Research, development and trades concerning the powerful Proxmark3 device.
Hi,
1. fixed hf 14a mifare. added functionality to ignore one Nt
2. completed hf 14a nested
3. added hf 14a chk to check keys
5. added check keys to hf 14a mifare and hf 14a nested
6. added debug level to mifare commands
7. small bugs and improvements
and fixed kbhit() for Linux :)
Please test it :)
Maybe a command hf mf xxxx needs to be added, to separate the MIFARE commands from the standard ISO 14443A ones?
Thank you merlok,
The client (r474) doesn't compile on my Linux box.
It does with the following changes:
Index: include/common.h
===================================================================
--- include/common.h (revision 474)
+++ include/common.h (working copy)
@@ -12,6 +12,8 @@
#ifndef __COMMON_H
#define __COMMON_H
+#include <stdint.h>
+
//-----------------------------------------------------------------------------
// ISO 14443A
//-----------------------------------------------------------------------------
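Review bot: the new include sits after the include guard, which is the right place, but nothing here says where the missing uint types were used; since the header lives in the shared include/ directory, note in the patch description which file in the client needed it and confirm that any other build that compiles include/common.h (the firmware, if it does) still passes with the extra include.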
Index: client/mifarehost.h
===================================================================
--- client/mifarehost.h (revision 474)
+++ client/mifarehost.h (working copy)
@@ -11,7 +11,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
-#include <conio.h>
#include "common.h"
#include "cmdmain.h"
#include "ui.h"
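Review bot: removing #include <conio.h> unconditionally (the `-#include <conio.h>` line) will break the Windows build if anything behind mifarehost.h still calls kbhit() from conio; the util.c hunk in this same patch already guards its Linux path with #ifdef __linux__, so guard this include the same way (#ifndef __linux__ / #endif around it) instead of deleting it.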
Index: client/util.c
===================================================================
--- client/util.c (revision 474)
+++ client/util.c (working copy)
@@ -15,6 +15,10 @@
#include "util.h"
#ifdef __linux__
+
+#include <termios.h>
+#include <sys/ioctl.h>
+
int ukbhit(void)
{
int cnt = 0;
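Review bot: the two new includes are placed inside the existing #ifdef __linux__, so ukbhit() still only builds on Linux; termios.h and sys/ioctl.h are plain POSIX, so an #ifndef _WIN32 guard would let macOS and BSD clients use the same ukbhit() with no further change. The two blank `+` lines around the includes add nothing and can be dropped.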
I will test it tonight.
wil
1. fixed hf 14a mifare. added functionality to ignore one Nt ------- works fine, but what is the parameter to ignore Nt?
2. completed hf 14a nested ----- works fine, but you forgot that MIFARE MINI is also MIFARE Classic, just smaller than 1K; maybe you could include this type of card
3. added hf 14a chk to check keys ---- works fine
5. added check keys to hf 14a mifare and hf 14a nested ---- works fine
6. added debug level to mifare commands --- how can I see this? What is the command?
I have another question: does this new firmware work with this version of the Proxmark?
http://wiki.032.la/nsl/Proxmark3_LCD
Maybe next week I will make one. Does your firmware work with this version, or is it possible to port your code to it? (I know that some commands need a keyboard, but others don't.) So does your firmware work with this Proxmark?
For me it is enough if it works with a keyboard, but I need to know whether it is going to work before I make one.
Thanks
Last edited by thefkboss (2011-06-07 14:54:15)
1. From time to time the command returned an invalid key, so if you want to get a valid key you may test some other Nt (card nonce).
So:
hf 14a mifare -- returned an invalid key with some Nt
hf 14a mifare Nt -- would return the right key
2. Fixed in my version of the code.
6. Internal value. Some commands return too many debug messages, which slows them down.
I added this to increase the speed of the mifare and nested commands.
I don't have a Proxmark with LCD, so I can't test it...
but if the oldest firmwares worked on it, the new one would work too.
Works great, but I don't know how to do the mifare Nt command.
I do hf 14a mifare Nt ABABABAB and it doesn't work; it tells me that I have to put 8 hex digits. Maybe I typed the wrong command.
I have a little change in hf 14a reader to detect the type of the card; maybe you could implement it better:
int CmdHF14AReader(const char *Cmd)
{
	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
	SendCommand(&c);
	UsbCommand * resp = WaitForResponse(CMD_ACK);
	uint8_t * uid = resp->d.asBytes;
	// the card select result follows the 12 UID bytes in the response buffer
	iso14a_card_select_t * card = (iso14a_card_select_t *)(uid + 12);
	if(resp->arg[0] == 0) {
		PrintAndLog("iso14443a card select failed");
		return 0;
	}
	PrintAndLog("ATQA : %02x %02x", card->atqa[0], card->atqa[1]);
	PrintAndLog(" UID : %s", sprint_hex(uid, 12));
	PrintAndLog(" SAK : %02x [%d]", card->sak, resp->arg[0]);
	// card type from the SAK byte (decimal values as originally posted in comments)
	if(card->sak == 0x09) {            // 9
		PrintAndLog(" CARD TYPE: MIFARE MINI");
	} else if(card->sak == 0x08) {     // 8
		PrintAndLog(" CARD TYPE: MIFARE CLASSIC 1K");
	} else if(card->sak == 0x18) {     // 24
		PrintAndLog(" CARD TYPE: MIFARE CLASSIC 4K");
	} else if(card->sak == 0x20) {     // 32: ISO 14443-4 compliant; DESFire is one such card
		PrintAndLog(" CARD TYPE: MIFARE DESFIRE D40");
	} else {
		PrintAndLog(" CARD TYPE: unknown card");
	}
	// the original CmdHF14AReader continues here (RATS handling)
	return resp->arg[0];
}
here are all the types
I've tried the "hf 14a mifare" command many times and on various platforms (Win XP, Win 7, Ubuntu 10.04).
Unfortunately it never returns the right key,
but I've noticed that the wrong keys it finds always end with "0000".
Anyone in the same situation?
Or does the command work fine for you guys?
merlok wrote:
I don't have a Proxmark with LCD, so I can't test it...
but if the oldest firmwares worked on it, the new one would work too.
I think it has a different FPGA; is this a problem? The new one is an XC3S250E Spartan 3:
********************************************************************************
* The binary FPGA image compiled for the Spartan 2 is absolutely not *
* compatible with the Spartan 3 and the source code must be recompiled *
********************************************************************************
The FPGA is initialized by the ARM through the FPGA_* pins DIN, DOUT, CLK, INITB
PROGB and DONE.
An external oscillator is implemented as before with IC203 and fed to two FPGA
global clock pins though I believe only one is needed. Additionally I believe any
clock frequency could be fed to these pins and the final required frequency be
synthesized internally to the FPGA via its Digital Clock Modules (DCM).
The usual SSP and SPI buses are still present as before however a notable change
is the fact that the ARM no longer drives the analog multiplexer IC403 directly
but instead via the FPGA pins MUX_LO and MUX_HI. This was done in order to free
up more pins on the ARM.
The antenna drivers are driven by the pins PRW_LO, PWR_HI and PWR_OE1..4, so no
change there.
Finally a new ADC rated to run down to 3v is used in the form of the IC202
ADC08060 chip. This A/D can sample up to 70MSPS according to the datasheet.
Also despite the datasheet claiming a minimum sample rate of 20MSPS in practice
it seems to do a good job when driven in LF mode at 125KSPS.
Last edited by thefkboss (2011-06-07 19:00:43)
I've tried the "hf 14a mifare" command many times and on various platforms (Win XP, Win 7, Ubuntu 10.04).
Unfortunately it never returns the right key,
but I've noticed that the wrong keys it finds always end with "0000".
Anyone in the same situation?
Or does the command work fine for you guys?
My result is just like yours. And what's worse, all the keys I got start with "0000" and end with "0000"....
There are still some kinds of my cards that hang up the PM3 when I run "hf 14a mifare" and "hf 14a mifare nt".
In my experiments with r474 I got two questions:
My cards are all Mifare Classic 1K.
1. The nested command runs well and I have got 3 right keys on a card.
However, when I try to recover the 4th key for that card, it shows the key "55000000aaff" is valid, and "hf 14a chk **" shows it's valid too. But I can read/write that block neither through "hf 14a mfrdbl" nor through my RC500 M1 reader.
2. The nested command seems not to work on the kind of card I mentioned above. It can't get any keys.
For me it works perfectly.
thefkboss wrote:
I have a little change in hf 14a reader to detect the type of the card; maybe you could implement it better.
Thanks, I have added it into next release
OK, something like a howto :)
1. hf 14a mifare
2. If it returned a wrong key:
hf 14a mifare 1499bbd0
where 1499bbd0 is from the line:
uid(e68fffff) nt(1499bbd0) par(5b236bf33b1b2b73) ks(050d0001090f0f04)
3. hf 14a nested 1 0 a ffffffffffff
4. You get all the keys :)
thefkboss wrote:
I think it has a different FPGA; is this a problem? The new one is an XC3S250E Spartan 3.
It's not a problem if you have a compiled core for your FPGA.
I have not touched the loader code.
nemer wrote:
1. The nested command runs well and I have got 3 right keys on a card.
However, when I try to recover the 4th key for that card, it shows the key "55000000aaff" is valid, and "hf 14a chk **" shows it's valid too. But I can read/write that block neither through "hf 14a mfrdbl" nor through my RC500 M1 reader.
Some keys can authenticate and still can't read the sector.
It depends on the security settings written into the chip by the issuer.
Maybe try key B instead of key A.
nemer wrote:
2. The nested command seems not to work on the kind of card I mentioned above. It can't get any keys.
There are many new cards which have a defence against these types of attack,
especially:
new MIFARE CLASSIC (with 7 byte UID)
MIFARE Plus S/X in SL1
So.... just try another card (preferably the oldest one).
Last edited by merlok (2011-06-08 08:42:49)
merlok wrote:
OK, something like a howto :) [...]
Thanks.
merlok wrote:
It's not a problem if you have a compiled core for your FPGA.
I have not touched the loader code.
Yes, I have the fpga.elf and s19 of this version,
so do I only need to change the bootrom and osimage, or only the osimage from yours?
nemer wrote:
2. The nested command seems not to work on the kind of card I mentioned above. It can't get any keys.
merlok wrote:
There are many new cards which have a defence against these types of attack, especially: new MIFARE CLASSIC (with 7 byte UID), MIFARE Plus S/X in SL1. So.... just try another card (preferably the oldest one).
Is it not possible to implement the mifare command for any sector? I mean, for example, with mfcuk you can select the sector and the key you want and it recovers that key using darkside. Isn't it the same for the Proxmark?
Thanks merlok
I have tried
merlok wrote:
OK, something like a howto :) [...]
but every time I execute the command the card always gives me a new nt. How is this possible? This card is the only one I have for which I never recover the key. (I know the key, but I want to recover it with the Proxmark.)
thefkboss wrote:
so do I only need to change the bootrom and osimage, or only the osimage from yours?
Yes.
thefkboss wrote:
Is it not possible to implement the mifare command for any sector? I mean, for example, with mfcuk you can select the sector and the key you want and it recovers that key using darkside. Isn't it the same for the Proxmark?
Yes, this command can work with any sector,
but for now there is a lack of implementation.
I can implement it after the simulator.
Is this feature needed?
thefkboss wrote:
but every time I execute the command the card always gives me a new nt. How is this possible? This card is the only one I have for which I never recover the key. (I know the key, but I want to recover it with the Proxmark.)
Did mfcuk recover it? (Can you test it?)
I'm using r475.
hf 14a mifare doesn't work: the red LED is blinking and the whole screen is filled with dots. I tried to run it for 1 hour, but couldn't recover any key.
I have same problem with r473.
vivat wrote:
I'm using r475.
hf 14a mifare doesn't work: the red LED is blinking and the whole screen is filled with dots. I tried to run it for 1 hour, but couldn't recover any key.
I have the same problem with r473.
Yes, one of my cards shows the same result as yours. What is the feedback from your card when running hf 14a nested?
nemer
proxmark3> hf 14a nested o 0 A FFFFFFFFFFFF 1 A
--block no:00 key type:00 key:ff ff ff ff ff ff
--target block no:01 target key type:00
proxmark3> Got 0 keys from proxmark.
Nested error.
proxmark3> hf 14a nested 1 0 A FFFFFFFFFFFF
--block no:00 key type:00 key:ff ff ff ff ff ff
Block shift=0
Testing known keys. Sector count=16
proxmark3> nested...
proxmark3> Got 0 keys from proxmark.
proxmark3> Got 0 keys from proxmark.
proxmark3> Got 0 keys from proxmark.
[... the same line 17 more times ...]
Iterations count: 0
|---|----------------|---|----------------|---|
|blk|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| 0000ffffffff | 65535 | 000000000001 | -1 |
|001| 000000000000 | 0 | 000000000000 | 0 |
|002| 0000ffffffff | 65535 | 000000000001 | -1 |
|003| 0000ffffffff | 65535 | 000000000001 | -1 |
|004| 0000ffffffff | 65535 | 000000000001 | -1 |
|005| 0000ffffffff | 65535 | 000000000001 | -1 |
|006| 0000ffffffff | 65535 | 000000000001 | -1 |
|007| 0000ffffffff | 65535 | 000000000001 | -1 |
|008| 0000ffffffff | 65535 | 000000000001 | -1 |
|009| 0000ffffffff | 65535 | 000000000001 | -1 |
|010| 0000ffffffff | 65535 | 000000000001 | -1 |
|011| 0000ffffffff | 65535 | 000000000001 | -1 |
|012| 0000ffffffff | 65535 | 000000000001 | -1 |
|013| 0000ffffffff | 65535 | 000000000001 | -1 |
|014| 0000ffffffff | 65535 | 000000000001 | -1 |
|015| 0000ffffffff | 65535 | 000000000001 | -1 |
|---|----------------|---|----------------|---|
I know the keys for blocks 0, 2-15, it is FFFFFFFFFFFF, but I don't know the key for block 1. My card is an unlicensed Mifare 1K, from Sankt Petersburg.
vivat wrote:
Got 0 keys from proxmark.
It happens when the Proxmark can't init the card and get Nt.
It seems that this is a new card. This type of attack doesn't work on the newest cards.
thefkboss wrote: so do I only need to change the bootrom and osimage, or only the osimage from yours?
yes
But only the bootrom,
or only the osimage,
or both?
thefkboss wrote: Is it not possible to implement the mifare command for any sector? I mean, for example, with mfcuk you can select the sector and the key you want and it recovers that key using darkside. Isn't it the same for the Proxmark?
Yes, this command can work with any sector,
but for now there is a lack of implementation. I can implement it after the simulator.
Is this feature needed?
Maybe: if you can't recover key 0 you could be lucky and recover other keys.
thefkboss wrote: but every time I execute the command the card always gives me a new nt. How is this possible? This card is the only one I have for which I never recover the key. (I know the key, but I want to recover it with the Proxmark.)
Did mfcuk recover it? (Can you test it?)
I'm testing it, but the problem with this card is that mfcuk has done about 200000 auths but only 80 nt auths, so it could take one week to recover the key if there are 655xx nt possibilities.
If I let the computer work for one week it is not a problem.
vivat wrote:
[nested output table as above]
I know the keys for blocks 0, 2-15, it is FFFFFFFFFFFF, but I don't know the key for block 1. My card is an unlicensed Mifare 1K, from Sankt Petersburg.
If you run hf 14a reader, what SAK does the card give: 08 or something different?
Last edited by thefkboss (2011-06-09 14:41:40)
My card is unlicensed Mifare 1k:
proxmark3> hf 14a reader
proxmark3> ATQA : 04 00
UID : 41 fb * * 00 00 00 00 8e 59 41 5e
SAK : 08 [2]
proprietary non-iso14443a card found, RATS not supported
proxmark3> hf 14a list
proxmark3> recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
+ 0: : 52
+ 236: 0: TAG 04 00
+ 0: : 93 20
+ 452: 0: TAG 41 fb * * a4
+ 0: : 93 70 41 fb * * a4 7a aa
+ 308: 0: TAG 08 b6 dd // It says "I'm Mifare 1k"
Hi vivat, we are using the same cards and facing the same problems.
thefkboss wrote:
But only the bootrom, or only the osimage, or both?
osimage only
For those cards there is a problem. Here is the code:
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(200);
davg = dmax = 0;
dmin = 2000;
// test nonce distance
for (rtr = 0; rtr < 10; rtr++) {
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(100);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
After the first field drop it works,
but after the second it doesn't respond to the commands.
So.... it seems that it only needs the delay increased to maybe 500 ms or more.
But.... in those cards there is a fixed random generator,
so the Nt generation does not depend on the time the field is switched on, and....
I guess that it will need too much time to implement this type of attack :(
and I think that one week is too little time.
p.s. IMHO there is only one possibility of attack: darkside.
p.p.s. nobody has forbidden sniffing the protocol and cracking the sniffed trace offline.
Last edited by merlok (2011-06-10 08:59:14)
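merlok's snippet above measures the distance between the nonces of consecutive authentications, and the "32-bit LFSR" question further down the thread asks about the same generator. Both rest on how a MIFARE Classic card makes its Nt: a 16-bit LFSR with feedback polynomial x^16 + x^14 + x^13 + x^11 + 1, whose output bits, taken in over-the-air order, form the 32-bit nonce. The C below is an added example, not code from the Proxmark3 tree or from crapto1; it models that PRNG, tests whether an Nt such as the 1499bbd0 in merlok's howto earlier in this thread is a possible LFSR output, clocks it forward, computes the distance between two nonces (the quantity the nested attack needs, and what a card with a different nonce generator denies it), and pulls Nt out of the client's uid(...) nt(...) line so it can be fed back to "hf 14a mifare <nt>". The function names are my own, and the second sample nonce, 01200145, is the value commonly observed as a card's first nonce after power-up; nothing on this page states it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: model of the MIFARE Classic card PRNG (not Proxmark3 code).
 * Nt is 32 consecutive output bits of a 16-bit LFSR with feedback polynomial
 * x^16 + x^14 + x^13 + x^11 + 1, i.e. s[i+16] = s[i] ^ s[i+2] ^ s[i+3] ^ s[i+5].
 * Stream bit i is taken in over-the-air order: ISO 14443A sends the nonce byte
 * by byte, each byte least-significant bit first, so stream bit i is bit (i % 8)
 * of byte (i / 8) of the nonce as the client prints it (nt(1499bbd0) is the
 * bytes 14 99 bb d0). */

#define LFSR_PERIOD 65535u   /* all 2^16 - 1 non-zero states form one cycle */

/* Bit i (0..31) of the nonce in over-the-air order. */
static int nt_bit(uint32_t nt, int i)
{
    return (nt >> (24 - 8 * (i / 8)) >> (i % 8)) & 1;
}

/* One LFSR clock; state bit k holds stream bit s[k] of the current window. */
static uint16_t lfsr_step(uint16_t s)
{
    uint16_t fb = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1;   /* s0^s2^s3^s5 */
    return (uint16_t)((s >> 1) | (fb << 15));
}

/* The LFSR state a nonce starts from: its first 16 stream bits. */
static uint16_t nt_state(uint32_t nt)
{
    uint16_t s = 0;
    for (int i = 0; i < 16; i++)
        s |= (uint16_t)(nt_bit(nt, i) << i);
    return s;
}

/* 32 clocks from state s, packed back into nonce byte order. */
static uint32_t nt_from_state(uint16_t s)
{
    uint32_t nt = 0;
    for (int i = 0; i < 32; i++) {
        nt |= (uint32_t)(s & 1) << (24 - 8 * (i / 8) + (i % 8));
        s = lfsr_step(s);
    }
    return nt;
}

/* True if the upper 16 bits of nt are what the LFSR produces from the lower
 * 16: a nonce an unmodified MIFARE Classic PRNG could have emitted. */
bool nt_is_lfsr_output(uint32_t nt)
{
    return nt_from_state(nt_state(nt)) == nt;
}

/* The nonce the same generator emits n clocks after nt. */
uint32_t nt_successor(uint32_t nt, uint32_t n)
{
    uint16_t s = nt_state(nt);
    for (uint32_t i = 0; i < n % LFSR_PERIOD; i++)
        s = lfsr_step(s);
    return nt_from_state(s);
}

/* Clocks needed to get from 'from' to 'to' (what the nested attack measures
 * between two authentications), or -1 if 'to' is not an LFSR output or is not
 * reachable from 'from' (e.g. from the stuck all-zero state). */
int32_t nt_distance(uint32_t from, uint32_t to)
{
    if (!nt_is_lfsr_output(to))
        return -1;
    uint16_t s = nt_state(from), target = nt_state(to);
    for (uint32_t n = 0; n < LFSR_PERIOD; n++) {
        if (s == target)
            return (int32_t)n;
        s = lfsr_step(s);
    }
    return -1;
}

/* Nt from a client line such as
 *   uid(e68fffff) nt(1499bbd0) par(5b236bf33b1b2b73) ks(050d0001090f0f04)
 * for feeding back into "hf 14a mifare <nt>"; returns 0 if the line has no
 * nt(...) field (0 is never a usable nonce: it is the LFSR's stuck state). */
uint32_t nt_from_darkside_line(const char *line)
{
    const char *p = strstr(line, "nt(");
    unsigned int v = 0;
    if (p == NULL || sscanf(p + 3, "%8x", &v) != 1)
        return 0;
    return (uint32_t)v;
}

int main(void)
{
    /* constructed sample: the howto line from this thread; 01200145 is the
     * nonce commonly seen first after power-up (assumption, not from the page) */
    const char *line = "uid(e68fffff) nt(1499bbd0) par(5b236bf33b1b2b73) ks(050d0001090f0f04)";
    uint32_t nt = nt_from_darkside_line(line);
    uint32_t samples[] = { 0x01200145, nt, nt ^ 1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("nt %08x: %s\n", samples[i],
               nt_is_lfsr_output(samples[i]) ? "possible LFSR output" : "not an LFSR output");
    uint32_t later = nt_successor(nt, 1000);
    printf("1000 clocks after %08x: %08x, distance back = %d\n",
           nt, later, nt_distance(nt, later));
    return 0;
}
```

A nonce that fails nt_is_lfsr_output() cannot have come from the 16-bit LFSR, and a sequence of nonces whose pairwise nt_distance() is not small and roughly constant is one the nested attack has nothing to work with; that is the check to run on a sniffed trace before spending hours on a card like the ones reported in this thread.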
I have to say that running the darkside attack on the special card mentioned above is limited by the delay time too.... merlok, which parameter should I edit if I want a longer delay? Thanks!
SpinDelay(100);
100 is milliseconds.
You should try at least 300-500 ms... up to 1000 ms.
Last edited by merlok (2011-06-11 22:05:22)
I've tried changing the SpinDelay time to 300, then 500 and 1000, but this didn't give me any key. Can anyone explain the darkside attack to me?
Hi,
as I have seen:
there is no correlation between Nt and the time of the auth query in the new cards.
But maybe there will be other ways to get the same Nt....
or there would be a way to get the key without the same Nt.
But :)
there is a way: the sniffing attack. Just avoid crypto1 and this attack wouldn't work...
p.s. about changing the delay:
some new cards can't work if the delay is too small.
It was implemented to avoid these types of attack.
Last edited by merlok (2011-06-16 16:03:45)
Hi,
"got 0 keys from proxmark",
so by changing the 32-bit LFSR which produces the Nt in the new cards, have Mifare Classic cards become secure again (I mean against offline attacks)?
Hi,
the "hf 14a mifare" command returns values of Nt which after 2-3 times put me in a loop. Also par() and ks() are always zero.
Any help would be appreciated.
merlok wrote:
OK, something like a howto :) [...]
4. You get all the keys :)
Last edited by aminbakhtvar62 (2012-01-28 08:09:23)
Is there anything new about the "got 0 keys from proxmark" problem?