First, a word on unbricking. Use a JLink, select the chip AT91SAM7S256, connect, and flash the firmware. Some Chinese-made PM3 clones ship with the chip's read/write protection (security bit) enabled, so even though the board exposes a JTAG header you cannot connect to it. To clear it, short pin 55 (the chip's ERASE pin) to 3V3 for about 3 seconds, then short it to GND for about 1 second; this erases the flash together with the security bit, after which JTAG works and you can flash normally.
A routine firmware update just goes over the USB cable. The Chinese-made PM3 units you buy usually do not ship with the latest firmware, and a client you build yourself from the Iceman fork's source on GitHub will not recognize the device (client and firmware versions have to match), so you need to update the firmware. You can download the latest prebuilt firmware from the link below; Windows users just run the .bat files, which is very convenient.
https://www.proxmarkbuilds.org/
After downloading and extracting you will see a handful of .bat files.
The ones with flash in the name are the flashing scripts: flash the bootrom first, then all.
Once the new firmware is flashed, run pm3.bat to get the command-line interface. This post mainly covers low-frequency card operations; since the cards I have access to are limited, it focuses on EM410X and T55XX cards.
First, search for low-frequency tags with lf search
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID 33002964BA
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : CC0094265D
[=] HoneyWell IdentKey
[+] DEZ 8 : 02712762
[+] DEZ 10 : 0002712762
[+] DEZ 5.5 : 00041.25786
[+] DEZ 3.5A : 051.25786
[+] DEZ 3.5B : 000.25786
[+] DEZ 3.5C : 041.25786
[+] DEZ 14/IK2 : 00219046044858
[+] DEZ 15/IK3 : 000876183037533
[+] DEZ 20/ZK : 12120000090402060513
[=]
[+] Other : 25786_041_02712762
[+] Pattern Paxton : 859677370 [0x333DA2BA]
[+] Pattern 1 : 1481773 [0x169C2D]
[+] Pattern Sebury : 25786 41 2712762 [0x64BA 0x29 0x2964BA]
[+] VD / ID : 051 / 0002712762
[=] ------------------------------------------------
[+] Valid EM410x ID found!
[+] Chipset detection: T55xx
It found an EM410X tag. This kind of tag carries only an ID and no other data, but this one was in fact cloned onto a T55XX tag (the last line, Chipset detection: T55xx, gives it away). Besides presenting an ID, a T55XX tag has writable blocks for storing data.
Read the EM410X tag ID with lf em 410x reader
[usb] pm3 --> lf em 410x reader
[+] EM 410x ID 330029ABCD
EM410X is the common "ID card": its ID is fixed at the factory and can only be read, not written. Here a T55XX tag is used as the clone target, with the ID specified via lf em 410x clone --id 330029abcd
[usb] pm3 --> lf em 410x clone --id 330029abcd
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 330029ABCD (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff98c001654be376
[+] Done
[?] Hint: try `lf em 410x reader` to verify
lf t55xx detect probes specifically for T55XX tags
[usb] pm3 --> lf t55xx detect
[=] Chip type......... T55x7
[=] Modulation........ ASK
[=] Bit rate.......... 5 - RF/64
[=] Inverted.......... No
[=] Offset............ 33
[=] Seq. terminator... Yes
[=] Block0............ 00148040 (auto detect)
[=] Downlink mode..... default/fixed bit length
[=] Password set...... No
lf t55xx dump reads out the contents of the T55XX tag; everything stored on the tag is shown below
[usb] pm3 --> lf t55xx dump
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00148040 | 00000000000101001000000001000000 | ...@
[+] 01 | FF98C001 | 11111111100110001100000000000001 | ....
[+] 02 | 64C4DE90 | 01100100110001001101111010010000 | d...
[+] 03 | 69659A99 | 01101001011001011001101010011001 | ie..
[+] 04 | 00000123 | 00000000000000000000000100100011 | ...#
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
[+] 06 | 00000000 | 00000000000000000000000000000000 | ....
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Reading Page 1:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00148040 | 00000000000101001000000001000000 | ...@
[+] 01 | E0152403 | 11100000000101010010010000000011 | ..$.
[+] 02 | 2A37D2F3 | 00101010001101111101001011110011 | *7..
[+] 03 | 00A00003 | 00000000101000000000000000000011 | ....
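The clone output above (blocks FF98C001 654BE376 for ID 330029ABCD) and the dump above (blocks 1 and 2 = FF98C001 64C4DE90 for the tag lf search identified as 33002964BA) are the same thing seen from two sides: a 40-bit EM410x ID expanded into the 64-bit EM4100 bitstream and split across two T55x7 words. The following Python is an added example, not code from the original post or from the Proxmark3 project; it encodes an ID the way the clone command does and decodes a pair of dumped blocks back to an ID while checking the parity bits. The EM4100 layout it implements (9-bit header, 10 nibbles each followed by an even row-parity bit, 4 column-parity bits, stop bit) is the standard one; the IDs and block values are the ones shown on this page.

```python
# Added example (not from the original post or the Proxmark3 project):
# EM4100 bitstream encoder/decoder for the two T55x7 words that
# `lf em 410x clone` writes and `lf t55xx dump` shows in blocks 1 and 2.

HEADER = "1" * 9  # an EM4100 stream starts with nine consecutive 1 bits


def em4100_bits(tag_id: str) -> str:
    """Return the 64-bit EM4100 bitstream for a 10-hex-digit (40-bit) ID."""
    if len(tag_id) != 10:
        raise ValueError("EM410x ID must be 10 hex digits")
    bits = HEADER
    col_parity = [0, 0, 0, 0]
    for ch in tag_id:
        nibble = int(ch, 16)
        row = [(nibble >> shift) & 1 for shift in (3, 2, 1, 0)]
        bits += "".join(map(str, row)) + str(sum(row) & 1)   # 4 data bits + even row parity
        col_parity = [c ^ b for c, b in zip(col_parity, row)]
    bits += "".join(map(str, col_parity)) + "0"               # 4 column-parity bits + stop bit
    return bits


def em4100_to_t55x7_blocks(tag_id: str) -> tuple[int, int]:
    """Split the 64-bit stream into the two 32-bit words for T55x7 blocks 1 and 2."""
    bits = em4100_bits(tag_id)
    return int(bits[:32], 2), int(bits[32:], 2)


def t55x7_blocks_to_em4100(block1: int, block2: int):
    """Decode T55x7 blocks 1 and 2 of an EM410x clone back to the ID.

    Returns None when the header, stop bit or any parity bit is wrong, which is
    the check a reader performs before accepting a demodulated stream.
    """
    bits = f"{block1:032b}{block2:032b}"
    if bits[:9] != HEADER or bits[63] != "0":
        return None
    col_parity = [0, 0, 0, 0]
    digits = []
    for i in range(10):
        group = bits[9 + 5 * i: 14 + 5 * i]          # 4 data bits + row parity
        row = [int(b) for b in group[:4]]
        if (sum(row) & 1) != int(group[4]):
            return None                               # row parity mismatch
        col_parity = [c ^ b for c, b in zip(col_parity, row)]
        digits.append(f"{int(group[:4], 2):X}")
    if "".join(map(str, col_parity)) != bits[59:63]:
        return None                                   # column parity mismatch
    return "".join(digits)


if __name__ == "__main__":
    b1, b2 = em4100_to_t55x7_blocks("330029ABCD")
    print(f"clone --id 330029abcd writes blocks {b1:08X} {b2:08X}")
    print("dump blocks FF98C001 64C4DE90 decode to",
          t55x7_blocks_to_em4100(0xFF98C001, 0x64C4DE90))
```

The column parity is what lets you tell a real EM410x stream from a false positive in lf search: flip a single data bit and the row parity fails, change a whole nibble together with its row-parity bit and the column parity catches it.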
Write a block by giving the block number and the data: lf t55xx write -b 3 -d 11223344
[usb] pm3 --> lf t55xx write -b 3 -d 11223344
[=] Writing page 0 block: 03 data: 0x11223344
T55X tags can also be password protected. First wipe the tag with lf t55xx wipe
[usb] pm3 --> lf t55xx wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0
[=] Begin wiping...
[=] Writing page 0 block: 00 data: 0x000880E0
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
Then set a password on the tag by writing it into block 7
[usb] pm3 --> lf t55xx write -b 7 -d 12345678
[=] Writing page 0 block: 07 data: 0x12345678
The tag's state should now look like this
[usb] pm3 --> lf t55xx dump
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] 04 | 00000000 | 00000000000000000000000000000000 | ....
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
[+] 06 | 00000000 | 00000000000000000000000000000000 | ....
[+] 07 | 12345678 | 00010010001101000101011001111000 | .4Vx
To make the password take effect we only need to set a single bit in block 0 (the configuration block) to 1, the PWD bit, which is what the Password set line of lf t55xx detect reports:

Hex | Binary
---|---
000880E0 | 0000 0000 0000 1000 1000 0000 1110 0000
000880F0 | 0000 0000 0000 1000 1000 0000 1111 0000

So we write block 0 as 000880F0. Be careful to change only that bit: the rest of block 0 sets the modulation, bit rate and number of transmitted blocks, and a wrong value there can leave the tag unreadable until you reconfigure it.
[usb] pm3 --> lf t55xx write -b 0 -d 000880f0
[=] Writing page 0 block: 00 data: 0x000880F0
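The block 0 words on this page (00148040 for the EM410x clone, 000880E0 after the wipe, 000880F0 with the password enabled) can be decoded field by field, which is also a good way to double-check a config word before writing it. The Python below is an added example, not code from the original post or from the Proxmark3 project. The field positions follow the T55x7_* bit masks used by the Proxmark3 client (bit rate code at bits 18-20, modulation at bits 12-16, max block at bits 5-7, PWD at bit 4); treat them as an assumption to verify against the ATA5577 datasheet if you rely on them.

```python
# Added example (not from the original post or the Proxmark3 project):
# decode a T55x7 page 0 block 0 configuration word and toggle its PWD bit.
# Field positions follow the T55x7_* masks in the Proxmark3 client; an assumption.

BITRATES = {0: 8, 1: 16, 2: 32, 3: 40, 4: 50, 5: 64, 6: 100, 7: 128}  # code -> RF/n
MODULATIONS = {
    0x00: "DIRECT", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
    0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
    0x08: "MANCHESTER", 0x10: "BIPHASE", 0x18: "DIPHASE",
}
PWD_BIT = 0x00000010  # when set, block 7 holds a password that reads/writes must carry


def decode_block0(word: int) -> dict:
    """Break a 32-bit block-0 word into the fields that lf t55xx detect prints."""
    rate_code = (word >> 18) & 0x7
    mod_code = (word >> 12) & 0x1F
    return {
        "bitrate_code": rate_code,
        "rf": BITRATES[rate_code],
        "modulation": MODULATIONS.get(mod_code, f"unknown({mod_code:#04x})"),
        "maxblock": (word >> 5) & 0x7,   # last data block the tag transmits in read mode
        "password": bool(word & PWD_BIT),
    }


def with_password_bit(word: int, enabled: bool) -> int:
    """Return the same configuration word with only the PWD bit changed."""
    if enabled:
        return word | PWD_BIT
    return word & ~PWD_BIT & 0xFFFFFFFF


def describe(word: int) -> str:
    f = decode_block0(word)
    return (f"{word:08X}: bit rate {f['bitrate_code']} - RF/{f['rf']}, "
            f"{f['modulation']}, maxblock {f['maxblock']}, "
            f"password {'Yes' if f['password'] else 'No'}")


if __name__ == "__main__":
    for w in (0x00148040, 0x000880E0, with_password_bit(0x000880E0, True)):
        print(describe(w))
```

Compare the output with the detect listings on this page: 00148040 is bit rate 5 - RF/64, Manchester, with maxblock 2 (only blocks 1 and 2 carry the EM410x stream), while the wipe default 000880E0 is bit rate 2 - RF/32, Manchester, maxblock 7. Producing the password-enabled word with with_password_bit(0x000880E0, True) rather than by hand keeps you from accidentally touching the other fields.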
Now detection fails: the tag is password protected (not encrypted; with the PWD bit set it simply will not answer block reads that do not carry the password, so detect cannot fetch block 0 to work out the modulation)
[usb] pm3 --> lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
We have to supply the password when detecting
[usb] pm3 --> lf t55xx detect -p 12345678
[=] Chip type......... T55x7
[=] Modulation........ ASK
[=] Bit rate.......... 2 - RF/32
[=] Inverted.......... No
[=] Offset............ 33
[=] Seq. terminator... Yes
[=] Block0............ 000880F0 (auto detect)
[=] Downlink mode..... default/fixed bit length
[=] Password set...... Yes
[=] Password.......... 12345678
Subsequent reads and writes also have to carry the password. Beware that reading a tag that has no password set while supplying one can lock the tag, so the official client refuses to do it unless you add the -o (override) flag. Unless you know the tag really uses a password, do not read with one; check the Password set line of lf t55xx detect first.
[usb] pm3 --> lf t55xx read -b 1 -p 12345678 -o
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[=] Safety check overridden - proceeding despite risk
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
To remove the password, write block 0 back to 000880E0 (supplying the password for the write)
[usb] pm3 --> lf t55xx write -b 0 -d 000880e0 -p 12345678
[=] Writing page 0 block: 00 data: 0x000880E0 pwd: 0x12345678
[usb] pm3 --> lf t55xx detect
[=] Chip type......... T55x7
[=] Modulation........ ASK
[=] Bit rate.......... 2 - RF/32
[=] Inverted.......... No
[=] Offset............ 33
[=] Seq. terminator... Yes
[=] Block0............ 000880E0 (auto detect)
[=] Downlink mode..... default/fixed bit length
[=] Password set...... No