Research, development and trades concerning the powerful Proxmark3 device.
Hi there,
I had this card sitting on my table for a while.
Test block keys, find FFFFFFFFFFFF
but then the nested command crashes.
"Collision after Bit 2"
And then it goes to "Card timeout + Auth1 error"
I tried a few different distance/angle to antenna. But no chance so far.
Last edited by polynom (2016-01-22 11:03:14)
Offline
Antenna output?
Version of firmware/client you are using?
Is it an "older" model of the PM3? Like the one bought from http://www.proxmark3.com/ ? There is a problem with the latest fpga firmware and that kind of model, you'll need to recompile with an older fpga-firmware for it to work properly.
Offline
#db# 20525 mV
latest from piwi's repo (with hardnested capabilities)
I haven't had any other similar problems with different S50 cards. Just distance issues so far.
I do have an old board (from 2010 I think).
I went back to an old one r839:
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 839 2013-12-05 07:11:23
#db# os: svn 839 2013-12-05 07:11:28
#db# FPGA image built on 2013/11/19 at 18:17:10
Same problem though. Should I go even older? Before CDC?
Offline
No... There is a thread about the fpga.bit file problem.
So early versions of the source like r839, it has many issues with the HF commands. So I wouldn't recommend it.
Solution:
From the pm3 master, for the fpga.bit file go back until January 2015, and replace the one in your clone of piwi's. I guess since you want to test the hardnested.
Recompile, and flash it, that should bring back your pm3 capabilities to normal.
With all fixes to HF/LF commands and piwi's hardnested..
Offline
First of all, thanks a lot for your support iceman.
I replaced with the one from r645c960. (assuming you were talking about fpga_hf.bit)
Re-compiled.
"HF FPGA image built for 2s30vq100 on 2015/01/15 at 12:19:06"
But, exact same problem again.
How can I know that I have an old board with the problematic part?
uC: AT91SAM7S256 Rev B
btw, I just realized the 12*Fs are a B not A key.
This Key is for sector 7 to 15.
Weird thing:
When I try to read a sector (for the first time) that has this Key, I get a "command execute timeout"
If I send the same command a second time right after the timeout, it works and shows partial sector.
Offline
You have several different issues, which you'll need to understand.
Yes, I meant the fpga_hf.bit This will fix your old board and "collision"/ bad snoop etc problems. Which I assume you don't get anymore.
Then the next part is about getting a key with darkside.. Which you most likely gotten, ie it works.
Next step is "nested attack", which I think you are at now in your last post "key is for sector 7 to 15"..
This attack is not absolute, you'll need to run it several times to get all keys if you are unlucky. Sometimes you'll need to cut and paste between keys to get a complete keys.bin file..
which you use for the "hf mf dump" / "hf mf restore"
All of this depends on the tag. Which you haven't presented some output for (14a reader?) (hw tune) Your HF antenna seems ok. Your problems could also be because of tag positioning and distance over antenna.
I would say you have some reading up on the wiki and forum to do. Blind guessing when trying to help is hard.
Last edited by iceman (2016-01-22 10:28:38)
Offline
Sorry the title of my topic is wrong.
"Found FFFFFFFFFFFF but cannot perform Nested*"
As said in the first post, I found the Fs with the test block key command.
It tells me it found it for sectors 7 to 15. That is how I know. And it is confirmed when reading those sectors with the Fs. I did not perform the nested attack.
I am familiar with the other steps. I tried different angle/distance as specified in the first post.
I did not try Darkside attack as I already got one of the keys. Now that I am trying, it is saying "card is not vulnerable to darkside..." which I have seen before with other cards and tend to ignore.
ATQA : 00 04
SAK : 08 [2]
Offline
Not sure what is "wrong".
I am trying to test with your fork this time.
It could be some not classic mifare classic card... As I've never had any persistent similar issue in the past
Unfortunately, I have no access to a reader for sniffing the communication ...
Last edited by polynom (2016-01-22 12:46:01)
Offline
ok,
you have a newer s50 tag or a strange clone (fudan) which the darkside or nested attack doesn't work on.
You can only get the key from the new hardnested attack.
or if the keys on your tag is calc by an algo, you may figure that one out...
Offline
We posted at the same time.
I did try hardnested but failed. There seems to have been some improvement since I tested last time.
Thanks a lot iceman!
I will update here if I was successful with hardnested or in the appropriate topic if I encounter some problem. But I guess I have some reading to do first.
Offline
.
Last edited by polynom (2016-01-22 14:13:23)
Offline
Looks like hardnested worked, so your PM3 device works like it should.
If you have access to the reader, you can always sniff and get the key from the tracelog that way.
Offline
Hi.. may I borrow your thread as I do not want to open up too many threads on similar problem... as I can't do nested operation on my friend's condo card as well...
My HW and SW
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-04-02 15:12:04
os: /-suspect 2015-11-19 10:08:09
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 169916 bytes (65%). Free: 92228 bytes (35%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
My Test Block Keys
proxmark3> hf mf chk * ?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block: 3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:A, key count:13
--sector: 5, block: 23, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 0, block: 3, key type:B, key count:13
Found valid key:[000000000000]
--sector: 1, block: 7, key type:B, key count:13
Found valid key:[000000000000]
--sector: 2, block: 11, key type:B, key count:13
Found valid key:[000000000000]
--sector: 3, block: 15, key type:B, key count:13
Found valid key:[000000000000]
--sector: 4, block: 19, key type:B, key count:13
Found valid key:[000000000000]
--sector: 5, block: 23, key type:B, key count:13
Found valid key:[000000000000]
--sector: 6, block: 27, key type:B, key count:13
Found valid key:[000000000000]
--sector: 7, block: 31, key type:B, key count:13
Found valid key:[000000000000]
--sector: 8, block: 35, key type:B, key count:13
Found valid key:[000000000000]
--sector: 9, block: 39, key type:B, key count:13
Found valid key:[000000000000]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[000000000000]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[000000000000]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[000000000000]
--sector:13, block: 55, key type:B, key count:13
Found valid key:[000000000000]
--sector:14, block: 59, key type:B, key count:13
Found valid key:[000000000000]
--sector:15, block: 63, key type:B, key count:13
Found valid key:[000000000000]
proxmark3>
My Nested Attack
Testing known keys. Sector count=16
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
nested...
-----------------------------------------------
Error: No response from Proxmark.#db# Nested: Can't select card
#db# Nested: Auth2 error len=1
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Nested: Can't select card
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Nested: Can't select card
#db# Nested: Auth1 error
#db# Authentication failed. Error card response.
#db# Nested: Auth1 error
#db# Nested: Auth2 error len=1
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Nested: Auth1 error
#db# Nested: Can't select card
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Nested: Auth1 error
#db# Authentication failed. Error card response.
#db# Nested: Auth1 error
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Nested: Can't select card
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Nested: Can't select card
#db# Authentication failed. Error card response.
#db# Nested: Auth1 error
#db# Nested: Can't select card
#db# Nested: Auth1 error
#db# Nested: Can't select card
#db# Authentication failed. Error card response.
#db# Nested: Auth1 error
#db# Authentication failed. Error card response.
#db# Nested: Auth1 error
I hope someone can give me guidance... My Nested Attack has been successful in 2 other cards but not for this particular card. Appreciate your help!!
Offline
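An added example, not part of the original post or of the Proxmark3 project: a small Python parser for `hf mf chk` output in the format shown above, which tabulates which key slots answered to a default key and which did not (in the posted output, sector 4 key A has no "Found valid key" line). The sample text is a constructed excerpt, the function names are hypothetical, and the trailer-block check assumes a MIFARE Classic 1K layout.

```python
import re

# Constructed excerpt in the format of the "hf mf chk * ?" output posted above.
SAMPLE = """\
proxmark3> hf mf chk * ?
--sector: 3, block: 15, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:A, key count:13
--sector: 5, block: 23, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:B, key count:13
Found valid key:[000000000000]
"""

HEADER = re.compile(r"--sector:\s*(\d+), block:\s*(\d+), key type:([AB])")
FOUND = re.compile(r"Found valid key:\[([0-9a-fA-F]{12})\]")


def parse_chk(text):
    """Map (sector, key_type) -> matched key, or None if no tried key worked."""
    results, current = {}, None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            sector, block = int(header.group(1)), int(header.group(2))
            # Assumption: MIFARE Classic 1K, trailer is the 4th block of a sector.
            if block != sector * 4 + 3:
                raise ValueError(f"unexpected trailer block in: {line!r}")
            current = (sector, header.group(3))
            results[current] = None
            continue
        found = FOUND.search(line)
        if found and current is not None:
            results[current] = found.group(1).lower()
    return results


def unmatched(results):
    """Key slots where none of the default keys authenticated."""
    return sorted(slot for slot, key in results.items() if key is None)


def on_default_keys(results):
    """Sectors where at least one key slot still holds a default key."""
    return sorted({sector for (sector, _), key in results.items() if key})


if __name__ == "__main__":
    table = parse_chk(SAMPLE)
    print("no default key matched:", unmatched(table))
    print("sectors on default keys:", on_default_keys(table))
```

A card issuer can run the same tabulation over a full capture to confirm that no sector was left on its transport keys.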
try different angles and distance between tag and antenna. as you can see in your output, "can't select card"..
Try "hf 14a read" and test until you get the distance and position right. Then run nested,
Offline
try different angles and distance between tag and antenna. as you can see in your output, "can't select card"..
Try "hf 14a read" and test until you get the distance and position right. Then run nested,
Thx for your suggestion but I am still getting the following error despite adjusting various angles and distances. I can get it done for 2 other mifare cards (1 with pw protected and the other 1 does not have). This is the only card that I am having problem with.
proxmark3> hf mf nested 1 43 A ffffffffffff d
Testing known keys. Sector count=16
#db# ChkKeys: Can't select card
nested...
-----------------------------------------------
#db# Authentication failed. Card timeout.
#db# Nested: Auth2 error
Error: No response from Proxmark.
proxmark3>
proxmark3> #db# Authentication failed. Error card response.
proxmark3> #db# Nested: Auth1 error
proxmark3> #db# Nested: Auth1 error
proxmark3> #db# Authentication failed. Error card response.
proxmark3> #db# Nested: Auth1 error
proxmark3> #db# Nested: Auth1 error
proxmark3> #db# Nested: Can't select card
proxmark3> #db# Nested: Can't select card
proxmark3> #db# Authentication failed. Error card response.
proxmark3> #db# Nested: Auth1 error
proxmark3> #db# Authentication failed. Error card response.
proxmark3> #db# Nested: Auth1 error
proxmark3> #db# Nested: Auth1 error
Offline
Can you run "hf 14a read" and post the output?
Offline
Can you run "hf 14a read" and post the output?
Here it goes:
proxmark3> hf 14a reader
UID : 6e e4 2d 1d
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
proxmark3>
Offline
since it's a magic card... you don't need nested...
You can read all using the "hf mf cgetsc" command...
Offline
since its a magic card... you don't need nested...
You can read all using the "hf mf cgetsc" command...
I see... thx a lot for the info! I will read up on how to get it duplicated with this info..
Offline