Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-02-15 00:15:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

hf list mf - new annotation

hf list mf A cool annotation,  well done @merlokk!

So, what does this one do?   Well, before we had  hf list 14a.  which gave us a ISO14443-a trace.   We have all seen and used it much.
However Mifare Classic uses a propritary layer above 14A,  which uses crypto-1 to encrypt the communication.   
We have had simple commands,  "trydecrypt",  mfkey64 with extra bytes, mf_nonce_brut,  in order to have a nice smooth decryption of the actual trace.

This has all changed now thanks to Merlokk.

As seen here,  the normal  hf list 14a output from reading a sector on a Mifare Classic tag.

pm3 --> hf mf rdsc 0 a fc00018778f7
--sector no:0 key type:A key:FC 00 01 87 78 F7

isOk:01
data   : 4A 49 04 86 81 88 04 00 C1 85 14 99 65 40 46 12
data   : 00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6
data   : 00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6
trailer: 00 00 00 00 00 00 78 77 88 41 00 00 00 00 00 00
pm3 --> hf li 14a
Recorded Activity (TraceLen = 314 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |

------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|

          0 |        992 | Rdr |52                                                               |     | WUPA
       2244 |       4612 | Tag |04  00                                                           |     |
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL
      10692 |      16516 | Tag |4a  49  04  86  81                                               |     |
      19072 |      29536 | Rdr |93  70  4a  49  04  86  81  3e  95                               |  ok | SELECT_UID
      30788 |      34308 | Tag |08  b6  dd                                                       |     |
      36352 |      41056 | Rdr |60  00  f5  7b                                                   |  ok | AUTH-A(0)
      43076 |      47812 | Tag |5c  39  ea  a1                                                   |     |
      56960 |      66336 | Rdr |86  c1  1e  24! 21  7d! d6  ca!                                  | !crc|
      67524 |      72260 | Tag |c5! e5! 2e! 96!                                                  |     |
      77952 |      82656 | Rdr |8c! 44! b5! a7!                                                  | !crc|
      84036 |     104900 | Tag |09! 1d  09  cb  ab  09! 1d! 0e  70! 74! 4a! 09  01  4f  90  9d   |     |
            |            |     |5b  e8!                                                          | !crc|
     117504 |     122208 | Rdr |9b  e6  6b  a8!                                                  | !crc|
     123588 |     144452 | Tag |47! 6d  81  6f  8b  6d  65! 66! 2d  83! 1f! b5! 3e! bb  63! 61!  |     |
            |            |     |6f  ed!                                                          | !crc|
     157056 |     161760 | Rdr |ff  be  fd  5d!                                                  | !crc|
     163140 |     184004 | Tag |c4  2d  32  cc! 04! 63  80! eb  98  80! 1f! b3  5b  ce  06! cf   |     |
            |            |     |13  36!                                                          | !crc|
     196608 |     201376 | Rdr |5d! bd  bd! bd!                                                  | !crc|
     202692 |     223492 | Tag |a1! da! 7e  14  36  94  89! 53  a2! 11! 75! a4! 5a  a6  b4  52   |     |
            |            |     |a4! 15!                                                          | !crc|
     236032 |     240736 | Rdr |c9! 4f  5c  96                                                   | !crc|
pm3 -->

And here we see the new annotation in action.


pm3 --> hf mf rdsc 0 a fc00018778f7
--sector no:0 key type:A key:FC 00 01 87 78 F7

isOk:01
data   : 4A 49 04 86 81 88 04 00 C1 85 14 99 65 40 46 12
data   : 00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6
data   : 00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6
trailer: 00 00 00 00 00 00 78 77 88 41 00 00 00 00 00 00
pm3 --> hf li mf
Recorded Activity (TraceLen = 314 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |

------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|

          0 |        992 | Rdr |52                                                               |     | WUPA
       2244 |       4612 | Tag |04  00                                                           |     |
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL
      10692 |      16516 | Tag |4a  49  04  86  81                                               |     |
      19072 |      29536 | Rdr |93  70  4a  49  04  86  81  3e  95                               |  ok | SELECT_UID
      30788 |      34308 | Tag |08  b6  dd                                                       |     |
      36352 |      41056 | Rdr |60  00  f5  7b                                                   |  ok | AUTH-A(0)
      43076 |      47812 | Tag |5c  39  ea  a1                                                   |     | AUTH: nt
      56960 |      66336 | Rdr |86  c1  1e  24  21  7d  d6  ca                                   | !crc| AUTH: nr ar (enc)

      67524 |      72260 | Tag |c5! e5! 2e! 96!                                                  |     | AUTH: at (enc)
      77952 |      82656 | Rdr |8c  44  b5  a7                                                   | !crc|
            |          * | key | probable key:fc00018778f7 Prng:WEAK   ks2:f99a3df7 ks3:066923a4 |     |
            |          * | dec |30 00 02 A8                                                      |  ok | >READBLOCK(0)
      84036 |     104900 | Tag |09! 1d  09  cb  ab  09! 1d! 0e  70! 74! 4a! 09  01  4f  90  9d   |     |
            |            |     |5b  e8!                                                          | !crc|
            |          * | dec |4A 49 04 86 81 88 04 00 C1 85 14 99 65 40 46 12 F8 30            |  ok |
     117504 |     122208 | Rdr |9b  e6  6b  a8                                                   | !crc|
            |          * | dec |30 01 8B B9                                                      |  ok | >READBLOCK(1)
     123588 |     144452 | Tag |47! 6d  81  6f  8b  6d  65! 66! 2d  83! 1f! b5! 3e! bb  63! 61!  |     |
            |            |     |6f  ed!                                                          | !crc|
            |          * | dec |00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6 56 F9            |  ok |
     157056 |     161760 | Rdr |ff  be  fd  5d                                                   | !crc|
            |          * | dec |30 02 10 8B                                                      |  ok | >READBLOCK(2)
     163140 |     184004 | Tag |c4  2d  32  cc! 04! 63  80! eb  98  80! 1f! b3  5b  ce  06! cf   |     |
            |            |     |13  36!                                                          | !crc|
            |          * | dec |00 00 44 19 EC 86 01 52 27 01 00 81 02 00 17 D6 56 F9            |  ok |
     196608 |     201376 | Rdr |5d  bd  bd  bd                                                   | !crc|
            |          * | dec |30 03 99 9A                                                      |  ok | >READBLOCK(3)
     202692 |     223492 | Tag |a1! da! 7e  14  36  94  89! 53  a2! 11! 75! a4! 5a  a6  b4  52   |     |
            |            |     |a4! 15!                                                          | !crc|
            |          * | dec |00 00 00 00 00 00 78 77 88 41 00 00 00 00 00 00 23 B6            |  ok |
     236032 |     240736 | Rdr |c9  4f  5c  96                                                   | !crc|
            |          * | dec |50 00 57 CD                                                      |  ok | >HALT
pm3 -->

Not only does it try to crack the keys on the run,  it also tries to do nested authentications,   but no, hardnested ones we don't manage yet.   This whole new annotation is built upon the decode part from hf mf sniff and J-run's mf_nonce_brut.c

Offline

#2 2018-02-21 02:21:47

dontlook
Contributor
Registered: 2017-01-28
Posts: 57

Re: hf list mf - new annotation

Thanks @merlokk and @iceman .  I can't wait to try this out.

Offline

Board footer

Powered by FluxBB