Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-07-27 18:21:27

Stanger
Contributor
Registered: 2015-07-22
Posts: 21

Mifare basic understanding

I'm researching one of my mifare classic cards for a better understanding of the security of the data on the card. Now I recently found out about the access bits and after a lot of reading I still had some question marks.

For every sector trailer the developers used an access condition that only leaves the access bits readable. Key A|B may never be read or written. I made several dumps of the data with the pm3 and the MCT app and they both showed the keys in the dump.
So did they fill in the used keys or is there a security leak and did they manage to really read the keys from the data?

The card also contains 12 value blocks separated over 12 sectors. Now the first one is slightly different from the rest, which are all the same. On all these value blocks the developers gave permission to only decrement, transfer or restore the value stored on the block.
Now I know that the cards are reusable, so the value must be incremented or written; I wonder how they are able to reuse these cards.
What are the pros for developers of storing the same value 11 times?

I assumed that the data in the dumps is not from the internal data register, so all increment and decrement commands are followed by a transfer command to change the data of a value block? If so, does blocking the decrement, restore and transfer ability with the access bits make increment impossible?

Thanks in advance

Last edited by Stanger (2015-07-27 18:23:05)

Offline

#2 2015-07-29 16:58:34

Stanger
Contributor
Registered: 2015-07-22
Posts: 21

Re: Mifare basic understanding

I hope this is helpful for anyone starting with mifare classic.

Stanger wrote:

So did they fill in the used keys or is there a security leak and did they manage to really read the keys from the data?

As far as I can read there is no way to bypass a read restriction.

Stanger wrote:

I assumed that the data in the dumps is not from the internal data register, so all increment and decrement commands are followed by a transfer command to change the data of a value block? If so, does blocking the decrement, restore and transfer ability with the access bits make increment impossible?

There is no access bit combination for value blocks that allows this combination.

Data Sheet wrote:

Remark: The MIFARE Increment, Decrement, and Restore commands require a MIFARE
Transfer to store the value into a destination block.

Stanger wrote:

The card also contains 12 value blocks separated over 12 sectors. Now the first one is slightly different from the rest, which are all the same. On all these value blocks the developers gave permission to only decrement, transfer or restore the value stored on the block.
Now I know that the cards are reusable, so the value must be incremented or written; I wonder how they are able to reuse these cards.

This is still not very clear to me. There are ways to bypass these increment and write restrictions on value blocks if there is a writeable block in the same sector. By writing the wanted value in a writeable block in the same sector as the restricted value you are able to restore this value to the data register. Now you are able to transfer the data in the data register to the restricted value and with this you bypass the increment command.

I am not sure if they use this when they are recharging; something tells me that I am overlooking something.

Offline
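
Added example, not part of the original posts: a Python decoder for the three access-condition bytes (bytes 6 to 8) of a sector trailer, so a dump can be checked against the conditions discussed in this thread. The permission tables follow the MF1S50 datasheet; the function names and both sample trailers are constructed for illustration.

```python
# Added example; tables per the MF1S50 datasheet, sample trailers are constructed.
# Data-block conditions keyed by (C1, C2, C3); "-" means never allowed.
OPS = ("read", "write", "increment", "dec_transfer_restore")
DATA_BLOCK = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),  # transport configuration
    (0, 1, 0): ("A|B", "-", "-", "-"),
    (1, 0, 0): ("A|B", "B", "-", "-"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),      # value block, increment with key B
    (0, 0, 1): ("A|B", "-", "-", "A|B"),      # value block, no write or increment
    (0, 1, 1): ("B", "B", "-", "-"),
    (1, 0, 1): ("B", "-", "-", "-"),
    (1, 1, 1): ("-", "-", "-", "-"),
}
# Trailer conditions under which neither key can be read or written.
KEYS_LOCKED = {(1, 0, 1), (1, 1, 0), (1, 1, 1)}


def decode_access_bits(trailer: bytes):
    """Return (C1, C2, C3) for blocks 0..3; raise if the inverted copies disagree."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4     # plain nibbles
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F   # inverted nibbles
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def describe_sector(trailer: bytes):
    """Return (permissions for data blocks 0..2, True if both keys are locked)."""
    conds = decode_access_bits(trailer)
    blocks = [dict(zip(OPS, DATA_BLOCK[c])) for c in conds[:3]]
    return blocks, conds[3] in KEYS_LOCKED


# Constructed trailers: key A | access bytes | user byte | key B.
SAMPLE_LOCKED = bytes.fromhex("000000000000" "778878" "00" "000000000000")
SAMPLE_TRANSPORT = bytes.fromhex("000000000000" "FF0780" "69" "FFFFFFFFFFFF")

if __name__ == "__main__":
    for name, raw in (("locked", SAMPLE_LOCKED), ("transport", SAMPLE_TRANSPORT)):
        blocks, locked = describe_sector(raw)
        print(name, "keys locked:", locked)
        for i, perms in enumerate(blocks):
            print("  block", i, perms)
```
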
