Research, development and trades concerning the powerful Proxmark3 device.
Hey everybody,
My first post here, so far reading the topics has been of great help in general. Hopefully someone can help me out. I bought the UID changeable 1k card from xfpga but it doesn't seem to be working correctly...
Basically most hf mf commands don't work, see the list below:
csetuid, csetblk, cgetblk, cgetsc; also running either nested or darkside attacks fails.
What does seem to work is wrbl/rdbl (even on block0), but that means that I will need to authenticate each sector with its appropriate key if I want to rewrite the card, and since I cannot recover the keys with nested/darkside that is really bothersome!
I hope someone can help me out!!
Firmware:
proxmark3> #db# Prox/RFID mark3 RFID instrument
proxmark3> #db# bootrom: svn 756 2013-07-13 08:11:47
proxmark3> #db# os: svn 756 2013-07-13 08:11:52
proxmark3> #db# FPGA image built on 2012/ 1/ 6 at 15:27:56
Card Specs:
proxmark3> hf 14a read
ATQA : 04 00
UID : b3 3f b3 3f
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k
proprietary non iso14443a-4 card found, RATS not supported
Sample Errors:
proxmark3> hf mf csetuid 11111111
--wipe card:00 uid:11 11 11 11
#db# Can't select card
Can't set UID. error=2
proxmark3> hf mf cgetblk 2
--block number:02
#db# wupC1 error
Can't read block. error=2
proxmark3> hf mf cgetsc 0
--sector number:00
#db# wupC1 error
Can't read block. 00 error=2
What does work:
proxmark3> hf mf wrbl 0 a ffffffffffff 11111111111111111111111111111111
--block no:00 key type:00 key:ff ff ff ff ff ff
--data: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf mf rdbl 0 a ffffffffffff
--block no:00 key type:00 key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
Offline
I just want to tell you to be very careful while writing block 0! The UID is followed by a little checksum that you're not taking care of.
I'll try at home in a couple of hours what you're asking with the same cards from xfpga and tell you my results...
Have you tried the libnfc command?
Offline
Hey moebius,
Much appreciated, let me know how it works out with your card, feeling a bit annoyed with this.
Ok, I found information about the checksum online, thanks for pointing that out. Is it really an issue if I don't take care of it? I can always overwrite block0 with a known good block and fix the error, right (or calculate the checksum for my bogus block)?
Which libnfc command? I have played with the card on a Debian build with mfoc and mfcuk. It seems like mfoc is able to use default keys to dump the card contents but mfcuk has been broken for a while. There is a ticket but I don't think anyone will fix it; mfcuk consistently finds the wrong key although the last 4 bytes are always correct (https://code.google.com/p/mfcuk/issues/detail?id=21).
Offline
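The checksum raised in the two posts above is the ISO 14443-3 BCC: for a 4-byte UID it is the XOR of the four UID bytes, stored as byte 4 of block 0 and checked by the reader during anticollision. The following is an added example, not part of the original posts, that checks a candidate block 0 before it is written; the function names are assumptions, and only the UID and BCC bytes are interpreted.

```python
"""Check the BCC byte of a 4-byte-UID MIFARE Classic block 0 (added example)."""
from functools import reduce

BLOCK_LEN = 16   # one MIFARE Classic block
UID_LEN = 4      # single-size UID, as on the card in this thread


def bcc(uid: bytes) -> int:
    """ISO 14443-3 block check character: XOR of the four UID bytes."""
    if len(uid) != UID_LEN:
        raise ValueError("expected a 4-byte UID")
    return reduce(lambda a, b: a ^ b, uid)


def parse_block0(hex_block: str) -> bytes:
    """Accept 'b33fb33f...' or 'b3 3f b3 3f ...' and return 16 raw bytes."""
    raw = bytes.fromhex(hex_block.replace(" ", ""))
    if len(raw) != BLOCK_LEN:
        raise ValueError(f"block 0 must be {BLOCK_LEN} bytes, got {len(raw)}")
    return raw


def check_block0(hex_block: str) -> tuple[bool, int, int]:
    """Return (ok, stored_bcc, expected_bcc) for a candidate block 0."""
    raw = parse_block0(hex_block)
    expected = bcc(raw[:UID_LEN])
    stored = raw[UID_LEN]
    return stored == expected, stored, expected


def fix_block0(hex_block: str) -> str:
    """Return the block with byte 4 set to the correct BCC; rest untouched."""
    raw = bytearray(parse_block0(hex_block))
    raw[UID_LEN] = bcc(bytes(raw[:UID_LEN]))
    return raw.hex()


if __name__ == "__main__":
    # Block 0 exactly as written with wrbl earlier in the thread.
    written = "11111111111111111111111111111111"
    ok, stored, expected = check_block0(written)
    print(f"thread block: ok={ok} stored={stored:02x} expected={expected:02x}")
    print("corrected   :", fix_block0(written))
    # UID taken from the nfc-mfsetuid command that appears in the thread.
    print(f"BCC for deadbeef: {bcc(bytes.fromhex('deadbeef')):02x}")
```

Run against the all-`11` block from the first post, it reports a stored BCC of `11` where `00` is expected.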
Commands:
$ nfc-list
$ nfc-mfsetuid deadbeef
$ nfc-list
Offline