Proxmark3 community


#1 2010-05-11 01:57:27

albertoparis
Member
Registered: 2010-05-06
Posts: 6

MIFARE Classic Question ... ("hf 14a snoop/list" acting weird)

Hi, I am using a PM3 with Winter'10 software/firmware, under WinXP Pro. At home, I have a Cardman 5321 reader (that doesn't know the keys for the MIFARE Classic 1K tags I am testing) and use the OmniKey Diagnostic Tool to check tag presence ...

I have used "hf 14a snoop -> hf 14a list" successfully (I think) under this setup, to capture the data exchange between the Cardman and the MIFARE tag (see capture at the bottom).

Today I tried to "snoop" the data exchange between the tag and the real reader for the system (the one with the keys) and it received information successfully, but upon further inspection of the "hf 14a list", we see that every time, after the TAG tells the reader that it is a MIFARE 1K (08 b6 dd), we see again the TAG immediately answering REQA (04 00) and starting all over again ... Never gets past that ... Here is the result of "hf 14a list":

proxmark3> recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:   0: TAG 04  00
 +   1056:   0: TAG 9e  f0  9a  8d  79
 +   2240:   0: TAG 08  b6  dd
 +  47818:   0: TAG 04  00
 +   1056:   0: TAG 9e  f0  9a  8d  79
 +   2238:   0: TAG 08  b6  dd
 +  72576:   0: TAG 04  00
 +   1056:   0: TAG 9e  f0  9a  8d  79
 +   2239:   0: TAG 08  b6  dd
 +  47691:    :     52
 +     64:   0: TAG 04  00
 +   1054:   0: TAG 9e  f0  9a  8d  79
 +   2176:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  81468:   0: TAG 04  00
 +   1055:   0: TAG 9e  f0  9a  8d  79
 +   2239:   0: TAG 08  b6  dd
 +  47754:   0: TAG 04  00
 +   1056:   0: TAG 9e  f0  9a  8d  79
 +   2176:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     63:   0: TAG 08  b6  dd
 +  81852:    :     52
 +     64:   0: TAG 04  00
 +   1055:   0: TAG 9e  f0  9a  8d  79
 +   2088:    :     93  70  9e  f0  9a  8d  79  6b     !crc
 +    150:   0: TAG 08  b6  dd
 +  47692:    :     52
 +     64:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2175:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  47753:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2176:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  47691:    :     52
 +     63:   0: TAG 04  00
 +   1056:   0: TAG 9e  f0  9a  8d  79
 +   2238:   0: TAG 08  b6  dd
 +  47692:    :     52
 +     64:   0: TAG 04  00
 +   1055:   0: TAG 9e  f0  9a  8d  79
 +   2239:   0: TAG 08  b6  dd
 +  47754:    :     52
 +     64:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   1744:    :     93  70  9e     !crc
 +    495:   0: TAG 08  b6  dd
 +  47755:    :     52
 +     64:   0: TAG 04  00
 +   1054:   0: TAG 9e  f0  9a  8d  79
 +   2176:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  47755:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2175:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  47690:    :     52
 +     64:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2139:    :     10
 +    100:   0: TAG 08  b6  dd
 +  47691:    :     52
 +     62:   0: TAG 04  00
 +   1056:   0: TAG 9e  f0  9a  8d  79
 +   2176:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  47691:    :     52
 +     64:   0: TAG 04  00
 +   1055:   0: TAG 9e  f0  9a  8d  79
 +   2238:   0: TAG 08  b6  dd
 +  47692:    :     52
 +     64:   0: TAG 04  00
 +   1055:   0: TAG 9e  f0  9a  8d  79
 +   2239:   0: TAG 08  b6  dd
 +  47754:    :     52
 +     64:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2104:    :     93  70  9e  f0  9a  8d  79  eb     !crc
 +    135:   0: TAG 08  b6  dd
 +  47755:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2174:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  47819:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2139:    :     10
 +    100:   0: TAG 08  b6  dd
 +  47754:    :     52
 +     64:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2239:   0: TAG 08  b6  dd
 +  47691:    :     52
 +     64:   0: TAG 04  00
 +   1054:   0: TAG 9e  f0  9a  8d  79
 +   2176:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  47755:    :     52
 +     64:   0: TAG 04  00
 +   1055:   0: TAG 9e  f0  9a  8d  79
 +   2238:   0: TAG 08  b6  dd
 +  47692:    :     52
 +     64:   0: TAG 04  00
 +   1055:   0: TAG 9e  f0  9a  8d  79
 +   2239:   0: TAG 08  b6  dd
 +  47754:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2176:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  47754:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2042:    :     86  10
 +     96:    :     10
 +    100:   0: TAG 08  b6  dd
 +  47755:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2239:   0: TAG 08  b6  dd
 +  47754:    :     52
 +     64:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2239:   0: TAG 08  b6  dd
 +  47691:    :     52
 +     64:   0: TAG 04  00
 +   1054:   0: TAG 9e  f0  9a  8d  79
 +   2176:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  47755:    :     52
 +     64:   0: TAG 04  00
 +   1055:   0: TAG 9e  f0  9a  8d  79
 +   1960:    :     93  70  9e  f0  9a  8d     !crc
 +    278:   0: TAG 08  b6  dd
 +  47692:    :     52
 +     64:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
 +   2175:    :     93  70  9e  f0  9a  8d  79  eb  d9
 +     64:   0: TAG 08  b6  dd
 +  47753:   0: TAG 04  00
 +    992:    :     93  20
 +     64:   0: TAG 9e  f0  9a  8d  79
proxmark3>

As you can see, the TAG does most of the talking here. Am I doing something wrong? The tag worked fine on the system (got authenticated) while the PM3 snooped, so I know the communication was complete, just somehow not snooped.

About my setup: Since the "hf 14a snoop" takes around 5 seconds to show "COMMAND FINISHED", what I did (on both readers - home and corporate) was: I held the tag right next to the HF antenna (this one: http://www.proxmark3.com/item_hfapcb.html) which is the same size, together without any space between them. Placed them both on top of the reader, and left them there for around 8 secs (until I saw the "COMMAND FINISHED" sign). The antenna is between the tag and the reader.

This is a communication snooped between the tag and my CardMan reader at home:

proxmark3> hf 14a snoop
#db# COMMAND FINISHED
#db# 2 0 1
#db# 20 bc2 52
#db# 2 0 1
#db# 20 bc2 52
proxmark3> hf 14a list
proxmark3> recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     26
 +     64:   0: TAG 04  00
 +   7648:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10696:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +   4568:    :     e0  81  b8  62
 +     64:   0: TAG 04
 +   7536:    :     50  00  57  cd
 +  12504:    :     52
 +     64:   0: TAG 04  00
 +   7648:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10690:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 + 939488:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7488:    :     50  00  57  cd
 +  12528:    :     52
 +     64:   0: TAG 04  00
 +   7640:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10729:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91009:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7496:    :     50  00  57  cd
 +  15072:    :     52
 +     64:   0: TAG 04  00
 +   7674:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10656:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91058:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7496:    :     50  00  57  cd
 +  12528:    :     52
 +     64:   0: TAG 04  00
 +   7672:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10664:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91044:    :     30  00  02  a8
 +     71:   0: TAG 04
 +   7505:    :     50  00  57  cd
 +  12504:    :     52
 +     64:   0: TAG 04  00
 +   7664:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10704:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  90995:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7648:    :     50  00  57  cd
 +  12568:    :     52
 +     64:   0: TAG 04  00
 +   7505:    :     93  20
 +     63:   0: TAG 6a  23  0e  c7  80
 +  10681:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91042:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7512:    :     50  00  57  cd
 +  12521:    :     52
 +     64:   0: TAG 04  00
 +   7656:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10680:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91889:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7650:    :     50  00  57  cd
 +  12360:    :     52
 +     64:   0: TAG 04  00
 +   7640:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10728:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  90994:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7544:    :     50  00  57  cd
 +  12504:    :     52
 +     64:   0: TAG 04  00
 +   7664:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10706:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91018:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7512:    :     50  00  57  cd
 +  12520:    :     52
 +     64:   0: TAG 04  00
 +   7656:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10704:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91011:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7505:    :     50  00  57  cd
 +  12520:    :     52
 +     64:   0: TAG 04  00
 +   7672:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10680:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91051:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7512:    :     50  00  57  cd
 +  12496:    :     52
 +     64:   0: TAG 04  00
 +   7680:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10657:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91058:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7488:    :     50  00  57  cd
 +  12496:    :     52
 +     64:   0: TAG 04  00
 +   7689:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10704:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91017:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7512:    :     50  00  57  cd
 +  12506:    :     52
 +     64:   0: TAG 04  00
 +   7672:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10664:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91898:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7488:    :     50  00  57  cd
 +  12520:    :     52
 +     64:   0: TAG 04  00
 +   7672:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10706:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     62:   0: TAG 08  b6  dd
 +  90948:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7544:    :     50  00  57  cd
 +  12528:    :     52
 +     64:   0: TAG 04  00
 +   7672:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10704:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +  91051:    :     30  00  02  a8
 +     72:   0: TAG 04
 +   7504:    :     50  00  57  cd
proxmark3>

Any help will be greatly appreciated.

Last question: What document/standard/paper describes the commands (like 26=REQA, 93 20=SELECT or 93 70=SELECT WITH UID) ? If you can post a link to it, that would be great ....

Thanks


#2 2010-05-11 08:57:48

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203

Re: MIFARE Classic Question ... ("hf 14a snoop/list" acting weird)

This is generally a tuning/antenna issue... Try placing the antenna in slightly different positions (closer/further away), or varying the relationship between antenna and card/reader (i.e. try it with reader/antenna/card and reader/card/antenna).

As far as the commands go, there are many public documents that describe them... This is as good as any:

http://www.proxmark.org/files/index.php … Manual.pdf

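A worked decoder for the "hf 14a list" output shown in the first post, added here as an example; it is not code from the thread or from the Proxmark3 project. It names each frame of the ISO 14443A activation sequence the traces show (REQA/WUPA, ATQA, anticollision, UID plus BCC, SELECT, SAK, HALT), recomputes the CRC_A that the Proxmark flags with "!crc", and counts reader versus tag frames, which is the quickest check for a capture like the corporate one where the reader side was not picked up. The sample lines are copied from the two traces in the thread.

```python
import re

# Constructed sample copied from the thread's two "hf 14a list" traces; the last line was flagged "!crc".
TRACE = """\
 +      0:    :     26
 +     64:   0: TAG 04  00
 +   7648:    :     93  20
 +     64:   0: TAG 6a  23  0e  c7  80
 +  10696:    :     93  70  6a  23  0e  c7  80  a8  8d
 +     64:   0: TAG 08  b6  dd
 +   7536:    :     50  00  57  cd
 +   2088:    :     93  70  9e  f0  9a  8d  79  6b     !crc
"""
# Line layout: "+<delta ETU>: <rssi>: [TAG] <hex bytes> [!crc]"; no TAG marker means reader -> tag.
LINE = re.compile(r"^\s*\+\s*(\d+):\s*\d*:\s*(TAG)?\s*((?:[0-9a-f]{2}\s*)+)")
CMDS = {0x26: "REQA", 0x52: "WUPA", 0xE0: "RATS", 0x50: "HALT", 0x30: "READ"}

def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A: init 0x6363, reflected poly 0x8408, transmitted LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))
def crc_ok(frame: bytes) -> bool:
    return len(frame) > 2 and crc_a(frame[:-2]) == frame[-2:]

def decode(who: str, f: bytes) -> str:
    """Name one frame of the ISO 14443A activation sequence and verify its checksum."""
    if who == "TAG":
        if len(f) == 2: return "ATQA " + f.hex()
        if len(f) == 5:  # 4-byte UID followed by BCC, the XOR of the four UID bytes
            bcc_ok = f[0] ^ f[1] ^ f[2] ^ f[3] == f[4]
            return "UID %s BCC %s" % (f[:4].hex(), "ok" if bcc_ok else "BAD")
        if len(f) == 3:  # SAK + CRC_A; 0x08 (bit 0x20 clear) is the MIFARE Classic 1K seen above
            return "SAK %02x crc %s" % (f[0], "ok" if crc_ok(f) else "BAD")
        return "tag reply " + f.hex()
    if f[:2] == b"\x93\x20": return "ANTICOLLISION (cascade 1)"
    name = "SELECT" if f[:2] == b"\x93\x70" else CMDS.get(f[0], "cmd %02x" % f[0])
    return name if len(f) < 3 else "%s crc %s" % (name, "ok" if crc_ok(f) else "BAD")

def parse(trace: str) -> list:
    """Return (delta_etu, 'RDR'|'TAG', decoded) for every frame line of a trace."""
    frames = [(int(m[1]), m[2] or "RDR", bytes.fromhex(m[3]))
              for m in filter(None, map(LINE.match, trace.splitlines()))]
    return [(dt, who, decode(who, f)) for dt, who, f in frames]

def talk_ratio(trace: str) -> tuple:
    """(reader frames, tag frames); a capture that is nearly all TAG missed the reader side."""
    return tuple(sum(r[1] == w for r in parse(trace)) for w in ("RDR", "TAG"))
```

Run parse() over the corporate trace from the first post and talk_ratio() comes out almost all TAG, which is the signature of a snoop that heard the card but not the reader.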

#3 2010-05-11 13:24:44

albertoparis
Member
Registered: 2010-05-06
Posts: 6

Re: MIFARE Classic Question ... ("hf 14a snoop/list" acting weird)

Hi, Adam. Thanks for your reply ...

Since the "snooping" works (apparently) on the CardMan 5321 at home, and doesn't work on the real corporate reader, I assume then that antenna/tag/reader configuration/location/position are different for different readers, due to varying power, size, etc. and that you have to find out yourself the best configuration for each type of new reader you will use, right?

I read somewhere in the forum that one of the best configurations is to place the antenna directly on top of the reader, and the tag about 1cm above the antenna. Tried that before and it didn't work very well with the home reader, and that is why I found the best config at home, and used that on the corporate reader, but now I will try that ...

About my hardware/software: I have firmware/os/bootloader from Winter'10 package (r412) and I am using the windows software (proxmark3.exe) from the same package. Is there any other better configuration (at least to work with Mifare Classic 1K)?

Thank you


#4 2010-05-11 13:56:57

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203

Re: MIFARE Classic Question ... ("hf 14a snoop/list" acting weird)

You are correct in your assumption - every reader behaves differently.

As far as software goes, the snooping functionality hasn't really changed so you're probably fine with what you've got. Unless there's a new feature you particularly want to use then I wouldn't upgrade as the development versions can be quite unstable.
