Proxmark3 community


#1 2020-08-12 18:13:38

jiangyi1985
Contributor
Registered: 2020-08-12
Posts: 6

How should I crack this card?

I have 2 cards and they seem to be fully encrypted m1 cards with no vulnerability.

My hw info:

[usb] pm3 --> hw ver

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.9237-620-g856a572f-dirty-unclean 2020-08-12 01:41:57
  compiled with GCC 9.3.0 OS:Linux ARCH:x86_64

 [ PROXMARK3 RDV4 ]
  external flash:                  present
  smartcard reader:                present

 [ PROXMARK3 RDV4 Extras ]
  FPC USART for BT add-on support: present

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.9237-618-g84a49bf0-dirty-unclean 2020-07-27 01:30:44
       os: RRG/Iceman/master/v4.9237-620-g856a572f-dirty-unclean 2020-08-12 01:42:46
  compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
  HF image built for 2s30vq100 on 2020-01-12 at 15:31:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 258376 bytes (49%) Free: 265912 bytes (51%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory



[usb] pm3 --> hw tune
[=] Measuring antenna characteristics, please wait...
 ?  10
[=] ---------- LF Antenna ----------
[+] LF antenna: 71.30 V - 125.00 kHz
[+] LF antenna: 33.98 V - 134.83 kHz
[+] LF optimal: 71.30 V - 125.00 kHz
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 48.37 V - 13.56 MHz
[+] HF antenna is OK

[+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.

Tried to get keys but failed:

[usb] pm3 --> hf 14a info

[+]  UID: 0A 00 00 00 
[+] ATQA: 00 05
[+]  SAK: 0a [2]
[+] Possible types:
[+]    MIFARE Classic 1K / Classic 1K CL2
[+]    MIFARE Plus 2K / Plus EV1 2K
[+]    MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[+] Static nonce: yes




[usb] pm3 --> hf mf auto
[!] ⚠  no known key was supplied, key recovery might fail
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1

[=] Chunk: 0.4s | found 0/32 keys (23)

[=] running strategy 2
.
[=] Chunk: 2.8s | found 0/32 keys (23)

[=] --------------------------------------------------------------------------------

[=] executing Darkside attack. Expected execution time: 25sec on average
[=] press pm3-button on the Proxmark3 device to abort both Proxmark3 and client.
[=] --------------------------------------------------------------------------------

..........
[-] ⛔ Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

[-] ⛔ No usable key was found!




[usb] pm3 --> hf mf fchk 1 Downloads/extended-std.keys.dic 
[+] Loaded 692 keys from Downloads/extended-std.keys.dic
[=] Running strategy 1

[=] Chunk: 0.8s | found 0/32 keys (85)


[=] Chunk: 0.8s | found 0/32 keys (85)


[=] Chunk: 0.8s | found 0/32 keys (85)


[=] Chunk: 0.8s | found 0/32 keys (85)


[=] Chunk: 0.8s | found 0/32 keys (85)


[=] Chunk: 0.8s | found 0/32 keys (85)


[=] Chunk: 0.8s | found 0/32 keys (85)


[=] Chunk: 0.8s | found 0/32 keys (85)


[=] Chunk: 0.3s | found 0/32 keys (12)

[=] Running strategy 2
....
[=] Chunk: 9.6s | found 0/32 keys (85)

....
[=] Chunk: 9.6s | found 0/32 keys (85)

....
[=] Chunk: 9.6s | found 0/32 keys (85)

....
[=] Chunk: 9.6s | found 0/32 keys (85)

....
[=] Chunk: 9.6s | found 0/32 keys (85)

....
[=] Chunk: 9.6s | found 0/32 keys (85)

....
[=] Chunk: 9.6s | found 0/32 keys (85)

....
[=] Chunk: 9.6s | found 0/32 keys (85)


[=] Chunk: 1.5s | found 0/32 keys (12)

[=] Time in checkkeys (fast):  85.0s

[!] ⚠  No keys found

Then I put the card with pm3 together and sniffed 2 scans. One scan for each card. Using standalone hf_14asniff.
I scan like this: reader|card|pm3

[usb] pm3 --> trace load 14asniff_trace_dushiguanguang20200812_150709.trace 
[+] loaded 696 bytes from binary file 14asniff_trace_dushiguanguang20200812_150709.trace
[+] Recorded Activity (TraceLen = 696 bytes)

[usb] pm3 --> trace list 14a 1
[+] Recorded activity (trace len = 696 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26                                                                       |     | REQA
     222448 |     223504 | Rdr |26                                                                       |     | REQA
     224688 |     226960 | Rdr |fa! ff!                                                                  |     | 
     678000 |     679056 | Rdr |26                                                                       |     | REQA
     691440 |     692496 | Rdr |26                                                                       |     | REQA
     704496 |     709264 | Rdr |30  01  8b  b9                                                           |  ok | READBLOCK(1)
     817264 |     827792 | Rdr |93  70  09  e6  b6  13  4a  d4  79                                       |  ok | SELECT_UID
     828960 |     829440 | Rdr |05!                                                                      |     | 
     952416 |     957120 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
    1083872 |    1093184 | Rdr |e2  ad! 37  a5  32! 21! e4  d9!                                          | !crc| 
    1218656 |    1223360 | Rdr |52! e9  8a! 47                                                           | !crc| WUPA
    1355104 |    1359872 | Rdr |73  29! 0e! ce                                                           | !crc| 
    1493600 |    1498368 | Rdr |4b  17! 71  8e!                                                          | !crc| VCSL
    1499536 |    1506544 | Rdr |bb! 1a  61  eb  df  83!                                                  | !crc| 
    1626080 |    1630848 | Rdr |0d  0b! 50! d2!                                                          | !crc| 
    1632016 |    1639024 | Rdr |ea! 30  c4! e6! bc  d0!                                                  | !crc| 
    1761872 |    1766640 | Rdr |7d  d7  10  1a                                                           | !crc| 
    1897296 |    1902000 | Rdr |38! ee! b8! 73!                                                          | !crc| 
    1903248 |    1910128 | Rdr |89  15! fe  89  e0! a1                                                   | !crc| 
    2033232 |    2037936 | Rdr |3f  37  8e  c6                                                           | !crc| 
    2901696 |    2906464 | Rdr |2d  7a! 38  77!                                                          | !crc| 
    2981056 |    2988064 | Rdr |e0  cb  da! 44! 2c  a2!                                                  | !crc| RATS
    3117248 |    3121952 | Rdr |21! 98! fc  1e                                                           | !crc| 
    3123184 |    3123664 | Rdr |04                                                                       |     | 
    3255728 |    3262800 | Rdr |50  1c  f9! 17! 8b! 2b!                                                  | !crc| HALT
 3058978032 | 3058979088 | Rdr |26                                                                       |     | REQA
 3059188976 | 3059190032 | Rdr |26                                                                       |     | REQA
 3059191604 | 3059193588 | Tag |20  20                                                                   |     | 
 3059202160 | 3059206928 | Rdr |30  01  8b  b9                                                           |  ok | READBLOCK(1)
 3059208436 | 3059208628 | Tag |01                                                                       |     | 
 3059245296 | 3059255760 | Rdr |93  70  09  37  b5  13  98  ec  87                                       |  ok | SELECT_UID
 3059256992 | 3059257472 | Rdr |05!                                                                      |     | 
 3059384544 | 3059389248 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
 3059514336 | 3059523648 | Rdr |cb! dc  80! de! b7! c7! b6! 49!                                          | !crc| 
 3059524896 | 3059529600 | Rdr |1e! c7! f6  ee                                                           | !crc| 
 3059653728 | 3059658432 | Rdr |fb! d3  fc  d1                                                           | !crc| 
 3059787360 | 3059792064 | Rdr |a0  10! 54  af                                                           | !crc| WRITEBLOCK(16)
 3059923040 | 3059927808 | Rdr |21  21! af  aa!                                                          | !crc| 
 3059928976 | 3059931632 | Rdr |21! 8a  03!                                                              | !crc| 
 3060061520 | 3060066224 | Rdr |24! 3b  19  72                                                           | !crc| 
 3060194128 | 3060198896 | Rdr |0e! e1! 7b! 92                                                           | !crc| 
 3060329808 | 3060334576 | Rdr |f5  18  25  89                                                           | !crc| 
 3060465360 | 3060470064 | Rdr |d4  df  5e! b4                                                           | !crc| 
 3060471296 | 3060471520 | Rdr |01                                                                       |     | 
 3061308480 | 3061313248 | Rdr |38  e8! 18! e2!                                                          | !crc| 
 3061416384 | 3061423392 | Rdr |ce  d9  99! ea  30! cd!                                                  | !crc| 
 3061465712 | 3061466256 | Rdr |03!                                                                      |     | 
 3061549616 | 3061554320 | Rdr |81! d9! c9  ab!                                                          | !crc| 
 3061685424 | 3061692496 | Rdr |82  40! a0! fd! ff! 67                                                   | !crc| 
 3061827888 | 3061832656 | Rdr |09! f1  99  f2                                                           | !crc| 
 3061956144 | 3061963216 | Rdr |49! fe! 7f! 1f  b8! a2                                                   | !crc| 
 3062095024 | 3062099728 | Rdr |ff  4d! 03! b5!                                                          | !crc| 
 3062100960 | 3062101568 | Rdr |0e                                                                       |     | 
 3062227232 | 3062234304 | Rdr |15  c1  de  82  f3! 05!                                                  | !crc|

What should I do next?

Last edited by jiangyi1985 (2020-08-12 18:20:39)


#2 2020-08-13 01:49:16

wh201906
Contributor
Registered: 2020-04-29
Posts: 39

Re: How should I crack this card?

Maybe you can try "trace list mf"?


#3 2020-08-13 03:33:20

jiangyi1985
Contributor
Registered: 2020-08-12
Posts: 6

Re: How should I crack this card?

wh201906 wrote:

Maybe you can try "trace list mf"?

[usb] pm3 --> trace list mf 1
[+] Recorded activity (trace len = 696 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26                                                                       |     | REQA
     222448 |     223504 | Rdr |26                                                                       |     | REQA
     224688 |     226960 | Rdr |fa  ff                                                                   |     | 
     678000 |     679056 | Rdr |26                                                                       |     | REQA
     691440 |     692496 | Rdr |26                                                                       |     | REQA
     704496 |     709264 | Rdr |30  01  8b  b9                                                           |  ok | READBLOCK(1)
     817264 |     827792 | Rdr |93  70  09  e6  b6  13  4a  d4  79                                       |  ok | SELECT_UID
     828960 |     829440 | Rdr |05                                                                       |     | 
     952416 |     957120 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
    1083872 |    1093184 | Rdr |e2  ad  37  a5  32  21  e4  d9                                           |     | 
    1218656 |    1223360 | Rdr |52  e9  8a  47                                                           | !crc| WUPA
    1355104 |    1359872 | Rdr |73  29  0e  ce                                                           | !crc| 
    1493600 |    1498368 | Rdr |4b  17  71  8e                                                           | !crc| VCSL
    1499536 |    1506544 | Rdr |bb  1a  61  eb  df  83                                                   | !crc| 
    1626080 |    1630848 | Rdr |0d  0b  50  d2                                                           | !crc| 
    1632016 |    1639024 | Rdr |ea  30  c4  e6  bc  d0                                                   | !crc| 
    1761872 |    1766640 | Rdr |7d  d7  10  1a                                                           | !crc| 
    1897296 |    1902000 | Rdr |38  ee  b8  73                                                           | !crc| 
    1903248 |    1910128 | Rdr |89  15  fe  89  e0  a1                                                   | !crc| 
    2033232 |    2037936 | Rdr |3f  37  8e  c6                                                           | !crc| 
    2901696 |    2906464 | Rdr |2d  7a  38  77                                                           | !crc| 
    2981056 |    2988064 | Rdr |e0  cb  da  44  2c  a2                                                   | !crc| RATS
    3117248 |    3121952 | Rdr |21  98  fc  1e                                                           | !crc| 
    3123184 |    3123664 | Rdr |04                                                                       |     | 
    3255728 |    3262800 | Rdr |50  1c  f9  17  8b  2b                                                   | !crc| HALT
 3058978032 | 3058979088 | Rdr |26                                                                       |     | REQA
 3059188976 | 3059190032 | Rdr |26                                                                       |     | REQA
 3059191604 | 3059193588 | Tag |20  20                                                                   |     | 
 3059202160 | 3059206928 | Rdr |30  01  8b  b9                                                           |  ok | READBLOCK(1)
 3059208436 | 3059208628 | Tag |01                                                                       |     | 
 3059245296 | 3059255760 | Rdr |93  70  09  37  b5  13  98  ec  87                                       |  ok | SELECT_UID
 3059256992 | 3059257472 | Rdr |05                                                                       |     | 
 3059384544 | 3059389248 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
 3059514336 | 3059523648 | Rdr |cb  dc  80  de  b7  c7  b6  49                                           |     | 
 3059524896 | 3059529600 | Rdr |1e  c7  f6  ee                                                           | !crc| 
 3059653728 | 3059658432 | Rdr |fb  d3  fc  d1                                                           | !crc| 
 3059787360 | 3059792064 | Rdr |a0  10  54  af                                                           | !crc| WRITEBLOCK(16)
 3059923040 | 3059927808 | Rdr |21  21  af  aa                                                           | !crc| 
 3059928976 | 3059931632 | Rdr |21  8a  03                                                               | !crc| 
 3060061520 | 3060066224 | Rdr |24  3b  19  72                                                           | !crc| 
 3060194128 | 3060198896 | Rdr |0e  e1  7b  92                                                           | !crc| 
 3060329808 | 3060334576 | Rdr |f5  18  25  89                                                           | !crc| 
 3060465360 | 3060470064 | Rdr |d4  df  5e  b4                                                           | !crc| 
 3060471296 | 3060471520 | Rdr |01                                                                       |     | 
 3061308480 | 3061313248 | Rdr |38  e8  18  e2                                                           | !crc| 
 3061416384 | 3061423392 | Rdr |ce  d9  99  ea  30  cd                                                   | !crc| 
 3061465712 | 3061466256 | Rdr |03                                                                       |     | 
 3061549616 | 3061554320 | Rdr |81  d9  c9  ab                                                           | !crc| 
 3061685424 | 3061692496 | Rdr |82  40  a0  fd  ff  67                                                   | !crc| 
 3061827888 | 3061832656 | Rdr |09  f1  99  f2                                                           | !crc| 
 3061956144 | 3061963216 | Rdr |49  fe  7f  1f  b8  a2                                                   | !crc| 
 3062095024 | 3062099728 | Rdr |ff  4d  03  b5                                                           | !crc| 
 3062100960 | 3062101568 | Rdr |0e                                                                       |     | 
 3062227232 | 3062234304 | Rdr |15  c1  de  82  f3  05                                                   | !crc| 


#4 2020-08-13 04:35:48

jiangyi1985
Contributor
Registered: 2020-08-12
Posts: 6

Re: How should I crack this card?

Looks like the master branch is broken. Trace is not working properly.

With master branch I tried hf 14a info, then hf 14a list. And the trace list is empty.
I switched to proxmark3-4.9237 release and the trace list is working.

So the data from my last sniff might be corrupted? Maybe I have to sniff again?


#5 2020-08-13 07:48:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: How should I crack this card?

Yes, sniff again.


#6 2020-08-13 09:34:35

jiangyi1985
Contributor
Registered: 2020-08-12
Posts: 6

Re: How should I crack this card?

I sniffed again with the last release version but the communication still looks weird.

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/release (git) 
  compiled with GCC 9.3.0 OS:Linux ARCH:x86_64

 [ PROXMARK3 RDV4 ]
  external flash:                  present
  smartcard reader:                present

 [ PROXMARK3 RDV4 Extras ]
  FPC USART for BT add-on support: present

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.9237-618-g84a49bf0-dirty-unclean 2020-07-27 01:30:44
       os: RRG/Iceman/master/release (git) 
  compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
  HF image built for 2s30vq100 on 2020-01-12 at 15:31:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 286585 bytes (55%) Free: 237703 bytes (45%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> trace list 14a 1
[+] Recorded activity (trace len = 277 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26                                                                       |     | REQA
       2240 |       4512 | Rdr |fa! ff!                                                                  |     | 
      13184 |      17952 | Rdr |30  01  8b  b9                                                           |  ok | READBLOCK(1)
      19136 |      26080 | Rdr |f6! c8! 4a! ec! fb! 3c!                                                  | !crc| 
     141696 |     152160 | Rdr |93  70  09  37  b5  13  98  ec  87                                       |  ok | SELECT_UID
     278784 |     283488 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
     403968 |     413344 | Rdr |91! ce  18! a0  1f  07! 1b  22!                                          | !crc| 
     414512 |     419152 | Rdr |d1! 69! 6d! 65!                                                          | !crc| 
     540912 |     545616 | Rdr |39! d0  c4  3e!                                                          | !crc| ?
     546864 |     553872 | Rdr |57  2b! cb  16  99! 8a!                                                  | !crc| 
     680176 |     684944 | Rdr |71  4e! f9! 4b!                                                          | !crc| 
     686128 |     693072 | Rdr |53  d2  aa  1e  b1! 4c                                                   | !crc| 
     812656 |     817360 | Rdr |da  c6! 1b! c3                                                           | !crc| 
     951280 |     956048 | Rdr |d8  e8  82  55!                                                          | !crc| 
    1083888 |    1088592 | Rdr |ce! 39  0a  2d                                                           | !crc| 
    1089824 |    1096832 | Rdr |10! ce  45  b6  a4  cf                                                   | !crc| 
    1219808 |    1224512 | Rdr |07! b0  4a! fe!                                                          | !crc| 
    1225760 |    1232704 | Rdr |03! cf  a0  23! f5  60!                                                  | !crc| 
    1358176 |    1362880 | Rdr |67  6e! d5! 6e!                                                          | !crc| 
    1364116 |    1370836 | Tag |5d! 71  a5! 71! 3e! 7c                                                   | !crc| 

Here's a trace from hf 14a info.

[usb] pm3 --> hf 14a info

[+]  UID: 0A 00 00 00 
[+] ATQA: 00 05
[+]  SAK: 0a [2]
[+] POSSIBLE TYPE:    MIFARE Classic 1K / Classic 1K CL2
[+] POSSIBLE TYPE:    MIFARE Plus 2K / Plus EV1 2K
[+] POSSIBLE TYPE:    MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[+] Static nonce: yes
[usb] pm3 --> hf 14a list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 97 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2100 |       4468 | Tag |05  00                                                                   |     | 
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10548 |      11124 | Tag |0a!                                                                      |     | 
      14080 |      24544 | Rdr |93  70  0a  00  00  00  0a  6e  3a                                       |  ok | SELECT_UID
      25652 |      26228 | Tag |0a!                                                                      |     | 
      36352 |      41056 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
      42548 |      47220 | Tag |0a  9b  71  42                                                           |     |

Offline
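Added example (not part of any post in this thread, and not Proxmark3 client code): a small Python parser for the `trace list` table format shown in post #6. It counts reader and tag frames and flags AUTH commands that are not directly followed by a 4-byte tag reply, which is the visible difference between the sniffed trace and the `hf 14a list` trace. The function names and the "no reply" heuristic are assumptions of this example; the sample rows are copied from post #6 with column padding trimmed.

```python
import re

# Rows copied from the two listings in post #6, column padding trimmed.
SNIFFED = """\
     141696 |     152160 | Rdr |93  70  09  37  b5  13  98  ec  87 |  ok | SELECT_UID
     278784 |     283488 | Rdr |60  00  f5  7b |  ok | AUTH-A(0)
     403968 |     413344 | Rdr |91! ce  18! a0  1f  07! 1b  22! | !crc|
     414512 |     419152 | Rdr |d1! 69! 6d! 65! | !crc|
    1364116 |    1370836 | Tag |5d! 71  a5! 71! 3e! 7c | !crc|
"""
DIRECT = """\
      14080 |      24544 | Rdr |93  70  0a  00  00  00  0a  6e  3a |  ok | SELECT_UID
      25652 |      26228 | Tag |0a! |     |
      36352 |      41056 | Rdr |60  00  f5  7b |  ok | AUTH-A(0)
      42548 |      47220 | Tag |0a  9b  71  42 |     |
"""

# Columns: Start | End | Src | Data | CRC | Annotation
ROW = re.compile(
    r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|([^|]*)\|([^|]*)\|(.*)$"
)


def parse_trace(text):
    """Turn `trace list` / `hf 14a list` table rows into frame dicts."""
    frames = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, prompt or status line
        start, end, src, data, crc, note = m.groups()
        tokens = data.split()
        frames.append({
            "start": int(start),
            "end": int(end),
            "src": src,
            "bytes": [t.rstrip("!") for t in tokens],
            # "!" after a byte denotes a parity error (see the table header)
            "parity_errors": sum(t.endswith("!") for t in tokens),
            "crc": crc.strip(),
            "note": note.strip(),
        })
    return frames


def capture_report(frames):
    """Summarise how much of the card side of the exchange was recorded."""
    unanswered = 0
    auth_without_reply = []
    for i, frame in enumerate(frames):
        if frame["src"] != "Rdr":
            continue
        nxt = frames[i + 1] if i + 1 < len(frames) else None
        replied = nxt is not None and nxt["src"] == "Tag"
        if not replied:
            # Heuristic: some reader commands legitimately get no answer.
            unanswered += 1
        if frame["note"].startswith("AUTH"):
            # The card answers an AUTH command with a 4-byte nonce.
            if not (replied and len(nxt["bytes"]) == 4):
                auth_without_reply.append(frame["start"])
    return {
        "reader_frames": sum(f["src"] == "Rdr" for f in frames),
        "tag_frames": sum(f["src"] == "Tag" for f in frames),
        "unanswered_reader_frames": unanswered,
        "auth_without_tag_reply": auth_without_reply,
    }


if __name__ == "__main__":
    for name, text in (("sniffed", SNIFFED), ("hf 14a list", DIRECT)):
        print(name, capture_report(parse_trace(text)))
```

On these rows the sniffed listing reports the AUTH-A(0) at 278784 with no tag reply, while the `hf 14a list` rows show the 4-byte answer `0a 9b 71 42` right after the same command.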

#7 2020-08-13 12:01:48

wh201906
Contributor
Registered: 2020-04-29
Posts: 39

Re: How should I crack this card?

In the official repo, I use "hf 14a snoop" then "hf list mf", and then I can get the decrypted key.
I don't know how the Iceman repo works, but #3 shows the PM3 can track the communication when writing to a block.
Maybe you need to sniff more times. Actually, you can sniff, then save the trace file, then sniff and save again.

