Proxmark3 community


#1 2014-04-09 08:40:09

brantz
Contributor
Registered: 2014-03-19
Posts: 50

Successfully cracked a MC1K, but the cloned card cannot be recognized

Hi Guys,

It's the first time I've met such a weird situation.

Executing the 'hf 14a read' command, what I got is

ATQA : 04 00
UID : ba 2e 3e 44
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported

Looks like a normal MC1K.

Next step is to check whether any block is encrypted with a default key. Well,

Found valid key:[ffffffffffff]

Next step: run the nested attack.

I got

-----------------------------------------------
uid:ba2e3e44 len=2 trgbl=60 trgkey=0
Found valid key:7304b9facf5e
-----------------------------------------------
uid:ba2e3e44 len=2 trgbl=60 trgkey=1
Found valid key:4a42e2f5c54e
-----------------------------------------------
Iterations count: 2


|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  7304b9facf5e  | 1 |  4a42e2f5c54e  | 1 |
|---|----------------|---|----------------|---|

uid(ba2e3e44) nt(6f522ade) par(29412139e119f931) ks(030f0f0e07070c00) nr(2400000000)


We got all keys already, and "Dumped card data into 'dumpdata.bin' "



Thereafter, I converted the bin to eml and loaded it to emulate the card.

Guess what: I put the HF antenna to the reader and nothing happened, not even a blink from the indicator.


I thought there might be something wrong with the emulating process.
So I wrote the dumped file to a UID-changeable card. It's still not working; the same response, which is no response.


Normally, if we can get the keys of a MC1K, we can dump all data onto a UID-changeable card that will function exactly as the original card.

But in this case, it doesn't work.


I'm really curious how this could happen. Apparently, we got all data dumped successfully, so why won't the cloned one be accepted by the reader?

I have compared the dumpdata with the cloned card; they are exactly the same. I tried several UID cards, and none of them works.

Could anyone give me some clues?

Appreciate!


#2 2014-04-09 10:18:25

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Successfully cracked a MC1K, but the cloned card cannot be recognized

Maybe the reader checks for special Chinese commands to be accepted by the card? (Very difficult to believe, but this can be possible if the cards are exactly the same.) Did you try a changeable-UID card that needs special commands, or the new ones?


#3 2014-04-11 11:02:22

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Successfully cracked a MC1K, but the cloned card cannot be recognized

Can you sniff the communication between the genuine reader and card, and with the cloned one, and post it?