Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-12-17 21:58:48

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Trying to clone Disney Infinity tokens

I found on the Internet the key algo for the Disney Infinity tokens. I can calculate my tokens' passwords and I've successfully dumped them. I have some magic cards but they are mifare classic (SAK 0x08), 4 byte UID, and Disney Infinity tags are mifare mini (SAK 0x09), 7 byte UID. I tried to make some clones by using the Mifare Classic Tool android app but I can't make proper clones, so I've ordered a proxmark3 easy. I hope it's here in 10 days and till it arrives I'm reading quite a lot about the commands and possibilities of the proxmark3. When I have it I'll try again, but in the meantime I would like to know if I need anything else. When the proxmark3 easy arrives will I have everything I need or do I need another kind of magic cards? I have my dumps in .eml format ready to use and I'll try to load them to the magic cards directly. In other words, I'm assuming mifare classic cards are compatible with mifare mini. Will it work? I know the best way to know is to try it, but I'm asking because if I had to order anything else, I'd like to do it asap (things from China take weeks to arrive). Thanks in advance.

Edit:
This is what my Ahsoka Tano dump looks like (in case it helps)

0497CA4A913780894400C20000000000
C2DC29FB34DF2A68404A3E8AB9AFC501
76971F19239F6054ECC95E243EA042B6
80D12B916E7117878E0080D12B916E71
6DB500D07EBD9DE11B9AC40AF97DA962
6DB500D07EBD9DE11B9AC40AF97DA962
00000000000000000000000000000000
80D12B916E717787880080D12B916E71
6DB500D07EBD9DE11B9AC40AF97DA962
6DB500D07EBD9DE11B9AC40AF97DA962
00000000000000000000000000000000
80D12B916E717787880080D12B916E71
6DB500D07EBD9DE11B9AC40AF97DA962
6DB500D07EBD9DE11B9AC40AF97DA962
00000000000000000000000000000000
80D12B916E717787880080D12B916E71
00000000000000000000000000000000
00000000000000000000000000000000
A23A00003591602200000000696F6AB0
80D12B916E717787880080D12B916E71

[27/12/2018]
I got my proxmark3 today. I flashed the bootrom and the firmware. I followed this guide https://github.com/Proxmark/proxmark3/wiki/Windows So far so good. It took me some time as I'm a noob but I did it. I can communicate with my proxmark3. Some captures:

Hardware:

proxmark3> hw version
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-35-g0d5545c-dirty-suspect 2018-12-13 21:51:14
os: master/v3.1.0-35-g0d5545c-dirty-suspect 2018-12-27 21:15:15
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/09/12 at 15:18:46
SmartCard Slot: not available

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 194961 bytes (37%). Free: 329327 bytes (63%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

Tuning:

proxmark3> hw tune

Measuring antenna characteristics, please wait.........
# LF antenna: 31.76 V @   125.00 kHz
# LF antenna: 24.34 V @   134.00 kHz
# LF optimal: 32.04 V @   122.45 kHz
# HF antenna: 24.71 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

One of my UID changeable chinese cards:

proxmark3> hf search

 UID : 1d ae da 3c
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK

Valid ISO14443A Tag Found - Quiting Search

I read the first sector from my Ahsoka Tano token:

proxmark3> hf mf rdsc 0 a 80d12b916e71
--sector no:0 key type:A key:80 d1 2b 91 6e 71

#db# READ SECTOR FINISHED
isOk:01
data   : 04 97 ca 4a 91 37 80 89 44 00 c2 00 00 00 00 00
data   : c2 dc 29 fb 34 df 2a 68 40 4a 3e 8a b9 af c5 01
data   : 76 97 1f 19 23 9f 60 54 ec c9 5e 24 3e a0 42 b6
trailer: 00 00 00 00 00 00 17 87 8e 00 00 00 00 00 00 00
Trailer decoded:
Access block 0: read AB; write AB; increment AB; decrement transfer restore AB
Access block 1: read AB
Access block 2: read AB
Access block 3: read ACCESS by AB
UserData: 00

I'm trying to do a proper dump of my figure but I don't know how. How can I make a full dump of it? I know I have to get it into the emulator first but I don't know how. I tried the nested attack (I used the one key) but it didn't work. I finally got a proper dump (see below). Now I want to clone it but I need some help.

@Iceman
Considering I want to work with mifare mini tags, should I download your fork and start it over? You know, make/compile the files again. I copied the lua scripts and the lua libs from the fork. That should be enough. Shouldn't it?

I think I'm getting closer. I created a txt file called mydictionary (.dic) and added Ahsoka Tano's pass. After that I used:

proxmark3> hf mf chk *0 ? d mydictionary.dic
--chk keys. sectors: 5, block no:  0, key type:B, eml:n, dmp=y checktimeout=471 us
chk custom key[ 0] 80d12b916e71

To cancel this operation press the button on the proxmark...
--o
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  80d12b916e71  | 1 |  80d12b916e71  | 1 |
|001|  80d12b916e71  | 1 |  80d12b916e71  | 1 |
|002|  80d12b916e71  | 1 |  80d12b916e71  | 1 |
|003|  80d12b916e71  | 1 |  80d12b916e71  | 1 |
|004|  80d12b916e71  | 1 |  80d12b916e71  | 1 |
|---|----------------|---|----------------|---|
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.

And then

proxmark3> hf mf dump 0
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  1.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  1.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  1.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  1.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  2.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  2.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  2.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  2.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  3.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  3.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  3.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  3.
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  4.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  4.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  4.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  4.
Dumped 20 blocks (320 bytes) to file dumpdata.bin

And

proxmark3> script run dumptoemul -o Ahsoka.eml
--- Executing: dumptoemul.lua, args '-o Ahsoka.eml'
Wrote an emulator-dump to the file Ahsoka.eml

But when I try to clone the token

proxmark3> hf mf cload Ahsoka
Chinese magic backdoor commands (GEN 1a) detected
Loading magic mifare 1K
File reading error.

I also get an error when trying to load the dump into the emulator

proxmark3> hf mf eload Ahsoka
....................File reading error.

Not a proper .eml file? A permission problem? Any help would be much appreciated.

I also tried this after using "hf mf dump 0":

proxmark3> hf mf cload e
Chinese magic backdoor commands (GEN 1a) detected
Loading magic mifare 1K

I didn't get an error, but it seems I couldn't clone it properly as the proxmark3 no longer identifies the card I used to make the clone:

proxmark3> hf search

Card doesn't support standard iso14443-3 anticollision
ATQA : 00 00

no known/supported 13.56 MHz tags found

I noticed that the first dump (the one I made by using MFCT android app) and the one I've made with the proxmark3 don't match. This is the last dump:

0497ca4a913780894400c20000000000
c2dc29fb34df2a68404a3e8ab9afc501
76971f19239f6054ecc95e243ea042b6
80d12b916e7117878e0080d12b916e71
9d7e47fb92381a3273ec0aa2aec58b9b
6db500d07ebd9de11b9ac40af97da962
00000000000000000000000000000000
80d12b916e717787880080d12b916e71
91f811dec78a0beda814069136018514
6db500d07ebd9de11b9ac40af97da962
00000000000000000000000000000000
80d12b916e717787880080d12b916e71
adde486341214df7262cfdc87c35480a
adde486341214df7262cfdc87c35480a
00000000000000000000000000000000
80d12b916e717787880080d12b916e71
00000000000000000000000000000000
00000000000000000000000000000000
a23a00003591602200000000696f6ab0
80d12b916e717787880080d12b916e71

The first block of sectors 1, 2 and 3 is different. Same for the second block in sector 3. Why?

While I wait for help I'm reading scripts from Iceman's fork. For instance, I tried the calc_di script and I got the same key:

proxmark3> script run calc_di -u 0497ca4a913780
--- Executing: calc_di.lua, args '-u 0497ca4a913780'
============================================================

|UID|   0497ca4a913780
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  80D12B916E71  | 1 |  80D12B916E71  | 1 |
|001|  80D12B916E71  | 1 |  80D12B916E71  | 1 |
|002|  80D12B916E71  | 1 |  80D12B916E71  | 1 |
|003|  80D12B916E71  | 1 |  80D12B916E71  | 1 |
|004|  80D12B916E71  | 1 |  80D12B916E71  | 1 |
|---|----------------|---|----------------|---|
###     dumping keys to file
Do you wish to save the keys to dumpfile? [y/n] ?n

-----Finished

I also tried the didump script but I'm not sure about how to use it

proxmark3> script run didump -r
--- Executing: didump.lua, args '-r'
TESTDATA    :: 000F42430D0A14000001D11F5D738517
DATA        :: 000F42430D0A14000001D11F
CHKSUM      :: 5D738517
CHKSUM CALC :: 5D738517
UPDATE CHKSUM :: 000F42430D0A14000001D11F5D738517
#db# Debug level: 0
0497CA4A913780  6dd747e86975

Where is the raw dump? Is it in the emulator?

I've just discovered the remagic script and I recovered 5 UID magic cards. Thanks!

proxmark3> script run remagic
--- Executing: remagic.lua, args ''
hf 14a raw -p -a -b 7 40
received 1 bytes:
0A
hf 14a raw -p -a 43
received 1 bytes:
0A
hf 14a raw -c -p -a A000
received 1 bytes:
0A
hf 14a raw -c -p -a 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01
received 1 bytes:
0A

-----Finished

By the way, could this script be modified so that it turns block 0 into whatever we need? 0497CA4A913780894400C20000000000 for Ahsoka Tano dump. I tried it by writing [3] = "hf 14a raw -c -p -a 04 97 ca 4a 91 37 80 89 44 00 c2 00 00 00 00 00", but it seems that I have to modify something else.

Last edited by zantzue (2018-12-30 14:19:31)


#2 2018-12-28 22:52:03

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: Trying to clone Disney Infinity tokens

I'm running out of ideas. Is there any way I can clone my DI tokens? Is it possible by using mifare classic 1k UID rewritable tags? I know a seller at aliexpress that may produce some round shape 25 mm NFC UID rewritable mf1 s20 tags for me (they don't sell that item) but the sample wouldn't be cheap. Would it be possible if I used them?

Edit: Now I'm using Iceman's fork. This is how far I got (Anakin token from DI3):

pm3 --> hf mf nested 0 0 A 90db1509f253 d
[+] Testing known keys. Sector count=5

[-] Chunk: 1.1s | found 10/10 keys (21)
[+] Time to check 20 known keys: 1 seconds

[+] enter nested attack
[+] time in nested: 1 seconds

[+] trying to read key B...
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  90db1509f253  | 1 |  90db1509f253  | 1 |
|001|  90db1509f253  | 1 |  90db1509f253  | 1 |
|002|  90db1509f253  | 1 |  90db1509f253  | 1 |
|003|  90db1509f253  | 1 |  90db1509f253  | 1 |
|004|  90db1509f253  | 1 |  90db1509f253  | 1 |
|---|----------------|---|----------------|---|
[+] saving keys to binary file hf-mf-043867628B3A80-key.bin...
pm3 --> hf mf dump 0
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
[+] successfully read block  0 of sector  0.
[+] successfully read block  1 of sector  0.
[+] successfully read block  2 of sector  0.
[+] successfully read block  3 of sector  0.
[+] successfully read block  0 of sector  1.
[+] successfully read block  1 of sector  1.
[+] successfully read block  2 of sector  1.
[+] successfully read block  3 of sector  1.
[+] successfully read block  0 of sector  2.
[+] successfully read block  1 of sector  2.
[+] successfully read block  2 of sector  2.
[+] successfully read block  3 of sector  2.
[+] successfully read block  0 of sector  3.
[+] successfully read block  1 of sector  3.
[+] successfully read block  2 of sector  3.
[+] successfully read block  3 of sector  3.
[+] successfully read block  0 of sector  4.
[+] successfully read block  1 of sector  4.
[+] successfully read block  2 of sector  4.
[+] successfully read block  3 of sector  4.
[+] dumped 20 blocks (320 bytes) to file hf-mf-043867628B3A80-data.bin
pm3 --> script run dumptoemul -i hf-mf-043867628b3a80-data.bin -o Anakin.eml
[+] Executing: dumptoemul.lua, args '-i hf-mf-043867628b3a80-data.bin -o Anakin.eml'

Wrote an emulator-dump to the file Anakin.eml

[+] Finished

pm3 --> hf mf cload Anakin
....................

[!] File content error. There must be 64 blocks

I edited the Anakin.eml file so that it now contains 64 blocks (filled it with zeros). I successfully wrote the magic card, but the game doesn't recognize it.

I also tried with no luck:

pm3 --> hf mf eload 0 Anakin
....................

[+] Loaded 20 blocks from file: Anakin.eml
pm3 --> hf mf cload e
................................................................
pm3 -->

Edit: Could the "hf mf csetuid" command be used to turn a mifare classic magic card into a mifare mini one? I tried it and apparently I did it.

pm3 --> hf mf csetuid 0497ca4a 0004 09
--wipe card:NO  uid:04 97 CA 4A
[+] old block 0:  4A A1 83 A5 CD 09 04 00 44 00 C2 00 00 00 00 00
[+] new block 0:  04 97 CA 4A 13 09 04 00 44 00 C2 00 00 00 00 00
[+] old UID:00 00 00 00
[+] new UID:04 97 CA 4A
pm3 --> hf search
 UID : 04 97 CA 4A
ATQA : 00 04
 SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK

[+] Valid ISO14443-A Tag Found

Then I loaded a dump.

pm3 --> hf mf eload 0 Ahsoka
....................

[+] Loaded 20 blocks from file: Ahsoka.eml
pm3 --> hf mf cload e
................................................................

But when I use "hf search" the proxmark3 doesn't recognize it as a mifare mini tag (and the DI game I'm trying to use it with doesn't either).

pm3 --> hf search
Card doesn't support standard iso14443-3 anticollision
ATQA : 89 80

[+] Valid ISO14443-A Tag Found

Last edited by zantzue (2018-12-31 00:12:46)


#3 2019-05-24 21:46:50

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: Trying to clone Disney Infinity tokens

Me again...
Now I'm trying to sim DI tokens with the proxmark. I made a raw clone.

script run didump -r

I got a file called datadump.json. I want to load it into the emulator by using

hf mf eload 0 "file"

I guess I have to convert it to .eml but I don't know how. I opened the file with the HxD program and copied and pasted the content into an .eml file. I can load 20 blocks but when I use

hf 14a sim t 6 u "7byteUID"

the game doesn't recognize it. I also tried to export the file. This is my dump https://www.dropbox.com/s/biag6gfprsgf8n6/dumpdata.json?dl=0. Any help would be much appreciated.

Edit:
If I open the datadump.json file with HxD I see

046549222B3580894400C20000000000
000F425B0D0C1C020001D11FBF288149
148DC0BE1BD7D2B40C77E6E653363FBC
513F3A2456B817878E00513F3A2456B8
000000DF021973570080001080DA37D8
00000000000000000000000000000000
00000000000000000000000000000000
513F3A2456B877878800513F3A2456B8
000000DF021973554080000FEC063170
0000000000000000000000FF2D02EF8D
00000000000000000000000000000000
513F3A2456B877878800513F3A2456B8
000000000000000087A68A028219BEBD
000000000000000087A68A028219BEBD
00000000000000000000000000000000
513F3A2456B877878800513F3A2456B8
00000000000000000000000000000000
00000000000000000000000000000000
B33600002DD2B83100000000F7586F8E
513F3A2456B877878800513F3A2456B8

But if I use key A to read the token by using Mifare Classic Tool I see

046549222B3580894400C20000000000
7527B1ACD719792A0C22507E15B1668A
CD1DE5E7DB79DA532A82C71E7D2AAEA0
513F3A2456B817878E00513F3A2456B8
3E40FE42F077BC2DAE7A6F9349CCA3EE
D0324FB6DD7E52D39892D3CC32115023
00000000000000000000000000000000
513F3A2456B877878800513F3A2456B8
40314AE7A153AB45038FFBB38391B0FA
3B7F4DD1A9AB14BDAC77981029F03395
00000000000000000000000000000000
513F3A2456B877878800513F3A2456B8
ADDD8F1136503731FAFEB2A862360D76
ADDD8F1136503731FAFEB2A862360D76
00000000000000000000000000000000
513F3A2456B877878800513F3A2456B8
00000000000000000000000000000000
00000000000000000000000000000000
B33600002DD2B83100000000F7586F8E
513F3A2456B877878800513F3A2456B8

Does it make any sense? Neither of them works if I try to simulate them.

Last edited by zantzue (2019-05-27 06:44:23)
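An added example, not code from the thread or from the Proxmark3 project, covering the three things the posts above keep running into: reading the .eml dump format, decoding the sector-trailer access bits the way "hf mf rdsc" printed them in post #1, listing which blocks differ between two dumps of the same token (posts #1 and #3), and padding a 20-block Mini dump to the 64 blocks "hf mf cload" asked for in post #2 with transport-configuration trailers instead of zeros (an all-zero trailer has inconsistent access bits). The sample blocks are sectors 0 and 1 of the Ahsoka dumps in post #1; the access-condition tables are the ones in the MIFARE Classic datasheet.

```python
# Added example, not from the thread or the Proxmark3 project: parse an .eml dump,
# decode trailer access bits as "hf mf rdsc" prints them, diff two dumps, and pad
# a 20-block MIFARE Mini dump to the 64 blocks "hf mf cload" wants for a 1K card.
from typing import Dict, List

# Constructed sample: sectors 0 and 1 of the first Ahsoka dump in post #1.
EML_A = """0497CA4A913780894400C20000000000
C2DC29FB34DF2A68404A3E8AB9AFC501
76971F19239F6054ECC95E243EA042B6
80D12B916E7117878E0080D12B916E71
6DB500D07EBD9DE11B9AC40AF97DA962
6DB500D07EBD9DE11B9AC40AF97DA962
00000000000000000000000000000000
80D12B916E717787880080D12B916E71"""
# Same sectors as the Proxmark3 read them later in post #1: block 4 had changed.
EML_B = EML_A.replace("6DB500D07EBD9DE11B9AC40AF97DA962",
                      "9d7e47fb92381a3273ec0aa2aec58b9b", 1)
# Conditions per (C1, C2, C3) for data blocks and trailers, from the MIFARE Classic datasheet.
DATA_COND = {
    (0, 0, 0): "read AB; write AB; increment AB; decrement transfer restore AB",
    (0, 1, 0): "read AB", (1, 0, 0): "read AB; write B",
    (1, 1, 0): "read AB; write B; increment B; decrement transfer restore AB",
    (0, 0, 1): "read AB; decrement transfer restore AB",
    (0, 1, 1): "read B; write B", (1, 0, 1): "read B", (1, 1, 1): "never",
}
TRAILER_COND = {
    (0, 0, 0): "write A by A; read ACCESS by A; read B by A; write B by A",
    (0, 1, 0): "read ACCESS by A; read B by A", (1, 1, 0): "read ACCESS by AB",
    (1, 0, 0): "write A by B; read ACCESS by AB; write B by B",
    (0, 0, 1): "write A by A; read ACCESS by A; write ACCESS by A; read B by A; write B by A",
    (0, 1, 1): "write A by B; read ACCESS by AB; write ACCESS by B; write B by B",
    (1, 0, 1): "read ACCESS by AB; write ACCESS by B", (1, 1, 1): "read ACCESS by AB",
}
# Factory ("transport") trailer: keys FF.., access bytes FF 07 80, user byte 69.
TRANSPORT_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF")

def parse_eml(text: str) -> List[bytes]:
    """One 16-byte block per line of hex, as dumptoemul.lua writes it."""
    return [bytes.fromhex(line) for line in text.splitlines() if line.strip()]

def decode_access(trailer: bytes) -> Dict[int, str]:
    """C1: high nibble of byte 7; C2: low, C3: high nibble of byte 8; bytes 6-7 hold the inverses."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if (b6 & 0xF, b6 >> 4, b7 & 0xF) != (~c1 & 0xF, ~c2 & 0xF, ~c3 & 0xF):
        raise ValueError("inconsistent access bits (a real card checks these before accepting them)")
    return {i: (TRAILER_COND if i == 3 else DATA_COND)[
        ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1)] for i in range(4)}

def diff_dumps(a: List[bytes], b: List[bytes]) -> List[int]:
    """Block numbers whose content differs between two dumps of the same tag."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def pad_to_1k(blocks: List[bytes]) -> List[bytes]:
    """Extend to 64 blocks: zero data blocks plus a transport trailer per added sector."""
    return blocks + [TRANSPORT_TRAILER if i % 4 == 3 else bytes(16) for i in range(len(blocks), 64)]
```

Running decode_access on block 3 of the sample reproduces the four "Access block" lines of the rdsc output in post #1; running it on an all-zero block raises, which is why zero-filled padding of a dump is worth a second look.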
