Proxmark3 community

#51 2015-10-16 03:52:28

bigboyq
Contributor
From: China
Registered: 2015-09-22
Posts: 38

Re: May be a "hf mf mifare" bug

piwi wrote:

Yes, at least for this example the sync_clock was 1829. We have seen a near sync in another example at 170200, which could be 29 * 1829, but it is as well possible that the PRNG isn't clocked constantly. But as I said: without the card sending a NACK, that's not leading to practical results with hf mf mifare.

Is it possible to check NACK before calibrating? If so, the whole process might be optimized.
I know you are working on hardened nested, good luck.
The calibrating algorithm might be improved later :P

#52 2015-10-19 15:12:27

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: May be a "hf mf mifare" bug

bigboyq wrote:

Is it possible to check NACK before calibrating? If so, the whole process might be optimized.

No. You need to calibrate in order to force the card to send the same nonce every time. Only after 256 reader responses to the same nonce can you be sure that the card doesn't have the NACK bug.

#53 2015-10-21 08:10:51

bigboyq
Contributor
From: China
Registered: 2015-09-22
Posts: 38

Re: May be a "hf mf mifare" bug

Got it, thanks. When you have any improvement in the calibrating stage, let me know and I will test it for you soon :P @piwi

#54 2015-11-20 05:16:24

bigboyq
Contributor
From: China
Registered: 2015-09-22
Posts: 38

Re: May be a "hf mf mifare" bug

@piwi With what you have done, hf mf mifare works properly, but a bug came with it.
With v2.2.0 I could use hf mf nested to crack the card, but with the up-to-date version, the hf mf nested command failed.

proxmark3> hf mf nested o 0 B FFFFFFFFFFFF 0 A
--target block no:  0, target key type:A
uid:bc6dd71d trgbl=0 trgkey=0
No valid key found
proxmark3> hf mf nested o 0 B FFFFFFFFFFFF 0 A
--target block no:  0, target key type:A
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Nested: Auth1 error
Error: No response from Proxmark.

#55 2016-02-11 21:55:15

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

Hello

Any news about this reset? I have the same problem with a mifare 1k when I try hf mf mifare.

#56 2016-02-11 22:13:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

If you set the dbg level to 3, you don't get the reset... hmm

hf mf dbg 3 
hf mf mifare

See it as a workaround

Last edited by iceman (2016-02-11 22:13:36)

#57 2016-02-11 22:53:07

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

#db# calibrating in cycle 31. nt_distance=23877, elapsed_prng_sequences=2, new sync_cycles: 37994

#db# calibrating in cycle 32. nt_distance=13005, elapsed_prng_sequences=3, new sync_cycles: 33659

...#db# ISO14443A Timeout set to 1050 (9ms)
.#db# ISO14443A Timeout set to 1050 (9ms)
#db# ISO14443A Timeout set to 1050 (9ms)
#db# ISO14443A Timeout set to 1050 (9ms)
.#db# ISO14443A Timeout set to 1050 (9ms)
#db# ISO14443A Timeout set to 1050 (9ms)
.#db# ISO14443A Timeout set to 1050 (9ms)
#db# ISO14443A Timeout set to 1050 (9ms)


Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.

#58 2016-02-11 22:55:47

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

This worked, Iceman!
I just can't read this tag now. Maybe I should try nested.

#59 2016-02-11 22:58:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

When you set dbg level >1, it usually messes with the timings so the darkside attack doesn't always work.

Try setting dbg 2, and see if that works.

Nested should work, but set dbg to 0 before..

#60 2016-02-11 23:07:12

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

With dbg 2 it resets again.

For nested I would need Key A, or not?

#61 2016-02-12 07:28:44

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

Read the help text..

#62 2016-02-12 07:59:40

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

For the nested attack I need key A. hf mf nested 1 0 A XXXXXXXXXXXX

I tested another tag and it works fine in dbg 0 without reset. But for the other few keys it is impossible. For one of them I know the Key A and the nested works. The other keys are the same kind, same manufacturer, but I can't run hf mf mifare on them.
Darkside with dbg 3 doesn't reset but also can't get Key A from a key with Key A = FFFFFFFFFFFF.

#63 2016-02-12 08:13:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

No, if you read the help text for nested it says a key for a block, e.g. any combo of key/block, not only Key A for block 0...

#64 2016-02-12 10:57:58

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

I don't have any key. I know each sector needs a KEYA and KEYB, which may be different for each one. But I only have the tag, with no other information.
As far as I understand, to make a nested test I need at least one key. Tell me please if I am wrong. I am new to this.

#65 2016-02-12 11:20:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

Have you tried "hf mf chk" with the default_keys.dic?

#66 2016-02-12 11:24:15

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

I tried it

hf mf chk *1 ? t

and no luck

#67 2016-02-12 11:27:37

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

1455272813_chk.jpg

#68 2016-02-12 11:45:03

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

So you didn't use the default_keys.dic...

#69 2016-02-12 11:50:50

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

Can you help me with this? I thought the default keys were included in the exe. I don't have this file.

#70 2016-02-12 12:05:23

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

proxmark3> hf mf chk *1 ? t default_keys.dic
File: default_keys.dic: not found or locked.

#71 2016-02-12 12:12:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

If you compiled the latest version from GitHub, then you should have it in your client folder.

https://github.com/Proxmark/proxmark3/b … t_keys.dic

#72 2016-02-12 12:25:20

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

Thanks, I have added this file.
Now it runs but no key is found.

#73 2016-02-12 12:26:23

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

chk custom key[83] f1d83f964314
chk custom key[84] fc00018778f7
chk custom key[85] fc0001877bf7
chk custom key[86] 44ab09010845
chk custom key[87] 85fed980ea5a
chk custom key[88] 314b49474956
chk custom key[89] 564c505f4d41
chk custom key[90] f4a9ef2afc6d
chk custom key[91] a9f953def0a3
--sector: 0, block:  3, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 1, block:  7, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 2, block: 11, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 3, block: 15, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 4, block: 19, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 5, block: 23, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 6, block: 27, key type:A, key count:92
#db# ChkKeys: Can't select card
--sector: 7, block: 31, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 8, block: 35, key type:A, key count:92
#db# Multiple tags detected. Collision after Bit 27
#db# ChkKeys: Can't select card
--sector: 9, block: 39, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:10, block: 43, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:11, block: 47, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:12, block: 51, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:13, block: 55, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:14, block: 59, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:15, block: 63, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been i

#74 2016-02-12 12:51:10

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

You seem to have a problem reading your tag.
Do you have a strong antenna? And you'll need to have 1cm distance between tag and antenna.

Nothing guarantees that the default list has a key for you,
but it might help in your "hf mf mifare" run.

#75 2016-02-12 13:52:20

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

I have the board from xfpga-
To test, I replaced the capacitor on the PCB with a trimmer capacitor to try to tune the antenna. But I can't get more than 15V with the tag over the antenna and 17V without any tag over it.

I can't get more power, so it looks like it is tuned. I tested with hf tune.

Maybe this is a problem for the board, I have read very bad feedback about xfpga.

#76 2016-02-12 13:54:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

If it's one of the older models, you might need to recompile the fullimage with the older FPGA HF image from Feb, Jan 2015.
There is a known fault here that makes those models not work with the latest FPGA HF image.

You can see the threads here on the forum if you search.


But that is not the subject of this thread.

There is also a known bug in "hf mf mifare"  where it resets.

Last edited by iceman (2016-02-12 13:55:14)

#77 2016-02-12 14:22:13

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

So... what should I do?

With fpga r651 it never resets, but it also never reads anything when I run mf mifare.
With the newer version, it looks like it works for some keys, but most of them provoke a reset.

If it is a board problem I could think of buying a new one from another provider; your advice would be good.

#78 2016-02-12 14:32:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

As I mentioned, there is a separate thread about this problem, read it and understand that there is a fix for it.

#79 2016-02-12 14:56:38

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

1455285320_ver.jpg

This is the older one I found. The links on the first page of the forum are broken.
But it also resets.

#80 2016-02-12 16:13:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

#81 2016-02-12 19:26:01

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

I tried this full image in this thread but then the hf antenna has 0v.

#82 2016-02-22 04:00:03

bigboyq
Contributor
From: China
Registered: 2015-09-22
Posts: 38

Re: May be a "hf mf mifare" bug

@drakospart please upgrade your pm3 board to the up-to-date version; most of the time, the problem is resolved.
The board might not die

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...

Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.


proxmark3>

#83 2016-02-26 19:41:17

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

Thank you!

I did. And I think it is a problem of the board or the tag. It only happens with some Chinese tags.

#84 2016-04-11 23:41:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

I think I found the bug, and a solution for this old WDT bug.... :)

I can run several times in a row without triggering the bug. @piwi's NACK, PRNG detection works as promised too.



pm3 ~/client$ proxmark3.exe com3
Prox/RFID mark3 RFID instrument
bootrom: iceman/-suspect 2016-02-14 14:13:43
os: iceman/-suspect 2016-04-11 22:23:31
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 213005 bytes (81%). Free: 49139 bytes (19%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..........#db# Number of sent auth requestes: 298




uid(8444e9cf) nt(3650bc2c) par(25cd5d1525f5ad3d) ks(00040b01050f0d04) nr(25f5ad3d00000000)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 0 |  5  |1,0,1,0,0,1,0,0|
| 20 |00000020| 4 |  1  |1,0,1,1,0,0,1,1|
| 40 |00000040| b |  e  |1,0,1,1,1,0,1,0|
| 60 |00000060| 1 |  4  |1,0,1,0,1,0,0,0|
| 80 |00000080| 5 |  0  |1,0,1,0,0,1,0,0|
| a0 |000000a0| f |  a  |1,0,1,0,1,1,1,1|
| c0 |000000c0| d |  8  |1,0,1,1,0,1,0,1|
| e0 |000000e0| 4 |  1  |1,0,1,1,1,1,0,0|
+----+--------+---+-----+---------------+
Time in nonce2key: 312 ticks

Found valid key: fc00018778f7

Time in darkside: 24134 ticks

pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....#db# Number of sent auth requestes: 152




uid(8444e9cf) nt(0d142f4b) par(0c74044ce40c5c54) ks(06080800040a0a07) nr(e40c5c5400000000)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 6 |  3  |0,0,1,1,0,0,0,0|
| 20 |00000020| 8 |  d  |0,0,1,0,1,1,1,0|
| 40 |00000040| 8 |  d  |0,0,1,0,0,0,0,0|
| 60 |00000060| 0 |  5  |0,0,1,1,0,0,1,0|
| 80 |00000080| 4 |  1  |0,0,1,0,0,1,1,1|
| a0 |000000a0| a |  f  |0,0,1,1,0,0,0,0|
| c0 |000000c0| a |  f  |0,0,1,1,1,0,1,0|
| e0 |000000e0| 7 |  2  |0,0,1,0,1,0,1,0|
+----+--------+---+-----+---------------+
Time in nonce2key: 78 ticks

Found valid key: fc00018778f7

Time in darkside: 12387 ticks

pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.........#db# Number of sent auth requestes: 292




uid(8444e9cf) nt(da40f1b2) par(6d4d6555c5b54dbd) ks(0209010a090d010e) nr(c5b54dbd00000000)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 2 |  7  |1,0,1,1,0,1,1,0|
| 20 |00000020| 9 |  c  |1,0,1,1,0,0,1,0|
| 40 |00000040| 1 |  4  |1,0,1,0,0,1,1,0|
| 60 |00000060| a |  f  |1,0,1,0,1,0,1,0|
| 80 |00000080| 9 |  c  |1,0,1,0,0,0,1,1|
| a0 |000000a0| d |  8  |1,0,1,0,1,1,0,1|
| c0 |000000c0| 1 |  4  |1,0,1,1,0,0,1,0|
| e0 |000000e0| e |  b  |1,0,1,1,1,1,0,1|
+----+--------+---+-----+---------------+
Time in nonce2key: 172 ticks

Found valid key: fc00018778f7

Time in darkside: 23496 ticks

pm3 --> hf mf mif 10
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.......#db# Number of sent auth requestes: 228




uid(8444e9cf) nt(142f4bd8) par(ce3656ee46defe06) ks(0b0000000b04010f) nr(46defe0600000000)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| b |  e  |0,1,1,1,0,0,1,1|
| 20 |00000020| 0 |  5  |0,1,1,0,1,1,0,0|
| 40 |00000040| 0 |  5  |0,1,1,0,1,0,1,0|
| 60 |00000060| 0 |  5  |0,1,1,1,0,1,1,1|
| 80 |00000080| b |  e  |0,1,1,0,0,0,1,0|
| a0 |000000a0| 4 |  1  |0,1,1,1,1,0,1,1|
| c0 |000000c0| 1 |  4  |0,1,1,1,1,1,1,1|
| e0 |000000e0| f |  a  |0,1,1,0,0,0,0,0|
+----+--------+---+-----+---------------+
Time in nonce2key: 452 ticks

Found valid key: fc00018778f7

Time in darkside: 18775 ticks

pm3 --> hf mf mif 10
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
........#db# Number of sent auth requestes: 255


Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).


pm3 --> hf mf mif 10
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
#db# Number of sent auth requestes: 5


Card is not vulnerable to Darkside attack (its random number generator is not predictable).


pm3 --> hf mf mif 10
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
........#db# Number of sent auth requestes: 255


Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

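The "generating polynomial with 16 effective bits only" that the client messages in this thread mention can be checked offline against the `nt` values printed in the runs above: a 32-bit nonce produced by the MIFARE Classic 16-bit LFSR (x^16 + x^14 + x^13 + x^11 + 1) has its second half fully determined by its first half. This is an added example for assessing a card's nonces, not code from the Proxmark3 repository or from any poster; the function names are hypothetical and the last sample nonce is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte-swap so that bit 0 is the first bit the card generated. */
static uint32_t swap32(uint32_t x) {
    return (x >> 24) | ((x >> 8) & 0xff00u) | ((x << 8) & 0xff0000u) | (x << 24);
}

/* Advance the 16-bit LFSR by n clocks. nt is in the order the client prints it. */
uint32_t lfsr16_advance(uint32_t nt, unsigned n) {
    uint32_t x = swap32(nt);
    while (n--)
        x = (x >> 1) | (((x >> 16) ^ (x >> 18) ^ (x >> 19) ^ (x >> 21)) << 31);
    return swap32(x);
}

/* Returns 1 if bits 16..31 of the nonce are exactly what the LFSR produces
 * from bits 0..15. A uniformly random 32-bit value passes with probability
 * 2^-16, so a few passing nonces in a row identify the weak generator. */
int nonce_fits_lfsr16(uint32_t nt) {
    uint32_t x = swap32(nt);
    for (int j = 0; j < 16; j++) {
        uint32_t expect = ((x >> j) ^ (x >> (j + 2)) ^ (x >> (j + 3)) ^ (x >> (j + 5))) & 1u;
        if (((x >> (j + 16)) & 1u) != expect)
            return 0;
    }
    return 1;
}

/* Number of nonces in the list that are consistent with the 16-bit LFSR. */
size_t count_lfsr16_nonces(const uint32_t *nts, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (size_t)nonce_fits_lfsr16(nts[i]);
    return hits;
}

/* The four nt values printed for uid 8444e9cf in the runs above, followed by
 * one constructed value (first nonce with its last bit flipped). */
const uint32_t SAMPLE_NTS[] = {
    0x3650bc2cu, 0x0d142f4bu, 0xda40f1b2u, 0x142f4bd8u, 0x3650bc2du
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_NTS / sizeof SAMPLE_NTS[0];

int main(void) {
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("nt %08x: %s\n", (unsigned)SAMPLE_NTS[i],
               nonce_fits_lfsr16(SAMPLE_NTS[i]) ? "fits 16-bit LFSR" : "does not fit");
    /* Two of the printed nonces lie on the same LFSR stream, 8 clocks apart. */
    printf("0d142f4b advanced 8 clocks: %08x\n", (unsigned)lfsr16_advance(0x0d142f4bu, 8));
    return 0;
}
```

All four nonces from the log pass the check, which is what marks this tag as using the legacy predictable generator; a card with a hardened PRNG would fail it on almost every nonce.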

#85 2016-04-12 09:06:24

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

DAMN!!! THANK YOU!!!!

Can you just explain to me in a few words how to upgrade my board? I am so new to it.

#86 2016-04-12 09:25:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: May be a "hf mf mifare" bug

Let's see about that, I need to test things further before I make up my mind about it.

#87 2016-04-12 09:32:55

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: May be a "hf mf mifare" bug

Ok. so.. once you finish, tell me please. I also can test on my board
