Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2016-10-22 09:13:01

lasersword
Contributor
Registered: 2016-06-08
Posts: 24

why iceman's firmware for 'hf mf mifare' got stuck and not working?

Hi Iceman, I compiled your latest code and ran hf mf mifare on multiple tokens, but it always got stuck and got nothing. However, if I use the official release branch, it works fine. Can you evaluate what the reason is?

See the screenshot below:

sony@MichaelFu MINGW32 ~/iceman1001/client
$ ./proxmark3.exe com2
Prox/RFID mark3 RFID instrument
bootrom: iceman/master/v1.1.0-1656-g2dcf60f-suspect 2016-10-22 11:01:15
os: iceman/master/v1.1.0-1656-g2dcf60f-suspect 2016-10-22 11:01:33
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 216145 bytes (82). Free: 45999 bytes (18).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

pm3 --> hf 14a reader
hf 14a reader
UID : 17 75 88 22
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO

pm3 --> hf mf mifare
hf mf mifare
-------------------------------------------------------------------------
Executing darkside attack. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...............................

--->  it is stuck here and gets no result, with the C/D LEDs lit

However, if I flash the official release 2.5, it smoothly recovers the key. What is happening here? Are there any bugs in your 'mifare' implementation? It looks like this function is broken. I tried multiple tokens and got the same result. Your help is appreciated. Thanks!

See the screenshot below, taken after flashing the official Rel 2.5 version and running mifare.

[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: /-suspect 2015-11-19 10:08:09
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 169916 bytes (65%). Free: 92228 bytes (35%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hf 14a reader
UID : 17 75 88 22
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card




uid(17758822) nt(c0c69e59) par(0000000000000000) ks(0600050f0d0a0b0b) nr(800000000)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 6 |  3  |0,0,0,0,0,0,0,0|
| 20 |00000020| 0 |  5  |0,0,0,0,0,0,0,0|
| 40 |00000040| 5 |  0  |0,0,0,0,0,0,0,0|
| 60 |00000060| f |  a  |0,0,0,0,0,0,0,0|
| 80 |00000080| d |  8  |0,0,0,0,0,0,0,0|
| a0 |000000a0| a |  f  |0,0,0,0,0,0,0,0|
| c0 |000000c0| b |  e  |0,0,0,0,0,0,0,0|
| e0 |000000e0| b |  e  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...         
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=c0c69e59
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card




uid(17758822) nt(c0c69e59) par(0000000000000000) ks(080105020705040e) nr(800000001)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000001| 8 |  d  |0,0,0,0,0,0,0,0|
| 20 |00000021| 1 |  4  |0,0,0,0,0,0,0,0|
| 40 |00000041| 5 |  0  |0,0,0,0,0,0,0,0|
| 60 |00000061| 2 |  7  |0,0,0,0,0,0,0,0|
| 80 |00000081| 7 |  2  |0,0,0,0,0,0,0,0|
| a0 |000000a1| 5 |  0  |0,0,0,0,0,0,0,0|
| c0 |000000c1| 4 |  1  |0,0,0,0,0,0,0,0|
| e0 |000000e1| e |  b  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...         
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=c0c69e59
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card




uid(17758822) nt(c0c69e59) par(0000000000000000) ks(01070a05050c0705) nr(800000002)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000002| 1 |  4  |0,0,0,0,0,0,0,0|
| 20 |00000022| 7 |  2  |0,0,0,0,0,0,0,0|
| 40 |00000042| a |  f  |0,0,0,0,0,0,0,0|
| 60 |00000062| 5 |  0  |0,0,0,0,0,0,0,0|
| 80 |00000082| 5 |  0  |0,0,0,0,0,0,0,0|
| a0 |000000a2| c |  9  |0,0,0,0,0,0,0,0|
| c0 |000000c2| 7 |  2  |0,0,0,0,0,0,0,0|
| e0 |000000e2| 5 |  0  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...         
key_count:102
------------------------------------------------------------------
Found valid key:363636363636


proxmark3>


#2 2016-10-23 06:00:06

phiber
Contributor
Registered: 2016-10-11
Posts: 37

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

I had the same experience as well. Maybe we need to use the official firmware if we want to crack Mifare?


#3 2016-10-23 10:01:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

In your output there are a lot of "can't select tag" messages, which indicates position and distance issues over the antenna.

It looks like it doesn't get any parity bits (i.e. the tag doesn't send a NACK) and tries the special condition "zero attack", which targets clones (i.e. not Mifare but Fudan or magic tags with limited PRNGs). This attack doesn't work at all in my fork.

Zero parity attack does not work in latest pm3 master. If you go back before @piwi's changes to "hf mf mifare" then it works.

The v2.5 you are using is a bin-dist from @asper and it's quite old.


#4 2016-10-23 15:41:55

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

iceman wrote:

Zero parity attack does not work in latest pm3 master. If you go back before @piwi's changes to "hf mf mifare" then it works.

The v2.5 you are using is a bin-dist from @asper and it's quite old.

According to lasersword it does work in asper's binary distribution. v2.5 is from November 2015 and there have been no changes to "hf mf mifare" since then. It therefore should work in master as well.


#5 2016-10-23 17:59:42

lasersword
Contributor
Registered: 2016-06-08
Posts: 24

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

iceman wrote:

In your output there are a lot of "can't select tag" messages, which indicates position and distance issues over the antenna.

It looks like it doesn't get any parity bits (i.e. the tag doesn't send a NACK) and tries the special condition "zero attack", which targets clones (i.e. not Mifare but Fudan or magic tags with limited PRNGs). This attack doesn't work at all in my fork.

Zero parity attack does not work in latest pm3 master. If you go back before @piwi's changes to "hf mf mifare" then it works.

The v2.5 you are using is a bin-dist from @asper and it's quite old.

Whatever the tags may be, if there is a way that once worked fine for them, would you mind either merging it into your current fork or developing a new command to include it? I really like your fork, but it would be a pity for me if the mifare command does not work as well as master does. Thanks a lot!


#6 2016-10-23 19:31:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

The beauty of firmware is that you can switch between versions with ease to have the functionality that you need for the moment.

Go for the PM3 Master or v2.5.0 or piwi's hardnested branch and solve your current problem. If you like the iceman fork but it doesn't fit your needs, you are in luck, since there are so many options to choose from.

And to @piwi: while v2.5.0 was compiled on 19 Nov 2015, that doesn't actually mean it was compiled with the latest available source of the time, given the fact that it's a custom build maintained offline, with releases long after the commits to the repo. Go ahead, prove me wrong. Show me that the zero parity attack works in current Pm3 master and I stand corrected.
Until then I stand by my claims.


#7 2016-10-24 04:13:41

lasersword
Contributor
Registered: 2016-06-08
Posts: 24

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

iceman wrote:

The beauty of firmware is that you can switch between versions with ease to have the functionality that you need for the moment.

Go for the PM3 Master or v2.5.0 or piwi's hardnested branch and solve your current problem. If you like the iceman fork but it doesn't fit your needs, you are in luck, since there are so many options to choose from.

OK, thanks anyway man!


#8 2016-10-24 08:08:53

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

iceman wrote:

Go ahead, prove me wrong. Show me that the zero parity attack works in current Pm3 master and I stand corrected.
Until then I stand by my claims.

Do you know of a source where I can get Fudan (or similar) Mifare clones in low quantities (I don't need 500 pcs)?


#9 2016-10-24 10:02:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

taobao is your friend.


#10 2016-10-26 20:30:23

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

iceman wrote:

Go ahead, prove me wrong. Show me that the zero parity attack works in current Pm3 master and I stand corrected.
Until then I stand by my claims.

My Fudan fob arrived today. Here you go:

proxmark3> hw ver
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: irq_test/v2.2.0-6-g00c5814-dirty-suspect 2015-07-21 17:17:43
os: master/v2.2.0-264-gd1057e7-suspect 2016-10-26 19:21:51
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 186093 bytes (71). Free: 76051 bytes (29).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hf mf mif
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.



uid(2e086b1a) nt(230736f6) par(0000000000000000) ks(0b0008000804000e) nr(7529d88000000000)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| b |  e  |0,0,0,0,0,0,0,0|
| 20 |00000020| 0 |  5  |0,0,0,0,0,0,0,0|
| 40 |00000040| 8 |  d  |0,0,0,0,0,0,0,0|
| 60 |00000060| 0 |  5  |0,0,0,0,0,0,0,0|
| 80 |00000080| 8 |  d  |0,0,0,0,0,0,0,0|
| a0 |000000a0| 4 |  1  |0,0,0,0,0,0,0,0|
| c0 |000000c0| 0 |  5  |0,0,0,0,0,0,0,0|
| e0 |000000e0| e |  b  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=230736f6
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card




uid(2e086b1a) nt(230736f6) par(0000000000000000) ks(0e0b0e0b090c0d02) nr(7529d88000000001)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000001| e |  b  |0,0,0,0,0,0,0,0|
| 20 |00000021| b |  e  |0,0,0,0,0,0,0,0|
| 40 |00000041| e |  b  |0,0,0,0,0,0,0,0|
| 60 |00000061| b |  e  |0,0,0,0,0,0,0,0|
| 80 |00000081| 9 |  c  |0,0,0,0,0,0,0,0|
| a0 |000000a1| c |  9  |0,0,0,0,0,0,0,0|
| c0 |000000c1| d |  8  |0,0,0,0,0,0,0,0|
| e0 |000000e1| 2 |  7  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
key_count:69
Key not found (lfsr_common_prefix list is null). Nt=230736f6
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...
.#db# Mifare: Can't select card
....#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card




uid(2e086b1a) nt(230736f6) par(0000000000000000) ks(0e05060e01080b08) nr(7529d88000000002)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000002| e |  b  |0,0,0,0,0,0,0,0|
| 20 |00000022| 5 |  0  |0,0,0,0,0,0,0,0|
| 40 |00000042| 6 |  3  |0,0,0,0,0,0,0,0|
| 60 |00000062| e |  b  |0,0,0,0,0,0,0,0|
| 80 |00000082| 1 |  4  |0,0,0,0,0,0,0,0|
| a0 |000000a2| 8 |  d  |0,0,0,0,0,0,0,0|
| c0 |000000c2| b |  e  |0,0,0,0,0,0,0,0|
| e0 |000000e2| 8 |  d  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
p1:0 p2:0 p3:0 key:ffffffffffff
p1:1a863 p2:4cef p3:1 key:8d5583f0d573
p1:1c10c p2:5120 p3:2 key:86b36ec93d21
p1:2cdd6 p2:8191 p3:3 key:3d64df60d3ec
key_count:4
------------------------------------------------------------------
Found valid key:ffffffffffff


proxmark3>

The "Can't select card" errors need some investigation though. But they are not related to a bad antenna.


#11 2016-10-28 19:17:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

I stand corrected then.

How on earth does the par become all zeros and there are still valid Mifare commands? I thought it was all zeros because the tag didn't send NACKs, hence it was not able to collect parity info.


--side note--
Found one issue: the dist_nonce didn't want to be found in the iceman fork, which kind of made it just stand there.
It's visible if you set the debug level to 4 (hf mf dbg 4) and then run the darkside attack.
The fix is committed.
--


#12 2016-10-29 09:17:30

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

iceman wrote:

How on earth does the par become all zeros and there are still valid Mifare commands? I thought it was all zeros because the tag didn't send NACKs, hence it was not able to collect parity info.

hf mf mifare tries sending different parities with the reader response until the tag answers with NACK. The "normal" card answers with NACK when the correct parity is tried. The Fudan clones always answer with NACK including on the first try, which is the zero parity. "all zeroes" is therefore an indicator for a card always answering with NACK. Cards never answering with NACK are not vulnerable to hf mf mifare.

Last edited by piwi (2016-10-29 13:34:37)


#13 2016-10-29 09:43:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

That would explain par_list=0 and ks_list>0 (i.e. no parity and a keystream).

If a NACK is answered on the first try, the zero parity attack should be fast in the collecting part on the device side.

I should be able to test the nonce2key_ex with data from your trace and see what's missing.
uid(2e086b1a) nt(230736f6) par(0000000000000000) ks(0b0008000804000e) nr(7529d88000000000)
uid(2e086b1a) nt(230736f6) par(0000000000000000) ks(0e05060e01080b08) nr(7529d88000000002)


#14 2016-10-29 17:29:21

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

Yes, correct deduction, it is fast (and it would be even faster without the card select errors).


#15 2016-10-29 17:56:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

A bug: the NR (7529d88000000000) from your trace is way too big for the uint32_t type by which it is declared.
I'm guessing 00 00 00 00 as the nonce.

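As an added example (not part of this thread, and not code from the Proxmark3 project or the iceman fork): a small Python diagnostic that parses pasted hf mf mifare client output and flags the two conditions discussed in posts #12 and #15, piwi's all-zero parity (a tag that NACKs the very first parity guess, i.e. clone behaviour) and iceman's over-wide nr field (a value declared uint32_t printed with more than 8 hex digits). The class and function names are my own; the sample trace is an abridged copy of piwi's output above, and the interpretation of the two flags is taken from their posts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged excerpt of the hf mf mifare output piwi posted
# above (two of the three records; the runs of select errors are shortened).
SAMPLE_TRACE = """\
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
#db# Mifare: Can't select card
.

uid(2e086b1a) nt(230736f6) par(0000000000000000) ks(0b0008000804000e) nr(7529d88000000000)
parity is all zero,try special attack!just wait for few more seconds...
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=230736f6
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...
.#db# Mifare: Can't select card
#db# Mifare: Can't select card
uid(2e086b1a) nt(230736f6) par(0000000000000000) ks(0e05060e01080b08) nr(7529d88000000002)
parity is all zero,try special attack!just wait for few more seconds...
key_count:4
------------------------------------------------------------------
Found valid key:ffffffffffff
"""

# One record per attempt, exactly as the client prints it.
RECORD_RE = re.compile(
    r"uid\((?P<uid>[0-9a-f]+)\) nt\((?P<nt>[0-9a-f]+)\) par\((?P<par>[0-9a-f]+)\) "
    r"ks\((?P<ks>[0-9a-f]+)\) nr\((?P<nr>[0-9a-f]+)\)"
)


@dataclass
class Attempt:
    """One darkside attempt: a uid(...)...nr(...) record plus what followed it."""
    uid: str
    nt: str
    par: str
    ks: str
    nr: str
    select_errors: int                 # "Can't select card" lines printed before this record
    key_count: int = 0
    found_key: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def analyse_darkside_trace(text: str) -> List[Attempt]:
    """Parse client output and annotate each attempt with the two observations
    made in the thread: all-zero parity (piwi) and an over-wide nr (iceman)."""
    attempts: List[Attempt] = []
    pending_errors = 0
    for line in text.splitlines():
        # The device prints one #db# line per failed select; the client's progress
        # dot is sometimes glued to the front, so match on the substring.
        if "Mifare: Can't select card" in line:
            pending_errors += 1
            continue
        m = RECORD_RE.search(line)
        if m:
            a = Attempt(**m.groupdict(), select_errors=pending_errors)
            pending_errors = 0
            # piwi: all-zero parity means the tag NACKed the first parity guess,
            # which a genuine card does not do; it marks an always-NACK clone.
            if set(a.par) == {"0"}:
                a.flags.append("all-zero parity: tag NACKs every parity guess (clone behaviour)")
            # iceman: nr is declared uint32_t, so more than 8 hex digits in the
            # printout is a formatting bug, not a real 64-bit reader nonce.
            if len(a.nr) > 8:
                a.flags.append(f"nr wider than 32 bits: printout bug, low 32 bits are {a.nr[-8:]}")
            attempts.append(a)
            continue
        if attempts and line.startswith("key_count:"):
            attempts[-1].key_count = int(line.split(":", 1)[1])
        elif attempts and line.startswith("Found valid key:"):
            attempts[-1].found_key = line.split(":", 1)[1].strip()
    return attempts


def summarise(attempts: List[Attempt]) -> List[str]:
    """One human-readable line per attempt, for eyeballing a pasted trace."""
    out = []
    for i, a in enumerate(attempts, 1):
        status = f"key {a.found_key}" if a.found_key else f"{a.key_count} candidates, no key"
        out.append(f"attempt {i}: nr={a.nr} select_errors={a.select_errors} {status}; "
                   + ("; ".join(a.flags) or "no anomalies"))
    return out


if __name__ == "__main__":
    for line in summarise(analyse_darkside_trace(SAMPLE_TRACE)):
        print(line)
```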

#16 2016-10-29 20:48:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: why iceman's firmware for 'hf mf mifare' got stuck and not working?

@OP  I pushed some fixes into my fork.  This should fix the  "zero parity attack" vector and some other minor things.

