Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
#1 2015-09-07 14:55:12
- pusinato
- Member
- Registered: 2013-12-20
- Posts: 7
Mifare Classic Broken ? CMD 04 Key A recovered
uid(d80eeXXX) nt(c4977XX) par(2e1646fee6deXXX6) ks(0d0c0b05050XXX1) nr(7ffdec0000000XX0)
Key found:000000000000
Found valid key:000000000000
--block no:0, key type:A, key:00 00 00 00 00 00
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
isOk:00
--block no:0, key type:B, key:00 00 00 00 00 00
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
Darkside works great i get the key, but when to read the card Block 0 it seems keys are wrong,
I cant get any access to block 0, 1, 2 and 3
have tested diffrent firmware and same result.
Any tips how to get acces to the card ?
Offline
#2 2015-09-09 00:33:23
- abyjk
- Member
- Registered: 2014-11-27
- Posts: 7
Re: Mifare Classic Broken ? CMD 04 Key A recovered
Hi!
Which command did you use? "hf mf mifare"? or the chk?
Is the tag use-able in the normal environment (can it still open doors or still pay the bus ride etc.)?
Offline
#3 2015-09-09 09:15:42
- pusinato
- Member
- Registered: 2013-12-20
- Posts: 7
Re: Mifare Classic Broken ? CMD 04 Key A recovered
the command was "hf mf mifare"
the card is not use-able
is it possible to use sniff or snoop command to get the A key for the block
the UID is visable when read but not giving me acces to read the block 0
Offline
#4 2015-09-09 10:21:22
- abyjk
- Member
- Registered: 2014-11-27
- Posts: 7
Re: Mifare Classic Broken ? CMD 04 Key A recovered
That's weird because, as you know, the first block contains "free data".
I would guess, the sniffed key is wrong (every sniff I tried myself gone wrong, but maybe I'm too stupid for that 
only the encrypted one works for me).
You could try the other one: "hf mf chk *1 ? t" assuming, it's a MFC 1k, checking all the default keys.
So maybe it shows a different Key to you. If you're a bit lucky, it shows you any key, you can use for the nested attack and THEN get a key for the first sector (or "another" one).
On every MFC1k tag at home, the fist sector can be read with "a0a1a2a3a4a5" (type a).
Offline
#5 2015-09-10 08:16:41
- pusinato
- Member
- Registered: 2013-12-20
- Posts: 7
Re: Mifare Classic Broken ? CMD 04 Key A recovered
Thank you for the suggestion,
hf mf chk *1 ? t gave me the same key, fault key found again,
also your type A key was auth error, but thank you again
Offline
#6 2015-09-10 09:20:00
- abyjk
- Member
- Registered: 2014-11-27
- Posts: 7
Re: Mifare Classic Broken ? CMD 04 Key A recovered
Okay then I have two last ideas.
1) try with another reader. I use the ACR122U to verify correctness of tags.
2) Or try to change block 4 (key A, access bits, key B) with your type b key, if you got one during attacks, because it sounds like you won't use the tag in real life anyway. But, as you know, writing a block with keys can be tricky.
Offline
#7 2015-09-11 09:15:08
- pusinato
- Member
- Registered: 2013-12-20
- Posts: 7
Re: Mifare Classic Broken ? CMD 04 Key A recovered
yes, I have ordered a ACR122U so I will try that way, thank you for the suggestion,
Perheps it will work better with MFCUK and MFOC
Offline