Research, development and trades concerning the powerful Proxmark3 device.
Hi people,
First of all, sorry for my English; I'm from Catalonia.
Several weeks ago I got some results from a trace of the bus ticketing system in my village. It is based on Mifare cards.
I've already achieved good results in other situations: I eavesdropped on the authentication process and ran crapto to obtain the key.
But this time I obtained a trace that I think does not match the "good trace" or "typical trace" concept posted in several places on the forum. There is no typical "Reader" and "Tag" conversation. After reviewing several parts of the forum I decided I was not able to identify a similar situation, so I am posting my problem. I attach the trace below.
>> Started prox, built Apr 15 2009 15:14:53
>> Connected to device
> hi14asnoop
#db# blew circular buffer!
#db# 00000191, 00000000, 00000004
#db# 00000020, 0000022e, 00000031
> hi14alist
recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
+ 0: : 52
+ 1464: : 93 70 aa 4d 06 5c bd 28 20
+ 1736: : 60 3c 1a 80
+ 1320: : e2 a0 c5 f0 d9 9c bf 06 !crc
+ 1936: : b4 51 8c 93 !crc
+ 1672: : f6 bc 35 04 !crc
+ 1376: : 52
+ 64: 0: TAG 02 00
+ 1400: : 93 70 aa 4d 06 5c bd 28 20
+ 64: 0: TAG 18 37 cd
+ 1656: : 60 0c 99 b1
+ 112: 0: TAG 13 cf 4d 6b
+ 760: : 8c 13
+ 512: 0: TAG 64 df! f6! 94
+ 1087: : 66 fc bf 9a !crc
+ 73: 0: TAG f1 3d! 7f 73 17 99 8d! f0! 8d! 9c 14 d8 28 c4! 18! 7e e2 9a !crc
+ 3103: : 96 98 ac 68 !crc
+ 1376: : 52
+ 64: 0: TAG 02 00
+ 1408: : 93 70 aa 4d 06 5c bd 28 20
+ 64: 0: TAG 18 37 cd
+ 1656: : 60 14 50 2d
+ 112: 0: TAG 1f 05 d3 3c
+ 1208: : a0 e2 dc ba 38 84 2f 85 !crc
+ 64: 0: TAG c6 35 46 22!
+ 1096: : bc a1 41 19 !crc
+ 72: 0: TAG 35 c0 ff b2 ac 62! 9e 7b 0d! a5 d3 5d 01! c7 1b! 35! 43 d0 !crc
+ 3040: : 8a 41 db 75 !crc
+ 1375: : 52
+ 65: 0: TAG 02 00
+ 1407: : 93 70 aa 4d 06 5c bd 28 20
+ 64: 0: TAG 18 37 cd
+ 1656: : 60 0d 10 a0
+ 112: 0: TAG 31 a9 12 c3
+ 1208: : e7 28 80 94 99 9c a8 57 !crc
+ 64: 0: TAG 10 f0 e0 1e
+ 1096: : 3e 53 0d 33 !crc
+ 72: 0: TAG d6! 26! 40! ea 3b 9b! 28! 23! 30 b8! a7 63 72! f3 1e! f0! 86 aa! !crc
+ 2296: : 31 9d 80 b6 !crc
I understand the "!" characters, since the parity bits are calculated from the plaintext.
I hope I'm explaining myself. I built the USB antenna and I got more or less 5700 mV on it. Here are my questions:
1) First of all... perhaps there is a buffer overflow in my trace? Perhaps it would be interesting to reprogram the Proxmark firmware to make it stop "recording" after, for example, the first 20 steps?
2) I'm able to identify typical traces (I think so), but perhaps this one was not well recorded? Perhaps the antenna wasn't sensitive enough?
3) I'm sorry if this question is out of scope or wrong, but... perhaps this is a case where "multiple sector authentication" is taking place? I really don't know why so much information is needed to decrement a counter and validate a date, for example (which I think is what the system is doing).
4) Why is there an extra "!crc" at the end? What does it mean?
Well, I'll be waiting for any suggestions you might have. I'm working with the latest firmware. Please don't hesitate to contact me if additional info is required. I hope this is interesting to everyone.
Thanks for everything; I think this is a great community and the Proxmark an interesting device. I can't wait to start programming it.
Hello,
As far as I can see the trace seems to be perfectly OK.
From the tag's reply to the reader's Select All (0x93 0x70) you can deduce that it's a 4K card.
From here:
+ 1376: : 52
+ 64: 0: TAG 02 00
+ 1408: : 93 70 aa 4d 06 5c bd 28 20
+ 64: 0: TAG 18 37 cd
+ 1656: : 60 14 50 2d
+ 112: 0: TAG 1f 05 d3 3c
+ 1208: : a0 e2 dc ba 38 84 2f 85 !crc
+ 64: 0: TAG c6 35 46 22!
I get the following:
UID = aa4d065c
Tag Chal = 1f05d33c
Reader Chal = a0e2dcba
Reader Resp = 38842f85
Tag Resp = c6354622
Key to sector 0x14 = XX YX 00 00 00 00
I don't see the problem...
And the key to sector 0x0d is very similar; only 1 nibble differs.
So my guess is that:
- the nibble that changes relates to the block number (Y = sector number / 4)
- the first byte and the 4 trailing bytes of the key stay the same (X)
Cheers,
Tom
Last edited by TomBu (2009-06-19 16:50:06)
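As an added example (not code from either post, nor from the Proxmark project), here is a Python script that does mechanically what Tom did by hand: it reads `hi14alist` output in the format above and, for each authentication, pulls out the UID from the SELECT frame (93 70, UID, BCC, CRC), the block number from the AUTH command (60 = key A, 61 = key B, second byte the block, then CRC), the tag nonce nt, the reader's nr and ar, and the tag's at. Those are the values Tom lists and the inputs a crapto1-style key recovery needs. It also recomputes the ISO 14443-A CRC: the client prints `!crc` when the last two bytes of a frame do not match CRC-A over the preceding bytes, which is expected for every frame after the AUTH command because from there on the bytes are Crypto-1 ciphertext, just as the `!` parity marks are. The embedded trace is copied from the first post, trimmed to the three sessions recorded after the buffer blew; the block-to-sector mapping assumes a MIFARE Classic 4K, which is what the SAK of 0x18 indicates.

```python
import re
from dataclasses import dataclass
from typing import List

# Trace copied from the first post (hi14alist output), trimmed to the sessions
# after the buffer blew; the 0x0c session is kept whole, the others to the handshake.
TRACE = """\
+ 1376: : 52
+ 64: 0: TAG 02 00
+ 1400: : 93 70 aa 4d 06 5c bd 28 20
+ 64: 0: TAG 18 37 cd
+ 1656: : 60 0c 99 b1
+ 112: 0: TAG 13 cf 4d 6b
+ 760: : 8c 13
+ 512: 0: TAG 64 df! f6! 94
+ 1087: : 66 fc bf 9a !crc
+ 73: 0: TAG f1 3d! 7f 73 17 99 8d! f0! 8d! 9c 14 d8 28 c4! 18! 7e e2 9a !crc
+ 3103: : 96 98 ac 68 !crc
+ 1376: : 52
+ 64: 0: TAG 02 00
+ 1408: : 93 70 aa 4d 06 5c bd 28 20
+ 64: 0: TAG 18 37 cd
+ 1656: : 60 14 50 2d
+ 112: 0: TAG 1f 05 d3 3c
+ 1208: : a0 e2 dc ba 38 84 2f 85 !crc
+ 64: 0: TAG c6 35 46 22!
+ 1375: : 52
+ 65: 0: TAG 02 00
+ 1407: : 93 70 aa 4d 06 5c bd 28 20
+ 64: 0: TAG 18 37 cd
+ 1656: : 60 0d 10 a0
+ 112: 0: TAG 31 a9 12 c3
+ 1208: : e7 28 80 94 99 9c a8 57 !crc
+ 64: 0: TAG 10 f0 e0 1e
"""

@dataclass
class Frame:
    who: str        # "RDR" (blank "who" column in the listing) or "TAG"
    data: bytes     # frame bytes with the "!" parity marks stripped
    crc_flag: bool  # the client printed " !crc" after the frame

LINE = re.compile(r"^\s*\+\s*\d+:\s*\d*:\s*(TAG)?\s*(.*)$")

def crc_a(data: bytes) -> bytes:
    """ISO 14443-A CRC (init 0x6363, reflected poly 0x8408), sent LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def crc_ok(f: Frame) -> bool:
    """True when the last two bytes are a valid CRC-A over the rest of the frame."""
    return len(f.data) > 2 and crc_a(f.data[:-2]) == f.data[-2:]

def parse_trace(text: str) -> List[Frame]:
    """hi14alist lines -> Frames; non-frame lines (#db#, headers, prompts) are skipped."""
    frames = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        toks = m.group(2).split()
        crc_flag = bool(toks) and toks[-1] == "!crc"
        data = bytes(int(t.rstrip("!"), 16) for t in (toks[:-1] if crc_flag else toks))
        frames.append(Frame("TAG" if m.group(1) else "RDR", data, crc_flag))
    return frames

def sector_of(block: int) -> int:
    """MIFARE Classic 4K layout: sectors 0-31 hold 4 blocks, sectors 32-39 hold 16."""
    return block // 4 if block < 128 else 32 + (block - 128) // 16

def extract_auths(frames: List[Frame]) -> List[dict]:
    """Return every Crypto-1 handshake: SELECT uid, AUTH block, nt, nr, ar, at."""
    auths, uid, i = [], None, 0
    while i < len(frames):
        f, nxt = frames[i], frames[i + 1:i + 4]
        if f.who == "RDR" and len(f.data) == 9 and f.data[:2] == b"\x93\x70":
            uid = int.from_bytes(f.data[2:6], "big")  # 93 70 UID(4) BCC CRC(2)
        elif (f.who == "RDR" and len(f.data) == 4 and f.data[0] in (0x60, 0x61)
              and crc_ok(f) and uid is not None and len(nxt) >= 2
              and nxt[0].who == "TAG" and len(nxt[0].data) == 4    # nt
              and nxt[1].who == "RDR" and len(nxt[1].data) == 8):  # nr || ar
            # at is missing when the tag rejects the reader; nt, nr and ar
            # alone are still enough for a crapto1-style key recovery.
            has_at = len(nxt) == 3 and nxt[2].who == "TAG" and len(nxt[2].data) == 4
            auths.append({
                "uid": uid, "block": f.data[1], "sector": sector_of(f.data[1]),
                "key": "A" if f.data[0] == 0x60 else "B",
                "nt": int.from_bytes(nxt[0].data, "big"),
                "nr": int.from_bytes(nxt[1].data[:4], "big"),
                "ar": int.from_bytes(nxt[1].data[4:], "big"),
                "at": int.from_bytes(nxt[2].data, "big") if has_at else None,
            })
            i += 4 if has_at else 3
            continue
        i += 1
    return auths
```

Calling `extract_auths(parse_trace(TRACE))` returns two handshakes, for block 0x14 (sector 5) and block 0x0d (sector 3), with exactly the UID, Tag Chal, Reader Chal, Reader Resp and Tag Resp values Tom wrote down. The 0x0c session is dropped on purpose: after the tag's nonce the reader's frame was captured as two bytes (`8c 13`) instead of the 8-byte nr||ar, so that handshake is unusable. Pasting the raw client output, `#db#` lines and column header included, works as well, since only lines starting with `+` are treated as frames.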
What the h...
I'm very sorry. I think I've made you waste your time.
I work with other devices that signal when the data comes from the PCD. I got confused: I was waiting to see the "PCD" term before the traces coming from the Proxmark, and I thought it was not working. I'm very sorry.
Thanks a lot for your answer and your time, and also for your patience in not crushing me.
I'm going to analyze it. Thanks again.
Have a good weekend.