Proxmark developers community


#1 2018-07-08 21:42:09

JohnDoePM
Contributor
Registered: 2018-07-08
Posts: 2

Trying to dump/clone MIFARE Classic 4k

Hi everyone, and thanks Iceman for granting write permissions!

As this is (after the introduction) my first post, please try to be patient ... ;-)
I've owned a PM3 RDV2 for a few days. I've followed the wiki and flashed the latest GitHub version to the device:

Prox/RFID mark3 RFID instrument          
bootrom: master/v3.0.1-377-gfdee1ff-suspect 2018-07-07 13:40:18
os: master/v3.0.1-377-gfdee1ff-suspect 2018-07-07 13:40:19
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59
          
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 201676 bytes (38%). Free: 322612 bytes (62%).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory  

Now, as a first step, I'm trying to find keys for that card:

proxmark3> hf search
          
 UID : ** d* *b a*           
ATQA : 00 02          
 SAK : 18 [2]          
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1          
proprietary non iso14443-4 card found, RATS not supported          
No chinese magic backdoor command detected          
Prng detection: HARDENED (hardnested)          

Valid ISO14443A Tag Found - Quiting Search

I've searched the forum a bit and read this and that topic.

First I tried

proxmark3> hf mf hardnested 0 A a0a1a2a3a4a5 4 A
--target block no:  4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0           
Using AVX SIMD core.          


          
 time    | #nonces | Activity                                                | expected to brute force          
         |         |                                                         | #states         | time           
------------------------------------------------------------------------------------------------------          
       0 |       0 | Start using 4 threads and AVX SIMD core                 |                 |          
       0 |       0 | Brute force benchmark: 236 million (2^27,8) keys/s      | 140737488355328 |    7d          
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    7d          
       6 |     112 | Apply bit flip properties                               |  10427863924736 |   12h          
       7 |     224 | Apply bit flip properties                               |   8847993339904 |   10h          
       8 |     336 | Apply bit flip properties                               |   8513965785088 |   10h          
       9 |     447 | Apply bit flip properties                               |   8412162162688 |   10h          
      10 |     557 | Apply bit flip properties                               |   8412162162688 |   10h          
      10 |     665 | Apply bit flip properties                               |   8378623459328 |   10h          
      11 |     775 | Apply bit flip properties                               |   8378623459328 |   10h          
      12 |     884 | Apply bit flip properties                               |   8378623459328 |   10h          
      13 |     993 | Apply bit flip properties                               |   8378623459328 |   10h          
      15 |    1105 | Apply Sum property. Sum(a0) = 0                         |    142307000320 | 10min          
      15 |    1216 | Apply bit flip properties                               |    142307000320 | 10min          
      16 |    1325 | Apply bit flip properties                               |    142307000320 | 10min          
      17 |    1436 | Apply bit flip properties                               |    122364919808 |  9min          
      18 |    1544 | Apply bit flip properties                               |    117800845312 |  8min          
      18 |    1655 | Apply bit flip properties                               |    114275516416 |  8min          
      19 |    1762 | Apply bit flip properties                               |    113346232320 |  8min          
      20 |    1872 | Apply bit flip properties                               |    113346232320 |  8min          
      21 |    1982 | Apply bit flip properties                               |    113346232320 |  8min          
      22 |    2090 | Apply bit flip properties                               |    112378781696 |  8min          
      23 |    2199 | Apply bit flip properties                               |    112103956480 |  8min          
      24 |    2308 | Apply bit flip properties                               |    112103956480 |  8min          
      24 |    2413 | Apply bit flip properties                               |    111876759552 |  8min          
      25 |    2413 | (1. guess: Sum(a8) = 0)                                 |    111876759552 |  8min          
      31 |    2413 | Apply Sum(a8) and all bytes bitflip properties          |     24139712512 |  2min          
     236 |    2413 | Brute force phase completed. Key found: ffffffffffff    |               0 |    0s          
proxmark3> 

Unfortunately, that useless key didn't help me with

proxmark3> hf mf chk 0 A ffffffffffff default_keys.dic
chk key[ 0] ffffffffffff          
chk custom key[ 1] ffffffffffff          
chk custom key[ 2] 000000000000          
chk custom key[ 3] a0a1a2a3a4a5          
chk custom key[ 4] b0b1b2b3b4b5          
chk custom key[ 5] c0c1c2c3c4c5          
chk custom key[ 6] d0d1d2d3d4d5          
chk custom key[ 7] aabbccddeeff          
chk custom key[ 8] 4d3a99c351dd          
chk custom key[ 9] 1a982c7e459a        
...
chk custom key[474] 6a1987c40a21          
chk custom key[475] 7f33625bc129          
chk custom key[476] de1fcbec764b          

Found valid key:[0:A]a0a1a2a3a4a5          
          
proxmark3> 

with the keyfile from Iceman's repository.
Is the only way to gather valid keys to snoop/sniff the interactions of the card with the reader?
Best regards,

JD.
