Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I can't crack this Mifare Classic 1k. Can anyone help? Unknown key at sector 5. Thanks.
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2014-09-19 10:31:37
#db# os: /-suspect 2014-09-13 11:21:04
#db# HF FPGA image built on 2014/ 6/19 at 21:26: 2
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3>
proxmark3> hw tune
proxmark3>
proxmark3> #db# Measuring antenna characteristics, please wait...
proxmark3> #db# Measuring complete, sending report back to host
proxmark3>
proxmark3> # LF antenna: 0.00 V @ 125.00 kHz
proxmark3> # LF antenna: 0.00 V @ 134.00 kHz
proxmark3> # LF optimal: 0.00 V @ 12000.00 kHz
proxmark3> # HF antenna: 11.18 V @ 13.56 MHz
proxmark3> # Your LF antenna is unusable.
proxmark3> hf mf chk * ?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block: 3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:A, key count:13
--sector: 6, block: 27, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 0, block: 3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:B, key count:13
--sector: 6, block: 27, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:B, key count:13
Found valid key:[ffffffffffff]
proxmark3>
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..................................................
Proxmark can't get statistic info. Execution aborted.
proxmark3>
proxmark3> script run mifare_autopwn
--- Executing: ./scripts/mifare_autopwn.lua, args''
Card found, commencing crack 30102808
ERROR: Error occurred
-----Finished
proxmark3>
Offline
You may have a newer model of Mifare Classic. The Random Number Generator in these cards has been fixed and is therefore no longer predictable (which was the prerequisite for the Darkside and the Nested attacks).
You can still try hf mf sim x at a legitimate reader.
Offline
This is another mf card, any chance to clone it? Can anyone help, please?
proxmark3> hf mf chk * ?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block: 3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:A, key count:13
--sector: 2, block: 11, key type:A, key count:13
--sector: 3, block: 15, key type:A, key count:13
--sector: 4, block: 19, key type:A, key count:13
--sector: 5, block: 23, key type:A, key count:13
--sector: 6, block: 27, key type:A, key count:13
--sector: 7, block: 31, key type:A, key count:13
--sector: 8, block: 35, key type:A, key count:13
--sector: 9, block: 39, key type:A, key count:13
--sector:10, block: 43, key type:A, key count:13
--sector:11, block: 47, key type:A, key count:13
--sector:12, block: 51, key type:A, key count:13
--sector:13, block: 55, key type:A, key count:13
--sector:14, block: 59, key type:A, key count:13
--sector:15, block: 63, key type:A, key count:13
--sector: 0, block: 3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:B, key count:13
Found valid key:[ffffffffffff]
proxmark3>
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..........................................
Proxmark can't get statistic info. Execution aborted.
proxmark3>
Offline
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 04 7c 5e 82 f4 38 80 08 44 00 12 01 11 00 15 14
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
proxmark3>
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:04 7c 5e 82 f4 38 80 08 44 00 12 01 11 00 15 14
proxmark3>
proxmark3> hf mf rdbl 1 A FFFFFFFFFFFF
--block no:1, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
proxmark3>
proxmark3> hf mf rdbl 2 A FFFFFFFFFFFF
--block no:2, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
proxmark3>
proxmark3> hf mf rdbl 3 A FFFFFFFFFFFF
--block no:3, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
proxmark3>
Offline
Since you got the keys, ffffffffffff, you will not have an issue with copying it.
hint: use the lua script for checking keys instead. It uses a lot more for found default keys.
Offline
Or try hf mf chk * ? defaultkeys.dic
Offline
There you go, another option.. I've forgotten that Piwi added that option to the command.
Offline
The option to read a keyfile had been there for ages. I just provided the file with all the keys from the script.
Offline
This is a fully encrypted card, any other commands to try ??
proxmark3> hf mf chk * ? ffffffffffff
chk key[ 0] ffffffffffff
--sector: 0, block: 3, key type:A, key count: 1
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:A, key count: 1
--sector: 2, block: 11, key type:A, key count: 1
--sector: 3, block: 15, key type:A, key count: 1
--sector: 4, block: 19, key type:A, key count: 1
--sector: 5, block: 23, key type:A, key count: 1
--sector: 6, block: 27, key type:A, key count: 1
--sector: 7, block: 31, key type:A, key count: 1
--sector: 8, block: 35, key type:A, key count: 1
--sector: 9, block: 39, key type:A, key count: 1
--sector:10, block: 43, key type:A, key count: 1
--sector:11, block: 47, key type:A, key count: 1
--sector:12, block: 51, key type:A, key count: 1
--sector:13, block: 55, key type:A, key count: 1
--sector:14, block: 59, key type:A, key count: 1
--sector:15, block: 63, key type:A, key count: 1
--sector: 0, block: 3, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:B, key count: 1
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:B, key count: 1
Found valid key:[ffffffffffff]
proxmark3>
proxmark3> script run mifare_autopwn
--- Executing: ./scripts/mifare_autopwn.lua, args''
Card found, commencing crack 04265F82F43880
ERROR: Error occurred
-----Finished
proxmark3>
Offline
But you don't need to autopwn. You already have most of the keys... You should be able to read the tag with them.
Offline
what are the steps to read it ? thanks
Offline
the "hf mf rdbl" commands..
Offline
cannot read, the uid with 14 digits ?? normal uid is 8 only.
proxmark3> hf 14a cuids
Collecting 1 UIDs
Start: 1422510184
04265F82F43880
End: 1422510185
proxmark3>
proxmark3> hf 14a list
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 85386415 | Rdr | 44 05 24 00 00 40 09 02 80 44 00 c0 d1 36 00 00 a0 09 02 00 93 20 80 05 45 00 00 c0 16 05 80 88 04 26 5f f5 98 d1 63 00 00 20 29 09 00 93 70 88 04 26 5f f5 fa 5e a7 00 85 91 00 00 c0 0d 03 80 04 da 17 20 51 a4 00 00 a0 09 02 00 95 20 80 85 b2 00 !crc
1364288893 | 83920554 | Tag | 00! 95! 70 82! f4 38 80 ce 99! !crc
proxmark3>
Offline
can darkside attack work with 7 byte uid ?? anyone know ?? thanks.
Offline
Yes and No.
Yes - it can handle 7 Byte UIDs.
No - Mifare classic cards with 7 Byte UIDs are of a newer generation and newer Mifare cards come usually with a fixed Random Number Generator - Dark Side needs "predictable random" numbers to work.
BTW: your PM software version is quite old. The hf 14a cuids with following hf list 14a produces a meaningful trace on my PM3.
Offline
You mean this new mifare card cannot be cracked and cloned by PM3 ??
Offline
The new tags can't be "cracked" with DarkSide.
If you are lucky that your tag has known default keys, then you can clone it. (ie hf mf chk)
Offline
Thanks, iceman, but there is no 7 byte uid blank card to be cloned at the moment. Only 4 byte uid available.
Offline
However, you should (as Piwi mentioned earlier) update your pm3 software to the latest one from GitHub.
Meanwhile check around taobao.com and see if there is any new blank 7bytes uid tags there.
Offline
proxmark3> hf 14a list
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC
-----------|-----------|-----|-----------------------------------------------------------------------
0 | 992 | Rdr | 52 |
2228 | 4596 | Tag | 44 00 |
7040 | 9504 | Rdr | 93 20 |
10676 | 16500 | Tag | 88 04 26 5f f5 |
18560 | 29088 | Rdr | 93 70 88 04 26 5f f5 fa 5e |
30260 | 33780 | Tag | 04 da 17 |
35072 | 37536 | Rdr | 95 20 |
38708 | 44596 | Tag | 82 f4 38 80 ce |
46592 | 57120 | Rdr | 95 70 82 f4 38 80 ce 99 fb |
58292 | 61812 | Tag | 08 b6 dd |
proxmark3>
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-01-01 15:28:15
#db# os: /-suspect 2015-01-01 15:28:20
#db# HF FPGA image built on 2014/ 6/19 at 21:26: 2
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3>
proxmark3> hw tune
Reading 255 samples
Done! Divisor 89 is 134khz, 95 is 125khz.
proxmark3>
updated, but the newer 006 cannot tune with reading ..
Offline
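Why this card's UID prints as 14 hex digits can be read from the `hf 14a list` trace in the post above: the tag answers two cascade levels, and the first answer starts with the cascade tag 0x88. The following is an added example, not part of the original thread or of the Proxmark3 code base; the function names are hypothetical and the trace rows are copied from the post.

```python
# Added example: rebuild a double-size (7-byte) UID from an `hf 14a list` trace
# and check the BCC and CRC_A values along the way.
TRACE = """\
Start | End | Src | Data (! denotes parity error) | CRC
0 | 992 | Rdr | 52 |
2228 | 4596 | Tag | 44 00 |
7040 | 9504 | Rdr | 93 20 |
10676 | 16500 | Tag | 88 04 26 5f f5 |
18560 | 29088 | Rdr | 93 70 88 04 26 5f f5 fa 5e |
30260 | 33780 | Tag | 04 da 17 |
35072 | 37536 | Rdr | 95 20 |
38708 | 44596 | Tag | 82 f4 38 80 ce |
46592 | 57120 | Rdr | 95 70 82 f4 38 80 ce 99 fb |
58292 | 61812 | Tag | 08 b6 dd |
"""

SEL_LEVEL = {0x93: 1, 0x95: 2, 0x97: 3}  # SEL codes for cascade levels 1..3
CASCADE_TAG = 0x88                        # "UID continues at the next level"


def crc_a(data):
    """ISO/IEC 14443-3 CRC_A, returned low byte first as sent on the air."""
    crc = 0x6363
    for byte in data:
        b = byte ^ (crc & 0xFF)
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_trace(text):
    """Return [(source, frame_bytes)] for every Rdr/Tag row of the listing."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) >= 4 and cols[2] in ("Rdr", "Tag"):
            # '!' marks a parity error in the listing and is not data
            frames.append((cols[2], bytes.fromhex(cols[3].replace("!", ""))))
    return frames


def rebuild_uid(frames):
    """Walk reader/tag pairs; return (uid_hex, final_sak, problems)."""
    uid, sak, problems = bytearray(), None, []
    for (src, req), (rsrc, rsp) in zip(frames, frames[1:]):
        if src != "Rdr" or rsrc != "Tag" or len(req) < 2 or req[0] not in SEL_LEVEL:
            continue
        level = SEL_LEVEL[req[0]]
        if req[1] == 0x20:  # ANTICOLLISION: tag sends 4 bytes followed by BCC
            if len(rsp) != 5:
                problems.append(f"CL{level}: unexpected answer length {len(rsp)}")
                continue
            if (rsp[0] ^ rsp[1] ^ rsp[2] ^ rsp[3]) != rsp[4]:
                problems.append(f"CL{level}: BCC mismatch")
            # Drop the cascade tag; the remaining bytes are UID bytes
            uid += rsp[1:4] if rsp[0] == CASCADE_TAG and level < 3 else rsp[:4]
        elif req[1] == 0x70:  # SELECT: reader frame and SAK both carry CRC_A
            if crc_a(req[:-2]) != req[-2:]:
                problems.append(f"CL{level}: bad CRC_A on SELECT")
            if len(rsp) != 3 or crc_a(rsp[:1]) != rsp[1:]:
                problems.append(f"CL{level}: bad SAK frame")
                continue
            sak = rsp[0]
    if sak is not None and sak & 0x04:
        problems.append("last SAK has the cascade bit set: UID incomplete")
    return uid.hex(), sak, problems


if __name__ == "__main__":
    uid, sak, problems = rebuild_uid(parse_trace(TRACE))
    print(f"UID {uid} ({len(uid) // 2} bytes), SAK {sak:02x}, problems: {problems}")
```

The first SAK (04) has the cascade bit set, so the reader continues with SEL 0x95; the second SAK (08) is the final one.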
You don't seem to download the source code and compile it. In that case you can wait until Asper makes a new compilation.
Offline
It will come shortly (hope less than a week); it will be marked as "unstable" or "test" or "beta" due to the fact that there is a LOT of newly added stuff.
Offline
The svn build already fixed tune problem.
Offline
Hi, iceman, I can't read most of the blocks, any idea ? thanks..
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:04 7c 5e 82 f4 38 80 08 44 00 12 01 11 00 15 14
proxmark3>
proxmark3> hf mf rdbl 0 B FFFFFFFFFFFF
--block no:0, key type:B, key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
proxmark3> hf mf rdbl 1 A FFFFFFFFFFFF
--block no:1, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
proxmark3>
proxmark3> hf mf rdbl 1 B FFFFFFFFFFFF
--block no:1, key type:B, key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
proxmark3> hf mf rdbl 2 A FFFFFFFFFFFF
--block no:2, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
proxmark3>
proxmark3> hf mf rdbl 2 B FFFFFFFFFFFF
--block no:2, key type:B, key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
proxmark3> hf mf rdbl 3 A FFFFFFFFFFFF
--block no:3, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
proxmark3>
proxmark3> hf mf rdbl 3 B FFFFFFFFFFFF
--block no:3, key type:B, key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
proxmark3> hf mf rdbl 4 A FFFFFFFFFFFF
--block no:4, key type:A, key:ff ff ff ff ff ff
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
proxmark3> hf mf rdbl 4 B FFFFFFFFFFFF
--block no:4, key type:B, key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
proxmark3> hf mf rdbl 5 A FFFFFFFFFFFF
--block no:5, key type:A, key:ff ff ff ff ff ff
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
proxmark3> hf mf rdbl 5 B FFFFFFFFFFFF
--block no:5, key type:B, key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
proxmark3> hf mf rdbl 6 A FFFFFFFFFFFF
--block no:6, key type:A, key:ff ff ff ff ff ff
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
proxmark3> hf mf rdbl 6 B FFFFFFFFFFFF
--block no:6, key type:B, key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read block error
Offline
the "hf mf rdbl" commands..
can't read... using " hf mf rdbl "
Offline
First, when you successfully read a block with one key, you don't need to test the other key.
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:04 7c 5e 82 f4 38 80 08 44 00 12 01 11 00 15 14
proxmark3>
proxmark3> hf mf rdbl 0 B FFFFFFFFFFFF
--block no:0, key type:B, key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
isOk:00
You need to ask yourself some questions.
If you get read errors, are you sure you have all right keys? And is your sector access right? (ie are you allowed to read the block)
Offline
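The access-rights question in the reply above can be answered from the trailer bytes `ff 07 80 69` posted earlier in the thread: with these bits key B is readable from the trailer, and a MIFARE Classic card refuses memory access after authenticating with a readable key B, which is consistent with the `Cmd Error: 04` results for key B. The following is an added example, not code from the thread or the Proxmark3 project; it decodes the access bits per the MIFARE Classic trailer layout, and the function names are hypothetical.

```python
# Added example: decode MIFARE Classic access bits from a sector trailer.
# The sample is the trailer line from the thread's `hf mf rdsc 0` output.
SAMPLE_TRAILER = "00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff"

# (C1, C2, C3) -> key types allowed to READ a data block
DATA_READ = {
    (0, 0, 0): "AB", (0, 1, 0): "AB", (1, 0, 0): "AB", (1, 1, 0): "AB",
    (0, 0, 1): "AB", (0, 1, 1): "B", (1, 0, 1): "B", (1, 1, 1): "",
}
# Trailer conditions where key A may read key B out of the trailer.
# In these modes key B is plain data and is not accepted for memory access.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_trailer(hex_trailer):
    """Return the per-block (C1, C2, C3) tuples of a 16-byte sector trailer."""
    t = bytes.fromhex(hex_trailer.replace(" ", ""))
    if len(t) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = t[6], t[7], t[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv_c1, inv_c2, inv_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    # Every access bit is stored twice, once inverted; the card checks this
    # format on each access.
    if (c1 ^ inv_c1, c2 ^ inv_c2, c3 ^ inv_c3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    # Bit i of each nibble belongs to block i of the sector (block 3 = trailer)
    bits = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return {
        "blocks": bits[:3],
        "trailer": bits[3],
        "key_b_readable": bits[3] in KEY_B_READABLE,
        "key_a_field": t[:6].hex(),   # key A is never readable: reads as zeros
        "key_b_field": t[10:].hex(),
    }


def can_read(acl, block_index, key_type):
    """True if key_type ('A' or 'B') may read data block 0..2 of the sector."""
    if key_type == "B" and acl["key_b_readable"]:
        return False  # authentication may succeed, the read is then refused
    return key_type in DATA_READ[acl["blocks"][block_index]]


def summarize(hex_trailer):
    """Human-readable lines describing who may read each block."""
    acl = decode_trailer(hex_trailer)
    lines = []
    for i in range(3):
        readers = "/".join(k for k in "AB" if can_read(acl, i, k)) or "none"
        lines.append(f"block {i}: C1C2C3={acl['blocks'][i]} readable with key {readers}")
    lines.append(
        f"trailer: C1C2C3={acl['trailer']} key B readable: {acl['key_b_readable']}"
    )
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_TRAILER)))
```

The zeros in the key A field of a trailer read are a mask, not the key value, while the key B field shows the stored bytes whenever the trailer condition makes key B readable.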
Thanks iceman, I just wanted to create a dump file in order to copy this tag, how do I do so? I noticed that the trailer is not the same as usual ..
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 04 7c 5e 82 f4 38 80 08 44 00 12 01 11 00 15 14
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Offline
if you have all keys, then look into the "hf mf" commands to find a command that dumps the content of a tag to file.
If you don't have all keys.. try getting them.. with some of the "hf mf" commands.
Offline
After successfully writing to block 0, why now unable to read the block 0 ? and it can't rewrite anymore, is locked, iceman, can you help ?
ATQA : 00 44
UID : 00 00 00 00 00 00 00
SAK : 08 [2]
MANUFACTURER : no tag-info available
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
SAK incorrectly claims that card doesn't support RATS
ATS : 09 78 00 91 02 da bc 19 10 f0 05
- TL : length is 9 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are supported, DR: [], DS: []
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 9 (FWT = 2097152/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : da bc 19 10
Answers to chinese magic backdoor commands: NO
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
--block no:0, key type:B, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: 04 26 5f 82 f4 38 80 08 44 00 12 01 00 00 15 14
#db# WRITE BLOCK FINISHED
isOk:01
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
isOk:00
ATQA : 00 44
UID : 04 26 5f 82 f4 38 80
SAK : 08 [2]
MANUFACTURER : NXP Semiconductors Germany
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
SAK incorrectly claims that card doesn't support RATS
ATS : 09 78 00 91 02 da bc 19 10 f0 05
- TL : length is 9 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are supported, DR: [], DS: []
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 9 (FWT = 2097152/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : da bc 19 10
Answers to chinese magic backdoor commands: NO
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
isOk:00
Offline
Since you got the keys, ffffffffffff, you will not have an issue with copying it.
hint: use the lua script for checking keys instead. It uses a lot more for found default keys.
I use these keys to copy, but it is not working. Can anyone help? Thanks..
Offline
There seem to be some commands missing in your pasted output.
It looks like you have a Magic card generation2, but that's my guess.
If that is the case, you would need to write a valid block0 (uid + bcc + sak + atqa). And make sure your block3 has correct access bytes.
Offline
now the cloned card already locked, I can't unlock it ? any ideas
Offline
just after I wrote the block 0, and it can't be read, locked, can't write anymore
Offline
First, when you successfully read a block with one key, you don't need to test the other key.
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:04 7c 5e 82 f4 38 80 08 44 00 12 01 11 00 15 14
proxmark3>
proxmark3> hf mf rdbl 0 B FFFFFFFFFFFF
--block no:0, key type:B, key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
isOk:00
You need to ask yourself some questions.
If you get read errors, are you sure you have all right keys? And is your sector access right? (ie are you allowed to read the block)
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 04 7c 5e 82 f4 38 80 08 44 00 12 01 11 00 15 14
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
proxmark3>
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:04 7c 5e 82 f4 38 80 08 44 00 12 01 11 00 15 14
proxmark3>
proxmark3> hf mf rdbl 1 A FFFFFFFFFFFF
--block no:1, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
proxmark3>
proxmark3> hf mf rdbl 2 A FFFFFFFFFFFF
--block no:2, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
proxmark3>
proxmark3> hf mf rdbl 3 A FFFFFFFFFFFF
--block no:3, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
proxmark3>
The block 3 data already posted earlier ... now I left only a valid blank card , 2 blank cards are locked ...
Offline
I don't understand, you say you can't read block0, then you show from the output that you can read...
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 04 7c 5e 82 f4 38 80 08 44 00 12 01 11 00 15 14
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
proxmark3>
Offline
1. You can read block 0 on original tag.
2. You can read block 0 on clone tag.
You need to be a bit more detailed.
Offline
cloned card data here, can't read
proxmark3> hf 14a reader
ATQA : 00 44
UID : 04 7c 5e 82 f4 38 80
SAK : 08 [2]
MANUFACTURER : NXP Semiconductors Germany
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
SAK incorrectly claims that card doesn't support RATS
ATS : 09 78 00 91 02 da bc 19 10 f0 05
- TL : length is 9 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are supported, DR: [], DS: []
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 9 (FWT = 2097152/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : da bc 19 10
Answers to chinese magic backdoor commands: NO
proxmark3>
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
proxmark3>
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
Offline
anyone can help ? I need to reset my clone card .... in order to test again. thanks .
Offline
Try reading your sector trailer on the clone-tag.
Btw, is it a magic one or just a blank tag you are using?
Offline
The card was locked, can't read anything.
Btw, have you ever successfully cloned a mf 7 bytes ??
Offline
I can't test it since I don't have a mifare classic w 7b UID.
how did you write to the clone-tag? Did you write to the Sector0 Block0? And you didn't answer my question on what type of clone tag you are using.
Offline
Since you got the keys, ffffffffffff, you will not have an issue with copying it.
hint: use the lua script for checking keys instead. It uses a lot more for found default keys.
I see, I thought you had successfully cloned the 7 bytes UID before.
Now I'm trying to find a way to recover the cloned cards. Hope it will.
The blank card info below, already posted earlier.
ATQA : 00 44
UID : 00 00 00 00 00 00 00
SAK : 08 [2]
MANUFACTURER : no tag-info available
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
SAK incorrectly claims that card doesn't support RATS
ATS : 09 78 00 91 02 da bc 19 10 f0 05
- TL : length is 9 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are supported, DR: [], DS: []
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 9 (FWT = 2097152/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : da bc 19 10
Answers to chinese magic backdoor commands: NO
--sector no:0 key type:A key:ff ff ff ff ff ff
Offline
The only 7uid tags I've seen is the MifareDesfire.
But now I understand better.
Your card doesn't work since block0 seems to be clear.. (UID: 0x00 0x00 0x00...)
It seems to me that your tag is a chinese magic generation 2 tag. And given that you can't use the normal "hf mf wrbl 0" ? (yes/no)
Then you need to use the "hf 14a raw" command to write a new block0.
Offline
A magic card with 7bytes uid? Can you tell where you bought it?
Offline
Yeah, I also want to know that.
Offline
Did he 0 the UID so as not to release his tag's UID?
Offline
hm, could be that. then he doesn't have a magic tag..
but what does he mean with "tag is locked" , he uses a default key (ffffffffffff) .. He should maybe do a "hf mf nested" to get the present keys from his blank tag..
Offline
All the answers are posted earlier, from the output, please take a closer look .
The UID successfully written to blank card, but can't be accessed, that's it.
I'm more concerned about how to recover the cloned cards. Can't find any other cmd to access it.
Offline
hm, could be that. then he doesn't have a magic tag..
but what does he mean with "tag is locked" , he uses a default key (ffffffffffff) .. He should maybe do a "hf mf nested" to get the present keys from his blank tag..
Since you don't have 7 bytes tag, you can try 4 bytes magic card with this cmd " hf mf wrbl 0 A FFFFFFFFFFFF 04265f82f43880084400120111001514 ".
Then you tell me what happen.
Offline