Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2013-10-15 02:02:06

The Enterprise
Contributor
Registered: 2013-10-14
Posts: 18

cracking mifare keys

I seem to be running into a few problems when cracking keys.

1: For some reason when i try *hf 14a reader* it says something like non-proprietary  ISO14443A card but i know it is a mifare classic 1k card because my ACR122U reads it and says it is.

2: I used *hf 14a snoop* on the card traffic and got this

 +      0:   0: TAG 04  00              
 +    299:   0: TAG 89  3c  64  80  51              
 +    811:   0: TAG 88  be  59              
 +   1379:   0: TAG 7a  d1  80  f9              
 +    699:   0: TAG cd! c5  bd! 8a              
 +    475:   0: TAG 65! 58  3f! 7e  a4  42! b1! 72  0d  84  38  03  35! c2! 8a  7b  06! 33     !crc          
 +    451:   0: TAG 65! 02  9d  90  c5  bd  1f! 59  1f! 6d! f9  67! 75  0c  61! fb  f0! 8d     !crc          
 +    435:   0: TAG b5! c8  0b  03  7e! 07! 96! 1d! 25! dc! 1c! 56  c4  2d! b1  86! df  d9     !crc          
 +   1347:   0: TAG 89  f3! 7f  78              
 +    712:   0: TAG 3f! 23  a8  2c              
 +    459:   0: TAG 77  c9! 65  32! 2d  a9  56  0a! d9! fc  ee  20  a5! e1  f2! 30! 60  bb!    !crc          
 +    451:   0: TAG f2  f2! d4  96  e4  86! 56  56  e6! 58! 70  a9  36  f8! be! f1  61  2a     !crc          
 +    435:   0: TAG 8f  6b! 8b! 18! 7b  54! 78! 67  25  69  6a! 47  5e! 2c! d4  fa! 4c! a6     !crc          
 +    587:   0: TAG b4  39! d3  19!             
 +    699:   0: TAG a3  0c  4a  e3              
 +    443:   0: TAG fa! 6a! c8  52  3a  41  dd! 1a! ef  bf! 12! cb! 9e  53! c3! cf! ef  52     !crc          
 +    443:   0: TAG 36  0d! 0d! e1! ad  32  0d! 61  f6  8b! c3! 5a  ff  95  b6! e9! fc  43     !crc          
 +    435:   0: TAG d2! ee! 08! 77  03! e1! 1e! 85  92  b8! ca! 5d! de  dd! 8a! a5! e3! eb!    !crc          
 +    555:   0: TAG da  d5  9e! 3a!             
 +    691:   0: TAG 46  bb  9a! 6c!             
 +    467:   0: TAG e7  4c  ee  aa  50! 39! 56! 64  a3  40! a9! 72! b8! c2! b2  2c  c5  02     !crc          
 +      6:   0: TAG 08              
 +    451:   0: TAG 27! a6  dc! 00  a5  c9! f2  c1! e2! 8b! bb! 39  93! 2d  0a  b4! 69! e3!    !crc          
 +    435:   0: TAG 2c  59! 66  8e  7c  87! 40! c6  ad  16  41! 34  63  14! 34  43  39! cf!    !crc          
 +    531:   0: TAG 62! 1e! cb! 17              
 +    691:   0: TAG 4e! a3! f7  3e              
 +    427:   0: TAG 81! f5! 43! a7! 09! 4a! 2a  28  8c  a4  50! 5d! b9! e1! 37  47! 41! 3a!    !crc          
 +    435:   0: TAG 12! 19! 10  c4  9d! b0! da! 2e  8d  b3! 74! fb  00  e3  95! 2e  13! 2a!    !crc          
 +    435:   0: TAG f3  49  31  7b! 14  67  c0! c1  d3  03! d9! 86  02  d5! fc  9e  13! 16!    !crc          
 +    523:   0: TAG 1d! 53! c4  73              
 +    691:   0: TAG d5  ad  70! e6              
 +    427:   0: TAG a6! 7a  47  18! bc! 59! ea! c4! 76  5b! fe  c1! ff! 81! f9! 4d  c8! f2!    !crc          
 +    435:   0: TAG f9  61! f2  37! c1  ac  73  d9  d5  e3  cb  4b! c8! 9a! f7! e8! df! c8!    !crc          
 +    439:   0: TAG 7f  04! de! c9! 3e! eb! 30! 0f  e2! 2b  5c! 65  71  50! 69  06  8e  f4     !crc          
 + 140980:    :     26              
 +     64:   0: TAG 04  00              
 +    276:    :     93  20              
 +     64:   0: TAG 89  3c  64  80  51              
 +    748:    :     93  70  89  3c  64  80  51  87  70              
 +     64:   0: TAG 88  be  59              
 +    780:    :     61  00  2d  62              
 +    112:   0: TAG 57  ae  7a  85              
 +    636:    :     2c  e3  63  91  39  dc  00  75     !crc          
 +     64:   0: TAG 5d! 28! 5b! 17              
 +    404:    :     30  85  71  c5     !crc          
 +   1334:   0: TAG 1f              
 +    584:    :     5d  7f  2f  33     !crc          
 +    112:   0: TAG 12  db  2d  31!             
 +    628:    :     3f  06  5d  ae  0b  04  97  b0     !crc          
 +     64:   0: TAG 07! 04! 6c  a1!             
 +    412:    :     cd  e0  9b  36     !crc          
 +     64:   0: TAG 07              
 +   1380:    :     1c  e9  fc  88  49  cf  2d  7f  2e  76  4f  65  b1  21  c7  c7  6e  eb     !crc          
 +   2992:   0: TAG 00!             
 +    396:    :     d3  24  43  d8     !crc          
 +     64:   0: TAG 07              
 +   1372:    :     6b  f4  f9  5c  63  1e  f8  0d  b0  1e  be  e1  a1  86  74  99  6e  75     !crc          
 +   2992:   0: TAG 0c!             
 +    444:    :     04  f6  22  7d     !crc          
 +     64:   0: TAG 06!             
 +   1380:    :     d3  bc  78  1d  54  22  57  3b  05  8d  ec  70  28  a0  a0  7a  21  9e     !crc          
 +   2996:   0: TAG 01              
 +    452:    :     60  ff  77  47     !crc          
 +    112:   0: TAG ad! 80! 84! c4              
 +    628:    :     c3  9d  0a  af  7a  97  c5  c1     !crc          
 +     64:   0: TAG bf! 01  f1  2b              
 +    380:    :     cd  43  fb  63     !crc          
 +     64:   0: TAG 0f!             
 +   1372:    :     b6  b3  4e  93  00  ef  66  72  1c  24  fc  e2  8e  91  c5  5a  70  b1     !crc          
 +   2992:   0: TAG 02              
 +    444:    :     ed  c1  f5  e9     !crc          
 +    112:   0: TAG 2c! 55! 44! 3f              
 +    628:    :     17  ff  3a  08  58  4f  ed  a5     !crc          
 +     64:   0: TAG 11! 52  3c  41!             
 +    364:    :     f0  3c  12  dc     !crc          
 +     64:   0: TAG 01              
 +   1372:    :     fb  ed  c8  88  df  f8  56  83  e8  f5  5b  41  d0  82  0b  1c  1a  fa     !crc          
 +   2992:   0: TAG 09!             
 +   1284:    :     18  55  58  17     !crc          
 +546176990:   0: TAG 04  00              
 +    306:   0: TAG 89  3c  64  80  51              
 +    810:   0: TAG 88  be  59              
 +   1374:   0: TAG 62  8f  2d  31              
 +    706:   0: TAG df! f7  ab  ea              
 +    482:   0: TAG 95! 9a! 6f  67  79  b0  33! 88  61! 51  ff  f4  5a! a8  c9! 65! d9  73!    !crc          
 +    450:   0: TAG 70! 3f  76! 07  f6  83! 03  db  d7! 26  d6! 63  7b  8f  74! 5c  71! 17!    !crc          
 +    434:   0: TAG 04  5f  44! 83! 3e! c8  cd! e2  64! 8e  26! d2  38  25! 5e! 74! be! eb     !crc          
 +   1282:   0: TAG 2e  ce! 04! df              
 +    690:   0: TAG 8c! 9e! 69! 76              
 +    466:   0: TAG 75  e4  cc  3a! a8  88! e7  e4  70  6f! 75! 8c! 88  72  a0  e8! ea! 21     !crc          
 +    450:   0: TAG 16! 3b  e3! 08! 4e  86  cb! 6a  e8! cf! d1  2a  2d  5a! a7! d8  45  3e!    !crc          
 +    434:   0: TAG 28! 9d  60! 52! dc  d7! 2b! 53  66  46  19  af  de! 49  1b! 0d  b6  31!    !crc          
 +    586:   0: TAG f0  1b! aa  60!             
 +    694:   0: TAG 6b  4e! 50! 58!             
 +    434:   0: TAG 21  d2! 2b  1b  2f  09! 76! b8  43  45! 8b  a0  1b! 9d  52! 87  11  18     !crc          
 +    442:   0: TAG 1d  c1  8c  3a! 3f! 5e  b5! 71  ef! 89  61  c2! e5  6a  aa  61  ef  a8!    !crc          
 +    434:   0: TAG 00  4b! 58! 99! 14! ff! 0a! d1  f3! 12! 46! be  7a  6a! d2  67! 1a  ba!    !crc          
 +    546:   0: TAG a5! c2  79  e2              
 +    690:   0: TAG 80! 2e  82  86!             
 +    434:   0: TAG 4b! 6b  8a  cb  59  5a  81  91! 5e! e2! c8! ab! 65  81! 01! 88  56  74     !crc          
 +    434:   0: TAG 56  a7! 08  57! 93! 60! 30! 25  71! 61! 7e  3e! 37! 82! 43  15! 96  e8     !crc          
 +    434:   0: TAG 92  51! 0b  d7! e1  a8  1a  b1! be  09  b6  8c  0b  c3  1d  58  53! db     !crc          
 +    522:   0: TAG 27! bd  cc! c6!             
 +    690:   0: TAG 16! 42  92! 86              
 +   1374:   0: TAG 24  9a! 68! 2a  76              
 +    434:   0: TAG 1b! cd  29! 7d! 5b  8b  ce  ab! ed! b4  42! dd! c6  15! 64! 91  d4  70!    !crc          
 +    434:   0: TAG da  16! 97  cb  65! ef! 86! c5! 50! 86! 18! f5! 8f  63! 83  dd  60  95!    !crc          
 +    522:   0: TAG cb  67! ea! 76!

Im Guessing:

UID=893c648051
TAG CHALLENGE=57ae7a85
READER CHALLENGE=2ce36391
READER RESPONSE=39dc0075
TAG RESPONSE=5d285b17

The key should be D2D72CB60F59 using CRAPTO1 gui v1.01

So when i do *hf mf  rdsc 0 A D2D72CB60F59*

I get Authentication Failed

Am i doing something wrong?????

Offline

#2 2013-10-15 05:39:59

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: cracking mifare keys

Key B.

Offline

#3 2013-10-16 03:13:04

The Enterprise
Contributor
Registered: 2013-10-14
Posts: 18

Re: cracking mifare keys

OHHHHHHHHHH youre right stupid me i appreciate it.

Offline

#4 2015-09-29 18:35:08

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Hi guys,
I sniffed a mifare communication and please find below the log:
the UID is a2 f2 69 ea

[== Undefined ==]

    26 
    26 
    26 
    22 
U00 
Uff 
    26 
TAG 04 00 
    93 20 
TAG a2 f2 69 ea d3 
    93 70 a2 f2 69 ea d3 21 02 
TAG 00 24 d8 
    61 03 b6 50 
TAG 01 20 01 45 
    31 f0 4b 31 bb 22 a6 b5 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 99 
    61 03 b6 50 
TAG 01 20 01 45 
    4a 0c 2c 22 4d 40 3e c3 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 05 
    b9 a0 4d cc 5e bd 34 30 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    50 d5 d0 7a f5 f3 f3 c4 
TAG 19 84 69 ad 
    9b 2c 19 3f 
TAG 11 cd 3c 98 54 90 51 af 98 3d 8a f2 d8 c0 40 b9 b2 3e 
    d3 88 30 09 
TAG 1d 4b d3 73 
    d7 f7 fa 04 1a 2e 54 03 
TAG f5 1f ed 6b 
    97 9d 58 82 
TAG 9e 85 db 42 ee 78 44 31 d7 50 a5 90 06 9a 1c 91 84 20 
    ec 2d a1 d6 
TAG 3f f4 50 6f 4b e7 d7 6f 6d 8c 72 d0 1c 38 56 16 ef a5 
    1e cf a8 40 
TAG 6e 80 14 0f 0e 06 66 c4 1f 73 9d 1e f5 29 87 3c b8 2f 
    49 65 7d 16 
TAG 42 11 ff ff 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    45 70 21 3f 66 61 11 e0 
TAG 74 9a ea 13 
    1c 44 df d3 
TAG 61 6d 3e 3b 3f cd 50 95 c9 44 32 71 5f d4 19 f9 7c b4 
    8e c3 7c 73 
TAG 6f 46 43 8f 
    17 6f 8a 86 8b 04 2d 92 
TAG 44 17 87 3d 
    5e 54 5e a6 
TAG 9d 1c 39 f8 00 40 40 ad 02 e5 02 35 2e 39 31 9d 90 1d 
    de 12 a3 26 
TAG 27 37 e1 36 e0 0e de 07 88 d0 1d e4 a7 1e 22 ef 3b f3 
    d8 62 0e 7a 
TAG 44 7c ba 2d 7b 14 05 c6 93 a7 96 1f ad f5 e7 be 89 0b 
    d8 94 c5 29 
    52 
TAG 00 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    f7 cb 51 71 53 1c e8 2c 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    f0 a1 16 37 b0 00 f6 21 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    d8 79 5e f3 c1 c6 21 82 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    4f 2d d0 f1 6f 93 da b3 
TAG 88 64 35 2b 
    7a e3 2a 49 
TAG a1 82 c1 bb 14 70 ed 74 b9 75 b1 d1 98 d9 85 06 51 77 
    3b 21 f0 18 
TAG 5c 23 fe 40 
    3d 21 af ef 57 68 71 08 
TAG ef ff dd 21 
    81 44 23 ca 
TAG 49 33 04 06 04 03 3a 13 29 59 5c 59 53 40 6a 3b 69 54 
    28 b7 64 64 
TAG 8b 61 93 7f 8e 9c 25 e4 54 32 d1 14 f6 eb 82 d7 06 40 
    d6 c9 ec e4 
TAG e2 80 64 cb 61 f4 8d af 3d 0b 3d d2 4d e3 33 5c 60 5d 
    44 26 60 30 
TAG 20 30 09 69 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    2f 7b c4 a2 97 0a 1a 84 
TAG fc 4c 44 12 
    71 0b 0a 2c 
TAG b8 90 b7 62 1b 06 1e 41 7c 58 7e da c2 11 09 ea a9 b8 
    3b 6e de 8d 
TAG 66 55 4f 44 
    6d 27 ae 65 79 3e cd 9f 
TAG 70 07 19 62 
    f6 fb 8e e0 
TAG 3f 40 bf 64 53 42 f5 a9 5c 6a 84 91 93 df e9 f6 bd 56 
    8f 2a c1 33 
TAG d7 ca c0 02 8e 40 68 3c 2f 7e 9e 1c fb 10 0c 49 9f 3f 
    3f 4d 6f 08 
TAG 46 44 72 64 82 0e 59 b5 5c 59 8b e9 5e b8 7c fa fa 22 
    e0 8c 24 23 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    a1 8d b0 d1 a2 9b 63 65 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
Uc1 ff ff fe ba 
Uf8 a8 86 d4 aa e9 b1 d2 f9 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    d2 27 46 8f db 62 de 66 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    87 8d 75 ee 52 0a 60 81 
TAG 74 b7 70 61 
    d7 2b 04 0d 
TAG dc 60 07 20 70 06 80 e7 9d fe cc 98 4a 34 0e 94 55 40 
    75 ed aa ec 
TAG 5c 23 fe 40 
    14 3f ba d3 cd 50 78 ee 
TAG 43 02 40 54 
    4c 6f dd b9 
TAG c4 4f 0c a5 50 a9 8e 45 a3 95 67 4e ec 94 4e 33 e6 d5 
    9b 04 c2 ea 
TAG 30 c2 40 08 20 c8 34 15 75 79 dd 5c 9c 7d 1f db 2d 8d 
    aa 21 5b 8a 
TAG ea 0e 13 07 4a d3 02 08 74 3f 6f 52 3b 4f 02 00 00 46 
    ca 59 00 8e 
TAG 6c 39 3d ea 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    ce 14 d5 58 6f db 4c a8 
TAG 77 04 00 64 
    38 30 84 44 
TAG ba 31 68 2c 42 b2 00 b3 5f d4 0b ae 0c 7a 28 f0 1d ff 
    81 3a 62 eb 
TAG c2 4e 84 c0 
    44 ad 05 39 68 24 fe 53 
TAG 35 14 ea bf 
    5c 2f 0b 34 
TAG 4e c5 5a 2a 63 d7 e7 73 4a 48 6a 94 10 60 48 80 00 7e 
    0f 59 94 55 
TAG 46 05 eb f3 03 d1 51 5f f5 51 22 15 fb 1e 8d 73 b9 0d 
    d2 85 0f a3 
TAG b0 60 00 cc 11 49 c6 0c 44 f4 ec 98 db 0c b3 56 74 a5 
    f0 a5 e0 ae 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    a9 35 b0 ad 30 3a 44 a4 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 00 b4 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    02 19 d3 7b b3 60 10 83 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 00 00 45 
    c0 9c cf df 99 b0 fd 35 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    dd f0 d7 f1 2b 69 3a 45 
TAG 01 20 00 a0 
    a0 03 57 0d 
TAG a2 67 1f 44 c5 71 af ef 17 27 2e 4e a4 0a 38 0c 33 64 
    1e e6 e1 9d 
TAG c0 7c 20 f4 
    9c 8b 98 d0 97 1f f4 88 
TAG e9 2f b7 ac 
    c3 ef 16 14 
TAG 01 47 e9 7d 75 da a7 fd f8 6d 31 a2 08 02 90 a2 e1 25 
    8e d2 6b 89 
TAG 26 51 28 37 52 ba 11 17 c9 9a af 2d 38 b3 b3 0e 3d 1d 
    4d aa 22 c4 
TAG 80 84 0c cc 46 f8 27 83 4d 2f 90 40 bf 9a 52 81 f1 07 
    ca a1 bf b9 
TAG 30 49 4f 5f 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 00 00 00 
    31 8d e8 66 e5 e1 5b 43 
TAG 97 58 41 55 
    9f 5c 51 63 
TAG 4c cb b5 d6 d3 27 8f 37 de b1 79 6d ed fb 6f f8 00 c0 
    74 e9 a2 05 
TAG 6f 46 43 8f 
    b4 d3 ac 0d 5d 55 ac c5 
TAG 97 cd 03 6b 
    08 c8 18 ee 
TAG 04 00 8a cf e1 0c b1 6e d0 52 c1 03 11 77 50 b2 8c 15 
    16 48 70 7c 
TAG c5 a6 1a 98 e0 b2 ce 22 6f dd 08 8a 15 04 48 60 f8 23 
    9e 9d 72 9b 
TAG f9 23 8e 64 e4 c9 43 5a cd 33 a1 5f 98 d6 d5 b6 43 29 
    ae 55 20 39 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    70 2d df ca f8 68 5e 2c 
    52 
TAG 00 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    eb a4 39 c1 80 b8 c4 d1 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 00 24 dc 
    61 03 b6 50 
TAG 01 20 01 45 
    d0 96 49 c8 f8 34 cb 84 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 00 00 00 
    29 76 c3 fa d3 4a 64 c3 
TAG 07 60 98 ad 
    a8 0b a5 7a 
TAG 69 30 b7 9a 3f 2c f0 fd 45 de f3 9f 94 22 c0 18 e2 c0 
    fc d0 1d 5d 
TAG 1d 4b d3 7b 
    dd 51 fb 65 8d e8 d8 bb 
TAG 0a 17 7a c2 
    5d 42 17 35 
TAG 80 ce 6a ac 53 fb cf 35 61 4c e7 b4 66 ee b5 fd 5e 35 
    17 c9 af 05 
TAG 0b 1d fe 74 e0 c0 8c 24 e3 82 fa 01 00 44 30 1d eb 50 
    ba 36 cf cc 
TAG a5 ed 05 97 90 c9 84 12 87 cf 4b 67 0f 79 16 cf 9e fd 
    2e 50 a4 b8 
TAG 42 11 ff ff 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 24 98 
    61 07 92 16 
TAG 01 20 01 45 
    a9 5a 5b b3 7f 52 a6 3a 
TAG a9 ed 1d 51 
    e6 61 f9 92 
TAG 67 c0 00 c0 7f 2e 75 a8 ac ec 5d 59 9a 46 95 b4 cd 23 
    6e e6 58 59 
TAG 6f 46 43 8f 
    c9 0c b7 70 c3 ca a0 07 
TAG c8 8e bc 03 
    ab 48 c9 6c 
TAG 75 46 7d 06 84 76 e4 d9 dc dd 91 6d f7 47 a2 e2 d5 0f 
    25 c4 3c f7 
TAG 00 d2 34 a5 64 e5 00 a7 6b 30 c7 0e a0 85 6a 64 20 23 
    4d 6f b0 c2 
TAG 7c 8a d9 d6 8a b7 0a b6 e9 fa 60 ac 82 40 02 b0 b2 cb 
    73 8e be 7d 
U00 
Uf8 52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    50 00 57 cd 
    26 
    26 
    26 
    26 
U00 
Uff 
U00 
Ufc 26 
TAG 04 00 
    93 20 
TAG a2 f2 69 ea d3 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    50 00 57 cd 
U00 
Uff 

Is there someone that can help me to find all info to use properly crapto1 gui software??

big_smile

Last edited by mariolino (2015-09-29 18:35:45)

Offline

#5 2015-09-29 18:59:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

I never used the crapto1 gui,  but if you use the mfkey64.exe under the /tools/mfkey/ folder in the Pm3 source you can use your trace above.

But I guess you would need to understand the authenticate handshake to gather the right bytes.
If you read the "example_trace.txt" file in the same folder,  you can understand better maybe.



pm3 ~/tools/mfkey$ mfkey64.exe a2f269ea 01200145 50d5d07a f5f3f3c4 198469ad
MIFARE Classic key recovery - based 64 bits of keystream
Recover key from only one complete authentication!

Recovering key for:
  uid: a2f269ea
   nt: 01200145
 {nr}: 50d5d07a
 {ar}: f5f3f3c4
 {at}: 198469ad

LFSR succesors of the tag challenge:
  nt': 63e5bca7
 nt'': 993730bd

Keystream used to generate {ar} and {at}:
  ks2: 96164f63
  ks3: 80b35910

Found Key: [a0a1a2a3a4a5]

Offline

#6 2015-09-29 19:06:01

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

I never used the crapto1 gui,  but if you use the mfkey64.exe under the /tools/mfkey/ folder in the Pm3 source you can use your trace above.

But I guess you would need to understand the authenticate handshake to gather the right bytes.
If you read the "example_trace.txt" file in the same folder,  you can understand better maybe.



pm3 ~/tools/mfkey$ mfkey64.exe a2f269ea 01200145 50d5d07a f5f3f3c4 198469ad
MIFARE Classic key recovery - based 64 bits of keystream
Recover key from only one complete authentication!

Recovering key for:
  uid: a2f269ea
   nt: 01200145
 {nr}: 50d5d07a
 {ar}: f5f3f3c4
 {at}: 198469ad

LFSR succesors of the tag challenge:
  nt': 63e5bca7
 nt'': 993730bd

Keystream used to generate {ar} and {at}:
  ks2: 96164f63
  ks3: 80b35910

Found Key: [a0a1a2a3a4a5]

Dear Iceman,
thanks a lot for your quick reply. Could you confirm that on the sniff log you can find only the Key A a0a1a2a3a4a5 or is there also the Key B?

I tried but the result for me is FFFFFFFFFFFF

Last edited by mariolino (2015-09-29 19:10:09)

Offline

#7 2015-09-29 19:22:05

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Dear Iceman I have a question for you.... Do you think that, just knowing the UID and sector 0 data,  you will be able to find the default keys on this kind of Tag? tongue

Offline

#8 2015-09-29 19:22:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

I just tried one key the rest is up to you to  find out.

Hint, there are several auth commands in your trace.

Offline

#9 2015-10-01 18:22:47

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Dear Iceman, thanks for your help. As suggested I read the example on PM3 folder:

[== Undefined ==]
 +  50782:    :     26
 +  33822:    :     26
 +  50422:    :     26
 +     64:   0: TAG 04  00
 +    944:    :     93  20
 +     64:   0: TAG 9c  59  9b  32  6c
 +   1839:    :     93  70  9c  59  9b  32  6c  6b  30
 +     64:   0: TAG 08  b6  dd
 +   3783:    :     60  32  64  69
 +    113:   0: TAG 82  a4  16  6c
 +   1287:    :     a1  e4  58  ce  6e  ea  41  e0
 +     64:   0: TAG 5c  ad  f4  39

./mfkey64 9c599b32 82a4166c a1e458ce 6eea41e0 5cadf439

But I'm still don't understand where I'm doing something wrong.
In the following you can find any keys found on my sniff log:

[== Undefined ==]
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    50 d5 d0 7a f5 f3 f3 c4 
TAG 19 84 69 ad 
A0A1A2A3A4A5
    9b 2c 19 3f 
TAG 11 cd 3c 98 54 90 51 af 98 3d 8a f2 d8 c0 40 b9 b2 3e 
    d3 88 30 09 
TAG 1d 4b d3 73 
    d7 f7 fa 04 1a 2e 54 03 
TAG f5 1f ed 6b 
683ACA777D4D
    97 9d 58 82 
TAG 9e 85 db 42 ee 78 44 31 d7 50 a5 90 06 9a 1c 91 84 20 
    ec 2d a1 d6 
TAG 3f f4 50 6f 4b e7 d7 6f 6d 8c 72 d0 1c 38 56 16 ef a5 
    1e cf a8 40 
TAG 6e 80 14 0f 0e 06 66 c4 1f 73 9d 1e f5 29 87 3c b8 2f 
    49 65 7d 16 
TAG 42 11 ff ff 
    52 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    45 70 21 3f 66 61 11 e0 
TAG 74 9a ea 13 
FFFFFFFFFFFF
    1c 44 df d3 
TAG 61 6d 3e 3b 3f cd 50 95 c9 44 32 71 5f d4 19 f9 7c b4 
    8e c3 7c 73 
TAG 6f 46 43 8f 
    17 6f 8a 86 8b 04 2d 92 
TAG 44 17 87 3d 
447D1866F002
    5e 54 5e a6 
TAG 9d 1c 39 f8 00 40 40 ad 02 e5 02 35 2e 39 31 9d 90 1d 
    de 12 a3 26 
TAG 27 37 e1 36 e0 0e de 07 88 d0 1d e4 a7 1e 22 ef 3b f3 
    d8 62 0e 7a 
TAG 44 7c ba 2d 7b 14 05 c6 93 a7 96 1f ad f5 e7 be 89 0b 
    d8 94 c5 29 
    52 
TAG 00 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    f7 cb 51 71 53 1c e8 2c 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    f0 a1 16 37 b0 00 f6 21 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 03 b6 50 
TAG 01 20 01 45 
    d8 79 5e f3 c1 c6 21 82 
    52 
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    4f 2d d0 f1 6f 93 da b3 
TAG 88 64 35 2b 
A0A1A2A3A4A5
    7a e3 2a 49 
TAG a1 82 c1 bb 14 70 ed 74 b9 75 b1 d1 98 d9 85 06 51 77 
    3b 21 f0 18 
TAG 5c 23 fe 40 
    3d 21 af ef 57 68 71 08 
TAG ef ff dd 21 
4B8081C21014

Where is the "error" on the generation Key??
Thanks in advance

Offline

#10 2015-10-01 19:23:01

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Dear Iceman, according to the PM3 example, the proper Keys should be the following:

[== Undefined ==]
TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    50 d5 d0 7a f5 f3 f3 c4 
TAG 19 84 69 ad 
A0A1A2A3A4A5

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    45 70 21 3f 66 61 11 e0 
TAG 74 9a ea 13 
FFFFFFFFFFFF

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    4f 2d d0 f1 6f 93 da b3 
TAG 88 64 35 2b 
A0A1A2A3A4A5

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    2f 7b c4 a2 97 0a 1a 84 
TAG fc 4c 44 12 
FFFFFFFFFFFF

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    87 8d 75 ee 52 0a 60 81 
TAG 74 b7 70 61 
A0A1A2A3A4A5

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 20 01 45 
    ce 14 d5 58 6f db 4c a8 
TAG 77 04 00 64
1669638CDE27 

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 20 01 45 
    dd f0 d7 f1 2b 69 3a 45 
TAG 01 20 00 a0 
4787C6A94ED7

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    61 07 92 16 
TAG 01 00 00 00 
    31 8d e8 66 e5 e1 5b 43 
TAG 97 58 41 55 
DC358AF289C5

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 b6 dd 
    60 03 6e 49 
TAG 01 00 00 00 
    29 76 c3 fa d3 4a 64 c3 
TAG 07 60 98 ad 
A8C6E115DE58

TAG 04 00 
    93 70 a2 f2 69 ea d3 21 02 
TAG 08 24 98 
    61 07 92 16 
TAG 01 20 01 45 
    a9 5a 5b b3 7f 52 a6 3a 
TAG a9 ed 1d 51 
FFFFFFFFFFFF

But unfortunately they are wrong  mad

Last edited by mariolino (2015-10-01 19:25:01)

Offline

#11 2015-10-01 20:04:43

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: cracking mifare keys

Can you please provide some more information? What did you do to find out that "they are wrong"? What kind of card is this which gives the same tag nonce (01 20 01 45) every time? Which version of PM3 software are you using?

Offline

#12 2015-10-01 20:22:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

When I look are your found keys,  they doesn't makes sense.
Like these two Auth Key B for sector 7.  Should be same and nonce as Piwi says is highly repeating.


    61 07 92 16
TAG 01 00 00 00
    31 8d e8 66 e5 e1 5b 43
TAG 97 58 41 55
DC358AF289C5

    61 07 92 16
TAG 01 20 01 45
    a9 5a 5b b3 7f 52 a6 3a
TAG a9 ed 1d 51
FFFFFFFFFFFF

If you don't want to use the mfkey64,   you can also use the mfkey32  instead.

Offline

#13 2015-10-01 22:05:41

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

piwi wrote:

Can you please provide some more information? What did you do to find out that "they are wrong"? What kind of card is this which gives the same tag nonce (01 20 01 45) every time? Which version of PM3 software are you using?

Dear piw, this card is a Mifare Classic 1K
To find the key by the log, I'm using crapto gui.

For this sniff I didn't use the proxmark because there were many people around me, so, the sniffing, has been made by another hardware.

Before to give me your thoughts,  let me explain my test....
I had a Mifare Classic Key where Mfoc, Mfcuk and PM3 didn't recover the default keys.
I know only the first Key A: A0A1A2A3A4A5

I had also another TAG, for the same distributor, where mfoc worked fine, so my intention was write a 'magic card' with the known dump of the other TAG, change the UID on Block 0 with the unknown TAG, and sniff the communication.

The results should be some Auth with the request, from the Machine to my TAG,  containing the proper Key associated to the UID written on Block 0.

But, trying to find the key from the log, using crapto gui, all keys found are wrong for my TAG.

Offline

#14 2015-10-01 23:11:27

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

Magic generation 1,    hf mf mifare never works.

pm3 --> hf 14a re
 UID : 11 22 33 55
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....................

Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

Modern toy-token,  the PRNG is 32bits..

pm3 --> hf 14a re
 UID : 04 4D A1 A2 DF 2B 80
ATQA : 00 44
 SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...

Card is not vulnerable to Darkside attack (its random number generator is not predictable).

Offline

#15 2015-10-01 23:36:41

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Thanks Iceman for your clarification...
Then, if I understood,  I cannot use a magic card for the mifare sniffing.
My reason was to find a relationship between UID and sector Keys.
Anyway, could be good sniff the communication on the working TAG and analyse the log file...

Last edited by mariolino (2015-10-01 23:37:33)

Offline

#16 2015-10-01 23:40:48

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

Magic generation 1,    hf mf mifare never works.

pm3 --> hf 14a re
 UID : 11 22 33 55
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....................

Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

Modern toy-token,  the PRNG is 32bits..

pm3 --> hf 14a re
 UID : 04 4D A1 A2 DF 2B 80
ATQA : 00 44
 SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...

Card is not vulnerable to Darkside attack (its random number generator is not predictable).

For the second Tag NXP MIFARE Mini 0.3k ( but with 4bytes uid) Asper know the relationship between UID and keys smile

Offline

#17 2015-10-01 23:45:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

You can use the magic tag if it accepted on the reader,   just because its magic doesn't mean the reader likes it smile

I guess your setup is:    reader <-> pm3 sniff <-> magic tag with modified uid---

Reader has a key-gen algo to based on UID, 
and you want to gather enough data to figure out key-gen..

This works, I've done it,  but you need to be able to verify the collected keys from the magic tag..

I've been in a situation where I can let one pm3 sim and the other one sniff,  but the found keys was not always correct.
My guess is a modern mifare reader, uses the newer PRNG 32bits,    which known attacks doesn't work on.

Offline

#18 2015-10-01 23:49:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

If @asper would know the relation for that specific token, I would be suprised.  That was a D.I..  the keygen algo is still unknown, we havn't found a good way of collecting needed data.

Offline

#19 2015-10-02 00:07:57

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

If @asper would know the relation for that specific token, I would be suprised.  That was a D.I..  the keygen algo is still unknown, we havn't found a good way of collecting needed data.

@asper know the algo for the old mifare 0.3k... They are also called mizip smile

If you know the UID of one that specific tag but you didn't know the default keys,  we can try to use that algo if can be applied..

Last edited by mariolino (2015-10-02 00:25:27)

Offline

#20 2015-10-02 07:58:56

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

Sorry, the only Mifare mini 0.3kb tags I have has 7bytes uid.
You can always try the uid from the one I posted smile

Offline

#21 2015-10-02 08:17:45

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: cracking mifare keys

Sniffing and mfkey64 should work even with modern cards. But deriving a key diversification algorithm without or even with knowing the master key (which would be stored in a secure storage (SAM) inside the reader or on the host) is challenging at least.

But your approach wouldn't work anyway. You are producing a magic card with data (and sector keys) from one card and the UID from another card. With key diversification the keys depend on the UID, I.e. your magic card has wrong keys and cannot authenticate.

Offline

#22 2015-10-02 08:48:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

The idea is that the magic card has wrong keys,  and you sniff the reader to try authenticate it,   then you use the mfkey32 to find the key which the reader tried.  You update the magic tag with the found key,  and see next reader authentication and so forth.

Problem with tags with newer PRNG (32bits) is that the mfkey32 / mfkey64 can't rollback since the Pm3 implementation of the mifare PRNG is only 16bits..      So sometimes it works,  but you can't garantue it.   You'll need to do a  mfcheckkeys to validate it..

Then you need to original card to do that.

And yes,  solving those keygen-algos is doable but takes lots of work. An black-box approach.

Offline

#23 2015-10-02 09:12:44

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: cracking mifare keys

Sorry, I meant simulating, not sniffing. You need to be able to dictate the tag nonce, otherwise you would need to wait until a "good" one is generated by a tag. Might be a good idea to modify mfkey32 and mfkey64 to distinguish "good" and "bad" tag nonces.

Offline

#24 2015-10-02 11:03:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

in your implementation for checking distance,  it uses 16 bitspace.  The question is how the new PRNG works..  since it can't the old ones...   Have someone looked at it?

How do we distinguish between a "good" (breakable/old) and a "bad" (unbreakable/new) nonce ?   How do we identify the PRNG?

Offline

#25 2015-10-02 11:04:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

And yes,  in sim, that is the problem..     if you want to see that in action,  look at a Disney Infinity 2.0 toy.

Offline

#26 2015-10-02 11:17:02

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

Sorry, the only Mifare mini 0.3kb tags I have has 7bytes uid.
You can always try the uid from the one I posted smile


UID: 044da1a2


KEY A

a0a1a2a3a4a5
0D5FFB878DA8
AF3868959662
E63FE00D2844
3537168D40DD

KEY B

b4c132439eef
508E801E7983
D2459DB393E3
0BEF173BF70C
11B1236A8C5F

Offline

#27 2015-10-02 13:17:58

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: cracking mifare keys

Need to test a different mizip; i suspect keys will be the same and not uid-dependant.

Offline

#28 2015-10-02 20:55:44

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

@iceman could you confirm that the keys found for your TAG are wrong?

Offline

#29 2015-10-02 21:33:58

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

Magic generation 1,    hf mf mifare never works.

pm3 --> hf 14a re
 UID : 11 22 33 55
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....................

Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

Modern toy-token,  the PRNG is 32bits..

pm3 --> hf 14a re
 UID : 04 4D A1 A2 DF 2B 80
ATQA : 00 44
 SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
pm3 --> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...

Card is not vulnerable to Darkside attack (its random number generator is not predictable).

@iceman, according to the following table there is something wrong respect on your TAG:

[== Undefined ==]
Manufacturer	Product	ATQA	SAK	ATS (called ATR for contact smartcards)	UID length
NXP	MIFARE Mini	00 04	09		4 bytes
MIFARE Classic 1k	00 04	08		4 bytes
MIFARE Classic 4k	00 02	18		4 bytes
MIFARE Ultralight	00 44	00		7 byte
MIFARE DESFire	03 44	20	75 77 81 02 80	7 bytes
MIFARE DESFire EV1	03 44	20	75 77 81 02 80	7 bytes

Last edited by mariolino (2015-10-02 21:35:01)

Offline

#30 2015-10-02 22:10:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

If you are trying to say that the Mifare Mini identification is wrong because of ATQA 0x00 0x44 is not the same as in your list where it says 0x00 0x04?

The tag identication inside "Hf 14a reader" is based on the SAK value, which is 0x09 and that is the same as in your list.

Offline

#31 2015-10-02 22:15:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

I can safely say that those keys didn't work

This is no MIZIP keytag,  this is a Disney Infinity token... 

pm3 --> hf 14a re
 UID : 04 4D A1 A2 DF 2B 80
ATQA : 00 44
 SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO


pm3 --> hf mf rdsc 0 a a0a1a2a3a4a5
--sector no:0 key type:A key:A0 A1 A2 A3 A4 A5

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
pm3 --> hf mf rdsc 0 a a0a1a2a3a4a5
--sector no:0 key type:A key:A0 A1 A2 A3 A4 A5

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
pm3 --> hf mf rdsc 1 a 0D5FFB878DA8
--sector no:1 key type:A key:0D 5F FB 87 8D A8

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
pm3 --> hf mf rdsc 2 a AF3868959662
--sector no:2 key type:A key:AF 38 68 95 96 62

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
pm3 --> hf mf rdsc 0 b b4c132439eef
--sector no:0 key type:B key:B4 C1 32 43 9E EF

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00
pm3 --> hf mf rdsc 1 b 508E801E7983
--sector no:1 key type:B key:50 8E 80 1E 79 83

#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ SECTOR FINISHED
isOk:00

Offline

#32 2015-10-02 22:17:21

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

The SAK value is the same, 9.
Did you verify if the keys above are correct or wrong?

smile ok..., they are different

Last edited by mariolino (2015-10-02 22:18:42)

Offline

#33 2015-10-02 22:34:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

If you read the document http://www.nxp.com/documents/applicatio … N10833.pdf

Page 9,   Mifare Mini ATQA  0x00 0xn4,  SAK 0x09. The 'n' hints its a 7byte uid or not

Mifare Mini with 7byte UID  0x00 0x44
Mifare Mini with 4byte UID  0x00 0x04

The identification is correct.

Offline

#34 2015-10-02 22:40:03

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

Looking your post below
http://www.proxmark.org/forum/viewtopic.php?id=2413
you don't need a solution for this kind of token.
You already found a solution to get the key

Last edited by mariolino (2015-10-02 22:41:14)

Offline

#35 2015-10-02 22:53:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

Sniffing the key when using the portal is not optimal.
The Pm3 provides with such solution. 

Figuring out the keygen-algo is funnier.

Offline

#36 2015-10-02 23:07:47

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

I'm agreed with you... The second solution is better.
I'll try to find more info on that TAG

I have the same problem with the sniffed TAG on my first post.
I cannot recover the default keys, but in this case i have the dumps of others where the keys have been got.

The first approach was to compare the UIDs and Keys found in order to find the relation but without success.

I can also tell you that on this tag there is a fixed relation between the keys on each sector.

It means the following :
The first Key A on sector 0 is always A0A1A2A3A4A5

Starting from the sector 1
Key A sector 1 -- XOR -- Key A sector 2
The result is the same for all TAGs with different UID.

Then I also need to understand how to find the first Key A sector 1 starting from the UID and Algo tongue

Offline

#37 2015-10-03 07:52:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

try xor:ing all keys  1-2-3-4-5 with eachother and see if the resulting value has any connections with the key 0 or UID ..

The a0a1a2a3a4a5 key is a default key, and if you read some NXP docs it has a "best practice" of keeping one key default.
Luckily that practice opens up for the nested attack...

Offline

#38 2015-10-03 10:23:35

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

try xor:ing all keys  1-2-3-4-5 with eachother and see if the resulting value has any connections with the key 0 or UID ..

The a0a1a2a3a4a5 key is a default key, and if you read some NXP docs it has a "best practice" of keeping one key default.
Luckily that practice opens up for the nested attack...

Already done but nothing seems to be correlated...
I'll try again after

Offline

#39 2015-10-21 14:13:35

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

piwi wrote:

Can you please provide some more information? What did you do to find out that "they are wrong"? What kind of card is this which gives the same tag nonce (01 20 01 45) every time? Which version of PM3 software are you using?

#piwi you can find below a new sniff log for the other card used on the same machine. On the example has been used not a magic key but the original mifare classik 1k:

[== Undefined ==]
U0f 04 00 
    93 20 
U0f 64 fb 4a de 0b 
    93 70 64 fb 4a de 0b f5 ec 
U0f 00 a4 dd 
    61 03 b6 50 
U0f bf 03 3a 13 
    6c 3e 9e 7b ff 26 59 bb 
U0f 00 01 e0 e4 
    e0 fc a1 86 
U0f 82 d4 71 92 90 99 e9 d5 11 f8 c1 c7 16 12 06 8a ec b4 
    6d de 60 48 
U0f 81 60 cf 23 
    4a a9 89 87 62 13 3a 57 
U0f 0c b0 f4 d3 
    3a 7c ea ee 
U0f 59 d7 34 73 f1 71 c2 f2 93 cd db 8e 60 7f 67 eb 4a b2 
    06 83 0f 6c 
U0f 20 00 80 03 80 39 32 78 00 1c 40 08 18 72 00 44 e0 38 
    16 49 ea 5b 
U0f 00 3c 00 64 c2 e0 42 98 62 c9 9b e4 37 56 28 6b 51 c8 
    28 c7 ee 4e 
U0f b6 3e a6 79 
    c0 92 ae ff 67 a2 a9 9f 
U0f 83 40 30 8e 
    af ea 2f d4 
U0f 65 65 99 37 f9 70 09 21 6b 20 ee 77 4c 8c f9 59 5c 12 
    0a db 9e 7c 
U0f 1c 81 8c 20 
    05 5a 1e 58 b2 19 b2 8c 
U0f 13 7f f9 33 
    80 67 2d d7 
U0f 63 01 47 ac 92 0f bb 91 fc 08 20 c4 6d 53 df b0 a0 72 
    ad 61 e9 02 
U0f 08 20 1e 20 0e 1e 08 12 c8 e0 00 10 06 00 00 13 07 03 
    9c 84 0a a4 
U0f 9f 04 60 71 ea 7d 6d 44 c2 fb e7 1e 85 53 de 2f 29 3f 
    97 4d 1c 2a 
U0f 00 79 40 c0 
    18 ef 6d fe 2c aa 85 8c 
U0f 01 92 48 c0 
    a3 cc 2c 8d 
U0f f9 e0 70 c0 08 9e 7e 10 00 00 08 40 1c 18 e0 08 0e 80 
    70 be dc 94 
U0f de 20 b9 fb 
    b3 c5 7a 68 fd 6d 50 7f 
U0f 03 0e 27 26 
    d1 41 7a a2 
U0f c8 1c 00 24 03 00 61 03 00 b7 7a 24 b1 9b 11 8c 23 be 
    27 16 a3 82 
U0f bb ed f6 d2 f4 0c bf ac be 6d f4 bf 37 8a 92 a1 6e 11 
    5c 4c 15 d7 
U0f 18 00 00 e2 88 08 64 84 00 0e 00 06 00 24 08 00 1c 78 

I want also report the keys info about this tag:

[== Undefined ==]
uid:64fb4ade

|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  a0a1a2a3a4a5  | 1 |  a5a7d679999c  | 1 |          
|001|  b46eccb77483  | 1 |  000000000000  | 0 |          
|002|  b7eba82d314d  | 0 |  a795c96aea2c  | 1 |          
|003|  b6b978acab04  | 1 |  a6e364afa949  | 1 |          
|004|  000000000000  | 0 |  a1a4df1832f2  | 1 |          
|005|  b0ac517bf3e4  | 1 |  a01cbc0beb2e  | 1 |          
|006|  b3d746bb3567  | 1 |  a3cc31bfff43  | 1 |          
|007|  b27ac56ee6f3  | 1 |  000000000000  | 0 |          
|008|  000000000000  | 0 |  adf24507b661  | 1 |          
|009|  bc8c255e9286  | 1 |  ac14e0d3691d  | 1 |          
|010|  000000000000  | 0 |  000000000000  | 0 |          
|011|  befa3154d74d  | 1 |  aecbc66492af  | 1 |          
|012|  b9824c5455a5  | 1 |  a9faa36bf0b7  | 1 |          
|013|  b88147799234  | 1 |  a805ba87cff9  | 1 |          
|014|  bb631df35a1a  | 1 |  abcac69b6619  | 1 |          
|015|  ba519b1871c8  | 1 |  aa64a8a163c0

I used the following data to generate the Key but it seems to be wrong....

UID                     64 fb 4a de
tag challenge       bf 03 3a 13
reader challenge   6c 3e 9e 7b
reader response    ff 26 59 bb
tag response        00 01 e0 e4

KEY     6C97E2C4E531

"wrong" means not good for Auth....

Offline

#40 2015-10-21 14:30:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

Your keyA and keyB has some correlations 
look at the first byte of each...

|012|  b9 824c5455a5  | 1 |  a9 faa36bf0b7  | 1 |          
|013|  b8 8147799234  | 1 |  a8 05ba87cff9  | 1 |          
|014|  bb 631df35a1a  | 1 |  ab cac69b6619  | 1 |

And the output of nested has a lot of errors,  ,  try re-run it until they are gone.

Last edited by iceman (2015-10-21 14:31:50)

Offline

#41 2015-10-21 15:13:26

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

The relation between the Keys is the following:

[== Undefined ==]
XOR between KEY A1 and Key A2 385649A45CE
XOR between KEY A1 and Key A3 2D7B41BDF87
... end so on

55813702C25
4C29DCC8767
7B98A0C41E4
61409D99270
9077890939F
8E2E9E9E605
BAAC5FA2AA8
A94FDE3A3CE
DEC80E32126
CEF8BCEE6B7
F0DD1442E99
E3F57AF054B

XOR between KEY A1 and Key B0  11C91ACEED1F
.
.
.and so on

11C91ACEED1F
107B94225924
13FB05DD9EAF
128DA818DDCA
15CA13AF4671
147270BC9FAD
17A2FD088BC0
16BD12C4CD62
199C89B0C2E2
187A2C641D9E
1BFFA804AA66
1AA50AD3E62C
1D946FDC8434
1C6B7630BB7A
1FA40A2C129A
1E0A64161743

Using this correlation is easy to find the missing keys :

|004|  B136DFC758A6
|008|  BD69B427E71C
|010|  BC8C255E9286

|001|  A41558952DA7  Key B
|007|  A2D3DE73B9E1  Key B
|010|  AF9164B3DEE5  Key B

The first problem now is how to find the relation between the first Key A1 generated starting from the UID.
Second issue is.... why the sniff log is wrong??

In order to study the algo, if you have an email, I can share with you the Keys A and B of 11 Mifare 1K cards opened with proxmark.

Last edited by mariolino (2015-10-21 16:06:33)

Offline

#42 2015-10-21 17:12:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

When I read this thread its easy to be confused.

but lets recap.

1) your tag is MIZIP ?  Mifare Mini?   http://www.methack.it/forum/archive/ind … 932-7.html
--> Comestero Worldkey ?

--> it could be a newer version where the PRNG is fixed,  thats whay the "sniff log" mfkey is wrong.

-----

Offline

#43 2015-10-21 17:17:34

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

iceman wrote:

When I read this thread its easy to be confused.

but lets recap.

1) your tag is MIZIP ?  Mifare Mini?   http://www.methack.it/forum/archive/ind … 932-7.html
--> Comestero Worldkey ?

--> it could be a newer version where the PRNG is fixed,  thats whay the "sniff log" mfkey is wrong.

-----

tongue. For the mizip I already know the algo.... That keys are WorldKey.
If you are interested i can share by email the mentioned data

Offline

#44 2015-10-21 17:54:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

sure, you can send it to me.  You'll find my email is all over this forum.

Offline

#45 2015-10-21 18:30:51

mariolino
Contributor
Registered: 2014-04-27
Posts: 47

Re: cracking mifare keys

ok....done

Offline

#46 2015-10-21 18:49:00

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

Got it.

Offline

#47 2015-10-28 17:02:41

y0no
Member
Registered: 2015-10-28
Posts: 5

Re: cracking mifare keys

Hello,
I'm new here. I try to read data from my mifare mini 0.3k. I have read some forum concerning this type of key.
I have found the A and B keys from sector 0, but I don't find the other sectors keys. It seems that keys are linked to the uid (in my case 6678828d), but I don't find the algorithm used to do it.

Could you help me please ?  roll

Offline

#48 2015-10-28 19:15:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

Since you are new, I suggest that you read the Proxmark3 wiki to begin with. Then start reading up on the specific rfidtag you are trying to focus on.

Offline

#49 2015-10-28 19:26:04

y0no
Member
Registered: 2015-10-28
Posts: 5

Re: cracking mifare keys

I already read this page https://github.com/Proxmark/proxmark3/wiki/Mifare%20Tag%20Ops and this one https://github.com/Proxmark/proxmark3/wiki/Mifare%20HowTo.

But I don't find any informations concerning the possible algorithm used to generate keys on Mizip (seems to be another name of mifare 0.3k) from uid.

Offline

#50 2015-10-28 19:30:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: cracking mifare keys

then the question is,  did you understand what you read?

How do you find keys to a Mifare mini tag...   What options do you have... Given the fact you already have sector 0 keys...

Offline

Board footer

Powered by FluxBB