Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device!

#1 2012-02-15 20:37:08

axxe
Member
Registered: 2012-02-15
Posts: 7

Mifare Classic 1k - it doesn't answer with a NACK

I think I have a mifare1k, with ATQA 0400 and SAK 08... Some sectors are protected with default keys, so with the help of MFOC I got the other keys.

With my own tool I'm trying to get a NACK answer: fixing the tagNonce, the readerNonce and the readerAnswer, I'm trying to change all the possible parity bits (128 possibilities for 8 parity bits) and try a fake authentication to get the 4-bit NACK answer from the tag.

I've tried it on another mifare1k and I usually get the NACK before reaching the 128 authentications.
On another mifare1k I have a NACK each time I try an authentication, as explained in some online pdf...

But with the last mifare1k that I am testing I can't get any NACK answer! How is it possible?
Maybe it's not a Mifare Classic? But MFOC worked well with it...

Any suggestions?

Thanks! And sorry for the crossposting from libnfc.org :)

#2 2012-02-18 13:07:31

vivat
Contributor
Registered: 2010-10-26
Posts: 314

Re: Mifare Classic 1k - it doesn't answer with a NACK

axxe wrote:

With my own tool I'm trying to get a NACK answer: fixing the tagNonce, the readerNonce and the readerAnswer, I'm trying to change all the possible parity bits (128 possibilities for 8 parity bits) and try a fake authentication to get the 4-bit NACK answer from the tag.

Why? Do you want to get the keys or what?

axxe wrote:

I've tried it on another mifare1k and I usually get the NACK before reaching the 128 authentications.
On another mifare1k I have a NACK each time I try an authentication, as explained in some online pdf...

But with the last mifare1k that I am testing I can't get any NACK answer! How is it possible?
Maybe it's not a Mifare Classic? But MFOC worked well with it...

Any suggestions?

Maybe your second Mifare Classic tag is not an original Mifare (OEM), or it has protection from darkside and nested attacks (newer mifare1k from NXP/Philips have this protection).

axxe wrote:

on some online pdf...

Sorry, our telepath is on vacation now.

#3 2012-02-18 13:24:09

axxe
Member
Registered: 2012-02-15
Posts: 7

Re: Mifare Classic 1k - it doesn't answer with a NACK

vivat wrote:

Do you want to get the keys or what?

Yes, I'm trying to implement the darkside attack with my own NFC reader. So as a first step I was trying to get a NACK answer from the tag.

vivat wrote:

Maybe your second Mifare Classic tag is not an original Mifare (OEM), or it has protection from darkside and nested attacks (newer mifare1k from NXP/Philips have this protection).

The nested attack worked well, so probably it has some protection for the darkside attack or it's not an original card.

vivat wrote:

our telepath is on vacation now.

I was talking about the "THE DARK SIDE OF SECURITY BY OBSCURITY" pdf.


So without any NACK answer and any sector protected with default keys it's impossible to attack the card somehow, yes?

#4 2012-02-19 07:35:57

vivat
Contributor
Registered: 2010-10-26
Posts: 314

Re: Mifare Classic 1k - it doesn't answer with a NACK

with my own NFC reader

What reader?
What card?
What is your setup?

So without any NACK answer and any sector protected with default keys it's impossible to attack the card somehow, yes?

No, you can still retrieve the keys by sniffing the transaction between a genuine reader and your card (using proxmark3) or by a MITM attack using 2 NFC devices. Then just use crapto1 to decrypt the sniffed/relayed data.

#5 2012-02-19 20:36:34

axxe
Member
Registered: 2012-02-15
Posts: 7

Re: Mifare Classic 1k - it doesn't answer with a NACK

I'm using my homemade prototype of an NFC reader based on the TRF7970A from Texas Instruments.

So, yes, the only way to attack the card in such cases is the transaction sniffing.

Thanks again for the reply :)
