I tried searching to see if anyone else had this same error.
When running the command "hf 14a read"
It returns "iso14443a card select failed"
proxmark3> hf 14a read
iso14443a card select failed
I have tried restarting the computer and it still shows this error.
HW VERSION:
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 793 2013-10-03 14:31:33
#db# os: svn 793 2013-10-03 14:31:34
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
Let me know if you have figured out how to fix this error or if it's something I am doing.
Thanks!
Offline
Maybe the card is not a 14a card? Maybe the card is not a card but a small tag so your antenna is too big to detect it? Post a picture.
Offline
Here is a picture of my proxmark3 setup with the High Frequency antenna:
Here is a picture of the XceedID 9540 RFID card:
I am performing some work onsite at a client's. I have access to plenty of readers to be able to snoop on. This card doesn't allow me into higher security doors and we would like to test it to see if I can get it by possibly bruteforcing.
This is the information I found online about the card:
The XceedID 9540 is an ISO contactless smart card (13.56 MHz Credential: ISOX) with Secure Multi-App 10k bit memory/15693
Maybe I'm using the proxmark3 wrong..... I'm used to the easy LF HID commands I have never dealt with a HF card yet.
Offline
In fact it is not an ISO14443A card but an ISO15693 one.
Try to send one of those 2 commands and post eventual answers:
hf 15 read
or
hf 15 reader
Here and here is a quite exhaustive list of their RF products; below a sum-up of the above sheets:
Anyway, almost 300$ for an ISO15693 card?!?!?! They are crazy...
Offline
memory/15693
Your card is using the ISO15693 protocol not the ISO14443A/B, try using the 15693 Commands
Edit: I curse my slow internet connection!
Last edited by midnitesnake (2013-11-05 17:14:29)
Offline
Yeah I saw that online.... 300$ is CRAZY!
Here are my results
proxmark3> hf 15 reader
#db# 12 octets read from IDENTIFY request:
#db# NoErr CrcOK
#db# ..uf.... 00 00 75 66 aa 00 00 10
#db# ...5 05 e0 c7 35
#db# UID = E005100000AA6675
#db# 0 octets read from SELECT request:
#db# 0 octets read from XXX request:
Offline
Well, there is an Infineon chip inside that card, probably an SRF 55V, exactly a SRF 55V10S (HC), used mainly for Ticketing, Brand protection, Loyalty Schemes, Access Control.
Here is a memory scheme of that IC:
For further info send this:
hf 15 cmd sysinfo -2 u
To dump card content try this command:
hf 15 dumpmemory
if it doesn't work try this one:
hf 15 cmd readmulti -2 u 0 7
that means "from block/page 0 to 7"; increment last value until you reach the end of IC memory (it has 1024bytes = 128 blocks of 8bytes each = 80 in Hex).
If you use Windows this last dump function (read each block singularly) can be automatized by the Windows GUI under "read multiple block" section.
EDIT: well, the single chip costs lot less (less than half a dollar)... 300$ for a little plastic case...
Last edited by asper (2013-11-05 17:54:46)
Offline
If you can please post a full dump of your tag.
Offline
I'm trying to run the commands..... for some reason it keeps freezing my Ubuntu 12.04 machine. It has done it like the last 8 times I tried to run through all of those commands.
proxmark3> hf 15 dumpmemory
Reading memory from tag UID=E005100000AA6675
Tag Info: Infineon
Block 0 FF FF FF FF ....
Block 1 FF FF FF FF ....
Block 2 FF FF FF FF ....
Block 3 FF FF FF FF ....
Block 4 FF FF FF FF ....
Block 5 FF FF FF FF ....
Block 6 FF FF FF FF ....
Block 7 FF FF FF FF ....
Block 8 FF FF FF FF ....
Block 9 FF FF FF FF ....
Block 10 FF FF FF FF ....
Block 11 FF FF FF FF ....
Block 12 FF FF FF FF ....
Block 13 FF FF FF FF ....
Block 14 FF FF FF FF ....
Block 15 FF FF FF FF ....
Block 16 FF FF FF FF ....
Block 17 FF FF FF FF ....
Block 18 FF FF FF FF ....
Block 19 FF FF FF FF ....
Block 20 FF FF FF FF ....
Block 21 FF FF FF FF ....
Block 22 FF FF FF FF ....
Block 23 FF FF FF FF ....
Block 24 FF FF FF FF ....
Block 25 FF FF FF FF ....
Block 26 FF FF FF FF ....
Block 27 FF FF FF FF ....
Block 28 FF FF FF FF ....
Block 29 FF FF FF FF ....
Block 30 FF FF FF FF ....
Block 31 FF FF FF FF ....
Block 32 FF FF FF FF ....
proxmark3> hf 15 cmd readmulti -2 u 0 7
no answer
proxmark3> hf 15 cmd sysinfo -2 u
Sending bytes to proxmark failed
timeout: no answer
Offline
Maybe the tag uses proprietary commands to read blocks data, you must find a complete (full) and specific datasheet for the chip.
Offline
When running command it tells me this card does not support it
proxmark3> hf 15 cmd sysinfo -2 u
Tag returned Error 1: The command is not supported
But I can get inquiry to work
proxmark3> hf 15 cmd inquiry
UID=E005100000AA6675
Tag Info: Infineon
Offline
Well, the above memory area picture seems to be related to SRF 55V10P (HC) and not to SRF 55V10S (HC).
SRF 55V10S (HC) memory organization is written here; difference is more security "layers" in this last one. Without the proprietary command set you will not be able to read that card so you need to find a datasheet with them.
You can also try to sniff traffic with PM3. If you manage to sniff post results here.
The command to sniff is:
hf iclass snoop
(used with success with other ISO15693 tags - protocol and crc calculation are different but it should capture raw data/frames).
Last edited by asper (2013-11-06 00:08:22)
Offline
Using the iclass snoop I got it to return this:
proxmark3> hf iclass snoop
#db# COMMAND FINISHED
#db# 5 0 5
#db# 20 bbc 26
#db# 5 0 5
#db# 20 bbc 26
I can do it more if this isn't all of the information you need
Offline
Also I performed the command again but then also afterwards did the "hf iclass list"
proxmark3> hf iclass snoop
#db# COMMAND FINISHED
#db# 5 0 0
#db# 20 bc6 26
#db# 5 0 0
#db# 20 bc6 26
proxmark3> hf iclass list
recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
+ 0: 0: TAG bb! d4! bb! 0f! 0c! 00! 01 bb! !crc
+ 24031: 0: TAG bb! d4! bb! 08 00! 00! 02 bb! !crc
+ 24960: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 1336: : 12 a0 05 20 03 00 04 87 8e !crc
+ 9696: : 12 a0 05 b6 f5 fa fa 3a d2 13 f9 cb 0d 84 68 67 76 b6 18 bf ad !crc
+ 1757: 0: TAG 00 78 f0
+ 4033: : 12 a0 05 10 0e 00 fd 1d 04 f0 21 d7 !crc
+ 862: 0: TAG 00 10 01 01 82 c0 00 7e 18 02 20 3c 30 b4 54 !crc
+ 47308: : 0a
+ 16180: : 26 01 00 f6 0a !crc
+ 93: 0: TAG 00 00 75 66 aa 00 00 10 05 e0 c7 35 !crc
+ 2038: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 94: 0: TAG 00 78 f0
+ 21153: : 26 01 00 f6 0a !crc
+ 93: 0: TAG 00! 00! 75 bb! 33! bb! 00! 0f! 00 04! bb! !crc
+ 615: 0: TAG bb! d4! bb! 08 00! 0f! 08 bb! !crc
+ 36: 0: TAG bb! d4! bb! 08 0f! 08 08 bb! !crc
+ 36: 0: TAG bb! d4! bb! 08 00! 0f! 08 bb! !crc
+ 36: 0: TAG bb! d4! bb! 00! 0f! 0f! f0! c6! !crc
Offline
I also believe that the door I "snooped" on I do not have access to get through. Does that make a difference?
Offline
Well:
20 01 00 = inquiry command (last omitted 2bytes should be ISO15693 crc)
22 25 75 66 aa 00 00 10 05 e0 = tag answer with its UID (bytes in reverse order)
12 a0 05 20 03 00 04 = ???
12 a0 05 [b6 f5 fa fa 3a d2 13 f9 cb 0d 84 68 67 76 b6 18] = probably 16 bytes answer to the above command
it seems that command "12 0A" or better "12 0A 05" is doing something... maybe it is a "read block 05" ? No, probably not, because each block is 8bytes and not 16... so maybe it is the authentication sequence...
1 - Try to send the inquiry command first and then send that "raw command" (12 0A or 12 05 05).
2 - Also try to snoop the same activity and look if bytes of 12 0A command (and respective answers) are always the same or they change.
3 - Try to snoop both a door where you can access and where you cannot access... we need more commands log !
EDIT
Clarification: the command should be A0 (starting from A0 to DF are "Custom" commands - for example "inquiry" command is 01 and not 20).
Last edited by asper (2013-11-06 19:57:51)
Offline
Part #1:
proxmark3> hf 15 cmd inquiry
UID=E005100000AA6675
Tag Info: Infineon
proxmark3> hf 15 cmd raw 12 05 05
received 0 octets
proxmark3> hf 15 cmd raw 12 0A
received 0 octets
I'll do the next parts now
Offline
First snoop is a door I have access to. Second snoop is a door I don't have access to
proxmark3> hf iclass snoop
#db# COMMAND FINISHED
#db# 5 0 5
#db# 20 bbd 26
#db# 5 0 5
#db# 20 bbd 26
proxmark3> hf iclass snoop
#db# COMMAND FINISHED
#db# 5 0 c
#db# 20 bbc 22
#db# 5 0 c
#db# 20 bbc 22
Offline
I just ran the list command twice and on the second run I got all of this output...... This includes a door I don't have access to.
proxmark3> hf iclass list
recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
+ 0: 0: TAG bb! 33! bb! 00! 00! 00! 04 bb! !crc
+ 23384: 0: TAG bb! d4! bb! 00! 00! 00! 04 bb! !crc
+ 1559: : 26 01 00 f6 0a !crc
+ 24022: : 26 01 00 f6 0a !crc
+ 95: 0: TAG bb! d4! bb! 0f! 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 00! 0f! 04 bb! !crc
+ 40: 0: TAG bb! 03! bb! 0f! 0f! 0e 04 bb! !crc
+ 120: 0: TAG bb! 03! bb! 0f! 0f! 0e 04 bb! !crc
+ 48: 0: TAG ff! ff! bb! 33! bb! 00! 01 0e 04! bb !crc
+ 1701: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 95: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 0f! 0f! 04 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 40: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 00! 00! 04 bb! !crc
+ 1025: : 12 a0 05 20 03 00 04 87 8e !crc
+ 479: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 0f! 0e 04 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0e 01 0f! 04 bb! !crc
+ 40: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 40: 0: TAG bb! 03! bb! 0f! 0f! 0f! 04 bb! !crc
+ 48: 0: TAG bb! 03! bb! 0f! 0f! 0f! 04 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 01 0f! 04 bb! !crc
+ 40: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 0f! 0e 04 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 0f! 0e 04 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0f! 0f! 0f! 04 bb! !crc
+ 40: 0: TAG bb! d4! bb! 0f! 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 01 0f! 04 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 0f! 0f! 04 bb! !crc
+ 56: 0: TAG bb! d4! bb! 0e 01 0f! 04 bb! !crc
+ 56: 0: TAG 0e
+ 8149: : 12 a0 05 99 f5 fa fa 7e fd b4 da 28 9d 3c b6 d4 a7 c0 9b 26 1c !crc
+ 5788: : 12 a0 05 10 0e 00 e7 69 85 36 b9 1d !crc
+ 64352: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 95: 0: TAG bb! d4! bb! 0f! 0f! 0d 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0d 0f! 0d 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0d 0f! 0d 04 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 0d 0f! 04 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0d 0f! 0d 04 bb! !crc
+ 40: 0: TAG bb! d4! bb! 0f! 0d 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0c! 00! 00! 04 bb! !crc
+ 20924: : 26 01 00 f6 0a !crc
+ 94: 0: TAG 00! bb! 33! bb! 00! 00! 00! 01 bb !crc
+ 2037: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21872: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21234: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21871: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21235: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 94: 0: TAG bb! 33! bb! 00! 00! 00! 02 bb! !crc
+ 21776: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21236: : 26 01 00 f6 0a !crc
+ 2131: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21871: : 26 01 00 f6 0a !crc
+ 94: 0: TAG 00! bb! 33! bb! 00! 00! 00! 02 bb !crc
+ 2038: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21234: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21872: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 313: 0: TAG bb! 33! bb! 00! 00! 00! 01 bb! !crc
+ 20921: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 314: 0: TAG bb! 33! bb! 00! 00! 00! 02 bb! !crc
+ 21556: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 95: 0: TAG 00! bb! 33! bb! 00! 00! 00! 04 bb !crc
+ 21141: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21866: : 26 01 00 f6 0a !crc
+ 94: 0: TAG bb! 33! bb! 00! 00! 00! 02 bb! !crc
+ 796: 0: TAG bb! 33! bb! 00! 00! 00! 02 bb! !crc
+ 1242: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21234: : 26 01 00 f6 0a !crc
+ 97: 0: TAG bb! d4! bb! 0f! 0f! 00! 01 bb! !crc
+ 2035: : 22 25 75 3e b0 33 61 3f 7f 00 00 1b !crc
+-1984691: : 31 61 3f 7f 00 00 a6 1e 00 eb 09 00 00 0c 00 00 00 00 aa 00 00 10 1f 00 00 00 69 f9 1e 00 9c e5 44 00 00 00 00 00 f6 0a bd 01 1f 00 eb 09 00 00 00 00 25 !crc
+11167349: : 44 b0 44 9b f9 5d 3f 7f 00 00 26 01 00 f6 0a 04 5d 1f 00 eb 09 00 00 0c 22 25 75 66 aa !crc
Last edited by bad biddy (2013-11-06 20:38:24)
Offline
I restarted proxmark to gather new fresh information:
Another snoop on a door I don't have access to:
proxmark3> hf iclass snoop
#db# COMMAND FINISHED
#db# 5 0 0
#db# 20 bc1 26
#db# 5 0 0
#db# 20 bc1 26
List output after that:
proxmark3> hf iclass list
recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
+ 0: : 26 01 00 f6 0a !crc
+ 94: 0: TAG bb! d4! bb! 0f! 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 00! 0f! 04 bb! !crc
+ 40: 0: TAG bb! 03! bb! 0f! 0f! 0e 04 bb! !crc
+ 56: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 0f! 0e 04 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 40: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0e 0f! 0e 04 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 00! 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0e 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0e 0f! 0e 04 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0e 00! 00! 04 bb! !crc
+ 1245: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 95: 0: TAG bb! d4! bb! 0f! 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 0e 0f! 04 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0e 0f! 0e 04 bb! !crc
+ 40: 0: TAG bb! d4! bb! 0f! 0e 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0e 00! 00! 04 bb! !crc
+ 1025: : 12 a0 05 20 03 00 04 87 8e !crc
+ 9680: : 12 a0 05 96 f5 fa fa a1 55 d0 9d f1 bb ed aa 4a e5 38 97 1c 7f !crc
+ 1759: 0: TAG 00 78 f0
+ 4001: : 12 a0 05 10 0e 00 42 2b 2f 7d 45 cc !crc
+ 861: 0: TAG 00 10 01 01 82 c0 00 7e 18 21 03 14 5c ec 56 !crc
+ 63491: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21235: : 26 01 00 f6 0a !crc
+ 94: 0: TAG bb! d4! bb! 0b 0f! 0f! 01 bb! !crc
+ 35: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 08 03! 0f! 02 bb! !crc
+ 37: 0: TAG bb! 03! bb! 0b 0f! 0f! 01 bb! !crc
+ 56: 0: TAG bb! d4! bb! 0f! 0b 0f! 01 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 0b 0f! 01 bb! !crc
+ 32: 0: TAG bb! 03! bb! 03! 0f! 0f! 01 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0f! 0b 0f! 01 bb! !crc
+ 35: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 37: 0: TAG bb! d4! bb! 0f! 0b 0f! 01 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 0b 0f! 01 bb! !crc
+ 51: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 08 03! 0f! 02 bb! !crc
+ 36: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 36: 0: TAG bb! d4! bb! 08 03! 0f! 02 bb! !crc
+ 36: 0: TAG bb! 03! bb! 03! 0f! 0b 02 bb! !crc
+ 52: 0: TAG bb! d4! bb! 0b 0f! 0f! 02 bb! !crc
+ 1259: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 94: 0: TAG bb! d4! bb! 0b 0f! 0f! 01 bb! !crc
+ 35: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 45: 0: TAG bb! d4! bb! 0b 0f! 0b 01 bb! !crc
+ 35: 0: TAG bb! d4! bb! 0b 0f! 0b 02 bb! !crc
+ 37: 0: TAG bb! d4! bb! 0b 0f! 0b 01 bb! !crc
+ 35: 0: TAG bb! d4! bb! 08 00! 00! 02 bb! !crc
+ 21558: : 26 01 00 f6 0a !crc
+ 94: 0: TAG bb! d4! bb! 07 0f! 0f! 02 bb! !crc
+ 31: 0: TAG bb! d4! bb! 0f! 07 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 07 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 07 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 00! 07 04 bb! !crc
+ 41: 0: TAG bb! 03! bb! 07 0f! 0f! 02 bb! !crc
+ 56: 0: TAG bb! d4! bb! 0f! 07 0f! 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 07 0f! 02 bb! !crc
+ 32: 0: TAG bb! 03! bb! 07 0f! 0f! 02 bb! !crc
+ 48: 0: TAG bb! d4! bb! 0f! 07 0f! 02 bb! !crc
+ 31: 0: TAG bb! d4! bb! 0f! 07 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 07 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 07 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 07 0f! 04 bb! !crc
+ 41: 0: TAG bb! d4! bb! 0f! 07 0f! 02 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 07 0f! 02 bb! !crc
+ 47: 0: TAG bb! d4! bb! 0f! 07 0f! 04 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 00! 07 04 bb! !crc
+ 33: 0: TAG bb! d4! bb! 07 0f! 07 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 0f! 07 0f! 02 bb! !crc
+ 32: 0: TAG bb! d4! bb! 07 0f! 0f! 02 bb! !crc
+ 32: 0: TAG bb! 03! bb! 0f! 07 0f! 02 bb! !crc
+ 47: 0: TAG bb! d4! bb! 0f! 00! 00! 04 bb! !crc
+ 1247: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21234: : 26 01 00 f6 0a !crc
+ 2132: : 22 25 75 66 aa 00 00 10 05 e0 1d 44 !crc
+ 21872: : 26 01 00 f6 0a !crc
+ 93: 0: TAG 0f
Offline
The command after inquiry is 12 0A 05, I wrote it wrong in my post, sorry. Try also to send the same sniffed command (remember to enable/disable crc with raw commands).
Offline
Here is the command again--- I got some weird symbol at the end as well.
proxmark3> hf 15 cmd inquiry
UID=E005100000AA6675
Tag Info: Infineon
proxmark3> hf 15 cmd raw 12 0A 05
received 0 octets
$h
Offline
I was messing around with the raw commands:
proxmark3> hf 15 cmd inquiry
UID=E005100000AA6675
Tag Info: Infineon
proxmark3> hf 15 cmd raw -c 12 0A 05
received 4 octets
01 01 16 07
Offline
Yes last one is an answer! If you send it again is it the same? Try to resend with raw the same bytes as appeared in the sniffed log 12 0A 05 ....... (with crc if you omit last 2 bytes).
Offline
Yeah I get the same response
proxmark3> hf 15 cmd raw -c 12 0A 05
received 4 octets
01 01 16 07
Offline
Try to send also the other bytes after 05...
Offline
I think I tried what you're asking here:
proxmark3> hf 15 cmd inquiry
#db# SEND
#db# &.... 26 01 00 f6 0a
#db# RECV
#db# NoErr CrcOK
#db# ..uf.... 00 00 75 66 aa 00 00 10
#db# ...5 05 e0 c7 35
UID=E005100000AA6675
Tag Info: Infineon
proxmark3> hf 15 cmd raw -c 12 a0 05 20 03 00 04
#db# SEND
#db# ... .... 12 a0 05 20 03 00 04 87
#db# . 8e
#db# RECV
received 0 octets
proxmark3> hf 15 cmd raw -c 12 a0 05 20 03 00 04 87
#db# SEND
#db# ... .... 12 a0 05 20 03 00 04 87
#db# .. f6 f0
#db# RECV
received 0 octets
Offline
So the card must be selected before sending the A0 command; send the following raw commands in sequence (use the -c option to auto-calculate crc):
26 01 00 <-- inquiry
22 25 75 66 aa 00 00 10 05 e0 <-- select [25] card using its UID
then try to send:
12 A0 05 and log the answer
now repeat the above but substitute 12 A0 05 with 12 a0 05 20 03 00 04, and then send:
12 a0 05 96 f5 fa fa a1 55 d0 9d f1 bb ed aa 4a e5 38 97
tag should answer 00 (or gives an error if the last byte sequence is generated in an unknown way).
Probably the reader is trying to authenticate using the static value 20 03 00 04 (password? start of challenge/response?) and then send a sequence of unknown bytes to the card waiting a correct answer.
Offline
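Added example (not part of the original thread, and not Proxmark code): a Python decoder that reads three reader frames from the trace posted above as ISO 15693 requests, recomputes the ISO 15693 CRC on frames that `hf iclass list` marks `!crc`, and restores the UID byte order. The function names and the subset of command codes are choices made for this example.

```python
# Added example (not from the thread): decode reader frames from the posted
# `hf iclass list` trace as ISO/IEC 15693 requests and re-check their CRC.

def crc15693(data: bytes) -> bytes:
    """CRC-16 used by ISO/IEC 15693: reflected polynomial 0x8408, preset
    0xFFFF, result inverted and transmitted least significant byte first."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    crc ^= 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

# Standard request codes from ISO/IEC 15693-3 (subset chosen for this example).
STANDARD = {0x01: "INVENTORY", 0x20: "READ_SINGLE_BLOCK",
            0x23: "READ_MULTIPLE_BLOCKS", 0x25: "SELECT",
            0x2B: "GET_SYSTEM_INFO"}
# Manufacturer code as the page reports it for UID E005... ("Tag Info: Infineon").
MANUFACTURERS = {0x05: "Infineon"}

def flag_names(flags: int) -> list:
    """Bits 0x10 and 0x20 change meaning with the inventory flag (0x04)."""
    names = ["high_rate" if flags & 0x02 else "low_rate"]
    if flags & 0x04:
        names.append("inventory")
        names.append("1_slot" if flags & 0x20 else "16_slots")
    else:
        if flags & 0x10:
            names.append("select")
        if flags & 0x20:
            names.append("addressed")
    return names

def decode_request(hex_frame: str) -> dict:
    raw = bytes.fromhex(hex_frame)
    if len(raw) < 4:
        raise ValueError("need flags, command and two CRC bytes")
    body, crc = raw[:-2], raw[-2:]
    flags, cmd, rest = body[0], body[1], body[2:]
    out = {"crc_ok": crc15693(body) == crc, "flags": flag_names(flags)}
    if 0xA0 <= cmd <= 0xDF:
        # Custom range: the IC manufacturer code follows the command byte.
        if not rest:
            raise ValueError("custom command without manufacturer code")
        out["cmd"] = "CUSTOM_%02X" % cmd
        out["mfg"] = MANUFACTURERS.get(rest[0], "0x%02X" % rest[0])
        rest = rest[1:]
    else:
        out["cmd"] = STANDARD.get(cmd, "0x%02X" % cmd)
    if not flags & 0x04 and flags & 0x20:
        # Addressed mode: the 8-byte UID follows, least significant byte first.
        out["uid"] = rest[:8][::-1].hex().upper()
        rest = rest[8:]
    out["data"] = rest.hex()
    return out

# Reader-to-tag frames copied from the trace posted in the thread.
TRACE = ["26 01 00 f6 0a",
         "22 25 75 66 aa 00 00 10 05 e0 1d 44",
         "12 a0 05 20 03 00 04 87 8e"]

if __name__ == "__main__":
    for frame in TRACE:
        print(frame, "->", decode_request(frame))
```

The first byte of each frame is the request flags byte and the second is the command code, which is why the frames start with 26, 22 and 12 rather than with the command itself.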