Mifare Plus Atack

my_fair_cats_sick · 2016-03-24 22:29:12

OK thank you - have tried asking twice with no response. Not sure if its only given out to forum admins or those with major contributions to the project already. I was in a training session at TROOPERS which we talked about this a bit and I was interested to try it out. @blapost if you can share I would like to try this out as well.

my_fair_cats_sick · 2016-03-24 23:00:14

my_fair_cats_sick wrote:

OK thank you - have tried asking twice with no response. Not sure if its only given out to forum admins or those with major contributions to the project already. I was in a training session which we talked about this a bit and I was interested to try it out. @blapost if you can share I would like to try this out as well.

LaserByte · 2016-04-12 16:02:19

Hello
I have finally compiled piwi repository.
but I can not run the hardnested.
I have this

proxmark3> read hf 14th
ATQA: 00 44 UID: April 96 f1 af 0a 48 80 SAK: 08 [2]
MANUFACTURER: NXP Semiconductors Germany
TYPE: NXP Mifare Classic 1k | 2k Plus SL1
proprietary non ISO14443-4 card found, not supported RATS
Answers to chinese magic backdoor commands: NO

you may find a key B on this card with the repository piwi ??
do not run this command..

please helpme

iceman · 2016-04-12 16:16:36

your pasted text look scrambled.

LaserByte · 2016-04-12 16:36:24

sorry for my English
I have compiled the repository piwi, but still can not get hardnested run the command.
on this card

ATQA: 00 44 UID: April 96 f1 af 0a 48 80 SAK: 08 [2]
MANUFACTURER: NXP Semiconductors Germany
TYPE: NXP Mifare Classic 1k | 2k Plus SL1
proprietary non ISO14443-4 card found, not supported RATS
Answers to chinese magic backdoor commands: NO

I wonder if this card is a NXP Mifare Classic 1k | 2k Plus SL1
it is possible to obtain a key b

iceman · 2016-04-12 18:10:08

No, your pasted atqa info, looks scrambled. Don't translate it.

LaserByte · 2016-04-12 18:22:11

sorry

ATQA : 00 44
UID : 04 96 f1 0a af 48 80
SAK : 08 [2]
MANUFACTURER : NXP Semiconductors Germany
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

iceman · 2016-04-12 18:41:15

the easy questions first; Are you running the latest version from GitHub?

[edit] ok, piwi's hardnested. You need to flash firmware and run the same client as you compiled.

osys · 2016-04-18 19:07:59

LaserByte, don't forget to implement bruteforce in advance

ProxDesease · 2016-05-05 19:27:17

iceman wrote:

the easy questions first; Are you running the latest version from GitHub?
[edit] ok, piwi's hardnested. You need to flash firmware and run the same client as you compiled.

I've noticed youve implemented piwi's code, I've compiled the latest master branch, but cant use that function hf mf hardnested function or hf mf hard or hf mf parity.

Should I still use the code form piwi's repo?

osys · 2016-05-05 19:29:28

Check iceman's branch which is confirmed to be working.

ProxDesease · 2016-05-05 19:42:44

osys wrote:

Check iceman's branch which is confirmed to be working.

Do you mean this one? https://github.com/iceman1001/proxmark3/branches
Im getting this when trying to compile:
In file included from nonce2key/crypto1_bs.c:25:
nonce2key/crypto1_bs.h:25: error: alignment of array elements is greater than element size
make[1]: *** [obj/nonce2key/crypto1_bs.o] Error 1
make[1]: Leaving directory `/pm3/client'
make: *** [client/all] Error 2

iceman · 2016-05-05 19:45:12

As stated before, always compile / flash and use same client from the fork you want to test.

side note, I've never seen a "hf mf parity" command before in the client.

iceman · 2016-05-05 19:46:51

That error tells me you are using an older GCC compiler. Most likely 4.4 from the proxspace mingw-environment.

Use a linux distro or the docker container, GCC4.8.4 and above works.

my_fair_cats_sick · 2016-05-05 21:33:57

Is mifare plus SL1 the only card type that has hardened the PRNG or are others hardened as well just under a different marketing name? Looking to get my hands on one to test with and want to make sure I buy/find the right thing.

Are there any resources (legal and honest....) that you can buy used/old cards from with a known type?

Is there any good way to tell if the card I am testing is a Mifare Plus or at least has a hardened prng? Other than the fact darkside attack just doesn't work? Is the hardnested attack

Seems like when I do the simple read of the card for info, it gives 4 different answers as to what it MAY be.

my_fair_cats_sick · 2016-05-06 01:11:07

I tried darkside to see if the card was vulnerable, and it never returned anything - just kept going and going like 3 hours....any ideas?

pm3 --> hf mf mifare
-------------------------------------------------------------------------
Executing darkside attack. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

A standard 1k card that comes with the Proxmark kit comes back in like 20 seconds for me with:
pm3 --> hf mf mifare
-------------------------------------------------------------------------
Executing darkside attack. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..
Card isn't vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
generating polynomial with 16 effective bits only, but shows unexpected behaviour.

ProxDesease · 2016-05-06 03:24:12

Thanks a lot guys for your help!!! Just compiled it under Kali.

One question is, why it doesnt work with JCOP41 in Mifare Classic emulation?

iceman · 2016-05-06 06:52:00

@my_fair_cats_sick, if you did hear a loud click sound, then you have stumbled into the "hf mf mifare" bug. There is threads about it here, even a issue on github.

Your last entry shows that the card could be a chinese clone

roman921 · 2016-05-06 10:20:17

I try with jcop41 with emulation classuc 1k, but get error: root@kali:~/crypto1_bs# ./libnfc_crypto1_crack a0a1a2a3a4a5 5 B 0 B
Error while requesting plain tag-nonce Some other error occurred.
Found tag with uid 671234d1, collecting nonces for key B of block 0 using known key B a0a1a2a3a4a5 for block 5
Don't move the tag! Can you advice how fix this bag ?

iceman · 2016-05-06 10:41:13

open a issue on github, in the crypto_bs project? Its really not a proxmark3 problem.

my_fair_cats_sick · 2016-05-06 13:33:20

Are chinese clones usable for testing with or do they have basically "undefined" characteristics because they are not necessarily conforming to standards and there could be 10000000 different varieties?

I guess this strays from the original topic and I'll ask it elsewhere as well.

iceman · 2016-05-06 16:07:30

Don't know of any chinese clones, like fudan, to use the newer hardend prng. You don't know untill you can test the tags with your pm3...

Sergey Hartmann · 2016-07-02 23:50:42

Hi!

I used hardnested. That's what I got:

--target block no:  0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0           
Allocating memory for partial statelists...
Generating partial statelists...
Generating bitflip statelist...
Reading nonces from file nonces.bin...          
Read 18144 nonces from file. cuid=923f3380, Block=16, Keytype=B          
Checking for Filter Flip Properties...

Tests: Actual BitFlipProperties odd/even:
[00]:   [01]:   [02]:   [03]:   [04]:   [05]:   [06]:   [07]:   
[08]:   [09]:   [0a]:   [0b]:   [0c]:   [0d]:   [0e]:   [0f]:   
[10]:   [11]:   [12]:   [13]:   [14]:   [15]:   [16]:   [17]:   
[18]:   [19]:   [1a]:   [1b]:   [1c]:   [1d]:   [1e]:   [1f]:   
[20]:   [21]:   [22]:   [23]:   [24]:   [25]:   [26]:   [27]:   
[28]:   [29]:   [2a]:   [2b]:   [2c]:   [2d]:   [2e]:   [2f]:   
[30]:   [31]:   [32]:   [33]:   [34]:   [35]:   [36]:   [37]:   
[38]:   [39]:   [3a]:   [3b]:   [3c]:   [3d]:   [3e]:   [3f]:   
[40]:   [41]:   [42]:   [43]:   [44]:   [45]:   [46]:   [47]:   
[48]:   [49]:   [4a]:   [4b]:   [4c]:   [4d]:   [4e]:   [4f]:   
[50]:   [51]:   [52]:   [53]:   [54]:   [55]:   [56]:   [57]:   
[58]:   [59]:   [5a]:   [5b]:   [5c]:   [5d]:   [5e]:   [5f]:   
[60]:   [61]:   [62]:   [63]:   [64]:   [65]:   [66]:   [67]:   
[68]:   [69]:   [6a]:   [6b]:   [6c]:   [6d]:   [6e]:   [6f]:   
[70]:   [71]:   [72]:   [73]:   [74]:   [75]:   [76]:   [77]:   
[78]:   [79]:   [7a]:   [7b]:   [7c]:   [7d]:   [7e]:   [7f]:   
[80]:   [81]:   [82]:   [83]:   [84]:   [85]:   [86]:   [87]:   
[88]:   [89]:   [8a]:   [8b]:   [8c]:   [8d]:   [8e]:   [8f]:   
[90]:   [91]:   [92]:   [93]:   [94]:   [95]:   [96]:   [97]:   
[98]:   [99]:   [9a]:   [9b]:   [9c]:   [9d]:   [9e]:   [9f]:   
[a0]:   [a1]:   [a2]:   [a3]:   [a4]:   [a5]:   [a6]:   [a7]:   
[a8]:   [a9]:   [aa]:   [ab]:   [ac]:   [ad]:   [ae]:   [af]:   
[b0]:   [b1]:   [b2]:   [b3]:   [b4]:   [b5]:   [b6]:   [b7]:   
[b8]:   [b9]:   [ba]:   [bb]:   [bc]:   [bd]:   [be]:   [bf]:   
[c0]:   [c1]:   [c2]:   [c3]:   [c4]:   [c5]:   [c6]:   [c7]:   
[c8]:   [c9]:   [ca]:   [cb]:   [cc]:   [cd]:   [ce]:   [cf]:   
[d0]:   [d1]:   [d2]:   [d3]:   [d4]:   [d5]:   [d6]:   [d7]:   
[d8]:   [d9]:   [da]:   [db]:   [dc]:   [dd]:   [de]:   [df]:   
[e0]:   [e1]:   [e2]:   [e3]:   [e4]:   [e5]:   [e6]:   [e7]:   
[e8]:   [e9]:   [ea]:   [eb]:   [ec]:   [ed]:   [ee]:   [ef]:   
[f0]:   [f1]:   [f2]:   [f3]:   [f4]:   [f5]:   [f6]:   [f7]:   
[f8]:   [f9]:   [fa]:   [fb]:   [fc]:   [fd]:   [fe]:   [ff]:   

Tests: Sorted First Bytes:
#000 Byte: 28, n =  81, k =  11, Sum(a8):  32, Confidence:  95.0%, Bitflip:  
#001 Byte: a1, n =  69, k =   0, Sum(a8):   0, Confidence: 100.0%, Bitflip:  
#002 Byte: 25, n =  68, k =  68, Sum(a8): 256, Confidence: 100.0%, Bitflip:  
#003 Byte: 96, n =  63, k =   0, Sum(a8):   0, Confidence: 100.0%, Bitflip:  
#004 Byte: 94, n =  63, k =   0, Sum(a8):   0, Confidence: 100.0%, Bitflip:  
#005 Byte: c4, n =  62, k =   0, Sum(a8):   0, Confidence: 100.0%, Bitflip:  
#006 Byte: 58, n =  62, k =   0, Sum(a8):   0, Confidence: 100.0%, Bitflip:  
#007 Byte: 48, n =  61, k =  61, Sum(a8): 256, Confidence: 100.0%, Bitflip:  
#008 Byte: eb, n =  60, k =  60, Sum(a8): 256, Confidence: 100.0%, Bitflip:  
#009 Byte: 0a, n =  60, k =   0, Sum(a8):   0, Confidence: 100.0%, Bitflip:  
#010 Byte: 08, n =  60, k =  60, Sum(a8): 256, Confidence: 100.0%, Bitflip:  
#011 Byte: c6, n =  59, k =  59, Sum(a8): 256, Confidence: 100.0%, Bitflip:  
#012 Byte: 5a, n =  59, k =   0, Sum(a8):   0, Confidence: 100.0%, Bitflip:  
#013 Byte: 1a, n =  56, k =  56, Sum(a8): 256, Confidence: 100.0%, Bitflip:  
#014 Byte: 86, n =  55, k =  55, Sum(a8): 256, Confidence: 100.0%, Bitflip:  
#015 Byte: d4, n =  49, k =  49, Sum(a8): 256, Confidence: 100.0%, Bitflip:  
#016 Byte: 78, n =  69, k =  65, Sum(a8): 224, Confidence:  99.9%, Bitflip:  
#017 Byte: 0c, n =  66, k =  62, Sum(a8): 224, Confidence:  99.9%, Bitflip:  
#018 Byte: 83, n =  69, k =   5, Sum(a8):  32, Confidence:  99.9%, Bitflip:  
#019 Byte: 60, n =  82, k =  73, Sum(a8): 224, Confidence:  99.5%, Bitflip:  
#020 Byte: 72, n =  57, k =   4, Sum(a8):  32, Confidence:  99.3%, Bitflip:  
#021 Byte: c0, n =  70, k =   7, Sum(a8):  32, Confidence:  99.2%, Bitflip:  
#022 Byte: f4, n =  64, k =   6, Sum(a8):  32, Confidence:  98.9%, Bitflip:  
#023 Byte: fe, n =  57, k =  52, Sum(a8): 224, Confidence:  98.3%, Bitflip:  
#024 Byte: 62, n =  57, k =  52, Sum(a8): 224, Confidence:  98.3%, Bitflip:  
#025 Byte: 4d, n =  81, k =  71, Sum(a8): 224, Confidence:  98.3%, Bitflip:  
#026 Byte: c9, n =  63, k =   7, Sum(a8):  32, Confidence:  96.5%, Bitflip:  
#027 Byte: 23, n =  63, k =   7, Sum(a8):  32, Confidence:  96.5%, Bitflip:  
#028 Byte: a7, n =  58, k =  52, Sum(a8): 224, Confidence:  96.4%, Bitflip:  
#029 Byte: ac, n =  57, k =   6, Sum(a8):  32, Confidence:  95.7%, Bitflip:  
#030 Byte: 6f, n =  72, k =   0, Sum(a8):   0, Confidence: 100.0%, Bitflip:  
#031 Byte: 81, n =  56, k =  50, Sum(a8): 224, Confidence:  94.7%, Bitflip:  
#032 Byte: 1c, n =  70, k =   9, Sum(a8):  32, Confidence:  93.8%, Bitflip:  
#033 Byte: ef, n =  73, k =  16, Sum(a8):  64, Confidence:  93.8%, Bitflip:  
#034 Byte: 07, n =  59, k =  52, Sum(a8): 224, Confidence:  92.4%, Bitflip:  
#035 Byte: 06, n =  66, k =  52, Sum(a8): 192, Confidence:  91.7%, Bitflip:  
#036 Byte: d8, n =  65, k =  51, Sum(a8): 192, Confidence:  91.5%, Bitflip:  
#037 Byte: 68, n =  63, k =   8, Sum(a8):  32, Confidence:  90.9%, Bitflip:  
#038 Byte: 80, n =  73, k =  10, Sum(a8):  32, Confidence:  90.8%, Bitflip:  
#039 Byte: 8b, n =  80, k =  60, Sum(a8): 192, Confidence:  90.1%, Bitflip:  
#040 Byte: a0, n =  63, k =  50, Sum(a8): 192, Confidence:  90.0%, Bitflip:  
#041 Byte: 65, n =  68, k =  52, Sum(a8): 192, Confidence:  90.0%, Bitflip:  
#042 Byte: 0f, n =  61, k =  13, Sum(a8):  64, Confidence:  89.9%, Bitflip:  
#043 Byte: c8, n =  65, k =  15, Sum(a8):  64, Confidence:  89.7%, Bitflip:  
#044 Byte: 4e, n =  52, k =   6, Sum(a8):  32, Confidence:  89.1%, Bitflip:  
#045 Byte: fc, n =  57, k =   7, Sum(a8):  32, Confidence:  89.1%, Bitflip:  
#046 Byte: b4, n =  57, k =  50, Sum(a8): 224, Confidence:  89.1%, Bitflip:  
#047 Byte: 8a, n =  58, k =  12, Sum(a8):  64, Confidence:  88.1%, Bitflip:  
#048 Byte: d9, n =  61, k =  14, Sum(a8):  64, Confidence:  88.0%, Bitflip:  
#049 Byte: 92, n =  56, k =  49, Sum(a8): 224, Confidence:  87.0%, Bitflip:  
#050 Byte: 69, n =  61, k =  53, Sum(a8): 224, Confidence:  86.9%, Bitflip:  
#051 Byte: e6, n =  69, k =  52, Sum(a8): 192, Confidence:  86.6%, Bitflip:  
#052 Byte: a6, n =  66, k =  50, Sum(a8): 192, Confidence:  86.6%, Bitflip:  
#053 Byte: f6, n =  63, k =  15, Sum(a8):  64, Confidence:  86.5%, Bitflip:  
#054 Byte: 46, n =  55, k =  43, Sum(a8): 192, Confidence:  86.5%, Bitflip:  
#055 Byte: a5, n =  54, k =  11, Sum(a8):  64, Confidence:  85.6%, Bitflip:  
#056 Byte: ee, n =  68, k =  13, Sum(a8):  64, Confidence:  85.3%, Bitflip:  
#057 Byte: 20, n =  60, k =  52, Sum(a8): 224, Confidence:  84.4%, Bitflip:  
#058 Byte: ad, n =  59, k =  14, Sum(a8):  64, Confidence:  84.2%, Bitflip:  
#059 Byte: 05, n =  75, k =  11, Sum(a8):  32, Confidence:  83.5%, Bitflip:  
#060 Byte: 7a, n =  58, k =  44, Sum(a8): 192, Confidence:  81.7%, Bitflip:  
#061 Byte: 16, n =  64, k =  16, Sum(a8):  64, Confidence:  81.7%, Bitflip:  
#062 Byte: e4, n =  59, k =  51, Sum(a8): 224, Confidence:  81.5%, Bitflip:  
#063 Byte: 30, n =  52, k =  12, Sum(a8):  64, Confidence:  81.1%, Bitflip:  
#064 Byte: 5c, n =  65, k =  53, Sum(a8): 192, Confidence:  79.4%, Bitflip:  
#065 Byte: 6b, n =  46, k =  37, Sum(a8): 192, Confidence:  79.2%, Bitflip:  
#066 Byte: da, n =  57, k =  14, Sum(a8):  64, Confidence:  78.7%, Bitflip:  
#067 Byte: 17, n =  57, k =  43, Sum(a8): 192, Confidence:  78.7%, Bitflip:  
#068 Byte: d2, n =  71, k =  13, Sum(a8):  64, Confidence:  78.2%, Bitflip:  
#069 Byte: 0e, n =  66, k =  12, Sum(a8):  64, Confidence:  76.5%, Bitflip:  
#070 Byte: 91, n =  62, k =  46, Sum(a8): 192, Confidence:  74.8%, Bitflip:  
#071 Byte: 2f, n =  61, k =  50, Sum(a8): 192, Confidence:  74.7%, Bitflip:  
#072 Byte: 4b, n =  80, k =  40, Sum(a8): 128, Confidence:  74.6%, Bitflip:  
#073 Byte: 7f, n =  65, k =  17, Sum(a8):  64, Confidence:  74.6%, Bitflip:  
#074 Byte: 44, n =  65, k =  48, Sum(a8): 192, Confidence:  74.6%, Bitflip:  
#075 Byte: 74, n =  71, k =  24, Sum(a8):  96, Confidence:  73.9%, Bitflip:  
#076 Byte: b2, n =  73, k =  24, Sum(a8):  96, Confidence:  73.6%, Bitflip:  
#077 Byte: 35, n =  70, k =  23, Sum(a8):  96, Confidence:  72.1%, Bitflip:  
#078 Byte: df, n =  68, k =  34, Sum(a8): 128, Confidence:  72.1%, Bitflip:  
#079 Byte: 9e, n =  69, k =  35, Sum(a8): 128, Confidence:  72.1%, Bitflip:  
#080 Byte: 5f, n =  69, k =  35, Sum(a8): 128, Confidence:  72.1%, Bitflip:  
#081 Byte: f0, n =  66, k =  33, Sum(a8): 128, Confidence:  71.6%, Bitflip:  
#082 Byte: bb, n =  66, k =  33, Sum(a8): 128, Confidence:  71.6%, Bitflip:  
#083 Byte: 4f, n =  69, k =  45, Sum(a8): 160, Confidence:  71.3%, Bitflip:  
#084 Byte: 15, n =  69, k =  45, Sum(a8): 160, Confidence:  71.3%, Bitflip:  
#085 Byte: 36, n =  73, k =  35, Sum(a8): 128, Confidence:  71.2%, Bitflip:  
#086 Byte: 73, n =  64, k =  32, Sum(a8): 128, Confidence:  71.2%, Bitflip:  
#087 Byte: 3d, n =  64, k =  32, Sum(a8): 128, Confidence:  71.2%, Bitflip:  
#088 Byte: 21, n =  58, k =  43, Sum(a8): 192, Confidence:  71.0%, Bitflip:  
#089 Byte: 5e, n =  56, k =  48, Sum(a8): 224, Confidence:  70.7%, Bitflip:  
#090 Byte: 38, n =  62, k =  31, Sum(a8): 128, Confidence:  70.7%, Bitflip:  
#091 Byte: 6d, n =  67, k =  45, Sum(a8): 160, Confidence:  70.5%, Bitflip:  
#092 Byte: f7, n =  64, k =  31, Sum(a8): 128, Confidence:  70.3%, Bitflip:  
#093 Byte: a4, n =  64, k =  31, Sum(a8): 128, Confidence:  70.3%, Bitflip:  
#094 Byte: 82, n =  64, k =  33, Sum(a8): 128, Confidence:  70.3%, Bitflip:  
#095 Byte: ca, n =  60, k =  30, Sum(a8): 128, Confidence:  70.2%, Bitflip:  
#096 Byte: 42, n =  65, k =  43, Sum(a8): 160, Confidence:  69.9%, Bitflip:  
#097 Byte: 34, n =  65, k =  43, Sum(a8): 160, Confidence:  69.9%, Bitflip:  
#098 Byte: b9, n =  67, k =  32, Sum(a8): 128, Confidence:  69.8%, Bitflip:  
#099 Byte: 2d, n =  67, k =  32, Sum(a8): 128, Confidence:  69.8%, Bitflip:  
#100 Byte: 90, n =  57, k =  47, Sum(a8): 192, Confidence:  69.5%, Bitflip:  
#101 Byte: 75, n =  72, k =  38, Sum(a8): 128, Confidence:  69.5%, Bitflip:  
#102 Byte: 8f, n =  65, k =  34, Sum(a8): 128, Confidence:  69.3%, Bitflip:  
#103 Byte: 53, n =  79, k =  42, Sum(a8): 128, Confidence:  69.3%, Bitflip:  
#104 Byte: 51, n =  60, k =  31, Sum(a8): 128, Confidence:  69.3%, Bitflip:  
#105 Byte: 04, n =  60, k =  29, Sum(a8): 128, Confidence:  69.3%, Bitflip:  
#106 Byte: 99, n =  57, k =  28, Sum(a8): 128, Confidence:  69.2%, Bitflip:  
#107 Byte: 84, n =  56, k =  28, Sum(a8): 128, Confidence:  69.2%, Bitflip:  
#108 Byte: 8e, n =  68, k =  24, Sum(a8):  96, Confidence:  69.0%, Bitflip:  
#109 Byte: cd, n =  66, k =  43, Sum(a8): 160, Confidence:  68.9%, Bitflip:  
#110 Byte: e9, n =  70, k =  25, Sum(a8):  96, Confidence:  68.9%, Bitflip:  
#111 Byte: dd, n =  58, k =  28, Sum(a8): 128, Confidence:  68.7%, Bitflip:  
#112 Byte: ab, n =  79, k =  54, Sum(a8): 160, Confidence:  68.7%, Bitflip:  
#113 Byte: 03, n =  64, k =  43, Sum(a8): 160, Confidence:  68.7%, Bitflip:  
#114 Byte: e0, n =  63, k =  42, Sum(a8): 160, Confidence:  68.6%, Bitflip:  
#115 Byte: f3, n =  61, k =  32, Sum(a8): 128, Confidence:  68.3%, Bitflip:  
#116 Byte: be, n =  75, k =  35, Sum(a8): 128, Confidence:  68.2%, Bitflip:  
#117 Byte: ec, n =  56, k =  27, Sum(a8): 128, Confidence:  68.2%, Bitflip:  
#118 Byte: ba, n =  52, k =  26, Sum(a8): 128, Confidence:  68.2%, Bitflip:  
#119 Byte: 26, n =  66, k =  31, Sum(a8): 128, Confidence:  67.9%, Bitflip:  
#120 Byte: bd, n =  59, k =  31, Sum(a8): 128, Confidence:  67.7%, Bitflip:  
#121 Byte: 3b, n =  54, k =  26, Sum(a8): 128, Confidence:  67.7%, Bitflip:  
#122 Byte: 57, n =  51, k =  26, Sum(a8): 128, Confidence:  67.6%, Bitflip:  
#123 Byte: aa, n =  64, k =  30, Sum(a8): 128, Confidence:  67.4%, Bitflip:  
#124 Byte: 9f, n =  64, k =  30, Sum(a8): 128, Confidence:  67.4%, Bitflip:  
#125 Byte: 1b, n =  64, k =  30, Sum(a8): 128, Confidence:  67.4%, Bitflip:  
#126 Byte: 70, n =  76, k =  48, Sum(a8): 160, Confidence:  67.3%, Bitflip:  
#127 Byte: bf, n =  49, k =  25, Sum(a8): 128, Confidence:  67.1%, Bitflip:  
#128 Byte: 1d, n =  49, k =  24, Sum(a8): 128, Confidence:  67.1%, Bitflip:  
#129 Byte: b0, n =  61, k =  20, Sum(a8):  96, Confidence:  66.8%, Bitflip:  
#130 Byte: 1e, n =  69, k =  37, Sum(a8): 128, Confidence:  66.6%, Bitflip:  
#131 Byte: 7e, n =  65, k =  23, Sum(a8):  96, Confidence:  66.3%, Bitflip:  
#132 Byte: 45, n =  62, k =  20, Sum(a8):  96, Confidence:  66.3%, Bitflip:  
#133 Byte: 52, n =  63, k =  22, Sum(a8):  96, Confidence:  66.3%, Bitflip:  
#134 Byte: 8c, n =  60, k =  28, Sum(a8): 128, Confidence:  66.2%, Bitflip:  
#135 Byte: 77, n =  67, k =  36, Sum(a8): 128, Confidence:  66.1%, Bitflip:  
#136 Byte: 64, n =  67, k =  43, Sum(a8): 160, Confidence:  66.0%, Bitflip:  
#137 Byte: 55, n =  58, k =  31, Sum(a8): 128, Confidence:  65.6%, Bitflip:  
#138 Byte: 3f, n =  58, k =  31, Sum(a8): 128, Confidence:  65.6%, Bitflip:  
#139 Byte: b5, n =  59, k =  39, Sum(a8): 160, Confidence:  65.3%, Bitflip:  
#140 Byte: a9, n =  56, k =  26, Sum(a8): 128, Confidence:  65.0%, Bitflip:  
#141 Byte: 49, n =  71, k =  26, Sum(a8):  96, Confidence:  65.0%, Bitflip:  
#142 Byte: fa, n =  72, k =  33, Sum(a8): 128, Confidence:  64.9%, Bitflip:  
#143 Byte: 56, n =  72, k =  33, Sum(a8): 128, Confidence:  64.9%, Bitflip:  
#144 Byte: e1, n =  63, k =  43, Sum(a8): 160, Confidence:  64.8%, Bitflip:  
#145 Byte: bc, n =  34, k =  30, Sum(a8): 224, Confidence:  64.8%, Bitflip:  
#146 Byte: 63, n =  59, k =  19, Sum(a8):  96, Confidence:  64.5%, Bitflip:  
#147 Byte: 97, n =  70, k =  32, Sum(a8): 128, Confidence:  64.3%, Bitflip:  
#148 Byte: 1f, n =  61, k =  28, Sum(a8): 128, Confidence:  64.2%, Bitflip:  
#149 Byte: 32, n =  64, k =  53, Sum(a8): 192, Confidence:  63.5%, Bitflip:  
#150 Byte: cb, n =  62, k =  40, Sum(a8): 160, Confidence:  63.3%, Bitflip:  
#151 Byte: db, n =  66, k =  36, Sum(a8): 128, Confidence:  63.1%, Bitflip:  
#152 Byte: d7, n =  66, k =  30, Sum(a8): 128, Confidence:  63.1%, Bitflip:  
#153 Byte: 66, n =  57, k =  26, Sum(a8): 128, Confidence:  62.9%, Bitflip:  
#154 Byte: c1, n =  56, k =  18, Sum(a8):  96, Confidence:  62.5%, Bitflip:  
#155 Byte: b7, n =  66, k =  42, Sum(a8): 160, Confidence:  62.4%, Bitflip:  
#156 Byte: 98, n =  64, k =  35, Sum(a8): 128, Confidence:  62.4%, Bitflip:  
#157 Byte: e7, n =  44, k =  11, Sum(a8):  64, Confidence:  62.3%, Bitflip:  
#158 Byte: 6a, n =  71, k =  22, Sum(a8):  96, Confidence:  61.8%, Bitflip:  
#159 Byte: 9c, n =  68, k =  43, Sum(a8): 160, Confidence:  61.7%, Bitflip:  
#160 Byte: 02, n =  71, k =  39, Sum(a8): 128, Confidence:  61.5%, Bitflip:  
#161 Byte: 9a, n =  61, k =  42, Sum(a8): 160, Confidence:  61.1%, Bitflip:  
#162 Byte: cf, n =  60, k =  33, Sum(a8): 128, Confidence:  61.0%, Bitflip:  
#163 Byte: 3a, n =  53, k =  17, Sum(a8):  96, Confidence:  60.5%, Bitflip:  
#164 Byte: 01, n =  53, k =  36, Sum(a8): 160, Confidence:  60.5%, Bitflip:  
#165 Byte: 6c, n =  58, k =  32, Sum(a8): 128, Confidence:  60.3%, Bitflip:  
#166 Byte: b1, n =  55, k =  19, Sum(a8):  96, Confidence:  60.3%, Bitflip:  
#167 Byte: fb, n =  54, k =  17, Sum(a8):  96, Confidence:  59.7%, Bitflip:  
#168 Byte: 54, n =  54, k =  17, Sum(a8):  96, Confidence:  59.7%, Bitflip:  
#169 Byte: 40, n =  56, k =  31, Sum(a8): 128, Confidence:  59.6%, Bitflip:  
#170 Byte: 50, n =  65, k =  29, Sum(a8): 128, Confidence:  59.4%, Bitflip:  
#171 Byte: ff, n =  63, k =  23, Sum(a8):  96, Confidence:  59.1%, Bitflip:  
#172 Byte: 7d, n =  52, k =  29, Sum(a8): 128, Confidence:  58.1%, Bitflip:  
#173 Byte: 09, n =  55, k =  38, Sum(a8): 160, Confidence:  58.0%, Bitflip:  
#174 Byte: f2, n =  61, k =  34, Sum(a8): 128, Confidence:  58.0%, Bitflip:  
#175 Byte: a2, n =  61, k =  34, Sum(a8): 128, Confidence:  58.0%, Bitflip:  
#176 Byte: 0d, n =  50, k =  33, Sum(a8): 160, Confidence:  56.9%, Bitflip:  
#177 Byte: b6, n =  57, k =  25, Sum(a8): 128, Confidence:  56.4%, Bitflip:  
#178 Byte: b3, n =  58, k =  37, Sum(a8): 160, Confidence:  56.3%, Bitflip:  
#179 Byte: d3, n =  77, k =  43, Sum(a8): 128, Confidence:  56.0%, Bitflip:  
#180 Byte: 5d, n =  48, k =  15, Sum(a8):  96, Confidence:  55.8%, Bitflip:  
#181 Byte: 39, n =  55, k =  31, Sum(a8): 128, Confidence:  55.6%, Bitflip:  
#182 Byte: 18, n =  55, k =  24, Sum(a8): 128, Confidence:  55.6%, Bitflip:  
#183 Byte: b8, n =  60, k =  22, Sum(a8):  96, Confidence:  55.6%, Bitflip:  
#184 Byte: 2c, n =  60, k =  22, Sum(a8):  96, Confidence:  55.6%, Bitflip:  
#185 Byte: c2, n =  55, k =  46, Sum(a8): 192, Confidence:  55.5%, Bitflip:  
#186 Byte: 2b, n =  56, k =  39, Sum(a8): 160, Confidence:  55.5%, Bitflip:  
#187 Byte: 79, n =  58, k =  42, Sum(a8): 192, Confidence:  55.4%, Bitflip:  
#188 Byte: d5, n =  64, k =  36, Sum(a8): 128, Confidence:  55.2%, Bitflip:  
#189 Byte: 11, n =  64, k =  36, Sum(a8): 128, Confidence:  55.2%, Bitflip:  
#190 Byte: 61, n =  46, k =  15, Sum(a8):  96, Confidence:  55.1%, Bitflip:  
#191 Byte: 5b, n =  53, k =  23, Sum(a8): 128, Confidence:  54.8%, Bitflip:  
#192 Byte: a3, n =  62, k =  23, Sum(a8):  96, Confidence:  54.7%, Bitflip:  
#193 Byte: ed, n =  63, k =  10, Sum(a8):  32, Confidence:  54.6%, Bitflip:  
#194 Byte: 2a, n =  62, k =  35, Sum(a8): 128, Confidence:  54.4%, Bitflip:  
#195 Byte: 0b, n =  62, k =  27, Sum(a8): 128, Confidence:  54.4%, Bitflip:  
#196 Byte: 7b, n =  64, k =  24, Sum(a8):  96, Confidence:  53.6%, Bitflip:  
#197 Byte: 76, n =  60, k =  34, Sum(a8): 128, Confidence:  53.6%, Bitflip:  
#198 Byte: 88, n =  60, k =  18, Sum(a8):  96, Confidence:  53.3%, Bitflip:  
#199 Byte: 93, n =  45, k =  30, Sum(a8): 160, Confidence:  53.3%, Bitflip:  
#200 Byte: c3, n =  70, k =  21, Sum(a8):  96, Confidence:  52.2%, Bitflip:  
#201 Byte: f5, n =  56, k =  24, Sum(a8): 128, Confidence:  51.9%, Bitflip:  
#202 Byte: d6, n =  56, k =  24, Sum(a8): 128, Confidence:  51.9%, Bitflip:  
#203 Byte: 85, n =  56, k =  24, Sum(a8): 128, Confidence:  51.9%, Bitflip:  
#204 Byte: 2e, n =  56, k =  32, Sum(a8): 128, Confidence:  51.9%, Bitflip:  
#205 Byte: 19, n =  56, k =  32, Sum(a8): 128, Confidence:  51.9%, Bitflip:  
#206 Byte: a8, n =  57, k =  21, Sum(a8):  96, Confidence:  51.9%, Bitflip:  
#207 Byte: f8, n =  65, k =  37, Sum(a8): 128, Confidence:  51.2%, Bitflip:  
#208 Byte: 31, n =  54, k =  31, Sum(a8): 128, Confidence:  51.0%, Bitflip:  
#209 Byte: ae, n =  57, k =   9, Sum(a8):  32, Confidence:  51.0%, Bitflip:  
#210 Byte: 3c, n =  54, k =  38, Sum(a8): 160, Confidence:  50.9%, Bitflip:  
#211 Byte: 4c, n =  63, k =  27, Sum(a8): 128, Confidence:  50.4%, Bitflip:  
#212 Byte: 33, n =  64, k =  45, Sum(a8): 160, Confidence:  50.2%, Bitflip:  
#213 Byte: 14, n =  64, k =  45, Sum(a8): 160, Confidence:  50.2%, Bitflip:  
#214 Byte: 41, n =  61, k =  23, Sum(a8):  96, Confidence:  49.8%, Bitflip:  
#215 Byte: c7, n =  61, k =  35, Sum(a8): 128, Confidence:  49.5%, Bitflip:  
#216 Byte: 43, n =  61, k =  35, Sum(a8): 128, Confidence:  49.5%, Bitflip:  
#217 Byte: 87, n =  44, k =  13, Sum(a8):  96, Confidence:  49.3%, Bitflip:  
#218 Byte: fd, n =  61, k =  43, Sum(a8): 160, Confidence:  49.2%, Bitflip:  
#219 Byte: 10, n =  72, k =  28, Sum(a8):  96, Confidence:  48.6%, Bitflip:  
#220 Byte: 47, n =  63, k =  18, Sum(a8):  64, Confidence:  48.4%, Bitflip:  
#221 Byte: ce, n =  48, k =  20, Sum(a8): 128, Confidence:  48.3%, Bitflip:  
#222 Byte: dc, n =  57, k =  24, Sum(a8): 128, Confidence:  47.7%, Bitflip:  
#223 Byte: 4a, n =  57, k =  33, Sum(a8): 128, Confidence:  47.7%, Bitflip:  
#224 Byte: 3e, n =  57, k =  24, Sum(a8): 128, Confidence:  47.7%, Bitflip:  
#225 Byte: 89, n =  71, k =  50, Sum(a8): 160, Confidence:  47.2%, Bitflip:  
#226 Byte: de, n =  74, k =  45, Sum(a8): 160, Confidence:  47.1%, Bitflip:  
#227 Byte: 8d, n =  64, k =  37, Sum(a8): 128, Confidence:  46.0%, Bitflip:  
#228 Byte: 27, n =  60, k =  35, Sum(a8): 128, Confidence:  44.2%, Bitflip:  
#229 Byte: e8, n =  62, k =  24, Sum(a8):  96, Confidence:  43.4%, Bitflip:  
#230 Byte: c5, n =  58, k =  24, Sum(a8): 128, Confidence:  43.3%, Bitflip:  
#231 Byte: 12, n =  58, k =  34, Sum(a8): 128, Confidence:  43.3%, Bitflip:  
#232 Byte: ea, n =  69, k =  29, Sum(a8): 128, Confidence:  43.1%, Bitflip:  
#233 Byte: 24, n =  56, k =  33, Sum(a8): 128, Confidence:  42.3%, Bitflip:  
#234 Byte: 37, n =  73, k =  44, Sum(a8): 160, Confidence:  41.6%, Bitflip:  
#235 Byte: 95, n =  65, k =  38, Sum(a8): 128, Confidence:  41.3%, Bitflip:  
#236 Byte: 00, n =  57, k =  35, Sum(a8): 160, Confidence:  40.8%, Bitflip:  
#237 Byte: cc, n =  63, k =  37, Sum(a8): 128, Confidence:  40.4%, Bitflip:  
#238 Byte: d0, n =  61, k =  25, Sum(a8): 128, Confidence:  39.5%, Bitflip:  
#239 Byte: 29, n =  48, k =  19, Sum(a8): 128, Confidence:  38.5%, Bitflip:  
#240 Byte: e5, n =  70, k =  28, Sum(a8):  96, Confidence:  37.7%, Bitflip:  
#241 Byte: 9b, n =  70, k =  28, Sum(a8):  96, Confidence:  37.7%, Bitflip:  
#242 Byte: 71, n =  57, k =  34, Sum(a8): 128, Confidence:  37.6%, Bitflip:  
#243 Byte: 67, n =  57, k =  23, Sum(a8): 128, Confidence:  37.6%, Bitflip:  
#244 Byte: 22, n =  57, k =  23, Sum(a8): 128, Confidence:  37.6%, Bitflip:  
#245 Byte: af, n =  45, k =  28, Sum(a8): 160, Confidence:  36.7%, Bitflip:  
#246 Byte: 6e, n =  63, k =  38, Sum(a8): 160, Confidence:  36.7%, Bitflip:  
#247 Byte: 13, n =  63, k =  25, Sum(a8):  96, Confidence:  36.7%, Bitflip:  
#248 Byte: f1, n =  53, k =  32, Sum(a8): 128, Confidence:  35.7%, Bitflip:  
#249 Byte: e3, n =  53, k =  21, Sum(a8): 128, Confidence:  35.7%, Bitflip:  
#250 Byte: f9, n =  62, k =  25, Sum(a8): 128, Confidence:  34.6%, Bitflip:  
#251 Byte: e2, n =  62, k =  25, Sum(a8): 128, Confidence:  34.6%, Bitflip:  
#252 Byte: 7c, n =  62, k =  25, Sum(a8): 128, Confidence:  34.6%, Bitflip:  
#253 Byte: d1, n =  58, k =  35, Sum(a8): 160, Confidence:  34.3%, Bitflip:  
#254 Byte: 59, n =  60, k =  24, Sum(a8): 128, Confidence:  33.7%, Bitflip:  
#255 Byte: 9d, n =  71, k =  29, Sum(a8): 128, Confidence:  33.2%, Bitflip:  
          
Sum(a0) = 112          
Number of first bytes with confidence > 95.0%: 30          
Generating crypto1 state candidates... 
Number of possible keys with Sum(a0) = 112: 13750076573696 (2^43.6)
Reducing Partial Statelists (p,q) = (4,6) with lengths 74240, 178706
Odd  state candidates:      0 (2^-inf)
Even state candidates:      0 (2^-inf)
Odd  state candidates:     24 (2^4.6)
Even state candidates:  54116 (2^15.7)
Odd  state candidates:     33 (2^5.0)
Even state candidates:  54838 (2^15.7)
Odd  state candidates:      0 (2^-inf)
Even state candidates:      0 (2^-inf)
Reducing Partial Statelists (p,q) = (6,4) with lengths 181736, 74304
Odd  state candidates:      0 (2^-inf)
Even state candidates:      0 (2^-inf)
Odd  state candidates:    412 (2^8.7)
Even state candidates:  19048 (2^14.2)
Odd  state candidates:    568 (2^9.1)
Even state candidates:  18622 (2^14.2)
Odd  state candidates:      0 (2^-inf)
Even state candidates:      0 (2^-inf)
Reducing Partial Statelists (p,q) = (10,12) with lengths 182032, 73356
Odd  state candidates:      0 (2^-inf)
Even state candidates:      0 (2^-inf)
Odd  state candidates:    416 (2^8.7)
Even state candidates:  17350 (2^14.1)
Odd  state candidates:    456 (2^8.8)
Even state candidates:  17216 (2^14.1)
Odd  state candidates:      0 (2^-inf)
Even state candidates:      0 (2^-inf)
Reducing Partial Statelists (p,q) = (12,10) with lengths 73420, 185062
Odd  state candidates:      0 (2^-inf)
Even state candidates:      0 (2^-inf)
Odd  state candidates:     30 (2^4.9)
Even state candidates:  56028 (2^15.8)
Odd  state candidates:     27 (2^4.8)
Even state candidates:  56462 (2^15.8)
Odd  state candidates:      0 (2^-inf)
Even state candidates:      0 (2^-inf)
Number of remaining possible keys: 39806920 (2^25.2)
Time for generating key candidates list: 5 seconds          
Brute Force phase is not implemented.

Sorry for the stupid question.
How do I get the key candidates list?) And how long will it take for bruteforce (2^25)?

iceman · 2016-07-03 09:59:16

From here you can go two ways,
1. use @aczid separate solver
2. use my fork, where his solver is merged into.

Unless you are a great programmer with lots of times left over to make your own solver.

And a suggestion, use pastebin.com for the big traces/logs.

Sergey Hartmann · 2016-07-03 10:41:56

iceman, thx. I try the first way.

ps Now I will use pastebin.com

my_fair_cats_sick · 2016-07-05 15:50:08

What does it mean when hardnested fails? Is it worth trying again and again or if it fails once will it always fail?

I have all keys known but Sector 14, I have tried the command:

pm3 --> hf mf hardnested 0 A FFFFFFFFFFFF 14 B
--target block no: 14, target key type:B, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0           
Allocating memory for partial statelists...
Generating partial statelists...
Generating bitflip statelist...
Acquiring nonces...
Checking for Filter Flip Properties...
Acquired  1456 nonces ( 1440 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  1568 nonces ( 1550 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  2016 nonces ( 1992 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  2576 nonces ( 2532 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  3024 nonces ( 2959 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  3584 nonces ( 3490 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  4032 nonces ( 3913 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  4592 nonces ( 4436 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  5040 nonces ( 4846 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  5600 nonces ( 5355 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  6048 nonces ( 5769 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  6608 nonces ( 6285 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  7056 nonces ( 6680 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  7504 nonces ( 7096 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  8064 nonces ( 7602 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  8512 nonces ( 8001 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  9072 nonces ( 8508 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  9520 nonces ( 8889 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 10080 nonces ( 9367 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 10528 nonces ( 9752 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 11088 nonces (10223 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 11536 nonces (10590 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 12096 nonces (11068 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 12544 nonces (11426 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 13104 nonces (11892 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 13552 nonces (12260 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 14112 nonces (12716 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 14560 nonces (13063 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 15008 nonces (13423 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 15568 nonces (13879 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 16016 nonces (14231 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 16576 nonces (14665 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 17024 nonces (15012 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 17584 nonces (15436 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 18032 nonces (15784 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 18592 nonces (16194 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 19040 nonces (16534 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 19600 nonces (16976 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 20048 nonces (17289 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 20608 nonces (17705 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 21056 nonces (18024 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 21504 nonces (18350 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 22064 nonces (18737 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 22512 nonces (19054 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 23072 nonces (19471 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 23520 nonces (19792 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 24080 nonces (20185 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 24528 nonces (20496 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 2
Acquired 25088 nonces (20868 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 25536 nonces (21164 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 26096 nonces (21556 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 26544 nonces (21857 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 27104 nonces (22235 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 27552 nonces (22530 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 28112 nonces (22901 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 28560 nonces (23198 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 29008 nonces (23484 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 29568 nonces (23828 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Acquired 30016 nonces (24110 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 30576 nonces (24470 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 31024 nonces (24745 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 31584 nonces (25096 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 32032 nonces (25371 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 32592 nonces (25707 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 33040 nonces (25967 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 33600 nonces (26318 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 34048 nonces (26588 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 34608 nonces (26912 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 35056 nonces (27183 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 35504 nonces (27456 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 36064 nonces (27797 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 36512 nonces (28059 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 37072 nonces (28380 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 37520 nonces (28632 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 38080 nonces (28941 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 38528 nonces (29202 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 4
Acquired 39088 nonces (29513 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 39536 nonces (29771 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 40096 nonces (30087 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 40544 nonces (30331 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 41104 nonces (30645 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 41552 nonces (30900 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 42112 nonces (31201 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 42560 nonces (31433 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 5
Acquired 43008 nonces (31680 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 6
Acquired 43568 nonces (31960 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 44016 nonces (32189 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 44576 nonces (32471 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 45024 nonces (32700 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 45584 nonces (32984 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 46032 nonces (33211 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 46592 nonces (33493 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 47040 nonces (33729 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 9
Acquired 47600 nonces (33963 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 48048 nonces (34174 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 48608 nonces (34446 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 49056 nonces (34654 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 49504 nonces (34868 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 50064 nonces (35133 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 50512 nonces (35338 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 51072 nonces (35607 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 51520 nonces (35810 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 52080 nonces (36063 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 52528 nonces (36255 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 53088 nonces (36490 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 53536 nonces (36693 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 54096 nonces (36932 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 54544 nonces (37137 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 55104 nonces (37376 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 55552 nonces (37564 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 7
Acquired 56112 nonces (37804 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 8
Acquired 56560 nonces (38011 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 9
Acquired 57008 nonces (38189 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 10
Acquired 57568 nonces (38423 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 10
Acquired 58016 nonces (38616 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 10
Acquired 58576 nonces (38859 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 12
Acquired 59024 nonces (39042 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 59584 nonces (39286 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 60032 nonces (39465 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 60592 nonces (39682 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 61040 nonces (39831 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 61600 nonces (40055 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 62048 nonces (40234 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 62608 nonces (40437 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 63056 nonces (40590 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 63504 nonces (40750 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 12
Acquired 64064 nonces (40958 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 12
Acquired 64512 nonces (41127 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 65072 nonces (41348 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 10
Acquired 65520 nonces (41508 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 66080 nonces (41716 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 66528 nonces (41861 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 11
Acquired 67088 nonces (42060 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 12
Acquired 67536 nonces (42228 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 68096 nonces (42411 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 13
Acquired 68544 nonces (42587 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 69104 nonces (42783 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 69552 nonces (42948 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 16
Acquired 70112 nonces (43155 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 16
Acquired 70560 nonces (43310 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 16
Acquired 71008 nonces (43457 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 17
Acquired 71568 nonces (43654 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 17
Acquired 72016 nonces (43807 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 72576 nonces (43989 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 18
Acquired 73024 nonces (44133 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 16
Acquired 73584 nonces (44326 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 74032 nonces (44457 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 74592 nonces (44637 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 75040 nonces (44773 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 14
Acquired 75600 nonces (44954 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 76048 nonces (45094 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 76608 nonces (45247 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 18
Acquired 77056 nonces (45378 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 16
Acquired 77504 nonces (45513 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 15
Acquired 78064 nonces (45685 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 17
Acquired 78512 nonces (45834 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 18
Acquired 79072 nonces (45992 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 17
Acquired 79520 nonces (46123 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 17
Acquired 80080 nonces (46295 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 18
Acquired 80528 nonces (46440 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 81088 nonces (46611 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 18
Acquired 81536 nonces (46744 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 82096 nonces (46914 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 20
Acquired 82544 nonces (47050 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 83104 nonces (47192 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 83552 nonces (47328 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 19
Acquired 84112 nonces (47470 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 20
Acquired 84560 nonces (47598 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 21
Acquired 85008 nonces (47726 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 22
Acquired 85568 nonces (47885 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 22
Acquired 86016 nonces (48009 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 22
Acquired 86576 nonces (48158 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 22
Acquired 87024 nonces (48274 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 21
Acquired 87584 nonces (48416 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 23
Acquired 88032 nonces (48514 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 26
Acquired 88592 nonces (48674 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 27
Acquired a total of 88928 nonces in 74.7 seconds (71425 nonces/minute)          
Number of first bytes with confidence > 95.0%: 28          
Generating crypto1 state candidates... 
Number of possible keys with Sum(a0) = 136: 16937635385344 (2^43.9)
Reducing Partial Statelists (p,q) = (6,10) with lengths 181736, 185062
Reducing Partial Statelists (p,q) = (10,6) with lengths 182032, 178706
Number of remaining possible keys: 81850292 (2^26.3)
Time for generating key candidates list: 4 seconds          
Brute force phase starting.          
Using 128-bit bitslices          
Bitslicing best_first_byte^uid[3] (rollback byte): 51...          
Bitslicing nonces...          
Starting 1 cracking threads to search 8 buckets containing a total of 81850292 states...          
........Fail! Tested 81850292 states, in 1 seconds

Last edited by my_fair_cats_sick (2016-07-05 16:53:40)

osys · 2016-07-05 17:41:50

Try different combination of known blocks - keys. Usually when specifying not the first sector block it gives good results.

iceman · 2016-07-05 18:53:50

and as mentioned before, don't confuse blocks with sectors when you use the "HF MF" commands

my_fair_cats_sick · 2016-07-05 20:22:13

Ok so for attempting to recover key for sector 14 on a 1K card I would do something like:

hf mf hardnested 14 A FFFFFFFFFFFF 52 A?

I am looking at this page for reference:
https://www.supremainc.com/en/node/477

my_fair_cats_sick · 2016-07-06 15:52:23

Ha! I got it to work....finally and thanks much @osys! I had the sector/block confused!

suixo · 2016-07-06 16:04:09

@my_fair_cats_sick: how did you do? Just changing the source block for the hardnested attack did the trick?

my_fair_cats_sick · 2016-07-06 16:09:48

hf mf hardnested 26 A FFFFFFFFFFFF 56 B

(I was looking to get Sector 14 key B, and I had a Mifare 4K so the sector was higher than the 1k card).

my_fair_cats_sick · 2016-07-07 15:35:20

Has anyone ported this to work with the simple $10 off the shelf reader as this thread states? I assume just using the little black SCL3711? Would be interesting to do a comparison of the time to crack between the two!

osys · 2016-07-07 17:27:07

iceman wrote:

From here you can go two ways,
1. use @aczid separate solver

Aczid's separate solver has a libnfc version which should support common nfc readers though.

my_fair_cats_sick · 2016-07-08 13:22:22

Great thanks - could you kindly point me to this post or where its available? Or do I need to ask @aczid?

This is 100% solution using libnfc, getting Nonces and solver?

osys · 2016-07-08 14:00:31

This already has been shared several times across the forums

https://github.com/aczid/crypto1_bs

my_fair_cats_sick · 2016-07-08 14:05:42

Thanks much - sorry I just noticed there is a separate search menu option, I was looking for it at the forum top level. Still learning - I appreciate your help!

my_fair_cats_sick · 2016-07-09 23:29:38

I have a quick demo of this on youtube if that helps:

https://youtu.be/THY7WH3WI2Q

my_fair_cats_sick · 2016-07-15 19:12:03

So my cards take between 5-10 minutes to crack, using @iceman's branch which I believe has piwi's changes - does anyone know what is the best way to start looking to improve that timing? Or have things been optimized to hell and its just processor power?

iceman · 2016-07-16 02:17:02

The nonce collection part is as fast as you can get from that particular protocol.
The BF solver is the fastest around,
so, I suggest you look into the attack itself if you want to find shortcuts or optimizations.

piwi · 2016-07-16 07:12:31

If you say 5 - 10 minutes, is this the whole cycle acquisition - key space reduction - brute force? Which of those three steps takes how much time? (I know that total time can vary very much. If you are unlucky, you can spend hours in brute force. So let's stick to an average example).

my_fair_cats_sick · 2016-07-16 13:58:51

Good Point, I should clarify, this is the whole acquisition. For one card - it takes about 10 minutes total. 95% of that time is attempting to get to the 95% confidence threshold:

Acquired  1792 nonces ( 1763 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0									
Acquired  2352 nonces ( 2307 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0									
Acquired  2912 nonces ( 2847 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0									
Acquired  3472 nonces ( 3372 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1									
Acquired  4032 nonces ( 3902 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0									
Acquired  4592 nonces ( 4422 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1									
Acquired  5152 nonces ( 4937 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1									
Acquired  5712 nonces ( 5443 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 1									
Acquired  6272 nonces ( 5955 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0									
Acquired  6832 nonces ( 6450 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 0

The brute forcer is peanuts (like 5-6 seconds) compared to the time spent getting to that confidence level.

iceman · 2016-07-16 16:02:29

When I spoken with ppl about this, I've only divided it into two parts. The collecting and the solving but I'll use @piwi's division instead.
Considering first part "nonce acquisition"
The collecting part, @piwi found a faster way of getting a nonce out from the card then noone (publicly) before, is takes long time.

Considering the second part - "keyspace reduction"
According to @blapost, optimizing the keyspace reduction part doesn't make the solving part much faster.

Considering third part "BF solving"
Since the solver can be increased with faster hardware and its implementation is the fastest one when @azcid measured with @blapost solvers. I don't think the solver can be much faster, its down to keyspace and hardware.

Conclusion
The only way of making "hardnested" attack better would to find a way of getting less needed nonces for the attack to work.
Is there a way of collecting nonces which are considered "good" ? Is there a way of re-using already collected nonces to attack another block?

Final note,
this attack will never be fast enough to be a "drive-by" attack, it will always need physical access to the card.

my_fair_cats_sick · 2016-07-16 16:18:42

I appreciate the advice - I am not attempting to make it a drive by attack, simply trying to make this a research project to improve a few aspects (and learn a lot about the inner workings in the process). I tried performing some improvements to the client code itself but that appears to be fairly negligible as well (like performing multiplies instead of log functions in loops, removing some unecessary initializations and memcopies within loops).

I'll keep any progress posted. As always suggestions are welcome!

my_fair_cats_sick · 2016-07-16 20:26:45

Is there any way to precompute anything to help with the bruteforcing that would help reduce the time?

Last edited by my_fair_cats_sick (2016-07-16 20:32:46)

my_fair_cats_sick · 2016-07-17 20:59:21

So I have a few ideas but would like to run them by those of you who have already tried, @iceman, @piwi, @blapost

In some cases we may only have 1 sector where we don't know the key. Could we specify more known blocks and key pairs such that the authentication to known good blocks varies? Would that have a positive effect maybe in getting more "good" nonces? One thing I did notice is that rate of collecting "good" nonces goes down each "SendCommand" as time goes on - is this expected or any ideas why this would be?

total nonces	Nonces/cmd	Num unique	Num unique/cmd
1792	        560	1763	543
2352	        560	2307	544
2912	        560	2847	540
3472	        560	3372	525
4032	        560	3902	530
4592	        560	4422	520
5152	        560	4937	515
5712	        560	5443	506
6272	        560	5955	512
6832	        560	6450	495
7392	        560	6961	511
7952	        560	7456	495
8512	        560	7929	473
9072  	560	8395	466
9632	        560	8867	472
10192	560	9359	492
10752	560	9841	482
11312	560	10325	484
11872	560	10788	463
12432	560	11261	473
12992	560	11710	449
13552	560	12167	457
14112	560	12620	453
14672	560	13073	453
15232	560	13523	450
15792	560	13958	435
16352	560	14391	433
16912	560	14822	431
17472	560	15246	424
18032	560	15676	430
18592	560	16088	412
19152	560	16512	424
19712	560	16944	432
20272	560	17364	420
20832	560	17755	391
21392	560	18170	415
21952	560	18565	395
22512	560	18970	405
23072	560	19376	406
23632	560	19787	411
24192	560	20177	390
24752	560	20548	371
25312	560	20924	376
25872	560	21302	378
26432	560	21672	370
26992	560	22041	369
27552	560	22413	372
28112	560	22787	374
28672	560	23166	379
29232	560	23533	367
29792	560	23871	338
30352	560	24231	360
30912	560	24575	344
31472	560	24941	366
32032	560	25292	351
32592	560	25618	326
33152	560	25939	321
33712	560	26247	308
34272	560	26560	313
34832	560	26870	310
35392	560	27169	299
35952	560	27484	315
36512	560	27836	352
37072	560	28163	327
37632	560	28489	326
38192	560	28784	295
38752	560	29135	351
39312	560	29444	309
39872	560	29757	313
40432	560	30059	302
40992	560	30371	312
41552	560	30665	294
42112	560	30956	291
42672	560	31238	282
43232	560	31524	286
43792	560	31819	295
44352	560	32097	278
44912	560	32394	297
45472	560	32680	286
46032	560	32936	256
46592	560	33230	294
47152	560	33504	274
47712	560	33805	301
48272	560	34063	258
48832	560	34336	273
49392	560	34595	259
49952	560	34859	264
50512	560	35129	270
51072	560	35391	262
51632	560	35643	252
52192	560	35890	247
52752	560	36122	232
53312	560	36371	249
53872	560	36628	257
54432	560	36857	229
54992	560	37109	252
55552	560	37332	223
56112	560	37577	245
56672	560	37803	226
57232	560	38039	236
57792	560	38267	228
58352	560	38476	209
58912	560	38717	241
59472	560	38942	225
60032	560	39177	235
60592	560	39386	209
61152	560	39593	207
61712	560	39812	219
62272	560	40027	215
62832	560	40242	215

Could either of you explain what in fact a "good" nonce is? I know the comments say that it has distinct 1 and 0's but maybe if there is a bit more of a layman's version of that without having to read the paper in detail it would help. I will have to go back and re-read that either way likely to make any real improvement but I wanted to start at a higher level.

Also, would authenticating to other known good sectors and not the same one, decrease the amount of "timeout" needed before trying again? I'm guessing not since a smart card is likely too "dumb" for that, but figured it was worth asking if that is even worth trying.

Let me know if my ideas are way off base or at least something worth trying.

Last edited by my_fair_cats_sick (2016-07-18 00:17:05)

piwi · 2016-07-18 15:57:30

We are collecting 4 Byte random numbers which are encrypted with the unknown key. Only the first two bytes are used for key space reduction. After having collected some nonces, it becomes more and more likely that we get nonces with the same two first bytes as already collected. Therefore the number of "good" nonces goes down to 0 when we are approaching 65536.

Using other sectors doesn't help because those nonces would be encrypted with another key.

my_fair_cats_sick · 2016-07-18 22:11:07

Ok thanks - that makes sense. It was suggested on another thread that authenticating to different blocks (with the proper key) may increase the chances of the attack working at well, or maybe that only was a suggestion to use non-zero blocks. What is the proper block and key used for in this process if the nonce collection is only from the block with the unknown key?

piwi · 2016-07-19 12:56:27

The attack needs two blocks:

A block for which we know the key already. It doesn't matter which block or which key this is. It is just required to authenticate for this block to be able to then do a nested authentication for another block with the unknown key.
A block for which we try to find out the unknown key. Again, it doesn't matter which block this is, as long as it belongs to the same sector (i.e. requires the same key).

A good portion of the attack is about guessing the Sum property. If we are guessing wrong, then the attack might fail. In this case it is sufficient to repeat the attack with the same parameters. (Of course including the nonce acquisition. Repeating it with pre-acquired nonces will have the same result).

A side note: the attack as published on my github repository is still in conceptual phase because the discussion half year ago pissed me off. It doesn't implement 2nd byte bitflip properties and the nonce acquisition is somewhat "one size fits all". You should be able to decrease the nonce acquisition time by setting

#define GOOD_BYTES_REQUIRED		10

without too much disadvantages for average problems. Of course it would be best to somehow "predict" how many nonces would be required for a decent key space reduction...

my_fair_cats_sick · 2016-07-19 13:19:14

Great - thanks so much for your detailed reply. I would be happy to help focus on the known areas of needed improvement. I will look into these for a bit and ask more specific questions once I understand the problem further in those areas.

Proxmark3 community

Announcement

#151 2016-03-24 22:29:12

Re: Mifare Plus Atack

#152 2016-03-24 23:00:14

Re: Mifare Plus Atack

#153 2016-04-12 16:02:19

Re: Mifare Plus Atack

#154 2016-04-12 16:16:36

Re: Mifare Plus Atack

#155 2016-04-12 16:36:24

Re: Mifare Plus Atack

#156 2016-04-12 18:10:08

Re: Mifare Plus Atack

#157 2016-04-12 18:22:11

Re: Mifare Plus Atack

#158 2016-04-12 18:41:15

Re: Mifare Plus Atack

#159 2016-04-18 19:07:59

Re: Mifare Plus Atack

#160 2016-05-05 19:27:17

Re: Mifare Plus Atack

#161 2016-05-05 19:29:28

Re: Mifare Plus Atack

#162 2016-05-05 19:42:44

Re: Mifare Plus Atack

#163 2016-05-05 19:45:12

Re: Mifare Plus Atack

#164 2016-05-05 19:46:51

Re: Mifare Plus Atack

#165 2016-05-05 21:33:57

Re: Mifare Plus Atack

#166 2016-05-06 01:11:07

Re: Mifare Plus Atack

#167 2016-05-06 03:24:12

Re: Mifare Plus Atack

#168 2016-05-06 06:52:00

Re: Mifare Plus Atack

#169 2016-05-06 10:20:17

Re: Mifare Plus Atack

#170 2016-05-06 10:41:13

Re: Mifare Plus Atack

#171 2016-05-06 13:33:20

Re: Mifare Plus Atack

#172 2016-05-06 16:07:30

Re: Mifare Plus Atack

#173 2016-07-02 23:50:42

Re: Mifare Plus Atack

#174 2016-07-03 09:59:16

Re: Mifare Plus Atack

#175 2016-07-03 10:41:56

Re: Mifare Plus Atack

#176 2016-07-05 15:50:08

Re: Mifare Plus Atack

#177 2016-07-05 17:41:50

Re: Mifare Plus Atack

#178 2016-07-05 18:53:50

Re: Mifare Plus Atack

#179 2016-07-05 20:22:13

Re: Mifare Plus Atack

#180 2016-07-06 15:52:23

Re: Mifare Plus Atack

#181 2016-07-06 16:04:09

Re: Mifare Plus Atack

#182 2016-07-06 16:09:48

Re: Mifare Plus Atack

#183 2016-07-07 15:35:20

Re: Mifare Plus Atack

#184 2016-07-07 17:27:07

Re: Mifare Plus Atack

#185 2016-07-08 13:22:22

Re: Mifare Plus Atack

#186 2016-07-08 14:00:31

Re: Mifare Plus Atack

#187 2016-07-08 14:05:42

Re: Mifare Plus Atack

#188 2016-07-09 23:29:38

Re: Mifare Plus Atack

#189 2016-07-15 19:12:03

Re: Mifare Plus Atack