Research, development and trades concerning the powerful Proxmark3 device.
Hello,
I have a problem with "hf mf mifare".
My setup consists of 2 cards (Mifare Classic 1K):
proxmark3> hf 14a reader
ATQA : 04 00
UID : 52 70 ab 48 00 00 00 00 9b a7 5d 8d
SAK : 08 [2]
SAK : NXP MIFARE CLASSIC 1k | Plus 2k
proprietary non-iso14443a card found, RATS not supported
proxmark3> hf 14a reader
ATQA : 04 00
UID : 87 3d ec 09 00 00 00 00 9b a7 5d 8d
SAK : 88 [2]
SAK : Infineon MIFARE CLASSIC 1K
proprietary non-iso14443a card found, RATS not supported
and
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 617-unclean 2012-09-10 13:53:36
#db# os: svn 621-unclean 2012-09-20 10:59:42
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
The "hf mf mifare" command works perfectly on the second card (Infineon), but
on the first card (NXP, MF Classic 1K, I know that, not Plus 2k) it runs forever like:
uid(5270ab48) nt(f7cc33d8) par(08a02828c8886870) ks(03070e090f0b020a)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| 3 | 6 |0,0,0,1,0,0,0,0|
| 20 |00000020| 7 | 2 |0,0,0,0,0,1,0,1|
| 40 |00000040| e | b |0,0,0,1,0,1,0,0|
| 60 |00000060| 9 | c |0,0,0,1,0,1,0,0|
| 80 |00000080| f | a |0,0,0,1,0,0,1,1|
| a0 |000000a0| b | e |0,0,0,1,0,0,0,1|
| c0 |000000c0| 2 | 7 |0,0,0,1,0,1,1,0|
| e0 |000000e0| a | f |0,0,0,0,1,1,1,0|
#db# COMMAND mifare FINISHED
------------------------------------------------------------------
Key found:73185f940000
Found invalid key. ( Nt=f7cc33d8 ,Trying use it to run again...
A valid key was never found. Only keys where the last two bytes are 0...
Why is that? What can I do?
Thx for your help!
Offline
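Added example (not part of the original post and not Proxmark3 client code): a small Python triage helper that rebuilds the printed table from the `par(...)` and `ks(...)` fields of the summary line and flags the symptoms discussed in this thread. The field layout (parity bits LSB first, one ks3 nibble per `ks` byte) is inferred from the output quoted above; the function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: three lines copied from the output quoted in the post.
SAMPLE = """\
uid(5270ab48) nt(f7cc33d8) par(08a02828c8886870) ks(03070e090f0b020a)
Key found:73185f940000
Found invalid key. ( Nt=f7cc33d8 ,Trying use it to run again...
"""

HEX = r"[0-9a-fA-F]"
SUMMARY = re.compile(
    rf"uid\(({HEX}{{8}})\) nt\(({HEX}{{8}})\) par\(({HEX}{{16}})\) ks\(({HEX}{{16}})\)"
)
KEY = re.compile(rf"Key found:\s*({HEX}{{12}})")


def decode_summary(log):
    """Rebuild the eight table rows from the par(...) and ks(...) fields."""
    m = SUMMARY.search(log)
    if not m:
        raise ValueError("no uid/nt/par/ks summary line found")
    par, ks = bytes.fromhex(m.group(3)), bytes.fromhex(m.group(4))
    rows = []
    for i in range(8):
        ks3 = ks[i] & 0xF                      # one keystream nibble per ks byte
        rows.append({
            "diff": i * 0x20,                  # |diff| column: 00, 20, ..., e0
            "ks3": ks3,
            "ks3^5": ks3 ^ 5,
            "parity": [(par[i] >> b) & 1 for b in range(8)],  # LSB first
        })
    return {"uid": m.group(1), "nt": m.group(2), "rows": rows}


def triage(log):
    """Return the decoded table plus the symptoms mentioned in this thread."""
    info = decode_summary(log)
    findings = []
    if not any(bit for r in info["rows"] for bit in r["parity"]):
        findings.append("all parity bits are 0")
    for key in KEY.findall(log):
        if key.lower().endswith("0000"):
            findings.append(f"candidate key {key} ends in two zero bytes")
    if "Found invalid key" in log:
        findings.append("client rejected the candidate key and restarted")
    return info, findings
```

Calling `triage()` on a saved client log gives the decoded rows and a list of findings, which makes it easy to compare runs across cards or firmware revisions.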
Edit...
I have a 3rd card, also from NXP like the one that doesn't work (but with the std. key (0xFFF....))
Surprisingly this card is crackable via "hf mf mifare"... OK, not that surprisingly. A lot of the cards out there are from NXP and don't mess with "hf mf mifare".
proxmark3> hf 14a reader
ATQA : 04 00
UID : f4 d4 76 b9 00 00 00 00 9a a7 55 cc
SAK : 08 [2]
SAK : NXP MIFARE CLASSIC 1k | Plus 2k
proprietary non-iso14443a card found, RATS not supported
Additional info to the "bad" card:
I know the key of that card. It is possible to read sectors or do the nested command. Only the "hf mf mifare" doesn't work...
Offline
http://www.proxmark.org/forum/viewtopic.php?id=1374
Offline
Thx. I will try that.
(I thought this was a different problem because genik1111's parity is always 0.
This is why I opened a new thread...)
Offline
MIFARE Plus does not have the PRNG vulnerability when we test it with the Proxmark3.
Maybe you can just use snoop to crack it.
"hf mf mifare" can only be used for MIFARE Classic!! Not for MIFARE Plus cards.
Offline
It is Mifare Classic! I know that.
A great help was:
Your problem is the misplacement of the card; put a book or notebook between the card and the reader and try the command again.
That worked for me! Unfortunately not for all cards but for some of them.
One card is still showing the zero bytes at the end...
Offline
OK. I have found why it happened.
http://code.google.com/p/proxmark3/source/detail?r=627
but(
There are several thoughts:
1. lfsr_common_prefix for some cards always returns 0 records
2. Maybe we need to have a random sleep at the beginning of the cycle, because we have got only several Nt from 1 card(
3. Maybe we need to fix this line: uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
Maybe these cards are sensitive to it....
Roel, what do you think?
And maybe someone has ideas?
Last edited by merlok (2012-11-08 11:03:36)
Offline
Hi merlok.
With version 627
I always have this error:
lfsr_common_prefix for some cards always returns 0 records
I have tried with several MIFARE cards that I used to recover the key from with the old version, but with this new version I always have that error.
Maybe 50 ms is too fast, or there is a bug??
Thanks
Offline