Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2011-06-07 13:39:28

merlok
Contributor
Registered: 2011-05-16
Posts: 132

new revision - 474

Hi,

1. fixed hf 14a mifare. added functionality to ignore one Nt
2. completed hf 14a nested
3. added hf 14a chk to check keys
5. added check keys to hf 14a mifare and hf 14a nested
6. added debug level to mifare commands
7. small bugs and improvements

and fixed kbhit() for linux )

please, test it )

https://code.google.com/p/proxmark3/source/detail?r=474


#2 2011-06-07 13:45:25

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

Maybe a command hf mf xxxx needs to be added, to separate the mifare commands from standard ISO 14443A?


#3 2011-06-07 14:01:46

wil
Contributor
Registered: 2010-04-13
Posts: 14

Re: new revision - 474

Thank you merlok,

The client (r474) doesn't compile on my Linux box.
It does with the following changes:

Index: include/common.h
===================================================================
--- include/common.h    (revision 474)
+++ include/common.h    (working copy)
@@ -12,6 +12,8 @@
 #ifndef __COMMON_H
 #define __COMMON_H
 
+#include <stdint.h>
+
 //-----------------------------------------------------------------------------
 // ISO 14443A
 //-----------------------------------------------------------------------------
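Review bot: `#include <stdint.h>` is the right fix for the fixed-width types used throughout include/common.h, but this header sits in the shared include/ directory and is compiled for the ARM firmware as well, so confirm the arm-none-eabi build still goes through; newlib ships stdint.h, so no breakage is expected there.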
Index: client/mifarehost.h
===================================================================
--- client/mifarehost.h (revision 474)
+++ client/mifarehost.h (working copy)
@@ -11,7 +11,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <conio.h>
 #include "common.h"
 #include "cmdmain.h"
 #include "ui.h"
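Review bot: dropping `#include <conio.h>` unconditionally removes it from the Windows build too, where conio.h is what supplies kbhit()/getch(); if mifarehost.c still calls those on Windows, guard the include rather than deleting it, e.g. `#ifndef __linux__` / `#include <conio.h>` / `#endif`, mirroring the `#ifdef __linux__` already used around ukbhit() in client/util.c.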
Index: client/util.c
===================================================================
--- client/util.c       (revision 474)
+++ client/util.c       (working copy)
@@ -15,6 +15,10 @@
 #include "util.h"
 
 #ifdef __linux__
+
+#include <termios.h>
+#include <sys/ioctl.h> 
+
 int ukbhit(void)
 {
   int cnt = 0;
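Review bot: `#include <sys/ioctl.h> ` carries trailing whitespace. More substantively, both new includes and ukbhit() are under `#ifdef __linux__`, so other POSIX hosts (Mac OS X, the BSDs) still fall through to the conio.h path; termios.h and sys/ioctl.h are POSIX headers, so `#ifndef _WIN32` would cover those builds as well.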

I will test it tonight.

wil


#4 2011-06-07 14:53:57

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: new revision - 474

merlok wrote:

Hi,

1. fixed hf 14a mifare. added functionality to ignore one Nt
2. completed hf 14a nested
3. added hf 14a chk to check keys
5. added check keys to hf 14a mifare and hf 14a nested
6. added debug level to mifare commands
7. small bugs and improvements

and fixed kbhit() for linux )

please, test it )

https://code.google.com/p/proxmark3/source/detail?r=474


1. fixed hf 14a mifare. added functionality to ignore one Nt ------- works fine, but what is the parameter to ignore Nt??????

2. completed hf 14a nested ----- works fine, but you forgot MIFARE MINI is also Mifare Classic but less than 1K; maybe you could include this type of card

3. added hf 14a chk to check keys ---- works fine

5. added check keys to hf 14a mifare and hf 14a nested ---- works fine

6. added debug level to mifare commands --- how can I see this?? what is the command??


I have another question: does this new firmware work with this version of the proxmark?
http://wiki.032.la/nsl/Proxmark3_LCD

Maybe in the next week I will make one. Does your firmware work with this version, or is it possible to port your code to this version (I know that some commands need a keyboard, but others not)? So, does your firmware work with this proxmark??
For me it is enough if it works with the keyboard, but I need to know if it is going to work before I make one.
Thanks

Last edited by thefkboss (2011-06-07 14:54:15)


#5 2011-06-07 15:31:48

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

wil wrote:

Thank you merlok,

The client (r474) doesn't compile on my Linux box.
It does with the following changes:

https://code.google.com/p/proxmark3/source/detail?r=475


#6 2011-06-07 15:44:58

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

thefkboss wrote:

1. fixed hf 14a mifare. added functionality to ignore one Nt ------- works fine, but what is the parameter to ignore Nt??????


2. completed hf 14a nested ----- works fine, but you forgot MIFARE MINI is also Mifare Classic but less than 1K; maybe you could include this type of card

3. added hf 14a chk to check keys ---- works fine

5. added check keys to hf 14a mifare and hf 14a nested ---- works fine

6. added debug level to mifare commands --- how can I see this?? what is the command??


I have another question: does this new firmware work with this version of the proxmark?
http://wiki.032.la/nsl/Proxmark3_LCD

Maybe in the next week I will make one. Does your firmware work with this version, or is it possible to port your code to this version (I know that some commands need a keyboard, but others not)? So, does your firmware work with this proxmark??
For me it is enough if it works with the keyboard, but I need to know if it is going to work before I make one.
Thanks

1. From time to time the command returned an invalid key, so if you want to get a valid key you may test some other Nt (card nonce).
So:
hf 14a mifare -- returned an invalid key with some Nt
hf 14a mifare Nt -- would return the right key
2. Fixed in my version of the code.
6. Internal value. Some commands return too many debug messages; it slows them down.
I added this to increase the speed of the mifare and nested commands.

I don't have a proxmark with LCD, so I can't test it...
but if the oldest firmwares worked on it, the new one would work too.


#7 2011-06-07 16:34:34

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: new revision - 474

Works great, but I don't know how to do the mifare Nt command.
I do hf 14a mifare Nt ABABABAB and it doesn't work; it tells me that I have to put 8 hex digits. Maybe I typed the wrong command.

I have a little change in hf 14a reader to detect the type of the card; maybe you could implement it better.

int CmdHF14AReader(const char *Cmd)
{
   UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
   SendCommand(&c);
   UsbCommand * resp = WaitForResponse(CMD_ACK);
   uint8_t              * uid  = resp->d.asBytes;
   // the select result (ATQA, SAK, ...) follows the 12 UID bytes in the response
   iso14a_card_select_t * card = (iso14a_card_select_t *)(uid + 12);

   if(resp->arg[0] == 0) {
      PrintAndLog("iso14443a card select failed");
      return 0;
   }

   PrintAndLog("ATQA : %02x %02x", card->atqa[0], card->atqa[1]);
   PrintAndLog(" UID : %s", sprint_hex(uid, 12));
   PrintAndLog(" SAK : %02x [%d]", card->sak, resp->arg[0]);

   // card family from the SAK byte (decimal: 9 = 0x09, 8 = 0x08, 24 = 0x18, 32 = 0x20)
   if(card->sak == 9){
      PrintAndLog(" CARD TYPE: MIFARE MINI");}
   else if(card->sak == 8){
      PrintAndLog(" CARD TYPE: MIFARE CLASSIC 1K");}
   else if(card->sak == 24){
      PrintAndLog(" CARD TYPE: MIFARE CLASSIC 4K");}
   else if(card->sak == 32){
      PrintAndLog(" CARD TYPE: MIFARE DESFIRE D40");}
   else {
      PrintAndLog(" CARD TYPE: unknown card");}

   // the post was cut off here; return the select result like the early-exit above
   return resp->arg[0];
}

Here are all the types:

http://www.libnfc.org/documentation/har … s/iso14443


#8 2011-06-07 18:39:59

razer
Member
Registered: 2011-05-31
Posts: 3

Re: new revision - 474

I've tried "hf 14a mifare" command many times and on various platforms (win xp, win 7, ubuntu 10.04)
unfortunately it never returns the right key
but I've noticed that the wrong keys it found always end with "0000"

anyone in the same situation?
or the command works fine for you guys?


#9 2011-06-07 18:59:50

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: new revision - 474

merlok wrote:

I don't have a proxmark with LCD, so I can't test it...
but if the oldest firmwares worked on it, the new one would work too.

I think it has different FPGAs; is this a problem??? The new one is XC3S250E Spartan 3


********************************************************************************
*     The binary FPGA image compiled for the Spartan 2 is absolutely not       *
*     compatible with the Spartan 3 and the source code must be recompiled     *
********************************************************************************

The FPGA is initialized by the ARM through the FPGA_* pins DIN, DOUT, CLK, INITB
PROGB and DONE.

An external oscillator is implemented as before with IC203 and fed to two FPGA
global clock pins, though I believe only one is needed. Additionally I believe any
clock frequency could be fed to these pins and the final required frequency be
synthesized internally to the FPGA via its Digital Clock Modules (DCM).

The usual SSP and SPI buses are still present as before; however, a notable change
is the fact that the ARM no longer drives the analog multiplexer IC403 directly
but instead via the FPGA pins MUX_LO and MUX_HI. This was done in order to free
up more pins on the ARM.

The antenna drivers are driven by the pins PRW_LO, PWR_HI and PWR_OE1..4, so no
change there.

Finally a new ADC rated to run down to 3V is used in the form of the IC202
ADC08060 chip. This A/D can sample up to 70MSPS according to the datasheet.
Also, despite the datasheet claiming a minimum sample rate of 20MSPS, in practice
it seems to do a good job when driven in LF mode at 125KSPS.

Last edited by thefkboss (2011-06-07 19:00:43)


#10 2011-06-08 01:21:02

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: new revision - 474

razer wrote:

I've tried "hf 14a mifare" command many times and on various platforms (win xp, win 7, ubuntu 10.04)
unfortunately it never returns the right key
but I've noticed that the wrong keys it found always end with "0000"

anyone in the same situation?
or the command works fine for you guys?

My result is just like yours. And what's worse, all the keys I got start with "0000" and end with "0000"....
There are still some kinds of my cards that will hang up the PM3 when I run "hf 14a mifare" and "hf 14a mifare nt".


#11 2011-06-08 03:23:08

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: new revision - 474

In my experiment with R474, I have two questions:
My cards are all Mifare Classic 1K.
1. The nested command runs well and I have got 3 right keys on a card.
However, when I try to recover the 4th key for that card, it shows the key "55000000aaff" is valid, and "hf 14a chk **" shows it's valid too. But I can read/write that block neither through "hf 14a mfrdbl" nor through my RC500 M1 reader.
2. The nested command seems not to work on the kind of card I mentioned above. It can't get any keys.


#12 2011-06-08 06:49:42

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: new revision - 474

For me it works perfectly.


#13 2011-06-08 08:13:48

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

thefkboss wrote:

i have a little change in hf 14a reader to detect the type of the card; maybe you could implement it better

Thanks, I have added it into the next release.


#14 2011-06-08 08:33:11

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

ok, something like howto)

1. hf 14a mifare
2. if it returned a wrong key:
hf 14a mifare 1499bbd0

where 1499bbd0 is the nt value taken from the line of the form:
uid(e68fffff) nt(1499bbd0) par(5b236bf33b1b2b73) ks(050d0001090f0f04)

3. hf 14a nested 1 0 a ffffffffffff
4. you got all the keys )


#15 2011-06-08 08:35:35

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

thefkboss wrote:

I think it has different FPGAs; is this a problem??? The new one is XC3S250E Spartan 3

It's not a problem if you have a compiled core for your FPGA.
I have not touched the loader code.


#16 2011-06-08 08:42:17

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

nemer wrote:

1. The nested command runs well and I have got 3 right keys on a card.
However, when I try to recover the 4th key for that card, it shows the key "55000000aaff" is valid, and "hf 14a chk **" shows it's valid too. But I can read/write that block neither through "hf 14a mfrdbl" nor through my RC500 M1 reader.

Some keys can authenticate but can't read the sector;
it depends on the security settings written into the chip by the issuer.

Maybe try key B instead of key A.

nemer wrote:

2. The nested command seems not to work on the kind of card I mentioned above. It can't get any keys.

There are many new cards which have defences against these types of attack,
especially:
new MIFARE CLASSIC (with 7 byte UID)
MIFARE Plus S/X in SL1

so.... just try another card (preferably the oldest one)

Last edited by merlok (2011-06-08 08:42:49)


#17 2011-06-08 13:11:59

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: new revision - 474

merlok wrote:

ok, something like howto)

1. hf 14a mifare
2. if it returned a wrong key:
hf 14a mifare 1499bbd0

where 1499bbd0 is the nt value taken from the line of the form:
uid(e68fffff) nt(1499bbd0) par(5b236bf33b1b2b73) ks(050d0001090f0f04)
)


thanks

merlok wrote:

It's not a problem if you have a compiled core for your FPGA.
I have not touched the loader code.

Yes, I have the fpga.elf and s19 of this version.

So do I only need to change bootrom and osimage, or only osimage from yours?????

merlok wrote:

nemer wrote:

    2. The nested command seems not to work on the kind of card I mentioned above. It can't get any keys.

There are many new cards which have defences against these types of attack,
especially:
new MIFARE CLASSIC (with 7 byte UID)
MIFARE Plus S/X in SL1

so.... just try another card (preferably the oldest one)

Is the mifare command not possible to implement for any sector? I mean, for example, with mfcuk you could select the sector and the key you want and it recovers that key doing darkside; is it not the same for proxmark??

Thanks merlok


#18 2011-06-08 13:35:19

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: new revision - 474

i have tried

    ok, something like howto)

    1. hf 14a mifare
    2. if it returned a wrong key:
    hf 14a mifare 1499bbd0

    where 1499bbd0 is the nt value taken from the line of the form:
    uid(e68fffff) nt(1499bbd0) par(5b236bf33b1b2b73) ks(050d0001090f0f04)
    )

but every time I execute the command the card always gives me a new nt; how is this possible?? This card is the only one I have for which I never recover the key. (I know the key but I want to recover it with proxmark.)


#19 2011-06-08 14:07:10

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

thefkboss wrote:

so i only need to change bootrom and osimage or only osimage from yours?????

yes

thefkboss wrote:

Is the mifare command not possible to implement for any sector? I mean, for example, with mfcuk you could select the sector and the key you want and it recovers that key doing darkside; is it not the same for proxmark??

Yes, this command can work with any sector,
but for now there is a lack of implementation.

I can implement it after the simulator.

Is this feature needed?


#20 2011-06-08 14:11:50

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

thefkboss wrote:

but every time I execute the command the card always gives me a new nt; how is this possible?? This card is the only one I have for which I never recover the key. (I know the key but I want to recover it with proxmark.)

Has mfcuk recovered it? (can you test it?)


#21 2011-06-08 16:42:03

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: new revision - 474

I'm using r475.
hf 14a mifare doesn't work: the red LED is blinking and the whole screen is filled with dots. I tried to run it for 1 hour, but couldn't recover any key.
I have the same problem with r473.


#22 2011-06-09 06:10:47

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: new revision - 474

vivat wrote:

I'm using r475.
hf 14a mifare doesn't work: the red LED is blinking and the whole screen is filled with dots. I tried to run it for 1 hour, but couldn't recover any key.
I have the same problem with r473.

Yes, one of my cards shows the same result as yours. How about the feedback of your card when running hf 14a nested?


#23 2011-06-09 13:00:17

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: new revision - 474

nemer

proxmark3> hf 14a nested o 0 A FFFFFFFFFFFF 1 A
--block no:00 key type:00 key:ff ff ff ff ff ff
--target block no:01 target key type:00


proxmark3> Got 0 keys from proxmark.
Nested error.
proxmark3> hf 14a nested 1 0 A FFFFFFFFFFFF
--block no:00 key type:00 key:ff ff ff ff ff ff
Block shift=0
Testing known keys. Sector count=16
proxmark3> nested...


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.
Iterations count: 0
|---|----------------|---|----------------|---|
|blk|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  0000ffffffff  | 65535 |  000000000001  | -1 |
|001|  000000000000  | 0 |  000000000000  | 0 |
|002|  0000ffffffff  | 65535 |  000000000001  | -1 |
|003|  0000ffffffff  | 65535 |  000000000001  | -1 |
|004|  0000ffffffff  | 65535 |  000000000001  | -1 |
|005|  0000ffffffff  | 65535 |  000000000001  | -1 |
|006|  0000ffffffff  | 65535 |  000000000001  | -1 |
|007|  0000ffffffff  | 65535 |  000000000001  | -1 |
|008|  0000ffffffff  | 65535 |  000000000001  | -1 |
|009|  0000ffffffff  | 65535 |  000000000001  | -1 |
|010|  0000ffffffff  | 65535 |  000000000001  | -1 |
|011|  0000ffffffff  | 65535 |  000000000001  | -1 |
|012|  0000ffffffff  | 65535 |  000000000001  | -1 |
|013|  0000ffffffff  | 65535 |  000000000001  | -1 |
|014|  0000ffffffff  | 65535 |  000000000001  | -1 |
|015|  0000ffffffff  | 65535 |  000000000001  | -1 |
|---|----------------|---|----------------|---|

I know the keys for blocks 0 and 2-15; it is FFFFFFFFFFFF, but I don't know the block 1 key. My card is an unlicensed Mifare 1K from Sankt Petersburg.


#24 2011-06-09 13:53:44

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

Got 0 keys from proxmark.

It happens when proxmark can't init the card and get Nt.
It seems that this is a new card; this type of attack doesn't work on the newest cards.


#25 2011-06-09 14:41:00

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: new revision - 474

merlok wrote:
thefkboss wrote:

so i only need to change bootrom and osimage or only osimage from yours?????

yes

but only bootrom
or only osimage
or both?????

merlok wrote:
thefkboss wrote:

Is the mifare command not possible to implement for any sector? I mean, for example, with mfcuk you could select the sector and the key you want and it recovers that key doing darkside; is it not the same for proxmark??

yes, this command can work with any sector.
but now there is lack of implementation

i can implement it after simulator

is this feature needed?

Maybe if you can't recover key 0 you could have luck and recover other keys.


merlok wrote:
thefkboss wrote:

    but every time I execute the command the card always gives me a new nt; how is this possible?? This card is the only one I have for which I never recover the key. (I know the key but I want to recover it with proxmark.)

Has mfcuk recovered it? (can you test it?)

I'm testing it, but the problem with this card is that mfcuk has done like 200000 auths but only 80 nt auths, so that could be one week to recover the key if there are 655xx nt possibilities.
Letting the computer work for one week is not a problem.

vivat wrote:

proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.


proxmark3> Got 0 keys from proxmark.
Iterations count: 0
|---|----------------|---|----------------|---|
|blk|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  0000ffffffff  | 65535 |  000000000001  | -1 |
|001|  000000000000  | 0 |  000000000000  | 0 |
|002|  0000ffffffff  | 65535 |  000000000001  | -1 |
|003|  0000ffffffff  | 65535 |  000000000001  | -1 |
|004|  0000ffffffff  | 65535 |  000000000001  | -1 |
|005|  0000ffffffff  | 65535 |  000000000001  | -1 |
|006|  0000ffffffff  | 65535 |  000000000001  | -1 |
|007|  0000ffffffff  | 65535 |  000000000001  | -1 |
|008|  0000ffffffff  | 65535 |  000000000001  | -1 |
|009|  0000ffffffff  | 65535 |  000000000001  | -1 |
|010|  0000ffffffff  | 65535 |  000000000001  | -1 |
|011|  0000ffffffff  | 65535 |  000000000001  | -1 |
|012|  0000ffffffff  | 65535 |  000000000001  | -1 |
|013|  0000ffffffff  | 65535 |  000000000001  | -1 |
|014|  0000ffffffff  | 65535 |  000000000001  | -1 |
|015|  0000ffffffff  | 65535 |  000000000001  | -1 |
|---|----------------|---|----------------|---|

I know the keys for blocks 0 and 2-15; it is FFFFFFFFFFFF, but I don't know the block 1 key. My card is an unlicensed Mifare 1K from Sankt Petersburg.

If you run hf 14a reader, what SAK does the card give: 08 or something different?

Last edited by thefkboss (2011-06-09 14:41:40)


#26 2011-06-09 15:27:26

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: new revision - 474

My card is an unlicensed Mifare 1k:

proxmark3> hf 14a reader
proxmark3> ATQA : 04 00
 UID : 41 fb * * 00 00 00 00 8e 59 41 5e
 SAK : 08 [2]
proprietary non-iso14443a card found, RATS not supported
proxmark3> hf 14a list
proxmark3> recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     52
 +    236:   0: TAG 04  00
 +      0:    :     93  20
 +    452:   0: TAG 41  fb  *  *  a4
 +      0:    :     93  70  41  fb  *  *  a4  7a  aa
 +    308:   0: TAG 08  b6  dd // It says "I'm Mifare 1k"

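As an added example (not code from this thread or from the Proxmark3 project), here is how to read an activation exchange like vivat's hf 14a list output above, and to name the card family from the SAK the way thefkboss's hf 14a reader patch in post #7 does. It walks WUPA, ATQA, anticollision, UID+BCC, SELECT and SAK, verifies the BCC and the ISO 14443-3 CRC_A on the frames that carry one (the SAK frame 08 b6 dd from the listing checks out), reports the UID length announced in ATQA (this is where the 7-byte-UID cards merlok mentions show up), and maps the SAK. WUPA 52, ATQA 04 00 and the SAK frame are taken from the page; the UID de ad be ef is made up because the real one is masked in the post, and frame_t, activation_t and all function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One frame as shown by "hf 14a list": who sent it and the raw bytes. */
typedef struct { int from_tag; uint8_t b[16]; size_t n; } frame_t;
/* What the first cascade level of ISO 14443-3 activation tells us; the *_ok flags are integrity checks. */
typedef struct { uint8_t atqa[2], uid[4], sak; int bcc_ok, select_crc_ok, sak_crc_ok; } activation_t;

/* ISO 14443-3 CRC_A: polynomial 0x8408 (0x1021 reflected), init 0x6363, appended low byte first. */
uint16_t crc_a(const uint8_t *data, size_t len) {
    uint16_t crc = 0x6363;
    for (size_t i = 0; i < len; i++) {
        uint8_t ch = data[i] ^ (uint8_t)(crc & 0xff);
        ch = (uint8_t)(ch ^ (ch << 4));
        crc = (uint16_t)((crc >> 8) ^ ((uint16_t)ch << 8) ^ ((uint16_t)ch << 3) ^ (ch >> 4));
    }
    return crc;
}

/* frame = payload + 2 CRC bytes; 1 when the trailing CRC_A matches. */
int frame_crc_ok(const uint8_t *frame, size_t len) {
    if (len < 3) return 0;
    uint16_t want = crc_a(frame, len - 2);
    return frame[len - 2] == (uint8_t)(want & 0xff) && frame[len - 1] == (uint8_t)(want >> 8);
}

/* Anticollision reply: UID0..UID3 then BCC = UID0 ^ UID1 ^ UID2 ^ UID3. */
int uid_bcc_ok(const uint8_t *u) { return (u[0] ^ u[1] ^ u[2] ^ u[3]) == u[4]; }

/* UID length announced by the top two bits of the first ATQA byte: 00 = 4, 01 = 7, 10 = 10 bytes. */
int uid_size_from_atqa(uint8_t atqa0) {
    switch ((atqa0 >> 6) & 3) { case 0: return 4; case 1: return 7; case 2: return 10; default: return -1; }
}

/* Card family from SAK: the values thefkboss's patch prints, plus the two bits ISO 14443-3
   itself defines (0x04 = UID not complete, 0x20 = ISO 14443-4 compliant). */
const char *card_type_from_sak(uint8_t sak) {
    if (sak & 0x04) return "UID not complete, next cascade level follows";
    switch (sak) {
        case 0x00: return "MIFARE Ultralight";
        case 0x08: return "MIFARE Classic 1K";
        case 0x09: return "MIFARE Mini";
        case 0x18: return "MIFARE Classic 4K";
        case 0x20: return "ISO 14443-4 compliant (e.g. MIFARE DESFire)";
        default:   return (sak & 0x20) ? "ISO 14443-4 compliant, unknown family" : "unknown card";
    }
}

/* Walk WUPA/REQA, ATQA, ANTICOLL, UID+BCC, SELECT, SAK: 0 and *out filled on success,
   -1 if the six frames do not follow that pattern. Integrity failures are reported, not enforced. */
int decode_activation(const frame_t *f, size_t n, activation_t *out) {
    if (n < 6) return -1;
    memset(out, 0, sizeof *out);
    if (f[0].from_tag || f[0].n != 1 || (f[0].b[0] != 0x26 && f[0].b[0] != 0x52)) return -1; /* REQA/WUPA */
    if (!f[1].from_tag || f[1].n != 2) return -1;                                            /* ATQA */
    memcpy(out->atqa, f[1].b, 2);
    if (f[2].from_tag || f[2].n != 2 || f[2].b[0] != 0x93 || f[2].b[1] != 0x20) return -1;   /* SEL 93 NVB 20 */
    if (!f[3].from_tag || f[3].n != 5) return -1;                                            /* UID + BCC */
    memcpy(out->uid, f[3].b, 4);
    out->bcc_ok = uid_bcc_ok(f[3].b);
    if (f[4].from_tag || f[4].n != 9 || f[4].b[0] != 0x93 || f[4].b[1] != 0x70 ||
        memcmp(f[4].b + 2, f[3].b, 5) != 0) return -1;                                       /* SELECT echoes UID+BCC */
    out->select_crc_ok = frame_crc_ok(f[4].b, 9);
    if (!f[5].from_tag || f[5].n != 3) return -1;                                            /* SAK + CRC */
    out->sak = f[5].b[0];
    out->sak_crc_ok = frame_crc_ok(f[5].b, 3);
    return 0;
}

/* Constructed trace shaped like vivat's listing: WUPA 52, ATQA 04 00 and the SAK frame 08 b6 dd
   are from the page; UID de ad be ef is made up (the real one is masked); BCC and SELECT CRC are computed. */
void build_sample_trace(frame_t f[6]) {
    static const uint8_t uid[4] = { 0xde, 0xad, 0xbe, 0xef };
    f[0] = (frame_t){ 0, { 0x52 }, 1 };
    f[1] = (frame_t){ 1, { 0x04, 0x00 }, 2 };
    f[2] = (frame_t){ 0, { 0x93, 0x20 }, 2 };
    f[3] = (frame_t){ 1, { 0 }, 5 };
    memcpy(f[3].b, uid, 4);
    f[3].b[4] = (uint8_t)(uid[0] ^ uid[1] ^ uid[2] ^ uid[3]);
    f[4] = (frame_t){ 0, { 0x93, 0x70 }, 9 };
    memcpy(f[4].b + 2, f[3].b, 5);
    uint16_t crc = crc_a(f[4].b, 7);
    f[4].b[7] = (uint8_t)(crc & 0xff);
    f[4].b[8] = (uint8_t)(crc >> 8);
    f[5] = (frame_t){ 1, { 0x08, 0xb6, 0xdd }, 3 };
}

int main(void) {
    frame_t t[6]; activation_t a;
    build_sample_trace(t);
    if (decode_activation(t, 6, &a) != 0) { puts("not an ISO 14443A activation"); return 1; }
    printf("ATQA %02x %02x -> %d-byte UID, BCC %s\n", a.atqa[0], a.atqa[1], uid_size_from_atqa(a.atqa[0]), a.bcc_ok ? "ok" : "BAD");
    printf("SAK %02x -> %s (SELECT CRC %s, SAK CRC %s)\n", a.sak, card_type_from_sak(a.sak), a.select_crc_ok ? "ok" : "BAD", a.sak_crc_ok ? "ok" : "BAD");
    return 0;
}
```

The decoder deliberately returns the fields even when a BCC or CRC check fails and only flags them: on a trace taken with the Proxmark, a bad CRC on a tag reply usually means a noisy capture rather than an unusual card, and an analysis tool should let you see both.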

#27 2011-06-09 22:57:27

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: new revision - 474

Hi vivat, we are using the same cards and facing the same problems.


#28 2011-06-10 07:57:38

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

thefkboss wrote:

but only bootrom
or only osimage
or both?????

osimage only


#29 2011-06-10 08:08:18

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

For those cards there is a problem. Here is the code:

  FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
  SpinDelay(200);
  
  davg = dmax = 0;
  dmin = 2000;

  // test nonce distance
  for (rtr = 0; rtr < 10; rtr++) {
    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
    SpinDelay(100);
    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);

After the first field drop it works,
but after the second it doesn't respond to the commands.

So.... it seems that it just needs the delay increased to maybe 500ms or more.

But.... in those cards there is a fixed random generator,
so the Nt generation does not depend on the field switch-on time and....
I guess that it will need too much time to implement this type of attack (
and I think that one week is too little time.

p.s. IMHO there is only one possibility of attack: darkside.
p.p.s. nobody has forbidden sniffing the protocol and cracking the sniffed trace offline.

Last edited by merlok (2011-06-10 08:59:14)


#30 2011-06-11 10:48:27

nemer
Contributor
Registered: 2010-09-07
Posts: 34

Re: new revision - 474

I have to say that running the darkside attack on the special card mentioned above is limited by the delay time too.... merlok, which parameter should I edit if I want to get a longer delay? Thanks!


#31 2011-06-11 22:05:02

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

SpinDelay(100);
100 - milliseconds

you should try at least 300-500 ms...  up to 1000ms

Last edited by merlok (2011-06-11 22:05:22)


#32 2011-06-14 15:43:33

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: new revision - 474

I've tried to change SpinDelay time for 300, then 500 and 1000, but this didn't give me any key. Can anyone explain to me darkside attack?


#33 2011-06-16 15:59:59

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: new revision - 474

Hi,

As I have seen:
there is no correlation between Nt and the time of the auth query in the new cards.
But maybe there will be other ways to get the same Nt....
or there would be a way to get the key without the same Nt.

but)
there is a way: sniffing attack. Just avoid crypto1 and this attack wouldn't work...

p.s. about changing the delay:
some new cards can't work if the delay is too small.
It was implemented to avoid these types of attack.

Last edited by merlok (2011-06-16 16:03:45)


#34 2011-12-03 07:18:06

aminbakhtvar62
Contributor
Registered: 2011-02-23
Posts: 24

Re: new revision - 474

hi
"got 0 keys from proxmark",
so by changing the 32-bit LFSR which produces the Nt in the new cards, have Mifare Classic cards become secure again? (I mean against offline attacks.)

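An added illustration (not code from this thread or from the Proxmark3 project) of what merlok's "no correlation between Nt and time" and aminbakhtvar62's LFSR question are about. The original MIFARE Classic tag derives its 32-bit Nt from a 16-bit LFSR with feedback polynomial x^16 + x^14 + x^13 + x^11 + 1 (Garcia et al., "Dismantling MIFARE Classic"), so the second 16 bits of every nonce are fixed by the first 16. The check below tells whether a captured Nt could have come from that generator; cards whose nonces fail it are the ones on which the Nt-based recovery discussed in this thread stops working, so it is a useful triage step when assessing a deployed card population. It assumes nonces are given in the byte order the client prints (nt(1499bbd0) means the bytes 14 99 bb d0 went over the air in that order) and that each byte is sent least-significant bit first, as ISO 14443A specifies; the sample nonces are constructed, and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Reverse byte order so that bit 0 is the first bit that went over the air
   (ISO 14443A sends each byte least-significant bit first). */
static uint32_t swap_endian(uint32_t x) {
    return (x >> 24) | ((x >> 8) & 0x0000ff00u) | ((x << 8) & 0x00ff0000u) | (x << 24);
}

/* One clock of the 16-bit nonce LFSR (polynomial x^16 + x^14 + x^13 + x^11 + 1):
   feedback from state bits 0, 2, 3 and 5, shifted in at the top. */
static uint16_t lfsr16_step(uint16_t s) {
    uint16_t fb = (uint16_t)((s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u);
    return (uint16_t)((s >> 1) | (fb << 15));
}

/* Nonce a weak-PRNG tag would send if `seed` were the first 16 output bits x0..x15;
   the next 16 bits are the LFSR run 16 clocks further. Returned in the byte order
   the client prints, e.g. nt(1499bbd0). */
uint32_t weak_prng_nonce_from_seed(uint16_t seed) {
    uint16_t s = seed;
    for (int i = 0; i < 16; i++) s = lfsr16_step(s);
    return swap_endian(((uint32_t)s << 16) | seed);
}

/* 1 if the second half of nt is the 16-clock successor of the first half,
   i.e. the nonce is consistent with the 16-bit LFSR; 0 otherwise. */
int is_weak_prng_nonce(uint32_t nt) {
    if (nt == 0) return 0;                      /* all-zero is the LFSR's stuck state, never emitted */
    uint32_t stream = swap_endian(nt);
    uint16_t s = (uint16_t)(stream & 0xffffu);
    for (int i = 0; i < 16; i++) s = lfsr16_step(s);
    return s == (uint16_t)(stream >> 16);
}

/* How many nonces of a captured batch pass the check. A card whose nonces mostly
   fail was not built with the original generator, whatever its ATQA/SAK say. */
int count_weak_prng_nonces(const uint32_t *nts, int n) {
    int hits = 0;
    for (int i = 0; i < n; i++) hits += is_weak_prng_nonce(nts[i]);
    return hits;
}

/* Constructed sample: the first two come from the LFSR (seeds 0x0001 and 0x8000),
   the last two are the first one with a single bit changed. */
static const uint32_t sample_nts[4] = { 0x01000168u, 0x008000B4u, 0x03000168u, 0x01000169u };

int main(void) {
    for (int i = 0; i < 4; i++)
        printf("nt(%08x) %s\n", sample_nts[i],
               is_weak_prng_nonce(sample_nts[i]) ? "consistent with 16-bit LFSR" : "not from the LFSR");
    printf("%d of 4 nonces from the weak generator\n", count_weak_prng_nonces(sample_nts, 4));
    return 0;
}
```

Feed it the nt(...) values the client prints over a few runs against one card: a run of passes means the old generator and the exposure this thread describes; a run of failures matches merlok's observation that the newer cards do something else, and the "Got 0 keys" result is then expected rather than a firmware fault.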

#35 2012-01-28 08:08:22

aminbakhtvar62
Contributor
Registered: 2011-02-23
Posts: 24

Re: new revision - 474

hi
The "hf 14a mifare" command returns values of Nt which after 2-3 times put me in a loop. Also par() and ks() are always zero.
Any help would be appreciated.

merlok wrote:

ok, something like howto)

1. hf 14a mifare
2. if it returned a wrong key:
hf 14a mifare 1499bbd0

where 1499bbd0 is the nt value taken from the line of the form:
uid(e68fffff) nt(1499bbd0) par(5b236bf33b1b2b73) ks(050d0001090f0f04)

3. hf 14a nested 1 0 a ffffffffffff
4. you got all the keys )

Last edited by aminbakhtvar62 (2012-01-28 08:09:23)


#36 2013-07-28 06:09:39

minoruharvest
Member
Registered: 2013-07-20
Posts: 4

Re: new revision - 474

Is there anything new about the "got 0 keys from proxmark" problem?

