Playing with a Proxmark3 / 2023-06-02

It's been a while since I played with RFID technology, but recently some news around LF cards has made me interested again. The proxmark3 is the best device for going deep with RFID technology, so I considered buying one.

Reading various sources about the availability of proxmark3 hardware taught me that the latest and greatest version (currently Proxmark3 RDV4) does not have a lot of advantages over the previous version (RDV3), which is available at seriously lower prices from several webshops. So I ordered one using AliExpress and the wait started.

Today the proxmark3 came in. I built the software for Linux using the guide at proxmark3 Linux Installation Instructions where I noticed I had to add packages libbz2-dev and gcc-arm-none-eabi by hand to get things to compile/build correctly.

After doing the firmware upgrade dance I started testing and looking around. The proxmark3 detects 125 kHz (LF) and 13.56 MHz (HF) cards fine. With the order came a blank card which is both a 13.56 MHz Mifare 1K with changeable UID and a 125 kHz T5577. There were also two small keyring tags, a Mifare 1K and a Mifare 4K.

First attempts

The proxmark3 shows information for all the cards I tried. To my surprise the ski pass from our last ski trip to Austria was an HF-only card; I thought ski passes used 125 kHz technology so they could be read through jackets or other layers more easily. It's an ISO 15693 tag and I can access all data easily.

[usb] pm3 --> hf search 
 🕗  Searching for ISO15693 tag...            
[+]  UID: E0 16 24 66 09 99 B3 70
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102

[+] Valid ISO 15693 tag found
[usb] pm3 --> hf 15 info

[+]  UID: E0 16 24 66 09 99 B3 70
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+] Using UID... E0 16 24 66 09 99 B3 70

[=] --- Tag Information ---------------------------
[=] -------------------------------------------------------------
[+]       TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+]        UID: E0 16 24 66 09 99 B3 70
[+]    SYSINFO: 00 0F 70 B3 99 09 66 24 16 E0 02 00 33 03 02 
[+]      - DSFID supported        [0x02]
[+]      - AFI   supported        [0x00]
[+]      - IC reference supported [0x02]
[+]      - Tag provides info on memory layout (vendor dependent)
[+]            4 (or 3) bytes/blocks x 52 blocks

As all the tag readers in that ski area are on-line anyway, I guess the card is just a big serial number and all the checking whether the user isn't trying to do something that wasn't paid for is done in central computers.
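
The SYSINFO line in the output above can be decoded by hand. This is an added example, not part of the original post or of the proxmark3 client: it parses those bytes following the ISO 15693-3 Get System Information response layout, and the names parse_sysinfo and SysInfo are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# SYSINFO bytes copied from the `hf 15 info` output above (no CRC included).
SYSINFO_HEX = "00 0F 70 B3 99 09 66 24 16 E0 02 00 33 03 02"

@dataclass
class SysInfo:  # hypothetical container, not a proxmark3 type
    uid: str
    dsfid: Optional[int] = None
    afi: Optional[int] = None
    num_blocks: Optional[int] = None
    block_size: Optional[int] = None
    ic_ref: Optional[int] = None

def parse_sysinfo(raw: bytes) -> SysInfo:
    """Decode a Get System Information response without its trailing CRC."""
    if len(raw) < 2:
        raise ValueError("response too short")
    if raw[0] & 0x01:  # response flags, bit 0 set: error, next byte is the code
        raise ValueError(f"tag returned error code 0x{raw[1]:02X}")
    if len(raw) < 10:
        raise ValueError("response too short for info flags + UID")
    info_flags = raw[1]
    # The UID travels least significant byte first; reverse it for display.
    info = SysInfo(uid=raw[2:10][::-1].hex(" ").upper())
    pos = 10

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(raw):
            raise ValueError("info flags announce a field that is missing")
        chunk = raw[pos:pos + n]
        pos += n
        return chunk

    # Optional fields appear in this fixed order, each gated by one flag bit.
    if info_flags & 0x01:
        info.dsfid = take(1)[0]
    if info_flags & 0x02:
        info.afi = take(1)[0]
    if info_flags & 0x04:
        mem = take(2)
        info.num_blocks = mem[0] + 1             # stored as count - 1
        info.block_size = (mem[1] & 0x1F) + 1    # low 5 bits, stored as size - 1
    if info_flags & 0x08:
        info.ic_ref = take(1)[0]
    return info

if __name__ == "__main__":
    print(parse_sysinfo(bytes.fromhex(SYSINFO_HEX)))
```

The decoded values match what the client printed: 52 blocks of 4 bytes, DSFID 0x02, AFI 0x00 and IC reference 0x02.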

First error

While trying to clone an LF card into the T5577 I managed to make the T5577 card end up in a weird state: it now only returns 0x0000 or 0xFFFF patterns on read depending on the communication configuration.
