Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2018-06-20 14:24:29

markus
Contributor
Registered: 2018-06-20
Posts: 3

Something strange on mifare replication. Some new mf protection?

Hello guys! How are things going? Yesterday I got two MIFARE cards with values inside and, same as always, tried to clone them. (I work at a company that does pen tests involving card cloning.)

This is not the first time we have audited this company, and we could reproduce the cloning process on all their older MIFARE cards.

But for the first time, the proxmark3 couldn't complete the process. I would like some help from my colleagues who are much more experienced than me on this. Maybe there is some formatting protection on this new card?

Let me show the reproduction below:

This is my initialisation:
-------begin result -------

#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2016-11-09 00:59:56
#db# os: /-suspect 2016-12-08 12:45:38
#db# HF FPGA image built on 2015/03/09 at 08:41:42
#db#   Modify by Willok(willok@163.com)

#db#      proxmark3.taobao.com


Prox/RFID mark3 RFID instrument

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 0 bytes ( 0%). Free: 262144 bytes (100%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

----- end result ----


After placing the card on the proxmark3, we ran a hw tune check and a hw 14a read procedure:

----- begin result ----
>hw tune
Measuring antenna characteristics, please wait.......
# LF antenna: 24.06 V @   125.00 kHz
# LF antenna: 36.85 V @   134.00 kHz
# LF optimal: 36.85 V @   133.33 kHz
# HF antenna: 25.77 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

proxmark3> hf 14a reader
UID : 73 5b 67 ec
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
proxmark3>

----- end result ----

After that, we continued with the process:
----- begin result ----
proxmark3> hf mf chk *1 ? d
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block:  3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:A, key count:13
--sector: 2, block: 11, key type:A, key count:13
--sector: 3, block: 15, key type:A, key count:13
--sector: 4, block: 19, key type:A, key count:13
--sector: 5, block: 23, key type:A, key count:13
--sector: 6, block: 27, key type:A, key count:13
--sector: 7, block: 31, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 0, block:  3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:B, key count:13
--sector: 2, block: 11, key type:B, key count:13
--sector: 3, block: 15, key type:B, key count:13
--sector: 4, block: 19, key type:B, key count:13
--sector: 5, block: 23, key type:B, key count:13
--sector: 6, block: 27, key type:B, key count:13
--sector: 7, block: 31, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:B, key count:13
Found valid key:[ffffffffffff]
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.
----- end result ----

With the key in hand, we tried the nested attack on the card.
And that SURPRISED US because it had never happened before!

----- begin result ----
proxmark3> hf mf nested 1 0 A ffffffffffff d
Testing known keys. Sector count=16
nested...
-----------------------------------------------
Error: No response from Proxmark.

proxmark3>
----- end result ----

After this, the proxmark3 becomes unresponsive, sending messages all the time.

We tried a simple hw tune to see whether the proxmark3 was responding, and we got those "Sending bytes to proxmark failed" messages:

-----begin code-----
proxmark3> hw tune

Measuring antenna characteristics, please wait...Sending bytes to proxmark failed
........
No response from Proxmark. Aborting...
proxmark3>

-----end code-----

To make the proxmark3 respond again, we have to unplug it from USB and connect it again.

The card works normally on any antenna for reading the value inside.

Also, when we try to sniff it, nothing happens - it keeps reading forever...

proxmark3> hf mf sniff
-------------------------------------------------------------------------
Executing command.
Press the key on the proxmark3 device to abort both proxmark3 and client.
Press the key on pc keyboard to abort the client.
-------------------------------------------------------------------------
.....................................................................................................................................................


I have tested other older cards from this company and everything works fine, but the new ones have something new that I couldn't figure out.

Can anyone help me with this?

Thanks in advance.

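An added example, not part of the original post or of the Proxmark3 client: a small Python parser for `hf mf chk` output in the format shown in post #1, useful for an audit report listing which sectors still answer a factory default key and which had no key found (the entries the client fills with the 0xffffffffffff placeholder in dumpkeys.bin). The sample text is constructed and abbreviated, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated sample in the `hf mf chk` output format from the post.
SAMPLE = """\
--sector: 0, block:  3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:A, key count:13
--sector: 2, block: 11, key type:A, key count:13
--sector: 7, block: 31, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 0, block:  3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:B, key count:13
--sector: 2, block: 11, key type:B, key count:13
--sector: 7, block: 31, key type:B, key count:13
Found valid key:[ffffffffffff]
"""

SECTOR_RE = re.compile(r"^--sector:\s*(\d+), block:\s*\d+, key type:([AB]), key count:\s*\d+")
KEY_RE = re.compile(r"^Found valid key:\[([0-9a-fA-F]{12})\]")

def parse_chk(text):
    """Return {(sector, key_type): key_hex or None} from `hf mf chk` output."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTOR_RE.match(line)
        if m:
            current = (int(m.group(1)), m.group(2))
            results[current] = None  # stays None unless a key line follows
            continue
        k = KEY_RE.match(line)
        if k and current is not None:
            results[current] = k.group(1).lower()
            current = None  # ignore stray key lines until the next sector line
    return results

def summarize(results):
    """Split sectors into those with a key found and those with none (A or B)."""
    sectors = sorted({s for s, _ in results})
    found = [s for s in sectors if any(results.get((s, t)) for t in "AB")]
    unknown = [s for s in sectors if s not in found]
    return {"default_key": found, "unknown": unknown}

if __name__ == "__main__":
    print(summarize(parse_chk(SAMPLE)))
```
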

#2 2018-06-20 15:05:00

markus
Contributor
Registered: 2018-06-20
Posts: 3

Re: Something strange on mifare replication. Some new mf protection?

One observation: this card is EV1.


#3 2018-06-22 12:57:15

rayway99
Contributor
Registered: 2018-04-08
Posts: 20

Re: Something strange on mifare replication. Some new mf protection?

Note that you are using a NON-official firmware or iceman firmware with the version shown. From the information provided, it looks like a Taobao (Chinese eBay) one. It might work if you know what you are doing, but support is only provided for official firmware here on the forum.

If you are using the latest firmware, >hf 14a info or hf mf nested might show you more useful information. In case the tag isn't vulnerable to the nested attack, you would need to try hardnest.

You can try to see if my other thread with the similar problem is of any help to you, but do get the firmware corrected if you want specific guidance from this forum.
http://proxmark.org/forum/viewtopic.php?id=5733


#4 2018-06-23 04:12:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Something strange on mifare replication. Some new mf protection?

sorry @OP,

You are running a custom firmware; you have to ask your question to the creator of that firmware, which looks like Willok.
On this forum we recommend running the latest official PM3 master, to be sure there are no bugs in the latest source.

#db#   Modify by Willok(willok@163.com)
