ok a few things…
- proxmark3 sniffing doesn’t always catch the entire conversation as I’m learning… on my first test, it totally missed the part where the password was actually updated… but it did work… changed back to FF FF FF FF and I can auth against it.
- tagwriter also changes auth0 to 04 … without asking… boo.
- tagwriter password functions are vastly different from the last time I’ve ever even looked at them. It wants hex now, which it did not before… we actually modeled our ascii input field on TagWriter, thinking it would be basically the same… but now it’s expecting hex data… so it looks like I have to update my thinking and my rally cry as well when it comes to tagwriter… and now I suppose I’ll have to look at NFC Tools again too… maybe everyone came to their senses and just moved to hex and did away with all this transform nonsense… maybe there is a possibility of being compatible now… I can definitely see a need to update DNFC to just go with hex now for the password setting.
- I ran a few tests on a few tags and all results were the same, so I will just outline one “session” here. This is me using NFC Shell to set the password to 41 42 43 44;
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
1364368 | 1374832 | Rdr |93 70 88 04 03 2a a5 85 b8 | ok | SELECT_UID
1376068 | 1379588 | Tag |04 da 17 | |
1387664 | 1398192 | Rdr |95 70 72 d5 38 81 1e 82 38 | ok | SELECT_UID-2
1399380 | 1402964 | Tag |00 fe 51 | |
2072576 | 2081888 | Rdr |a2 e5 41 42 43 44 79 63 | ok | WRITEBLOCK(229) (?)
2083140 | 2083780 | Tag |00! | |
2140512 | 2145280 | Rdr |50 00 57 cd | ok | HALT
2246832 | 2247824 | Rdr |52 | | WUPA
Now this is me using TagWriter to “change” the password to FF FF FF FF;
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
20272480 | 20282944 | Rdr |93 70 88 04 03 2a a5 85 b8 | ok | SELECT_UID
20284180 | 20287700 | Tag |04 da 17 | |
20295280 | 20305808 | Rdr |95 70 72 d5 38 81 1e 82 38 | ok | SELECT_UID-2
20306996 | 20310580 | Tag |00 fe 51 | |
20374864 | 20383024 | Rdr |1b 41 42 43 44 16 22 | ok | PWD-AUTH KEY: 0x41424344
20384276 | 20388948 | Tag |00 00 a0 1e | |
20445472 | 20454784 | Rdr |a2 e5 ff ff ff ff 0c 41 | ok | WRITEBLOCK(229) (?)
20510436 | 20511012 | Tag |0a! | |
20552656 | 20561968 | Rdr |a2 e6 00 00 00 00 59 af | ok | WRITEBLOCK(230) (?)
20617604 | 20618180 | Tag |0a! | |
20651104 | 20655808 | Rdr |30 e3 97 7d | ok | READBLOCK(227)
20657044 | 20677908 | Tag |04 00 00 04 00 05 00 00 00 00 00 00 00 00 00 00 25 7c | ok |
20723104 | 20732416 | Rdr |a2 e3 04 00 00 04 c5 bd | ok | WRITEBLOCK(227) (?)
20788068 | 20788644 | Tag |0a! | |
20888528 | 20897904 | Rdr |a2 e4 00 05 00 00 6c 80 | ok | WRITEBLOCK(228) (?)
20953476 | 20954052 | Tag |0a! | |
21045072 | 21049840 | Rdr |50 00 57 cd | ok | HALT
21150672 | 21151664 | Rdr |52 | | WUPA
21152900 | 21155268 | Tag |44 00 | |
- The response to my attempt to write to page E5 from NFC Shell is 00, which supposedly is an error result, but it did work and the password was changed to 41 42 43 44. I’m not sure if this is a failure of the proxmark3 to catch the correct response or not, but I somehow doubt it’s the proxmark3’s fault.
- At this point I think I will just assume that your 3 “survivors” have now somehow had their passwords changed to something other than what you specified… a brute force attempt would be quite interesting I think.
- Let’s focus on the “dead” tags which did not “survive” the Dangerous NFC… do you have one of those that has not been altered in any way since the attempt to protect it with Dangerous NFC? If so, I’d like a full scan with TagInfo to be posted… specifically I want to see the static lock bytes, dynamic lock bytes, and all the config pages… so pages 02, 03, and E2-E4.
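
Added example (not part of the original post, and not proxmark3 code): a small Python decoder for frames like the ones in the traces above. It checks the ISO 14443-A CRC on each reader frame and lists password authentications and page writes, so you can audit what a writer app actually changed on the tag. It assumes the NTAG216 page map (E3 = CFG0 with AUTH0 in byte 3, E4 = CFG1, E5 = PWD, E6 = PACK) and the NTAG21x 4-bit ACK/NAK codes; the trace lines are copied from this post.

```python
# Added example: decode reader/tag frames from a proxmark3 ISO 14443-A trace.
# Assumed NTAG216 page map: E3=CFG0 (AUTH0 is byte 3), E4=CFG1, E5=PWD, E6=PACK.
PAGES = {0xE2: "dynamic lock", 0xE3: "CFG0", 0xE4: "CFG1", 0xE5: "PWD", 0xE6: "PACK"}
# NTAG21x 4-bit replies to a WRITE (assumed from the NTAG21x family behaviour).
REPLY = {0x0A: "ACK", 0x00: "NAK invalid argument", 0x01: "NAK parity/CRC error",
         0x04: "NAK auth counter overflow", 0x05: "NAK EEPROM write error"}

# Trace lines copied from the two sessions in the post.
TRACE = """\
2072576 | 2081888 | Rdr |a2 e5 41 42 43 44 79 63 | ok | WRITEBLOCK(229) (?)
2083140 | 2083780 | Tag |00! | |
20374864 | 20383024 | Rdr |1b 41 42 43 44 16 22 | ok | PWD-AUTH KEY: 0x41424344
20384276 | 20388948 | Tag |00 00 a0 1e | |
20445472 | 20454784 | Rdr |a2 e5 ff ff ff ff 0c 41 | ok | WRITEBLOCK(229) (?)
20510436 | 20511012 | Tag |0a! | |
20723104 | 20732416 | Rdr |a2 e3 04 00 00 04 c5 bd | ok | WRITEBLOCK(227) (?)
20788068 | 20788644 | Tag |0a! | |
"""

def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 Type A CRC (init 0x6363), transmitted low byte first."""
    crc = 0x6363
    for d in data:
        b = d ^ (crc & 0xFF)
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def decode(trace: str) -> list:
    events = []
    for line in trace.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or cols[2] not in ("Rdr", "Tag"):
            continue  # header, separator or unrelated line
        raw = bytes(int(tok.rstrip("!"), 16) for tok in cols[3].split())
        if cols[2] == "Tag":
            if len(raw) == 1:  # 4-bit ACK/NAK, carries no CRC
                events.append(("TAG", REPLY.get(raw[0], "unknown reply")))
            continue
        if len(raw) < 3 or crc_a(raw[:-2]) != raw[-2:]:
            continue  # short frame (e.g. WUPA) or corrupted capture
        cmd, body = raw[0], raw[1:-2]
        if cmd == 0x1B and len(body) == 4:  # PWD_AUTH: password travels in the clear
            events.append(("PWD_AUTH", body.hex()))
        elif cmd == 0xA2 and len(body) == 5:  # WRITE: page number + 4 data bytes
            events.append(("WRITE", body[0], body[1:].hex(), PAGES.get(body[0], "user memory")))
    return events

if __name__ == "__main__":
    for ev in decode(TRACE):
        print(ev)
```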