Research, development and trades concerning the powerful Proxmark3 device.
Hi,
I used the "hf mf sim" command a "long" time ago and it worked like a charm.
Yesterday I used this command again and it was broken.
When I try to read a full MF Classic 1k tag initialised like
> hf mf eclr
> hf mf eload data
> hf mf sim 12345678
I don't get the data.
Getting the UID is still working...
... just reading all the data fails.
So I went back revision after revision in the svn repo...
Turned out that the command works in revision
r554 and is broken in revision r555
This is odd because the commit message is:
------------------------------------------------------------------------
r555 | GooglePlus@YoungJules.net | 2012-06-12 14:21:26 +0200 (Tue, 12 Jun 2012) | 1 line
Commented out unused, set but never read variables (cause build to fail if warnings treated as errors)
------------------------------------------------------------------------
I did a "svn diff -r 554:555" and yeah, only the "unused" variables were commented out...
So can anybody help me?
Does anybody even get the same results? (broken emulator)
What causes the emulator to fail?
Is one of the variables not unused and the compiler warning was wrong?!
Kind regards
ikarus
Offline
Seriously? No one?
Just take your Proxmark3 and a random reader, initialise the emulator with some data, "sim" a mifare tag
and then try to read the whole emulated tag.
Also, I get some other problems with the latest revision (r652):
"hf mf nested 1 0 a ffffffffffff"
prints keys like
...uid:a75c8a90 len=3 trgbl=4 trgkey=0
.uid:a75c8a90 len=4 trgbl=4 trgkey=0
.uid:a75c8a90 len=4 trgbl=4 trgkey=0
.uid:a75c8a90 len=4 trgbl=4 trgkey=0
.uid:a75c8a90 len=4 trgbl=4 trgkey=0
.------------------------------------------------------------------
Total keys count:1136824
Found valid key:%012I64x
Valid key %012I64x ?!?
And second thing I observed:
proxmark3> hf mf eclr
proxmark3> hf mf ekeyprn
|---|----------------|----------------|
|sec|key A |key B |
|---|----------------|----------------|
|000| %012I64x | %012I64x |
|001| %012I64x | %012I64x |
|002| %012I64x | %012I64x |
|003| %012I64x | %012I64x |
[...]
|038| %012I64x | %012I64x |
|039| %012I64x | %012I64x |
|---|----------------|----------------|
Just for the record:
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 617-unclean 2012-09-10 13:53:36
#db# os: svn 652 2013-02-05 12:20:49
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
Nobody else having this problems?
What is it I'm doing wrong?
Any help is appreciated!
Kind regards
ikarus
Offline
Mmm... Operating System?
%012I64x is to format the number to be printed.. it's really weird.. try to recompile...
I'm doing some research using the simulator and it's working fine. I'm trying to understand how to handle auth requests from a reader and answer "yes!"...
Be good.
Offline
Thx for your reply.
I'm using Ubuntu 12.10 (32Bit) with the latest devKitARM.
I tried recompiling and I tried it on a Kubuntu 12.04 LTS (64Bit)...
Nothing worked.
So I checked the svn revisions:
On r648 the "%012I64x" problem is not there, but on (and after) r649
I get the "%012I64x"...
Emulating a full Mifare Classic 1k tag still fails in revision 648 like I described in my first post...
Kind regards
ikarus
Offline
Hey Guys,
How does the format notation "%012llx" (long long, lowercase hex) perform in this context? I know UNIX would like such a notation, not sure if Windows (especially 32-bit) likes this.
Cheers,
Roel
Offline
Thank you roel!
vim ./client/cmdhfmf.c
:%s/%012I64x/%012llx/g
:wq
make clean
make
... and the "%012I64x"-issue is gone.
Can any Windows user state, if the "%012llx" notation works too?
If so, the problem could be fixed in the official svn repository code, right?
Unfortunately the emulator is still not working correctly...
Maybe it is my Proxmark3 or my Antenna... I will check that as
soon as possible.
Kind regards
ikarus
Last edited by ikarus (2013-02-07 15:37:33)
Offline
Hey Guys,
How does the format notation "%012llx" (long long, lowercase hex) perform in this context? I know UNIX would like such a notation, not sure if Windows (especially 32-bit) likes this.
Cheers,
Roel
Hey, I'm using the Windows client on WinXP 32-bit and it's working with the I64 notation. I'm not able to successfully authenticate to the emulated Mifare; during the emulation there's no need to auth and then read or write, and I believe that we need to fully emulate an auth request, maybe always replying OK...
Offline
Hey, I'm using the Windows client on WinXP 32-bit and it's working with the I64 notation.
Could you please check if the "%012llx" notation works too on your WinXP 32Bit?
If it works, it could be changed in the svn repo so that the code works for
Windows and Linux.
Would be really great!
Kind regards
ikarus
Offline
Hey @ikarus, check this post: http://www.proxmark.org/forum/viewtopic.php?id=1474
That's why I moved from 012llx to I64.
Try using the latest update, and update your bootrom too. We can include some preprocessor lines to distinguish between Lin and Win...
Offline
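The two symptoms in this thread come from the same root cause: the length modifier in the key format string is runtime specific. glibc's printf has no "I64" modifier, so the Linux client printed "%012I64x" literally; the old MSVCRT that the Windows client links against did not understand "ll", printed only 32 bits and gave the "0000ffffffff" keys moebius mentions from topic 1474. The portable fix is the PRIx64 macro from <inttypes.h>, which expands to whatever modifier the platform runtime supports, and which is the standard form of the preprocessor switch proposed above. The code below is an added example, not code from the Proxmark3 client or from anyone in this thread; the function names are mine and the round-trip check is a suggestion for catching both symptoms in a build.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MF_KEY_MASK 0xffffffffffffULL   /* MIFARE Classic keys are 48 bits */

/* Format a key as 12 zero-padded lowercase hex digits. PRIx64 expands to the
 * length modifier the C runtime really supports ("llx" under glibc, "I64x"
 * under the old MSVCRT), so the same source line works for both clients. */
int mf_key_to_hex(uint64_t key, char *out, size_t outlen) {
    return snprintf(out, outlen, "%012" PRIx64, key & MF_KEY_MASK);
}

/* The hand-rolled version of the same switch, as proposed in the thread.
 * PRIx64 is exactly this #if, maintained by the C library instead of by us. */
#if defined(_WIN32)
#  define MF_KEY_FMT "%012I64x"
#else
#  define MF_KEY_FMT "%012llx"
#endif
int mf_key_to_hex_ifdef(uint64_t key, char *out, size_t outlen) {
    return snprintf(out, outlen, MF_KEY_FMT,
                    (unsigned long long)(key & MF_KEY_MASK));
}

/* Does the formatted key equal the expected string? (1 = yes) */
int mf_key_hex_equals(uint64_t key, const char *expect) {
    char buf[32];
    return mf_key_to_hex(key, buf, sizeof buf) == 12 && strcmp(buf, expect) == 0;
}

/* Round-trip check. The two failure modes seen in the thread are a literal
 * "%012I64x" (runtime did not understand the modifier) and a key shortened
 * to 32 bits such as "0000ffffffff" (runtime ignored "ll"). Both fail here:
 * the first contains a '%', the second does not parse back to the input. */
int mf_key_roundtrip_ok(uint64_t key) {
    char buf[32];
    key &= MF_KEY_MASK;
    if (mf_key_to_hex(key, buf, sizeof buf) != 12) return 0;
    if (strchr(buf, '%') != NULL) return 0;        /* specifier printed literally */
    return strtoull(buf, NULL, 16) == key;         /* parses back to the same value */
}

int main(void) {
    char buf[32];
    uint64_t keys[] = { 0xffffffffffffULL, 0xa0a1a2a3a4a5ULL, 0x000000000001ULL };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        mf_key_to_hex(keys[i], buf, sizeof buf);
        printf("%s roundtrip=%d\n", buf, mf_key_roundtrip_ok(keys[i]));
    }
    return 0;
}
```

One caveat for the Windows side: with MinGW the expansion of PRIx64 depends on whether the ANSI stdio replacement is enabled, which is one more reason to let the header choose rather than hard-coding "I64x" or "llx" in the client source.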
Hey @ikarus, check this post: http://www.proxmark.org/forum/viewtopic.php?id=1474
That's why I moved from 012llx to I64.
Yeah... I remember that. I got these "0000ffffffff" keys some times too.
I checked out the latest svn version (r653) and flashed everything (bootrom, fpga and os).
With the original code I get the "%012I64x". Changing "%012I64x" to "%012llx" solves the key
display problem (for Linux?!).
We can include some preprocessor lines to distinguish between Lin and Win...
I would really appreciate something like that.
But there is still something wrong with the emulator. Ok, for all you other guys the emulator
seems to work perfectly, so I think there is something wrong with what I am doing
(and it's not the hardware, I checked that on a second proxmark).
Let's be more specific:
proxmark3> hf mf eclr
proxmark3> hf mf eset 0 44dcf4c5a9880400c185149859703412
proxmark3> hf mf eset 1 00000000000000000000000000000000
proxmark3> hf mf eset 2 00000000000000000000000000000000
proxmark3> hf mf eset 3 ffffffffffffff078069ffffffffffff
proxmark3> hf mf eset 4 00000000000000000000000000000000
proxmark3> hf mf eset 5 00000000000000000000000000000000
proxmark3> hf mf eset 6 00000000000000000000000000000000
proxmark3> hf mf eset 7 ffffffffffffff078069ffffffffffff
proxmark3> hf mf eset 8 00000000000000000000000000000000
proxmark3> hf mf eset 9 00000000000000000000000000000000
proxmark3> hf mf eset 10 00000000000000000000000000000000
proxmark3> hf mf eset 11 ffffffffffffff078069ffffffffffff
proxmark3> hf mf eset 12 00000000000000000000000000000000
proxmark3> hf mf eset 13 00000000000000000000000000000000
proxmark3> hf mf eset 14 00000000000000000000000000000000
proxmark3> hf mf eset 15 ffffffffffffff078069ffffffffffff
[...]
proxmark3> hf mf eset 60 00000000000000000000000000000000
proxmark3> hf mf eset 61 00000000000000000000000000000000
proxmark3> hf mf eset 62 00000000000000000000000000000000
proxmark3> hf mf eset 63 ffffffffffffff0780bcffffffffffff
proxmark3> hf mf sim 44dcf4c5
uid:44 dc f4 c5
#db# Started. 7buid=0
proxmark3>
That is what I am doing. Cloning an empty Mifare Classic 1k tag.
The next step is to read this data. I tried this with multiple readers (Nexus 7, Omnikey Cardman 5321 CR, SCL011).
All of the readers have no problems retrieving the UID.
But when I want to read, I get an error like "authentication error" (although I'm using the correct keys for that).
And another really strange thing I experience when I'm doing this is, that sometimes the Cardman 5321 reader is
able to read the first sector! (and then goes on with "authentication error"). I can't explain why.
Is it some timing problem or something like that?
Thanks for all the help so far!
Kind regards
ikarus
Offline
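Before blaming the emulator it is worth checking that the image being loaded is internally consistent, because a reader will abort at exactly the two places ikarus sees it abort: the anticollision (if the BCC in block 0 does not match the UID) and the sector authentication (if the access bits in a sector trailer are malformed, a card treats the sector as blocked). The code below is an added example, not from the Proxmark3 client or from anyone in this thread; it rebuilds the image from the eset sequence above (block 0 bytes and the FF 07 80 69 transport trailers are taken from the post, block 63's user byte is kept at 69 instead of the post's bc), validates it, and renders the same "hf mf eset" lines so the result can be compared with what was typed. Function names are mine; the access-bit layout (each nibble of C1..C3 stored plain and inverted in trailer bytes 6..8) is the standard MIFARE Classic layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MF1K_BLOCKS  64
#define MF_BLOCK_LEN 16

/* BCC of a 4-byte UID: XOR of the four UID bytes. The reader checks it during
 * anticollision, so block 0 byte 4 must match the UID in bytes 0..3. */
uint8_t mf_bcc(const uint8_t uid[4]) {
    return uid[0] ^ uid[1] ^ uid[2] ^ uid[3];
}

/* Bytes 6..8 of a sector trailer carry the access bits C1..C3, each nibble
 * stored once plain and once inverted. A trailer whose copies disagree is
 * malformed; a real card blocks the sector, so auth would fail there too. */
int mf_access_bits_valid(const uint8_t trailer[MF_BLOCK_LEN]) {
    uint8_t b6 = trailer[6], b7 = trailer[7], b8 = trailer[8];
    uint8_t c1 = b7 >> 4, c2 = b8 & 0x0f, c3 = b8 >> 4;
    return (b6 & 0x0f) == (~c1 & 0x0f)   /* ~C1 in low nibble of byte 6  */
        && (b6 >> 4)   == (~c2 & 0x0f)   /* ~C2 in high nibble of byte 6 */
        && (b7 & 0x0f) == (~c3 & 0x0f);  /* ~C3 in low nibble of byte 7  */
}

/* Build the blank 1K image the post loads with "hf mf eset": manufacturer
 * block with the given UID, a computed BCC and the remaining bytes
 * 88 04 00 c1 85 14 98 59 70 34 12 as dumped in the post, zeroed data
 * blocks, and transport trailers FF..FF FF 07 80 69 FF..FF in every sector. */
void mf1k_build_blank(uint8_t image[MF1K_BLOCKS][MF_BLOCK_LEN], const uint8_t uid[4]) {
    static const uint8_t block0_tail[11] = {
        0x88,0x04,0x00,0xc1,0x85,0x14,0x98,0x59,0x70,0x34,0x12 };
    static const uint8_t trailer[MF_BLOCK_LEN] = {
        0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0x07,0x80,0x69,
        0xff,0xff,0xff,0xff,0xff,0xff };
    memset(image, 0, MF1K_BLOCKS * MF_BLOCK_LEN);
    memcpy(image[0], uid, 4);
    image[0][4] = mf_bcc(uid);
    memcpy(&image[0][5], block0_tail, sizeof block0_tail);
    for (int b = 3; b < MF1K_BLOCKS; b += 4)
        memcpy(image[b], trailer, MF_BLOCK_LEN);
}

/* Sanity-check an image before "hf mf eload"/"hf mf sim". Returns the number
 * of problems found (bad BCC in block 0, inconsistent access bits in any
 * trailer); 0 means the image is internally consistent. */
int mf1k_check(uint8_t image[MF1K_BLOCKS][MF_BLOCK_LEN]) {
    int problems = 0;
    if (image[0][4] != mf_bcc(image[0]))
        problems++;
    for (int b = 3; b < MF1K_BLOCKS; b += 4)
        if (!mf_access_bits_valid(image[b]))
            problems++;
    return problems;
}

/* Render one block as the client command typed by hand in the post. */
void mf1k_eset_line(uint8_t image[MF1K_BLOCKS][MF_BLOCK_LEN], int block, char out[64]) {
    int n = snprintf(out, 64, "hf mf eset %d ", block);
    for (int i = 0; i < MF_BLOCK_LEN; i++)
        n += snprintf(out + n, 64 - n, "%02x", image[block][i]);
}

/* Self-check against the post's own commands: block 0 and block 3 must render
 * exactly as typed there, the image must pass mf1k_check, and breaking the
 * BCC must be caught. Returns 1 on success. */
int mf1k_selftest(void) {
    static uint8_t image[MF1K_BLOCKS][MF_BLOCK_LEN];
    const uint8_t uid[4] = { 0x44, 0xdc, 0xf4, 0xc5 };
    char line[64];
    mf1k_build_blank(image, uid);
    if (mf1k_check(image) != 0) return 0;
    mf1k_eset_line(image, 0, line);
    if (strcmp(line, "hf mf eset 0 44dcf4c5a9880400c185149859703412") != 0) return 0;
    mf1k_eset_line(image, 3, line);
    if (strcmp(line, "hf mf eset 3 ffffffffffffff078069ffffffffffff") != 0) return 0;
    image[0][4] ^= 0x01;                      /* corrupt the BCC */
    return mf1k_check(image) == 1;
}

int main(void) {
    static uint8_t image[MF1K_BLOCKS][MF_BLOCK_LEN];
    const uint8_t uid[4] = { 0x44, 0xdc, 0xf4, 0xc5 };
    char line[64];
    mf1k_build_blank(image, uid);
    printf("problems: %d, selftest: %d\n", mf1k_check(image), mf1k_selftest());
    for (int b = 0; b < MF1K_BLOCKS; b++) {
        mf1k_eset_line(image, b, line);
        puts(line);
    }
    return 0;
}
```

The image in the post passes this check (BCC a9 is correct for 44 dc f4 c5, and FF 07 80 is a consistent transport configuration), so the data itself is not what the readers are rejecting; that leaves the emulator's handling of the authentication exchange, which is where the thread moves next. The same check also catches the UID mismatch case, since "hf mf sim" takes the UID as an argument while the readers compare it with block 0.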
But when I want to read, I get an error like "authentication error" (although I'm using the correct keys for that).
And another really strange thing I experience when I'm doing this is, that sometimes the Cardman 5321 reader is
able to read the first sector! (and then goes on with "authentication error"). I can't explain why. Is it some timing problem or something like that?
Hi @ikarus, your problem is suspiciously similar to mine, except I have an emulated card on a Nexus S running Android JellyBean. I can read sector 0 with the default key (FFFFFFFFFFFF) with Proxmark, perform "hf 14a reader" and some other "hf mf" commands. But for every other sector, other than sector 0, I get auth failure.
Thinking that other sectors have different keys, I tried MFOC to crack the keys. But libnfc seems to have more trouble with itself (my reader is SCL3711). Libnfc authenticates OK with any key for all sectors and then, as expected, fails to read that sector, including sector 0, which reads fine with Proxmark. Please share if you have more details.
Offline
@ikarus, @nick_name, have you seen my post http://www.proxmark.org/forum/viewtopic.php?id=1529 ?
I'm stating that I'm not being able to authenticate to the emulated mifare that PM3 runs. I've read the code, but I wasn't able to find the error yet.
The code seems to be fine. It first does the auth and, if it's already authenticated, it does nested. But I'm not sure why you can read the mem without auth and the auth always kicks you out with the "auth error" msg.
I'll take a look tonight. I suggest discussing this within the other topic.
Offline
Sorry for the off-topic, but nick_name, could you tell me how you have an emulator on your Nexus S? Are you using any modified firmware?
I have an S3 and I was looking for this.
I know that in the old firmware versions it works perfectly, but Android removed this option in the new firmwares. Could you tell me how you do this?
Or send me any link or something.
My email is my nickname followed by @hotmail.com. Thanks
Last edited by thefkboss (2013-02-12 19:05:04)
Offline
@ moebius
But not sure why you can read the mem without auth [...]
There is a little misunderstanding, sorry, my fault.
I can not read the first sector without auth.
The strange thing I experience is, that sometimes the first auth
(for sector 0) works and then I am able to read.
The second auth (for sector 1) however will fail.
I suggest discussing this within the other topic.
You are right.
Kind regards
ikarus
Offline
continued in http://www.proxmark.org/forum/viewtopic.php?pid=9192#p9192
Offline