Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Hi all,
I've recently purchased an Elechouse proxmark3 rdv2 and successfully flashed to the latest firmware.
It appears I have been able to clone a HID proximity card to a T5577 which came with the kit, but the problem is the cloned card is not recognised by the reader. The strange thing is the reader doesn't even recognise the proxmark when emulating using the simulator. I must be missing a key piece of information but just can't work out what it is.
$ ./proxmark3 /dev/cu.usbmodem1411
Prox/RFID mark3 RFID instrument
bootrom: master/v2.2.0-227-g51b4267-suspect 2016-08-25 11:35:59
os: master/v2.2.0-227-g51b4267-suspect 2016-08-25 11:36:00
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 185630 bytes (35). Free: 338658 bytes (65).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
I've followed the standard recipe to clone the card. Read the original HID card:
proxmark3> lf hid fsk 1
#db# DownloadFPGA(len: 42096)
#db# TAG ID: 2004e20750 (936) - Format Len: 26bit - FC: 113 - Card: 936
Clone the card to a T5577:
proxmark3> lf hid clone 2004e20750
Cloning tag with ID 2004e20750
#db# DONE!
Check the new card contains the same information:
proxmark3> lf hid fsk 1
#db# TAG ID: 2004e20750 (936) - Format Len: 26bit - FC: 113 - Card: 936
Everything was going great up to this point but as mentioned the cloned card doesn't work at the reader. I don't have access to the reader's logs so I can't tell what is happening behind the scenes. The reader does absolutely nothing when the card is presented. I've even tried simulating the card directly from the proxmark3 and the reader still doesn't blink or do anything at all.
I've read through a ton of posts looking for a solution to no avail. I hope someone is able to help shed some light or give some pointers. Many thanks in advance.
Last edited by ogenex (2016-09-02 14:46:38)
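Worked example, added here and not part of the thread or of the Proxmark project: a small Python decoder/encoder for the 26-bit H10301 word inside the raw ID 2004e20750 that the client printed above, confirming that it carries FC 113 and card 936 and that both parity bits check out. The framing around the 26 data bits (the set bit 26 and the 0x20 high byte) is taken from the page's own raw ID, not from a specification. A decode that passes like this is what a reader's access-control log would show for the card; when the reader stays silent on a correctly decoding clone, as in this thread, the cause is more likely a technology or format mismatch than bad data.

```python
from dataclasses import dataclass

# Framing observed in the page's raw ID 0x2004e20750 (an observation, not a spec):
# bits 0..25 hold the 26-bit word, bit 26 is set as a format-length marker,
# and the byte above bit 32 is 0x20.
FORMAT_MARKER_BIT = 1 << 26
HI_PREFIX = 0x20 << 32
WORD_MASK = (1 << 26) - 1


@dataclass(frozen=True)
class HidProx26:
    facility_code: int   # 8 bits
    card_number: int     # 16 bits


def parity_bit(value: int) -> int:
    """Return 1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def encode_h10301(fc: int, cn: int) -> int:
    """Build the 26-bit H10301 word, MSB first: EP(1) | FC(8) | CN(16) | OP(1)."""
    if not (0 <= fc <= 0xFF and 0 <= cn <= 0xFFFF):
        raise ValueError("FC must fit in 8 bits and the card number in 16 bits")
    body = (fc << 16) | cn                  # the 24 data bits
    even_p = parity_bit(body >> 12)         # even parity over the upper 12 data bits
    odd_p = parity_bit(body & 0xFFF) ^ 1    # odd parity over the lower 12 data bits
    return (even_p << 25) | (body << 1) | odd_p


def decode_h10301(word: int) -> HidProx26:
    """Split a 26-bit word into FC/CN, rejecting it if either parity bit is wrong."""
    if word >> 26:
        raise ValueError("word is wider than 26 bits")
    body = (word >> 1) & 0xFFFFFF
    fc, cn = body >> 16, body & 0xFFFF
    if ((word >> 25) & 1) != parity_bit(body >> 12):
        raise ValueError("even parity check failed")
    if (word & 1) != (parity_bit(body & 0xFFF) ^ 1):
        raise ValueError("odd parity check failed")
    return HidProx26(fc, cn)


def raw_id_to_word(raw: int) -> int:
    """Strip the client's framing from a raw HID ID, keeping only the 26-bit word."""
    if raw & FORMAT_MARKER_BIT == 0:
        raise ValueError("format marker bit 26 not set; not a 26-bit raw ID")
    return raw & WORD_MASK


def word_to_raw_id(word: int) -> int:
    """Wrap a 26-bit word the way the client framed the raw ID on the page."""
    return HI_PREFIX | FORMAT_MARKER_BIT | (word & WORD_MASK)


if __name__ == "__main__":
    raw = 0x2004E20750                       # raw ID printed by the client in the thread
    card = decode_h10301(raw_id_to_word(raw))
    print(f"raw {raw:010x} -> FC {card.facility_code}, card {card.card_number}")
    again = word_to_raw_id(encode_h10301(card.facility_code, card.card_number))
    print(f"re-encoded raw ID: {again:010x}")
```

Running the file decodes the page's raw ID and re-encodes the FC/card pair back into the same value; feeding `decode_h10301` a word with a flipped data bit raises a parity error instead of returning a plausible-looking card.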
As with all questions, you are not using the latest code. Pull git, compile and flash fullimage.
Try the "lf search" also, instead of the direct "lf hid" command when detecting your cloned tag.
Might be a dual tech card.
Thanks guys, I've flashed the pm3 by following the instructions on the wiki:
https://github.com/Proxmark/proxmark3/wiki/OSX
Prox/RFID mark3 RFID instrument
bootrom: master/v2.2.0-227-g51b4267-suspect 2016-09-02 23:31:56
os: master/v2.2.0-227-g51b4267-suspect 2016-09-02 23:31:58
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
I'll give cloning another go and let you know. Many thanks for the pointers.
Also, lf search picks up the cloned card, stating Valid HID Prox ID Found.
I have a feeling it still won't work but time will tell. Thanks again.
Not sure if this has anything to do with the issue, but I'm curious why lf t55xx dump only outputs blocks 4-7 from page 0 of the newly programmed t55x7:
proxmark3> lf t55xx dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
4 | 07FFFFFF | 00000111111111111111111111111111
5 | 07FFFFFF | 00000111111111111111111111111111
6 | 07FFFFFF | 00000111111111111111111111111111
7 | 07FFFFFF | 00000111111111111111111111111111
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
I went ahead and did an lf t55xx wipe of the card and ran lf hid clone <TagID> again, and I still get the same results, only seeing blocks 4-7.
Here's the lf t55x7 info in case it helps any:
proxmark3> lf t55xx info
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 3
reserved : 127
Data bit rate : 7 - RF/128
eXtended mode : Yes - Warning
Modulation : 0x1F (Unknown)
PSK clock frequency : 3
AOR - Answer on Request : Yes
OTP - One Time Pad : Yes - Warning
Max block : 7
Password mode : Yes
Sequence Start Terminator : Yes
Fast Write : Yes
Inverse data : Yes
POR-Delay : Yes
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x3FFFFFFF 00111111111111111111111111111111
-------------------------------------------------------------
Last edited by ogenex (2016-09-03 02:51:46)
Your version output, master/v2.2.0, is not the latest release: https://github.com/Proxmark/proxmark3/releases
Even if you go with the released package v2.3.0, it's out of date. The latest source has many more issues fixed, which is why we always instruct people to go for it. If you are not running the latest source, we will have a very hard time figuring out the problem.
Thanks very much iceman. I thought I was up-to-date as I had the latest version of the repository cloned and was working from that.
git clone https://github.com/Proxmark/proxmark3.git
git pull
Already up-to-date.
git describe
v2.2.0-227-g51b4267
In any case, I've downloaded the latest source from https://github.com/Proxmark/proxmark3/releases and reflashed the device. No biggie, but now the master/version string doesn't appear at all:
proxmark3> hw ver
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2016-09-03 10:51:49
os: /-suspect 2016-09-03 10:51:50
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
Hope I'm on the right track. I'll let you know how it goes once I program the t55x7 and try the card against the reader. Thanks again.
perfect
Spot on iceman, the card turned out to be dual tech! I haven't had a chance to test it at the reader yet, but it seems right. Here's the process for the record.
proxmark3> lf search
Reading 30000 bytes from device memory
...
Valid HID Prox ID Found!
proxmark3> hf search u
...
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
Then I followed the excellent tutorial at https://pmo.io/blog/cloning-a-mifare-tag.html on cloning Mifare Classic 1k tags.
Read the UID:
proxmark3> hf 14a read
Check for default keys:
proxmark3> hf mf chk *1 ? t
Valid ffffffffffff keys were found, but I ran the mifare darkside attack anyway:
proxmark3> hf mf mifare
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| 5 | 0 |0,1,1,0,1,0,1,0|
| 20 |00000020| 8 | d |0,1,1,1,0,1,0,0|
| 40 |00000040| d | 8 |0,1,1,1,0,0,1,1|
| 60 |00000060| b | e |0,1,1,0,0,0,1,1|
| 80 |00000080| 8 | d |0,1,1,1,1,0,1,0|
| a0 |000000a0| 8 | d |0,1,1,0,0,1,1,1|
| c0 |000000c0| 8 | d |0,1,1,0,0,0,1,1|
| e0 |000000e0| 0 | 5 |0,1,1,1,1,0,1,0|
key_count:1
------------------------------------------------------------------
Found valid key:ffffffffffff
Ran the nested authentication attack using the d flag to dump the keys to file:
proxmark3> hf mf nested 1 0 a ffffffffffff d
Testing known keys. Sector count=16
...
Printing keys to binary file dumpkeys.bin...
Dump the key data to file for later use with restore:
proxmark3> hf mf dump
Placing the Magic card on the HF antenna, write the UID:
proxmark3> hf mf csetuid <UID>
Restore the data to the Magic card:
proxmark3> hf mf restore
Btw, you need to run
lf t55xx detect
lf t55xx dump
to see if the pm3 client is configured in the right way to read from a T55x7 card. If it isn't found, you need to set it manually before trying to read/dump/write to the tag.
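Added example, not part of the thread or of the Proxmark client, serving both the lf t55xx info output posted earlier (block 0 read back as 0x3FFFFFFF) and the advice just above to run lf t55xx detect before dump: a Python decoder for the T55x7 page 0 block 0 configuration word that reproduces the field breakdown the client printed, then flags why that particular read is suspicious. Every field is at its maximum (reserved bits, an unknown modulation code, OTP and password mode all set at once), which is what an undemodulated or wrongly configured read looks like rather than a real tag configuration. The bit layout is taken from the T5577 datasheet as I recall it, and the comparison value 0x00107060 (RF/50, FSK2a, max block 3) is the block 0 I believe the client writes for lf hid clone; treat both as assumptions to verify against the datasheet and the client source.

```python
from __future__ import annotations

from dataclasses import dataclass

# Bit layout of T55x7 page 0 block 0, MSB first (assumed from the T5577 datasheet):
#   31..28 master key   27..21 reserved    20..18 data bit rate   17 X-mode
#   16..12 modulation   11..10 PSK clock   9 AOR   8 OTP   7..5 max block
#   4 PWD   3 ST (sequence terminator)   2 fast write   1 inverse data   0 POR delay
BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "DIRECT", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
               5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "MANCHESTER", 16: "BIPHASE"}

# Comparison value (an assumption, not from the thread): the block 0 I believe
# lf hid clone writes, i.e. RF/50, FSK2a, max block 3, no password.
HID_CLONE_BLOCK0 = 0x00107060
# The value the thread's lf t55xx info read back.
THREAD_BLOCK0 = 0x3FFFFFFF


@dataclass(frozen=True)
class T55x7Config:
    master_key: int
    reserved: int
    bit_rate: int
    extended: bool
    modulation: int
    psk_cf: int
    aor: bool
    otp: bool
    max_block: int
    pwd: bool
    st: bool
    fast_write: bool
    inverse: bool
    por_delay: bool

    @property
    def bit_rate_name(self) -> str:
        return BIT_RATES[self.bit_rate]

    @property
    def modulation_name(self) -> str:
        return MODULATIONS.get(self.modulation, "Unknown")


def decode_block0(block0: int) -> T55x7Config:
    """Split a 32-bit block 0 word into the fields the client prints."""
    if not 0 <= block0 <= 0xFFFFFFFF:
        raise ValueError("block 0 must be a 32-bit value")

    def flag(n: int) -> bool:
        return bool((block0 >> n) & 1)

    return T55x7Config(
        master_key=(block0 >> 28) & 0xF,
        reserved=(block0 >> 21) & 0x7F,
        bit_rate=(block0 >> 18) & 0x7,
        extended=flag(17),
        modulation=(block0 >> 12) & 0x1F,
        psk_cf=(block0 >> 10) & 0x3,
        aor=flag(9),
        otp=flag(8),
        max_block=(block0 >> 5) & 0x7,
        pwd=flag(4),
        st=flag(3),
        fast_write=flag(2),
        inverse=flag(1),
        por_delay=flag(0),
    )


def sanity_warnings(block0: int) -> list[str]:
    """Return reasons a decoded block 0 should not be trusted as-is."""
    cfg = decode_block0(block0)
    warnings: list[str] = []
    if cfg.reserved:
        warnings.append(f"reserved bits set (0x{cfg.reserved:02x})")
    if cfg.modulation_name == "Unknown":
        warnings.append(f"unknown modulation code 0x{cfg.modulation:02x}")
    if cfg.otp:
        warnings.append("OTP mode set")
    if cfg.pwd:
        warnings.append("password mode set: writes need the tag password")
    if cfg.reserved == 0x7F and cfg.modulation == 0x1F:
        warnings.append("every field at its maximum: looks like a failed demodulation "
                        "or an unconfigured client, not a real config; run lf t55xx detect first")
    return warnings


if __name__ == "__main__":
    for label, value in (("thread read", THREAD_BLOCK0), ("hid clone", HID_CLONE_BLOCK0)):
        cfg = decode_block0(value)
        print(f"{label}: 0x{value:08X} -> {cfg.bit_rate_name}, {cfg.modulation_name}, "
              f"max block {cfg.max_block}, pwd={cfg.pwd}, otp={cfg.otp}")
        for w in sanity_warnings(value):
            print("  warning:", w)
```

Run the file to see the thread's 0x3FFFFFFF decode to the same Safer key 3 / reserved 127 / RF/128 / 0x1F (Unknown) line-up the client printed, with every warning firing, beside a clean decode of the HID clone configuration with no warnings at all.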
Thanks very much for all your help on this one guys. The mifare clone works perfectly. Very cool indeed!