Proxmark3 community


#1 2016-12-30 21:40:31

ericlam2728
Contributor
Registered: 2015-09-26
Posts: 34

Can't find any keys at all for mifare 1k plus

I've been trying to clone this mifare card for a very long time. I can't seem to find any keys at all and don't know what to do...

Prox/RFID mark3 RFID instrument
bootrom: iceman/master/v1.1.0-1743-g1772cf8 2016-12-27 03:46:28
os: iceman/master/v1.1.0-1743-g1772cf8 2016-12-27 03:46:33
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 216090 bytes (82). Free: 46054 bytes (18).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 -->  hf mf chk *1 ? t
No key specified, trying default keys
key[ 0] ffffffffffff
key[ 1] 000000000000
key[ 2] a0a1a2a3a4a5
key[ 3] b0b1b2b3b4b5
key[ 4] aabbccddeeff
key[ 5] 4d3a99c351dd
key[ 6] 1a982c7e459a
key[ 7] d3f7d3f7d3f7
key[ 8] 714c5c886e97
key[ 9] 587ee5f9350f
key[10] a0478cc39091
key[11] 533cb6c723f6
key[12] 8fd0a4f256e9
................................
Time in checkkeys: 19624 ticks 19 seconds

testing to read key B...
Reading block 63
#db# Can't select card
#db# READ BLOCK FINISHED
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|001|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|002|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|003|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|004|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|005|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|006|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|007|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|008|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|009|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|010|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|011|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|012|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|013|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|014|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 0 |
|---|----------------|---|----------------|---|
Found keys have been transferred to the emulator memory

pm3 -->


#2 2016-12-30 21:48:36

gator96100
Contributor
From: Austria
Registered: 2016-03-25
Posts: 177

Re: Can't find any keys at all for mifare 1k plus

Seems like you found 1 key. Now you can try a nested attack or, if it doesn't work, a hardnested attack.

Last edited by gator96100 (2016-12-30 21:49:02)


#3 2016-12-31 00:28:58

ericlam2728
Contributor
Registered: 2015-09-26
Posts: 34

Re: Can't find any keys at all for mifare 1k plus

I think my scanner wasn't working correctly. I ran it again with another one I have and got:

No key specified, trying default keys
key[ 0] ffffffffffff
key[ 1] 000000000000
key[ 2] a0a1a2a3a4a5
key[ 3] b0b1b2b3b4b5
key[ 4] aabbccddeeff
key[ 5] 4d3a99c351dd
key[ 6] 1a982c7e459a
key[ 7] d3f7d3f7d3f7
key[ 8] 714c5c886e97
key[ 9] 587ee5f9350f
key[10] a0478cc39091
key[11] 533cb6c723f6
key[12] 8fd0a4f256e9

Time in checkkeys: 24862 ticks 25 seconds

testing to read key B...
Reading block 59
#db# READ BLOCK FINISHED
Data:FF FF FF FF FF FF
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|002|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|003|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|004|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|005|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|006|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|007|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|008|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|009|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|010|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|011|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|012|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|013|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|

I then ran this command:
hf mf hardnested 0 a ffffffffffff 4 a w

which gave me
Acquiring nonces...
Writing acquired nonces to binary file nonces.bin
Checking for Filter Flip Properties...
Acquired  1344 nonces ( 1327/ 5000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  1568 nonces ( 1549/ 5000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  2016 nonces ( 1986/ 5000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  2576 nonces ( 2528/ 5000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  3024 nonces ( 2962/ 5000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  3584 nonces ( 3494/ 5000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  4032 nonces ( 3908/ 5000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  4592 nonces ( 4425/ 5000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  5040 nonces ( 4845/ 5000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  5600 nonces ( 5363/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  6048 nonces ( 5766/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  6608 nonces ( 6280/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  7056 nonces ( 6678/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  7504 nonces ( 7082/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  8064 nonces ( 7574/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired  8512 nonces ( 7969/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  9072 nonces ( 8465/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 0
Acquired  9520 nonces ( 8848/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 10080 nonces ( 9329/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 1
Acquired 10528 nonces ( 9697/10000 with distinct bytes 0,1). Bytes with probability for correctly guessed Sum(a8) > 95.0%: 3
Generating crypto1 state candidates...
Number of possible keys with Sum(a0) = 136: 16937635385344 (2^43.9)
Number of remaining possible keys: 720083200 (2^29.4)
Brute force phase starting.
Using 128-bit bitslices
Bitslicing best_first_byte^uid[3] (rollback byte): 14 ...
Bitslicing nonces...
Starting 4 cracking threads to search 8 buckets containing a total of 720083200 states...

but then it crashed. I'm using your latest compile of iceman's fork on a Windows 10 PC.

Last edited by ericlam2728 (2016-12-31 00:29:12)
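
As an added example (not part of the original posts or of the Proxmark3 code base): a small Python parser for the `hf mf chk` result table shown in posts #1 and #3. It lists the sector/key slots that still accept a factory-default key and compares two runs, so an unreliable read like the first one stands out. The function names are hypothetical; the sample rows are a subset copied from the two tables in this thread.

```python
import re

# One row of the `hf mf chk` result table: |sec|key A|res|key B|res|
# res = 1 means a key from the dictionary authenticated, 0 means none did.
ROW = re.compile(
    r"^\|(\d{3})\|\s*([0-9a-f]{12})\s*\|\s*([01])\s*\|"
    r"\s*([0-9a-f]{12})\s*\|\s*([01])\s*\|$", re.I)

def parse_chk_table(text):
    """Return {sector: {'A': key or None, 'B': key or None}}."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or #db# debug line
        sec, key_a, res_a, key_b, res_b = m.groups()
        table[int(sec)] = {"A": key_a.lower() if res_a == "1" else None,
                           "B": key_b.lower() if res_b == "1" else None}
    return table

def found_slots(table):
    """Set of (sector, key type) slots where a default key authenticated."""
    return {(s, t) for s, keys in table.items() for t, k in keys.items() if k}

def compare_runs(first, second):
    """Slots seen in only one run suggest a flaky read, not a key change."""
    a, b = found_slots(first), found_slots(second)
    return {"both": sorted(a & b), "only_first": sorted(a - b),
            "only_second": sorted(b - a)}

# Sample input: rows for sectors 0, 1, 14, 15 copied from posts #1 and #3.
RUN_1 = """\
|sec|key A           |res|key B           |res|
|000|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|001|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|014|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 0 |
"""
RUN_2 = """\
|sec|key A           |res|key B           |res|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 0 |  ffffffffffff  | 0 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
"""

if __name__ == "__main__":
    diff = compare_runs(parse_chk_table(RUN_1), parse_chk_table(RUN_2))
    for label, slots in diff.items():
        print(label, slots)
```

For a card issuer, every slot reported here is a sector still protected only by a published default key and should be rekeyed.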


#4 2016-12-31 12:39:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Can't find any keys at all for mifare 1k plus

First, run "hf mf mifare" to verify that your tag has the newer PRNG and needs the hardnested attack.

Second, try "hf mf dbg 3" (or 4) to see more messages when running the nested attack.


#5 2017-01-02 16:46:55

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Can't find any keys at all for mifare 1k plus

Subject says "Mifare 1k plus". If this is correct, then hf mf mifare and hf mf nested will not work.

Mifare Plus chips can be configured in one of 4 possible Security Levels (SL0 to SL3):

  • SL0: initial state. Accepts personalization commands only (and the command to switch to SL1).

  • SL1: Mifare Classic EV1 compatibility. An additional authentication with a 128-bit AES key can be performed but is not required. hf mf hardnested should work.

  • SL2: The additional authentication with a 128-bit AES key is mandatory before Mifare Classic commands can be used.

  • SL3: Mifare Plus command set and ISO14443-4 protocol only.

You didn't tell us in which Security Level your Mifare Plus chip is configured. If in doubt, try hf 14a reader.


#6 2017-01-15 23:50:05

ericlam2728
Contributor
Registered: 2015-09-26
Posts: 34

Re: Can't find any keys at all for mifare 1k plus

When I use the search command I get:

UID : 4b b4 d9 49
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

Valid ISO14443A Tag Found - Quiting Search

When I try using a normal nested/darkside command it returns

Card is not vulnerable to Darkside attack (its random number generator is not predictable).


#7 2017-01-16 08:17:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Can't find any keys at all for mifare 1k plus

If you have one key, you can try and use the hardnested attack.


#8 2017-02-09 19:49:18

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: Can't find any keys at all for mifare 1k plus

Looks like the Mifare function only tries out known passwords. Am I correct?

Last edited by Go_tus (2017-02-09 19:49:35)
