Research, development and trades concerning the powerful Proxmark3 device.
I hope I'm going about this the right way. I've been doing very well with LF/125 kHz and I've been fine performing a darkside attack. Recently I've been stuck on this Mifare Classic EV1 and wanted to know if I can get some advice on making a successful clone (if it's possible).
I've understood that this is a [MIFARE CLASSIC EV1: MF1S50] with a product identifier of [MF1S503xX/V1].
pm3 --> hf sear
UID : BE F4 73 E5
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
[+] Valid ISO14443-A Tag Found
I'm using the latest 5/1 Iceman fork.
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-1083-g05f43ba6 2019-05-01 13:40:37
os: iceman/master/ice_v3.1.0-1083-g05f43ba6 2019-05-01 13:40:41
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S256 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 256K bytes, Used: 237349 bytes (91%) Free: 24795 bytes ( 9%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
A darkside attempt shows this:
pm3 --> hf mf dark
--------------------------------------------------------------------------------
executing Darkside attack. Expected execution time: 25sec on average
press pm3-button on the proxmark3 device to abort both proxmark3 and client.
--------------------------------------------------------------------------------
[-] card is not vulnerable to Darkside attack (its random number generator is not predictable).
Following a lot of research from the forum, I've understood I need to attempt a hardnested attack.
First, check default keys.
pm3 --> hf mf chk * ?
No key specified, trying default keys
[ 0] ffffffffffff
[ 1] 000000000000
[ 2] a0a1a2a3a4a5
[ 3] b0b1b2b3b4b5
[ 4] c0c1c2c3c4c5
[ 5] d0d1d2d3d4d5
[ 6] aabbccddeeff
[ 7] 1a2b3c4d5e6f
[ 8] 123456789abc
[ 9] 010203040506
[10] 123456abcdef
[11] abcdef123456
[12] 4d3a99c351dd
[13] 1a982c7e459a
[14] d3f7d3f7d3f7
[15] 714c5c886e97
[16] 587ee5f9350f
[17] a0478cc39091
[18] 533cb6c723f6
[19] 8fd0a4f256e9
Time in checkkeys: 0 seconds
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ------------ | 0 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ------------ | 0 | ------------ | 0 |
|005| ------------ | 0 | ------------ | 0 |
|006| ------------ | 0 | ------------ | 0 |
|007| ------------ | 0 | ------------ | 0 |
|008| ------------ | 0 | ------------ | 0 |
|009| ------------ | 0 | ------------ | 0 |
|010| ------------ | 0 | ------------ | 0 |
|011| ------------ | 0 | ------------ | 0 |
|012| ------------ | 0 | ------------ | 0 |
|013| ------------ | 0 | ------------ | 0 |
|014| ------------ | 0 | ------------ | 0 |
|015| ------------ | 0 | ------------ | 0 |
|---|----------------|---|----------------|---|
Then an attempt at hardnested using FFFFFFFFFFFF on block 04:
pm3 --> hf mf hard * A FFFFFFFFFFFF 4 A
#db# ChkKeys: Can't select card (ALL)
--target block no: 4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX SIMD core | |
0 | 0 | Brute force benchmark: 279 million (2^28.1) keys/s | 140737488355328 | 6d
3 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 6d
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
###................ALOT OF THIS
###.......SOME OF THIS
9 | 112 | Apply bit flip properties | 9843136004096 | 10h
###...............THEN THIS...
76 | 3924 | (1. guess: Sum(a8) = 192) | 192771866624 | 12min
77 | 3924 | Apply Sum(a8) and all bytes bitflip properties | 157699440640 | 9min
82 | 3924 | Brute force phase completed. Key found: e2127c8b3458 | 0 | 0s
So it seems like it found a key?
Now, I'm kind of at a wall. I think I need to add this key to the dictionary default_keys.dic, or maybe that was a false positive or I did something wrong?
Any advice for a next step would be greatly appreciated.
I won't have access to the actual reader for a couple of weeks in case I need to "sniff" (haven't tried that yet either).
Thank you.