I am trying to clone a Mifare Classic 1k used for a coffee machine. More for the learning process than for the coffee itself!
I have a proxmark3, I have flashed the firmware thanks to Iceman's Wiki.
Now I've tried a few commands, I am pretty confused because when I use the hf mf autopwn command, I see that 7 keys are missing.
I am not really sure what I am supposed to do next...
Below you will find the output of the commands:
[usb] pm3 --> hw version
[ Proxmark3 RFID instrument ]
[ Client ]
Iceman/master/v4.18341-6-g1a7b2856e-suspect 2024-03-25 13:37:46 20d6f7f37
compiled with............. GCC 13.2.0
platform.................. Linux / x86_64
Readline support.......... present
QT GUI support............ present
native BT support......... absent
Python script support..... present
Lua SWIG support.......... present
Python SWIG support....... present
[ Proxmark3 ]
device.................... device / fw mismatch
firmware.................. RDV4
external flash............ present
smartcard reader.......... absent
FPC USART for BT add-on... absent
[ ARM ]
bootrom: Iceman/master/v4.18341-6-g1a7b2856e-suspect 2024-03-25 13:38:14 20d6f7f37
os: Iceman/master/v4.18341-6-g1a7b2856e-suspect 2024-03-25 13:38:31 20d6f7f37
compiled with GCC 13.2.1 20231009
[ FPGA ]
fpga_pm3_lf.ncd image 2s30vq100 2024-02-03 15:12:10
fpga_pm3_hf.ncd image 2s30vq100 2024-02-03 15:12:20
fpga_pm3_felica.ncd image 2s30vq100 2024-02-03 15:12:41
fpga_pm3_hf_15.ncd image 2s30vq100 2024-02-03 15:12:31
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 69% used )
[usb] pm3 --> hf search
[!] ⚠ No known/supported 13.56 MHz tags found
[usb] pm3 --> hf search
? Searching for ISO14443-A tag...
[+] UID: 8C C3 A6 0C
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection....... weak
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found
[usb] pm3 --> hf mf autopwn
[!] ⚠ no known key was supplied, key recovery might fail
[+] loaded 5 dynamic keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] .
[=] running strategy 2
[=] .
[+] target sector 0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 9 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 10 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 11 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 12 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 13 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 14 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[-] ⛔ Tag isn't vulnerable to Nested Attack (PRNG is probably not predictable).
[-] ⛔ Nested attack failed --> try hardnested
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 4 threads and AVX SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1021 million (2^29.9) keys/s | 140737488355328 | 2d
[=] 1 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 872 ms | 140737488355328 | 2d
[=] 1 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 2d
[!!] ? Error: Static encrypted nonce detected. Aborted
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 008 | 035 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 009 | 039 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 010 | 043 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 011 | 047 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 012 | 051 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 013 | 055 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 014 | 059 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
Thank you for your support.
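An added example (not the poster's or the Proxmark3 project's code) that parses the `found keys` table above and lists which sector keys autopwn could not recover. The `res` legend is the one autopwn prints under the table; the sector-to-trailer-block mapping is the standard MIFARE Classic layout (4-block sectors below sector 32, 16-block sectors from sector 32 on a 4K card). Run on the table quoted above it reports the seven key B entries of sectors 8 to 14 as the missing ones and shows that two default keys cover everything that was found.

```python
"""Parse the `found keys` table that Proxmark3 `hf mf autopwn` prints and report
which sector keys are still missing.

Added example for this thread, not Proxmark3 code.  SAMPLE_TABLE is the table
quoted in the post above; the res legend is the one autopwn prints under it.
Sector-to-block mapping is the MIFARE Classic layout (4 blocks per sector for
sectors 0-31, 16 blocks per sector for sectors 32-39 on 4K cards)."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# autopwn's legend; "0" is the res value for a key it could not recover.
RES_LEGEND = {
    "D": "dictionary", "S": "darkside", "U": "user", "R": "reused", "N": "nested",
    "H": "hardnested", "C": "static nested", "A": "key A", "0": "not found",
}

# One table row, e.g. "[+] 008 | 035 | A0A1A2A3A4A5 | D | ------------ | 0"
ROW_RE = re.compile(
    r"^\[\+\]\s+(\d{3})\s*\|\s*(\d{3})\s*\|\s*([0-9A-Fa-f]{12}|-{12})"
    r"\s*\|\s*([0-9A-Z])\s*\|\s*([0-9A-Fa-f]{12}|-{12})\s*\|\s*([0-9A-Z])\s*$"
)

@dataclass
class SectorKeys:
    sector: int
    trailer_block: int      # the Blk column: the sector trailer that stores both keys
    key_a: Optional[str]
    res_a: str
    key_b: Optional[str]
    res_b: str

def trailer_block(sector: int) -> int:
    """Block number of the sector trailer (last block of the sector)."""
    if sector < 32:
        return sector * 4 + 3
    return 128 + (sector - 32) * 16 + 15

def parse_key_table(text: str) -> List[SectorKeys]:
    """Keep only the per-sector rows; header, separators and legend do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            sec, blk, ka, ra, kb, rb = m.groups()
            rows.append(SectorKeys(int(sec), int(blk),
                                   None if ka.startswith("-") else ka.upper(), ra,
                                   None if kb.startswith("-") else kb.upper(), rb))
    return rows

def missing_keys(rows: List[SectorKeys]) -> List[Tuple[int, str]]:
    """(sector, 'A'|'B') for every key autopwn did not recover (dashes or res 0)."""
    out = []
    for r in rows:
        if r.key_a is None or r.res_a == "0":
            out.append((r.sector, "A"))
        if r.key_b is None or r.res_b == "0":
            out.append((r.sector, "B"))
    return out

def key_usage(rows: List[SectorKeys]) -> Dict[str, List[Tuple[int, str]]]:
    """Which recovered key protects which sectors; shows how few distinct keys a card uses."""
    usage: Dict[str, List[Tuple[int, str]]] = {}
    for r in rows:
        if r.key_a is not None:
            usage.setdefault(r.key_a, []).append((r.sector, "A"))
        if r.key_b is not None:
            usage.setdefault(r.key_b, []).append((r.sector, "B"))
    return usage

SAMPLE_TABLE = """\
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 008 | 035 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 009 | 039 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 010 | 043 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 011 | 047 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 012 | 051 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 013 | 055 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 014 | 059 | A0A1A2A3A4A5 | D | ------------ | 0
[+] 015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
"""

if __name__ == "__main__":
    rows = parse_key_table(SAMPLE_TABLE)
    for sector, kt in missing_keys(rows):
        print(f"sector {sector:2d} key {kt}: {RES_LEGEND['0']} (trailer block {trailer_block(sector)})")
    for key, where in key_usage(rows).items():
        print(f"{key} protects {len(where)} sector keys")
```

The `res` column is the thing to read first: a `D` means the key came from the dictionary, a `0` means nothing recovered it, and the dashes in the key column are what autopwn later fills with `FFFFFFFFFFFF` when it builds the key file, so a dump made from that file will be partial for exactly those sectors.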

[usb] pm3 --> hf mf info
[=] --- ISO14443-a Information ---------------------
[+] UID: AE BE CE 3A
[+] ATQA: 00 02
[+] SAK: 18 [2]
[=] --- Keys Information
[=] [0] key FF FF FF FF FF FF
[+] loaded 1 keys supplied by user
[+] loaded 61 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Sector 1 key A... FFFFFFFFFFFF
[+] Block 0.......... AE BE CE 3A E4 98 02 00 64 8F 45 18 65 90 01 11
[=] --- Fingerprint
[=] --- Magic Tag Information
[=] <N/A>
[=] --- PRNG Information
[+] Prng................. weak
[usb] pm3 --> hf mfp info
[=] --- Tag Information ---------------------------
[!!] No card response
[+] UID: AE BE CE 3A
[+] ATQA: 00 02
[+] SAK: 18 [2]
[+] Possible types:
[+] MIFARE Classic 4K
[=] proprietary non iso14443-4 card found, RATS not supported
[!!] No card response
[=] --- Fingerprint
[=] Size...... 4K (4 UID)
[=] SAK....... 4K 7b UID
[=] --- Security Level (SL)
[+] SL mode... SL1
[=] SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication
Restoring with an Ultimate magic card (Magic capabilities Gen 4 GTU & Gen 2 / CUID):
script run hf_mf_ultimatecard -w 0 -g 00 -t 7 -u AEBECE3A -q 000218 -g 01
hf mf gload -p AEBECE3A --4k -v -f hf-mf-AEBECE3A-dump-001.bin
script run hf_mf_ultimatecard -g 03
The card doesn't work... did a dump of the second card and "data diff" looks about the same. The original has 255 blocks & copy has 63 blocks for some reason.
The original dump.json does have some odd ATQA/SAK that didn't show up earlier:
"UID": "AEBECE3A",
"ATQA": "0200",
"SAK": "98"
Is this a clue why it's not working? Any tips?
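An added example (not the poster's or Proxmark3's code) that inspects a MIFARE Classic dump the way one would check the dump above: it parses block 0 (UID, BCC, and the SAK/ATQA bytes as stored by the manufacturer), compares those stored bytes with the values the reader reported during anticollision, and decodes the access bits of every sector trailer. `BLOCK0` is the block 0 printed by `hf mf info` above; the rest of the sample dump (default transport trailers plus one sector constructed so its data blocks are readable with key B only) is constructed. The access-condition tables follow the MIFARE Classic data sheet. On the sample it confirms the BCC, reports that the stored ATQA `02 00` is the printed `00 02` in wire order and that the stored SAK `98` differs from the answered `18` only in bit 7, and lists the blocks a key A authentication cannot read.

```python
"""Inspect a MIFARE Classic dump: the manufacturer block and every sector's
access conditions.

Added example for this thread, not Proxmark3 code.  BLOCK0 is the block 0 that
`hf mf info` printed above; the rest of the sample dump is constructed.
Access-condition tables follow the MIFARE Classic data sheet."""

from typing import Dict, List, Tuple

# (C1, C2, C3) of a data block -> who may read, write, increment, decrement/transfer/restore
DATA_ACCESS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"), (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"), (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"), (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"), (1, 1, 1): ("never",) * 4,
}
# (C1, C2, C3) of the trailer -> key A read/write, access bits read/write, key B read/write
TRAILER_ACCESS = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}

def parse_block0(block: bytes) -> Dict[str, object]:
    """4-byte-UID layout: UID[4] BCC SAK ATQA[2] manufacturer[8]; BCC is the XOR of the UID."""
    uid = block[0:4]
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {"uid": uid.hex().upper(), "bcc_ok": block[4] == bcc,
            "sak": block[5], "atqa": block[6:8], "manufacturer": block[8:16]}

def compare_anticollision(b0: Dict[str, object], sak_seen: int, atqa_printed: bytes) -> Dict[str, object]:
    """Stored vs. answered values.  Proxmark3 prints ATQA as `00 02` where block 0
    holds `02 00` (both visible in this thread), so the printed bytes are reversed."""
    return {"sak_xor": b0["sak"] ^ sak_seen, "atqa_match": b0["atqa"] == atqa_printed[::-1]}

def sector_blocks(sector: int) -> List[int]:
    """4 blocks per sector below sector 32, 16 per sector from 32 on (4K cards)."""
    if sector < 32:
        return list(range(sector * 4, sector * 4 + 4))
    start = 128 + (sector - 32) * 16
    return list(range(start, start + 16))

def decode_access_bits(b6: int, b7: int, b8: int) -> List[Tuple[int, int, int]]:
    """Trailer bytes 6-8 carry C1/C2/C3 and their inverses; a mismatch means a
    malformed trailer, which the card treats as a blocked sector."""
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    inv = ((b6 & 0xF) ^ c1, ((b6 >> 4) & 0xF) ^ c2, (b7 & 0xF) ^ c3)
    if inv != (0xF, 0xF, 0xF):
        raise ValueError("access bits disagree with their inverted copies")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def block_access(trailer: bytes, blocks: List[int]) -> Dict[int, Tuple[str, ...]]:
    """Access conditions per block; 16-block sectors share one group per 5 data blocks."""
    groups = decode_access_bits(trailer[6], trailer[7], trailer[8])
    out = {}
    for idx, blk in enumerate(blocks):
        if idx == len(blocks) - 1:
            out[blk] = TRAILER_ACCESS[groups[3]]
        else:
            out[blk] = DATA_ACCESS[groups[idx if len(blocks) == 4 else idx // 5]]
    return out

BLOCK0 = bytes.fromhex("AE BE CE 3A E4 98 02 00 64 8F 45 18 65 90 01 11")  # from the post above
DEFAULT_TRAILER = bytes.fromhex("FFFFFFFFFFFF FF078069 FFFFFFFFFFFF")       # transport configuration
KEYB_ONLY_TRAILER = bytes.fromhex("FFFFFFFFFFFF 0F00FF69 FFFFFFFFFFFF")     # constructed: data readable with key B only

def build_sample_dump() -> bytes:
    """Constructed 4K dump: BLOCK0, default trailers, sector 2 readable with key B only."""
    blocks = [bytes(16)] * 256
    blocks[0] = BLOCK0
    for s in range(40):
        blocks[sector_blocks(s)[-1]] = KEYB_ONLY_TRAILER if s == 2 else DEFAULT_TRAILER
    return b"".join(blocks)

def inspect_dump(dump: bytes) -> Dict[str, object]:
    """Card size from the dump length, block 0 fields, and the data blocks key A cannot read."""
    sectors = {1024: 16, 2048: 32, 4096: 40}.get(len(dump))
    if sectors is None:
        raise ValueError(f"unexpected dump size {len(dump)}")
    needs_b, bad = [], []
    for s in range(sectors):
        blks = sector_blocks(s)
        trailer = dump[blks[-1] * 16:(blks[-1] + 1) * 16]
        try:
            acc = block_access(trailer, blks)
        except ValueError:
            bad.append(s)
            continue
        needs_b += [b for b in blks[:-1] if acc[b][0] == "B"]
    return {"sectors": sectors, "block0": parse_block0(dump[:16]),
            "read_needs_key_b": needs_b, "malformed_trailers": bad}
```

The dump length alone tells the card size (1024 bytes for 1K with 64 blocks, 4096 bytes for 4K with 256 blocks), which is the quickest check for the "255 blocks versus 63 blocks" difference noted above. The "read needs key B" list is one configuration that leaves a dump partial when only key A is known: the authentication succeeds, but the read of those data blocks is refused.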

Despite the weeks that have passed, let me jump in here:
[=] Session log /home/john/.proxmark3/logs/log_20240206141530.txt
[+] loaded `/home/john/.proxmark3/preferences.json`
[+] Using UART port /dev/ttyACM0
[+] Communicating with PM3 over USB-CDC
[ Proxmark3 RFID instrument ]
MCU....... AT91SAM7S512 Rev B
Memory.... 512 KB ( 62% used )
Client.... Iceman/master/v4.17768-380-g6566021f3 2024-02-05 14:33:47
Bootrom... Iceman/master/v4.17768-380-g6566021f3-suspect 2024-02-05 14:34:34
OS........ Iceman/master/v4.17768-380-g6566021f3-suspect 2024-02-05 14:34:56
Target.... PM3 GENERIC
[usb] pm3 --> hf 14a info
[+] UID: 33 DA DB AE
[+] ATQA: 00 02
[+] SAK: 18 [2]
[+] Possible types:
[+] MIFARE Classic 4K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection....... hard
....
[+] generating binary key file
[+] found keys have been dumped to `/home/john/hf-mf-12345678-key-004.bin`
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[#] Block 8 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 2 block 0
[#] Block 9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 11 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY A, swapping to KEY B
[#] Block 4 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 1 block 0
[#] Block 5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 7 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 7 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 16 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 4 block 0
[#] Block 17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 20 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 5 block 0
[#] Block 21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 24 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 6 block 0
[#] Block 25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 28 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 7 block 0
[#] Block 29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 32 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 8 block 0
[#] Block 33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 36 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 9 block 0
[#] Block 37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 40 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 10 block 0
[#] Block 41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 44 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 11 block 0
[#] Block 45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 48 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 12 block 0
[#] Block 49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 52 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 13 block 0
[#] Block 53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 56 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 14 block 0
[#] Block 57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 60 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 15 block 0
[#] Block 61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 63 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 63 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY B
[-] ⛔ Dump file is PARTIAL complete
[=] downloading card content from emulator memory
[+] saved 1024 bytes to binary file `/home/john/hf-mf-12345678-dump-004.bin`
[+] saved to json file `/home/john/hf-mf-33DADBAE-dump-004.json`
[=] autopwn execution time: 119 seconds
[usb] pm3 -->
All keys (4) have been successfully found. But the dump at the end of "hf mf autopwn" fails. Does anybody have a solution for that? I hope that I can exclude bad adjustment between the card and the device.
Best regards
JD.

Thanks, have a good day.
Again, well, I tried, no good: it gives me information on another sector. In addition, great, it must have the new 8-bit CRC. Well, I will continue reading this sector; in sector 1 I have all the information "session date" in the TLV, except that I have 03 but no FE in the sector, but still an 03 for the end.
C0 value = entertainment & sports

sector 0 with the MAD
sector 1 empty, but always with an access key different for each card; I still need to understand why
sector 3 an ASCII code
sector 5 the same ASCII code, but also with the disembarkation day at the end
and sector 6 with strange hex strings, I think... actually I'm sure that is for the door lock
keys are all the same on different cards for sectors 0, 3, 5 and 6; only sector 1 always changes... maybe it is connected to the UID
so far that is all I know; have you ever found something like this?
I'm really curious about this world...
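An added example (not the poster's or Proxmark3's code) that parses the MIFARE Application Directory in sector 0 and walks the TLVs of an application sector, the two structures the posts above are reading by hand. The MAD v1 layout and its CRC-8 (polynomial 0x1D, preset 0xC7, computed over the info byte and the 15 AIDs) follow NXP AN10787; the TLV tags (0x00 NULL, 0x03 NDEF message, 0xFE terminator) follow the NFC Forum format for MIFARE Classic tags, and any other tag is returned raw. All sector contents in the block are constructed; the second TLV sample reproduces the "03 but no FE" situation described above, which the walker reports as a missing terminator rather than guessing where the data ends.

```python
"""Parse the MIFARE Application Directory (MAD v1) in sector 0 and walk the
TLVs of an application sector.

Added example for this thread, not Proxmark3 code.  MAD layout and CRC follow
NXP AN10787 (CRC-8, polynomial 0x1D, preset 0xC7, over the info byte and the
15 AIDs); TLV tags follow the NFC Forum Type MIFARE Classic format (0x00 NULL,
0x03 NDEF message, 0xFE terminator).  The sample sector contents below are
constructed, not any poster's card."""

from typing import Dict, List, Tuple

def crc8_mad(data: bytes) -> int:
    """CRC-8 used by the MAD: poly 0x1D, init 0xC7, no reflection, no final XOR."""
    crc = 0xC7
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

# Well-known AIDs (function cluster << 8 | application code) from AN10787 / NFC Forum.
KNOWN_AIDS = {
    0x0000: "free",
    0x0001: "defect",
    0x0002: "reserved",
    0x0003: "contains additional directory info",
    0x0004: "card holder information",
    0x0005: "not applicable",
    0xE103: "NFC Forum NDEF",
}

def parse_gpb(gpb: int) -> Dict[str, object]:
    """General purpose byte (sector 0 trailer, byte 9): DA, MA and MAD version bits."""
    return {"mad_available": bool(gpb & 0x80),
            "multi_application": bool(gpb & 0x40),
            "mad_version": gpb & 0x03}

def parse_mad1(block1: bytes, block2: bytes) -> Dict[str, object]:
    """MAD v1 = 32 bytes: CRC, info byte (card publisher sector pointer), then one
    little-endian AID (application code, function cluster) for sectors 1..15."""
    mad = block1 + block2
    if len(mad) != 32:
        raise ValueError("MAD v1 needs blocks 1 and 2 of sector 0")
    aids = {}
    for sector in range(1, 16):
        lo, hi = mad[2 * sector], mad[2 * sector + 1]
        aids[sector] = (hi << 8) | lo
    return {"crc_ok": crc8_mad(mad[1:]) == mad[0], "info_byte": mad[1], "aids": aids}

def describe_aid(aid: int) -> str:
    return KNOWN_AIDS.get(aid, f"function cluster 0x{aid >> 8:02X}, application 0x{aid & 0xFF:02X}")

def walk_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """(tag, value) pairs up to and including the 0xFE terminator.  NULL TLVs are
    skipped; a sector that runs out without a terminator raises, as the data
    cannot be trusted to end where the length fields say."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        if tag == 0xFE:
            out.append((tag, b""))
            return out
        if tag == 0x00:                 # NULL TLV: a single byte, no length
            i += 1
            continue
        length = data[i + 1]
        if length == 0xFF:              # three-byte length form
            length = (data[i + 2] << 8) | data[i + 3]
            i += 4
        else:
            i += 2
        out.append((tag, data[i:i + length]))
        i += length
    raise ValueError("no 0xFE terminator TLV found")

def build_sample_mad() -> Tuple[bytes, bytes]:
    """Constructed MAD: sector 1 = NDEF, sector 2 = card holder info, the rest free."""
    body = bytearray([0x00])                    # info byte: no card publisher sector
    for sector in range(1, 16):
        aid = {1: 0xE103, 2: 0x0004}.get(sector, 0x0000)
        body += bytes([aid & 0xFF, aid >> 8])   # application code first, then cluster
    mad = bytes([crc8_mad(bytes(body))]) + bytes(body)
    return mad[:16], mad[16:]

# Constructed sector-1 data: an NDEF TLV carrying a 5-byte message, then the terminator.
SAMPLE_NDEF_SECTOR = bytes.fromhex("03 05 D1 01 01 54 00 FE") + bytes(8)
# Same message but no 0xFE, only padding: the "03 but no FE" case.
SAMPLE_NO_TERMINATOR = bytes.fromhex("03 05 D1 01 01 54 00") + bytes(9)
```

Checking the MAD CRC before trusting the AIDs is the first thing to do with a card like the one described above: a single flipped byte anywhere in the info byte or the AID list fails the check, and `parse_gpb` on byte 9 of the sector 0 trailer tells you whether the card even claims to carry a MAD and which version.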
I met the problem when trying to clone my flat door card.
1. I found my card's sector 1 encrypted with unknown keys. So firstly I tried to brute force the keys with a PN532, and I successfully got the key A. However, after about 0.7M attempts, I failed to find the key B.
2. Just as I was trying more attempts (actually, this may theoretically cost thousands of years), I googled the key A and found this post. I then knew that the key B is related to the UID.
3. Although I did not find my UID bytes in reply #21, I found that the lower 4 bits follow the rule $x+y=5$, where x and y are the lower 4 bits of the UID bytes and the key B bytes.
4. So the complexity comes down to at most 2^(4*4) = 65536 attempts. For me, the key B is in the pattern XAX3X1XF9595, where X stands for 4 unknown bits.
Finally, after minutes of attempts with my PN532, I got my card's key B!
I'd really appreciate your post. Thank you!

And of course, if the system is using MIFARE Classic keys, you can always clone them.

Do you think these DI tags from AE could be overwritten with the ACR122U to be used for any figure or disc?