Proxmark developers community


#1 2017-09-15 08:16:20

Learner4Life
Contributor
Registered: 2017-09-14
Posts: 10

Missing A Key - Sector 15 - Mifare 1K

I have already gone through the forum but could not find an answer to my query.

I am trying to clone a Mifare 1K access card with a 4-byte UID. However, when I take a card dump, I get access to Sector 15 but the A key is missing. All the other sectors 1-14 have default info and default A/B keys (FFFFFFFFFFF)

Dump


How do I decrypt this so that cloning can be done?

Surprisingly, if a clone is made without sector 15, the new card works for device access but not for door or parking access.

Thanks

Last edited by Learner4Life (2017-09-15 08:19:27)

Offline

#2 2017-09-15 14:47:28

lonewolf
Contributor
Registered: 2016-09-03
Posts: 36

Re: Missing A Key - Sector 15 - Mifare 1K

I'm not sure why you felt the need to censor the access condition flags, but whatever.  A nested or hardnested attack would be what I'd try next.

Offline

#3 2017-09-15 16:22:32

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 162
Website

Re: Missing A Key - Sector 15 - Mifare 1K

1) Does your parking access have long range instead of the typical short-range contact?
- If yes (long range), the card is combined with a UHF card, so the sector doesn't matter.
- If not, then yes, that sector is important.

If you are using MCT, you can load up some known keys from inside the pm3 source and test them, like a0a1a2a3a4a5 (the more typical one for a start).

I am guessing nested will just work well for it since it already worked with MCT.


You live, you learn.
You give, you take.
You win, you lose.

Offline

#4 2017-09-15 20:12:35

Learner4Life
Contributor
Registered: 2017-09-14
Posts: 10

Re: Missing A Key - Sector 15 - Mifare 1K

lonewolf wrote:

I'm not sure why you felt the need to censor the access condition flags, but whatever.  A nested or hardnested attack would be what I'd try next.

Appreciate your input.

Offline

#5 2017-09-15 20:20:21

Learner4Life
Contributor
Registered: 2017-09-14
Posts: 10

Re: Missing A Key - Sector 15 - Mifare 1K

Dot.Com wrote:

1) Does your parking access have long range instead of the typical short-range contact?
- If yes (long range), the card is combined with a UHF card, so the sector doesn't matter.
- If not, then yes, that sector is important.

If you are using MCT, you can load up some known keys from inside the pm3 source and test them, like a0a1a2a3a4a5 (the more typical one for a start).

I am guessing nested will just work well for it since it already worked with MCT.

Appreciate your input.

Parking seems to be short range, just like the access door. I am just wondering: if a key is not there, the block will be inaccessible; however, block 15 is accessible with key A missing (_ _ _) while Key B is (222222222222). What does this mean? Also, do you think it is required to sniff the reader to be able to decrypt/clone the card?

A sincere request to members here: can anybody share all the latest/updated standard keys which I can use with MCT? I have tried looking around and even bought an application on the app store, but no luck. It seems I am not looking in the right place.

Please help me out.

Offline

#6 2017-09-15 22:50:16

lonewolf
Contributor
Registered: 2016-09-03
Posts: 36

Re: Missing A Key - Sector 15 - Mifare 1K

Learner4Life wrote:

I am just wondering: if a key is not there, the block will be inaccessible; however, block 15 is accessible with key A missing (_ _ _) while Key B is (222222222222). What does this mean?

It means the access bits (the part you censored) are set to allow access to the block with Key B, and MCT was able to guess Key B.

Learner4Life wrote:

Also, do you think it is required to sniff the reader to be able to decrypt/clone the card?

No.  While that would work, a hardnested attack on the card with a PM3 should work as well.

Learner4Life wrote:

A sincere request to members here: can anybody share all the latest/updated standard keys which I can use with MCT? I have tried looking around and even bought an application on the app store, but no luck. It seems I am not looking in the right place.

You're assuming the key is going to be in a standard key list - if it's not then a list of common keys is useless.  Have you tried iceman's list?  https://github.com/iceman1001/proxmark3/blob/master/client/default_keys.dic  If it's not there then I doubt any list will have it.

Offline

#7 2017-09-16 10:20:02

Learner4Life
Contributor
Registered: 2017-09-14
Posts: 10

Re: Missing A Key - Sector 15 - Mifare 1K

You are right. I removed key B from my key stack and MCT failed to access sector 15.

lonewolf wrote:

It means the access bits (the part you censored) are set to allow access to the block with Key B, and MCT was able to guess Key B.

Learner4Life wrote:

Also, do you think it is required to sniff the reader to be able to decrypt/clone the card?

No.  While that would work, a hardnested attack on the card with a PM3 should work as well.

Learner4Life wrote:

A sincere request to members here: can anybody share all the latest/updated standard keys which I can use with MCT? I have tried looking around and even bought an application on the app store, but no luck. It seems I am not looking in the right place.

You're assuming the key is going to be in a standard key list - if it's not then a list of common keys is useless.  Have you tried iceman's list?  https://github.com/iceman1001/proxmark3/blob/master/client/default_keys.dic  If it's not there then I doubt any list will have it.

Thank you for pointing this out. I have copied all these keys and used them in MCT, but no luck. So currently, I have all keys to this card except one, that is Sector 15 - Key A. Unfortunately I don't have access to hardnested right away.

However, I tried to clone without Sector 15 - Key A. The cloned card could not access doors but can access devices like Xerox machines. This is surprising to me; I wonder how it happens.

Appreciate all your help.

I happened to see MCT with bruteforce. However, I am not able to get the bruteforce version anywhere. Can anybody point me towards a download place for bruteforce MCT?

Last edited by Learner4Life (2017-09-16 10:48:39)

Offline

#8 2017-09-16 15:31:11

app_o1
Contributor
Registered: 2013-06-22
Posts: 230

Re: Missing A Key - Sector 15 - Mifare 1K

How has the first sector, first block, been dealt with? Is it 100% same as your card?

Sniff communication and see if sector 15 is supposed to give key A. If yes, you have B so it's a 60 sec run to get A.

Offline

#9 2017-09-16 19:40:02

Learner4Life
Contributor
Registered: 2017-09-14
Posts: 10

Re: Missing A Key - Sector 15 - Mifare 1K

app_o1 wrote:

How has the first sector, first block, been dealt with? Is it 100% same as your card?

Yes. It is.

app_o1 wrote:

Sniff communication and see if sector 15 is supposed to give key A. If yes, you have B so it's a 60 sec run to get A.

Now this is something I am not very well versed in (process and tools) as of now. Maybe you/the masters here can help me. I checked online but could not get complete and exact info.

Thanks

Offline

#10 2017-09-25 09:45:39

Learner4Life
Contributor
Registered: 2017-09-14
Posts: 10

Re: Missing A Key - Sector 15 - Mifare 1K

Ok. This challenge is getting more interesting now.

I am using Windows 7 - 64 Bit and my PM3 details are as below.

17vxXrJ.png

Tune details are as below.

4ZsTGjZ.png

Now, I have a Mi 1K card wherein I know all keys except Key A - Sector 15.

When I try to do a nested attack, it gives the following message. I am not sure how to correctly form the command, though I have tried all possible combinations.

kLDlqRY.png

When I try to do a hardnested attack, it gives the following message.

pXkS94q.png


So I am stuck even with the latest PM3 around. I wish somebody could help me here.

Thanks

Last edited by Learner4Life (2017-09-25 09:52:33)

Offline

#11 2017-09-25 09:57:48

iceman
Administrator
Registered: 2013-04-25
Posts: 4,159
Website

Re: Missing A Key - Sector 15 - Mifare 1K

....you will need to read the helptext for hardnested since you are calling it the wrong way


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#12 2017-09-25 10:38:38

Learner4Life
Contributor
Registered: 2017-09-14
Posts: 10

Re: Missing A Key - Sector 15 - Mifare 1K

iceman wrote:

....you will need to read the helptext for hardnested since you are calling it the wrong way

Appreciate your revert.

I have tried getting help using HF MF Hardnested help and it gives just 3 formats.

Now, as I know, I just need Key A for Sector 15, and I know Key A for sector 0 is FFFFFFFFFFFF. I am using the command

HF MF Hardnested 0 A FFFFFFFFFFFF 15 A

But when I run this command, after a few minutes it gives me the key as FFFFFFFFFFFF, which I know is wrong.

Not sure where I am going wrong.

Last edited by Learner4Life (2017-09-25 10:48:45)

Offline

#13 2017-09-25 10:47:00

iceman
Administrator
Registered: 2013-04-25
Posts: 4,159
Website

Re: Missing A Key - Sector 15 - Mifare 1K

... you should take notice of the details when you read the helptext...


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#14 2017-10-12 01:33:19

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 47

Re: Missing A Key - Sector 15 - Mifare 1K

I have what seems to be a similar problem/type of card. All keys known except for sector 15 key A.

I can however read sector 15 with key B.

I have tried hardnested with Block 0 key A as the known key and target key A sector 15.

I have also tried sniffing the communication however nothing is picked up after multiple attempts.

An interesting thing to note is that the readers stay on a red LED on a successful read with only 1 beep, whereas readers like these that I have seen before turn green with a different tone. (Not sure if relevant.)

c93aeba02178b6943daedfdd07ac1916.jpg

The website points out

Mifare Enhanced Security (MES) options are available to counter card-cloning attempts.

In addition to Mifare Classic security, the Gallagher system
implements an optional layer of security, “Mifare Enhanced Security”
(MES). MES helps protect against card cloning, denying access and
raising alarms upon unauthorised card presentation.

Typically Gallagher access control
information resides on sector 15 but it can be located on any sector
from 1-15.

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 | 
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|015|  ffffffffffff  | 0 |  b7bf0c13066e  | 1 |
|---|----------------|---|----------------|---|

Version:

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-70-gc19f26b-suspect 2017-09-27 07:20:24
os: master/v3.0.1-70-gc19f26b-suspect 2017-09-27 07:20:26
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 198877 bytes (38). Free: 325411 bytes (62).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

Card:

 UID : f5 80 ba 2e 
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

Valid ISO14443A Tag Found - Quiting Search

Hard Nested 1

--target block no: 15, target key type:A, known target key: 0x000000000000 (not set), file action: write, Slow: No, Tests: 0 



 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time 
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 8 threads and no SIMD core                  |                 |
       0 |       0 | Brute force benchmark: 135 million (2^27.0) keys/s      | 140737488355328 |   12d
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   12d
       5 |       0 | Writing acquired nonces to binary file nonces.bin       | 140737488355328 |   12d
       6 |     112 | Apply bit flip properties                               |  10792007106560 |   22h
       7 |     224 | Apply bit flip properties                               |   8805313150976 |   18h
       8 |     336 | Apply bit flip properties                               |   8433352835072 |   17h
       9 |     448 | Apply bit flip properties                               |   8381726720000 |   17h
      10 |     560 | Apply bit flip properties                               |   8378623459328 |   17h
      11 |     672 | Apply bit flip properties                               |   8378623459328 |   17h
      11 |     784 | Apply bit flip properties                               |   8378623459328 |   17h
      12 |     895 | Apply bit flip properties                               |   8378623459328 |   17h
      13 |    1003 | Apply bit flip properties                               |   8378623459328 |   17h
      13 |    1112 | Apply bit flip properties                               |   8378623459328 |   17h
      14 |    1221 | Apply bit flip properties                               |   8378623459328 |   17h
      15 |    1330 | Apply bit flip properties                               |   8378623459328 |   17h
      16 |    1439 | Apply bit flip properties                               |   8378623459328 |   17h
      18 |    1550 | Apply Sum property. Sum(a0) = 0                         |    122364919808 | 15min
      18 |    1660 | Apply bit flip properties                               |    117800845312 | 15min
      19 |    1770 | Apply bit flip properties                               |    114275516416 | 14min
      20 |    1880 | Apply bit flip properties                               |    114275516416 | 14min
      21 |    1992 | Apply bit flip properties                               |    114275516416 | 14min
      22 |    2099 | Apply bit flip properties                               |    113353940992 | 14min
      23 |    2210 | Apply bit flip properties                               |    112791142400 | 14min
      24 |    2320 | Apply bit flip properties                               |    112791142400 | 14min
      24 |    2430 | Apply bit flip properties                               |    112111714304 | 14min
      25 |    2539 | Apply bit flip properties                               |    111884386304 | 14min
      26 |    2650 | Apply bit flip properties                               |    111884386304 | 14min
      27 |    2758 | Apply bit flip properties                               |    111884386304 | 14min
      28 |    2758 | (1. guess: Sum(a8) = 256)                               |    111884386304 | 14min
      34 |    2758 | Apply Sum(a8) and all bytes bitflip properties          |     23491956736 |  3min
     567 |    2758 | Brute force phase:  24.35%                              |     17948137472 |  2min
     595 |    2758 | Brute force phase completed. Key found: ffffffffffff    |               0 |    0s

Hard Nest 2

--target block no: 15, target key type:A, known target key: 0x000000000000 (not set), file action: write, Slow: Yes, Tests: 0 



 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time 
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 8 threads and no SIMD core                  |                 |
       0 |       0 | Brute force benchmark: 89 million (2^26.4) keys/s       | 140737488355328 |   18d
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   18d
      16 |       0 | Writing acquired nonces to binary file nonces.bin       | 140737488355328 |   18d
      16 |     112 | Apply bit flip properties                               |  10181519867904 |   32h
      28 |     224 | Apply bit flip properties                               |   8534695608320 |   27h
      39 |     334 | Apply bit flip properties                               |   8381762895872 |   26h
      50 |     446 | Apply bit flip properties                               |   8378623459328 |   26h
      61 |     558 | Apply bit flip properties                               |   8378623459328 |   26h
      71 |     668 | Apply bit flip properties                               |   8378623459328 |   26h
      82 |     780 | Apply bit flip properties                               |   8378623459328 |   26h
      92 |     891 | Apply bit flip properties                               |   8378623459328 |   26h
      94 |    1002 | Apply bit flip properties                               |   8378623459328 |   26h
      96 |    1111 | Apply bit flip properties                               |   8378623459328 |   26h
     106 |    1222 | Apply bit flip properties                               |   8378623459328 |   26h
     116 |    1332 | Apply bit flip properties                               |   8378623459328 |   26h
     129 |    1437 | Apply Sum property. Sum(a0) = 0                         |    188756525056 | 35min
     139 |    1545 | Apply bit flip properties                               |    188756525056 | 35min
     141 |    1656 | Apply bit flip properties                               |    156011675648 | 29min
     151 |    1766 | Apply bit flip properties                               |    156001271808 | 29min
     161 |    1876 | Apply bit flip properties                               |    156001271808 | 29min
     172 |    1988 | Apply bit flip properties                               |    137744809984 | 26min
     182 |    2092 | Apply bit flip properties                               |    129065066496 | 24min
     192 |    2199 | Apply bit flip properties                               |    123643412480 | 23min
     202 |    2310 | Apply bit flip properties                               |    123643412480 | 23min
     222 |    2416 | Apply bit flip properties                               |    119926300672 | 22min
     242 |    2524 | Apply bit flip properties                               |    116065337344 | 22min
     262 |    2633 | Apply bit flip properties                               |    114965610496 | 22min
     283 |    2737 | Apply bit flip properties                               |    114965610496 | 22min
     303 |    2843 | Apply bit flip properties                               |    114965610496 | 22min
     323 |    2953 | Apply bit flip properties                               |    113471586304 | 21min
     343 |    3063 | Apply bit flip properties                               |    113471586304 | 21min
     363 |    3171 | Apply bit flip properties                               |    113471586304 | 21min
     383 |    3273 | Apply bit flip properties                               |    113471586304 | 21min
     403 |    3273 | (1. guess: Sum(a8) = 256)                               |    113471586304 | 21min
     410 |    3273 | Apply Sum(a8) and all bytes bitflip properties          |     19884787712 |  4min
     818 |    3273 | Brute force phase:  24.19%                              |     15634106368 |  3min
     842 |    3273 | Brute force phase completed. Key found: ffffffffffff    |               0 |    0s

Hard Nest 3

proxmark3> hf mf hardnested 14 A FFFFFFFFFFFF 15 A w s
--target block no: 15, target key type:A, known target key: 0x000000000000 (not set), file action: write, Slow: Yes, Tests: 0           


          
 time    | #nonces | Activity                                                | expected to brute force          
         |         |                                                         | #states         | time           
------------------------------------------------------------------------------------------------------          
       0 |       0 | Start using 8 threads and no SIMD core                  |                 |          
       0 |       0 | Brute force benchmark: 132 million (2^27.0) keys/s      | 140737488355328 |   12d          
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   12d          
       5 |       0 | Writing acquired nonces to binary file nonces.bin       | 140737488355328 |   12d          
       6 |     112 | Apply bit flip properties                               |  10821247696896 |   23h          
       7 |     224 | Apply bit flip properties                               |   8712106278912 |   18h          
       8 |     335 | Apply bit flip properties                               |   8421561073664 |   18h          
       9 |     447 | Apply bit flip properties                               |   8386506129408 |   18h          
      10 |     557 | Apply bit flip properties                               |   8378623459328 |   18h          
      11 |     668 | Apply bit flip properties                               |   8378623459328 |   18h          
      11 |     777 | Apply bit flip properties                               |   8378623459328 |   18h          
      12 |     888 | Apply bit flip properties                               |   8378623459328 |   18h          
      13 |    1000 | Apply bit flip properties                               |   8378623459328 |   18h          
      13 |    1108 | Apply bit flip properties                               |   8378623459328 |   18h          
      14 |    1220 | Apply bit flip properties                               |   8378623459328 |   18h          
      15 |    1331 | Apply bit flip properties                               |   8378623459328 |   18h          
      16 |    1442 | Apply bit flip properties                               |   8378623459328 |   18h          
      19 |    1552 | Apply Sum property. Sum(a0) = 0                         |    170989617152 | 22min          
      19 |    1663 | Apply bit flip properties                               |    151463559168 | 19min          
      20 |    1773 | Apply bit flip properties                               |    130902237184 | 17min          
      21 |    1882 | Apply bit flip properties                               |    130902237184 | 17min          
      22 |    1990 | Apply bit flip properties                               |    125837172736 | 16min          
      22 |    2098 | Apply bit flip properties                               |    125837172736 | 16min          
      33 |    2205 | Apply bit flip properties                               |    125837172736 | 16min          
      43 |    2314 | Apply bit flip properties                               |    122196566016 | 15min          
      54 |    2418 | Apply bit flip properties                               |    122196566016 | 15min          
      64 |    2525 | Apply bit flip properties                               |    122196566016 | 15min          
      74 |    2631 | Apply bit flip properties                               |    122196566016 | 15min          
      84 |    2631 | (1. guess: Sum(a8) = 256)                               |    122196566016 | 15min          
      93 |    2631 | Apply Sum(a8) and all bytes bitflip properties          |     42498150400 |  5min          
     887 |    2631 | Brute force phase:  24.20%                              |     34882801664 |  4min          
     893 |    2631 | Brute force phase:  48.61%                              |     27204415488 |  3min          
     933 |    2631 | Brute force phase:  74.29%                              |     19124908032 |  2min          
     934 |    2631 | Brute force phase completed. Key found: ffffffffffff    |               0 |    0s          

hard nest 4

proxmark3> hf mf hardnested r
--target block no:  0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0           


          
 time    | #nonces | Activity                                                | expected to brute force          
         |         |                                                         | #states         | time           
------------------------------------------------------------------------------------------------------          
       0 |       0 | Start using 8 threads and no SIMD core                  |                 |          
       0 |       0 | Brute force benchmark: 85 million (2^26.3) keys/s       | 140737488355328 |   19d          
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   19d          
       5 |       0 | Reading nonces from file nonces.bin...                  | 140737488355328 |   19d          
       5 |    2688 | Read 2688 nonces from file. cuid=f580ba2e               | 140737488355328 |   19d          
      14 |    2688 | (1. guess: Sum(a8) = 256)                               |    130780127232 | 26min          
      22 |    2688 | Apply Sum(a8) and all bytes bitflip properties          |     51081715712 | 10min          
     813 |    2688 | Brute force phase:  24.20%                              |     43466366976 |  8min          
     820 |    2688 | Brute force phase:  48.61%                              |     35787980800 |  7min          
     859 |    2688 | Brute force phase:  74.29%                              |     27708473344 |  5min          
     860 |    2688 | Brute force phase completed. Key found: ffffffffffff    |               0 |    0s

Hard nest 5 (sector 15 key B as known)

proxmark3> hf mf hardnested 15 B b7bf0c13066e 15 A w s
--target block no: 15, target key type:A, known target key: 0x000000000000 (not set), file action: write, Slow: Yes, Tests: 0           


          
 time    | #nonces | Activity                                                | expected to brute force          
         |         |                                                         | #states         | time           
------------------------------------------------------------------------------------------------------          
       0 |       0 | Start using 8 threads and no SIMD core                  |                 |          
       0 |       0 | Brute force benchmark: 128 million (2^26.9) keys/s      | 140737488355328 |   13d          
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   13d          
#db# Authentication failed. Card timeout.          
#db# AcquireNonces: Auth1 error          
#db# Authentication failed. Card timeout.          
#db# AcquireNonces: Auth1 error          
#db# Authentication failed. Card timeout.          
#db# AcquireNonces: Auth1 error          
#db# Authentication failed. Card timeout.          
#db# AcquireNonces: Auth1 error          
#db# Authentication failed. Card timeout.          
#db# AcquireNonces: Auth1 error          

Sector 15 read with key B

proxmark3> hf mf rdsc 15 B b7bf0c13066e
--sector no:15 key type:B key:b7 bf 0c 13 06 6e            
           
#db# READ SECTOR FINISHED          
isOk:01          
data   : a3 08 b0 c3 b2 b0 a3 d9 5c f7 4f 3c 4d 4f 5c 26           
data   : 77 77 77 2e 63 61 72 64 61 78 2e 63 6f 6d 20 20           
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
trailer: 00 00 00 00 00 00 78 77 88 c1 00 00 00 00 00 00      

Suggestions to get sector 15 key A?

Last edited by samburner3 (2017-10-12 03:00:19)

Offline

#15 2017-10-12 04:45:31

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 47

Re: Missing A Key - Sector 15 - Mifare 1K

Tried all of the above again on the master --HEAD branch & firmware of proxmark3, same results :(

I think the clue is in the sector 15 access conditions (78 77 88 c1), may be related to http://www.proxmark.org/forum/viewtopic.php?id=4898

Not sure what else to try.

Last edited by samburner3 (2017-10-12 04:47:59)

Offline
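
Added example, not part of any post in this thread: a decoder for the MIFARE Classic access-condition bytes, run on the sector 15 trailer posted above (`78 77 88`, with `c1` as the general-purpose byte). It shows which key each operation requires, which is what a card issuer would check when auditing how a sector is locked down. The function names are this example's own; the permission tables follow the NXP MIFARE Classic (MF1S50) datasheet.

```python
"""Decode MIFARE Classic access conditions from a 16-byte sector trailer."""

# Data blocks, keyed by (C1, C2, C3):
# (read, write, increment, decrement/transfer/restore)
DATA_RULES = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

# Sector trailer, keyed by (C1, C2, C3):
# (key A write, access bits read, access bits write, key B read, key B write)
# Key A is never readable under any setting.
TRAILER_RULES = {
    (0, 0, 0): ("A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "A", "never", "A", "never"),
    (1, 0, 0): ("B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("A", "A", "A", "A", "A"),  # transport configuration
    (0, 1, 1): ("B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "A|B", "never", "never", "never"),
}


def decode_access_bytes(b6, b7, b8):
    """Return [(C1, C2, C3)] for blocks 0..3 of the sector (3 = trailer).

    Each Cx nibble is stored twice, once plain and once inverted; a card
    treats a trailer whose copies disagree as invalid, so we reject it too.
    """
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    stored_inverted = (b6 & 0x0F, b6 >> 4, b7 & 0x0F)
    expected = tuple(~c & 0x0F for c in (c1, c2, c3))
    if stored_inverted != expected:
        raise ValueError("access bytes fail the inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def describe_trailer(trailer_hex):
    """Decode a full trailer given as hex text (spaces allowed)."""
    raw = bytes.fromhex(trailer_hex)
    if len(raw) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    bits = decode_access_bytes(raw[6], raw[7], raw[8])
    report = {"general_purpose_byte": raw[9], "data_blocks": [], "trailer": {}}
    for block in range(3):
        read, write, inc, dec = DATA_RULES[bits[block]]
        report["data_blocks"].append(
            {"block": block, "read": read, "write": write,
             "increment": inc, "decrement": dec})
    ka_w, acc_r, acc_w, kb_r, kb_w = TRAILER_RULES[bits[3]]
    report["trailer"] = {
        "key_a_read": "never", "key_a_write": ka_w,
        "access_bits_read": acc_r, "access_bits_write": acc_w,
        "key_b_read": kb_r, "key_b_write": kb_w,
    }
    return report


# Trailer line copied from the "Sector 15 read with key B" output above.
# The key fields read back as zeros because neither key is readable here.
POSTED_TRAILER = "00 00 00 00 00 00 78 77 88 c1 00 00 00 00 00 00"

if __name__ == "__main__":
    info = describe_trailer(POSTED_TRAILER)
    for row in info["data_blocks"]:
        print(row)
    print(info["trailer"])
```

For the posted bytes, the three data blocks decode to read with key A or B and write with key B only, and the trailer can only be changed with key B.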

#16 2017-10-12 06:27:45

iceman
Administrator
Registered: 2013-04-25
Posts: 4,159
Website

Re: Missing A Key - Sector 15 - Mifare 1K

...and yet there is a difference in sector vs block...


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#17 2017-10-12 06:38:19

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 47

Re: Missing A Key - Sector 15 - Mifare 1K

iceman wrote:

...and yet there is a difference in sector vs block...

Can you explain?

Offline

#18 2017-10-12 06:52:23

iceman
Administrator
Registered: 2013-04-25
Posts: 4,159
Website

Re: Missing A Key - Sector 15 - Mifare 1K

the difference between sector and block?  no.  That I leave up to you.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#19 2017-10-12 14:36:47

T.
Contributor
Registered: 2017-09-20
Posts: 8

Re: Missing A Key - Sector 15 - Mifare 1K

Hello,

I don't know if I am right here, but I think that:

Your Hardnest 5 cannot work because you are using sector 15 B to get your 15 A key. I would try to use hf mf hardnested 14 B b0b1b2b3b4b5 15 A w s.

Correct me if I am totally wrong, just trying to help.

Last edited by T. (2017-10-12 14:37:06)

Offline

#20 2017-10-12 14:56:22

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 47

Re: Missing A Key - Sector 15 - Mifare 1K

iceman wrote:

the difference between sector and block?  no.  That I leave up to you.

Hah, of course I know that. I meant, in what context do you make that comment?

Offline

#21 2017-10-12 14:59:22

piwi
Moderator
Registered: 2013-06-04
Posts: 473

Re: Missing A Key - Sector 15 - Mifare 1K

@T.: you are making the same mistake as samburner3.

Iceman gave you the correct hint.

Here is another hint: Try hf mf hardnested 15 B ffffffffffff 15 A
I bet that the result is ffffffffffff

Offline

#22 2017-10-12 19:09:10

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 162
Website

Re: Missing A Key - Sector 15 - Mifare 1K

I see the problem now. Good eyes iceman and piwi. :)

Let's keep them hanging. :)


You live, you learn.
You give, you take.
You win, you lose.

Offline

#23 2017-10-12 23:02:56

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 47

Re: Missing A Key - Sector 15 - Mifare 1K

Omg how silly of me hahaah!!

Got it ;)

lol lol lol lol lol lol lol lol lol lol lol

Offline

#24 2017-12-08 15:28:20

Heru
Contributor
Registered: 2017-10-08
Posts: 36

Re: Missing A Key - Sector 15 - Mifare 1K

Hi Samburner,

Could you share the key or how you ran your hardnested command?

I have the same issue: I cannot find the Sector 15 A key, and my PC crashes every time I run the hardnested command.

Mine never passes this stage... very frustrating.

      27 |    2758 | Apply bit flip properties                               |    111884386304 | 14min
      28 |    2758 | (1. guess: Sum(a8) = 256)                               |    111884386304 | 14min
      34 |    2758 | Apply Sum(a8) and all bytes bitflip properties          |     23491956736 |  3min
 

Offline

#25 2017-12-09 08:23:22

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 162
Website

Re: Missing A Key - Sector 15 - Mifare 1K

2 Aussies talking to each other for a hardnest command. Hmm.

Maybe Heru can look into the crapto as suggested by some users previously instead of using hardnest :)

Since I believe you probably know how to operate the hardnest.

Read up, my friend. Someone still owes me something. :)


You live, you learn.
You give, you take.
You win, you lose.

Offline

#26 2017-12-09 09:48:25

Heru
Contributor
Registered: 2017-10-08
Posts: 36

Re: Missing A Key - Sector 15 - Mifare 1K

Hehe, thanks Dot.com. I'm trying to get away from you, but it seems I can't ;)

I got the hints from iceman's, piwi's and your responses already. I admit I had to read them 2 times to get it. Haha

I guess because of the extensive dic file, we are lucky not to use the "hardnested" attack that much, hence we tend to forget the details.


My device is currently half bricked and not performing well; the hardnested attack runs but it crashes my laptop (with an i7 CPU).
I need a JTAG device, I'll have to shop around.

Offline
