Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
#1 2018-01-09 16:13:03
- goseoan
- Contributor
- Registered: 2017-11-06
- Posts: 11
nxp mifare classic 0.3k hardnested attack
nxp mifare classic 0.3k I'm trying to get a key for a tag, but I do not get any results or I get an error.
hardware firmware info
Proxmark3 RFID instrument
[ ARM ]
bootrom: iceman// 2018-01-05 16:11:33
os: iceman// 2018-01-05 16:16:37
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16
[ Hardware ]
--= uC: AT91SAM7S256 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 256K bytes, Used: 235214 bytes (90%) Free: 26930 bytes (10%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 256K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memoryreader
pm3 --> hf 14a re
UID : 3E C3 69 50
ATQA : 00 04
SAK : 09 [2]
Field dropped.info
pm3 --> hf 14a info
UID : 3E C3 69 50
ATQA : 00 04
SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Prng detection: HARDEND (hardnested)fast key check
hf mf fchk 0
[+] No key specified, trying default keys
key[ 0] ffffffffffff
key[ 1] 000000000000
key[ 2] a0a1a2a3a4a5
key[ 3] b0b1b2b3b4b5
key[ 4] c0c1c2c3c4c5
key[ 5] d0d1d2d3d4d5
key[ 6] aabbccddeeff
key[ 7] 1a2b3c4d5e6f
key[ 8] 123456789abc
key[ 9] 010203040506
key[10] 123456abcdef
key[11] abcdef123456
key[12] 4d3a99c351dd
key[13] 1a982c7e459a
key[14] d3f7d3f7d3f7
key[15] 714c5c886e97
key[16] 587ee5f9350f
key[17] a0478cc39091
key[18] 533cb6c723f6
key[19] 8fd0a4f256e9
[+] Running strategy 1
[-] Chunk: 1.3s | found 7/10 keys (20)
[+] Running strategy 2
[-] Chunk: 1.2s | found 7/10 keys (20)
[+] Time in checkkeys (fast): 2.5s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ------------ | 0 | ffffffffffff | 1 |
|002| ------------ | 0 | ffffffffffff | 1 |
|003| ------------ | 0 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|response error
pm3 --> hf mf hardnested 0 A FFFFFFFFFFFF 4 A s
--target block no: 4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: Yes, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 386 million (2^28.5) keys/s | 140737488355328 | 4d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 4d
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Auth1 error
6 | 112 | Apply bit flip properties | 898558787584 | 39min
.
.
.
#db# AcquireNonces: Can't select card (UID)
196 | 19769 | Apply bit flip properties | nan | nand
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Can't select card (UID)
197 | 19846 | Apply bit flip properties | nan | nand
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth2 error len=1
Error: No response from Proxmark.I'm trying to get a key for the Mifare Classic Mini 0.3k.
I am currently working on a topic that says that other topics should be hardnested
A program debugging error , or a proxmark3 response error occurs in windows os.
The progress of the probe or nonce is then different.
I keep trying, but I have not succeeded.
Should I sniff and analyze this?
Do you have this experience or do you have any other way?
Last edited by goseoan (2018-01-09 16:16:53)
Offline
#2 2018-01-09 16:20:30
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: nxp mifare classic 0.3k hardnested attack
The "can't select card" usually indicates you have not found the swetspot for your card & antenna. try some different positions.
Also try the complete dictionary file..
hf mf fchk 0 default_keys.dicOffline
#3 2018-01-09 17:08:44
- goseoan
- Contributor
- Registered: 2017-11-06
- Posts: 11
Re: nxp mifare classic 0.3k hardnested attack
It's better to find the chip position by lighting.
Can not select card (UID) does not or does not appear.
The result using default_key.dic, including 453 keys, was the same.
hardnested attack. As a result, I know that block(sector) key is coming out.
When I read the file noces.bin, I do not see anything. XD
100% is out and the operation does not go on ... Is there a problem with my equipment?
pm3 --> hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s
--target block no: 4, target key type:A, known target key: 0x000000000000 (not set), file action: write, Slow: Yes, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 451 million (2^28.7) keys/s | 140737488355328 | 4d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 4d
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
5 | 0 | Writing acquired nonces to binary file nonces.bin | 140737488355328 | 4d
6 | 112 | Apply bit flip properties | 981710602240 | 36min
#db# AcquireNonces: Auth1 error
7 | 224 | Apply bit flip properties | 633842630656 | 23min
#db# AcquireNonces: Auth1 error
17 | 333 | Apply bit flip properties | 613532696576 | 23min
#db# AcquireNonces: Auth1 error
18 | 445 | Apply bit flip properties | 532960935936 | 20min
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
19 | 556 | Apply bit flip properties | 513494351872 | 19min
20 | 668 | Apply bit flip properties | 468561625088 | 17min
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth2 error len=1
#db# AcquireNonces: Auth1 error
21 | 780 | Apply bit flip properties | 468234502144 | 17min
#db# AcquireNonces: Auth2 error len=1
22 | 891 | Apply bit flip properties | 434515083264 | 16min
24 | 999 | Apply bit flip properties | 434136023040 | 16min
27 | 1108 | Apply Sum property. Sum(a0) = 128 | 330106372096 | 12min
#db# AcquireNonces: Can't select card (UID)
30 | 1218 | Apply bit flip properties | 347030323200 | 13min
32 | 1327 | Apply bit flip properties | 344463015936 | 13min
#db# AcquireNonces: Auth1 error
34 | 1439 | Apply bit flip properties | 41687818240 | 2min
#db# AcquireNonces: Auth2 error len=1
35 | 1547 | Apply bit flip properties | 41687818240 | 2min
#db# AcquireNonces: Auth1 error
36 | 1658 | Apply bit flip properties | 41687818240 | 2min
37 | 1769 | Apply bit flip properties | 41687818240 | 2min
#db# AcquireNonces: Auth1 error
37 | 1769 | (Ignoring Sum(a8) properties) | 41687818240 | 2min
207 | 1769 | Brute force phase: 100.00% | 27419593408512 | 17h
pm3 -->
pm3 -->
pm3 -->
pm3 --> hf mf hardnested r FFFFFFFFFFFF
--target block no: 0, target key type:A, known target key: 0xffffffffffff, file action: read, Slow: No, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 449 million (2^28.7) keys/s | 140737488355328 | 4d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 4d
4 | 0 | Reading nonces from file nonces.bin... | 140737488355328 | 4d
4 | 1792 | Read 1792 nonces from file. cuid=3ec36950 | 140737488355328 | 4d
4 | 1792 | Target Block=4, Keytype=A | 140737488355328 | 4d
BUG: known target key's even state is not member of first nonce byte's (0x3a) states_bitarray!
BUG: known target key's odd state is not member of first nonce byte's (0x3a) states_bitarray!
BUG: known target key's even state is not member of all_bitflips_bitarray!
BUG: known target key's odd state is not member of all_bitflips_bitarray!
18 | 1792 | (Ignoring Sum(a8) properties) | 41687818240 | 2min
BUG: known target key's even state is not member of first nonce byte's (0x20) states_bitarray!
BUG: known target key's odd state is not member of first nonce byte's (0x20) states_bitarray!
BUG: known target key's even state is not member of all_bitflips_bitarray!
BUG: known target key's odd state is not member of all_bitflips_bitarray!
29 | 1792 | (Test: Key NOT found) | 0 | 0s
183 | 1792 | Brute force phase: 100.00% | 36976325558272 | 23hLast edited by goseoan (2018-01-09 17:31:30)
Offline
#4 2018-01-09 17:41:57
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: nxp mifare classic 0.3k hardnested attack
What your antenna voltages? Which device are you using?
Offline
#5 2018-01-09 18:26:00
- goseoan
- Contributor
- Registered: 2017-11-06
- Posts: 11
Re: nxp mifare classic 0.3k hardnested attack
i use proxmark3 easy
pm3 --> hw tune
Measuring antenna characteristics, please wait......
# HF antenna: 25.77 V @ 13.56 MHz
# Your LF antenna is unusable.Now I reconnect and enter the command, so sum continues to increase. I will post it once again when the result comes out.
Offline
#6 2018-01-09 18:50:18
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: nxp mifare classic 0.3k hardnested attack
HF voltage looks good.
what OS are you running on?
Offline
#7 2018-01-09 19:02:04
- goseoan
- Contributor
- Registered: 2017-11-06
- Posts: 11
Re: nxp mifare classic 0.3k hardnested attack
Windows 10 Home
This is Now Status Keep Going
3422 | 2417 | Brute force phase: 64.70% | 356939857920 | 13min
3473 | 2417 | Brute force phase: 65.19% | 354279522304 | 13min
3637 | 2417 | Brute force phase: 67.41% | 342332702720 | 13min
3646 | 2417 | Brute force phase: 69.64% | 330342957056 | 12min
3832 | 2417 | Brute force phase: 71.57% | 319969165312 | 12min
3871 | 2417 | Brute force phase: 78.94% | 280268701696 | 10min
3922 | 2417 | Brute force phase: 79.41% | 277731606528 | 10min
4009 | 2417 | Brute force phase: 82.63% | 260368138240 | 10min
4075 | 2417 | Brute force phase: 84.80% | 248707219456 | 9min
4087 | 2417 | Brute force phase: 90.22% | 219528396800 | 8min
4142 | 2417 | Brute force phase: 90.84% | 216205623296 | 8min
4316 | 2417 | Brute force phase: 93.89% | 199774830592 | 7min
4371 | 2417 | Brute force phase: 99.40% | 170063790080 | 6min
4398 | 2417 | Brute force phase: 100.00% | 166852722688 | 6min
4398 | 2417 | (9. guess: Sum(a8) = 152) | 308918190080 | 11min
4411 | 2417 | Apply Sum(a8) and all bytes bitflip properties | 232743239680 | 9min
4454 | 2417 | Brute force phase: 11.11% | 230748209152 | 9min
4463 | 2417 | Brute force phase: 35.55% | 226362310656 | 8min
4469 | 2417 | Brute force phase: 50.03% | 223763021824 | 8min
4497 | 2417 | Brute force phase: 60.89% | 221814046720 | 8min
4510 | 2417 | Brute force phase: 85.09% | 217470746624 | 8min
4517 | 2417 | Brute force phase: 100.00% | 214793814016 | 8min
4517 | 2417 | (10. guess: Sum(a8) = 136) | 535258693632 | 20min
4529 | 2417 | Apply Sum(a8) and all bytes bitflip properties | 140712591360 | 5minIt is positive that it is proceeding.
Offline
#8 2018-01-09 20:22:59
- goseoan
- Contributor
- Registered: 2017-11-06
- Posts: 11
Re: nxp mifare classic 0.3k hardnested attack
cool get key thanks
Offline
#9 2018-01-11 15:44:24
- Heru
- Contributor
- Registered: 2017-10-08
- Posts: 78
Re: nxp mifare classic 0.3k hardnested attack
How do I get this updated? mine shows 2015 despite installed the latest master
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50Offline
#10 2018-01-11 16:44:45
- Skeltek
- Contributor
- Registered: 2017-12-31
- Posts: 19
Re: nxp mifare classic 0.3k hardnested attack
Weird, I just stumbled upon that 30 seconds ago too, while trying to figure out why my emulation doesnt work. Ill write something here if I find anything.
Offline
Pages: 1