Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2017-03-24 09:51:00

grk
Contributor
Registered: 2017-03-23
Posts: 4

Close to clone Mifare TAG- not vulnerable to nested and dark attack

Hello

I bought a Proxmark3 some weeks ago as I would like to clone a Mifare tag.

This is a very new Intratone Cogelec Mifare tag which is not vulnerable to the nested attack.
https://www.intratone.fr/produits-services/controle-d-acces/314-badge-de-proximite-electronique.html

1) I flashed it with the Iceman firmware

pm3 --> hw ver
[[[ Cached information ]]]

Proxmark3 RFID instrument
bootrom: iceman/master/v1.1.0-1858-g76c0ec0 2017-01-27 16:43:12
os: iceman/master/v1.1.0-1858-g76c0ec0 2017-01-27 16:43:17
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 215531 bytes (82%). Free: 46613 bytes (18%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

2) I got the first key A for this Intratone tag by snooping the communication between reader and tag (four times to get the full communication :-)) and then got key A with Crapto1Gui.

3) Tried the nested attack, but it is not vulnerable

pm3 --> hf mf nested 1 3 A 484558414354 d
Testing known keys. Sector count=16
Time to check 6 known keys: 5619 ticks 6 seconds

enter nested...
Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).

4) I used the hardnested attack with my known key A to get key B for all sectors, and finally got all the keys.

I put the keys in mf_default_keys.lua and ran the script mfkeys.lua to generate the dumpkeys.bin file.

pm3 --> script run mfkeys.lua
--- Executing: ./scripts/mfkeys.lua, args''
Found a NXP MIFARE CLASSIC 1k | Plus 2k tag
Testing block 3, keytype 0, with 16 keys
Testing block 3, keytype 1, with 16 keys
Testing block 7, keytype 0, with 16 keys
.......
Testing block 55, keytype 0, with 16 keys
Testing block 55, keytype 1, with 16 keys
Testing block 59, keytype 0, with 16 keys
Testing block 59, keytype 1, with 16 keys
Testing block 63, keytype 0, with 16 keys
Testing block 63, keytype 1, with 16 keys

(I removed the found key B from the display below as they are unique to my tag and I don't want to put them on the internet)

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|001|  484558414354  | 1 |  ------------  | 1 |
|002|  484558414354  | 1 |  ------------  | 1 |
|003|  484558414354  | 1 |  ------------  | 1 |
|004|  484558414354  | 1 |  ------------  | 1 |
|005|  484558414354  | 1 |  ------------  | 1 |
|006|  484558414354  | 1 |  ------------  | 1 |
|007|  484558414354  | 1 |  ------------  | 1 |
|008|  484558414354  | 1 |  ------------  | 1 |
|009|  484558414354  | 1 |  ------------  | 1 |
|010|  484558414354  | 1 |  ------------  | 1 |
|011|  484558414354  | 1 |  ------------  | 1 |
|012|  484558414354  | 1 |  ------------  | 1 |
|013|  484558414354  | 1 |  ------------  | 1 |
|014|  484558414354  | 1 |  ------------  | 1 |
|015|  484558414354  | 1 |  ------------  | 1 |
|016|  484558414354  | 1 |  484558414354  | 1 |
|---|----------------|---|----------------|---|
Do you wish to save the keys to dumpfile? [y]/[n] ?y
Select a filename to store to (default: dumpkeys.bin )


5) I dumped my original Tag
pm3 --> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
....
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Successfully read block  0 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector  0.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector  0.
....
#db# READ BLOCK FINISHED
Successfully read block  0 of sector 15.
#db# READ BLOCK FINISHED
Successfully read block  1 of sector 15.
#db# READ BLOCK FINISHED
Successfully read block  2 of sector 15.
#db# READ BLOCK FINISHED
Successfully read block  3 of sector 15.
Dumped 64 blocks (1024 bytes) to file dumpdata.bin

6) I restored it to my Chinese UID-modifiable S50 card and copied block 0 (with the UID) from the original tag to my Chinese card.

pm3 --> hf mf restore
Restoring dumpdata.bin to card
Writing to block   0: XX XX XX XX XX 88 04 00 XX XX XX XX XX XX XX XX
#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block   1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block   2: 00 00 00 00 00 00 00 00 00 00 00 00 XX 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
.....
isOk:01
Writing to block  63: 48 45 58 41 43 54 XX XX XX XX XX XX XX XX XX
#db# WRITE BLOCK FINISHED

7) I copied block 0 (put XX instead of the real numbers)

Read sector 0 (put XX instead of real numbers)
pm3 --> hf mf rdsc 0 A 484558414354
--sector no:0 key type:A key:48 45 58 41 43 54

#db# READ SECTOR FINISHED
isOk:01
data   : XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00
trailer: 00 00 00 00 00 00 71 E7 88 00 00 00 00 00 00 00

pm3 --> hf mf csetblk 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
--block number: 0 data:XX XX XX XX XX XX XX XX XX XX XX XX

8) The two tags look the same

original tag
pm3 --> hf 14a read
UID : 5B 1D CF 2A
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO

Cloned tag
pm3 --> hf 14a read
UID : 5B 1D CF 2A
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES

When I compare the dump from the original tag and the dump from the Chinese card they are exactly the same (I compared them with the 010 Editor software).

I tried my clone with the reader and I get a solid red light. It does not work :-(

Do you know the reason why it does not work while the two dumps are exactly the same?


#2 2017-03-24 10:24:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Close to clone Mifare TAG- not vulnerable to nested and dark attack

Good, you did your homework.
I suspect this system has magic gen1 detection in its readers.
In your sniff log, see if the reader sends some non-standard commands during anti-collision. This will be quite easy to see.

Next time you can use the tools in /tools/mfkey/ instead of Crapto1Gui.


#3 2017-03-24 11:16:38

grk
Contributor
Registered: 2017-03-23
Posts: 4

Re: Close to clone Mifare TAG- not vulnerable to nested and dark attack

Hi Iceman,

I'm not an expert in RFID protocols. I can send you the traces I got with the full communication.

I prefer not to post it directly on the forum as there could be some IDs in the communication that could clearly identify my tag (the UID or maybe other IDs).

I think tag security vendors might look at your forum :-)

Can I send it to you by mail or post it on an FTP/web site?

Thanks so much for your help


#4 2017-03-24 11:32:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Close to clone Mifare TAG- not vulnerable to nested and dark attack

You can ghostbin it. My email is easy to find.

And yes, the RFID vendors and police people do monitor this forum; I'm surprised people don't understand that.
Usually they pretend to know and want help with a tag. They want to know if the RFID sec people have a weakness for their product.
They want to know if they can make copies, when needed.

And no, it's not my forum. I'm just an admin, I don't run this show.


#5 2017-03-24 14:12:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Close to clone Mifare TAG- not vulnerable to nested and dark attack

OK,
not the best trace. No obvious calls of magic backdoor commands.
However it tries to authenticate A block 0; the question is if it tries to write or read?!..

Since you scrubbed your UID, I can't decode it for you. You'll need to use mfkey64 and decode the following command..

ser@ubuntu:~/proxmark3/tools/mfkey$ ./mfkey64
MIFARE Classic key recovery - based 64 bits of keystream
Recover key from only one complete authentication!

 syntax: ./mfkey64 <uid> <nt> <{nr}> <{ar}> <{at}> [enc...]

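Added example, not code from the thread or from the Proxmark3 project: a small Python parser for a trace in the column layout of `hf list 14a` (the format is an assumption) that does the two things iceman asks for in #2 and #5: it lists plaintext reader commands sent before the first AUTH that a normal reader would not send (the gen1 magic backdoor is a 7-bit 0x40 followed by 0x43), and it extracts uid, nt, {nr}, {ar} and {at} for the mfkey64 syntax printed above, appending the encrypted frames that follow as the optional `enc` arguments. The sample traces are constructed: only the UID is the one quoted in the thread; nonces, the encrypted read and the SELECT CRC bytes are invented.

```python
"""Parse a Proxmark3-style ISO14443A trace, flag non-standard plaintext
reader commands during anti-collision, and build the mfkey64 command line."""
import re

# One trace line: start | end | src | data | crc | annotation.
# Imitates `hf list 14a` output; this column layout is an assumption.
LINE_RE = re.compile(r'^\s*\d+\s*\|\s*\d+\s*\|\s*(Rdr|Tag)\s*\|([^|]*)\|')

# Plaintext commands a normal reader issues before the first AUTH:
# REQA, WUPA, anticollision/select cascade levels, HALT, AUTH A/B, RATS.
NORMAL_PRE_AUTH = {0x26, 0x52, 0x93, 0x95, 0x97, 0x50, 0x60, 0x61, 0xE0}
GEN1_BACKDOOR = {0x40, 0x43}   # 7-bit 0x40 then 0x43 unlocks gen1 magic cards

# Constructed sample, not a capture from the thread. UID as quoted above;
# nonces, encrypted bytes and the SELECT CRC (11 22) are made up.
CLEAN_TRACE = """\
      Start |        End | Src | Data (! denotes parity error)       | CRC | Annotation
------------|------------|-----|-------------------------------------|-----|-----------
          0 |        992 | Rdr | 52(7)                               |     | WUPA
       2228 |       4596 | Tag | 04  00                              |     |
       7040 |       9504 | Rdr | 93  20                              |     | ANTICOLL
      10676 |      16500 | Tag | 5b  1d  cf  2a  a3                  |     |
      19200 |      29696 | Rdr | 93  70  5b  1d  cf  2a  a3  11  22  |     | SELECT_UID
      30868 |      34420 | Tag | 08  b6  dd                          |  ok |
      37632 |      42304 | Rdr | 60  00  f5  7b                      |  ok | AUTH-A(0)
      43476 |      48180 | Tag | 8c  3f  a2  19                      |     | AUTH: nt
      51200 |      60544 | Rdr | 12  34  56  78  9a  bc  de  f0      |     | AUTH: nr ar (enc)
      61716 |      66420 | Tag | 0f  1e  2d  3c                      |     | AUTH: at (enc)
      70000 |      74000 | Rdr | 7f  a3  11  c4                      |     | ?
"""
# Constructed: what a gen1 unlock sequence would look like in the same layout.
GEN1_TRACE = """\
          0 |        992 | Rdr | 50  00  57  cd                      |  ok | HALT
       2000 |       3000 | Rdr | 40(7)                               |     | MAGIC WUPC1
       4000 |       5000 | Rdr | 43                                  |     | MAGIC WUPC2
"""

def parse_trace(text):
    """Return [(src, raw_bytes, is_short_frame), ...] in trace order."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # header, ruler, blank
        tokens = m.group(2).split()
        short = any('(' in t for t in tokens)      # "52(7)" marks a 7-bit frame
        raw = bytes(int(t.split('(')[0].rstrip('!'), 16) for t in tokens)
        frames.append((m.group(1), raw, short))
    return frames

def suspicious_reader_frames(frames):
    """Reader frames sent in the clear before AUTH that are not standard."""
    odd = []
    for src, raw, _short in frames:
        if src != 'Rdr' or not raw:
            continue
        if raw[0] in (0x60, 0x61):
            break                                  # everything after is encrypted
        if raw[0] in GEN1_BACKDOOR or raw[0] not in NORMAL_PRE_AUTH:
            odd.append(raw.hex())
    return odd

def extract_auth(frames):
    """uid (from anticollision, BCC checked), nt, {nr}, {ar}, {at} and the
    encrypted frames that follow, for the first authentication in the trace."""
    uid = None
    for i, (src, raw, _short) in enumerate(frames):
        if src == 'Rdr' and raw[:2] == b'\x93\x20' and i + 1 < len(frames):
            reply = frames[i + 1][1]
            if frames[i + 1][0] == 'Tag' and len(reply) == 5:
                if reply[0] ^ reply[1] ^ reply[2] ^ reply[3] != reply[4]:
                    raise ValueError('BCC mismatch in anticollision reply')
                uid = reply[:4]
        if src == 'Rdr' and raw and raw[0] in (0x60, 0x61) and uid is not None:
            if i + 3 >= len(frames):
                raise ValueError('trace ends inside the authentication')
            (s1, nt, _), (s2, nr_ar, _), (s3, at, _) = frames[i + 1:i + 4]
            if (s1, s2, s3) != ('Tag', 'Rdr', 'Tag') or \
                    (len(nt), len(nr_ar), len(at)) != (4, 8, 4):
                raise ValueError('authentication frames out of shape')
            return {
                'keytype': 'A' if raw[0] == 0x60 else 'B', 'block': raw[1],
                'uid': uid.hex(), 'nt': nt.hex(),
                'nr': nr_ar[:4].hex(), 'ar': nr_ar[4:].hex(), 'at': at.hex(),
                'enc': [f[1].hex() for f in frames[i + 4:]],
            }
    raise ValueError('no complete authentication after a valid select')

def mfkey64_cmdline(auth):
    """Matches the syntax mfkey64 prints: uid nt {nr} {ar} {at} [enc...]."""
    return ' '.join(['./mfkey64', auth['uid'], auth['nt'], auth['nr'],
                     auth['ar'], auth['at']] + auth['enc'])

if __name__ == '__main__':
    frames = parse_trace(CLEAN_TRACE)
    print('odd reader frames:', suspicious_reader_frames(frames))
    print(mfkey64_cmdline(extract_auth(frames)))
    print('gen1 trace odd frames:', suspicious_reader_frames(parse_trace(GEN1_TRACE)))
```

Only the plaintext part of the session can be judged from the trace; once the AUTH command goes out, the reader's read or write of block 0 is ciphertext, which is exactly why the key has to be recovered first and the trailing frames handed to mfkey64 for decryption.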

#6 2017-03-24 16:25:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Close to clone Mifare TAG- not vulnerable to nested and dark attack

Well, the one command I got looks like a normal read block 0 command. Would need a better trace from the beginning.


#7 2017-11-30 15:12:01

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Close to clone Mifare TAG- not vulnerable to nested and dark attack

I am testing the write-once cards on an Int**tone system in the next couple of weeks.
The original shows 88 as the SAK in block 0 whereas the SAK is really 08,
so I will write two fobs, one exactly as the original with 88 and one where I will change block 0 to 08.
If neither works then it will show that the reader tests for the original SAK, which magic cards don't have.
I'll keep you posted.

Last edited by Onisan (2017-11-30 15:21:31)

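Added example, not code from the thread or from the Proxmark3 project: the checks worth running on the two dump files before concluding, as in #1, that "the two dumps are exactly the same" tells the whole story. It diffs two 1K images block by block, decodes the manufacturer block (UID, BCC, SAK, ATQA), verifies that every sector trailer's access bits are self-consistent, and reports where block 0 disagrees with what `hf 14a read` answered over the air, which is the 88-vs-08 discrepancy Onisan points out in #7. The two images are constructed in code: the UID, ATQA, key A and sector-0 access bits are the values quoted in the thread; the manufacturer bytes and key B are placeholders.

```python
"""Diff two Mifare Classic 1K dumps and check block 0 against the card's
over-the-air identity (SAK/ATQA as printed by `hf 14a read`)."""

BLOCK_LEN, BLOCKS_1K = 16, 64

KEY_A = bytes.fromhex('484558414354')   # quoted in the thread
KEY_B = bytes.fromhex('ffffffffffff')   # placeholder, not the real key B

def build_dump(sak_in_block0):
    """Constructed 1K image; only UID/ATQA/key A/access bits come from the thread."""
    blocks = [bytearray(BLOCK_LEN) for _ in range(BLOCKS_1K)]
    uid = bytes.fromhex('5b1dcf2a')
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    blocks[0][:8] = uid + bytes([bcc, sak_in_block0]) + b'\x04\x00'  # ATQA as sent: 04 00
    blocks[0][8:] = bytes.fromhex('0102030405060708')                 # made-up manufacturer data
    blocks[2][12] = 0x09
    for n in range(3, BLOCKS_1K, 4):                                  # every sector trailer
        blocks[n][:] = KEY_A + bytes.fromhex('71e78800') + KEY_B
    return b''.join(bytes(b) for b in blocks)

ORIGINAL = build_dump(0x88)      # block 0 carries 88, as the original tag does
CLONE_SAK08 = build_dump(0x08)   # the second fob Onisan proposes to write

def split_blocks(dump):
    if len(dump) != BLOCK_LEN * BLOCKS_1K:
        raise ValueError('expected a 1024-byte 1K dump, got %d bytes' % len(dump))
    return [dump[i:i + BLOCK_LEN] for i in range(0, len(dump), BLOCK_LEN)]

def diff_dumps(a, b):
    """[(block, sector, hex_a, hex_b)] for every block that differs."""
    return [(n, n // 4, x.hex(), y.hex())
            for n, (x, y) in enumerate(zip(split_blocks(a), split_blocks(b)))
            if x != y]

def decode_block0(block0):
    """4-byte-UID layout: UID[4] BCC SAK ATQA[2] manufacturer[8]."""
    uid = block0[:4]
    return {
        'uid': uid.hex(),
        'bcc_ok': (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == block0[4],
        'sak': block0[5],
        'atqa': block0[6:8].hex(),          # transmission order, e.g. '0400'
        'manufacturer': block0[8:].hex(),
    }

def access_bits_ok(trailer):
    """Bytes 6-8 hold C1..C3 and their complements. Writing a trailer whose
    bits do not match their complements blocks the sector, so check first."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return ((b6 & 0xF) == (~c1 & 0xF) and (b6 >> 4) == (~c2 & 0xF)
            and (b7 & 0xF) == (~c3 & 0xF))

def check_against_air(block0, air_sak, air_atqa):
    """air_sak / air_atqa as `hf 14a read` prints them (ATQA MSB first: 00 04)."""
    info = decode_block0(block0)
    issues = []
    if not info['bcc_ok']:
        issues.append('BCC in block 0 does not match the UID')
    if info['sak'] != air_sak:
        issues.append('block 0 SAK %02x != SAK answered over the air %02x'
                      % (info['sak'], air_sak))
    if info['atqa'] != air_atqa[::-1].hex():
        issues.append('block 0 ATQA %s != ATQA answered over the air %s'
                      % (info['atqa'], air_atqa.hex()))
    return issues

if __name__ == '__main__':
    blocks = split_blocks(ORIGINAL)
    print(decode_block0(blocks[0]))
    print('trailers consistent:', all(access_bits_ok(blocks[n]) for n in range(3, 64, 4)))
    print('original vs clone:', diff_dumps(ORIGINAL, CLONE_SAK08))
    print(check_against_air(blocks[0], 0x08, bytes.fromhex('0004')))
```

A byte-identical dump proves only that the memory contents match; the SAK and ATQA a card answers during anti-collision, and the response to the gen1 backdoor that `hf 14a read` reports as "Answers to magic commands", are not part of the dump, and those are what a reader that fingerprints magic cards can see.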
