Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2013-10-15 02:02:06

The Enterprise
Contributor
Registered: 2013-10-14
Posts: 18

cracking mifare keys

I seem to be running into a few problems when cracking keys.

1: For some reason, when I try *hf 14a reader* it says something like "non-proprietary ISO14443A card", but I know it is a Mifare Classic 1k card because my ACR122U reads it and says it is.

2: I used *hf 14a snoop* on the card traffic and got this:

 +      0:   0: TAG 04  00              
 +    299:   0: TAG 89  3c  64  80  51              
 +    811:   0: TAG 88  be  59              
 +   1379:   0: TAG 7a  d1  80  f9              
 +    699:   0: TAG cd! c5  bd! 8a              
 +    475:   0: TAG 65! 58  3f! 7e  a4  42! b1! 72  0d  84  38  03  35! c2! 8a  7b  06! 33     !crc          
 +    451:   0: TAG 65! 02  9d  90  c5  bd  1f! 59  1f! 6d! f9  67! 75  0c  61! fb  f0! 8d     !crc          
 +    435:   0: TAG b5! c8  0b  03  7e! 07! 96! 1d! 25! dc! 1c! 56  c4  2d! b1  86! df  d9     !crc          
 +   1347:   0: TAG 89  f3! 7f  78              
 +    712:   0: TAG 3f! 23  a8  2c              
 +    459:   0: TAG 77  c9! 65  32! 2d  a9  56  0a! d9! fc  ee  20  a5! e1  f2! 30! 60  bb!    !crc          
 +    451:   0: TAG f2  f2! d4  96  e4  86! 56  56  e6! 58! 70  a9  36  f8! be! f1  61  2a     !crc          
 +    435:   0: TAG 8f  6b! 8b! 18! 7b  54! 78! 67  25  69  6a! 47  5e! 2c! d4  fa! 4c! a6     !crc          
 +    587:   0: TAG b4  39! d3  19!             
 +    699:   0: TAG a3  0c  4a  e3              
 +    443:   0: TAG fa! 6a! c8  52  3a  41  dd! 1a! ef  bf! 12! cb! 9e  53! c3! cf! ef  52     !crc          
 +    443:   0: TAG 36  0d! 0d! e1! ad  32  0d! 61  f6  8b! c3! 5a  ff  95  b6! e9! fc  43     !crc          
 +    435:   0: TAG d2! ee! 08! 77  03! e1! 1e! 85  92  b8! ca! 5d! de  dd! 8a! a5! e3! eb!    !crc          
 +    555:   0: TAG da  d5  9e! 3a!             
 +    691:   0: TAG 46  bb  9a! 6c!             
 +    467:   0: TAG e7  4c  ee  aa  50! 39! 56! 64  a3  40! a9! 72! b8! c2! b2  2c  c5  02     !crc          
 +      6:   0: TAG 08              
 +    451:   0: TAG 27! a6  dc! 00  a5  c9! f2  c1! e2! 8b! bb! 39  93! 2d  0a  b4! 69! e3!    !crc          
 +    435:   0: TAG 2c  59! 66  8e  7c  87! 40! c6  ad  16  41! 34  63  14! 34  43  39! cf!    !crc          
 +    531:   0: TAG 62! 1e! cb! 17              
 +    691:   0: TAG 4e! a3! f7  3e              
 +    427:   0: TAG 81! f5! 43! a7! 09! 4a! 2a  28  8c  a4  50! 5d! b9! e1! 37  47! 41! 3a!    !crc          
 +    435:   0: TAG 12! 19! 10  c4  9d! b0! da! 2e  8d  b3! 74! fb  00  e3  95! 2e  13! 2a!    !crc          
 +    435:   0: TAG f3  49  31  7b! 14  67  c0! c1  d3  03! d9! 86  02  d5! fc  9e  13! 16!    !crc          
 +    523:   0: TAG 1d! 53! c4  73              
 +    691:   0: TAG d5  ad  70! e6              
 +    427:   0: TAG a6! 7a  47  18! bc! 59! ea! c4! 76  5b! fe  c1! ff! 81! f9! 4d  c8! f2!    !crc          
 +    435:   0: TAG f9  61! f2  37! c1  ac  73  d9  d5  e3  cb  4b! c8! 9a! f7! e8! df! c8!    !crc          
 +    439:   0: TAG 7f  04! de! c9! 3e! eb! 30! 0f  e2! 2b  5c! 65  71  50! 69  06  8e  f4     !crc          
 + 140980:    :     26              
 +     64:   0: TAG 04  00              
 +    276:    :     93  20              
 +     64:   0: TAG 89  3c  64  80  51              
 +    748:    :     93  70  89  3c  64  80  51  87  70              
 +     64:   0: TAG 88  be  59              
 +    780:    :     61  00  2d  62              
 +    112:   0: TAG 57  ae  7a  85              
 +    636:    :     2c  e3  63  91  39  dc  00  75     !crc          
 +     64:   0: TAG 5d! 28! 5b! 17              
 +    404:    :     30  85  71  c5     !crc          
 +   1334:   0: TAG 1f              
 +    584:    :     5d  7f  2f  33     !crc          
 +    112:   0: TAG 12  db  2d  31!             
 +    628:    :     3f  06  5d  ae  0b  04  97  b0     !crc          
 +     64:   0: TAG 07! 04! 6c  a1!             
 +    412:    :     cd  e0  9b  36     !crc          
 +     64:   0: TAG 07              
 +   1380:    :     1c  e9  fc  88  49  cf  2d  7f  2e  76  4f  65  b1  21  c7  c7  6e  eb     !crc          
 +   2992:   0: TAG 00!             
 +    396:    :     d3  24  43  d8     !crc          
 +     64:   0: TAG 07              
 +   1372:    :     6b  f4  f9  5c  63  1e  f8  0d  b0  1e  be  e1  a1  86  74  99  6e  75     !crc          
 +   2992:   0: TAG 0c!             
 +    444:    :     04  f6  22  7d     !crc          
 +     64:   0: TAG 06!             
 +   1380:    :     d3  bc  78  1d  54  22  57  3b  05  8d  ec  70  28  a0  a0  7a  21  9e     !crc          
 +   2996:   0: TAG 01              
 +    452:    :     60  ff  77  47     !crc          
 +    112:   0: TAG ad! 80! 84! c4              
 +    628:    :     c3  9d  0a  af  7a  97  c5  c1     !crc          
 +     64:   0: TAG bf! 01  f1  2b              
 +    380:    :     cd  43  fb  63     !crc          
 +     64:   0: TAG 0f!             
 +   1372:    :     b6  b3  4e  93  00  ef  66  72  1c  24  fc  e2  8e  91  c5  5a  70  b1     !crc          
 +   2992:   0: TAG 02              
 +    444:    :     ed  c1  f5  e9     !crc          
 +    112:   0: TAG 2c! 55! 44! 3f              
 +    628:    :     17  ff  3a  08  58  4f  ed  a5     !crc          
 +     64:   0: TAG 11! 52  3c  41!             
 +    364:    :     f0  3c  12  dc     !crc          
 +     64:   0: TAG 01              
 +   1372:    :     fb  ed  c8  88  df  f8  56  83  e8  f5  5b  41  d0  82  0b  1c  1a  fa     !crc          
 +   2992:   0: TAG 09!             
 +   1284:    :     18  55  58  17     !crc          
 +546176990:   0: TAG 04  00              
 +    306:   0: TAG 89  3c  64  80  51              
 +    810:   0: TAG 88  be  59              
 +   1374:   0: TAG 62  8f  2d  31              
 +    706:   0: TAG df! f7  ab  ea              
 +    482:   0: TAG 95! 9a! 6f  67  79  b0  33! 88  61! 51  ff  f4  5a! a8  c9! 65! d9  73!    !crc          
 +    450:   0: TAG 70! 3f  76! 07  f6  83! 03  db  d7! 26  d6! 63  7b  8f  74! 5c  71! 17!    !crc          
 +    434:   0: TAG 04  5f  44! 83! 3e! c8  cd! e2  64! 8e  26! d2  38  25! 5e! 74! be! eb     !crc          
 +   1282:   0: TAG 2e  ce! 04! df              
 +    690:   0: TAG 8c! 9e! 69! 76              
 +    466:   0: TAG 75  e4  cc  3a! a8  88! e7  e4  70  6f! 75! 8c! 88  72  a0  e8! ea! 21     !crc          
 +    450:   0: TAG 16! 3b  e3! 08! 4e  86  cb! 6a  e8! cf! d1  2a  2d  5a! a7! d8  45  3e!    !crc          
 +    434:   0: TAG 28! 9d  60! 52! dc  d7! 2b! 53  66  46  19  af  de! 49  1b! 0d  b6  31!    !crc          
 +    586:   0: TAG f0  1b! aa  60!             
 +    694:   0: TAG 6b  4e! 50! 58!             
 +    434:   0: TAG 21  d2! 2b  1b  2f  09! 76! b8  43  45! 8b  a0  1b! 9d  52! 87  11  18     !crc          
 +    442:   0: TAG 1d  c1  8c  3a! 3f! 5e  b5! 71  ef! 89  61  c2! e5  6a  aa  61  ef  a8!    !crc          
 +    434:   0: TAG 00  4b! 58! 99! 14! ff! 0a! d1  f3! 12! 46! be  7a  6a! d2  67! 1a  ba!    !crc          
 +    546:   0: TAG a5! c2  79  e2              
 +    690:   0: TAG 80! 2e  82  86!             
 +    434:   0: TAG 4b! 6b  8a  cb  59  5a  81  91! 5e! e2! c8! ab! 65  81! 01! 88  56  74     !crc          
 +    434:   0: TAG 56  a7! 08  57! 93! 60! 30! 25  71! 61! 7e  3e! 37! 82! 43  15! 96  e8     !crc          
 +    434:   0: TAG 92  51! 0b  d7! e1  a8  1a  b1! be  09  b6  8c  0b  c3  1d  58  53! db     !crc          
 +    522:   0: TAG 27! bd  cc! c6!             
 +    690:   0: TAG 16! 42  92! 86              
 +   1374:   0: TAG 24  9a! 68! 2a  76              
 +    434:   0: TAG 1b! cd  29! 7d! 5b  8b  ce  ab! ed! b4  42! dd! c6  15! 64! 91  d4  70!    !crc          
 +    434:   0: TAG da  16! 97  cb  65! ef! 86! c5! 50! 86! 18! f5! 8f  63! 83  dd  60  95!    !crc          
 +    522:   0: TAG cb  67! ea! 76!

I'm guessing:

UID=893c648051
TAG CHALLENGE=57ae7a85
READER CHALLENGE=2ce36391
READER RESPONSE=39dc0075
TAG RESPONSE=5d285b17

The key should be D2D72CB60F59 using CRAPTO1 gui v1.01

So when I do *hf mf rdsc 0 A D2D72CB60F59*

I get Authentication Failed

Am I doing something wrong?

#2 2013-10-15 05:39:59

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: cracking mifare keys

Key B.

#3 2013-10-16 03:13:04

The Enterprise
Contributor
Registered: 2013-10-14
Posts: 18

Re: cracking mifare keys

OHHHHHHHHHH, you're right, stupid me. I appreciate it.

#4 2015-09-29 18:35:08

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Hi guys,
I sniffed a Mifare communication; please find the log below.
the UID is a2 f2 69 ea

    26 
    26 
    26 
    22 
U00 
Uff 
    26 
TAG 04 00 
    93 20 
TAG a2 f2 69 ea d3 
    93 70 a2 f2 69 ea d3 21 02 
TAG 00 24 d8 
    61 03 b6 50 
TAG 01 20 01 45 
    31 f0 4b 31 bb 22 a6 b5 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 99 
    61 03 b6 50 
TAG 01 20 01 45 
    4a 0c 2c 22 4d 40 3e c3 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 05 
    b9 a0 4d cc 5e bd 34 30 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    50 d5 d0 7a f5 f3 f3 c4 
TAG 19 84 69 ad 
    9b 2c 19 3f 
TAG 11 cd 3c 98 54 90 51 af 98 3d 8a f2 d8 c0 40 b9 b2 3e 
    d3 88 30 09 
TAG 1d 4b d3 73 
    d7 f7 fa 04 1a 2e 54 03 
TAG f5 1f ed 6b 
    97 9d 58 82 
TAG 9e 85 db 42 ee 78 44 31 d7 50 a5 90 06 9a 1c 91 84 20 
    ec 2d a1 d6 
TAG 3f f4 50 6f 4b e7 d7 6f 6d 8c 72 d0 1c 38 56 16 ef a5 
    1e cf a8 40 
TAG 6e 80 14 0f 0e 06 66 c4 1f 73 9d 1e f5 29 87 3c b8 2f 
    49 65 7d 16 
TAG 42 11 ff ff 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    45 70 21 3f 66 61 11 e0 
TAG 74 9a ea 13 
    1c 44 df d3 
TAG 61 6d 3e 3b 3f cd 50 95 c9 44 32 71 5f d4 19 f9 7c b4 
    8e c3 7c 73 
TAG 6f 46 43 8f 
    17 6f 8a 86 8b 04 2d 92 
TAG 44 17 87 3d 
    5e 54 5e a6 
TAG 9d 1c 39 f8 00 40 40 ad 02 e5 02 35 2e 39 31 9d 90 1d 
    de 12 a3 26 
TAG 27 37 e1 36 e0 0e de 07 88 d0 1d e4 a7 1e 22 ef 3b f3 
    d8 62 0e 7a 
TAG 44 7c ba 2d 7b 14 05 c6 93 a7 96 1f ad f5 e7 be 89 0b 
    d8 94 c5 29 
    52 
TAG 00 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    f7 cb 51 71 53 1c e8 2c 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    f0 a1 16 37 b0 00 f6 21 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    d8 79 5e f3 c1 c6 21 82 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    4f 2d d0 f1 6f 93 da b3 
TAG 88 64 35 2b 
    7a e3 2a 49 
TAG a1 82 c1 bb 14 70 ed 74 b9 75 b1 d1 98 d9 85 06 51 77 
    3b 21 f0 18 
TAG 5c 23 fe 40 
    3d 21 af ef 57 68 71 08 
TAG ef ff dd 21 
    81 44 23 ca 
TAG 49 33 04 06 04 03 3a 13 29 59 5c 59 53 40 6a 3b 69 54 
    28 b7 64 64 
TAG 8b 61 93 7f 8e 9c 25 e4 54 32 d1 14 f6 eb 82 d7 06 40 
    d6 c9 ec e4 
TAG e2 80 64 cb 61 f4 8d af 3d 0b 3d d2 4d e3 33 5c 60 5d 
    44 26 60 30 
TAG 20 30 09 69 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    2f 7b c4 a2 97 0a 1a 84 
TAG fc 4c 44 12 
    71 0b 0a 2c 
TAG b8 90 b7 62 1b 06 1e 41 7c 58 7e da c2 11 09 ea a9 b8 
    3b 6e de 8d 
TAG 66 55 4f 44 
    6d 27 ae 65 79 3e cd 9f 
TAG 70 07 19 62 
    f6 fb 8e e0 
TAG 3f 40 bf 64 53 42 f5 a9 5c 6a 84 91 93 df e9 f6 bd 56 
    8f 2a c1 33 
TAG d7 ca c0 02 8e 40 68 3c 2f 7e 9e 1c fb 10 0c 49 9f 3f 
    3f 4d 6f 08 
TAG 46 44 72 64 82 0e 59 b5 5c 59 8b e9 5e b8 7c fa fa 22 
    e0 8c 24 23 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    a1 8d b0 d1 a2 9b 63 65 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
Uc1 ff ff fe ba 
Uf8 a8 86 d4 aa e9 b1 d2 f9 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    d2 27 46 8f db 62 de 66 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    87 8d 75 ee 52 0a 60 81 
TAG 74 b7 70 61 
    d7 2b 04 0d 
TAG dc 60 07 20 70 06 80 e7 9d fe cc 98 4a 34 0e 94 55 40 
    75 ed aa ec 
TAG 5c 23 fe 40 
    14 3f ba d3 cd 50 78 ee 
TAG 43 02 40 54 
    4c 6f dd b9 
TAG c4 4f 0c a5 50 a9 8e 45 a3 95 67 4e ec 94 4e 33 e6 d5 
    9b 04 c2 ea 
TAG 30 c2 40 08 20 c8 34 15 75 79 dd 5c 9c 7d 1f db 2d 8d 
    aa 21 5b 8a 
TAG ea 0e 13 07 4a d3 02 08 74 3f 6f 52 3b 4f 02 00 00 46 
    ca 59 00 8e 
TAG 6c 39 3d ea 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    ce 14 d5 58 6f db 4c a8 
TAG 77 04 00 64 
    38 30 84 44 
TAG ba 31 68 2c 42 b2 00 b3 5f d4 0b ae 0c 7a 28 f0 1d ff 
    81 3a 62 eb 
TAG c2 4e 84 c0 
    44 ad 05 39 68 24 fe 53 
TAG 35 14 ea bf 
    5c 2f 0b 34 
TAG 4e c5 5a 2a 63 d7 e7 73 4a 48 6a 94 10 60 48 80 00 7e 
    0f 59 94 55 
TAG 46 05 eb f3 03 d1 51 5f f5 51 22 15 fb 1e 8d 73 b9 0d 
    d2 85 0f a3 
TAG b0 60 00 cc 11 49 c6 0c 44 f4 ec 98 db 0c b3 56 74 a5 
    f0 a5 e0 ae 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    a9 35 b0 ad 30 3a 44 a4 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 00 b4 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    02 19 d3 7b b3 60 10 83 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 00 00 45 
    c0 9c cf df 99 b0 fd 35 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    dd f0 d7 f1 2b 69 3a 45 
TAG 01 20 00 a0 
    a0 03 57 0d 
TAG a2 67 1f 44 c5 71 af ef 17 27 2e 4e a4 0a 38 0c 33 64 
    1e e6 e1 9d 
TAG c0 7c 20 f4 
    9c 8b 98 d0 97 1f f4 88 
TAG e9 2f b7 ac 
    c3 ef 16 14 
TAG 01 47 e9 7d 75 da a7 fd f8 6d 31 a2 08 02 90 a2 e1 25 
    8e d2 6b 89 
TAG 26 51 28 37 52 ba 11 17 c9 9a af 2d 38 b3 b3 0e 3d 1d 
    4d aa 22 c4 
TAG 80 84 0c cc 46 f8 27 83 4d 2f 90 40 bf 9a 52 81 f1 07 
    ca a1 bf b9 
TAG 30 49 4f 5f 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 00 00 00 
    31 8d e8 66 e5 e1 5b 43 
TAG 97 58 41 55 
    9f 5c 51 63 
TAG 4c cb b5 d6 d3 27 8f 37 de b1 79 6d ed fb 6f f8 00 c0 
    74 e9 a2 05 
TAG 6f 46 43 8f 
    b4 d3 ac 0d 5d 55 ac c5 
TAG 97 cd 03 6b 
    08 c8 18 ee 
TAG 04 00 8a cf e1 0c b1 6e d0 52 c1 03 11 77 50 b2 8c 15 
    16 48 70 7c 
TAG c5 a6 1a 98 e0 b2 ce 22 6f dd 08 8a 15 04 48 60 f8 23 
    9e 9d 72 9b 
TAG f9 23 8e 64 e4 c9 43 5a cd 33 a1 5f 98 d6 d5 b6 43 29 
    ae 55 20 39 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    70 2d df ca f8 68 5e 2c 
    52 
TAG 00 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    eb a4 39 c1 80 b8 c4 d1 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 00 24 dc 
    61 03 b6 50 
TAG 01 20 01 45 
    d0 96 49 c8 f8 34 cb 84 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 00 00 00 
    29 76 c3 fa d3 4a 64 c3 
TAG 07 60 98 ad 
    a8 0b a5 7a 
TAG 69 30 b7 9a 3f 2c f0 fd 45 de f3 9f 94 22 c0 18 e2 c0 
    fc d0 1d 5d 
TAG 1d 4b d3 7b 
    dd 51 fb 65 8d e8 d8 bb 
TAG 0a 17 7a c2 
    5d 42 17 35 
TAG 80 ce 6a ac 53 fb cf 35 61 4c e7 b4 66 ee b5 fd 5e 35 
    17 c9 af 05 
TAG 0b 1d fe 74 e0 c0 8c 24 e3 82 fa 01 00 44 30 1d eb 50 
    ba 36 cf cc 
TAG a5 ed 05 97 90 c9 84 12 87 cf 4b 67 0f 79 16 cf 9e fd 
    2e 50 a4 b8 
TAG 42 11 ff ff 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 24 98 
    61 07 92 16 
TAG 01 20 01 45 
    a9 5a 5b b3 7f 52 a6 3a 
TAG a9 ed 1d 51 
    e6 61 f9 92 
TAG 67 c0 00 c0 7f 2e 75 a8 ac ec 5d 59 9a 46 95 b4 cd 23 
    6e e6 58 59 
TAG 6f 46 43 8f 
    c9 0c b7 70 c3 ca a0 07 
TAG c8 8e bc 03 
    ab 48 c9 6c 
TAG 75 46 7d 06 84 76 e4 d9 dc dd 91 6d f7 47 a2 e2 d5 0f 
    25 c4 3c f7 
TAG 00 d2 34 a5 64 e5 00 a7 6b 30 c7 0e a0 85 6a 64 20 23 
    4d 6f b0 c2 
TAG 7c 8a d9 d6 8a b7 0a b6 e9 fa 60 ac 82 40 02 b0 b2 cb 
    73 8e be 7d 
U00 
Uf8 52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    50 00 57 cd 
    26 
    26 
    26 
    26 
U00 
Uff 
U00 
Ufc 26 
TAG 04 00 
    93 20 
TAG a2 f2 69 ea d3 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    50 00 57 cd 
U00 
Uff 

Is there someone who can help me find all the info needed to use the crapto1 gui software properly?

Last edited by mariolino (2015-09-29 18:35:45)

#5 2015-09-29 18:59:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: cracking mifare keys

I never used the crapto1 gui, but if you use mfkey64.exe under the /tools/mfkey/ folder in the Pm3 source, you can use your trace above.

But I guess you would need to understand the authentication handshake to gather the right bytes.
If you read the "example_trace.txt" file in the same folder, maybe you can understand better.



pm3 ~/tools/mfkey$ mfkey64.exe a2f269ea 01200145 50d5d07a f5f3f3c4 198469ad
MIFARE Classic key recovery - based 64 bits of keystream
Recover key from only one complete authentication!

Recovering key for:
  uid: a2f269ea
   nt: 01200145
 {nr}: 50d5d07a
 {ar}: f5f3f3c4
 {at}: 198469ad

LFSR succesors of the tag challenge:
  nt': 63e5bca7
 nt'': 993730bd

Keystream used to generate {ar} and {at}:
  ks2: 96164f63
  ks3: 80b35910

Found Key: [a0a1a2a3a4a5]

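Iceman's point that you have to pick the right bytes out of the handshake is easy to get wrong by hand in a trace this long, so here is a parser for the two trace formats pasted in this thread, written in Python as an added example (it is not part of the Proxmark3 tools, and the function names are mine). It normalises both the timestamped `hf 14a snoop` lines and the bare `TAG ..` / reader lines, treats a reader frame as a clear-text command only if its ISO 14443-3 CRC_A checks out, follows each SELECT, AUTH, nt, {nr}{ar}, {at} exchange, reads the card type off the SAK, and counts tag nonces that repeat across authentications. The sample inputs are abridged excerpts of the traces posted above.

```python
import re
from collections import Counter

SAK_TYPES = {0x08: "MIFARE Classic 1K", 0x18: "MIFARE Classic 4K", 0x09: "MIFARE Mini"}
_TS = re.compile(r"^\s*\+\s*\d+:\s*\d*:\s*(.*)$")   # '+ <delta>: <n>: ' snoop prefix


def crc_a(data):
    """ISO 14443-3 CRC_A (poly 0x8408 reflected, init 0x6363), LSB first as sent."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ ((b << 8) & 0xFFFF) ^ ((b << 3) & 0xFFFF) ^ (b >> 4)
    return bytes([crc & 0xFF, crc >> 8])


def crc_ok(frame):
    """A valid trailing CRC_A means the frame went over the air in clear (not keystreamed)."""
    return len(frame) >= 3 and crc_a(frame[:-2]) == frame[-2:]


def parse_frames(text):
    """(side, bytes) per line, side 'RDR' or 'TAG'; accepts snoop and bare trace formats."""
    frames = []
    for line in text.splitlines():
        m = _TS.match(line)
        body = (m.group(1) if m else line).strip()
        if not body or body.startswith("U"):       # 'U..' lines are unattributed, skipped
            continue
        side = "RDR"
        if body.startswith("TAG"):
            side, body = "TAG", body[3:]
        toks = [t.rstrip("!") for t in body.split() if t != "!crc"]   # '!' = parity error
        data = bytes(int(t, 16) for t in toks if re.fullmatch(r"[0-9a-fA-F]{2}", t))
        if data:
            frames.append((side, data))
    return frames


def extract_auths(frames):
    """Every clear-text handshake AUTH -> nt -> {nr}{ar} -> {at}; encrypted AUTHs fail the CRC."""
    info = {"uid": None, "sak": None, "type": None}
    auths, pending, expect_sak = [], None, False
    for side, d in frames:
        if side == "RDR":
            is_nr = bool(pending and pending["nt"] and pending["nr"] is None and len(d) == 8)
            if not is_nr:                        # any other command ends the open handshake
                if pending and pending["nr"]:    # reader answered, tag never did: key rejected
                    auths.append(pending)
                pending, expect_sak = None, False
            if is_nr:
                pending["nr"], pending["ar"] = d[:4].hex(), d[4:].hex()
            elif len(d) == 9 and d[:2] == b"\x93\x70" and crc_ok(d):   # SELECT uid bcc crc
                info["uid"], expect_sak = d[2:6].hex(), True
            elif len(d) == 4 and d[0] in (0x60, 0x61) and crc_ok(d):  # AUTH key A 60 / B 61
                pending = {"uid": info["uid"], "key": "AB"[d[0] & 1], "block": d[1],
                           "nt": None, "nr": None, "ar": None, "at": None}
        elif expect_sak and len(d) == 3 and crc_ok(d):
            info["sak"], expect_sak = d[0], False
            info["type"] = SAK_TYPES.get(d[0], "unknown (SAK %02x)" % d[0])
        elif pending and pending["nt"] is None and len(d) == 4:
            pending["nt"] = d.hex()                                   # tag challenge
        elif pending and pending["nr"] and len(d) == 4:
            pending["at"] = d.hex()                                   # tag answer: key accepted
            auths.append(pending)
            pending = None
    if pending and pending["nr"]:
        auths.append(pending)
    return info, auths


def analyze(text):
    info, auths = extract_auths(parse_frames(text))
    nts = Counter(a["nt"] for a in auths)
    return {"card": info, "auths": auths, "repeated_nonces": {k: n for k, n in nts.items() if n > 1}}


# Abridged excerpts of the two traces posted in this thread, used as sample input.
SAMPLE_BARE = """\
    93 70 a2 f2 69 ea d3 21 02
TAG 08 b6 dd
    60 03 6e 49
TAG 01 20 01 45
    50 d5 d0 7a f5 f3 f3 c4
TAG 19 84 69 ad
    9b 2c 19 3f
    52
    93 70 a2 f2 69 ea d3 21 02
TAG 08 b6 dd
    61 03 b6 50
TAG 01 20 01 45
    31 f0 4b 31 bb 22 a6 b5
    52
"""
SAMPLE_SNOOP = """\
 +    748:    :     93  70  89  3c  64  80  51  87  70
 +     64:   0: TAG 88  be  59
 +    780:    :     61  00  2d  62
 +    112:   0: TAG 57  ae  7a  85
 +    636:    :     2c  e3  63  91  39  dc  00  75     !crc
 +     64:   0: TAG 5d! 28! 5b! 17
"""
```

Each entry in `auths` holds the five mfkey64 arguments in order (uid, nt, {nr}, {ar}, {at}); an entry with `at` left as None is an authentication where the reader sent {nr}{ar} but the tag never answered, which is how a rejected key looks on the wire. An AUTH issued while a sector is already open is sent encrypted, so it fails the CRC test and is not reported: its nonce is not a value mfkey64 can take as nt. Running `analyze(SAMPLE_BARE)` on the excerpt reports the card as MIFARE Classic 1K and the nonce 01200145 as repeating.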
#6 2015-09-29 19:06:01

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

I never used the crapto1 gui, but if you use mfkey64.exe under the /tools/mfkey/ folder in the Pm3 source, you can use your trace above.

But I guess you would need to understand the authentication handshake to gather the right bytes.
If you read the "example_trace.txt" file in the same folder, maybe you can understand better.



pm3 ~/tools/mfkey$ mfkey64.exe a2f269ea 01200145 50d5d07a f5f3f3c4 198469ad
MIFARE Classic key recovery - based 64 bits of keystream
Recover key from only one complete authentication!

Recovering key for:
  uid: a2f269ea
   nt: 01200145
 {nr}: 50d5d07a
 {ar}: f5f3f3c4
 {at}: 198469ad

LFSR succesors of the tag challenge:
  nt': 63e5bca7
 nt'': 993730bd

Keystream used to generate {ar} and {at}:
  ks2: 96164f63
  ks3: 80b35910

Found Key: [a0a1a2a3a4a5]

Dear Iceman,
thanks a lot for your quick reply. Could you confirm that in the sniff log you can find only Key A a0a1a2a3a4a5, or is there also Key B?

I tried but the result for me is FFFFFFFFFFFF

Last edited by mariolino (2015-09-29 19:10:09)

#7 2015-09-29 19:22:05

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Dear Iceman, I have a question for you... Do you think that, just knowing the UID and sector 0 data, you will be able to find the default keys on this kind of Tag?

#8 2015-09-29 19:22:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: cracking mifare keys

I just tried one key; the rest is up to you to find out.

Hint, there are several auth commands in your trace.

#9 2015-10-01 18:22:47

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Dear Iceman, thanks for your help. As suggested, I read the example in the PM3 folder:

 +  50782:    :     26
 +  33822:    :     26
 +  50422:    :     26
 +     64:   0: TAG 04  00
 +    944:    :     93  20
 +     64:   0: TAG 9c  59  9b  32  6c
 +   1839:    :     93  70  9c  59  9b  32  6c  6b  30
 +     64:   0: TAG 08  b6  dd
 +   3783:    :     60  32  64  69
 +    113:   0: TAG 82  a4  16  6c
 +   1287:    :     a1  e4  58  ce  6e  ea  41  e0
 +     64:   0: TAG 5c  ad  f4  39

./mfkey64 9c599b32 82a4166c a1e458ce 6eea41e0 5cadf439

But I still don't understand where I'm doing something wrong.
In the following you can find the keys found on my sniff log:

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    50 d5 d0 7a f5 f3 f3 c4 
TAG 19 84 69 ad 
A0A1A2A3A4A5
    9b 2c 19 3f 
TAG 11 cd 3c 98 54 90 51 af 98 3d 8a f2 d8 c0 40 b9 b2 3e 
    d3 88 30 09 
TAG 1d 4b d3 73 
    d7 f7 fa 04 1a 2e 54 03 
TAG f5 1f ed 6b 
683ACA777D4D
    97 9d 58 82 
TAG 9e 85 db 42 ee 78 44 31 d7 50 a5 90 06 9a 1c 91 84 20 
    ec 2d a1 d6 
TAG 3f f4 50 6f 4b e7 d7 6f 6d 8c 72 d0 1c 38 56 16 ef a5 
    1e cf a8 40 
TAG 6e 80 14 0f 0e 06 66 c4 1f 73 9d 1e f5 29 87 3c b8 2f 
    49 65 7d 16 
TAG 42 11 ff ff 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    45 70 21 3f 66 61 11 e0 
TAG 74 9a ea 13 
FFFFFFFFFFFF
    1c 44 df d3 
TAG 61 6d 3e 3b 3f cd 50 95 c9 44 32 71 5f d4 19 f9 7c b4 
    8e c3 7c 73 
TAG 6f 46 43 8f 
    17 6f 8a 86 8b 04 2d 92 
TAG 44 17 87 3d 
447D1866F002
    5e 54 5e a6 
TAG 9d 1c 39 f8 00 40 40 ad 02 e5 02 35 2e 39 31 9d 90 1d 
    de 12 a3 26 
TAG 27 37 e1 36 e0 0e de 07 88 d0 1d e4 a7 1e 22 ef 3b f3 
    d8 62 0e 7a 
TAG 44 7c ba 2d 7b 14 05 c6 93 a7 96 1f ad f5 e7 be 89 0b 
    d8 94 c5 29 
    52 
TAG 00 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    f7 cb 51 71 53 1c e8 2c 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    f0 a1 16 37 b0 00 f6 21 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    d8 79 5e f3 c1 c6 21 82 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    4f 2d d0 f1 6f 93 da b3 
TAG 88 64 35 2b 
A0A1A2A3A4A5
    7a e3 2a 49 
TAG a1 82 c1 bb 14 70 ed 74 b9 75 b1 d1 98 d9 85 06 51 77 
    3b 21 f0 18 
TAG 5c 23 fe 40 
    3d 21 af ef 57 68 71 08 
TAG ef ff dd 21 
4B8081C21014

Where is the "error" in the key generation?
Thanks in advance.

#10 2015-10-01 19:23:01

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Dear Iceman, according to the PM3 example, the proper Keys should be the following:

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    50 d5 d0 7a f5 f3 f3 c4 
TAG 19 84 69 ad 
A0A1A2A3A4A5

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    45 70 21 3f 66 61 11 e0 
TAG 74 9a ea 13 
FFFFFFFFFFFF

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    4f 2d d0 f1 6f 93 da b3 
TAG 88 64 35 2b 
A0A1A2A3A4A5

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    2f 7b c4 a2 97 0a 1a 84 
TAG fc 4c 44 12 
FFFFFFFFFFFF

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    87 8d 75 ee 52 0a 60 81 
TAG 74 b7 70 61 
A0A1A2A3A4A5

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    ce 14 d5 58 6f db 4c a8 
TAG 77 04 00 64
1669638CDE27 

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    dd f0 d7 f1 2b 69 3a 45 
TAG 01 20 00 a0 
4787C6A94ED7

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 00 00 00 
    31 8d e8 66 e5 e1 5b 43 
TAG 97 58 41 55 
DC358AF289C5

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 00 00 00 
    29 76 c3 fa d3 4a 64 c3 
TAG 07 60 98 ad 
A8C6E115DE58

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 24 98 
    61 07 92 16 
TAG 01 20 01 45 
    a9 5a 5b b3 7f 52 a6 3a 
TAG a9 ed 1d 51 
FFFFFFFFFFFF

But unfortunately they are wrong.

Last edited by mariolino (2015-10-01 19:25:01)

#11 2015-10-01 20:04:43

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: cracking mifare keys

Can you please provide some more information? What did you do to find out that "they are wrong"? What kind of card is this which gives the same tag nonce (01 20 01 45) every time? Which version of PM3 software are you using?

#12 2015-10-01 20:22:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: cracking mifare keys

When I look at your found keys, they don't make sense.
Like these two Auth Key B for sector 7. They should be the same, and the nonce, as Piwi says, is highly repeating.


    61 07 92 16
TAG 01 00 00 00
    31 8d e8 66 e5 e1 5b 43
TAG 97 58 41 55
DC358AF289C5

    61 07 92 16
TAG 01 20 01 45
    a9 5a 5b b3 7f 52 a6 3a
TAG a9 ed 1d 51
FFFFFFFFFFFF

If you don't want to use mfkey64, you can also use mfkey32 instead.

#13 2015-10-01 22:05:41

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

piwi wrote:

Can you please provide some more information? What did you do to find out that "they are wrong"? What kind of card is this which gives the same tag nonce (01 20 01 45) every time? Which version of PM3 software are you using?

Dear piwi, this card is a Mifare Classic 1K.
To find the key from the log, I'm using crapto gui.

For this sniff I didn't use the Proxmark because there were many people around me, so the sniffing was done with other hardware.

Before you give me your thoughts, let me explain my test...
I had a Mifare Classic Key where Mfoc, Mfcuk and PM3 didn't recover the default keys.
I know only the first Key A: A0A1A2A3A4A5

I also had another TAG, from the same distributor, where mfoc worked fine, so my intention was to write a 'magic card' with the known dump of the other TAG, change the UID in Block 0 to that of the unknown TAG, and sniff the communication.

The result should be some Auth requests, from the Machine to my TAG, containing the proper Key associated with the UID written in Block 0.

But when trying to find the key from the log using crapto gui, all keys found are wrong for my TAG.

#14 2015-10-01 23:11:27

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: cracking mifare keys

Magic generation 1,    hf mf mifare never works.

pm3 --> hf 14a re
 UID : 11 22 33 55
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....................

Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

Modern toy-token, the PRNG is 32 bits.

pm3 --> hf 14a re
 UID : 04 4D A1 A2 DF 2B 80
ATQA : 00 44
 SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...

Card is not vulnerable to Darkside attack (its random number generator is not predictable).

#15 2015-10-01 23:36:41

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Thanks Iceman for your clarification...
Then, if I understood, I cannot use a magic card for the Mifare sniffing.
My reason was to find a relationship between UID and sector keys.
Anyway, it could be good to sniff the communication with the working TAG and analyse the log file...

Last edited by mariolino (2015-10-01 23:37:33)

#16 2015-10-01 23:40:48

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

Magic generation 1,    hf mf mifare never works.

pm3 --> hf 14a re
 UID : 11 22 33 55
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....................

Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

Modern toy-token, the PRNG is 32 bits.

pm3 --> hf 14a re
 UID : 04 4D A1 A2 DF 2B 80
ATQA : 00 44
 SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...

Card is not vulnerable to Darkside attack (its random number generator is not predictable).

For the second Tag, NXP MIFARE Mini 0.3k (but with a 4-byte UID), Asper knows the relationship between UID and keys.

#17 2015-10-01 23:45:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: cracking mifare keys

You can use the magic tag if it is accepted by the reader; just because it's magic doesn't mean the reader likes it.

I guess your setup is: reader <-> pm3 sniff <-> magic tag with modified UID.

The reader has a key-gen algo based on the UID,
and you want to gather enough data to figure out the key-gen.

This works, I've done it, but you need to be able to verify the keys collected from the magic tag.

I've been in a situation where I could let one pm3 sim and the other one sniff, but the found keys were not always correct.
My guess is that a modern Mifare reader uses the newer 32-bit PRNG, which the known attacks don't work on.

#18 2015-10-01 23:49:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: cracking mifare keys

If @asper knew the relation for that specific token, I would be surprised. That was a D.I.; the keygen algo is still unknown, we haven't found a good way of collecting the needed data.

#19 2015-10-02 00:07:57

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

If @asper knew the relation for that specific token, I would be surprised. That was a D.I.; the keygen algo is still unknown, we haven't found a good way of collecting the needed data.

@asper knows the algo for the old Mifare 0.3k... They are also called mizip.

If you know the UID of one of that specific tag but you don't know the default keys, we can try to use that algo, if it can be applied.

Last edited by mariolino (2015-10-02 00:25:27)

#20 2015-10-02 07:58:56

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: cracking mifare keys

Sorry, the only Mifare Mini 0.3kb tags I have have a 7-byte UID.
You can always try the UID from the one I posted.

#21 2015-10-02 08:17:45

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: cracking mifare keys

Sniffing and mfkey64 should work even with modern cards. But deriving a key diversification algorithm without or even with knowing the master key (which would be stored in a secure storage (SAM) inside the reader or on the host) is challenging at least.

But your approach wouldn't work anyway. You are producing a magic card with data (and sector keys) from one card and the UID from another card. With key diversification the keys depend on the UID, i.e. your magic card has wrong keys and cannot authenticate.

#22 2015-10-02 08:48:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

The idea is that the magic card has wrong keys, and you sniff the reader while it tries to authenticate to it, then you use mfkey32 to find the key which the reader tried. You update the magic tag with the found key, and see the next reader authentication, and so forth.

The problem with tags with the newer PRNG (32 bits) is that mfkey32 / mfkey64 can't roll back, since the pm3 implementation of the mifare PRNG is only 16 bits. So sometimes it works, but you can't guarantee it. You'll need to do a mfcheckkeys to validate it.

Then you need the original card to do that.

And yes, solving those keygen algos is doable but takes lots of work. A black-box approach.

#23 2015-10-02 09:12:44

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: cracking mifare keys

Sorry, I meant simulating, not sniffing. You need to be able to dictate the tag nonce, otherwise you would need to wait until a "good" one is generated by a tag. Might be a good idea to modify mfkey32 and mfkey64 to distinguish "good" and "bad" tag nonces.

#24 2015-10-02 11:03:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

In your implementation for checking distance, it uses a 16-bit space. The question is how the new PRNG works, since it can't be the old one... Has someone looked at it?

How do we distinguish between a "good" (breakable/old) and a "bad" (unbreakable/new) nonce ?   How do we identify the PRNG?


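Added example, not part of any post in this thread and not Proxmark3 project code: a Python model of the 16-bit tag PRNG as crapto1's prng_successor() implements it, with the two checks the question above asks for: whether a captured tag nonce could have come from that LFSR at all, and the step distance between two nonces. A card whose nonces fail the first check is using a different generator, which is exactly the case where mfkey32/mfkey64 output cannot be trusted. The LFSR taps and byte order are taken from crapto1; the nonces quoted from the thread are only printed, never asserted on, and the known-good sample is constructed by the code itself.

```python
from typing import Optional

# Added example: 16-bit MIFARE Classic tag PRNG as modelled by crapto1 (not pm3 code).


def swap_endian(x: int) -> int:
    """Reverse the byte order of a 32-bit value (crapto1's SWAPENDIAN macro)."""
    x = ((x >> 8) & 0x00FF00FF) | ((x & 0x00FF00FF) << 8)
    return ((x >> 16) | (x << 16)) & 0xFFFFFFFF


def prng_successor(x: int, n: int) -> int:
    """Advance a 32-bit tag nonce by n steps of the 16-bit LFSR
    (feedback polynomial x^16 + x^14 + x^13 + x^11 + 1, taps as in crapto1).
    Inside, bit 31 is the newest output bit and bit 0 the oldest."""
    x = swap_endian(x)
    for _ in range(n):
        fb = ((x >> 16) ^ (x >> 18) ^ (x >> 19) ^ (x >> 21)) & 1
        x = (x >> 1) | (fb << 31)
    return swap_endian(x)


def lfsr_nonce_from_state(state16: int) -> int:
    """Constructed sample: the 32-bit nonce whose first half is `state16` and whose
    second half is the 16 bits the weak LFSR emits next."""
    if not 0 < state16 <= 0xFFFF:
        raise ValueError("LFSR state must be a non-zero 16-bit value")
    return prng_successor(swap_endian(state16 << 16), 16)


def is_weak_prng_nonce(nt: int) -> bool:
    """True if nt could have come from the 16-bit LFSR: a genuine nonce is 32
    consecutive output bits, so regenerating from its first half must give back
    its second half. A tag that fails this uses another generator (the 32-bit
    PRNG discussed above) and the rollback tools cannot be trusted on it."""
    first_half = swap_endian(nt) & 0xFFFF
    if first_half == 0:
        return False
    return lfsr_nonce_from_state(first_half) == nt


def nonce_distance(a: int, b: int) -> Optional[int]:
    """LFSR steps from nonce a to nonce b (0..65534), or None if b is not on a's
    sequence. Brute-force form of the distance check used on nested nonces."""
    x = a
    for steps in range(0xFFFF):
        if x == b:
            return steps
        x = prng_successor(x, 1)
    return None


if __name__ == "__main__":
    # Nonces quoted in this thread; the output says only what the check says.
    for label, nt in (("bf033a13 (sniff log later in the thread)", 0xBF033A13),
                      ("01200145 (quoted by piwi)", 0x01200145)):
        print(f"{label}: weak 16-bit PRNG nonce? {is_weak_prng_nonce(nt)}")
    good = lfsr_nonce_from_state(0x1234)  # constructed, not from a real card
    print(f"constructed {good:08x}: weak? {is_weak_prng_nonce(good)}, "
          f"distance to its 100th successor: {nonce_distance(good, prng_successor(good, 100))}")
```

The distance function walks the whole 65535-step cycle in the worst case, which is fine for a one-off check; the lookup table crapto1 builds does the same thing in constant time.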
#25 2015-10-02 11:04:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

And yes, in sim, that is the problem. If you want to see that in action, look at a Disney Infinity 2.0 toy.

#26 2015-10-02 11:17:02

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

Sorry, the only Mifare Mini 0.3k tags I have have 7-byte UIDs.
You can always try the UID from the one I posted.


UID: 044da1a2


KEY A

a0a1a2a3a4a5
0D5FFB878DA8
AF3868959662
E63FE00D2844
3537168D40DD

KEY B

b4c132439eef
508E801E7983
D2459DB393E3
0BEF173BF70C
11B1236A8C5F

#27 2015-10-02 13:17:58

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: cracking mifare keys

Need to test a different MiZip; I suspect the keys will be the same and not UID-dependent.

#28 2015-10-02 20:55:44

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

@iceman could you confirm that the keys found for your TAG are wrong?

#29 2015-10-02 21:33:58

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

Magic generation 1, hf mf mifare never works.

pm3 --> hf 14a re
 UID : 11 22 33 55
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....................

Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

Modern toy token, the PRNG is 32 bits.

pm3 --> hf 14a re
 UID : 04 4D A1 A2 DF 2B 80
ATQA : 00 44
 SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...

Card is not vulnerable to Darkside attack (its random number generator is not predictable).

@iceman, according to the following table there is something wrong with respect to your tag:

Manufacturer  Product             ATQA   SAK  ATS (called ATR for contact smartcards)  UID length
NXP           MIFARE Mini         00 04  09                                            4 bytes
NXP           MIFARE Classic 1k   00 04  08                                            4 bytes
NXP           MIFARE Classic 4k   00 02  18                                            4 bytes
NXP           MIFARE Ultralight   00 44  00                                            7 bytes
NXP           MIFARE DESFire      03 44  20   75 77 81 02 80                           7 bytes
NXP           MIFARE DESFire EV1  03 44  20   75 77 81 02 80                           7 bytes

Last edited by mariolino (2015-10-02 21:35:01)

#30 2015-10-02 22:10:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Are you trying to say that the Mifare Mini identification is wrong because ATQA 0x00 0x44 is not the same as in your list, where it says 0x00 0x04?

The tag identification inside "hf 14a reader" is based on the SAK value, which is 0x09, and that is the same as in your list.

#31 2015-10-02 22:15:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

I can safely say that those keys didn't work.

This is no MiZip key tag, this is a Disney Infinity token...

pm3 --> hf 14a re
 UID : 04 4D A1 A2 DF 2B 80
ATQA : 00 44
 SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO


pm3 --> hf mf rdsc 0 a a0a1a2a3a4a5
--sector no:0 key type:A key:A0 A1 A2 A3 A4 A5

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
pm3 --> hf mf rdsc 0 a a0a1a2a3a4a5
--sector no:0 key type:A key:A0 A1 A2 A3 A4 A5

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
pm3 --> hf mf rdsc 1 a 0D5FFB878DA8
--sector no:1 key type:A key:0D 5F FB 87 8D A8

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
pm3 --> hf mf rdsc 2 a AF3868959662
--sector no:2 key type:A key:AF 38 68 95 96 62

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
pm3 --> hf mf rdsc 0 b b4c132439eef
--sector no:0 key type:B key:B4 C1 32 43 9E EF

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
pm3 --> hf mf rdsc 1 b 508E801E7983
--sector no:1 key type:B key:50 8E 80 1E 79 83

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00

#32 2015-10-02 22:17:21

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

The SAK value is the same, 9.
Did you verify if the keys above are correct or wrong?

Ok..., they are different.

Last edited by mariolino (2015-10-02 22:18:42)

#33 2015-10-02 22:34:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

If you read the document http://www.nxp.com/documents/applicatio … N10833.pdf

Page 9: Mifare Mini ATQA 0x00 0xn4, SAK 0x09. The 'n' hints whether it's a 7-byte UID or not.

Mifare Mini with 7-byte UID: 0x00 0x44
Mifare Mini with 4-byte UID: 0x00 0x04

The identification is correct.

#34 2015-10-02 22:40:03

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Looking at your post below
http://www.proxmark.org/forum/viewtopic.php?id=2413
you don't need a solution for this kind of token.
You already found a solution to get the key.

Last edited by mariolino (2015-10-02 22:41:14)

#35 2015-10-02 22:53:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Sniffing the key when using the portal is not optimal.
The pm3 provides such a solution.

Figuring out the keygen algo is more fun.

#36 2015-10-02 23:07:47

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

I agree with you... The second solution is better.
I'll try to find more info on that tag.

I have the same problem with the sniffed tag in my first post.
I cannot recover the default keys, but in this case I have the dumps of others where the keys have been obtained.

The first approach was to compare the UIDs and the keys found in order to find the relation, but without success.

I can also tell you that on this tag there is a fixed relation between the keys of each sector.

It means the following:
The first key A on sector 0 is always A0A1A2A3A4A5.

Starting from sector 1:
key A sector 1 -- XOR -- key A sector 2
The result is the same for all tags with different UIDs.

Then I also need to understand how to find the first key A of sector 1 starting from the UID and the algo.

#37 2015-10-03 07:52:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Try XORing all keys 1-2-3-4-5 with each other and see if the resulting value has any connection with key 0 or the UID.

The a0a1a2a3a4a5 key is a default key, and if you read some NXP docs there is a "best practice" of keeping one key default.
Luckily that practice opens up the nested attack...

#38 2015-10-03 10:23:35

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

Try XORing all keys 1-2-3-4-5 with each other and see if the resulting value has any connection with key 0 or the UID.

The a0a1a2a3a4a5 key is a default key, and if you read some NXP docs there is a "best practice" of keeping one key default.
Luckily that practice opens up the nested attack...

Already done but nothing seems to be correlated...
I'll try again later.

#39 2015-10-21 14:13:35

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

piwi wrote:

Can you please provide some more information? What did you do to find out that "they are wrong"? What kind of card is this which gives the same tag nonce (01 20 01 45) every time? Which version of PM3 software are you using?

@piwi, you can find below a new sniff log for the other card used on the same machine. In this example not a magic key but the original Mifare Classic 1k was used:

U0f 04 00 
    93 20 
U0f 64 fb 4a de 0b 
    93 70 64 fb 4a de 0b f5 ec 
U0f 00 a4 dd 
    61 03 b6 50 
U0f bf 03 3a 13 
    6c 3e 9e 7b ff 26 59 bb 
U0f 00 01 e0 e4 
    e0 fc a1 86 
U0f 82 d4 71 92 90 99 e9 d5 11 f8 c1 c7 16 12 06 8a ec b4 
    6d de 60 48 
U0f 81 60 cf 23 
    4a a9 89 87 62 13 3a 57 
U0f 0c b0 f4 d3 
    3a 7c ea ee 
U0f 59 d7 34 73 f1 71 c2 f2 93 cd db 8e 60 7f 67 eb 4a b2 
    06 83 0f 6c 
U0f 20 00 80 03 80 39 32 78 00 1c 40 08 18 72 00 44 e0 38 
    16 49 ea 5b 
U0f 00 3c 00 64 c2 e0 42 98 62 c9 9b e4 37 56 28 6b 51 c8 
    28 c7 ee 4e 
U0f b6 3e a6 79 
    c0 92 ae ff 67 a2 a9 9f 
U0f 83 40 30 8e 
    af ea 2f d4 
U0f 65 65 99 37 f9 70 09 21 6b 20 ee 77 4c 8c f9 59 5c 12 
    0a db 9e 7c 
U0f 1c 81 8c 20 
    05 5a 1e 58 b2 19 b2 8c 
U0f 13 7f f9 33 
    80 67 2d d7 
U0f 63 01 47 ac 92 0f bb 91 fc 08 20 c4 6d 53 df b0 a0 72 
    ad 61 e9 02 
U0f 08 20 1e 20 0e 1e 08 12 c8 e0 00 10 06 00 00 13 07 03 
    9c 84 0a a4 
U0f 9f 04 60 71 ea 7d 6d 44 c2 fb e7 1e 85 53 de 2f 29 3f 
    97 4d 1c 2a 
U0f 00 79 40 c0 
    18 ef 6d fe 2c aa 85 8c 
U0f 01 92 48 c0 
    a3 cc 2c 8d 
U0f f9 e0 70 c0 08 9e 7e 10 00 00 08 40 1c 18 e0 08 0e 80 
    70 be dc 94 
U0f de 20 b9 fb 
    b3 c5 7a 68 fd 6d 50 7f 
U0f 03 0e 27 26 
    d1 41 7a a2 
U0f c8 1c 00 24 03 00 61 03 00 b7 7a 24 b1 9b 11 8c 23 be 
    27 16 a3 82 
U0f bb ed f6 d2 f4 0c bf ac be 6d f4 bf 37 8a 92 a1 6e 11 
    5c 4c 15 d7 
U0f 18 00 00 e2 88 08 64 84 00 0e 00 06 00 24 08 00 1c 78 

I also want to report the key info about this tag:

uid:64fb4ade

|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  a0a1a2a3a4a5  | 1 |  a5a7d679999c  | 1 |          
|001|  b46eccb77483  | 1 |  000000000000  | 0 |          
|002|  b7eba82d314d  | 0 |  a795c96aea2c  | 1 |          
|003|  b6b978acab04  | 1 |  a6e364afa949  | 1 |          
|004|  000000000000  | 0 |  a1a4df1832f2  | 1 |          
|005|  b0ac517bf3e4  | 1 |  a01cbc0beb2e  | 1 |          
|006|  b3d746bb3567  | 1 |  a3cc31bfff43  | 1 |          
|007|  b27ac56ee6f3  | 1 |  000000000000  | 0 |          
|008|  000000000000  | 0 |  adf24507b661  | 1 |          
|009|  bc8c255e9286  | 1 |  ac14e0d3691d  | 1 |          
|010|  000000000000  | 0 |  000000000000  | 0 |          
|011|  befa3154d74d  | 1 |  aecbc66492af  | 1 |          
|012|  b9824c5455a5  | 1 |  a9faa36bf0b7  | 1 |          
|013|  b88147799234  | 1 |  a805ba87cff9  | 1 |          
|014|  bb631df35a1a  | 1 |  abcac69b6619  | 1 |          
|015|  ba519b1871c8  | 1 |  aa64a8a163c0

I used the following data to generate the key but it seems to be wrong....

UID               64 fb 4a de
tag challenge     bf 03 3a 13
reader challenge  6c 3e 9e 7b
reader response   ff 26 59 bb
tag response      00 01 e0 e4

KEY     6C97E2C4E531

"wrong" means not good for Auth....


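Added example, not code from this post or from the Proxmark3 project: a pass over the ISO14443-3 part of the sniff log above, of the kind you want before feeding a trace to mfkey64. It decodes ATQA/SAK into UID length and card family (the AN10833 mapping argued over in the posts above: the UID-size bits of ATQA are why 00 44 and 00 04 are both MIFARE Mini), checks the BCC of the anticollision reply and the CRC_A of the plaintext frames, and extracts the (uid, nt, nr, ar, at) tuple mfkey64 needs. The trace lines are copied from the post; the SAK table, the direction convention (U0f = tag, indented = reader) and all function names are this example's own assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Opening of the sniff log from the post: U0f lines are tag frames, indented lines
# reader frames, hex bytes as printed with their CRC bytes.
TRACE = """\
U0f 04 00
    93 20
U0f 64 fb 4a de 0b
    93 70 64 fb 4a de 0b f5 ec
U0f 00 a4 dd
    61 03 b6 50
U0f bf 03 3a 13
    6c 3e 9e 7b ff 26 59 bb
U0f 00 01 e0 e4
"""

# SAK values quoted from NXP AN10833 in the thread; UID length comes from ATQA, not from here.
SAK_FAMILY = {0x09: "MIFARE Mini", 0x08: "MIFARE Classic 1k", 0x18: "MIFARE Classic 4k",
              0x00: "MIFARE Ultralight", 0x20: "ISO14443-4 card (e.g. DESFire)"}


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (reflected poly 0x8408, preset 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def crc_ok(frame: bytes) -> bool:
    """Verify the trailing CRC_A of a frame exactly as captured."""
    return len(frame) > 2 and crc_a(frame[:-2]) == frame[-2:]


def bcc_ok(reply: bytes) -> bool:
    """Anticollision reply = 4 UID bytes + BCC, the XOR of the four UID bytes."""
    return len(reply) == 5 and (reply[0] ^ reply[1] ^ reply[2] ^ reply[3]) == reply[4]


def uid_size_from_atqa(atqa: int) -> int:
    """Bits 7:6 of the ATQA low byte code the UID size: 00 single (4 bytes),
    01 double (7 bytes), 10 triple (10 bytes). 00 44 vs 00 04 differs only here."""
    return {0: 4, 1: 7, 2: 10}.get((atqa >> 6) & 0x3, 0)


def identify(atqa: int, sak: int) -> Tuple[str, int, bool]:
    """(family from SAK, UID length from ATQA, SAK bit 6 'ISO14443-4 compliant')."""
    return SAK_FAMILY.get(sak, "unknown SAK 0x%02x" % sak), uid_size_from_atqa(atqa), bool(sak & 0x20)


def parse_trace(text: str) -> List[Tuple[str, bytes]]:
    """Turn the log into (direction, frame) pairs."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        from_tag = line.startswith("U0f")
        hexpart = line[3:] if from_tag else line
        frames.append(("TAG" if from_tag else "RDR", bytes.fromhex(hexpart.replace(" ", ""))))
    return frames


def crc_audit(frames: List[Tuple[str, bytes]]) -> List[Tuple[str, str, bool]]:
    """CRC_A result for every plaintext frame up to the first auth command. ATQA,
    the anticollision command and the UID+BCC reply carry no CRC and are skipped;
    everything after the auth command is Crypto1-encrypted and not checkable."""
    out = []
    for who, f in frames:
        if not (len(f) == 2 or (who == "TAG" and bcc_ok(f))):
            out.append((who, f.hex(), crc_ok(f)))
        if who == "RDR" and len(f) == 4 and f[0] in (0x60, 0x61):
            break
    return out


def extract_first_auth(frames: List[Tuple[str, bytes]]) -> Optional[Dict[str, int]]:
    """uid, nt, nr, ar, at from the first authentication: the mfkey64 inputs."""
    uid = None
    for i, (who, f) in enumerate(frames):
        if who == "TAG" and bcc_ok(f) and i > 0 and frames[i - 1][1] == b"\x93\x20":
            uid = int.from_bytes(f[:4], "big")
        if who == "RDR" and len(f) == 4 and f[0] in (0x60, 0x61) and crc_ok(f):
            if uid is None or i + 3 >= len(frames):
                return None
            nt, nr_ar, at = frames[i + 1][1], frames[i + 2][1], frames[i + 3][1]
            if len(nt) != 4 or len(nr_ar) != 8 or len(at) != 4:
                return None
            return {"uid": uid, "cmd": f[0], "block": f[1],
                    "nt": int.from_bytes(nt, "big"), "nr": int.from_bytes(nr_ar[:4], "big"),
                    "ar": int.from_bytes(nr_ar[4:], "big"), "at": int.from_bytes(at, "big")}
    return None


if __name__ == "__main__":
    for label, atqa, sak in (("magic 1k", 0x0004, 0x08), ("Disney Infinity token", 0x0044, 0x09)):
        print(label, identify(atqa, sak))
    frames = parse_trace(TRACE)
    for who, hexframe, ok in crc_audit(frames):
        print(f"{who} {hexframe}: CRC_A {'ok' if ok else 'BAD'}")
    auth = extract_first_auth(frames)
    print("mfkey64 inputs:", {k: f"{v:08x}" for k, v in auth.items()} if auth else None)
```

On this trace the select frame (93 70 … f5 ec) and the auth command (61 03 b6 50) verify, while the reply logged as 00 a4 dd does not (CRC_A over a single 00 byte would be fe 51). That frame does not feed into the auth tuple, but a trace with a frame that fails CRC is the first thing to know when asking why a sniffed key does not authenticate.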
#40 2015-10-21 14:30:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Your key A and key B have some correlations;
look at the first byte of each...

|012|  b9 824c5455a5  | 1 |  a9 faa36bf0b7  | 1 |          
|013|  b8 8147799234  | 1 |  a8 05ba87cff9  | 1 |          
|014|  bb 631df35a1a  | 1 |  ab cac69b6619  | 1 |

And the output of nested has a lot of errors; try re-running it until they are gone.

Last edited by iceman (2015-10-21 14:31:50)

#41 2015-10-21 15:13:26

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

The relation between the keys is the following:

XOR between key A1 and key A2: 0385649A45CE
XOR between key A1 and key A3: 02D7B41BDF87
... and so on:

A1 ^ A4  = 055813702C25
A1 ^ A5  = 04C29DCC8767
A1 ^ A6  = 07B98A0C41E4
A1 ^ A7  = 061409D99270
A1 ^ A8  = 09077890939F
A1 ^ A9  = 08E2E9E9E605
A1 ^ A10 = 0BAAC5FA2AA8
A1 ^ A11 = 0A94FDE3A3CE
A1 ^ A12 = 0DEC80E32126
A1 ^ A13 = 0CEF8BCEE6B7
A1 ^ A14 = 0F0DD1442E99
A1 ^ A15 = 0E3F57AF054B

XOR between key A1 and key B0: 11C91ACEED1F
... and so on:

A1 ^ B0  = 11C91ACEED1F
A1 ^ B1  = 107B94225924
A1 ^ B2  = 13FB05DD9EAF
A1 ^ B3  = 128DA818DDCA
A1 ^ B4  = 15CA13AF4671
A1 ^ B5  = 147270BC9FAD
A1 ^ B6  = 17A2FD088BC0
A1 ^ B7  = 16BD12C4CD62
A1 ^ B8  = 199C89B0C2E2
A1 ^ B9  = 187A2C641D9E
A1 ^ B10 = 1BFFA804AA66
A1 ^ B11 = 1AA50AD3E62C
A1 ^ B12 = 1D946FDC8434
A1 ^ B13 = 1C6B7630BB7A
A1 ^ B14 = 1FA40A2C129A
A1 ^ B15 = 1E0A64161743

Using this correlation it is easy to find the missing keys:

|004|  B136DFC758A6
|008|  BD69B427E71C
|010|  BC8C255E9286

|001|  A41558952DA7  Key B
|007|  A2D3DE73B9E1  Key B
|010|  AF9164B3DEE5  Key B

The first problem now is how to find the relation that generates the first key A1 starting from the UID.
The second issue is.... why is the sniff log wrong??

In order to study the algo, if you have an email, I can share with you the keys A and B of 11 Mifare 1K cards opened with the Proxmark.

Last edited by mariolino (2015-10-21 16:06:33)


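Added example, not from any post in this thread: the XOR relation described in the two posts above, run against the key table for uid 64fb4ade. Key A of sector 1 is the anchor; the A1 ^ An and A1 ^ Bn values are the ones listed above with the dropped leading zero restored; sector 0 key A is the default key the thread reports as fixed. The code first checks that the deltas reproduce every key the nested attack did recover, and only then fills in the sectors that came back as 000000000000. It also checks the first-byte pattern pointed out above as it holds on this card (key A_n starts with 0xB5 ^ n, key B_n with 0xA5 ^ n); that is an observation about this data set, not a claim about the key generator, and the function names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

KeyTable = Dict[int, Tuple[Optional[int], Optional[int]]]  # sector -> (key A, key B)

DEFAULT_KEY_A0 = 0xA0A1A2A3A4A5  # sector 0 key A, reported above as always the NXP default

# Key table from the post for uid 64fb4ade; None where nested returned 000000000000 / res 0.
POSTED_KEYS: KeyTable = {
    0: (0xA0A1A2A3A4A5, 0xA5A7D679999C), 1: (0xB46ECCB77483, None),
    2: (0xB7EBA82D314D, 0xA795C96AEA2C), 3: (0xB6B978ACAB04, 0xA6E364AFA949),
    4: (None, 0xA1A4DF1832F2), 5: (0xB0AC517BF3E4, 0xA01CBC0BEB2E),
    6: (0xB3D746BB3567, 0xA3CC31BFFF43), 7: (0xB27AC56EE6F3, None),
    8: (None, 0xADF24507B661), 9: (0xBC8C255E9286, 0xAC14E0D3691D),
    10: (None, None), 11: (0xBEFA3154D74D, 0xAECBC66492AF),
    12: (0xB9824C5455A5, 0xA9FAA36BF0B7), 13: (0xB88147799234, 0xA805BA87CFF9),
    14: (0xBB631DF35A1A, 0xABCAC69B6619), 15: (0xBA519B1871C8, 0xAA64A8A163C0),
}

# Deltas from the follow-up post, leading zero restored: DELTA_A[n] = A1 ^ An, DELTA_B[n] = A1 ^ Bn.
DELTA_A: Dict[int, int] = {
    2: 0x0385649A45CE, 3: 0x02D7B41BDF87, 4: 0x055813702C25, 5: 0x04C29DCC8767,
    6: 0x07B98A0C41E4, 7: 0x061409D99270, 8: 0x09077890939F, 9: 0x08E2E9E9E605,
    10: 0x0BAAC5FA2AA8, 11: 0x0A94FDE3A3CE, 12: 0x0DEC80E32126, 13: 0x0CEF8BCEE6B7,
    14: 0x0F0DD1442E99, 15: 0x0E3F57AF054B,
}
DELTA_B: Dict[int, int] = {
    0: 0x11C91ACEED1F, 1: 0x107B94225924, 2: 0x13FB05DD9EAF, 3: 0x128DA818DDCA,
    4: 0x15CA13AF4671, 5: 0x147270BC9FAD, 6: 0x17A2FD088BC0, 7: 0x16BD12C4CD62,
    8: 0x199C89B0C2E2, 9: 0x187A2C641D9E, 10: 0x1BFFA804AA66, 11: 0x1AA50AD3E62C,
    12: 0x1D946FDC8434, 13: 0x1C6B7630BB7A, 14: 0x1FA40A2C129A, 15: 0x1E0A64161743,
}


def keys_from_anchor(a1: int) -> Dict[int, Tuple[int, int]]:
    """Expand sector-1 key A into all 32 keys with the fixed deltas."""
    full = {}
    for n in range(16):
        key_a = DEFAULT_KEY_A0 if n == 0 else a1 if n == 1 else a1 ^ DELTA_A[n]
        full[n] = (key_a, a1 ^ DELTA_B[n])
    return full


def conflicts(posted: KeyTable, derived: Dict[int, Tuple[int, int]]) -> List[str]:
    """Recovered keys the delta model fails to reproduce; an empty list means the
    relation holds on every key the nested attack actually returned."""
    out = []
    for n, (pa, pb) in posted.items():
        da, db = derived[n]
        if pa is not None and pa != da:
            out.append(f"sector {n:2d} key A: posted {pa:012X}, model {da:012X}")
        if pb is not None and pb != db:
            out.append(f"sector {n:2d} key B: posted {pb:012X}, model {db:012X}")
    return out


def fill_missing(posted: KeyTable) -> Dict[int, Tuple[int, int]]:
    """Keep every recovered key, fill the gaps from the model, and refuse to
    guess if the model contradicts anything that was recovered."""
    a1 = posted[1][0]
    if a1 is None:
        raise ValueError("sector 1 key A is the anchor and must be known")
    derived = keys_from_anchor(a1)
    bad = conflicts(posted, derived)
    if bad:
        raise ValueError("delta model does not fit this card: " + "; ".join(bad))
    return {n: (pa if pa is not None else derived[n][0],
                pb if pb is not None else derived[n][1])
            for n, (pa, pb) in posted.items()}


def first_byte_rule(keys: Dict[int, Tuple[int, int]]) -> bool:
    """Observation on this card only: key A_n starts with 0xB5 ^ n (n >= 1)
    and key B_n with 0xA5 ^ n, i.e. the first-byte pattern noted above."""
    for n, (ka, kb) in keys.items():
        if n >= 1 and (ka >> 40) != (0xB5 ^ n):
            return False
        if (kb >> 40) != (0xA5 ^ n):
            return False
    return True


if __name__ == "__main__":
    filled = fill_missing(POSTED_KEYS)
    for n, (pa, pb) in POSTED_KEYS.items():
        if pa is None or pb is None:
            print(f"sector {n:2d}: key A {filled[n][0]:012X}  key B {filled[n][1]:012X}"
                  + ("  (A filled)" if pa is None else "") + ("  (B filled)" if pb is None else ""))
    print("first-byte pattern holds on this card:", first_byte_rule(filled))
```

The consistency check is the part worth keeping: a "fixed relation" between sector keys is only usable on a new card after the deltas reproduce every key you could recover independently, otherwise a single nested-attack glitch gets propagated into every filled sector.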
#42 2015-10-21 17:12:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

When I read this thread it's easy to be confused.

But let's recap.

1) Your tag is MiZip? Mifare Mini? http://www.methack.it/forum/archive/ind … 932-7.html
--> Comestero WorldKey?

--> It could be a newer version where the PRNG is fixed, that's why the "sniff log" mfkey is wrong.

-----

#43 2015-10-21 17:17:34

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

When I read this thread it's easy to be confused.

But let's recap.

1) Your tag is MiZip? Mifare Mini? http://www.methack.it/forum/archive/ind … 932-7.html
--> Comestero WorldKey?

--> It could be a newer version where the PRNG is fixed, that's why the "sniff log" mfkey is wrong.

-----

For the MiZip I already know the algo.... Those keys are WorldKey.
If you are interested I can share the mentioned data by email.

#44 2015-10-21 17:54:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Sure, you can send it to me. You'll find my email all over this forum.

#45 2015-10-21 18:30:51

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

ok....done

#46 2015-10-21 18:49:00

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Got it.

#47 2015-10-28 17:02:41

y0no
Member
Registered: 2015-10-28
Posts: 5

Re: cracking mifare keys

Hello,
I'm new here. I am trying to read data from my Mifare Mini 0.3k. I have read some forum threads concerning this type of key.
I have found the A and B keys for sector 0, but I can't find the other sectors' keys. It seems that the keys are linked to the UID (in my case 6678828d), but I can't find the algorithm used to do it.

Could you help me please?

#48 2015-10-28 19:15:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Since you are new, I suggest that you read the Proxmark3 wiki to begin with. Then start reading up on the specific RFID tag you are trying to focus on.

#49 2015-10-28 19:26:04

y0no
Member
Registered: 2015-10-28
Posts: 5

Re: cracking mifare keys

I already read this page https://github.com/Proxmark/proxmark3/wiki/Mifare%20Tag%20Ops and this one https://github.com/Proxmark/proxmark3/wiki/Mifare%20HowTo.

But I don't find any information concerning the possible algorithm used to generate keys on MiZip (seems to be another name for Mifare 0.3k) from the UID.

#50 2015-10-28 19:30:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Then the question is, did you understand what you read?

How do you find keys to a Mifare Mini tag... What options do you have... given the fact you already have the sector 0 keys...
