Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2020-06-19 20:30:25

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Help me find an error in getting the key to the sector Mifare Classic

Hi everyone, I have a keyfob that I can not decrypt

that's what proxmark command

that's what proxmark gives

###################

Proxmark3 RFID instrument


[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;

[ ARM ]
bootrom: iceman/master/ice_v3.1.0-1097-ga23414fe 2019-11-07 20:06:57
      os: iceman/master/ice_v3.1.0-1097-ga23414fe 2019-11-07 20:07:01

[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23

[ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 235688 bytes (45%) Free: 288600 bytes (55%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory


pm3 --> hf search
UID : 46 0C 2F 48
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: WEAK

[+] Valid ISO14443-A Tag Found

pm3 --> hf mf darkside
--------------------------------------------------------------------------------

executing Darkside attack. Expected execution time: 25sec on average
press pm3-button on the proxmark3 device to abort both proxmark3 and client.
--------------------------------------------------------------------------------

..
[-] card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
[-] generating polynomial with 16 effective bits only, but shows unexpected behaviour.

##################

Well, I took a chameleon, and went to the reader

Here is what I got

[Taf slot 1] UID 460C2F48
[S8 / B32] KeyB [e2f02ea703a6]

Then I used the command

pm3 --> hf mf fchk 1 d e2f02ea703a6
[ 0] key E2 F0 2E A7 03 A6
[+] Running strategy 1

[-] Chunk: 0.2s | found 0/32 keys (1)
[+] Running strategy 2

[-] Chunk: 0.7s | found 0/32 keys (1)
[+] Time in checkkeys (fast):  0.9s

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  ------------  | 0 |
|001|  ------------  | 0 |  ------------  | 0 |
|002|  ------------  | 0 |  ------------  | 0 |
|003|  ------------  | 0 |  ------------  | 0 |
|004|  ------------  | 0 |  ------------  | 0 |
|005|  ------------  | 0 |  ------------  | 0 |
|006|  ------------  | 0 |  ------------  | 0 |
|007|  ------------  | 0 |  ------------  | 0 |
|008|  ------------  | 0 |  ------------  | 0 |
|009|  ------------  | 0 |  ------------  | 0 |
|010|  ------------  | 0 |  ------------  | 0 |
|011|  ------------  | 0 |  ------------  | 0 |
|012|  ------------  | 0 |  ------------  | 0 |
|013|  ------------  | 0 |  ------------  | 0 |
|014|  ------------  | 0 |  ------------  | 0 |
|015|  ------------  | 0 |  ------------  | 0 |
|---|----------------|---|----------------|---|
Printing keys to binary file ...
Found keys have been dumped to file . 0xffffffffffff has been inserted for unknown keys.

I think the key is wrong(((((

My chameleon Firmware version is

ChameleonMini-rebooted v1.3 (iceman: 887af96) last version

Questions
1. What am I doing wrong, can someone tell me?
2. Maybe my chameleon is not working properly.
3. Can I see whether maybe some other key is being transferred to the chameleon (how can I see it)?

I use Chameleon Mini GUI V 1.3.0.3 Iceman Edition.
From all slots after mfkey32 I get only the key [S8 / B32] KeyB


#2 2020-06-19 21:00:32

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Help me find an error in getting the key to the sector Mifare Classic

Try using "hf mf autopwn", it will do all the magic :)
or
"hf mf autopwn k 8 B e2f02ea703a6"

If it does not work, try using different dictionaries or try attacking a reader with a Proxmark for the initial key.

Last edited by Monster1024 (2020-06-19 21:05:02)


#3 2020-06-19 21:10:23

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

Monster1024 wrote:

Try using "hf mf autopwn", it will do all the magic :)
or
"hf mf autopwn k 8 B e2f02ea703a6"

If it does not work, try using different dictionaries or try attacking a reader with a Proxmark for the initial key.

Monster1024, now I try this command

"hf mf autopwn"


pm3 --> hf mf autopwn
help             This help
darkside         Darkside attack. read parity error messages.
nested           Nested attack. Test nested authentication
hardnested       Nested attack for hardened Mifare cards
keybrute         J_Run's 2nd phase of multiple sector nested authentication key recovery
nack             Test for Mifare NACK bug
chk              Check keys
fchk             Check keys fast, targets all keys on card
decrypt          [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace
-----------
dbg              Set default debug mode
rdbl             Read MIFARE classic block
rdsc             Read MIFARE classic sector
dump             Dump MIFARE classic tag to binary file
restore          Restore MIFARE classic binary file to BLANK tag
wrbl             Write MIFARE classic block
setmod           Set MIFARE Classic EV1 load modulation strength
-----------
sim              Simulate MIFARE card
eclr             Clear simulator memory block
eget             Get simulator memory block
eset             Set simulator memory block
eload            Load from file emul dump
esave            Save to file emul dump
ecfill           Fill simulator memory with help of keys from simulator
ekeyprn          Print keys from simulator memory
-----------
csetuid          Set UID for magic Chinese card
csetblk          Write block - Magic Chinese card
cgetblk          Read block - Magic Chinese card
cgetsc           Read sector - Magic Chinese card
cload            Load dump into magic Chinese card
csave            Save dump from magic Chinese card into file or emulator
ice              collect Mifare Classic nonces to file
pm3 --> hf mf autopwn k 8 b e2f02ea703a6
help             This help
darkside         Darkside attack. read parity error messages.
nested           Nested attack. Test nested authentication
hardnested       Nested attack for hardened Mifare cards
keybrute         J_Run's 2nd phase of multiple sector nested authentication key recovery
nack             Test for Mifare NACK bug
chk              Check keys
fchk             Check keys fast, targets all keys on card
decrypt          [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace
-----------
dbg              Set default debug mode
rdbl             Read MIFARE classic block
rdsc             Read MIFARE classic sector
dump             Dump MIFARE classic tag to binary file
restore          Restore MIFARE classic binary file to BLANK tag
wrbl             Write MIFARE classic block
setmod           Set MIFARE Classic EV1 load modulation strength
-----------
sim              Simulate MIFARE card
eclr             Clear simulator memory block
eget             Get simulator memory block
eset             Set simulator memory block
eload            Load from file emul dump
esave            Save to file emul dump
ecfill           Fill simulator memory with help of keys from simulator
ekeyprn          Print keys from simulator memory
-----------
csetuid          Set UID for magic Chinese card
csetblk          Write block - Magic Chinese card
cgetblk          Read block - Magic Chinese card
cgetsc           Read sector - Magic Chinese card
cload            Load dump into magic Chinese card
csave            Save dump from magic Chinese card into file or emulator
ice              collect Mifare Classic nonces to file
pm3 -->

####################

Maybe this command is not supported by the firmware from Iceman.

What does this command give?


#4 2020-06-20 00:50:37

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Help me find an error in getting the key to the sector Mifare Classic

Software/firmware could be a little too old (2019).

bootrom: iceman/master/ice_v3.1.0-1097-ga23414fe 2019-11-07 20:06:57
      os: iceman/master/ice_v3.1.0-1097-ga23414fe 2019-11-07 20:07:01

Try with the latest.


#5 2020-06-20 08:34:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Help me find an error in getting the key to the sector Mifare Classic

...especially since he is using iceman fork....


#6 2020-06-20 14:25:48

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

iceman wrote:

...especially since he is using iceman fork....

I took the latest firmware from here

Iceman fork
https://drive.google.com/drive/folders/1mMgdfnSEgFvA77xvbG_VnaLrZJHnvcSP

Did I understand correctly that this is an old firmware?
Is this branch deprecated and no longer supported?

Tell me please, do I have to get the NEW latest firmware from here?

RRG / Iceman repository (Proxmark3 rdv4):
RDV40 dedicated x86: Precompiled builds for RDV40 dedicated x86
RDV40 dedicated x64: Precompiled builds for RDV40 dedicated x64


#7 2020-06-20 14:29:03

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Help me find an error in getting the key to the sector Mifare Classic

Here is the always up-to-date firmware link: https://github.com/RfidResearchGroup/proxmark3 :)


#8 2020-06-20 14:32:00

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

My device is Proxmark3 EASY.
I do not have Proxmark3 rdv4((((

Can I use this firmware for Proxmark3 EASY?

RRG / Iceman repository (Proxmark3 rdv4):
RDV40 dedicated x86: Precompiled builds for RDV40 dedicated x86
RDV40 dedicated x64: Precompiled builds for RDV40 dedicated x64


#9 2020-06-20 14:33:15

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

Monster1024 wrote:

Here is the always up-to-date firmware link: https://github.com/RfidResearchGroup/proxmark3 :)


Do I need to compile the latest firmware? from here???

https://github.com/RfidResearchGroup/proxmark3


#10 2020-06-20 17:22:16

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Help me find an error in getting the key to the sector Mifare Classic

Key master wrote:

Do I need to compile the latest firmware? from here???

https://github.com/RfidResearchGroup/proxmark3

Yep, compile and upload the latest changes. You can use ProxSpace to get an environment on Windows.

Last edited by Monster1024 (2020-06-20 17:22:28)


#11 2020-06-20 19:25:01

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

Monster1024 wrote:
Key master wrote:

Do I need to compile the latest firmware? from here???

https://github.com/RfidResearchGroup/proxmark3

Yep, compile and upload the latest changes. You can use ProxSpace to get an environment on Windows.

Thanks Monster1024)) I found this

Generic Proxmark3 devices (non RDV4)

Precompiled builds for RRG / Iceman repository x86
Precompiled builds for RRG / Iceman repository x64

And I installed the latest firmware

And what is the difference between x86 and x64?
If I have Windows 10 x64, do I need to download the x64 one then, or not?

Last edited by Key master (2020-06-20 19:26:45)


#12 2020-06-20 21:03:53

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Help me find an error in getting the key to the sector Mifare Classic

It is the client architecture. If your Windows is x64, use x64.

Last edited by Monster1024 (2020-06-20 21:04:52)


#13 2020-06-20 21:14:24

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

Success, I updated the firmware, that's what I got

##################

Success, I managed to update the firmware, that's what I got

C:\FLASH-P3\win64\proxmark3.exe COM20
[=] Session log C:/Users/─хэшё/.proxmark3/logs/log_20200620.txt
[=] Loading preferences...
[+] loaded from JSON file C:/Users/─хэшё/.proxmark3/preferences.json
[=] Using UART port COM20
[=] Communicating with PM3 over USB-CDC


  ██████╗ ███╗   ███╗█████╗
  ██╔══██╗████╗ ████║╚═══██╗
  ██████╔╝██╔████╔██║ ████╔╝
  ██╔═══╝ ██║╚██╔╝██║ ╚══██╗       iceman@icesql.net
  ██║     ██║ ╚═╝ ██║█████╔╝    https://github.com/rfidresearchgroup/proxmark3/
  ╚═╝     ╚═╝     ╚═╝╚════╝   bleeding edge


[ Proxmark3 RFID instrument ]

[ CLIENT ]
  client: RRG/Iceman/master/v4.9237-399-g456cc66a 2020-06-19 13:46:09
  compiled with MinGW-w64 9.3.0 OS:Windows (64b) ARCH:x86_64

[ PROXMARK3 ]

[ ARM ]
  bootrom: RRG/Iceman/master/v4.9237-399-g456cc66a 2020-06-19 13:46:55
       os: RRG/Iceman/master/v4.9237-399-g456cc66a 2020-06-19 13:47:12
  compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

[ FPGA ]
  LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
  HF image built for 2s30vq100 on 2020-01-12 at 15:31:16

[ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 224096 bytes (43%) Free: 300192 bytes (57%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory


[usb] pm3 --> hf search
[|]Searching for ISO14443-A tag...
[+]  UID: 46 0C 2F 48
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K / Classic 1K CL2
[+]    MIFARE Plus 2K / Plus EV1 2K
[+]    MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak

[+] Valid ISO14443-A tag found

[/]
[usb] pm3 --> hf mf darkside
[=] --------------------------------------------------------------------------------

[=] executing Darkside attack. Expected execution time: 25sec on average
[=] press pm3-button on the Proxmark3 device to abort both Proxmark3 and client.
[=] --------------------------------------------------------------------------------

..
[-] card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
[-] generating polynomial with 16 effective bits only, but shows unexpected behaviour.
[usb] pm3 --> hf mf darkside
[=] --------------------------------------------------------------------------------

[=] executing Darkside attack. Expected execution time: 25sec on average
[=] press pm3-button on the Proxmark3 device to abort both Proxmark3 and client.
[=] --------------------------------------------------------------------------------

..
[-] card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
[-] generating polynomial with 16 effective bits only, but shows unexpected behaviour.
[usb] pm3 --> hf mf fchk 1 d e2f02ea703a6
[ 0] key E2 F0 2E A7 03 A6
[=] Running strategy 1

[=] Chunk: 0.2s | found 0/32 keys (1)

[=] Running strategy 2

[=] Chunk: 0.4s | found 0/32 keys (1)

[=] Time in checkkeys (fast):  0.6s

[!] No keys found

[usb] pm3 --> hf mf fchk 1 d
[+] No key specified, trying default keys
[ 0] ffffffffffff
[ 1] 000000000000
[ 2] a0a1a2a3a4a5
[ 3] b0b1b2b3b4b5
[ 4] c0c1c2c3c4c5
[ 5] d0d1d2d3d4d5
[ 6] aabbccddeeff
[ 7] 1a2b3c4d5e6f
[ 8] 123456789abc
[ 9] 010203040506
[10] 123456abcdef
[11] abcdef123456
[12] 4d3a99c351dd
[13] 1a982c7e459a
[14] d3f7d3f7d3f7
[15] 714c5c886e97
[16] 587ee5f9350f
[17] a0478cc39091
[18] 533cb6c723f6
[19] 8fd0a4f256e9
[20] 0000014b5c31
[21] b578f38a5c61
[22] 96a301bce267
[=] Running strategy 1

[=] Chunk: 0.4s | found 0/32 keys (23)

[=] Running strategy 2
.
[=] Chunk: 3.9s | found 0/32 keys (23)

[=] Time in checkkeys (fast):  4.3s

[!] No keys found

[usb] pm3 --> hf mf autopwn k 8 B e2f02ea703a6
[-] Key is wrong. Can't authenticate to sector:  8 key type: B key: E2 F0 2E A7 03 A6
[!] falling back to dictionary
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1

[=] Chunk: 0.4s | found 0/32 keys (23)

[=] running strategy 2
.
[=] Chunk: 3.9s | found 0/32 keys (23)

[=] --------------------------------------------------------------------------------

[=] executing Darkside attack. Expected execution time: 25sec on average
[=] press pm3-button on the Proxmark3 device to abort both Proxmark3 and client.
[=] --------------------------------------------------------------------------------

........................................................................................................

[-] key not found (lfsr_common_prefix list is null). Nt=04000000
[-] this is expected to happen in 25% of all cases. Trying again with a different reader nonce...
............................................................................

[-] key not found (lfsr_common_prefix list is null). Nt=04000000
[-] this is expected to happen in 25% of all cases. Trying again with a different reader nonce...
.........................................................................................................................................................

[-] key not found (lfsr_common_prefix list is null). Nt=04000000
[-] this is expected to happen in 25% of all cases. Trying again with a different reader nonce...
................................................................................................................................................................

[-] key not found (lfsr_common_prefix list is null). Nt=04000000
[-] this is expected to happen in 25% of all cases. Trying again with a different reader nonce...
.................................................................................................................................................................................................................................................................................................

[-] key not found (lfsr_common_prefix list is null). Nt=04000000
[-] this is expected to happen in 25% of all cases. Trying again with a different reader nonce...
....................................................................................................


The last command "hf mf autopwn k 8 B e2f02ea703a6" has been running for more than 2 hours((((

I think the chameleon gave me the wrong key... So a mistake in the chameleon...
I don't know what to do next, does anyone have any ideas?


#14 2020-06-20 21:30:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Help me find an error in getting the key to the sector Mifare Classic

You might have a card with static nonce. 

hf 14a info
hf mf rdbl 0 a ffffffffffff
hf 14a list


#15 2020-06-20 21:46:32

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

iceman wrote:

You might have a card with static nonce. 

hf 14a info
hf mf rdbl 0 a ffffffffffff
hf 14a list

Thanks Iceman. Now I try this command


#16 2020-06-20 21:50:41

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

This is what I get

###############

[usb] pm3 --> hf 14a info

[+]  UID: 46 0C 2F 48
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K / Classic 1K CL2
[+]    MIFARE Plus 2K / Plus EV1 2K
[+]    MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[usb] pm3 --> hf mf rdbl 0 a ffffffffffff
--block no:0, key type:A, key:FF FF FF FF FF FF
[#] Auth error
[-] failed reading block
[usb] pm3 --> hf 14a list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 120 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
[usb] pm3 -->


I think here we need a sniffer log between the reader and the card.
But I don't have the experience and knowledge to do this. Maybe someone will tell me which commands to enter, and in what order to enter them.


#17 2020-06-20 21:56:28

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

Can I see the data log between the reader and the chameleon?
Maybe someone knows whether it is possible to see the chameleon log data?


#18 2020-06-30 20:34:08

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Help me find an error in getting the key to the sector Mifare Classic

Key master wrote:

Can I see the data log between the reader and the chameleon?
Maybe someone knows whether it is possible to see the chameleon log data?

python3 chamtool.py -p /dev/cu.usbmodem14101 -lm MEMORY

put the card on reader, then run

python3 chamlog.py -p /dev/cu.usbmodem14101


#19 2020-08-11 21:15:07

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

Hello everyone!!! Success: I used a sniffer (Proxmark3 Easy) to get the correct key for the sector. And I opened all sectors.

Now I know for sure that the mistake is in the chameleon. Please tell me where I should write about this bug in the chameleon.


#20 2020-08-11 21:25:01

Key master
Contributor
From: Moscow
Registered: 2020-01-08
Posts: 18

Re: Help me find an error in getting the key to the sector Mifare Classic

Monster1024 wrote:
Key master wrote:

Can I see the data log between the reader and the chameleon?
Maybe someone knows whether it is possible to see the chameleon log data?

python3 chamtool.py -p /dev/cu.usbmodem14101 -lm MEMORY

put the card on reader, then run

python3 chamlog.py -p /dev/cu.usbmodem14101



Hello Monster

If I have Windows 10 x64, how can I get the logs?

It would be a cool idea if the ability to write a chameleon log was built into iceman's GUI for the chameleon.
Then searching for errors would be much more convenient and faster. Maybe someone knows where to write about this idea, so that it would be possible to record and manage chameleon logs through the GUI.
