Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-10-28 17:54:22

Lcardil
Contributor
Registered: 2018-10-28
Posts: 9

Solve Decrypted communication trace meaning

Hello Proxmarkers,

I sniff a Mifare 1k 14443-A card communication trace with 'hf mf sniff' and got this trace:

tag select uid:a0 25 a4 19  atqa:0x0004 sak:0x08
RDR(0):60 01 7c 6a
TAG(1):ff ac 38 57
RDR(2):b9 5c b5 1e 2f 56 9d a5
TAG(3):69 5e 24 1b
RDR(4):af 73 07 c1
TAG(5):d1 27 46 db 49 05 68 2d 9f 1b 52 90 b0 c1 f3 7c 6f 3f
RDR(6):4f a2 0f 5a
TAG(7):98 46 3c 60
RDR(8):3b 40 0a 02 d1 47 56 09
TAG(9):15 53 54 2e
RDR(10):fb 8c 25 c3
TAG(11):35 06 db 72
RDR(12):87 fb 1b 4f
TAG(13):92 62 fb ed c6 57 9a 53
RDR(14):57 bd 8d d9
TAG(15):fb d0 88 5d
RDR(16):0b
TAG(17):aa 5c bc 6b 13 9f
RDR(18):8c ab f2 3d
#db# COMMAND FINISHED

I used mfkey64 to decrypt the trace:

MIFARE Classic key recovery - based on 64 bits of keystream
Recover key from only one complete authentication!

LFSR successors of the tag challenge:
  nt' : aa624075
  nt'': 12355c5f
Keystream used to generate {ar} and {at}:
   ks2: 8534ddd0
   ks3: 7b6b7844

Decrypted communication:
{dec0}: 30018bb9
{dec1}: 04040000fbfbffff0404000001fe01fe7cef
{dec2}: 6004d13d
{dec3}: fdbc5bbe
{dec4}: 200d529b8aa933ca
{dec5}: 7333e26a
{dec6}: f787454f
{dec7}: 15af5c66
{dec8}: 2b3e2d2a
{dec9}: 7e215d44d19052e4
{dec10}: f8e79621
{dec11}: bae129b9
{dec12}: c3
{dec13}: f08d6a236252
{dec14}: 50f49bcd
Found Key: [7cb033257498]

I've already got the key that found by 'hardneasted' command.

I am interesting in the decrypted communication from the mfkey64

(dec0 is the tag's source and dec1 is the reader's source and on and on..):

Decrypted communication:
{dec0}: 30018bb9 #read sector 0 block 1
{dec1}: 04040000fbfbffff0404000001fe01fe7cef #sector 0 block 1 data
{dec2}: 6004d13d #auth sector 1 block 4 (first block of sector 1)
{dec3}: fdbc5bbe #?
{dec4}: 200d529b8aa933ca #?
{dec5}: 7333e26a #?
{dec6}: f787454f
{dec7}: 15af5c66
{dec8}: 2b3e2d2a
{dec9}: 7e215d44d19052e4
{dec10}: f8e79621
{dec11}: bae129b9
{dec12}: c3
{dec13}: f08d6a236252
{dec14}: 50f49bcd

I am trying to figure out what is happening because i know that:

Command- ISO/IEC 14443- Command code

Request REQA 26h (7 bit)
Wake-up WUPA 52h (7 bit)
Anticollision CL1 Anticollision CL1 93h 20h
Select CL1 Select CL1 93h 70h
Anticollision CL2 Anticollision CL2 95h 20h
Select CL2 Select CL2 95h 70h
Halt Halt 50h 00h
Authentication with Key A - 60h
Authentication with Key B - 61h
Personalize UID Usage - 40h
SET_MOD_TYPE - 43h
MIFARE Read - 30h
MIFARE Write - A0h
MIFARE Decrement - C0h
MIFARE Increment - C1h
MIFARE Restore - C2h
MIFARE Transfer - B0h

ref page 15 http://www.advanide.com/wp-content/uplo … YYX_V1.pdf

Thanks for the help in advance.

Last edited by Lcardil (2018-10-29 10:15:53)

Offline

#2 2018-10-29 19:34:32

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Solve Decrypted communication trace meaning

You see a nested authentication. {dec3} would be nt, {dec4} would be ar, nr, etc. However, it is decrypted with the sector 0 key instead of the sector 1 key.

BTW: hf mf sniff is deprecated. It is easier to use hf 14a snoop and then hf list mf. If mfkey64 works for your card, hf list mf should be able to decrypt nested authentications as well.

Offline

#3 2018-11-06 23:45:47

Lcardil
Contributor
Registered: 2018-10-28
Posts: 9

Re: Solve Decrypted communication trace meaning

piwi wrote:

You see a nested authentication. {dec3} would be nt, {dec4} would be ar, nr, etc. However, it is decrypted with the sector 0 key instead of the sector 1 key.

BTW: hf mf sniff is deprecated. It is easier to use hf 14a snoop and then hf list mf. If mfkey64 works for your card, hf list mf should be able to decrypt nested authentications as well.

Thanks for the new information!

How can you tell that it is decrypted with the sector 0 key instead of sector 1 key?

also, i tried mfkey64 with the dec3 as nt and so on..
didn't got much information and got the wrong key out.
what have i done wrong?

Thanks!

Offline

#4 2019-04-07 19:10:26

Lcardil
Contributor
Registered: 2018-10-28
Posts: 9

Re: Solve Decrypted communication trace meaning

Still no luck.. any other ideas? thanks

Offline

#5 2019-04-08 07:22:57

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Solve Decrypted communication trace meaning

What did you get with 'hf 14a snoop' followed by 'hf list mf' ?

Offline

Board footer

Powered by FluxBB