proxmark3
proxmark3 copied to clipboard
Published
20 hours ago •
RfidResearchGroup
RfidResearchGroup
FM11RF005SH support
It looks like hf 14a sim t 9 u 0a000000 could simulate FM11RF005SH but this is flawed.
Actually FM11RF005SH does not support anticollision, only WUPA/REQA.
High level:
[usb] pm3 --> hf 14a reader
UID : 0A 00 00 00
ATQA : 00 03
SAK : 0a [2]
[+] field dropped.
Simulated:
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |03 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16500 | Tag |0a 00 00 00 0a | |
19584 | 30112 | Rdr |93 70 0a 00 00 00 0a 6e 3a | ok | SELECT_UID
31284 | 34868 | Tag |0a a4 fe
Real:
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |03 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 11252 | Tag |0a! | |
14336 | 24800 | Rdr |93 70 0a 00 00 00 0a 6e 3a | ok | SELECT_UID
26036 | 26612 | Tag |0a!
To read the first 8 blocks which are accessible freely in read-only:
hf 14a raw -a -b 7 -p 26
hf 14a raw -p -c 3000
hf 14a raw -p -c 3001
hf 14a raw -p -c 3002
hf 14a raw -p -c 3003
hf 14a raw -p -c 3004
hf 14a raw -p -c 3005
hf 14a raw -p -c 3006
hf 14a raw -c 3007
Example:
[usb] pm3 --> hf 14a raw -a -b 7 -p 26
received 2 bytes
03 00
[usb] pm3 --> hf 14a raw -p -c 3000
received 6 bytes
03 00 02 90 F4 D4
[usb] pm3 --> hf 14a raw -p -c 3001
received 6 bytes
26 7D 4E 30 9B 00
[usb] pm3 --> hf 14a raw -p -c 3002
received 6 bytes
02 90 14 B2 67 82
[usb] pm3 --> hf 14a raw -p -c 3003
received 6 bytes
00 16 12 01 E4 B2
[usb] pm3 --> hf 14a raw -p -c 3004
received 6 bytes
EC BF 35 18 E8 E1
[usb] pm3 --> hf 14a raw -p -c 3005
received 6 bytes
18 15 9F 84 E8 94
[usb] pm3 --> hf 14a raw -p -c 3006
received 6 bytes
FF FF FF 00 E1 AA
[usb] pm3 --> hf 14a raw -c 3007
received 6 bytes
00 01 00 00 DC 0C
I added some improvements based on issue #1599
If you have a fudan card to test with?