Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-07-17 03:59:01

emersonxr3
Contributor
Registered: 2020-03-20
Posts: 26

restore mifare plus

friends i would like to restore the data on this card is this possible?

[usb] pm3 --> hf mfp info

[=] --- Tag Information ---------------------------
[=] -------------------------------------------------------------

[+]  UID: 04 9D 51 22 7E 62 80
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER:    NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K / Classic 1K CL2
[+]    MIFARE Plus 2K / Plus EV1 2K
[+]    MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[=] SAK incorrectly claims that card doesn't support RATS
[+]  ATS: 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 60 D3
[+]        -  TL : length is 12 bytes
[+]        -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[+]        - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[+]        - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
[+]        - TC1 : NAD is NOT supported, CID is supported
[+] Prng detection: hard
[=] --- Fingerprint
[=]           SIZE: 2K (7 UID)
[=]             SAK: 2K 7b UID
[=] --- Security Level (SL)
[+]        SL mode: SL1
[=]   SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication

Offline

#2 2020-07-18 16:00:55

Hotel-key-card
Contributor
Registered: 2020-06-27
Posts: 10

Re: restore mifare plus

yes

Offline

#3 2020-07-19 01:47:04

emersonxr3
Contributor
Registered: 2020-03-20
Posts: 26

Re: restore mifare plus

I'm not getting it because the access condition of sector 13 is 73 C4 B8 00

Offline

#4 2021-06-19 07:06:06

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: restore mifare plus

any progress on this card? thanks

Offline

#5 2021-07-20 19:53:53

theyhavelanded
Contributor
Registered: 2015-09-29
Posts: 7

Re: restore mifare plus

Anything new with this? I can not get hardnested to work on this MFP fob. Errors out with below until it crashes the proxmark and resets.

This FOB is a blue one looks like Awid style but def not Awid or 125khz. I also posted hf mfp info below.

[usb] pm3 --> hf mf hardnested 0 A A0A1A2A3A4A5 4 A
[=] Target block no:  4, target key type:A, known target key: 0x000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[+] Using AVX2 SIMD core.



time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 4 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 541 million (2^29.0) keys/s      | 140737488355328 |    3d
       6 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    3d
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth2 error len=0



[usb|script] pm3 --> hf mfp info

[=] --- Tag Information ---------------------------
[=] -------------------------------------------------------------
[+]               UID: 04 XX XX XX XX XX 80
[+]      Batch number: CE BE 55 55 21
[+]   Production date: week 06 / 2019

[=] --- Hardware Information
[=]           Raw : 04 02 02 11 00 16 04
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x02 (Plus)
[=]        Subtype: 0x02
[=]        Version: 11.0 (Plus EV1)
[=]   Storage size: 0x16 (2048 bytes)
[=]       Protocol: 0x04 (ISO 14443-3 MIFARE, 14443-4)

[=] --- Software Information
[=]           Raw : 04 02 01 01 00 16
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x02 (Plus)
[=]        Subtype: 0x01
[=]        Version: 1.0
[=]   Storage size: 0x16 (2048 bytes)
[=]       Protocol: 0x04 (ISO 14443-3 MIFARE, 14443-4)

[=] --- Tag Signature
[=]  IC signature public key name: MIFARE Plus EV1
[=] IC signature public key value: 044409ADC42F91A8394066BA83D872FB
[=]                              : 1D16803734E911170412DDF8BAD1A4DA
[=]                              : DFD0416291AFE1C748253925DA39A5F3
[=]                              : 9A1C557FFACD34C62E
[=]     Elliptic curve parameters: NID_secp224r1
[=]              TAG IC Signature: B523544E36FCE87CDC5BC04A158D67C0
[=]                              : A161870F4874E63A4A853068FA39681B
[=]                              : 96F0F8891FDBC145863758D545141A48
[=]                              : F7908238F13B13E9
[+]        Signature verification: successful
[=] --- Fingerprint
[=]           Tech: MIFARE Plus EV1
[=]           SIZE: 2K (7 UID)
[=]             SAK: 2K 7b UID
[=] --- Security Level (SL)
[+]        SL mode: SL1
[=]   SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication

Last edited by theyhavelanded (2021-07-20 20:40:40)

Offline

#6 2021-07-21 03:58:12

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: restore mifare plus

mifare plus is non crackable at all

Offline

#7 2021-07-24 17:57:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: restore mifare plus

Depends on the configuration,  but your tag might use the optional AES authentication.  If you have access to a genuine reader and card, try sniffing the communications and post the results.   Even save a trace file and share.

Offline

Board footer

Powered by FluxBB