Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Could anyone summarize the Mifare Plus attack in some plain English? I am looking into the paper and trying to understand it further, but it would help somewhat to understand the attack type better up front, and where improvements could be made. I am looking to do some research into this topic and help improve the attack if possible. I am a programmer by day, so code optimizations would be one, but I am also trying to understand the crypto (no pun intended) portion and make improvements in that realm as well; I will have to understand that further first. Suggestions here would be greatly appreciated, and all results would be posted right here!
I have posted some snoops of transitioning security levels of the Plus card; if those help, I can certainly post some more for transitioning to different levels.
Great initiative! The most interesting part for Plus is SL1 -> SL2 transition, catching AES keys during the process (if keys are re-enrolled of course). To begin with, I would rather start on extracting AES keys from snoop trace during SL0 -> SL1 and then switch to more advanced level SL1 -> SL2 knowing crypto1 keys.
OK, not sure if this is working quite right; it looks like a lot of parity errors. I placed the reader first on my desk, then the card on the reader, then a small plastic jar cap which is a few cm thick, then the Proxmark with the HF antenna on that.
I did "hf 14a sniff" (running @iceman's branch) and then "hf 14a list", and here is what I got:
hf list 14a
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# cancelled by button
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=446, Uart.output[0]=0000000b
Recorded Activity (TraceLen = 446 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 26592 | Rdr |0a 08 a8 00 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f 6a 55 | ok | ?
230068 | 235956 | Tag |0a 08 90 27 8c | |
48412480 | 48414816 | Rdr |7f 7f | | ?
48415552 | 48423648 | Rdr |ff 13! 3f! ff! 7e! 3e! 7c | !crc| ?
48423872 | 48424672 | Rdr |0f! | | ?
48424896 | 48429280 | Rdr |1e! fe! 3c 1c | !crc| ?
48429760 | 48430688 | Rdr |07 | | ?
48430912 | 48432864 | Rdr |3f! 07 | | ?
48433088 | 48437344 | Rdr |3e 1e! 8e 01 | !crc| CHK_TEARING(30)
48437824 | 48438496 | Rdr |02 | | ?
48641828 | 48647716 | Tag |0b 08 90 fb d6 | |
106462496 | 106465664 | Rdr |0a 08 28! | !crc| ?
106465904 | 106474256 | Rdr |f9! 4f fe fc! f9! f8 f2 00! | !crc| ?
106474480 | 106475280 | Rdr |0f! | | ?
106475504 | 106479888 | Rdr |1e! fe! 3c 1c | !crc| ?
106480368 | 106481296 | Rdr |07 | | ?
106481520 | 106483472 | Rdr |3f! 07 | | ?
106483696 | 106486928 | Rdr |3e 1e! 0e | !crc| CHK_TEARING(30)
-312309312 | -312282464 | Rdr |2c 20 a0! 0d 42! 03! 06! 08 0c! 12! 14! 1a 1e! 20 24! 2a | |
| | |2e! 30! 36! 38 3c! fa! 8c 02 | !crc| ?
175995764 | 176001652 | Tag |0b 08 90 fb d6 | |
230623824 | 230626160 | Rdr |67 7f | | ?
230626640 | 230634992 | Rdr |f3! 4f fe fc! f9! f8 f2 00! | !crc| ?
230635216 | 230636016 | Rdr |0f! | | ?
230636240 | 230640624 | Rdr |1e! fe! 3c 1c | !crc| ?
230641104 | 230642032 | Rdr |07 | | ?
230642256 | 230644208 | Rdr |3f! 07 | | ?
230644432 | 230647664 | Rdr |3e 1e! 0e | !crc| CHK_TEARING(30)
230647888 | 230648688 | Rdr |03! | | ?
230648912 | 230649200 | Rdr |00! | | ?
230649680 | 230649904 | Rdr |01 | | ?
230853188 | 230859076 | Tag |0a 08 90 27 8c | |
256722480 | 256728336 | Rdr |0b 08 aa 22 48 | ok | ?
256950244 | 256956132 | Tag |0b 08 90 fb d6 | |
Last edited by my_fair_cats_sick (2016-07-08 14:11:05)
That's a bad sniff trace.
Try reader - pm3 antenna - card, where the pm3 antenna and card are very close to each other.
Hmm ok I thought it was necessary to have a few cm in between to get a good reading. I'll try again.
Here is one more trace with the PM3 HF antenna between the reader and the card:
pm3 --> hf 14a sniff
pm3 --> hf 14a list
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# cancelled by button
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=438, Uart.output[0]=0000000b
Recorded Activity (TraceLen = 438 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr |26 | | REQA
2260 | 4628 | Tag |44 00 | |
8192 | 10656 | Rdr |93 20 | | ANTICOLL
11860 | 17684 | Tag |88 04 5f! 9f 4c! | |
24320 | 34848 | Rdr |93 70 88 04 5d 95 44 5c 64 | ok | SELECT_UID
36052 | 39572 | Tag |04 da 17 | |
42880 | 45344 | Rdr |95 20 | | ANTICOLL-2
46532 | 52356 | Tag |4a 95 36 80 69 | |
58880 | 69408 | Rdr |95 70 4a 95 36 80 69 3f ae | ok | ANTICOLL-2
70612 | 74196 | Tag |20 fc 70 | |
75904 | 80608 | Rdr |e0 88 79 ff | ok | RATS
81876 | 98132 | Tag |0c 75 77 80 02 c1 05 2f 2f 00 35 c7 60 d3 | ok |
82152464 | 82179056 | Rdr |0a 08 a8 00 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f 6a 55 | ok | ?
82379460 | 82385348 | Tag |0a 08 90 27 8c | |
173839568 | 173866160 | Rdr |0b 08 a8 01 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f e1 9a | ok | ?
174066324 | 174072212 | Tag |0b 08 90 fb d6 | |
217195952 | 217222544 | Rdr |0a 08 a8 02 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f b5 ac | ok | ?
217230980 | 217236868 | Tag |0a 08 09 6f 85 | |
261475936 | 261502528 | Rdr |0b 08 a8 03 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f 3e 63 | ok | ?
261702548 | 261708436 | Tag |0b 08 90 fb d6 | |
318566336 | 318592992 | Rdr |0a 08 a8 04 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f c5 ae | ok | ?
318793092 | 318798980 | Tag |0a 08 90 27 8c | |
359423248 | 359429104 | Rdr |0b 08 aa 22 48 | ok | ?
359647060 | 359652948 | Tag |0b 08 90 fb d6 | |
And another:
pm3 --> hf 14a sniff
pm3 --> hf 14a list
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# cancelled by button
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=445, Uart.output[0]=00000000
Recorded Activity (TraceLen = 445 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr |26 | | REQA
2244 | 4612 | Tag |44 00 | |
8192 | 10656 | Rdr |93 20 | | ANTICOLL
11844 | 12356 | Tag |00! | |
-77954912 | -77954560 | Rdr |02 | | ?
-77954912 | -77954304 | Rdr |0a! | | ?
24192 | 34720 | Rdr |93 70 88 04 5c 95 45 09 2f | ok | SELECT_UID
35908 | 36292 | Tag |00! | |
-77954912 | -77954560 | Rdr |02 | | ?
42880 | 45344 | Rdr |95 20 | | ANTICOLL-2
46532 | 52356 | Tag |4a 95 36 80 69 | |
59008 | 69536 | Rdr |95 70 4a 95 36 80 69 3f ae | ok | ANTICOLL-2
70724 | 74308 | Tag |20 fc 70 | |
76160 | 80864 | Rdr |e0 88 79 ff | ok | RATS
82116 | 83268 | Tag |0c! | |
264517600 | 264544192 | Rdr |0a 08 a8 00 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f 6a 55 | ok | ?
-77954912 | -77954560 | Rdr |02 | | ?
302950400 | 302976992 | Rdr |0b 08 a8 01 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f e1 9a | ok | ?
339622000 | 339648592 | Rdr |0a 08 a8 02 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f b5 ac | ok | ?
339657156 | 339658308 | Tag |0a! | |
-77954912 | -77953792 | Rdr |b6 | | ?
380835872 | 380862464 | Rdr |0b 08 a8 03 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f 3e 63 | ok | ?
424831552 | 424858208 | Rdr |0a 08 a8 04 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f c5 ae | ok | ?
425062832 | 425063376 | Rdr |00! | | ?
-77954912 | -77954624 | Rdr |00! | | ?
542290240 | 542296096 | Rdr |0b 08 aa 22 48 | ok | ?
542515460 | 542517124 | Tag |0b 00! | |
542518848 | 542519264 | Rdr |00! | | ?
-77954912 | -77954624 | Rdr |00! | | ?
The first trace looks OK. You got the reader sending and the card's responses.
Trace 1: after the anticollision, the card answers, then there is a long wait until the reader requests again. From there on it's ISO7816 format.
82152464 | 82179056 | Rdr |0a 08 a8 00 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f 6a 55 | ok | ?
82379460 | 82385348 | Tag |0a 08 90 27 8c | |
173839568 | 173866160 | Rdr |0b 08 a8 01 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f e1 9a | ok | ?
174066324 | 174072212 | Tag |0b 08 90 fb d6 | |
217195952 | 217222544 | Rdr |0a 08 a8 02 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f b5 ac | ok | ?
217230980 | 217236868 | Tag |0a 08 09 6f 85 | |
261475936 | 261502528 | Rdr |0b 08 a8 03 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f 3e 63 | ok | ?
261702548 | 261708436 | Tag |0b 08 90 fb d6 | |
318566336 | 318592992 | Rdr |0a 08 a8 04 90 00 01 02 03 04 05 06 07 08 09 0a | |
| | |0b 0c 0d 0e 0f c5 ae
If you run "hf list 7816" you'll get annotation for this part only.
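The frames quoted above, decoded by an added example that is the editor's code, not the thread's or the Proxmark3 project's: each data column is an ISO 14443-4 I-block (PCB 0a/0b, CID 08) carrying one MIFARE Plus SL0 personalisation command, and the decoder shows which key blocks are written and that the key value travels in clear. The command, status and key-block names are taken from the public MIFARE Plus datasheet as recalled here and are an assumption to check against your copy; crc_a is the ISO 14443-3 CRC_A that the trace's "ok" column verifies.

```python
def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (init 0x6363, sent LSB first); this is what the 'ok' column checks."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

# Assumed names (public MIFARE Plus datasheet, from memory): verify against your copy.
MFP_CMDS = {0xA8: "WritePerso", 0xAA: "CommitPerso"}
MFP_KEY_BLOCKS = {0x9000: "AES Card Master Key", 0x9001: "Card Configuration Key",
                  0x9002: "Level 2 Switch Key", 0x9003: "Level 3 Switch Key",
                  0x9004: "SL1 Card Authentication Key"}
MFP_STATUS = {0x90: "OK", 0x09: "block number not valid"}

def decode_frame(hexstr: str, src: str) -> dict:
    """Decode one Rdr/Tag data column: [PCB][CID][payload...][CRC_A lo][CRC_A hi]."""
    raw = bytes.fromhex(hexstr)
    body, crc = raw[:-2], raw[-2:]
    out = {"src": src, "pcb": body[0], "cid": body[1] & 0x0F,
           "block_num": body[0] & 1,            # I-block sequence bit: why the PCB alternates 0a/0b
           "crc_ok": crc_a(body) == crc}
    payload = body[2:]
    if src == "Tag":                            # the tag answers with a one-byte MFP status code
        out["status"] = MFP_STATUS.get(payload[0], f"0x{payload[0]:02x}")
        return out
    out["cmd"] = MFP_CMDS.get(payload[0], f"0x{payload[0]:02x}")
    if payload[0] == 0xA8:                      # WritePerso: cmd, block number LSB first, 16-byte value
        out["block"] = int.from_bytes(payload[1:3], "little")
        out["block_name"] = MFP_KEY_BLOCKS.get(out["block"], "data/other block")
        out["data"] = payload[3:19]
    return out

def keys_in_clear(trace) -> list:
    """(block name, key hex) for every CRC-valid WritePerso to a key block: what an SL0 sniff exposes."""
    found = []
    for src, hexstr in trace:
        d = decode_frame(hexstr, src)
        if d["crc_ok"] and d.get("cmd") == "WritePerso" and d["block"] in MFP_KEY_BLOCKS:
            found.append((d["block_name"], d["data"].hex()))
    return found

# Reader/tag pairs copied from the second trace in the thread.
TRACE = [("Rdr", "0a 08 a8 00 90 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 6a 55"),
         ("Tag", "0a 08 90 27 8c"),
         ("Rdr", "0a 08 a8 02 90 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f b5 ac"),
         ("Tag", "0a 08 09 6f 85"),
         ("Rdr", "0b 08 aa 22 48"),
         ("Tag", "0b 08 90 fb d6")]
if __name__ == "__main__":
    print(keys_in_clear(TRACE))
```

Running it against the trace lists the two key writes with their all-zeros-through-0f value, which is the plaintext material a defender should expect to leak whenever SL0 personalisation is done within reach of a sniffer.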