Proxmark3 community


#1 2016-10-04 03:44:58

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

[SOLVED] Darkside attack no result even after overnight processing

Hi guys. I tried the darkside attack, but even though I left the command to process overnight, I still didn't get any result.

If I run the "hf mf nested" command, it gives the error "No response from Proxmark". I had to remove the USB cable and plug it in again to run other commands.

My card SAK is 08 [2]. Would it be possible that this is a Mifare Plus card?

I read some posts on the hardnested attack, but I can't find a full guide on how to do it.

I'm planning to do a snoop at the reader later in the day. Will the codes from the snoop command help me to crack the code?

Can you assist me on this?

Below are the results from my test. Thanks

#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-04-02 15:12:04
#db# os: /-suspect 2015-04-02 15:12:11
#db# HF FPGA image built on 2015/03/09 at 08:41:42
Prox/RFID mark3 RFID instrument

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 0 bytes ( 0%). Free: 262144 bytes (100%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune

Measuring antenna characteristics, please wait........
# LF antenna: 27.91 V @   125.00 kHz
# LF antenna: 32.31 V @   134.00 kHz
# LF optimal: 36.02 V @   130.43 kHz
# HF antenna: 20.74 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

proxmark3> hf 14a reader
UID : 10 4e 4b 3e
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
proxmark3> hf mf chk *1 ? t
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block:  3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector: 3, block: 15, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:A, key count:13
--sector: 0, block:  3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:B, key count:13
#db# ChkKeys: Can't select card
--sector:14, block: 59, key type:B, key count:13
--sector:15, block: 63, key type:B, key count:13
#db# ChkKeys: Can't select card
Found keys have been transferred to the emulator memory

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..........................................................................................................................................................................................................................................................................................................................................................................................................

(NOTE: I left it overnight and still no result)

proxmark3> hf mf nested 1 55 A ffffffffffff d
Testing known keys. Sector count=16
nested...
-----------------------------------------------
Error: No response from Proxmark.

(NOTE: I had to remove the USB and plug it in again after getting the no response message)

Last edited by earlneo (2016-10-11 17:30:41)

Offline
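Added example, not part of the original post or of the Proxmark3 code base: a small parser for the `hf mf chk` output format shown above that separates sectors answering to a default key from sectors where the check did not complete ("Can't select card"). A missing "Found valid key" line only indicates a key outside the tested list if the card was actually selected. The sample log is constructed in the page's format, and attributing a `#db#` line to the preceding sector header is an assumption.

```python
import re

# Constructed sample in the format of the `hf mf chk` output quoted above
# (shortened to four sector/key-type entries).
SAMPLE = """\
--sector: 0, block:  3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:A, key count:13
#db# ChkKeys: Can't select card
--sector:15, block: 63, key type:A, key count:13
--sector:15, block: 63, key type:B, key count:13
#db# ChkKeys: Can't select card
"""

HEADER = re.compile(
    r"^--sector:\s*(\d+), block:\s*(\d+), key type:([AB]), key count:\s*(\d+)"
)
FOUND = re.compile(r"^Found valid key:\[([0-9a-fA-F]{12})\]")
SELECT_FAIL = "Can't select card"


def classify(log):
    """Map (sector, key_type) -> {"status": ..., "key": ...}.

    status is one of:
      default_key   a key from the tested list authenticated
      inconclusive  the card could not be selected, so nothing was tested
      not_in_list   the check ran but no key from the tested list matched
    """
    results = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = (int(m.group(1)), m.group(3))
            results[current] = {"status": "not_in_list", "key": None}
            continue
        if current is None:
            continue  # banner or other output before the first sector line
        m = FOUND.match(line)
        if m:
            results[current] = {"status": "default_key", "key": m.group(1).lower()}
        elif SELECT_FAIL in line and results[current]["status"] != "default_key":
            # Assumption: the debug line belongs to the most recent sector header.
            results[current]["status"] = "inconclusive"
    return results


def summary(results):
    """Group entries such as '15B' by status, ordered by sector then key type."""
    out = {"default_key": [], "not_in_list": [], "inconclusive": []}
    for (sector, ktype), entry in sorted(results.items()):
        out[entry["status"]].append(f"{sector}{ktype}")
    return out


if __name__ == "__main__":
    for status, entries in summary(classify(SAMPLE)).items():
        print(f"{status:13s} {', '.join(entries) or '-'}")
```

Entries reported as inconclusive should be re-checked with better card placement before any conclusion is drawn about their keys.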

#2 2016-10-04 05:03:03

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

I updated the firmware to Iceman and received the following error on the darkside attack:

Prox/RFID mark3 RFID instrument
bootrom: iceman//-suspect 2016-09-26 09:08:55
os: iceman//-suspect 2016-09-26 09:08:56
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 219920 bytes (84%). Free: 42224 bytes (16%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...................

Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

Offline

#3 2016-10-04 06:15:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: [SOLVED] Darkside attack no result even after overnight processing

..and your question is?

Offline

#4 2016-10-04 07:12:46

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

I read some posts on the hardnested attack, but I can't find a full guide on how to do it.

I'm planning to do a snoop at the reader later in the day. Will the codes from the snoop command help me to crack the code?

Which method works faster to crack the code for Mifare Plus card? hardnested or snoop?

Any forum/website I can refer to for the hardnested attack?

Offline

#5 2016-10-04 07:50:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: [SOLVED] Darkside attack no result even after overnight processing

Read the help text for the command you are trying to run?

This thread seemed to be about a potential bug in "hf mf mifare" and that is resolved by upgrading firmware, and the rest of OP's question can be found by some forum searching, I'm done here.

Offline

#6 2016-10-04 11:17:59

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

Can anyone assist me on how to read the raw data?

Last edited by earlneo (2016-10-19 15:23:34)

Offline

#7 2016-10-04 13:40:46

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

I tried snoop on another card and got a better result. But the code is still not cracked yet.

Last edited by earlneo (2016-10-19 15:23:56)

Offline

#8 2016-10-04 13:42:31

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

Can anyone help me to read the raw data please?

Offline

#9 2016-10-04 13:57:46

gator96100
Contributor
From: Austria
Registered: 2016-03-25
Posts: 177

Re: [SOLVED] Darkside attack no result even after overnight processing

No, if you have 1 known key just do a hardnested attack.

Offline

#10 2016-10-04 14:11:51

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

Hi Gator. I believe I have found 1 key.

Please advise me what I should do next. Thanks

Last edited by earlneo (2016-10-19 15:22:18)

Offline

#11 2016-10-04 14:40:21

gator96100
Contributor
From: Austria
Registered: 2016-03-25
Posts: 177

Re: [SOLVED] Darkside attack no result even after overnight processing

So you do have all keys? So what's the problem?

Offline

#12 2016-10-04 16:51:33

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

I am only able to decode keys for A, but not for Sector 15 B.

Last edited by earlneo (2016-10-19 15:22:33)

Offline

#13 2016-10-04 18:40:09

gator96100
Contributor
From: Austria
Registered: 2016-03-25
Posts: 177

Re: [SOLVED] Darkside attack no result even after overnight processing

Just do a hardnested with the A key. -> hf mf hardnested 63 A 8216B77729F6 63 B

Offline

#14 2016-10-04 20:01:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: [SOLVED] Darkside attack no result even after overnight processing

or look at the accessbits....

Offline

#15 2016-10-05 09:07:35

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

Hi guys. I have managed to crack it via the hardnested attack. Faster and less work. Haha

Ok now, I'm having an issue with changing the UID card. The new encoded code is not as per the original code.

I ran Diff Tool on MCT Tool, but the results are different.

Any possibility for the tool to write sector 0 with the full hex code?

Last edited by earlneo (2016-10-19 15:22:59)

Offline

#16 2016-10-05 09:55:00

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: [SOLVED] Darkside attack no result even after overnight processing

You can use hf mf csetblk to write a complete block.

The hf mf csetuid only sets the uid/sak/atqa part without damaging the rest of the block, and makes sure the bcc is correct.

Offline

#17 2016-10-05 10:16:30

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

I tried but have errors. I tried on 2 different M1 UID Card.

proxmark3> hf mf csetblk 0 xxxxxx
--block number: 0 data:xxxxxx
#db# write block send command error
Can't write block. error=2

Last edited by earlneo (2016-10-19 15:25:00)

Offline

#18 2016-10-05 10:28:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: [SOLVED] Darkside attack no result even after overnight processing

Post the output from the last two commands.

hf mf dbg 1
hf mf csetblk 0 90AB7926648804000000000000000000
hf list 14a

Offline

#19 2016-10-05 11:07:58

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

Here you go.

Last edited by earlneo (2016-10-19 15:25:23)

Offline

#20 2016-10-05 11:20:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: [SOLVED] Darkside attack no result even after overnight processing

Sry, wrong debug level.

hf mf dbg 4

Offline

#21 2016-10-05 13:56:35

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

Here you go.

Last edited by earlneo (2016-10-19 15:25:38)

Offline

#22 2016-10-05 14:04:21

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

Hey guys. Just want to update.

Even though I'm getting timeout errors, it writes perfectly.

I just did a hex comparison on Diff Tool.

Mission accomplished.

Thank you so much for your help! Keep it up with the development works!

Offline

#23 2016-10-06 09:32:53

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

Re: [SOLVED] Darkside attack no result even after overnight processing

Feel free to donate at https://paypal.me/iceman1001/
This will make the development more productive

All support is welcome.

Offline

#24 2016-10-11 17:28:04

earlneo
Contributor
Registered: 2016-10-01
Posts: 36

Re: [SOLVED] Darkside attack no result even after overnight processing

osys wrote:

Feel free to donate at https://paypal.me/iceman1001/
This will make the development more productive

All support is welcome.

I tried the link but paypal.me isn't available in my country.

Let me know if you have another option. Thanks

Offline

#25 2016-10-16 23:24:36

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: [SOLVED] Darkside attack no result even after overnight processing

osys wrote:

Feel free to donate at https://paypal.me/iceman1001/
This will make the development more productive

All support is welcome.


Hello Iceman, is this guy legit !! fishy

Offline

#26 2016-10-17 09:33:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: [SOLVED] Darkside attack no result even after overnight processing

Legit is something I can't tell, but the one thing you could accuse @osys for is kindness.

The link is the same as found on my github profile and in the icemanfork's readme.md. All support is welcome.

Offline

#27 2016-10-18 15:15:54

phiber
Contributor
Registered: 2016-10-11
Posts: 37

Re: [SOLVED] Darkside attack no result even after overnight processing

This is weird.. I have this card that I can't run darkside on with iceman's fork.
It just keeps running with no result.

But if I use the official 2.3 ROM, the darkside attack works and I am able to get the key in less than 10 secs..

Just FYI.

Offline

#28 2016-10-18 15:38:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: [SOLVED] Darkside attack no result even after overnight processing

There is no solver in PM3 2.3.0, what you got is @piwi's test for key.
The solver / GOOD_BYTES can be adjusted in my fork, it's quite low at the moment. If you save the nonces, would you mind sharing them here via sendspace.com?

Offline

#29 2016-10-18 16:07:53

phiber
Contributor
Registered: 2016-10-11
Posts: 37

Re: [SOLVED] Darkside attack no result even after overnight processing

iceman wrote:

There is no solver in PM3 2.3.0, what you got is @piwi's test for key.
The solver / GOOD_BYTES can be adjusted in my fork, it's quite low at the moment. If you save the nonces, would you mind sharing them here via sendspace.com?

Can you share with me the command to get the nonces and I will send them over to you?

This is the "2.3" firmware I am using. I used the command hf mf mifare, and I replaced sensitive data with xxxx.
I verified the key is correct as I am able to extract and modify the encrypted sectors.

Prox/RFID mark3 RFID instrument
bootrom: master/v2.3 2016-09-19 20:28:38
os: master/v2.3 2016-09-19 20:28:38
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 183707 bytes (70%). Free: 78437 bytes (30%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
> hf mf mifare
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card

uid(xxxxxxxx) nt(61c83615) par(0000000000000000) ks(070f090b03040905) nr(00000000)


parity is all zero,try special attack!just wait for few more seconds...
Key not found (lfsr_common_prefix list is null). Nt=61c83615
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card

uid(xxxxxxxx) nt(61c83615) par(0000000000000000) ks(0c060c0409030c00) nr(00000001)


parity is all zero,try special attack!just wait for few more seconds...
Key not found (lfsr_common_prefix list is null). Nt=61c83615
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card

uid(xxxxxxxx) nt(61c83615) par(0000000000000000) ks(0b0709080e0d0d09) nr(00000002)


parity is all zero,try special attack!just wait for few more seconds...
Found valid key:xxxxxxxx

When I run hf mf mifare on the iceman fork, it just runs and runs with nothing..

pm3 --> hf 14a read
 UID : xx xx xx xx
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO
pm3 --> hf mf mifare
-------------------------------------------------------------------------
Executing darkside attack. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...

Do you mean that "hf mf mifare" does different things in your fork and the official fork?

Thanks!

Last edited by phiber (2016-10-18 16:13:18)

Offline

#30 2016-10-18 16:17:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: [SOLVED] Darkside attack no result even after overnight processing

This thread is about hf mf hardnested, your issue is related to hf mf mifare, please make another thread and do not hijack threads again.

And a fast answer,
- no, you are trying to run the darkside attack against a clone tag, (chinese clone?) and the iceman fork has problems with those.
- the error message tells you also that the PM3 can't select the card. Most likely because of antenna voltage, card placement over antenna.

Offline
