Proxmark3 community


#1 2019-02-22 09:42:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

[solved] uid changeable 1k MFC w static nonce

Now, these cards have a fixed nonce. Always the same nonce, it doesn't have the NACK bug.
Current implementation of darkside depends on NACK bug existence.
Current implementation of nested, well, it finds all default keys, but I don't think it will work because of same nonce.
Current implementation of hardnested depends on parity from different authentications, i.e. nonces.

How to approach this style of card? Well, check keys will give successes for known keys, sniffing a trace of reader / tag traffic will give those keys.

Yes, the keen-eyed noticed it answers to Chinese backdoor commands, meaning we can just read the card without keys.
However, if this was a gen2 uid card we wouldn't have that option.

Long time since I looked into darkside, but reverse from a given nonce and uid, will that be an alternative forward?


pm3 --> hf 14a info n
 UID : 28 79 53 3C
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
........................................
[+] No NACK bug detected
pm3 --> hf 14a raw -s  -p -c 6000
Card selected. UID[4]:
28 79 53 3C
received 4 bytes
01 20 01 45
pm3 --> hf 14a raw -s  -p -c 6000
Card selected. UID[4]:
28 79 53 3C
received 4 bytes
01 20 01 45
pm3 --> hf 14a raw -s  -p -c 6000
Card selected. UID[4]:
28 79 53 3C
received 4 bytes
01 20 01 45
pm3 --> hf 14a raw -s  -p -c 6000
Card selected. UID[4]:
28 79 53 3C
received 4 bytes
01 20 01 45
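
Added example, not part of the post above and not Proxmark3 project code: a small Python check that reads client output of the shape quoted above, reports whether the tag nonce is static across authentication requests, and tests whether each nonce is still a self-consistent word of the MIFARE Classic 16-bit LFSR. The function names are hypothetical, the transcript is constructed from the values shown in the post, and the LFSR check is written from general knowledge of the weak PRNG (an assumption, not taken from this thread).

```python
import re

# Constructed sample in the shape of the client output quoted in the post:
# four auth requests (60 00) to the same card, each followed by the tag nonce.
TRANSCRIPT = """\
pm3 --> hf 14a raw -s  -p -c 6000
Card selected. UID[4]:
28 79 53 3C
received 4 bytes
01 20 01 45
""" * 4


def parse_nonces(text):
    """Return the 4-byte value that follows each 'received 4 bytes' line."""
    hits = re.findall(r"received 4 bytes\s+((?:[0-9A-Fa-f]{2} ?){4})", text)
    return [int(h.replace(" ", ""), 16) for h in hits]


def lfsr16_valid(nonce):
    """True if the low half of the nonce equals the high half clocked 16 times
    through a 16-bit LFSR with feedback from bits 0, 2, 3 and 5 (assumed model
    of the MIFARE Classic weak PRNG; halves are byte-swapped before and after)."""
    def swap(v):
        return ((v & 0xFF) << 8) | (v >> 8)

    x = swap(nonce >> 16)
    for _ in range(16):
        feedback = (x ^ (x >> 2) ^ (x >> 3) ^ (x >> 5)) & 1
        x = (x >> 1) | (feedback << 15)
    return swap(x) == (nonce & 0xFFFF)


def classify(text):
    """Summarise nonce behaviour; 'static' is None when fewer than two samples."""
    nonces = parse_nonces(text)
    static = len(set(nonces)) == 1 if len(nonces) > 1 else None
    return {
        "nonces": [f"{n:08X}" for n in nonces],
        "static": static,
        "lfsr_consistent": bool(nonces) and all(lfsr16_valid(n) for n in nonces),
    }


if __name__ == "__main__":
    print(classify(TRANSCRIPT))
```

For the quoted output both checks are true: the nonce never changes between authentications, yet it is still a well-formed LFSR word.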


#2 2019-12-20 11:32:28

Mashid0
Contributor
Registered: 2019-12-02
Posts: 28

Re: [solved] uid changeable 1k MFC w static nonce

Is there any strategy for this case
If no Chinese backdoor, no access to the reader for sniffing a trace?

some keys known (defaults)


#3 2019-12-20 11:41:46

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [solved] uid changeable 1k MFC w static nonce

You may try @uzlonewolf's PR#900 on official repo. If you are unlucky it can take hours, but succeeds.

This is a nested attack with one known nonce only.
