Research, development and trades concerning the powerful Proxmark3 device.
hi
1) Is there a way to read data from all sectors (encrypted card) at once using "hf mf rdsc"? Just like this picture below.
If not, I hope this command will be implemented in the new Proxmark3 release:
hf mf rdsc * * keys.dic (similar to hf mf chk)
2) there are 16 sectors a 4 blocks, total 64 blocks. each block has 16 hex a 2 bytes
16x4x32 = 2048bytes
the dump file from hf mf dump:
dumpdata.bin 1024bytes
I wonder why the dump is only 1024bytes?
proxmark3> hf search
UID : 1b 36 fc 49
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
proxmark3> hf mf chk *1 ? d
--chk keys. sectors:16, block no: 0, key type:?, eml:n, dmp=y checktimeout=471 us
--o
|---|----------------|----------------|
|sec|key A |key B |
|---|----------------|----------------|
|000| b7129a511266 | b0b1b2b3b4b5 |
|001| ffffffffffff | ffffffffffff |
|002| ffffffffffff | ffffffffffff |
|003| ffffffffffff | ffffffffffff |
.....
|014| ffffffffffff | ffffffffffff |
|015| ffffffffffff | ffffffffffff |
|---|----------------|----------------|
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.
proxmark3> hf mf rdsc 1 A FFFFFFFFFFFF
--sector no:1 key type:A key:ff ff ff ff ff ff
isOk:01
data : 74 20 3f d3 93 fe 19 33 93 f0 e9 e6 cd e4 31 8b
data : a2 67 c7 1b fa 26 de e4 f5 ee cf 63 e3 46 92 7f
data : 83 2b 2c 45 61 c7 88 10 50 cd 11 46 92 9d d2 e8
trailer: 00 00 00 00 00 00 f7 8f 00 5a 00 00 00 00 00 00
Trailer decoded:
Access block 4: read AB; write AB; increment AB; decrement transfer restore AB
Access block 5: read AB; write AB; increment AB; decrement transfer restore AB
Access block 6: read AB; write AB; increment AB; decrement transfer restore AB
Access block 7: write A by B; read ACCESS by AB; write B by B
UserData: 5a
proxmark3> hf mf rdsc 9 A FFFFFFFFFFFF
--sector no:9 key type:A key:ff ff ff ff ff ff
isOk:01
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 1a e5 0a 01 42 91 71 81 20 04 e4 80 80 01 00
data : 43 97 9a d2 92 fb 23 29 0f f9 ea 70 fc 8c a5 46
trailer: 00 00 00 00 00 00 f7 8f 00 5a 00 00 00 00 00 00
Trailer decoded:
Access block 36: read AB; write AB; increment AB; decrement transfer restore AB
Access block 37: read AB; write AB; increment AB; decrement transfer restore AB
Access block 38: read AB; write AB; increment AB; decrement transfer restore AB
Access block 39: write A by B; read ACCESS by AB; write B by B
UserData: 5a
proxmark3> hf mf rdsc 4 B FFFFFFFFFFFF
--sector no:4 key type:B key:ff ff ff ff ff ff
isOk:01
data : a0 22 f5 dc 06 8f 6e b3 fa 56 05 2e 4b 07 e4 d0
data : 81 83 8d 2c 8d 3a 9c 77 a2 33 4c e3 e5 c8 8a 66
data : 2d 5c b3 ee c4 f5 df 3d 58 7b 46 20 0d 15 c8 6a
trailer: 00 00 00 00 00 00 f7 8f 00 5a 00 00 00 00 00 00
Trailer decoded:
Access block 16: read AB; write AB; increment AB; decrement transfer restore AB
Access block 17: read AB; write AB; increment AB; decrement transfer restore AB
Access block 18: read AB; write AB; increment AB; decrement transfer restore AB
Access block 19: write A by B; read ACCESS by AB; write B by B
UserData: 5a
proxmark3> hf mf rdsc * * FFFFFFFFFFFF
Key type must be A or B
proxmark3>
Thanks in advance.
Last edited by tng (2020-07-28 20:11:27)
Offline
I found another way using xxd, all the sectors are there plus the keys at the "sector trailer" (https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf )
xxd dumpdata.bin
or this one
proxmark3> script run htmldump.lua
--- Executing: htmldump.lua, args ''
Wrote a HTML dump to the file 2020-07-27_204642.html
>>2) there are 16 sectors a 4 blocks, total 64 blocks. each block has 16 hex a 2 bytes
16x4x32 = 2048bytes
My fault, one hex = 4 bits, 2 hex = 1 byte
so it is: 16x4x16 = 1048bytes
Thanks.
Last edited by tng (2020-07-27 19:48:19)
Offline
btw I can see all the 32 keys clearly with xxd, but when using "chk", it just shows ffffffffffff
proxmark3> hf mf chk *1 ? d keys.dic (inside this file there are the keys. When using the same command on the original FOB, it shows the keys correctly)
Below, only the keys of the first sector are shown; all the remaining ones are fffff*. Do you know why?
|---|----------------|----------------|
|sec|key A |key B |
|---|----------------|----------------|
|000| b7129a511266 | b0b1b2b3b4b5 |
|001| ffffffffffff | ffffffffffff |
|002| ffffffffffff | ffffffffffff |
|003| ffffffffffff | ffffffffffff |
|004| ffffffffffff | ffffffffffff |
...
Offline
The ffffffffffff is due to this one I guess, I didn't use a blank card
http://www.proxmark.org/forum/viewtopic.php?id=4951
Exactly. But this means that you don't write to a blank card. Access Conditions on blank cards allow writing the sector trailer with key A (transport configuration). Please note the capitalized "BLANK" in the help text of hf mf restore:
Restore MIFARE classic binary file to BLANK tag
Offline
I believe you are looking for the hf mf dump command.
Offline
I cloned using "dump/restore" successfully. All questions are answered (thanks to the forum's many old threads :-) ). The last question was why "hf mf chk *1 ? d keys.dic" shows ffffffffffff and not the real key, and the answer from piwi (old post) was "need to use a blank tag" (I didn't, I had used the tag several times).
It is not a big issue (the tag works well, I can open the door), BUT it is a big issue if someone borrows this "new tag" and does a clone with "hardnested": she will only get ffffffffffff and not a correct key. Without the correct keys, no clone.
Thanks
proxmark3> hf mf hardnested 0 B b0b1b2b3b4b5 10 B w
--target block no: 10, target key type:B, known target key: 0x000000000000 (not set), file action: write, Slow: No, Tests: 0
Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 205 million (2^27.6) keys/s | 140737488355328 | 8d
7 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 8d
18 | 0 | Writing acquired nonces to binary file nonces.bin | 140737488355328 | 8d
19 | 112 | Apply bit flip properties | 14171829698560 | 19h
....
325 | 2312 | Brute force phase: 24.59% | 23700084736 | 2min
331 | 2312 | Brute force phase: 49.22% | 17422151680 | 85s
341 | 2312 | Brute force phase completed. Key found: ffffffffffff | 0 | 0s
Offline
It's very confusing reading your posts about Mifare Classic keys.
I understand that you don't have a correct picture of how it works.
1. Reading keys will result in zeros on a normal mifare classic card.
2. Reading keys on a magic mifare card can result in seeing the keys instead of zeros, depending on the magic tech behind it.
3. What the proxmark3 finds and prints is the keys currently programmed on a tag.
If your found keys from the original don't match the found keys on your programmed magic, then it's because you didn't do a one-to-one copy.
And I think it's here I will stop trying to explain further. Look at the dump files you have, understand the mifare classic memory layout by reading a datasheet.
Good luck!
Offline
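The memory layout this thread keeps coming back to (16 sectors of 4 blocks of 16 bytes, with key A, the access bits and key B in each sector trailer), as an added example that is not part of the original posts: a parser for a 1024-byte dump file. The sample dump is constructed from the key and trailer values printed earlier in the thread, and all function names are hypothetical.

```python
SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16    # MIFARE Classic 1K geometry
DUMP_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE  # 16 * 4 * 16 = 1024 bytes

def decode_access_bits(acc):
    """Decode trailer bytes 6..8 into {block_in_sector: (C1, C2, C3)}.
    Each nibble is stored twice, once inverted; a mismatch is a format error."""
    b6, b7, b8 = acc[0], acc[1], acc[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4          # plain copies
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F        # inverted copies
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits and their complements disagree")
    return {i: ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)}

def parse_dump(dump):
    """Split a 1K dump into sectors and pull the fields out of each trailer."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE} bytes, got {len(dump)}")
    sectors = []
    for s in range(SECTORS):
        base = s * BLOCKS_PER_SECTOR * BLOCK_SIZE
        blocks = [dump[base + i * BLOCK_SIZE: base + (i + 1) * BLOCK_SIZE]
                  for i in range(BLOCKS_PER_SECTOR)]
        trailer = blocks[3]                            # last block of the sector
        sectors.append({
            "sector": s,
            "first_block": s * BLOCKS_PER_SECTOR,      # absolute block number
            "data": blocks[:3],
            "key_a": trailer[0:6].hex(),
            "access": decode_access_bits(trailer[6:9]),
            "user_byte": trailer[9],
            "key_b": trailer[10:16].hex(),
        })
    return sectors

def build_sample_dump():
    """Constructed sample: zeroed data blocks; keys and the access bytes
    f7 8f 00 5a are the values shown in the thread's output."""
    out = bytearray()
    for s in range(SECTORS):
        key_a = bytes.fromhex("b7129a511266" if s == 0 else "ffffffffffff")
        key_b = bytes.fromhex("b0b1b2b3b4b5" if s == 0 else "ffffffffffff")
        out += bytes(3 * BLOCK_SIZE) + key_a + bytes.fromhex("f78f005a") + key_b
    return bytes(out)

if __name__ == "__main__":
    for sec in parse_dump(build_sample_dump()):
        print(f'{sec["sector"]:02d} A={sec["key_a"]} B={sec["key_b"]} '
              f'trailer C1C2C3={sec["access"][3]}')
```

A trailer condition of (1, 0, 0) is the one the tool prints as "write A by B; read ACCESS by AB; write B by B", and (0, 0, 0) on a data block is "read AB; write AB".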
As I wrote, all questions are answered.
Don't know what you are talking about, the 1) 2) and 3)
Offline
Good thing you solved your issue. I suggest you edit your first post and add the prefix [solved] to your subject line
Offline