Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2018-04-07 18:55:06

draser
Contributor
Registered: 2018-03-29
Posts: 6

Mifare classic 4k | Plus 4k SL1

Hello,

I would like to find the keys of a Mifare classic 4k | Plus 4k SL1. I found the key of sector 0 through a dark side attack, using the command:

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
........................Found a possible key. Trying to authenticate...

Found valid key:000000000000

Then I try to use the hardnested attack:

proxmark3> hf mf hardnested 0 A 000000000000 52 A

--target block no: 52, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
Using AVX2 SIMD core.



time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 8 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 1112 million (2^30.1) keys/s     | 140737488355328 |   35h
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   35h
       4 |     112 | Apply bit flip properties                               |    119943102464 |  2min
       5 |     224 | Apply bit flip properties                               |     49209499648 |   44s
       6 |     336 | Apply bit flip properties                               |     34467893248 |   31s
       7 |     447 | Apply bit flip properties                               |     23625703424 |   21s
       8 |     557 | Apply bit flip properties                               |     22416168960 |   20s
       9 |     669 | Apply bit flip properties                               |     19311689728 |   17s
      10 |     779 | Apply bit flip properties                               |     18435229696 |   17s
      11 |     819 | Apply bit flip properties                               |     18435229696 |   17s
      12 |     930 | Apply bit flip properties                               |     18095204352 |   16s
      13 |    1040 | Apply bit flip properties                               |     18095204352 |   16s
      14 |    1111 | Apply bit flip properties                               |     16657317888 |   15s
      14 |    1194 | Apply bit flip properties                               |     16657317888 |   15s
      14 |    1306 | Apply bit flip properties                               |     16657317888 |   15s
      15 |    1404 | Apply bit flip properties                               |     16657317888 |   15s
      16 |    1515 | Apply bit flip properties                               |     16657317888 |   15s
      17 |    1627 | Apply bit flip properties                               |     16657317888 |   15s
      18 |    1739 | Apply bit flip properties                               |     16657317888 |   15s
      19 |    1835 | Apply bit flip properties                               |     16657317888 |   15s
      21 |    1947 | Apply Sum property. Sum(a0) = 128                       |      1086200704 |    1s
      22 |    2051 | Apply bit flip properties                               |      1086200704 |    1s
      22 |    2145 | Apply bit flip properties                               |      1086200704 |    1s
      23 |    2246 | Apply bit flip properties                               |      1086200704 |    1s
      24 |    2246 | (Ignoring Sum(a8) properties)                           |      1086200704 |    1s
      26 |    2246 | Starting brute force...                                 |      1086200704 |    1s
      37 |    2246 | Brute force phase completed. Key found: b5ff67cba951    |               0 |    0s

However, the key b5ff67cba951 doesn't work. Am I doing anything wrong?

---------------------------------------
VERSION AND CARD INFO
---------------------------------------

proxmark3> hw version
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-353-gb24930c-dirty-suspect 2018-03-26 14:08:44
os: master/v3.0.1-353-gb24930c-dirty-suspect 2018-03-26 14:08:55
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 197081 bytes (75%). Free: 65063 bytes (25%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hf 14a info
UID : ba da 08 44
ATQA : 00 02
SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK


#2 2018-04-07 19:25:29

draser
Contributor
Registered: 2018-03-29
Posts: 6

Re: Mifare classic 4k | Plus 4k SL1

When I try to read a sector I get...


proxmark3> hf mf rdsc 15 A B5FF67CBA951
--sector no:15 key type:A key:b5 ff 67 cb a9 51

#db# Cmd Error: 04
#db# Read sector 15 block  0 error
#db# READ SECTOR FINISHED
isOk:00


#3 2018-04-08 15:43:54

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare classic 4k | Plus 4k SL1

Well, this is not a big surprise. You are trying to read block 60 with the key of block 52.

If hf mf mifare worked, then you should be able to use hf mf nested to get the rest of the keys.


#4 2018-04-08 19:43:44

draser
Contributor
Registered: 2018-03-29
Posts: 6

Re: Mifare classic 4k | Plus 4k SL1

I forgot to mention that I get the same key for block 60 and block 52.
I used the nested attack in order to find all keys, basically. The result is:



|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  000000000000  | 1 |  b5ff67cba951  | 1 |
|001|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|002|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|003|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|004|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|005|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|006|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|007|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|008|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|009|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|010|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|011|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|012|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|013|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|014|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|015|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|016|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|017|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|018|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|019|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|020|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|021|  b5ff67cba951  | 1 |  b5ff67cba951  | 1 |
|022|  1fafd60c24a1  | 1 |  8d36d2bdd9bc  | 1 |
|023|  5e7a9953fb50  | 1 |  d6fb1134a39e  | 1 |
|024|  3ea64a8e9f79  | 1 |  156cd527b857  | 1 |
|025|  bd07c5052d9c  | 1 |  423c12076ed6  | 1 |
|026|  40f6be2dbd60  | 1 |  bd98c363bd90  | 1 |
|027|  9a42b30b62b7  | 1 |  df3bdbdec3c3  | 1 |
|028|  67864df34824  | 1 |  a014d08b8f32  | 1 |
|029|  15588353f89f  | 1 |  506b21adce7a  | 1 |
|030|  7663fa8edfa2  | 1 |  c464b7a90d6d  | 1 |
|031|  4946321dc9ac  | 1 |  c4a69a91f2e9  | 1 |
|032|  f25c2303d115  | 1 |  f09afd2ebad9  | 1 |
|033|  95f4ebf12e5f  | 1 |  9f98ae18b58c  | 1 |
|034|  9c4f2cf9f0af  | 1 |  56c3f2a0f913  | 1 |
|035|  19ce022aa276  | 1 |  f32ac3a2140e  | 1 |
|036|  ea57d3b7c7c3  | 1 |  95ffe6adb1b1  | 1 |
|037|  492a8f290ff3  | 1 |  3975decdcd5f  | 1 |
|038|  4d8648c957be  | 1 |  3f79c430b8d0  | 1 |
|039|  6eb3f2d89b35  | 1 |  145faf0ced41  | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...


However, when I try to read any sector from 1 to 21, I get the following error. For all the remaining sectors, the keys work great. Is it even possible that the access conditions don't allow us to read a sector? I had the idea that they only forbid writing to specific blocks of the sector. So my guess is that the key is the right one, but why can't I read the sector?



proxmark3> hf mf rdsc 10 A  b5ff67cba951
--sector no:10 key type:A key:b5 ff 67 cb a9 51

#db# Cmd Error: 04
#db# Read sector 10 block  0 error
#db# READ SECTOR FINISHED
isOk:00


#5 2018-04-09 11:49:31

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare classic 4k | Plus 4k SL1

Can you please try the read block command on each of the sector's blocks?
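
An added example, not part of the thread or of the Proxmark3 code base: the sector/block numbering behind the "block 60 vs. block 52" remark, and how the three access bytes of a sector trailer decide which key may read each data block. Function names are hypothetical, the access-byte samples are constructed, and the read-permission table is the one from the NXP MIFARE Classic datasheet.

```python
# Added example: MIFARE Classic 4K sector layout and data-block read rights.
# Function names are hypothetical; access-byte samples are constructed.

# Who may READ a data block for each (C1, C2, C3) setting (NXP datasheet table).
READ_BY = {
    (0, 0, 0): "A|B", (0, 1, 0): "A|B", (1, 0, 0): "A|B", (1, 1, 0): "A|B",
    (0, 0, 1): "A|B", (0, 1, 1): "B", (1, 0, 1): "B", (1, 1, 1): "never",
}

def sector_blocks(sector):
    """Absolute block numbers of one sector; the last one is the trailer."""
    if not 0 <= sector <= 39:
        raise ValueError("a 4K card has sectors 0..39")
    if sector < 32:                      # 32 small sectors of 4 blocks
        first, count = sector * 4, 4
    else:                                # 8 large sectors of 16 blocks
        first, count = 128 + (sector - 32) * 16, 16
    return list(range(first, first + count))

def block_to_sector(block):
    """Sector that owns an absolute block number (0..255)."""
    if not 0 <= block <= 255:
        raise ValueError("a 4K card has blocks 0..255")
    return block // 4 if block < 128 else 32 + (block - 128) // 16

def decode_access(access):
    """Split trailer bytes 6..8 into four (C1, C2, C3) groups, checking the
    inverted copies the card stores alongside the real bits."""
    b6, b7, b8 = access[0], access[1], access[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    if (c1 ^ (b6 & 0x0F), c2 ^ (b6 >> 4), c3 ^ (b7 & 0x0F)) != (15, 15, 15):
        raise ValueError("access bits do not match their inverted copies")
    return [((c1 >> g) & 1, (c2 >> g) & 1, (c3 >> g) & 1) for g in range(4)]

def data_block_readers(sector, access):
    """Map each data block of a sector to the key(s) allowed to read it."""
    groups = decode_access(access)
    per_group = 1 if sector < 32 else 5  # large sectors share bits per 5 blocks
    data = sector_blocks(sector)[:-1]    # drop the sector trailer
    return {blk: READ_BY[groups[i // per_group]] for i, blk in enumerate(data)}

if __name__ == "__main__":
    print(sector_blocks(15), block_to_sector(52))            # sector 15 vs block 52
    print(data_block_readers(10, bytes.fromhex("FF0780")))   # transport setting
    print(data_block_readers(10, bytes.fromhex("EE1691")))   # constructed: block 40 unreadable
```

Because the access bits are set per block group, a read can be refused on one block of a sector while the other blocks of the same sector remain readable with the same key.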
