Proxmark3 community

#1 2020-10-21 15:11:23

JohnDoePM
Contributor
Registered: 2018-07-08
Posts: 49

Problems to decode Mifare 1K

Dear community,

I have an "old" PM3

pm3 --> hw ver

Proxmark3 RFID instrument
          

 [ CLIENT ]          
 client: iceman build for RDV40 with flashmem; smartcard;  
          
 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-1097-ga23414fe 2019-11-29 15:16:33
      os: iceman/master/ice_v3.1.0-1097-ga23414fe 2019-11-29 15:16:36

 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 238663 bytes (46%) Free: 285625 bytes (54%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory      

and that card:

pm3 --> hf 14a info
 UID : ** B* ** B7           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
[=] proprietary non iso14443-4 card found, RATS not supported          
[=] Answers to magic commands: NO          
[+] Prng detection: WEAK          

A hardnested attempt leads to

pm3 --> hf mf hardnested 0 A a0a1a2a3a4a5 6 A
Key is wrong. Can't authenticate to block:  0 key type:A 

That is also the case for other combinations:

pm3 --> hf mf hardnested 0 A ffffffffffff 4 A
Key is wrong. Can't authenticate to block:  0 key type:A      

Could there be a hardware failure, or what am I missing?
Best regards

JD.

Last edited by JohnDoePM (2020-10-28 14:27:23)

#2 2020-10-21 15:53:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Problems to decode Mifare 1K

you need a known key for that tag in order for hardnested to work

#3 2020-10-21 16:01:27

JohnDoePM
Contributor
Registered: 2018-07-08
Posts: 49

Re: Problems to decode Mifare 1K

Hi iceman,

I do know that, so I tried to decode the card with "standard keys" like a0a1a2a3a4a5 or ffffffffffff and different blocks.
I also tried hf mf chk *1 d default_keys.dic with no luck.
Am I to buy a new PM4 and try autopwn?

#4 2020-10-21 18:47:29

fazer
Contributor
Registered: 2019-03-02
Posts: 153

Re: Problems to decode Mifare 1K

Hi JohnDoePM, first I would update my proxmark.
Good night.

#5 2020-10-28 13:58:12

JohnDoePM
Contributor
Registered: 2018-07-08
Posts: 49

Re: Problems to decode Mifare 1K

Dear community,

I've updated my PM3 V3 successfully to the latest Repo.

[usb] pm3 --> hf 14a info

[+]  UID: ** B* ** B7 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[#] 1 static nonce 01200145
[+] Static nonce: yes

Since I read here about static nonces, I tried

~/Githubs/proxmark3/tools/mfkey$ ./mfkey32 12345678 12345678 12345678 12345678 12345678 12345678
MIFARE Classic key recovery - based on 32 bits of keystream
Recover key from two 32-bit reader authentication answers only!

Recovering key for:
    uid: 12345678
     nt: 12345678
 {nr_0}: 12345678
 {ar_0}: 12345678
 {nr_1}: 12345678
 {ar_1}: 12345678

LFSR succesors of the tag challenge:
  nt': cdd2b112
 nt'': dea454bc

Keystream used to generate {ar} and {at}:
  ks2: dfe6e76a

Found Key: [e8261241d7f7]

But in which way could that eventually help?
I've tried all blocks "manually" with that key but without any luck, for example:

[usb] pm3 --> hf mf staticnested 1 7 B e8261241d7f7
[#] 1 static nonce 01200145
[!] ⚠️  Wrong key. Can't authenticate to block:   7 key type: B

Any hints are appreciated!
Regards

JD.

#6 2020-10-28 15:04:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Problems to decode Mifare 1K

if you collected the traces, and I see you are on RRG/Iceman repo,
try using

sniff/sim
 
hf mf list

And how sure are you that it is block 7 b key you found?
have you manually tested it with rdbl or fchk?

#7 2020-10-28 15:11:02

JohnDoePM
Contributor
Registered: 2018-07-08
Posts: 49

Re: Problems to decode Mifare 1K

Iceman,

of course you're right: I need to sniff the traffic between tag and reader. Then I will try to generate one key with mfkey32 like here.
I'll keep the thread updated if I get further.

Offline
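
Post #6 asks how sure one can be that a recovered key is the block 7 B key. As an added example (not code from the thread or from the Proxmark3 project), the Python below decodes the plaintext AUTH command at the start of a sniffed exchange, checks its CRC_A, and reports which sector and key type a key recovered from that exchange belongs to. The trace lines are constructed, the function names are hypothetical, and the sector mapping also covers the 4K layout, which goes beyond the 1K card discussed here.

```python
# Added example, not Proxmark3 code. Frames below are constructed samples.
AUTH_KEY_TYPE = {0x60: "A", 0x61: "B"}  # MIFARE Classic AUTH command bytes

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (initial value 0x6363), returned low byte first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = (crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)
    return bytes([crc & 0xFF, crc >> 8])

def sector_of(block: int) -> tuple:
    """Return (sector, trailer_block). Blocks 0-127 use 4-block sectors
    (all of a 1K card); blocks 128-255 on a 4K card use 16-block sectors."""
    if block < 128:
        sector = block // 4
        return sector, sector * 4 + 3
    sector = 32 + (block - 128) // 16
    return sector, 128 + (sector - 32) * 16 + 15

def parse_auth(frame_hex: str):
    """Decode a plaintext AUTH frame (cmd, block, CRC_A); None if it is not one."""
    try:
        frame = bytes.fromhex(frame_hex)
    except ValueError:
        return None
    if len(frame) != 4 or frame[0] not in AUTH_KEY_TYPE:
        return None
    if crc_a(frame[:2]) != frame[2:]:
        return None  # corrupted capture: do not trust the block number
    sector, trailer = sector_of(frame[1])
    return {"key_type": AUTH_KEY_TYPE[frame[0]], "block": frame[1],
            "sector": sector, "trailer": trailer}

def key_matches_target(auth: dict, block: int, key_type: str) -> bool:
    """True if a key from this AUTH session guards `block` with `key_type`."""
    return (auth["sector"] == sector_of(block)[0]
            and auth["key_type"] == key_type.upper())

if __name__ == "__main__":
    constructed_trace = ["60 00 f5 7b", "61 07 92 16", "60 04 d1 3c", "01 20 01 45"]
    for line in constructed_trace:
        auth = parse_auth(line)
        if auth is None:
            print(f"{line}: not a valid AUTH command")
        else:
            print(f"{line}: key {auth['key_type']} for sector {auth['sector']}, "
                  f"usable for block 7 key B: {key_matches_target(auth, 7, 'B')}")
```

A key recovered from a session that opened with `60 00` is the sector 0 key A, so it is expected to fail against block 7 key B.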
