Trying to crack Mifare PLUS using hardnested but getting nan
C:\Users\Ky\Downloads\Compressed\proxmark3\win32>proxmark3 COM5
Proxmark3 RFID instrument
bootrom: iceman/master/v1.1.0-2174-g69c89702 2017-08-14 12:25:10
os: iceman/master/v1.1.0-2174-g69c89702 2017-08-14 12:25:15
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 217895 bytes (83%). Free: 44249 bytes (17%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf mf hardnested 8 A A0A1A2A3A4A5 0 A
--target block no: 0, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
Couldn't read benchmark data. Assuming brute force rate of 120000000 states per second
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX SIMD core | |
0 | 0 | Brute force benchmark: 120 million (2^26.8) keys/s | 140737488355328 | 14d
0 | 0 | Using 0 precalculated bitflip state tables | 140737488355328 | 14d
5 | 112 | Apply bit flip properties | 140737488355328 | 14d
6 | 224 | Apply bit flip properties | 140737488355328 | 14d
6 | 336 | Apply bit flip properties | 140737488355328 | 14d
7 | 448 | Apply bit flip properties | 140737488355328 | 14d
8 | 558 | Apply bit flip properties | 140737488355328 | 14d
9 | 670 | Apply bit flip properties | 140737488355328 | 14d
10 | 782 | Apply bit flip properties | 140737488355328 | 14d
11 | 892 | Apply bit flip properties | 140737488355328 | 14d
12 | 1003 | Apply bit flip properties | 140737488355328 | 14d
13 | 1113 | Apply bit flip properties | 140737488355328 | 14d
13 | 1221 | Apply bit flip properties | 140737488355328 | 14d
14 | 1329 | Apply bit flip properties | 140737488355328 | 14d
15 | 1438 | Apply Sum property. Sum(a0) = 128 | nan | nand
16 | 1548 | Apply bit flip properties | nan | nand
17 | 1658 | Apply bit flip properties | nan | nand
18 | 1766 | Apply bit flip properties | nan | nand
19 | 1873 | Apply bit flip properties | nan | nand
20 | 1981 | Apply bit flip properties | nan | nand
20 | 2086 | Apply bit flip properties | nan | nand
21 | 2196 | Apply bit flip properties | nan | nand
22 | 2307 | Apply bit flip properties | nan | nand
23 | 2416 | Apply bit flip properties | nan | nand
24 | 2527 | Apply bit flip properties | nan | nand
25 | 2634 | Apply bit flip properties | nan | nand
26 | 2744 | Apply bit flip properties | nan | nand
27 | 2853 | Apply bit flip properties | nan | nand
27 | 2961 | Apply bit flip properties | nan | nand
28 | 3066 | Apply bit flip properties | nan | nand
34 | 3171 | Apply bit flip properties | nan | nand
.
.
.
pm3 --> hf 14a reader
UID : FD 4B BA 33
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
SAK incorrectly claims that card doesn't support RATS
ATS : 0C 75 77 80 02 C1 05 2F 2F 00 35 C7 60 D3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : C1 05 2F 2F 00 35 C7 -> MIFARE Plus S 2K or 4K
c1 -> Mifare or (multiple) virtual cards of various type
05 -> Length is 5 bytes
2x -> MIFARE Plus
2x -> Released
x0 -> Only VCSL supported
Answers to magic commands: NO
Sending bytes to proxmark failed
Prng detection: HARDEND (hardnested)
pm3 -->
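The ATS breakdown printed by `hf 14a reader` in the post above can be reproduced offline with a small ISO/IEC 14443-4 parser. This is an added example, not part of the original post or the Proxmark3 client; the names `parse_ats` and `sak_ats_mismatch` are assumptions, and the two bytes following the TL-counted span are returned unverified as a trailer.

```python
# Added example: decodes an ISO/IEC 14443-4 ATS the way the reader output above does.
FSCI_TO_FSC = (16, 24, 32, 40, 48, 64, 96, 128, 256)  # FSCI 9..15 are RFU

# ATS bytes copied from the `hf 14a reader` output in the post above.
POSTED_ATS = bytes.fromhex("0C 75 77 80 02 C1 05 2F 2F 00 35 C7 60 D3")


def parse_ats(ats: bytes) -> dict:
    """Split an ATS into TL, T0 and interface bytes, historical bytes, trailer."""
    if not ats or not 1 <= ats[0] <= len(ats):
        raise ValueError("TL is zero or exceeds the captured length")
    tl, body = ats[0], ats[1:ats[0]]
    out = {"tl": tl, "trailer": ats[tl:], "historical": b""}
    if not body:                      # TL == 1: no T0, card uses defaults
        return out
    t0, pos = body[0], 1
    fsci = t0 & 0x0F
    out["fsc"] = FSCI_TO_FSC[fsci] if fsci < len(FSCI_TO_FSC) else None
    raw = {}
    for name, mask in (("ta1", 0x10), ("tb1", 0x20), ("tc1", 0x40)):
        if t0 & mask:
            if pos >= len(body):
                raise ValueError(f"T0 announces {name.upper()} but ATS ends early")
            raw[name] = body[pos]
            pos += 1
    if "ta1" in raw:
        out["dr"] = [d for bit, d in ((0x01, 2), (0x02, 4), (0x04, 8)) if raw["ta1"] & bit]
        out["ds"] = [d for bit, d in ((0x10, 2), (0x20, 4), (0x40, 8)) if raw["ta1"] & bit]
        out["same_divisor_only"] = bool(raw["ta1"] & 0x80)
    if "tb1" in raw:
        out["fwi"], out["sfgi"] = raw["tb1"] >> 4, raw["tb1"] & 0x0F
        out["fwt_fc"] = 4096 << out["fwi"]       # FWT = (256 * 16 / fc) * 2^FWI
    if "tc1" in raw:
        out["nad"], out["cid"] = bool(raw["tc1"] & 0x01), bool(raw["tc1"] & 0x02)
    out["historical"] = body[pos:]
    return out


def sak_ats_mismatch(sak: int, ats: bytes) -> bool:
    """True when SAK bit 0x20 (ISO 14443-4 support) is clear yet an ATS came back."""
    return bool(ats) and not sak & 0x20


if __name__ == "__main__":
    for key, value in parse_ats(POSTED_ATS).items():
        print(key, value.hex(" ") if isinstance(value, bytes) else value)
    print("SAK/ATS mismatch:", sak_ats_mismatch(0x08, POSTED_ATS))
```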
That looks broken in many ways....
First, let's try the official firmware, compile/flash and test again.
Tried official firmware but it crashes every time I try hardnested
C:\Users\Ky\Desktop\proxmark3\win32>proxmark3 COM6
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-70-g930763e-suspect 2017-08-22 11:37:54
os: master/v3.0.1-70-g930763e-suspect 2017-08-22 11:37:58
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 197233 bytes (75%). Free: 64911 bytes (25%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf mf hardnested 8 A A0A1A2A3A4A5 0 A
--target block no: 0, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
Is there a file permission issue with your system / client?
Nope. Got full access to the system
Got this error.
Last edited by CrazyKidz (2017-08-23 06:16:54)
Sometimes Windows likes to play with folder and file permissions and I've seen similar errors from that, but it may not be in this case, just something to check.
So any idea what the problem is? When using iceman firmware, it doesn't crash, but it crashes on official firmware.
... I've gotten several forum users the last two, three weeks saying that just hardnested crashes their client.
Since my env compiles and runs the hardnested without issues, it's hard to replicate. I use the @gator96100 proxspace; this is the official one the community supports, found here: https://github.com/Gator96100/ProxSpace To reduce some uncertainties,
@OP, would you mind downloading and compiling/flashing from that environment? What is your normal env setup? Like OS and gcc version.
I'm using Windows 10 but unsure about gcc version. I just flash the already compiled firmware from @gator96100.
Downloaded ProxSpace but when I try to run runme.bat it closes immediately.
> I'm using Windows 10 but unsure about gcc version. I just flash the already compiled firmware from @gator96100.
> Downloaded ProxSpace but when I try to run runme.bat it closes immediately.
Be sure you do not use the autoBuild branch as it would finish immediately if no repository is found. If this problem still occurs I recommend opening a new topic on that.
It could be an issue with Windows 10. I do test my precompiled images on Windows 7.
What CPU do you have?
Last edited by gator96100 (2017-08-23 09:24:29)
Using master branch
CPU Info
UPDATE:
Able to run runme.bat now but it still crashes when using hardnested attack.
Last edited by CrazyKidz (2017-08-23 10:00:33)
In your proxspace environment you should compile and flash from it, after making sure it has the latest code from github.
Why did nobody tell me that my precompiled builds have problems loading the precalculated bitflip state tables? Anyway it is fixed now and I don't think that this was causing the problem. I will check if hardnested works on one of my Windows 10 machines.
Last edited by gator96100 (2017-08-23 13:51:39)
At compile time it makes a few system checks and optimizes for that system. It is always best to compile on the system you run on.
@gator96100, that happens a lot... People don't want to say something is wrong, don't ask why.
So were the access rights problems in your build? I don't use your precompiled build so I've missed it.
> At compile time it makes a few system checks and optimizes for that system. It is always best to compile on the system you run on.
Yeah, compiling for binary distribution isn't easy. You need to compile to a common instruction set for all kinds of CPUs. But that shouldn't be an issue if compiled with -march=generic (the default). Afaik this is the case for both iceman and official repo binaries (@gator96100: confirmed?).
@iceman: I can't remember having access right problems in my builds.
Compiler optimization isn't an issue. I even compile with the same architecture (i7-2600).
After raging about 10 times about Windows 10, I managed to get the proxmark running on Windows 10 and there is no crash on hardnested.
Last edited by gator96100 (2017-08-23 15:47:10)
So it sounds like we are saying we can't reproduce CrazyKidz's issue to identify it.
Has anyone used hardnested on a mifare plus in classic mode before? I know I haven't. (Or is it another chip emulating classic?)
> Has anyone used hardnested on a mifare plus in classic mode before?
Yes, this was my test vehicle during development.
@CrazyKidz: Anti-Malware is turned off?
This is the card I tested hardnested on:
proxmark3> hf 14a reader
UID : 7a 39 6c cb
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Last edited by gator96100 (2017-08-23 18:53:57)
Now both iceman and official will crash using the latest gator96100 compiled firmware. Maybe I will try compiling myself.
Any guide for me to follow on how to compile the firmware?
Update: Tried compiling but perl.exe crashes.
make[1]: Entering directory `/pm3/proxmark3/armsrc'
perl ../tools/mkversion.pl .. > version.c || cp ../common/default_version.c version.c
3 [main] perl 1480 child_copy: linked dll data write copy failed, 0xC2000..0xC2370, done 0, windows pid 1480, Win32 error 998
Any idea which step I did wrong?
1) Git clone
2) cd proxmark3
3) git pull
4) make clean && make all
Last edited by CrazyKidz (2017-08-24 16:06:23)
That error indicates your client does not have the proper file access permissions.
Give "Everyone" full access to your proxspace folders.
Or try elevating.
Don't forget to run the proxspace environment as admin and disable uac.
Last edited by gator96100 (2017-08-24 16:31:10)
How to run the environment as admin?
> How to run the environment as admin?
How do you run anything on WIN as admin, google it...
Deleted
Last edited by gaucho (2017-09-30 12:13:03)