Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-04-28 16:36:57

Pancakes
Contributor
Registered: 2017-04-28
Posts: 6

How to compile Mfkey?

EDIT: Please see response post for more information.

Hi there. Noob question.

I have downloaded mfkey from the github and tried compiling in visual studio with no success. Can't seem to find a compiled mfkey or tutorial anywhere.

Any help is appreciated.

Last edited by Pancakes (2017-04-29 16:15:11)

Offline

#2 2017-04-28 20:29:05

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: How to compile Mfkey?

I know one "mfkey" as part of the Proxmark SW

From where you download, do you get also common, crapto1 and client directories

As you see here is the content of the Makefile to compile mfkey. they are needed too.

"VPATH = ../../common ../../common/crapto1 ../../client
CC = gcc
LD = gcc
CFLAGS = -std=c99 -D_ISOC99_SOURCE -I../../common -I../../client -Wall -O3
LDFLAGS =

OBJS = crypto1.o crapto1.o parity.o util.o mfkey.o
EXES = mfkey32 mfkey64
WINEXES = $(patsubst %, %.exe, $(EXES))

all: $(OBJS) $(EXES)

%.o : %.c
    $(CC) $(CFLAGS) -c -o $@ $<

% : %.c $(OBJS)
    $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS) $<

clean:
    rm -f $(OBJS) $(EXES) $(WINEXES)
"

Offline

#3 2017-04-29 16:07:56

Pancakes
Contributor
Registered: 2017-04-28
Posts: 6

Re: How to compile Mfkey?

Thanks for your reply ntk. I have found that makefile before but I don't understand what it means and what I should do next.

Let me start from the beginning. This is the key I need to duplicate.

g0WCJZW.png

So I have followed Gator's setup video: https://www.youtube.com/watch?v=I4N3fq87lAk
I'm running on the new Gator proxspace environment. With the newest Iceman fork installed and the usual commands such as hf mf and hf 14a sniff are working fine on the Proxmark3. You can see in the image below that everything seems to be running smoothly.

6mG06dR.png

Unfortunately my card is not vulnerable to nested attacks. Which means I will need to do some hardnested attacks once I have obtained a key through sniffing?

I have been sniffing traffic between authenticated key and a reader. Now my understanding is I now need to use mfkey or crapto1 to decrypt a key? When I try to open the mfkey64.exe or mfkey32.exe in this folder they close immediately.

4fqrXR1.png

If anyone can tell me exactly what I need to do from here? I am not familiar with GNU bash and have no idea what this makefile does. Any help is greatly appreciated..

Thanks.

Offline

#4 2017-04-29 16:44:17

gator96100
Contributor
From: Austria
Registered: 2016-03-25
Posts: 177

Re: How to compile Mfkey?

The reason why mfkey64.exe closes immediately is because it is a console application, you are not supposed to open them with a double click, instead open a command terminal and call mfkey64 with the required parameters.
How do you know your card is not vulnerable to nested attacks without having a key?
Did you check the default keys (90% of the time at least 1 key is a default key)?

Offline

#5 2017-04-29 18:26:30

Pancakes
Contributor
Registered: 2017-04-28
Posts: 6

Re: How to compile Mfkey?

gator96100 wrote:

The reason why mfkey64.exe closes immediately is because it is a console application, you are not supposed to open them with a double click, instead open a command terminal and call mfkey64 with the required parameters.
How do you know your card is not vulnerable to nested attacks without having a key?
Did you check the default keys (90% of the time at least 1 key is a default key)?

Thanks Gator for the help. What is the command to call / run? I know 'script run' works for scripts but I can't seem to find how to call .exe files.

I have indeed checked all default keys and found that there are multiple ffffffffffff keys and two a0a1a2a3a4a5 keys. You can see this in the screenshot below:

kg44vmU.png

Unfortunately when I try a nested attack on any of these keys the result is always the following:

3lqt86i.png

Sniffing results:

This leads me to believe that sniffing and then a hard nested attack would be the best course of action. Now I'm just stuck on how to use mfkey64.

Thankyou.

Last edited by Pancakes (2017-04-29 18:49:32)

Offline

#6 2017-04-29 18:57:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: How to compile Mfkey?

iceman fork:

cd tools/mfkey
make
./mfkey64

PM3 Master

make mfkey
cd tools/mfkey
./mfkey64

Offline

#7 2017-04-29 18:58:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: How to compile Mfkey?

if you run icemanfork with hf mf chk  you'll see a nice printout of found keys.  Looks like chk finds most of your keys

Offline

#8 2017-04-29 19:13:50

gator96100
Contributor
From: Austria
Registered: 2016-03-25
Posts: 177

Re: How to compile Mfkey?

I am not sure why you want to sniff a key and then run a hardnested attack, you alredy have keys that can be used for hardnested.

Offline

#9 2017-04-30 15:56:53

Pancakes
Contributor
Registered: 2017-04-28
Posts: 6

Re: How to compile Mfkey?

gator96100 wrote:

I am not sure why you want to sniff a key and then run a hardnested attack, you alredy have keys that can be used for hardnested.

That's a good point thanks Gator. I ran the following hardnested attack yesterday:
hf mf hardnested 3 A a0a1a2a3a4a5 7 A w
I know block 3 key type A is a0a1a2a3a4a5. But I don't know block 7 key type A so I decided to attack that block.

I let it run for a few hours with no success. It didn't fail but seemed to decrease in speed substantially (it took longer and longer to obtain nonces) until I eventually gave up. Perhaps I should let it attack for a few days? It has to find the key eventually right?

iceman wrote:

iceman fork:

cd tools/mfkey
make
./mfkey64

PM3 Master

make mfkey
cd tools/mfkey
./mfkey64

Thanks once again iceman. Unfortunately mfkey doesn't seem to be functioning correctly for me. For example I collected the following trace:

received trace len: 460 packages: 1
RDR(0):ff ff ee 34 3e ca 00 00 00 00 00 00 04 00 08 ff ff
RDR(1):60 00 f5 7b
TAG(2):f0 bf 34 79
RDR(3):28 05 8c ca dd 4c 3e f5
TAG(4):12 70 66 70
RDR(5):1d 24 3c aa
TAG(6):0c c5 c9 d4 fe 61 8c db 48 55 62 80 15 d7 c3 1e 68 4b
RDR(7):61 47 68 f0
TAG(8):18 d5 56 71 50 e2 9e cd c6 5f cf ad 18 be da aa e8 21
RDR(9):c6 19 de fc
TAG(10):20 0d 34 83 53 5a 63 56 92 4d fd 2f 66 47 65 04 4c 8c
RDR(11):ec 38 1c 6f
TAG(12):4d 70 2c e2
RDR(13):27 c4 c3 60 7f 90 24 26
TAG(14):a8 9c c5 6a
RDR(15):84 58 d5 aa
TAG(16):c2 74 dc d6
RDR(17):ff ff ee 34 3e ca 00 00 00 00 00 00 04 00 08 ff ff
RDR(18):61 18 e4 fe
TAG(19):41 65 d4 e2
RDR(20):92 62 c0 9c d6 11 a8 85
TAG(21):10 53 ac 1d
RDR(22):7a 97 9c 73
TAG(23):07 b2 52 39 16 5f d9 54 fb da db a7 25 9d 73 f4 de f0
RDR(24):98 c7 1c a2
TAG(25):3d fd 59 f3 b0 76 0a 87 b7 06 f8 74 4e ff db 0a 22 09
cancelled by button
#db# maxDataLen=2, Uart.state=0, Uart.len=0

If I'm not mistaken this should be the mfkey command for this trace:

./mfkey64 ee 34 3e ca f0 bf 34 79 28 05 8c ca dd 4c 3e f5 12 70 66 70 1d 24 3c aa c2 74 dc d6 ff ff ee 34 3e ca 00 00 00 00 00 00 04 00 08 ff ff 61 18 e4 fe 41 65 d4 e2 92 62 c0 9c d6 11 a8 85 10 53 ac 1d 7a 97 9c 73 07 b2 52 39 16 5f d9 54 fb da db a7 25 9d 73 f4 de f0 98 c7 1c a2 3d fd 59 f3 b0 76 0a 87 b7 06 f8 74 4e ff db 0a 22 09

However when I run the task the uid,nt,nr,ar and at values are always read incorrectly.

s0sMTJv.png

Furthermore no matter what trace I put in I always seem to end up with the same key, which is definitely not a correct key.

lDYMBEB.png

This is definitely not a correct key. As proven with a hf mf chk.

howqa8s.png

This leads me to think that my Proxspace is not configured correctly as mfkey clearly isn't working. I noticed that in Gator's tutorial that he does not edit the 'runme' file to change the installation paths before entering 'make all' during setup. Perhaps this is the issue.

2UZdns2.png

Thanks for the support. Will throw a donation your way sometime.

Offline

#10 2017-04-30 16:19:50

Pancakes
Contributor
Registered: 2017-04-28
Posts: 6

Re: How to compile Mfkey?

Just tried hardnested again today (hf mf hardnested 3 A a0a1a2a3a4a5 7 A w). Unfortunately it always seems to crash at the start of the brute force phase.

Hq9bSJc.png

bootrom and os info. Trying various iceman builds. The newest build from Gator's thread (https://drive.google.com/drive/u/0/folders/0B03wIb-JZ6VQOUJQQVI5NUN2bWc) doesn't even have hardnested included:

uTLl8fm.png

Offline

#11 2017-04-30 20:48:05

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: How to compile Mfkey?

... and that you call "a noob question" ....

How many blocks are in a sectors ?

hf mf hardnested 3 A a0a1a2a3a4a5 7 A w

Is that, "I know block 3 key type A is a0a1a2a3a4a5. But I don't know block 7 key type A so I decided to attack that block.", what the command above will do?

Last edited by ntk (2017-04-30 20:50:40)

Offline

#12 2017-04-30 21:58:08

gator96100
Contributor
From: Austria
Registered: 2016-03-25
Posts: 177

Re: How to compile Mfkey?

Pancakes wrote:

I let it run for a few hours with no success. It didn't fail but seemed to decrease in speed substantially

All my builds as well as when you compile with my ProxSpace env will be 32 bit applications, this will be a problem when a hardnested attack takes longer as it will exceed the 1.5GB Memory limit. You should see a out of memory exception when the brute force begins. The collection of nonces will go on and you end up in an endless loop. To solve this it is recommended to run a Linix distribution on a live stick/in a VM.

Pancakes wrote:

This leads me to think that my Proxspace is not configured correctly as mfkey clearly isn't working. I noticed that in Gator's tutorial that he does not edit the 'runme' file to change the installation paths before entering 'make all' during setup. Perhaps this is the issue.

The runme need no changes all paths are relative to where your Proxspace is located.

Pancakes wrote:

If I'm not mistaken this should be the mfkey command for this trace:

The mfkey commands paramters are wrong, they need to be in this format(no spaces in the uid,nt,...): ./mfkey32 <uid> <nt> <nr_0> <ar_0> <nr_1> <ar_1>
Have a look at some examples: example_trace.txt

Pancakes wrote:

Just tried hardnested again today (hf mf hardnested 3 A a0a1a2a3a4a5 7 A w). Unfortunately it always seems to crash at the start of the brute force phase.
.
.
.
bootrom and os info. Trying various iceman builds. The newest build from Gator's thread (https://drive.google.com/drive/u/0/folders/0B03wIb-JZ6VQOUJQQVI5NUN2bWc) doesn't even have hardnested included:

I retested the hardnested command and it's still working and included in my iceman builds. What is different in your setup than before? Are you sure you are running the client with the corresponding firmware, as this would explain crashes and the none existing hardnested command?

ntk wrote:

... and that you call "a noob question" ....

How many blocks are in a sectors ?

There are 4 blocks per sector(always starting at 0). The command will run a hardnested attack on block 7(sector 1 block 3) key A with the known A key from block 3 (sector 0 block 3)

Last edited by gator96100 (2017-04-30 22:16:52)

Offline

#13 2017-05-01 13:45:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: How to compile Mfkey?

don't call mfkey64 with spaces...  you need to keep the numbers grouped accordingly to uint32.  Look at the example_trace.txt.

Offline

#14 2017-05-02 10:40:23

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: How to compile Mfkey?

@gator96100

There are 4 blocks per sector(always starting at 0). The command will run a hardnested attack on block 7(sector 1 block 3) key A with the known A key from block 3 (sector 0 block 3)

Thank you for your explanation. I am all ear, and found your words very imaginative.

Offline

Board footer

Powered by FluxBB