Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Topic closed
#1 2023-10-13 19:50:11
- Dose13
- Contributor
- Registered: 2019-09-26
- Posts: 29
hf mf autopwn finds wrong keys
Good evening,
I have a Mifare Classic 1K card:
[usb] pm3 --> hf search
? Searching for ISO14443-A tag...
[+] UID: 14 0E 66 5F
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 577669211292C6A487A5E85502FAA97163F541AE87A21FE083B243662B82AC6C
[+] Signature verification: successful
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag foundrunning the hf mf autopwn results in the following output:
[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[=] target sector 17 key type B -- using valid key [ 4B791BEA7BCC ] (used for nested / hardnested attack)
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 1,5s | found 34/36 keys (56)
[=] running strategy 2
[=] Chunk 1,3s | found 34/36 keys (56)
[+] target sector 0 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 1 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector 16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector 17 key type A -- found valid key [ 75CCB59C9BED ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX512F SIMD core | |
[=] 0 | 0 | Brute force benchmark: 2000 million (2^30,9) keys/s | 140737488355328 | 20h
[=] 0 | 0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 151 ms | 140737488355328 | 20h
[=] 0 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 20h
[=] 3 | 112 | Apply bit flip properties | 25885241344 | 13s
[=] 4 | 224 | Apply bit flip properties | 2556349696 | 1s
[=] 5 | 335 | Apply bit flip properties | 1396081024 | 1s
[=] 6 | 447 | Apply bit flip properties | 1180857600 | 1s
[=] 7 | 559 | Apply bit flip properties | 1180857600 | 1s
[=] 8 | 669 | Apply bit flip properties | 1180857600 | 1s
[=] 8 | 781 | Apply bit flip properties | 1180857600 | 1s
[=] 9 | 893 | Apply bit flip properties | 1180857600 | 1s
[=] 10 | 1005 | Apply bit flip properties | 1180857600 | 1s
[=] 10 | 1116 | Apply bit flip properties | 1180857600 | 1s
[=] 11 | 1227 | Apply bit flip properties | 1180857600 | 1s
[=] 12 | 1336 | Apply bit flip properties | 1180857600 | 1s
[=] 13 | 1444 | Apply bit flip properties | 1180857600 | 1s
[=] 14 | 1549 | Apply bit flip properties | 1180857600 | 1s
[=] 15 | 1660 | Apply bit flip properties | 1180857600 | 1s
[=] 16 | 1768 | Apply Sum property. Sum(a0) = 144 | 41649300 | 0s
[=] 16 | 1768 | (Ignoring Sum(a8) properties) | 41649300 | 0s
[=] 17 | 1768 | Brute force phase completed. Key found: 8627C10A7014 | 0 | 0s
[+] target sector 0 key type B -- found valid key [ 8627C10A7014 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX512F SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1946 million (2^30,9) keys/s | 140737488355328 | 20h
[=] 0 | 0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 159 ms | 140737488355328 | 20h
[=] 0 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 20h
[=] 3 | 112 | Apply bit flip properties | 9824572014592 | 84min
[=] 4 | 224 | Apply bit flip properties | 8600731779072 | 74min
[=] 5 | 336 | Apply bit flip properties | 8389646090240 | 72min
[=] 6 | 447 | Apply bit flip properties | 8378623459328 | 72min
[=] 6 | 558 | Apply bit flip properties | 8378623459328 | 72min
[=] 7 | 669 | Apply bit flip properties | 8378623459328 | 72min
[=] 8 | 780 | Apply bit flip properties | 8378623459328 | 72min
[=] 9 | 891 | Apply bit flip properties | 8378623459328 | 72min
[=] 9 | 1001 | Apply bit flip properties | 8378623459328 | 72min
[=] 10 | 1112 | Apply bit flip properties | 8378623459328 | 72min
[=] 12 | 1221 | Apply Sum property. Sum(a0) = 0 | 740766121984 | 6min
[=] 12 | 1331 | Apply bit flip properties | 740766121984 | 6min
[=] 13 | 1441 | Apply bit flip properties | 613979586560 | 5min
[=] 14 | 1550 | Apply bit flip properties | 613979586560 | 5min
[=] 14 | 1659 | Apply bit flip properties | 332301336576 | 3min
[=] 15 | 1768 | Apply bit flip properties | 332301336576 | 3min
[=] 16 | 1878 | Apply bit flip properties | 332301336576 | 3min
[=] 17 | 1990 | Apply bit flip properties | 369056808960 | 3min
[=] 18 | 2098 | Apply bit flip properties | 172788613120 | 89s
[=] 19 | 2206 | Apply bit flip properties | 324740481024 | 3min
[=] 20 | 2314 | Apply bit flip properties | 324740481024 | 3min
[=] 20 | 2420 | Apply bit flip properties | 324740481024 | 3min
[=] 21 | 2529 | Apply bit flip properties | 324740481024 | 3min
[=] 22 | 2529 | (1. guess: Sum(a8) = 256) | 324740481024 | 3min
[=] 22 | 2529 | Apply Sum(a8) and all bytes bitflip properties | 298232905728 | 3min
[=] 22 | 2529 | Brute force phase completed. Key found: 00008627C10A | 0 | 0s
[+] target sector 1 key type B -- found valid key [ 00008627C10A ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | D | 8627C10A7014 | H
[+] 001 | 007 | A0A1A2A3A4A5 | D | 00008627C10A | H
[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 016 | 067 | 5C8FF9990DA2 | D | D01AFEEB890A | D
[+] 017 | 071 | 75CCB59C9BED | D | 4B791BEA7BCC | U
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[?] MAD key detected. Try `hf mf mad` for more details
[+] Generating binary key file
[+] Found keys have been dumped to /home/dose/hf-mf-140E665F-key.bin
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[#] Block 4 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 1 block 0
[#] Block 5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 7 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 7 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY A, swapping to KEY B
[#] Block 8 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 2 block 0
[#] Block 9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 12 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 3 block 0
[#] Block 13 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 13 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 14 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 14 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 15 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 15 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 16 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 4 block 0
[#] Block 17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 20 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 5 block 0
[#] Block 21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 24 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 6 block 0
[#] Block 25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 28 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 7 block 0
[#] Block 29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 32 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 8 block 0
[#] Block 33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 36 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 9 block 0
[#] Block 37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 40 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 10 block 0
[#] Block 41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 44 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 11 block 0
[#] Block 45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 48 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 12 block 0
[#] Block 49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 52 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 13 block 0
[#] Block 53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 56 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 14 block 0
[#] Block 57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 60 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 15 block 0
[#] Block 61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 63 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 63 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY B
[-] ⛔ Dump file is PARTIAL complete
[=] downloading card content from emulator memory
[+] saved 1024 bytes to binary file /home/dose/hf-mf-140E665F-dump.bin
[+] saved to json file /home/dose/hf-mf-140E665F-dump.json
[=] autopwn execution time: 49 secondshf mf nack fails:
[usb] pm3 --> hf mf nack
[=] Checking for NACK bug
[=] ....
[!] ⚠️ detection failedhf mf mad:
[usb] pm3 --> hf mf mad
[=] Authentication ( ok )
[#] Auth error
[=] --- MIFARE App Directory Information ----------------
[=] -----------------------------------------------------
[=] ------------ MAD v1 details -------------
[!] ⚠️ Card publisher not present 0x00
[=] ---------------- Listing ----------------
[=] 00 MAD v1
[=] 01 [2EC0] (unknown)
[=] 02 [0000] free
[=] 03 [0000] free
[=] 04 [0000] free
[=] 05 [0000] free
[=] 06 [0000] free
[=] 07 [0000] free
[=] 08 [0000] free
[=] 09 [0000] free
[=] 10 [0000] free
[=] 11 [0000] free
[=] 12 [0000] free
[=] 13 [0000] free
[=] 14 [0000] free
[=] 15 [0000] freeWhen trying to access block 4 with the password found by "hf mf autopwn" I am receiving also an error message
[usb] pm3 --> hf mf rdbl --blk 4 -k ffffffffffff
[#] Auth errorI then ran the hf mf hardnested and I was receiving the following sector key:
[usb] pm3 --> hf mf rdbl --blk 4 -k ffffffffffff
[#] Auth error
[usb] pm3 --> hf mf hardnested --blk 0 -a -k a0a1a2a3a4a5 --tblk 4 --tb
[=] Target block no 4, target key type: B, known target key: 000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX512F SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1858 million (2^30,8) keys/s | 140737488355328 | 21h
[=] 0 | 0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 151 ms | 140737488355328 | 21h
[=] 0 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 21h
[=] 3 | 112 | Apply bit flip properties | 10365789274112 | 2h
[=] 4 | 224 | Apply bit flip properties | 8683303993344 | 78min
[=] 5 | 335 | Apply bit flip properties | 8449560674304 | 76min
[=] 6 | 447 | Apply bit flip properties | 8378623459328 | 75min
[=] 7 | 558 | Apply bit flip properties | 8378623459328 | 75min
[=] 7 | 668 | Apply bit flip properties | 8378623459328 | 75min
[=] 8 | 778 | Apply bit flip properties | 8378623459328 | 75min
[=] 8 | 887 | Apply bit flip properties | 8378623459328 | 75min
[=] 9 | 999 | Apply bit flip properties | 8378623459328 | 75min
[=] 10 | 1110 | Apply bit flip properties | 8378623459328 | 75min
[=] 11 | 1221 | Apply bit flip properties | 8378623459328 | 75min
[=] 12 | 1330 | Apply bit flip properties | 8378623459328 | 75min
[=] 13 | 1442 | Apply bit flip properties | 8378623459328 | 75min
[=] 14 | 1553 | Apply Sum property. Sum(a0) = 0 | 452560977920 | 4min
[=] 14 | 1661 | Apply bit flip properties | 452560977920 | 4min
[=] 15 | 1772 | Apply bit flip properties | 252655468544 | 2min
[=] 16 | 1881 | Apply bit flip properties | 252655468544 | 2min
[=] 17 | 1988 | Apply bit flip properties | 238848901120 | 2min
[=] 18 | 2099 | Apply bit flip properties | 238848901120 | 2min
[=] 19 | 2208 | Apply bit flip properties | 238848901120 | 2min
[=] 20 | 2318 | Apply bit flip properties | 238848901120 | 2min
[=] 20 | 2318 | (1. guess: Sum(a8) = 256) | 238848901120 | 2min
[=] 21 | 2318 | Apply Sum(a8) and all bytes bitflip properties | 212369932288 | 2min
[=] 21 | 2318 | Brute force phase completed. Key found: 00008627C10A | 0 | 0sWith "KEY B" I can access the sector:
[usb] pm3 --> hf mf rdbl --blk 4 -v -b -k 00008627c10a
[=] # | sector 01 / 0x01 | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 4 | 0D 4C 00 00 06 00 00 00 00 00 00 00 00 FF FF FF | .L.............. I then tried to get "KEY A" with the hardnested attack but this one fails:
[usb] pm3 --> hf mf hardnested --blk 0 -a -k a0a1a2a3a4a5 --tblk 4 --ta
[=] Target block no 4, target key type: A, known target key: 000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX512F SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1986 million (2^30,9) keys/s | 140737488355328 | 20h
[=] 0 | 0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 72 ms | 140737488355328 | 20h
[=] 0 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 20h
[=] 3 | 112 | Apply bit flip properties | 156684779520 | 79s
[=] 4 | 223 | Apply bit flip properties | 21349662720 | 11s
[=] 5 | 335 | Apply bit flip properties | 4731800576 | 2s
[=] 5 | 445 | Apply bit flip properties | 1430008960 | 1s
[=] 6 | 556 | Apply bit flip properties | 1247843200 | 1s
[=] 7 | 666 | Apply bit flip properties | 1247843200 | 1s
[=] 7 | 776 | Apply bit flip properties | 1247843200 | 1s
[=] 8 | 886 | Apply bit flip properties | 1247843200 | 1s
[=] 9 | 996 | Apply bit flip properties | 1247843200 | 1s
[=] 10 | 1107 | Apply bit flip properties | 1247843200 | 1s
[=] 11 | 1218 | Apply bit flip properties | 1247843200 | 1s
[=] 11 | 1328 | Apply bit flip properties | 1247843200 | 1s
[=] 12 | 1436 | Apply bit flip properties | 1247843200 | 1s
[=] 14 | 1546 | Apply Sum property. Sum(a0) = 120 | 248405696 | 0s
[=] 14 | 1546 | (Ignoring Sum(a8) properties) | 248405696 | 0s
[-] ⛔ Failed to recover a keyAt first I thought that this one is related to this github report: https://github.com/RfidResearchGroup/pr … issues/960 but honestly I am not too sure.
My questions are:
- why does hf mf autopwn find different keys then the hardnested attack?
- why is it not possible to derive "KEY A" for some blocks with the sector 0 key?
- any ideas on what is needed to dump the entire file?
Thank's in advance!
Offline
#2 2023-10-13 22:36:45
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: hf mf autopwn finds wrong keys
try some distance between tag and antenna. You get too much communications errors.
Offline
#3 2023-10-14 09:22:17
- Dose13
- Contributor
- Registered: 2019-09-26
- Posts: 29
Re: hf mf autopwn finds wrong keys
I am quite sure that it is not distance related since it worked on other sectors. However, I found that this is a Mifare Classic 1k EV1 card. Not sure if the problem is related to that.
Offline
#4 2023-10-14 09:45:46
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: hf mf autopwn finds wrong keys
ok, you know best
Offline
Pages: 1
Topic closed