Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I've got a snoop from a Mifare Classic but I can't figure out more than the UID.
+ 1510: : 93 20
+ 2520: : 93 70 8c 70 2a 69 bf cc f1
+ 10407: : 61 00 2d 62
+ 1936: : c1 09 22 ee 7b 55 5d 40 !crc
+ 3831: : 61 80 b8 79 !crc
+ 2864: : 8a 59 92 ac !crc
+ 2942: : d0 c4 5a ed !crc
+ 7640: : fc 7e 7b 8b !crc
+ 1951: : bd b8 30 eb b5 45 87 06 !crc
+ 313: 0: TAG 02
+ 1439: : 13 63 9d 42 !crc
+ 2904: : 88 df 85 73 !crc
+ 80: 0: TAG d2! 55 20 15! 67 31! 3a ef! 81 bb b2 92! c8 74! 8b! d6! 07! eb! !crc
+ 2783: : 61 04 ca be !crc
+ 9742: : 48 89 4b 4d !crc
+ 112: 0: TAG 65! 26 dc 99
+ 1824: : a0 8b b5 b2 55 f1 12 39 !crc
+ 1816: : 8a f1 03 b4 !crc
+ 72: 0: TAG e5 25! 40! c7! 7c 0c! d1 28! b7! f5 34 77! 67! f0! fa e4 85 35 !crc
+ 4439: : 0a 83 b9 b3 !crc
+ 72: 0: TAG 58 81! b9 04 0f! 82 dc 4b! 4d fc! 2f! ec! 58! 62 f6! fb ac ee !crc
+ 16333: : 27 29 96 85 !crc
+ 136: 0: TAG 3d! 82 10! 33!
+ 1800: : df 9c 52 4a 9b 11 e9 a4 !crc
+ 64: 0: TAG 50! 85! 9f! 96!
+ 3143: : 89 9b e9 a1 !crc
+ 4655: : 2a 17 a2 33 !crc
+ 73: 0: TAG 13 8d ea 21 46 8f! 6c f8 cb! d4 5a 46! 86! ce 15! 1e b6! 5e !crc
+ 17436: : 66 92 42 a4 !crc
+ 218: 0: TAG 00!
+ 61: 0: TAG 32! 2e!
+ 1657: : 69 d7 58 1a 5a 86 0d ae !crc
+ 64: 0: TAG 23 9a 93 07
+ 1679: : a9 2c 06 73 !crc
+ 73: 0: TAG ed! 70 7c 05! 06 02! 90! bb 46 2b! 17 e4 f6! 95! d9! 30 bf 18 !crc
+ 5125: : db be ac 6d !crc
+ 74: 0: TAG 3f! 16! 86! 04 1f 21 2c 48 6a e0! fc 7c fd ae! d9! 76! f5! 60 !crc
+ 12045: : 04 fd 50 71 !crc
+ 113: 0: TAG fb 0b 69 63
+ 1799: : f5 c8 1c ff 74 00 12 15 !crc
+ 1784: : 63 7a 02 1d !crc
+ 72: 0: TAG 47! 68! 61 c0! 41 29! 9b! 4e! 6f! e7 ce af 92 73 d3! 2a! 1e 8f !crc
+ 4447: : 2e 44 22 0c !crc
+ 72: 0: TAG 49! a3! da! 1b! 70 3c! 2d! d1! 21! cd 77 be! 95 75 08! 64! c6 b7! !crc
+ 22556: : 7b 71 84 c2 !crc
+ 112: 0: TAG 74 0b 52 c0!
+ 1872: : 1a 84 32 dc 2f 9d 6f f4 !crc
+ 64: 0: TAG ba! d0 0f! e3!
+ 1686: : c7 6e 0d 7d !crc
+ 74: 0: TAG 9b! c9 35! 31! 86! ad 4f! 32 9e! 86 51! 74! 77 90! 1d 82! d5 15! !crc
+ 3006: : 25 f5 64 d7 !crc
+ 72: 0: TAG 53! 71! 50 84! 8f! a9! bb! b9! fe! 24 4a! 6a 46! 62! a8 d4! a6 9e !crc
+ 2792: : 0a af a2 d7 !crc
+ 72: 0: TAG 37 2f 15! b6 ed 1d! 95 81 cf! 58! 22 82 b9! e9 56 93! 2d 9b! !crc
+ 18716: : 27 b4 25 97 !crc
+ 112: 0: TAG ca! d0 a0 be!
+ 1824: : 83 41 37 3d 08 3a 09 08 !crc
+ 64: 0: TAG 12! 78 ec cb
+ 1680: : 9b 5f d8 24 !crc
+ 72: 0: TAG 66 86 fc e2! 36! 7e! 56 91! d7! 93 f4! 3e 63! a7 50! 92 74! a4! !crc
+ 5199: : b7 e3 3a f5 !crc
+ 73: 0: TAG 2f 6f! a3! 61! 26 de! 75 f3! f5! 29! d8 f0! 2b! 91 d8 fb dd! c1! !crc
+ 61188: : 67 f1 3e 82 !crc
+ 112: 0: TAG d3 e4! 57! d3
+ 1848: : 4e 1f df b5 b2 2b 04 12 !crc
+ 64: 0: TAG 12! 0e 5d! 9f!
+ 1736: : ce c2 05 b5 !crc
+ 64: 0: TAG 0c!
+ 2511: : fc c5 ac f6 16 a7 b1 d4 40 83 ca 30 28 57 97 4b 7d d0 !crc
+ 2632: 0: TAG 0e
+ 1447: : d1 45 fa b6 !crc
+ 73: 0: TAG af! b9! 2b! 6b! a0 22 f4 c3 88 44 1a! a8 11! ed 96! 7a 50! 8e !crc
+ 10437: : 3c c4 0c 9b !crc
+ 112: 0: TAG 44! 6b! 9f! ad
+ 1824: : f7 74 59 0c 3c 9d 8e 2f !crc
+ 64: 0: TAG df 5f! f7! 8b!
+ 3408: : fc 1f 4c 77 !crc
+ 64: 0: TAG 0e
+ 2743: : 1c 63 f5 6a e9 f1 88 fc 41 d0 13 50 50 cf f2 a0 11 a7 !crc
+ 2632: 0: TAG 02
+ 1439: : 11 af 50 31 !crc
+ 73: 0: TAG 24 f2! fa 7b! 21! 74! 0f 36 4c! e2 56 cc e6 c3! ca! 2e! c3! 55! !crc
EDIT:
8c 70 2a 69 <---- UID?
+ 112: 0: TAG 74 0b 52 c0! <--- Tag challenge?
+ 1872: : 1a 84 32 dc 2f 9d 6f f4 !crc <------- ks1 & ks2?
+ 64: 0: TAG ba! d0 0f! e3! <------- ks3?
EDIT:
Am I correct? According to the log, there are 5 challenge/response sessions and thereby I have got these keys:
EEEADFDAB150
BD025FD133EB
82CE544D53EF
B11456C65975
398CFC51B53E
Shouldn't it be the same key? The only authentication I see is against Block 00 and Block 80.
Would be helpful if someone could clear this up for me...
Last edited by pwned (2011-02-28 12:13:59)
Okay, so I've tested the keys against the card I snooped from.
Tested it against Block 00, it didn't work... What am I missing? Really need help with this...
your log is incomplete (it didn't hear the tag a few times). the easiest thing is to try to get a new capture, positioning the tag, reader and sniffing antenna better.
There is however enough data in the trace, and the cipher is just that weak that you can break it, but it will require a tiny bit more effort.
the uid is indeed: 0x8c702a69
but that value you got pegged as tag challenge is actually an encrypted tag challenge because that's a nested auth. anyway, let us know once you get a clean trace (each reader message should be followed by a tag message).
also keep in mind it's using keyB when testing keys.
Here is a new clean capture. It's a Mifare Classic Plus but I'm pretty sure that it's running on Crypto1 since there are a lot of cards in motion.
recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
+ 0: : 52
+ 34059: : 52
+ 34161: : 52
+ 204368: : 52
+ 34146: : 52
+ 33961: : 52
+ 33961: : 52
+ 33986: : 52
+ 64: 0: TAG 04 00
+ 33953: : 52
+ 34065: : 52
+ 64: 0: TAG 04 00
+ 34002: : 52
+ 34137: : 52
+ 64: 0: TAG 04 00
+ 33905: : 52
+ 33970: : 52
+ 64: 0: TAG 04 00
+ 33906: : 52
+ 33968: : 52
+ 64: 0: TAG 04 00
+ 1504: : 93 20
+ 64: 0: TAG 89 d5 21 32 4f
+ 2240: : 93 70 89 d5 21 32 4f 84 f2
+ 64: 0: TAG 88 be 59
+ 81624: : 52
+ 34090: : 52
+ 64: 0: TAG 04 00
+ 1488: : 93 20
+ 64: 0: TAG 89 d5 21 32 4f
+ 2326: : 93 70 89 d5 21 32 4f 84 f2
+ 64: 0: TAG 88 be 59
+ 94559: : 52
+ 64: 0: TAG 04 00
+ 1536: : 93 20
+ 64: 0: TAG 89 d5 21 32 4f
+ 2927: : 93 70 89 d5 21 32 4f 84 f2
+ 64: 0: TAG 88 be 59
+ 10502: : 61 00 2d 62
+ 112: 0: TAG d3 c4 5b 93
+ 1952: : 81 06 b4 17 0e 50 13 2d !crc
+ 64: 0: TAG a7! 57 29! cb!
+ 3111: : 4c ab 73 b0 !crc
+ 72: 0: TAG 48 a2! 50! 3b! 00 f3 44 dd! 4a e0 03! 9f 9a 50! 6e! 61 ba! a9 !crc
+ 2911: : 58 35 79 63 !crc
+ 72: 0: TAG 11 da 9b 6c f2! d2 d2 1e! ef! 11 3d! ae! df 8b 80 ab 9e! 32! !crc
+ 2792: : 50 3a 13 07 !crc
+ 72: 0: TAG 94 db c8 6e ab 93! cb! 3f! 95 91! 23! ee 2b! e4! 2e 5a 48 6d !crc
+ 6934: : 99 80 62 e4 !crc
+ 112: 0: TAG 48! 53 e9! a1
+ 1840: : e1 f5 7e 5b 38 11 f8 10 !crc
+ 64: 0: TAG f7 41! 9a 44!
+ 1688: : 4d a2 4d af !crc
+ 72: 0: TAG c0 8c! 40! 91 3f! 11! 1d be! 3d! 96 bc! 7f! 04! e8! d4 5f 12! 05! !crc
+ 2871: : 6e f7 bc 09 !crc
+ 72: 0: TAG cd! f5 35 4b dc ce! 8f b5! de! 5c dc! ee! c5 48 36 9e! ba! 76 !crc
+ 2792: : 8b 88 58 e0 !crc
+ 72: 0: TAG 30 b8! 15! 2a 95 74! a5 86 03 f0! 09! a9 c4 eb! a7 4a! fb! b3! !crc
+ 9717: : d8 12 27 60 !crc
+ 112: 0: TAG 0f 87 bf bd
+ 1824: : 17 ac 5b 24 19 4c 3d 62 !crc
+ 64: 0: TAG 24 48! 4f 0c!
+ 1952: : 58 db 12 23 !crc
+ 72: 0: TAG a8 5b c3 af! 68 ad f5! b1! e7 70 2d! 49! 6e! 20 b7! 4c! bd! 63 !crc
+ 4431: : e4 d2 b1 64 !crc
+ 72: 0: TAG f2! 6a! f7 56! 22! cb! 10! 62! 4a! f0 90 46! fa a4! 04 1e 41 ac! !crc
+ 16173: : 02 b7 a9 41 !crc
+ 112: 0: TAG 93 fe 70 83
+ 1824: : 72 4f 6a 53 2a b6 12 73 !crc
+ 64: 0: TAG 6d! 23 7b 07
+ 3143: : 76 a3 47 db !crc
+ 72: 0: TAG 27! e5 34! ea! ed 6e f3 8e d0 d3 5d 27 66! 47 5a! b7! 62! 76! !crc
+ 4567: : f6 9b d1 c4 !crc
+ 72: 0: TAG 94 9c! d9! 7e! af! 2d! cf a8 49 8f! f2 75 21 9e! 9c! c0! b9! ca! !crc
+ 17381: : 69 56 a4 87 !crc
+ 112: 0: TAG 2b 16! d8 86!
+ 1823: : 49 03 65 d3 04 c5 48 0f !crc
+ 64: 0: TAG 59 fa 76 dc
+ 1680: : 13 8d b1 93 !crc
+ 72: 0: TAG 10 4e 03! 0b 8e! fb 51 ff ae 7e ad! 2c e3! 26 1f! 34! 10 3b !crc
+ 4542: : 30 24 56 54 !crc
+ 72: 0: TAG 43! b1! 89 75! c9 44 b8 55! 6d 33! 46 09! 40! 70! 46! 6b! f5! 4a! !crc
+ 12111: : 4d c3 86 51 !crc
+ 112: 0: TAG d1 b9! 95! 8b!
+ 1832: : fc fd 08 6e c7 82 7d 5f !crc
+ 63: 0: TAG d4 16 a3! dc!
+ 1680: : 2d 9c ed 58 !crc
+ 72: 0: TAG bd! 12 2d! b9 11! 97! 2c bd! db! 49 bb! bf! 9c 76 ad! bc 18! 8e! !crc
+ 4582: : 50 00 e3 52 !crc
+ 72: 0: TAG c7 ad cb d0 3d 2a! 6a da! 3e 77! 65! c7! d4! 14 c0! 07! 09! 3a !crc
+ 10991: : 63 b6 92 49 !crc
+ 112: 0: TAG 7e b6 34! be
+ 1840: : c7 4b 22 d1 c1 d8 4a ec !crc
+ 64: 0: TAG e2 b4! 40 3e!
+ 1727: : 50 c1 be 00 !crc
+ 72: 0: TAG ff 6c 49! 5e 22 cf! 3c 17 ff! a6! a0! fd! 56! d9! 5b! 9f 23! 5c! !crc
+ 4448: : ab 50 94 f9 !crc
+ 70: 0: TAG 7e! 1f 7b! 37! 6e! f3 16 0d! 54 ab 5f 1e! 81! db 4f d1 db! f0 !crc
+ 16558: : 38 5d ee a6 !crc
+ 112: 0: TAG 09 e5! a6 4e!
+ 1824: : c4 67 0f f7 16 cd bb 21 !crc
+ 64: 0: TAG 6f! 30! 14 ad!
+ 1760: : 28 c6 e2 9c !crc
+ 72: 0: TAG 57! c1 26 c1 d1! b0 60 2c 72! 7f! 28 78! 25 10 03! 01 bc! 0b! !crc
+ 2918: : a7 8f e6 6c !crc
+ 72: 0: TAG 12 14 3a! 7a! 8f! 6f 7b! 63! 5f! 7b! cb 9d 6a! ba ec 94! 96! d9! !crc
+ 2872: : 22 79 ed 0e !crc
+ 72: 0: TAG 4f! 64 a7! a4! c0! 20! da! fa! 1e ed 75 56! 56 ab! 93! c9! f2! d1! !crc
+1370224: : 52
+ 64: 0: TAG 04 00
+ 33976: : 52
+ 68012: : 52
I tried this as well with crapto1(gui) but it failed to auth on every sector as well. Maybe I need to read up some on the matter at hand, but a nudge in the right direction would be helpful.
Last edited by pwned (2011-03-01 11:07:10)
i don't know about the gui but crapto1 has no problems with this configuration
uid: 89 d5 21 32 4f
tag challenge: d3 c4 5b 93
[readerchallenge][reader response]: 81 06 b4 17 0e 50 13 2d
[tag response]: a7! 57 29! cb!
i get a key that starts with 92...
and when i use it to decrypt the rest it's clear it's correct
since the command was : 61 00 2d 62
you trivially have the keyB for sector 0
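To make the extraction described in the reply above (uid, tag challenge, reader challenge/response, tag response, and the keyB/sector 0 conclusion from the 61 00 command) reproducible, here is an added Python example. It is not code from this thread nor from the Proxmark3 or crapto1 projects. It parses snoop lines in the format posted here, verifies the BCC and CRC_A of the plaintext anticollision, select and auth frames, separates the first plaintext authentication from nested ones (whose command and nonce are encrypted, as the earlier reply points out), and flags an incomplete capture where the tag's nonce was not heard, as in the first log. The sample trace lines are constructed from values posted in this thread; the Frame and Auth names and the 4/4/8/4 frame-shape heuristic for spotting an auth exchange are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the Proxmark3 snoop format used in the thread:
# "+ <ETU>: <rssi>: [TAG] <bytes> [!crc]". A '!' after a byte is a parity error, which on an
# authenticated MIFARE Classic session just means the byte is encrypted. Contents: anticollision,
# select, plaintext auth (keyB, block 0), an encrypted read, then a nested (encrypted) auth.
SAMPLE_TRACE = """\
+ 1536: : 93 20
+ 64: 0: TAG 89 d5 21 32 4f
+ 2927: : 93 70 89 d5 21 32 4f 84 f2
+ 64: 0: TAG 88 be 59
+ 10502: : 61 00 2d 62
+ 112: 0: TAG d3 c4 5b 93
+ 1952: : 81 06 b4 17 0e 50 13 2d !crc
+ 64: 0: TAG a7! 57 29! cb!
+ 3111: : 4c ab 73 b0 !crc
+ 72: 0: TAG 48 a2! 50! 3b! 00 f3 44 dd! 4a e0 03! 9f 9a 50! 6e! 61 ba! a9 !crc
+ 6934: : 99 80 62 e4 !crc
+ 112: 0: TAG 48! 53 e9! a1
+ 1840: : e1 f5 7e 5b 38 11 f8 10 !crc
+ 64: 0: TAG f7 41! 9a 44!
"""

# Constructed sample of an incomplete capture: the tag nonce after the auth command was not heard.
INCOMPLETE_TRACE = """\
+ 1504: : 93 20
+ 64: 0: TAG 8c 70 2a 69 bf
+ 10407: : 61 00 2d 62
+ 1936: : c1 09 22 ee 7b 55 5d 40 !crc
"""

LINE_RE = re.compile(r"^\+\s*(\d+):\s*(\d*):\s*(TAG)?\s*(.*)$")


@dataclass
class Frame:
    etu: int
    from_tag: bool
    data: bytes
    parity_err: List[int]  # indexes of bytes flagged with '!'
    crc_flag: bool         # Proxmark appended "!crc": CRC_A did not verify (encrypted frame)


@dataclass
class Auth:
    nested: bool            # command and tag nonce encrypted under the previous session's keystream
    key_type: str           # "A" (0x60), "B" (0x61) or "?" when the command byte is encrypted
    block: Optional[int]    # from the plaintext command only
    sector: Optional[int]   # MIFARE Classic 1K layout assumed: 4 blocks per sector
    nt: str                 # tag challenge (plaintext only in a non-nested auth)
    nr_ar: str              # reader challenge + reader response (always encrypted)
    at: str                 # tag response (always encrypted)
    complete: bool          # False when the expected nt / nr_ar / at frames are missing


def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (poly 0x8408 reflected, init 0x6363), returned LSB first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_trace(text: str) -> List[Frame]:
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header / separator lines
        etu, _rssi, who, rest = m.groups()
        tokens = rest.split()
        crc_flag = bool(tokens) and tokens[-1] == "!crc"
        if crc_flag:
            tokens = tokens[:-1]
        data, parity_err = bytearray(), []
        for i, tok in enumerate(tokens):
            if tok.endswith("!"):
                parity_err.append(i)
                tok = tok[:-1]
            data.append(int(tok, 16))
        frames.append(Frame(int(etu), who == "TAG", bytes(data), parity_err, crc_flag))
    return frames


def analyse(frames: List[Frame]) -> dict:
    """Pull the UID and every authentication exchange out of a parsed trace."""
    out = {"uid": None, "bcc_ok": None, "select_crc_ok": None, "auths": []}
    i = 0
    while i < len(frames):
        f, nxt = frames[i], frames[i + 1:i + 4]
        if f.from_tag:
            i += 1
            continue
        if f.data == b"\x93\x20" and nxt and nxt[0].from_tag and len(nxt[0].data) == 5:
            uid, bcc = nxt[0].data[:4], nxt[0].data[4]   # anticollision answer: UID + BCC
            out["uid"], out["bcc_ok"] = uid.hex(), (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc
            i += 2
            continue
        if f.data[:2] == b"\x93\x70" and len(f.data) == 9:   # select: 93 70 UID BCC CRC_A
            out["select_crc_ok"] = crc_a(f.data[:7]) == f.data[7:]
            i += 1
            continue
        # Plaintext auth command: 60/61 <block> CRC_A with a verifying CRC.
        plain = (len(f.data) == 4 and f.data[0] in (0x60, 0x61) and not f.crc_flag
                 and crc_a(f.data[:2]) == f.data[2:])
        # Auth exchange shape: reader 4 bytes, tag 4 (nt), reader 8 ({nr}{ar}), tag 4 ({at}).
        # An encrypted read is also a 4-byte command but is answered with 18 bytes, so it does
        # not match; a 4-byte encrypted command that does match is taken to be a nested auth.
        shape = (len(f.data) == 4 and len(nxt) == 3
                 and nxt[0].from_tag and len(nxt[0].data) == 4
                 and not nxt[1].from_tag and len(nxt[1].data) == 8
                 and nxt[2].from_tag and len(nxt[2].data) == 4)
        if plain or shape:
            block = f.data[1] if plain else None
            out["auths"].append(Auth(
                nested=not plain,
                key_type={0x60: "A", 0x61: "B"}[f.data[0]] if plain else "?",
                block=block, sector=None if block is None else block // 4,
                nt=nxt[0].data.hex() if shape else "",
                nr_ar=nxt[1].data.hex() if shape else "",
                at=nxt[2].data.hex() if shape else "",
                complete=shape))
            i += 4 if shape else 1
            continue
        i += 1
    return out


if __name__ == "__main__":
    for name, trace in (("clean", SAMPLE_TRACE), ("incomplete", INCOMPLETE_TRACE)):
        s = analyse(parse_trace(trace))
        print(name, "uid", s["uid"], "bcc_ok", s["bcc_ok"], "select_crc_ok", s["select_crc_ok"])
        for a in s["auths"]:
            print("  ", a)
```

Run on the clean sample it reports uid 89d52132 with BCC and select CRC verified, a first non-nested auth with keyB on block 0 (sector 0) and nt d3c45b93, and a second nested auth whose key type and block cannot be read because the command is encrypted. On the incomplete sample the auth command is recognised but marked incomplete, which is the "it didn't hear the tag" situation from the earlier reply.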
Well that could explain something....
I was running that data and I didn't get any key that started with 92.
This is the key I've got: 00000FFE2488. I ran it through Crapto1gui 1.1.
I will try again with only crapto1 from source. I will try these keys in a few hours
and get back with the results.
EDIT:
I compiled the source from the PM3-wiki and changed lfsr_rollback -> lfsr_rollback_word and lfsr_recovery -> lfsr_recovery64,
and double- and triple-checked UID, responses and challenges. But it didn't give me a key that started with 92. This is the output I got:
nt': 9e631684
nt'': b1592636
ks2: 903305a9
ks3: 160e0ffd
Found Key: [88 24 fe 0f 00 00]
I used the original data from the wiki as reference and it ran accordingly, finding the default ffffffff-key.
Last edited by pwned (2011-03-02 11:36:05)
i must have done something mysteriously wrong/right before, because when i check it now i get exactly the same numbers. i'll look into it further
for now, instead of doing the lfsr rollbacks, you can work your way forward after the
lfsr_recovery64();
crypto1_word should then give you: 7cab7118.
i'll look into it.
i must have done something mysteriously wrong/right before, because when i check it now i get exactly the same numbers. i'll look into it further
for now, instead of doing the lfsr rollbacks, you can work your way forward after the
lfsr_recovery64();
crypto1_word should then give you: 7cab7118. i'll look into it.
Thanks, I'm awaiting your reply...
Could you clarify what you mean with the last part?
ok sorry for the delay but i was busy and can't find anything, i must have done it wrong the first time around.
have you tried testing the key in different formats, and are you sure you are testing keyB and not keyA? because
ffe2488 is the keyB for sector 0
tried?:
00 00 0f fe 24 88
88 24 fe 0f 00 00
i'm running a brute force to see if there's any key with that 0x92 at the start but i don't expect to find anything.