Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi everyone, I have a keyfob that I cannot decrypt.
That's the proxmark command,
and that's what proxmark gives:
###################
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-1097-ga23414fe 2019-11-07 20:06:57
os: iceman/master/ice_v3.1.0-1097-ga23414fe 2019-11-07 20:07:01
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 235688 bytes (45%) Free: 288600 bytes (55%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf search
UID : 46 0C 2F 48
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: WEAK
[+] Valid ISO14443-A Tag Found
pm3 --> hf mf darkside
--------------------------------------------------------------------------------
executing Darkside attack. Expected execution time: 25sec on average
press pm3-button on the proxmark3 device to abort both proxmark3 and client.
--------------------------------------------------------------------------------
..
[-] card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
[-] generating polynomial with 16 effective bits only, but shows unexpected behaviour.
##################
Well, I took a chameleon and went to the reader.
Here is what I got:
[Taf slot 1] UID 460C2F48
[S8 / B32] KeyB [e2f02ea703a6]
Then I used the command
pm3 --> hf mf fchk 1 d e2f02ea703a6
[ 0] key E2 F0 2E A7 03 A6
[+] Running strategy 1
[-] Chunk: 0.2s | found 0/32 keys (1)
[+] Running strategy 2
[-] Chunk: 0.7s | found 0/32 keys (1)
[+] Time in checkkeys (fast): 0.9s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ------------ | 0 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ------------ | 0 | ------------ | 0 |
|005| ------------ | 0 | ------------ | 0 |
|006| ------------ | 0 | ------------ | 0 |
|007| ------------ | 0 | ------------ | 0 |
|008| ------------ | 0 | ------------ | 0 |
|009| ------------ | 0 | ------------ | 0 |
|010| ------------ | 0 | ------------ | 0 |
|011| ------------ | 0 | ------------ | 0 |
|012| ------------ | 0 | ------------ | 0 |
|013| ------------ | 0 | ------------ | 0 |
|014| ------------ | 0 | ------------ | 0 |
|015| ------------ | 0 | ------------ | 0 |
|---|----------------|---|----------------|---|
Printing keys to binary file ...
Found keys have been dumped to file . 0xffffffffffff has been inserted for unknown keys.
I think the key is wrong(((((
My chameleon Firmware version is
ChameleonMini-rebooted v1.3 (iceman: 887af96) last version
Questions
1 What am I doing wrong? Can someone tell me???
2 Maybe my chameleon is not working properly?
3 Can I see whether maybe some other key is being transferred to the chameleon (how can I see it)?
I use Chameleon Mini GUI V 1.3.0.3 Iceman Edition.
From all slots, after mfkey32, I get only the key [S8 / B32] KeyB.
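Reading the `hf mf fchk` table by hand is error-prone across 16 or 40 sectors, and the last line of that output hides a trap: 0xffffffffffff is written into the key file for unknown keys, but it is also the factory default key (the first entry of the client's default dictionary), so the dumped key file alone cannot tell "found ffffffffffff" from "not found". The following Python script is an added example, not part of this post or of the Proxmark3 client: it parses the table as printed above into a per-sector key map, lists the sectors that still lack a key, and flags found keys that collide with the placeholder. The sample table it parses is constructed (two keys filled in) rather than copied from this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `hf mf fchk` output, with a couple of
# keys filled in so that the parser has something to find. Not from the thread.
SAMPLE_FCHK = """\
[+] Running strategy 1
[-] Chunk: 0.2s | found 2/6 keys (23)
[+] Time in checkkeys (fast): 0.9s
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff   | 1 | ------------   | 0 |
|001| ------------   | 0 | a0a1a2a3a4a5   | 1 |
|002| ------------   | 0 | ------------   | 0 |
|---|----------------|---|----------------|---|
Printing keys to binary file ...
Found keys have been dumped to file . 0xffffffffffff has been inserted for unknown keys.
"""

# Written to the key file for unknown keys; it is also the factory default key.
PLACEHOLDER = "ffffffffffff"

# One table row: |sec| key A | res | key B | res |
ROW_RE = re.compile(
    r"^\|(\d{3})\|\s*([0-9a-fA-F]{12}|-+)\s*\|\s*(\d)\s*\|\s*([0-9a-fA-F]{12}|-+)\s*\|\s*(\d)\s*\|\s*$"
)
FOUND_RE = re.compile(r"found (\d+)/(\d+) keys")

KeyMap = Dict[int, Dict[str, Optional[str]]]


def _key_or_none(cell: str, res: str) -> Optional[str]:
    """A key counts as known only when res is 1 and the cell is 12 hex digits."""
    if res == "1" and re.fullmatch(r"[0-9a-fA-F]{12}", cell):
        return cell.lower()
    return None


def parse_fchk_table(text: str) -> KeyMap:
    """Map sector -> {"A": key or None, "B": key or None} from the printed table."""
    sectors: KeyMap = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator and progress lines do not match
        sectors[int(m.group(1))] = {
            "A": _key_or_none(m.group(2), m.group(3)),
            "B": _key_or_none(m.group(4), m.group(5)),
        }
    return sectors


def found_summary(text: str) -> Optional[Tuple[int, int]]:
    """(found, total) from the last 'found X/Y keys' progress line, if any."""
    hits = FOUND_RE.findall(text)
    return (int(hits[-1][0]), int(hits[-1][1])) if hits else None


def missing_keys(sectors: KeyMap) -> List[Tuple[int, str]]:
    """Sector/key-type pairs that still need recovery, in table order."""
    return [(sec, kt) for sec in sorted(sectors) for kt in ("A", "B")
            if sectors[sec][kt] is None]


def placeholder_collisions(sectors: KeyMap) -> List[Tuple[int, str]]:
    """Found keys equal to the placeholder: a reader of the dumped key file
    cannot tell these apart from 'unknown', so keep the table output as well."""
    return [(sec, kt) for sec in sorted(sectors) for kt in ("A", "B")
            if sectors[sec][kt] == PLACEHOLDER]


if __name__ == "__main__":
    keys = parse_fchk_table(SAMPLE_FCHK)
    print("summary:", found_summary(SAMPLE_FCHK))
    print("missing:", missing_keys(keys))
    print("ambiguous in key file:", placeholder_collisions(keys))
```

Run against the table in the post above, every cell is dashes with res 0, so `missing_keys` returns all 32 entries, which is the same verdict as the "found 0/32 keys" line; the script only becomes useful once some keys are in, which is why the sample has two filled in.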
try using "hf mf autopwn" it will do all the magic
or
"hf mf autopwn k 8 B e2f02ea703a6"
If it will not work - try using different dictionaries or try attack a reader with a proxmark for initial key.
Last edited by Monster1024 (2020-06-19 21:05:02)
try using "hf mf autopwn" it will do all the magic
or
"hf mf autopwn k 8 B e2f02ea703a6"
If it will not work - try using different dictionaries or try attack a reader with a proxmark for initial key.
Monster1024, now I try this command
"hf mf autopwn"
pm3 --> hf mf autopwn
help This help
darkside Darkside attack. read parity error messages.
nested Nested attack. Test nested authentication
hardnested Nested attack for hardened Mifare cards
keybrute J_Run's 2nd phase of multiple sector nested authentication key recovery
nack Test for Mifare NACK bug
chk Check keys
fchk Check keys fast, targets all keys on card
decrypt [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace
-----------
dbg Set default debug mode
rdbl Read MIFARE classic block
rdsc Read MIFARE classic sector
dump Dump MIFARE classic tag to binary file
restore Restore MIFARE classic binary file to BLANK tag
wrbl Write MIFARE classic block
setmod Set MIFARE Classic EV1 load modulation strength
-----------
sim Simulate MIFARE card
eclr Clear simulator memory block
eget Get simulator memory block
eset Set simulator memory block
eload Load from file emul dump
esave Save to file emul dump
ecfill Fill simulator memory with help of keys from simulator
ekeyprn Print keys from simulator memory
-----------
csetuid Set UID for magic Chinese card
csetblk Write block - Magic Chinese card
cgetblk Read block - Magic Chinese card
cgetsc Read sector - Magic Chinese card
cload Load dump into magic Chinese card
csave Save dump from magic Chinese card into file or emulator
ice collect Mifare Classic nonces to file
pm3 --> hf mf autopwn k 8 b e2f02ea703a6
help This help
darkside Darkside attack. read parity error messages.
nested Nested attack. Test nested authentication
hardnested Nested attack for hardened Mifare cards
keybrute J_Run's 2nd phase of multiple sector nested authentication key recovery
nack Test for Mifare NACK bug
chk Check keys
fchk Check keys fast, targets all keys on card
decrypt [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace
-----------
dbg Set default debug mode
rdbl Read MIFARE classic block
rdsc Read MIFARE classic sector
dump Dump MIFARE classic tag to binary file
restore Restore MIFARE classic binary file to BLANK tag
wrbl Write MIFARE classic block
setmod Set MIFARE Classic EV1 load modulation strength
-----------
sim Simulate MIFARE card
eclr Clear simulator memory block
eget Get simulator memory block
eset Set simulator memory block
eload Load from file emul dump
esave Save to file emul dump
ecfill Fill simulator memory with help of keys from simulator
ekeyprn Print keys from simulator memory
-----------
csetuid Set UID for magic Chinese card
csetblk Write block - Magic Chinese card
cgetblk Read block - Magic Chinese card
cgetsc Read sector - Magic Chinese card
cload Load dump into magic Chinese card
csave Save dump from magic Chinese card into file or emulator
ice collect Mifare Classic nonces to file
pm3 -->
####################
Maybe this command is not supported by the firmware from Iceman?
What does this command give?
Software/firmware could be a little too old (2019).
bootrom: iceman/master/ice_v3.1.0-1097-ga23414fe 2019-11-07 20:06:57
os: iceman/master/ice_v3.1.0-1097-ga23414fe 2019-11-07 20:07:01
Try with the latest.
...especially since he is using iceman fork....
...especially since he is using iceman fork....
I took the latest firmware from here
Iceman fork
https://drive.google.com/drive/folders/1mMgdfnSEgFvA77xvbG_VnaLrZJHnvcSP
Did I understand correctly that this is an old firmware?
Is this branch deprecated and no longer supported?
Tell me please, do I have to get the NEW latest firmware from here?
RRG / Iceman repository (Proxmark3 rdv4):
RDV40 dedicated x86: Precompiled builds for RDV40 dedicated x86
RDV40 dedicated x64: Precompiled builds for RDV40 dedicated x64
Here is always actual firmware link: https://github.com/RfidResearchGroup/proxmark3
My device is Proxmark3 EASY.
I do not have a Proxmark3 rdv4((((
Can I use this firmware for Proxmark3 EASY???
RRG / Iceman repository (Proxmark3 rdv4):
RDV40 dedicated x86: Precompiled builds for RDV40 dedicated x86
RDV40 dedicated x64: Precompiled builds for RDV40 dedicated x64
Here is always actual firmware link: https://github.com/RfidResearchGroup/proxmark3
Do I need to compile the latest firmware? from here???
https://github.com/RfidResearchGroup/proxmark3
Do I need to compile the latest firmware? from here???
https://github.com/RfidResearchGroup/proxmark3
Yep, compile and upload the latest changes. You can use ProxSpace to get the environment on Windows.
Last edited by Monster1024 (2020-06-20 17:22:28)
Key master wrote:Do I need to compile the latest firmware? from here???
https://github.com/RfidResearchGroup/proxmark3
yep, compile and upload last changes. You can use proxspace to get environment on windows.
Thanks Monster1024)) I found this:
Generic Proxmark3 devices (non RDV4)
Precompiled builds for RRG / Iceman repository x86
Precompiled builds for RRG / Iceman repository x64
And I installed the latest firmware.
And what is the difference between x86 and x64???
If I have Windows 10 x64, do I need to download the 64 one then??? Or not???
Last edited by Key master (2020-06-20 19:26:45)
It is the client architecture. If your Windows is x64, use x64.
Last edited by Monster1024 (2020-06-20 21:04:52)
##################
Success, I managed to update the firmware; that's what I got:
C:\FLASH-P3\win64\proxmark3.exe COM20
[=] Session log C:/Users/Денис/.proxmark3/logs/log_20200620.txt
[=] Loading preferences...
[+] loaded from JSON file C:/Users/Денис/.proxmark3/preferences.json
[=] Using UART port COM20
[=] Communicating with PM3 over USB-CDC
██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗ iceman@icesql.net
██║ ██║ ╚═╝ ██║█████╔╝ https://github.com/rfidresearchgroup/proxmark3/
╚═╝ ╚═╝ ╚═╝╚════╝ bleeding edge
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.9237-399-g456cc66a 2020-06-19 13:46:09
compiled with MinGW-w64 9.3.0 OS:Windows (64b) ARCH:x86_64
[ PROXMARK3 ]
[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-399-g456cc66a 2020-06-19 13:46:55
os: RRG/Iceman/master/v4.9237-399-g456cc66a 2020-06-19 13:47:12
compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]
[ FPGA ]
LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 224096 bytes (43%) Free: 300192 bytes (57%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> hf search
[|]Searching for ISO14443-A tag...
[+] UID: 46 0C 2F 48
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K / Classic 1K CL2
[+] MIFARE Plus 2K / Plus EV1 2K
[+] MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[+] Valid ISO14443-A tag found
[/]
[usb] pm3 --> hf mf darkside
[=] --------------------------------------------------------------------------------
[=] executing Darkside attack. Expected execution time: 25sec on average
[=] press pm3-button on the Proxmark3 device to abort both Proxmark3 and client.
[=] --------------------------------------------------------------------------------
..
[-] card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
[-] generating polynomial with 16 effective bits only, but shows unexpected behaviour.
[usb] pm3 --> hf mf darkside
[=] --------------------------------------------------------------------------------
[=] executing Darkside attack. Expected execution time: 25sec on average
[=] press pm3-button on the Proxmark3 device to abort both Proxmark3 and client.
[=] --------------------------------------------------------------------------------
..
[-] card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
[-] generating polynomial with 16 effective bits only, but shows unexpected behaviour.
[usb] pm3 --> hf mf fchk 1 d e2f02ea703a6
[ 0] key E2 F0 2E A7 03 A6
[=] Running strategy 1
[=] Chunk: 0.2s | found 0/32 keys (1)
[=] Running strategy 2
[=] Chunk: 0.4s | found 0/32 keys (1)
[=] Time in checkkeys (fast): 0.6s
[!] No keys found
[usb] pm3 --> hf mf fchk 1 d
[+] No key specified, trying default keys
[ 0] ffffffffffff
[ 1] 000000000000
[ 2] a0a1a2a3a4a5
[ 3] b0b1b2b3b4b5
[ 4] c0c1c2c3c4c5
[ 5] d0d1d2d3d4d5
[ 6] aabbccddeeff
[ 7] 1a2b3c4d5e6f
[ 8] 123456789abc
[ 9] 010203040506
[10] 123456abcdef
[11] abcdef123456
[12] 4d3a99c351dd
[13] 1a982c7e459a
[14] d3f7d3f7d3f7
[15] 714c5c886e97
[16] 587ee5f9350f
[17] a0478cc39091
[18] 533cb6c723f6
[19] 8fd0a4f256e9
[20] 0000014b5c31
[21] b578f38a5c61
[22] 96a301bce267
[=] Running strategy 1
[=] Chunk: 0.4s | found 0/32 keys (23)
[=] Running strategy 2
.
[=] Chunk: 3.9s | found 0/32 keys (23)
[=] Time in checkkeys (fast): 4.3s
[!] No keys found
[usb] pm3 --> hf mf autopwn k 8 B e2f02ea703a6
[-] Key is wrong. Can't authenticate to sector: 8 key type: B key: E2 F0 2E A7 03 A6
[!] falling back to dictionary
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1
[=] Chunk: 0.4s | found 0/32 keys (23)
[=] running strategy 2
.
[=] Chunk: 3.9s | found 0/32 keys (23)
[=] --------------------------------------------------------------------------------
[=] executing Darkside attack. Expected execution time: 25sec on average
[=] press pm3-button on the Proxmark3 device to abort both Proxmark3 and client.
[=] --------------------------------------------------------------------------------
........................................................................................................
[-] key not found (lfsr_common_prefix list is null). Nt=04000000
[-] this is expected to happen in 25% of all cases. Trying again with a different reader nonce...
............................................................................
[-] key not found (lfsr_common_prefix list is null). Nt=04000000
[-] this is expected to happen in 25% of all cases. Trying again with a different reader nonce...
.........................................................................................................................................................
[-] key not found (lfsr_common_prefix list is null). Nt=04000000
[-] this is expected to happen in 25% of all cases. Trying again with a different reader nonce...
................................................................................................................................................................
[-] key not found (lfsr_common_prefix list is null). Nt=04000000
[-] this is expected to happen in 25% of all cases. Trying again with a different reader nonce...
.................................................................................................................................................................................................................................................................................................
[-] key not found (lfsr_common_prefix list is null). Nt=04000000
[-] this is expected to happen in 25% of all cases. Trying again with a different reader nonce...
....................................................................................................
The last command "hf mf autopwn k 8 B e2f02ea703a6" has been running for more than 2 hours((((
I think the chameleon gave me the wrong key... So a mistake in the chameleon...
I don't know what to do next; does anyone have any ideas?
You might have a card with static nonce.
hf 14a info
hf mf rdbl 0 a ffffffffffff
hf 14a list
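Iceman's three commands are a diagnosis: `hf 14a info` prints the PRNG verdict, the `rdbl` attempt with the default key forces one authentication, and `hf 14a list` shows the raw exchange, where a card with a static nonce answers every AUTH command with the same 4-byte tag nonce (Nt) instead of a fresh one. The script below is an added example, not code from this thread or from the Proxmark3 client: it parses `hf 14a list` rows (Start | End | Src | Data | CRC | Annotation) into frames, pairs each plaintext reader AUTH command (0x60 = key A, 0x61 = key B, followed by the block number) with the tag's nonce reply, and reports whether the nonces repeat across attempts. The trace rows are constructed to look like pm3 output; the nonce values and timings are made up, and the helper `constructed_trace` exists only to build them.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Frame:
    src: str      # "Rdr" (reader) or "Tag" (card)
    data: bytes   # frame bytes; '!' parity-error markers are stripped before decoding


@dataclass
class AuthExchange:
    block: int     # block number carried by the AUTH command
    key_type: str  # "A" for 0x60, "B" for 0x61
    nt: str        # tag nonce as 8 hex chars, "" if the tag did not answer


def constructed_trace(nonces: List[str]) -> str:
    """Constructed `hf 14a list`-style rows: one AUTH-B(block 32) attempt per
    nonce, each preceded by WUPA/ATQA because a failed auth halts the card.
    Timings are arbitrary; anticollision/select frames are left out for brevity."""
    rows = [
        "Start | End | Src | Data (! denotes parity error) | CRC | Annotation",
        "------------+------------+-----+------------------------------+-----+--------------------",
    ]
    t = 0
    for nt in nonces:
        nt_cols = "  ".join(nt[i:i + 2] for i in range(0, 8, 2))
        rows += [
            f"{t:11d} | {t + 992:10d} | Rdr |52                            |     | WUPA",
            f"{t + 2228:11d} | {t + 4596:10d} | Tag |04  00                        |     | ",
            f"{t + 6000:11d} | {t + 10672:10d} | Rdr |61  20  2f  43                |  ok | AUTH-B(32)",
            f"{t + 12000:11d} | {t + 16672:10d} | Tag |{nt_cols:30s}|     | AUTH: nt",
            f"{t + 18000:11d} | {t + 27400:10d} | Rdr |c0  ff  ee  11  22  33  44  55|     | AUTH: nr ar (enc)",
        ]
        t += 40000
    return "\n".join(rows)


def parse_trace(text: str) -> List[Frame]:
    """Keep only rows whose Src column is Rdr/Tag and decode their Data column."""
    frames: List[Frame] = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or cols[2] not in ("Rdr", "Tag"):
            continue  # header, separator and status lines
        hexbytes = re.findall(r"[0-9a-fA-F]{2}", cols[3].replace("!", " "))
        frames.append(Frame(cols[2], bytes(int(h, 16) for h in hexbytes)))
    return frames


def auth_exchanges(frames: List[Frame]) -> List[AuthExchange]:
    """Pair each plaintext AUTH command with the 4-byte tag nonce that follows it.

    Only the first authentication of a session is in the clear; after a
    successful one the traffic is enciphered and a 0x60/0x61 byte there is
    coincidence. Use this on traces of repeated failed attempts, such as
    `hf mf rdbl` with a wrong key or `hf mf fchk` produce."""
    out: List[AuthExchange] = []
    for i, f in enumerate(frames):
        if f.src != "Rdr" or len(f.data) != 4 or f.data[0] not in (0x60, 0x61):
            continue
        nt = ""
        nxt = frames[i + 1] if i + 1 < len(frames) else None
        if nxt is not None and nxt.src == "Tag" and len(nxt.data) == 4:
            nt = nxt.data.hex()
        out.append(AuthExchange(f.data[1], "A" if f.data[0] == 0x60 else "B", nt))
    return out


def static_nonce_suspected(exchanges: List[AuthExchange]) -> bool:
    """True when two or more answered AUTHs all carried the same tag nonce."""
    nts = [e.nt for e in exchanges if e.nt]
    return len(nts) >= 2 and len(set(nts)) == 1


if __name__ == "__main__":
    ex = auth_exchanges(parse_trace(constructed_trace(["01020304", "01020304"])))
    for e in ex:
        print(f"AUTH-{e.key_type}({e.block}) nt={e.nt}")
    print("static nonce suspected:", static_nonce_suspected(ex))
```

Note that the trace in the post below this one is empty apart from the header, so there is nothing to parse there; the check needs a trace captured with a few authentication attempts in it, and one attempt alone can never show repetition.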
You might have a card with static nonce.
hf 14a info
hf mf rdbl 0 a ffffffffffff
hf 14a list
Thanks Iceman. Now I try these commands.
This is what i get
###############
[usb] pm3 --> hf 14a info
[+] UID: 46 0C 2F 48
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K / Classic 1K CL2
[+] MIFARE Plus 2K / Plus EV1 2K
[+] MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[usb] pm3 --> hf mf rdbl 0 a ffffffffffff
--block no:0, key type:A, key:FF FF FF FF FF FF
[#] Auth error
[-] failed reading block
[usb] pm3 --> hf 14a list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 120 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
[usb] pm3 -->
I think here we need a sniffer log between the reader and the card.
But I don't have the experience and knowledge to do this; maybe someone will tell me which commands to enter, and in what order.
Can I see the data log between the reader and the chameleon?
Maybe someone knows whether it is possible to see the chameleon log data?
Can I see the data log between the reader and the chameleon?
Maybe someone knows whether it is possible to see the chameleon log data?
python3 chamtool.py -p /dev/cu.usbmodem14101 -lm MEMORY
put the card on reader, then run
python3 chamlog.py -p /dev/cu.usbmodem14101
Hello everyone!!! Success: I used a sniffer (proxmark3 easy) to get the correct key for the sector, and I opened all sectors.
Now I know for sure that the mistake is in the chameleon. Please tell me where I should write about this bug in the chameleon.
Key master wrote:Can I see the data log between the reader and the chameleon?
Maybe someone knows whether it is possible to see the chameleon log data?
python3 chamtool.py -p /dev/cu.usbmodem14101 -lm MEMORY
put the card on reader, then run
python3 chamlog.py -p /dev/cu.usbmodem14101
Hello Monster,
if I have Windows 10 x64, how can I get the logs?
It would be a cool idea if the ability to write a chameleon log was built into Iceman's GUI for the chameleon.
Then error search would be much more convenient and faster. Maybe someone knows where to write about this idea, so that through the GUI it would be possible to record and manage chameleon logs.