Research, development and trades concerning the powerful Proxmark3 device.
Hi guys, first of all I want to congratulate everyone for the vast preparation and experience that you distribute in this forum.
I'm sorry for my English.
So... I have been in a strange situation for months and months. After all the tests and study I have done, I have a Mifare Classic 1K on my hands that does not let me sleep at night.
I would like to share it with you; maybe someone can show me the light!!
To begin with, in my tests I tried:
- ACR122U on Windows, an Ubuntu VM and Kali Linux non-VM (mfoc, miLazyCracker, etc.)
- Proxmark3 Easy on Windows, an Ubuntu VM and Kali Linux non-VM (nested, hardnested, ...)
- MFCtools on Android
Let's then analyze the type of card that I will now call the "BASTARD CARD"
It's a Mifare Classic 1K with PRNG: WEAK, so in theory a simple nested would suffice (since I have the other keys).
UID: …
ATQA: 00 04
SAK : 08 [2]
Type: NXP MIFARE CLASSIC 1K | Plus 2k sl1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
Let's see the proxmark3:
[ARM]
Bootrom: iceman/master/ice_v3.1.0-1097-ga23414fe 2020-01-29 11:58:42
Os: iceman/master/ice_v3.1.0-1097-ga23414fe 2020-01-29 11:58:44
[FPGA]
LF IMAGE built for 2s30vq100 on 2017/10/25 at ….
HF image built for 2s30vq100 on 2018/9/3 at…
Uc: AT91SAM7S153 Rev B
…..
hw status
bigbuf_ size…40000
Available memory……40000
Tracing
Tracing….0
Tracelen…..123
Mode……. HF image built for 2s30vq100 on 2018/9/3 at…
Flash Memory
Init…..FAIL
Smart Card module ( iso 7816)
Version……Failed
LF Sampling config
Divisor….95 (125 Khz)
Bps…8
Decimation….1
Averaging….Yes
Trigger …..0
USB Speed
Sending USB packets to client….
Time elapsed…1500ms
Byte transferred….761344
USB transfer speed PM3-> Client = 507562 Bytes/s
…..
hw tune
LF Antenna : …48.81 V @ 125 Khz
Lf antenna : -1366360.06 V @ 134 Khz
LF optimal: -663486.46 V @ 129.03 Khz
HF antenna…29.21 V @ 13.56 Mhz
Your Lf antenna is unusable.
Now let's move on to viewing the dump with the mfc tools
Sector 0:
KEYA=FFFFFFFFFFFF keyb= FFFFFFFFFFFF
Sector1:
No keys found (or dead sector)
Sector 2:
No keys found (or dead sector)
Sector 3:
KEYA=FFFFFFFFFFFF keyb= FFFFFFFFFFFF
Sector 4:
KEYA=FFFFFFFFFFFF keyb= FFFFFFFFFFFF
Sector 5:
KEYA=FFFFFFFFFFFF keyb= FFFFFFFFFFFF
…..
Sector 15:
KEYA=FFFFFFFFFFFF keyb= FFFFFFFFFFFF
Therefore:
hf mf chk * 1?
And we map the known default keys: FFFFFFFFFFFF for key A and key B.
All sectors except 1 and 2, which are to be calculated.
So, given that the PRNG is weak, we apply a nested:
hf mf nested 1 9 A ffffffffffff d
Testing known keys. Sector count=16
Nested…
…………………………………………………………
Error: No response from Proxmark.
P.S.: I want to point out that I have tried nested for various sectors... but the output is always the same: the Proxmark3 crashes!
Is this my case?
I read this in the Proxmark3 documentation:
1) Mifare S50/S70: Keep the S50 tag in the antenna field. Enter the "hf mf mifare" command to run it.
Note: Crack PRNG vulnerability, Success rate is low. Usually it causes the USB connection line off the PC. Common error: "Can't select card". According to our testing, firmware 816 is the best version for this command. If you want to try to crack in this way, we recommend you to degrade the firmware to 816 version. Anyway, remember that the success rate is low, but possible.
Also because I tried the usual cracking techniques on a mini Mifare (the coffee one, MIZIP) and they work.
I don't understand if the problem is hardware... software... or if it is a BASTARD CARD!!!
Offline
You seem to run a firmware/client compiled for RDV4 on a Pm3 Easy clone. That is a bad thing, your device/client will not work well.
Offline
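The symptoms in the first post's `hw status` and `hw tune` output can be checked mechanically. The following is an added example, not code from the thread or from the Proxmark3 project: the function name `check_build`, the 100 V sanity bound, and the reading of failed flash or smart card probes as a sign of a build meant for other hardware are assumptions of this example.

```python
import re

# Constructed sample: lines re-typed (punctuation normalised) from the first post.
SAMPLE = """\
Bootrom: iceman/master/ice_v3.1.0-1097-ga23414fe 2020-01-29 11:58:42
Os: iceman/master/ice_v3.1.0-1097-ga23414fe 2020-01-29 11:58:44
Flash Memory
Init.....FAIL
Smart Card module (iso 7816)
Version......Failed
LF antenna: 48.81 V @ 125 kHz
LF antenna: -1366360.06 V @ 134 kHz
HF antenna: 29.21 V @ 13.56 MHz
"""

MAX_PLAUSIBLE_VOLTS = 100.0  # assumption of this example, not a Proxmark3 constant
SECTIONS = {"flash memory": "flash memory", "smart card": "smart card module"}


def check_build(output):
    """Return findings for a pasted hw version / hw status / hw tune dump."""
    findings, versions, section = [], {}, None
    for raw in output.splitlines():
        # Drop the "#db# " / "# " prefixes some client versions print.
        low = re.sub(r"^#(db#)?\s*", "", raw.strip().lower())
        ver = re.match(r"(bootrom|os)\s*:\s*(\S+)", low)
        if ver:
            versions[ver.group(1)] = ver.group(2)
            continue
        header = next((n for k, n in SECTIONS.items() if low.startswith(k)), None)
        if header:
            section = header
            continue
        if section and re.search(r"\bfail(ed)?\b", low):
            findings.append(f"{section}: probe failed, build expects hardware that did not answer")
            section = None
            continue
        volts = re.search(r"\b(lf|hf)\s+\w+\s*:\s*(-?\d+(?:\.\d+)?)\s*v\b", low)
        if volts and not 0 <= float(volts.group(2)) <= MAX_PLAUSIBLE_VOLTS:
            findings.append(f"{volts.group(1)} antenna: implausible reading {volts.group(2)} V")
    if len(set(versions.values())) > 1:
        findings.append(f"bootrom and os builds differ: {versions}")
    return findings


if __name__ == "__main__":
    for finding in check_build(SAMPLE):
        print(finding)
```

Run against the output from the later post (after the reflash), the same function returns no findings.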
Thanks iceman! I'll install the correct firmware and I'll try again.
Which version of firmware is more stable on the PM3?
Thanks again
I'll try
Offline
Hi Guys
I tried to downgrade the firmware... but the problem is still there!
1) First attempt
- Driver all OK and is the same as the package uploaded
- version win 64 uploaded
-hw version
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-382-gab20cc3-suspect 2018-08-04 11:41:58
os: master/v3.0.1-382-gab20cc3-suspect 2018-08-04 11:42:01
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 194665 bytes (37%). Free: 329623 bytes (63%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
-hw status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............0
#db# Fgpa
#db# mode....................HF
#db# LF Sampling config:
#db# [q] divisor: 95
#db# bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# USB Speed:
#db# Sending USB packets to client...
#db# Time elapsed: 1500ms
#db# Bytes transferred: 814592
#db# USB Transfer Speed PM3 -> Client = 543061 Bytes/s
#db# Various
#db# MF_DBGLEVEL......2
#db# ToSendMax........1341806586
#db# ToSendBit........0
-hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 48.81 V @ 125.00 kHz
# LF antenna: 44.69 V @ 134.00 kHz
# LF optimal: 55.41 V @ 129.03 kHz
# HF antenna: 32.15 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
- now I check the card
hf search
UID : XX XX 65 78
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
- now I check if there is a valid key (I know that all sectors have FFFFFFFFFFFF except sector 1 and sector 2)
hf mf chk 13 A FFFFFFFFFFFF default_keys.dic
chk key[ 0] ffffffffffff
chk custom key[ 1] ffffffffffff
chk custom key[ 2] 000000000000
chk custom key[ 3] a0a1a2a3a4a5
chk custom key[ 4] b0b1b2b3b4b5
......
chk custom key[92] a9f953def0a3
Found valid key:[13:A]ffffffffffff
- to confirm, I re-execute mf chk
hf mf chk * 1?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
......
chk default key[17] 8fd0a4f256e9
To cancel this operation press the button on the proxmark...
--o
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 0 |
|001| ffffffffffff | 0 | ffffffffffff | 0 |<--------Unknown KEY A
|002| ffffffffffff | 0 | ffffffffffff | 0 |<--------Unknown KEY A
|003| ffffffffffff | 1 | ffffffffffff | 0 |
|004| ffffffffffff | 1 | ffffffffffff | 0 |
|005| ffffffffffff | 1 | ffffffffffff | 0 |
|006| ffffffffffff | 1 | ffffffffffff | 0 |
|007| ffffffffffff | 1 | ffffffffffff | 0 |
|008| ffffffffffff | 1 | ffffffffffff | 0 |
|009| ffffffffffff | 1 | ffffffffffff | 0 |
|010| ffffffffffff | 1 | ffffffffffff | 0 |
|011| ffffffffffff | 1 | ffffffffffff | 0 |
|012| ffffffffffff | 1 | ffffffffffff | 0 |
|013| ffffffffffff | 1 | ffffffffffff | 0 |
|014| ffffffffffff | 1 | ffffffffffff | 0 |
|015| ffffffffffff | 1 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
So I see that for sector 001 and sector 002 the keys are unknown.
The PRNG is: "Prng detection: WEAK", so I have to do a nested attack.
And... always the same results:
proxmark3> hf mf nested 1 13 A ffffffffffff t
hf mf nested 1 13 A ffffffffffff t
--nested. sectors:16, block no: 13, key type:A, eml:y, dmp=n checktimeout=471 us
Testing known keys. Sector count=16
nested...
-----------------------------------------------
Error: No response from Proxmark.
proxmark3>
Proxmark crashed... and the three LEDs are ON: A, C, D, fixed.
Now to restart I must unplug the Proxmark3 Easy and reconnect.
But... I see that if I remove the Mifare card from the Proxmark3 this happens (with the 3 LEDs always ON):
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
#db# Nested: Can't select card
If I put the card back... it returns:
proxmark3>
It is as if the Proxmark3 Easy goes into loop mode.
P.S. On the box I read firmware version 2.0.0 and above...
Now I'll try to upload other firmwares... 32 and others...
Please can you indicate which firmware to load for the Proxmark3 Easy... and the link where I can download it (if this is the problem!)
Offline
Downgrading the firmware is definitely not a good idea if you want to use features which had been introduced only recently.
Precompiled: http://www.proxmark.org/forum/viewtopic.php?id=3975
Official Repo: https://github.com/Proxmark/proxmark3
RRG Repo: https://github.com/RfidResearchGroup
Offline
Hi Piwi,
Ok.
But for the Proxmark3 Easy 3.0 (I suppose a Chinese clone)... which precompiled version is correct?
Official x64: are the precompiled builds for Official x64 correct?
On Win10 64-bit
Offline
I uploaded the latest 64-bit version from:
Precompiled: http://www.proxmark.org/forum/viewtopic.php?id=3975
All perfect.
Now it works!!!
I see the light!!!
All keys found!
For me this is closed!
The problem was the firmware version!
Offline