Research, development and trades concerning the powerful Proxmark3 device.
Has anyone acquired factory-fresh MF Plus cards for testing hardnested? Can the Proxmark configure cards as well? Otherwise, can someone suggest some open software + reader with which we can commission test cards for this sort of thing? Or is everyone testing with a known commissioned card?
Sorry, a bit new to the Proxmark world - let me know if this has been answered elsewhere.
Quite an interesting topic! What about catching AES keys during the transition between SL1 and SL2 using snoop?
Can anyone help in describing what I would need to change the security level? A real wall reader with the real configuration software, or can the PM3 send the command to change security levels?
As far as I can see, there is no special PM3 command to raise the SL. You may want to try to snoop the communication while raising the SL and proceed with the analysis of the communication bytes.
Makes sense - so it seems I need a reader and configuration software to raise the SL. Anyone know something cheap off eBay (a used wall reader?) I can get to do this, or whether it can be done with the cheap SLC readers and open-source tools?
A long way to go. I personally haven't seen any examples to do this. You may want to snoop the communication during level up right at the place.
Once again - I have never commissioned a card, nor do I have anything but a PM3 - so any direction on moving from SL0 to SL1 from the forum is appreciated, even if that means a datasheet with the raw 14443A command structures for these types of commands, or what hardware I would need beyond the Proxmark.
Also, any help in finding a place to acquire a used/programmed Mifare Plus SL1 card is appreciated as well!
Sorry, haven't seen a full datasheet showing what the Mifare commands look like when changing SL modes.
Use your google-fu for "mifare plus full data sheet"; that should be a beginning.
Is SAM storage/module support available using the PM3? If changing the SL is somehow feasible using the PM3, at a certain level a SAM will be required.
Gents,
I've found some information on Mifare Plus operational stuff, including commands and operating with security levels in particular.
https://www.idrive.com/idrive/sh/sh?k=b9w8g1h2a6
Last edited by osys (2016-06-03 12:25:35)
I was able to capture the transition from SL0 to SL1 (maybe missed a few transactions; I can do more). But I still don't have a card which is vulnerable to hardnested: it cannot auth to the card during the attack even though I know the keys. However, it appears this is only making AES keys, not 100% backwards compatible with Classic AND using AES.
I assume the Mifare Plus has the capability to be used as a transitional card, where there can be an old CRYPTO1 app/keys for old readers, and AES for the new readers?
In any case, here is my attempt to move a card from SL0 to SL1:
hf list 14a
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# cancelled by button
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=427, Uart.output[0]=0000000a
Recorded Activity (TraceLen = 427 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr | 26 | | REQA
2260 | 4628 | Tag | 04 00 | |
8192 | 10656 | Rdr | 93 20 | | ANTICOLL
11860 | 17748 | Tag | a6 d3 31 4c 08 | |
24320 | 33888 | Rdr | 93 70 a6 d3 31 4c 08 89 02 | !crc| SELECT_UID
-198150336 | -198150048 | Rdr |00! | | ?
36036 | 39620 | Tag | 20 fc 70 | |
47428 | 63684 | Tag | 0c 75 77 80 02 c1 05 2f 2f 00 35 c7 60 d3 | ok |
570462528 | 570489184 | Rdr | 0a 08 a8 00 90 00 00 00 00 00 00 00 00 00 00 00 | | * 0x9000 Card Master Key
| | | 00 00 00 00 00 2a e9 | ok | ?
570688004 | 570693892 | Tag | 0a 08 90 27 8c | |
1292093456 | 1292120112 | Rdr | 0b 08 a8 01 90 11 11 11 11 11 11 11 11 00 00 00 | | * 0x9001 Card Config Key
| | | 00 00 00 00 00 f2 ec | ok | ?
1292318788 | 1292324676 | Tag | 0b 08 90 fb d6 | |
1515023216 | 1515049872 | Rdr | 0a 08 a8 02 90 11 11 11 11 11 11 11 11 11 11 11 | | * 0x9002 Level2 Switch Key(NA)
| | | 11 11 11 11 11 f0 5e | ok | ?
1515058244 | 1515064132 | Tag | 0a 08 09 6f 85 | |
-1696103312 | -1696076720| Rdr | 0b 08 a8 03 90 aa bb cc dd ee ff 00 00 00 00 aa | | * 0x9003 Level3 Switch Key
| | | bb cc dd ee ff 86 aa | ok | ?
-1695877708 | -1695871820| Tag | 0b 08 90 fb d6 | |
-1368682928 | -1368656272| Rdr | 0a 08 a8 03 90 aa bb cc dd ee ff 00 00 00 00 aa | | * 0x9004 SL1 Card Auth Key
| | | bb cc dd ee ff ea 9d | ok | ?
-1368457468 | -1368451580| Tag | 0a 08 90 27 8c | |
-1243767136 | -1243740544| Rdr | 0b 08 a8 04 90 aa bb cc dd ee ff 00 00 00 00 aa | | *Commit Perso
| | | bb cc dd ee ff 11 50 | ok | ?
-1243541660 | -1243535772| Tag | 0b 08 90 fb d6 | |
-1059605648 | -1059599792| Rdr | 0a 08 aa fe 12 | ok | ?
-1059383372 | -1059377484| Tag | 0a 08 90 27 8c | |
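To make sense of a capture like the one above, here is an added example (not code from the Proxmark3 project or from the poster) that decodes the ISO 14443-4 I-blocks from the trace, re-checks CRC_A, and names the MIFARE Plus personalisation commands from the frame bytes rather than from the hand annotations. The frame bytes are copied from the trace, with the two table rows of each long reader frame joined onto one line; the block labels are the ones the capture annotates.

```python
# Added example, not code from the Proxmark3 project or the poster above: it decodes the
# ISO 14443-4 I-blocks of the "hf list 14a" capture, re-checks CRC_A and names the
# MIFARE Plus personalisation commands from the frame bytes (not the hand annotations).
# Frames are copied from the trace; table rows of one frame were joined onto one line.
PERSO_BLOCKS = {0x9000: "Card Master Key", 0x9001: "Card Config Key",     # labels as
                0x9002: "Level2 Switch Key", 0x9003: "Level3 Switch Key",  # annotated
                0x9004: "SL1 Card Auth Key"}                               # in the trace
TRACE = [  # (source, frame bytes incl. CRC) copied from the capture above
    ("Rdr", "0a 08 a8 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2a e9"),
    ("Tag", "0a 08 90 27 8c"),
    ("Rdr", "0b 08 a8 01 90 11 11 11 11 11 11 11 11 00 00 00 00 00 00 00 00 f2 ec"),
    ("Tag", "0b 08 90 fb d6"),
    ("Rdr", "0a 08 a8 02 90 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 f0 5e"),
    ("Tag", "0a 08 09 6f 85"),
    ("Rdr", "0b 08 a8 04 90 aa bb cc dd ee ff 00 00 00 00 aa bb cc dd ee ff 11 50"),
    ("Tag", "0b 08 90 fb d6"),
    ("Rdr", "0a 08 aa fe 12"),
    ("Tag", "0a 08 90 27 8c"),
]

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-A CRC_A (poly 0x8408 reflected, init 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b = (b ^ (b << 4)) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def decode_frame(src: str, hexstr: str) -> dict:
    """Split PCB | CID | INF | CRC and interpret INF as a MIFARE Plus SL0 command/reply."""
    frame = bytes.fromhex(hexstr)
    inf, crc = frame[2:-2], frame[-2:]
    out = {"src": src, "pcb": frame[0], "cid": frame[1], "crc_ok": crc_a(frame[:-2]) == crc}
    if src == "Tag":                       # first INF byte is the status code; 0x90 = OK
        out.update(status=inf[0], ok=inf[0] == 0x90)
    elif inf[0] == 0xA8:                   # WRITE PERSO: 2-byte block address (LE) + 16 bytes
        block = inf[1] | (inf[2] << 8)     # in SL0 the key bytes travel in clear, as seen here
        out.update(cmd="WRITE PERSO", block=block, data=inf[3:19],
                   name=PERSO_BLOCKS.get(block, "data/value block"))
    elif inf[0] == 0xAA:                   # COMMIT PERSO: no payload, switches SL0 -> SL1
        out["cmd"] = "COMMIT PERSO"
    return out

def decode_trace(trace=TRACE) -> list:
    return [decode_frame(src, hx) for src, hx in trace]

if __name__ == "__main__":
    for f in decode_trace():
        print(f)
```

Running it shows that the block 0x9002 write is the one the card rejects (status 0x09 instead of 0x90) and that the final 0xAA frame is the actual COMMIT PERSO; because SL0 personalisation is neither authenticated nor encrypted, every key written this way is readable from a sniff, so cards should be personalised off-site rather than on a deployed reader.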