Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2011-05-26 12:35:09

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Mifare read/write via crypto1

HI,

  Ok all this stuff is done) :

1. Mifare read block command
2. Mifare read sector (via 1)
3. Mifare write block
4. fixed several bugs in iso 14443 select

tested:
JCOP30
MIFARE S50 china
MIFARE S50 NXP
MIFARE classic 1k 7 byte UID  (libnfs can't do it ))) )
MIFARE Plus S SL1
MIFARE Plus X SL1

Maybe if someone wants - I can place it into repository http://code.google.com/p/proxmark3/
if no, ill post the code into my repository and post here the link)

P.S. im a developer with 15+ years development experience )

Last edited by merlok (2011-05-26 12:38:09)

Offline

#2 2011-05-26 13:58:23

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

Offline

#3 2011-05-26 14:33:51

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

hey friend,I got my first PM3 just now.Could I know how should I use your program with the PM3 with the firmware of "20090905-r216"?I'm not good as programming, so I have no idea where should I start my research.THX a lot.

Offline

#4 2011-05-27 12:40:41

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

You should upgrage it to last version.

upgrade here: http://proxmark3.com/dl/PM3-UserGuide-v7.pdf

Before upgrading you have to compile sources.

build enviroment here:
http://code.google.com/p/proxmark3/down … z&can=2&q=
tortoiseSVN:
http://tortoisesvn.net/downloads.html

so.....

1.download proxspace and unzip it into any folder
2. install trtoizesvn
3. reboot PC )
4. ProxSpace\pm3 - right button in windows explorer - <SVN Update>
5.  ProxSpace\runme.bat - make sute that there is your path to proxspace    set MYPATH=C:\XXXXXXXXX\ProxSpace
6. run runme.bat
7. from there:
make clean
make all
8. with help of binaries from ProxSpace\pm3\client
and firmware files from ProxSpace\pm3\armsrc\obj
upgrade firmware

9. use it and have fun )

Last edited by merlok (2011-05-27 12:41:13)

Offline

#5 2011-05-30 15:49:05

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

thanks for the improvement. works perfect.
some times the 14a reader command don't work i don't  know if is my computer or a bug, i have to tried more times


it could be possible to make the darkside attack with proxmark like mfcuk and mfoc??
i mean could you developed this attack inside proxmark?
this would be great using proxmark also like a reader not only like sniffer.

thanks

Offline

#6 2011-05-31 01:44:44

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

thanks a lot for your help.

Offline

#7 2011-05-31 02:18:04

moebius
Contributor
Registered: 2011-03-10
Posts: 199

Re: Mifare read/write via crypto1

thefkboss wrote:

thanks for the improvement. works perfect.
some times the 14a reader command don't work i don't  know if is my computer or a bug, i have to tried more times


it could be possible to make the darkside attack with proxmark like mfcuk and mfoc??
i mean could you developed this attack inside proxmark?
this would be great using proxmark also like a reader not only like sniffer.

thanks

The guy from "Implementing_an_RFID_MIFARE_CLASSIC_Attack" implemented crapto attack inside pmark3...

maybe someone can merge that code into the current stable firmware and client.

smile

Offline

#8 2011-05-31 04:06:52

moebius
Contributor
Registered: 2011-03-10
Posts: 199

Re: Mifare read/write via crypto1

Well, i've successfully compiled all the stuff here.. updated all *.s19 but using old "prox.exe" client...

because proxmark3.exe is not working for me.. proxmark not found is the error... i'm using xp. Something wrong with the usb?

Need help here!

Thanks a lot!

Offline

#9 2011-05-31 04:14:43

moebius
Contributor
Registered: 2011-03-10
Posts: 199

Re: Mifare read/write via crypto1

done by installing Pmark3 as a libusb device smile

I'll try this new firmware

Thanks!

Offline

#10 2011-05-31 04:18:46

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

I have update my firmware and the proxmark3.exe is OK ,but it shows "PROXMARK3: NOT FOUND!".Then I tried the old prox in "20090905-r216",and some commands is still usalbe.I typed "version" and the result is below:

#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 471-suspect 2011-05-31 02:36:41
#db# os: svn 471-suspect 2011-05-31 02:36:50
#db# FPGA image built on 2009/12/ 8 at  8: 3:54

Is it updated not correctly? Or something else?
Thank you !


BTW,moebius ,you can copy the proxmark3.exe to the folder"ProxSpace\pm3" and run the "proxmark3.exe" in the environment built by running the "runme.bat".

Offline

#11 2011-05-31 11:59:40

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

proxmark3.exe nedds to install libusb device
For almost all windows suits driver from proxmark directory
ProxSpace\mingw\bin\proxmark.inf

USB driver to Win 7 here. my post:
http://www.proxmark.org/forum/viewtopic.php?id=531

Offline

#12 2011-05-31 12:01:14

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

nemer wrote:

#db# os: svn 471-suspect 2011-05-31 02:36:50

it seems correct

Offline

#13 2011-05-31 12:10:15

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

thefkboss wrote:

thanks for the improvement. works perfect.
some times the 14a reader command don't work i don't  know if is my computer or a bug, i have to tried more times


it could be possible to make the darkside attack with proxmark like mfcuk and mfoc??
i mean could you developed this attack inside proxmark?
this would be great using proxmark also like a reader not only like sniffer.

thanks

unfortunately thjere is a bug in the usb communication. so...  just retry (
maybe i have time to fix it....

darkside attack allready implemented)
just try:
hf 14a mifare
hf14a list

today or tomorrow i will commit improved version of that code

Offline

#14 2011-05-31 12:47:33

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

YES,my program is OK,THX a lot!GOOD JOB!

Offline

#15 2011-05-31 20:12:44

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

unfortunately thjere is a bug in the usb communication. so...  just retry (
maybe i have time to fix it....

darkside attack allready implemented)
just try:
hf 14a mifare
hf14a list

today or tomorrow i will commit improved version of that code

how this work?
i have this



Connected units:
        1. SN: ChangeMe [bus-0/\\.\libusb0-0001--0x9ac4-0x4b8f]
proxmark3> hf 14a mifare
#db# COMMAND FINISHED
#db# nt=6a
proxmark3> hf 14a list
proxmark3> recorded activity:
ETU     :rssi: who bytes
---------+----+----+-----------
+      0:    :     6a  5a  ca  80     !crc
+      0:    :     9e  f6  39  5f  8e  ca  c2  7e     !crc
+      0:    :     9e  b0  0a  df  cb  55  b1  b6     !crc
proxmark3> hf 14a mifare
#db# COMMAND FINISHED
#db# nt=31
proxmark3> hf 14a list
proxmark3> recorded activity:
ETU     :rssi: who bytes
---------+----+----+-----------
+      0:    :     31  78  fa  7a     !crc
+      0:    :     9e  f6  39  5f  8e  ca  c2  7e     !crc
+      0:    :     9e  b0  0a  df  cb  55  b1  b6     !crc
proxmark3>


i have tried two times with the same card.

i have to used the crapto to get back the key or what i have to do with that resoult?

for darkside atack i tought in mfcuk software

http://code.google.com/p/mfcuk/

something similar to that software that the proxmark get all the password from all sectors make a dump of the card

Offline

#16 2011-05-31 21:00:14

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

new version https://code.google.com/p/proxmark3/source/detail?r=472
recovers keyA for sector 0

Offline

#17 2011-06-01 01:30:44

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

Trying the "hf 14a mifare" for more than 30 minutes,and it shows as below.
3379107095412676823.jpg
It's so baldness.And what's worse is I don't know whether it runs correctly...

Last edited by nemer (2011-06-01 01:50:19)

Offline

#18 2011-06-01 02:37:21

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

I am not sure it's my fault or there is still some bug in r472.But I think it will be better if there is some feedback of process during the recovering.

Offline

#19 2011-06-01 04:43:38

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

that bug was there before my version. i only added code at the end of function. it seems, that proxmark3 hung, but i dont know why(

In this situation I cant abort the proxmark3 by pressing button on it.

Last edited by merlok (2011-06-01 05:02:22)

Offline

#20 2011-06-01 04:50:44

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

what about your command "neseted".how does it work to run a nested attack?

Offline

#21 2011-06-01 05:02:55

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

It incomplete

Offline

#22 2011-06-01 06:16:55

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

nemer wrote:

Trying the "hf 14a mifare" for more than 30 minutes,and it shows as below.
http://img.ph.126.net/e0WD1WicQXZlhp78A … 676823.jpg
It's so baldness.And what's worse is I don't know whether it runs correctly...


i have the same result, and still like that since yesterday i will stop it today but i think  is not going to get any key

Offline

#23 2011-06-01 07:00:50

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

i have to shut my mouth


uid(3221d80f) nt(21639454) par(0d65453de55d2df5) ks(080c0d0c060e0f0f)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 8 |  d  |1,0,1,1,0,0,0,0|
| 20 |00000020| c |  9  |1,0,1,0,0,1,1,0|
| 40 |00000040| d |  8  |1,0,1,0,0,0,1,0|
| 60 |00000060| c |  9  |1,0,1,1,1,1,0,0|
| 80 |00000080| 6 |  3  |1,0,1,0,0,1,1,1|
| a0 |000000a0| e |  b  |1,0,1,1,1,0,1,0|
| c0 |000000c0| f |  a  |1,0,1,1,0,1,0,0|
| e0 |000000e0| f |  a  |1,0,1,0,1,1,1,1|
-------------------------------------------------------------------------
Key found:5a4f4d4d4552

proxmark3>

after 7 hours it recovers the key and i know it that one, so is perfect, i´m going to try with another card

if you finish nested attack it would be the perfect weapon.

thanks for your time and knowledge merlok

Last edited by thefkboss (2011-06-01 07:02:40)

Offline

#24 2011-06-01 08:02:32

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

Well,I will try it again!
thefkboss ,does it shows like my photo all the time before you got the result ?
7 hours... MY GOD !

Offline

#25 2011-06-01 08:52:39

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

nemer wrote:

Well,I will try it again!
thefkboss ,does it shows like my photo all the time before you got the result ?
7 hours... MY GOD !

Exactly the same.
I have another card working so if with this card also work i will paste the result and time.
7hours from 23:30pm-7am (from Spain)

Offline

#26 2011-06-01 08:57:28

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

There is strange statistical situation. for one Nr it can works many hours, but for another Nt - seconds.
I guess because of that the original code author implemented transfer previous Nt into the command

Offline

#27 2011-06-01 09:04:01

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

I forget to say that i'm ussing a netbook asus aspire one that is a intel atom.
May be with a normal computer the time will be less i don't know if the pocesors power is important or not, but know i only have this one to try, my other computer it has to be format and i don't have time

Offline

#28 2011-06-01 09:33:10

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

Oh,I started my "hf 14a mifare" from 20110601 16:05(from China).And I will paste my result and time when I got my key.

Offline

#29 2011-06-01 15:17:48

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

I saw small bug in realization.
FIXED: https://code.google.com/p/proxmark3/source/detail?r=473

Offline

#30 2011-06-01 21:17:57

wil
Contributor
Registered: 2010-04-13
Posts: 14

Re: Mifare read/write via crypto1

Hi merlok,

Thanks for the code !
The client doesn't compile on Linux because of the use of conio.h (in cmdhf14a.c)
that does not exist on this platform.
kbhit() should be easy to reimplement.
Here is a GPL compliant example http://www.linuxquestions.org/questions … hit-34027/ .

wil


wilr on irc.freenode.org #proxmark3

Offline

#31 2011-06-01 21:19:42

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

proxmark3> hf 14a mifare
-------------------------------------------------------------------------
Executing command. It may take up to 30 min.
Press the key on proxmark3 device to abort proxmark3.
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....................................................proxmark3>

isOk:01


uid(db8cc296) nt(97656c93) par(53cb2b13cba3534b) ks(0b0608090a000209)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| b |  e  |1,1,0,0,1,0,1,0|
| 20 |00000020| 6 |  3  |1,1,0,1,0,0,1,1|
| 40 |00000040| 8 |  d  |1,1,0,1,0,1,0,0|
| 60 |00000060| 9 |  c  |1,1,0,0,1,0,0,0|
| 80 |00000080| a |  f  |1,1,0,1,0,0,1,1|
| a0 |000000a0| 0 |  5  |1,1,0,0,0,1,0,1|
| c0 |000000c0| 2 |  7  |1,1,0,0,1,0,1,0|
| e0 |000000e0| 9 |  c  |1,1,0,1,0,0,1,0|
-------------------------------------------------------------------------
Key found:a8844b0bca06

proxmark3>


with last version 2 min.
great thanks, i´m going to make another try

Offline

#32 2011-06-01 21:31:12

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

i have discover a little bug
i don´t know why but with some mifare cards have the same problem as with mfcuk.
mfcuk never recover the key


and promark have recovered the key

|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 8 |  d  |0,0,0,0,0,0,0,0|
| 20 |00000020| 6 |  3  |0,0,0,0,0,0,0,0|
| 40 |00000040| d |  8  |0,0,0,0,0,0,0,0|
| 60 |00000060| d |  8  |0,0,0,0,0,0,0,0|
| 80 |00000080| 7 |  2  |0,0,0,0,0,0,0,0|
| a0 |000000a0| 4 |  1  |0,0,0,0,0,0,0,0|
| c0 |000000c0| e |  b  |0,0,0,0,0,0,0,0|
| e0 |000000e0| 6 |  3  |0,0,0,0,0,0,0,0|
-------------------------------------------------------------------------
Key found:2cb03d140000

proxmark3>


but it´s worng key because i know the key

there are more pepople with this problem  i don´t know why this happen.

http://www.libnfc.org/community/topic/9 … ck/page/2/

in the end of the post is the same problem

may be you could solved this bug

thanks

Offline

#33 2011-06-01 21:40:51

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

another wrong key this one is the first one that i post
it should be 5a4f4d4d4552

but

proxmark3> hf 14a mifare
-------------------------------------------------------------------------
Executing command. It may take up to 30 min.
Press the key on proxmark3 device to abort proxmark3.
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
................................................................................
...............................proxmark3>

isOk:01


uid(3221d80f) nt(601a6707) par(04e424b44ca4349c) ks(0001080305040d02)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 0 |  5  |0,0,1,0,0,0,0,0|
| 20 |00000020| 1 |  4  |0,0,1,0,0,1,1,1|
| 40 |00000040| 8 |  d  |0,0,1,0,0,1,0,0|
| 60 |00000060| 3 |  6  |0,0,1,0,1,1,0,1|
| 80 |00000080| 5 |  0  |0,0,1,1,0,0,1,0|
| a0 |000000a0| 4 |  1  |0,0,1,0,0,1,0,1|
| c0 |000000c0| d |  8  |0,0,1,0,1,1,0,0|
| e0 |000000e0| 2 |  7  |0,0,1,1,1,0,0,1|
-------------------------------------------------------------------------
Key found:db32fe080000

proxmark3>

i,m going to try again

Offline

#34 2011-06-01 22:12:10

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

i have the same result keys are wrong i have try with 6 cards are all worng i tried two times with every card and every two times the keys give me the same key but they are worng

some one have other results???

Last edited by thefkboss (2011-06-01 22:17:29)

Offline

#35 2011-06-01 22:40:53

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

may be is my antenna??
fisrts red light start blinking then yellow light still and some time the other green, after that the last green power off but first red light and yellow still there and again the same

Last edited by thefkboss (2011-06-01 22:44:37)

Offline

#36 2011-06-01 23:24:06

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

It still printing "...." after 16 hours running .There must be something wrong in my program.Maybe there reason is my edit for the "hf 14a sim".I will give a try to the original r473.

Offline

#37 2011-06-01 23:32:10

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

Oh !No,I got this after just 2 seconds running:



proxmark3> hf 14a mifare
-------------------------------------------------------------------------
Executing command. It may take up to 30 min.
Press the key on proxmark3 device to abort proxmark3.
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
proxmark3>

isOk:01


uid(c271c9db) nt(ab3011d3) par(0000000000000000) ks(0000000000000000)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 9 |  c  |0,0,0,0,0,0,0,0|
| 20 |00000020| f |  a  |0,0,0,0,0,0,0,0|
| 40 |00000040| 0 |  5  |0,0,0,0,0,0,0,0|
| 60 |00000060| 7 |  2  |0,0,0,0,0,0,0,0|
| 80 |00000080| 0 |  5  |0,0,0,0,0,0,0,0|
| a0 |000000a0| c |  9  |0,0,0,0,0,0,0,0|
| c0 |000000c0| e |  b  |0,0,0,0,0,0,0,0|
| e0 |000000e0| 3 |  6  |0,0,0,0,0,0,0,0|
-------------------------------------------------------------------------
Key found:00009a080000


I have 3 kinds of "mifare 1k", 2 of them works as above and the other works producing "....." all the time. Crying sad

Last edited by nemer (2011-06-02 00:57:16)

Offline

#38 2011-06-02 01:38:28

moebius
Contributor
Registered: 2011-03-10
Posts: 199

Re: Mifare read/write via crypto1

merlok!

good job dude! right now i'm running hf 14a mifare command againt a card, i'll post the results later.

2 questions 4 u:

* Do you think that you can port crapto1 program to the pmark3? I want to sniff a real transaction between a valid reader and a card and the pmark3 itself to crack the key for the sector read.

* When do you expect to have nested attack running?

Thanks a lot!

Offline

#39 2011-06-02 07:59:08

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

nemer wrote:

Oh !No,I got this after just 2 seconds running:



proxmark3> hf 14a mifare
-------------------------------------------------------------------------
Executing command. It may take up to 30 min.
Press the key on proxmark3 device to abort proxmark3.
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
proxmark3>

isOk:01


uid(c271c9db) nt(ab3011d3) par(0000000000000000) ks(0000000000000000)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 9 |  c  |0,0,0,0,0,0,0,0|
| 20 |00000020| f |  a  |0,0,0,0,0,0,0,0|
| 40 |00000040| 0 |  5  |0,0,0,0,0,0,0,0|
| 60 |00000060| 7 |  2  |0,0,0,0,0,0,0,0|
| 80 |00000080| 0 |  5  |0,0,0,0,0,0,0,0|
| a0 |000000a0| c |  9  |0,0,0,0,0,0,0,0|
| c0 |000000c0| e |  b  |0,0,0,0,0,0,0,0|
| e0 |000000e0| 3 |  6  |0,0,0,0,0,0,0,0|
-------------------------------------------------------------------------
Key found:00009a080000


I have 3 kinds of "mifare 1k", 2 of them works as above and the other works producing "....." all the time. Crying sad

nemer that key are the right one? have you tried or do you know  that one is the right one for the card?
i ask you this because may be you could have my problem it recovers the key but is not the right one.

Offline

#40 2011-06-02 09:55:23

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

thefkboss wrote:

nemer that key are the right one? have you tried or do you know  that one is the right one for the card?
i ask you this because may be you could have my problem it recovers the key but is not the right one.

NO,it's a wrong key.the key should be 1fffffffffff.

Offline

#41 2011-06-02 09:59:49

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

I found another possible bug there.I tried the "hf 14a mfrdsc" and typed a wrong sector number.Then:

proxmark3>hf 14a mfrdsc 70 A ffffffffffff
 sector no:46 key type:00 key:ff ff ff ff ff ff  
#db# auth uid: d2375648 nt: d47765af
#db# Authentication failed. Card timeout.
#db# Auth error
proxmark3>
isOk:00
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
proxmark3>
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff 

proxmark3>hf 14a mfrdsc 77 A ffffffffffff
 sector no:4d key type:00 key:ff ff ff ff ff ff  
#db# auth uid: d2375648 nt: faaeec75
proxmark3> 
isOk:01
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
proxmark3> 
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff 

there is only 16 sectors in my mifare 1k,but ....sector :77(4d)....is ok to read...
doubtful...

Offline

#42 2011-06-02 11:50:06

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

nemer wrote:

there is only 16 sectors in my mifare 1k,but ....sector :77(4d)....is ok to read...
doubtful...

this digits inserts into the authentication command. maybe ill should add some input check code - sector number 1 byte long and 77*4 = 308 == 52 (sector 13) )

you can have look on it via command
hf 14a list

(ask me if it wrong)

Last edited by merlok (2011-06-02 13:39:46)

Offline

#43 2011-06-02 11:54:47

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

If you got wrong key - restart the process.
some of Nt returned wrong key.

and if sniffing takes less than 10 seconds - as I saw - Nt usually has wrong key in the result of the process

In the command there is the parameter.
the parameter should say the program that you dont want sniff Nt from parameter
but it not implemented by now

in a next release ill implement it

Offline

#44 2011-06-02 12:11:17

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

moebius wrote:

2 questions 4 u:

* Do you think that you can port crapto1 program to the pmark3? I want to sniff a real transaction between a valid reader and a card and the pmark3 itself to crack the key for the sector read.

* When do you expect to have nested attack running?

1. I have ported crapto1 into proxmark3 (it was portable - I cange only 1 line of code).
BUT(
It cant be usable in all situations because of low memory on ARM7 (64kb)
if there is ARM9))))

so, if you want encrypt|decrypt - it works.

2. I have some problems with memory on PC and low speed of communication via USB with proxmark.
I m working on it )

Last edited by merlok (2011-06-02 12:12:16)

Offline

#45 2011-06-02 12:33:36

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

nemer wrote:

Oh !No,I got this after just 2 seconds running:
......................
I have 3 kinds of "mifare 1k", 2 of them works as above and the other works producing "....." all the time. Crying

I have several cards like yours....
I think that some cards have strange statistical behavior.

and from some of them I have recovered key, but form some - never...

Last edited by merlok (2011-06-02 12:34:48)

Offline

#46 2011-06-02 13:12:37

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

merlok wrote:

this digits inserts into the authentication command. maybe ill should add some code - sector number 1 byte long and 77*4 = 308 == 52 (sector 13) )

It is right.it was reading the 52th block.But I don't understand why "308 == 52 "....Stupid me... tongue

Offline

#47 2011-06-02 17:10:02

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

nemer wrote:
merlok wrote:

this digits inserts into the authentication command. maybe ill should add some code - sector number 1 byte long and 77*4 = 308 == 52 (sector 13) )

It is right.it was reading the 52th block.But I don't understand why "308 == 52 "....Stupid me... tongue

308 = 0x0134
last byte - 0x34 == 52

there is block 52 in sector 13 )

Offline

#48 2011-06-02 19:48:47

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Mifare read/write via crypto1

merlok wrote:
nemer wrote:

Oh !No,I got this after just 2 seconds running:
......................
I have 3 kinds of "mifare 1k", 2 of them works as above and the other works producing "....." all the time. Crying

I have several cards like yours....
I think that some cards have strange statistical behavior.

and from some of them I have recovered key, but form some - never...


i think is not a problem of the card is a problem of the antenna and the position of the card( depends where the mifare chip is , may is something related with the field), i have tried several times (30 times o more and now i recover  the key perfect)  next week i will make a new antenna, this new one  is going to be a PCB antenna like the one that have the normal readers.


try putting the card in parallel with the anntena, and the mifare chip the most far away from the proxmark ( for me this work perfect)
may be merlok you could implement  that when it gets the key try to autehntificate the sector if is wrong key, start again the process automatic to prevent false positives.

Offline

#49 2011-06-03 01:42:43

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: Mifare read/write via crypto1

merlok wrote:

308 = 0x0134
last byte - 0x34 == 52

there is block 52 in sector 13 )

Oh,ye,I see.thank U so much!

Offline

#50 2011-06-07 13:42:32

merlok
Contributor
Registered: 2011-05-16
Posts: 110

Re: Mifare read/write via crypto1

Offline

Board footer

Powered by FluxBB