Proxmark3 community


#1 2017-08-27 19:57:46

meter

PM3 Mifare emulation and reader attack doesn't work

Hi,

I have some MIFARE Classic 1K tags. Some are vulnerable to the nested attack and hardnest, and some only to hardnest, but this is not my problem.
I have all the passwords.
I would like to understand how the reader calculates the password for every sector. So I am trying to emulate a MIFARE 1K with the PM3, changing some data to understand when the password is different, and here I have a problem.
All the tags have password A of sector 0 set to A0A1A2A3A4A5, and all the other passwords are different for every keyfob.
I have loaded the emulator memory with only sector 0 and started the emulator with

    hf mf sim i

or

    hf mf sim i r

I have not used the x parameter because it stops after the first key and I want to calculate all the passwords, or in any case more of them.
The reader tries to authenticate in all sectors, but with mfkey32 I can calculate only the password of sector 0, A0A1A2A3A4A5; for all the others mfkey32 tells me "Couldn't recover key."
I have also used a random nonce to try the moebius attack, but nothing: mfkey32 always tells me the same message.
Here is part of the trace:

    4021056 |    4022048 | Rdr | 52                                                              |     | WUPA
    4023604 |    4025972 | Tag | 04  00                                                          |     | 
    4029632 |    4040160 | Rdr | 93  70  f4  39  47  de  54  42  85                              |  ok | SELECT_UID
    4041652 |    4045172 | Tag | 08  b6  dd                                                      |     | 
    4051776 |    4056544 | Rdr | 61  07  92  16                                                  |  ok | AUTH-B(7)
    4060724 |    4065460 | Tag | 01  02  03  04                                                  |     | 
    4068012 |    4077388 | Rdr |e5!  d2 4f! aa!  91  bc b7! ff!                                  | !crc| ?
    4125100 |    4129868 | Rdr | 61  0b  fe  dc                                                  |  ok | AUTH-B(11)
    4151744 |    4152736 | Rdr | 52                                                              |     | WUPA
    4154292 |    4156660 | Tag | 04  00                                                          |     | 
    4160448 |    4170976 | Rdr | 93  70  f4  39  47  de  54  42  85                              |  ok | SELECT_UID
    4172340 |    4175860 | Tag | 08  b6  dd                                                      |     | 
    4182464 |    4187232 | Rdr | 61  0b  fe  dc                                                  |  ok | AUTH-B(11)
    4191412 |    4196148 | Tag | 01  02  03  04                                                  |     | 
    4198572 |    4207948 | Rdr | d5  b0  ae ad!  09 fb! 20!  c4                                  | !crc| ?
    4241600 |    4242592 | Rdr | 52                                                              |     | WUPA
    4244148 |    4246516 | Tag | 04  00                                                          |     | 
    4250304 |    4260832 | Rdr | 93  70  f4  39  47  de  54  42  85                              |  ok | SELECT_UID
    4262196 |    4265716 | Tag | 08  b6  dd                                                      |     | 
    4272576 |    4277344 | Rdr | 61  0b  fe  dc                                                  |  ok | AUTH-B(11)
    4281652 |    4286388 | Tag | 01  02  03  04                                                  |     | 
    4288832 |    4298208 | Rdr |bf! b1!  42 de!  23  ee  54  1f                                  | !crc| ?
    4306740 |    4311412 | Tag | 9f  5a  33  14                                                  |     | 
    4314816 |    4315808 | Rdr | 52                                                              |     | WUPA
    4317364 |    4319732 | Tag | 04  00                                                          |     | 
    4323520 |    4334048 | Rdr | 93  70  f4  39  47  de  54  42  85                              |  ok | SELECT_UID
    4335412 |    4338932 | Tag | 08  b6  dd                                                      |     | 
    4345536 |    4350304 | Rdr | 61  0b  fe  dc                                                  |  ok | AUTH-B(11)
    4354484 |    4359220 | Tag | 01  02  03  04                                                  |     | 
    4361644 |    4371020 | Rdr |0e! d4! 69!  0c 4f! 15! f8! be!                                  | !crc| ?

and this is with a random nonce:

   15476638 |   15477630 | Rdr | 52                                                              |     | WUPA
   15479186 |   15481554 | Tag | 04  00                                                          |     | 
   15485214 |   15495742 | Rdr | 93  70  f4  39  47  de  54  42  85                              |  ok | SELECT_UID
   15497234 |   15500754 | Tag | 08  b6  dd                                                      |     | 
   15507614 |   15512382 | Rdr | 61  07  92  16                                                  |  ok | AUTH-B(7)
   15516690 |   15521362 | Tag | b6  fa  b1  4b                                                  |     | 
   15523854 |   15533166 | Rdr |40! 99! 0e! 5a! d6!  ca 25!  c3                                  | !crc| MAGIC WUPC1
   15580686 |   15585454 | Rdr | 61  0b  fe  dc                                                  |  ok | AUTH-B(11)
   15607326 |   15608318 | Rdr | 52                                                              |     | WUPA
   15609874 |   15612242 | Tag | 04  00                                                          |     | 
   15616286 |   15626814 | Rdr | 93  70  f4  39  47  de  54  42  85                              |  ok | SELECT_UID
   15628306 |   15631826 | Tag | 08  b6  dd                                                      |     | 
   15638302 |   15643070 | Rdr | 61  0b  fe  dc                                                  |  ok | AUTH-B(11)
   15647378 |   15652114 | Tag | 89  48  a9  68                                                  |     | 
   15654542 |   15663918 | Rdr | b8 51!  77 ba! 43!  2b 64! 4d!                                  | !crc| ?
   15697566 |   15698558 | Rdr | 52                                                              |     | WUPA
   15700114 |   15702482 | Tag | 04  00                                                          |     | 
   15706142 |   15716670 | Rdr | 93  70  f4  39  47  de  54  42  85                              |  ok | SELECT_UID
   15718162 |   15721682 | Tag | 08  b6  dd                                                      |     | 
   15728670 |   15733438 | Rdr | 61  0b  fe  dc                                                  |  ok | AUTH-B(11)
   15737746 |   15742418 | Tag | a0  3e  48  96                                                  |     | 
   15744934 |   15754246 | Rdr | a6  fd be!  14  01 b5! 91! e9!                                  | !crc| ?
   15762906 |   15767578 | Tag | 7b  1a  52  ee                                                  |     | 
   15778590 |   15779582 | Rdr | 52                                                              |     | WUPA
   15781138 |   15783506 | Tag | 04  00                                                          |     | 
   15787166 |   15797694 | Rdr | 93  70  f4  39  47  de  54  42  85                              |  ok | SELECT_UID
   15799186 |   15802706 | Tag | 08  b6  dd                                                      |     | 
   15809566 |   15814334 | Rdr | 61  0b  fe  dc                                                  |  ok | AUTH-B(11)
   15818642 |   15823378 | Tag | c6  2f  f1  46                                                  |     | 
   15825806 |   15835182 | Rdr |86! df!  3c  6a  a5  48 19! d2!                                  | !crc| ?

Naturally I took 2 answers from the reader for the same sector, in succession.
Suggestions? What is wrong in my trace? I see missing commands; I don't know if the problem is the emulator or if the reader has a problem with my antenna.

Last edited by meter (2017-08-27 19:59:53)

#2 2017-08-27 20:30:48

iceman

Why don't you use mfkey64?

    pm3 ~/tools/mfkey$ mfkey64.exe f43947de a03e4896 a6fdbe14 01b591e9 7b1a52ee
    MIFARE Classic key recovery - based 64 bits of keystream
    Recover key from only one complete authentication!

    Recovering key for:
      uid: f43947de
       nt: a03e4896
     {nr}: a6fdbe14
     {ar}: 01b591e9
     {at}: 7b1a52ee

    LFSR succesors of the tag challenge:
      nt': 7ec61de1
     nt'': 712af0a4

    Keystream used to generate {ar} and {at}:
      ks2: 7f738c08
      ks3: 0a30a24a

    Found Key: [ffffffffffff]

#3 2017-08-27 22:56:38

meter

Because in the emulator the password is surely wrong. I will test all authentications with mfkey64. How can it work if the tag (PM3 emulator) doesn't know the correct password?

#4 2017-08-27 23:21:18

iceman

I missed your point of only loading the first sector in emulator mem. You will need two partial auths for the same block/key/keytype in order to get mfkey32 to work.

Isn't there an option to load emulator mem with the found key? In order to get keys from "sim x" or mfkey32, the reader must authenticate against the sectors you are looking for. If it doesn't do that, you can't get all keys that way. That's how it works.

Not quite sure what you mean with

I would like to understand as the reader calculate the password for every sector

Do you mean how crypto1 works? Or do you think the system of which your tags belong to, has an algo to calculate each key and you want to figure out that algo?

#5 2017-08-28 09:41:40

meter

This is my scope:

iceman wrote:

Or do you think the system of which your tags belong to, has an algo to calculate each key and you want to figure out that algo?

The reader doesn't try the same password in succession, sometimes FFFFFFFFFFFF and sometimes b0b1b2b3b4b5, so I need to try many combinations to discover all the passwords. After your suggestion, iceman, I tried combining the first and third responses from the reader and a password was found, thank you.
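
Added example, not part of the original posts or of the mfkey tools: it pulls the nt, {nr}, {ar} and {at} values out of Proxmark3 trace lines, groups them by block and key type (the unit post #4 says mfkey32 needs two of), and recomputes the nt', nt'', ks2 and ks3 values that mfkey64 prints in post #2. The function names are illustrative, the sample lines are copied from the random-nonce trace in post #1, and the 60/61 command bytes for AUTH-A/AUTH-B are the standard MIFARE Classic values, an assumption not stated in the thread.

```python
# Lines copied from the random-nonce trace in post #1 (whitespace condensed).
TRACE = """\
15728670 | 15733438 | Rdr | 61  0b  fe  dc | ok | AUTH-B(11)
15737746 | 15742418 | Tag | a0  3e  48  96 |  |
15744934 | 15754246 | Rdr | a6  fd be!  14  01 b5! 91! e9! | !crc| ?
15762906 | 15767578 | Tag | 7b  1a  52  ee |  |
15809566 | 15814334 | Rdr | 61  0b  fe  dc | ok | AUTH-B(11)
15818642 | 15823378 | Tag | c6  2f  f1  46 |  |
15825806 | 15835182 | Rdr |86! df!  3c  6a  a5  48 19! d2! | !crc| ?
"""

def swap32(x):
    return int.from_bytes(x.to_bytes(4, "big"), "little")

def prng_successor(x, n):
    """Advance the tag nonce generator (a 16-bit LFSR) by n steps."""
    x = swap32(x)
    for _ in range(n):
        fb = ((x >> 16) ^ (x >> 18) ^ (x >> 19) ^ (x >> 21)) & 1
        x = (x >> 1) | (fb << 31)
    return swap32(x)

def auth_attempts(trace):
    """Group authentications that reached {nr}{ar} by (block, key type)."""
    out, cur = {}, None
    for line in trace.splitlines():
        f = [c.strip() for c in line.split("|")]
        if len(f) < 4 or f[2] not in ("Rdr", "Tag"):
            continue
        src, data = f[2], "".join(f[3].replace("!", "").split())  # drop parity marks
        if src == "Rdr" and len(data) == 8 and data[:2] in ("60", "61"):
            cur = {"slot": (int(data[2:4], 16), "AB"[int(data[1])])}
        elif cur and src == "Tag" and "nt" not in cur:
            cur["nt"] = int(data, 16)
        elif cur and src == "Rdr" and "nt" in cur and "nr" not in cur and len(data) == 16:
            cur["nr"], cur["ar"] = int(data[:8], 16), int(data[8:], 16)
            out.setdefault(cur["slot"], []).append(cur)
        elif cur and src == "Tag" and "ar" in cur and "at" not in cur:
            cur["at"] = int(data, 16)
        else:
            cur = None  # anything else (WUPA, SELECT, ...) ends the exchange
    return out

def keystream(a):
    """ks2 and ks3 of a complete authentication, as mfkey64 prints them."""
    return a["ar"] ^ prng_successor(a["nt"], 64), a["at"] ^ prng_successor(a["nt"], 96)

if __name__ == "__main__":
    for slot, auths in auth_attempts(TRACE).items():
        print(slot, len(auths), "auths,", sum("at" in a for a in auths), "complete")
```

Two entries under the same (block, key type) are only a starting point: as post #5 reports, this reader does not present the same key on consecutive attempts.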
