Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Just another short notice:
A lot of people asked me (in the forum and via email) where to buy the block 0
writable tags that work with MCT. A friend of mine found a reliable source:
Mifare Classic 1k
Mifare Classic 4k
Mifare Classic 1k (7 byte UID)
This company also sells the tags via ebay.
I'm sure that is not the only good source to buy them.
And I'm pretty sure there are cheaper ones, but at least these tags work!
Have a nice day!
ikarus
Bummer, I thought the MCT had the pm3 client under the shell...
Well then, maybe Ikarus might figure something out. However a lua-script is a lua-script, you only need LUA installed to run them I guess.
Sorry for the inconvenience.
https://github.com/Proxmark/proxmark3/blob/master/client/pm3_eml2mfd.py - I found that, changed the file extension of an MCT dump to xxx.eml and there is a problem. In MCT dumps there are non-hexadecimal digits and that results in an error. Could someone give me a sample of a pm3 dump to check how it's written?
Sorry, at the moment I don't know how .eml and how .mfd files are formatted.
When I have some spare time I will try to write a convert tool for both formats
(mct dump -> eml & mct dump -> mfd).
Last edited by ikarus (2014-08-27 20:26:37)
eml and mct dumps are ascii interpretations of the data, but mct dumps have extra comments inside.
pm3 dump and .mfd dumps are binary (looks the same)
MCT dumps are hex; in MCT there is only an option to show the data as ASCII.
ikarus: it would be great
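As an added example (not code from MCT, the Proxmark3 project or anyone in this thread), here is a small Python converter for the formats discussed above. It assumes the MCT dump layout the posts describe: a "+Sector: N" comment line before each sector's blocks, and 32 dashes for a block the app could not read (both are assumptions about MCT's file format). From that it produces a pm3-style .eml (one 32-hex-character line per block) and the binary .mfd. The "+Sector:" comments are exactly the non-hexadecimal characters that pm3_eml2mfd.py trips over. The sample dump is constructed.

```python
import re

HEX_BLOCK = re.compile(r"^[0-9A-Fa-f]{32}$")   # one 16-byte block per line
UNREAD_BLOCK = "-" * 32                        # assumed MCT marker for an unreadable block

# Constructed sample: the first three sectors of a 1K tag. Sector 1 could not
# be read (no key found), so it is written as dashes. Block 0 carries
# UID 01020304, BCC 04, SAK 08, ATQA 04 00 and eight manufacturer bytes.
SAMPLE_MCT = """\
+Sector: 0
01020304040804006263646566676869
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF
+Sector: 1
--------------------------------
--------------------------------
--------------------------------
--------------------------------
+Sector: 2
48656C6C6F2050726F786D61726B3321
00000000000000000000000000000000
00000000000000000000000000000000
A0A1A2A3A4A5787788C1FFFFFFFFFFFF
"""


def parse_mct(text):
    """Parse MCT dump text into {sector: [block_hex or None, ...]}.
    None marks a block MCT could not read. Lines that are neither a
    "+Sector:" comment, a hex block nor the dash marker are rejected."""
    sectors, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+Sector:"):
            current = int(line.split(":", 1)[1])
            sectors[current] = []
        elif current is None:
            raise ValueError(f"line {lineno}: block data before any '+Sector:' header")
        elif line == UNREAD_BLOCK:
            sectors[current].append(None)
        elif HEX_BLOCK.match(line):
            sectors[current].append(line.upper())
        else:
            raise ValueError(f"line {lineno}: not a 16-byte hex block: {raw!r}")
    for num, blocks in sectors.items():
        expected = 16 if num >= 32 else 4      # 4K tags: sectors 32-39 have 16 blocks
        if len(blocks) != expected:
            raise ValueError(f"sector {num}: expected {expected} blocks, got {len(blocks)}")
    return sectors


def mct_to_eml(sectors, filler="00" * 16):
    """Flatten to .eml text: one hex line per block, sectors in ascending order.
    Unread blocks are written as `filler` so block numbering stays intact; the
    absolute block numbers that were substituted are returned as well."""
    lines, missing = [], []
    for num in sorted(sectors):
        for blk in sectors[num]:
            if blk is None:
                missing.append(len(lines))
                blk = filler
            lines.append(blk)
    return "\n".join(lines) + "\n", missing


def eml_to_mfd(eml_text):
    """Pack .eml hex lines into the binary .mfd layout (16 bytes per block)."""
    out = bytearray()
    for line in eml_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not HEX_BLOCK.match(line):
            raise ValueError(f"not a hex block line: {line!r}")
        out += bytes.fromhex(line)
    return bytes(out)


def convert(mct_text):
    """MCT text -> (eml text, mfd bytes, substituted block numbers)."""
    eml, missing = mct_to_eml(parse_mct(mct_text))
    return eml, eml_to_mfd(eml), missing


if __name__ == "__main__":
    eml, mfd, missing = convert(SAMPLE_MCT)
    print(eml)
    print(f"{len(mfd)} bytes of .mfd; blocks filled with zeros: {missing}")
```

A dump that is missing sectors yields a correspondingly short .mfd (a complete 1K dump is 64 blocks, 1024 bytes), so check the returned list of substituted blocks before writing the result back to a tag.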
Not that Marcoss will be helped by it, but I made an eml2bin.lua script and sent it to Holiman for evaluation and publishing.
Thanks for info iceman.
It would be very nice to be able to extract keys from a sniffer card from MCT.
Is it possible to send raw 14a APDU's from Android?
See example data exchange at http://proxmark.org/forum/viewtopic.php?pid=12278#p12278
(sorry can't hyperlink).
As long as the raw pdu's can be sent, the rest (des decryption and mfkey algo) should be possible to implement in java and thus in an app.
No it is not possible to send raw commands using mobile phones.
No it is not possible to send raw commands using mobile phones.
I found the android function NfcA.transceive().
Won't work? According to docs it seems to be a perfect fit.
You asked, I answered but I was not clear and I am sorry for that.
Raw commands can be sent but NOT ALL raw commands (this topic is already covered in this thread, at the bottom of page 4):
Mifare tags (and other tags) are not fully ISO14443A compatible; sometimes they use proprietary 7-bit commands that ARE IMPOSSIBLE to send using mobile phone NFC chip firmware (they are fully ISO14443A/B compliant but they do not support single specific special commands, even if they are Mifare compatible); the only way would be to modify the internal NFC chip firmware, which is not possible at this time.
Last edited by asper (2014-09-20 12:50:56)
Another notice: when buying clonemykey cards from ebay, make sure the UID Modification method is NOT(!) "Proxmark3 backdoor (csetuid) ACR122U LibNFC"!.
Only "Block 0 Direct Write Default Key "FFFFFFFF"" as UID Modification method works with MCT. Otherwise you need to buy a ACR122u or Proxmark3 device.
@pedro.m.reis:
I don't think that it is possible to lock your card with non-legitimate commands.
MCT uses only the most common Mifare Classic commands from the Android NFC-API
(like readBlock, writeBlock, authenticateSectorWithKeyA, etc.).
You can try to switch on the "Auto reconnect" setting in MCT. Maybe it will work.
@fuzhouzj:
What type of block0 writable tag do you have? There are two types.
Some tags require a special command sequence to put them into the
state where writing to the manufacturer block is possible. These tags will not work.
This can be a good addition to your already great tool
Source code available !
Last edited by asper (2014-10-18 10:28:03)
This can be a good addition to your already great tool
Oh, that's a nice blog post. And the app looks fine too. But I think I will not add Mifare Ultralight support to MCT.
The differences between these two technologies are just too big. And I like the UNIX philosophy: one program for one task.
In other words: MCT for Mifare Classic and MUT (Mifare Ultralight Tool) for Mifare Ultralight.
... Somebody should really write an app like that.
OT:
I saw Matteo Beccaro, the guy who developed NFCuIT live at the 30C3. He talked about
"Building a safe NFC ticketing system".
New release! (Version 1.8.0: APK-file, Google Play, F-Droid)
(See: original post, updated)
* New Feature: You can compare dumps using the Diff Tool.
* Partial Spanish translation. Thanks to "ozcho".
* Fixed the share dump functionality.
* Some bug fixes.
Regarding the new feature: this is what it looks like.
Kind regards
ikarus
Last edited by ikarus (2014-12-07 16:20:36)
Comparing is a really good feature ! Thank you !
Great work Ikarus!
I'm waiting for iphone to join the nfc train, should be iphone 6, but I have no clue if the nfc-chip inside will be able to work with tools like yours.
@iceman:
Quote from iFixit:
NXP 65V10 NFC module + Secure Element (likely contains an NXP PN544 NFC controller inside)
I'm not sure what the NXP 65V10 is. Maybe it's custom made for Apple. But as long as it is a NXP-Chip
Mifare Classic should work.
@salfai77:
As far as I can see the HTC One (m8) has a NXP 44701 NFC-controller that contains the PN544.
So MCT should work with it... At least there are over 150 installations of MCT on the HTC One (m8).
And over 100 on the Motorola Moto X which also has the NXP 44701 NFC-controller.
Regarding the translation I have to say the same thing I said to other people that wanted to help me:
First of all: Thank you!
I really like to see more and good translations of MCT. But for now I
have to find a good platform for that. Turned out that translating the
raw XML file is not a good idea. It doesn't get along well with the
development process. I will check out sites like http://www.lokaligo.com/ or
http://weblate.org/en/ . When I set up a good translation system I will
contact you again!
Have a nice day!
ikarus
Hi MC Philis,
You're like the 3rd person asking me this. Hmm maybe I should give it a try.
But there are some issues. Please read this.
The biggest problem is still the last one: "I'm really low on time lately."
So no promises.
If you want to support external USB devices you must be sure that the Android mobile phone you will use has the right .ko kernel modules; those modules must support usb->serial conversion chip or direct serial communication (like in proxdroid); here is a list of the most common (thanks to jonor)
cdc-acm.ko ---> Serial module
cp210x.ko ---> Prolific USB->Serial module
cypress_m8.ko ---> Cypress USB->Serial module
ftdi_sio.ko ---> FTDI USB->Serial module
Each module must be compiled for the kernel in use in the mobile phone. They are not all necessary, you need to find which chip is inside the ACR122U (a picture of ACR122U internals is needed).
If needed I can provide an I9300 modified kernel (Siyah 1.9.0-MOD) with the above mentioned kernel-specific modules (always thanks to jonor).
The second step will be understanding how to send the correct commands through USB via ACR122U APDUs (here you can find a detailed datasheet); for example at page 13 you can see how to use mifare auth. Remember that hardware clones can use different undocumented APDUs to send commands to the tag!
The best way will be sniffing an USB communication to see which commands are sent by the official software to the reader you want to talk with.
GOOD LUCK IKARUS !
P.S.
In that way you can also support the SL500F device!
Last edited by asper (2014-11-11 16:37:12)
Great work Ikarus!
Some
I tested this program with JCOP card (mifare emulation). Program read only 16 sectors (0..15) - but real sectors count is 40 (0..39)...
Card Info (PM3):
ATQA : 04 00
UID : xx xx xx xx
SAK : 28 [1]
TYPE : JCOP31 or JCOP41 v2.3.1
ATS : 11 78 80 70 02 80 64 11 65 01 90 73 00 00 00 81 07 6d ad
- TL : length is 17 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8
- TA1 : different divisors are NOT supported, DR: [], DS: []
- TB1 : SFGI = 0, FWI = 0
- TC1 : NAD is NOT supported, CID is supported
Mifare Plus X (MF1PLUS60 SL1) also detected as 1K card.
ATQA: 0x4400
SAK: 0x08
ATS: 0x0C75778002C1052F2F01BCD6
@asper:
First of all: Thanks for the great write-up! Using Serial over USB on Android sounds really painful.
But if I only add support for the ACR122u there is an easier way (at least I think so, haven't looked into it yet):
There is an official Android lib for the ACR122u! (Download-Tab, last item)
Maybe with this library using the ACR122u on Android will be easier...
@alexeybar200:
asper had a similar issue some time ago (but the other way around, a 1k tag was mistaken for a 4k tag).
Unfortunately there is nothing I can do about it.
MCT uses the getSectorCount() (and getSize()) of the Android Mifare Classic API.
I can't tell whether it is Android's or your tag's fault.
(Source)
EDIT 1:
I have not checked this but as far as I know Android calculates the tag size from the
ATQA, SAK and ATS information. And I think I read somewhere that it is possible to change this
information for some "special" or "emulated" tags.
EDIT 2:
Check out this flow chart. This is how it should work according to NXP.
I hope Android does it that way. Would make sense.
Last edited by ikarus (2014-11-11 21:06:40)
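An added example, not code from Android or MCT, for the three posts above (the JCOP card seen as 16 sectors, the MIFARE Plus X SL1 seen as 1K, and ikarus's guess about how Android derives the size): this is my reading of AOSP's android.nfc.tech.MifareClassic, whose getType()/getSize()/getSectorCount() MCT relies on. In that reading the decision is made from the SAK byte alone; ATQA and ATS are not consulted, which is why an emulation answering SAK 0x28 is always reported as 1K, and a Plus in SL1 answering SAK 0x08 is indistinguishable from a genuine Classic 1K even though it returns an ATS (NXP's own identification flow does look at the ATS for that case). The SAK table below is reproduced from memory and is an assumption; the sample SAK/ATS values are taken from the posts above.

```python
# Reproduces the SAK -> type/size decision of Android's MifareClassic API
# (my reading of AOSP's MifareClassic.java; table is an assumption).
# Nothing here talks to a tag; it only reproduces the classification.
SIZE_MINI, SIZE_1K, SIZE_2K, SIZE_4K = 320, 1024, 2048, 4096

# SAK -> (family, size in bytes). ATQA and ATS play no role in this table.
SAK_TABLE = {
    0x01: ("classic", SIZE_1K),
    0x08: ("classic", SIZE_1K),   # genuine Classic 1K, but also MIFARE Plus in SL1
    0x09: ("classic", SIZE_MINI),
    0x10: ("plus", SIZE_2K),
    0x11: ("plus", SIZE_4K),
    0x18: ("classic", SIZE_4K),   # genuine Classic 4K, but also Plus 4K in SL1
    0x28: ("classic", SIZE_1K),   # Classic emulation (JCOP and friends), always "1K"
    0x38: ("classic", SIZE_4K),   # Classic emulation reporting 4K
    0x88: ("classic", SIZE_1K),   # non-NXP Classic 1K
    0x98: ("pro", SIZE_4K),
    0xB8: ("pro", SIZE_4K),
}
SECTORS_BY_SIZE = {SIZE_MINI: 5, SIZE_1K: 16, SIZE_2K: 32, SIZE_4K: 40}


def classify(sak):
    """Return (family, size, sector_count) as getType()/getSize()/getSectorCount()
    would report it, or None when Android would not expose the MifareClassic
    technology at all (only NfcA), e.g. for a tag answering SAK 0x00."""
    entry = SAK_TABLE.get(sak & 0xFF)
    if entry is None:
        return None
    family, size = entry
    return family, size, SECTORS_BY_SIZE[size]


def iso14443_4_capable(sak):
    """Bit 0x20 of the SAK announces ISO14443-4 support (RATS/ATS). A genuine
    Classic has it clear; the 0x28 / 0x38 emulations have it set."""
    return bool(sak & 0x20)


def looks_like_plus_sl1(sak, ats):
    """Heuristic following NXP's identification guidance (assumption): a tag
    answering SAK 0x08/0x18 that nevertheless returns an ATS is a MIFARE Plus
    in security level 1, not a genuine Classic, which never answers RATS.
    Android skips this step, so such a Plus is reported as a plain 1K/4K."""
    return sak in (0x08, 0x18) and len(ats) > 0


def blocks_in_sector(sector):
    """Sectors 0-31 hold 4 blocks; sectors 32-39 (4K only) hold 16."""
    return 16 if sector >= 32 else 4


def first_block(sector):
    """Absolute block number of the first block of a sector."""
    return sector * 4 if sector < 32 else 128 + (sector - 32) * 16


if __name__ == "__main__":
    # Constructed inputs mirroring the reports above: the JCOP card with
    # SAK 0x28 and its ATS, the MF1PLUS60 in SL1 with SAK 0x08 and an ATS,
    # a genuine Classic 1K, and a tag that only exposes NfcA.
    samples = [
        ("JCOP emulation", 0x28, bytes.fromhex("11788070028064116501907300000081076dad")),
        ("MF1PLUS60 SL1", 0x08, bytes.fromhex("0C75778002C1052F2F01BCD6")),
        ("genuine Classic 1K", 0x08, b""),
        ("SAK 00, NfcA only", 0x00, b""),
    ]
    for name, sak, ats in samples:
        print(f"{name}: SAK {sak:02X} -> {classify(sak)}",
              "| 14443-4" if iso14443_4_capable(sak) else "| no RATS",
              "| probably Plus SL1" if looks_like_plus_sl1(sak, ats) else "")
```

The practical consequence for an app that only has Android's API is the one ikarus draws above: it cannot override what getSectorCount() says, so letting the user set the sector count by hand (as suggested in a later post) is the only workaround for emulations and Plus SL1 cards.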
NXP tag info checks card type successfully. You may enable change Sector Number by user in this situation.
Ikarus, some hints,
if you look into the lualibs there are some more default keys.
you can also add
ATQA : 01 0f
SAK : 01 [2]
TYPE : NXP TNP3xxx Game item
size: 1K
to your tag identification list.
Just curious, which command does MCT use for formatting a card. Is this the 'nfc-mfclassic -f' from libnfc or the 'mifare-classic-format' command?
Another thing you guys possibly know:
I've got some ACs codes which are 00 00 00 00. Does this mean my card is corrupt? Or can I still write these sectors? (The keys of these sectors are visible though)
Last edited by wous (2014-11-13 17:19:22)
@alexeybar200:
This is a really good idea. I will try to implement something like this!
@iceman:
Thanks. I will add this to the tag identification list.
@wous:
MCT does not use any of these commands. It does not use any external library at all.
I programmed the format tool only using Android API.
Regarding the ACs: They are corrupt. "00 00 00" is not defined in NXP's data-sheet for Mifare Classic.
I'm not sure if writing is still possible. Maybe just try it?
Edit: Typo.
Last edited by ikarus (2014-11-13 21:53:41)
@wous:
MCT does not use any of these commands. It does not use any external library at all.
I programmed the format tool only using Android API.
Regarding the ACs: The are corrupt. "00 00 00" is not defined in NXP's data-sheet for Mifare Classic.
I'm not sure if writing is still possible. Maybe just try it?
You mean 'theY are corrupt'?
I can't format or write the card anymore, mfoc on my PC reads just 00 00 00 on the ACs. I guess I need to try a new card.
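An added example for the "00 00 00" access bits exchange above (not MCT's code): the access condition bytes of a Mifare Classic sector trailer (bytes 6, 7 and 8) store each of the C1/C2/C3 nibbles both plain and inverted, following the layout in NXP's MF1S50/MF1S70 data sheets. That redundancy is what a reader checks, and it is why all-zero bytes can never be a valid access condition: every inverted nibble would have to be 0xF. The snippet below validates and decodes a trailer and prints the resulting rights per block; the three sample trailers are constructed.

```python
# Decode and sanity-check the access condition bytes of a MIFARE Classic
# sector trailer (bytes 6-8), layout per NXP MF1S50/MF1S70 data sheets.

# Rights for data blocks by (C1, C2, C3): (read, write, increment, decrement).
# "A|B" = key A or key B, "B" = key B only, "-" = never.
DATA_BLOCK_ACCESS = {
    (0, 0, 0): ("read A|B", "write A|B", "increment A|B", "decrement A|B"),  # transport config
    (0, 1, 0): ("read A|B", "-", "-", "-"),
    (1, 0, 0): ("read A|B", "write B", "-", "-"),
    (1, 1, 0): ("read A|B", "write B", "increment B", "decrement A|B"),
    (0, 0, 1): ("read A|B", "-", "-", "decrement A|B"),
    (0, 1, 1): ("read B", "write B", "-", "-"),
    (1, 0, 1): ("read B", "-", "-", "-"),
    (1, 1, 1): ("-", "-", "-", "-"),
}

# Rights for the sector trailer itself: (key A, access bits, key B).
TRAILER_ACCESS = {
    (0, 0, 0): ("write A", "read A", "read A, write A"),
    (0, 1, 0): ("-", "read A", "read A"),
    (1, 0, 0): ("write B", "read A|B", "write B"),
    (1, 1, 0): ("-", "read A|B", "-"),
    (0, 0, 1): ("write A", "read A, write A", "read A, write A"),  # transport config
    (0, 1, 1): ("write B", "read A|B, write B", "write B"),
    (1, 0, 1): ("-", "read A|B, write B", "-"),
    (1, 1, 1): ("-", "read A|B", "-"),
}


def _nibbles(byte):
    return (byte >> 4) & 0xF, byte & 0xF


def access_bits_valid(b6, b7, b8):
    """True if the inverted copies of C1, C2 and C3 match the plain copies."""
    inv_c2, inv_c1 = _nibbles(b6)     # byte 6: ~C2 (high), ~C1 (low)
    c1, inv_c3 = _nibbles(b7)         # byte 7:  C1 (high), ~C3 (low)
    c3, c2 = _nibbles(b8)             # byte 8:  C3 (high),  C2 (low)
    return (inv_c1, inv_c2, inv_c3) == (~c1 & 0xF, ~c2 & 0xF, ~c3 & 0xF)


def decode_access_bits(b6, b7, b8):
    """Return {block: (C1, C2, C3)} for the four blocks of a sector; bit i of
    each nibble belongs to block i. (In the 16-block sectors of a 4K tag the
    first three bits each cover a group of five data blocks instead.)"""
    if not access_bits_valid(b6, b7, b8):
        raise ValueError(f"access bits {b6:02X} {b7:02X} {b8:02X}: "
                         "inverted nibbles do not match (corrupt trailer)")
    c1 = _nibbles(b7)[0]
    c3, c2 = _nibbles(b8)
    return {blk: ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)}


def trailer_access(trailer_hex):
    """Decode a 16-byte sector trailer (hex, as written in an MCT or .eml dump)
    into per-block rights. Raises ValueError for a corrupt trailer."""
    trailer = bytes.fromhex(trailer_hex)
    if len(trailer) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    bits = decode_access_bits(trailer[6], trailer[7], trailer[8])
    return {blk: (DATA_BLOCK_ACCESS[c] if blk < 3 else TRAILER_ACCESS[c])
            for blk, c in bits.items()}


if __name__ == "__main__":
    # Constructed trailers: factory transport configuration, a layout where
    # only key B may write, and the all-zero access bytes reported above.
    for name, trailer in [("transport", "FFFFFFFFFFFFFF078069FFFFFFFFFFFF"),
                          ("B-only write", "A0A1A2A3A4A5787788C1FFFFFFFFFFFF"),
                          ("corrupt", "FFFFFFFFFFFF00000000FFFFFFFFFFFF")]:
        try:
            for blk, rights in trailer_access(trailer).items():
                print(f"{name}: block {blk}: {rights}")
        except ValueError as err:
            print(f"{name}: {err}")
```

Running this check over a dump before writing it back is a cheap way to avoid producing exactly the dead sectors wous ended up with: a trailer that fails the redundancy check should never be written to a tag.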
Hello guys. I have a little question. Does the LG L7 or L5 first generation support MCT?
https://github.com/ikarus23/MifareClassicTool/issues/20
Hmm, strange...
What kind of tag have you got? The "backdoored" or the "direct write"?
What is the exact command you used to write block 0 with lib-nfc?
Did you enable the "write to manufacturer block" option?
(needed if you use the "Write Dump" method of MCT)
New release! (Version 1.8.1: APK-file, Google Play (Donate Version), F-Droid)
(See: original post, updated)
* Fixed diff tool for devices with a default monospace font that
does not have the block symbol (replaced block with "X").
* Added more keys to the "extended-std.keys" file.
(Remove the old and restart MCT to get the new key file.)
* Added a new tag to the tag identification list (TNP3xxx).
* Fixed multiple crash issues.
* Samsung Galaxy Note 4 does not support Mifare Classic.
Kind regards
ikarus
Last edited by ikarus (2014-12-07 16:21:41)
Hi guys,
Thank you ikarus for the great app!
I'd like to find a cheaper source for direct writable cards, so I'm asking you a favor.
Please download NXP's TagInfo (https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=en) app and scan your cards. Then post here your IC type and manufacturer and if it's direct writable or not. This way we could build a nice list that helps filtering the Chinese offers.
I start with mine:
FM11RF08 (very popular, also called FM1108) by Fudan Microelectronics - NOT direct writable
Thanks
Hello ikarus,
First thank you for the great program.
I have a tag which respond as:
UID OK 4byte
ATQA 0004
SAK 00
ATS -
is there any chance to read it? may be to ignore SAK?
thanks
@stickymarm: Unfortunately, the type of the card can't be determined from the block 0 data. Could you read the card with the app that I linked? It's free, doesn't require strange permissions and takes only a minute.
Does anyone actually have a direct writable card and is willing to share the type of the IC (or a cheap source)?
Thanks
@pavlik1:
I don't know. Is it a Mifare Classic tag? What does MCT tool say? What do apps like NFC Taginfo say?
@teve00:
Great idea to create a list of Mifare Classic chips. I did not know that this is possible with
NXP's TagInfo. I have some MFC tags from different manufacturers but it seems like the
TagInfo app is broken. It doesn't detect any of my tags. The app thinks that NFC is disabled...
Am I the only one with this issue?
Does anyone actually have a direct writable card and is willing to share the type of the IC (or a cheap source)?
I have a working direct write tag. Unfortunately I don't know the source (it was a gift).
And unfortunately I can't read the chip infos with NXP's TagInfo...
@ikarus. I don't have that trouble with taginfo but I have noticed it sometimes fights with MCT, if both were active. Crashing one or the other. I did install taginfo first. Motorola maxx.
Also there is a list of MF classic clones datasheets here http://proxmark.org/files/Documents/13. … %20clones/
@ikarus: I'm sorry to hear that. :-(
@marshmellow: Thank you for the list. I found a manufacturer's site with the chips that are still produced (http://www.zotei.com/price/smart_card-IC_card_white_card_price.html). I did a bunch of Google searches but none of them (except the FM1108) are sold anywhere as UID rewritable.
@pavlik1:
I don't know. Is it a Mifare Classic tag? What does MCT tool say? What do apps like NFC Taginfo say?
Hi ikarus
the taginfo is:
and the video is:
http://youtu.be/tclUq0MhZyo
to me seems the card resets due to not receiving specific answer from the reader.
any idea?
video is here https://mega.co.nz/#!1oUVjAaA!xflHmjEbHk6il4-DRIq-BkjBmw1dxxw-xZ_VTrQ0tdM
Hi pavlik1,
there is definitely something weird going on with your tag (and/or your readers).
Regarding the screenshot: in the group "Android technology information" you can only see
"android.nfc.tech.NfcA". If both, device and tag, support Mifare Classic this should be
"android.nfc.tech.MifareClassic". By implication this means your tag or your Android device
does not support Mifare Classic. What device do you own?
Regarding the video: I'm not sure what is causing the tag to reconnect all the time. I have some
Chinese Mifare Classic tags that sometimes behave the same way due to their really bad antennas.
But I'm pretty sure this is not what's causing the issues in your case.
Do you own a proxmark3? If so, you can sniff the traffic between the reader and the tag to see what is going on.
Have a nice Christmas eve!
hi ikarus,
The phone is an S3 and it is reading and writing other tags just perfectly. The reader is also ok, reading and writing under Linux. It is something with the badge; at the places it is supposed to work, it is ok.
Unfortunately no proxmark here. Any idea how I can sniff the good communication? And then compare with the ACR122.
Merry Christmas
Hi, ikarus
I found something strange today on my OnePlus One with android 4.4.2.
1: some cards with Keys of "FFFFFFFFFFFF" were read/saved as "000000000000"
I confirm its real keys of sector 0 ~ 9 are "FFFFFFFFFFFF" because I wrote a dump with this key of sector 0 ~ 9 using MCT, and it could be read and shown as "FFFFFFFFFFFF" using acr122u and mfoc.
I wrote the dump with keys "FFFFFFFFFFFF" of sector 0 ~ 9 using MCT and then read it immediately, it showed "000000000000" to me.
Hi, ikarus
I found something strange today on my OnePlus One with android 4.4.2.
1: some cards with Keys of "FFFFFFFFFFFF" were read/saved as "000000000000"
I confirm its real keys of sector 0 ~ 9 are "FFFFFFFFFFFF" because I wrote a dump with this key of sector 0 ~ 9 using MCT, and it could be read and shown as "FFFFFFFFFFFF" using acr122u and mfoc.
I wrote the dump with keys "FFFFFFFFFFFF" of sector 0 ~ 9 using MCT and then read it immediately, it showed "000000000000" to me.
http://www.proxmark.org/forum/img/6460/1419837233_qq20141229150050.jpg
http://www.proxmark.org/forum/img/6460/1419837259_qq20141229150103.jpg
http://www.proxmark.org/forum/img/6460/1419837296_screenshot_2014-12-29-15-08-24-76.jpg
http://www.proxmark.org/forum/img/6460/1419837326_screenshot_2014-12-29-15-08-29-289.jpg
http://www.proxmark.org/forum/img/6460/1419837094_screenshot_2014-12-29-15-08-37-260.jpg
2: I wrote a MCT dump with keys of sector 0 ~ 9 "000000000000" to a card and then read it immediately, MCT told me sector 0 ~ 9 "No keys found (or dead sector)".
Then I read it with acr122u and mfoc, keys of sector 0 ~ 9 could be read and shown as "000000000000"
What's more, do you think an optional function that automatically save dumps after a "read" operation is meaningful?
Hi, ikarus
I found something strange today on my OnePlus One with android 4.4.2.
1: some cards with Keys of "FFFFFFFFFFFF" were read/saved as "000000000000"
I confirm its real keys of sector 0 ~ 9 are "FFFFFFFFFFFF" because I wrote a dump with this key of sector 0 ~ 9 using MCT, and it could be read and shown as "FFFFFFFFFFFF" using acr122u and mfoc.
I wrote the dump with keys "FFFFFFFFFFFF" of sector 0 ~ 9 using MCT and then read it immediately, it showed "000000000000" to me.
http://www.proxmark.org/forum/img/6460/1419837233_qq20141229150050.jpg
http://www.proxmark.org/forum/img/6460/1419837259_qq20141229150103.jpg
http://www.proxmark.org/forum/img/6460/1419837296_screenshot_2014-12-29-15-08-24-76.jpg
http://www.proxmark.org/forum/img/6460/1419837326_screenshot_2014-12-29-15-08-29-289.jpg
http://www.proxmark.org/forum/img/6460/1419837094_screenshot_2014-12-29-15-08-37-260.jpg
I'm using 1.8.1
Hi result,
This is really weird. Unfortunately I don't think there is much I can do about it. It's most likely
an issue with OnePlus One (or its image). I heard there are a lot of problems with Mifare Classic
and the OnePlus One. Two of my friends have one and they can't even detect Mifare Classic tag
(but other tags like Mifare Ultralight, ICode SLI, etc. are working fine).
What's more, do you think an optional function that automatically save dumps after a "read" operation is meaningful?
This is part of the "quick dump" feature I'm planning to implement. But not too soon. It's a lot of work and I don't have the time now.
Greetings from the 31c3
Hi result,
This is really weird. Unfortunately I don't think there is much I can do about it. It's most likely
an issue with OnePlus One (or its image). I heard there are a lot of problems with Mifare Classic
and the OnePlus One. Two of my friends have one and they can't even detect Mifare Classic tag
(but other tags like Mifare Ultralight, ICode SLI, etc. are working fine).
result wrote: What's more, do you think an optional function that automatically save dumps after a "read" operation is meaningful?
This is part of the quick dump feature I'm planning to implement. But not too soon. It's a lot of work and I don't have the time now.
Greetings from the 31c3
Great!
I'll do some tests on other devices and send you the feedbacks.
New release! (Version 1.8.2: APK-file, Google Play (Donate Version), F-Droid)
(See: original post, updated)
* Improved Mifare Classic support check. Thanks to "domints".
* Show a dialog if there are unsaved changes (dump and key editor).
* File name suggestion for dumps.
* Reduced presses for comparing a dump via editor.
Thanks to "systemcrash".
* Fixed false positive results of the MF Classic support detection.
Thanks to "domints".
* Improved editor only mode.
* Some code cleanup. Thanks to "systemcrash".
* Some minor bug fixes.
* LG G2 mini, G3 S and F60 are not supported.
Happy new year!
ikarus