Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-04-14 16:15:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

unknown hf tag

I've got a tag I can't seem to identify.
it doesn't respond to any of my hf readers (iclass, mifare, nfc phone, twn4...)
the pm3 shows a 4volt drop on the HF antenna.

a hf 14a read - hf list 14a f gives

proxmark3> hf 14a read
ATQA : 00 00
 UID : 00 00 00 00
 SAK : 00 [2]
TYPE : NXP MIFARE Ultralight | Ultralight C
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
proxmark3> hf list 14a f
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
         0 |       992 | Rdr | 52                                                              |     | WUPA
      2228 |      4596 | Tag | 00  00                                                          |     |
      7040 |      9504 | Rdr | 93  20                                                          |     | ANTICOLL
     10676 |     16500 | Tag | 00  00  00  00  00                                              |     |
     18688 |     29216 | Rdr | 93  70  00  00  00  00  00  9c  d9                              |     | SELECT_UID
     30388 |     33972 | Tag | 00  fe  51                                                      |     |
    325248 |    330016 | Rdr | e0  80  31  73                                                  |     | RATS
    331188 |    331828 | Tag | 04                                                              |     |
    749184 |    750176 | Rdr | 40                                                              |     | MAGIC WUPC1
    885632 |    886944 | Rdr | 43                                                              |     | MAGIC WUPC2
   1022720 |   1027488 | Rdr | 50  00  57  cd                                                  |     | HALT

but it is not an ultralight mifare card (atqa 00 00, SAK 00)

i tried hf 15 read and got nothing
i also tried hf 14b read but got nothing.

Last edited by marshmellow (2015-04-14 16:17:16)

Offline

#2 2015-04-14 16:50:19

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: unknown hf tag

Do you have an oscilloscope and a sniffer to see what's going on between the reader and that tag?
I know a good hf sniffer that has connectors for oscilloscope and that has helped me quite a few times.

Or, if you can have access to your reader's antenna or your tag's antenna (for your osci) during reading transaction, that would be easier...

And there are not many "unknown" hf tags. How does it look like? Can you post a pic?

Last edited by app_o1 (2015-04-14 16:51:38)

Offline

#3 2015-04-14 17:08:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: unknown hf tag

Could be a "wiped" magic tag.

Try  "hf mf csetuid 11223344 0004 08" and see if you can read it afterwards. 

U also need to  comment these two breaks out, to force it to execute the magic commands anyway.
https://github.com/Proxmark/proxmark3/b … cmd.c#L945
https://github.com/Proxmark/proxmark3/b … cmd.c#L950


Worth a try at least smile

Offline

#4 2015-04-14 17:22:33

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

It is a used hotel key card with 4 languages on it.  I do not have a good oscilloscope available ATM.  I'm wondering if it has been damaged..  In one corner of the card it reads "1k SC". Everything else is hotel info.  I will look at the magic tag commands but as a last resort as I do not think that is the case with this tag...

Offline

#5 2015-04-14 17:23:44

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

And no I'm not near a hotel reader to sniff it sad

Offline

#6 2015-04-14 17:55:43

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: unknown hf tag

Or use this simple script to see if it is "magic" and if it writes block0:

hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -c -p -a A000
hf 14a raw -c -p -a 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01

Offline

#7 2015-04-14 17:56:30

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

is the tag spitting out garbage at me?

proxmark3> hf mf rdbl 1 A FFFFFFFFFFFF
--block no:1, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
proxmark3> hf list 14a
Recorded Activity (TraceLen = 188 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
         0 |       992 | Rdr | 52                                                              |     | WUPA
      2228 |      4596 | Tag | 00  00                                                          |     |
      7040 |      9504 | Rdr | 93  20                                                          |     | ANTICOLL
     10676 |     16500 | Tag | 00  00  00  00  00                                              |     |
     18688 |     29216 | Rdr | 93  70  00  00  00  00  00  9c  d9                              |     | SELECT_UID
     30388 |     33972 | Tag | 00  fe  51                                                      |     |
     35456 |     40160 | Rdr | 60  01  7c  6a                                                  |     | AUTH-A(1)
     41780 |     46516 | Tag | 05  91  ec  43                                                  |     |
     55296 |     64608 | Rdr | 31  ba  65  71  c4  02  99  46                                  | !crc| ?
     65844 |     70516 | Tag | 79! 89  3b! e4                                                  |     |
     76032 |     80800 | Rdr | 20  08  90  4b                                                  | !crc| ?
     81972 |    102772 | Tag | a6  50! 33  02! c6! 5f! 85! b4  dc  b5  b9! b6! e4  54! 8c  71  |     |
           |           |     | 35  54!                                                         | !crc|
    114944 |    119648 | Rdr | 19  4a  4e  be                                                  | !crc| ?

proxmark3> hf mf rdbl 2 A FFFFFFFFFFFF
--block no:2, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
proxmark3> hf list 14a
Recorded Activity (TraceLen = 188 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
         0 |       992 | Rdr | 52                                                              |     | WUPA
      2228 |      4596 | Tag | 00  00                                                          |     |
      7040 |      9504 | Rdr | 93  20                                                          |     | ANTICOLL
     10676 |     16500 | Tag | 00  00  00  00  00                                              |     |
     18688 |     29216 | Rdr | 93  70  00  00  00  00  00  9c  d9                              |     | SELECT_UID
     30388 |     33972 | Tag | 00  fe  51                                                      |     |
     35456 |     40224 | Rdr | 60  02  e7  58                                                  |     | AUTH-A(2)
     41780 |     46516 | Tag | 54  10  c9  3e                                                  |     |
     55296 |     64608 | Rdr | 72  08  0d  bb  ba  51  c2  25                                  | !crc| ?
     65844 |     70580 | Tag | 8a  00! d6! c8                                                  |     |
     76032 |     80736 | Rdr | 9a  35  74  7d                                                  | !crc| ?
     81972 |    102836 | Tag | 67! 4b  01  44  0f  97! ef  8e! b2  c0  77! ca! ea! 33! 92  e8! |     |
           |           |     | 1d! 01                                                          | !crc|
    114944 |    119712 | Rdr | 5d  14  91  10                                                  | !crc| ?

Offline

#8 2015-04-14 17:59:26

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

it does not respond to the backdoor commands

Offline

#9 2015-04-14 18:00:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

i'm starting to think it is just a broken or VERY weak mifare 1k tag.

Offline

#10 2015-04-14 18:02:53

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

asper wrote:

Or use this simple script to see if it is "magic" and if it writes block0:

hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -c -p -a A000
hf 14a raw -c -p -a 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01

Thanks, i tried this and the tag had no response and it did not change the selected UID or the way the tag responds...

Offline

#11 2015-04-14 18:05:41

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

anyone ever do a data samples after a hf 14a read?  anyone know how to interpret it? 
i get the same sample length (133) for a mifare 1k as i do when i read my strange tag.  and many of the waves look identical.

Offline

#12 2015-04-14 18:17:46

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

bad tag:
4Mm6wMn.jpg


good tag:
4FRAa0r.jpg

Offline

#13 2015-04-14 18:43:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: unknown hf tag

Since yr tag is giving you a uid with zeros, and lots of the inital communications is zero:d
and the readblock2 is giving you sectortrailer data, it looks weird...

why not read the whole sector 0 and see?

Offline

#14 2015-04-14 18:48:47

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:0 key type:A key:ff ff ff ff ff ff

#db# READ SECTOR FINISHED
isOk:01
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

strange indeed

Offline

#15 2015-04-14 18:49:48

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

it does that for all sectors 0 - 15, then it gives auth error.

Offline

#16 2015-04-14 18:50:58

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

i think the tag is damaged and not strong enough to be read correctly.  (only the pm3 can get this far, other readers do not see anything), but i think it is just a basic Mifare 1k that isn't working anymore... smile

Offline

#17 2015-04-14 19:07:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: unknown hf tag

Looks strange, but I'm with you on the damaged tag part.  Talk to the reception and see if you can get a new key? smile
Why would the Pm3 client identify it as an Ultralight when the SAK & ATQA is zero, is what I wonder..

Offline

#18 2015-04-14 19:09:49

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: unknown hf tag

I was wondering that myself.. smile

Offline

#19 2015-04-14 22:06:46

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: unknown hf tag

Test1:
try to cut the chip out and insert it in a working card (soldering the 2 tips of the antenna): maybe the tag coil is damaged; if this is the case it will work again;

Test2:
also try to put the surely-good chip in the bad-tag antenna and see if it is still working; if so you will be sure the bad-tag chip is  damaged.

To eliminate the plastic part of the card you can dissolve it in aceton - submerge it  and cover it to avoid evaporation - only the metal parts will remain [chip+antenna]
Example:
tap-card-dissolved-use-acetone-transfer-rfid-tag-your-phone.w654.jpg

Last edited by asper (2015-04-14 22:10:40)

Offline

#20 2015-04-14 22:54:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: unknown hf tag

@marshmellow,

https://github.com/Proxmark/proxmark3/b … 14a.c#L165
fast answer to the SAK = 0x00 == Ultralight,  as you can see in the code (link above) the identification inside "hf 14a reader" is only based on SAK and not in union with ATQA.

Offline

Board footer

Powered by FluxBB