Research, development and trades concerning the powerful Proxmark3 device.
Yes, at least for this example the sync_clock was 1829. We have seen a near sync in another example at 170200, which could be 29 * 1829, but it is also possible that the PRNG isn't clocked constantly. But as I said: without the card sending a NACK, that's not leading to practical results with hf mf mifare.
Is it possible to check NACK before calibrating? If so, the whole process might be optimized
Know you are working for harden nest, good luck.
Calibrating algorithm might be improved later:P
Offline
Is it possible to check NACK before calibrating? If so, the whole process might be optimized
No. You need to calibrate in order to force the card to send the same nonce every time. Only after 256 reader responses to the same nonce you can be sure that the card doesn't have the NACK bug.
Offline
Got it, thanks, when have any improvement in the calibrating stage, let me know, test for you soon:P @piwi
Offline
@piwi For what you have done, the hf mf mifare works properly, but a bug came with it
For v2.2.0 I could use hf mf nested to crack the card, but with the up-to-date version, hf mf nested command failed
proxmark3> hf mf nested o 0 B FFFFFFFFFFFF 0 A
--target block no: 0, target key type:A
uid:bc6dd71d trgbl=0 trgkey=0
No valid key found
proxmark3> hf mf nested o 0 B FFFFFFFFFFFF 0 A
--target block no: 0, target key type:A
#db# Authentication failed. Card timeout.
#db# Nested: Auth1 error
#db# Nested: Auth1 error
Error: No response from Proxmark.
Offline
Hello
Any news about this reset? I have the same problem with a mifare 1k when I try hf mf mifare.
Offline
if you set the dbg level to 3, you don't get the reset...
hf mf dbg 3
hf mf mifare
See it as a workaround
Last edited by iceman (2016-02-11 22:13:36)
Offline
#db# calibrating in cycle 31. nt_distance=23877, elapsed_prng_sequences=2, new sync_cycles: 37994
#db# calibrating in cycle 32. nt_distance=13005, elapsed_prng_sequences=3, new sync_cycles: 33659
...#db# ISO14443A Timeout set to 1050 (9ms)
.#db# ISO14443A Timeout set to 1050 (9ms)
#db# ISO14443A Timeout set to 1050 (9ms)
#db# ISO14443A Timeout set to 1050 (9ms)
.#db# ISO14443A Timeout set to 1050 (9ms)
#db# ISO14443A Timeout set to 1050 (9ms)
.#db# ISO14443A Timeout set to 1050 (9ms)
#db# ISO14443A Timeout set to 1050 (9ms)
#db# collected debug info[0][0] = -6459
#db# collected debug info[0][1] = 19620
#db# collected debug info[0][2] = -6411
#db# collected debug info[0][3] = 19476
#db# collected debug info[0][4] = -6843
#db# collected debug info[0][5] = 20772
#db# collected debug info[0][6] = -2947
#db# collected debug info[0][7] = 9076
#db# collected debug info[1][0] = 27476
#db# collected debug info[1][1] = 17173
#db# collected debug info[1][2] = -13755
#db# collected debug info[1][3] = -24011
#db# collected debug info[1][4] = 6773
#db# collected debug info[1][5] = 20564
#db# collected debug info[1][6] = -3579
#db# collected debug info[1][7] = 10972
#db# collected debug info[2][0] = -23645
#db# collected debug info[2][1] = 14403
#db# collected debug info[2][2] = -13341
#db# collected debug info[2][3] = -16533
#db# collected debug info[2][4] = -6949
#db# collected debug info[2][5] = 29818
#db# collected debug info[2][6] = -32604
#db# collected debug info[2][7] = -24236
#db# collected debug info[3][0] = 28239
#db# collected debug info[3][1] = 784
#db# collected debug info[3][2] = -705
#db# collected debug info[3][3] = 270
#db# collected debug info[3][4] = 450
#db# collected debug info[3][5] = -544
#db# collected debug info[3][6] = 559
#db# collected debug info[3][7] = -32
Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.
Offline
This worked Iceman!
I just can't read this tag now. Maybe I should try nested
Offline
When you set dbg level > 1, it usually messes with the timings, so the darkside attack doesn't always work.
Try setting dbg 2 and see if that works.
Nested should work, but set dbg to 0 before.
Offline
With dbg 2 it resets again.
For nested I would need Key A, or not?
Offline
read the help text..
Offline
For nested attack I need key A. hf mf nested 1 0 A XXXXXXXXXXXX
I tested other tag and it works fine in dbg 0 without reset. But the other few keys it is impossible. For one of them I know the Key A and the nested works. The others keys are same kind, same manufacturer, but I can't make a hf mf mifare.
Darkside with dbg 3 doesn't reset but also can't get key a from a key with Key A = FFFFFFFFFFFF
Offline
No, if you read the help text for nested it says a key for a block, eg any combo of key/block, not only Key A for block 0...
Offline
I don't have any key. I know each sector needs a KEYA and a KEYB, and maybe they are different for each one. But I only have the tag, with no other information.
As far as I understand, to make a nested test I need at least one key. Please tell me if I am wrong. I am new to this.
Offline
Have you tried the "hf mf chk" with the default_keys.dic ?
Offline
I tried it
hf mf chk *1 ? t
and no luck
Offline
So you didn't use the default_keys.dic...
Offline
Can you help me with this? I was thinking the default keys are included in the exe. I don't have this file
Offline
proxmark3> hf mf chk *1 ? t default_keys.dic
File: default_keys.dic: not found or locked.
Offline
If you compiled the latest version from GitHub, then you should have it in your client folder.
Offline
Thanks, I have added this file.
Now it runs but no key is found
Offline
chk custom key[83] f1d83f964314
chk custom key[84] fc00018778f7
chk custom key[85] fc0001877bf7
chk custom key[86] 44ab09010845
chk custom key[87] 85fed980ea5a
chk custom key[88] 314b49474956
chk custom key[89] 564c505f4d41
chk custom key[90] f4a9ef2afc6d
chk custom key[91] a9f953def0a3
--sector: 0, block: 3, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 1, block: 7, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 2, block: 11, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 3, block: 15, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 4, block: 19, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 5, block: 23, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 6, block: 27, key type:A, key count:92
#db# ChkKeys: Can't select card
--sector: 7, block: 31, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector: 8, block: 35, key type:A, key count:92
#db# Multiple tags detected. Collision after Bit 27
#db# ChkKeys: Can't select card
--sector: 9, block: 39, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:10, block: 43, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:11, block: 47, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:12, block: 51, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:13, block: 55, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:14, block: 59, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
--sector:15, block: 63, key type:A, key count:92
#db# ChkKeys: Can't select card
#db# ChkKeys: Can't select card
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been i
Offline
You seem to have a problem reading your tag.
Do you have a strong antenna? And you'll need to have 1cm distance between tag and antenna.
Nothing guarantees that the default list has a key for you,
but it might help in your "hf mf mifare" run
Offline
I have the board from xfpga-
As a test, I replaced the capacitor on the PCB with a trimmer capacitor to try to tune the antenna. But I can't get more than 15V with the tag over the antenna and 17V without any tag over it.
I can't get more power, so it looks like it is tuned. I tested with hf tune.
Maybe this is a problem for the board, I have read very bad feedback about xfpga.
Offline
If it's one of the older models, you might need to recompile the fullimage with the older fpga hf image from Feb/Jan 2015.
There is a known fault here that makes those models not work with the latest fpga hf image.
You can see the threads here on the forum if you search
But that is not the subject of this thread.
There is also a known bug in "hf mf mifare" where it resets.
Last edited by iceman (2016-02-12 13:55:14)
Offline
so... what should I do?
With fpga r651 it never reset, but also never read anything when run mf mifare
With newer version, it looks like work for some keys, but most of them provoke a reset.
If it is a board problem I could think of buying a new one from another provider; your advice would be good.
Offline
As I mentioned, there is a separate thread about this problem; read it and understand that there is a fix for it.
Offline
This is the older I found. The links on the forum in first page are broken.
But it also reset.
Offline
read this thread: http://www.proxmark.org/forum/viewtopic … 870#p17870
Offline
I tried this full image in this thread but then the hf antenna has 0v.
Offline
@drakospart please upgrade your pm3 board to up-to-date version, most time, the problem resolved
The board might not die
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...
Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.
proxmark3>
Offline
Thank you!
I did. And I think it is a problem of the board or the tag. It only happens with some Chinese tags
Offline
I think I found the bug, and a solution for this old WDT bug....
I can run several times in a row without triggering the bug. @piwi's NACK, PRNG detection works as promised too.
pm3 ~/client$ proxmark3.exe com3
Prox/RFID mark3 RFID instrument
bootrom: iceman/-suspect 2016-02-14 14:13:43
os: iceman/-suspect 2016-04-11 22:23:31
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 213005 bytes (81%). Free: 49139 bytes (19%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..........#db# Number of sent auth requestes: 298
uid(8444e9cf) nt(3650bc2c) par(25cd5d1525f5ad3d) ks(00040b01050f0d04) nr(25f5ad3d00000000)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| 0 | 5 |1,0,1,0,0,1,0,0|
| 20 |00000020| 4 | 1 |1,0,1,1,0,0,1,1|
| 40 |00000040| b | e |1,0,1,1,1,0,1,0|
| 60 |00000060| 1 | 4 |1,0,1,0,1,0,0,0|
| 80 |00000080| 5 | 0 |1,0,1,0,0,1,0,0|
| a0 |000000a0| f | a |1,0,1,0,1,1,1,1|
| c0 |000000c0| d | 8 |1,0,1,1,0,1,0,1|
| e0 |000000e0| 4 | 1 |1,0,1,1,1,1,0,0|
+----+--------+---+-----+---------------+
Time in nonce2key: 312 ticks
Found valid key: fc00018778f7
Time in darkside: 24134 ticks
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....#db# Number of sent auth requestes: 152
uid(8444e9cf) nt(0d142f4b) par(0c74044ce40c5c54) ks(06080800040a0a07) nr(e40c5c5400000000)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| 6 | 3 |0,0,1,1,0,0,0,0|
| 20 |00000020| 8 | d |0,0,1,0,1,1,1,0|
| 40 |00000040| 8 | d |0,0,1,0,0,0,0,0|
| 60 |00000060| 0 | 5 |0,0,1,1,0,0,1,0|
| 80 |00000080| 4 | 1 |0,0,1,0,0,1,1,1|
| a0 |000000a0| a | f |0,0,1,1,0,0,0,0|
| c0 |000000c0| a | f |0,0,1,1,1,0,1,0|
| e0 |000000e0| 7 | 2 |0,0,1,0,1,0,1,0|
+----+--------+---+-----+---------------+
Time in nonce2key: 78 ticks
Found valid key: fc00018778f7
Time in darkside: 12387 ticks
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.........#db# Number of sent auth requestes: 292
uid(8444e9cf) nt(da40f1b2) par(6d4d6555c5b54dbd) ks(0209010a090d010e) nr(c5b54dbd00000000)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| 2 | 7 |1,0,1,1,0,1,1,0|
| 20 |00000020| 9 | c |1,0,1,1,0,0,1,0|
| 40 |00000040| 1 | 4 |1,0,1,0,0,1,1,0|
| 60 |00000060| a | f |1,0,1,0,1,0,1,0|
| 80 |00000080| 9 | c |1,0,1,0,0,0,1,1|
| a0 |000000a0| d | 8 |1,0,1,0,1,1,0,1|
| c0 |000000c0| 1 | 4 |1,0,1,1,0,0,1,0|
| e0 |000000e0| e | b |1,0,1,1,1,1,0,1|
+----+--------+---+-----+---------------+
Time in nonce2key: 172 ticks
Found valid key: fc00018778f7
Time in darkside: 23496 ticks
pm3 --> hf mf mif 10
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.......#db# Number of sent auth requestes: 228
uid(8444e9cf) nt(142f4bd8) par(ce3656ee46defe06) ks(0b0000000b04010f) nr(46defe0600000000)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| b | e |0,1,1,1,0,0,1,1|
| 20 |00000020| 0 | 5 |0,1,1,0,1,1,0,0|
| 40 |00000040| 0 | 5 |0,1,1,0,1,0,1,0|
| 60 |00000060| 0 | 5 |0,1,1,1,0,1,1,1|
| 80 |00000080| b | e |0,1,1,0,0,0,1,0|
| a0 |000000a0| 4 | 1 |0,1,1,1,1,0,1,1|
| c0 |000000c0| 1 | 4 |0,1,1,1,1,1,1,1|
| e0 |000000e0| f | a |0,1,1,0,0,0,0,0|
+----+--------+---+-----+---------------+
Time in nonce2key: 452 ticks
Found valid key: fc00018778f7
Time in darkside: 18775 ticks
pm3 --> hf mf mif 10
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
........#db# Number of sent auth requestes: 255
Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).
pm3 --> hf mf mif 10
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
#db# Number of sent auth requestes: 5
Card is not vulnerable to Darkside attack (its random number generator is not predictable).
pm3 --> hf mf mif 10
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
........#db# Number of sent auth requestes: 255
Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).
Offline
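For triaging captured client sessions like the one posted above (for example when auditing which cards in a batch still answer with a NACK), here is an added example; it is not part of any post in this thread or of the Proxmark3 code base. The names `classify_runs`, `decode_summary` and the outcome labels are assumptions, and the mapping from the `par(...)`/`ks(...)` line to the table rows is inferred from the output printed above.

```python
import re

# Result messages as they appear in the client output quoted in this thread.
OUTCOMES = {
    "Found valid key": "key_recovered",
    "doesn't send NACK": "no_nack",
    "is not predictable": "prng_unpredictable",
    "shows unexpected behaviour": "prng_unexpected",
}
RUN_START = re.compile(r"^(?:pm3 -->|proxmark3>) hf mf mif")
AUTHS = re.compile(r"Number of sent auth requestes: (\d+)")  # spelling as printed
SUMMARY = re.compile(r"par\(([0-9a-f]{16})\) ks\(([0-9a-f]{16})\)")

def decode_summary(line):
    """Expand par(...)/ks(...) into (diff, ks3, ks3^5, parity bits) rows."""
    m = SUMMARY.search(line)
    par, ks = bytes.fromhex(m.group(1)), bytes.fromhex(m.group(2))
    return [(i * 0x20, ks[i] & 0x0F, (ks[i] & 0x0F) ^ 5,
             [(par[i] >> b) & 1 for b in range(8)])  # parity bits, LSB first
            for i in range(8)]

def classify_runs(log):
    """One record per 'hf mf mif' invocation; 'incomplete' means no verdict line."""
    runs, cur = [], None
    for line in log.splitlines():
        if RUN_START.match(line):
            cur = {"outcome": "incomplete", "auths": None, "rows": None}
            runs.append(cur)
        elif cur is not None:
            if m := AUTHS.search(line):
                cur["auths"] = int(m.group(1))
            if SUMMARY.search(line):
                cur["rows"] = decode_summary(line)
            for needle, label in OUTCOMES.items():
                if needle in line:
                    cur["outcome"] = label
    return runs

# Constructed session: output lines follow the format quoted in this thread, the
# key is a placeholder, and the last run has no verdict (device reset mid-command).
SAMPLE = """pm3 --> hf mf mif
..........#db# Number of sent auth requestes: 298
uid(8444e9cf) nt(3650bc2c) par(25cd5d1525f5ad3d) ks(00040b01050f0d04) nr(25f5ad3d00000000)
Found valid key: 000000000000
pm3 --> hf mf mif 10
........#db# Number of sent auth requestes: 255
Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).
pm3 --> hf mf mif 10
"""
```

A run that stays `incomplete` is the signature of the reset discussed in this thread: the command started but the client never printed a verdict.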
DAMN!!! THANK YOU!!!!
Can you just explain to me in a few words how to upgrade my board? I am so new to it
Offline
Let's see about that, I need to test things further before I make up my mind about it.
Offline
Ok. so.. once you finish, tell me please. I also can test on my board
Offline