Cracking Mifare Classic 1K

holiman · 2014-06-10 09:21:37

The listing above.. is that from "hf 14a list" ? It does not look right, both sides of the conversation is marked as "Tag", for one thing, and it mostly appears to be communication failures.

If you have access to the reader, could you please try this 'hf mf sim u 0419ace2972f81 x'. It's a 'reader attack', so issue the command and hold the antenna against the reader. If that does not work, try "hf mf sim x".
Also, you don't have to include screenshots, use instead the code-tag when pasting into the forum posts.

Edit: edited for clarity

Last edited by holiman (2014-06-10 09:22:25)

LaserByte · 2014-06-10 23:38:56

hello iceman

this is attack " hf mf sim u 0419ace2972f81 x " in balance reader...
-------------------------------------------------------------------------------
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
uid:04 19 ac e2 97 2f 81 , numreads:0, flags:12 (0x0c)
#db# 7B UID: (88)0419ace2972f81
proxmark3> a: 0.00 V @ 125.00 kHz
proxmark3> a: 0.00 V @ 134.00 kHz
proxmark3> l: 0.00 V @ 12000.00 kHz
proxmark3> a: 7.77 V @ 13.56 MHz
proxmark3> ntenna is unusable.
proxmark3> hf mf sim u 0419ace2972f81 x
proxmark3>
proxmark3>
proxmark3> hf 14a list
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Failed to obtain two AR/NR pairs!
#db# Emulator stopped. Tracing: 1 trace length: 1727
Recorded Activity

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer

All times are in carrier periods (1/13.56Mhz)

Start | End | Src | Data
-----------|-----------|-----|--------
0 | 1056 | Rdr | 26
2356 | 4724 | Tag | 44 00
22912 | 25376 | Rdr | 93 20
26932 | 32756 | Tag | 88 04 19 ac 6f
50944 | 53408 | Rdr | 93 20
54964 | 60788 | Tag | 88 04 19 ac 6f
78976 | 81440 | Rdr | 93 20
82996 | 88820 | Tag | 88 04 19 ac 6f
107008 | 109472 | Rdr | 93 20
111028 | 116852 | Tag | 88 04 19 ac 6f
6424342 | 6425398 | Rdr | 26
6426570 | 6428938 | Tag | 44 00
6447140 | 6449604 | Rdr | 93 20
6451160 | 6456984 | Tag | 88 04 19 ac 6f
6475172 | 6477636 | Rdr | 93 20
6479192 | 6485016 | Tag | 88 04 19 ac 6f
6503204 | 6505668 | Rdr | 93 20
6507224 | 6513048 | Tag | 88 04 19 ac 6f
6531364 | 6533828 | Rdr | 93 20
6535384 | 6541208 | Tag | 88 04 19 ac 6f
12849272 | 12850328 | Rdr | 26
12851564 | 12853932 | Tag | 44 00
12872312 | 12874776 | Rdr | 93 20
12876268 | 12882092 | Tag | 88 04 19 ac 6f
12900344 | 12902808 | Rdr | 93 20
12904300 | 12910124 | Tag | 88 04 19 ac 6f
12928376 | 12930840 | Rdr | 93 20
12932332 | 12938156 | Tag | 88 04 19 ac 6f
12956408 | 12958872 | Rdr | 93 20
12960364 | 12966188 | Tag | 88 04 19 ac 6f
19273692 | 19274748 | Rdr | 26
19276048 | 19278416 | Tag | 44 00
19296604 | 19299068 | Rdr | 93 20
19300624 | 19306448 | Tag | 88 04 19 ac 6f
19324636 | 19327100 | Rdr | 93 20
19328656 | 19334480 | Tag | 88 04 19 ac 6f
19352668 | 19355132 | Rdr | 93 20
19356688 | 19362512 | Tag | 88 04 19 ac 6f
19380700 | 19383164 | Rdr | 93 20
19384720 | 19390544 | Tag | 88 04 19 ac 6f
25698304 | 25699360 | Rdr | 26
25700788 | 25703156 | Tag | 44 00
25721216 | 25723680 | Rdr | 93 20
25725236 | 25731060 | Tag | 88 04 19 ac 6f
25749120 | 25751584 | Rdr | 93 20
25753140 | 25758964 | Tag | 88 04 19 ac 6f
25776770 | 25777826 | Rdr | 26
25779126 | 25781494 | Tag | 44 00
25799680 | 25802144 | Rdr | 93 20
25803700 | 25809524 | Tag | 88 04 19 ac 6f
25827840 | 25830304 | Rdr | 93 20
25831860 | 25837684 | Tag | 88 04 19 ac 6f
32145494 | 32146550 | Rdr | 26
32147786 | 32150154 | Tag | 44 00
32168484 | 32170948 | Rdr | 93 20
32172632 | 32178456 | Tag | 88 04 19 ac 6f
32196694 | 32199158 | Rdr | 93 20
32200650 | 32206474 | Tag | 88 04 19 ac 6f
32224726 | 32227190 | Rdr | 93 20
32228682 | 32234506 | Tag | 88 04 19 ac 6f
32252758 | 32255222 | Rdr | 93 20
32256714 | 32262538 | Tag | 88 04 19 ac 6f
38570554 | 38571610 | Rdr | 26
38572910 | 38575278 | Tag | 44 00
38593466 | 38595930 | Rdr | 93 20
38597486 | 38603310 | Tag | 88 04 19 ac 6f
38621498 | 38623962 | Rdr | 93 20
38625518 | 38631342 | Tag | 88 04 19 ac 6f
38649530 | 38651994 | Rdr | 93 20
38653550 | 38659374 | Tag | 88 04 19 ac 6f
38677562 | 38680026 | Rdr | 93 20
38681582 | 38687406 | Tag | 88 04 19 ac 6f
44995294 | 44996350 | Rdr | 26
44997778 | 45000146 | Tag | 44 00
45018334 | 45020798 | Rdr | 93 20
45022354 | 45028178 | Tag | 88 04 19 ac 6f
45046366 | 45048830 | Rdr | 93 20
45050386 | 45056210 | Tag | 88 04 19 ac 6f
45074398 | 45076862 | Rdr | 93 20
45078418 | 45084242 | Tag | 88 04 19 ac 6f
45102430 | 45104894 | Rdr | 93 20
45106450 | 45112274 | Tag | 88 04 19 ac 6f
proxmark3>

Bebeoix · 2014-07-06 13:44:28

Did anyone successfully gone through a MIFARE Plus (7 Byte UID) 4K, Security level 1 ?

LaserByte · 2014-07-19 14:22:11

Hi
there and after reading a little work, I finally found the key, I've taken the dumpkeys and dumpdata.bin and now I would like to know how to convert the dumpdata.bin to. eml file. to pass the data to the Chinese magic.
I'm doing well?

midnitesnake · 2014-07-19 18:02:16

./client/pm3_mfd2eml.py

LaserByte · 2014-07-20 14:27:03

Hi there
I have been unable to convert a dumpdata.bin to dumpdata.eml
I tried in every way and I could not.
I do not run any script.
------------------
pm3 ~$ client/proxmark3.exe com5
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2014-06-07 15:46:01
#db# os: /-suspect 2014-06-07 15:46:10
#db# FPGA image built on 2014/03/24 at 21:54:44
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> script run dumptoemul -i dumpdata.bin -o cap.eml
--- Executing: ./scripts/dumptoemul.lua, args'-i dumpdata.bin -o cap.eml'
cannot open ./scripts/dumptoemul.lua: No such file or directory

-----Finished
proxmark3>

holiman · 2014-07-20 20:00:53

C'mon...

pm3 ~$ client/proxmark3.exe com5

You are apparently executing from proxmark3/, not from proxmark3/client/ folder. So, current working directory is pm3 root folder.

cannot open ./scripts/dumptoemul.lua: No such file or directory

It tries to load <currentdir>/scripts/dumptoemul.lua. Did you look for that file? The scripts-folder is located at <pm3-root>/client/scripts/ .

So, go into client-directory and *then* start the client. The same goes for most load/save commands and a few other commands, they expect you to be there.

LaserByte · 2014-07-20 20:55:51

i change the <dir>\scripts to pm3 dir and say this..

pm3 ~$ client/proxmark3.exe com5
proxmark3> script run dumptoemul -i dumpdata.bin -o cap.eml
--- Executing: ./scripts/dumptoemul.lua, args'-i dumpdata.bin -o cap.eml'
./scripts/dumptoemul.lua:3: module 'getopt' not found:
no field package.preload['getopt']
no file 'C:\ProxSpace\pm3\client\lua\getopt.lua'
no file 'C:\ProxSpace\pm3\client\lua\getopt\init.lua'
no file 'C:\ProxSpace\pm3\client\getopt.lua'
no file 'C:\ProxSpace\pm3\client\getopt\init.lua'
no file '.\getopt.lua'
no file './lualibs/getopt.lua'
no file 'C:\ProxSpace\pm3\client\getopt.dll'
no file 'C:\ProxSpace\pm3\client\loadall.dll'
no file '.\getopt.dll'

-----Finished
proxmark3>
but into de dir\client no exist the dir\lua. neither getot..
this is the problem.... thanks for your help..

I will reinstall..

holiman · 2014-07-20 21:12:42

No no.. This is what you should do when starting the client:

$ cd client
$ ./proxmark3.exe com5

That's all.

Regarding your current problems the getopt is here:

[~/tools/proxmark3/client]
#find -name "getopt.*"
./lualibs/getopt.lua

As you can see from the error message, it tries to search ./lualibs/getopt.lua. If your '.'-folder (current working dir) had been client, it would have found it.

LaserByte · 2014-07-20 21:29:11

Thanks
is perfect..
-------------->
pm3 ~$ cd client
pm3 ~/client$ proxmark3.exe com5
proxmark3> script ru test
--- Executing: ./scripts/test.lua, args''
This shows how to use some standard libraries
Continue with this operation (y/n)? y
Ok then, whatever

-----Finished
proxmark3>

LaserByte · 2014-07-21 16:46:01

Hello
the cloning process was successful ..
authenticates a great ...
Thank you very much to Holiman, midnitesnake and iceman.
I will continue doing my tests and will tell you ...

thanks

LaserByte · 2014-08-11 23:47:45

Hello!
I'm trying to find the key to : NXP MIFARE 1k CLASSIC | 2k Plus SL1 high entropy, I have the key "A", but to make a nested 1 0 A,
just gives me zeros to the key "B"
I've tried almost everything, everything I know.
any idea or solution?

piwi · 2014-08-12 07:59:25

"high entropy" means that you have a card with a fixed random number generator. The card only attacks won't work.

LaserByte · 2014-08-12 11:54:39

could be more specific, do not understand

piwi · 2014-08-12 13:15:11

You can't use hf mf mifare and hf mf nested with these cards.

LaserByte · 2014-08-12 13:19:28

ahh yes..i know... but some idea..??

piwi · 2014-08-12 15:53:39

hf mf sim x would still work...

...but...

LaserByte wrote:

proxmark3> a: 7.77 V @ 13.56 MHz

... your antenna most probably needs improvement for successful simulation (and sniffing/snooping). See e.g. http://www.proxmark.org/files/Documents/Antennas/2009.03.01-proxmark_HF_13.56MHz_mifare_antenne.pdf

LaserByte · 2014-08-12 19:08:37

pm3 ~$ cd client
pm3 ~/client$ proxmark3.exe com5
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host

# LF antenna: 0.00 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 10.28 V @ 13.56 MHz
# Your LF antenna is unusable.
proxmark3>

piwi · 2014-08-13 14:50:37

Good improvement. Should be enough.

piwi · 2014-08-13 14:51:58

Good improvement. could be enough. Simply give it a try.

geekngadgets · 2014-08-16 03:47:37

Hi guys,

G'day!

Just wanna share with you that I have some of these Chinese Magic Cards, which allows you to modify the UID in Block 0. I have tried it on my personal project and it works. Just wanna give a shoutout in case any of you needs some of these Chinese Magic Cards, which I have some in excess.
Feel free to shoot me an email at geekngadgets@live.com

Cheers!

spawnrider · 2014-09-03 00:21:22

LaserByte,

Did you retrieved our key "B" using your system ?

I tried to use mfoc/mfcuk on my MIFARE Classic 1K (high entropy) but without any success.
Anybody have a solution? Using Proxmark reader sniffing technic ?

Proxmark3 community

Announcement

#51 2014-06-10 09:21:37

Re: Cracking Mifare Classic 1K

#52 2014-06-10 23:38:56

Re: Cracking Mifare Classic 1K

#53 2014-07-06 13:44:28

Re: Cracking Mifare Classic 1K

#54 2014-07-19 14:22:11

Re: Cracking Mifare Classic 1K

#55 2014-07-19 18:02:16

Re: Cracking Mifare Classic 1K

#56 2014-07-20 14:27:03

Re: Cracking Mifare Classic 1K

#57 2014-07-20 20:00:53

Re: Cracking Mifare Classic 1K

#58 2014-07-20 20:55:51

Re: Cracking Mifare Classic 1K

#59 2014-07-20 21:12:42

Re: Cracking Mifare Classic 1K

#60 2014-07-20 21:29:11

Re: Cracking Mifare Classic 1K

#61 2014-07-21 16:46:01

Re: Cracking Mifare Classic 1K

#62 2014-08-11 23:47:45

Re: Cracking Mifare Classic 1K

#63 2014-08-12 07:59:25

Re: Cracking Mifare Classic 1K

#64 2014-08-12 11:54:39

Re: Cracking Mifare Classic 1K

#65 2014-08-12 13:15:11

Re: Cracking Mifare Classic 1K

#66 2014-08-12 13:19:28

Re: Cracking Mifare Classic 1K

#67 2014-08-12 15:53:39

Re: Cracking Mifare Classic 1K

#68 2014-08-12 19:08:37

Re: Cracking Mifare Classic 1K

#69 2014-08-13 14:50:37

Re: Cracking Mifare Classic 1K

#70 2014-08-13 14:51:58

Re: Cracking Mifare Classic 1K

#71 2014-08-16 03:47:37

Re: Cracking Mifare Classic 1K

#72 2014-09-03 00:21:22

Re: Cracking Mifare Classic 1K

Board footer