Proxmark3 community


#51 2014-06-10 09:21:37

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Cracking Mifare Classic 1K

The listing above... is that from "hf 14a list"? It does not look right; both sides of the conversation are marked as "Tag", for one thing, and it mostly appears to be communication failures.

If you have access to the reader, could you please try this: 'hf mf sim u 0419ace2972f81 x'. It's a 'reader attack', so issue the command and hold the antenna against the reader. If that does not work, try "hf mf sim x".
Also, you don't have to include screenshots; use the code-tag instead when pasting into the forum posts.

Edit: edited for clarity

Last edited by holiman (2014-06-10 09:22:25)


#52 2014-06-10 23:38:56

LaserByte
Contributor
Registered: 2014-05-18
Posts: 46

Re: Cracking Mifare Classic 1K

Hello iceman,

This is the attack "hf mf sim u 0419ace2972f81 x" on the balance reader...
-------------------------------------------------------------------------------
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
uid:04 19 ac e2 97 2f 81 , numreads:0, flags:12 (0x0c)
#db# 7B UID: (88)0419ace2972f81
proxmark3> a:  0.00 V @   125.00 kHz
proxmark3> a:  0.00 V @   134.00 kHz
proxmark3> l:  0.00 V @ 12000.00 kHz
proxmark3> a:  7.77 V @    13.56 MHz
proxmark3> ntenna is unusable.
proxmark3> hf mf sim u 0419ace2972f81 x
proxmark3>
proxmark3>
proxmark3> hf 14a list
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Failed to obtain two AR/NR pairs!
#db# Emulator stopped. Tracing: 1  trace length: 1727
Recorded Activity

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer

All times are in carrier periods (1/13.56Mhz)

     Start |       End | Src | Data
-----------|-----------|-----|--------
         0 |      1056 | Rdr | 26
      2356 |      4724 | Tag | 44  00
     22912 |     25376 | Rdr | 93  20
     26932 |     32756 | Tag | 88  04  19  ac  6f
     50944 |     53408 | Rdr | 93  20
     54964 |     60788 | Tag | 88  04  19  ac  6f
     78976 |     81440 | Rdr | 93  20
     82996 |     88820 | Tag | 88  04  19  ac  6f
    107008 |    109472 | Rdr | 93  20
    111028 |    116852 | Tag | 88  04  19  ac  6f
   6424342 |   6425398 | Rdr | 26
   6426570 |   6428938 | Tag | 44  00
   6447140 |   6449604 | Rdr | 93  20
   6451160 |   6456984 | Tag | 88  04  19  ac  6f
   6475172 |   6477636 | Rdr | 93  20
   6479192 |   6485016 | Tag | 88  04  19  ac  6f
   6503204 |   6505668 | Rdr | 93  20
   6507224 |   6513048 | Tag | 88  04  19  ac  6f
   6531364 |   6533828 | Rdr | 93  20
   6535384 |   6541208 | Tag | 88  04  19  ac  6f
  12849272 |  12850328 | Rdr | 26
  12851564 |  12853932 | Tag | 44  00
  12872312 |  12874776 | Rdr | 93  20
  12876268 |  12882092 | Tag | 88  04  19  ac  6f
  12900344 |  12902808 | Rdr | 93  20
  12904300 |  12910124 | Tag | 88  04  19  ac  6f
  12928376 |  12930840 | Rdr | 93  20
  12932332 |  12938156 | Tag | 88  04  19  ac  6f
  12956408 |  12958872 | Rdr | 93  20
  12960364 |  12966188 | Tag | 88  04  19  ac  6f
  19273692 |  19274748 | Rdr | 26
  19276048 |  19278416 | Tag | 44  00
  19296604 |  19299068 | Rdr | 93  20
  19300624 |  19306448 | Tag | 88  04  19  ac  6f
  19324636 |  19327100 | Rdr | 93  20
  19328656 |  19334480 | Tag | 88  04  19  ac  6f
  19352668 |  19355132 | Rdr | 93  20
  19356688 |  19362512 | Tag | 88  04  19  ac  6f
  19380700 |  19383164 | Rdr | 93  20
  19384720 |  19390544 | Tag | 88  04  19  ac  6f
  25698304 |  25699360 | Rdr | 26
  25700788 |  25703156 | Tag | 44  00
  25721216 |  25723680 | Rdr | 93  20
  25725236 |  25731060 | Tag | 88  04  19  ac  6f
  25749120 |  25751584 | Rdr | 93  20
  25753140 |  25758964 | Tag | 88  04  19  ac  6f
  25776770 |  25777826 | Rdr | 26
  25779126 |  25781494 | Tag | 44  00
  25799680 |  25802144 | Rdr | 93  20
  25803700 |  25809524 | Tag | 88  04  19  ac  6f
  25827840 |  25830304 | Rdr | 93  20
  25831860 |  25837684 | Tag | 88  04  19  ac  6f
  32145494 |  32146550 | Rdr | 26
  32147786 |  32150154 | Tag | 44  00
  32168484 |  32170948 | Rdr | 93  20
  32172632 |  32178456 | Tag | 88  04  19  ac  6f
  32196694 |  32199158 | Rdr | 93  20
  32200650 |  32206474 | Tag | 88  04  19  ac  6f
  32224726 |  32227190 | Rdr | 93  20
  32228682 |  32234506 | Tag | 88  04  19  ac  6f
  32252758 |  32255222 | Rdr | 93  20
  32256714 |  32262538 | Tag | 88  04  19  ac  6f
  38570554 |  38571610 | Rdr | 26
  38572910 |  38575278 | Tag | 44  00
  38593466 |  38595930 | Rdr | 93  20
  38597486 |  38603310 | Tag | 88  04  19  ac  6f
  38621498 |  38623962 | Rdr | 93  20
  38625518 |  38631342 | Tag | 88  04  19  ac  6f
  38649530 |  38651994 | Rdr | 93  20
  38653550 |  38659374 | Tag | 88  04  19  ac  6f
  38677562 |  38680026 | Rdr | 93  20
  38681582 |  38687406 | Tag | 88  04  19  ac  6f
  44995294 |  44996350 | Rdr | 26
  44997778 |  45000146 | Tag | 44  00
  45018334 |  45020798 | Rdr | 93  20
  45022354 |  45028178 | Tag | 88  04  19  ac  6f
  45046366 |  45048830 | Rdr | 93  20
  45050386 |  45056210 | Tag | 88  04  19  ac  6f
  45074398 |  45076862 | Rdr | 93  20
  45078418 |  45084242 | Tag | 88  04  19  ac  6f
  45102430 |  45104894 | Rdr | 93  20
  45106450 |  45112274 | Tag | 88  04  19  ac  6f
proxmark3>

Offline
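A way to read the listing in the post above, as an added example that is not part of the original thread: it parses `hf 14a list` rows, recomputes the ISO/IEC 14443-3 BCC (the XOR of the four UID CL1 bytes, here the cascade tag 0x88 plus the first three UID bytes) and records whether the reader ever moved on from anticollision (93 20) to SELECT (93 70). The six rows are copied from that listing; the function names are this example's own.

```python
import re

TRACE = """\
         0 |      1056 | Rdr | 26
      2356 |      4724 | Tag | 44  00
     22912 |     25376 | Rdr | 93  20
     26932 |     32756 | Tag | 88  04  19  ac  6f
     50944 |     53408 | Rdr | 93  20
     54964 |     60788 | Tag | 88  04  19  ac  6f
"""

ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|\s*(.*)$")

def parse_trace(text):
    """Return [(start, end, src, data_bytes)] for every row of a trace listing."""
    frames = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            data = bytes(int(b, 16) for b in m.group(4).split())
            frames.append((int(m.group(1)), int(m.group(2)), m.group(3), data))
    return frames

def bcc(uid_part):
    """Block check character: XOR of the four UID CLn bytes."""
    out = 0
    for b in uid_part:
        out ^= b
    return out

def check_anticollision(frames):
    """Summarise cascade level 1: BCC validity and whether SELECT followed."""
    report = {"anticoll_requests": 0, "bad_bcc": [], "select_seen": False}
    for i, (_, _, src, data) in enumerate(frames):
        if src == "Rdr" and data == b"\x93\x20":
            report["anticoll_requests"] += 1
            # The tag's answer is the next frame: 4 bytes of UID CL1 plus BCC.
            if i + 1 < len(frames) and frames[i + 1][2] == "Tag":
                resp = frames[i + 1][3]
                if len(resp) == 5 and bcc(resp[:4]) != resp[4]:
                    report["bad_bcc"].append((resp.hex(), f"{bcc(resp[:4]):02x}"))
        elif src == "Rdr" and data[:2] == b"\x93\x70":
            report["select_seen"] = True
    return report

if __name__ == "__main__":
    print(check_anticollision(parse_trace(TRACE)))
```

Each entry in `bad_bcc` pairs the response as captured with the BCC recomputed from its first four bytes.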

#53 2014-07-06 13:44:28

Bebeoix
Contributor
Registered: 2014-02-03
Posts: 22

Re: Cracking Mifare Classic 1K

Has anyone successfully gone through a MIFARE Plus (7 Byte UID) 4K, Security level 1?


#54 2014-07-19 14:22:11

LaserByte
Contributor
Registered: 2014-05-18
Posts: 46

Re: Cracking Mifare Classic 1K

Hi there,
and after reading and a little work, I finally found the key. I've taken the dumpkeys and dumpdata.bin, and now I would like to know how to convert the dumpdata.bin to an .eml file, to pass the data to the Chinese magic.
Am I doing well?


#55 2014-07-19 18:02:16

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: Cracking Mifare Classic 1K

./client/pm3_mfd2eml.py


#56 2014-07-20 14:27:03

LaserByte
Contributor
Registered: 2014-05-18
Posts: 46

Re: Cracking Mifare Classic 1K

Hi there,
I have been unable to convert a dumpdata.bin to dumpdata.eml.
I tried in every way and I could not.
I do not run any script.
------------------
pm3 ~$ client/proxmark3.exe com5
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2014-06-07 15:46:01
#db# os: /-suspect 2014-06-07 15:46:10
#db# FPGA image built on 2014/03/24 at 21:54:44
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> script run dumptoemul -i dumpdata.bin -o cap.eml
--- Executing: ./scripts/dumptoemul.lua, args'-i dumpdata.bin -o cap.eml'
cannot open ./scripts/dumptoemul.lua: No such file or directory

-----Finished
proxmark3>


#57 2014-07-20 20:00:53

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Cracking Mifare Classic 1K

C'mon...

pm3 ~$ client/proxmark3.exe com5

You are apparently executing from proxmark3/, not from the proxmark3/client/ folder. So, the current working directory is the pm3 root folder.

cannot open ./scripts/dumptoemul.lua: No such file or directory

It tries to load <currentdir>/scripts/dumptoemul.lua. Did you look for that file? The scripts-folder is located at <pm3-root>/client/scripts/ .

So, go into the client directory and *then* start the client. The same goes for most load/save commands and a few other commands; they expect you to be there.


#58 2014-07-20 20:55:51

LaserByte
Contributor
Registered: 2014-05-18
Posts: 46

Re: Cracking Mifare Classic 1K

I changed the <dir>\scripts to the pm3 dir and it says this...

pm3 ~$ client/proxmark3.exe com5
proxmark3> script run dumptoemul -i dumpdata.bin -o cap.eml
--- Executing: ./scripts/dumptoemul.lua, args'-i dumpdata.bin -o cap.eml'
./scripts/dumptoemul.lua:3: module 'getopt' not found:
        no field package.preload['getopt']
        no file 'C:\ProxSpace\pm3\client\lua\getopt.lua'
        no file 'C:\ProxSpace\pm3\client\lua\getopt\init.lua'
        no file 'C:\ProxSpace\pm3\client\getopt.lua'
        no file 'C:\ProxSpace\pm3\client\getopt\init.lua'
        no file '.\getopt.lua'
        no file './lualibs/getopt.lua'
        no file 'C:\ProxSpace\pm3\client\getopt.dll'
        no file 'C:\ProxSpace\pm3\client\loadall.dll'
        no file '.\getopt.dll'

-----Finished
proxmark3>
But in dir\client the dir\lua does not exist, and neither does getopt...
This is the problem... Thanks for your help.

I will reinstall...


#59 2014-07-20 21:12:42

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Cracking Mifare Classic 1K

No no.. This is what you should do when starting the client:

$ cd client
$ ./proxmark3.exe com5

That's all.

Regarding your current problems, the getopt is here:

[~/tools/proxmark3/client]
#find -name "getopt.*"
./lualibs/getopt.lua

As you can see from the error message, it tries to search ./lualibs/getopt.lua. If your '.'-folder (current working dir) had been client, it would have found it.

Offline
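The path resolution holiman describes in posts #57 and #59, as an added example that is not part of the original thread: it pulls the searched paths out of the Lua error from post #58 (search list shortened to four entries), keeps the ones that are relative to the working directory, and resolves them from two starting directories. The directory tree is constructed in a temporary folder and the function names are this example's own.

```python
import ntpath
import os
import re
import tempfile

# Error text copied from post #58; only four of the "no file" entries are kept.
LUA_ERROR = r"""./scripts/dumptoemul.lua:3: module 'getopt' not found:
        no file 'C:\ProxSpace\pm3\client\lua\getopt.lua'
        no file 'C:\ProxSpace\pm3\client\getopt.lua'
        no file '.\getopt.lua'
        no file './lualibs/getopt.lua'
"""


def cwd_relative_candidates(error_text):
    """Return the searched paths that are resolved against the working directory."""
    paths = re.findall(r"no file '([^']+)'", error_text)
    # ntpath.isabs understands the drive-letter paths in this Windows error text.
    return [p.replace("\\", "/") for p in paths if not ntpath.isabs(p)]


def found_from(cwd, candidates):
    """List the candidates that exist when resolved from the directory cwd."""
    return [c for c in candidates
            if os.path.isfile(os.path.normpath(os.path.join(cwd, c)))]


def demo():
    """Build a constructed pm3 tree and resolve the candidates from two places."""
    with tempfile.TemporaryDirectory() as root:
        libs = os.path.join(root, "client", "lualibs")
        os.makedirs(libs)
        open(os.path.join(libs, "getopt.lua"), "w").close()
        cands = cwd_relative_candidates(LUA_ERROR)
        from_root = found_from(root, cands)                          # pm3 root
        from_client = found_from(os.path.join(root, "client"), cands)  # client/
        return cands, from_root, from_client


if __name__ == "__main__":
    print(demo())
```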

#60 2014-07-20 21:29:11

LaserByte
Contributor
Registered: 2014-05-18
Posts: 46

Re: Cracking Mifare Classic 1K

Thanks,
it's perfect...
-------------->
pm3 ~$ cd client
pm3 ~/client$ proxmark3.exe com5
proxmark3> script ru test
--- Executing: ./scripts/test.lua, args''
This shows how to use some standard libraries
Continue with this operation (y/n)? y
Ok then, whatever

-----Finished
proxmark3>


#61 2014-07-21 16:46:01

LaserByte
Contributor
Registered: 2014-05-18
Posts: 46

Re: Cracking Mifare Classic 1K

Hello,
the cloning process was successful...
It authenticates great...
Thank you very much to Holiman, midnitesnake and iceman.
I will continue doing my tests and will tell you...

Thanks


#62 2014-08-11 23:47:45

LaserByte
Contributor
Registered: 2014-05-18
Posts: 46

Re: Cracking Mifare Classic 1K

Hello!
I'm trying to find the key to: NXP MIFARE 1k CLASSIC | 2k Plus SL1 high entropy. I have the key "A", but when I run a nested 1 0 A,
it just gives me zeros for the key "B".
I've tried almost everything, everything I know.
Any idea or solution?


#63 2014-08-12 07:59:25

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Cracking Mifare Classic 1K

"high entropy" means that you have a card with a fixed random number generator. The card-only attacks won't work.


#64 2014-08-12 11:54:39

LaserByte
Contributor
Registered: 2014-05-18
Posts: 46

Re: Cracking Mifare Classic 1K

Could you be more specific? I do not understand.


#65 2014-08-12 13:15:11

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Cracking Mifare Classic 1K

You can't use hf mf mifare and hf mf nested with these cards.


#66 2014-08-12 13:19:28

LaserByte
Contributor
Registered: 2014-05-18
Posts: 46

Re: Cracking Mifare Classic 1K

Ahh yes... I know... but some idea?


#67 2014-08-12 15:53:39

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Cracking Mifare Classic 1K

hf mf sim x would still work...

...but...

LaserByte wrote:

proxmark3> a:  7.77 V @    13.56 MHz

... your antenna most probably needs improvement for successful simulation (and sniffing/snooping). See e.g. http://www.proxmark.org/files/Documents/Antennas/2009.03.01-proxmark_HF_13.56MHz_mifare_antenne.pdf


#68 2014-08-12 19:08:37

LaserByte
Contributor
Registered: 2014-05-18
Posts: 46

Re: Cracking Mifare Classic 1K

pm3 ~$ cd client
pm3 ~/client$ proxmark3.exe com5
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host

# LF antenna:  0.00 V @   125.00 kHz
# LF antenna:  0.00 V @   134.00 kHz
# LF optimal:  0.00 V @ 12000.00 kHz
# HF antenna: 10.28 V @    13.56 MHz
# Your LF antenna is unusable.
proxmark3>


#69 2014-08-13 14:50:37

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Cracking Mifare Classic 1K

Good improvement. Should be enough.


#70 2014-08-13 14:51:58

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Cracking Mifare Classic 1K

Good improvement. Could be enough. Simply give it a try.


#71 2014-08-16 03:47:37

geekngadgets
Member
Registered: 2014-08-16
Posts: 2

Re: Cracking Mifare Classic 1K

Hi guys,

G'day!

Just wanna share with you that I have some of these Chinese Magic Cards, which allow you to modify the UID in Block 0. I have tried it on my personal project and it works. Just wanna give a shoutout in case any of you needs some of these Chinese Magic Cards, of which I have some in excess.
Feel free to shoot me an email at geekngadgets@live.com

Cheers!


#72 2014-09-03 00:21:22

spawnrider
Member
From: France
Registered: 2014-08-12
Posts: 4

Re: Cracking Mifare Classic 1K

LaserByte,

Did you retrieve our key "B" using your system?

I tried to use mfoc/mfcuk on my MIFARE Classic 1K (high entropy) but without any success.
Does anybody have a solution? Using the Proxmark reader sniffing technique?