Proxmark3 community

#1 2017-09-27 21:29:07

chickengun
Contributor
Registered: 2017-09-27
Posts: 7

Reading a mifare classic tag

Hello,

I just received my proxmark3 easy and tested it right away. I placed a mifare classic 1k tag onto it and did the following:

hf mf mifare

This way I was able to get one A key (484558414354). It was interesting to me that it was important to place the tag at a distance of ~0.5 inch from the antenna to make it recognize the tag. Placing it directly on the hf antenna resulted in a "can't find card" error message.

So after that I did the following to get the rest of the A/B keys:

hf mf nested 1 0 a 484558414354

This is the output:

[...]
Time in nested: 119.217 (0.750 sec per key)

-----------------------------------------------
Iterations count: 159


|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  484558414354  | 1 |  000000000000  | 0 |
|001|  484558414354  | 1 |  000000000000  | 0 |
|002|  484558414354  | 1 |  000000000000  | 0 |
|003|  484558414354  | 1 |  000000000000  | 0 |
|004|  484558414354  | 1 |  000000000000  | 0 |    <- 000000000000 means
|005|  484558414354  | 1 |  000000000000  | 0 |    I am missing a lot of B keys
|006|  484558414354  | 1 |  000000000000  | 0 |      
|007|  484558414354  | 1 |  000000000000  | 0 |
|008|  484558414354  | 1 |  000000000000  | 0 |
|009|  484558414354  | 1 |  000000000000  | 0 |
|010|  484558414354  | 1 |  000000000000  | 0 |
|011|  484558414354  | 1 |  000000000000  | 0 |
|012|  484558414354  | 1 |  000000000000  | 0 |
|013|  484558414354  | 1 |  000000000000  | 0 |
|014|  484558414354  | 1 |  000000000000  | 0 |
|015|  484558414354  | 1 |  484558414354  | 1 |
|---|----------------|---|----------------|---|

As you can see I am missing 15 B keys. Now the funny part: I came across this website where a "proxmark guy" has a tag that looks like mine... in fact it is the same manufacturer, so we both happened to have the same A key 484558414354 (lol). However, his output using the nested attack was:

|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  484558414354  | 1 |  a22ae129c013  | 1 |          
|001|  484558414354  | 1 |  49fae4e3849f  | 1 |          
|002|  484558414354  | 1 |  38fcf33072e0  | 1 |          
|003|  484558414354  | 1 |  000000000000  | 0 |      <- only one B key missing!  
|004|  484558414354  | 1 |  509359f131b1  | 1 |          
|005|  484558414354  | 1 |  6c78928e1317  | 1 |          
|006|  484558414354  | 1 |  aa0720018738  | 1 |          
|007|  484558414354  | 1 |  a6cac2886412  | 1 |          
|008|  484558414354  | 1 |  62d0c424ed8e  | 1 |          
|009|  484558414354  | 1 |  e64a986a5d94  | 1 |          
|010|  484558414354  | 1 |  8fa1d601d0a2  | 1 |          
|011|  484558414354  | 1 |  89347350bd36  | 1 |          
|012|  484558414354  | 1 |  66d2b7dc39ef  | 1 |          
|013|  484558414354  | 1 |  6bc1e1ae547d  | 1 |          
|014|  484558414354  | 1 |  22729a9bd40f  | 1 |          
|015|  484558414354  | 1 |  484558414354  | 1 |          
|---|----------------|---|----------------|---|

He was only missing one key. Furthermore he said:

Running the nested attack once allowed us to discover all the B keys but one (for sector "003"). Hopefully, running it again will allow us to find the missing value: 8ad5517b4b18. It is still unclear to me why from time to time, a key is not found, but running the attack again will find it. It may be either the exchanges with the tag failing once or twice during the attack, or the way the attack is done leading to some values not being found.

So he was able to get the last key (8ad5517b4b18) but I was not even able to get all the remaining 15 B keys. I tried it several times but I always got the same output.

Can anyone tell me why or what I can do to get all keys? Thanks!

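Reading the key tables above programmatically, as an added example that is not part of the original posts or of the Proxmark3 project: it takes the res column, not the all-zero key value, as the sign that a key was not recovered, and it lists keys shared across sectors for an assessment report. The function names are hypothetical and the sample rows are constructed from the table format shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: rows in the table format shown in the post, including
# the trailing annotation text the poster appended to one row.
SAMPLE = """\
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  484558414354  | 1 |  a22ae129c013  | 1 |
|003|  484558414354  | 1 |  000000000000  | 0 |      <- only one B key missing!
|015|  484558414354  | 1 |  484558414354  | 1 |
|---|----------------|---|----------------|---|
"""

# sector | key A | res | key B | res |  (anything after the last pipe is ignored)
ROW = re.compile(
    r"^\|(\d{3})\|\s*([0-9a-fA-F]{12})\s*\|\s*([01])\s*\|"
    r"\s*([0-9a-fA-F]{12})\s*\|\s*([01])\s*\|"
)

def parse_key_table(text):
    """Return {sector: {"A": key or None, "B": key or None}}; None means res was 0."""
    sectors = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # separator lines, the header row, unrelated output
        sec, key_a, res_a, key_b, res_b = m.groups()
        sectors[int(sec)] = {
            "A": key_a.lower() if res_a == "1" else None,
            "B": key_b.lower() if res_b == "1" else None,
        }
    return sectors

def missing_keys(sectors):
    """Sorted (sector, key type) pairs whose res flag was 0."""
    return sorted((s, t) for s, ks in sectors.items() for t, k in ks.items() if k is None)

def reused_keys(sectors):
    """Map each recovered key used in more than one slot to its (sector, type) slots."""
    seen = defaultdict(set)
    for s, ks in sectors.items():
        for t, k in ks.items():
            if k is not None:
                seen[k].add((s, t))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    table = parse_key_table(SAMPLE)
    print("missing:", missing_keys(table))
    print("reused:", reused_keys(table))
```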

#2 2017-09-28 18:40:14

chickengun
Contributor
Registered: 2017-09-27
Posts: 7

Re: Reading a mifare classic tag

Never mind. Today I flashed the newest firmware. After that everything worked flawlessly. All keys were found in one run, pretty fast as well.


#3 2017-09-29 22:10:04

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Reading a mifare classic tag

The fix for this functionality is here:
https://github.com/Proxmark/proxmark3/pull/403
