Help needed to identify access-card

Hi.

I just got my PM3 easy from here and I’m trying to identify my access-card to work.

A little bit of history.

Right now I’m using a Pagopace Payment-Ring together with the Fidesmo/Curve-App and I’m very
pleased in using it.

Using an implant is just the next logical step.
My plans are:
I. Identify my access-card with the PM3 easy
II. Clone the access-card to a card which came with the PM3, just to see if I’m on the right way.
III. Clone the card to a Magic Ring if it has the right chip for it.
IV. Get the correct implant for the access-card.
V. If available, switch from the Pagopace-Ring to, for example, a Vivokey Apex Flex as a second
implant to pay with my other hand.

Ok. I’m right now just with step I.
Here is what it looks like. Everything is done on an Ubuntu Linux laptop.

the PM3:

[+] loaded from JSON file /home/cbode/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC
[ Proxmark3 RFID instrument ]

MCU....... AT91SAM7S512 Rev A
Memory.... 512 Kb ( 60% used )

Client.... Iceman/master/v4.16191-85-g9b331b37a-dirty 2023-02-20 12:16:28
Bootrom... Iceman/master/v4.16191-85-g9b331b37a-dirty-unclean 2023-02-20 12:16:05
OS........ Iceman/master/v4.16191-85-g9b331b37a-dirty-unclean 2023-02-20 12:16:22
Target.... PM3 GENERIC

Looks like it’s working. So I started to test some of my access-cards.

the first one:

[usb|script] pm3 → hf search

[+] UID: 04 1B 68 82 80 0F 90
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE DESFire CL2
[+] MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+] MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+] MIFARE DESFire EV3 2K/4K/8K
[+] MIFARE DESFire Light 640B
[+] NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 0F 75 77 81 02 53 45 20 44 45 53 46 69 72 65 [ 53 00 ]
[=] 0F… TL length is 15 bytes
[=] 75… T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 77… TA1 different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=] 81… TB1 SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
[=] 02… TC1 NAD is NOT supported, CID is supported

[=] -------------------- Historical bytes --------------------
[+] 53452044455346697265

[?] Hint: try hf mfdes info

[+] Valid ISO 14443-A tag found

the second one:

[usb|script] pm3 → hf search

[+] UID: 24 AE 3A 34
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] — Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: [ …signature public key deleted but I get one…]
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: […signature deleted but I get one…]
[+] Signature verification: successful
[?] Hint: try hf mf commands

[+] Valid ISO 14443-A tag found

the third and interesting one I like to clone:

[usb|script] pm3 → hf search
[!] No known/supported 13.56 MHz tags found

Some more tests:

One NFC-for my home:

[usb|script] pm3 → hf search

[+] UID: E0 07 C5 35 4F AD 89 90
[+] TYPE: Texas Instrument; Tag-it HF-I Pro; 8x23bit; password

[+] Valid ISO 15693 tag found

Apple AirTag:

[usb|script] pm3 → lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]

[!] command execution time out

[-] No data found!
[?] Maybe not an LF tag?

[usb|script] pm3 → hf search
[!] No known/supported 13.56 MHz tags found

For me it looks like the PM3 Easy is working but at this point it does not support the interesting
access-card.

Do I need an RDV4 or RDV4.1 to get it identified, or are there other tricks to get the needed
information?

I’m just new in the NFC/RFID business and this was just my first test.

Any help will be appreciated.

Regards

Christian
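The ATS line in the first `hf search` result above can be decoded by hand with the ISO/IEC 14443-4 field layout. This is an added example, not part of the original post or of the Proxmark3 client; `parse_ats` and the other names are chosen here, and the input is the ATS copied from the post.

```python
# Added example: ISO/IEC 14443-4 ATS decoder. parse_ats() is a name chosen here.
FSC_TABLE = [16, 24, 32, 40, 48, 64, 96, 128, 256]   # FSCI 0..8 -> frame size (bytes)

def _divisors(bits):
    # bit0 -> 2, bit1 -> 4, bit2 -> 8; divisor 1 is always supported and not listed
    return [d for i, d in enumerate((2, 4, 8)) if bits & (1 << i)]

def parse_ats(hexstr):
    raw = bytes.fromhex(hexstr)
    if not raw:
        raise ValueError("empty ATS")
    tl = raw[0]                      # TL counts itself but not the two CRC bytes
    if tl < 1 or tl > len(raw):
        raise ValueError("TL=%d does not fit %d captured bytes" % (tl, len(raw)))
    out = {"TL": tl, "crc": raw[tl:].hex(), "historical": b""}
    if tl == 1:                      # TL alone: no T0, protocol defaults apply
        return out
    t0 = raw[1]
    if 2 + bin(t0 & 0x70).count("1") > tl:
        raise ValueError("T0 announces more interface bytes than TL allows")
    fsci = t0 & 0x0F
    out["FSCI"] = fsci
    out["FSC"] = FSC_TABLE[fsci] if fsci < len(FSC_TABLE) else None  # >8 not decoded here
    pos = 2
    if t0 & 0x10:                    # TA1: bit-rate divisors
        ta1, pos = raw[pos], pos + 1
        out["same_divisor_only"] = bool(ta1 & 0x80)
        out["DS"] = _divisors(ta1 >> 4)    # card -> reader
        out["DR"] = _divisors(ta1)         # reader -> card
    if t0 & 0x20:                    # TB1: frame waiting / start-up guard time
        tb1, pos = raw[pos], pos + 1
        out["FWI"], out["SFGI"] = tb1 >> 4, tb1 & 0x0F
        out["FWT_fc"] = 4096 << out["FWI"]                  # in carrier periods (1/fc)
        out["SFGT_fc"] = (4096 << out["SFGI"]) if out["SFGI"] else 0
    if t0 & 0x40:                    # TC1: optional protocol features
        tc1, pos = raw[pos], pos + 1
        out["NAD"], out["CID"] = bool(tc1 & 0x01), bool(tc1 & 0x02)
    out["historical"] = raw[pos:tl]  # free-form bytes, often an ASCII product string
    return out

# ATS copied from the hf search output above, including the bracketed CRC bytes.
ATS_FROM_POST = "0F 75 77 81 02 53 45 20 44 45 53 46 69 72 65 53 00"

if __name__ == "__main__":
    for key, value in parse_ats(ATS_FROM_POST).items():
        print(key, value)
```

The decoded values match the client's own annotation lines, and the historical bytes come out as the ASCII string `SE DESFire`.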

You’ll probably have to enroll in this system

Looks promising for an “easy” clone

Try
lf search

You’ll be able to enroll into this one, xSLX is probably the equivalent of what you have, BUT it may accept other chip types :crossed_fingers:

No, the easy can do what the RDV4 can do, for a fraction of the cost.

What are you trying to do with the airtag?

You did awesome :+1:

I should have mentioned that I tried “lf search”

[usb] pm3 → lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
:clock10: Searching for COTAG tag…

[-] :no_entry: No data found!
[?] Maybe not an LF tag?

The first two cards convinced me that the PM3 is working but these two are not very
interesting to clone because I don’t use them enough to have them as an implant.

The third card, which does not like to respond, is right now the most interesting one to clone
but it does not seem to respond to anything.

Neither on lf nor on hf. :frowning:

Try a
lf t5 detect

It may be blank

It was just a try. I have several AirTags in use and I had one on my keys just to see if I
get any response on lf or hf from it.

It was just a “proof of concept” → Is the PM3 working? So I just tried everything that might
respond.

Regards

Christian

Or try writing something like

lf em 410x clone --id 0102030405

[usb] pm3 → lf t5 detect
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’

hmmm blank? It is a working access-card.

Ah, my bad, I missed that

Your PM3 looks like it is working correctly; it may be the placement of your card.
Try your searches again, giving it some separation: put a (non-conductive) spacer between the card and the PM3 antenna.

Alternatively, try scanning with TagInfo and see if you get a result.

Do you have any info on the readers?

Make?
model?
Photos?

Any writing on the card?

This is the manufacturer of the access system.

I tried an “auto” search.

[=] Failed both LF / HF SEARCH,
[=] Trying lf read and save a trace for you
[#] LF Sampling config
[#] [q] divisor… 95 ( 125.00 kHz )
[#] [b] bits per sample… 8
[#] [d] decimation… 1
[#] [a] averaging… no
[#] [t] trigger threshold… 0
[#] [s] samples to skip… 0
[#]
[=] FILE PATH: lf_unknown_2023-02-21_10:18.pm3
[+] saved 40000 bytes to PM3 file ‘lf_unknown_2023-02-21_10:18.pm3

Ok…I’m getting some light into the dark…

It was my fault. That one that is not responding…is correct not to respond. There is no
chip in it. I used the light of my iPhone to check.

This is the real one to clone:

[=] hf search
:clock8: Searching for ISO14443-A tag…
[+] UID: 04 1B 68 82 80 0F 90
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE DESFire CL2
[+] MIFARE DESFire EV1 256B/2K/4K/8K CL2
[+] MIFARE DESFire EV2 2K/4K/8K/16K/32K
[+] MIFARE DESFire EV3 2K/4K/8K
[+] MIFARE DESFire Light 640B
[+] NTAG 4xx
[=] -------------------------- ATS --------------------------
[+] ATS: 0F 75 77 81 02 53 45 20 44 45 53 46 69 72 65 [ 53 00 ]
[=] 0F… TL length is 15 bytes
[=] 75… T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 77… TA1 different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=] 81… TB1 SFGI = 1 (SFGT = 8192/fc), FWI = 8 (FWT = 1048576/fc)
[=] 02… TC1 NAD is NOT supported, CID is supported

[=] -------------------- Historical bytes --------------------
[+] 53452044455346697265

[?] Hint: try hf mfdes info

[+] Valid ISO 14443-A tag found

Sorry my fault.

[usb|script] pm3 → hf mfdes info

[=] ---------------------------------- Tag Information ----------------------------------
[+] UID: 04 1B 68 82 80 0F 90
[+] Batch number: CF 5B 96 61 90
[+] Production date: week 39 / 2021
[+] Product type: MIFARE DESFire native IC (physical card)

[=] — Hardware Information
[=] raw: 04010112001605
[=] Vendor Id: NXP Semiconductors Germany
[=] Type: 0x01
[=] Subtype: 0x01
[=] Version: 12.0 ( DESFire EV2 )
[=] Storage size: 0x16 ( 2048 bytes )
[=] Protocol: 0x05 ( ISO 14443-2, 14443-3 )

[=] — Software Information
[=] raw: 04010102011605
[=] Vendor Id: NXP Semiconductors Germany
[=] Type: 0x01
[=] Subtype: 0x01
[=] Version: 2.1
[=] Storage size: 0x16 ( 2048 bytes )
[=] Protocol: 0x05 ( ISO 14443-3, 14443-4 )

[=] --------------------------------- Card capabilities ---------------------------------

[=] — Tag Signature
[=] IC signature public key name: DESFire Ev2
[=] IC signature public key value: […existing but deleted…]
[=] Elliptic curve parameters: NID_secp224r1
[=] TAG IC Signature: […existing but deleted …]
[+] Signature verification: successful

[+] — AID list
[+] AIDs: ffffff, e56918, e56919, e5691a, f52318, 1023f5

[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 6 free memory 1344 bytes
[+] PICC level auth commands:
[+] Auth… NO
[+] Auth ISO… NO
[+] Auth AES… YES
[+] Auth Ev2… YES
[+] Auth ISO Native… YES
[+] Auth LRP… NO
[+] PICC level rights:
[+] [1…] CMK Configuration changeable : YES
[+] [.1…] CMK required for create/delete : NO
[+] […1.] Directory list access with CMK : NO
[+] […1] CMK is changeable : YES
[+]
[+]
[+] Key: AES
[+] key count: 1
[+] PICC key 0 version: 1 (0x01)

[=] — Free memory
[+] Available free memory on card : 1344 bytes

[=] Standalone DESFire

@Pilgrimsmaster

So the next logical step to test would be to order some of your mentioned cards from LAB401

and clone the original card to it.

But since it is a MIFARE DESFire ev2 with 7byte UID…that might be the
end of my journey?

No ring…no implant :frowning: ???

Desfire unfortunately cannot be cloned.

:rofl: :rofl: :rofl:

It will still be highly unlikely that you will be cloning the card. That is a magic card, but that will only let you change the UID (that’s pretty much all).
It may work, but it is just unlikely if they have implemented the DESFire capabilities.

There is not NO chance, just a LOW chance.
DESFire EV2, you really have 3 options:

The magic card (if it works) in a custom conversion by Amal
Have the original card converted by Amal
Enroll a FlexDF2 into the Access system

When you have a device that is not responding to HF search or LF search, then the next step is to use the “tune” commands like lf tune and hf tune and present the device to each. If the voltage doesn’t drop or doesn’t drop hardly at all, then you likely don’t have a device with an RFID chip inside… but if say, for example, the LF tune numbers drop significantly then it just means there is something in there that the proxmark3 currently can’t detect / read. It might then make sense to reach out to iceman on his discord server to see what next steps might be. He’s always looking for new fobs and chip types to work with and integrate support for on the proxmark3.

I had a talk with the guy who is responsible for the access-card. Ok. His response was not a
HURRAY but it was also not a NO.

Product type: MIFARE DESFire native IC (physical card)
[=] Version: 12.0 ( DESFire EV2 )
UID: 04 1B 68 82 80 0F 90

is the basic information from the card, so the flexDF2 DESFire EV2 would be the right
choice to test.

Is it delivered in a form that the registration and function can be tested before I get it implanted?

Yes Buddy, it’s in a sealed pouch that you can easily read and write to