Research, development and trades concerning the powerful Proxmark3 device.
I got key A from sector 0 using mfoc. Concerning the key B I found it on this thread.
I got a result like:
Sector 00 - Found Key A: a0a1a2a3a4a5 Found Key B: b4c132439eef
Sector 01 - Unknown Key A Unknown Key B
Sector 02 - Unknown Key A Unknown Key B
Sector 03 - Unknown Key A Unknown Key B
Sector 04 - Unknown Key A Unknown Key B
I do not have a Proxmark3, but I have read on this forum that it's possible to find other keys with XOR operations. I am just curious to know what algo is used to do that. If I am wrong, I will be happy to learn more on the MiZip keys.
It looks like MIZIP... you'll have to ask people who have that algo; if you get lucky they might trade it with you for other information.
Yep, this is a MIZIP key. It is because I found information on this thread that I am asking whether someone can share their knowledge with me.
usually you'll need something to trade with...
Ah ok. Concerning the MiZip keys I do not have much information to share. But I can share a vulnerability on the MorphoAccess system in PM.
Hey guys,
I'm new and have read this forum a lot, and I found this topic while I was searching for MiZIP.
Is it correct, that someone has the correct algo for the MiZIP cards but it's not public yet?
It works.
I got bored and did a Lua script.
pm3 --> sc r calc_mizip -u 11223344
--- Executing: ./scripts/calc_mizip.lua, args'-u 11223344'
============================================================
|UID| 11223344
|---|----------------|----------------|
|sec|key A |key B |
|---|----------------|----------------|
|000| A0A1A2A3A4A5 | B4C132439EEF |
|001| 1830696198C7 | C2689571EB65 |
|002| BA57FA73830D | 40A388DC0105 |
|003| F35072EB3D2B | 9909025465EA |
|004| 2058846B55B2 | 835736051EB9 |
|---|----------------|----------------|
-----Finished
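What the script's table implies can be reconstructed from the posted UID/key pairs alone. The following is an added example, not the forum's calc_mizip.lua and not code from this thread; it assumes that each sector 1-4 key is the four UID bytes repeated in a fixed order and XORed with a static per-sector mask, with sector 0 keys constant, and it recovers those masks from the sample card in the post. The point for anyone deploying such a scheme: because XOR is its own inverse, one card with a known UID and dumped keys reveals the mask for every card, so UID "diversification" of this kind adds no key secrecy.

```python
# Added example, not the forum's calc_mizip.lua: MIZIP-style key diversification
# reconstructed from the table posted above. Assumption: each key is the 4 UID
# bytes, repeated in a fixed order, XORed with a static per-sector mask; sector 0
# keys are constant. Masks are recovered from the posted UID/key pairs.

KEY_A_SECTOR0 = "A0A1A2A3A4A5"
KEY_B_SECTOR0 = "B4C132439EEF"

# Sample card from the post: UID 11223344 and the keys the script printed for it.
SAMPLE_UID = bytes.fromhex("11223344")
POSTED_KEYS = {
    1: ("1830696198C7", "C2689571EB65"),
    2: ("BA57FA73830D", "40A388DC0105"),
    3: ("F35072EB3D2B", "9909025465EA"),
    4: ("2058846B55B2", "835736051EB9"),
}

def uid_pattern(uid: bytes, key_type: str) -> bytes:
    """Order in which the 4 UID bytes fill the 6 key bytes (assumed per key type)."""
    if len(uid) != 4:
        raise ValueError("derivation expects a 4-byte UID")
    u0, u1, u2, u3 = uid
    if key_type == "A":
        return bytes([u0, u1, u2, u3, u0, u1])
    if key_type == "B":
        return bytes([u2, u3, u0, u1, u2, u3])
    raise ValueError("key type must be 'A' or 'B'")

def xor6(a: bytes, b: bytes) -> str:
    return bytes(x ^ y for x, y in zip(a, b)).hex().upper()

def recover_mask(uid: bytes, key_hex: str, key_type: str) -> str:
    """XOR is its own inverse: one known (UID, key) pair exposes the sector mask."""
    return xor6(uid_pattern(uid, key_type), bytes.fromhex(key_hex))

# Per-sector masks implied by the posted sample card (static across cards if the
# scheme is as assumed; a second card with known keys would confirm that).
MASKS = {
    sec: (recover_mask(SAMPLE_UID, ka, "A"), recover_mask(SAMPLE_UID, kb, "B"))
    for sec, (ka, kb) in POSTED_KEYS.items()
}

def derive_keys(uid: bytes) -> dict:
    """Return {sector: (keyA, keyB)} for sectors 0-4, as the posted table shows."""
    keys = {0: (KEY_A_SECTOR0, KEY_B_SECTOR0)}
    for sec, (mask_a, mask_b) in MASKS.items():
        keys[sec] = (xor6(uid_pattern(uid, "A"), bytes.fromhex(mask_a)),
                     xor6(uid_pattern(uid, "B"), bytes.fromhex(mask_b)))
    return keys
```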
Is there a possibility to start the Lua script on Windows or Mac?
Last edited by onlo (2016-11-05 19:00:11)
Is it possible?
I just moved into a new apartment and they are using Mifare DESFire.
I'm thinking of using the snoop tomorrow to try and sniff out the key to duplicate the fob.
Are the steps in this thread useful for finding out the key for the DESFire?
proxmark3> hf 14a reader
UID : 04 54 20 22 02 44 80
ATQA : 00 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : c1 05 2f 2f 01 bc d6 -> MIFARE Plus X 2K or 4K
c1 -> Mifare or (multiple) virtual cards of various type
05 -> Length is 5 bytes
2x -> MIFARE Plus
2x -> Released
x1 -> VCS, VCSL, and SVC supported
#db# unknown command:: 0x0607
Waiting for a response from the proxmark...
The error message at the bottom of your posted output tells me you have not flashed the device with the fullimage from which you are using the client software.
The DESFire is still quite locked down, so if there are no default keys then you can't do anything.
The error message at the bottom of your posted output tells me you have not flashed the device with the fullimage from which you are using the client software.
The DESFire is still quite locked down, so if there are no default keys then you can't do anything.
Yep you are right... the firmware was flashed about 3 years ago. It was quite stable... so I didn't flash it again.
Just updated to the latest bootrom and fullimage that came with PM2.5
So a little more info about the DESFire tag I have... it is from this system called VITEZ. I think quite a few apartments in my area use this company as their security system. Does anybody have any experience with this or know their "default key"?
I will have access to do some snooping... is there a way to clone the card based on the snoop results?
There is an info command in my fork. It tries to read some stuff off your tag. In any case there is very little done with DESFire tags in regards to the pm3 code. There was a side-channel attack for the first DESFire tag (not the newer ones) but still nothing Proxmark3 related.
hf mfdes info
pm3 --> hw ver
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: /-suspect 2015-11-19 10:08:09
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 169916 bytes (65). Free: 92228 bytes (35).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf 14a reader
UID : 04 54 20 22 02 44 80
ATQA : 00 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 60 D3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : C1 05 2F 2F 01 BC D6 -> MIFARE Plus X 2K or 4K
c1 -> Mifare or (multiple) virtual cards of various type
05 -> Length is 5 bytes
2x -> MIFARE Plus
2x -> Released
x1 -> VCS, VCSL, and SVC supported
Answers to magic commands (GEN1): NO
pm3 --> hf mfdes info
#db# unknown command:: 0x072d
Command execute timeout
pm3 -->
What went wrong?
Last edited by genexis (2016-11-17 15:26:40)
As always, run the same client as the one you flashed the device with.
Got it! Finally managed to compile on my Mac.
pm3 --> hf mfdes info
#db# halt error. response len: 3
-- Desfire Information --------------------------------------
-------------------------------------------------------------
UID : 04 54 20 22 02 44 80
Batch number : 00 00 00 00 00
Production date : week 00, 2000
-----------------------------------------------------------
Hardware Information
Vendor Id : no tag-info available
Type : 0x68
Subtype : 0x00
Version : 0.0 (Desfire MF3ICD40)
Storage size : 0x00 (1 bytes)
Protocol : 0x00 (Unknown)
-----------------------------------------------------------
Software Information
Vendor Id : no tag-info available
Type : 0x32
Subtype : 0x00
Version : 0.0
storage size : 0x00 (1 bytes)
Protocol : 0x00 (Unknown)
-------------------------------------------------------------
CMK - PICC, Card Master Key settings
#db# halt error. response len: 3
[0x08] Configuration changeable : YES
[0x04] CMK required for create/delete : NO
[0x02] Directory list access with CMK : YES
[0x01] CMK is changeable : YES
#db# halt error. response len: 3
Max number of keys : 104
Master key Version : 189 (0xbd)
----------------------------------------------------------
#db# halt error. response len: 3
[0x0A] Authenticate : YES
#db# halt error. response len: 3
[0x1A] Authenticate ISO : YES
#db# halt error. response len: 3
[0xAA] Authenticate AES : YES
----------------------------------------------------------
#db# halt error. response len: 3
Available free memory on card : 26813 bytes
-------------------------------------------------------------
pm3 -->
Well, of course the presumption is that you flashed your device with the fullimage from my fork.
I don't think your tag is DESFire, it could be a Mifare Plus. Too many zeros and wrong response lengths in your post.
Yep. Flashed with the latest stable pull from your fork.
Mifare Plus... let me read up on it...
You can try hf mf mifare
Tried that for the whole morning. It just kept showing dots even after a couple of hours. Is it normal for this to happen? I know it says it should end after 25 secs, but... mine is not ending... Is it still "cracking in progress"?
Try
hf mf chk
hf list 14a
pm3 --> hf 14a reader
UID : 04 54 20 22 02 44 80
ATQA : 00 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 60 D3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : C1 05 2F 2F 01 BC D6 -> MIFARE Plus X 2K or 4K
c1 -> Mifare or (multiple) virtual cards of various type
05 -> Length is 5 bytes
2x -> MIFARE Plus
2x -> Released
x1 -> VCS, VCSL, and SVC supported
Answers to magic commands (GEN1): NO
pm3 --> hf mf chk *4 ? d
No key specified, trying default keys
key[ 0] ffffffffffff
key[ 1] 000000000000
key[ 2] a0a1a2a3a4a5
key[ 3] b0b1b2b3b4b5
key[ 4] aabbccddeeff
key[ 5] 4d3a99c351dd
key[ 6] 1a982c7e459a
key[ 7] d3f7d3f7d3f7
key[ 8] 714c5c886e97
key[ 9] 587ee5f9350f
key[10] a0478cc39091
key[11] 533cb6c723f6
key[12] 8fd0a4f256e9
................................................................................
Time in checkkeys: 1590767 ticks 92 seconds
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 0 | ffffffffffff | 0 |
|001| ffffffffffff | 0 | ffffffffffff | 0 |
|002| ffffffffffff | 0 | ffffffffffff | 0 |
|003| ffffffffffff | 0 | ffffffffffff | 0 |
|004| ffffffffffff | 0 | ffffffffffff | 0 |
|005| ffffffffffff | 0 | ffffffffffff | 0 |
|006| ffffffffffff | 0 | ffffffffffff | 0 |
|007| ffffffffffff | 0 | ffffffffffff | 0 |
|008| ffffffffffff | 0 | ffffffffffff | 0 |
|009| ffffffffffff | 0 | ffffffffffff | 0 |
|010| ffffffffffff | 0 | ffffffffffff | 0 |
|011| ffffffffffff | 0 | ffffffffffff | 0 |
|012| ffffffffffff | 0 | ffffffffffff | 0 |
|013| ffffffffffff | 0 | ffffffffffff | 0 |
|014| ffffffffffff | 0 | ffffffffffff | 0 |
|015| ffffffffffff | 0 | ffffffffffff | 0 |
|016| ffffffffffff | 0 | ffffffffffff | 0 |
|017| ffffffffffff | 0 | ffffffffffff | 0 |
|018| ffffffffffff | 0 | ffffffffffff | 0 |
|019| ffffffffffff | 0 | ffffffffffff | 0 |
|020| ffffffffffff | 0 | ffffffffffff | 0 |
|021| ffffffffffff | 0 | ffffffffffff | 0 |
|022| ffffffffffff | 0 | ffffffffffff | 0 |
|023| ffffffffffff | 0 | ffffffffffff | 0 |
|024| ffffffffffff | 0 | ffffffffffff | 0 |
|025| ffffffffffff | 0 | ffffffffffff | 0 |
|026| ffffffffffff | 0 | ffffffffffff | 0 |
|027| ffffffffffff | 0 | ffffffffffff | 0 |
|028| ffffffffffff | 0 | ffffffffffff | 0 |
|029| ffffffffffff | 0 | ffffffffffff | 0 |
|030| ffffffffffff | 0 | ffffffffffff | 0 |
|031| ffffffffffff | 0 | ffffffffffff | 0 |
|032| ffffffffffff | 0 | ffffffffffff | 0 |
|033| ffffffffffff | 0 | ffffffffffff | 0 |
|034| ffffffffffff | 0 | ffffffffffff | 0 |
|035| ffffffffffff | 0 | ffffffffffff | 0 |
|036| ffffffffffff | 0 | ffffffffffff | 0 |
|037| ffffffffffff | 0 | ffffffffffff | 0 |
|038| ffffffffffff | 0 | ffffffffffff | 0 |
|039| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.
pm3 -->
pm3 --> hf list 14a
Recorded Activity (TraceLen = 313 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 54 20 f8 | |
18944 | 29408 | Rdr |93 70 88 04 54 20 f8 73 c3 | ok | SELECT_UID
30644 | 34164 | Tag |04 da 17 | |
35456 | 37920 | Rdr |95 20 | | ANTICOLL-2
39092 | 44916 | Tag |22 02 44 80 e4 | |
47360 | 57888 | Rdr |95 70 22 02 44 80 e4 cf 86 | ok | ANTICOLL-2
59060 | 62644 | Tag |20 fc 70 | |
64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
89088 | 93856 | Rdr |61 ff 55 6d | ok | AUTH-B(255)
1143552 | 1144800 | Rdr |00 | |
1160064 | 1161056 | Rdr |52 | | WUPA
2211712 | 2212704 | Rdr |52 | | WUPA
3263360 | 3264352 | Rdr |52 | | WUPA
4315008 | 4316000 | Rdr |52 | | WUPA
5366656 | 5367648 | Rdr |52 | | WUPA
6418304 | 6419296 | Rdr |52 | | WUPA
7469952 | 7470944 | Rdr |52 | | WUPA
8521600 | 8522592 | Rdr |52 | | WUPA
9573248 | 9574240 | Rdr |52 | | WUPA
10624896 | 10625888 | Rdr |52 | | WUPA
11676544 | 11677536 | Rdr |52 | | WUPA
12728192 | 12729184 | Rdr |52 | | WUPA
pm3 -->
Last edited by genexis (2016-11-20 14:09:16)
Ok, it doesn't seem to be a Mifare Classic, since it doesn't answer the Auth 0x61 command.
Back to DESFire and Plus (in SL2 mode?)
hf mfdes info
hf list 14a
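The way the trace is read here can be checked mechanically. This is an added example, not part of the thread or of the Proxmark3 client: it parses the "hf list 14a" row layout posted above (a constructed excerpt of that trace is embedded), pairs each reader frame with the tag frame that follows it, and lists the commands the card never answered. A MIFARE Classic-compatible card replies to AUTH (0x60/0x61) with a 4-byte nonce, so an unanswered AUTH-B frame followed by nothing but WUPA retries is the tell.

```python
# Added example, not from the thread: a small parser for the "hf list 14a"
# trace layout posted above, used to reproduce the conclusion that the
# AUTH-B (0x61) frame received no tag reply.

# Constructed excerpt of the posted trace (same column layout as the client prints).
SAMPLE_TRACE = """\
 0 | 992 | Rdr |52 | | WUPA
 2228 | 4596 | Tag |44 00 | |
 64256 | 69024 | Rdr |e0 80 31 73 | ok | RATS
 70196 | 86452 | Tag |0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3 | ok |
 89088 | 93856 | Rdr |61 ff 55 6d | ok | AUTH-B(255)
 1143552 | 1144800 | Rdr |00 | |
 1160064 | 1161056 | Rdr |52 | | WUPA
"""

def parse_trace(text):
    """Return (start, src, data_bytes, annotation) for each data row of the trace."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 6 or cols[2] not in ("Rdr", "Tag"):
            continue  # header, separator and prompt lines carry no frame
        # "!" marks a parity error in the Data column; drop it before decoding.
        data = bytes.fromhex(cols[3].replace("!", "").replace(" ", ""))
        frames.append((int(cols[0]), cols[2], data, cols[5]))
    return frames

def pair_exchanges(frames):
    """Return [(reader_frame, tag_frame_or_None)], one entry per reader command."""
    exchanges = []
    for i, fr in enumerate(frames):
        if fr[1] != "Rdr":
            continue
        nxt = frames[i + 1] if i + 1 < len(frames) else None
        exchanges.append((fr, nxt if nxt and nxt[1] == "Tag" else None))
    return exchanges

def unanswered_commands(text):
    """Annotation (or raw bytes) of every reader frame that got no tag reply."""
    return [rdr[3] or "0x" + rdr[2].hex()
            for rdr, tag in pair_exchanges(parse_trace(text)) if tag is None]

def classic_auth_answered(text):
    """True if any MIFARE Classic AUTH (0x60/0x61) frame received a tag response."""
    return any(rdr[2][:1] in (b"\x60", b"\x61") and tag is not None
               for rdr, tag in pair_exchanges(parse_trace(text)))
```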
In the hf 14a reader command output, it says that it is a
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
What makes you feel otherwise about it?
As I mentioned earlier, the previously posted output from "hf mfdes info" has too many zeros and read failures to be a DESFire tag.
It's not a Mifare Plus pretending to be a "Mifare Classic", so it's either a Plus tag in SL1/SL2/SL3 mode or a JCOP tag, I would say.
There is no known attack on either, hence you need to open another thread if you have other questions, since this thread is about Mifare Classic keys.