Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
ATQA : 00 04
[+] SAK : 08 [2]
[+] TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
----
SAK : 08 means
MIFARE CLASSIC 1k
or
Plus 2k SL1
or
1k Ev1
I don't know what [2] in SAK is.
How do I define the correct type?
The result of research is
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
hf mf darkside - no result
nested or hardnested result -> UART error and disconnect (macOS and Debian tested)
other Mifare classic cards with NACK bug
nested - no problem
What to do? Maybe it's the wrong card type?
Offline
Need some more info...
Your card should work with darkside/nested. Have you killed modem manager?
gcc version?
pm3-> hw version
pm3-> hw status
Offline
macOS - NO modem manager
gcc - actual Xcode – Apple clang version 11.0.0 (clang-1100.0.33.12)
...dedicated to RDV40
[=] Using UART port /dev/tty.usbmodemiceman1
[=] Communicating with PM3 over USB-CDC
pm3-> hw version
[ CLIENT ]
client: RRG/Iceman
compiled with Clang/LLVM 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.12) OS:OSX ARCH:x86_64
[ PROXMARK3 ]
[ ARM ]
bootrom: RRG/Iceman/master/5773919f 2019-12-06 18:48:12
os: RRG/Iceman/master/5773919f 2019-12-06 18:48:23
compiled with GCC 6.3.1 20170620
[ FPGA ]
LF image built for 2s30vq100 on 2019-07-31 at 15:57:16
HF image built for 2s30vq100 on 2018-09-03 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 244210 bytes (47%) Free: 280078 bytes (53%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> hw status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............0
#db# Currently loaded FPGA image
#db# mode.................... HF image built for 2s30vq100 on 2018-09-03 at 21:40:23
#db# LF Sampling config
#db# [q] divisor.............95 ( 125.00 kHz )
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# [s] samples to skip.....0
#db# LF T55XX config
#db# [r] [a] [b] [c] [d] [e] [f] [g]
#db# mode |start|write|write|write| read|write|write
#db# | gap | gap | 0 | 1 | gap | 2 | 3
#db# ---------------------------+-----+-----+-----+-----+-----+-----+------
#db# fixed bit length (default) | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
#db# long leading reference | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
#db# leading zero | 31 | 20 | 18 | 40 | 15 | N/A | N/A |
#db# 1 of 4 coding reference | 31 | 20 | 18 | 34 | 15 | 50 | 66 |
#db#
#db# Transfer Speed
#db# Sending packets to client...
#db# Time elapsed............500ms
#db# Bytes transferred.......337920
#db# Transfer Speed PM3 -> Client = 675840 bytes/s
#db# Various
#db# DBGLEVEL................1
#db# ToSendMax...............-1
#db# ToSendBit...............0
#db# ToSend BUFFERSIZE.......2308
#db# Slow clock..............32092 Hz
#db# Installed StandAlone Mode
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
normal mf 1k card process (with no problem on nested and hardnested)
[usb] pm3 --> hf search
[=] Checking for known tags...
[-] Searching for ISO14443-A tag...[+] UID : E4 CB AD 91
[+] ATQA : 00 04
[+] SAK : 08 [2]
[+] TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
[usb] pm3 --> hf mf fchk 1 mfc_default_keys.dic
[+] Loaded 865 keys from mfc_default_keys.dic
[+] Running strategy 1
[+] Chunk: 1.1s | found 0/32 keys (85)
[+] Running strategy 2
....
[+] Chunk: 8.3s | found 15/32 keys (85)
[+] Chunk: 1.6s | found 15/32 keys (15)
[+] Time in checkkeys (fast): 95.6s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ------------ | 0 |
|001| ------------ | 0 | ffffffffffff | 1 |
|002| ------------ | 0 | ffffffffffff | 1 |
|003| ------------ | 0 | ffffffffffff | 1 |
|004| ------------ | 0 | ffffffffffff | 1 |
|005| ------------ | 0 | ffffffffffff | 1 |
|006| ------------ | 0 | ffffffffffff | 1 |
|007| ------------ | 0 | ffffffffffff | 1 |
|008| ------------ | 0 | ffffffffffff | 1 |
|009| ------------ | 0 | ffffffffffff | 1 |
|010| ------------ | 0 | ffffffffffff | 1 |
|011| ------------ | 0 | ffffffffffff | 1 |
|012| ------------ | 0 | ffffffffffff | 1 |
|013| ------------ | 0 | ffffffffffff | 1 |
|014| ------------ | 0 | ffffffffffff | 1 |
|015| ------------ | 0 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
[usb] pm3 --> hf mf nested 1 4 B FFFFFFFFFFFF d
[+] Testing known keys. Sector count=16
[+] Chunk: 0.5s | found 0/32 keys (24)
[+] Time to check 23 known keys: 0 seconds
[+] enter nested attack
[+] target block: 0 key type: A -- found valid key [984108740138]
[+] Chunk: 0.6s | found 2/32 keys (1)
[+] target block: 0 key type: A -- found valid key [0707e4cbad91]
[+] Chunk: 0.5s | found 16/32 keys (1)
[+] Chunk: 0.6s | found 16/32 keys (1)
[+] time in nested: 31 seconds
[=] trying to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| 984108740138 | 1 | 08b5d80b09ce | 1 |
|001| 0707e4cbad91 | 1 | ffffffffffff | 1 |
|002| 0b0be4cbad91 | 1 | ffffffffffff | 1 |
|003| 0f0fe4cbad91 | 1 | ffffffffffff | 1 |
|004| 1313e4cbad91 | 1 | ffffffffffff | 1 |
|005| 1717e4cbad91 | 1 | ffffffffffff | 1 |
|006| 1b1be4cbad91 | 1 | ffffffffffff | 1 |
|007| 1f1fe4cbad91 | 1 | ffffffffffff | 1 |
|008| 2323e4cbad91 | 1 | ffffffffffff | 1 |
|009| 2727e4cbad91 | 1 | ffffffffffff | 1 |
|010| 2b2be4cbad91 | 1 | ffffffffffff | 1 |
|011| 2f2fe4cbad91 | 1 | ffffffffffff | 1 |
|012| 3333e4cbad91 | 1 | ffffffffffff | 1 |
|013| 3737e4cbad91 | 1 | ffffffffffff | 1 |
|014| 3b3be4cbad91 | 1 | ffffffffffff | 1 |
|015| 3f3fe4cbad91 | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
[+] saving keys to binary file hf-mf-E4CBAD91-key.bin
[usb] pm3 --> hf mf hardnested 0 B FFFFFFFFFFFF 4 B
[!] Key is wrong. Can't authenticate to block: 0 key type:B
[usb] pm3 --> hf mf hardnested 4 B FFFFFFFFFFFF 4 B
--target block no: 4, target key type:B, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
[+] Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 1280 million (2^30.3) keys/s | 140737488355328 | 31h
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 31h
4 | 112 | Apply bit flip properties | 10408560689152 | 2h
5 | 224 | Apply bit flip properties | 8477623713792 | 2h
6 | 336 | Apply bit flip properties | 8411181744128 | 2h
7 | 448 | Apply bit flip properties | 8378623459328 | 2h
7 | 558 | Apply bit flip properties | 8378623459328 | 2h
8 | 670 | Apply bit flip properties | 8378623459328 | 2h
9 | 782 | Apply bit flip properties | 8378623459328 | 2h
10 | 892 | Apply bit flip properties | 8378623459328 | 2h
10 | 1004 | Apply bit flip properties | 8378623459328 | 2h
11 | 1111 | Apply bit flip properties | 8378623459328 | 2h
12 | 1223 | Apply bit flip properties | 8378623459328 | 2h
13 | 1332 | Apply bit flip properties | 8378623459328 | 2h
13 | 1440 | Apply bit flip properties | 8378623459328 | 2h
14 | 1550 | Apply bit flip properties | 8378623459328 | 2h
15 | 1661 | Apply bit flip properties | 8378623459328 | 2h
16 | 1773 | Apply bit flip properties | 8378623459328 | 2h
17 | 1884 | Apply bit flip properties | 8378623459328 | 2h
18 | 1993 | Apply bit flip properties | 8378623459328 | 2h
18 | 2100 | Apply bit flip properties | 8378623459328 | 2h
19 | 2204 | Apply bit flip properties | 8378623459328 | 2h
20 | 2316 | Apply bit flip properties | 8378623459328 | 2h
21 | 2427 | Apply bit flip properties | 8378623459328 | 2h
23 | 2537 | Apply Sum property. Sum(a0) = 0 | 114275516416 | 89s
23 | 2644 | Apply bit flip properties | 113346232320 | 89s
24 | 2755 | Apply bit flip properties | 112783368192 | 88s
24 | 2855 | Apply bit flip properties | 112378781696 | 88s
25 | 2855 | (1. guess: Sum(a8) = 0) | 112378781696 | 88s
28 | 2855 | Apply Sum(a8) and all bytes bitflip properties | 20987203584 | 16s
67 | 2855 | Brute force phase: 24.27% | 16191698944 | 13s
70 | 2855 | Brute force phase completed. Key found: ffffffffffff | 0 | 0s
[usb] pm3 -->
Abnormal card
[usb] pm3 --> hf search
[=] Checking for known tags...
[-] Searching for ISO14443-A tag...[+] UID : 79 85 DF 4D
[+] ATQA : 00 04
[+] SAK : 08 [2]
[+] TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
[usb] pm3 --> hf mf fchk 1 mfc_default_keys.dic
[+] Loaded 865 keys from mfc_default_keys.dic
[+] Running strategy 1
....
[+] Chunk: 8.3s | found 26/32 keys (85)
[+] Chunk: 1.6s | found 26/32 keys (15)
[+] Time in checkkeys (fast): 116.1s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
[usb] pm3 --> hf mf nested 1 0 A FFFFFFFFFFFF d
[+] Testing known keys. Sector count=16
.
[+] Chunk: 2.7s | found 26/32 keys (24)
[+] Time to check 23 known keys: 3 seconds
[+] enter nested attack
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
[+] time in nested: 93 seconds
[=] trying to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
UART:: write time-out
[!] iso14443a card select failed
[!] No tag found.
[usb] pm3 --> UART:: write time-out
device on hold
same time CPU overload on kore_process
only power reset usb reconnect will help
Offline
checked on Proxmark/proxmark3 repo - the same (similar) problem and only with this card
mentioned below is related to other repo! but interesting
proxmark3> hf mf nested 1 40 A FFFFFFFFFFFF t
--nested. sectors:16, block no: 40, key type:A, eml:y, dmp=n checktimeout=471 us
Testing known keys. Sector count=16
nested...
-----------------------------------------------
Error: No response from Proxmark.
if the proxmark releases the prompt
proxmark3>
the device is still busy
and does not accept any commands
proxmark3> hf search
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
LEDS are ON
but
if the card is removed
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
if a 2nd card is put near
#db# Multiple tags detected. Collision after Bit 1
#db# Nested: Can't select card
#db# Multiple tags detected. Collision after Bit 1
#db# Nested: Can't select card
#db# Multiple tags detected. Collision after Bit 1
#db# Nested: Can't select card
#db# Multiple tags detected. Collision after Bit 1
#db# Nested: Can't select card
#db# Multiple tags detected. Collision after Bit 1
if the card is replaced
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Auth1 error
proxmark3>
and the device is ready, no need to reboot, reconnect usb
Offline
I think my case is similar to
https://github.com/RfidResearchGroup/pr … issues/408
Offline
If you are on the latest rrg/iceman, the info command should indicate if you suffer from a fixed nonce tag.
hf 14a info
Offline
latest rrg/iceman - confirm
[ ARM ]
bootrom: RRG/Iceman/master/b748a79 2019-12-10 12:32:27
os: RRG/Iceman/master/b748a79 2019-12-10 12:32:37
compiled with GCC 5.4.1 20160919 (release) [ARM/embedded-5-branch revision 240496]
[usb] pm3 --> hf 14a info is equal to [usb] pm3 --> hf search
[usb] pm3 --> hf 14a info
[+] UID : 79 85 DF 4D
[+] ATQA : 00 04
[+] SAK : 08 [2]
[+] TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: WEAK
Offline
Have you tried distance between antenna and tag? 1-2cm?
Offline
Maximum reading distance 45mm (on bigger distance cannot detect)
100% reliable reading on 40mm
have tried 0mm / 10mm / 20mm / 40mm / 45mm
no differences
always same result for all tests
something like this
[usb] pm3 --> hf mf autopwn f mfc_default_keys.dic
[!] no known key was supplied, key recovery might fail
[+] loaded 0 keys from dictionary file /usr/local/Cellar/proxmark3/HEAD-b748a79/bin/../share/proxmark3/dictionaries/mfc_default_keys.dic
[-] An error occurred while loading the dictionary! (we will use the default keys now)
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1
.
[+] Chunk: 2.6s | found 26/32 keys (23)
[=] running strategy 2
.
[+] Chunk: 2.6s | found 26/32 keys (23)
[+] target sector: 0 key type: A -- found valid key [ FF FF FF FF FF FF ] (used for nested / hardnested attack)
[+] target sector: 0 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 4 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 4 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 5 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 5 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 6 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 6 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 7 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 7 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 8 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 8 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 9 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 9 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 10 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 10 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 11 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 11 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 12 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 12 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 13 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 13 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 14 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 14 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 15 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 15 key type: B -- found valid key [ FF FF FF FF FF FF ]
[-] Nested attack failed, trying again (1/10)
[-] Nested attack failed, trying again (2/10)
[-] Nested attack failed, trying again (3/10)
[-] Nested attack failed, trying again (4/10)
[-] Nested attack failed, trying again (5/10)
[-] Nested attack failed, trying again (6/10)
[-] Nested attack failed, trying again (7/10)
[-] Nested attack failed, trying again (8/10)
[-] Nested attack failed, trying again (9/10)
[-] Nested attack failed, trying again (10/10)
[-] Nested attack failed, moving to hardnested
[+] Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 577 million (2^29.1) keys/s | 140737488355328 | 3d
2 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 3d
[!!] Error: No response from Proxmark3.
Offline
Hm, I see two wrongs with that output. One, the dictionary file wasn't loaded, and second, the nested went into hardnested...
Offline
nested
[usb] pm3 --> hf mf nested 1 0 A FFFFFFFFFFFF
[+] Testing known keys. Sector count=16
.
[+] Chunk: 2.7s | found 26/32 keys (24)
[+] Time to check 23 known keys: 3 seconds
[+] enter nested attack
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
UART:: write time-out
[+] time in nested: 93 seconds
[=] trying to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
[usb] pm3 -->
device is busy ON ON OFF ON
no commands accepted
For the reference - TOP, kernel_task - 100% CPU load
PID COMMAND %CPU
0 kernel_task 100.8
USB disconnect/connect
kernel_task 0.1 CPU
detected on
[ CLIENT ]
client: RRG/Iceman
compiled with Clang/LLVM 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.12) OS:OSX ARCH:x86_64
[ PROXMARK3 ]
[ ARM ]
bootrom: RRG/Iceman/master/75a5b2e 2019-12-11 13:23:24
os: RRG/Iceman/master/75a5b2e 2019-12-11 13:23:35
compiled with GCC 5.4.1 20160919 (release) [ARM/embedded-5-branch revision 240496]
Last edited by Mashid0 (2019-12-11 14:46:20)
Offline
What does it mean if all nonces during hardnested look like this?
00000000: 79 85 df 4d 04 00 d9 26 69 e2 d9 26 69 e2 22 d9 :y..M...&i..&i.".
00000010: 26 69 e2 d9 26 69 e2 22 d9 26 69 e2 d9 26 69 e2 :&i..&i.".&i..&i.
00000020: 22 d9 26 69 e2 d9 26 69 e2 22 d9 26 69 e2 d9 26 :".&i..&i.".&i..&
00000030: 69 e2 22 d9 26 69 e2 d9 26 69 e2 22 d9 26 69 e2 :i.".&i..&i.".&i.
00000040: d9 26 69 e2 22 d9 26 69 e2 d9 26 69 e2 22 d9 26 :.&i.".&i..&i.".&
00000050: 69 e2 d9 26 69 e2 22 d9 26 69 e2 d9 26 69 e2 22 :i..&i.".&i..&i."
00000060: d9 26 69 e2 d9 26 69 e2 22 d9 26 69 e2 d9 26 69 :.&i..&i.".&i..&i
00000070: e2 22 d9 26 69 e2 d9 26 69 e2 22 d9 26 69 e2 d9 :.".&i..&i.".&i..
00000080: 26 69 e2 22 d9 26 69 e2 d9 26 69 e2 22 d9 26 69 :&i.".&i..&i.".&i
00000090: e2 d9 26 69 e2 22 d9 26 69 e2 d9 26 69 e2 22 d9 :..&i.".&i..&i.".
000000a0: 26 69 e2 d9 26 69 e2 22 d9 26 69 e2 d9 26 69 e2 :&i..&i.".&i..&i.
000000b0: 22 d9 26 69 e2 d9 26 69 e2 22 d9 26 69 e2 d9 26 :".&i..&i.".&i..&
file begins with
UID : 79 85 DF 4D
ATQA : 00 04
then a continually repeating, unchanging pattern
d9 26 69 e2 - d9 26 69 e2 - 22
hf mf ice
collects other pattern
00000000: 01 20 01 45 01 20 01 45 01 20 01 45 01 20 01 45 :. .E. .E. .E. .E
00000010: 01 20 01 45 01 20 01 45 01 20 01 45 01 20 01 45 :. .E. .E. .E. .E
[usb] pm3 --> hf mf list
[+] Recorded Activity (TraceLen = 11289 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
ISO14443A - All times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |79 85 df 4d 6e | |
19072 | 29600 | Rdr |93 70 79 85 df 4d 6e 9c 67 | ok | SELECT_UID
30788 | 34308 | Tag |08 b6 dd | |
36096 | 40800 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
42820 | 47556 | Tag |01 20 01 45 | | AUTH: nt
48768 | 50016 | Rdr |00 | |
As I understand
nonce1: 01 20 01 45
nonce2: d9 26 69 e2 and it's encrypted
I have only the card and can't capture the traffic between the original reader and the card, so to continue my research I need some suggestions.
Last edited by Mashid0 (2019-12-13 14:51:52)
Offline
You mentioned it already above:
I think my case is similar to
https://github.com/RfidResearchGroup/pr … issues/408
Your card's "random number" is constant. 'hf mf hardnested' collects encrypted nonces, 'hf mf ice' collects unencrypted nonces. If both are in fact the same, then ...
Offline
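The constant-nonce condition described in the reply above can be checked directly from the capture files. This is an added example, not part of the original posts or of the Proxmark3 code base: it counts distinct tag nonces in an `hf mf ice` capture and in a hardnested nonce file. The sample bytes are constructed from the hex dumps quoted in this thread; the hardnested layout (4-byte UID, target block, key type, then 9-byte records of two encrypted nonces plus a parity byte) and all function names are assumptions.

```python
"""Check Proxmark3 nonce captures for a constant ("fixed") tag nonce."""
from collections import Counter

# Constructed samples, rebuilt from the hex dumps quoted in the thread.
ICE_SAMPLE = bytes.fromhex("01200145") * 24
HARDNESTED_SAMPLE = (
    bytes.fromhex("7985df4d")                      # UID
    + bytes.fromhex("0400")                        # assumed: target block, key type
    + bytes.fromhex("d92669e2" "d92669e2" "22") * 20
)
# Constructed contrast sample: 24 distinct 4-byte values, as a tag whose
# nonce changes between authentications would produce.
VARIED_SAMPLE = b"".join(
    ((i * 2654435761) & 0xFFFFFFFF).to_bytes(4, "big") for i in range(1, 25)
)


def parse_plain_nonces(data):
    """Split a plain capture into 4-byte nonces.

    Assumed layout: tag nonces stored back to back, as in the dump of
    hf-mf-7985DF4D-nonces.bin shown in the thread. A truncated tail is ignored.
    """
    usable = len(data) - len(data) % 4
    return [data[i:i + 4] for i in range(0, usable, 4)]


def parse_hardnested(data):
    """Parse a hardnested nonce file under the assumed layout.

    Header: UID (4 bytes), target block (1), key type (1, 0 = A).
    Body: 9-byte records = encrypted nonce 1, encrypted nonce 2, parity byte.
    """
    if len(data) < 6:
        raise ValueError("file too short for the assumed 6-byte header")
    header = {
        "uid": data[:4].hex(),
        "block": data[4],
        "key_type": "A" if data[5] == 0 else "B",
    }
    body = data[6:]
    usable = len(body) - len(body) % 9   # drop an incomplete last record
    nonces = []
    for i in range(0, usable, 9):
        nonces.append(body[i:i + 4])
        nonces.append(body[i + 4:i + 8])
    return header, nonces


def summarize(nonces, min_samples=8, fixed_share=0.9):
    """Report how concentrated the nonce values are.

    A capture is flagged as fixed when one value accounts for at least
    `fixed_share` of the samples. Too few samples are never flagged.
    """
    total = len(nonces)
    if total < min_samples:
        return {"total": total, "distinct": len(set(nonces)),
                "most_common": None, "share": 0.0, "fixed": False}
    counts = Counter(nonces)
    value, hits = counts.most_common(1)[0]
    share = hits / total
    return {"total": total, "distinct": len(counts),
            "most_common": value.hex(), "share": share,
            "fixed": share >= fixed_share}


def main():
    print("ice capture      :", summarize(parse_plain_nonces(ICE_SAMPLE)))
    header, enc = parse_hardnested(HARDNESTED_SAMPLE)
    print("hardnested header:", header)
    print("hardnested nonces:", summarize(enc))
    print("varied contrast  :", summarize(parse_plain_nonces(VARIED_SAMPLE)))


if __name__ == "__main__":
    main()
```

To run it on real captures, read the file with `open(path, "rb").read()` and pass the bytes to the matching parser.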
The hf 14a info should have reported fixed nonce
Offline
The latest version of sw installed.
No messages about fixed nonce.
[usb] pm3 --> hf 14a info
[+] UID : 79 85 DF 4D
[+] ATQA : 00 04
[+] SAK : 08 [2]
[+] TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: WEAK
I still have the question
hf mf ice collect unencrypted: 01 20 01 45
hardnested collect encrypted: d9 26 69 e2
How to get A / B for the locked sectors if we know
that FFFFFFFFFFFF A / B keys are valid for some other sectors
Last edited by Mashid0 (2019-12-13 19:38:46)
Offline
nested/hardnested/ doesn't work well with a fixed nonce tag.
Have you flashed the latest firmware?!? I am surprised that the client doesn't identify it correctly
Offline
Latest firmware - yes.
Reported fixed nonce - no.
[ ARM ]
bootrom: RRG/Iceman/master/64d08de 2019-12-12 11:58:35
os: RRG/Iceman/master/64d08de 2019-12-12 11:58:44
compiled with GCC 5.4.1 20160919 (release) [ARM/embedded-5-branch revision 240496]
[ FPGA ]
LF image built for 2s30vq100 on 2019-07-31 at 15:57:16
HF image built for 2s30vq100 on 2018-09-03 at 21:40:23
[usb] pm3 --> hf 14a info
[+] UID : 79 85 DF 4D
[+] ATQA : 00 04
[+] SAK : 08 [2]
[+] TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: WEAK
[usb] pm3 -->
but the nonces look fixed
[usb] pm3 --> hf mf ice
Collecting 50000 nonces
[=] Total nonces 3048
...
[=] Total nonces 48006
[+] time: 208 seconds
[usb] pm3 -->
hf-mf-7985DF4D-nonces.bin
00000000: 01 20 01 45 01 20 01 45 01 20 01 45 01 20 01 45 :. .E. .E. .E. .E
00000010: 01 20 01 45 01 20 01 45 01 20 01 45 01 20 01 45 :. .E. .E. .E. .E
00000020: 01 20 01 45 01 20 01 45 01 20 01 45 01 20 01 45 :. .E. .E. .E. .E
00000030: 01 20 01 45 01 20 01 45 01 20 01 45 01 20 01 45 :. .E. .E. .E. .E
00000040: 01 20 01 45 01 20 01 45 01 20 01 45 01 20 01 45 :. .E. .E. .E. .E
00000050: 01 20 01 45 01 20 01 45 01 20 01 45 01 20 01 45 :. .E. .E. .E. .E
Last edited by Mashid0 (2019-12-15 11:47:48)
Offline
read a block and post the trace list from that transaction
Offline
The card makes me crazy
I'm sending
[usb] pm3 --> hf mf rdbl 24 A FFFFFFFFFFFF
[usb] pm3 --> trace list
each time a different trace result
have changed the distance to the card - no changes, often a new trace for the same request
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |79 85 df 4d 6e | |
19072 | 29600 | Rdr |93 70 79 85 df 4d 6e 9c 67 | ok | SELECT_UID
30788 | 34308 | Tag |08 b6 dd | |
36352 | 41056 | Rdr |60 18 3c e7 | ok | AUTH-A(24)
43076 | 47812 | Tag |01 20 01 45 | |
56832 | 66144 | Rdr |21 52 15 29! e7! fc! 50 8c! | !crc|
67396 | 72068 | Tag |70 6a! 52 44 | |
77824 | 82592 | Rdr |0a 3e! 37! 57 | !crc|
83780 | 104580 | Tag |7a 71 00 48 82! c7! 2a! 88! 37! aa! 17 dc! ee! 87 b0 07 fc! cf | !crc|
117248 | 121952 | Rdr |3d 5d 58! 48 | !crc|
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |79 85 df 4d 6e | |
19072 | 29600 | Rdr |93 70 79 85 df 4d 6e 9c 67 | ok | SELECT_UID
30788 | 34308 | Tag |08 b6 dd | |
36352 | 41056 | Rdr |60 18 3c e7 | ok | AUTH-A(24)
43076 | 47812 | Tag |01 20 01 45 | |
56832 | 66144 | Rdr |61 50! e1 a7! 32! 4f d2! 79! | !crc| AUTH-B(80)
67396 | 72068 | Tag |e6! 0f! 8e 3d! | |
77824 | 82592 | Rdr |64! ca 6b 6c! | !crc|
83780 | 104644 | Tag |6e 61 9d! 6e ed! 9f a6! c3 a2! b6 d1 12 a2! 00! ff 44 8f 2d! | !crc|
117248 | 122016 | Rdr |b4! e1 89 95! | !crc|
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |79 85 df 4d 6e | |
19072 | 29600 | Rdr |93 70 79 85 df 4d 6e 9c 67 | ok | SELECT_UID
30788 | 34308 | Tag |08 b6 dd | |
36352 | 41056 | Rdr |60 18 3c e7 | ok | AUTH-A(24)
43076 | 47812 | Tag |01 20 01 45 | |
56832 | 66144 | Rdr |1e 33! ba! b0! 69! 62! f1 bd | !crc|
67396 | 72068 | Tag |4c! f3 67! 45! | |
77824 | 82528 | Rdr |54 11! 30! d4 | !crc|
83780 | 104580 | Tag |81 5a 42! 53! 0b e1 92! f6 84! 71! 23! 6e! 6c! 63 dc 71 af! b5! | !crc|
117248 | 121952 | Rdr |45 67 e2 62! | !crc|
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |79 85 df 4d 6e | |
19072 | 29600 | Rdr |93 70 79 85 df 4d 6e 9c 67 | ok | SELECT_UID
30788 | 34308 | Tag |08 b6 dd | |
36352 | 41056 | Rdr |60 18 3c e7 | ok | AUTH-A(24)
43076 | 47812 | Tag |01 20 01 45 | |
56832 | 66144 | Rdr |2b 5d b5! 84! 4d! 80! 99! 71 | !crc|
67396 | 72132 | Tag |a0 e5! 1d 65! | |
77824 | 82528 | Rdr |29 bd 77! 92! | !crc|
83780 | 104644 | Tag |d7! 3f! ff! f7 b7! 67! 7e fc! 25 33! d1! 27 04! 56! c7! 10 fa! 0d | !crc|
117248 | 122016 | Rdr |26 0f 97! 84! | !crc| REQA
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |79 85 df 4d 6e | |
19072 | 29600 | Rdr |93 70 79 85 df 4d 6e 9c 67 | ok | SELECT_UID
30788 | 34308 | Tag |08 b6 dd | |
36352 | 41056 | Rdr |60 18 3c e7 | ok | AUTH-A(24)
43076 | 47812 | Tag |01 20 01 45 | |
56832 | 66144 | Rdr |dd! 05 39 63 d9 ac 6f be | !crc|
67396 | 72068 | Tag |f0 49 5a! c0 | |
77824 | 82528 | Rdr |3e f3 eb 09 | !crc| CHK TEARING(243)
83780 | 104644 | Tag |41 2a 2f! 34! 24 2a! 74! 27 3c! 8f! a6! 07 23 f3! 47 94 0c 6c! | !crc|
117248 | 121952 | Rdr |20 49! 33! 09 | !crc|
current dump looks like
{
"Created": "proxmark3",
"FileType": "mfcard",
"blocks": {
"0": "7985DF4D6E0804006263646566676869",
"1": "00000000000000000000000000000000",
"2": "00000000000000000000000000000000",
"3": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"4": "00000000000000000000000000000000",
"5": "00000000000000000000000000000000",
"6": "00000000000000000000000000000000",
"7": "00000000000000000000000000000000",
"8": "00000000000000000000000000000000",
"9": "00000000000000000000000000000000",
"10": "00000000000000000000000000000000",
"11": "00000000000000000000000000000000",
"12": "00000000000000000000000000000000",
"13": "00000000000000000000000000000000",
"14": "00000000000000000000000000000000",
"15": "00000000000000000000000000000000",
"16": "00000000000000000000000000000000",
"17": "00000000000000000000000000000000",
"18": "00000000000000000000000000000000",
"19": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"20": "00000000000000000000000000000000",
"21": "00000000000000000000000000000000",
"22": "00000000000000000000000000000000",
"23": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"24": "00000000000000000000000000000000",
"25": "00000000000000000000000000000000",
"26": "00000000000000000000000000000000",
"27": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"28": "00000000000000000000000000000000",
"29": "00000000000000000000000000000000",
"30": "00000000000000000000000000000000",
"31": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"32": "00000000000000000000000000000000",
"33": "00000000000000000000000000000000",
"34": "00000000000000000000000000000000",
"35": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"36": "00000000000000000000000000000000",
"37": "00000000000000000000000000000000",
"38": "00000000000000000000000000000000",
"39": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"40": "00000000000000000000000000000000",
"41": "00000000000000000000000000000000",
"42": "00000000000000000000000000000000",
"43": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"44": "00000000000000000000000000000000",
"45": "00000000000000000000000000000000",
"46": "00000000000000000000000000000000",
"47": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"48": "00000000000000000000000000000000",
"49": "00000000000000000000000000000000",
"50": "00000000000000000000000000000000",
"51": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"52": "00000000000000000000000000000000",
"53": "00000000000000000000000000000000",
"54": "00000000000000000000000000000000",
"55": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"56": "00000000000000000000000000000000",
"57": "00000000000000000000000000000000",
"58": "00000000000000000000000000000000",
"59": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"60": "00000000000000000000000000000000",
"61": "00000000000000000000000000000000",
"62": "00000000000000000000000000000000",
"63": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF"
},
Offline