project:freakcard:start

Differences

This shows you the differences between two versions of the page.

project:freakcard:start [2018/11/15 21:23] – Magic NTAG21x + Magic Ultralight C abyssal
project:freakcard:start [2019/11/05 22:54] – [High Frequency (HF) card] Magic Desfire abyssal
Line 32: Line 32:
  
 There is also a library available for PC/SC readers that supports many kinds of cards, but you need specific reader for each separate card - https://github.com/islog/liblogicalaccess/wiki There is also a library available for PC/SC readers that supports many kinds of cards, but you need specific reader for each separate card - https://github.com/islog/liblogicalaccess/wiki
 +
 +======= Proxmark new versions - RDV4, EVO and pack with PN532 reader with Chameleon mini =======
 +
 +There are new versions of Proxmark, which are more compact, see the comparison table in the links at the bottom of the page
 +
 +  * https://lab401.com/collections/hardware/products/proxmark-3-rdv4
 +  * https://lab401.com/collections/hardware/products/proxmark-3-evo
 +  * https://lab401.com/collections/hardware/products/rfid-pentester-pack?variant=12470762307695 (has Proxmark + Chameleon + PN532 reader)
 +  * https://lab401.com/products/chameleon-mini-reve-rebooted
 +  * https://lab401.com/collections/hardware/products/usb-rfid-reader-writer-scl-3711
 +
 +======= PN532-based readers =======
 +
 +PN532 based readers:
 +
 +  * https://www.acs.com.hk/en/products/3/acr122u-usb-nfc-reader/
 +  * https://www.acs.com.hk/en/products/109/acr122t-usb-tokens-nfc-reader/
 +  * https://www.adafruit.com/product/789 - there are two board versions, one as Arduino shield, other has different pinout, but are in essence the same
 +  * [[http://nfc-tools.org/index.php/Devices_compatibility_matrix | compatibility matrix with libnfc]]
 +
 +======= Software for PN532 readers =======
 +
 +  * https://github.com/nfc-tools/libnfc
 +  * https://github.com/nfc-tools/libfreefare
 +  * [[https://github.com/KaiQ/dat | Desfire Access Tool]] - there is ''v2.0'' branch with new stuff and rewrite
 ====== Decision tree. ====== ====== Decision tree. ======
  
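Review bot: The three added section headings use seven `=` signs (for example `======= PN532-based readers =======`) while the existing heading right after them is `====== Decision tree. ======` with six; use the page's existing heading levels so the new sections nest where intended. The sentence "see the comparison table in the links at the bottom of the page" should link or name that table directly, the line "PN532 based readers:" only repeats its own heading, and a blank line is missing between the last software bullet and the Decision tree heading.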
Line 284: Line 309:
 Ultralight EV1 and NTAG2/1 can be [[https://lab401.com/blogs/academy/magic-ntag-21x-getting-started | copied onto Magic NTAG21x]] with proxmark. Ultralight EV1 and NTAG2/1 can be [[https://lab401.com/blogs/academy/magic-ntag-21x-getting-started | copied onto Magic NTAG21x]] with proxmark.
  
-== Magic NTAG2x and magic Ultralight C ==+== Magic NTAG2xmagic Ultralight C and magic Desfire ==
  
 [[http://proxmark3.tictail.com/ | IceSql]] sells "magic" cards to simulate NTAG2/NTAG1, Ultralight EV1 and others. [[http://proxmark3.tictail.com/ | IceSql]] sells "magic" cards to simulate NTAG2/NTAG1, Ultralight EV1 and others.
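Review bot: The renamed heading now announces magic Desfire, but the hunk at Line 356 also adds a separate `== Magic Desfire ==` section, so the topic gets two headings; either keep the original heading here or drop the new subsection heading. As shown here the new heading also reads `NTAG2xmagic`, with no separator between the two card names.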
Line 331: Line 356:
  
  3des key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00             3des key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
 +</code>
 +
 +This shop sells [[https://www.rfxsecure.com/product/gen2-uid-changeable-fobs-1k-mf-4k-mf-ul-ul-c-df-ntag21x/ | lot of different changeable UID cards and keyfobs, 4-byte and 7-byte, including UID changeable Desfire]]/
 +
 +== Magic Desfire ==
 +
 +The "magic Desfire" is far from real Desfire, e.g.
 +
 +  * writing NDEF file seems to succeed, but read fails, you get just zeros
 +  * libfreefare segfaults with the magic Desfire
 +  * any SELECT APDU is responded to with OK, but there are no real applications
 +
 +In short, waste of money.
 +
 +Setting UID on magic Desfire with Proxmark:
 +
 +<code>
 +hf 14a raw -s -c 02 00 ab 00 00 07 UID
 </code> </code>
  
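Review bot: The added command `hf 14a raw -s -c 02 00 ab 00 00 07 UID` leaves `UID` unexplained; state that it is a placeholder, the byte count and format expected, and which Proxmark client version the syntax was tested against. The shop link sentence ends with a stray `/` after `]]`, and each of the three findings in the Magic Desfire list would be easier to verify if it named the tool and version that produced it.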
Line 396: Line 439:
  
 AFAIK there are no "Chinese backdoored clones" that would allow changing of UID. AFAIK there are no "Chinese backdoored clones" that would allow changing of UID.
 +
 +
  
  
Line 496: Line 541:
 Usage around: building access system Usage around: building access system
  
-This information pertains to model Paradox C704. Full decoding in proxmark is not implemented, but the modulation is Fc/8/10 FSK, thus raw data transmitted by the tag can be read with:+This information pertains to model Paradox C704. Full decoding in proxmark is implemented, in the latest git version. The modulation is Fc/8/10 FSK, thus raw data transmitted by the tag can be read with:
  
 <code> <code>
 proxmark3> lf read proxmark3> lf read
 proxmark3> data samples 40000 proxmark3> data samples 40000
-proxmark3> data fskdemod+loaded 40000 samples           
 +proxmark3> data plot 
 +proxmark3> lf paradox demod 
 +Paradox TAG ID: 000328176 (Full ID: 0ca05dadf) - FC: 50 - Card: 33142 - Checksum: b7 - RAW: 0f555555a5995566a699a6aa          
 </code> </code>
  
 Emulate: Emulate:
  
-Not implemented in proxmark code, but the HID Prox emulation is very similar. Code in CmdHIDsimTAG() function of armsrc/lfops.c can be modified to transmit Paradox code. Frame marker needs to be modified to use 0x1F instead of 0x1D. The bits after frame marker do not seem to employ Manchester encoding.+Latest proxmark code has clone Paradox to T5577 command. Iceman's fork has emulation. 
 + 
 +<code> 
 +pm3 --> lf paradox sim 50 33142 
 +Simulating Paradox - Facility Code: 50, CardNumber: 33142 
 +</code
  
 === T55x7 universal emulation card === === T55x7 universal emulation card ===
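Review bot: The new Emulate text says the latest Proxmark code has a clone-Paradox-to-T5577 command, but the added block shows only `lf paradox sim 50 33142`; add the clone command or reword the sentence so it matches what is documented. "Latest git version" should be pinned to a release or commit, and since the read block uses the `proxmark3>` prompt while the sim block uses `pm3 -->`, say which fork each block comes from. The closing tag of the added block appears here as `</code` without `>`, and the removed note about the frame marker (0x1F instead of 0x1D) was the only protocol detail in this section, so consider keeping it.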
project/freakcard/start.txt · Last modified: 2021/06/05 17:28 by abyssal