Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-05-09 15:19:21

T.
Contributor
Registered: 2017-09-20
Posts: 20

(Solved) Proxmark crash for classic 1 k

Hey there,

I have a small problem trying to crack a mifare 1k classic :

Let me explain everything, first I have that version :

proxmark3> hw version
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: master-rysc/v3.0.1 2017-09-21 19:05:39
os: master-rysc/v3.0.1 2017-09-21 19:05:45
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 192390 bytes (73%). Free: 69754 bytes (27%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

Then I am trying to crack that card :

proxmark3> hf search

 UID : f5 34 7c 00
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK

Valid ISO14443A Tag Found - Quiting Search 
proxmark3> hf 14a read
 UID : f5 34 7c 00
ATQA : 00 04
 SAK : 08 [2]
Field dropped.

Hf mf mifare is giving me a key :


proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.#db# Mifare: Can't select card
Found 7 possible keys. Trying to authenticate with each of them ...

Found valid key:e733745249e9 

Hf mf chk *1 ? is giving me no key

proxmark3> hf mf chk *1 ?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 1a2b3c4d5e6f
chk default key[ 6] 123456789abc
chk default key[ 7] 010203040506
chk default key[ 8] 123456abcdef
chk default key[ 9] abcdef123456
chk default key[10] 4d3a99c351dd
chk default key[11] 1a982c7e459a
chk default key[12] d3f7d3f7d3f7
chk default key[13] 714c5c886e97
chk default key[14] 587ee5f9350f
chk default key[15] a0478cc39091
chk default key[16] 533cb6c723f6
chk default key[17] 8fd0a4f256e9

To cancel this operation press the button on the proxmark...
--.
No valid keys found.


The hardnest is giving me another key :

proxmark3>  hf mf hardnested 0 A e733745249e9 4 a s
--target block no:  4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: Yes, Tests: 0
Using AVX2 SIMD core.



 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 8 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 926 million (2^29.8) keys/s      | 140737488355328 |    2d
      17 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    2d
      21 |     112 | Apply bit flip properties                               |    154259030016 |  3min
      22 |     224 | Apply bit flip properties                               |     31561357312 |   34s
      23 |     336 | Apply bit flip properties                               |     20053813248 |   22s
      24 |     447 | Apply bit flip properties                               |     18644912128 |   20s
      25 |     559 | Apply bit flip properties                               |     18611140608 |   20s
      25 |     670 | Apply bit flip properties                               |     18187343872 |   20s
      26 |     782 | Apply bit flip properties                               |     18187343872 |   20s
      27 |     893 | Apply bit flip properties                               |     18187343872 |   20s
      27 |    1005 | Apply bit flip properties                               |     18187343872 |   20s
      28 |    1117 | Apply bit flip properties                               |     18187343872 |   20s
      29 |    1185 | Apply bit flip properties                               |     18187343872 |   20s
      30 |    1295 | Apply bit flip properties                               |     18187343872 |   20s
      31 |    1331 | Apply bit flip properties                               |     18187343872 |   20s
      32 |    1443 | Apply bit flip properties                               |     18187343872 |   20s
      32 |    1508 | Apply bit flip properties                               |     18187343872 |   20s
      34 |    1619 | Apply Sum property. Sum(a0) = 96                        |      1301511040 |    1s
      35 |    1731 | Apply bit flip properties                               |      1301511040 |    1s
      35 |    1843 | Apply bit flip properties                               |      1301511040 |    1s
      36 |    1954 | Apply bit flip properties                               |      1785375104 |    2s
      37 |    2035 | Apply bit flip properties                               |      1199415296 |    1s
      38 |    2146 | Apply bit flip properties                               |      1199415296 |    1s
      39 |    2146 | (1. guess: Sum(a8) = 224)                               |      1199415296 |    1s
      39 |    2146 | Apply Sum(a8) and all bytes bitflip properties          |      1199415296 |    1s
      39 |    2146 | Starting brute force...                                 |      1199415296 |    1s
      39 |    2146 | (2. guess: Sum(a8) = 192)                               |      3025586944 |    3s
      39 |    2146 | Apply Sum(a8) and all bytes bitflip properties          |      3025585152 |    3s
      39 |    2146 | Starting brute force...                                 |      3025586944 |    3s
      39 |    2146 | (3. guess: Sum(a8) = 160)                               |      5734760960 |    6s
      41 |    2146 | Apply Sum(a8) and all bytes bitflip properties          |      5723732480 |    6s
      41 |    2146 | Starting brute force...                                 |      5734760960 |    6s
      41 |    2146 | (4. guess: Sum(a8) = 176)                               |      8874139648 |   10s
      42 |    2146 | Apply Sum(a8) and all bytes bitflip properties          |      8450249216 |    9s
      42 |    2146 | Starting brute force...                                 |      8874139648 |   10s
      42 |    2146 | (5. guess: Sum(a8) = 200)                               |     11526259712 |   12s
      42 |    2146 | Apply Sum(a8) and all bytes bitflip properties          |     11436068864 |   12s
      42 |    2146 | Starting brute force...                                 |     11526259712 |   12s
      42 |    2146 | (6. guess: Sum(a8) = 128)                               |     17479796736 |   19s
      45 |    2146 | Apply Sum(a8) and all bytes bitflip properties          |      3500292608 |    4s
      45 |    2146 | Starting brute force...                                 |     17479796736 |   19s
      46 |    2146 | (7. guess: Sum(a8) = 152)                               |      4460759552 |    5s
      47 |    2146 | Apply Sum(a8) and all bytes bitflip properties          |      3153695232 |    3s
      47 |    2146 | Starting brute force...                                 |      4460759552 |    5s
      48 |    2146 | Brute force phase completed. Key found: 2a2c13cc242a    |               0 |    0s

But then when I am using hf mf nested with the previous key found I have a crash,  PRoxmark.exe stopped working


proxmark3>  hf mf nested 1 0 A e733745249e9 d
--nested. sectors:16, block no:  0, key type:A, eml:n, dmp=y checktimeout=471 us
Testing known keys. Sector count=16
nested...
-----------------------------------------------
uid:f5347c00 trgbl=0 trgkey=0
Found valid key:e733745249e9 

I feel that I am doing something quite stupid but a long time I didn't touch my proxmark and I don't really remember everything.
Anyway if you guys could help me solving that stupid stuff I would be very happy

Thank you for your time smile




Ps :

After running the script autopwn I have :

-----------------------------------------------
Nested statistic:
Iterations count: 107
Time in nested: 67.340 (0.629 sec per key)
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  000000000000  | 1 |  ffffffffffff  | 1 |
|001|  22d14e00f087  | 1 |  ffffffffffff  | 1 |
|002|  6961206b6579  | 1 |  000000000000  | 0 |
|003|  000000000000  | 1 |  000000000000  | 0 |
|004|  e0f72e06e0f7  | 1 |  ffffffffffff  | 1 |
|005|  000000000000  | 1 |  ffffffffffff  | 1 |
|006|  e733745249e9  | 1 |  ffffffffffff  | 1 |
|007|  e733745249e9  | 1 |  ffffffffffff  | 1 |
|008|  e733745249e9  | 1 |  ffffffffffff  | 1 |
|009|  e733745249e9  | 1 |  ffffffffffff  | 1 |
|010|  e733745249e9  | 1 |  000000000000  | 0 |
|011|  e733745249e9  | 1 |  ffffffffffff  | 1 |
|012|  e733745249e9  | 1 |  ffffffffffff  | 1 |
|013|  e733745249e9  | 1 |  ffffffffffff  | 1 |
|014|  e733745249e9  | 1 |  ffffffffffff  | 1 |
|015|  e733745249e9  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|--- 

But most of the block error auth :

|-----------------------------------------|
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
Could not read block  0 of sector  0
ERROR:  Could not read file dumpdata.bin
ERROR:  Could not read file dumpdata.bin
ERROR:  Could not read file 

Last edited by T. (2018-05-11 12:55:20)

Offline

#2 2018-05-09 16:48:27

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: (Solved) Proxmark crash for classic 1 k

You are runing on a un-released source code version from Rysccorp.  I suggest you turn to them to ask your questions.
We usually can answer questions regarding the offical open-source pm3 repo.

bootrom: master-rysc/v3.0.1 2017-09-21 19:05:39
os: master-rysc/v3.0.1 2017-09-21 19:05:45

Offline

#3 2018-05-09 16:52:16

T.
Contributor
Registered: 2017-09-20
Posts: 20

Re: (Solved) Proxmark crash for classic 1 k

iceman wrote:

You are runing on a un-released source code version from Rysccorp.  I suggest you turn to them to ask your questions.
We usually can answer questions regarding the offical open-source pm3 repo.

bootrom: master-rysc/v3.0.1 2017-09-21 19:05:39
os: master-rysc/v3.0.1 2017-09-21 19:05:45

Will update that now so I can use the same as the community, coming back to the forum soon if that still doesn't work

Thank you so much again for your work Iceman wink

Last edited by T. (2018-05-09 17:00:54)

Offline

#4 2018-05-09 20:12:43

T.
Contributor
Registered: 2017-09-20
Posts: 20

Re: (Solved) Proxmark crash for classic 1 k

After a small update of the firmware, everything is working perfectly fine smile
I don't know how to put (solved) in the title of my post, or if it is only admin and moderator that can do that.

Last edited by T. (2018-05-09 20:13:30)

Offline

#5 2018-05-09 20:46:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: (Solved) Proxmark crash for classic 1 k

you edit your first post.

Offline

Board footer

Powered by FluxBB