Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi, has anyone seen this before?
Last edited by Dan from OZ (2017-09-27 11:13:57)
Offline
Stick it on a pm3 and 'lf search u' it and post the results.
Offline
I have an alarm system which uses a tag of exactly this shape (except that they are white). I know that the tag is 125 kHz.
Offline
I copied one this shape for a customer a while back, very thin. It was an EM Marin tag.
Offline
Hi, I did lf search u.
This is what came up:
#db# DownloadFPGA(len: 42096)
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found:
EM TAG ID : 0004EA0351
Unique TAG ID : 002057C08A
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 15336273
DEZ 10 : 0082445137
DEZ 5.5 : 01258.00849
DEZ 3.5A : 000.00849
DEZ 3.5B : 004.00849
DEZ 3.5C : 234.00849
DEZ 14/IK2 : 00000082445137
DEZ 15/IK3 : 000000542621834
DEZ 20/ZK : 00000200050712000810
}
Other : 00849_234_15336273
Pattern Paxton : 16662865 [0xFE4151]
Pattern 1 : 12321674 [0xBC038A]
Pattern Sebury : 849 106 6947665 [0x351 0x6A 0x6A0351]
Valid EM410x ID Found!
Offline
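The "Possible de-scramble patterns" block above is the same 40-bit EM410x identifier rendered the way different vendor systems print it; the EM410x ID is broadcast in clear with no authentication, which is why the LF side of this fob could be copied so easily. The following is an added example, not code from the thread or from the Proxmark3 project; it recomputes the "Unique TAG ID" and the DEZ lines from the raw ID, and the slicing rules in it are reconstructed from the output shown above (an assumption of this example, not a statement of how the Proxmark3 source does it).

```python
# Added example, not from the thread: recompute the ID views that
# `lf search` printed for the EM410x fob from its raw 40-bit ID, so the
# relation between "EM TAG ID", "Unique TAG ID" and the DEZ lines is
# explicit. The slicing rules below are reconstructed from the thread's
# output and are this example's own assumption about the formats.

EM_TAG_ID = 0x0004EA0351          # "EM TAG ID" from the thread's lf search output


def reverse_byte(b: int) -> int:
    """Bit-reverse one byte: 0xEA = 11101010 -> 01010111 = 0x57."""
    return int(f"{b:08b}"[::-1], 2)


def em_bytes(em_id: int) -> list:
    """The five bytes of a 40-bit EM ID, most significant first."""
    return [(em_id >> (8 * (4 - i))) & 0xFF for i in range(5)]


def em_unique_id(em_id: int) -> int:
    """'Unique TAG ID': every byte of the EM ID bit-reversed in place."""
    out = 0
    for byte in em_bytes(em_id):
        out = (out << 8) | reverse_byte(byte)
    return out


def em_dez_views(em_id: int) -> dict:
    """Decimal ('DEZ') renderings of the ID as printed under 'HoneyWell IdentKey'."""
    b = em_bytes(em_id)
    uid = em_unique_id(em_id)
    low16 = em_id & 0xFFFF                  # last two bytes
    low24 = em_id & 0xFFFFFF                # last three bytes
    return {
        "DEZ 8": f"{low24:08d}",
        "DEZ 10": f"{em_id & 0xFFFFFFFF:010d}",
        "DEZ 5.5": f"{(em_id >> 16) & 0xFFFF:05d}.{low16:05d}",
        "DEZ 3.5A": f"{b[0]:03d}.{low16:05d}",
        "DEZ 3.5B": f"{b[1]:03d}.{low16:05d}",
        "DEZ 3.5C": f"{b[2]:03d}.{low16:05d}",
        "DEZ 14/IK2": f"{em_id:014d}",
        "DEZ 15/IK3": f"{uid:015d}",
        # DEZ 20/ZK: each hex nibble of the Unique TAG ID as a two-digit decimal
        "DEZ 20/ZK": "".join(f"{(uid >> (4 * (9 - i))) & 0xF:02d}" for i in range(10)),
        "Other": f"{low16:05d}_{b[2]:03d}_{low24:08d}",
    }


if __name__ == "__main__":
    print(f"EM TAG ID     : {EM_TAG_ID:010X}")
    print(f"Unique TAG ID : {em_unique_id(EM_TAG_ID):010X}")
    for name, value in em_dez_views(EM_TAG_ID).items():
        print(f"{name:<12}: {value}")
```

Running it against the ID from the thread reproduces every line of the printout above, which is a quick way to confirm that a site's "card number" (whatever format the access control software shows) is just a slice of the public EM ID. The Paxton, Pattern 1 and Sebury lines are not recomputed here because their derivations are not visible in the output.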
I copied the card and it didn't work: it opened my front door but not the entrance or elevator.
Offline
Then I did hf search u
and this came up:
UID : 04 34 24 aa 8e 56 80
ATQA : 03 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 06 75 77 81 02 80 02 f0
- TL : length is 6 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : 80
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
Offline
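The ATS lines in the hf search output (TL, T0, TA1, TB1, TC1, HB) are the Proxmark3's decoding of the bytes `06 75 77 81 02 80` plus the two CRC_A bytes `02 f0` it prints after them. As an added example, not code from the thread or from the Proxmark3 project, here is a small ISO/IEC 14443-4 ATS parser with a CRC_A check; it assumes the Proxmark3 appends the CRC to the ATS it prints (which the TL byte of 6 versus 8 bytes shown confirms) and is fed the thread's ATS as sample input.

```python
# Added example, not from the thread: decode the ATS that `hf search` printed
# for the DESFire fob, following the ISO/IEC 14443-4 field layout. The
# Proxmark3 prints the ATS with its two CRC_A bytes appended, so the parser
# accepts and verifies that trailer.

FSCI_TO_FSC = {0: 16, 1: 24, 2: 32, 3: 40, 4: 48, 5: 64, 6: 96, 7: 128, 8: 256}


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (init 0x6363), returned low byte first as sent on air."""
    crc = 0x6363
    for byte in data:
        ch = byte ^ (crc & 0xFF)
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_ats(raw: bytes) -> dict:
    """Split an ATS into TL / T0 / TA1 / TB1 / TC1 / historical bytes.

    raw may be the bare ATS (len == TL) or ATS + CRC_A (len == TL + 2).
    """
    tl = raw[0]
    if len(raw) == tl + 2:
        if crc_a(raw[:tl]) != raw[tl:]:
            raise ValueError("CRC_A mismatch on ATS")
        raw = raw[:tl]
    elif len(raw) != tl:
        raise ValueError(f"TL says {tl} bytes but {len(raw)} were given")

    info = {"TL": tl}
    if tl == 1:                       # ATS with no interface bytes at all
        info["HB"] = b""
        return info

    t0 = raw[1]
    fsci = t0 & 0x0F
    info["FSCI"] = fsci
    info["FSC"] = FSCI_TO_FSC.get(fsci, 256)   # FSCI 9..15 is RFU; cap at 256 here
    idx = 2
    if t0 & 0x10:                     # TA1: supported bit-rate divisors
        ta1 = raw[idx]
        idx += 1
        info["TA1"] = {
            "same_divisor_both_directions_only": bool(ta1 & 0x80),
            "DS": [2 ** (i + 1) for i in range(3) if (ta1 >> (4 + i)) & 1],  # PICC -> PCD
            "DR": [2 ** (i + 1) for i in range(3) if (ta1 >> i) & 1],        # PCD -> PICC
        }
    if t0 & 0x20:                     # TB1: frame waiting time / start-up guard time
        tb1 = raw[idx]
        idx += 1
        fwi, sfgi = tb1 >> 4, tb1 & 0x0F
        info["TB1"] = {"FWI": fwi, "FWT_fc": 4096 << fwi,
                       "SFGI": sfgi, "SFGT_fc": 4096 << sfgi}
    if t0 & 0x40:                     # TC1: optional NAD / CID support
        tc1 = raw[idx]
        idx += 1
        info["TC1"] = {"NAD": bool(tc1 & 0x01), "CID": bool(tc1 & 0x02)}
    info["HB"] = raw[idx:]            # historical bytes
    return info


# The ATS line from the thread, re-typed here as sample input (CRC included).
ATS_FROM_THREAD = bytes.fromhex("06 75 77 81 02 80 02 f0")

if __name__ == "__main__":
    for key, value in parse_ats(ATS_FROM_THREAD).items():
        print(f"{key:<5}: {value}")
```

The decoded values match the Proxmark3's lines exactly: FSC 64, DR and DS of 2/4/8, FWI 8 (FWT = 1048576/fc), SFGI 1 (SFGT = 8192/fc), CID supported, NAD not, one historical byte `80`. Note that a matching ATS only tells you the card's ISO 14443-4 transport parameters; it says nothing about which application or authentication the reader actually uses, which is the question the rest of the thread turns on.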
So are you saying it's a dual technology tag, EM Marin like the one I copied and Mifare?
The access control companies are getting wise. I'm seeing more and more of these tags come through the door.
Offline
Not sure, as I am new to this myself, but is this card able to be cloned? I tried to sniff it but it won't read between the antenna and the tag; the tag has to touch the reader. No brand or marking on the reader either. Any help would be appreciated.
Offline
You would need a dual card, one with T55x7 for LF, one with magic HF. But since it's DESFire/JCOP, you would need to sniff some traffic to see what's going on.
I have only seen ONE dual card in existence with T55x7 and magic Mifare classic.
Alternatively, two cards would be needed.
But start with sniffing the HF part, with a pm3, when you try the elevator. That's the starting point.
Offline
OK, thanks iceman, but putting the card between the reader and the antenna it won't read; the card has to touch the reader. How do I get around that?
Offline
This card is dual, and the Mifare part is a "NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41". I thought this type, "MIFARE DESFire" or "JCOP", could not be simulated or copied yet, even when you have had a good sniff trace.
Last edited by ntk (2017-10-04 12:50:38)
Offline
I didn't know that, so this tag can not be done yet at all?
Offline
Don't give up just yet.
Send us the lf search and hf search results from as many different tags as you can; that will be helpful.
717
Last edited by 717 (2017-10-04 12:53:44)
Offline
OK, will do, but I have to ask neighbors to borrow different keys and run the sniff or snoop command, because they changed the system in my building and they want $250 for one card.
Offline
OK, will do, but I have to ask neighbors to borrow different keys and run the sniff or snoop command, because they changed the system in my building and they want $250 for one card.
That is quite over the top indeed... Is it made of gold?
Send us more tag info and we will help you
717
Last edited by 717 (2017-10-04 13:20:47)
Offline
I was surprised too that nobody had pointed the finger at the words DESFire EV. But as long as Iceman says try it, something some way might be / could be done.
Offline
...hehe.. I did notice it, but since we can't tell if the system uses UID only or more data from the HF part of the card, I suggested sniffing the traffic.
Once we see the trace from the sniff, we know more about what is possible. Until then it's pure speculation.
Offline
@DanFromOz, you could either put
READER -> PM3 -> CARD
READER -> CARD -> PM3
Both should work, but as with all sniffing, it's a fiddle to find a good sniffing spot. Trial and error is your friend.
Offline
I can't get my snoop to work. When I do it, nothing happens; then I pressed the button on the pm3 and these results came out:
Offline
proxmark3> #db# cancelled by button
proxmark3> #db# COMMAND FINISHED
proxmark3> #db# maxDataLen=5, Uart.state=0, Uart.len=0
proxmark3> #db# traceLen=14556, Uart.output[0]=000000e0
proxmark3> #db# Stand-alone mode! No PC necessary.
proxmark3> #db# Enabling iso14443a reader mode for [Bank: 0]...
proxmark3> #db# Read UID:
proxmark3> #db# 04 34 24 aa 8e 56 80 00
proxmark3> #db# 00 00
proxmark3> #db# Bank[0] received a 7-byte UID
proxmark3> #db# ATQA = 4403
proxmark3> #db# SAK = 20
proxmark3> #db# Playing
proxmark3> #db# Simulating ISO14443a tag with uid[0]: 00043424, uid[1]: aa8e5680 [Bank: 0]
proxmark3> #db# Unrecognized tag type -- defaulting to Mifare Classic emulation
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=7):
proxmark3> #db# 02 5a c0 1b f5 e7 c4
proxmark3> #db# Received unknown command (len=5):
proxmark3> #db# 03 aa 01 76 09
proxmark3> #db# Received unknown command (len=36):
proxmark3> #db# 02 af 34 2e 97 df 9d 49
proxmark3> #db# e5 f0 49 8e 79 a7 d0 bc
proxmark3> #db# 57 c7 13 9f 0a 3e 05 58
proxmark3> #db# c4 50 c6 7e 94 79 03 99
proxmark3> #db# a9 0e 1b 62
proxmark3> #db# Received unknown command (len=11):
proxmark3> #db# 03 bd 01 00 00 00 03 00
proxmark3> #db# 00 8d a4
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=7):
proxmark3> #db# 02 5a c0 1b f5 e7 c4
proxmark3> #db# Received unknown command (len=5):
proxmark3> #db# 03 aa 01 76 09
proxmark3> #db# Received unknown command (len=36):
proxmark3> #db# 02 af d8 c3 fb e2 b1 0b
proxmark3> #db# 8e 2b c8 13 68 ab 06 59
proxmark3> #db# c4 b3 f5 25 1e 84 40 d9
proxmark3> #db# f4 c3 7d 02 50 41 a3 79
proxmark3> #db# f9 b4 63 07
proxmark3> #db# Received unknown command (len=11):
proxmark3> #db# 03 bd 01 00 00 00 03 00
proxmark3> #db# 00 8d a4
proxmark3> #db# Received unknown command (len=2):
proxmark3> #db# 97 20
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=2):
proxmark3> #db# 97 20
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=7):
proxmark3> #db# 02 5a c0 1b f5 e7 c4
proxmark3> #db# Received unknown command (len=5):
proxmark3> #db# 03 aa 01 76 09
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 00
proxmark3> #db# Received unknown command (len=36):
proxmark3> #db# 02 af 56 ff 23 08 60 eb
proxmark3> #db# 96 ca 7d 13 9e ed e7 b1
proxmark3> #db# 06 31 13 7e e9 96 97 dd
proxmark3> #db# 59 e2 6c df 39 e3 d3 36
proxmark3> #db# 29 d0 97 d5
proxmark3> #db# Received unknown command (len=11):
proxmark3> #db# 03 bd 01 00 00 00 03 00
proxmark3> #db# 00 8d a4
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=7):
proxmark3> #db# 02 5a c0 1b f5 e7 c4
proxmark3> #db# Received unknown command (len=5):
proxmark3> #db# 03 aa 01 76 09
proxmark3> #db# Received unknown command (len=2):
proxmark3> #db# 48 02
proxmark3> #db# Received unknown command (len=36):
proxmark3> #db# 02 af 6a ed 1a f5 25 a4
proxmark3> #db# d1 f0 25 65 6e 76 73 cd
proxmark3> #db# fe d2 8d f2 6b ac 40 0d
proxmark3> #db# 24 79 d8 cc 4f 6d 4f 81
proxmark3> #db# 89 07 0e e5
proxmark3> #db# Received unknown command (len=11):
proxmark3> #db# 03 bd 01 00 00 00 03 00
proxmark3> #db# 00 8d a4
proxmark3> #db# Button press
proxmark3> #db# 0 0 1a1
proxmark3> #db# Done playing. Switching to record mode on bank 1
proxmark3> #db# Enabling iso14443a reader mode for [Bank: 1]...
proxmark3> #db# Read UID:
proxmark3> #db# 04 34 24 aa 8e 56 80 00
proxmark3> #db# 00 00
proxmark3> #db# Bank[1] received a 7-byte UID
proxmark3> #db# ATQA = 4403
proxmark3> #db# SAK = 20
proxmark3> #db# Playing
proxmark3> #db# Simulating ISO14443a tag with uid[0]: 00043424, uid[1]: aa8e5680 [Bank: 1]
proxmark3> #db# Unrecognized tag type -- defaulting to Mifare Classic emulation
Offline
It seems like the button press just enabled your standalone mode. The sniff / snoop usually is quiet until you issue a hf list 14a ...
Did you use hf mf sniff or hf 14a snoop?
You should be able to get some trace from hf list 14a.
But from the simulation fail, it seems your door uses APDUs and reads data from the card.
If true, your HF part can't be cloned as of today.
Well, you could test hf mfdes info from the iceman fork, to see if there are some DESFire default keys. Highly doubtful though.
Offline
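The reply above reads the standalone-mode log the way a practitioner would: the "Received unknown command" frames the Proxmark3 logged while emulating the UID are ISO/IEC 14443-4 I-blocks carrying DESFire native commands, so the reader is selecting an application, running an authentication and reading a file, and a UID-only emulation cannot answer that. This is an added example, not code from the thread or from the Proxmark3 project, that parses those log lines, strips the CRC_A trailer, names the block type and the command byte, and summarises whether an authentication and a read were seen. The command-name table is this example's own assumption taken from the publicly documented DESFire EV1 command set, and the sample log is a subset of the lines quoted in the thread.

```python
# Added example, not from the thread: reassemble the "#db# Received unknown
# command" dumps from the standalone log into frames, strip the 2-byte CRC_A,
# and name the ISO/IEC 14443-4 block and the DESFire native command it carries.
# The DESFire command names below are an assumption of this example, taken
# from the public DESFire EV1 command set, not Proxmark3 output.
import re

DESFIRE_CMD = {                # native command byte -> name (assumed mapping)
    0x0A: "Authenticate (legacy DES/3DES)",
    0x1A: "AuthenticateISO",
    0xAA: "AuthenticateAES",
    0xAF: "AdditionalFrame",
    0x5A: "SelectApplication",
    0x60: "GetVersion",
    0x6A: "GetApplicationIDs",
    0x6F: "GetFileIDs",
    0xF5: "GetFileSettings",
    0xBD: "ReadData",
    0x3D: "WriteData",
    0x6C: "GetValue",
}

LINE_RE = re.compile(r"#db# Received unknown command \(len=(\d+)\):")
HEX_RE = re.compile(r"#db# ((?:[0-9a-f]{2} ?)+)\s*$")


def frames_from_log(log: str) -> list:
    """Collect each (possibly multi-line) command dump into one bytes object."""
    frames, cur, want = [], bytearray(), None
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            if want is not None:            # previous dump ended short: keep what we have
                frames.append(bytes(cur))
            cur, want = bytearray(), int(m.group(1))
            continue
        h = HEX_RE.search(line)
        if h and want is not None:
            cur += bytes.fromhex(h.group(1).replace(" ", ""))
            if len(cur) >= want:
                frames.append(bytes(cur[:want]))
                cur, want = bytearray(), None
    if want is not None:
        frames.append(bytes(cur))
    return frames


def classify(frame: bytes) -> dict:
    """Name the ISO14443-4 block and, for I-blocks, the DESFire command inside."""
    if len(frame) < 3:                      # too short for PCB + CRC_A: noise or fragment
        return {"block": "short/unknown", "raw": frame.hex()}
    body = frame[:-2]                       # drop CRC_A
    pcb = body[0]
    if pcb & 0xC2 == 0x02:                  # I-block: b8b7 = 00, b2 = 1
        off = 1 + bool(pcb & 0x08) + bool(pcb & 0x04)   # skip CID / NAD bytes if flagged
        cmd = body[off] if len(body) > off else None
        return {"block": "I", "block_number": pcb & 1, "cmd": cmd,
                "cmd_name": DESFIRE_CMD.get(cmd, "unknown"),
                "payload": body[off + 1:].hex()}
    if pcb & 0xE2 == 0xA2:                  # R-block: b8b7b6 = 101
        return {"block": "R-NAK" if pcb & 0x10 else "R-ACK"}
    if pcb & 0xC2 == 0xC2:                  # S-block: b8b7 = 11
        return {"block": "S-WTX" if pcb & 0x30 == 0x30 else "S-DESELECT"}
    return {"block": "unknown", "raw": frame.hex()}


def summarize(log: str) -> dict:
    """What the reader tried to do with the emulated card, as a defender would read it."""
    seen = [classify(f) for f in frames_from_log(log)]
    cmds = [c["cmd_name"] for c in seen if c["block"] == "I"]
    return {"iblocks": len(cmds), "commands": sorted(set(cmds)),
            "authenticates": "AuthenticateAES" in cmds, "reads_data": "ReadData" in cmds}


# Sample input: a subset of the standalone log lines quoted in the thread.
SAMPLE_LOG = """\
proxmark3> #db# Received unknown command (len=1):
proxmark3> #db# 04
proxmark3> #db# Received unknown command (len=7):
proxmark3> #db# 02 5a c0 1b f5 e7 c4
proxmark3> #db# Received unknown command (len=5):
proxmark3> #db# 03 aa 01 76 09
proxmark3> #db# Received unknown command (len=36):
proxmark3> #db# 02 af 34 2e 97 df 9d 49
proxmark3> #db# e5 f0 49 8e 79 a7 d0 bc
proxmark3> #db# 57 c7 13 9f 0a 3e 05 58
proxmark3> #db# c4 50 c6 7e 94 79 03 99
proxmark3> #db# a9 0e 1b 62
proxmark3> #db# Received unknown command (len=11):
proxmark3> #db# 03 bd 01 00 00 00 03 00
proxmark3> #db# 00 8d a4
proxmark3> #db# Received unknown command (len=2):
proxmark3> #db# 97 20
"""

if __name__ == "__main__":
    for f in frames_from_log(SAMPLE_LOG):
        print(classify(f))
    print(summarize(SAMPLE_LOG))
```

Read this way, the log shows SelectApplication, AuthenticateAES, a 32-byte AdditionalFrame (the encrypted challenge-response step) and a 3-byte ReadData, all of which an emulator that only knows the UID cannot satisfy. For a defender auditing an installation this is the check that matters: a reader that stops at the UID is replicable, while one that authenticates before reading is not, and the trace tells you which of the two you have.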
hf list 14a doesn't work at all for me. I am using the pm3 bin 2.4.0 and I think it has your fork, iceman.
Offline
Last night our security company identified this email address as being used in an attempt to illegally duplicate the fobs in """%^%^t, Sydney. An attempt was made to duplicate fob 849. This fob has now been cancelled and the tenant of unit %% will need to personally attend reception to obtain another working fob with a copy of the lease and his/her ID. Any further attempts to hack the fob system will result in a report directly to Police. Unit %%% is now on the watch list and the agent will be notified.
Offline
I got this email this morning. I don't know how they got my email, and I was told by strata that they had seen my post on this site, as a warning to me; little did they know I own the apartment. My sniffing last night must have triggered something. "This is a message to the security company watching our posts and spying: your key will be cracked, your new system will be useless, maybe not today, maybe not tomorrow. And before threatening to call the police, copying your own key is not freaking illegal."
Offline
...not the first time HID / lock related people are on this forum warning people. We have law enforcement, company people, researchers, black hats, all of whom are here to keep track of the security status of different products. Whenever they find something they warn or threaten the user.
I've said it before and say it again, don't be naive on this forum.
Offline
Thanks, but they can do what they like; I own the key and the place so I'm not going to back down. But now I'm very interested: where can I go from here to clone this card, and what study and research is needed?
Offline
Thanks, but they can do what they like; I own the key and the place so I'm not going to back down. But now I'm very interested: where can I go from here to clone this card, and what study and research is needed?
I doubt they just saw you from the surveillance. Sniffing traffic doesn't interact with the system at all; it's just listening.
Last edited by brantz (2019-02-27 14:24:29)
Offline