Research, development and trades concerning the powerful Proxmark3 device.
Dear All,
I'm just discovering and using the Proxmark 3 device under Windows 7 with the client written by Gaucho (found in the pm3-bin-0.0.2 archive).
May I ask you for help concerning the 'hf mf nested' command please?
I'm testing the following card:
proxmark3> hf 14a reader
ATQA : 04 00
UID : b0 08 12 df
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported
with the following PM3:
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 845 2014-02-19 20:57:27
#db# os: svn 845 2014-02-19 20:57:32
#db# FPGA image built on 2014/02/19 at 11:41:11
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
When using the 'hf mf chk *1 ? t' command, it found known default keys (a0a1a2a3a4a5) but then, when using the
'hf mf nested 1 0 A a0a1a2a3a4a5 t' command, the PM3 starts working and then loops with the following message
(all PM3 LEDs are ON):
#db# Nested: Auth1 error
#db# Authentication failed. Card timeout
May I ask you for some help please?
Thank you very much.
Have a nice day
Skappy
Try to put the card 0,5-0,1 cm from the antenna.
Hi Asper,
Thank you for your answer and your help ... the card is already at about 0.5 cm from the antenna but the error is still there.
It seems that the operation starts correctly, the LEDs start blinking for 2-3 seconds and then it loops indefinitely...
As far as I'm able to test them, the other commands seem to work correctly ...
Let's see if it is a FW issue.
If you explain to me what this command is, how to use it and which tag I should use, I can do a test on the other boards in order to understand if it is a board problem or a FW problem.
Moreover, it is important to know which part of the circuit is used by this command.
Last edited by gaucho (2014-04-08 17:23:35)
Dear all,
The 'hf mf nested 1 0 A a0a1a2a3a4a5 t' command allows one to perform a nested attack.
Usage:
All sectors: hf mf nested <card memory> <block number> <key A/B> <key (12 hex symbols)> [t,d]
One sector: hf mf nested o <block number> <key A/B> <key (12 hex symbols)>
I'm sorry but I do not really know what part of the circuit is used by this command, but I have noticed that at the beginning of the execution of this command all the LEDs on the board blink quite fast, but after 4 or 5 seconds they no longer blink, they stay lit, the green LED has a more intense colour than when blinking and the PM3 loops indefinitely ...
The tag i'm working on is a NXP MIFARE CLASSIC 1k | Plus 2k SL1.
All the other commands I've tried seem to work perfectly.
I do not know what I can try in order to test the board deeper ... I have not updated the firmware.
If you have any idea ...
Have a nice day
Skappy
Some new elements:
when using the ffffffffffff key only the 3 red LEDs keep shining, not the green one, and here is the message:
proxmark3> hf mf nested 1 0 A ffffffffffff t
--block no:00 key type:00 key:ff ff ff ff ff ff etrans:1
Block shift=0
Testing known keys. Sector count=16
nested...
-----------------------------------------------
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Multiple tags detected. Collision after Bit 2
#db# Nested: Can't select card
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Nested: Auth1 error
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Nested: Auth1 error
Skappy
Last edited by skappy (2014-04-09 18:56:05)
First of all, in order to use the latest client version you should flash the latest FW version. You never know what has changed and it's better to use coherent versions of both apps.
skappy, I'm not an expert but I cracked a mifare with a script, not with that command.
I'm not sure what the nested attack is used for, but try the crack script, just another check on your board.
You can run the script by accessing the proxmark tool (gaucho gui) and going to HF - 14443A TAGS - MIFARE - CLASSIC TAGS - HACKS - SCRIPT AUTOMATIC MIFARE CRACK and pressing the LAUNCH button.
In order to run these scripts you should have the folders lua and scripts in the same folder as the client exe.
Let the script work.
Save the log in order to post it here and if it doesn't find the passwords, try it again. In my experience it does not find the password at the first try (not always).
Last edited by gaucho (2014-04-09 20:11:03)
Try to flash OS and FPGA holding the button using the new flasher and let me know.
Dear All,
Thank you very much for your help and your kindness...
I will first try to update the OS and FPGA via the new flasher as Asper suggests but (and sorry to be such a noob), may I ask you where I can find a tutorial concerning this new flasher please, as I'm a bit afraid of making a mistake.
Thank you very much for your patience.
Have a nice day
Skappy
Please have a look at this to know more about flashing: https://github.com/Proxmark/proxmark3/wiki/compiling; if you are using windows the commands are:
To flash full FPGA image:
flasher.exe comX -b fullimage.elf
To flash the OS:
flasher.exe comX osimage.elf
replace X with the com port assigned to your proxmark3 under Windows.
You can find the compiled .elf files here; .elf files must be in the same folder as flasher.exe.
If you are uncomfortable with manual commands you can use the provided batch files (.bat) included in the link above just as they are, but you need to preserve the folder structure as it is in the archives.
EDIT:
Also remember that the command:
hf mf nested 1 0 A a0a1a2a3a4a5
needs to use the correct key for the selected sector (you selected sector 0 and keyA a0a1a2a3a4a5; are you sure that block 0 has keyA = a0a1a2a3a4a5? Or maybe that keyA is for another sector?).
Last edited by asper (2014-04-10 09:18:22)
Dear All,
I have not succeeded in updating the firmware and the O.S. at the present time, I'm still trying to understand how to proceed, but I have used the manual command instead of the Windows client and GUI and here is the result of the hf mf nested 1 0 A ffffffffffff command:
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 845 2014-02-19 20:57:27
#db# os: svn 845 2014-02-19 20:57:32
#db# FPGA image built on 2014/02/19 at 11:41:11
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf mf nested 1 0 ffffffffffff
Key must include 12 HEX symbols
proxmark3> hf mf nested 1 0 ffffffffffff t
Key must include 12 HEX symbols
proxmark3> hf mf nested 1 0 A ffffffffffff
--block no:00 key type:00 key:ff ff ff ff ff ff etrans:0
Block shift=0
Testing known keys. Sector count=16
nested...
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
(...)
-----------------------------------------------
Time in nested: 155.482 (2.221 sec per key)
-----------------------------------------------
Iterations count: 70
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|009| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|010| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|011| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|012| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|013| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|014| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
proxmark3>
May I ask you how I can interpret this result please?
Thank you for your help
Have a nice day
Last edited by skappy (2014-04-11 21:09:13)
Well, you cracked it. KeyA and keyB for sectors 0 to 7 and 15 are ffffffffffff.
KeyA for sectors 8 to 14 is a0a1a2a3a4a5 while keyB for the same sectors is 000000000000.
You can use these keys to read/write specific sectors. Please read the mifare classic manual to learn more about those tags.
EDIT:
As I told you:
Also remember that the command:
hf mf nested 1 0 A a0a1a2a3a4a5
needs to use the correct key for the selected sector (you selected sector 0 and keyA a0a1a2a3a4a5; are you sure that block 0 has keyA = a0a1a2a3a4a5? Or maybe that keyA is for another sector?).
The command:
hf mf nested 1 0 A a0a1a2a3a4a5 t
was wrong because a0a1a2a3a4a5 is not sector 0 keyA = authentication error
hf mf nested 1 0 A ffffffffffff t
is correct because ffffffffffff is sector 0 keyA = it works!
Last edited by asper (2014-04-12 07:55:46)
Well, the "0" after KEY_B for blocks 8-15 should mean unsuccessful. So you don't have all the keys.
Dear All,
I'm really sorry to bother you, but may I ask you to have a look at the following log please?
proxmark3> hf mf nested 1 0 a ffffffffffff d
--block no:00 key type:00 key:ff ff ff ff ff ff etrans:0
Block shift=0
Testing known keys. Sector count=16
nested...
-----------------------------------------------
-----------------------------------------------
(...)
-----------------------------------------------
Time in nested: 159.847 (2.284 sec per key)
-----------------------------------------------
Iterations count: 70
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|009| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|010| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|011| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|012| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|013| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|014| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to bynary file dumpkeys.bin...
proxmark3> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
Command execute timeout
Command execute timeout
Command execute timeout
Command execute timeout
Command execute timeout
(...)
Command execute timeout
Command execute timeout
Command execute timeout
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
Command execute timeout
Command execute timeout
Command execute timeout
Command execute timeout
Command execute timeout
Command execute timeout
Command execute timeout
(...)
Command execute timeout
proxmark3>
I have obtained 2 files called dumpdata.bin and dumpkeys.bin.
When editing them with HxD, it seems that dumpdata.bin is corrupted.
dumpkeys.bin:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF A0 A1 A2 A3 A4 A5 A0 A1 A2 A3 A4 A5 A0 A1 A2 A3 A4 A5 A0 A1 A2 A3 A4 A5 A0 A1 A2 A3 A4 A5 A0 A1 A2 A3 A4 A5 A0 A1 A2 A3 A4 A5 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
dumpdata.bin does not contain anything...
Is there something I'm doing wrong?
Thank you very much
Have a nice day
Your dumpkeys.bin file matches your nested output. However, the key_B for blocks 8-14 is not found.
If you check the filesize of dumpdata.bin, its size should be 1024 bytes. And if your card was blank, then the dump is blank too.. besides the keys of course.. Check it with a hex editor.
Hi Iceman,
The size of dumpdata.bin is 0; HxD, the hex editor I'm working with, shows nothing, but the card is not blank, it was used for paying for coffee in a self-service machine, and I'm sure that it still has some credit...
I'm a bit lost, is there any way to discover the Key_B values for blocks 8-14?
What procedure should I follow in order to continue the test please?
Thank you very much for your patience
try holding the card a bit from the antenna..
Hi Iceman,
I've tried different distances from the antenna but the result is still the same ..
ffffffffffff seems to be the right value for the A & B keys ...
proxmark3> hf mf chk * A ffffffffffff
chk key[0] ffffffffffff
--SectorsCnt:0 block no:0x03 key type:A key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:1 block no:0x07 key type:A key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:2 block no:0x0b key type:A key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:3 block no:0x0f key type:A key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:4 block no:0x13 key type:A key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:5 block no:0x17 key type:A key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:6 block no:0x1b key type:A key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:7 block no:0x1f key type:A key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:8 block no:0x23 key type:A key count:1
--SectorsCnt:9 block no:0x27 key type:A key count:1
--SectorsCnt:10 block no:0x2b key type:A key count:1
--SectorsCnt:11 block no:0x2f key type:A key count:1
--SectorsCnt:12 block no:0x33 key type:A key count:1
--SectorsCnt:13 block no:0x37 key type:A key count:1
--SectorsCnt:14 block no:0x3b key type:A key count:1
--SectorsCnt:15 block no:0x3f key type:A key count:1
Found valid key:[ffffffffffff]
proxmark3> hf mf chk * B ffffffffffff
chk key[0] ffffffffffff
--SectorsCnt:0 block no:0x03 key type:B key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:1 block no:0x07 key type:B key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:2 block no:0x0b key type:B key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:3 block no:0x0f key type:B key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:4 block no:0x13 key type:B key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:5 block no:0x17 key type:B key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:6 block no:0x1b key type:B key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:7 block no:0x1f key type:B key count:1
Found valid key:[ffffffffffff]
--SectorsCnt:8 block no:0x23 key type:B key count:1
--SectorsCnt:9 block no:0x27 key type:B key count:1
--SectorsCnt:10 block no:0x2b key type:B key count:1
--SectorsCnt:11 block no:0x2f key type:B key count:1
--SectorsCnt:12 block no:0x33 key type:B key count:1
--SectorsCnt:13 block no:0x37 key type:B key count:1
--SectorsCnt:14 block no:0x3b key type:B key count:1
--SectorsCnt:15 block no:0x3f key type:B key count:1
Found valid key:[ffffffffffff]
Is there anything I can do in order to go further please?
Thank you very much
Have a nice day
Last edited by skappy (2014-04-13 14:01:55)
So you have all keys?
What do you want to do now with them?
If you want to dump the contents, create your own dumpkeys.bin file with the keys, and use the hf mf dump cmd to get a dumpdata.bin file (1024 bytes),
or write 16 different "hf mf rdsc .." commands and read the contents yourself..
Hi Iceman,
I have made a little progress ...
I have obtained the 2 files (dumpdata.bin and dumpkeys.bin).
The file "dumpdata.bin" size is 1024 bytes, the size looks good.
I have then used the script available under the Gaucho Client GUI for changing the dumpdata.bin into a file with the [uid of the card].eml name...
Then, via the command line, I have used "hf mf cload file" on a Chinese magic card; I have obtained a card with the same UID as the original one but it is not recognized by the self-service coffee machine...
May I ask you what I have missed out on please?
Thank you once again
Have a great day
Well, make a dump from your Chinese card and do a bindiff to see if the clone is identical.
From here on, your free lunch is not on me.
I've tried to redo the hf mf dump and here is the log:
proxmark3> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 8
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 8
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 8
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 9
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 9
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 9
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 10
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 10
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 10
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 11
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 11
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 11
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 12
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 12
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 12
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 13
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 13
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 13
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 14
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 14
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for block 14
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
proxmark3>
It looks like the value for key_b is wrong, doesn't it? (Could not get access rights for block 13
#db# Authentication failed. Card timeout.)
I've then tried:
proxmark3> hf mf rdbl 10 b ffffffffffff
--block no:0a key type:01 key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read block error
#db# READ BLOCK FINISHED
isOk:00
proxmark3>
No access to blocks 8-14 ... Do you know how I can get access to the right key_B value?
I have also noticed that the PM3 crashes after the hf mf nested 1 8 B ffffffffffff command.
The command finishes but the red LEDs keep lighting and the PM3 is no longer available.
Thx
Last edited by skappy (2014-04-14 19:28:51)
To repeat what iceman told a few times: you don't have key B for sectors 8 to 14. Obviously the Access Conditions for those sectors require key B - you therefore cannot read those sectors and therefore cannot dump them to your Chinese card.
The keys you have found are "standard" keys which are also found by hf mf chk. hf mf chk is run as a first pass in hf mf nested too and would have delivered all the keys you have found (those with res = 1). I therefore assume that you have a newer card with a fixed PRNG (Pseudo Random Number Generator). The well known attacks (hf mf mif and hf mf nested) don't work with these cards. To verify this assumption, please try hf mf mif - if it fails as well you are out of luck with card only attacks.
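An added illustration (not code from any post in this thread, nor from the Proxmark3 client) of the two things piwi's reply turns on: the dumpkeys.bin layout that 'hf mf dump' reads, assumed here to be 16 key A entries followed by 16 key B entries of 6 bytes each (matching the 192-byte file posted above), and the sector-trailer access bits that decide whether key A alone can read a data block. The key map mirrors the nested output in the thread; the two sample trailers are constructed.

```python
# Added example: MIFARE Classic 1K key-file and access-condition helpers.
# Assumption: dumpkeys.bin = 16 key A entries then 16 key B entries, 6 bytes each.
SECTORS = 16            # MIFARE Classic 1K
BLOCKS_PER_SECTOR = 4
KEY_LEN = 6
UNKNOWN_KEY = bytes(KEY_LEN)   # nested prints 000000000000 / res 0 for a missing key

# Data block access conditions indexed by (C1, C2, C3), per the NXP MF1S50 datasheet:
# which key may (read, write, increment, decrement/transfer/restore) the block.
DATA_BLOCK_ACCESS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

def trailer_block(sector):
    """Absolute block number of a sector trailer: 0x03, 0x07, 0x0b ... as 'hf mf chk' prints."""
    return sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1

def build_dumpkeys(keys_a, keys_b):
    """Serialise 16 key A hex strings followed by 16 key B hex strings.
    None marks a key that was not recovered; it is written as six zero bytes."""
    if len(keys_a) != SECTORS or len(keys_b) != SECTORS:
        raise ValueError("need exactly %d key A and %d key B entries" % (SECTORS, SECTORS))
    out = bytearray()
    for key in list(keys_a) + list(keys_b):
        raw = UNKNOWN_KEY if key is None else bytes.fromhex(key)
        if len(raw) != KEY_LEN:
            raise ValueError("Key must include 12 HEX symbols: %r" % key)
        out += raw
    return bytes(out)

def parse_dumpkeys(data):
    """Inverse of build_dumpkeys: [(keyA_hex, keyB_hex)] per sector, None for an all-zero key."""
    expected = 2 * SECTORS * KEY_LEN
    if len(data) != expected:
        raise ValueError("dumpkeys.bin for a 1K card must be %d bytes, got %d" % (expected, len(data)))
    keys = [data[i:i + KEY_LEN] for i in range(0, len(data), KEY_LEN)]
    as_hex = lambda k: None if k == UNKNOWN_KEY else k.hex()
    return [(as_hex(keys[s]), as_hex(keys[SECTORS + s])) for s in range(SECTORS)]

def decode_access_bits(trailer):
    """Decode bytes 6..8 of a 16-byte sector trailer into (C1, C2, C3) for blocks 0..3.
    Every bit is stored plain and inverted; a mismatch means the trailer is corrupt."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    conds = []
    for blk in range(BLOCKS_PER_SECTOR):
        c1 = (b7 >> (4 + blk)) & 1
        c2 = (b8 >> blk) & 1
        c3 = (b8 >> (4 + blk)) & 1
        inverted = ((b6 >> blk) & 1, (b6 >> (4 + blk)) & 1, (b7 >> blk) & 1)
        if inverted != (c1 ^ 1, c2 ^ 1, c3 ^ 1):
            raise ValueError("access bits inconsistent for block %d" % blk)
        conds.append((c1, c2, c3))
    return conds

def key_needed_to_read(trailer, block_in_sector):
    """Key a reader must present to read data block 0..2 of the sector: 'A|B', 'B' or 'never'."""
    return DATA_BLOCK_ACCESS[decode_access_bits(trailer)[block_in_sector]][0]

# Constructed sample trailers (keyA | 3 access bytes | GPB | keyB; a card returns
# zeros in place of key B when key B is not readable).
# Transport configuration FF 07 80 69: every data block readable with key A or B.
TRANSPORT_TRAILER = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
# Access bytes 0F 00 FF give C1C2C3 = 011 on all blocks: data readable with key B
# only, which is the situation piwi describes for sectors 8-14.
KEYB_ONLY_TRAILER = bytes.fromhex("a0a1a2a3a4a5" "0f00ff69" "000000000000")

def demo():
    # Key map matching the nested output posted earlier in the thread.
    keys_a = ["ffffffffffff"] * 8 + ["a0a1a2a3a4a5"] * 7 + ["ffffffffffff"]
    keys_b = ["ffffffffffff"] * 8 + [None] * 7 + ["ffffffffffff"]
    blob = build_dumpkeys(keys_a, keys_b)
    for sector, (ka, kb) in enumerate(parse_dumpkeys(blob)):
        print("sec %02d  trailer block 0x%02x  keyA %s  keyB %s"
              % (sector, trailer_block(sector), ka, kb or "not found"))
    for name, trailer in (("transport", TRANSPORT_TRAILER), ("key B only", KEYB_ONLY_TRAILER)):
        print("%-10s data blocks readable with: %s"
              % (name, [key_needed_to_read(trailer, b) for b in range(3)]))

if __name__ == "__main__":
    demo()
```

Writing the 192 bytes returned by build_dumpkeys to dumpkeys.bin is what iceman's "create your own dumpkeys.bin file" suggestion amounts to; a sector whose trailer decodes to "B" for reading cannot be dumped with key A, which matches the auth errors on blocks 32-59 above.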
Hi Piwi and Iceman,
Thank you very much for your kindness and your patience.
I will try the "hf mf mif" command as soon as possible, but may I ask you if there is some kind of alternative for my situation? According to you, does a solution exist for obtaining the key_b value?
Thank you once again
Have a nice day
You could try the script version of 'hf mf chk', which is 'script run mfkeys'. It uses a larger list of default keys (here's the full list: https://github.com/Proxmark/proxmark3/blob/master/client/lualibs/mf_default_keys.lua)
Last edited by holiman (2014-04-15 08:23:04)
Hi Holiman,
Thank you for the idea !
Really no luck, Classic Mifare would be too easy, wouldn't it?
I will give it a try, and keep you informed ...
Have a nice day
Skappy
Try to sniff a valid transaction with key_b and crack it
OR
try reader-only attack.
Dear All,
Piwi,
Command 'hf mf mif' fails, it drives the PM3 into an infinite loop...
Holiman,
Here is the log of the .lua script.
It seems that I keep being unlucky...
________________________________________
|Sector|Block| A | B |
|--------------------------------------|
| 1 | 3 |FFFFFFFFFFFF|FFFFFFFFFFFF|
| 2 | 7 |FFFFFFFFFFFF|FFFFFFFFFFFF|
| 3 | 11 |FFFFFFFFFFFF|FFFFFFFFFFFF|
| 4 | 15 |FFFFFFFFFFFF|FFFFFFFFFFFF|
| 5 | 19 |FFFFFFFFFFFF|FFFFFFFFFFFF|
| 6 | 23 |FFFFFFFFFFFF|FFFFFFFFFFFF|
| 7 | 27 |FFFFFFFFFFFF|FFFFFFFFFFFF|
| 8 | 31 |FFFFFFFFFFFF|FFFFFFFFFFFF|
| 9 | 35 |A0A1A2A3A4A5||
| 10 | 39 |A0A1A2A3A4A5||
| 11 | 43 |A0A1A2A3A4A5||
| 12 | 47 |A0A1A2A3A4A5||
| 13 | 51 |A0A1A2A3A4A5||
| 14 | 55 |A0A1A2A3A4A5||
| 15 | 59 |A0A1A2A3A4A5||
| 16 | 63 |FFFFFFFFFFFF|FFFFFFFFFFFF|
|--------------------------------------|
Vivat,
I've tried to obtain some information concerning the reader-only attack and I've used the following procedures:
proxmark3> hf mf eclr
proxmark3> hf mf sim x
uid:N/A, numreads:0, flags:8 (0x08)
#db# 4B UID: e68487f3
proxmark3> hf mf sim x
uid:N/A, numreads:0, flags:8 (0x08)
#db# Failed to obtain two AR/NR pairs!
#db# Emulator stopped. Tracing: 1 trace length: 0
#db# 4B UID: e68487f3
proxmark3>
And then, I've tried the following:
proxmark3> hf 14a snoop
#db# cancelled by button
#db# COMMAND FINISHED
#db# maxDataLen=2, Uart.state=0, Uart.len=0
#db# traceLen=0, Uart.output[0]=00000041
proxmark3> hf 14a list
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
proxmark3>
May I ask you if I'm doing something wrong please?
May I ask you for more information concerning how to sniff a valid transaction with key_b and crack it ...
Thank you very much for the help,
See you
Try using B0B1B2B3B4B5 for key B
(just a guess looking at the other keys).
Not sure why you are looping. I'll yield to others on that.
Hi Everybody,
I'm back !
Unfortunately the b0b1b2b3b4b5 key does not work!
May I ask you for some help with using the Reader Only Attack and how to sniff a valid transaction with the PM3 please?
Thank you for helping me
Skappy
Please end this discussion, it is quite obvious that the key will be used for something we do not "support".
Please end this discussion, it is quite obvious that the key will be used for something we do not "support".
What do you know that the rest of us don't? This forum is full of information on duplicating credentials. Is there some malice intended in this case? If so then I agree we should go no further.
Well, I consider the whole thread, not only some posts or "dumps", and reading the whole content of this thread I suppose (quite clearly) it is for "malicious" intent. If you do not agree, feel free to help him; I will then change my previous sentence to "... I do not support".
I honestly don't know the intentions here, I thought maybe you did and thus made that statement. A lot of people on here are looking to test the security system of their company or trying to understand the weaknesses of such a system. I started with that myself. And to perform such a test you need to be able to crack, dump, and either duplicate or simulate that tag. That is what I've read in this thread. But I also don't know the tag's purpose or the intent behind the thread. In no way do I condone any illegal use of the information here like actually impersonating someone or stealing from a company.
Granted, I don't think I could help in this particular case anyway as I do not know how to crack a mifare plus card myself.
I guess I may be naïve to give people the benefit of the doubt and assume they are not here to steal/cheat/break into/or otherwise perform some malice against another party.
Maybe instead of my naivety I should just start asking what the intent is before I offer help. I will consider this. Thanks asper.
Dear Asper,
Really sorry to read these last posts. I really do not understand where the malice could be in trying to understand how things work? Please note that I have no malicious intention, I have only one RFID card and I use it for testing purposes, it originally goes with a coffee machine. Would it be malicious, as you say, to buy a Proxmark 3 device (about 160 Euros) to avoid paying for coffee which is sold at 0.15 cents? I don't think so ... I think that I have misunderstood the meaning of community, I was sure that it was based on sharing knowledge and helping, very sorry for that.
Never mind, I wish you good luck in your project...
Last edited by skappy (2014-04-17 21:44:49)
Regarding reader-only attack. You should be able to do something like this:
'hf mf sim x' , walk up to the reader and hold the antenna there. If you're lucky (it's been flaky between different revisions), the reader will try to authenticate for the card, this gives you AR/NR which can used to reveal the key for that sector (probably sector 9-16, if that's where the data is stored). Then, you can use a tool in the same codebase (tools/mfkey/mfkey32.c) to crack from the AR/NR vaues.
Regarding malicious intent: the poster has stated that he is experimenting with a coffee machine. I can only take his word for it, as always, but if that's the case I'm OK with that. It's as good an experimentation environment as one will get without purchasing legit readers and setting up lab environments.
There is a section on the forum for analysing skidata-dumps, and I've gathered some skidata tickets myself which maybe I'll analyse some rainy day, but that doesn't mean I would avoid paying when I go skiing - and I think that goes for most users in this community.
Last edited by holiman (2014-04-17 21:46:14)
The intent is personal (everyone can play as he wants); what I would avoid is "disclosing potentially unwanted secrets" such as vendors' keys, because the forum could get into trouble, and helping people to obtain something for free even if it costs 1 cent. Also, answers to the above questions are scattered all around the forum, so if someone REALLY wants to study he should equip himself with a lot of patience and start reading the very useful info available here and there, and also official datasheets + research papers. I wanted a Windows GUI to make things easier, but now I am not sure it was a good choice.... Spoon-feeding is also "bad" because it doesn't help the learning process.
Those are my 0.5 cents, I hope you will understand the meaning of my words.
Sorry for the upcoming offtopic rant, but here's my .5 cents...
I think we have different perspectives. I'm more for full disclosure, and here are my reasons:
1. Let's define some actors: Vendors, Victims, Criminals, Defenders.
2. Vendors want to make money, sell their existing solutions. They often want to hush and cover up evidence of flaws. See for example iclass, http://www.iscs.com.au/ "iclass gold is totally secure and always has been"
3. Victims are e.g. a bank, corporate office or whatever - a company purchasing e.g. a system for physical entry protection using NFC cards. They contact vendors, read brochures and talk to salespeople. They don't necessarily dig up whitepapers from academia.
4. Criminals. These have an economic incentive to find the vendor keys and establish ways to gain entry. They can afford to spend some time learning this stuff, purchasing the hardware required to reverse readers, etc. This information can be used either to e.g. perform crime or to sell further on the black market. They have the same incentive as the vendors: no full disclosure. As long as secrets are hushed up, they can keep using them.
5. Defenders. By that I mean white-hat hackers. These are employed by "victims" to assess the security of their system FOO, e.g. an NFC payment solution or passage-entry system. These assignments are expensive to the victim, and the consultants have a short amount of time. They don't have the time to learn everything about everything, and they can't spend as much time or resources as the criminals on reverse-engineering and turning theoretical attacks into practical attacks.
In the real world, customers (victims) are not very impressed by reports which reference academic whitepapers, saying "some PhDs from Holland can break your system". Unless the report says "I was able to break your system within one minute, I created money/added users/gained entry with full privileges", they are not going to bother fixing it.
I belong to category 5. I find NFC very interesting, and it's become a bit of a hobby, but I still want my tools to work as flawlessly as possible, and I want the information to be public.
If a vulnerability is known by only a researcher, then I'm for responsible disclosure. If all the steps to retrieve vendor keys are published, however, then I see no reason not to release the keys also, plus tools for exploiting them. All that increases the awareness of the flaw, which helps defenders and protects victims, to the chagrin of vendors and criminals.
tl;dr: Only criminals and vendors win on "hushed disclosure", once a vulnerability is known to exist.
I totally agree with you except for "giving keys" or something already prepared, avoiding people making their way to learn how to obtain it (spoon-feeding = bad). Also, in many countries releasing keys and exploits is illegal (if this were not so, why for example aren't HID keys public even if quite a lot of people know them?). Even Roel had and has problems releasing Megamos info even if it is a responsible disclosure.
Again, this forum is full of how-tos, so let people investigate themselves to find answers to the most common questions (this is only my opinion and a kind suggestion).
Last edited by asper (2014-04-18 22:52:00)