Research, development and trades concerning the powerful Proxmark3 device.
Hi everyone, and thanks Iceman for granting write permissions!
As this is (after the introduction) my first post, please try to be patient .... ;-)
I've owned a PM3 RDV2 for a few days. I've followed the wiki and flashed the latest GitHub version to the device:
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-377-gfdee1ff-suspect 2018-07-07 13:40:18
os: master/v3.0.1-377-gfdee1ff-suspect 2018-07-07 13:40:19
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 201676 bytes (38%). Free: 322612 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Now, as a first step, I'm trying to find keys for that card:
proxmark3> hf search
UID : ** d* *b a*
ATQA : 00 02
SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDENED (hardnested)
Valid ISO14443A Tag Found - Quiting Search
I've searched the forum a bit and read this and that topic.
First I tried:
proxmark3> hf mf hardnested 0 A a0a1a2a3a4a5 4 A
--target block no: 4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
Using AVX SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX SIMD core | |
0 | 0 | Brute force benchmark: 236 million (2^27,8) keys/s | 140737488355328 | 7d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 7d
6 | 112 | Apply bit flip properties | 10427863924736 | 12h
7 | 224 | Apply bit flip properties | 8847993339904 | 10h
8 | 336 | Apply bit flip properties | 8513965785088 | 10h
9 | 447 | Apply bit flip properties | 8412162162688 | 10h
10 | 557 | Apply bit flip properties | 8412162162688 | 10h
10 | 665 | Apply bit flip properties | 8378623459328 | 10h
11 | 775 | Apply bit flip properties | 8378623459328 | 10h
12 | 884 | Apply bit flip properties | 8378623459328 | 10h
13 | 993 | Apply bit flip properties | 8378623459328 | 10h
15 | 1105 | Apply Sum property. Sum(a0) = 0 | 142307000320 | 10min
15 | 1216 | Apply bit flip properties | 142307000320 | 10min
16 | 1325 | Apply bit flip properties | 142307000320 | 10min
17 | 1436 | Apply bit flip properties | 122364919808 | 9min
18 | 1544 | Apply bit flip properties | 117800845312 | 8min
18 | 1655 | Apply bit flip properties | 114275516416 | 8min
19 | 1762 | Apply bit flip properties | 113346232320 | 8min
20 | 1872 | Apply bit flip properties | 113346232320 | 8min
21 | 1982 | Apply bit flip properties | 113346232320 | 8min
22 | 2090 | Apply bit flip properties | 112378781696 | 8min
23 | 2199 | Apply bit flip properties | 112103956480 | 8min
24 | 2308 | Apply bit flip properties | 112103956480 | 8min
24 | 2413 | Apply bit flip properties | 111876759552 | 8min
25 | 2413 | (1. guess: Sum(a8) = 0) | 111876759552 | 8min
31 | 2413 | Apply Sum(a8) and all bytes bitflip properties | 24139712512 | 2min
236 | 2413 | Brute force phase completed. Key found: ffffffffffff | 0 | 0s
proxmark3>
Unfortunately, that useless key didn't help me with
proxmark3> hf mf chk 0 A ffffffffffff default_keys.dic
chk key[ 0] ffffffffffff
chk custom key[ 1] ffffffffffff
chk custom key[ 2] 000000000000
chk custom key[ 3] a0a1a2a3a4a5
chk custom key[ 4] b0b1b2b3b4b5
chk custom key[ 5] c0c1c2c3c4c5
chk custom key[ 6] d0d1d2d3d4d5
chk custom key[ 7] aabbccddeeff
chk custom key[ 8] 4d3a99c351dd
chk custom key[ 9] 1a982c7e459a
...
chk custom key[474] 6a1987c40a21
chk custom key[475] 7f33625bc129
chk custom key[476] de1fcbec764b
Found valid key:[0:A]a0a1a2a3a4a5
proxmark3>
with the keyfile from Iceman's repository.
Is the only way to gather valid keys to snoop/sniff the interactions of the card with the reader?
Best regards,
JD.