Research, development and trades concerning the powerful Proxmark3 device.
My 1 dump with 0.21 on the mifare classic card is equal to my dump with 0.64 on the card.
Mifare classic app shows KeyA and KeyB.
"-" "- -" and more "- - -" in many the sectors.
No errors. No message of missing keys.
Is this possible? Where is the data? Where are the values on the card?
Please advise.
Last edited by pbtek (2021-01-17 18:44:17)
"-" means MCT cannot access the data because of a missing key (Key B in this case).
I am familiar with these cards; they are based on the microtronic payment system, and the B keys are generated with a 3DES-based key diversification.
Nested attack does usually work on those cards although most of the mifare mini cards need hardnested to get the B-Keys.
thank you gator96100
gezzzz... in my mind, sector 0's A0A1A2A3A4A5 and B0B1B2B3B4B5 were key A and key B... like forever... like in all the sectors of the card. oh boy!!
Nested attack or hardnested ?
I am waiting for my ACR122U to arrive...
any recommended reading?
Please help!!
mfoc implements the nested authentication attack; you should try hardnested?
now running...
mfcuk -C -R -1 -s 500 -S 500 -O original.dmp -v 3
edit1: auths: 12000. still nothing.
edit2: I aborted the execution at 22000 auths with no results
Last edited by pbtek (2019-04-27 12:07:08)
Maybe ask mfoc / mfcuk questions in a libnfc / nfc-tools related forum? Or GitHub? This is a dedicated Proxmark3 forum.
We use things like this here:
pm3-->hf mf mifare
pm3-->hf mf nested
pm3-->hf mf hardnest
or the separate tools
$> cd tools/nonce2key
$> cd tools/mfkey
Hello Iceman. Sorry... did not find help anywhere. And you guys look like professionals.
Those "things" sound cool... but do they recover my missing keys? Yes? Where do I buy a Proxmark3 unit?
My brand new ACR122U does not support hf mf ***
It is simple...
mfcuk=DarkSide
mfoc=nested
miLazyCracker=hardnested
Those cards have the fixed PRNG, so they are no longer vulnerable to the card-only attacks performed by MFOC/MFCUK.
miLazyCracker should work with the ACR122U, but you will not receive support for it here.
hello gator96100. Thank you. Thank you. Thank you.
Proceeding to miLazyCracker ...
git clone https://github.com/nfc-tools/miLazyCracker
or
git clone https://github.com/ilumitr/miLazyCracker
cd miLazyCracker
(CraptEV1 / Crapto1 source packages are not available anymore by their author. Find a copy by yourself. I did.)
wget http://aaaaaaaaaaaa/craptev1-v1.1.tar.xz
wget http://bbbbbbbbbbbb/crapto1-v3.3.tar.xz
./miLazyCrackerFreshInstall.sh
mkdir mydumps
cd mydumps
miLazyCracker
edit: probes are increasing but distance is always 64.... hummm.....
Last edited by pbtek (2019-04-27 12:59:23)
Yes, and this is why you need hardnested instead of nested attack. But no support for your software and hardware here...
Mankind will survive a few days more...
In the end miLazyCracker returns: "mfoc: ERROR: No success, maybe you should increase the probes."
This is not the mfoc result for a hardened PRNG. Hardnested therefore did not run yet. Maybe it is something like a Fudan clone? Nevertheless, and we are repeating: this is the Proxmark forum. You should ask your questions in a more appropriate forum.
No more options.... Are there any volunteers to experiment with my card? Like a challenge...
Today is your lucky day. I was bored, have an acr122u and have the same card. I hope you are not running Kali in a VM, I tried that and there is a bug with lib-nfc.
My card:
[usb] pm3 --> hf 14a info
UID : 7A 39 6C CB
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
The installation. If using https://github.com/ilumitr/miLazyCracker you will need to change miLazyCrackerFreshInstall.sh to use an older commit of mfoc in order for it to work.
root@localhost:~# git clone https://github.com/nfc-tools/libnfc.git
root@localhost:~# cd miLazyCracker/
root@localhost:~/miLazyCracker# wget http://www2.vaneay.fr/mifare/crapto1-v3.3.tar.xz
root@localhost:~/miLazyCracker# wget http://www2.vaneay.fr/mifare/craptev1-v1.1.tar.xz
root@localhost:~/miLazyCracker# ./miLazyCrackerFreshInstall.sh
+ '[' -f /etc/debian_version ']'
+ pkgs=
+ for pkg in git libnfc-bin autoconf libnfc-dev
+ dpkg -l git
+ for pkg in git libnfc-bin autoconf libnfc-dev
+ dpkg -l libnfc-bin
+ for pkg in git libnfc-bin autoconf libnfc-dev
+ dpkg -l autoconf
+ for pkg in git libnfc-bin autoconf libnfc-dev
+ dpkg -l libnfc-dev
+ '[' '' '!=' '' ']'
+ '[' -d mfoc ']'
+ git clone https://github.com/nfc-tools/mfoc.git
Cloning into 'mfoc'...
remote: Enumerating objects: 526, done.
remote: Total 526 (delta 0), reused 0 (delta 0), pack-reused 526
Receiving objects: 100% (526/526), 230.11 KiB | 1.08 MiB/s, done.
Resolving deltas: 100% (330/330), done.
+ cd mfoc
+ git reset --hard
HEAD is now at ba072f1 update debian dir with up-to-date packaging
+ git clean -dfx
+ autoreconf -vfi
./miLazyCrackerFreshInstall.sh: line 30: autoreconf: command not found
+ ./configure
./miLazyCrackerFreshInstall.sh: line 31: ./configure: No such file or directory
+ make
make: *** No targets specified and no makefile found. Stop.
+ sudo make install
make: *** No rule to make target 'install'. Stop.
+ '[' -d crypto1_bs ']'
+ git clone https://github.com/aczid/crypto1_bs
Cloning into 'crypto1_bs'...
remote: Enumerating objects: 5, done.
remote: Counting objects: 100% (5/5), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 373 (delta 1), reused 2 (delta 0), pack-reused 368
Receiving objects: 100% (373/373), 136.17 KiB | 1.02 MiB/s, done.
Resolving deltas: 100% (238/238), done.
+ cd crypto1_bs
+ git reset --hard
HEAD is now at 873a384 Merge branch 'master' of github.com:aczid/crypto1_bs
+ git clean -dfx
+ patch -p1
patching file libnfc_crypto1_crack.c
+ tar Jxvf ../craptev1-v1.1.tar.xz
craptev1-v1.1/
craptev1-v1.1/readme
craptev1-v1.1/Makefile
craptev1-v1.1/craptev1.h
craptev1-v1.1/craptev1.c
craptev1-v1.1/solve.c
craptev1-v1.1/0xcafec0de.txt
+ mkdir crapto1-v3.3
+ tar Jxvf ../crapto1-v3.3.tar.xz -C crapto1-v3.3
crapto1.c
crapto1.h
crypto1.c
readme
+ make
gcc -std=gnu99 -O3 -march=native solve_bs.c crypto1_bs.c crypto1_bs_crack.c crapto1-v3.3/crapto1.c crapto1-v3.3/crypto1.c -I crapto1-v3.3/ craptev1-v1.1/craptev1.c -I craptev1-v1.1/ -o solve_bs -lpthread -lm
gcc -std=gnu99 -O3 -march=native solve_piwi_bs.c crypto1_bs.c crypto1_bs_crack.c crapto1-v3.3/crapto1.c crapto1-v3.3/crypto1.c -I crapto1-v3.3/ craptev1-v1.1/craptev1.c -I craptev1-v1.1/ -o solve_piwi_bs -lpthread -lm
gcc -std=gnu99 -O3 -march=native solve_piwi.c crypto1_bs.c crypto1_bs_crack.c crapto1-v3.3/crapto1.c crapto1-v3.3/crypto1.c -I crapto1-v3.3/ craptev1-v1.1/craptev1.c -I craptev1-v1.1/ -o solve_piwi -lpthread
gcc -std=gnu99 -O3 -march=native libnfc_crypto1_crack.c crypto1_bs.c crypto1_bs_crack.c crapto1-v3.3/crapto1.c crapto1-v3.3/crypto1.c -I crapto1-v3.3/ craptev1-v1.1/craptev1.c -I craptev1-v1.1/ -o libnfc_crypto1_crack -lpthread -lnfc -lm
+ sudo cp -a libnfc_crypto1_crack /usr/local/bin
+ sudo cp -a miLazyCracker.sh /usr/local/bin/miLazyCracker
+ echo Done.
Done.
And running of miLazyCracker:
root@localhost:~/miLazyCracker# mkdir mydumps
root@localhost:~/miLazyCracker# cd mydumps/
root@localhost:~/miLazyCracker/mydumps# miLazyCracker
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 7a 39 6c cb
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [////////////////]
[Key: d3f7d3f7d3f7] -> [////////////////]
[Key: 000000000000] -> [////////////////]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxx////]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxx////]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxx////]
[Key: aabbccddeeff] -> [xxxxxxxxxxxx////]
[Key: 714c5c886e97] -> [xxxxxxxxxxxx////]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxx////]
[Key: a0478cc39091] -> [xxxxxxxxxxxx////]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxx////]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxx////]
Sector 00 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 01 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 02 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 03 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 04 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 05 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 06 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 07 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 08 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 09 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 10 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 11 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 12 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Sector 13 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Sector 14 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Sector 15 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Using sector 00 as an exploit sector
Card is not vulnerable to nested attack
MFOC not possible, detected hardened Mifare Classic
Trying HardNested Attack...
libnfc_crypto1_crack a0a1a2a3a4a5 60 A 60 B mfc_7a396ccb_foundKeys.txt
Found tag with uid 7a396ccb, collecting nonces for key B of block 60 (sector 15) using known key A a0a1a2a3a4a5 for block 60 (sector 15)
Collected 1300 nonces... leftover complexity 1332879000576 (~2^40.28) - press enter to start brute-force phase
.
.
.
Collected 5285 nonces... leftover complexity 1332879000576 (~2^40.28) - initializing brute-force phase...
Starting 12 threads to test 1332879000576 states using 256-way bitslicing
Cracking... 57.06%
Found key: 74a386ad0a6d
Tested 760986562058 states
74a386ad0a6d
mfoc -f mfc_7a396ccb_foundKeys.txt -O mfc_7a396ccb_dump.mfd -D mfc_7a396ccb_unknownMfocSectorInfo.txt
The custom key 0x74a386ad0a6d has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 7a 39 6c cb
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 74a386ad0a6d] -> [...............\]
[Key: ffffffffffff] -> [...............\]
[Key: a0a1a2a3a4a5] -> [///////////////x]
[Key: d3f7d3f7d3f7] -> [///////////////x]
[Key: 000000000000] -> [///////////////x]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxx///x]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxx///x]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxx///x]
[Key: aabbccddeeff] -> [xxxxxxxxxxxx///x]
[Key: 714c5c886e97] -> [xxxxxxxxxxxx///x]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxx///x]
[Key: a0478cc39091] -> [xxxxxxxxxxxx///x]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxx///x]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxx///x]
Sector 00 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 01 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 02 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 03 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 04 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 05 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 06 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 07 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 08 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 09 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 10 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 11 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 12 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Sector 13 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Sector 14 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Sector 15 - Found Key A: a0a1a2a3a4a5 Found Key B: 74a386ad0a6d
Using sector 00 as an exploit sector
Card is not vulnerable to nested attack
MFOC not possible, detected hardened Mifare Classic
Trying HardNested Attack...
libnfc_crypto1_crack 74a386ad0a6d 60 B 56 B mfc_7a396ccb_foundKeys.txt
Found tag with uid 7a396ccb, collecting nonces for key B of block 56 (sector 14) using known key B 74a386ad0a6d for block 60 (sector 15)
Collected 125 nonces... ^C
root@localhost:~/miLazyCracker/mydumps#
Here is an older card where nested does work:
root@localhost:~/miLazyCracker/mydumps# miLazyCracker
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 42 55 04 1e
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [////////////////]
[Key: d3f7d3f7d3f7] -> [////////////////]
[Key: 000000000000] -> [////////////////]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxx////]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxx////]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxx////]
[Key: aabbccddeeff] -> [xxxxxxxxxxxx////]
[Key: 714c5c886e97] -> [xxxxxxxxxxxx////]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxx////]
[Key: a0478cc39091] -> [xxxxxxxxxxxx////]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxx////]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxx////]
Sector 00 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 01 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 02 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 03 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 04 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 05 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 06 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 07 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 08 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 09 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 10 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 11 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 12 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Sector 13 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Sector 14 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Sector 15 - Found Key A: a0a1a2a3a4a5 Unknown Key B
Using sector 00 as an exploit sector
Sector: 12, type B, probe 0, distance 14998 .....
Found Key: B [3f7a5c2dbd81]
Sector: 13, type B, probe 0, distance 14998 .....
Found Key: B [21edf95e7433]
Sector: 14, type B, probe 0, distance 14998 .....
Found Key: B [c121ff19f681]
Sector: 15, type B, probe 0, distance 15046 .....
Sector: 15, type B, probe 1, distance 15046 .....
Found Key: B [3d5d9996359a]
Auth with all sectors succeeded, dumping keys to a file!
.
.
.
.
Dump left in: mfc_4255041e_dump.mfd
Do you want clone the card? Place card on reader now and press Y [y/n] n
My guess is that you did not set up miLazyCracker correctly and it does not start hardnested.
The time the brute-force phase takes makes me really appreciate the precalculated tables for the Proxmark.
proxmark RULEZZ
cd proxmark3/client/
./proxmark3 /dev/ttyACM0
hw ver
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-123-g5a446cb-suspect 2019-08-05 22:15:18
os: master/v3.1.0-123-g5a446cb-suspect 2019-08-05 22:15:20
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07
SmartCard Slot: not available
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 207233 bytes (40%). Free: 317055 bytes (60%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 25.99 V @ 125.00 kHz
# LF antenna: 31.35 V @ 134.00 kHz
# LF optimal: 33.00 V @ 130.43 kHz
# HF antenna: 36.26 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
hf search
UID : XX XX XX XX
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
hf mf chk *1 ? d default_keys.dic
|000| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|001| a0a1a2a3a4a5 | 1 | ffffffffffff | 0 |
|002| a0a1a2a3a4a5 | 1 | ffffffffffff | 0 |
|003| a0a1a2a3a4a5 | 1 | ffffffffffff | 0 |
|004| a0a1a2a3a4a5 | 1 | ffffffffffff | 0 |
|005| a0a1a2a3a4a5 | 1 | ffffffffffff | 0 |
|006| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|007| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|008| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|009| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|010| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|011| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|012| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|013| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|014| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|015| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
hf mf mifare
Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).
hf mf hardnested 0 A a0a1a2a3a4a5 4 B w s
--target block no: 4, target key type:B, known target key: 0x000000000000 (not set), file action: write, Slow: Yes, Tests: 0
Using AVX SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX SIMD core | |
0 | 0 | Brute force benchmark: 172 million (2^27.4) keys/s | 140737488355328 | 9d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 9d
5 | 0 | Writing acquired nonces to binary file nonces.bin | 140737488355328 | 9d
6 | 1 | Apply bit flip properties | 140737488355328 | 9d
7 | 1 | Apply bit flip properties | 140737488355328 | 9d
8 | 1 | Apply bit flip properties | 140737488355328 | 9d
9 | 1 | Apply bit flip properties | 140737488355328 | 9d
10 | 1 | Apply bit flip properties | 140737488355328 | 9d
1 "nonces" forever and ever... i am stuck!
hf mf nested 1 0 A A0A1A2A3A4A5 4 B
--nested. sectors:16, block no: 0, key type:A, eml:n, dmp=n checktimeout=471 us
Testing known keys. Sector count=16
nested...
-----------------------------------------------
Error: No response from Proxmark.
Proxmark turns on all the lights and does not respond anymore...
I am stuck!
Last edited by pbtek (2019-11-11 21:53:17)
Mixed client and Firmware versions?
I followed the steps in https://github.com/Proxmark/proxmark3/wiki/Kali-Linux
hw ver
bootrom: master/v3.1.0-123-g5a446cb-suspect 2019-08-05 22:15:18
os: master/v3.1.0-123-g5a446cb-suspect 2019-08-05 22:15:20
I can see that you could flash a current firmware release. Did you also manage to compile the client software?
Prng detection: WEAK
Weird.
sudo apt install git build-essential libreadline5 libreadline-dev gcc-arm-none-eabi libusb-0.1-4 libusb-dev libqt4-dev ncurses-dev perl pkg-config libpcsclite-dev pcscd
git clone https://github.com/Proxmark/proxmark3.git
cd proxmark3
make clean && make all
dmesg | grep -i usb
I found cdc_acm 1-1:1.0 : ttyACM0: USB ACM device
cd client
make
Holding down the button on the Proxmark3, and continuing to hold it down, I attached the Proxmark3 to an empty USB port.
./flasher /dev/ttyACM0 -b ../bootrom/obj/bootrom.elf
ERROR. cannot find proxmark3.
killall ModemManager <----- searching the web, I found this solution
TRY AGAIN: Holding down the button on the Proxmark3, and continuing to hold it down, I attached the Proxmark3 to an empty USB port.
./flasher /dev/ttyACM0 -b ../bootrom/obj/bootrom.elf
Loading ELF file '../bootrom/obj/bootrom.elf'...
Loading usable ELF segments:
0: V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
1: V 0x00200000 P 0x00100200 (0x00000c84->0x00000c84) [R X] @0x298
Waiting for Proxmark to appear on /dev/ttyACM0 .
Found.
Flashing...
Writing segments for file: ../bootrom/obj/bootrom.elf
0x00100000..0x001001ff [0x200 / 1 blocks]. OK
0x00100200..0x00100e83 [0xc84 / 7 blocks]....... OK
Resetting hardware...
All done.
Have a nice day!
Now I release the button on the Proxmark3.
./flasher /dev/ttyACM0 ../armsrc/obj/fullimage.elf
Loading ELF file '../armsrc/obj/fullimage.elf'...
Loading usable ELF segments:
0: V 0x00102000 P 0x00102000 (0x0002f098->0x0002f098) [R X] @0x94
1: V 0x00200000 P 0x00131098 (0x000018ec->0x000018ec) [RW ] @0x2f12c
Note: Extending previous segment from 0x2f098 to 0x30984 bytes
Waiting for Proxmark to appear on /dev/ttyACM0 .
Found.
Entering bootloader...
(Press and release the button only to abort)
Waiting for Proxmark to appear on /dev/ttyACM0 .......
Found.
Flashing...
Writing segments for file: ../armsrc/obj/fullimage.elf
0x00102000..0x00132983 [0x30984 / 389 blocks]..................................................................................................................................................................................................................................................................................................................................................................................................... OK
Resetting hardware...
All done.
Have a nice day!
Last edited by pbtek (2019-08-09 23:11:46)
hf search
UID : 12 34 56 78
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
VERSUS
hf mfp info
UID : 12 34 56 78
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
----------------------------------------------
Mifare Plus info:
ATQA: Mifare Plus 2k 4bUID
SAK: Mifare Plus 2k 7bUID
Mifare Plus SL mode: SL1
Last edited by pbtek (2019-11-11 23:13:45)
Did you try 'hf mf nested' ?
Which device do you have?
Proxmark3 "Easy" Clone...?!
decisions decisions...
hf 14a snoop or hf 14a sniff or hf mf sniff
Last edited by pbtek (2019-10-02 21:17:43)
UPDATE: hf mf hardnested works (collects nonces fast and recovers the key) with a different card (another company, another purpose, same hf search info)
Any ideas to solve the "1 #nonces" looping forever??
UPDATE: hf mf nested Error: No response from Proxmark. My device turns on all the lights and does not respond anymore.
Last edited by pbtek (2019-11-03 17:06:07)
Making sense of the contents of the *.eml file after hf mf sniff d f:
57a8992d4b0804000000000000000000
2e000938093809380938093800000000
00000000000000000000000000000000
a0a1a2a3a4a561e789c1000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
a0a1a2a3a4a561e789c1000000000000 ------> a0a1a2a3a4a5 ------> valid key (tested)
Using the same steps...
57a8992d4b0804000000000000000000 ------> 57a8992d4b08 ------> not a valid key
2e000938093809380938093800000000 ------> 2e0009380938 ------> not a valid key
Last edited by pbtek (2019-11-04 16:52:25)
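The sector-trailer layout that explains the three hex lines above, as an added example; this is not code from the post or from the Proxmark3 project. A 1k card is 64 blocks of 16 bytes, grouped in sectors of 4; only the last block of each sector (3, 7, 11, ...) is a trailer holding key A, the access bytes, a user byte and key B. Block 0 is the manufacturer block (UID, BCC, SAK, ATQA), and block 1 is application data, which is why the first six bytes of those lines are not keys. The script parses a `.eml` file (one hex block per line; the sample input embeds sector 0 as quoted in the post, padded with zero blocks, and is constructed), checks the BCC of block 0, splits each trailer, verifies the redundant inverted access nibbles, and decodes the access conditions with the datasheet table. It also reports whether key B is readable at all for a sector: for the trailer above the condition decodes to 111, so a read of that trailer returns zeros for key B no matter what it is. Function names such as `parse_eml` and `sector_trailers` are my own.

```python
"""Decode the sector trailers of a Proxmark3 MIFARE Classic 1k .eml dump.

Added example, not code from the thread or from the Proxmark3 project.
"""
from dataclasses import dataclass
from typing import List, Tuple

Cond = Tuple[int, int, int]  # (C1, C2, C3) for one block

# Constructed sample input: sector 0 as quoted in the post, padded with
# zero-filled blocks to the 64 blocks of a 1k card (one hex block per line).
SAMPLE_EML = "\n".join(
    [
        "57a8992d4b0804000000000000000000",  # block 0: UID, BCC, SAK, ATQA, ...
        "2e000938093809380938093800000000",  # block 1: application data
        "00000000000000000000000000000000",  # block 2
        "a0a1a2a3a4a561e789c1000000000000",  # block 3: sector trailer
    ]
    + ["00000000000000000000000000000000"] * 60
)

# Data-block access conditions from the MIFARE Classic datasheet:
# (C1, C2, C3) -> (read, write, increment, decrement/transfer/restore).
DATA_BLOCK_ACCESS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),
    (0, 1, 0): ("A|B", "-", "-", "-"),
    (1, 0, 0): ("A|B", "B", "-", "-"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "-", "-", "A|B"),
    (0, 1, 1): ("B", "B", "-", "-"),
    (1, 0, 1): ("B", "-", "-", "-"),
    (1, 1, 1): ("-", "-", "-", "-"),
}


@dataclass
class SectorTrailer:
    sector: int
    key_a: str
    access_bytes: str
    user_byte: str
    key_b: str
    conditions: List[Cond]  # one (C1, C2, C3) triple per block of the sector
    consistent: bool        # inverted nibbles match the plain ones


def is_trailer(block_index: int) -> bool:
    """On a 1k card every sector is 4 blocks; the last one is the trailer."""
    return block_index % 4 == 3


def parse_eml(text: str) -> List[bytes]:
    """One 16-byte block per line; a 1k card has exactly 64 blocks."""
    blocks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if len(line) != 32:
            raise ValueError(f"line {lineno}: expected 32 hex chars, got {len(line)}")
        blocks.append(bytes.fromhex(line))
    if len(blocks) != 64:
        raise ValueError(f"expected 64 blocks for a 1k card, got {len(blocks)}")
    return blocks


def decode_access_bytes(b6: int, b7: int, b8: int) -> Tuple[List[Cond], bool]:
    """Unpack trailer bytes 6..8 into per-block (C1, C2, C3); a valid trailer
    stores every nibble twice (plain and inverted), so check that too."""
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    nc1, nc2, nc3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    consistent = (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) == (0xF, 0xF, 0xF)
    conds = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return conds, consistent


def sector_trailers(blocks: List[bytes]) -> List[SectorTrailer]:
    out = []
    for sector in range(len(blocks) // 4):
        t = blocks[sector * 4 + 3]
        conds, ok = decode_access_bytes(t[6], t[7], t[8])
        out.append(SectorTrailer(sector, t[:6].hex(), t[6:9].hex(), t[9:10].hex(),
                                 t[10:].hex(), conds, ok))
    return out


def key_b_readable(trailer_cond: Cond) -> bool:
    """The card only returns key B on a trailer read when the trailer's
    condition is 000 or 001; otherwise the key B field reads as zeros."""
    return trailer_cond in ((0, 0, 0), (0, 0, 1))


def manufacturer_block_ok(block0: bytes) -> bool:
    """4-byte-UID cards store BCC = XOR of the UID bytes in byte 4."""
    return block0[4] == block0[0] ^ block0[1] ^ block0[2] ^ block0[3]


def report(text: str) -> List[str]:
    """One summary line per sector whose trailer carries valid access bits."""
    blocks = parse_eml(text)
    lines = [f"block 0 UID {blocks[0][:4].hex()} BCC ok={manufacturer_block_ok(blocks[0])}"]
    for tr in sector_trailers(blocks):
        if not tr.consistent:
            continue  # zero-filled or corrupt trailer: no access information
        rw = [DATA_BLOCK_ACCESS[c][:2] for c in tr.conditions[:3]]
        lines.append(f"sector {tr.sector:02d}: keyA={tr.key_a} keyB={tr.key_b} "
                     f"(keyB readable={key_b_readable(tr.conditions[3])}) data r/w={rw}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EML)))
```

For the sample the decoded conditions are 010 for block 0 (read-only), 100 for blocks 1 and 2 (readable with A or B, writable only with B) and 111 for the trailer itself, which matches the thread: the data is readable with key A, and the diversified key B is the one the card never gives up.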
note to me:
hf mf hardnested 0 A a0a1a2a3a4a5 4 B
9 | 1 | Apply bit flip properties | 140737488355328 | 9d
300 | 1 | Apply bit flip properties | 140737488355328 | 9d
400 | 1 | Apply bit flip properties | 140737488355328 | 9d
1# nonces looping forever or unable to Apply bit flip properties ?? hummmm
Last edited by pbtek (2019-11-06 10:57:54)
after hf mf sim u 12345678 n 0 x
Collected two pairs of AR/NR which can be used to extract keyB from reader for sector 5:
How can I run mfkey32?? Where is it?
PS: now using the Official Precompiled x64 build and PM3UniversalGUI.exe
Last edited by pbtek (2019-11-08 23:54:22)
Look under the folder /tools in the repo. I don't think the precompiled binary distros build that folder. You should download the latest ProxSpace v322 and clone the repo, then you will have easy access to everything.
OK. Steps in Kali:
1- clone, make, flash all the stuff again
2 - cd proxmark3/client/
3 - ./proxmark3 /dev/ttyACM0
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-156-gea5e5d0-suspect 2019-11-10 18:00:51
os: master/v3.1.0-156-gea5e5d0-suspect 2019-11-10 18:00:53
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/10/15 at 18:34:30
SmartCard Slot: not available
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 206682 bytes (39%). Free: 317606 bytes (61%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3>
No matter what I try... I get the same help menu
proxmark3> mfkey ???
proxmark3> cd tools ???
proxmark3> ./tools ???
This help. Use '<command> help' for details of a particular command.
bla bla bla
What happens if you try to find the tools folder outside of the Proxmark client, i.e. at the command prompt/terminal?
Yes, like mwalker says, the tools folder isn't reachable from inside the Proxmark client.
thank you. Proceeding...
root@kali:~/proxmark3/tools/mfkey# make clean && make all
rm -f crypto1.o crapto1.o parity.o util_posix.o mfkey.o mfkey32 mfkey64 mfkey32.exe mfkey64.exe
gcc -std=c99 -D_ISOC99_SOURCE -I../../include -I../../common -I../../client -Wall -O3 -c -o crypto1.o ../../common/crapto1/crypto1.c
gcc -std=c99 -D_ISOC99_SOURCE -I../../include -I../../common -I../../client -Wall -O3 -c -o crapto1.o ../../common/crapto1/crapto1.c
gcc -std=c99 -D_ISOC99_SOURCE -I../../include -I../../common -I../../client -Wall -O3 -c -o parity.o ../../common/parity.c
gcc -std=c99 -D_ISOC99_SOURCE -I../../include -I../../common -I../../client -Wall -O3 -c -o util_posix.o ../../client/util_posix.c
gcc -std=c99 -D_ISOC99_SOURCE -I../../include -I../../common -I../../client -Wall -O3 -c -o mfkey.o ../../client/mifare/mfkey.c
gcc -std=c99 -D_ISOC99_SOURCE -I../../include -I../../common -I../../client -Wall -O3 -o mfkey32 crypto1.o crapto1.o parity.o util_posix.o mfkey.o mfkey32.c
gcc -std=c99 -D_ISOC99_SOURCE -I../../include -I../../common -I../../client -Wall -O3 -o mfkey64 crypto1.o crapto1.o parity.o util_posix.o mfkey.o mfkey64.c
root@kali:~/proxmark3/tools/mfkey#
Now running with data collected from post #32.... (two pairs of AR/NR which can be used to extract keyB from reader for sector 5)
root@kali:~/proxmark3/tools/mfkey# ./mfkey32 12345678 12345678 12345678 12345678 12345678 12345678
recovered key was a0a1a2a3a4a5 (key already known) <---- "two pairs of AR/NR which can be used to extract keyB from reader for sector 5"
Another sad day for Mankind
Last edited by pbtek (2019-11-11 12:45:33)
deleted
Last edited by pbtek (2020-01-12 14:19:20)
deleted
Last edited by pbtek (2020-01-12 14:19:01)
help please
Still, if you post traces from the Proxmark client, maybe it would be easier.
However, I see one problem in the data you provided.
The infamous static nonce tag (01 20 01 45)
TAG(228):01 20 01 45 [0000] c[0000]
Normally there is no fix, but just a week ago there was a solution to find keys on that specific bastard to card.
Download latest source code from official repo and run
HF MF NESTED
It will find keys eventually.
sudo apt-get update
sudo apt install git build-essential libreadline5 libreadline-dev gcc-arm-none-eabi libusb-0.1-4 libusb-dev libqt4-dev ncurses-dev perl pkg-config libpcsclite-dev pcscd
git clone https://github.com/Proxmark/proxmark3.git
cd proxmark3
make clean && make all
cd client
make
killall ModemManager
./flasher /dev/ttyACM0 -b ../bootrom/obj/bootrom.elf
./flasher /dev/ttyACM0 ../armsrc/obj/fullimage.elf
hw ver
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-173-ga749b1e-suspect 2020-01-09 14:36:52
os: master/v3.1.0-173-ga749b1e-suspect 2020-01-09 14:36:53
fpga_lf.bit built for 2s30vq100 on 2019/11/21 at 09:02:37
fpga_hf.bit built for 2s30vq100 on 2019/11/13 at 14:52:19
hf mf hardnested 0 A a0a1a2a3a4a5 4 B
1 nonces looping forever
ERROR
Last edited by pbtek (2020-01-09 16:34:29)
You don't seem to notice what ppl write. Now go back to my previous post and read again.
You don't seem to notice what ppl write. Now go back to my previous post and read again.
really!! WTF it's so not me...
HF MF NESTED
iceman wrote:You don't seem to notice what ppl write. Now go back to my previous post and read again.
really!! WTF it's so not me...
Really, it's you.
... and now I see the light!! It works... I now have the keys for this "bastard to card".
hf mf nested always responded by turning on all the lights on the Proxmark and then did not respond anymore. Disconnect USB. Connect USB. I was totally traumatized by this nested cmd (see post #18 and #29)!!
And so this story began on 2019-04-07 and it ends today!!
Many thanks to iceman, piwi, mwalker, gator96100, gencat and Ollibolli.
Thanks for the support.
Thanks for putting up with me.
"
This is the end
Hold your breath and count to ten
[...]
For this is the end
I've drowned and dreamt this moment
[...]
Let the sky fall
"
Good, may I suggest you edit your first post and add the prefix [solved] to your title
Hi, my case is identical to pbtek's in this post. In fact I have the same result... loop forever... I tried nested but my pm3 crashes. Please help me. See my post.
http://www.proxmark.org/forum/viewtopic.php?id=7560