
First, unbricking. Use a J-Link, select AT91SAM7S256 as the target chip, connect, and flash the firmware. Some Chinese-made PM3 clones ship with read/write protection (the chip's security bit) enabled, so although the board exposes a JTAG header you cannot connect to it. To clear it, short pin 55 (the ERASE pin of the AT91SAM7S256) to 3V3 for about 3 seconds, then short it to GND for about 1 second; after that the JTAG connection works.

Normal firmware updates go over the USB cable. The Chinese-made PM3s you buy usually do not ship with the latest firmware, and a client built from Iceman's source on GitHub will not recognise a device running old firmware, so the firmware has to be updated first. Pre-built firmware can be downloaded from the link below; Windows users simply run the .bat files, which is very convenient:
https://www.proxmarkbuilds.org/

After downloading and extracting, you will see these .bat files:

The ones with flash in their name are the flashing scripts: flash bootrom first, then all.

Once the new firmware is on, run pm3.bat to get the command-line client. This article mainly covers low-frequency cards; since I only have a limited set of cards, that means mostly EM410x and T55xx.

First, search for low-frequency cards with lf search:

```
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID 33002964BA
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : CC0094265D
[=] HoneyWell IdentKey
[+]     DEZ 8          : 02712762
[+]     DEZ 10         : 0002712762
[+]     DEZ 5.5        : 00041.25786
[+]     DEZ 3.5A       : 051.25786
[+]     DEZ 3.5B       : 000.25786
[+]     DEZ 3.5C       : 041.25786
[+]     DEZ 14/IK2     : 00219046044858
[+]     DEZ 15/IK3     : 000876183037533
[+]     DEZ 20/ZK      : 12120000090402060513
[=]
[+] Other              : 25786_041_02712762
[+] Pattern Paxton     : 859677370 [0x333DA2BA]
[+] Pattern 1          : 1481773 [0x169C2D]
[+] Pattern Sebury     : 25786 41 2712762 [0x64BA 0x29 0x2964BA]
[+] VD / ID            : 051 / 0002712762
[=] ------------------------------------------------
[+] Valid EM410x ID found!
[+] Chipset detection: T55xx
```
An EM410x card was identified. A genuine EM410x carries nothing but a 40-bit ID, yet the last line gives it away: this one is a T55xx card that was cloned to look like an EM410x. Besides emulating the ID, a T55xx has writable blocks that can hold other data.

Read the EM410x card ID with lf em 410x reader:

```
[usb] pm3 --> lf em 410x reader
[+] EM 410x ID 330029ABCD
```
EM410x is the common "ID card": the ID is fixed at the factory and can only be read, never written. Here we take a blank T55xx card and clone the ID onto it with lf em 410x clone --id 330029abcd:

```
[usb] pm3 --> lf em 410x clone --id 330029abcd
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 330029ABCD (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff98c001654be376
[+] Done
[?] Hint: try `lf em 410x reader` to verify
```
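The 64-bit value the clone command writes (0xff98c001654be376) is the EM4100 frame for that ID, split across T55x7 blocks 1 and 2. The following is an added example written for this article, not code from the original post or from the Proxmark3 project; it encodes an EM410x ID into the two data words and decodes them back with the parity checks a reader performs, so you can check for yourself what a cloned tag has stored:

```python
from typing import Optional, Tuple

# EM4100/EM410x frame, 64 bits, transmitted MSB first (Manchester, RF/64 above):
#   9 header bits, all 1
#   10 rows of (4 ID bits + 1 even row-parity bit)   -> 50 bits
#   4 even column-parity bits over the 10 rows
#   1 stop bit, always 0
# "lf em 410x clone" stores this frame in T55x7 block 1 (bits 1-32)
# and block 2 (bits 33-64); the client prints it as one 64-bit hex value.

HEADER = [1] * 9


def em410x_encode(tag_id: str) -> Tuple[int, int]:
    """Return (block1, block2) for a 40-bit EM410x ID given as 10 hex digits."""
    if len(tag_id) != 10:
        raise ValueError("EM410x ID must be 10 hex digits (40 bits)")
    bits = list(HEADER)
    col_parity = [0, 0, 0, 0]
    for ch in tag_id:
        row = [(int(ch, 16) >> (3 - i)) & 1 for i in range(4)]  # nibble, MSB first
        bits += row + [sum(row) & 1]                            # data + even row parity
        col_parity = [c ^ b for c, b in zip(col_parity, row)]   # running column parity
    bits += col_parity + [0]                                    # column parity + stop bit
    frame = int("".join(map(str, bits)), 2)                     # exactly 64 bits
    return frame >> 32, frame & 0xFFFFFFFF


def em410x_decode(block1: int, block2: int) -> Optional[str]:
    """Inverse of em410x_encode. Returns the ID, or None if header, parity or stop bit fail."""
    frame = ((block1 & 0xFFFFFFFF) << 32) | (block2 & 0xFFFFFFFF)
    bits = [(frame >> (63 - i)) & 1 for i in range(64)]
    if bits[:9] != HEADER or bits[63] != 0:
        return None
    rows = [bits[9 + 5 * r: 14 + 5 * r] for r in range(10)]
    if any(sum(row) & 1 for row in rows):                       # row parity must be even
        return None
    for col in range(4):                                        # column parity must be even
        if (sum(row[col] for row in rows) + bits[59 + col]) & 1:
            return None
    return "".join(f"{int(''.join(map(str, row[:4])), 2):X}" for row in rows)


if __name__ == "__main__":
    # IDs taken from this article: the lf search result and the clone target.
    for tag in ("33002964BA", "330029ABCD"):
        b1, b2 = em410x_encode(tag)
        print(f"{tag} -> block1 {b1:08X} block2 {b2:08X} -> {em410x_decode(b1, b2)}")
```

Running it reproduces both values seen on this page: 330029ABCD gives FF98C001 654BE376, the word pair in the clone output, and 33002964BA gives FF98C001 64C4DE90, which is exactly what blocks 1 and 2 hold in the T55xx dump further down. That is the whole trick of the clone: the T55x7 is configured to transmit blocks 1 and 2 in Manchester at RF/64, and an EM410x reader cannot tell the difference.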
lf t55xx detect probes specifically for T55xx cards and reads back the configuration block:

```
[usb] pm3 --> lf t55xx detect
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 5 - RF/64
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... Yes
[=]  Block0............ 00148040 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No
```
lf t55xx dump reads out the whole T55xx card; everything stored on it is shown below. Block 0 of page 0 is the configuration block, blocks 1 and 2 hold the EM410x frame, and the rest is free for data:

```
[usb] pm3 --> lf t55x dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00148040 | 00000000000101001000000001000000 | ...@
[+]  01 | FF98C001 | 11111111100110001100000000000001 | ....
[+]  02 | 64C4DE90 | 01100100110001001101111010010000 | d...
[+]  03 | 69659A99 | 01101001011001011001101010011001 | ie..
[+]  04 | 00000123 | 00000000000000000000000100100011 | ...#
[+]  05 | 00000000 | 00000000000000000000000000000000 | ....
[+]  06 | 00000000 | 00000000000000000000000000000000 | ....
[+]  07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00148040 | 00000000000101001000000001000000 | ...@
[+]  01 | E0152403 | 11100000000101010010010000000011 | ..$.
[+]  02 | 2A37D2F3 | 00101010001101111101001011110011 | *7..
[+]  03 | 00A00003 | 00000000101000000000000000000011 | ....
```
lf t55xx write -b 3 -d 11223344 writes to the T55xx card, giving the block number and the 32-bit data word:

```
[usb] pm3 --> lf t55xx write -b 3 -d 11223344
[=] Writing page 0  block: 03  data: 0x11223344
```
A T55xx card can also be password protected. First wipe the card with lf t55xx wipe, which writes the default configuration 000880E0 to block 0 and zeroes blocks 1 to 7:

```
[usb] pm3 --> lf t55xx wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0
[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
```
Then set a password by writing it into block 7, which is the block the T55x7 uses as its password once password mode is enabled:

```
[usb] pm3 --> lf t55xx write -b 7 -d 12345678
[=] Writing page 0  block: 07  data: 0x12345678
```
The card should now look like this:

```
[usb] pm3 --> lf t55xx dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 000880E0 | 00000000000010001000000011100000 | ....
[+]  01 | 00000000 | 00000000000000000000000000000000 | ....
[+]  02 | 00000000 | 00000000000000000000000000000000 | ....
[+]  03 | 00000000 | 00000000000000000000000000000000 | ....
[+]  04 | 00000000 | 00000000000000000000000000000000 | ....
[+]  05 | 00000000 | 00000000000000000000000000000000 | ....
[+]  06 | 00000000 | 00000000000000000000000000000000 | ....
[+]  07 | 12345678 | 00010010001101000101011001111000 | .4Vx
```
Block 7 is only treated as a password once the PWD bit in the configuration block (block 0) is set. That is a single bit, mask 0x10 (bit 28 in the T5577 datasheet's MSB-first numbering):

| Hex | Binary |
|---|---|
| 000880E0 | 0000000000001000100000001110 0000 |
| 000880F0 | 0000000000001000100000001111 0000 |

So we write block 0 as 000880F0:
```
[usb] pm3 --> lf t55xx write -b 0 -d 000880f0
[=] Writing page 0  block: 00  data: 0x000880F0
```
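The table above changes exactly one bit, but block 0 also encodes the bit rate, modulation and block count that lf t55xx detect reported. The following is an added example written for this article, not code from the original post or from the Proxmark3 project; the field positions are the basic-mode block 0 layout of the T5577 datasheet as the Proxmark3 client defines them. It decodes the three block 0 words that appear on this page and flips the PWD bit without touching anything else:

```python
# T55x7 page 0, block 0 (configuration), basic mode. Masks on the 32-bit word,
# LSB = bit 0. The datasheet numbers the same bits 1..32 MSB-first, so the
# PWD mask 0x10 is datasheet bit 28.
MASTER_KEY_MASK = 0xF0000000
BITRATE_MASK    = 0x001C0000   # 3-bit index into RF_DIVISORS
X_MODE          = 0x00020000   # extended mode; this decoder assumes basic mode
MODULATION_MASK = 0x0001F000
PSKCF_MASK      = 0x00000C00   # PSK carrier frequency
AOR             = 0x00000200   # answer on request
OTP             = 0x00000100   # one-time-programmable lock: if set, writes are final
MAXBLOCK_MASK   = 0x000000E0   # last block transmitted in regular read mode
PWD             = 0x00000010   # password mode: block 7 becomes the password

RF_DIVISORS = (8, 16, 32, 40, 50, 64, 100, 128)
MODULATIONS = {0: "Direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1", 5: "FSK2",
               6: "FSK1a", 7: "FSK2a", 8: "ASK/Manchester", 16: "Biphase", 24: "Diphase"}


def decode_block0(word: int) -> dict:
    """Decode a block 0 word into the fields 'lf t55xx detect' reports."""
    rate = (word & BITRATE_MASK) >> 18
    return {
        "bitrate_index": rate,                       # the "5" in "Bit rate 5 - RF/64"
        "bitrate": f"RF/{RF_DIVISORS[rate]}",
        "modulation": MODULATIONS.get((word & MODULATION_MASK) >> 12, "unknown"),
        "max_block": (word & MAXBLOCK_MASK) >> 5,
        "password": bool(word & PWD),
        "otp": bool(word & OTP),
        "x_mode": bool(word & X_MODE),
    }


def set_password_mode(word: int, enable: bool) -> int:
    """Return block 0 with the PWD bit set or cleared; every other field is kept."""
    return (word | PWD) if enable else (word & ~PWD) & 0xFFFFFFFF


if __name__ == "__main__":
    # Block 0 values taken from this article: after the EM410x clone, after the
    # wipe, and after enabling the password.
    for word in (0x00148040, 0x000880E0, 0x000880F0):
        print(f"{word:08X} -> {decode_block0(word)}")
    print(f"{set_password_mode(0x000880E0, True):08X}")   # 000880F0, as written above
```

decode_block0(0x00148040) gives bit rate index 5 (RF/64), ASK/Manchester and max block 2, matching the detect output after the clone; 0x000880E0 gives index 2 (RF/32), max block 7 and no password, matching the detect output after the wipe. Enabling the password is purely set_password_mode(block0, True), which is why the order in this article matters: write the password into block 7 first, and only then set the bit, otherwise you lock yourself out with whatever happens to be in block 7. Be equally careful never to set OTP by accident, since that makes the card permanently read-only.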
Now the card can no longer be detected: in password mode the tag ignores direct-access reads and writes that do not carry the correct password. Note that this is password protection, not encryption; the data itself is stored in the clear.

```
[usb] pm3 --> lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
```
We have to detect with the password:

```
[usb] pm3 --> lf t55xx detect -p 12345678
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 2 - RF/32
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... Yes
[=]  Block0............ 000880F0 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... Yes
[=]  Password.......... 12345678
```
All subsequent reads and writes must carry the password as well. Be aware that reading a card that has no password set while supplying one can lock the card, because a tag that is not in password mode parses those 32 password bits as part of a write command. The official client therefore refuses password reads unless you add the -o (override) flag. Unless you know the card really uses a password, do not read with one.

```
[usb] pm3 --> lf t55xx read -b 1 -p 12345678 -o
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[=] Safety check overridden - proceeding despite risk
[+]  01 | 00000000 | 00000000000000000000000000000000 | ....
```
To remove the password, write block 0 back to 000880E0 (with the password, since the card is still protected at that point); detect then works again without one:

```
[usb] pm3 --> lf t55xx write -b 0 -d 000880e0 -p 12345678
[=] Writing page 0  block: 00  data: 0x000880E0 pwd: 0x12345678
[usb] pm3 --> lf t55xx detect
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 2 - RF/32
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... Yes
[=]  Block0............ 000880E0 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No
```