Hi all, I have a question regarding a Mifare Classic card. When I scan the card and execute a nested attack I am able to find 5 different keys. However, when I do a check with the keys, I am always missing key A or B on block 15.
I have the following Proxmark:
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: master/v3.0.1-377-gfdee1ff-suspect 2018-08-25 14:19:13
os: iceman/master/ice_v3.1.0-1094-g97128ad5 2019-08-28 01:59:00
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S256 Rev D
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 256K bytes, Used: 235688 bytes (90%) Free: 26456 bytes (10%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf tune
[+] Measuring HF antenna, press button to exit
#db# 26338 mV / 26 V
#db# 26338 mV / 26 V
#db# 26338 mV / 26 V
pm3 --> hf se
UID : xx xx xx xx
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
[+] Valid ISO14443-A Tag Found
pm3 --> hf mf chk *1 A MyKeys.keys
[+] Loaded 5 keys from MyKeys.keys
................
Time in checkkeys: 4 seconds
testing to read key B...
Reading block 3
Data:FF FF FF FF FF FF
Reading block 7
Data:FF FF FF FF FF FF
Reading block 11
Data:FF FF FF FF FF FF
Reading block 15
Data:FF FF FF FF FF FF
Reading block 19
Data:FF FF FF FF FF FF
Reading block 23
Data:FF FF FF FF FF FF
Reading block 27
Data:FF FF FF FF FF FF
Reading block 31
Data:FF FF FF FF FF FF
Reading block 35
Data:FF FF FF FF FF FF
Reading block 39
Data:FF FF FF FF FF FF
Reading block 43
Data:FF FF FF FF FF FF
Reading block 47
Data:FF FF FF FF FF FF
Reading block 51
Data:FF FF FF FF FF FF
Reading block 55
Data:FF FF FF FF FF FF
Reading block 59
Data:FF FF FF FF FF FF
Reading block 63
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| 131107094777 | 1 | ------------ | 0 |
|---|----------------|---|----------------|---|
pm3 --> hf mf chk *1 B MyKeys.keys
[+] Loaded 5 keys from MyKeys.keys
................
Time in checkkeys: 4 seconds
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ffffffffffff | 1 |
|001| ------------ | 0 | ffffffffffff | 1 |
|002| ------------ | 0 | ffffffffffff | 1 |
|003| ------------ | 0 | ffffffffffff | 1 |
|004| ------------ | 0 | ffffffffffff | 1 |
|005| ------------ | 0 | ffffffffffff | 1 |
|006| ------------ | 0 | ffffffffffff | 1 |
|007| ------------ | 0 | ffffffffffff | 1 |
|008| ------------ | 0 | ffffffffffff | 1 |
|009| ------------ | 0 | ffffffffffff | 1 |
|010| ------------ | 0 | ffffffffffff | 1 |
|011| ------------ | 0 | ffffffffffff | 1 |
|012| ------------ | 0 | ffffffffffff | 1 |
|013| ------------ | 0 | ffffffffffff | 1 |
|014| ------------ | 0 | ffffffffffff | 1 |
|015| ------------ | 0 | 131107094777 | 1 |
|---|----------------|---|----------------|---|
When I run
pm3 --> hf mf chk *1 ? MyKeys.keys
[+] Loaded 5 keys from MyKeys.keys
Time in checkkeys: 0 seconds
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ------------ | 0 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ------------ | 0 | ------------ | 0 |
|005| ------------ | 0 | ------------ | 0 |
|006| ------------ | 0 | ------------ | 0 |
|007| ------------ | 0 | ------------ | 0 |
|008| ------------ | 0 | ------------ | 0 |
|009| ------------ | 0 | ------------ | 0 |
|010| ------------ | 0 | ------------ | 0 |
|011| ------------ | 0 | ------------ | 0 |
|012| ------------ | 0 | ------------ | 0 |
|013| ------------ | 0 | ------------ | 0 |
|014| ------------ | 0 | ------------ | 0 |
|015| ------------ | 0 | ------------ | 0 |
|---|----------------|---|----------------|---|
Then I am trying to read sector 0
pm3 --> hf mf rdsc 0 A ffffffffffff
--sector no:0 key type:A key:FF FF FF FF FF FF
isOk:01
data : XX XX XX XX 47 88 04 00 C8 23 00 20 00 00 00 16
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
And when I am reading sector 15
pm3 --> hf mf rdsc 15 A ffffffffffff
--sector no:15 key type:A key:FF FF FF FF FF FF
#db# Auth error
isOk:00
pm3 --> hf mf rdsc 15 A 131107094777
--sector no:15 key type:A key:13 11 07 09 47 77
isOk:01
data : 11 51 C8 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 7F 07 88 00 00 00 00 00 00 00
pm3 --> hf mf rdsc 15 B 131107094777
--sector no:15 key type:B key:13 11 07 09 47 77
isOk:01
data : 11 51 C8 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 7F 07 88 00 00 00 00 00 00 00
pm3 -->
So manually I am able to read each sector with the appropriate key. I am not sure why the Proxmark would then not use these found keys to dump the key memory.
Also another question:
According to the readings from the Proxmark I have a Mifare Classic 1K. According to the manual it has 16 sectors and 64 blocks. But when I try a nested attack against blocks 65, 66, 67, 68, 69, 70, 71, 72, the Proxmark is able to find another 3 keys??? The nested attack fails on blocks higher than 73 with a Length error.
pm3 --> hf mf hardnested 0 B ffffffffffff 70 B
--target block no: 70, target key type:B, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 1025 million (2^29.9) keys/s | 140737488355328 | 2d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
#db# AcquireNonces: Auth1 error
5 | 112 | Apply bit flip properties | 289912389632 | 5min
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
6 | 223 | Apply bit flip properties | 47289974784 | 46s
7 | 333 | Apply bit flip properties | 41648439296 | 41s
8 | 444 | Apply bit flip properties | 32583802880 | 32s
9 | 555 | Apply bit flip properties | 30989582336 | 30s
10 | 666 | Apply bit flip properties | 30691633152 | 30s
11 | 778 | Apply bit flip properties | 29741737984 | 29s
11 | 886 | Apply bit flip properties | 29741737984 | 29s
#db# AcquireNonces: Auth1 error
12 | 997 | Apply bit flip properties | 29741737984 | 29s
#db# AcquireNonces: Auth1 error
14 | 1107 | Apply Sum property. Sum(a0) = 136 | 1446876544 | 1s
14 | 1217 | Apply bit flip properties | 1446876544 | 1s
15 | 1327 | Apply bit flip properties | 1446876544 | 1s
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
15 | 1436 | Apply bit flip properties | 1446876544 | 1s
#db# AcquireNonces: Auth1 error
16 | 1436 | (1. guess: Sum(a8) = 64) | 1446876544 | 1s
17 | 1436 | Apply Sum(a8) and all bytes bitflip properties | 1445087360 | 1s
17 | 1436 | Brute force phase completed. Key found: 4b791bea7bcc | 0 | 0s
pm3 -->
Does it mean that my card is not actually a 1K card?
I tried to check my card in 2K mode and got the following results:
pm3 --> hf mf chk *2 B MyKeys.keys
[+] Loaded 5 keys from MyKeys.keys
................................
Time in checkkeys: 8 seconds
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ffffffffffff | 1 |
|001| ------------ | 0 | ffffffffffff | 1 |
|002| ------------ | 0 | ffffffffffff | 1 |
|003| ------------ | 0 | ffffffffffff | 1 |
|004| ------------ | 0 | ffffffffffff | 1 |
|005| ------------ | 0 | ffffffffffff | 1 |
|006| ------------ | 0 | ffffffffffff | 1 |
|007| ------------ | 0 | ffffffffffff | 1 |
|008| ------------ | 0 | ffffffffffff | 1 |
|009| ------------ | 0 | ffffffffffff | 1 |
|010| ------------ | 0 | ffffffffffff | 1 |
|011| ------------ | 0 | ffffffffffff | 1 |
|012| ------------ | 0 | ffffffffffff | 1 |
|013| ------------ | 0 | ffffffffffff | 1 |
|014| ------------ | 0 | ffffffffffff | 1 |
|015| ------------ | 0 | 131107094777 | 1 |
|016| ------------ | 0 | d01afeeb890a | 1 |
|017| ------------ | 0 | 4b791bea7bcc | 1 |
|018| ------------ | 0 | ------------ | 0 |
|019| ------------ | 0 | ------------ | 0 |
|020| ------------ | 0 | ------------ | 0 |
|021| ------------ | 0 | ------------ | 0 |
|022| ------------ | 0 | ------------ | 0 |
|023| ------------ | 0 | ------------ | 0 |
|024| ------------ | 0 | ------------ | 0 |
|025| ------------ | 0 | ------------ | 0 |
|026| ------------ | 0 | ------------ | 0 |
|027| ------------ | 0 | ------------ | 0 |
|028| ------------ | 0 | ------------ | 0 |
|029| ------------ | 0 | ------------ | 0 |
|030| ------------ | 0 | ------------ | 0 |
|031| ------------ | 0 | ------------ | 0 |
|---|----------------|---|----------------|---|
pm3 --> hf mf chk *2 A MyKeys.keys
[+] Loaded 5 keys from MyKeys.keys
................................
Time in checkkeys: 8 seconds
testing to read key B...
Reading block 3
Data:FF FF FF FF FF FF
Reading block 7
Data:FF FF FF FF FF FF
Reading block 11
Data:FF FF FF FF FF FF
Reading block 15
Data:FF FF FF FF FF FF
Reading block 19
Data:FF FF FF FF FF FF
Reading block 23
Data:FF FF FF FF FF FF
Reading block 27
Data:FF FF FF FF FF FF
Reading block 31
Data:FF FF FF FF FF FF
Reading block 35
Data:FF FF FF FF FF FF
Reading block 39
Data:FF FF FF FF FF FF
Reading block 43
Data:FF FF FF FF FF FF
Reading block 47
Data:FF FF FF FF FF FF
Reading block 51
Data:FF FF FF FF FF FF
Reading block 55
Data:FF FF FF FF FF FF
Reading block 59
Data:FF FF FF FF FF FF
Reading block 63
Reading block 67
#db# Cmd Error: 04
#db# Read block error
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| 131107094777 | 1 | ------------ | 0 |
|016| 5c8ff9990da2 | 1 | ------------ | 0 |
|017| ------------ | 0 | ------------ | 0 |
|018| ------------ | 0 | ------------ | 0 |
|019| ------------ | 0 | ------------ | 0 |
|020| ------------ | 0 | ------------ | 0 |
|021| ------------ | 0 | ------------ | 0 |
|022| ------------ | 0 | ------------ | 0 |
|023| ------------ | 0 | ------------ | 0 |
|024| ------------ | 0 | ------------ | 0 |
|025| ------------ | 0 | ------------ | 0 |
|026| ------------ | 0 | ------------ | 0 |
|027| ------------ | 0 | ------------ | 0 |
|028| ------------ | 0 | ------------ | 0 |
|029| ------------ | 0 | ------------ | 0 |
|030| ------------ | 0 | ------------ | 0 |
|031| ------------ | 0 | ------------ | 0 |
|---|----------------|---|----------------|---|
I do understand that the Proxmark cannot read some blocks, but why am I able to read them manually? And what type is my card if it is able to read from blocks 65, 66, 67, 68, 69, 70, 71, 72?
Sorry for the long post, but I am confused.
You seem to be running on the iceman fork, which is a bit outdated and deprecated. I suggest you run on the RRG/Iceman repo instead.
It might explain why some keys are missing when running hf mf chk. When it comes to being able to read blocks above 64 when the card isn't an MFP 2k, it could be an MFC Ev1 1K card, which uses those blocks 65, 66, 67 as holders for the signature data.
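The two sector trailers in the first post's `hf mf rdsc` output (`FF 07 80 69` for sector 0, `7F 07 88 00` for sector 15) carry different access bits. The Python below is an added example, not part of either post or of the Proxmark client. It decodes those bytes using the access-condition table from the NXP MF1S50 datasheet and shows that key B is readable with key A in sector 0 but never readable in sector 15. The function and constant names are assumptions made for this example.

```python
# Added example: decode the access bits of a MIFARE Classic sector trailer.
# (C1, C2, C3) of the trailer block -> who may read/write key A, the access
# bits and key B, as tabulated in the NXP MF1S50 datasheet.
FIELDS = ("read key A", "write key A", "read access bits",
          "write access bits", "read key B", "write key B")
TRAILER_RIGHTS = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),   # transport configuration
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}

# Trailers copied from the `hf mf rdsc` output in the first post.
SECTOR_0 = "00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF"
SECTOR_15 = "00 00 00 00 00 00 7F 07 88 00 00 00 00 00 00 00"


def decode_access(trailer_hex):
    """Return [(C1, C2, C3)] for blocks 0..3 of the sector (3 = trailer)."""
    t = bytes.fromhex(trailer_hex)
    if len(t) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = t[6], t[7], t[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv_c1, inv_c2, inv_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    # Every access bit is stored twice, once inverted; both copies must agree.
    if (c1 ^ inv_c1, c2 ^ inv_c2, c3 ^ inv_c3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits and their inverted copies disagree")
    # Bit n of each nibble applies to block n of the sector.
    return [((c1 >> n) & 1, (c2 >> n) & 1, (c3 >> n) & 1) for n in range(4)]


def trailer_rights(trailer_hex):
    """Map each trailer operation to the key that permits it."""
    return dict(zip(FIELDS, TRAILER_RIGHTS[decode_access(trailer_hex)[3]]))


def key_b_readable_with_key_a(trailer_hex):
    return trailer_rights(trailer_hex)["read key B"] == "A"


if __name__ == "__main__":
    for name, trailer in (("sector 0", SECTOR_0), ("sector 15", SECTOR_15)):
        print(name, decode_access(trailer)[3], trailer_rights(trailer))
```

Sector 0 decodes to the transport configuration, in which the key B bytes come back in a trailer read authenticated with key A; sector 15 decodes to a condition in which neither key is ever readable, which matches the `00` bytes in the key B position of its trailer dump.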