Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember: sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#51 2015-10-28 19:39:26

y0no
Member
Registered: 2015-10-28
Posts: 5

Re: cracking mifare keys

I got key A from sector 0 using mfoc. Concerning key B, I found it on this thread.

I got a result like:

Sector 00 - Found   Key A: a0a1a2a3a4a5 Found   Key B: b4c132439eef
Sector 01 - Unknown Key A               Unknown Key B
Sector 02 - Unknown Key A               Unknown Key B
Sector 03 - Unknown Key A               Unknown Key B
Sector 04 - Unknown Key A               Unknown Key B

I do not have a proxmarkIII, but I have read on this forum that it's possible to find the other keys with xor operations. I am just curious to know what algo is used to do that. If I am wrong, I will be happy to learn more about the mizip keys.


#52 2015-10-28 19:49:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

It looks like MIZIP... you'll have to ask the ppl who have that algo; if you get lucky they might trade it with you for other information.


#53 2015-10-28 20:13:42

y0no
Member
Registered: 2015-10-28
Posts: 5

Re: cracking mifare keys

Yep, this is a MIZIP key. It's because I found information on this thread that I'm asking if someone can share their knowledge with me :)


#54 2015-10-28 20:24:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

usually you'll need something to trade with...


#55 2015-10-28 20:31:28

y0no
Member
Registered: 2015-10-28
Posts: 5

Re: cracking mifare keys

Ah ok. Concerning the MiZip keys I don't have much information to share. But I can share a vulnerability in the MorphoAccess system in PM. ;)


#56 2016-04-11 20:28:57

Christian22
Contributor
Registered: 2016-04-11
Posts: 13

Re: cracking mifare keys

Hey guys,

I'm new and have read this forum a lot, and found this topic while I was searching for MiZIP.
Is it correct that someone has the correct algo for the MiZIP cards but it's not public yet?


#57 2016-05-06 09:18:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

it works.
I got bored and did a lua script.

pm3 --> sc r calc_mizip -u 11223344
--- Executing: ./scripts/calc_mizip.lua, args'-u 11223344'
============================================================

|UID|   11223344
|---|----------------|----------------|
|sec|key A           |key B           |
|---|----------------|----------------|
|000|  A0A1A2A3A4A5  |  B4C132439EEF  |
|001|  1830696198C7  |  C2689571EB65  |
|002|  BA57FA73830D  |  40A388DC0105  |
|003|  F35072EB3D2B  |  9909025465EA  |
|004|  2058846B55B2  |  835736051EB9  |
|---|----------------|----------------|

-----Finished

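The "xor operations" asked about in #51 and printed by the script in #57 are a UID-diversified key scheme: sector 0 uses two fixed keys, and every other sector's key is a constant six-byte mask XORed with bytes of the 4-byte UID. The following Python is an added example, not code from the thread or from the proxmark3 project; the masks are the ones published in the proxmark3 client script calc_mizip.lua, and the byte order is an assumption that the block checks against the table posted above for UID 11223344. The second function makes the defensive point: because the UID is broadcast in clear during anticollision and XOR is its own inverse, one card whose keys are known hands over the master constants for every other card.

```python
# Added example (not from the thread or the proxmark3 project): MiZIP-style
# UID-diversified MIFARE Classic keys, and why XOR diversification fails.

# Fixed keys of sector 0 and per-sector XOR masks (from calc_mizip.lua).
SECTOR0_KEY_A = bytes.fromhex("A0A1A2A3A4A5")
SECTOR0_KEY_B = bytes.fromhex("B4C132439EEF")
XOR_MASKS = {
    1: (bytes.fromhex("09125A2589E5"), bytes.fromhex("F12C8453D821")),
    2: (bytes.fromhex("AB75C937922F"), bytes.fromhex("73E799FE3241")),
    3: (bytes.fromhex("E27241AF2C09"), bytes.fromhex("AA4D137656AE")),
    4: (bytes.fromhex("317AB72F4490"), bytes.fromhex("B01327272DFD")),
}

# Which UID byte is XORed into each of the six key bytes (assumed order,
# verified against the thread's table for UID 11223344 in the checks below).
UID_ORDER_A = (0, 1, 2, 3, 0, 1)
UID_ORDER_B = (2, 3, 0, 1, 2, 3)


def _xor_with_uid(six_bytes: bytes, uid: bytes, order: tuple) -> bytes:
    """XOR each of the six bytes with the UID byte selected by `order`."""
    return bytes(b ^ uid[i] for b, i in zip(six_bytes, order))


def derive_mizip_keys(uid_hex: str) -> dict:
    """Return {sector: (keyA_hex, keyB_hex)} for sectors 0-4 of a MiZIP card."""
    uid = bytes.fromhex(uid_hex)
    if len(uid) != 4:
        raise ValueError("MiZIP keys are derived from a 4-byte UID")
    keys = {0: (SECTOR0_KEY_A.hex().upper(), SECTOR0_KEY_B.hex().upper())}
    for sector, (mask_a, mask_b) in XOR_MASKS.items():
        key_a = _xor_with_uid(mask_a, uid, UID_ORDER_A)
        key_b = _xor_with_uid(mask_b, uid, UID_ORDER_B)
        keys[sector] = (key_a.hex().upper(), key_b.hex().upper())
    return keys


def recover_masks(uid_hex: str, keys: dict) -> dict:
    """Recover the per-sector masks from ONE card's UID and sector keys.

    mask = key XOR uid-pattern, because XOR is its own inverse. This is the
    weakness of the scheme: the UID is public (sent in clear during
    anticollision), so a single recovered card yields the constants that
    produce the keys of every other card in the system.
    """
    uid = bytes.fromhex(uid_hex)
    masks = {}
    for sector, (key_a_hex, key_b_hex) in keys.items():
        if sector == 0:
            continue  # sector 0 keys are fixed, not diversified
        mask_a = _xor_with_uid(bytes.fromhex(key_a_hex), uid, UID_ORDER_A)
        mask_b = _xor_with_uid(bytes.fromhex(key_b_hex), uid, UID_ORDER_B)
        masks[sector] = (mask_a, mask_b)
    return masks


if __name__ == "__main__":
    # Reproduces the table printed by calc_mizip.lua in the post above.
    for sector, (a, b) in derive_mizip_keys("11223344").items():
        print(f"sector {sector:03d}: key A {a}  key B {b}")
```

The lesson for anyone designing a diversification scheme is the one the second function demonstrates: diversifying with a linear operation on public data is equivalent to a shared static key, and a real scheme needs a keyed one-way function (a MAC or block cipher over the UID under a master key held only by the reader's SAM) so that one card's keys reveal nothing about another's.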

#58 2016-11-04 10:34:19

onlo
Contributor
Registered: 2016-11-03
Posts: 3

Re: cracking mifare keys

Is there a possibility to start the lua script on Windows or Mac?

Last edited by onlo (2016-11-05 19:00:11)


#59 2016-11-06 12:35:09

onlo
Contributor
Registered: 2016-11-03
Posts: 3

Re: cracking mifare keys

Is it possible?


#60 2016-11-14 13:56:01

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: cracking mifare keys

I just moved into a new apartment and they are using Mifare Desfire neutral
I'm thinking of using the snoop tomorrow to try and sniff out the key to duplicate the fob.

Are the steps in this thread useful for finding out the key for the Desfire?

proxmark3> hf 14a reader
UID : 04 54 20 22 02 44 80
ATQA : 00 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3
       -  TL : length is 12 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
       - TC1 : NAD is NOT supported, CID is supported
       -  HB : c1 05 2f 2f 01 bc d6 -> MIFARE Plus X 2K or 4K
               c1 -> Mifare or (multiple) virtual cards of various type
                  05 -> Length is 5 bytes
                     2x -> MIFARE Plus
                        2x -> Released
                           x1 -> VCS, VCSL, and SVC supported
#db# unknown command:: 0x0607
Waiting for a response from the proxmark...

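The ATS breakdown that `hf 14a reader` prints above (TL, T0 with FSCI, TA1 divisors, TB1 timing, TC1 NAD/CID, historical bytes) follows the ISO/IEC 14443-4 layout, and decoding it by hand is how you check what the client is telling you. The Python below is an added example, not code from the thread or from the proxmark3 project; it parses the exact ATS posted above (the trailing 60 d3 are the CRC_A bytes the client prints after the ATS) and reproduces the client's field-by-field interpretation. The `hb_hint` reading of the 0xC1 historical-byte format is taken from how the proxmark3 client annotates it and is an assumption as far as other vendors go.

```python
# Added example (not from the thread or the proxmark3 project): decoder for an
# ISO/IEC 14443-4 ATS as printed by `hf 14a reader`.

# FSCI -> FSC (maximum frame size the card accepts, in bytes).
FSC_TABLE = {0: 16, 1: 24, 2: 32, 3: 40, 4: 48, 5: 64, 6: 96, 7: 128, 8: 256}

# Constructed from the post above: 12 ATS bytes followed by 2 CRC_A bytes.
SAMPLE_ATS = bytes.fromhex("0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3")


def _divisors(bits: int) -> list:
    """Three bits select 212/424/848 kbit/s, reported as divisors 2/4/8."""
    return [d for bit, d in ((1, 2), (2, 4), (4, 8)) if bits & bit]


def parse_ats(ats: bytes, trailing_crc: bool = True) -> dict:
    """Decode TL, T0, TA1, TB1, TC1 and the historical bytes of an ATS."""
    body = ats[:-2] if trailing_crc else ats
    tl = body[0]
    if tl != len(body):
        raise ValueError(f"TL says {tl} bytes but {len(body)} were given")
    info = {"TL": tl}
    if tl == 1:
        return info  # minimal ATS: no format byte at all
    t0 = body[1]
    fsci = t0 & 0x0F
    info["FSCI"] = fsci
    info["FSC"] = FSC_TABLE.get(fsci, 256)  # FSCI > 8 is RFU, treated as 256
    pos = 2
    if t0 & 0x10:  # TA1 present: bit-rate capabilities
        ta1 = body[pos]
        pos += 1
        info["TA1"] = {
            "same_divisor_only": bool(ta1 & 0x80),
            "DS": _divisors((ta1 >> 4) & 0x07),  # card -> reader
            "DR": _divisors(ta1 & 0x07),         # reader -> card
        }
    if t0 & 0x20:  # TB1 present: frame waiting time and start-up frame guard
        tb1 = body[pos]
        pos += 1
        fwi, sfgi = tb1 >> 4, tb1 & 0x0F
        info["TB1"] = {
            "FWI": fwi,
            "FWT_fc": 4096 << fwi,                 # (256 * 16 / fc) * 2^FWI
            "SFGI": sfgi,
            "SFGT_fc": 0 if sfgi == 0 else 4096 << sfgi,  # 0 means not needed
        }
    if t0 & 0x40:  # TC1 present: protocol options
        tc1 = body[pos]
        pos += 1
        info["TC1"] = {"NAD": bool(tc1 & 0x01), "CID": bool(tc1 & 0x02)}
    info["HB"] = body[pos:]  # historical bytes, vendor defined
    return info


def hb_hint(hb: bytes) -> str:
    """Product hint from NXP-style 0xC1 historical bytes, as the proxmark3
    client annotates them (assumption: only the C1 format is handled)."""
    if len(hb) < 3 or hb[0] != 0xC1:
        return "unknown historical-byte format"
    return {0x10: "MIFARE DESFire", 0x20: "MIFARE Plus"}.get(hb[2] & 0xF0, "unknown product")


if __name__ == "__main__":
    decoded = parse_ats(SAMPLE_ATS)
    for field, value in decoded.items():
        print(f"{field:5}: {value}")
    print("HB hint:", hb_hint(decoded["HB"]))
```

Two details worth noticing in the sample: TL is 0x0c (12) while the client printed 14 bytes, which is why the CRC must be stripped before the length check, and TB1 = 0x80 gives FWI = 8, i.e. the card may take up to 1048576 carrier periods (about 77 ms) to answer before the reader is allowed to give up.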

#61 2016-11-14 14:42:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

The error message in the bottom of your posted output tells me you have not flashed the device with the fullimage from which you are using the client software.

The desfire is still quite locked down, so if there are no default keys then you can't do anything.


#62 2016-11-15 09:59:39

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: cracking mifare keys

iceman wrote:

The error message in the bottom of your posted output tells me you have not flashed the device with the fullimage from which you are using the client software.

The desfire is still quite locked down, so if there are no default keys then you can't do anything.


Yep, you are right... the firmware was flashed about 3 years ago. It was quite stable... so I didn't flash it again.


#63 2016-11-15 10:22:33

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: cracking mifare keys

genexis wrote:
iceman wrote:

The error message in the bottom of your posted output tells me you have not flashed the device with the fullimage from which you are using the client software.

The desfire is still quite locked down, so if there are no default keys then you can't do anything.


Yep, you are right... the firmware was flashed about 3 years ago. It was quite stable... so I didn't flash it again.

Just updated to the latest bootrom and fullimage that came with PM2.5

So a little more info about the DESFire tag I have... it is from a system called VITEZ. I think quite a few apartments in my area use this company as their security system. Does anybody have any experience with this, or know their "default key"?

I will have access to do some snooping... is there a way to clone the card based on the snoop results?


#64 2016-11-15 11:18:56

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

There is an info command in my fork. It tries to read some stuff off your tag. In any case there is very little done with desfire tags in regards to the pm3 code. There was a side-channel attack for the first desfire tag (not the newer ones), but still nothing proxmark3 related.

hf mfdes info


#65 2016-11-17 15:25:58

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: cracking mifare keys

pm3 --> hw ver
[[[ Cached information ]]]
         
Prox/RFID mark3 RFID instrument         
bootrom: /-suspect 2015-11-19 10:08:02
os: /-suspect 2015-11-19 10:08:09
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8
         
uC: AT91SAM7S256 Rev A         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes. Used: 169916 bytes (65). Free: 92228 bytes (35).         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 256K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory         
         


pm3 --> hf 14a reader
UID : 04 54 20 22 02 44 80           
ATQA : 00 44         
SAK : 20 [1]         
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41         
MANUFACTURER : NXP Semiconductors Germany         
ATS : 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 60 D3           
       -  TL : length is 12 bytes         
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)         
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]         
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)         
       - TC1 : NAD is NOT supported, CID is supported         
       -  HB : C1 05 2F 2F 01 BC D6 -> MIFARE Plus X 2K or 4K         
               c1 -> Mifare or (multiple) virtual cards of various type         
                  05 -> Length is 5 bytes         
                     2x -> MIFARE Plus         
                        2x -> Released         
                           x1 -> VCS, VCSL, and SVC supported         
Answers to magic commands (GEN1): NO         
pm3 --> hf mfdes info
#db# unknown command:: 0x072d         
Command execute timeout         
pm3 -->


What went wrong?

Last edited by genexis (2016-11-17 15:26:40)


#66 2016-11-17 15:56:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

as always,  run the same client as you flashed the device with.


#67 2016-11-19 07:52:18

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: cracking mifare keys

Got it! Finally managed to compile on my Mac.

pm3 --> hf mfdes info
#db# halt error. response len: 3         
         
-- Desfire Information --------------------------------------         
-------------------------------------------------------------         
  UID                : 04 54 20 22 02 44 80           
  Batch number       : 00 00 00 00 00           
  Production date    : week 00, 2000         
  -----------------------------------------------------------         
  Hardware Information         
      Vendor Id      : no tag-info available         
      Type           : 0x68         
      Subtype        : 0x00         
      Version        : 0.0 (Desfire MF3ICD40)         
      Storage size   : 0x00 (1 bytes)         
      Protocol       : 0x00 (Unknown)         
  -----------------------------------------------------------         
  Software Information         
      Vendor Id      : no tag-info available         
      Type           : 0x32         
      Subtype        : 0x00         
      Version        : 0.0         
      storage size   : 0x00 (1 bytes)         
      Protocol       : 0x00 (Unknown)         
-------------------------------------------------------------         
CMK - PICC, Card Master Key settings           
         
#db# halt error. response len: 3         
   [0x08] Configuration changeable       : YES         
   [0x04] CMK required for create/delete : NO         
   [0x02] Directory list access with CMK : YES         
   [0x01] CMK is changeable              : YES         
#db# halt error. response len: 3         
         
   Max number of keys       : 104         
   Master key Version       : 189 (0xbd)         
   ----------------------------------------------------------         
#db# halt error. response len: 3         
   [0x0A] Authenticate      : YES         
#db# halt error. response len: 3         
   [0x1A] Authenticate ISO  : YES         
#db# halt error. response len: 3         
   [0xAA] Authenticate AES  : YES         
         
   ----------------------------------------------------------         
#db# halt error. response len: 3         
   Available free memory on card       : 26813 bytes         
-------------------------------------------------------------         
pm3 -->


#68 2016-11-19 09:00:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Well, of course the presumption is that you flashed yr device with the fullimage from my fork.
I don't think your tag is desfire, it could be a Mifare plus. Too many zeros and wrong response lengths in your post.


#69 2016-11-19 16:00:23

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: cracking mifare keys

Yep. Flashed with the latest stable pull from your fork.
Mifare plus... let me read up on it...


#70 2016-11-19 16:07:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

You can try hf mf mifare


#71 2016-11-20 09:33:42

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: cracking mifare keys

Tried that for the whole morning. It just kept showing dots even after a couple of hours. Is it normal for this to happen? I know it says it should end after 25 secs, but... mine is not ending... Is it still "Cracking in progress"?


#72 2016-11-20 12:01:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Try

hf mf chk
hf list 14a


#73 2016-11-20 14:05:48

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: cracking mifare keys

pm3 --> hf 14a reader
UID : 04 54 20 22 02 44 80           
ATQA : 00 44         
SAK : 20 [1]         
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41         
MANUFACTURER : NXP Semiconductors Germany         
ATS : 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 60 D3           
       -  TL : length is 12 bytes         
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)         
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]         
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)         
       - TC1 : NAD is NOT supported, CID is supported         
       -  HB : C1 05 2F 2F 01 BC D6 -> MIFARE Plus X 2K or 4K         
               c1 -> Mifare or (multiple) virtual cards of various type         
                  05 -> Length is 5 bytes         
                     2x -> MIFARE Plus         
                        2x -> Released         
                           x1 -> VCS, VCSL, and SVC supported         
Answers to magic commands (GEN1): NO         
pm3 --> hf mf chk *4 ? d
No key specified, trying default keys         
key[ 0] ffffffffffff         
key[ 1] 000000000000         
key[ 2] a0a1a2a3a4a5         
key[ 3] b0b1b2b3b4b5         
key[ 4] aabbccddeeff         
key[ 5] 4d3a99c351dd         
key[ 6] 1a982c7e459a         
key[ 7] d3f7d3f7d3f7         
key[ 8] 714c5c886e97         
key[ 9] 587ee5f9350f         
key[10] a0478cc39091         
key[11] 533cb6c723f6         
key[12] 8fd0a4f256e9         
................................................................................
Time in checkkeys: 1590767 ticks 92 seconds
         
testing to read key B...         
|---|----------------|---|----------------|---|         
|sec|key A           |res|key B           |res|         
|---|----------------|---|----------------|---|         
|000|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|001|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|002|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|003|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|004|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|005|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|006|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|007|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|008|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|009|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|010|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|011|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|012|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|013|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|014|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|015|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|016|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|017|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|018|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|019|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|020|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|021|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|022|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|023|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|024|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|025|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|026|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|027|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|028|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|029|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|030|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|031|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|032|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|033|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|034|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|035|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|036|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|037|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|038|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|039|  ffffffffffff  | 0 |  ffffffffffff  | 0 |         
|---|----------------|---|----------------|---|         
Printing keys to binary file dumpkeys.bin...         
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.         
         
pm3 -->


pm3 --> hf list 14a
Recorded Activity (TraceLen = 313 bytes)         
         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
iso14443a - All times are in carrier periods (1/13.56Mhz)         
         
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |         
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|         
          0 |        992 | Rdr |52                                                               |     | WUPA         
       2228 |       4596 | Tag |44  00                                                           |     |           
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL         
      10676 |      16564 | Tag |88  04  54  20  f8                                               |     |           
      18944 |      29408 | Rdr |93  70  88  04  54  20  f8  73  c3                               |  ok | SELECT_UID         
      30644 |      34164 | Tag |04  da  17                                                       |     |           
      35456 |      37920 | Rdr |95  20                                                           |     | ANTICOLL-2         
      39092 |      44916 | Tag |22  02  44  80  e4                                               |     |           
      47360 |      57888 | Rdr |95  70  22  02  44  80  e4  cf  86                               |  ok | ANTICOLL-2         
      59060 |      62644 | Tag |20  fc  70                                                       |     |           
      64256 |      69024 | Rdr |e0  80  31  73                                                   |  ok | RATS         
      70196 |      86452 | Tag |0c  75  77  80  02  c1  05  2f  2f  01  bc  d6  60  d3           |  ok |           
      89088 |      93856 | Rdr |61  ff  55  6d                                                   |  ok | AUTH-B(255)         
    1143552 |    1144800 | Rdr |00                                                               |     |           
    1160064 |    1161056 | Rdr |52                                                               |     | WUPA         
    2211712 |    2212704 | Rdr |52                                                               |     | WUPA         
    3263360 |    3264352 | Rdr |52                                                               |     | WUPA         
    4315008 |    4316000 | Rdr |52                                                               |     | WUPA         
    5366656 |    5367648 | Rdr |52                                                               |     | WUPA         
    6418304 |    6419296 | Rdr |52                                                               |     | WUPA         
    7469952 |    7470944 | Rdr |52                                                               |     | WUPA         
    8521600 |    8522592 | Rdr |52                                                               |     | WUPA         
    9573248 |    9574240 | Rdr |52                                                               |     | WUPA         
   10624896 |   10625888 | Rdr |52                                                               |     | WUPA         
   11676544 |   11677536 | Rdr |52                                                               |     | WUPA         
   12728192 |   12729184 | Rdr |52                                                               |     | WUPA         
pm3 -->

Last edited by genexis (2016-11-20 14:09:16)


#74 2016-11-20 14:29:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

Ok, it doesn't seem to be a Mifare classic, since it doesn't answer the Auth 0x61 command.

Back to Desfire and Plus (in SL2 mode?)

hf mfdes info
hf list 14a 

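The deduction in the reply above comes straight out of the `hf list 14a` trace in #73: the reader sent AUTH-B (0x61) at tick 89088, and the next frame in the trace is another reader frame, so the tag never answered. A MIFARE Classic (or a Plus in SL1) answers a well-formed AUTH with a 4-byte nonce even when the key is wrong, so silence rules the Classic protocol out. The Python below is an added example, not code from the thread or from the proxmark3 project; it parses the client's trace format, pairs each reader frame with the tag reply that follows it, lists the unanswered commands, and reports the AUTH verdict. The sample trace is a constructed subset of the lines posted in #73.

```python
# Added example (not from the thread or the proxmark3 project): analyser for
# the `hf list 14a` trace format that reproduces the "no answer to AUTH" check.
from dataclasses import dataclass


@dataclass
class Frame:
    start: int      # carrier periods (1/13.56 MHz)
    end: int
    src: str        # "Rdr" or "Tag"
    data: bytes
    crc_ok: bool
    note: str       # client annotation such as WUPA, RATS, AUTH-B(255)


# Constructed sample: a subset of the trace posted in the thread.
SAMPLE_TRACE = """\
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr |52                                                               |     | WUPA
       2228 |       4596 | Tag |44  00                                                           |     |
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL
      10676 |      16564 | Tag |88  04  54  20  f8                                               |     |
      64256 |      69024 | Rdr |e0  80  31  73                                                   |  ok | RATS
      70196 |      86452 | Tag |0c  75  77  80  02  c1  05  2f  2f  01  bc  d6  60  d3           |  ok |
      89088 |      93856 | Rdr |61  ff  55  6d                                                   |  ok | AUTH-B(255)
    1143552 |    1144800 | Rdr |00                                                               |     |
    1160064 |    1161056 | Rdr |52                                                               |     | WUPA
"""


def parse_trace(text: str) -> list:
    """Turn the pipe-separated trace lines into Frame objects, skipping the
    header, ruler and anything else whose first column is not a number."""
    frames = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        # '!' marks a parity error on the preceding byte; drop it for decoding.
        data = bytes.fromhex(parts[3].replace("!", "").replace(" ", ""))
        note = parts[5] if len(parts) > 5 else ""
        frames.append(Frame(int(parts[0]), int(parts[1]), parts[2], data,
                            parts[4] == "ok", note))
    return frames


def pair_exchanges(frames: list) -> list:
    """Pair every reader frame with the tag frame that directly follows it
    (None when the next frame is another reader frame or the trace ends)."""
    exchanges = []
    for i, frame in enumerate(frames):
        if frame.src != "Rdr":
            continue
        nxt = frames[i + 1] if i + 1 < len(frames) else None
        reply = nxt if nxt is not None and nxt.src == "Tag" else None
        exchanges.append((frame, reply))
    return exchanges


def unanswered_commands(frames: list) -> list:
    return [cmd for cmd, reply in pair_exchanges(frames) if reply is None]


def classic_auth_status(frames: list) -> str:
    """MIFARE Classic answers AUTH (0x60 key A / 0x61 key B, 4 bytes with CRC)
    with a 4-byte nonce nT even for a wrong key, so an unanswered AUTH means
    the tag does not implement the Classic authentication at all."""
    for cmd, reply in pair_exchanges(frames):
        if len(cmd.data) == 4 and cmd.data[0] in (0x60, 0x61):
            block = cmd.data[1]
            if reply is None:
                return f"AUTH on block {block} unanswered: not MIFARE Classic"
            if len(reply.data) == 4:
                return f"AUTH on block {block} answered with nonce: Classic protocol"
            return f"AUTH on block {block} answered with {len(reply.data)} bytes"
    return "no AUTH command in trace"


if __name__ == "__main__":
    frames = parse_trace(SAMPLE_TRACE)
    for cmd in unanswered_commands(frames):
        print(f"unanswered at {cmd.start}: {cmd.data.hex()} {cmd.note}")
    print(classic_auth_status(frames))
```

Run as-is it lists the three reader frames without a reply (the AUTH-B, the stray 0x00 the client sent afterwards, and the final WUPA) and prints the "not MIFARE Classic" verdict; feeding it a trace from a Classic card, where the AUTH is followed by a 4-byte tag frame, flips the verdict.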

#75 2016-11-20 14:36:49

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: cracking mifare keys

In the HF 14a READER command, it says that it is a
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41

What makes you feel otherwise about it?


#76 2016-11-20 15:06:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: cracking mifare keys

As I mentioned earlier, the previously posted output from "hf mfdes info" has too many zeros and read failures to be a Desfire tag.
It's not a Mifare Plus pretending to be a "mifare classic", so it's either a Plus tag in SL1/SL2/SL3 mode or a JCOP tag, I would say.

There is no known attack against either, hence you need to open another thread if you have other questions, since this thread is about Mifare classic keys.

