Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-05-12 05:04:00

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Salto Tag - NXP MIFARE Classic 4k

This is my first time playing around with Mifare tags and i'm getting a little lost...

First I ran...

proxmark3> hf 14a reader
 UID : 2e c0 29 bd           
ATQA : 00 02          
 SAK : 18 [2]          
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to chinese magic backdoor commands: NO 

then...

proxmark3> hf mf mifare 
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.
Card is not vulnerable to Darkside attack (its random number generator is not predictable).
proxmark3> 

so then I...

proxmark3> hf mf chk *4 ? t
No key specified, trying default keys          
chk default key[ 0] ffffffffffff          
chk default key[ 1] 000000000000          
chk default key[ 2] a0a1a2a3a4a5          
chk default key[ 3] b0b1b2b3b4b5          
chk default key[ 4] aabbccddeeff          
chk default key[ 5] 4d3a99c351dd          
chk default key[ 6] 1a982c7e459a          
chk default key[ 7] d3f7d3f7d3f7          
chk default key[ 8] 714c5c886e97          
chk default key[ 9] 587ee5f9350f          
chk default key[10] a0478cc39091          
chk default key[11] 533cb6c723f6          
chk default key[12] 8fd0a4f256e9          
--sector: 0, block:  3, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector: 1, block:  7, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector: 2, block: 11, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector: 3, block: 15, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector: 4, block: 19, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector: 5, block: 23, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector: 6, block: 27, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector: 7, block: 31, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector: 8, block: 35, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector: 9, block: 39, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:10, block: 43, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:11, block: 47, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:12, block: 51, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:13, block: 55, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:14, block: 59, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:15, block: 63, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:16, block: 67, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:17, block: 71, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:18, block: 75, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:19, block: 79, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:20, block: 83, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:21, block: 87, key type:A, key count:13           
Found valid key:[ffffffffffff]          
--sector:22, block: 91, key type:A, key count:13           
Found valid key:[ffffffffffff]          
etc.......

next i saw I tried

proxmark3> hf mf nested o 0 A FFFFFFFFFFFF 3 A 
--target block no:  3, target key type:A           
Tag isn't vulnerable to Nested Attack (random numbers are not predictable).

and

proxmark3> hf mf nested 4 0 A FFFFFFFFFFFF  
Testing known keys. Sector count=40          
nested...          
-----------------------------------------------          
Tag isn't vulnerable to Nested Attack (random numbers are not predictable).

I've been searching all over the forum beacuse im sure the answer is right in front of my eyes but I cant seem to put it together. Is anyone able to point me in the right direction?

Offline

#2 2017-05-12 07:13:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Salto Tag - NXP MIFARE Classic 4k

...if only there was a way to save the found keys in hf mf chk...

Offline

#3 2017-05-12 07:58:22

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Salto Tag - NXP MIFARE Classic 4k

iceman wrote:

...if only there was a way to save the found keys in hf mf chk...

Thanks Iceman!

hf mf chk *4 ? d         

....am i on the right track? If I'm working on Windows, will I need python installed for datakey/datadump.bin?

Offline

#4 2017-05-12 08:28:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Salto Tag - NXP MIFARE Classic 4k

the bin files are just ordinary binary files.  You would need hexeditor to open them.  if you don't like binary files, you always change them into eml (script run bintoemul)  which is ascii files which you can open in any texteditor

Offline

#5 2017-05-12 08:54:11

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Salto Tag - NXP MIFARE Classic 4k

Salto 1K
card  (4 byte UID)
fob    (4 byte UID)
label  (7 byte UID)

use FFFFFFFFFFFF for key A and B for sector 0,1,2,3,4
and a single key for sector A and a single key for sector B for all other sectors


Hint: One of the three (Card, Fob, Sticky Label) is prone to MFOC.

Offline

#6 2017-05-12 14:32:37

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: Salto Tag - NXP MIFARE Classic 4k

UID : 00 00 00 00
ATQA : 00 02
SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): NO

My guess if you need to clone them, you probably need this smile

Offline

#7 2017-05-12 16:27:57

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Salto Tag - NXP MIFARE Classic 4k

if im still running ProxSpace-130613 would this cause issues with hardness attacks?

Offline

#8 2017-05-12 16:59:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Salto Tag - NXP MIFARE Classic 4k

I doubt that old proxspace env is able to compile.

Offline

#9 2017-05-12 19:07:14

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Salto Tag - NXP MIFARE Classic 4k

ok I switched to Gators Proxspace but still cant run the hardnested cmds. Is there a way to check the new Github proxspace worked correctly.

Offline

#10 2017-05-12 20:03:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Salto Tag - NXP MIFARE Classic 4k

the pm3 master does not have hardnested.  do your background checks.

Offline

#11 2017-12-08 11:11:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Salto Tag - NXP MIFARE Classic 4k

You should be able to use the offical pm3 release now with hardnested in order  to get some keys out.

Offline

#12 2017-12-08 11:38:50

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Salto Tag - NXP MIFARE Classic 4k

Yep, Hardnested will give you the keys. :-)

Offline

#13 2018-02-18 09:57:31

rfidboi
Contributor
Registered: 2017-01-31
Posts: 17

Re: Salto Tag - NXP MIFARE Classic 4k

Did you have any luck with this fob Charlie?

Something odd happened to me. hf mf mifare found that ffffffffffff was the key (A and B) for most sectors except the last ones. I did a few hardnested attacks and found that ffffffffffff was supposedly the type A key for a few of the last sectors and also key type B for at least one of the last sectors. I don’t get why hf mf didn’t find this key. I was able to use it to read some of the last sectors with key A. But I was not able to use ffffffffffff as ley B... Not sure how to move forward with cloning this fob. Any tips are greatly appreciated. Thanks!

Offline

Board footer

Powered by FluxBB