Proxmark3 community


#1 2016-01-21 01:52:49

polynom
Contributor
Registered: 2016-01-15
Posts: 23

Found FFFFFFFFFFFF but cannot perform Nested

Hi there,

I had this card sitting on my table for a while.
Test block keys, find FFFFFFFFFFFF
but then the nested command crashes.

"Collision after Bit 2"
And then it goes to "Card timeout + Auth1 error"

I tried a few different distance/angle to antenna. But no chance so far.

Last edited by polynom (2016-01-22 11:03:14)

Offline

#2 2016-01-21 07:41:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Found FFFFFFFFFFFF but cannot perform Nested

Antenna output?
Version of firmware/client you are using?
Is it an "older" model of the PM3? Like the one bought from http://www.proxmark3.com/ ? There is a problem with the latest fpga firmware and that kind of model, you'll need to recompile with an older fpga-firmware, for it to work properly.

Offline

#3 2016-01-21 13:39:54

polynom
Contributor
Registered: 2016-01-15
Posts: 23

Re: Found FFFFFFFFFFFF but cannot perform Nested

#db# 20525 mV
latest from piwi's repo (with hardnested capabilities)
I haven't had any other similar problems with different S50 cards. Just distance issues so far.

I do have an old board (from 2010 I think).
I went back to an old one r839:
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 839 2013-12-05 07:11:23
#db# os: svn 839 2013-12-05 07:11:28
#db# FPGA image built on 2013/11/19 at 18:17:10

Same problem though. Should I go even older? Before CDC?

Offline

#4 2016-01-21 15:21:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Found FFFFFFFFFFFF but cannot perform Nested

No...  There is a thread about the fpga.bit file problem. 

So early versions of the source like r839, it has many issues with the HF commands. So I wouldn't recommend it.

Solution:
From the pm3 master, for the fpga.bit file go back until January 2015, and replace the one in your clone of piwi's. I guess since you want to test the hardnested.

Recompile, and flash it, that should bring back your pm3 capabilities to normal.
With all fixes to HF/LF commands and piwi's hardnested..

Offline

#5 2016-01-22 10:14:51

polynom
Contributor
Registered: 2016-01-15
Posts: 23

Re: Found FFFFFFFFFFFF but cannot perform Nested

First of all, thanks a lot for your support iceman.

I replaced with the one from  r645c960. (assuming you were talking about fpga_hf.bit)
Re-compiled.
"HF FPGA image built for 2s30vq100 on 2015/01/15 at 12:19:06"

But, exact same problem again.

How can I know that I have an old board with the problematic part?
uC: AT91SAM7S256 Rev B

btw, I just realized that the 12*Fs are a B not A key.
This Key is for sector 7 to 15.

Weird thing:
When I try to read a sector (for the first time) that has this Key, I get a "command execute timeout"
If I send the same command a second time right after the timeout, it works and shows partial sector.

Offline

#6 2016-01-22 10:27:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Found FFFFFFFFFFFF but cannot perform Nested

You have several different issues, which you'll need to understand.


Yes, I meant the fpga_hf.bit. This will fix your old board and "collision"/ bad snoop etc problems. Which I assume you don't get anymore.

Then the next part is about getting a key with darkside.. Which you most likely gotten, ie it works.

Next step is "nested attack", which I think you are at now in your last post "key is for sector 7 to 15"..
This attack is not absolute, you'll need to run it several times to get all keys if you are unlucky. Sometimes you'll need to cut and paste between keys to get a complete keys.bin file..

which you use for the "hf mf dump" / "hf mf restore"

All of this depends on the tag.  Which you haven't presented some output for (14a reader?)  (hw tune) Your HF antenna seems ok.  Your problems could also be because of tag positioning and distance over antenna.

I would say you have some reading up on the wiki and forum to do. Blind guessing when trying to help is hard.

Last edited by iceman (2016-01-22 10:28:38)

Offline

#7 2016-01-22 11:02:44

polynom
Contributor
Registered: 2016-01-15
Posts: 23

Re: Found FFFFFFFFFFFF but cannot perform Nested

Sorry the title of my topic is wrong.
"Found FFFFFFFFFFFF but cannot perform Nested*"

As said in the first post, I found the Fs with the test block key command.
It tells me it found it for sectors 7 to 15. That is how I know. And it is confirmed when reading those sectors with the Fs. I did not perform the nested attack.
I am familiar with the other steps. I tried different angle/distance as specified in the first post.

I did not try Darkside attack as I already got one of the keys. Now that I am trying, it is saying "card is not vulnerable to darkside..." which I have seen before with other cards and tend to ignore.

ATQA : 00 04
SAK : 08 [2]

Offline

#8 2016-01-22 12:45:18

polynom
Contributor
Registered: 2016-01-15
Posts: 23

Re: Found FFFFFFFFFFFF but cannot perform Nested

Not sure what is "wrong".
I am trying to test with your fork this time.

It could be some not classic mifare classic card... As I've never had any persistent similar issue in the past

Unfortunately, I have no access to a reader for sniffing the communication ...

Last edited by polynom (2016-01-22 12:46:01)

Offline

#9 2016-01-22 12:45:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Found FFFFFFFFFFFF but cannot perform Nested

ok,
you have a newer s50 tag or a strange clone (fudan) which the darkside or nested attack doesn't work on.

You can only get the key from the new hardnested attack. 

or if the keys on your tag are calc by an algo, you may figure that one out...

Offline

#10 2016-01-22 13:12:06

polynom
Contributor
Registered: 2016-01-15
Posts: 23

Re: Found FFFFFFFFFFFF but cannot perform Nested

We posted at the same time.

I did try hardnested but failed. There seems to have been some improvement since I tested last time.

Thanks a lot iceman!

I will update here if I was successful with hardnested or in the appropriate topic if I encounter some problem. But I guess I have some reading to do first.

Offline

#11 2016-01-22 13:13:09

polynom
Contributor
Registered: 2016-01-15
Posts: 23

Re: Found FFFFFFFFFFFF but cannot perform Nested

.

Last edited by polynom (2016-01-22 14:13:23)

Offline

#12 2016-01-22 14:15:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Found FFFFFFFFFFFF but cannot perform Nested

Looks like hardnested worked, so your PM3 device works like it should.

If you have access to the reader, you can always sniff and get the key from the tracelog that way.

Offline

#13 2016-03-13 05:50:50

lohcm88
Contributor
Registered: 2016-02-05
Posts: 59

Re: Found FFFFFFFFFFFF but cannot perform Nested

Hi.. may I borrow your thread as I do not want to open up too many threads on similar problem...  as I can't do nested operation on my friend's condo card as well...

My HW and SW

Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-04-02 15:12:04
os: /-suspect 2015-11-19 10:08:09
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 169916 bytes (65%). Free: 92228 bytes (35%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

My Test Block Keys

proxmark3> hf mf chk * ?   
No key specified, trying default keys         
chk default key[ 0] ffffffffffff         
chk default key[ 1] 000000000000         
chk default key[ 2] a0a1a2a3a4a5         
chk default key[ 3] b0b1b2b3b4b5         
chk default key[ 4] aabbccddeeff         
chk default key[ 5] 4d3a99c351dd         
chk default key[ 6] 1a982c7e459a         
chk default key[ 7] d3f7d3f7d3f7         
chk default key[ 8] 714c5c886e97         
chk default key[ 9] 587ee5f9350f         
chk default key[10] a0478cc39091         
chk default key[11] 533cb6c723f6         
chk default key[12] 8fd0a4f256e9         
--sector: 0, block:  3, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 1, block:  7, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 2, block: 11, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 3, block: 15, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 4, block: 19, key type:A, key count:13           
--sector: 5, block: 23, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 6, block: 27, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 7, block: 31, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 8, block: 35, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 9, block: 39, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector:10, block: 43, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector:11, block: 47, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector:12, block: 51, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector:13, block: 55, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector:14, block: 59, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector:15, block: 63, key type:A, key count:13           
Found valid key:[ffffffffffff]         
--sector: 0, block:  3, key type:B, key count:13           
Found valid key:[000000000000]         
--sector: 1, block:  7, key type:B, key count:13           
Found valid key:[000000000000]         
--sector: 2, block: 11, key type:B, key count:13           
Found valid key:[000000000000]         
--sector: 3, block: 15, key type:B, key count:13           
Found valid key:[000000000000]         
--sector: 4, block: 19, key type:B, key count:13           
Found valid key:[000000000000]         
--sector: 5, block: 23, key type:B, key count:13           
Found valid key:[000000000000]         
--sector: 6, block: 27, key type:B, key count:13           
Found valid key:[000000000000]         
--sector: 7, block: 31, key type:B, key count:13           
Found valid key:[000000000000]         
--sector: 8, block: 35, key type:B, key count:13           
Found valid key:[000000000000]         
--sector: 9, block: 39, key type:B, key count:13           
Found valid key:[000000000000]         
--sector:10, block: 43, key type:B, key count:13           
Found valid key:[000000000000]         
--sector:11, block: 47, key type:B, key count:13           
Found valid key:[000000000000]         
--sector:12, block: 51, key type:B, key count:13           
Found valid key:[000000000000]         
--sector:13, block: 55, key type:B, key count:13           
Found valid key:[000000000000]         
--sector:14, block: 59, key type:B, key count:13           
Found valid key:[000000000000]         
--sector:15, block: 63, key type:B, key count:13           
Found valid key:[000000000000]         
proxmark3>

My Nested Attack

Testing known keys. Sector count=16
#db# ChkKeys: Can't select card       
#db# ChkKeys: Can't select card       
#db# ChkKeys: Can't select card       
#db# ChkKeys: Can't select card       
nested...
-----------------------------------------------
Error: No response from Proxmark.

#db# Nested: Can't select card       
#db# Nested: Auth2 error len=1       
#db# Authentication failed. Card timeout.       
#db# Nested: Auth1 error       
#db# Nested: Can't select card       
#db# Authentication failed. Card timeout.       
#db# Nested: Auth1 error       
#db# Authentication failed. Card timeout.       
#db# Nested: Auth1 error       
#db# Nested: Can't select card       
#db# Nested: Can't select card       
#db# Nested: Can't select card       
#db# Nested: Can't select card       
#db# Authentication failed. Card timeout.       
#db# Nested: Auth1 error       
#db# Nested: Can't select card       
#db# Nested: Auth1 error       
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error       
#db# Nested: Auth2 error len=1       
#db# Authentication failed. Card timeout.       
#db# Nested: Auth1 error       
#db# Nested: Auth1 error       
#db# Nested: Can't select card       
#db# Authentication failed. Card timeout.       
#db# Nested: Auth1 error       
#db# Nested: Auth1 error       
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error       
#db# Authentication failed. Card timeout.       
#db# Nested: Auth1 error       
#db# Authentication failed. Card timeout.       
#db# Nested: Auth1 error       
#db# Nested: Can't select card       
#db# Authentication failed. Card timeout.       
#db# Nested: Auth1 error       
#db# Nested: Can't select card       
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error       
#db# Nested: Can't select card       
#db# Nested: Auth1 error       
#db# Nested: Can't select card       
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error       
#db# Authentication failed. Error card response.       
#db# Nested: Auth1 error

     

I hope someone can give me guidance... My Nested Attack has been successful in 2 other cards but not for this particular card. Appreciate your help!!

Offline
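
A defensive reading of the `hf mf chk` output in the post above, as an added example that is not part of the original thread: it parses that output format into a per-sector key table and reports which sectors still authenticate with well-known default keys, which is the provisioning weakness the output exposes. The sample input is constructed in the page's format, and the function names `parse_chk` and `audit` are hypothetical.

```python
import re

# Constructed sample in the format of the `hf mf chk * ?` output posted above
# (three sectors only; sector 1 has no matching A key, like sector 4 in the post).
SAMPLE = """\
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
--sector: 0, block:  3, key type:A, key count: 3
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:A, key count: 3
--sector: 2, block: 11, key type:A, key count: 3
Found valid key:[ffffffffffff]
--sector: 0, block:  3, key type:B, key count: 3
Found valid key:[000000000000]
--sector: 1, block:  7, key type:B, key count: 3
Found valid key:[000000000000]
--sector: 2, block: 11, key type:B, key count: 3
Found valid key:[a0a1a2a3a4a5]
"""

SECTOR_RE = re.compile(r"^--sector:\s*(\d+), block:\s*(\d+), key type:([AB])")
FOUND_RE = re.compile(r"^Found valid key:\[([0-9a-fA-F]{12})\]")

def parse_chk(text):
    """Return {sector: {"A": key or None, "B": key or None}} from chk output."""
    table = {}
    current = None  # (sector, key type) of the most recent "--sector" line
    for raw in text.splitlines():
        line = raw.strip()  # the client pads lines with trailing spaces
        m = SECTOR_RE.match(line)
        if m:
            current = (int(m.group(1)), m.group(3))
            table.setdefault(current[0], {"A": None, "B": None})
            continue
        m = FOUND_RE.match(line)
        if m and current is not None:
            table[current[0]][current[1]] = m.group(1).lower()
            current = None  # a key line belongs to exactly one sector line
    return table

def audit(table):
    """Group sectors by how many of their two keys matched a default key."""
    report = {"both_default": [], "one_default": [], "none_default": []}
    for sector in sorted(table):
        hits = sum(1 for key in table[sector].values() if key is not None)
        report[("none_default", "one_default", "both_default")[hits]].append(sector)
    return report

if __name__ == "__main__":
    for name, sectors in audit(parse_chk(SAMPLE)).items():
        print(f"{name}: {sectors}")
```

Sectors listed under `both_default` or `one_default` are readable with keys from the client's built-in list, so a card issuer would want every sector of a deployed card to land in `none_default`.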

#14 2016-03-13 06:51:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Found FFFFFFFFFFFF but cannot perform Nested

Try different angles and distance between tag and antenna. As you can see in your output, "can't select card"..
Try "hf 14a read" and test until you get the distance and position right. Then run nested.

Offline

#15 2016-03-13 07:09:55

lohcm88
Contributor
Registered: 2016-02-05
Posts: 59

Re: Found FFFFFFFFFFFF but cannot perform Nested

iceman wrote:

Try different angles and distance between tag and antenna. As you can see in your output, "can't select card"..
Try "hf 14a read" and test until you get the distance and position right. Then run nested.


Thx for your suggestion but I am still getting the following error despite adjusting various angles and distances. I can get it done for 2 other mifare cards (1 with pw protected and the other 1 does not have). This is the only card that I am having a problem with.


proxmark3> hf mf nested 1 43 A ffffffffffff   d
Testing known keys. Sector count=16         
#db# ChkKeys: Can't select card                 
nested...         
-----------------------------------------------         
#db# Authentication failed. Card timeout.                 
#db# Nested: Auth2 error                 
Error: No response from Proxmark.
proxmark3>
proxmark3> #db# Authentication failed. Error card response.                 
proxmark3> #db# Nested: Auth1 error                 
proxmark3> #db# Nested: Auth1 error                 
proxmark3> #db# Authentication failed. Error card response.                 
proxmark3> #db# Nested: Auth1 error                 
proxmark3> #db# Nested: Auth1 error                 
proxmark3> #db# Nested: Can't select card                 
proxmark3> #db# Nested: Can't select card                 
proxmark3> #db# Authentication failed. Error card response.                 
proxmark3> #db# Nested: Auth1 error                 
proxmark3> #db# Authentication failed. Error card response.                 
proxmark3> #db# Nested: Auth1 error                 
proxmark3> #db# Nested: Auth1 error

Offline

#16 2016-03-13 07:33:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Found FFFFFFFFFFFF but cannot perform Nested

Can you run "hf 14a read" and post the output?

Offline

#17 2016-03-13 07:36:50

lohcm88
Contributor
Registered: 2016-02-05
Posts: 59

Re: Found FFFFFFFFFFFF but cannot perform Nested

iceman wrote:

Can you run "hf 14a read" and post the output?


Here it goes:

proxmark3> hf 14a reader
UID : 6e e4 2d 1d           
ATQA : 00 04         
SAK : 88 [2]         
TYPE : Infineon MIFARE CLASSIC 1K         
proprietary non iso14443-4 card found, RATS not supported         
Answers to chinese magic backdoor commands: YES         
proxmark3>

Offline

#18 2016-03-13 07:39:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Found FFFFFFFFFFFF but cannot perform Nested

Since it's a magic card... you don't need nested...
You can read all using the "hf mf cgetsc" command...

Offline

#19 2016-03-13 07:50:46

lohcm88
Contributor
Registered: 2016-02-05
Posts: 59

Re: Found FFFFFFFFFFFF but cannot perform Nested

iceman wrote:

Since it's a magic card... you don't need nested...
You can read all using the "hf mf cgetsc" command...


I see... thx a lot for the info! I will read up on how to get it duplicated with this info..

Offline
