Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-04-26 17:13:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Decapping Mifare 1k w new prng?

Hey 0xFFFF,

since you decapped a iclass tag,  how about you do one of these?  Mifare s50 1k w hardend prng?

Maybe its useful for someone?

Offline

#2 2017-04-27 00:40:00

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Decapping Mifare 1k w new prng?

Never considered looking at the newer S50.
I doubt that I have any on hand.

Any suggestions on a good (cheap) supplier to obtain a few from?

Offline

#3 2017-04-28 14:50:34

kwx
Contributor
Registered: 2013-11-26
Posts: 46

Re: Decapping Mifare 1k w new prng?

Hey mate -
I could probably get some from our factory. I could get them doped, or maybe even un-doped, right off the wafer..
Let me know what you'd prefer.

Offline

#4 2017-04-28 15:29:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Decapping Mifare 1k w new prng?

...the documents describing the wafer? wink

Offline

#5 2017-04-28 16:44:43

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Decapping Mifare 1k w new prng?

Most probably this would be a waste of time because there will be no PRNG at all. NXP claims that their Mifare Classic EV1 has a True RNG. A True RNG would be made of a noisy PN junction and an amplifier. Reverse engineering wouldn't help.

Offline

#6 2017-04-28 17:04:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Decapping Mifare 1k w new prng?

...claiming or knowing, such a difference

Offline

#7 2017-05-01 01:15:23

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Decapping Mifare 1k w new prng?

kwx - Message sent.

piwi wrote:

...NXP claims that their Mifare Classic EV1 has a True RNG...

iceman wrote:

...claiming or knowing, such a difference

I'm willing to bet that you're right piwi but until someone can confirm either way, we can't be absolutely certain.

Offline

#8 2017-05-04 10:30:37

kwx
Contributor
Registered: 2013-11-26
Posts: 46

Re: Decapping Mifare 1k w new prng?

0xFFFF wrote:

kwx - Message sent.

piwi wrote:

...NXP claims that their Mifare Classic EV1 has a True RNG...

iceman wrote:

...claiming or knowing, such a difference

I'm willing to bet that you're right piwi but until someone can confirm either way, we can't be absolutely certain.

Let me know specifically what you'd want or need, and I'll chat with my suppliers.
I'm pretty sure I could get you undoped chips right off the wafer (probably with the UID unfused as well.)

Offline

#9 2017-05-19 00:24:38

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Decapping Mifare 1k w new prng?

Update:

I have been trying to arrange a suitable time to visit a lab. Time and money have been preventing me from getting this done sooner.

Offline

#10 2017-05-22 01:22:25

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Decapping Mifare 1k w new prng?

Some photos. Not very useful at this stage...
20170516_212711_920_s.png
20170516_213726_458_s.jpg

Offline

#11 2017-05-22 07:06:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Decapping Mifare 1k w new prng?

its a start!

Offline

#12 2017-05-22 07:47:21

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Decapping Mifare 1k w new prng?

Thanks. I suppose it is.
Not having much fun at all. I swapped the camera module on my microscope and something has gone horribly wrong. My X axis has stopped working and focus hasn't been 100%. The table appears to have been knocked out of alignment. Very frustrating!

I've been talking to a few labs to try and arrange access to an SEM. As much as I'd like to go ahead with this, I can't justify the expense.
A new microscope is first on my list which is more that I can afford right now.

Offline

#13 2017-05-22 19:41:46

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: Decapping Mifare 1k w new prng?

So in the case does NXP claim these cards are compatible with all CRYPTO1 implementations but will not be vulnerable to nested or hard-nested?

Didn't the original paper which showed hard nested attack theory show that there were vulnerabilities besides the PRNG that could be exploited?  Does anyone know if the EV1 is out yet and this can be looked at?

Offline

#14 2017-05-22 19:46:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Decapping Mifare 1k w new prng?

those pics 0xFFFF has, should be Mifare Classic EV1 dies...

Offline

#15 2017-05-22 23:58:46

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Decapping Mifare 1k w new prng?

my_fair_cats_sick wrote:

So in the case does NXP claim these cards are compatible with all CRYPTO1 implementations but will not be vulnerable to nested or hard-nested?

I have not looked in to the vulnerabilities just yet.
The Classic EV1 'behaves' the same way as the older S50s.
7 Byte UID version supports random UIDs.
True random number generator.
The 4 Byte version appears to be a non unique UID.

my_fair_cats_sick wrote:

Didn't the original paper which showed hard nested attack theory show that there were vulnerabilities besides the PRNG that could be exploited?

I have not looked in to this.

my_fair_cats_sick wrote:

Does anyone know if the EV1 is out yet and this can be looked at?

See photos above.
They are terrible but you can just make out that the die is a S50 EV1.
7MF1S50XV0A

I would like to get a 4 Byte and a 7 Byte card.

Offline

#16 2017-05-25 09:52:42

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Decapping Mifare 1k w new prng?

Mifare Classic EV1 is out since years. You most probably get one if you order "Mifare Classic" today. Compared to the old Mifare Classic  it has a true RNG instead of the broken PRNG but otherwise no difference. Which means that it still should work for all applications but the attacks based on the broken PRNG (Darkside, "nested") won't work any more. "Hardnested" however does work.

Offline

Board footer

Powered by FluxBB