I tried MasterCards, Visas, bank cards, my HID Class card again - nothing.
Payment cards are a special situation with iPhone. They block access to those payment applications on the cards and only let Apple Pay use those application identifiers. You got to find something that’s a standard NFC tag that complies with NFC forum type specifications.
Ahhh, I thought that they just didn't read NDEF on Mifare Classic, but otherwise worked
I’ll shut up now and just watch from the corner
Also to clarify, they can read ISO 15693 chips if they are formatted for NFC type 5.
absolutely i was rushing to make the distinction that the iclass mifare cards have two hf heh
OK Gents, thanks for your patience with me! Please stay with me as I try to figure this out. I’ve read a lot of posts but still can’t figure out what exactly I need to do and what commands.
To date, all I did was copy the HID 125MHz info on to a blue pastiche tag but that does not work. Here are some screenshots I recently took:
But if I keep moving the card around a bit, the LF SEARCH finds an EM4X05 chip. Do I need to copy this info on another blue tag?
Not really sure what all this LF EM 4X05INFO and 4X05DUMP information means:
Oh yah, the HW VERSION info that likely tells you I’m running ancient software. Not sure how I update any of this.
So, where does this leave me? Who knows!
An HF SEARCH just crashes my Proxmark:
Any recommendations what I do next would be much appreciated. I’m using Windows 10. Please link any specific guides if available.
Thanks again for your patience! I will buy a new Proxmark some day but am hoping my Proxmark3 Easy can handle this task.
You look like you might need to do an update
Then you’ll at least be singing off the same song sheet, so fault finding should be easier
And these 7 commands above will magically find/get the new files somewhere?
Well done not just putting commands into your computer from a rando on the internet
But then asking the same person if the answer they originally gave was the truth…
Here’s a riddle for you:
Imagine you are a prisoner, you stand in a room and in front of you are 2 prison guards and 2 doors, one door leads to freedom, the other the electric chair, YOU don't know which one is which…
One of the guards always tells the truth and the other always lies YOU don’t know which one is which, HOWEVER both guards know each other.
You have to choose a door, and you may only ask one question of only one guard.
What question do you ask to gain your freedom?
Ha ha! What I meant was I see tonnes of forums using “git pull” commands followed by a specific website. I am not sure how this “git pull” can get all the update info I likely require.
means github pull.
pulling the information from the repository, to bring down any changes that were made in between the original time you git cloned (repo link) or made your last git pull.
this is a common way of downloading updates.
if this worries you for some reason, you can git checkout -v (release version) to set your branch to the release and compile from there
OK, that makes sense now. Thanks a million Equipter!
Before I update my software and firmware (and possibly brick my old Proxmark3 Easy), I am going to try something different.
I am going to try to clone the HID component of the card to a T5577 (already done) and also clone the EM4x05 chip component to another T5577. I just started a new thread for that. If I can do that, I’ll try and see what happens when I bring both cloned T5577 chips (HID and EM4x05) to the original reader.
OK, I updated everything (software, firmware, bootloader, full image) as per the Getting started with the proxmark3 easy instructions.
I followed the README.MD instructions for Proxmark3 Easy with 256kb.
Strangely, I can no longer do any LF SEARCH commands - this is what happens:
[usb] pm3 → hw version
[ Proxmark3 RFID instrument ]
[ CLIENT ]
Iceman/master/v4.16717-103-g5f8cd5cac 2023-07-14 22:36:05 cdf68ab2f
compiled with… MinGW-w64 10.3.0
platform… Windows (64b) / x86_64
Readline support… present
QT GUI support… present
native BT support… absent
Python script support… present
Lua SWIG support… present
Python SWIG support… present
[ ARM ]
bootrom: Iceman/master/v4.16717-103-g5f8cd5cac 2023-07-14 22:34:59 cdf68ab2f
os: Iceman/master/v4.16717-103-g5f8cd5cac 2023-07-14 22:35:14 cdf68ab2f
compiled with GCC 10.1.0
[ FPGA ]
fpga_pm3_lf.ncd image 2s30vq100 2023-07-12 16:12:04
fpga_pm3_hf.ncd image 2s30vq100 2023-07-12 16:12:14
fpga_pm3_felica.ncd image 2s30vq100 2023-07-12 16:12:34
fpga_pm3_hf_15.ncd image 2s30vq100 2023-07-12 16:12:24
[ Hardware ]
–= uC: AT91SAM7S256 Rev D
–= Embedded Processor: ARM7TDMI
–= Internal SRAM size: 64K bytes
–= Architecture identifier: AT91SAM7Sxx Series
–= Embedded flash memory 256K bytes ( 97% used )
Does anyone know what's going on with my build or Proxmark3 Easy hardware?
HOWEVER … it looks like my HF SEARCH commands do work - this is what I get:
[usb] pm3 → hf iclass info
[=] --------------------- Tag Information ----------------------
[+] CSN: 0D 40 FC 14 FE FF 12 E0 uid
[+] Config: 12 FF FF FF 7F 1F FF 3C card configuration
[+] E-purse: DE FF FF FF FF FF FF FF Card challenge, CC
[+] Kd: 00 00 00 00 00 00 00 00 debit key ( hidden )
[+] Kc: 00 00 00 00 00 00 00 00 credit key ( hidden )
[+] AIA: FF FF FF FF FF FF FF FF application issuer area
[=] -------------------- card configuration --------------------
[=] Raw: 12 FF FF FF 7F 1F FF 3C
[=] 12… app limit
[=] FFFF ( 65535 )… OTP
[=] FF… block write lock
[=] 7F… chip
[=] 1F… mem
[=] FF… EAS
[=] 3C fuses
[+] mode… Application (locked)
[+] coding… ISO 14443-2 B / 15693
[+] crypt… Secured page, keys not locked
[=] RA… Read access not enabled
[=] PROD0/1… Default production fuses
[=] -------------------------- Memory --------------------------
[=] 2 KBits/2 App Areas ( 256 bytes )
[=] 1 books / 1 pages
[=] First book / first page configuration
[=] Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=] AA1 | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=] AA2 | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
[=] Read AA1… debit
[=] Write AA1… debit
[=] Read AA2… credit
[=] Write AA2… credit
[=] Debit… debit or credit
[=] Credit… credit
[=] ------------------------ Fingerprint -----------------------
[+] CSN… HID range
[+] Credential… iCLASS legacy
[+] Card type… PicoPass 2K
[usb] pm3 →
Does anyone know how I clone the HF part/chip within this card? I already copied the HID Prox to T5577 (although my LF SEARCH no longer works) but how do I decipher all this stuff from my HF SEARCH? What type of blank card/fob do I need to clone into?
Any info would be much appreciated!!!
I might be getting closer … this is what Amal’s post states:
Cloning an HID iClass credential to your flexClass (DT Info, amal, Aug '21)
Steps to clone an HID iClass legacy / standard credential
Put enrolled iClass credential on HF antenna of Proxmark3 100
hf ic dump --ki 0
hf ic wrbl --ki 0 -b 6 -d 030303030003E017
hf ic wrbl --ki 0 -b 7 -d 10A145919ED16F50
Here is what my "hf ic dump --ki 0" shows me:
[usb] pm3 → hf ic dump --ki 0
[+] Using AA1 (debit) key AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 255 (0xFF)
[=] --------------------------- Tag memory ----------------------------
[=] block# | data | ascii |lck| info
[=] 0/0x00 | 4A 4B 16 12 FF FF 12 E0 | JK… | | CSN
[=] 1/0x01 | 12 FF FF FF E9 7F FF 3C | …< | | Config
[=] 2/0x02 | FF FF FF FF 0D F9 FF FF | … | | E-purse
[=] 3/0x03 | E7 98 4A 3C D9 F9 22 C9 | …J<…". | | Debit
[=] 4/0x04 | FF FF FF FF FF FF FF FF | … | | Credit
[=] 5/0x05 | FF FF FF FF FF FF FF FF | … | | AIA
[=] 6/0x06 | 03 03 03 03 00 03 E0 17 | … | | User / Cred
[=] 7/0x07 | C2 68 67 D2 CD 83 78 F7 | .hg…x. | | User / Cred
[=] 8/0x08 | 2A D4 C8 21 1F 99 68 71 | *…!..hq | | User / Cred
[=] 9/0x09 | 2A D4 C8 21 1F 99 68 71 | *…!..hq | | User / Cred
[=] 10/0x0A | FF FF FF FF FF FF FF FF | … | | User
[=] 11/0x0B | FF FF FF FF FF FF FF FF | … | | User
[=] 12/0x0C | FF FF FF FF FF FF FF FF | … | | User
[=] 13/0x0D | FF FF FF FF FF FF FF FF | … | | User
[=] 14/0x0E | FF FF FF FF FF FF FF FF | … | | User
[=] 15/0x0F | FF FF FF FF FF FF FF FF | … | | User
[=] 16/0x10 | FF FF FF FF FF FF FF FF | … | | User
[=] 17/0x11 | FF FF FF FF FF FF FF FF | … | | User
[=] 18/0x12 | FF FF FF FF FF FF FF FF | … | | User
[?] yellow = legacy credential
[+] saving dump file - 19 blocks read
[+] saved 152 bytes to binary file C:\ProxSpace\pm3/hf-iclass-4A4B1612FFFF12E0-dump-001.bin
[+] saved 19 blocks to text file C:\ProxSpace\pm3/hf-iclass-4A4B1612FFFF12E0-dump-001.eml
[+] saved to json file C:\ProxSpace\pm3/hf-iclass-4A4B1612FFFF12E0-dump-001.json
hf iclass decrypt -f to decrypt dump file
hf iclass view -f to view dump file
Does anyone have any ideas what I do next? Again, what type of blank card/fob do I need and where can I purchase them?
The messed up LF command makes me think something went haywire with the application image. I would do a pm3-flash-all again just to be sure?
in which you must have cut out the LF commands/other portions of the firmware to make it fit.
when you have a 256k board you can’t have the full firmware on it, it’s too small. what i recommend you do is make two Makefile.platform files corresponding to which flags you have skipped and use them interchangeably when you need that side of the proxmark
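Added example, not part of any post in this thread: one way to keep two build profiles side by side and swap them into `Makefile.platform`, reporting which `SKIP_*` components each leaves out. The profile file names (`Makefile.platform.hf`, `Makefile.platform.lf`), the function names and the profile contents are assumptions constructed for illustration; the flags are build options of the Proxmark3 firmware, and the rebuild commands are the ones quoted later in the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Profile names "hf" and "lf" are assumptions.

# Print the active (uncommented) SKIP_* flags of a Makefile.platform-style file.
list_skips() {
    grep -E '^[[:space:]]*SKIP_[A-Za-z0-9_]+=1' "$1" 2>/dev/null |
        sed -E 's/^[[:space:]]*//; s/=.*$//' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Make REPO/Makefile.platform.PROFILE the active REPO/Makefile.platform and
# print which components that profile leaves out of the firmware image.
use_profile() {
    repo=$1
    profile=$2
    src="$repo/Makefile.platform.$profile"
    dst="$repo/Makefile.platform"
    [ -f "$src" ] || { echo "missing profile: $src" >&2; return 1; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo "unchanged: $(list_skips "$dst")"
        return 0
    fi
    cp "$src" "$dst"
    echo "switched: $(list_skips "$dst")"
    # SKIP_* flags are compile-time: the device keeps its old image until reflashed.
    echo "rebuild and reflash: make clean && make -j8 all && ./pm3-flash-fullimage" >&2
}

# Constructed demo: a scratch directory stands in for the proxmark3 checkout.
demo() {
    scratch=$(mktemp -d)
    printf 'PLATFORM=PM3GENERIC\nSKIP_LF=1\nSKIP_HITAG=1\n#SKIP_ICLASS=1\n' \
        > "$scratch/Makefile.platform.hf"
    printf 'PLATFORM=PM3GENERIC\n#SKIP_LF=1\nSKIP_ICLASS=1\nSKIP_FELICA=1\n' \
        > "$scratch/Makefile.platform.lf"
    use_profile "$scratch" hf   # switched: SKIP_HITAG SKIP_LF
    use_profile "$scratch" lf   # switched: SKIP_FELICA SKIP_ICLASS
    rm -rf "$scratch"
}

demo
```

Swapping the file only changes what the next build contains; the board behaves differently only after that build has been flashed.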
Oh good eye on that!
Fine Gents amal & Equipter - much appreciated!
But I still have issues. The only way I could do the ./pm3-flash-fullimage is by uncommenting everything in the section as the Readme file suggested - see below.
I only now clued in that the SKIP_LF=1 must be taking out my LF functions.
So, if I am correct, my Proxmark Easy is pretty well out of memory space. What else can I delete that will allow me to bring back the LF functions? I don’t see anything else I can take out that allows me to #SKIP_LF=1
Also, if I did end up creating a new “Makefile.platform.WithLF” file, how do I switch back from the original Makefile.platform file and the new Makefile.platform.WithLF file without doing all the commands again (make clean && make -j8 all + ./pm3-flash-bootrom +./pm3-flash-fullimage) before running pm3?
I may have missed something and/or not understand something so any input would be much appreciated! I appreciate your patience with this newbie!
Nevermind … I figured it out!
|Definitions||Rough estimation of the saved space|
This is what I used for my setup: