apdu -k 008700012c7c2a8228ba59c0ace0edc4c550f0053d4857c3ab74153cb7f1e507fcf12437acd30e7eff8bc138a26cd62ef200
>>>>[keep ] 00 87 00 01 2C 7C 2A 82 28 BA 59 C0 AC E0 ED C4 C5 50 F0 05 3D 48 57 C3 AB 74 15 3C B7 F1 E5 07 FC F1 24 37 AC D3 0E 7E FF 8B C1 38 A2 6C D6 2E F2 00
<<<< 7C 2A 82 28 71 F8 FE 38 48 66 44 E0 E2 FB 31 55 BC 27 7D 56 D0 48 0E D0 BF A4 42 9A FE 74 04 E7 10 20 E4 23 13 A2 70 74 66 3A 1A CD 90 00
[+] APDU response: 90 00 - Command successfully executed (OK).

[usb] pm3 --> hf 14a apdu -d 0ccb3fff168508dce59bd2a233b32d97008e0820f5d036ead124ee
>>>>[] 0C CB 3F FF 16 85 08 DC E5 9B D2 A2 33 B3 2D 97 00 8E 08 20 F5 D0 36 EA D1 24 EE
[=] APDU: case=0x03 cla=0x0c ins=0xcb p1=0x3f p2=0xff Lc=0x16(22) Le=0x00(0)
<<<< 67 00
[+] APDU response: 67 00 - Wrong length
[usb] pm3 --> hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 575 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52(7)                                                                    |     | WUPA
       2116 |       4484 | Tag |01  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10564 |      16452 | Tag |08  d8  e1  93  a2                                                       |     |
      19200 |      29664 | Rdr |93  70  08  d8  e1  93  a2  4c  78                                       |  ok | SELECT_UID
      30788 |      34372 | Tag |20  fc  70                                                               |     |
      36096 |      40864 | Rdr |e0  80  31  73                                                           |  ok | RATS
      42692 |      50820 | Tag |05  78  77  80  02  9c  3a                                               |  ok |
      63232 |      69088 | Rdr |d0  11  00  52  a6                                                       |  ok |
      70980 |      74500 | Tag |d0  73  87                                                               |     |
     390528 |     412576 | Rdr |02  00  a4  04  00  0a  a0  00  00  04  40  00  01  01  00  01  00  fe   |     |
            |            |     |6b                                                                       |  ok |
     430660 |     452676 | Tag |02  6f  0c  84  0a  a0  00  00  04  40  00  01  01  00  01  90  00  fb   |     |
            |            |     |e3                                                                       |  ok |
     766848 |     799200 | Rdr |03  80  a5  04  00  13  06  11  2b  06  01  04  01  81  e4  38  01  01   |     |
            |            |     |02  01  18  01  01  02  02  00  2a  71                                   |  ok |
     878788 |     878788 | Tag |03  cd  02  09  07  85  40  cd  12  99  54  6d  e8  33  bd  73  2b  63   |     |
            |            |     |9a  63  c6  da  14  f5  df  9c  4e  07  f4  db  bf  4d  a7  29  08  e8   |     |
            |            |     |a7  94  23  3a  e9  94  7b  70  05  55  a2  f9  5e  8a  93  0c  47  01   |     |
            |            |     |b0  02  a5  08  0a  b2  2e  37  60  d6  69  41  f5  23  85  cb  61  8e   |     |
            |            |     |08  9e  ba  ae  38  15  08  9e  47  90  00  93  22                       |  ok |
    1293440 |    1308512 | Rdr |02  00  87  00  01  04  7c  02  81  00  00  70  5c                       |  ok |
    1332420 |    1352068 | Tag |02  7c  0a  81  08  cf  57  f4  a3  59  2c  30  bc  90  00  73  d8       |  ok |
    1676160 |    1737312 | Rdr |03  00  87  00  01  2c  7c  2a  82  28  ba  59  c0  ac  e0  ed  c4  c5   |     |
            |            |     |50  f0  05  3d  48  57  c3  ab  74  15  3c  b7  f1  e5  07  fc  f1  24   |     |
            |            |     |37  ac  d3  0e  7e  ff  8b  c1  38  a2  6c  d6  2e  f2  00  2a  cc       |  ok |
    1880132 |    1936644 | Tag |03  7c  2a  82  28  71  f8  fe  38  48  66  44  e0  e2  fb  31  55  bc   |     |
            |            |     |27  7d  56  d0  48  0e  d0  bf  a4  42  9a  fe  74  04  e7  10  20  e4   |     |
            |            |     |23  13  a2  70  74  66  3a  1a  cd  90  00  06  9a                       |  ok |
    2254208 |    2288864 | Rdr |02  0c  cb  3f  ff  16  85  08  dc  e5  9b  d2  a2  33  b3  2d  97  00   |     |
            |            |     |8e  08  20  f5  d0  36  ea  d1  24  ee  1a  48                           |  ok |
    2297412 |    2303300 | Tag |02  67  00  f1  38                                                       |     |

Offline

#2 2020-09-01 20:13:57

higbnua3rwxg
Contributor
Registered: 2019-03-07
Posts: 3

Re: reading SEOS card?

I was looking through a device the other day and found this information in the setup.

Seos Configuration

ADF OID : 2A8570811E1000070000020000

Total Tag : 08

Tag : C0

My knowledge on RFID is limited and i'm not sure how helpful (if at all )this is though.

Offline

#3 2020-09-02 05:03:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: reading SEOS card?

Which device is this?  You got a picture of it? Tried sniffing some traffic?

Offline

#4 2020-09-02 11:06:18

higbnua3rwxg
Contributor
Registered: 2019-03-07
Posts: 3

Re: reading SEOS card?

Sorry, it is from an “Invixium TITAN” a non-HID, biometric reader with a configuration page for smart cards. I would hope they wouldn’t auto fill any sensitive information on the default seos configuration but don’t know enough about it to tell.

Offline

Quick reply

Write your message and submit

Board footer

Powered by FluxBB