Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2016-05-05 13:13:22

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Changing Security Level of Mifare Plus cards to test HardNested

Has anyone acquired factory-fresh MF Plus cards for testing HardNested? Can the Proxmark configure cards as well? Otherwise, can someone suggest some open software + reader with which we can commission test cards for this sort of thing? Or is everyone testing with a known commissioned card?

Sorry a bit new to proxmark world - let me know if this has been answered elsewhere.


#2 2016-05-05 18:01:57

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

Re: Changing Security Level of Mifare Plus cards to test HardNested

Quite an interesting topic! What about catching AES keys during the transition between SL1 and SL2 using snoop?


#3 2016-05-05 18:24:22

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: Changing Security Level of Mifare Plus cards to test HardNested

Can anyone help in describing what I would need to change the security level? A real wall reader with the real configuration software, or can the PM3 send the command to change security levels?


#4 2016-05-05 18:46:00

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

Re: Changing Security Level of Mifare Plus cards to test HardNested

As far as I can see, there is no special command for the PM3 to raise the SL. You may want to try to snoop the communication while raising the SL and proceed with the analysis of the communication bytes.


#5 2016-05-05 19:22:35

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: Changing Security Level of Mifare Plus cards to test HardNested

Makes sense - so it seems I need a reader and configuration software to raise the SL. Does anyone know something cheap off eBay (a used wall reader?) I can get to do this, or whether it can be done with the cheap SLC readers and open source tools?


#6 2016-05-05 19:31:41

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

Re: Changing Security Level of Mifare Plus cards to test HardNested

A long way to go. I personally haven't seen any examples to do this. You may want to snoop the communication during level up right at the place.


#7 2016-05-06 05:01:12

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: Changing Security Level of Mifare Plus cards to test HardNested

Once again - I have never commissioned a card, nor do I have anything but a PM3 - so any direction in moving from SL0 to SL1 is appreciated from the forum, even if that means a datasheet with raw 14443A command structures for these types of commands, or what hardware I would need beyond the Proxmark.

Also, any help in finding a place to acquire a used/programmed mifare plus SL1 card is appreciated as well!


#8 2016-05-06 06:49:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Changing Security Level of Mifare Plus cards to test HardNested

Sorry, I haven't seen a full datasheet showing what the Mifare commands look like when changing SL modes.

Using your google-fu for "mifare plus full data sheet" should be a beginning.


#9 2016-05-07 17:39:00

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

Re: Changing Security Level of Mifare Plus cards to test HardNested

Is SAM storage/module support available using the PM3? If changing the SL is somehow feasible using the PM3, at a certain level a SAM will be required.


#10 2016-06-03 12:23:27

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

Re: Changing Security Level of Mifare Plus cards to test HardNested

Gents,

I've found some information on Mifare Plus operational stuff, including commands and operating with security levels in particular.
https://www.idrive.com/idrive/sh/sh?k=b9w8g1h2a6

Last edited by osys (2016-06-03 12:25:35)


#11 2016-06-28 21:04:32

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: Changing Security Level of Mifare Plus cards to test HardNested

I was able to capture the transition from SL0 to SL1 (maybe I missed a few transactions; I can do more). But I still don't have a card which is vulnerable to HardNested: it cannot auth to the card during the attack even though I know the keys. However, it appears this is only making AES keys, not 100% backwards compatible with Classic AND using AES.

I assume the Mifare Plus has the capability to be used as a transitional card, where there can be an old CRYPTO1 app/keys for old readers, and AES for the new readers?

In any case, here is my attempt to move a card from SL0 to SL1:

hf list 14a
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# cancelled by button
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=427, Uart.output[0]=0000000a
Recorded Activity (TraceLen = 427 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

       Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
 ------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
           0 |       1056 | Rdr | 26                                                              |     | REQA
        2260 |       4628 | Tag | 04  00                                                          |     |
        8192 |      10656 | Rdr | 93  20                                                          |     | ANTICOLL
       11860 |      17748 | Tag | a6  d3  31  4c  08                                              |     |
       24320 |      33888 | Rdr | 93  70  a6  d3  31  4c  08  89  02                              | !crc| SELECT_UID
  -198150336 | -198150048 | Rdr |00!                                                              |     | ?
       36036 |      39620 | Tag | 20  fc  70                                                      |     |
       47428 |      63684 | Tag | 0c  75  77  80  02  c1  05  2f  2f  00  35  c7  60  d3          |  ok |
   570462528 |  570489184 | Rdr | 0a  08  a8  00  90  00  00  00  00  00  00  00  00  00  00  00  |     | * 0x9000 Card Master Key
             |            |     | 00  00  00  00  00  2a  e9                                      |  ok | ?
   570688004 |  570693892 | Tag | 0a  08  90  27  8c                                              |     |
  1292093456 | 1292120112 | Rdr | 0b  08  a8  01  90  11  11  11  11  11  11  11  11  00  00  00  |     | * 0x9001 Card Config Key
             |            |     | 00  00  00  00  00  f2  ec                                      |  ok | ?
  1292318788 | 1292324676 | Tag | 0b  08  90  fb  d6                                              |     |
  1515023216 | 1515049872 | Rdr | 0a  08  a8  02  90  11  11  11  11  11  11  11  11  11  11  11  |     | * 0x9002 Level2 Switch Key(NA)
             |            |     | 11  11  11  11  11  f0  5e                                      |  ok | ?
  1515058244 | 1515064132 | Tag | 0a  08  09  6f  85                                              |     |
 -1696103312 | -1696076720| Rdr | 0b  08  a8  03  90  aa  bb  cc  dd  ee  ff  00  00  00  00  aa  |     | * 0x9003 Level3 Switch Key
             |            |     | bb  cc  dd  ee  ff  86  aa                                      |  ok | ?
 -1695877708 | -1695871820| Tag | 0b  08  90  fb  d6                                              |     |
 -1368682928 | -1368656272| Rdr | 0a  08  a8  03  90  aa  bb  cc  dd  ee  ff  00  00  00  00  aa  |     | * 0x9004 SL1 Card Auth Key
             |            |     | bb  cc  dd  ee  ff  ea  9d                                      |  ok | ?
 -1368457468 | -1368451580| Tag | 0a  08  90  27  8c                                              |     |
 -1243767136 | -1243740544| Rdr | 0b  08  a8  04  90  aa  bb  cc  dd  ee  ff  00  00  00  00  aa  |     | *Commit Perso
             |            |     | bb  cc  dd  ee  ff  11  50                                      |  ok | ?
 -1243541660 | -1243535772| Tag | 0b  08  90  fb  d6                                              |     |
 -1059605648 | -1059599792| Rdr | 0a  08  aa  fe  12                                              |  ok | ?
 -1059383372 | -1059377484| Tag | 0a  08  90  27  8c                                              |     |

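As an added example (not Proxmark3 code, nor the poster's), here is a Python decoder for the capture above: it parses the trace rows, re-computes CRC_A for each ISO14443-4 I-block, and reads the Write Perso block number and the card's status byte from the frame bytes rather than from the hand-written annotations. It assumes the frame layout visible in the capture (PCB 0x0A/0x0B, CID, payload, CRC_A), treats only status 0x90 as success, and does not interpret other status codes.

```python
# Added example (not Proxmark3 code): decode Mifare Plus SL0 personalisation frames
# from a Proxmark3 'hf list 14a' trace, re-computing CRC_A instead of trusting 'ok'.
WRITE_PERSO, COMMIT_PERSO, STATUS_OK = 0xA8, 0xAA, 0x90  # 0x90 = card's success reply

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (init 0x6363, reflected poly 0x8408), sent LSB first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def parse_trace(text: str):
    """[(src, frame)] from the table; a row with empty Start/Src continues the previous frame."""
    frames, hexbytes = [], lambda s: [int(t.rstrip('!'), 16) for t in s.split()]  # '!' = parity error
    for line in text.splitlines():
        cols = [c.strip() for c in line.split('|')]
        if len(cols) > 3 and cols[2] in ('Rdr', 'Tag'):
            frames.append([cols[2], hexbytes(cols[3])])
        elif len(cols) > 3 and cols[0] == cols[2] == '' and frames:
            frames[-1][1].extend(hexbytes(cols[3]))
    return [(src, bytes(b)) for src, b in frames]

def decode_perso(frames):
    """ISO14443-4 I-blocks (PCB 0x0A/0x0B, CID, payload, CRC_A); Write Perso = 0xA8 +
    little-endian block number + 16 data bytes, Commit Perso = bare 0xAA."""
    events = []
    for src, f in frames:
        if len(f) < 5 or (f[0] & 0xFE) != 0x0A:  # REQA, UID, ATS etc. are skipped
            continue
        body = f[2:-2]
        ev = {'src': src, 'crc_ok': crc_a(f[:-2]) == f[-2:], 'cmd': None}
        if src == 'Rdr' and body[0] == WRITE_PERSO and len(body) == 19:
            ev.update(cmd='write_perso', block=body[1] | body[2] << 8, data=body[3:].hex())
        elif src == 'Rdr' and body == bytes([COMMIT_PERSO]):
            ev['cmd'] = 'commit_perso'
        elif src == 'Tag' and len(body) == 1:  # single status byte from the card
            ev.update(cmd='status', ok=body[0] == STATUS_OK, code=body[0])
        events.append(ev)
    return events

# Rows excerpted from the capture in the post above; column spacing is irrelevant.
SAMPLE = """\
 570462528 | 570489184 | Rdr | 0a 08 a8 00 90 00 00 00 00 00 00 00 00 00 00 00 |    | * 0x9000 Card Master Key
           |           |     | 00 00 00 00 00 2a e9                            | ok | ?
 570688004 | 570693892 | Tag | 0a 08 90 27 8c                                  |    |
1515023216 |1515049872 | Rdr | 0a 08 a8 02 90 11 11 11 11 11 11 11 11 11 11 11 |    | * 0x9002 Level2 Switch Key(NA)
           |           |     | 11 11 11 11 11 f0 5e                            | ok | ?
1515058244 |1515064132 | Tag | 0a 08 09 6f 85                                  |    |
-1059605648|-1059599792| Rdr | 0a 08 aa fe 12                                  | ok | ?
-1059383372|-1059377484| Tag | 0a 08 90 27 8c                                  |    |
"""
```

Because block numbers and CRCs are taken from the frame bytes, the decoded sequence can disagree with the annotations; run `decode_perso(parse_trace(...))` over the full capture to see which frames verify and which block each write actually targets.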