Research, development and trades concerning the powerful Proxmark3 device.
Good morning, I am working on cloning a mifare 1k tag with a Proxmark3 v3 easy and have run into a wall. I need to clone the tag for my apartment (which I own); I have only been issued with 2 access tags and need 2 more for my daughters.
I am new to this and it has been a fun and enjoyable steep learning curve. These are the steps I have done so far:
Windows 10 op system.
This is the hw version I'm using:
proxmark3> hw version
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-347-gb8196bf-suspect 2018-02-17 12:12:12
os: master/v3.0.1-347-gb8196bf-suspect 2018-02-17 12:12:16
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 199577 bytes (76%). Free: 62567 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
This is the tag I am cloning:
proxmark3> hf search
UID : b3 55 b8 8d
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDEND (hardnested)
Valid ISO14443A Tag Found - Quiting Search
I have found the default key of "FFFFFFFFFFFF":
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 0 | ffffffffffff | 0 |
|006| ffffffffffff | 0 | ffffffffffff | 0 |
|007| ffffffffffff | 0 | ffffffffffff | 0 |
|008| ffffffffffff | 0 | ffffffffffff | 0 |
|009| ffffffffffff | 0 | ffffffffffff | 0 |
|010| ffffffffffff | 0 | ffffffffffff | 0 |
|011| ffffffffffff | 0 | ffffffffffff | 0 |
|012| ffffffffffff | 0 | ffffffffffff | 0 |
|013| ffffffffffff | 0 | ffffffffffff | 0 |
|014| ffffffffffff | 0 | ffffffffffff | 0 |
|015| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
When I do a nested scan, this is what I get:
proxmark3> hf mf nested 1 0 A FFFFFFFFFFFF t
--nested. sectors:16, block no: 0, key type:A, eml:y, dmp=n checktimeout=471 us
Testing known keys. Sector count=16
nested...
-----------------------------------------------
Tag isn't vulnerable to Nested Attack (random numbers are not predictable).
I tried a hardnested attack and it only finds the ffffffffffff key:
proxmark3> hf mf hardnested 0 A FFFFFFFFFFFF 4 a s
--target block no: 4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: Yes, Tests: 0
Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 384 million (2^28.5) keys/s | 140737488355328 | 4d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 4d
6 | 112 | Apply bit flip properties | 11282118868992 | 8h
7 | 224 | Apply bit flip properties | 9668906713088 | 7h
8 | 336 | Apply bit flip properties | 8696235556864 | 6h
9 | 448 | Apply bit flip properties | 8600218501120 | 6h
10 | 559 | Apply bit flip properties | 8542033543168 | 6h
11 | 670 | Apply bit flip properties | 8438421127168 | 6h
12 | 782 | Apply bit flip properties | 8404254851072 | 6h
13 | 891 | Apply bit flip properties | 8378623459328 | 6h
14 | 1002 | Apply bit flip properties | 8378623459328 | 6h
15 | 1114 | Apply bit flip properties | 8378623459328 | 6h
15 | 1225 | Apply bit flip properties | 8378623459328 | 6h
16 | 1334 | Apply bit flip properties | 8378623459328 | 6h
17 | 1445 | Apply bit flip properties | 8378623459328 | 6h
18 | 1555 | Apply bit flip properties | 8378623459328 | 6h
21 | 1667 | Apply Sum property. Sum(a0) = 0 | 122373234688 | 5min
21 | 1778 | Apply bit flip properties | 117808128000 | 5min
22 | 1886 | Apply bit flip properties | 117808128000 | 5min
23 | 1998 | Apply bit flip properties | 113353940992 | 5min
23 | 2106 | Apply bit flip properties | 113353940992 | 5min
24 | 2216 | Apply bit flip properties | 113353940992 | 5min
25 | 2323 | Apply bit flip properties | 112791142400 | 5min
26 | 2323 | (1. guess: Sum(a8) = 256) | 112791142400 | 5min
32 | 2323 | Apply Sum(a8) and all bytes bitflip properties | 32668717056 | 85s
32 | 2323 | Starting brute force... | 112791142400 | 5min
191 | 2323 | Brute force phase: 24.32% | 25119037440 | 65s
197 | 2323 | Brute force phase: 74.32% | 9601144832 | 25s
197 | 2323 | Brute force phase completed. Key found: ffffffffffff | 0 | 0s
I then snooped the reader and have the results but not sure what to do from here:
proxmark3> hf 14a snoop
proxmark3> hf list 14a
Sending bytes to proxmark failed
#db# cancelled by button
#db# COMMAND FINISHED
#db# maxDataLen=3, Uart.state=0, Uart.len=0
#db# traceLen=1467, Uart.output[0]=00000093
Recorded Activity (TraceLen = 1467 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 2368 | Tag | 04 00 | |
13936 | 19824 | Tag | b3 55 b8 8d d3 | |
40048 | 43568 | Tag | 08 b6 dd | |
323808 | 326176 | Tag | 04 00 | |
1793276 | 1794332 | Rdr | 26 | | REQA
1795536 | 1797904 | Tag | 04 00 | |
1805692 | 1808156 | Rdr | 93 20 | | ANTICOLL
1809344 | 1815232 | Tag | b3 55 b8 8d d3 | |
1823724 | 1834252 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
1835440 | 1838960 | Tag | 08 b6 dd | |
1858012 | 1859068 | Rdr | 26 | | REQA
1901020 | 1902076 | Rdr | 26 | | REQA
1903280 | 1905648 | Tag | 04 00 | |
1913948 | 1924476 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
1925664 | 1929184 | Tag | 08 b6 dd | |
1937612 | 1942316 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
1947152 | 1951824 | Tag | cd 17 00 2e | |
1953244 | 1962620 | Rdr | 70 79! ee! 17! e8 e4 5a! d2! | !crc| ?
2022364 | 2023420 | Rdr | 26 | | REQA
2024608 | 2026976 | Tag | 04 00 | |
2035276 | 2045804 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
2046992 | 2050512 | Tag | 08 b6 dd | |
2058940 | 2063708 | Rdr | 60 3c 1a 80 | ok | AUTH-A(60)
2068496 | 2073168 | Tag | e8 50 b5 b4 | |
2074572 | 2083948 | Rdr |f4! 81! ef! 2d 6c 72! 13! ca! | !crc| ?
2085136 | 2089872 | Tag |e7! 40! 4a e1! | |
2096700 | 2101404 | Rdr |c3! 8d! 14 f1! | !crc| ?
2102656 | 2123520 | Tag | c2 4b! b7! e1! b7! 4f 34 4e 35 77! 90! b8! 48! d8! 43! de | |
| | |7a! 95! | !crc|
2132412 | 2137180 | Rdr | 7b 67! 95! 0c! | !crc| ?
2138368 | 2159168 | Tag | 84 6f cc! f0 de 21 f9! 9f! 2a! 90 6e! ea! 02 75 e1! f5! | |
| | | 6d 1a! | !crc|
2167724 | 2172428 | Rdr |c0! 6b 73 b3! | !crc| INC(107)
2173680 | 2194544 | Tag | 8e 57 bf b5 6d 1f! c1! b9! 86! 0a! 0a! 19! 24 11 49 e7 | |
| | |9a! 81! | !crc|
2214300 | 2215356 | Rdr | 26 | | REQA
2257308 | 2258364 | Rdr | 26 | | REQA
2259568 | 2261936 | Tag | 04 00 | |
2270236 | 2280764 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
2281952 | 2285472 | Tag | 08 b6 dd | |
2293900 | 2298604 | Rdr | 60 38 3e c6 | ok | AUTH-A(56)
2303440 | 2308112 | Tag | b3 78 a9 69 | |
2309516 | 2318828 | Rdr | 0e a1! 14 09! 67 98 65 7f! | !crc| ?
2320096 | 2324768 | Tag | cd 61! 6a! fa | |
2331660 | 2336428 | Rdr |8b! 37 c5 09! | !crc| ?
2337616 | 2358416 | Tag |8f! f5 8a! d2 05 10 1c ff ac! 15 55 f4 d9 da! 72! 07! | |
| | |1c! f2! | !crc|
2487676 | 2488732 | Rdr | 26 | | REQA
2530684 | 2531740 | Rdr | 26 | | REQA
2532928 | 2535296 | Tag | 04 00 | |
2543596 | 2554124 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
2555328 | 2558848 | Tag | 08 b6 dd | |
2577516 | 2578572 | Rdr | 26 | | REQA
2620524 | 2621580 | Rdr | 26 | | REQA
2622768 | 2625136 | Tag | 04 00 | |
2633436 | 2643964 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
2645152 | 2648672 | Tag | 08 b6 dd | |
2657228 | 2661932 | Rdr | 60 38 3e c6 | ok | AUTH-A(56)
2666784 | 2671456 | Tag | f8 92 ce b8 | |
2672860 | 2682172 | Rdr | 42 40 cb eb 24! c9! 45 9d! | !crc| ?
2683424 | 2688096 | Tag | 35 62 d5! ab! | |
2803020 | 2807788 | Rdr | 49 12! 2f e8! | !crc| ?
2808976 | 2829840 | Tag |02! 3b! 92 ee! 59 4c! 97 bd f5! 2d! a9 0d! 1c! 89! 0c! 52 | |
| | | 3b 43 | !crc|
2838348 | 2843116 | Rdr |5d! f9 f8 14! | !crc| ?
2844304 | 2865168 | Tag |d2! 10 25! a3 d4! cb 3c 6a 57 2d 96! 00 50! 18 a0 1d | |
| | | 88 88! | !crc|
2873532 | 2878236 | Rdr | d3 0d bc! 64! | !crc| ?
2879488 | 2900288 | Tag |99! 4f ba! ca 9b! 00 7e! 75! a6! fa! a8! 08! 82 cb a6! 49! | |
| | |8e! 21 | !crc|
2920108 | 2921164 | Rdr | 26 | | REQA
2963116 | 2964172 | Rdr | 26 | | REQA
2965376 | 2967744 | Tag | 04 00 | |
2976044 | 2986572 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
2987760 | 2991280 | Tag | 08 b6 dd | |
2999708 | 3004412 | Rdr | 60 34 52 0c | ok | AUTH-A(52)
3009248 | 3013984 | Tag | 6b 47 0a a8 | |
3015324 | 3024636 | Rdr |58! 4c! 0e cb a4 cd 42! 49! | !crc| ?
3025904 | 3030576 | Tag | 58 83! 42! e9! | |
3037468 | 3042172 | Rdr |a8! b4 44 71 | !crc| ?
3043424 | 3064288 | Tag |77! 1d! 5a! 56 05 16 cc b8! 54! d4! d0! cd 24 9f! a7! c0! | |
| | |b6! 93! | !crc|
3072780 | 3077548 | Rdr | ee d7 1c 32 | !crc| ?
3078736 | 3099536 | Tag | fb 31! 9f 5e 44! cd! 29! 71! 02 5e! 6e! 15! be! 18! 33! 90 | |
| | | 45 d4 | !crc|
3107964 | 3112668 | Rdr | 4e c4! cb! 54! | !crc| ?
3113936 | 3134736 | Tag |f1! 09 f2! 8a 5d! 65! 99 d3! 1d! 6e! 75! 25 fe 0a 65! 07! | |
| | | 67 a8! | !crc|
11324204 | 11325260 | Rdr | 26 | | REQA
11326448 | 11328816 | Tag | 04 00 | |
11336988 | 11347516 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
11348704 | 11352224 | Tag | 08 b6 dd | |
11769548 | 11770604 | Rdr | 26 | | REQA
11771792 | 11774160 | Tag | 04 00 | |
11782460 | 11792988 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
11794176 | 11797696 | Tag | 08 b6 dd | |
12214988 | 12216044 | Rdr | 26 | | REQA
12217232 | 12219600 | Tag | 04 00 | |
12227900 | 12238428 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
12239616 | 12243136 | Tag | 08 b6 dd | |
12660396 | 12661452 | Rdr | 26 | | REQA
12662656 | 12665024 | Tag | 04 00 | |
12673196 | 12683724 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
12684912 | 12688432 | Tag | 08 b6 dd | |
13105900 | 13106956 | Rdr | 26 | | REQA
13108144 | 13110512 | Tag | 04 00 | |
13118812 | 13129340 | Rdr | 93 70 b3 55 b8 8d d3 b7 b5 | ok | SELECT_UID
13130528 | 13134048 | Tag | 08 b6 dd | |
13553504 | 13555872 | Tag | 04 00 | |
13575888 | 13577680 | Tag | 08 06! | |
13644368 | 13646736 | Tag | 04 00 | |
(sorry, couldn't work out how to get the terminal into this)
I have read some stuff about the program Crapto1 but can't find it anywhere, is this still current?
Hope all this makes more sense to you than it does to me. haha.
Thanks in advance for your help.
Dave.
I'm not familiar with deriving keys from sniff/traces, but notice that the key search puts out a table by sector and the hardnested command requires a block. I think you want block number 20 or 23 instead of the 4 you have in your hardnested command. Try that and see if it works (also maybe drop the s flag unless you know you need it).
Thanks for your reply, I tried that and have received a key:
proxmark3> hf mf hardnested 0 A ffffffffffff 20 a s
--target block no: 20, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: Yes, Tests: 0
Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 384 million (2^28.5) keys/s | 140737488355328 | 4d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 4d
6 | 112 | Apply bit flip properties | 14467286016 | 38s
7 | 224 | Apply bit flip properties | 6424177664 | 17s
8 | 336 | Apply bit flip properties | 6251522048 | 16s
9 | 448 | Apply bit flip properties | 5790986752 | 15s
10 | 560 | Apply bit flip properties | 5790986752 | 15s
11 | 672 | Apply bit flip properties | 4861267968 | 13s
12 | 783 | Apply bit flip properties | 4861267968 | 13s
13 | 894 | Apply bit flip properties | 4666720256 | 12s
14 | 1005 | Apply bit flip properties | 4068652032 | 11s
15 | 1115 | Apply bit flip properties | 4068652032 | 11s
15 | 1226 | Apply bit flip properties | 4068652032 | 11s
17 | 1337 | Apply Sum property. Sum(a0) = 136 | 453547520 | 1s
17 | 1447 | Apply bit flip properties | 312693408 | 1s
18 | 1559 | Apply bit flip properties | 453547520 | 1s
19 | 1666 | Apply bit flip properties | 453547520 | 1s
20 | 1775 | Apply bit flip properties | 453547520 | 1s
21 | 1883 | Apply bit flip properties | 453547520 | 1s
22 | 1883 | (Ignoring Sum(a8) properties) | 453547520 | 1s
23 | 1883 | Starting brute force... | 453547520 | 1s
24 | 1883 | Brute force phase completed. Key found: 6a1987c40a21 | 0 | 0s
What do I do with that now?
Thanks
I find a lot of keys on a card repeat... so I would examine the default_keys.dic file to understand the format and then create a new file with your known working keys (FFFFFFFF and the new one) and then run hf mf chk again to see if you can now access all sectors or if you need to run the hardnested attack on another sector/block.
Hmmm, ok, I will have to do some research to find out how to do that.
Thanks.
Do I create a new dumpdata.bin file with all blocks as ffffffffffff except for block 20, or create a new default keys file?
Sorry for the dumb question.
Ok, I think I have worked it out. I added the found keys to the default_keys.dic and these are the results from hf mf chk:
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|006| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|007| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|008| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|009| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|010| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|011| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|012| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|013| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|014| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|015| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|---|----------------|---|----------------|---|
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.
Does this look right?
Thanks
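Reading a chk table like the one above programmatically, as an added example that is not part of the thread: the script parses the table layout the Proxmark3 client prints, lists sectors whose keys are still unverified (res 0), flags sectors still on the factory default key, reports keys reused across sectors (the repetition the earlier reply mentions), and converts a sector number to its block numbers, since hardnested takes a block rather than a sector. The table embedded in the script is a constructed sample in that layout, not the poster's full output.

```python
# Added example: audit a Proxmark3 `hf mf chk` key table (not code from the thread).
import re
from collections import defaultdict

DEFAULT_KEY = "ffffffffffff"  # factory default MIFARE Classic key

# Constructed sample in the layout the client prints (res 1 = key verified).
SAMPLE_TABLE = """\
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|005| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|006| 6a1987c40a21 | 1 | 7f33625bc129 | 1 |
|007| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
"""

ROW = re.compile(r"^\|(\d{3})\|\s*([0-9a-fA-F]{12})\s*\|\s*([01])\s*\|\s*([0-9a-fA-F]{12})\s*\|\s*([01])\s*\|")

def sector_blocks(sector):
    """MIFARE Classic 1k: sector s is blocks 4s..4s+3; block 4s+3 is the trailer."""
    return list(range(4 * sector, 4 * sector + 4))

def parse_chk_table(text):
    """Map sector -> {"A": (key, verified), "B": (key, verified)} from chk output."""
    sectors = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sec, ka, ra, kb, rb = m.groups()
            sectors[int(sec)] = {"A": (ka.lower(), ra == "1"),
                                 "B": (kb.lower(), rb == "1")}
    return sectors

def audit(sectors):
    """List unverified keys, sectors on the default key, and keys reused across sectors."""
    report = {"unverified": [], "default_key": [], "reused": {}}
    usage = defaultdict(set)
    for sec, keys in sorted(sectors.items()):
        for kt, (key, verified) in keys.items():
            if not verified:
                report["unverified"].append((sec, kt))  # still needs a key recovery run
                continue
            usage[key].add(sec)
            if key == DEFAULT_KEY:
                report["default_key"].append((sec, kt))  # factory key left in place
    report["reused"] = {k: sorted(s) for k, s in usage.items() if len(s) > 1}
    return report
```

For the sample, sector 7 is reported unverified and sector_blocks(7) gives 28..31, so a follow-up hardnested run would target one of those blocks, mirroring the sector 5 to block 20 step in the thread.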
Yep looks like you got all the keys :-D
Thanks for your help, this has now been solved.
@davmarie1 I have exactly the same problem, can you post exactly the commands that you executed?