Proxmark3 community


#1 2011-02-27 20:39:01

pwned
Member
Registered: 2011-01-27
Posts: 6

Help on identify parameters

I've got a snoop from a Mifare Classic but I can't figure out more than the UID.

 +   1510:    :     93  20    
 +   2520:    :     93  70  8c  70  2a  69  bf  cc  f1    
 +  10407:    :     61  00  2d  62    
 +   1936:    :     c1  09  22  ee  7b  55  5d  40      !crc
 +   3831:    :     61  80  b8  79      !crc
 +   2864:    :     8a  59  92  ac      !crc
 +   2942:    :     d0  c4  5a  ed      !crc
 +   7640:    :     fc  7e  7b  8b      !crc
 +   1951:    :     bd  b8  30  eb  b5  45  87  06      !crc
 +    313:   0: TAG 02    
 +   1439:    :     13  63  9d  42      !crc
 +   2904:    :     88  df  85  73      !crc
 +     80:   0: TAG d2! 55  20  15! 67  31! 3a  ef! 81  bb  b2  92! c8  74! 8b! d6! 07! eb!     !crc
 +   2783:    :     61  04  ca  be      !crc
 +   9742:    :     48  89  4b  4d      !crc
 +    112:   0: TAG 65! 26  dc  99    
 +   1824:    :     a0  8b  b5  b2  55  f1  12  39      !crc
 +   1816:    :     8a  f1  03  b4      !crc
 +     72:   0: TAG e5  25! 40! c7! 7c  0c! d1  28! b7! f5  34  77! 67! f0! fa  e4  85  35      !crc
 +   4439:    :     0a  83  b9  b3      !crc
 +     72:   0: TAG 58  81! b9  04  0f! 82  dc  4b! 4d  fc! 2f! ec! 58! 62  f6! fb  ac  ee      !crc
 +  16333:    :     27  29  96  85      !crc
 +    136:   0: TAG 3d! 82  10! 33!   
 +   1800:    :     df  9c  52  4a  9b  11  e9  a4      !crc
 +     64:   0: TAG 50! 85! 9f! 96!   
 +   3143:    :     89  9b  e9  a1      !crc
 +   4655:    :     2a  17  a2  33      !crc
 +     73:   0: TAG 13  8d  ea  21  46  8f! 6c  f8  cb! d4  5a  46! 86! ce  15! 1e  b6! 5e      !crc
 +  17436:    :     66  92  42  a4      !crc
 +    218:   0: TAG 00!   
 +     61:   0: TAG 32! 2e!   
 +   1657:    :     69  d7  58  1a  5a  86  0d  ae      !crc
 +     64:   0: TAG 23  9a  93  07    
 +   1679:    :     a9  2c  06  73      !crc
 +     73:   0: TAG ed! 70  7c  05! 06  02! 90! bb  46  2b! 17  e4  f6! 95! d9! 30  bf  18      !crc
 +   5125:    :     db  be  ac  6d      !crc
 +     74:   0: TAG 3f! 16! 86! 04  1f  21  2c  48  6a  e0! fc  7c  fd  ae! d9! 76! f5! 60      !crc
 +  12045:    :     04  fd  50  71      !crc
 +    113:   0: TAG fb  0b  69  63    
 +   1799:    :     f5  c8  1c  ff  74  00  12  15      !crc
 +   1784:    :     63  7a  02  1d      !crc
 +     72:   0: TAG 47! 68! 61  c0! 41  29! 9b! 4e! 6f! e7  ce  af  92  73  d3! 2a! 1e  8f      !crc
 +   4447:    :     2e  44  22  0c      !crc
 +     72:   0: TAG 49! a3! da! 1b! 70  3c! 2d! d1! 21! cd  77  be! 95  75  08! 64! c6  b7!     !crc
 +  22556:    :     7b  71  84  c2      !crc
 +    112:   0: TAG 74  0b  52  c0!   
 +   1872:    :     1a  84  32  dc  2f  9d  6f  f4      !crc
 +     64:   0: TAG ba! d0  0f! e3!   
 +   1686:    :     c7  6e  0d  7d      !crc
 +     74:   0: TAG 9b! c9  35! 31! 86! ad  4f! 32  9e! 86  51! 74! 77  90! 1d  82! d5  15!     !crc
 +   3006:    :     25  f5  64  d7      !crc
 +     72:   0: TAG 53! 71! 50  84! 8f! a9! bb! b9! fe! 24  4a! 6a  46! 62! a8  d4! a6  9e      !crc
 +   2792:    :     0a  af  a2  d7      !crc
 +     72:   0: TAG 37  2f  15! b6  ed  1d! 95  81  cf! 58! 22  82  b9! e9  56  93! 2d  9b!     !crc
 +  18716:    :     27  b4  25  97      !crc
 +    112:   0: TAG ca! d0  a0  be!   
 +   1824:    :     83  41  37  3d  08  3a  09  08      !crc
 +     64:   0: TAG 12! 78  ec  cb    
 +   1680:    :     9b  5f  d8  24      !crc
 +     72:   0: TAG 66  86  fc  e2! 36! 7e! 56  91! d7! 93  f4! 3e  63! a7  50! 92  74! a4!     !crc
 +   5199:    :     b7  e3  3a  f5      !crc
 +     73:   0: TAG 2f  6f! a3! 61! 26  de! 75  f3! f5! 29! d8  f0! 2b! 91  d8  fb  dd! c1!     !crc
 +  61188:    :     67  f1  3e  82      !crc
 +    112:   0: TAG d3  e4! 57! d3    
 +   1848:    :     4e  1f  df  b5  b2  2b  04  12      !crc
 +     64:   0: TAG 12! 0e  5d! 9f!   
 +   1736:    :     ce  c2  05  b5      !crc
 +     64:   0: TAG 0c!   
 +   2511:    :     fc  c5  ac  f6  16  a7  b1  d4  40  83  ca  30  28  57  97  4b  7d  d0      !crc
 +   2632:   0: TAG 0e    
 +   1447:    :     d1  45  fa  b6      !crc
 +     73:   0: TAG af! b9! 2b! 6b! a0  22  f4  c3  88  44  1a! a8  11! ed  96! 7a  50! 8e      !crc
 +  10437:    :     3c  c4  0c  9b      !crc
 +    112:   0: TAG 44! 6b! 9f! ad    
 +   1824:    :     f7  74  59  0c  3c  9d  8e  2f      !crc
 +     64:   0: TAG df  5f! f7! 8b!   
 +   3408:    :     fc  1f  4c  77      !crc
 +     64:   0: TAG 0e    
 +   2743:    :     1c  63  f5  6a  e9  f1  88  fc  41  d0  13  50  50  cf  f2  a0  11  a7      !crc
 +   2632:   0: TAG 02    
 +   1439:    :     11  af  50  31      !crc
 +     73:   0: TAG 24  f2! fa  7b! 21! 74! 0f  36  4c! e2  56  cc  e6  c3! ca! 2e! c3! 55!     !crc

EDIT:
8c  70  2a  69 <---- UID?
+    112:   0: TAG 74  0b  52  c0!    <--- Tag challenge?
+   1872:    :     1a  84  32  dc  2f  9d  6f  f4      !crc <------- ks1 & ks2?
+     64:   0: TAG ba! d0  0f! e3!  <------- ks3?

EDIT:
Am I correct? According to the log there are 5 challenge/response sessions, and from them I got these keys:
EEEADFDAB150
BD025FD133EB
82CE544D53EF
B11456C65975
398CFC51B53E

Shouldn't it be the same key? The only authentication I see is against Block 00 and Block 80.

It would be helpful if someone could clear this up for me...

Last edited by pwned (2011-02-28 12:13:59)


#2 2011-02-28 21:58:16

pwned
Member
Registered: 2011-01-27
Posts: 6

Re: Help on identify parameters

Okay, so I've tested the keys against the card I snooped from.

I tested it against Block 00 and it didn't work.... What am I missing? I really need help with this...


#3 2011-03-01 10:31:39

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: Help on identify parameters

your log is incomplete (it didn't hear the tag a few times). the easiest thing is to try to get a new capture, positioning the tag reader and sniffing antenna better.

There is however enough data in the trace, and the cipher is just weak enough that you can break it, but it will require a tiny bit more effort.

the uid is indeed: 0x8c702a69
but that value you got pegged as tag challenge is actually an encrypted tag challenge, because that's a nested auth. anyway, let us know when you get a clean trace (each reader message should be followed by a tag message).

also keep in mind it's using keyB when testing keys.


#4 2011-03-01 11:00:42

pwned
Member
Registered: 2011-01-27
Posts: 6

Re: Help on identify parameters

Here is a new clean capture. It's a Mifare Classic Plus but I'm pretty sure that it's running on Crypto1 since there are a lot of cards in motion.

recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     52    
 +  34059:    :     52    
 +  34161:    :     52    
 + 204368:    :     52    
 +  34146:    :     52    
 +  33961:    :     52    
 +  33961:    :     52    
 +  33986:    :     52    
 +     64:   0: TAG 04  00    
 +  33953:    :     52    
 +  34065:    :     52    
 +     64:   0: TAG 04  00    
 +  34002:    :     52    
 +  34137:    :     52    
 +     64:   0: TAG 04  00    
 +  33905:    :     52    
 +  33970:    :     52    
 +     64:   0: TAG 04  00    
 +  33906:    :     52    
 +  33968:    :     52    
 +     64:   0: TAG 04  00    
 +   1504:    :     93  20    
 +     64:   0: TAG 89  d5  21  32  4f    
 +   2240:    :     93  70  89  d5  21  32  4f  84  f2    
 +     64:   0: TAG 88  be  59    
 +  81624:    :     52    
 +  34090:    :     52    
 +     64:   0: TAG 04  00    
 +   1488:    :     93  20    
 +     64:   0: TAG 89  d5  21  32  4f    
 +   2326:    :     93  70  89  d5  21  32  4f  84  f2    
 +     64:   0: TAG 88  be  59    
 +  94559:    :     52    
 +     64:   0: TAG 04  00    
 +   1536:    :     93  20    
 +     64:   0: TAG 89  d5  21  32  4f    
 +   2927:    :     93  70  89  d5  21  32  4f  84  f2    
 +     64:   0: TAG 88  be  59    
 +  10502:    :     61  00  2d  62    
 +    112:   0: TAG d3  c4  5b  93    
 +   1952:    :     81  06  b4  17  0e  50  13  2d      !crc
 +     64:   0: TAG a7! 57  29! cb!   
 +   3111:    :     4c  ab  73  b0      !crc
 +     72:   0: TAG 48  a2! 50! 3b! 00  f3  44  dd! 4a  e0  03! 9f  9a  50! 6e! 61  ba! a9      !crc
 +   2911:    :     58  35  79  63      !crc
 +     72:   0: TAG 11  da  9b  6c  f2! d2  d2  1e! ef! 11  3d! ae! df  8b  80  ab  9e! 32!     !crc
 +   2792:    :     50  3a  13  07      !crc
 +     72:   0: TAG 94  db  c8  6e  ab  93! cb! 3f! 95  91! 23! ee  2b! e4! 2e  5a  48  6d      !crc
 +   6934:    :     99  80  62  e4      !crc
 +    112:   0: TAG 48! 53  e9! a1    
 +   1840:    :     e1  f5  7e  5b  38  11  f8  10      !crc
 +     64:   0: TAG f7  41! 9a  44!   
 +   1688:    :     4d  a2  4d  af      !crc
 +     72:   0: TAG c0  8c! 40! 91  3f! 11! 1d  be! 3d! 96  bc! 7f! 04! e8! d4  5f  12! 05!     !crc
 +   2871:    :     6e  f7  bc  09      !crc
 +     72:   0: TAG cd! f5  35  4b  dc  ce! 8f  b5! de! 5c  dc! ee! c5  48  36  9e! ba! 76      !crc
 +   2792:    :     8b  88  58  e0      !crc
 +     72:   0: TAG 30  b8! 15! 2a  95  74! a5  86  03  f0! 09! a9  c4  eb! a7  4a! fb! b3!     !crc
 +   9717:    :     d8  12  27  60      !crc
 +    112:   0: TAG 0f  87  bf  bd    
 +   1824:    :     17  ac  5b  24  19  4c  3d  62      !crc
 +     64:   0: TAG 24  48! 4f  0c!   
 +   1952:    :     58  db  12  23      !crc
 +     72:   0: TAG a8  5b  c3  af! 68  ad  f5! b1! e7  70  2d! 49! 6e! 20  b7! 4c! bd! 63      !crc
 +   4431:    :     e4  d2  b1  64      !crc
 +     72:   0: TAG f2! 6a! f7  56! 22! cb! 10! 62! 4a! f0  90  46! fa  a4! 04  1e  41  ac!     !crc
 +  16173:    :     02  b7  a9  41      !crc
 +    112:   0: TAG 93  fe  70  83    
 +   1824:    :     72  4f  6a  53  2a  b6  12  73      !crc
 +     64:   0: TAG 6d! 23  7b  07    
 +   3143:    :     76  a3  47  db      !crc
 +     72:   0: TAG 27! e5  34! ea! ed  6e  f3  8e  d0  d3  5d  27  66! 47  5a! b7! 62! 76!     !crc
 +   4567:    :     f6  9b  d1  c4      !crc
 +     72:   0: TAG 94  9c! d9! 7e! af! 2d! cf  a8  49  8f! f2  75  21  9e! 9c! c0! b9! ca!     !crc
 +  17381:    :     69  56  a4  87      !crc
 +    112:   0: TAG 2b  16! d8  86!   
 +   1823:    :     49  03  65  d3  04  c5  48  0f      !crc
 +     64:   0: TAG 59  fa  76  dc    
 +   1680:    :     13  8d  b1  93      !crc
 +     72:   0: TAG 10  4e  03! 0b  8e! fb  51  ff  ae  7e  ad! 2c  e3! 26  1f! 34! 10  3b      !crc
 +   4542:    :     30  24  56  54      !crc
 +     72:   0: TAG 43! b1! 89  75! c9  44  b8  55! 6d  33! 46  09! 40! 70! 46! 6b! f5! 4a!     !crc
 +  12111:    :     4d  c3  86  51      !crc
 +    112:   0: TAG d1  b9! 95! 8b!   
 +   1832:    :     fc  fd  08  6e  c7  82  7d  5f      !crc
 +     63:   0: TAG d4  16  a3! dc!   
 +   1680:    :     2d  9c  ed  58      !crc
 +     72:   0: TAG bd! 12  2d! b9  11! 97! 2c  bd! db! 49  bb! bf! 9c  76  ad! bc  18! 8e!     !crc
 +   4582:    :     50  00  e3  52      !crc
 +     72:   0: TAG c7  ad  cb  d0  3d  2a! 6a  da! 3e  77! 65! c7! d4! 14  c0! 07! 09! 3a      !crc
 +  10991:    :     63  b6  92  49      !crc
 +    112:   0: TAG 7e  b6  34! be    
 +   1840:    :     c7  4b  22  d1  c1  d8  4a  ec      !crc
 +     64:   0: TAG e2  b4! 40  3e!   
 +   1727:    :     50  c1  be  00      !crc
 +     72:   0: TAG ff  6c  49! 5e  22  cf! 3c  17  ff! a6! a0! fd! 56! d9! 5b! 9f  23! 5c!     !crc
 +   4448:    :     ab  50  94  f9      !crc
 +     70:   0: TAG 7e! 1f  7b! 37! 6e! f3  16  0d! 54  ab  5f  1e! 81! db  4f  d1  db! f0      !crc
 +  16558:    :     38  5d  ee  a6      !crc
 +    112:   0: TAG 09  e5! a6  4e!   
 +   1824:    :     c4  67  0f  f7  16  cd  bb  21      !crc
 +     64:   0: TAG 6f! 30! 14  ad!   
 +   1760:    :     28  c6  e2  9c      !crc
 +     72:   0: TAG 57! c1  26  c1  d1! b0  60  2c  72! 7f! 28  78! 25  10  03! 01  bc! 0b!     !crc
 +   2918:    :     a7  8f  e6  6c      !crc
 +     72:   0: TAG 12  14  3a! 7a! 8f! 6f  7b! 63! 5f! 7b! cb  9d  6a! ba  ec  94! 96! d9!     !crc
 +   2872:    :     22  79  ed  0e      !crc
 +     72:   0: TAG 4f! 64  a7! a4! c0! 20! da! fa! 1e  ed  75  56! 56  ab! 93! c9! f2! d1!     !crc
 +1370224:    :     52    
 +     64:   0: TAG 04  00    
 +  33976:    :     52    
 +  68012:    :     52   

I tried this as well with crapto1 (gui) but it failed to auth on every sector as well. Maybe I need to read up some on the matter in hand, but a nudge in the right direction would be helpful.

Last edited by pwned (2011-03-01 11:07:10)


#5 2011-03-01 21:43:13

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: Help on identify parameters

i don't know about the gui but crapto1 has no problems with this configuration

uid: 89  d5  21  32  4f
tag challenge: d3  c4  5b  93 
[readerchallenge][reader response]: 81  06  b4  17  0e  50  13  2d
[tag response]: a7! 57  29! cb!

i get a key that starts with 92...
and when i use it to decrypt the rest it's clear it's correct

since the command was : 61  00  2d  62
you trivially have the keyB for sector 0

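To make hat's labelling of the trace concrete, here is an added Python example (not from this thread, nor Proxmark3 or crapto1 code) that parses the Proxmark snoop line format, recovers the UID from the SELECT frame while checking its BCC byte and ISO 14443-3 CRC_A, and splits out each authentication exchange, distinguishing the first plaintext auth (where the 0x60/0x61 command and block number are readable) from the later nested ones whose command and tag nonce are already encrypted. The sample trace is a constructed excerpt of the clean capture above; the `!` parity marks and `!crc` flags are counted rather than interpreted.

```python
import re
# Constructed excerpt of the clean trace above (Proxmark3 snoop format); frames omitted for brevity.
TRACE = """\
 +   1536:    :     93  20
 +     64:   0: TAG 89  d5  21  32  4f
 +   2927:    :     93  70  89  d5  21  32  4f  84  f2
 +  10502:    :     61  00  2d  62
 +    112:   0: TAG d3  c4  5b  93
 +   1952:    :     81  06  b4  17  0e  50  13  2d      !crc
 +     64:   0: TAG a7! 57  29! cb!
 +   6934:    :     99  80  62  e4      !crc
 +    112:   0: TAG 48! 53  e9! a1
 +   1840:    :     e1  f5  7e  5b  38  11  f8  10      !crc
 +     64:   0: TAG f7  41! 9a  44!
"""
LINE = re.compile(r"^\s*\+\s*\d+:\s*\d*:\s*(TAG)?\s*(.*?)\s*(!crc)?\s*$")
def crc_a(data):
    """ISO 14443-3 CRC_A (poly 0x8408, init 0x6363) as the two bytes sent on air."""
    crc = 0x6363
    for x in data:
        b = x ^ (crc & 0xFF)
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])
def parse(trace):
    """One dict per frame: sender, raw bytes, number of '!' parity marks, !crc flag."""
    frames = []
    for m in filter(None, map(LINE.match, trace.splitlines())):
        toks = m.group(2).split()
        frames.append({"who": "TAG" if m.group(1) else "RDR", "bad_crc": m.group(3) is not None,
                       "data": bytes(int(t.rstrip("!"), 16) for t in toks),
                       "bad_parity": sum(t.endswith("!") for t in toks)})
    return frames
def analyse(trace):
    """UID from SELECT (BCC and CRC_A checked) plus one entry per Crypto1 auth exchange."""
    f, out = parse(trace), {"uid": None, "uid_ok": False, "auths": []}
    for i, fr in enumerate(f):
        d, nxt = fr["data"], f[i + 1:i + 4]
        if fr["who"] == "RDR" and d[:2] == b"\x93\x70" and len(d) == 9:  # SELECT CL1
            out["uid"] = d[2:6].hex()
            out["uid_ok"] = d[2] ^ d[3] ^ d[4] ^ d[5] == d[6] and crc_a(d[:7]) == d[7:]
        # auth = 4-byte reader cmd, 4-byte tag nonce, 8-byte {nR}{aR}, 4-byte {aT}
        if (fr["who"] == "RDR" and len(d) == 4 and [x["who"] for x in nxt] == ["TAG", "RDR", "TAG"]
                and [len(x["data"]) for x in nxt] == [4, 8, 4]):
            plain = d[0] in (0x60, 0x61) and not fr["bad_crc"]  # nested auth cmds are encrypted
            out["auths"].append({"nested": not plain, "key": "AB"[d[0] - 0x60] if plain else "?",
                                 "block": d[1] if plain else None, "tag_nonce": nxt[0]["data"].hex(),
                                 "reader_nr_ar": nxt[1]["data"].hex(), "tag_at": nxt[2]["data"].hex(),
                                 "parity_errors": sum(x["bad_parity"] for x in nxt)})
    return out
```

Running `analyse(TRACE)` reports uid `89d52132` with both checks passing, a first keyB auth to block 0 with the four values hat lists, and a second exchange flagged as nested, which is why its "tag challenge" cannot be used as a plaintext nonce.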

#6 2011-03-02 11:10:33

pwned
Member
Registered: 2011-01-27
Posts: 6

Re: Help on identify parameters

Well that could explain something....

I was running that data and I didn't get any key that started with 92.
This is the key I've got: 00000FFE2488, I ran it through Crapto1gui 1.1.

I will try again with only crapto1 from source. I will try these keys in a few hours
and get back with the results.

EDIT:
I compiled the source from the PM3-wiki and changed lfsr_rollback -> lfsr_rollback_word and lfsr_recovery -> lfsr_recovery64
and double- and triple-checked uid, responses and challenges. But it didn't give me a key that started with 92. This is the output I got:

nt': 9e631684
nt'': b1592636
ks2: 903305a9
ks3: 160e0ffd
Found Key: [88 24 fe 0f 00 00]

I used the original data from the wiki as reference and it ran accordingly, finding the default ffffffff-key.

Last edited by pwned (2011-03-02 11:36:05)


#7 2011-03-02 12:27:35

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: Help on identify parameters

i must have done something mysteriously wrong/right before, because when i check it now i get exactly the same numbers. i'll look into it further

for now, instead of doing the lfsr rollbacks,
you can work your way forward after the
lfsr_recovery64();
crypto1_word should then give you: 7cab7118 .

i'll look into it.


#8 2011-03-02 19:24:35

pwned
Member
Registered: 2011-01-27
Posts: 6

Re: Help on identify parameters

hat wrote:

i must have done something mysteriously wrong/right before, because when i check it now i get exactly the same numbers. i'll look into it further

for now, instead of doing the lfsr rollbacks,
you can work your way forward after the
lfsr_recovery64();
crypto1_word should then give you: 7cab7118 .

i'll look into it.

Thanks, I'm awaiting your reply...

Could you clarify what you mean by the last part?


#9 2011-03-10 22:57:38

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: Help on identify parameters

ok sorry for the delay but i was busy and can't find anything, i must have done it wrong the first time around.

have you tried testing the key in different formats, and are you sure you are testing keyB and not keyA? because
ffe2488 is the keyB for sector 0

tried?:
00 00 0f fe 24 88
88 24 fe 0f 00 00

i'm running a brute force to see if there's any key with that 0x92 at the start but i don't expect to find anything.
