Research, development and trades concerning the powerful Proxmark3 device.
OK thank you - have tried asking twice with no response. Not sure if it's only given out to forum admins or those with major contributions to the project already. I was in a training session at TROOPERS in which we talked about this a bit and I was interested to try it out. @blapost if you can share I would like to try this out as well.
Offline
OK thank you - have tried asking twice with no response. Not sure if it's only given out to forum admins or those with major contributions to the project already. I was in a training session in which we talked about this a bit and I was interested to try it out. @blapost if you can share I would like to try this out as well.
Offline
Hello
I have finally compiled the piwi repository,
but I cannot run hardnested.
I have this
proxmark3> read hf 14th
ATQA: 00 44 UID: April 96 f1 af 0a 48 80 SAK: 08 [2]
MANUFACTURER: NXP Semiconductors Germany
TYPE: NXP Mifare Classic 1k | 2k Plus SL1
proprietary non ISO14443-4 card found, not supported RATS
Answers to chinese magic backdoor commands: NO
you may find a key B on this card with the repository piwi ??
do not run this command..
please help me
Offline
Your pasted text looks scrambled.
Offline
sorry for my English
I have compiled the repository piwi, but still can not get hardnested run the command.
on this card
ATQA: 00 44 UID: April 96 f1 af 0a 48 80 SAK: 08 [2]
MANUFACTURER: NXP Semiconductors Germany
TYPE: NXP Mifare Classic 1k | 2k Plus SL1
proprietary non ISO14443-4 card found, not supported RATS
Answers to chinese magic backdoor commands: NO
I wonder if this card is a NXP Mifare Classic 1k | 2k Plus SL1
it is possible to obtain a key b
Offline
No, your pasted ATQA info looks scrambled. Don't translate it.
Offline
sorry
ATQA : 00 44
UID : 04 96 f1 0a af 48 80
SAK : 08 [2]
MANUFACTURER : NXP Semiconductors Germany
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Offline
the easy questions first; Are you running the latest version from GitHub?
[edit] ok, piwi's hardnested. You need to flash firmware and run the same client as you compiled.
Offline
LaserByte, don't forget to implement bruteforce in advance
Offline
the easy questions first; Are you running the latest version from GitHub?
[edit] ok, piwi's hardnested. You need to flash firmware and run the same client as you compiled.
I've noticed you've implemented piwi's code. I've compiled the latest master branch, but can't use the hf mf hardnested function or hf mf hard or hf mf parity.
Should I still use the code from piwi's repo?
Offline
Check iceman's branch which is confirmed to be working.
Offline
Check iceman's branch which is confirmed to be working.
Do you mean this one? https://github.com/iceman1001/proxmark3/branches
I'm getting this when trying to compile:
In file included from nonce2key/crypto1_bs.c:25:
nonce2key/crypto1_bs.h:25: error: alignment of array elements is greater than element size
make[1]: *** [obj/nonce2key/crypto1_bs.o] Error 1
make[1]: Leaving directory `/pm3/client'
make: *** [client/all] Error 2
Offline
As stated before, always compile / flash and use same client from the fork you want to test.
side note, I've never seen a "hf mf parity" command before in the client.
Offline
That error tells me you are using an older GCC compiler. Most likely 4.4 from the proxspace mingw-environment.
Use a linux distro or the docker container, GCC4.8.4 and above works.
Offline
Is mifare plus SL1 the only card type that has hardened the PRNG or are others hardened as well just under a different marketing name? Looking to get my hands on one to test with and want to make sure I buy/find the right thing.
Are there any resources (legal and honest....) that you can buy used/old cards from with a known type?
Is there any good way to tell if the card I am testing is a Mifare Plus or at least has a hardened prng? Other than the fact darkside attack just doesn't work? Is the hardnested attack
Seems like when I do the simple read of the card for info, it gives 4 different answers as to what it MAY be.
Offline
I tried darkside to see if the card was vulnerable, and it never returned anything - just kept going and going like 3 hours....any ideas?
pm3 --> hf mf mifare
-------------------------------------------------------------------------
Executing darkside attack. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
................................................................
A standard 1k card that comes with the Proxmark kit comes back in like 20 seconds for me with:
pm3 --> hf mf mifare
-------------------------------------------------------------------------
Executing darkside attack. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..
Card isn't vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.
Offline
Thanks a lot guys for your help!!! Just compiled it under Kali.
One question is, why doesn't it work with JCOP41 in Mifare Classic emulation?
Offline
@my_fair_cats_sick, if you did hear a loud click sound, then you have stumbled into the "hf mf mifare" bug. There are threads about it here, even an issue on GitHub.
Your last entry shows that the card could be a chinese clone
Offline
I tried with JCOP41 with Classic 1k emulation, but get an error:
root@kali:~/crypto1_bs# ./libnfc_crypto1_crack a0a1a2a3a4a5 5 B 0 B
Error while requesting plain tag-nonce Some other error occurred.
Found tag with uid 671234d1, collecting nonces for key B of block 0 using known key B a0a1a2a3a4a5 for block 5
Don't move the tag!
Can you advise how to fix this bug?
Offline
Open an issue on GitHub, in the crypto_bs project? It's really not a proxmark3 problem.
Offline
Are chinese clones usable for testing with or do they have basically "undefined" characteristics because they are not necessarily conforming to standards and there could be 10000000 different varieties?
I guess this strays from the original topic and I'll ask it elsewhere as well.
Offline
Don't know of any chinese clones, like fudan, to use the newer hardened prng. You don't know until you can test the tags with your pm3...
Offline
Hi!
I used hardnested. That's what I got:
--target block no: 0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0
Allocating memory for partial statelists...
Generating partial statelists...
Generating bitflip statelist...
Reading nonces from file nonces.bin...
Read 18144 nonces from file. cuid=923f3380, Block=16, Keytype=B
Checking for Filter Flip Properties...
Tests: Actual BitFlipProperties odd/even:
Tests: Sorted First Bytes:
Sum(a0) = 112
Number of first bytes with confidence > 95.0%: 30
Generating crypto1 state candidates...
Number of possible keys with Sum(a0) = 112: 13750076573696 (2^43.6)
Reducing Partial Statelists (p,q) = (4,6) with lengths 74240, 178706
Odd state candidates: 0 (2^-inf)
Even state candidates: 0 (2^-inf)
Odd state candidates: 24 (2^4.6)
Even state candidates: 54116 (2^15.7)
Odd state candidates: 33 (2^5.0)
Even state candidates: 54838 (2^15.7)
Odd state candidates: 0 (2^-inf)
Even state candidates: 0 (2^-inf)
Reducing Partial Statelists (p,q) = (6,4) with lengths 181736, 74304
Odd state candidates: 0 (2^-inf)
Even state candidates: 0 (2^-inf)
Odd state candidates: 412 (2^8.7)
Even state candidates: 19048 (2^14.2)
Odd state candidates: 568 (2^9.1)
Even state candidates: 18622 (2^14.2)
Odd state candidates: 0 (2^-inf)
Even state candidates: 0 (2^-inf)
Reducing Partial Statelists (p,q) = (10,12) with lengths 182032, 73356
Odd state candidates: 0 (2^-inf)
Even state candidates: 0 (2^-inf)
Odd state candidates: 416 (2^8.7)
Even state candidates: 17350 (2^14.1)
Odd state candidates: 456 (2^8.8)
Even state candidates: 17216 (2^14.1)
Odd state candidates: 0 (2^-inf)
Even state candidates: 0 (2^-inf)
Reducing Partial Statelists (p,q) = (12,10) with lengths 73420, 185062
Odd state candidates: 0 (2^-inf)
Even state candidates: 0 (2^-inf)
Odd state candidates: 30 (2^4.9)
Even state candidates: 56028 (2^15.8)
Odd state candidates: 27 (2^4.8)
Even state candidates: 56462 (2^15.8)
Odd state candidates: 0 (2^-inf)
Even state candidates: 0 (2^-inf)
Number of remaining possible keys: 39806920 (2^25.2)
Time for generating key candidates list: 5 seconds
Brute Force phase is not implemented.
Sorry for the stupid question.
How do I get the key candidates list?) And how long will it take for bruteforce (2^25)?
Offline
From here you can go two ways,
1. use @aczid separate solver
2. use my fork, where his solver is merged into.
Unless you are a great programmer with lots of time left over to make your own solver.
And a suggestion, use pastebin.com for the big traces/logs.
Offline
iceman, thx. I try the first way.
ps Now I will use pastebin.com
Offline
What does it mean when hardnested fails? Is it worth trying again and again or if it fails once will it always fail?
I have all keys known but Sector 14, I have tried the command:
pm3 --> hf mf hardnested 0 A FFFFFFFFFFFF 14 B
--target block no: 14, target key type:B, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
Allocating memory for partial statelists...
Generating partial statelists...
Generating bitflip statelist...
Acquiring nonces...
Checking for Filter Flip Properties...
Acquired 1456 nonces ( 1440 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 1568 nonces ( 1550 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 2016 nonces ( 1992 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 2576 nonces ( 2532 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 3024 nonces ( 2959 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 3584 nonces ( 3490 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 4032 nonces ( 3913 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 4592 nonces ( 4436 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 5040 nonces ( 4846 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 5600 nonces ( 5355 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 6048 nonces ( 5769 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 6608 nonces ( 6285 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 7056 nonces ( 6680 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 7504 nonces ( 7096 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 8064 nonces ( 7602 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 8512 nonces ( 8001 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 9072 nonces ( 8508 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 9520 nonces ( 8889 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 10080 nonces ( 9367 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 10528 nonces ( 9752 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 11088 nonces (10223 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 11536 nonces (10590 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 12096 nonces (11068 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 12544 nonces (11426 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 13104 nonces (11892 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 13552 nonces (12260 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 14112 nonces (12716 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 14560 nonces (13063 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 15008 nonces (13423 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 15568 nonces (13879 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 16016 nonces (14231 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 16576 nonces (14665 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 17024 nonces (15012 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 17584 nonces (15436 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 18032 nonces (15784 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 18592 nonces (16194 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 19040 nonces (16534 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 19600 nonces (16976 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 20048 nonces (17289 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 20608 nonces (17705 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 21056 nonces (18024 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 21504 nonces (18350 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 22064 nonces (18737 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 22512 nonces (19054 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 23072 nonces (19471 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 23520 nonces (19792 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 24080 nonces (20185 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 24528 nonces (20496 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 25088 nonces (20868 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 25536 nonces (21164 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 26096 nonces (21556 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 26544 nonces (21857 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 27104 nonces (22235 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 27552 nonces (22530 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 28112 nonces (22901 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 28560 nonces (23198 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 29008 nonces (23484 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 29568 nonces (23828 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 30016 nonces (24110 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 30576 nonces (24470 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 31024 nonces (24745 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 31584 nonces (25096 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 32032 nonces (25371 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 32592 nonces (25707 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 33040 nonces (25967 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 33600 nonces (26318 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 34048 nonces (26588 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 34608 nonces (26912 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 35056 nonces (27183 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 35504 nonces (27456 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 36064 nonces (27797 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 36512 nonces (28059 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 37072 nonces (28380 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 37520 nonces (28632 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 38080 nonces (28941 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 38528 nonces (29202 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 39088 nonces (29513 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 39536 nonces (29771 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 40096 nonces (30087 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 40544 nonces (30331 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 41104 nonces (30645 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 41552 nonces (30900 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 42112 nonces (31201 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 42560 nonces (31433 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 43008 nonces (31680 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 43568 nonces (31960 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 44016 nonces (32189 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 44576 nonces (32471 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 45024 nonces (32700 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 45584 nonces (32984 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 46032 nonces (33211 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 46592 nonces (33493 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 47040 nonces (33729 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 9
Acquired 47600 nonces (33963 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 48048 nonces (34174 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 48608 nonces (34446 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 49056 nonces (34654 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 49504 nonces (34868 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 50064 nonces (35133 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 50512 nonces (35338 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 51072 nonces (35607 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 51520 nonces (35810 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 52080 nonces (36063 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 52528 nonces (36255 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 53088 nonces (36490 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 53536 nonces (36693 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 54096 nonces (36932 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 54544 nonces (37137 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 55104 nonces (37376 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 55552 nonces (37564 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 56112 nonces (37804 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 56560 nonces (38011 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 9
Acquired 57008 nonces (38189 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 10
Acquired 57568 nonces (38423 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 10
Acquired 58016 nonces (38616 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 10
Acquired 58576 nonces (38859 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 12
Acquired 59024 nonces (39042 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 59584 nonces (39286 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 60032 nonces (39465 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 60592 nonces (39682 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 61040 nonces (39831 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 61600 nonces (40055 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 62048 nonces (40234 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 62608 nonces (40437 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 63056 nonces (40590 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 63504 nonces (40750 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 12
Acquired 64064 nonces (40958 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 12
Acquired 64512 nonces (41127 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 65072 nonces (41348 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 10
Acquired 65520 nonces (41508 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 66080 nonces (41716 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 66528 nonces (41861 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 67088 nonces (42060 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 12
Acquired 67536 nonces (42228 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 68096 nonces (42411 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 68544 nonces (42587 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 69104 nonces (42783 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 69552 nonces (42948 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 16
Acquired 70112 nonces (43155 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 16
Acquired 70560 nonces (43310 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 16
Acquired 71008 nonces (43457 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 17
Acquired 71568 nonces (43654 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 17
Acquired 72016 nonces (43807 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 72576 nonces (43989 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 18
Acquired 73024 nonces (44133 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 16
Acquired 73584 nonces (44326 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 74032 nonces (44457 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 74592 nonces (44637 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 75040 nonces (44773 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 75600 nonces (44954 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 76048 nonces (45094 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 76608 nonces (45247 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 18
Acquired 77056 nonces (45378 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 16
Acquired 77504 nonces (45513 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 78064 nonces (45685 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 17
Acquired 78512 nonces (45834 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 18
Acquired 79072 nonces (45992 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 17
Acquired 79520 nonces (46123 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 17
Acquired 80080 nonces (46295 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 18
Acquired 80528 nonces (46440 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 81088 nonces (46611 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 18
Acquired 81536 nonces (46744 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 82096 nonces (46914 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 20
Acquired 82544 nonces (47050 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 83104 nonces (47192 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 83552 nonces (47328 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 84112 nonces (47470 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 20
Acquired 84560 nonces (47598 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 21
Acquired 85008 nonces (47726 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 22
Acquired 85568 nonces (47885 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 22
Acquired 86016 nonces (48009 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 22
Acquired 86576 nonces (48158 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 22
Acquired 87024 nonces (48274 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 21
Acquired 87584 nonces (48416 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 23
Acquired 88032 nonces (48514 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 26
Acquired 88592 nonces (48674 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 27
Acquired a total of 88928 nonces in 74.7 seconds (71425 nonces/minute)
Number of first bytes with confidence > 95.0%: 28
Generating crypto1 state candidates...
Number of possible keys with Sum(a0) = 136: 16937635385344 (2^43.9)
Reducing Partial Statelists (p,q) = (6,10) with lengths 181736, 185062
Reducing Partial Statelists (p,q) = (10,6) with lengths 182032, 178706
Number of remaining possible keys: 81850292 (2^26.3)
Time for generating key candidates list: 4 seconds
Brute force phase starting.
Using 128-bit bitslices
Bitslicing best_first_byte^uid[3] (rollback byte): 51...
Bitslicing nonces...
Starting 1 cracking threads to search 8 buckets containing a total of 81850292 states...
........Fail! Tested 81850292 states, in 1 seconds
Last edited by my_fair_cats_sick (2016-07-05 16:53:40)
Offline
Try a different combination of known blocks - keys. Usually, when specifying something other than the first sector block, it gives good results.
Offline
and as mentioned before, don't confuse blocks with sectors when you use the "HF MF" commands
Offline
Ok so for attempting to recover key for sector 14 on a 1K card I would do something like:
hf mf hardnested 14 A FFFFFFFFFFFF 52 A?
I am looking at this page for reference:
https://www.supremainc.com/en/node/477
Offline
Ha! I got it to work....finally and thanks much @osys! I had the sector/block confused!
Offline
@my_fair_cats_sick: how did you do? Just changing the source block for the hardnested attack did the trick?
Offline
hf mf hardnested 26 A FFFFFFFFFFFF 56 B
(I was looking to get Sector 14 key B, and I had a Mifare 4K so the sector was higher than the 1k card).
Offline
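Added example (not from the thread): the block and sector numbering of MIFARE Classic 1K and 4K cards, used to check which sector each block argument of the `hf mf hardnested` commands quoted above refers to. The function names are hypothetical; the layout assumed is the standard MIFARE Classic memory map (4 blocks per sector, and 16 blocks per sector for sectors 32 to 39 on 4K cards).

```python
# MIFARE Classic addressing helpers (hypothetical names, added for illustration).
# "hf mf" commands take absolute BLOCK numbers, not sector numbers.

CARD_SECTORS = {"1k": 16, "4k": 40}   # number of sectors per card type
SMALL_SECTORS = 32                     # sectors 0..31 have 4 blocks each
BLOCKS_SMALL = 4
BLOCKS_LARGE = 16                      # sectors 32..39 (4K only) have 16 blocks


def sector_blocks(sector, card="1k"):
    """Return the range of absolute block numbers that make up a sector."""
    if not 0 <= sector < CARD_SECTORS[card]:
        raise ValueError(f"sector {sector} does not exist on a {card} card")
    if sector < SMALL_SECTORS:
        first = sector * BLOCKS_SMALL
        return range(first, first + BLOCKS_SMALL)
    first = SMALL_SECTORS * BLOCKS_SMALL + (sector - SMALL_SECTORS) * BLOCKS_LARGE
    return range(first, first + BLOCKS_LARGE)


def trailer_block(sector, card="1k"):
    """The sector trailer (key A, access bits, key B) is the sector's last block."""
    return sector_blocks(sector, card)[-1]


def block_to_sector(block, card="1k"):
    """Map an absolute block number back to the sector that contains it."""
    total_blocks = trailer_block(CARD_SECTORS[card] - 1, card) + 1
    if not 0 <= block < total_blocks:
        raise ValueError(f"block {block} does not exist on a {card} card")
    small_area = SMALL_SECTORS * BLOCKS_SMALL
    if block < small_area:
        return block // BLOCKS_SMALL
    return SMALL_SECTORS + (block - small_area) // BLOCKS_LARGE


def explain_block_args(known_block, target_block, card="1k"):
    """Show which sectors a (known block, target block) argument pair addresses."""
    target_sector = block_to_sector(target_block, card)
    return {
        "known_sector": block_to_sector(known_block, card),
        "target_sector": target_sector,
        "target_sector_blocks": list(sector_blocks(target_sector, card)),
        "target_trailer": trailer_block(target_sector, card),
    }


if __name__ == "__main__":
    # Block arguments taken from the two commands quoted in the thread.
    print(explain_block_args(0, 14, "1k"))    # target block 14 is in sector 3
    print(explain_block_args(26, 56, "4k"))   # target block 56 is in sector 14
```

Block 14 therefore addresses sector 3, while sector 14 starts at block 56.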
Has anyone ported this to work with the simple $10 off the shelf reader as this thread states? I assume just using the little black SCL3711? Would be interesting to do a comparison of the time to crack between the two!
Offline
From here you can go two ways,
1. use @aczid separate solver
Aczid's separate solver has a libnfc version which should support common nfc readers though.
Offline
Great thanks - could you kindly point me to this post or where it's available? Or do I need to ask @aczid?
This is 100% solution using libnfc, getting Nonces and solver?
Offline
This already has been shared several times across the forums
Offline
Thanks much - sorry I just noticed there is a separate search menu option, I was looking for it at the forum top level. Still learning - I appreciate your help!
Offline
I have a quick demo of this on youtube if that helps:
https://youtu.be/THY7WH3WI2Q
Offline
So my cards take between 5-10 minutes to crack, using @iceman's branch which I believe has piwi's changes - does anyone know what is the best way to start looking to improve that timing? Or have things been optimized to hell and it's just processor power?
Offline
The nonce collection part is as fast as you can get from that particular protocol.
The BF solver is the fastest around,
so, I suggest you look into the attack itself if you want to find shortcuts or optimizations.
Offline
If you say 5 - 10 minutes, is this the whole cycle acquisition - key space reduction - brute force? Which of those three steps takes how much time? (I know that total time can vary very much. If you are unlucky, you can spend hours in brute force. So let's stick to an average example).
Offline
Good Point, I should clarify, this is the whole acquisition. For one card - it takes about 10 minutes total. 95% of that time is attempting to get to the 95% confidence threshold:
Acquired 1792 nonces ( 1763 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 2352 nonces ( 2307 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 2912 nonces ( 2847 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 3472 nonces ( 3372 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 4032 nonces ( 3902 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 4592 nonces ( 4422 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 5152 nonces ( 4937 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 5712 nonces ( 5443 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 6272 nonces ( 5955 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 6832 nonces ( 6450 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
The brute forcer is peanuts (like 5-6 seconds) compared to the time spent getting to that confidence level.
Offline
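Added example (not from the thread or the Proxmark3 code base): a parser for the `Acquired N nonces (M with distinct bytes 0 and 1)` progress lines quoted in the posts above, compared against a simple occupancy model of how many distinct two-byte prefixes N random draws produce. It assumes bytes 0 and 1 of each encrypted nonce are uniformly distributed over 65536 values, which is a modelling assumption and not something stated in the thread; the sample lines are copied from the thread's logs.

```python
import math
import re

BUCKETS = 1 << 16  # assumed: bytes 0 and 1 of a nonce take 65536 equally likely values

# Sample progress lines copied from the logs quoted in the thread.
SAMPLE_LOG = """\
Acquired 1792 nonces ( 1763 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 6832 nonces ( 6450 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired 20048 nonces (17289 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 50064 nonces (35133 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 88592 nonces (48674 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 27
"""

PROGRESS_RE = re.compile(
    r"Acquired\s+(\d+)\s+nonces\s+\(\s*(\d+)\s+with distinct bytes 0 and 1\)"
    r".*?>\s*95\.0%:\s*(\d+)"
)


def parse_progress(log):
    """Return (total nonces, distinct prefixes, confident bytes) per progress line."""
    return [tuple(int(g) for g in m.groups()) for m in PROGRESS_RE.finditer(log)]


def expected_distinct(n):
    """Expected number of distinct prefixes after n uniform draws.

    E[distinct] = B * (1 - (1 - 1/B)^n), computed with log1p/expm1 for accuracy.
    """
    return BUCKETS * -math.expm1(n * math.log1p(-1.0 / BUCKETS))


def expected_new_distinct(already_drawn, batch):
    """Expected number of previously unseen prefixes in the next `batch` draws."""
    return expected_distinct(already_drawn + batch) - expected_distinct(already_drawn)


def compare(log):
    """Return (total, observed, expected, relative error) for each progress line."""
    rows = []
    for total, observed, _confident in parse_progress(log):
        expected = expected_distinct(total)
        rows.append((total, observed, expected, abs(observed - expected) / expected))
    return rows


if __name__ == "__main__":
    print(f"{'total':>7} {'observed':>9} {'expected':>9} {'rel.err':>8}")
    for total, observed, expected, err in compare(SAMPLE_LOG):
        print(f"{total:>7} {observed:>9} {expected:>9.0f} {err:>8.2%}")
    # New distinct prefixes expected from a 560-nonce batch, early and late in a run.
    for drawn in (0, 34832, 88032):
        print(drawn, round(expected_new_distinct(drawn, 560), 1))
```

Under this model the number of new distinct prefixes per 560-nonce batch falls steadily as the 65536 possible prefixes fill up, independent of the card or reader.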
When I've spoken with ppl about this, I've only divided it into two parts. The collecting and the solving but I'll use @piwi's division instead.
Considering first part "nonce acquisition"
The collecting part: @piwi found a faster way of getting a nonce out of the card than anyone (publicly) before; it takes a long time.
Considering the second part - "keyspace reduction"
According to @blapost, optimizing the keyspace reduction part doesn't make the solving part much faster.
Considering third part "BF solving"
Since the solver can be sped up with faster hardware and its implementation is the fastest one when @aczid measured it against @blapost's solvers, I don't think the solver can be much faster; it's down to keyspace and hardware.
Conclusion
The only way of making the "hardnested" attack better would be to find a way of needing fewer nonces for the attack to work.
Is there a way of collecting nonces which are considered "good" ? Is there a way of re-using already collected nonces to attack another block?
Final note,
this attack will never be fast enough to be a "drive-by" attack, it will always need physical access to the card.
Offline
I appreciate the advice - I am not attempting to make it a drive by attack, simply trying to make this a research project to improve a few aspects (and learn a lot about the inner workings in the process). I tried performing some improvements to the client code itself but that appears to be fairly negligible as well (like performing multiplies instead of log functions in loops, removing some unnecessary initializations and memcopies within loops).
I'll keep any progress posted. As always suggestions are welcome!
Offline
Is there any way to precompute anything to help with the bruteforcing that would help reduce the time?
Last edited by my_fair_cats_sick (2016-07-16 20:32:46)
Offline
So I have a few ideas but would like to run them by those of you who have already tried, @iceman, @piwi, @blapost
In some cases we may only have 1 sector where we don't know the key. Could we specify more known blocks and key pairs such that the authentication to known good blocks varies? Would that have a positive effect maybe in getting more "good" nonces? One thing I did notice is that the rate of collecting "good" nonces goes down each "SendCommand" as time goes on - is this expected or any ideas why this would be?
total nonces Nonces/cmd Num unique Num unique/cmd
1792 560 1763 543
2352 560 2307 544
2912 560 2847 540
3472 560 3372 525
4032 560 3902 530
4592 560 4422 520
5152 560 4937 515
5712 560 5443 506
6272 560 5955 512
6832 560 6450 495
7392 560 6961 511
7952 560 7456 495
8512 560 7929 473
9072 560 8395 466
9632 560 8867 472
10192 560 9359 492
10752 560 9841 482
11312 560 10325 484
11872 560 10788 463
12432 560 11261 473
12992 560 11710 449
13552 560 12167 457
14112 560 12620 453
14672 560 13073 453
15232 560 13523 450
15792 560 13958 435
16352 560 14391 433
16912 560 14822 431
17472 560 15246 424
18032 560 15676 430
18592 560 16088 412
19152 560 16512 424
19712 560 16944 432
20272 560 17364 420
20832 560 17755 391
21392 560 18170 415
21952 560 18565 395
22512 560 18970 405
23072 560 19376 406
23632 560 19787 411
24192 560 20177 390
24752 560 20548 371
25312 560 20924 376
25872 560 21302 378
26432 560 21672 370
26992 560 22041 369
27552 560 22413 372
28112 560 22787 374
28672 560 23166 379
29232 560 23533 367
29792 560 23871 338
30352 560 24231 360
30912 560 24575 344
31472 560 24941 366
32032 560 25292 351
32592 560 25618 326
33152 560 25939 321
33712 560 26247 308
34272 560 26560 313
34832 560 26870 310
35392 560 27169 299
35952 560 27484 315
36512 560 27836 352
37072 560 28163 327
37632 560 28489 326
38192 560 28784 295
38752 560 29135 351
39312 560 29444 309
39872 560 29757 313
40432 560 30059 302
40992 560 30371 312
41552 560 30665 294
42112 560 30956 291
42672 560 31238 282
43232 560 31524 286
43792 560 31819 295
44352 560 32097 278
44912 560 32394 297
45472 560 32680 286
46032 560 32936 256
46592 560 33230 294
47152 560 33504 274
47712 560 33805 301
48272 560 34063 258
48832 560 34336 273
49392 560 34595 259
49952 560 34859 264
50512 560 35129 270
51072 560 35391 262
51632 560 35643 252
52192 560 35890 247
52752 560 36122 232
53312 560 36371 249
53872 560 36628 257
54432 560 36857 229
54992 560 37109 252
55552 560 37332 223
56112 560 37577 245
56672 560 37803 226
57232 560 38039 236
57792 560 38267 228
58352 560 38476 209
58912 560 38717 241
59472 560 38942 225
60032 560 39177 235
60592 560 39386 209
61152 560 39593 207
61712 560 39812 219
62272 560 40027 215
62832 560 40242 215
Could either of you explain what in fact a "good" nonce is? I know the comments say that it has distinct 1 and 0's but maybe if there is a bit more of a layman's version of that without having to read the paper in detail it would help. I will have to go back and re-read that either way likely to make any real improvement but I wanted to start at a higher level.
Also, would authenticating to other known good sectors and not the same one, decrease the amount of "timeout" needed before trying again? I'm guessing not since a smart card is likely too "dumb" for that, but figured it was worth asking if that is even worth trying.
Let me know if my ideas are way off base or at least something worth trying.
Last edited by my_fair_cats_sick (2016-07-18 00:17:05)
Offline
We are collecting 4 Byte random numbers which are encrypted with the unknown key. Only the first two bytes are used for key space reduction. After having collected some nonces, it becomes more and more likely that we get nonces with the same two first bytes as already collected. Therefore the number of "good" nonces goes down to 0 when we are approaching 65536.
Using other sectors doesn't help because those nonces would be encrypted with another key.
Offline
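The saturation effect described in the reply above can be checked against the table posted earlier in the thread. This is an added example, not code from the thread or from the Proxmark3 client; it assumes the first two bytes of each collected nonce are uniformly distributed over the 65536 possible values, and all function names are hypothetical.

```python
import math

PREFIX_SPACE = 1 << 16  # only the first two nonce bytes matter -> 65536 values


def expected_distinct(n, space=PREFIX_SPACE):
    """Expected number of distinct 2-byte prefixes after n uniform draws."""
    return space * (1.0 - (1.0 - 1.0 / space) ** n)


def expected_new_per_batch(n_before, batch=560, space=PREFIX_SPACE):
    """Expected number of previously unseen prefixes in the next batch."""
    return expected_distinct(n_before + batch, space) - expected_distinct(n_before, space)


def nonces_needed(target_distinct, space=PREFIX_SPACE):
    """Invert the model: draws needed to expect target_distinct prefixes."""
    if not 0 <= target_distinct < space:
        raise ValueError("target must be in [0, space)")
    return math.log(1.0 - target_distinct / space) / math.log(1.0 - 1.0 / space)


# (total nonces, distinct first-two-byte values): rows copied from the
# table posted in the thread.
OBSERVED = [
    (1792, 1763), (5712, 5443), (10192, 9359), (20272, 17364),
    (30352, 24231), (40432, 30059), (50512, 35129), (62832, 40242),
]


def compare(rows=OBSERVED):
    """Return (n, observed, model, relative_error) for each table row."""
    result = []
    for n, seen in rows:
        model = expected_distinct(n)
        result.append((n, seen, round(model), (seen - model) / model))
    return result


if __name__ == "__main__":
    for n, seen, model, err in compare():
        print(f"{n:6d} nonces: observed {seen:6d}, model {model:6d} ({err:+.2%})")
    print(f"new prefixes in batch after 62272 nonces: "
          f"{expected_new_per_batch(62272):.0f}")
```

Under this assumption the model stays within about one percent of every sampled row, so the falling "Num unique/cmd" column is what duplicate two-byte prefixes alone would produce.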
Ok thanks - that makes sense. It was suggested on another thread that authenticating to different blocks (with the proper key) may increase the chances of the attack working as well, or maybe that only was a suggestion to use non-zero blocks. What is the proper block and key used for in this process if the nonce collection is only from the block with the unknown key?
Offline
The attack needs two blocks:
A block for which we know the key already. It doesn't matter which block or which key this is. It is just required to authenticate for this block to be able to then do a nested authentication for another block with the unknown key.
A block for which we try to find out the unknown key. Again, it doesn't matter which block this is, as long as it belongs to the same sector (i.e. requires the same key).
A good portion of the attack is about guessing the Sum property. If we are guessing wrong, then the attack might fail. In this case it is sufficient to repeat the attack with the same parameters. (Of course including the nonce acquisition. Repeating it with pre-acquired nonces will have the same result).
A side note: the attack as published on my github repository is still in conceptual phase because the discussion half a year ago pissed me off. It doesn't implement 2nd byte bitflip properties and the nonce acquisition is somewhat "one size fits all". You should be able to decrease the nonce acquisition time by setting
#define GOOD_BYTES_REQUIRED 10
without too many disadvantages for average problems. Of course it would be best to somehow "predict" how many nonces would be required for a decent key space reduction...
Offline
Great - thanks so much for your detailed reply. I would be happy to help focus on the known areas of needed improvement. I will look into these for a bit and ask more specific questions once I understand the problem further in those areas.
Offline