Hi, I recently got with the proxmark3 the keys of all the sectors of a mifare classic 1k ev1 card. Here I leave the sector 0, 1 and 2, which are the ones that have the information. The sectors I was interested in were sectors 1 and 2.
“Created”: “proxmark3”,
“FileType”: “mfcard”,
“Card”: {
“UID”: “64B15D26”,
“ATQA”: “0400”,
“SAK”: “08”
},
“blocks”: {
“0”: “64B15D26AE880400C806002000000020”,
“1”: “7B002688268800000000000000000000”,
“2”: “00000000000000000000000000000000”,
“3”: “A0A1A2A3A4A578778800164F86ED1174”,
"4": "0000FE0E0000000000003A000000006F",
"5": "0300000000000000000000000000C89B",
"6": "0B194F2E00000000000000000A0100A1",
"7": "07869C23FC6B7877880017FD0801A54F",
"8": "00000000FFFFFFFF0000000009F609F6",
"9": "3C000000C3FFFFFF3C00000009F609F6",
"10": "00000000FFFFFFFF000000000AF50AF5",
"11": "0403F8B9B9A508778F00147D99FE62C4",
So far so good, the case is that I got my hands on a new card from this company and what was my surprise that when I try to read it with the proxmark3 and does not let me read sectors 1 and 2. This company has changed the passwords of sectors 0,3,4,5,6,7,8,9,9,10,11,12,13,14,15 and has put default keys FFFFFFFFFFFFFFFFFFFF. In the first one you only knew the password A of sector 0, which was A0A1A2A3A4A5.
if I use hf mf keycheck, it comes out empty, it does not find any key.
if I use hf mf fchk, I get all keys except for sector 1 and 2.
if I use hf mf autopwn, it only gets the FFFFFFFFFFFFFFFFFFFFF and at the end it says: nested: 00000000 vs 00000000. error: no response from proxmark3.
if use hf mf darkside pone runing darkside…- card is not vulnerable to darkside attack, doesn’t send NACK on authentication request.
Another change that I have seen and I had not noticed is that the header 0 of sector 0, has also changed, that is to say, this the uid and other numbers, that in the old cards except for the uid, were all the same. In this new change in each card are not the same.
[usb] pm3 → hf mf chk
[=] Start check for keys…
[=] …
[=] time in checkkeys 3 seconds
[=] testing to read key B…
[+] found keys:
[+] -----±----±-------------±–±-------------±—
[+] Sec | Blk | key A |res| key B |res
[+] -----±----±-------------±–±-------------±—
[+] 000 | 003 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 001 | 007 | ------------ | 0 | ------------ | 0
[+] 002 | 011 | ------------ | 0 | ------------ | 0
[+] 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] -----±----±-------------±–±-------------±—
[+] ( 0:Failed / 1:Success )
[usb] pm3 → hf mf autopwn
[!] no known key was supplied, key recovery might fail
[+] loaded 45 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 1.2s | found 28/32 keys (45)
[=] running strategy 2
[=] Chunk 1.2s | found 28/32 keys (45)
[+] target sector 0 key type A – found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector 0 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B – found valid key [ FFFFFFFFFFFF ]
[#] Nested: 00000000 vs 00000000
[!!] Error: No response from Proxmark3.
[usb] pm3 → hf mf darkside
[=] Expected execution time is about 25seconds on average
[=] Press pm3-button to abort
[=] Running darkside …[-] card is not vulnerable to Darkside attack (doesn’t send NACK on authentication requests)
[usb] pm3 → hf mf hardnested --tblk 4 --ta
[!] Key is wrong. Can’t authenticate to block: 0 key type: A
[usb] pm3 → hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta
[=] Target block no 4, target key type: A, known target key: 000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[=] Hardnested attack starting…
[=] ---------±--------±--------------------------------------------------------±----------------±------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------±--------±--------------------------------------------------------±----------------±------
[=] 0 | 0 | Start using 16 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 2630 million (2^31.3) keys/s | 140737488355328 | 15h
[=] 5 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 15h
[#] AcquireEncryptedNonces finished
[!!] Error: Static encrypted nonce detected. Aborted.
[usb] pm3 → hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta -f nonces.bin -w -s
[=] Target block no 4, target key type: A, known target key: 000000000000 (not set)
[=] File action: write, Slow: Yes, Tests: 0
[=] Hardnested attack starting…
[=] ---------±--------±--------------------------------------------------------±----------------±------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------±--------±--------------------------------------------------------±----------------±------
[=] 0 | 0 | Start using 16 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 2304 million (2^31.1) keys/s | 140737488355328 | 17h
[=] 4 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 17h
[#] AcquireEncryptedNonces finished
[!!] Error: Static encrypted nonce detected. Aborted.
[usb] pm3 → script run hf_mf_keycheck.lua
[+] executing lua C:\Users\APOFIS\Downloads\ProxSpace\pm3\proxmark3\client\luascripts/hf_mf_keycheck.lua
[+] args ‘’
Found tag NXP MIFARE CLASSIC 1k | Plus 2k
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 78 keys
[+] hf_mf_keycheck - Checkkey execution time: 332 sec
|—|----------------|—|----------------|—|
sec key A res key B res
000 ------------ 0 ------------ 0
001 ------------ 0 ------------ 0
002 ------------ 0 ------------ 0
003 ------------ 0 ------------ 0
004 ------------ 0 ------------ 0
005 ------------ 0 ------------ 0
006 ------------ 0 ------------ 0
007 ------------ 0 ------------ 0
008 ------------ 0 ------------ 0
009 ------------ 0 ------------ 0
010 ------------ 0 ------------ 0
011 ------------ 0 ------------ 0
012 ------------ 0 ------------ 0
013 ------------ 0 ------------ 0
014 ------------ 0 ------------ 0
015 ------------ 0 ------------ 0
— ---------------- — ---------------- —
Do you wish to save the keys to dumpfile? [y/n] ?
[usb] pm3 → hf mf nested --1k --blk 0 -a -k FFFFFFFFFFFF
[+] Testing known keys. Sector count 16
[=] Chunk 1.3s | found 28/32 keys (46)
[+] Time to check 45 known keys: 1 seconds
[+] enter nested key recovery
[#] Nested: 00000000 vs 00000000
[!!] Command execute timeout
[usb] pm3 --> hf mf nested --1k --blk 0 -a -k ffffffffffff --tblk 8 --ta
[-] Tag isn't vulnerable to Nested Attack (PRNG is not predictable).