Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device!

#1 2012-02-15 20:37:08

axxe
Member
Registered: 2012-02-15
Posts: 7

Mifare Classic 1k - it doesn't answer with a NACK

I think I have a Mifare 1k, with ATQA 0400 and SAK 08... Some sectors are protected with default keys, so with the help of MFOC I got the other keys.

With my own tool I'm trying to get a NACK answer: fixing the tagNonce, the readerNonce and the readerAnswer, I'm trying to change all the possible parity bits (128 possibilities for 8 parity bits) and try a fake authentication to get the 4-bit NACK answer from the tag.

I've tried it on another Mifare 1k and I usually get the NACK before reaching the 128 authentications.
On another Mifare 1k I get a NACK each time I try an authentication, as explained in some online PDF...

But with the last Mifare 1k that I am testing I can't get any NACK answer! How is that possible?
Maybe it's not a Mifare Classic? But MFOC worked well with it...

Any suggestions?

Thanks! And sorry for the crossposting from libnfc.org :)


#2 2012-02-18 13:07:31

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Mifare Classic 1k - it doesn't answer with a NACK

axxe wrote:

With my own tool I'm trying to get a NACK answer: fixing the tagNonce, the readerNonce and the readerAnswer, I'm trying to change all the possible parity bits (128 possibilities for 8 parity bits) and try a fake authentication to get the 4-bit NACK answer from the tag.

Why? Do you want to get the keys or what?

axxe wrote:

I've tried it on another Mifare 1k and I usually get the NACK before reaching the 128 authentications.
On another Mifare 1k I get a NACK each time I try an authentication, as explained in some online PDF...

But with the last Mifare 1k that I am testing I can't get any NACK answer! How is that possible?
Maybe it's not a Mifare Classic? But MFOC worked well with it...

Any suggestions?

Maybe your second Mifare Classic tag is not an original Mifare (OEM), or it has protection from darkside and nested attacks (newer Mifare 1k cards from NXP/Philips have this protection).

axxe wrote:

in some online PDF...

Sorry, our telepath is on vacation now.


#3 2012-02-18 13:24:09

axxe
Member
Registered: 2012-02-15
Posts: 7

Re: Mifare Classic 1k - it doesn't answer with a NACK

vivat wrote:

Do you want to get the keys or what?

Yes, I'm trying to implement the darkside attack with my own NFC reader. So as a first step I was trying to get a NACK answer from the tag.

vivat wrote:

Maybe your second Mifare Classic tag is not an original Mifare (OEM), or it has protection from darkside and nested attacks (newer Mifare 1k cards from NXP/Philips have this protection).

The nested attack worked well, so probably it has some protection against the darkside attack or it's not an original card.

vivat wrote:

our telepath is on vacation now.

I was talking about the "THE DARK SIDE OF SECURITY BY OBSCURITY" pdf.


So without any NACK answer and any sector protected with default keys it's impossible to attack the card somehow, yes?


#4 2012-02-19 07:35:57

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Mifare Classic 1k - it doesn't answer with a NACK

with my own NFC reader

What reader?
What card?
What is your setup?

So without any NACK answer and any sector protected with default keys it's impossible to attack the card somehow, yes?

No, you can still retrieve the keys by sniffing a transaction between a genuine reader and your card (using proxmark3) or by a MITM attack using 2 NFC devices. Then just use crapto1 to decrypt the sniffed/relayed data.


#5 2012-02-19 20:36:34

axxe
Member
Registered: 2012-02-15
Posts: 7

Re: Mifare Classic 1k - it doesn't answer with a NACK

I'm using my homemade prototype of NFC reader based on the TRF7970A from Texas Instruments.

So, yes, the only way to attack the card in such cases is the transaction sniffing.

Thanks again for the reply :)


#6 2016-08-12 11:11:48

felix_lol
Contributor
Registered: 2016-08-01
Posts: 2

Re: Mifare Classic 1k - it doesn't answer with a NACK

Greetings, axxe

I came across the same situation.

I also have my homemade reader, which is an NXP MFRC522 baseband driven by an STM32 MCU.
And I implemented part of the darkside attack on the device.

I find that there are five types of card behavior:

1) The card returns a small range of nT, and always answers with NACK no matter what the spoofed data (and parity bits) are. This type of card agrees with the description of weaker cards in the paper (The Dark Side of Security by Obscurity).
2) The card returns a medium range of nT, and sometimes answers with NACK. (normal Mifare Classic card)
3) The card returns a large range of nT, and no NACK is returned, no matter what the parity is.
4) The card returns a different nT each time. There is a possibility that NACK is answered by the card.
5) The card returns the same nT each time. (UID changeable card)

In the above 5 behaviors, 3) is exactly what you described. I don't know what the card is, or what the manufacturer is.

I guess the type 3) card is also some kind of illegal or unlicensed Mifare Classic card.

Please feel free to reply below if you have further discoveries.
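
Added example (not part of felix_lol's post and not Proxmark code): a small Python triage script for auditing card stock, which sorts recorded authentication attempts into the five behaviours listed in post #6. The log format, the `Attempt` record, the 10-attempt minimum and the two range thresholds are assumptions; the post only says "small", "medium" and "large".

```python
from collections import namedtuple

# One recorded authentication attempt: the tag nonce (nT) the card sent and
# whether a 4-bit NACK came back. The log format is constructed for this example.
Attempt = namedtuple("Attempt", "nt nack")

# Assumed cut-offs on distinct-nT / attempts; the post only says "small",
# "medium" and "large" range, so tune these for your own reader and sample size.
SMALL_RANGE = 0.10
LARGE_RANGE = 0.60

def parse_log(text):
    """Parse lines such as 'nt=4f2a91c3 nack=1' into Attempt records."""
    attempts = []
    for line in text.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        attempts.append(Attempt(int(fields["nt"], 16), fields["nack"] == "1"))
    return attempts

def classify(attempts):
    """Return the behaviour number 1-5 from the post, or 0 if none fits."""
    n = len(attempts)
    if n < 10:  # assumed minimum sample size
        raise ValueError("too few attempts to judge nonce range")
    distinct = len({a.nt for a in attempts})
    nacks = sum(a.nack for a in attempts)
    ratio = distinct / n
    if distinct == 1:
        return 5                      # same nT every time
    if nacks == 0 and ratio >= LARGE_RANGE:
        return 3                      # large range, never a NACK
    if distinct == n and nacks > 0:
        return 4                      # different nT every time, occasional NACK
    if ratio <= SMALL_RANGE and nacks == n:
        return 1                      # small range, NACK on every attempt
    if SMALL_RANGE < ratio < LARGE_RANGE and 0 < nacks < n:
        return 2                      # medium range, NACK some of the time
    return 0                          # mixed evidence: collect more attempts

# Constructed sample: 20 attempts against one card, 2 distinct nonces, all NACKed.
SAMPLE_LOG = "\n".join(f"nt={0x4f2a91c3 + (i % 2):08x} nack=1" for i in range(20))

if __name__ == "__main__":
    print("behaviour type:", classify(parse_log(SAMPLE_LOG)))
```

A result of 0 means the sample does not match any single behaviour cleanly; with few attempts, types 3 and 4 are hard to tell apart unless a NACK shows up.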
