Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-06-03 10:27:15

nobody42
Contributor
Registered: 2020-06-03
Posts: 6

incomplete MFC1k dump after autopwn related to FastDumpWithEcFill ?

hi,

i have a MIFARE 1K gym card -

- all data sectors empty
- only sector 14 has data and is crypted with a NON default key
- all other sectors have default keys

i run "hf mf autopwn" all keys are recovered (also the secret sector 14 key)
autopwn is then also dumping the card ("downloading the card content from emulator memory")

BUT sector 14 is empty after this way of dumping.

when i dump with "hf mf dump 1" after i get a correct dump of the full card including sector 14 data

i tried to follow in source to

// use ecfill trick
FastDumpWithEcFill(sectors_cnt);

is here maybe something going wrong with "fast" dumping ?

or can maybe someone explain what i am doing wrong ?

kind regards
nobody

Offline

#2 2020-06-03 11:11:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: incomplete MFC1k dump after autopwn related to FastDumpWithEcFill ?

You need to post your output from running the commands to help understanding what is happening.

Offline

#3 2020-06-03 11:48:34

nobody42
Contributor
Registered: 2020-06-03
Posts: 6

Re: incomplete MFC1k dump after autopwn related to FastDumpWithEcFill ?

UID is replaced by XXXXXXXX

[usb] pm3 --> hf mf autopwn
[!] no known key was supplied, key recovery might fail
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1

[=] Chunk: 0.8s | found 31/32 keys (23)

[=] running strategy 2

[=] Chunk: 0.6s | found 31/32 keys (23)

[+] target sector:  0 key type: A -- found valid key [A0 A1 A2 A3 A4 A5 ] (used for nested / hardnested attack)
[+] target sector:  0 key type: B -- found valid key [B0 B1 B2 B3 B4 B5 ]
[+] target sector:  1 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  1 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  2 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  2 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  3 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  3 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  4 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  4 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  5 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  5 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  6 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  6 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  7 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  7 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  8 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  8 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  9 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector:  9 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 10 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 10 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 11 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 11 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 12 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 12 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 13 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 13 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 14 key type: A -- found valid key [A0 A1 A2 A3 A4 A5 ]
[+] target sector: 15 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 15 key type: B -- found valid key [FF FF FF FF FF FF ]
[+] target block: 56 key type: B
[-] Nested attack failed, trying again (1/10)
[+] target block: 56 key type: B
[-] Nested attack failed, trying again (2/10)
[+] Found 1 key candidates
[+] target block: 56 key type: B  -- found valid key [00 00 86 27 C1 0A ]
[+] target sector: 14 key type: B -- found valid key [00 00 86 27 C1 0A ]

[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | a0a1a2a3a4a5   | D | b0b1b2b3b4b5   | D |
[+] | 001 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 002 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 003 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 004 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 005 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 006 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 007 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 008 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 009 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 010 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 011 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 012 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 013 | ffffffffffff   | D | ffffffffffff   | D |
[+] | 014 | a0a1a2a3a4a5   | D | 00008627c10a   | N |
[+] | 015 | ffffffffffff   | D | ffffffffffff   | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / A:keyA )

[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-XXXXXXXX-key-1.bin--> 0xffffffffffff has been inserted for unknown keys
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
#db# Cmd Error: 04
#db# Cmd Error: 04
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-XXXXXXXX-dump-1.bin
[+] saved 64 blocks to text file hf-mf-XXXXXXXX-dump-1.eml
[+] saved to json file hf-mf-XXXXXXXX-dump-1.json
[=] autopwn execution time: 7 seconds
[usb] pm3 -->
[usb] pm3 --> hf mf dump 1
[=] Reading sector access bits...
................
[+] Finished reading sector access bits
[=] Dumping all blocks from card...
[+] successfully read block  0 of sector  0.
[+] successfully read block  1 of sector  0.
[+] successfully read block  2 of sector  0.
[+] successfully read block  3 of sector  0.
[+] successfully read block  0 of sector  1.
[+] successfully read block  1 of sector  1.
[+] successfully read block  2 of sector  1.
[+] successfully read block  3 of sector  1.
[+] successfully read block  0 of sector  2.
[+] successfully read block  1 of sector  2.
[+] successfully read block  2 of sector  2.
[+] successfully read block  3 of sector  2.
[+] successfully read block  0 of sector  3.
[+] successfully read block  1 of sector  3.
[+] successfully read block  2 of sector  3.
[+] successfully read block  3 of sector  3.
[+] successfully read block  0 of sector  4.
[+] successfully read block  1 of sector  4.
[+] successfully read block  2 of sector  4.
[+] successfully read block  3 of sector  4.
[+] successfully read block  0 of sector  5.
[+] successfully read block  1 of sector  5.
[+] successfully read block  2 of sector  5.
[+] successfully read block  3 of sector  5.
[+] successfully read block  0 of sector  6.
[+] successfully read block  1 of sector  6.
[+] successfully read block  2 of sector  6.
[+] successfully read block  3 of sector  6.
[+] successfully read block  0 of sector  7.
[+] successfully read block  1 of sector  7.
[+] successfully read block  2 of sector  7.
[+] successfully read block  3 of sector  7.
[+] successfully read block  0 of sector  8.
[+] successfully read block  1 of sector  8.
[+] successfully read block  2 of sector  8.
[+] successfully read block  3 of sector  8.
[+] successfully read block  0 of sector  9.
[+] successfully read block  1 of sector  9.
[+] successfully read block  2 of sector  9.
[+] successfully read block  3 of sector  9.
[+] successfully read block  0 of sector 10.
[+] successfully read block  1 of sector 10.
[+] successfully read block  2 of sector 10.
[+] successfully read block  3 of sector 10.
[+] successfully read block  0 of sector 11.
[+] successfully read block  1 of sector 11.
[+] successfully read block  2 of sector 11.
[+] successfully read block  3 of sector 11.
[+] successfully read block  0 of sector 12.
[+] successfully read block  1 of sector 12.
[+] successfully read block  2 of sector 12.
[+] successfully read block  3 of sector 12.
[+] successfully read block  0 of sector 13.
[+] successfully read block  1 of sector 13.
[+] successfully read block  2 of sector 13.
[+] successfully read block  3 of sector 13.
[+] successfully read block  0 of sector 14.
[+] successfully read block  1 of sector 14.
[+] successfully read block  2 of sector 14.
[+] successfully read block  3 of sector 14.
[+] successfully read block  0 of sector 15.
[+] successfully read block  1 of sector 15.
[+] successfully read block  2 of sector 15.
[+] successfully read block  3 of sector 15.
[+] time: 18 seconds


[+] Succeeded in dumping all blocks

[+] saved 1024 bytes to binary file hf-mf-XXXXXXXX-dump-2.bin
[+] saved 64 blocks to text file hf-mf-XXXXXXXX-dump-2.eml
[+] saved to json file hf-mf-XXXXXXXX-dump-2.json
[usb] pm3 -->

sector 14 in 1st dump (hf-mf-XXXXXXXX-dump-1.bin):

00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
A0A1A2A3A4A50000000000008627C10A

sector 14 in 2nd dump (hf-mf-XXXXXXXX-dump-2.bin)

05640000060000000000000000000000
0000000000FFFF670000000000000000
00000000000000000000000000000000
A0A1A2A3A4A50F00FFAA00008627C10A

Offline

#4 2020-06-03 17:48:14

nobody42
Contributor
Registered: 2020-06-03
Posts: 6

Re: incomplete MFC1k dump after autopwn related to FastDumpWithEcFill ?

so summazied: ist that expected behaviour or should i get the same results for both dumps ?

tnx !

Offline

Board footer

Powered by FluxBB