Research, development and trades concerning the powerful Proxmark3 device.
hf list mf A cool annotation, well done @merlokk!
So, what does this one do? Well, before we had hf list 14a, which gave us an ISO14443-A trace. We have all seen and used it much.
However, Mifare Classic uses a proprietary layer above 14A, which uses Crypto-1 to encrypt the communication.
We have had simple commands, "trydecrypt", mfkey64 with extra bytes, mf_nonce_brut, in order to have a nice smooth decryption of the actual trace.
This has all changed now thanks to Merlokk.
As seen here, the normal hf list 14a output from reading a sector on a Mifare Classic tag.
pm3 --> hf mf rdsc 0 a fc00018778f7
--sector no:0 key type:A key:FC 00 01 87 78 F7
isOk:01
data : 4A 49 04 86 81 88 04 00 C1 85 14 99 65 40 46 12
data : 00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6
data : 00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6
trailer: 00 00 00 00 00 00 78 77 88 41 00 00 00 00 00 00
pm3 --> hf li 14a
Recorded Activity (TraceLen = 314 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16516 | Tag |4a 49 04 86 81 | |
19072 | 29536 | Rdr |93 70 4a 49 04 86 81 3e 95 | ok | SELECT_UID
30788 | 34308 | Tag |08 b6 dd | |
36352 | 41056 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
43076 | 47812 | Tag |5c 39 ea a1 | |
56960 | 66336 | Rdr |86 c1 1e 24! 21 7d! d6 ca! | !crc|
67524 | 72260 | Tag |c5! e5! 2e! 96! | |
77952 | 82656 | Rdr |8c! 44! b5! a7! | !crc|
84036 | 104900 | Tag |09! 1d 09 cb ab 09! 1d! 0e 70! 74! 4a! 09 01 4f 90 9d | |
| | |5b e8! | !crc|
117504 | 122208 | Rdr |9b e6 6b a8! | !crc|
123588 | 144452 | Tag |47! 6d 81 6f 8b 6d 65! 66! 2d 83! 1f! b5! 3e! bb 63! 61! | |
| | |6f ed! | !crc|
157056 | 161760 | Rdr |ff be fd 5d! | !crc|
163140 | 184004 | Tag |c4 2d 32 cc! 04! 63 80! eb 98 80! 1f! b3 5b ce 06! cf | |
| | |13 36! | !crc|
196608 | 201376 | Rdr |5d! bd bd! bd! | !crc|
202692 | 223492 | Tag |a1! da! 7e 14 36 94 89! 53 a2! 11! 75! a4! 5a a6 b4 52 | |
| | |a4! 15! | !crc|
236032 | 240736 | Rdr |c9! 4f 5c 96 | !crc|
pm3 -->
And here we see the new annotation in action.
pm3 --> hf mf rdsc 0 a fc00018778f7
--sector no:0 key type:A key:FC 00 01 87 78 F7
isOk:01
data : 4A 49 04 86 81 88 04 00 C1 85 14 99 65 40 46 12
data : 00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6
data : 00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6
trailer: 00 00 00 00 00 00 78 77 88 41 00 00 00 00 00 00
pm3 --> hf li mf
Recorded Activity (TraceLen = 314 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16516 | Tag |4a 49 04 86 81 | |
19072 | 29536 | Rdr |93 70 4a 49 04 86 81 3e 95 | ok | SELECT_UID
30788 | 34308 | Tag |08 b6 dd | |
36352 | 41056 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
43076 | 47812 | Tag |5c 39 ea a1 | | AUTH: nt
56960 | 66336 | Rdr |86 c1 1e 24 21 7d d6 ca | !crc| AUTH: nr ar (enc)
67524 | 72260 | Tag |c5! e5! 2e! 96! | | AUTH: at (enc)
77952 | 82656 | Rdr |8c 44 b5 a7 | !crc|
| * | key | probable key:fc00018778f7 Prng:WEAK ks2:f99a3df7 ks3:066923a4 | |
| * | dec |30 00 02 A8 | ok | >READBLOCK(0)
84036 | 104900 | Tag |09! 1d 09 cb ab 09! 1d! 0e 70! 74! 4a! 09 01 4f 90 9d | |
| | |5b e8! | !crc|
| * | dec |4A 49 04 86 81 88 04 00 C1 85 14 99 65 40 46 12 F8 30 | ok |
117504 | 122208 | Rdr |9b e6 6b a8 | !crc|
| * | dec |30 01 8B B9 | ok | >READBLOCK(1)
123588 | 144452 | Tag |47! 6d 81 6f 8b 6d 65! 66! 2d 83! 1f! b5! 3e! bb 63! 61! | |
| | |6f ed! | !crc|
| * | dec |00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6 56 F9 | ok |
157056 | 161760 | Rdr |ff be fd 5d | !crc|
| * | dec |30 02 10 8B | ok | >READBLOCK(2)
163140 | 184004 | Tag |c4 2d 32 cc! 04! 63 80! eb 98 80! 1f! b3 5b ce 06! cf | |
| | |13 36! | !crc|
| * | dec |00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6 56 F9 | ok |
196608 | 201376 | Rdr |5d bd bd bd | !crc|
| * | dec |30 03 99 9A | ok | >READBLOCK(3)
202692 | 223492 | Tag |a1! da! 7e 14 36 94 89! 53 a2! 11! 75! a4! 5a a6 b4 52 | |
| | |a4! 15! | !crc|
| * | dec |00 00 00 00 00 00 78 77 88 41 00 00 00 00 00 00 23 B6 | ok |
236032 | 240736 | Rdr |c9 4f 5c 96 | !crc|
| * | dec |50 00 57 CD | ok | >HALT
pm3 -->
Not only does it try to crack the keys on the run, it also tries to do nested authentications, but no, hardnested ones we don't manage yet. This whole new annotation is built upon the decode part from hf mf sniff and J-run's mf_nonce_brut.c.
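As an added example (not the Proxmark3 client's own code), the snippet below re-derives two things the new trace shows: the CRC column, which flags the encrypted reader frames as "!crc" because Crypto-1 ciphertext no longer carries a valid CRC_A, and the ">READBLOCK(n)" / ">HALT" annotation that the client attaches to the decrypted "dec" rows. It parses a constructed excerpt of the trace from the post; the column layout and command names are taken from that trace.

```python
# ISO/IEC 14443-A CRC_A: init 0x6363, reflected poly 0x8408, sent LSB first.
def crc16a(data: bytes) -> bytes:
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

# MIFARE Classic command byte -> name (first byte of a reader frame).
MF_CMDS = {0x30: "READBLOCK", 0xA0: "WRITEBLOCK", 0x60: "AUTH-A", 0x61: "AUTH-B",
           0xC0: "DECREMENT", 0xC1: "INCREMENT", 0xC2: "RESTORE", 0xB0: "TRANSFER"}

def annotate_reader_frame(frame: bytes):
    """(crc_ok, annotation) for a reader frame whose last two bytes are its CRC."""
    body, crc = frame[:-2], frame[-2:]
    crc_ok = len(frame) >= 3 and crc16a(body) == crc
    if body == b"\x50\x00":                        # HALT carries no block number
        return crc_ok, ">HALT"
    if len(body) == 2 and body[0] in MF_CMDS:
        return crc_ok, ">%s(%d)" % (MF_CMDS[body[0]], body[1])
    return crc_ok, ""

def reannotate(trace: str):
    """Walk an hf list mf trace; return [(kind, hex, crc_ok, annotation)] for each
    raw reader frame ('Rdr') and each decrypted row that follows one ('dec')."""
    out, src = [], None
    for line in trace.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or cols[2] not in ("Rdr", "Tag", "dec"):
            continue                               # header, key and wrap rows
        if cols[2] != "dec":
            src = cols[2]                          # "dec" rows belong to the frame above
        if src == "Rdr":
            frame = bytes.fromhex(cols[3].replace("!", ""))  # strip parity marks
            ok, ann = annotate_reader_frame(frame)
            out.append((cols[2], cols[3], ok, ann))
    return out

# Constructed excerpt of the trace in the post: ciphertext on the Rdr rows (hence
# "!crc"), the client's plaintext on the "dec" rows beneath them.
SAMPLE_TRACE = """\
 36352 | 41056 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
 77952 | 82656 | Rdr |8c 44 b5 a7 | !crc|
 | * | dec |30 00 02 A8 | ok | >READBLOCK(0)
 84036 | 104900 | Tag |09! 1d 09 cb ab 09! 1d! 0e 70! 74! 4a! 09 01 4f 90 9d | |
 | * | dec |4A 49 04 86 81 88 04 00 C1 85 14 99 65 40 46 12 F8 30 | ok |
 236032 | 240736 | Rdr |c9 4f 5c 96 | !crc|
 | * | dec |50 00 57 CD | ok | >HALT
"""
```

Running reannotate(SAMPLE_TRACE) reproduces the trace's verdicts: the plaintext AUTH frame and every "dec" row pass CRC_A, while the encrypted reader frames fail it.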
Thanks @merlokk and @iceman . I can't wait to try this out.