Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-11-16 05:49:33

7_nebo_7
Contributor
Registered: 2019-09-19
Posts: 3

NXP MIFARE CLASSIC 1k not showing all founded keys

Hi All, I have question regarding Mifare classic card. When I am scaning card and execute nested attack I am able to find 5 different keys. However When I do check with keys I have always missing key A or B on 15 block.
I have next Proxmark:

Proxmark3 RFID instrument

 [ CLIENT ]
 client: iceman build for RDV40 with flashmem; smartcard;

 [ ARM ]
 bootrom: master/v3.0.1-377-gfdee1ff-suspect 2018-08-25 14:19:13
      os: iceman/master/ice_v3.1.0-1094-g97128ad5 2019-08-28 01:59:00

 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23

 [ Hardware ]
  --= uC: AT91SAM7S256 Rev D
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 256K bytes, Used: 235688 bytes (90%) Free: 26456 bytes (10%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf tune
[+] Measuring HF antenna, press button to exit
#db# 26338 mV /    26 V
#db# 26338 mV /    26 V
#db# 26338 mV /    26 V

pm3 --> hf se
 UID : xx xx xx xx
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD

[+] Valid ISO14443-A Tag Found

pm3 --> hf mf chk *1 A MyKeys.keys
[+] Loaded  5 keys from MyKeys.keys
................
Time in checkkeys: 4 seconds

testing to read key B...
Reading block 3
Data:FF FF FF FF FF FF
Reading block 7
Data:FF FF FF FF FF FF
Reading block 11
Data:FF FF FF FF FF FF
Reading block 15
Data:FF FF FF FF FF FF
Reading block 19
Data:FF FF FF FF FF FF
Reading block 23
Data:FF FF FF FF FF FF
Reading block 27
Data:FF FF FF FF FF FF
Reading block 31
Data:FF FF FF FF FF FF
Reading block 35
Data:FF FF FF FF FF FF
Reading block 39
Data:FF FF FF FF FF FF
Reading block 43
Data:FF FF FF FF FF FF
Reading block 47
Data:FF FF FF FF FF FF
Reading block 51
Data:FF FF FF FF FF FF
Reading block 55
Data:FF FF FF FF FF FF
Reading block 59
Data:FF FF FF FF FF FF
Reading block 63
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  131107094777  | 1 |  ------------  | 0 |
|---|----------------|---|----------------|---|

pm3 --> hf mf chk *1 B MyKeys.keys
[+] Loaded  5 keys from MyKeys.keys
................
Time in checkkeys: 4 seconds

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  ffffffffffff  | 1 |
|001|  ------------  | 0 |  ffffffffffff  | 1 |
|002|  ------------  | 0 |  ffffffffffff  | 1 |
|003|  ------------  | 0 |  ffffffffffff  | 1 |
|004|  ------------  | 0 |  ffffffffffff  | 1 |
|005|  ------------  | 0 |  ffffffffffff  | 1 |
|006|  ------------  | 0 |  ffffffffffff  | 1 |
|007|  ------------  | 0 |  ffffffffffff  | 1 |
|008|  ------------  | 0 |  ffffffffffff  | 1 |
|009|  ------------  | 0 |  ffffffffffff  | 1 |
|010|  ------------  | 0 |  ffffffffffff  | 1 |
|011|  ------------  | 0 |  ffffffffffff  | 1 |
|012|  ------------  | 0 |  ffffffffffff  | 1 |
|013|  ------------  | 0 |  ffffffffffff  | 1 |
|014|  ------------  | 0 |  ffffffffffff  | 1 |
|015|  ------------  | 0 |  131107094777  | 1 |
|---|----------------|---|----------------|---|

When I run

pm3 --> hf mf chk *1 ? MyKeys.keys
[+] Loaded  5 keys from MyKeys.keys

Time in checkkeys: 0 seconds

testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  ------------  | 0 |
|001|  ------------  | 0 |  ------------  | 0 |
|002|  ------------  | 0 |  ------------  | 0 |
|003|  ------------  | 0 |  ------------  | 0 |
|004|  ------------  | 0 |  ------------  | 0 |
|005|  ------------  | 0 |  ------------  | 0 |
|006|  ------------  | 0 |  ------------  | 0 |
|007|  ------------  | 0 |  ------------  | 0 |
|008|  ------------  | 0 |  ------------  | 0 |
|009|  ------------  | 0 |  ------------  | 0 |
|010|  ------------  | 0 |  ------------  | 0 |
|011|  ------------  | 0 |  ------------  | 0 |
|012|  ------------  | 0 |  ------------  | 0 |
|013|  ------------  | 0 |  ------------  | 0 |
|014|  ------------  | 0 |  ------------  | 0 |
|015|  ------------  | 0 |  ------------  | 0 |
|---|----------------|---|----------------|---|

Then I am trying to read sector 0

pm3 --> hf mf rdsc 0 A ffffffffffff
--sector no:0 key type:A key:FF FF FF FF FF FF

isOk:01
data   : XX XX XX XX 47 88 04 00 C8 23 00 20 00 00 00 16
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF

And when I am reading sector 15

pm3 --> hf mf rdsc 15 A ffffffffffff
--sector no:15 key type:A key:FF FF FF FF FF FF

#db# Auth error
isOk:00
pm3 --> hf mf rdsc 15 A 131107094777
--sector no:15 key type:A key:13 11 07 09 47 77

isOk:01
data   : 11 51 C8 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 7F 07 88 00 00 00 00 00 00 00
pm3 --> hf mf rdsc 15 B 131107094777
--sector no:15 key type:B key:13 11 07 09 47 77

isOk:01
data   : 11 51 C8 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 7F 07 88 00 00 00 00 00 00 00
pm3 -->

So Manually I am able to read each sectors with appropriate key. I am not sure why then Proxmark would not use this founded keys to dump key memeory

Also another question:
According readings from proxmark I have Mifare Clasic 1K. According manual it has 16 sectors and 64 blocs. But when I am trying nested attack against block 65, 66, 67, 68, 69, 70, 71, 72 Proxmark able to find another 3 keys??? Nested attack fail on blocks more then 73 with Lenth error.

pm3 --> hf mf hardnested 0 B ffffffffffff 70 B
--target block no: 70, target key type:B, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0  



 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 8 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 1025 million (2^29.9) keys/s     | 140737488355328 |    2d
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    2d
#db# AcquireNonces: Auth1 error
       5 |     112 | Apply bit flip properties                               |    289912389632 |  5min
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
       6 |     223 | Apply bit flip properties                               |     47289974784 |   46s
       7 |     333 | Apply bit flip properties                               |     41648439296 |   41s
       8 |     444 | Apply bit flip properties                               |     32583802880 |   32s
       9 |     555 | Apply bit flip properties                               |     30989582336 |   30s
      10 |     666 | Apply bit flip properties                               |     30691633152 |   30s
      11 |     778 | Apply bit flip properties                               |     29741737984 |   29s
      11 |     886 | Apply bit flip properties                               |     29741737984 |   29s
#db# AcquireNonces: Auth1 error
      12 |     997 | Apply bit flip properties                               |     29741737984 |   29s
#db# AcquireNonces: Auth1 error
      14 |    1107 | Apply Sum property. Sum(a0) = 136                       |      1446876544 |    1s
      14 |    1217 | Apply bit flip properties                               |      1446876544 |    1s
      15 |    1327 | Apply bit flip properties                               |      1446876544 |    1s
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
      15 |    1436 | Apply bit flip properties                               |      1446876544 |    1s
#db# AcquireNonces: Auth1 error
      16 |    1436 | (1. guess: Sum(a8) = 64)                                |      1446876544 |    1s
      17 |    1436 | Apply Sum(a8) and all bytes bitflip properties          |      1445087360 |    1s
      17 |    1436 | Brute force phase completed. Key found: 4b791bea7bcc    |               0 |    0s
pm3 -->

Does it mean that my card not actual 1K card?
I tried to check my kard with 2K mode and then get next results:

pm3 --> hf mf chk *2 B MyKeys.keys
[+] Loaded  5 keys from MyKeys.keys
................................
Time in checkkeys: 8 seconds

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  ffffffffffff  | 1 |
|001|  ------------  | 0 |  ffffffffffff  | 1 |
|002|  ------------  | 0 |  ffffffffffff  | 1 |
|003|  ------------  | 0 |  ffffffffffff  | 1 |
|004|  ------------  | 0 |  ffffffffffff  | 1 |
|005|  ------------  | 0 |  ffffffffffff  | 1 |
|006|  ------------  | 0 |  ffffffffffff  | 1 |
|007|  ------------  | 0 |  ffffffffffff  | 1 |
|008|  ------------  | 0 |  ffffffffffff  | 1 |
|009|  ------------  | 0 |  ffffffffffff  | 1 |
|010|  ------------  | 0 |  ffffffffffff  | 1 |
|011|  ------------  | 0 |  ffffffffffff  | 1 |
|012|  ------------  | 0 |  ffffffffffff  | 1 |
|013|  ------------  | 0 |  ffffffffffff  | 1 |
|014|  ------------  | 0 |  ffffffffffff  | 1 |
|015|  ------------  | 0 |  131107094777  | 1 |
|016|  ------------  | 0 |  d01afeeb890a  | 1 |
|017|  ------------  | 0 |  4b791bea7bcc  | 1 |
|018|  ------------  | 0 |  ------------  | 0 |
|019|  ------------  | 0 |  ------------  | 0 |
|020|  ------------  | 0 |  ------------  | 0 |
|021|  ------------  | 0 |  ------------  | 0 |
|022|  ------------  | 0 |  ------------  | 0 |
|023|  ------------  | 0 |  ------------  | 0 |
|024|  ------------  | 0 |  ------------  | 0 |
|025|  ------------  | 0 |  ------------  | 0 |
|026|  ------------  | 0 |  ------------  | 0 |
|027|  ------------  | 0 |  ------------  | 0 |
|028|  ------------  | 0 |  ------------  | 0 |
|029|  ------------  | 0 |  ------------  | 0 |
|030|  ------------  | 0 |  ------------  | 0 |
|031|  ------------  | 0 |  ------------  | 0 |
|---|----------------|---|----------------|---|

pm3 --> hf mf chk *2 A MyKeys.keys
[+] Loaded  5 keys from MyKeys.keys
................................
Time in checkkeys: 8 seconds

testing to read key B...
Reading block 3
Data:FF FF FF FF FF FF
Reading block 7
Data:FF FF FF FF FF FF
Reading block 11
Data:FF FF FF FF FF FF
Reading block 15
Data:FF FF FF FF FF FF
Reading block 19
Data:FF FF FF FF FF FF
Reading block 23
Data:FF FF FF FF FF FF
Reading block 27
Data:FF FF FF FF FF FF
Reading block 31
Data:FF FF FF FF FF FF
Reading block 35
Data:FF FF FF FF FF FF
Reading block 39
Data:FF FF FF FF FF FF
Reading block 43
Data:FF FF FF FF FF FF
Reading block 47
Data:FF FF FF FF FF FF
Reading block 51
Data:FF FF FF FF FF FF
Reading block 55
Data:FF FF FF FF FF FF
Reading block 59
Data:FF FF FF FF FF FF
Reading block 63
Reading block 67
#db# Cmd Error: 04
#db# Read block error
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  131107094777  | 1 |  ------------  | 0 |
|016|  5c8ff9990da2  | 1 |  ------------  | 0 |
|017|  ------------  | 0 |  ------------  | 0 |
|018|  ------------  | 0 |  ------------  | 0 |
|019|  ------------  | 0 |  ------------  | 0 |
|020|  ------------  | 0 |  ------------  | 0 |
|021|  ------------  | 0 |  ------------  | 0 |
|022|  ------------  | 0 |  ------------  | 0 |
|023|  ------------  | 0 |  ------------  | 0 |
|024|  ------------  | 0 |  ------------  | 0 |
|025|  ------------  | 0 |  ------------  | 0 |
|026|  ------------  | 0 |  ------------  | 0 |
|027|  ------------  | 0 |  ------------  | 0 |
|028|  ------------  | 0 |  ------------  | 0 |
|029|  ------------  | 0 |  ------------  | 0 |
|030|  ------------  | 0 |  ------------  | 0 |
|031|  ------------  | 0 |  ------------  | 0 |
|---|----------------|---|----------------|---|

I do understand that Proxmark can not read some blocks but why I am able read them manualy? And what type of my card if it able to read from blocks 65, 66, 67, 68, 69, 70, 71, 72
Sorry for long post but I am confused

Offline

#2 2019-11-16 08:30:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: NXP MIFARE CLASSIC 1k not showing all founded keys

You seem to be running on iceman fork,  which a bit outdated and deprecated.  I suggest you run on RRG/Iceman repo instead.
It might explain why some keys is missing when running hf mf chk.   When it comes to be able to read blocks above 64 and card isn't a MFP 2k.  It could be a MFC Ev1 1K card,  which uses those 65,66,67 blocks as holders for the signature data.

Offline

Board footer

Powered by FluxBB