Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2013-11-04 23:31:30

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Card select failed?

I tried searching to see if any else had this same error.

When running the command "hf 14a read"
It returns "iso14443a card select failed"

proxmark3> hf 14a read
iso14443a card select failed

I have tried restarting the computer and it still shows this error.

HW VERSION:

#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 793 2013-10-03 14:31:33                 
#db# os: svn 793 2013-10-03 14:31:34                 
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56 

Let me know if you have figured out how to fix this error or if its something I am doing.

Thanks!

Offline

#2 2013-11-05 09:10:14

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

Maybe the card is not a 14a card ? Maybe the card is not a card but a small tag so your antenna is too big to detect it ? Post a picture.

Offline

#3 2013-11-05 16:28:11

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

Here is a picture of my proxmark3 setup with the High Frequency antenna:

th_A821C9B9-14C7-4E9D-ADD1-FD4629D9A394-30605-00000AB3F3E07BA7_zps651539ae.jpg

Here is a picture of the XceedID 9540 RFID card:

th_EA17AAA4-23EF-4770-9D20-6973AA60B317-30605-00000AB3FDB7DEC6_zps0904f82c.jpg

I am performing somework onsite at a clients. I have access to plenty of readers to be able to snoop on. This card doesn't allow me into higher security doors and we would like to test it to see if I can get it by possibly bruteforcing.

This is the information I found online about the card:
The XceedID 9540 is a ISO contactless smart card (13.56 MHz Credential: ISOX) with Secure Multi-App 10k bit memory/15693

Maybe I'm using the proxmark3 wrong..... I'm use to the easy LF HID commands I have never dealt with a HF card yet.

Offline

#4 2013-11-05 17:11:13

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

In fact it is not an ISO14443A card but an ISO15693 one.

Try to send one of those 2 commands and post eventual answers:

hf 15 read

or

hf 15 reader

Here and here is a quite exaustive list of their RF products; below a sum-up of the above sheets:
UpYrgZj.png

Anyway, almost 300$ for an IOS15693 card ?!?!?! They are crazy...

Offline

#5 2013-11-05 17:13:21

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: Card select failed?

memory/15693

Your card is  using the ISO15693 protocol not the ISO14443A/B, try using the 15693 Commands

Edit: I curse my slow internet connection!

Last edited by midnitesnake (2013-11-05 17:14:29)

Offline

#6 2013-11-05 17:17:55

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

Yeah I saw that online.... 300$ is CRAZY!

Here are my results

proxmark3> hf 15 reader
#db# 12 octets read from IDENTIFY request:                 
#db# NoErr CrcOK                 
#db# ..uf.... 00 00 75 66 aa 00 00 10                 
#db# ...5     05 e0 c7 35                 
#db# UID = E005100000AA6675                 
#db# 0 octets read from SELECT request:                 
#db# 0 octets read from XXX request:

Offline

#7 2013-11-05 17:44:30

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

Well, there is an Infineon chip inside that card, probably an SRF 55V, exactly a SRF 55V10S (HC), used mainly for Ticketing, Brand protection,
Loyalty Schemes, Access Control.

Here is a memory scheme of that IC:
AhSdIp2.png

For further info send this:

hf 15 cmd sysinfo -2 u

To dump card content try this command:

hf 15 dumpmemory

if it doesn't work try this one:

hf 15 cmd readmulti -2 u 0 7

that means "from block/page 0 to 7"; increment last value until you reach the end of IC memory (it has 1024bytes = 128 blocks of 8bytes each = 80 in Hex).

If you use Windows this last dump function (read each block singularly) can be automatized by the Windows GUI under "read multiple block" section.


EDIT: well, the single chip costs lot less (less than half a dollar)... 300$ for a little plastic case...

Last edited by asper (2013-11-05 17:54:46)

Offline

#8 2013-11-05 17:55:17

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

If you can please post a full dump of your tag.

Offline

#9 2013-11-05 19:47:44

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

I'm trying to run the commands..... for some reason it keeps freezing my Ubuntu 12.04 machine.  It has done it like the last 8 times I tried to run through all of those commands.

proxmark3> hf 15 dumpmemory
Reading memory from tag UID=E005100000AA6675          
Tag Info: Infineon          
Block  0   FF FF FF FF    ....          
Block  1   FF FF FF FF    ....          
Block  2   FF FF FF FF    ....          
Block  3   FF FF FF FF    ....          
Block  4   FF FF FF FF    ....          
Block  5   FF FF FF FF    ....          
Block  6   FF FF FF FF    ....          
Block  7   FF FF FF FF    ....          
Block  8   FF FF FF FF    ....          
Block  9   FF FF FF FF    ....          
Block 10   FF FF FF FF    ....          
Block 11   FF FF FF FF    ....          
Block 12   FF FF FF FF    ....          
Block 13   FF FF FF FF    ....          
Block 14   FF FF FF FF    ....          
Block 15   FF FF FF FF    ....          
Block 16   FF FF FF FF    ....          
Block 17   FF FF FF FF    ....          
Block 18   FF FF FF FF    ....          
Block 19   FF FF FF FF    ....          
Block 20   FF FF FF FF    ....          
Block 21   FF FF FF FF    ....          
Block 22   FF FF FF FF    ....          
Block 23   FF FF FF FF    ....          
Block 24   FF FF FF FF    ....          
Block 25   FF FF FF FF    ....          
Block 26   FF FF FF FF    ....          
Block 27   FF FF FF FF    ....          
Block 28   FF FF FF FF    ....          
Block 29   FF FF FF FF    ....          
Block 30   FF FF FF FF    ....          
Block 31   FF FF FF FF    ....          
Block 32   FF FF FF FF    ....          
proxmark3> hf 15 cmd readmulti -2 u 0 7
no answer          
proxmark3> hf 15 cmd sysinfo -2 u
Sending bytes to proxmark failed          
timeout: no answer

Offline

#10 2013-11-05 19:53:10

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

Maybe the tag uses proprietary commands to read blocks data, you must find a complete (full) and specific datasheet for the chip.

Offline

#11 2013-11-05 20:56:02

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

When running command it tells me this card does not support it sad

proxmark3> hf 15 cmd sysinfo -2 u
Tag returned Error 1: The command is not supported

But I can get inquiry to work

proxmark3> hf 15 cmd inquiry
UID=E005100000AA6675          
Tag Info: Infineon

Offline

#12 2013-11-05 23:43:45

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

Well, the above memory area picture seems to be related to SRF 55V10P (HC) and not to SRF 55V10S (HC).

SRF 55V10S (HC) memory organization is written here; difference is more security "layers" in this last one. Without the proprietary command set you will not be able to read that card so you need to find a datasheet with them.

You can also try to sniff traffic with PM3. If you manage to sniff post results here.

The command to sniff is:

hf iclass snoop

(used with success with oter ISO15693 tags - protocol and crc calculation are different but it should capture raw data/frames).

Last edited by asper (2013-11-06 00:08:22)

Offline

#13 2013-11-06 16:44:14

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

Using the iclass snoop i got it to return this:

proxmark3> hf iclass snoop
#db# COMMAND FINISHED                 
#db# 5 0 5                 
#db# 20 bbc 26                 
#db# 5 0 5                 
#db# 20 bbc 26   

I can do it more if this isn't all of the information you need

Offline

#14 2013-11-06 17:02:56

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

Also I performed the command again but then also afterwards did the "hf iclass list"

proxmark3> hf iclass snoop
#db# COMMAND FINISHED                 
#db# 5 0 0                 
#db# 20 bc6 26                 
#db# 5 0 0                 
#db# 20 bc6 26                 
proxmark3> hf iclass list
recorded activity:          
 ETU     :rssi: who bytes          
---------+----+----+-----------          
 +      0:   0: TAG bb! d4! bb! 0f! 0c! 00! 01  bb!    !crc          
 +  24031:   0: TAG bb! d4! bb! 08  00! 00! 02  bb!    !crc          
 +  24960:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +   1336:    :     12  a0  05  20  03  00  04  87  8e     !crc          
 +   9696:    :     12  a0  05  b6  f5  fa  fa  3a  d2  13  f9  cb  0d  84  68  67  76  b6  18  bf  ad     !crc          
 +   1757:   0: TAG 00  78  f0              
 +   4033:    :     12  a0  05  10  0e  00  fd  1d  04  f0  21  d7     !crc          
 +    862:   0: TAG 00  10  01  01  82  c0  00  7e  18  02  20  3c  30  b4  54     !crc          
 +  47308:    :     0a              
 +  16180:    :     26  01  00  f6  0a     !crc          
 +     93:   0: TAG 00  00  75  66  aa  00  00  10  05  e0  c7  35     !crc          
 +   2038:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +     94:   0: TAG 00  78  f0              
 +  21153:    :     26  01  00  f6  0a     !crc          
 +     93:   0: TAG 00! 00! 75  bb! 33! bb! 00! 0f! 00  04! bb!    !crc          
 +    615:   0: TAG bb! d4! bb! 08  00! 0f! 08  bb!    !crc          
 +     36:   0: TAG bb! d4! bb! 08  0f! 08  08  bb!    !crc          
 +     36:   0: TAG bb! d4! bb! 08  00! 0f! 08  bb!    !crc          
 +     36:   0: TAG bb! d4! bb! 00! 0f! 0f! f0! c6!    !crc  

Offline

#15 2013-11-06 17:06:47

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

I also believe that the door I "snooped" on I do not have access to get through. Does that make a difference?

Offline

#16 2013-11-06 19:42:58

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

Well:

20 01 00 = inquiry command (last omitted 2bytes should be ISO15693 crc)
22  25  75  66  aa  00  00  10  05  e0 = tag answer with it's UID (bytes in reverse order)

12  a0  05  20  03  00  04 = ???
12  a0  05  [b6  f5  fa  fa  3a  d2  13  f9  cb  0d  84  68  67  76  b6  18] = probably 16 bytes answer to the above command

it seems that command "12 0A" or better "12 0A 05" is doing something... maybe it is a "read block 05" ? No, probably not, because each block is 8bytes and not 16... so maybe it is the authentication sequence...

1 - Try to send the inquiry command first and then send that "raw command" (12 0A or 12 05 05).

2 - Also try to snoop the same activity and look if bytes of 12 0A command (and respective answers) are always the same or the change.

3 - Try to snoop both a door where you can access and where you cannot access... we need more commands log ! wink


EDIT
Clarification: the command should be A0 (starting form A0 to DF are "Custom" commands - for example "inquiry" command is 01 and not 20).

Last edited by asper (2013-11-06 19:57:51)

Offline

#17 2013-11-06 20:29:26

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

Part #1:

proxmark3> hf 15 cmd inquiry
UID=E005100000AA6675          
Tag Info: Infineon          
proxmark3> hf 15 cmd raw 12 05 05
received 0 octets          
          
proxmark3> hf 15 cmd raw 12 0A
received 0 octets    

I'll do the next parts now

Offline

#18 2013-11-06 20:35:52

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

First snoop is a door I have access. Second snoop is a door I don't have access too

proxmark3> hf iclass snoop
#db# COMMAND FINISHED                 
#db# 5 0 5                 
#db# 20 bbd 26                 
#db# 5 0 5                 
#db# 20 bbd 26                 
proxmark3> hf iclass snoop
#db# COMMAND FINISHED                 
#db# 5 0 c                 
#db# 20 bbc 22                 
#db# 5 0 c                 
#db# 20 bbc 22 

Offline

#19 2013-11-06 20:37:08

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

I just ran the list command twice and on the second run I got all of this output...... This includes a door I don't have access too.

proxmark3> hf iclass list
recorded activity:          
 ETU     :rssi: who bytes          
---------+----+----+-----------          
 +      0:   0: TAG bb! 33! bb! 00! 00! 00! 04  bb!    !crc          
 +  23384:   0: TAG bb! d4! bb! 00! 00! 00! 04  bb!    !crc          
 +   1559:    :     26  01  00  f6  0a     !crc          
 +  24022:    :     26  01  00  f6  0a     !crc          
 +     95:   0: TAG bb! d4! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  00! 0f! 04  bb!    !crc          
 +     40:   0: TAG bb! 03! bb! 0f! 0f! 0e  04  bb!    !crc          
 +    120:   0: TAG bb! 03! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     48:   0: TAG ff! ff! bb! 33! bb! 00! 01  0e  04! bb     !crc          
 +   1701:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +     95:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     40:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  00! 00! 04  bb!    !crc          
 +   1025:    :     12  a0  05  20  03  00  04  87  8e     !crc          
 +    479:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0e  01  0f! 04  bb!    !crc          
 +     40:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     40:   0: TAG bb! 03! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     48:   0: TAG bb! 03! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  01  0f! 04  bb!    !crc          
 +     40:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     40:   0: TAG bb! d4! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  01  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 0f! 0f! 04  bb!    !crc          
 +     56:   0: TAG bb! d4! bb! 0e  01  0f! 04  bb!    !crc          
 +     56:   0: TAG 0e              
 +   8149:    :     12  a0  05  99  f5  fa  fa  7e  fd  b4  da  28  9d  3c  b6  d4  a7  c0  9b  26  1c     !crc          
 +   5788:    :     12  a0  05  10  0e  00  e7  69  85  36  b9  1d     !crc          
 +  64352:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +     95:   0: TAG bb! d4! bb! 0f! 0f! 0d  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0d  0f! 0d  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0d  0f! 0d  04  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 0d  0f! 04  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0d  0f! 0d  04  bb!    !crc          
 +     40:   0: TAG bb! d4! bb! 0f! 0d  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0c! 00! 00! 04  bb!    !crc          
 +  20924:    :     26  01  00  f6  0a     !crc          
 +     94:   0: TAG 00! bb! 33! bb! 00! 00! 00! 01  bb     !crc          
 +   2037:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21872:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21234:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21871:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21235:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +     94:   0: TAG bb! 33! bb! 00! 00! 00! 02  bb!    !crc          
 +  21776:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21236:    :     26  01  00  f6  0a     !crc          
 +   2131:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21871:    :     26  01  00  f6  0a     !crc          
 +     94:   0: TAG 00! bb! 33! bb! 00! 00! 00! 02  bb     !crc          
 +   2038:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21234:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21872:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +    313:   0: TAG bb! 33! bb! 00! 00! 00! 01  bb!    !crc          
 +  20921:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +    314:   0: TAG bb! 33! bb! 00! 00! 00! 02  bb!    !crc          
 +  21556:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +     95:   0: TAG 00! bb! 33! bb! 00! 00! 00! 04  bb     !crc          
 +  21141:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21866:    :     26  01  00  f6  0a     !crc          
 +     94:   0: TAG bb! 33! bb! 00! 00! 00! 02  bb!    !crc          
 +    796:   0: TAG bb! 33! bb! 00! 00! 00! 02  bb!    !crc          
 +   1242:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21234:    :     26  01  00  f6  0a     !crc          
 +     97:   0: TAG bb! d4! bb! 0f! 0f! 00! 01  bb!    !crc          
 +   2035:    :     22  25  75  3e  b0  33  61  3f  7f  00  00  1b     !crc          
 +-1984691:    :     31  61  3f  7f  00  00  a6  1e  00  eb  09  00  00  0c  00  00  00  00  aa  00  00  10  1f  00  00  00  69  f9  1e  00  9c  e5  44  00  00  00  00  00  f6  0a  bd  01  1f  00  eb  09  00  00  00  00  25     !crc          
 +11167349:    :     44  b0  44  9b  f9  5d  3f  7f  00  00  26  01  00  f6  0a  04  5d  1f  00  eb  09  00  00  0c  22  25  75  66  aa     !crc   

Last edited by bad biddy (2013-11-06 20:38:24)

Offline

#20 2013-11-06 20:41:37

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

I restarted proxmark to gather new fresh information:

Another snoop on a door I don't have access too:

proxmark3> hf iclass snoop
#db# COMMAND FINISHED                 
#db# 5 0 0                 
#db# 20 bc1 26                 
#db# 5 0 0                 
#db# 20 bc1 26 

List output after that:

proxmark3> hf iclass list
recorded activity:          
 ETU     :rssi: who bytes          
---------+----+----+-----------          
 +      0:    :     26  01  00  f6  0a     !crc          
 +     94:   0: TAG bb! d4! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  00! 0f! 04  bb!    !crc          
 +     40:   0: TAG bb! 03! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     56:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     40:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0e  0f! 0e  04  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  00! 0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0e  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0e  0f! 0e  04  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0e  00! 00! 04  bb!    !crc          
 +   1245:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +     95:   0: TAG bb! d4! bb! 0f! 0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 0e  0f! 04  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0e  0f! 0e  04  bb!    !crc          
 +     40:   0: TAG bb! d4! bb! 0f! 0e  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0e  00! 00! 04  bb!    !crc          
 +   1025:    :     12  a0  05  20  03  00  04  87  8e     !crc          
 +   9680:    :     12  a0  05  96  f5  fa  fa  a1  55  d0  9d  f1  bb  ed  aa  4a  e5  38  97  1c  7f     !crc          
 +   1759:   0: TAG 00  78  f0              
 +   4001:    :     12  a0  05  10  0e  00  42  2b  2f  7d  45  cc     !crc          
 +    861:   0: TAG 00  10  01  01  82  c0  00  7e  18  21  03  14  5c  ec  56     !crc          
 +  63491:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21235:    :     26  01  00  f6  0a     !crc          
 +     94:   0: TAG bb! d4! bb! 0b  0f! 0f! 01  bb!    !crc          
 +     35:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 08  03! 0f! 02  bb!    !crc          
 +     37:   0: TAG bb! 03! bb! 0b  0f! 0f! 01  bb!    !crc          
 +     56:   0: TAG bb! d4! bb! 0f! 0b  0f! 01  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 0b  0f! 01  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 03! 0f! 0f! 01  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0f! 0b  0f! 01  bb!    !crc          
 +     35:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     37:   0: TAG bb! d4! bb! 0f! 0b  0f! 01  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 0b  0f! 01  bb!    !crc          
 +     51:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 08  03! 0f! 02  bb!    !crc          
 +     36:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     36:   0: TAG bb! d4! bb! 08  03! 0f! 02  bb!    !crc          
 +     36:   0: TAG bb! 03! bb! 03! 0f! 0b  02  bb!    !crc          
 +     52:   0: TAG bb! d4! bb! 0b  0f! 0f! 02  bb!    !crc          
 +   1259:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +     94:   0: TAG bb! d4! bb! 0b  0f! 0f! 01  bb!    !crc          
 +     35:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     45:   0: TAG bb! d4! bb! 0b  0f! 0b  01  bb!    !crc          
 +     35:   0: TAG bb! d4! bb! 0b  0f! 0b  02  bb!    !crc          
 +     37:   0: TAG bb! d4! bb! 0b  0f! 0b  01  bb!    !crc          
 +     35:   0: TAG bb! d4! bb! 08  00! 00! 02  bb!    !crc          
 +  21558:    :     26  01  00  f6  0a     !crc          
 +     94:   0: TAG bb! d4! bb! 07  0f! 0f! 02  bb!    !crc          
 +     31:   0: TAG bb! d4! bb! 0f! 07  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 07  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 07  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 00! 07  04  bb!    !crc          
 +     41:   0: TAG bb! 03! bb! 07  0f! 0f! 02  bb!    !crc          
 +     56:   0: TAG bb! d4! bb! 0f! 07  0f! 02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 07  0f! 02  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 07  0f! 0f! 02  bb!    !crc          
 +     48:   0: TAG bb! d4! bb! 0f! 07  0f! 02  bb!    !crc          
 +     31:   0: TAG bb! d4! bb! 0f! 07  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 07  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 07  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 07  0f! 04  bb!    !crc          
 +     41:   0: TAG bb! d4! bb! 0f! 07  0f! 02  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 07  0f! 02  bb!    !crc          
 +     47:   0: TAG bb! d4! bb! 0f! 07  0f! 04  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 00! 07  04  bb!    !crc          
 +     33:   0: TAG bb! d4! bb! 07  0f! 07  02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 0f! 07  0f! 02  bb!    !crc          
 +     32:   0: TAG bb! d4! bb! 07  0f! 0f! 02  bb!    !crc          
 +     32:   0: TAG bb! 03! bb! 0f! 07  0f! 02  bb!    !crc          
 +     47:   0: TAG bb! d4! bb! 0f! 00! 00! 04  bb!    !crc          
 +   1247:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21234:    :     26  01  00  f6  0a     !crc          
 +   2132:    :     22  25  75  66  aa  00  00  10  05  e0  1d  44     !crc          
 +  21872:    :     26  01  00  f6  0a     !crc          
 +     93:   0: TAG 0f              

Offline

#21 2013-11-06 22:03:54

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

The command after inquiry is 12 0A 05, i wrote it wrong in my post, sorry. Try also to send the same sniffed command (remember to enable/disable crc with raw commands).

Offline

#22 2013-11-06 22:22:23

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

Here is the command again--- I got some wierd symbol at the end as well.

proxmark3> hf 15 cmd inquiry
UID=E005100000AA6675          
Tag Info: Infineon          
proxmark3> hf 15 cmd raw 12 0A 05
received 0 octets          
 $h    

Offline

#23 2013-11-06 22:29:45

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

I was messing around with the raw commands:

proxmark3> hf 15 cmd inquiry
UID=E005100000AA6675          
Tag Info: Infineon          
proxmark3> hf 15 cmd raw -c 12 0A 05
received 4 octets          
01 01 16 07    

Offline

#24 2013-11-07 00:08:23

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

Yes last one is an answer! If you send it again is it the same? Try to resend with raw  the same bytes as appeared in the sniffed log 12 0A 05 ....... (with crc if you omit last 2 bytes).

Offline

#25 2013-11-07 00:13:18

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

Yeah I get the same response

proxmark3> hf 15 cmd raw -c 12 0A 05
received 4 octets          
01 01 16 07  

Offline

#26 2013-11-07 01:06:56

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

Try to send also the other bytes after 05...

Offline

#27 2013-11-07 02:25:21

bad biddy
Contributor
Registered: 2013-11-04
Posts: 16

Re: Card select failed?

I think I tried what your asking here:

proxmark3> hf 15 cmd inquiry
#db# SEND                 
#db# &....    26 01 00 f6 0a                 
#db# RECV                 
#db# NoErr CrcOK                 
#db# ..uf.... 00 00 75 66 aa 00 00 10                 
#db# ...5     05 e0 c7 35                 
UID=E005100000AA6675          
Tag Info: Infineon          
proxmark3> hf 15 cmd raw -c 12 a0 05 20 03 00 04
#db# SEND                 
#db# ... .... 12 a0 05 20 03 00 04 87                 
#db# .        8e                 
#db# RECV                 
received 0 octets          
          
proxmark3> hf 15 cmd raw -c 12 a0 05 20 03 00 04 87 
#db# SEND                 
#db# ... .... 12 a0 05 20 03 00 04 87                 
#db# ..       f6 f0                 
#db# RECV                 
received 0 octets          

Offline

#28 2013-11-07 10:54:47

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Card select failed?

So the card must be selected before sending the A0 command; send the following raw commands in sequence (use the -c option to auto-calculate crc):

26 01 00    <-- inquiry
22  25  75  66  aa  00  00  10  05  e0    <-- select [25] card using its UID
then try to send:
12 A0 05 and log the answer

now repeat the above but substitute 12 A0 05 with 12  a0  05  20  03  00  04, and then send:
12  a0  05  96  f5  fa  fa  a1  55  d0  9d  f1  bb  ed  aa  4a  e5  38  97

trag should answer 00 (or gives an error if the last byte sequence is generated in an uknown way).


Probably the reader is trying to authenticate using the static value 20 03 00 04 (password ? start of challenge/response?) and then send a sequence of unknow bytes to the card waiting a correct answer.

Offline

Board footer

Powered by FluxBB