Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2022-10-25 19:32:41

Essorcal
Contributor
Registered: 2022-10-25
Posts: 6

Trying to crack mifare 1k classic on my 3d printer filament spool

So i'm new to this scene and just found this forum. i've got a Proxmark3 Easy up and running with the latest iceman release and i'm trying to crack the mifare 1k classic in my bambu labs x1 3d printer filament spool so i can make my own tags and have them recognized by the printer in terms of color/material/etc...

hw ver

Iceman/master/v4.14831-1002-g8940982c8 2022-10-23 21:25:49 8b5c14153
bootrom: Iceman/master/v4.14831-1002-g8940982c8 2022-10-23 21:25:16 8b5c14153
os: Iceman/master/v4.14831-1002-g8940982c8 2022-10-23 21:25:27 8b5c14153

So, things ive tried so far:

running hf search i get the following:

[|] Searching for ISO14443-A tag...
[+]  UID: 75 15 ED 1B
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands

[+] Valid ISO 14443-A tag found

If I attempt to run autopwn it doesn't find anything and i get this:

[usb] pm3 --> hf mf autopwn
[!] no known key was supplied, key recovery might fail
[+] loaded 44 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 0.6s | found 0/32 keys (44)
[=] running strategy 2
[=] ...
[=] Chunk 7.2s | found 0/32 keys (44)
[=] Expected execution time is about 25seconds on average
[=] Press pm3-button to abort

[=] Running darkside ...........
[-] Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).

[-] No usable key was found!

I was able to sniff the following twice with hf 14a sniff but i dont know what to do with it...

[+] Recorded activity (trace len = 13 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       4768 | Rdr |50  00  57  cd                                                           |  ok | HALT
[usb] pm3 --> hf 14a sniff

[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 13
[usb] pm3 --> hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 13 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       4768 | Rdr |50  00  57  cd     


I've also tried running through the built in key list and no luck there either using hf mf fchk --1k -f mfc_default_keys.dic

From research online I think I need to try a hardnested attack but i'm unfamiliar with the syntax required so I think i'm doing it wrong but this the error i'm getting

[usb] pm3 --> hf mf hardnested -r
[=] Target block no   0, target key type: A, known target key: 000000000000 (not set)
[=] File action: read, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX512F SIMD core            |                 |
[=]        0 |       0 | Brute force benchmark: 3064 million (2^31.5) keys/s     | 140737488355328 |   13h
[=]        3 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   13h
[!] Could not open file hf-mf-7515ED1B-nonces.bin

Any advice on next steps would be greatly appreciated

Offline

#2 2022-10-26 19:44:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Trying to crack mifare 1k classic on my 3d printer filament spool

Autopwn does all of it.  If you fail,  I suggest you do a sniff,   

hf 14a sniff -h
trace save -f 3dfilament
trace list -h

Offline

#3 2022-10-28 16:23:49

Essorcal
Contributor
Registered: 2022-10-25
Posts: 6

Re: Trying to crack mifare 1k classic on my 3d printer filament spool

Thanks a lot for that! I was able to get the first 2 keys from the trace after I figured out how to do that. I'm currently running autopwn with the first key is there a way I can give it both of the keys I know as an input to reduce the time needed to bruteforce it? I dumped both of the keys but since i had to try them independently i have 2 separate .bin files that im unsure of how to combine or view.

Last edited by Essorcal (2022-10-28 17:03:59)

Offline

#4 2022-10-28 23:26:17

Essorcal
Contributor
Registered: 2022-10-25
Posts: 6

Re: Trying to crack mifare 1k classic on my 3d printer filament spool

Ok so i figured out how to put the keys into a dictionary and pass those into autopwn but im running into the following error. its happened twice. I've disabled usb suspended state and made sure my computer never went to sleep but im not sure if thats still the issue or if theres something else I might be missing. Both times happened around ~5000.

 
[=]     5073 |       1 | Apply bit flip properties                               | 140737488355328 |   13h
[=]     5074 |       1 | Apply bit flip properties                               | 140737488355328 |   13h

[!!] Error: No response from Proxmark3


[!] Communicating with Proxmark3 device failed

[=] Running in OFFLINE mode. Use "hw connect" to reconnect

[usb] pm3 --> [offline] pm3 -->

Offline

#5 2022-10-29 07:59:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Trying to crack mifare 1k classic on my 3d printer filament spool

depends on the card tech.
Lately people found out the hard way that MIFARE Plus and hardnested doesn't go well together.

Offline

#6 2022-10-29 15:39:35

Essorcal
Contributor
Registered: 2022-10-25
Posts: 6

Re: Trying to crack mifare 1k classic on my 3d printer filament spool

Ah ok, good to know thanks. Anything I should try to keep making progress?

Offline

#7 2022-10-29 16:29:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Trying to crack mifare 1k classic on my 3d printer filament spool

hard to tell right now,   since I am not sure of how you perform your research with the pm3.

I usually start with getting a solid identification of the involved card tech and build my approach accordingly

Offline

#8 2022-10-29 19:51:04

Essorcal
Contributor
Registered: 2022-10-25
Posts: 6

Re: Trying to crack mifare 1k classic on my 3d printer filament spool

Makes sense. This is the first time I’ve ever done anything like this so my method is very much not optimal haha. Lots of guess and check based off random info gained from forum posts. Any resources to point to for how to identify the involved card tech?

Offline

Board footer

Powered by FluxBB