Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
This topic is come from https://github.com/Proxmark/proxmark3/pull/139#issuecomment-142077404 as pwpiwi suggested.
I found hf mf mifare might has some bug, might cause the board reset.
Under my test, if the card quality is bad, response time not stable or often time out, might cause "hf mf mifare" command failed.
See the log below
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-08-16 18:49:55
os: master/v2.2.0-57-g9dd0ac5-suspect 2015-09-11 17:25:02
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 167318 bytes (64%). Free: 94826 bytes (36%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memoryhf mf dbg 3
#db# Debug level: 3
hf 14a read
#db# ISO14443A Timeout set to 1050 (9ms)
UID : bc 6d d7 1d
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NOhf mf nested
Usage:
all sectors: hf mf nested <card memory> <block number> <key A/B> <key (12 hex symbols)> [t,d]
one sector: hf mf nested o <block number> <key A/B> <key (12 hex symbols)>
<target block number> <target key A/B> [t]
card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K
t - transfer keys into emulator memory
d - write keys to binary filesample1: hf mf nested 1 0 A FFFFFFFFFFFF
sample2: hf mf nested 1 0 A FFFFFFFFFFFF t
sample3: hf mf nested 1 0 A FFFFFFFFFFFF d
sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A
--target block no: 0, target key type:Ahf mf nested
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Authentication failed. Error card response.
#db# Nested: Auth2 error
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# rtr=17 isOK=0 min=160 max=160 avg=160, delta_time=2600
#db# Nonce#1: Testing nt1=4926202a nt2enc=80599d8e nt2par=90
#db# Nonce#1: valid, ntdist=159
#db# Nonce#1: dismissed (ambigous), ntdist=160
#db# Nonce#1: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#1: valid, ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=c7a3501a nt2enc=259cb6be nt2par=b0
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Authentication failed. Error card response.
#db# Nested: Auth1 error
#db# Nonce#2: Testing nt1=60495f88 nt2enc=4d9e42a8 nt2par=70
#db# Nonce#2: valid, ntdist=160
#db# NESTED FINISHED
uid:bc6dd71d trgbl=0 trgkey=0
Found valid key:000000008553hf mf mifare
#db# ISO14443A Timeout set to 1050 (9ms)
#db# calibrating in cycle 1. nt_distance=797, Sync_cycles: 64739
#db# calibrating in cycle 2. nt_distance=-4468, Sync_cycles: 69207
#db# calibrating in cycle 3. nt_distance=-27056, Sync_cycles: 96263
#db# calibrating in cycle 4. nt_distance=30301, Sync_cycles: 65962
#db# calibrating in cycle 5. nt_distance=-27698, Sync_cycles: 93660
#db# calibrating in cycle 6. nt_distance=-8948, Sync_cycles: 102608
#db# calibrating in cycle 7. nt_distance=20046, Sync_cycles: 82562
#db# calibrating in cycle 8. nt_distance=-18299, Sync_cycles: 100861
#db# calibrating in cycle 9. nt_distance=28941, Sync_cycles: 71920
#db# calibrating in cycle 10. nt_distance=-22867, Sync_cycles: 94787
#db# calibrating in cycle 11. nt_distance=8426, Sync_cycles: 86361
#db# calibrating in cycle 12. nt_distance=10682, Sync_cycles: 75679
#db# calibrating in cycle 13. nt_distance=-4649, Sync_cycles: 80328
#db# calibrating in cycle 14. nt_distance=26373, Sync_cycles: 53955
#db# calibrating in cycle 15. nt_distance=-22518, Sync_cycles: 76473
#db# calibrating in cycle 16. nt_distance=30331, Sync_cycles: 46142
#db# calibrating in cycle 17. nt_distance=-21934, Sync_cycles: 68076
#db# calibrating in cycle 18. nt_distance=27609, Sync_cycles: 40467
#db# calibrating in cycle 19. nt_distance=2810, Sync_cycles: 37657
#db# calibrating in cycle 20. nt_distance=32215, Sync_cycles: 5442
#db# calibrating in cycle 21. nt_distance=-7421, Sync_cycles: 12863
#db# calibrating in cycle 22. nt_distance=20532, Sync_cycles: -7669
Then after 13 dot, the board make sound, and reset automatically.
I guess the mifare command might have some errors, but due to my ability, I can't found. Anyone interested?
hf mf nested log is a proof that the card is vulnerable.
hf mf mifare log seems the card response time is not stable.
Offline
the reset is most likely the WDT (watchdog counter) and you should find the place on the device side code.
Offline
The reset bug during hf mf mifare is quite old and has been reported before. I still have no clue what would cause this.
But this is the first time that I see results of hf mf nested with a card causing hf mf mifare to reset. Quite interesting: the nonce distance between first and nested authentication is only 160, indicating a slow PRNG compared to normal cards. Furthermore, this card seems to send the same tag nonce 0xc7a3501a on (nearly) every first authentication. Consequentially the encoded tag nonce during the nested authentication is the same as well (0x259cb6be). I would assume that this is a (poor) Mifare clone.
hf mf mifare assumes that the PRNG sequence repeats every (approx.) 65536 SspClk cycles. This assumption would not hold for this slow PRNG. This would explain that hf mf mifare cannot sync - but I still miss the point where it would run into a loop without a WDT_HIT.
Anybode else seen this kind of tag/behavior?
Offline
the faulty logic should be inside iso14443a.c function ReaderMifare(bool first_try)
the interesting of the debug log is that the last entry has a negative sync_cycles value, the other ones is positive.
one spontantious idea would be the test:
if ( par[0] == 0x00) //assumes par[0] will increase stewise and eventually flow over to 0x00 again (ie 256 times)
but par[0] set to par_low and other values.
---
@bigboyq, Can we also get the tracelog for the above logfile? [ie: hf list 14a]
Offline
the interesting of the debug log is that the last entry has a negative sync_cycles value, the other ones is positive
YOU'RE GENIUS! (Well - partly :-)) With negative sync_cycles the
// if we missed the sync time already, advance to the next nonce repeat
while(GetCountSspClk() > sync_time) {
sync_time = (sync_time & 0xfffffff8) + sync_cycles;
}
will loop until the watchdog kicks in.
Now that we know the root cause for the resets it should be possible to fix it...
Still need some thoughts on syncing to slow PRNGs though...
I still would be interested to know if the other resets had been caused by similar tags as well...
Offline
I'm sure you would have seen the difference in the list of sync_cycles, moreof I'm glad you found the problematic while-loop.
There is some older clone tags I want to test with this bug of the system.
Slow prngs:
In the nested cmd, shouldn't the https://github.com/Proxmark/proxmark3/b … cmd.c#L699 line deal with slow prngs ? Don't know how its dealt with in the mifare cmd...
Offline
...
the place where the sync_time can get a negative value is the dist_nt at
Offline
@iceman
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-08-16 18:49:55
os: master/v2.2.0-57-g9dd0ac5-suspect 2015-09-11 17:25:02
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 167318 bytes (64%). Free: 94826 bytes (36%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
#db# Debug level: 3
#db# ISO14443A Timeout set to 1050 (9ms)
iso14443a card select failed
#db# ISO14443A Timeout set to 1050 (9ms)
UID : bc 6d d7 1d
ATQA : 00 04
SAK : 01 [2]
TYPE : NXP TNP3xxx Activision Game Appliance
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Usage:
all sectors: hf mf nested <card memory> <block number> <key A/B> <key (12 hex symbols)> [t,d]
one sector: hf mf nested o <block number> <key A/B> <key (12 hex symbols)>
<target block number> <target key A/B> [t]
card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K
t - transfer keys into emulator memory
d - write keys to binary filesample1: hf mf nested 1 0 A FFFFFFFFFFFF
sample2: hf mf nested 1 0 A FFFFFFFFFFFF t
sample3: hf mf nested 1 0 A FFFFFFFFFFFF d
sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A
--target block no: 0, target key type:A
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nested: calibrating... ntdist=160
#db# Authentication failed. Error card response.
#db# Nested: Auth1 error
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# rtr=17 isOK=0 min=160 max=160 avg=160, delta_time=2600
#db# Nonce#1: Testing nt1=ddf2a7cf nt2enc=d1b83a6e nt2par=10
#db# Nonce#1: valid, ntdist=160
#db# Nested: Auth2 error len=2
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# halt error. response len: 1
#db# Nested: Halt error
#db# Nested: Can't select card
#db# Nonce#2: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#2: valid, ntdist=160
uid:bc6dd71d trgbl=0 trgkey=0
#db# NESTED FINISHED
Found valid key:000000008553
Deprecated command, use 'hf list 14a' instead
Recorded Activity (TraceLen = 4467 bytes)Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurateStart | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 4768 | Rdr | 50 00 57 cd | | HALT
140160 | 141152 | Rdr | 52! | | WUPA
142388 | 144756 | Tag | 04 00 | |
147200 | 149664 | Rdr | 93 20 | | ANTICOLL
150836 | 156660 | Tag | bc 6d d7 1d 1b | |
158976 | 169440 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
170676 | 174196 | Tag | 08 b6 dd | |
175744 | 180512 | Rdr | 61 00 2d 62 | | AUTH-B(0)
182452 | 187188 | Tag | 91 2e 93 19 | |
196096 | 205408 | Rdr | 3d e4! e0! 35 af 7d! 87 32! | !crc| ?
206644 | 211380 | Tag | a0! 5c 96 00! | |
216832 | 221600 | Rdr | c2 04! 97 c5! | !crc| RESTORE(4)
223540 | 228276 | Tag | c7! 42 0b 23 | |
237184 | 246496 | Rdr | 26! 53 e5! b7! d7! a3 75 2d | !crc| REQA
247732 | 252468 | Tag | 80 a5! 96! a5! | |
361344 | 366048 | Rdr | 8b ce 7c! c2! | !crc| ?
501504 | 502496 | Rdr | 52! | | WUPA
503732 | 506100 | Tag | 04 00 | |
508544 | 511008 | Rdr | 93 20 | | ANTICOLL
512180 | 518004 | Tag | bc 6d d7 1d 1b | |
520320 | 530784 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
532020 | 535540 | Tag | 08 b6 dd | |
537088 | 541856 | Rdr | 61 00 2d 62 | | AUTH-B(0)
543796 | 548468 | Tag | 3a 04 92 55 | |
557440 | 566816 | Rdr | de 65! f4 9a! 57! 76 3a! c8 | !crc| ?
567988 | 569140 | Tag | 7c | |
797952 | 802656 | Rdr | 8a bb 6b 9d! | !crc| ?
938112 | 939104 | Rdr | 52 | | WUPA
940340 | 942708 | Tag | 04 00 | |
945152 | 947616 | Rdr | 93 20 | | ANTICOLL
948788 | 954612 | Tag | bc 6d d7 1d 1b | |
956928 | 967392 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
968628 | 972148 | Tag | 08 b6 dd | |
973696 | 978464 | Rdr | 61 00 2d 62 | | AUTH-B(0)
980404 | 985140 | Tag | 55 de f8 34 | |
994048 | 1003360 | Rdr | a1! 43! cd! 05 a6 2b bb! 96 | !crc| ?
1004596 | 1009332 | Tag | 66! fe! 58 d4! | |
1015296 | 1020000 | Rdr | e5 18 7b 86! | !crc| ?
1022004 | 1026740 | Tag | f2! 08! 2e 4f | |
1035648 | 1044960 | Rdr | be 71! b2! 2a! 71! f0 c3! 4e | !crc| ?
1046196 | 1050868 | Tag | a9! aa dc! d4 | |
1160064 | 1164832 | Rdr | ea! 60 fb 5f! | !crc| ?
1300224 | 1301216 | Rdr | 52 | | WUPA
1302452 | 1304820 | Tag | 04 00 | |
1307264 | 1309728 | Rdr | 93 20 | | ANTICOLL
1310900 | 1316724 | Tag | bc 6d d7 1d 1b | |
1319040 | 1329504 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
1330740 | 1334260 | Tag | 08 b6 dd | |
1335808 | 1340576 | Rdr | 61 00 2d 62 | | AUTH-B(0)
1342516 | 1347188 | Tag | d3 42 2b a0 | |
1356160 | 1365536 | Rdr | 1f 5a! 3c 11 9e 40! 5c! fd | !crc| ?
1366708 | 1371380 | Tag | 00 21! 7f e4 | |
1377408 | 1382176 | Rdr | 4e! 26 44! 9f! | !crc| ?
1384116 | 1388788 | Tag | 0f! 57! c9! 39 | |
1397760 | 1407072 | Rdr | 16 36 b3 94! fb! 70! a2! d5! | !crc| ?
1408308 | 1412980 | Tag | a6! 06 38 a5 | |
1520256 | 1525024 | Rdr | c4! de! 96 56! | !crc| ?
1660416 | 1661408 | Rdr | 52! | | WUPA
1662644 | 1665012 | Tag | 04 00 | |
1667456 | 1669920 | Rdr | 93 20 | | ANTICOLL
1671092 | 1676916 | Tag | bc 6d d7 1d 1b | |
1679232 | 1689696 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
1690932 | 1694452 | Tag | 08 b6 dd | |
1696000 | 1700768 | Rdr | 61 00 2d 62 | | AUTH-B(0)
1702708 | 1707380 | Tag | 9d 18 6d 95 | |
1716352 | 1725728 | Rdr | 3c e5! 03 e1 cd! ff 4b 7f | !crc| READ_SIG
1726900 | 1731572 | Tag | fd fa 13 29! | |
1737600 | 1742368 | Rdr | aa! aa f5! e1! | !crc| ?
1744308 | 1748980 | Tag | 7c! 9b! a2! 0e! | |
1757952 | 1767328 | Rdr | 4a ca! 7c fa! 5e d9! 40! 8d! | !crc| ?
1768500 | 1773236 | Tag | 83 13 0a f0! | |
1882112 | 1886880 | Rdr | b1 6c! e4! d3 | !crc| ?
2022272 | 2023264 | Rdr | 52 | | WUPA
2024500 | 2026868 | Tag | 04 00 | |
2029312 | 2031776 | Rdr | 93 20 | | ANTICOLL
2032948 | 2038772 | Tag | bc 6d d7 1d 1b | |
2041088 | 2051552 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
2052788 | 2056308 | Tag | 08 b6 dd | |
2057856 | 2062624 | Rdr | 61 00 2d 62 | | AUTH-B(0)
2064564 | 2069300 | Tag | d6 d7 67 e6 | |
2078208 | 2087584 | Rdr | 19 90! 98 fa ef! a9 70! 21! | !crc| ?
2088756 | 2093428 | Tag | 77 af f7! fa | |
2099456 | 2104224 | Rdr | be! e0! 2b d8! | !crc| ?
2106164 | 2110836 | Tag | 28! 69 73! 94! | |
2119808 | 2129184 | Rdr | 15 ea 74 6f! 0c c4! ce! f6! | !crc| ?
2130356 | 2135028 | Tag | 27 d3 75 2b | |
2243072 | 2247840 | Rdr | bf! b6 c2! 04 | !crc| ?
2383232 | 2384224 | Rdr | 52 | | WUPA
2385460 | 2387828 | Tag | 04 00 | |
2390272 | 2392736 | Rdr | 93 20 | | ANTICOLL
2393908 | 2399732 | Tag | bc 6d d7 1d 1b | |
2402048 | 2412512 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
2413748 | 2417268 | Tag | 08 b6 dd | |
2418816 | 2423584 | Rdr | 61 00 2d 62 | | AUTH-B(0)
2425524 | 2430260 | Tag | d2 7c 9a 7f | |
2439168 | 2448544 | Rdr | 32! bb! ae 32 7e! 05! 60! 3d | !crc| ?
2449716 | 2454388 | Tag | 92 0e 98! f3 | |
2460416 | 2465184 | Rdr | a1 0e f4 5b | !crc| ?
2467124 | 2471860 | Tag | 7f! 8f! 97 9c! | |
2480768 | 2490080 | Rdr | 58! a7 ba dc! 4c eb! 56! 93 | !crc| ?
2491316 | 2496052 | Tag | de! bf! cb e0 | |
2604416 | 2609184 | Rdr | b8 62! 8b de! | !crc| ?
2744576 | 2745568 | Rdr | 52 | | WUPA
2746804 | 2749172 | Tag | 04 00 | |
2751616 | 2754080 | Rdr | 93 20 | | ANTICOLL
2755252 | 2761076 | Tag | bc 6d d7 1d 1b | |
2763392 | 2773856 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
2775092 | 2778612 | Tag | 08 b6 dd | |
2780160 | 2784928 | Rdr | 61 00 2d 62 | | AUTH-B(0)
2786868 | 2791540 | Tag | ed 57 54 6a | |
2800512 | 2809824 | Rdr | ac d7 df! b5! e1 38! 9b fc | !crc| ?
2811060 | 2815732 | Tag | 32! 3e 06 aa | |
2821760 | 2826528 | Rdr | 6a! 86! c1! a0! | !crc| ?
2828468 | 2833204 | Tag | 3b! e9 d6! eb! | |
2842112 | 2851424 | Rdr | 7d 8f 12! ae 55 c5 75! 91! | !crc| ?
2852660 | 2857332 | Tag | 4a! 97! 3f! cc | |
2970496 | 2975200 | Rdr | b4! bf 72! 09 | !crc| ?
3110656 | 3111648 | Rdr | 52 | | WUPA
3112884 | 3115252 | Tag | 04 00 | |
3117696 | 3120160 | Rdr | 93 20 | | ANTICOLL
3121332 | 3127156 | Tag | bc 6d d7 1d 1b | |
3129472 | 3139936 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
3141172 | 3144692 | Tag | 08 b6 dd | |
3146240 | 3151008 | Rdr | 61 00 2d 62 | | AUTH-B(0)
3152948 | 3157620 | Tag | cf c5 2b 12 | |
3166592 | 3175904 | Rdr | 8e 3d! 79 34 78! 2d! 8d 51! | !crc| ?
3177140 | 3181876 | Tag | 84! c3 84! 97 | |
3187840 | 3192544 | Rdr | e1! 14! 54 29! | !crc| ?
3194548 | 3199220 | Tag | 98! 32 10! 72 | |
3208192 | 3217504 | Rdr | 8e 45 5c! 9c 16! cc! 22 8e | !crc| ?
3218740 | 3223412 | Tag | d1! e8 1b f4! | |
3332224 | 3336992 | Rdr | 40 1f! b1 04 | !crc| MAGIC WUPC1
3472384 | 3473376 | Rdr | 52 | | WUPA
3474612 | 3476980 | Tag | 04 00 | |
3479424 | 3481888 | Rdr | 93 20 | | ANTICOLL
3483060 | 3488884 | Tag | bc 6d d7 1d 1b | |
3491200 | 3501664 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
3502900 | 3506420 | Tag | 08 b6 dd | |
3507968 | 3512736 | Rdr | 61 00 2d 62 | | AUTH-B(0)
3514676 | 3519348 | Tag | 5c ed ca 5c | |
3528320 | 3537632 | Rdr | 2e! 80! e3! 55 c8 3c! 95 42 | !crc| ?
3538868 | 3543540 | Tag | 48 c8! 30! 54! | |
3549568 | 3554336 | Rdr | 77 6b a0 ce | !crc| ?
3556276 | 3560948 | Tag | d1! c8! 28 11 | |
3570048 | 3579424 | Rdr | 29 42! d0! 49 97 9b e2 68 | !crc| ?
3580596 | 3585268 | Tag | 1c 22 47 b3! | |
3694336 | 3699104 | Rdr | 42 dc! 7f! 66! | !crc| ?
3834496 | 3835488 | Rdr | 52 | | WUPA
3836724 | 3839092 | Tag | 04 00 | |
3841536 | 3844000 | Rdr | 93 20 | | ANTICOLL
3845172 | 3850996 | Tag | bc 6d d7 1d 1b | |
3853312 | 3863776 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
3865012 | 3868532 | Tag | 08 b6 dd | |
3870080 | 3874848 | Rdr | 61 00 2d 62 | | AUTH-B(0)
3876788 | 3881460 | Tag | e5 1d cf 41 | |
3890432 | 3899744 | Rdr | 68 4c e2 f1! 96! be! 50! 6a | !crc| ?
3900980 | 3905652 | Tag | 2a! 37 72! b4 | |
3911680 | 3916448 | Rdr | ab 98! 65 20 | !crc| ?
3918388 | 3923124 | Tag | 30! 11! 2a! 3f! | |
3932032 | 3941344 | Rdr | 3f! d6! ab 6e 32 e3! 0a b2 | !crc| ?
3942580 | 3947316 | Tag | 51 de! cb! 5c! | |
4055296 | 4060064 | Rdr | e5 eb 5b 51 | !crc| ?
4195456 | 4196448 | Rdr | 52 | | WUPA
4197684 | 4200052 | Tag | 04 00 | |
4202496 | 4204960 | Rdr | 93 20 | | ANTICOLL
4206132 | 4211956 | Tag | bc 6d d7 1d 1b | |
4214272 | 4224736 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
4225972 | 4229492 | Tag | 08 b6 dd | |
4231040 | 4235808 | Rdr | 61 00 2d 62 | | AUTH-B(0)
4237748 | 4242484 | Tag | f9 e9 f7 51 | |
4251392 | 4260704 | Rdr | a7 a6 ff 2d 96 f8 63 6f | !crc| ?
4261940 | 4266612 | Tag | dd! 78 f7 eb | |
4272640 | 4277408 | Rdr | ac! d8! d6 db! | !crc| ?
4279348 | 4284084 | Tag | 4c! bc! 13! 02 | |
4293120 | 4302496 | Rdr | 0b 64 62! 49 bf! c3 e2! 64 | !crc| ?
4303668 | 4308340 | Tag | 3d! 6d 92! a8! | |
4417024 | 4421792 | Rdr | 89! cc! e6 9d | !crc| ?
4557184 | 4558176 | Rdr | 52 | | WUPA
4559412 | 4561780 | Tag | 04 00 | |
4564224 | 4566688 | Rdr | 93 20 | | ANTICOLL
4567860 | 4573684 | Tag | bc 6d d7 1d 1b | |
4576000 | 4586464 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
4587700 | 4591220 | Tag | 08 b6 dd | |
4592768 | 4597536 | Rdr | 61 00 2d 62 | | AUTH-B(0)
4599476 | 4604212 | Tag | 43 98 99 01 | |
4613120 | 4622496 | Rdr | 82 fd! 7f 18 4a fe! a6 17! | !crc| ?
4623668 | 4628340 | Tag | b0 fc d9! 5c | |
4634368 | 4639136 | Rdr | b9 70! e7 f0! | !crc| ?
4641076 | 4645748 | Tag | d0! f0! 63! 33 | |
4654848 | 4664224 | Rdr | 06! de! 16 3a 44! 74! be 47! | !crc| ?
4665396 | 4670068 | Tag | c5! 76 ee 15! | |
4778880 | 4783584 | Rdr | c3! 43 0c d2 | !crc| ?
4919040 | 4920032 | Rdr | 52 | | WUPA
4921268 | 4923636 | Tag | 04 00 | |
4926080 | 4928544 | Rdr | 93 20 | | ANTICOLL
4929716 | 4935540 | Tag | bc 6d d7 1d 1b | |
4937856 | 4948320 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
4949556 | 4953076 | Tag | 08 b6 dd | |
4954624 | 4959392 | Rdr | 61 00 2d 62 | | AUTH-B(0)
4961332 | 4966004 | Tag | 71 c3 d8 2d | |
4974976 | 4984352 | Rdr | 67! a7! 79 a8 61! e1! d1 e9 | !crc| ?
4985524 | 4990260 | Tag | 53! b9! 7e! fc! | |
4996224 | 5000928 | Rdr | 36! 5a! 14! df! | !crc| ?
5002932 | 5007604 | Tag | 64! 0b! 8c! 27 | |
5016704 | 5026080 | Rdr | 80 8a! 39! 96! 36 16 f4! 59! | !crc| ?
5027252 | 5031924 | Tag | e6! 50! 5f! d5! | |
5140480 | 5145248 | Rdr | 1c! b4! 50 58 | !crc| ?
5280640 | 5281632 | Rdr | 52 | | WUPA
5282868 | 5285236 | Tag | 04 00 | |
5287680 | 5290144 | Rdr | 93 20 | | ANTICOLL
5291316 | 5297140 | Tag | bc 6d d7 1d 1b | |
5299456 | 5309920 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
5311156 | 5314676 | Tag | 08 b6 dd | |
5316224 | 5320992 | Rdr | 61 00 2d 62 | | AUTH-B(0)
5322932 | 5327668 | Tag | ef 37 56 cd | |
5336576 | 5345952 | Rdr | f2 f6 2b 71! 92 04 6a 72! | !crc| ?
5347124 | 5351796 | Tag | f7 7f! 96 a6 | |
5357824 | 5362592 | Rdr | 55 9f 15 c7 | !crc| ?
5364532 | 5369204 | Tag | 7f! a5! 83! f3 | |
5378176 | 5387488 | Rdr | 1a f6 ff! 94! 49! d2 aa 2a! | !crc| AUTH
5388724 | 5393460 | Tag | 02! 94! 80 00! | |
5501312 | 5506080 | Rdr | f1 f7! b5! 52 | !crc| ?
5641472 | 5642464 | Rdr | 52 | | WUPA
5643700 | 5646068 | Tag | 04 00 | |
5648512 | 5650976 | Rdr | 93 20 | | ANTICOLL
5652148 | 5657972 | Tag | bc 6d d7 1d 1b | |
5660288 | 5670752 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
5671988 | 5675508 | Tag | 08 b6 dd | |
5677056 | 5681824 | Rdr | 61 00 2d 62 | | AUTH-B(0)
5683764 | 5688500 | Tag | f7 27 cb d3 | |
5697408 | 5706784 | Rdr | 08! 6f! 46 bc 06 aa! 6c! 5d | !crc| ?
5707956 | 5712628 | Tag | b4! 8b ad! 69 | |
5718656 | 5723424 | Rdr | 40 f4 90 d6 | !crc| MAGIC WUPC1
5725364 | 5730036 | Tag | a2! 50 92 f1! | |
5739008 | 5748320 | Rdr | ee 15 d6 36 ac 33! bf e7 | !crc| ?
5749556 | 5754228 | Tag | c7! cd! 6a 7c! | |
5863168 | 5867872 | Rdr | 73! 52! 5b! ee | !crc| ?
6003328 | 6004320 | Rdr | 52 | | WUPA
6005556 | 6007924 | Tag | 04 00 | |
6010368 | 6012832 | Rdr | 93 20 | | ANTICOLL
6014004 | 6019828 | Tag | bc 6d d7 1d 1b | |
6022144 | 6032608 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
6033844 | 6037364 | Tag | 08 b6 dd | |
6038912 | 6043680 | Rdr | 61 00 2d 62 | | AUTH-B(0)
6045620 | 6050356 | Tag | e4 60 c6 07 | |
6059264 | 6068640 | Rdr | 2e ab! 09 b3 0c ff! fd e5 | !crc| ?
6069812 | 6074548 | Tag | 59! 17 8e! 38 | |
6080512 | 6085280 | Rdr | 7e! 66 51 ef | !crc| ?
6087220 | 6091956 | Tag | 4f! e6! 6b 93! | |
6100864 | 6110176 | Rdr | 73! 81! f4! 6b! 68 ab 6d 19! | !crc| ?
6111412 | 6116084 | Tag | b3 69 28 ab! | |
6225280 | 6230048 | Rdr | 67! 1e! e4! f5! | !crc| ?
6365440 | 6366432 | Rdr | 52! | | WUPA
6367668 | 6370036 | Tag | 04 00 | |
6372480 | 6374944 | Rdr | 93 20 | | ANTICOLL
6376116 | 6381940 | Tag | bc 6d d7 1d 1b | |
6384256 | 6394720 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
6395956 | 6399476 | Tag | 08 b6 dd | |
6401024 | 6405792 | Rdr | 61 00 2d 62 | | AUTH-B(0)
6407732 | 6412468 | Tag | d3 cd 73 d9 | |
6421376 | 6430752 | Rdr | 1d ab 2c! 0b! ba! d1! a0 c1 | !crc| ?
6431924 | 6436596 | Tag | 5f 53! ce! c9 | |
6442624 | 6447392 | Rdr | a8! 6d! dd! ed! | !crc| ?
6449332 | 6454004 | Tag | 6b! 3e 2a! f4! | |
6463104 | 6472480 | Rdr | ba 20! 51! 17! f0! 94 56! 3a! | !crc| ?
6473652 | 6478388 | Tag | a1 be 11 46 | |
6708480 | 6713184 | Rdr | 4c! ce be de | !crc| ?
6848640 | 6849632 | Rdr | 52 | | WUPA
6850868 | 6853236 | Tag | 04 00 | |
6855680 | 6858144 | Rdr | 93 20 | | ANTICOLL
6859316 | 6865140 | Tag | bc 6d d7 1d 1b | |
6867456 | 6877920 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
6879156 | 6882676 | Tag | 08 b6 dd | |
6884224 | 6888992 | Rdr | 61 00 2d 62 | | AUTH-B(0)
6890932 | 6895604 | Tag | dd f2 a7 cf | |
6904576 | 6913952 | Rdr | 5c 95! 6a! d8! c0! 00! ac! 83 | !crc| ?
6915124 | 6919860 | Tag | f3 84! 6f 4f | |
6925824 | 6930592 | Rdr | 7e 2e 8d 19 | !crc| ?
6932532 | 6937204 | Tag | d1! b8! 3a! 6e! | |
7164544 | 7169312 | Rdr | 5d e3! 43! 86 | !crc| ?
7304704 | 7305696 | Rdr | 52 | | WUPA
7306932 | 7309300 | Tag | 04 00 | |
7311744 | 7314208 | Rdr | 93 20 | | ANTICOLL
7315380 | 7321204 | Tag | bc 6d d7 1d 1b | |
7323520 | 7333984 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
7335220 | 7338740 | Tag | 08 b6 dd | |
7340288 | 7345056 | Rdr | 61 00 2d 62 | | AUTH-B(0)
7346996 | 7351732 | Tag | 91 2e 93 19 | |
7360640 | 7369952 | Rdr | 3d e4! e0! 35 af 7d! 87 32! | !crc| ?
7371188 | 7375924 | Tag | a0! 5c 96 00! | |
7381888 | 7386592 | Rdr | c3 04! 4f dc! | !crc| ?
7388596 | 7391028 | Tag | 30! e1! | |
7495168 | 7499872 | Rdr | d0 81! 72 3c | !crc| ?
7635328 | 7636320 | Rdr | 52 | | WUPA
7637556 | 7639924 | Tag | 04 00 | |
7642368 | 7644832 | Rdr | 93 20 | | ANTICOLL
7646004 | 7651828 | Tag | bc 6d d7 1d 1b | |
7654144 | 7664608 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
7665844 | 7669364 | Tag | 08 b6 dd | |
7670912 | 7675680 | Rdr | 61 00 2d 62 | | AUTH-B(0)
7677620 | 7682356 | Tag | 91 2e 93 19 | |
7691264 | 7700576 | Rdr | 3d e4! e0! 35 af 7d! 87 32! | !crc| ?
8062080 | 8066784 | Rdr | 8c! ea 5e 9d! | !crc| ?
8068020 | 8068660 | Tag | 05! | |
8306176 | 8310944 | Rdr | 1a! a0! 2c c7 | !crc| AUTH
8446336 | 8447328 | Rdr | 52 | | WUPA
8448564 | 8450932 | Tag | 04 00 | |
8453376 | 8455840 | Rdr | 93 20 | | ANTICOLL
8457204 | 8457844 | Tag | 01 | |
8460416 | 8470880 | Rdr | 93 70 01 00 00 00 01 51 c3 | | SELECT_UID
8708736 | 8713504 | Rdr | 48 58! 45! b2! | !crc| ?
8848896 | 8849888 | Rdr | 52 | | WUPA
8851124 | 8853492 | Tag | 04 00 | |
8855936 | 8858400 | Rdr | 93 20 | | ANTICOLL
8859572 | 8865396 | Tag | bc 6d d7 1d 1b | |
8867712 | 8878176 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
8879412 | 8882932 | Tag | 08 b6 dd | |
8884480 | 8889248 | Rdr | 61 00 2d 62 | | AUTH-B(0)
8891188 | 8895924 | Tag | 91 2e 93 19 | |
8904832 | 8914144 | Rdr | 3d e4! e0! 35 af 7d! 87 32! | !crc| ?
8915380 | 8920116 | Tag | a0! 5c 96 00! | |
8926080 | 8930784 | Rdr | c3 04! 4f dc! | !crc| ?
8932788 | 8937524 | Tag | 30! e1! 9c f4 | |
-97152 | -92384 | Rdr | 50 00 57 cd | | HALT
43008 | 44000 | Rdr | 52 | | WUPA
45236 | 47604 | Tag | 04 00 | |
50048 | 52512 | Rdr | 93 20 | | ANTICOLL
53684 | 59508 | Tag | bc 6d d7 1d 1b | |
61824 | 72288 | Rdr | 93 70 bc 6d d7 1d 1b f2 6a | | SELECT_UID
73524 | 77044 | Tag | 08 b6 dd | |
78720 | 83424 | Rdr | 60 00 f5 7b | | AUTH-A(0)
85428 | 90164 | Tag | 09 34 2a ae | |
99072 | 108384 | Rdr | 2b c7! fb! 21! a8 36! 0d! 62! | !crc| ?
109620 | 114356 | Tag | 03 51! e4 0f! | |
Log for hf 14a read and hf mf nested
first "iso14443a card select failed" caused by myself, as I forget to put card above
Wish helpful
Offline
For hf mf mifare, I can't get the trace log, as the board die!
But during the test, a short log got
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-08-16 18:49:55
os: master/v2.2.0-57-g9dd0ac5-suspect 2015-09-11 17:25:02
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 167318 bytes (64%). Free: 94826 bytes (36%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
#db# Debug level: 3
#db# ISO14443A Timeout set to 1050 (9ms)
#db# calibrating in cycle 1. nt_distance=26143, Sync_cycles: 39393
#db# calibrating in cycle 2. nt_distance=31650, Sync_cycles: 7743
#db# calibrating in cycle 3. nt_distance=21750, Sync_cycles: -14007
Sending bytes to proxmark failed
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Offline
@piwi @iceman any other tests required? If so, let me know, happy to contribute with the community!
Offline
@bigboyq, not needed, @piwi found the loop which causes the WDT to reset the board during "hf mf mifare".
I'm quite sure he is working on a fix as we speak, once its done you can test to see if it solved your problem.
Offline
@iceman from what you and piwi talked, the problem caused by "slow PRNG"(I can't actually know the meaning, may be PRNG sequence is too short or too long), and "hf mf nested" could handle with it, but "hf mf mifare" failed:)
Offline
"hf mf nested" works weather or not PRNG is slow. You can see it in your output.
"hf mf mifare" has a bug "WDT hits when sync_cycles is negative", which will be fixed.
We have to see after it is fixed if the slow PRNG is an issue for "hf mf mifare".
Offline
I'm quite sure he is working on a fix as we speak, once its done you can test to see if it solved your problem.
Unfortunately not. I am currently on a hiking tour (without my Proxmark). Will fix when I am back.
We have to see after it is fixed if the slow PRNG is an issue for "hf mf mifare".
I am quite sure that it will remain an issue. Thinking about it while hiking...
Offline
Enjoy your hike!
About the slow issue, the dist_nt is calced so its not dependent on the actual speed on the PRNG?
Offline
I have pushed a fix to master. It will not find a key (yet), but should exit gracefully throwing an error message instead of resetting.
@bigboyq: Can you please post another debugging output (with hf mf dbg 3) with this new version?
Offline
@piwi Sorry for I am on vacation now. I will have a test after I back, the time should be around 10-5
Give you feedback then.
If additional test required, let me know.
Offline
@bigboyq: no problem. Enjoy your vacation.
Are there any others out there which had experienced the reset bug with specific cards?
Offline
@piwi, I just back, As I have upgraded my system from Yosemite to EI, spend quite a lot of time on reinstalling the compile environment, finally, the home-brew environment have done, but the MacPorts environment is compiling arm-none-wabi-gcc, and qt4-mac is still not support OS X EI, I am not sure MacPorts can work properly in the EI captain.(As I have two Mac working together).
Offline
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-08-16 18:49:55
os: master/v2.2.0-58-gdfb387b-dirty-suspect 2015-10-04 15:51:41
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 167529 bytes (64). Free: 94615 bytes (36).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
#db# Debug level: 3
#db# ISO14443A Timeout set to 1050 (9ms)
#db# calibrating in cycle 1. nt_distance=26143, Sync_cycles: 39393
#db# calibrating in cycle 2. nt_distance=-10813, Sync_cycles: 50206
#db# calibrating in cycle 3. nt_distance=-20365, Sync_cycles: 70571
#db# calibrating in cycle 4. nt_distance=31187, Sync_cycles: 39384
#db# calibrating in cycle 5. nt_distance=-6795, Sync_cycles: 46179
#db# calibrating in cycle 6. nt_distance=8588, Sync_cycles: 37591
#db# calibrating in cycle 7. nt_distance=9455, Sync_cycles: 28136
#db# calibrating in cycle 8. nt_distance=-1659, Sync_cycles: 29795
#db# calibrating in cycle 9. nt_distance=-10868, Sync_cycles: 40663
#db# calibrating in cycle 10. nt_distance=-2961, Sync_cycles: 43624
#db# calibrating in cycle 11. nt_distance=-23322, Sync_cycles: 66946
#db# calibrating in cycle 12. nt_distance=-17174, Sync_cycles: 84120
#db# calibrating in cycle 13. nt_distance=6646, Sync_cycles: 77474
#db# calibrating in cycle 14. nt_distance=-29942, Sync_cycles: 107416
#db# calibrating in cycle 15. nt_distance=-32330, Sync_cycles: 139746
#db# calibrating in cycle 16. nt_distance=-30454, Sync_cycles: 170200
#db# Lost sync in cycle 30. nt_distance=18. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 31. nt_distance=22. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 32. nt_distance=29. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 33. nt_distance=23. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 34. nt_distance=19. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 35. nt_distance=34. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 36. nt_distance=22. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 37. nt_distance=20. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 38. nt_distance=27. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 39. nt_distance=23. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 40. nt_distance=26. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 41. nt_distance=9. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 44. nt_distance=1. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 46. nt_distance=6. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 47. nt_distance=8. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 48. nt_distance=16. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 49. nt_distance=12. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 50. nt_distance=11. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 51. nt_distance=17. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 52. nt_distance=29. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 53. nt_distance=22. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 54. nt_distance=31. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 55. nt_distance=31. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 56. nt_distance=17. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 57. nt_distance=36. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 58. nt_distance=26. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 59. nt_distance=19. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 60. nt_distance=23. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 61. nt_distance=27. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 62. nt_distance=23. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 63. nt_distance=25. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 64. nt_distance=22. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 65. nt_distance=22. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 66. nt_distance=25. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 67. nt_distance=19. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 68. nt_distance=20. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 69. nt_distance=31. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 70. nt_distance=28. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 71. nt_distance=32. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 72. nt_distance=23. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 73. nt_distance=21. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 74. nt_distance=23. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 75. nt_distance=32. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 76. nt_distance=26. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 77. nt_distance=32. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 78. nt_distance=22. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 79. nt_distance=21. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 80. nt_distance=21. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 81. nt_distance=36. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 82. nt_distance=33. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 83. nt_distance=20. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 84. nt_distance=22. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 85. nt_distance=23. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 86. nt_distance=23. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 87. nt_distance=20. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 88. nt_distance=26. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 89. nt_distance=31. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 90. nt_distance=18. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 91. nt_distance=30. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 92. nt_distance=32. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 93. nt_distance=19. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 94. nt_distance=33. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 95. nt_distance=34. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 96. nt_distance=22. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 97. nt_distance=21. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 98. nt_distance=31. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 99. nt_distance=23. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 100. nt_distance=21. Consecutive Resyncs = 0. Trying one time catch up...
……………
#db# Lost sync in cycle 2800. nt_distance=-33. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 2801. nt_distance=10957. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2802. nt_distance=-32. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2803. nt_distance=-32. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 2804. nt_distance=-32. Consecutive Resyncs = 2. Trying one time catch up...
#db# Lost sync in cycle 2805 for the fourth time consecutively (nt_distance = -32). Adjusting sync_cycles to 178287.
#db# Lost sync in cycle 2806 for the fourth time consecutively (nt_distance = -32). Adjusting sync_cycles to 178319.
#db# Lost sync in cycle 2807. nt_distance=-31. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2808. nt_distance=-15. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2809. nt_distance=-32. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2810. nt_distance=-32. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 2811. nt_distance=-32. Consecutive Resyncs = 2. Trying one time catch up...
#db# Lost sync in cycle 2812. nt_distance=-37. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2813. nt_distance=-35. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2814. nt_distance=-45. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2815. nt_distance=-36. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2816. nt_distance=-40. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2817. nt_distance=-49. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2818. nt_distance=-49. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 2819. nt_distance=-35. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2820. nt_distance=-32. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2821. nt_distance=-32. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 2822. nt_distance=-32. Consecutive Resyncs = 2. Trying one time catch up...
#db# Lost sync in cycle 2823 for the fourth time consecutively (nt_distance = -32). Adjusting sync_cycles to 178351.
#db# Lost sync in cycle 2824 for the fourth time consecutively (nt_distance = -32). Adjusting sync_cycles to 178383.
#db# Lost sync in cycle 2825 for the fourth time consecutively (nt_distance = -32). Adjusting sync_cycles to 178415.
#db# Lost sync in cycle 2826 for the fourth time consecutively (nt_distance = -32). Adjusting sync_cycles to 178447.
#db# Lost sync in cycle 2827 for the fourth time consecutively (nt_distance = -32). Adjusting sync_cycles to 178479.
#db# Lost sync in cycle 2828 for the fourth time consecutively (nt_distance = -32). Adjusting sync_cycles to 178511.
#db# Lost sync in cycle 2829 for the fourth time consecutively (nt_distance = -32). Adjusting sync_cycles to 178543.
#db# Lost sync in cycle 2830. nt_distance=-9. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2831. nt_distance=-11. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2832. nt_distance=-10. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2833. nt_distance=38. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2834. nt_distance=36. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2835. nt_distance=31. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2836. nt_distance=36. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2837. nt_distance=41. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2838. nt_distance=58. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2839. nt_distance=58. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 2840. nt_distance=58. Consecutive Resyncs = 2. Trying one time catch up...
#db# Lost sync in cycle 2841. nt_distance=56. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2842. nt_distance=58. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 2843. nt_distance=58. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 2844. nt_distance=58. Consecutive Resyncs = 2. Trying one time catch up...
#db# Lost sync in cycle 2845 for the fourth time consecutively (nt_distance = 58). Adjusting sync_cycles to 178485.
#db# Lost sync in cycle 2846. nt_distance=43. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
…..
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
Button pressed. Aborted.Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-08-16 18:49:55
os: master/v2.2.0-58-gdfb387b-dirty-suspect 2015-10-04 15:51:41
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 167529 bytes (64). Free: 94615 bytes (36).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
#db# Debug level: 3
Usage:
all sectors: hf mf nested <card memory> <block number> <key A/B> <key (12 hex symbols)> [t,d]
one sector: hf mf nested o <block number> <key A/B> <key (12 hex symbols)>
<target block number> <target key A/B> [t]
card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K
t - transfer keys into emulator memory
d - write keys to binary filesample1: hf mf nested 1 0 A FFFFFFFFFFFF
sample2: hf mf nested 1 0 A FFFFFFFFFFFF t
sample3: hf mf nested 1 0 A FFFFFFFFFFFF d
sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A
Testing known keys. Sector count=16
#db# Multiple tags detected. Collision after Bit 3
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
nested...
-----------------------------------------------
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# Nested: Can't select card
#db# Nested: calibrating... ntdist=160
#db# Nested: calibrating... ntdist=160
#db# rtr=17 isOK=0 min=160 max=160 avg=160, delta_time=2600
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nonce#1: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#1: valid, ntdist=160
#db# Nonce#2: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nested: Auth2 error len=5
#db# Nonce#2: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=912e9319 nt2enc=30e19cf4 nt2par=20
#db# Nonce#2: dismissed (= nonce#1), ntdist=160
#db# Nonce#2: Testing nt1=b55bf37c nt2enc=c12993e5 nt2par=90
#db# Nonce#2: valid, ntdist=160
#db# NESTED FINISHED
uid:bc6dd71d trgbl=0 trgkey=0
Found valid key:000000008553
-----------------------------------------------
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nonce#1: Testing nt1=7e42bd50 nt2enc=4d2b4e1f nt2par=20
#db# Nonce#1: valid, ntdist=160
#db# Nonce#1: dismissed (ambigous), ntdist=162
#db# Nonce#1: Testing nt1=13ea8502 nt2enc=825c2b9a nt2par=c0
#db# Nonce#1: valid, ntdist=159
#db# Nonce#1: dismissed (ambigous), ntdist=160
#db# Nonce#1: Testing nt1=3fa15e28 nt2enc=ba7bc79f nt2par=50
#db# Nonce#1: valid, ntdist=160
#db# Nonce#2: Testing nt1=a15e2800 nt2enc=612dabad nt2par=b0
#db# Nonce#2: valid, ntdist=160
#db# NESTED FINISHED
uid:bc6dd71d trgbl=4 trgkey=0
Found valid key:000000008553
-----------------------------------------------
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nonce#1: Testing nt1=766b9ecf nt2enc=f18ee7bd nt2par=c0
#db# Nonce#1: valid, ntdist=159
#db# Nonce#1: dismissed (ambigous), ntdist=160
#db# Nonce#1: Testing nt1=5bf37cb6 nt2enc=aff20a7e nt2par=e0
#db# Nonce#1: valid, ntdist=160
#db# Nonce#2: Testing nt1=e6f96c3f nt2enc=f1cae552 nt2par=d0
#db# Nonce#2: valid, ntdist=160
#db# NESTED FINISHED
uid:bc6dd71d trgbl=8 trgkey=0
Found valid key:000000008553
-----------------------------------------------
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nonce#1: Testing nt1=f96c3fa1 nt2enc=ca2b0080 nt2par=a0
#db# Nonce#1: valid, ntdist=160
#db# Nonce#2: Testing nt1=f3d97e42 nt2enc=ad856ab7 nt2par=d0
#db# Nonce#2: valid, ntdist=160
#db# NESTED FINISHED
uid:bc6dd71d trgbl=12 trgkey=0
Found valid key:000000008553
-----------------------------------------------
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nonce#1: Testing nt1=67fb09f5 nt2enc=665ae303 nt2par=f0
#db# Nonce#1: valid, ntdist=160
#db# Nonce#1: dismissed (ambigous), ntdist=161
#db# Nonce#1: Testing nt1=d97e42bd nt2enc=078b258e nt2par=00
#db# Nonce#1: valid, ntdist=160
#db# Nonce#2: Testing nt1=9fed27d4 nt2enc=e2b5dc3f nt2par=80
#db# Nonce#2: valid, ntdist=160
#db# NESTED FINISHED
uid:bc6dd71d trgbl=16 trgkey=0
Found valid key:000000008553
-----------------------------------------------
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nonce#1: Testing nt1=3fa15e28 nt2enc=5d1e6483 nt2par=90
#db# Nonce#1: valid, ntdist=160
#db# Nonce#2: Testing nt1=a15e2800 nt2enc=964c0f1a nt2par=10
#db# Nonce#2: valid, ntdist=160
#db# NESTED FINISHED
uid:bc6dd71d trgbl=20 trgkey=0
Found valid key:ffffffffffff
-----------------------------------------------
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nonce#1: Testing nt1=ed27d40b nt2enc=aedb3fcd nt2par=b0
#db# Nonce#1: valid, ntdist=158
#db# Nonce#1: dismissed (ambigous), ntdist=160
#db# Nonce#1: Testing nt1=fd847aa1 nt2enc=75d123f0 nt2par=d0
#db# Nonce#1: valid, ntdist=160
#db# Nonce#2: Testing nt1=6c3fa15e nt2enc=70bd9ade nt2par=d0
#db# Nonce#2: valid, ntdist=160
#db# Nonce#2: dismissed (ambigous), ntdist=161
#db# Nonce#2: Testing nt1=4fa8170a nt2enc=97ed1737 nt2par=f0
#db# Nonce#2: valid, ntdist=160
#db# NESTED FINISHED
uid:bc6dd71d trgbl=20 trgkey=1
Found valid key:ffffffffffff
-----------------------------------------------
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nonce#1: Testing nt1=42bd5000 nt2enc=2c193cf2 nt2par=b0
#db# Nonce#1: valid, ntdist=159
#db# Nonce#1: dismissed (ambigous), ntdist=160
#db# Nonce#1: Testing nt1=7e42bd50 nt2enc=ba9ca8d9 nt2par=b0
#db# Nonce#1: valid, ntdist=160
#db# Nonce#1: dismissed (ambigous), ntdist=162
#db# Nonce#1: Testing nt1=f5420130 nt2enc=64929607 nt2par=d0
#db# Nonce#1: valid, ntdist=160
#db# Nonce#2: Testing nt1=9f502f14 nt2enc=2e5b8fc1 nt2par=60
#db# Nonce#2: valid, ntdist=158
#db# Nonce#2: dismissed (ambigous), ntdist=160
#db# Nonce#2: Testing nt1=3fa15e28 nt2enc=5d1e6483 nt2par=90
#db# Nonce#2: valid, ntdist=160
#db# NESTED FINISHED
uid:bc6dd71d trgbl=28 trgkey=0
Found valid key:ffffffffffff
-----------------------------------------------
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Nonce#1: Testing nt1=3c9fed27 nt2enc=a0c5e73b nt2par=70
#db# Nonce#1: valid, ntdist=160
#db# Nonce#2: Testing nt1=b3fd847a nt2enc=c075073c nt2par=50
#db# Nonce#2: valid, ntdist=159
#db# Nonce#2: dismissed (ambigous), ntdist=160
#db# Nonce#2: Testing nt1=cf67fb09 nt2enc=6881c1f2 nt2par=90
#db# Nonce#2: valid, ntdist=160
#db# Nonce#2: dismissed (ambigous), ntdist=161
#db# Nonce#2: Testing nt1=cf67fb09 nt2enc=6881c1f2 nt2par=90
#db# Nonce#2: valid, ntdist=160
#db# Nonce#2: dismissed (ambigous), ntdist=161
#db# Nonce#2: Testing nt1=9ecff613 nt2enc=d0a26361 nt2par=c0
#db# Nonce#2: valid, ntdist=160
#db# NESTED FINISHED
uid:bc6dd71d trgbl=44 trgkey=0
Found valid key:ffffffffffff
-----------------------------------------------
Iterations count: 9|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| 000000008553 | 1 | ffffffffffff | 1 |
|001| 000000008553 | 1 | ffffffffffff | 1 |
|002| 000000008553 | 1 | ffffffffffff | 1 |
|003| 000000008553 | 1 | ffffffffffff | 1 |
|004| 000000008553 | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
As too many repeats, I eliminated some, using .... instead.
#db# Mifare: Can't select card Due to I removed the card
And aborted manually by press the button on the board
The auto reset problem resolved, but still not working on mifare command
works fine with "hf mf nested"
Offline
You need to test it with debug level 0.
Offline
do you think communicate by hangouts or wechat might be more convenient?
@iceman @piwi
Last edited by bigboyq (2015-10-04 18:35:23)
Offline
@iceman by dbg 0, auto reset again
Just as before, no error, no warning, just 16 dot, reset
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-08-16 18:49:55
os: master/v2.2.0-58-gdfb387b-dirty-suspect 2015-10-04 15:51:41
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54
uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 167529 bytes (64). Free: 94615 bytes (36).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf mf dbg 3
#db# Debug level: 3
proxmark3> hf mf dbg 2
#db# Debug level: 2
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
....................................
Last edited by bigboyq (2015-10-04 18:34:54)
Offline
Well thats not too bad. It "nearly" synced to 170200 cycles which is about 3 times as amuch as usual.
On the downside: 1) the resync in the following cycles didn't work for some reason. And 2) still resetting with hf mf dbg other than 3?
Still some work to do...
Any chance that you can send me this card?
Offline
@piwi I am living in China, how long should the card be delivered? Ha
I guess the resync procedure of the nested command working properly, how about copy that one?
Offline
Well thats not too bad. It "nearly" synced to 170200 cycles which is about 3 times as amuch as usual.
On the downside: 1) the resync in the following cycles didn't work for some reason. And 2) still resetting with hf mf dbg other than 3?
Still some work to do...
Any chance that you can send me this card?
Reset also, as mentioned
Offline
Nested doesn't sync. It fixes the time between first and nested authentication to a more or less arbitrary time. The nonce distance between the first (unencrypted) and the second (encrypted) tag nonce will then be the same, I.e. we can guess the second tag nonce no matter what the first nonce was.
In hf mf mifare we need to force the tag to send the same tag nonce every time in order to try different reader responses. I.e. we need to determine the time when the PRNG starts over (repeats) and then send authentication requests at this interval.
Offline
@piwi
More tests have be done
#db# calibrating in cycle 199. nt_distance=16335, Sync_cycles: 72007
#db# collected debug info[0] = 18701
#db# collected debug info[1] = -6300
#db# collected debug info[2] = 1
#db# collected debug info[3] = -7
#db# collected debug info[4] = 2
#db# collected debug info[5] = -2
#db# collected debug info[6] = -11
#db# collected debug info[7] = 10
#db# collected debug info[8] = 1
#db# collected debug info[9] = -10
#db# collected debug info[10] = 4
#db# collected debug info[11] = 4
#db# collected debug info[12] = -2
#db# collected debug info[13] = 4
#db# collected debug info[14] = -6
#db# collected debug info[15] = 1
The card's random number generator is vulnerable but behaves somewhat weird (Mifare clone?). This needs to be fixed.
Offline
@piwi, And one more funny thing is, No matter how long the Sync_cycles will be, the nt_distance will be the same.
Such as
#db# Lost sync in cycle 5769. nt_distance=-97. Consecutive Resyncs = 0. T rying one time catch up...
#db# Lost sync in cycle 5770. nt_distance=-97. Consecutive Resyncs = 1. T rying one time catch up...
#db# Lost sync in cycle 5771. nt_distance=-97. Consecutive Resyncs = 2. T rying one time catch up...
#db# Lost sync in cycle 5772 for the fourth time consecutively (nt_distan ce = -97). Adjusting sync_cycles to 15416.
#db# Lost sync in cycle 5773 for the fourth time consecutively (nt_distan ce = -97). Adjusting sync_cycles to 15513.
#db# Lost sync in cycle 5774 for the fourth time consecutively (nt_distan ce = -97). Adjusting sync_cycles to 15610.
..........#db# Lost sync in cycle 15985 for the fourth time consecutively (nt_distance = -97). Adjusting sync_cycles to 298283.
#db# Lost sync in cycle 15986 for the fourth time consecutively (nt_distance = -97). Adjusting sync_cycles to 298380.
#db# Lost sync in cycle 15987 for the fourth time consecutively (nt_distance = -97). Adjusting sync_cycles to 298477.
#db# Lost sync in cycle 15988 for the fourth time consecutively (nt_distance = -97). Adjusting sync_cycles to 298574.
#db# Lost sync in cycle 15989 for the fourth time consecutively (nt_distance = -97). Adjusting sync_cycles to 298671.
#db# Lost sync in cycle 15990 for the fourth time consecutively (nt_distance = -97). Adjusting sync_cycles to 298768.
#db# Lost sync in cycle 15991 for the fourth time consecutively (nt_distance = -97). Adjusting sync_cycles to 298865.
May be change the nt_attacked is more effective than change the sync_cycles?
Quite poor card I got, haha
I think u could leave a mailbox, I can sent you some detailed log.
Offline
Hmmm. That would imply that the PRNG stops instead of running all the time. Let me fix a few bugs with the synchronization piece (still resetting) and then lets have a closer look.
Offline
If that can be of any help here, I did a test using 2 different proxmark flashed with the same bootrom/fullimage and attacking the same mifare card.
First proxmark, from Rysccorp running a 256kB rev B Atmel, printed 1 dot and rebooted.
Second proxmark, from elechouse.com running a 512kB Atmel processor printed several dots before exiting the loop with the new error message and no reboot.
Another difference between the 2 proxmark units are the antennas of course (~13 volts for the first unit and more than 20 volts for the second). I also see a lot of slow downs with the first proxmark: I have to wait more than 5 seconds after entering "hf mf mifare" command and before the proxmark actually does something). And people seem to experience even more issues with older CPU (e.g. rev. A).
Offline
Either that there is an issue with the revision, or that we might have a mem-leak on the device side...
Offline
Hmmm. That would imply that the PRNG stops instead of running all the time. Let me fix a few bugs with the synchronization piece (still resetting) and then lets have a closer look.
A few days not hearing from you, any news? Or any tests I can do? Ha
Offline
I just pushed another commit to master. The watchdog reset should be finally fixed now (hopefully). In addition I have added a few more tests which are carried out when debugging. Looking forward to see the results with your card.
Offline
With piwi's latest commit, the old tags gets cracked, the tags with problems is magic and modern.
But so far no WDR or endless loops.. Which is good.
---
--- Mifare 4k S70 - MAGIC.
---
pm3 --> hf 14a re
UID : 01 02 03 04
ATQA : 00 02
SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1
SAK incorrectly claims that card doesn't support RATS
ATS : 09 78 00 91 02 DA BC 19 10 F0 05
- TL : length is 9 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are supported, DR: [], DS: []
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 9 (FWT = 2097152/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : DA BC 19 10
Answers to chinese magic backdoor commands: NO
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
....#db# Mifare: Can't select card
....
Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.
---
--- Mifare 1k S50 - MAGIC GEN1.
---
pm3 --> hf 14a re
UID : 11 22 33 44
ATQA : 00 44
SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....................
Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).
---
--- Mifare 1K S50 - 7byte UID
pm3 --> hf 14a re
UID : 04 9D xx xx xx xx xx
ATQA : 00 44
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...
Card is not vulnerable to Darkside attack (its random number generator is not predictable).
Offline
Like the previous commit this isn't meant to break more cards than before. It just should fix the watchdog reset bug.
However, I have added some additional debugging routines. If you set hf mf dbg 3 and then run hf mf mifare and it would abort with the "... unexpected behaviour" message, then it should print a table of nonce distances. With your examples this should be the case with the Generation 2 Magic Card. I have one of these cards too but I don't see a pattern yet to predict its random numbers. It seems to emit the same range of random numbers like the classic card (i.e. the same 2^16 different numbers only) but in another order. Maybe an ASG?
bigboyq's card seems to be another type and I hope to get something out of the additional debugging print.
Offline
I just fetched up-to-date code, and complied by my Mac
Just wondering whether I can flash the board with the image compiled by the Mac? Any one have done that before, I haven't done before and be aware of my board become bricks....
I will done the test while my board was updated. It might be done by 11:00AM China, or 22:00 China tomorrow, depends on whether the image could be flashed by windows
Anyone could answer my question? Thanks
Offline
This could be nothing, but I just realised that when we run "hf mf mifare", the trace is set on, which would be eating up a lot of memory as long as the execution of the command goes. Question: Do we need tracing to be on for this command?
Offline
Doesn't hurt.
Offline
If you want to look at the extra log for the s70 magic,
Offline
@iceman @piwi
Done some tests, the board still reset randomly,firstly, give an example which might be expected by piwi
Ignore the output of the last line, as my proxmark3.exe still at the version of 2.2.0, I know the last output was changed in the updated version.
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-08-16 18:49:55
os: master/v2.2.0-59-g8c6b229-suspect 2015-10-11 15:18:49
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54
uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 168046 bytes (64%). Free: 94098 bytes (36%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
#db# Debug level: 3
#db# ISO14443A Timeout set to 1050 (9ms)
#db# calibrating in cycle 1. nt_distance=26143, elapsed_prng_sequences=1, new sync_cycles: 39393
#db# calibrating in cycle 2. nt_distance=31970, elapsed_prng_sequences=3, new sync_cycles: 28737
#db# calibrating in cycle 3. nt_distance=-18177, elapsed_prng_sequences=4, new sync_cycles: 33281
#db# calibrating in cycle 4. nt_distance=-26016, elapsed_prng_sequences=2, new sync_cycles: 46289
#db# calibrating in cycle 5. nt_distance=8896, elapsed_prng_sequences=2, new sync_cycles: 41841
#db# calibrating in cycle 6. nt_distance=4832, elapsed_prng_sequences=1, new sync_cycles: 37009
#db# calibrating in cycle 7. nt_distance=30272, elapsed_prng_sequences=1, new sync_cycles: 6737
#db# calibrating in cycle 8. nt_distance=-25984, elapsed_prng_sequences=16, new sync_cycles: 8361
#db# calibrating in cycle 9. nt_distance=-11232, elapsed_prng_sequences=11, new sync_cycles: 9382
#db# calibrating in cycle 10. nt_distance=-1068, elapsed_prng_sequences=5, new sync_cycles: 9595
#db# calibrating in cycle 11. nt_distance=12820, elapsed_prng_sequences=2, new sync_cycles: 3185
#db# calibrating in cycle 12. nt_distance=-15912, elapsed_prng_sequences=16, new sync_cycles: 4179
#db# calibrating in cycle 13. nt_distance=-7384, elapsed_prng_sequences=14, new sync_cycles: 4706
#db# calibrating in cycle 14. nt_distance=1564, elapsed_prng_sequences=7, new sync_cycles: 4483
#db# calibrating in cycle 15. nt_distance=10596, elapsed_prng_sequences=4, new sync_cycles: 1834
#db# calibrating in cycle 16. nt_distance=-5348, elapsed_prng_sequences=24, new sync_cycles: 2056
#db# calibrating in cycle 17. nt_distance=-5384, elapsed_prng_sequences=13, new sync_cycles: 2470
#db# calibrating in cycle 18. nt_distance=1016, elapsed_prng_sequences=11, new sync_cycles: 2378
#db# calibrating in cycle 19. nt_distance=1712, elapsed_prng_sequences=6, new sync_cycles: 2093
#db# calibrating in cycle 20. nt_distance=1676, elapsed_prng_sequences=8, new sync_cycles: 1884
#db# calibrating in cycle 21. nt_distance=1084, elapsed_prng_sequences=9, new sync_cycles: 1764
#db# calibrating in cycle 22. nt_distance=-4160, elapsed_prng_sequences=8, new sync_cycles: 2284
#db# calibrating in cycle 23. nt_distance=-2655, elapsed_prng_sequences=10, new sync_cycles: 2549
#db# calibrating in cycle 24. nt_distance=8547, elapsed_prng_sequences=8, new sync_cycles: 1481
#db# calibrating in cycle 25. nt_distance=-5040, elapsed_prng_sequences=25, new sync_cycles: 1682
#db# calibrating in cycle 26. nt_distance=1924, elapsed_prng_sequences=16, new sync_cycles: 1562
#db# calibrating in cycle 27. nt_distance=-800, elapsed_prng_sequences=11, new sync_cycles: 1634
#db# calibrating in cycle 28. nt_distance=-2720, elapsed_prng_sequences=8, new sync_cycles: 1974
#db# calibrating in cycle 29. nt_distance=3152, elapsed_prng_sequences=10, new sync_cycles: 1659
#db# calibrating in cycle 30. nt_distance=-4300, elapsed_prng_sequences=12, new sync_cycles: 2017
#db# calibrating in cycle 31. nt_distance=3288, elapsed_prng_sequences=12, new sync_cycles: 1743
#db# calibrating in cycle 32. nt_distance=-1032, elapsed_prng_sequences=12, new sync_cycles: 1829
#db# Lost sync in cycle 37. nt_distance=1. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 39. nt_distance=1. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 56. nt_distance=1. Consecutive Resyncs = 1. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 81. nt_distance=1. Consecutive Resyncs = 1. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 179. nt_distance=8905. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 199. nt_distance=-736. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 208. nt_distance=-736. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 222. nt_distance=-736. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 246. nt_distance=1. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 257. nt_distance=1. Consecutive Resyncs = 1. Trying one time catch up...
#db# Mifare: Can't select card
#db# Lost sync in cycle 261. nt_distance=-736. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Couldn't receive tag nonce
#db# Mifare: Can't select card
#db# Lost sync in cycle 286. nt_distance=5. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 300. nt_distance=-736. Consecutive Resyncs = 0. Trying one time catch up...
Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).
another example is the board keep on going
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-08-16 18:49:55
os: master/v2.2.0-59-g8c6b229-suspect 2015-10-11 15:18:49
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54
uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 168046 bytes (64%). Free: 94098 bytes (36%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
#db# ISO14443A Timeout set to 1050 (9ms)
UID : bc 6d d7 1d
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
#db# ISO14443A Timeout set to 1050 (9ms)
#db# calibrating in cycle 1. nt_distance=747, elapsed_prng_sequences=1, new sync_cycles: 64789
#db# calibrating in cycle 2. nt_distance=-4012, elapsed_prng_sequences=1, new sync_cycles: 68801
#db# calibrating in cycle 3. nt_distance=-23728, elapsed_prng_sequences=1, new sync_cycles: 92529
#db# calibrating in cycle 4. nt_distance=-13570, elapsed_prng_sequences=1, new sync_cycles: 106099
#db# calibrating in cycle 5. nt_distance=-19061, elapsed_prng_sequences=1, new sync_cycles: 125160
#db# calibrating in cycle 6. nt_distance=9620, elapsed_prng_sequences=1, new sync_cycles: 115540
#db# calibrating in cycle 7. nt_distance=10769, elapsed_prng_sequences=1, new sync_cycles: 104771
#db# calibrating in cycle 8. nt_distance=8315, elapsed_prng_sequences=1, new sync_cycles: 96456
#db# calibrating in cycle 9. nt_distance=-3500, elapsed_prng_sequences=1, new sync_cycles: 99956
#db# calibrating in cycle 10. nt_distance=7249, elapsed_prng_sequences=1, new sync_cycles: 92707
#db# calibrating in cycle 11. nt_distance=-9061, elapsed_prng_sequences=1, new sync_cycles: 101768
#db# calibrating in cycle 12. nt_distance=14164, elapsed_prng_sequences=1, new sync_cycles: 87604
#db# calibrating in cycle 13. nt_distance=12329, elapsed_prng_sequences=1, new sync_cycles: 75275
#db# Mifare: Couldn't receive tag nonce
#db# calibrating in cycle 15. nt_distance=28674, elapsed_prng_sequences=1, new sync_cycles: 46601
#db# Multiple tags detected. Collision after Bit 1
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# calibrating in cycle 27. nt_distance=3440, elapsed_prng_sequences=6, new sync_cycles: 46028
#db# calibrating in cycle 28. nt_distance=-2383, elapsed_prng_sequences=1, new sync_cycles: 48411
#db# Mifare: Couldn't receive tag nonce
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Multiple tags detected. Collision after Bit 1
#db# Mifare: Couldn't receive tag nonce
#db# calibrating in cycle 34. nt_distance=22705, elapsed_prng_sequences=1, new sync_cycles: 25706
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Multiple tags detected. Collision after Bit 1
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# calibrating in cycle 54. nt_distance=32449, elapsed_prng_sequences=11, new sync_cycles: 22757
#db# calibrating in cycle 55. nt_distance=-5615, elapsed_prng_sequences=5, new sync_cycles: 23880
#db# calibrating in cycle 56. nt_distance=-3635, elapsed_prng_sequences=2, new sync_cycles: 25697
#db# calibrating in cycle 57. nt_distance=1603, elapsed_prng_sequences=1, new sync_cycles: 24094
#db# calibrating in cycle 58. nt_distance=18132, elapsed_prng_sequences=1, new sync_cycles: 5962
#db# calibrating in cycle 59. nt_distance=30319, elapsed_prng_sequences=11, new sync_cycles: 3206
#db# calibrating in cycle 60. nt_distance=-560, elapsed_prng_sequences=32, new sync_cycles: 3223
#db# calibrating in cycle 61. nt_distance=3460, elapsed_prng_sequences=4, new sync_cycles: 2358
#db# calibrating in cycle 62. nt_distance=-1956, elapsed_prng_sequences=9, new sync_cycles: 2575
#db# calibrating in cycle 63. nt_distance=5540, elapsed_prng_sequences=7, new sync_cycles: 1784
#db# calibrating in cycle 64. nt_distance=-1276, elapsed_prng_sequences=16, new sync_cycles: 1863
#db# calibrating in cycle 65. nt_distance=-2756, elapsed_prng_sequences=8, new sync_cycles: 2207
#db# calibrating in cycle 66. nt_distance=1568, elapsed_prng_sequences=9, new sync_cycles: 2033
#db# calibrating in cycle 67. nt_distance=456, elapsed_prng_sequences=8, new sync_cycles: 1976
#db# calibrating in cycle 68. nt_distance=-4100, elapsed_prng_sequences=6, new sync_cycles: 2659
#db# Mifare: Can't select card
#db# Mifare: Couldn't receive tag nonce
#db# Lost sync in cycle 80. nt_distance=-9425. Consecutive Resyncs = 0. Trying one time catch up...
#db# Multiple tags detected. Collision after Bit 5
#db# Mifare: Couldn't receive tag nonce
#db# Lost sync in cycle 82. nt_distance=-318. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 83. nt_distance=-28. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Couldn't receive tag nonce
#db# Lost sync in cycle 86. nt_distance=-66. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 87. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 88. nt_distance=-63. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 89. nt_distance=-63. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 90. nt_distance=-72. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 91. nt_distance=-66. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 92. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 93. nt_distance=-65. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Lost sync in cycle 95. nt_distance=-11. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 96. nt_distance=-11. Consecutive Resyncs = 1. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 103. nt_distance=-61. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 109. nt_distance=-67. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 110. nt_distance=-60. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 111. nt_distance=-60. Consecutive Resyncs = 1. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 114. nt_distance=-58. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 115. nt_distance=-58. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 116. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 117. nt_distance=-63. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 118. nt_distance=-66. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Multiple tags detected. Collision after Bit 4
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 129. nt_distance=-7. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 130. nt_distance=-67. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 131. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 132. nt_distance=-71. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 133. nt_distance=-58. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 134. nt_distance=-71. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 135. nt_distance=-60. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 136. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 137. nt_distance=-58. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 138. nt_distance=-58. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 139. nt_distance=-63. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 140. nt_distance=-65. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 141. nt_distance=-63. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 142. nt_distance=-66. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 143. nt_distance=-62. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 144. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 149. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 150. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 151. nt_distance=-58. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 152. nt_distance=-71. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 153. nt_distance=-62. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 154. nt_distance=-61. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Couldn't receive tag nonce
#db# Multiple tags detected. Collision after Bit 1
#db# Mifare: Can't select card
#db# Lost sync in cycle 157. nt_distance=-48. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 158. nt_distance=-3. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 159. nt_distance=-67. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 166. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 167. nt_distance=-60. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 168. nt_distance=-57. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 169. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 170. nt_distance=-59. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 173. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Multiple tags detected. Collision after Bit 9
#db# Mifare: Can't select card
#db# Lost sync in cycle 177. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 178. nt_distance=-71. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 179. nt_distance=-57. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Couldn't receive tag nonce
#db# Mifare: Can't select card
#db# Lost sync in cycle 182. nt_distance=-63. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 183. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 184. nt_distance=-60. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 185. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 186. nt_distance=-60. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 187. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 188. nt_distance=-66. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 189. nt_distance=-66. Consecutive Resyncs = 1. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 192. nt_distance=-64. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 193. nt_distance=-66. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 194. nt_distance=-58. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 195. nt_distance=-67. Consecutive Resyncs = 0. Trying one time catch up...
#db# Multiple tags detected. Collision after Bit 20
#db# Mifare: Can't select card
#db# Lost sync in cycle 197. nt_distance=-67. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 198. nt_distance=-67. Consecutive Resyncs = 2. Trying one time catch up...
#db# Lost sync in cycle 199. nt_distance=-61. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 200. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 201. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 202. nt_distance=-66. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 203. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 204. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 205. nt_distance=-67. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 206. nt_distance=-64. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 207. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 210. nt_distance=-58. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 211. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 212. nt_distance=-65. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 213. nt_distance=-71. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 214. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 215. nt_distance=-795. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 216. nt_distance=-60. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 217. nt_distance=-65. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 218. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 219. nt_distance=-69. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 220. nt_distance=4257. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 221. nt_distance=-72. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 222. nt_distance=-61. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Couldn't receive tag nonce
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 227. nt_distance=-60. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 228. nt_distance=-71. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 229. nt_distance=-66. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 230. nt_distance=-61. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 231. nt_distance=-71. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 232. nt_distance=-65. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 233. nt_distance=-64. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 234. nt_distance=-60. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 235. nt_distance=-801. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 236. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 237. nt_distance=-57. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 238. nt_distance=-790. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 242. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 243. nt_distance=-63. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 244. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 245. nt_distance=-67. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 246. nt_distance=-64. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 247. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Lost sync in cycle 249. nt_distance=-804. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Couldn't receive tag nonce
#db# Mifare: Can't select card
#db# Lost sync in cycle 252. nt_distance=-804. Consecutive Resyncs = 1. Trying one time catch up...
#db# Lost sync in cycle 253. nt_distance=-62. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 254. nt_distance=-72. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 255. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 258. nt_distance=-66. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 259. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 260. nt_distance=-803. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 261. nt_distance=-804. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 262. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 263. nt_distance=-60. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 264. nt_distance=-63. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 265. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 266. nt_distance=-71. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 267. nt_distance=-58. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 268. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Multiple tags detected. Collision after Bit 1
#db# Mifare: Can't select card
#db# Lost sync in cycle 270. nt_distance=-67. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 271. nt_distance=-62. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 272. nt_distance=-69. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 273. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 274. nt_distance=-60. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 275. nt_distance=-71. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 276. nt_distance=-57. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 277. nt_distance=-64. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 278. nt_distance=-61. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 279. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 280. nt_distance=-66. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 281. nt_distance=-63. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 282. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 283. nt_distance=-61. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 284. nt_distance=-67. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 285. nt_distance=-59. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 286. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 287. nt_distance=-798. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 288. nt_distance=-65. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 289. nt_distance=-65. Consecutive Resyncs = 1. Trying one time catch up...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Lost sync in cycle 292. nt_distance=-59. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 293. nt_distance=-63. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 294. nt_distance=-67. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 295. nt_distance=-59. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 296. nt_distance=-73. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Couldn't receive tag nonce
#db# Mifare: Can't select card
#db# Mifare: Couldn't receive tag nonce
#db# Mifare: Can't select card
#db# Lost sync in cycle 301. nt_distance=-59. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 302. nt_distance=-70. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 303. nt_distance=-57. Consecutive Resyncs = 0. Trying one time catch up...
#db# Mifare: Couldn't receive tag nonce
#db# Mifare: Can't select card
#db# Lost sync in cycle 306. nt_distance=-63. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 307. nt_distance=-56. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 308. nt_distance=-57. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 309. nt_distance=-62. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 310. nt_distance=-68. Consecutive Resyncs = 0. Trying one time catch up...
#db# Lost sync in cycle 311. nt_distance=-68. Consecutive Resyncs = 1. Trying one time catch up...
#db# Mifare: Couldn't receive tag nonce
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
Button pressed. Aborted.
#db# Debug level: 0
All the tests was done by the same card as I mentioned before
Offline
@piwi
From the code, I just found that the new cycle was calculated by the current_cycle and nt_distance, and the code assume that every clock_cycle will resulting a nt_distance
Is it possible to analyze the the relationship between nt_distance and clock_cycle by add a new command
such as "hf mf dialogue", which might keep on auth for 1000 times, and send the "clock, random number", the main program might analyze the relationship.......
From the output, I think the stage 1 ---calibrating is not succcess, so the sync stage might useless.....
Offline
Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).
This means that eventually and most probably by chance the PM successfully synced (calibration completed) to the cards PRNG. The same nonce has been received 256 times (only a few re-syncs in between) but the card didn't send a NACK on any of the reader responses. The hf mf mifare therefore won't work with this card. For me the time has come to surrender.
Done some tests, the board still reset randomly
Damn. Did you at least notice that it happens less often?
@piwi
From the code, I just found that the new cycle was calculated by the current_cycle and nt_distance, and the code assume that every clock_cycle will resulting a nt_distance
Yes, hf mf mifare makes several assumptions on the cards PRNG. It assumes that it is clocked at (nearly) 13,56MHz/8 and that we know the sequence of numbers it produces at this rate. At least one of those assumptions doesn't hold with your card.
Is it possible to analyze the the relationship between nt_distance and clock_cycle by add a new command
such as "hf mf dialogue", which might keep on auth for 1000 times, and send the "clock, random number", the main program might analyze the relationship.......
Unfortunately you cannot get succeeding random numbers off the card. What you get are random numbers (tag nonces) at an unknown distance which makes it IMHO impossible to reverse engineer it, you can only guess and assume that it works similar to the original. The function of the PRNG of Mifare Classic had been discovered by analyzing the chip under the microscope...
Offline
Damn. Did you at least notice that it happens less often?
Yes!
Unfortunately you cannot get succeeding random numbers off the card.
As we currently have the key of the card, we could get the encrypted random number, assume we know the sequence of the random number, and obviously, the range is limited.
So, we could calculate the actual sequence of the random number, in order to detect whether the assumption is right (PRNG assumption)
If true, then we can detect whether the clock of the card runs on the assumptions, if not, we could calculate it.(Clock assumption)
At last, we could see how to improve the mifare process, which could crack more kinds of clone card?
I will be kindly devote to this work, wish your suggestion.
Offline
Yes, we could continue to try several things to find out how the PRNG of this card works. And eventually we might be successful. However, it would not help because the card doesn't send encrypted NACKs, i.e. doesn't give us anything which could be used to recover the keystream.
Offline
@piwi
In fact, I have only seen no NACK once
Anyway to confirm NACK or not.
Offline
There had been only one successful calibration with not too many re-syncs afterwards. Only in this case the PM3 had the chance to try all 256 combinations of the 8 parity bits in its {nr}{ar} response. One of these combinations must have been correct and in this case the Mifare Classic would have responded with an (encrypted) NACK. Your card didn't. No NACK - no information - no possibility to extract the key.
Offline
There had been only one successful calibration with not too many re-syncs afterwards. Only in this case the PM3 had the chance to try all 256 combinations of the 8 parity bits in its {nr}{ar} response. One of these combinations must have been correct and in this case the Mifare Classic would have responded with an (encrypted) NACK. Your card didn't. No NACK - no information - no possibility to extract the key.
Which means this card is not crack able?
We have no chance to crack this card by this NACK way.
The only thing left for us is to resolve the calibrating progress, avoid reset, whether you still interested?
If so, I may contribute to test, if not, let me know. Thanks @piwi
Offline
@piwi, just reviewed process of that success one (no NACK)
Found round 32, calibrating put the sync_clock=1829, so, probably, This card might have a sync_clock=1800 or around it?
Offline
Which means this card is not crack able?
We have no chance to crack this card by this NACK way.
You still can recover the keys - but not with hf mf mifare. You have already shown that e.g. hf mf nested works.
The only thing left for us is to resolve the calibrating progress, avoid reset, whether you still interested?
Yes, I did not give up fixing the watchdog reset bug.
@piwi, just reviewed process of that success one (no NACK)
Found round 32, calibrating put the sync_clock=1829, so, probably, This card might have a sync_clock=1800 or around it?
Yes, at least for this example the sync_clock was 1829. We have seen a nearly sync in another example at 170200. which could be 29 * 1829 but it is as well possible that the PRNG isn't clocked constantly. But as I said: without the card sending a NACK, that's not leading to practical results with hf mf mifare.
Offline