Proxmark3 community


#1 2015-09-07 14:55:12

pusinato
Member
Registered: 2013-12-20
Posts: 7

Mifare Classic Broken ? CMD 04 Key A recovered

uid(d80eeXXX) nt(c4977XX) par(2e1646fee6deXXX6) ks(0d0c0b05050XXX1) nr(7ffdec0000000XX0)


Key found:000000000000

Found valid key:000000000000
--block no:0, key type:A, key:00 00 00 00 00 00 
#db# Cmd Error: 04       
#db# Read block error       
#db# READ BLOCK FINISHED       
isOk:00
--block no:0, key type:B, key:00 00 00 00 00 00 
#db# Cmd Error: 04       
#db# Read block error       
#db# READ BLOCK FINISHED


Darkside works great, I get the key, but when I try to read the card's block 0 it seems the keys are wrong.
I can't get any access to blocks 0, 1, 2 and 3.
I have tested different firmware, with the same result.

Any tips on how to get access to the card?


#2 2015-09-09 00:33:23

abyjk
Member
Registered: 2014-11-27
Posts: 7

Re: Mifare Classic Broken ? CMD 04 Key A recovered

Hi!

Which command did you use? "hf mf mifare", or the chk?
Is the tag usable in the normal environment (can it still open doors or still pay for the bus ride, etc.)?


#3 2015-09-09 09:15:42

pusinato
Member
Registered: 2013-12-20
Posts: 7

Re: Mifare Classic Broken ? CMD 04 Key A recovered

The command was "hf mf mifare".
The card is not usable.
Is it possible to use the sniff or snoop command to get the A key for the block?

The UID is visible when read, but it is not giving me access to read block 0.


#4 2015-09-09 10:21:22

abyjk
Member
Registered: 2014-11-27
Posts: 7

Re: Mifare Classic Broken ? CMD 04 Key A recovered

That's weird because, as you know, the first block contains "free data".
I would guess the sniffed key is wrong (every sniff I tried myself has gone wrong, but maybe I'm too stupid for that ;) only the encrypted one works for me).
You could try the other one: "hf mf chk *1 ? t", assuming it's an MFC 1k, checking all the default keys.
So maybe it shows a different key to you. If you're a bit lucky, it shows you any key you can use for the nested attack and THEN get a key for the first sector (or "another" one).

On every MFC1k tag at home, the first sector can be read with "a0a1a2a3a4a5" (type A).


#5 2015-09-10 08:16:41

pusinato
Member
Registered: 2013-12-20
Posts: 7

Re: Mifare Classic Broken ? CMD 04 Key A recovered

Thank you for the suggestion.

"hf mf chk *1 ? t" gave me the same key, faulty key found again.

Also, your type A key gave an auth error, but thank you again.


#6 2015-09-10 09:20:00

abyjk
Member
Registered: 2014-11-27
Posts: 7

Re: Mifare Classic Broken ? CMD 04 Key A recovered

Okay, then I have two last ideas.
1) Try with another reader. I use the ACR122U to verify correctness of tags.
2) Or try to change block 4 (key A, access bits, key B) with your type B key, if you got one during attacks, because it sounds like you won't use the tag in real life anyway. But, as you know, writing a block with keys can be tricky.

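Added example, not part of the original thread: a check of the "key A, access bits, key B" layout mentioned in the post above, useful before writing such a block, since a trailer whose access bits do not match their inverted copies locks the sector. The function names and the sample trailers are constructed for illustration; the bit layout and read conditions follow the MIFARE Classic datasheet.

```python
# Added example (hypothetical helper names, constructed sample data).
# Sector trailer, 16 bytes: key A (0-5) | access bytes (6-8) | user byte (9) | key B (10-15)

# Data-block read condition for each (C1, C2, C3) triple, per the MIFARE Classic datasheet.
DATA_READ = {
    (0, 0, 0): "A or B", (0, 1, 0): "A or B", (1, 0, 0): "A or B",
    (1, 1, 0): "A or B", (0, 0, 1): "A or B",
    (0, 1, 1): "B only", (1, 0, 1): "B only", (1, 1, 1): "never",
}

def parse_access_bits(trailer: bytes) -> dict:
    """Return {block_in_sector: (C1, C2, C3)}; raise ValueError on a malformed trailer."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    # Each nibble holds one access bit per block (bit 0 = block 0 ... bit 3 = trailer).
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    c1_inv, c2_inv, c3_inv = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    for name, val, inv in (("C1", c1, c1_inv), ("C2", c2, c2_inv), ("C3", c3, c3_inv)):
        if val ^ inv != 0x0F:  # stored copy must be the exact bitwise inverse
            raise ValueError(f"{name}={val:04b} does not match inverted copy {inv:04b}")
    return {blk: ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)}

def data_block_read_keys(trailer: bytes) -> dict:
    """Which key the access bits name for reading each of the three data blocks."""
    bits = parse_access_bits(trailer)
    return {blk: DATA_READ[bits[blk]] for blk in range(3)}

def safe_to_write(trailer: bytes) -> bool:
    """True only if the trailer is well formed, so the check can gate a write."""
    try:
        parse_access_bits(trailer)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed samples: transport configuration, a key-B-only layout, a malformed one.
    samples = {
        "transport": bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff"),
        "b_only":    bytes.fromhex("000000000000" "ef069100" "ffffffffffff"),
        "malformed": bytes.fromhex("000000000000" "00000000" "ffffffffffff"),
    }
    for name, t in samples.items():
        ok = safe_to_write(t)
        print(name, "valid" if ok else "INVALID", data_block_read_keys(t) if ok else "")
```

Under a "B only" condition, authenticating with key A can succeed while the read of that data block is still refused.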

#7 2015-09-11 09:15:08

pusinato
Member
Registered: 2013-12-20
Posts: 7

Re: Mifare Classic Broken ? CMD 04 Key A recovered

Yes, I have ordered an ACR122U so I will try that way, thank you for the suggestion.
Perhaps it will work better with MFCUK and MFOC.
