Proxmark3 community

caioxmag

Member

Registered: 2011-07-22

Posts: 6

NEW MIFARE 1K Dump and Restore functionalities

Hello,

I just got my hands on my Proxmark and I wrote 2 functions for 2 new commands.

One is mf hf mf dump1k which, provided the right keys, dumps the EEPROM of a MIFARE Classic 1K card to a binary file called dumpdata.bin.

The other one, hf mf restore1k clones the dumped card to a blank MIFARE Classic 1K in transport configuration (default keys and access rights)

The keys are provided by dumpkeys.bin binary file. I added the option of creating this file from the hf mf nested command. If asked (d parameter instead of t) it should create 'dumpkeys.bin' from the nested atack output. I say "should" because this last change hasn't been tested as have been the other two. If anyone wants to test it I would appreciate.

I am commiting this to the SVN now if anyone wants to have a look at it. If not feel free to delete it .

I've added these functionalities only by changing cmdhfmf.c. They are quite slow commands as they rely on sending a new USB command for each iteration but they worked fine for me. I'm under the impression that if the algorithms are embedded on the ARM they should work a lot faster, is it so?

Also, as far as I could see the nested and mifare dakside attack are also quite slow... Is it possible to run them entirely on the ARM? wouldn't it be a lot faster?

Caio

Last edited by caioxmag (2011-08-25 14:07:06)

caioxmag

Member

Registered: 2011-07-22

Posts: 6

Re: NEW MIFARE 1K Dump and Restore functionalities

Actually no, I can't add it to the SVN... Can I have the password or is it restricted?

thanks,

Caio.

merlok

Contributor

Registered: 2011-05-16

Posts: 132

Re: NEW MIFARE 1K Dump and Restore functionalities

Hi,

Also, as far as I could see the nested and mifare dakside attack are also quite slow... Is it possible to run them entirely on the ARM? wouldn't it be a lot faster?

Caio

it  is possible...
but there is too less memory on th ARM. I have tried to port some crapto1 functions, but there must be more memory than cpu has

moebius

Contributor

Registered: 2011-03-10

Posts: 206

Re: NEW MIFARE 1K Dump and Restore functionalities

Hello,

I just got my hands on my Proxmark and I wrote 2 functions for 2 new commands.

One is mf hf mf dump1k which, provided the right keys, dumps the EEPROM of a MIFARE Classic 1K card to a binary file called dumpdata.bin.

The other one, hf mf restore1k clones the dumped card to a blank MIFARE Classic 1K in transport configuration (default keys and access rights)

The keys are provided by dumpkeys.bin binary file. I added the option of creating this file from the hf mf nested command. If asked (d parameter instead of t) it should create 'dumpkeys.bin' from the nested atack output. I say "should" because this last change hasn't been tested as have been the other two. If anyone wants to test it I would appreciate.

I am commiting this to the SVN now if anyone wants to have a look at it. If not feel free to delete it .

I've added these functionalities only by changing cmdhfmf.c. They are quite slow commands as they rely on sending a new USB command for each iteration but they worked fine for me. I'm under the impression that if the algorithms are embedded on the ARM they should work a lot faster, is it so?

Also, as far as I could see the nested and mifare dakside attack are also quite slow... Is it possible to run them entirely on the ARM? wouldn't it be a lot faster?

Caio

Nice functionalities! As Roel or Merlok for permissions.

Also, please, share some sample files in order to understand your work.

Thanks!

vivat

Contributor

Registered: 2010-10-26

Posts: 332

Re: NEW MIFARE 1K Dump and Restore functionalities

caioxmag
Can you share your code?

rule

Member

Registered: 2008-05-21

Posts: 417

Re: NEW MIFARE 1K Dump and Restore functionalities

mail me your google account for svn access

caioxmag

Member

Registered: 2011-07-22

Posts: 6

Re: NEW MIFARE 1K Dump and Restore functionalities

I'm uploading the code now. I should say I'm not very proud of it as I wrote it quickly just to test some cards, so don't expect much

Last edited by caioxmag (2011-08-30 13:43:06)

moebius

Contributor

Registered: 2011-03-10

Posts: 206

Re: NEW MIFARE 1K Dump and Restore functionalities

I'm uploading the code now. I should say I'm note very proud of it as I wrote it quickly just to test some cards, so don't expect much

Try to clean it a little bit or insert some nice comments

Thanks for for code.. I'll try it in a couple of days.

thefkboss

Contributor

Registered: 2008-10-26

Posts: 198

Re: NEW MIFARE 1K Dump and Restore functionalities

there is an error in the code and it can´t be compiled

obj/cmdhfmf.o: In function `CmdHF14AMfNested':
C:\MinGW\msys\1.0\home\thefkboss\ProxSpace\pm3\client/cmdhfmf.c:644: undefined r
eference to `rintAndLog'
collect2: ld returned 1 exit status
make[1]: *** [proxmark3] Error 1
make[1]: Leaving directory `/home/pm3/client'
make: *** [client/all] Error 2

vivat

Contributor

Registered: 2010-10-26

Posts: 332

Re: NEW MIFARE 1K Dump and Restore functionalities

thefkboss
go to file ../client/cmdhfmf.c, line 644
add Print instead of rint
have fun
here is some warnings:

gcc -std=gnu99 -I. -I../include -I../common -I/opt/local/include -Wall -Wno-unus
ed-function  -g -O3 -DHAVE_GUI -c -o obj/cmdhfmf.o cmdhfmf.c
cmdhfmf.c: In function 'CmdHF14AMfDump1k':
cmdhfmf.c:269: warning: unused variable 'data'
cmdhfmf.c:268: warning: unused variable 'isOK'
cmdhfmf.c:263: warning: unused variable 'c'
cmdhfmf.c:262: warning: unused variable 'keyType'
cmdhfmf.c: In function 'CmdHF14AMfRestore1k':
cmdhfmf.c:396: warning: unused variable 'fdebug'
cmdhfmf.c:391: warning: unused variable 'cmdp'
cmdhfmf.c:384: warning: unused variable 'blockNo'
cmdhfmf.c: In function 'CmdHF14AMfNested':
cmdhfmf.c:649: warning: passing argument 1 of 'fwrite' makes pointer from integer without a cast

moebius

Contributor

Registered: 2011-03-10

Posts: 206

Re: NEW MIFARE 1K Dump and Restore functionalities

@Vivat, do you have access to the SVN? If so, please change that line ... or maybe @caioxmag can thanks guys! please, post your results.

thefkboss

Contributor

Registered: 2008-10-26

Posts: 198

Re: NEW MIFARE 1K Dump and Restore functionalities

thanks vivat now works perfect.

I try to make nested with d option but it dosen´t make de bin file, is this a bug or i have to write another thing in the command line.
I have tried with (d and d example.bin) whit no results in both cases.

caioxmag

Member

Registered: 2011-07-22

Posts: 6

Re: NEW MIFARE 1K Dump and Restore functionalities

Wow, sorry, I must have hit the keyboard yesterday before committing and erased the "P".

Some of these warnings are because there are variables initialized within ifs, so the compiler thinks they could be left unused... Others shouldn't be there and I removed already.

And for nested I'm sorry but I have no more tags available so I can't test the function... I have a "guess" and just uploaded it, can you try again now?

thefkboss

Contributor

Registered: 2008-10-26

Posts: 198

Re: NEW MIFARE 1K Dump and Restore functionalities

nested command d dosen´t work.
what is the structure of the bin file (the key file and the dump) could you put an example of both.
i want to try hf mf dump1k and hf mf restore1k

caioxmag

Member

Registered: 2011-07-22

Posts: 6

Re: NEW MIFARE 1K Dump and Restore functionalities

Sorry I wont have much time to look at the code this week... I made some modifications and it might work now. If not just don't use the d option and it should work as before.

The key file is structured like this

KeyA_Sector0
KeyA_Sector1
KeyA_Sector2
KeyA_Sector3
KeyA_Sector4
KeyA_Sector5
KeyA_Sector6
KeyA_Sector7
KeyA_Sector8
KeyA_Sector9
KeyA_Sector10
KeyA_Sector11
KeyA_Sector12
KeyA_Sector13
KeyA_Sector14
KeyA_Sector15
KeyB_Sector0
KeyB_Sector1
KeyB_Sector2
KeyB_Sector3
KeyB_Sector4
KeyB_Sector5
KeyB_Sector6
KeyB_Sector7
KeyB_Sector8
KeyB_Sector9
KeyB_Sector10
KeyB_Sector11
KeyB_Sector12
KeyB_Sector13
KeyB_Sector14
KeyB_Sector15

Writen straight out in plain binary values. There is no newline (no LF or CR) characters, just plain binary values reflecting the keys and written in the order I described above. You should be able to create or edit dumpkey.bin with a HEX editor.

The dumpdata.bin file contains all of the data of the dumped card in plain binary values. Block by block from block 0 to 63.

Remember that often reading the keys returns zeroes instead of returning the actual key value, so dumdata.bin might have zeroes instead of the respective key values on the third block of each sector. This is taken into account in restore1k by by reading dumpkeys.bin again and writing the correct values to the cloned card instead of the zeroes.

Maybe I should change this in the future so that dumpdata.bin already contain the keys and not the zeroes... but I won't be able to do it right now...

Last edited by caioxmag (2011-09-01 09:34:18)

thefkboss

Contributor

Registered: 2008-10-26

Posts: 198

Re: NEW MIFARE 1K Dump and Restore functionalities

works pefect.

only one think if you have time you could do
hf mf dump with a menu where you could select mifare mini, 1k, 4k....
and hf mf restore with the same menu, like nested where you can select the type of the card

Last edited by thefkboss (2011-09-01 20:46:46)

caioxmag

Member

Registered: 2011-07-22

Posts: 6

Re: NEW MIFARE 1K Dump and Restore functionalities

Just implemented what I said above about the masked keys. dump1k now writes the keys A and B to dumpdata.bin even when reading the sector trailer returns zeroes instead of key values so that dumpdata.bin is a complete dump of the 1k EEPROM.

moebius

Contributor

Registered: 2011-03-10

Posts: 206

Re: NEW MIFARE 1K Dump and Restore functionalities

Thanks @caioxmag.

Did you read my post about sending APDU commands? Maybe you can help with your knowledge.