Research, development and trades concerning the powerful Proxmark3 device.
Got my hands on a card and it is not vulnerable to either the darkside or the nested attack.
Using hf mf chk *1 ? d, the keys for block 19 are unknown.
UID : 9e ac f9 7e
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block: 3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:A, key count:13
--sector: 5, block: 23, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 0, block: 3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:B, key count:13
--sector: 5, block: 23, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:B, key count:13
Next I tried hardnested using the Iceman fork via Docker, with compiling and flashing done.
Using the command hf mf hardnested 3 A ffffffffffff 19 A w s:
#db# AcquireNonces: Can't select card (UID)
Acquired 59024 nonces (38836 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 21
#db# Authentication failed. Card timeout.
#db# AcquireNonces: Auth1 error
#db# Authentication failed. Card timeout.
#db# AcquireNonces: Auth1 error
Acquired 59584 nonces (39073 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 20
#db# Authentication failed. Error card response.
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Can't select card (UID)
Acquired 60032 nonces (39245 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 21
#db# Authentication failed. Error card response.
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Can't select card (UID)
Acquired 60592 nonces (39457 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 22
Acquired 61040 nonces (39630 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 25
Acquired 61600 nonces (39852 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 24
Acquired 62048 nonces (40036 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 28
#db# AcquireNonces: Auth2 error len=1
#db# AcquireNonces: Can't select card (UID)
Acquired a total of 62048 nonces in 275.8 seconds (13501 nonces/minute)
Sum(a0) = 1
Number of first bytes with confidence > 95.0%: 28
Generating crypto1 state candidates...
Number of possible keys with Sum(a0) = 1: 0 (2^-inf)
Number of remaining possible keys: 0 (2^-inf)
Time for generating key candidates list: 0 seconds
Brute force phase starting.
Using 128-bit bitslices
Bitslicing best_first_byte^uid[3] (rollback byte): 12...
Bitslicing nonces...
Starting 1 cracking threads to search 0 buckets containing a total of 0 states...
Fail! Tested 0 states, in 0 seconds
pm3 -->
Any advice?
Last edited by lohcm88 (2016-05-21 02:23:11)
I spoke with Aczid about that, and according to him the hardnested attack is expected to fail sometimes, just like the darkside attack does. You'll need to keep running it until it solves.
Try restarting the hardnested with your saved nonces file and see if it still fails?
Otherwise run it some more times. Your "can't select card" is troublesome; you should find a better position/distance/angle for your card on the antenna until you don't get such messages.
I tried twice and got the same failed result for this card.
Whereas with another card (same brand, but for a different apartment), I am able to detect and read with both the nested and hardnested commands.
Last edited by lohcm88 (2016-05-27 15:49:22)
Auth1 error
Auth2 error
sync error
#db# AcquireNonces: Can't select card
Just a question of interest: do you see any of those messages while inspecting the Adalo card where the nested/hardnested methods are working?
Sometimes I see them, then they disappear, then reappear, and eventually, but not always, it did find keys... as if the SW tries to re-balance/re-sync.
Could there be any indicator or intelligent limit set to tell that an experiment is hopeless and had better be stopped and readjusted with new conditions?
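The question above, whether there is an indicator that a run is hopeless, can be answered crudely from the client transcript itself. The following is an added example, not code from the thread or from the Proxmark3 project: it parses the progress lines and the firmware-side `#db#` error lines of a hardnested run (the original poster's pasted lines, reused here as a constructed fixture) and reduces them to a card-loss rate per 1000 nonces plus a count of outright `Can't select card` failures. The `max_errors_per_1k` threshold and the verdict wording are assumptions chosen for illustration.

```python
"""Heuristic health check for a Proxmark3 ``hf mf hardnested`` transcript.

Added example; not code from the forum thread or from the Proxmark3 project.
It reduces the intermittent ``#db#`` error lines of a hardnested run to two
numbers a practitioner can act on: how often the card dropped out during
nonce acquisition (per 1000 nonces collected) and how many of those drops
were ``Can't select card`` failures. The threshold in ``assess`` is an
assumption for illustration, not a value taken from the firmware.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed fixture: the progress and error lines the original poster
# pasted from the client, in the order they appeared (leading part of the
# run omitted, as in the post).
SAMPLE_LOG = """\
#db# AcquireNonces: Can't select card (UID)
Acquired 59024 nonces (38836 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 21
#db# Authentication failed. Card timeout.
#db# AcquireNonces: Auth1 error
#db# Authentication failed. Card timeout.
#db# AcquireNonces: Auth1 error
Acquired 59584 nonces (39073 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 20
#db# Authentication failed. Error card response.
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Can't select card (UID)
Acquired 60032 nonces (39245 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 21
#db# Authentication failed. Error card response.
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Can't select card (UID)
Acquired 60592 nonces (39457 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 22
Acquired 61040 nonces (39630 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 25
Acquired 61600 nonces (39852 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 24
Acquired 62048 nonces (40036 with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > 95.0%: 28
#db# AcquireNonces: Auth2 error len=1
#db# AcquireNonces: Can't select card (UID)
Acquired a total of 62048 nonces in 275.8 seconds (13501 nonces/minute)
Number of remaining possible keys: 0 (2^-inf)
Fail! Tested 0 states, in 0 seconds
"""

_PROGRESS = re.compile(r"^Acquired (\d+) nonces \((\d+) with distinct bytes 0 and 1\)")
_TOTAL = re.compile(r"^Acquired a total of (\d+) nonces in ([0-9.]+) seconds")
_DBG_PREFIX = "#db# "
_SELECT_FAIL = "AcquireNonces: Can't select card"


@dataclass
class Report:
    window_nonces: int          # nonces collected while the pasted lines were printed
    total_nonces: Optional[int]
    seconds: Optional[float]
    errors: Counter             # '#db#' message -> occurrences
    select_failures: int
    failed: bool                # a 'Fail!' line was seen
    errors_per_1k: float
    verdict: str


def assess(transcript: str, max_errors_per_1k: float = 1.0) -> Report:
    """Parse a hardnested transcript and judge the card coupling (threshold assumed)."""
    progress: list[int] = []
    total: Optional[int] = None
    seconds: Optional[float] = None
    errors: Counter = Counter()
    failed = False

    for line in transcript.splitlines():
        if (m := _PROGRESS.match(line)):
            progress.append(int(m.group(1)))
        elif (m := _TOTAL.match(line)):
            total, seconds = int(m.group(1)), float(m.group(2))
        elif line.startswith(_DBG_PREFIX):
            # Firmware-side debug output: one line per failed select or auth.
            errors[line[len(_DBG_PREFIX):]] += 1
        elif line.startswith("Fail!"):
            failed = True

    # Rate over the nonces collected between the first and last progress line,
    # so a transcript trimmed at the top (as here) still yields a fair number.
    first = progress[0] if progress else 0
    last = total if total is not None else (progress[-1] if progress else 0)
    window = max(last - first, 0)
    n_errors = sum(errors.values())
    rate = n_errors * 1000.0 / window if window else float("inf")
    select_failures = sum(c for msg, c in errors.items() if msg.startswith(_SELECT_FAIL))

    if select_failures or rate > max_errors_per_1k:
        verdict = ("bad coupling: the card keeps leaving the field; reposition it "
                   "on the antenna before retrying")
    elif failed:
        verdict = "failed without coupling errors: rerun, key recovery is probabilistic"
    else:
        verdict = "acquisition looks healthy"
    return Report(window, total, seconds, errors, select_failures, failed, rate, verdict)


if __name__ == "__main__":
    r = assess(SAMPLE_LOG)
    print(f"{r.window_nonces} nonces in window, {sum(r.errors.values())} errors "
          f"({r.select_failures} select failures), {r.errors_per_1k:.1f} per 1000: {r.verdict}")
```

On the poster's transcript this gives 13 errors over 3024 nonces (about 4.3 per 1000) with four select failures, i.e. the antenna coupling, not the attack, is the first thing to fix, which matches the advice in the thread.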
Yes.... the errors appear and disappear intermittently, but once you have nested it and copied it to a changeable-UID card, the readings from the UID card will be more stable.
Solved! Managed to find the card's G spot and hardnested was done beautifully... thx!
I have a big interest in your finding. If you could elaborate a little bit more elegantly and a tiny bit more eloquently you would be a great man @lohcm88
The card is like a woman... Hard to please. Need to be patient and try various positions with her before I hit her G spot. Once you get the correct position there will be no more auth error, can't select card etc., and the hardnested command will have fewer failures.
hahaha you are great at explaining. So finding the correct distance/position/angle, that is the way to master the art.
So doing hf 14a reader 10x error-free is not enough to have the correct dist/posi/angle. (That happened to me: even with 10x error-free reading, still a lot of Auth err.) What other tricks have you employed/discovered to get quicker to the optimal dist/posi/angle??
Last edited by ntk (2016-05-21 16:59:08)
I am having trouble getting "hardnested" to work.
I successfully ran/compiled Iceman's latest fork (iceman1001/proxmark3:1.6.1) using Docker, but it is as if hardnested does not exist, not even in the help.
This is what I get:
I'm thinking this shows the software upgraded properly:
proxmark3> hw version
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: icemanmaster/-suspect 2016-05-18 07:44:45
os: icemanmaster/-suspect 2016-05-18 07:44:46
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 211849 bytes (40%). Free: 312439 bytes (60%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Then every time I run hardnested I get a help screen, which doesn't mention hardnested:
proxmark3> hf mf hardnested 0 A d25701232d76 4 A
help This help
dbg Set default debug mode
rdbl Read MIFARE classic block
rdsc Read MIFARE classic sector
dump Dump MIFARE classic tag to binary file
restore Restore MIFARE classic binary file to BLANK tag
wrbl Write MIFARE classic block
chk Test block keys
mifare Read parity error messages.
nested Test nested authentication
sniff Sniff card-reader communication
sim Simulate MIFARE card
eclr Clear simulator memory block
eget Get simulator memory block
eset Set simulator memory block
eload Load from file emul dump
esave Save to file emul dump
ecfill Fill simulator memory with help of keys from simulator
ekeyprn Print keys from simulator memory
csetuid Set UID for magic Chinese card
csetblk Write block - Magic Chinese card
cgetblk Read block - Magic Chinese card
cgetsc Read sector - Magic Chinese card
cload Load dump into magic Chinese card
csave Save dump from magic Chinese card into file or emulator
decrypt [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace
proxmark3>
Is it me or the iceman fork?
I don't know if this is important, but I pulled the bootrom.elf and fullimage.elf out of the docker and placed them into ASPER's old PM3-bin-2.5.0 environment, then ran the flash from there in Windows. I am also accessing the Proxmark3 from there.
Any ideas to get hardnested to work?
Stop mixing firmware and client from different forks.
Only use firmware and client from the same fork/branch.
ICEMAN Thanks!
I guess I will have to be satisfied with using prompt commands inside the docker.
ntk modified the "settings.xml" of the Windows "Proxmark Tool.exe" to use the "hardnested" command. I really wanted to do the same: use the Windows Proxmark Tool and write xml and lua scripts for the proxmark3.
You can still use the PM3 master with the proxspace env, and in that one you can run the GUI and all other commands too.
But for hardnested and some new stuff, you're gonna need the Iceman fork.
You can still develop lua scripts, which run on both PM3 master and my fork. You just need to save them in the shared folder you use. Then, inside the docker container, copy them to your client folder so you can run them from the client. However, they will be gone from that folder when you exit the container. As I instructed on hub.docker.com/ you need to copy all gathered data back to that shared folder to make sure it doesn't get deleted.
If you are brave, you can look into something I read about the "docker commit" command, which should keep local changes. I haven't tried it myself.