MIFARE CLASSIC 1K EV1 PROBLEM CARD KEYS

Hi, I recently got the keys of all the sectors of a MIFARE Classic 1K EV1 card with the Proxmark3. Here I leave sectors 0, 1 and 2, which are the ones that have the information. The sectors I was interested in were sectors 1 and 2.

{
  "Created": "proxmark3",
  "FileType": "mfcard",
  "Card": {
    "UID": "64B15D26",
    "ATQA": "0400",
    "SAK": "08"
  },
  "blocks": {
    "0": "64B15D26AE880400C806002000000020",
    "1": "7B002688268800000000000000000000",
    "2": "00000000000000000000000000000000",
    "3": "A0A1A2A3A4A578778800164F86ED1174",

    "4": "0000FE0E0000000000003A000000006F",
    "5": "0300000000000000000000000000C89B",
    "6": "0B194F2E00000000000000000A0100A1",
    "7": "07869C23FC6B7877880017FD0801A54F",

    "8": "00000000FFFFFFFF0000000009F609F6",
    "9": "3C000000C3FFFFFF3C00000009F609F6",
    "10": "00000000FFFFFFFF000000000AF50AF5",
    "11": "0403F8B9B9A508778F00147D99FE62C4"
  }
}

So far so good. The thing is that I got my hands on a new card from this company and, to my surprise, when I try to read it with the Proxmark3 it does not let me read sectors 1 and 2. This company has changed the passwords of sectors 0,3,4,5,6,7,8,9,10,11,12,13,14,15 and has put default keys FFFFFFFFFFFFFFFFFFFF. On the first one, only the password A of sector 0 was known, which was A0A1A2A3A4A5.

If I use hf mf keycheck, it comes out empty; it does not find any key.
If I use hf mf fchk, I get all keys except for sectors 1 and 2.
If I use hf mf autopwn, it only gets the FFFFFFFFFFFFFFFFFFFFF and at the end it says: nested: 00000000 vs 00000000. error: no response from proxmark3.

If I use hf mf darkside, it says: running darkside… card is not vulnerable to darkside attack, doesn’t send NACK on authentication request.

Another change that I have seen, and had not noticed before, is that the header 0 of sector 0 has also changed, that is to say, the UID and the other numbers, which on the old cards, except for the UID, were all the same. With this new change they are not the same on each card.

[usb] pm3 → hf mf chk
[=] Start check for keys…
[=] …
[=] time in checkkeys 3 seconds

[=] testing to read key B…

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 001 | 007 | ------------ | 0 | ------------ | 0
[+] 002 | 011 | ------------ | 0 | ------------ | 0
[+] 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )

[usb] pm3 → hf mf autopwn
[!] no known key was supplied, key recovery might fail
[+] loaded 45 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 1.2s | found 28/32 keys (45)
[=] running strategy 2
[=] Chunk 1.2s | found 28/32 keys (45)
[+] target sector 0 key type A – found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector 0 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B – found valid key [ FFFFFFFFFFFF ]
[#] Nested: 00000000 vs 00000000

[!!] Error: No response from Proxmark3.

[usb] pm3 → hf mf darkside
[=] Expected execution time is about 25seconds on average
[=] Press pm3-button to abort

[=] Running darkside …[-] card is not vulnerable to Darkside attack (doesn’t send NACK on authentication requests)

[usb] pm3 → hf mf hardnested --tblk 4 --ta
[!] Key is wrong. Can’t authenticate to block: 0 key type: A
[usb] pm3 → hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta
[=] Target block no 4, target key type: A, known target key: 000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[=] Hardnested attack starting…
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX2 SIMD core               |                 |
[=]        0 |       0 | Brute force benchmark: 2630 million (2^31.3) keys/s     | 140737488355328 |   15h
[=]        5 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   15h
[#] AcquireEncryptedNonces finished
[!!] Error: Static encrypted nonce detected. Aborted.

[usb] pm3 → hf mf hardnested --blk 0 -a -k FFFFFFFFFFFF --tblk 4 --ta -f nonces.bin -w -s
[=] Target block no 4, target key type: A, known target key: 000000000000 (not set)
[=] File action: write, Slow: Yes, Tests: 0
[=] Hardnested attack starting…
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX2 SIMD core               |                 |
[=]        0 |       0 | Brute force benchmark: 2304 million (2^31.1) keys/s     | 140737488355328 |   17h
[=]        4 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   17h
[#] AcquireEncryptedNonces finished
[!!] Error: Static encrypted nonce detected. Aborted.

[usb] pm3 → script run hf_mf_keycheck.lua
[+] executing lua C:\Users\APOFIS\Downloads\ProxSpace\pm3\proxmark3\client\luascripts/hf_mf_keycheck.lua
[+] args ‘’
Found tag NXP MIFARE CLASSIC 1k | Plus 2k
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys
Testing block 0, keytype 0, with 84 keys

Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 84 keys
Testing block 60, keytype 1, with 78 keys

[+] hf_mf_keycheck - Checkkey execution time: 332 sec

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  ------------  | 0 |
|001|  ------------  | 0 |  ------------  | 0 |
|002|  ------------  | 0 |  ------------  | 0 |
|003|  ------------  | 0 |  ------------  | 0 |
|004|  ------------  | 0 |  ------------  | 0 |
|005|  ------------  | 0 |  ------------  | 0 |
|006|  ------------  | 0 |  ------------  | 0 |
|007|  ------------  | 0 |  ------------  | 0 |
|008|  ------------  | 0 |  ------------  | 0 |
|009|  ------------  | 0 |  ------------  | 0 |
|010|  ------------  | 0 |  ------------  | 0 |
|011|  ------------  | 0 |  ------------  | 0 |
|012|  ------------  | 0 |  ------------  | 0 |
|013|  ------------  | 0 |  ------------  | 0 |
|014|  ------------  | 0 |  ------------  | 0 |
|015|  ------------  | 0 |  ------------  | 0 |
|---|----------------|---|----------------|---|
Do you wish to save the keys to dumpfile? [y/n] ?
[usb] pm3 → hf mf nested --1k --blk 0 -a -k FFFFFFFFFFFF
[+] Testing known keys. Sector count 16
[=] Chunk 1.3s | found 28/32 keys (46)
[+] Time to check 45 known keys: 1 seconds

[+] enter nested key recovery
[#] Nested: 00000000 vs 00000000
[!!] Command execute timeout


[usb] pm3 --> hf mf nested --1k --blk 0 -a -k ffffffffffff --tblk 8 --ta
[-] Tag isn't vulnerable to Nested Attack (PRNG is not predictable).

The pm3 currently can’t deal with static encrypted nonces. You should try sniffing between the card and reader.

ok, thank you.

This is my first time sniffing a MIFARE Classic EV1. I put the card on the original Proxmark3, then I put the mobile phone on the card and ran the MIFARE Classic Tool program to read sectors 0 to 3. Sectors 0 and 3 have the default keys FFFFFFFFFFFFFFFFFF, and sectors 1 and 2 have encrypted keys. My question is whether what I sniffed is OK and whether it is good for anything. If it is OK, I would like to learn what I have to look at. Sectors 1 and 2 give "Static encrypted nonce detected".

[usb] pm3 → hf 14a sniff

[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 29725
[usb] pm3 → hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 29725 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 2368 | Tag |04 00 | |
38736 | 41104 | Tag |04 00 | |
51776 | 57600 | Tag |fb ca 48 b3 ca | |
76336 | 79856 | Tag |08 b6 dd | |
303952 | 306320 | Tag |04 00 | |
325056 | 328576 | Tag |08 b6 dd | |
605504 | 607872 | Tag |04 00 | |
626624 | 630144 | Tag |08 b6 dd | |
845168 | 847536 | Tag |04 00 | |
866272 | 869792 | Tag |08 b6 dd | |
982336 | 987008 | Tag |ed 28 8c c6 | |
1694876 | 1695868 | Rdr |52(7) | | WUPA
1697104 | 1699472 | Tag |04 00 | |
1718208 | 1721728 | Tag |08 b6 dd | |
1811404 | 1816172 | Rdr |50 00 57 cd | ok | HALT
1913840 | 1916208 | Tag |04 00 | |
1923228 | 1933692 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
1934944 | 1938464 | Tag |08 b6 dd | |
2020700 | 2025468 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
2027040 | 2031776 | Tag |57 77 d2 37 | |
2038492 | 2047868 | Rdr |c0! 3d a1 95! 77! 9f! b2! 57 | !! | DEC(61)
2117180 | 2121948 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
2215820 | 2220588 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
2315932 | 2320700 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
2416540 | 2421308 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
2512364 | 2517132 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
2615372 | 2620140 | Rdr |50 00 57 cd | ok | HALT
2715756 | 2716748 | Rdr |52(7) | | WUPA
2717984 | 2720352 | Tag |04 00 | |
2727388 | 2737852 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
2739088 | 2742608 | Tag |08 b6 dd | |
2824540 | 2829308 | Rdr |50 00 57 cd | ok | HALT
2931004 | 2931996 | Rdr |52(7) | | WUPA
2933232 | 2935600 | Tag |04 00 | |
2942636 | 2953100 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
2954336 | 2957856 | Tag |08 b6 dd | |
4762460 | 4767228 | Rdr |50 00 57 cd | ok | HALT
4845548 | 4846540 | Rdr |52(7) | | WUPA
4847776 | 4850144 | Tag |04 00 | |
4857180 | 4867644 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
4868880 | 4872400 | Tag |08 b6 dd | |
6642860 | 6647628 | Rdr |50 00 57 cd | ok | HALT
6724124 | 6725116 | Rdr |52(7) | | WUPA
6726352 | 6728720 | Tag |04 00 | |
6735756 | 6746220 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
6747456 | 6750976 | Tag |08 b6 dd | |
8507836 | 8512604 | Rdr |50 00 57 cd | ok | HALT
8592460 | 8593452 | Rdr |52(7) | | WUPA
8594688 | 8597056 | Tag |04 00

It does not vary, it is all the same, until this appears:

279664108 | 279674572 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
279675808 | 279679328 | Tag |08 b6 dd | |
281600256 | 281602624 | Tag |04 00 | |
282106992 | 282109360 | Tag |04 00 | |
289631424 | 289633792 | Tag |04 00 | |
289670112 | 289672480 | Tag |04 00 | |
289683120 | 289688944 | Tag |fb ca 48 b3 ca | |
297217180 | 297218236 | Rdr |26(7) | | REQA
297219408 | 297221776 | Tag |04 00 | |
297228812 | 297233580 | Rdr |50 00 57 cd | ok | HALT
297255916 | 297256908 | Rdr |52(7) | | WUPA
297258144 | 297260512 | Tag |04 00 | |
297267548 | 297270012 | Rdr |93 20 | | ANTICOLL
297271184 | 297277008 | Tag |fb ca 48 b3 ca | |
297284044 | 297294508 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
297295744 | 297299264 | Tag |08 b6 dd | |
297394700 | 297399468 | Rdr |50 00 57 cd | ok | HALT
297506748 | 297507740 | Rdr |52(7) | | WUPA
297508976 | 297511344 | Tag |04 00 | |
297518380 | 297528844 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
297530080 | 297533600 | Tag |08 b6 dd | |
297628236 | 297633004 | Rdr |50 00 57 cd | ok | HALT
297735916 | 297736908 | Rdr |52(7) | | WUPA
297738144 | 297740512 | Tag |04 00 | |
297747548 | 297758012 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
297759248 | 297762768 | Tag |08 b6 dd | |
297854636 | 297859404 | Rdr |50 00 57 cd | ok | HALT
297966124 | 297967116 | Rdr |52(7) | | WUPA
297968352 | 297970720 | Tag |04 00 | |
297977740 | 297988204 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
297989472 | 297992992 | Tag |08 b6 dd | |
298090092 | 298094860 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
298096416 | 298101088 | Tag |5b a6 34 be | |
298107868 | 298117180 | Rdr |80 1e! 72 cb! 34 36 ad c0 | !! | MAGIC AUTH (30)
298198556 | 298203324 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
298308108 | 298312876 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
298418956 | 298423724 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
298527644 | 298532412 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
298640748 | 298645516 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
298756812 | 298761580 | Rdr |50 00 57 cd | ok | HALT
298871276 | 298872268 | Rdr |52(7) | | WUPA
298873520 | 298875888 | Tag |04 00 | |
298882908 | 298893372 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
298894608 | 298898128 | Tag |08 b6 dd | |
298986332 | 298991100 | Rdr |50 00 57 cd | ok | HALT
299093804 | 299094796 | Rdr |52(7) | | WUPA
299096032 | 299098400 | Tag |04 00 | |
299105436 | 299115900 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
299117136 | 299120656 | Tag |08 b6 dd | |
299205660 | 299210428 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
299211984 | 299216720 | Tag |e9 91 21 cb | |
299223452 | 299232764 | Rdr |9d 01! d4! cb! d3! 85 08 b2 | !! |
299310396 | 299315164 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
299409228 | 299413996 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
299508300 | 299513068 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
299610028 | 299614796 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
299713836 | 299718604 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
299821772 | 299826540 | Rdr |50 00 57 cd | ok | HALT
299922396 | 299923388 | Rdr |52(7) | | WUPA
299924624 | 299926992 | Tag |04 00 | |
299934028 | 299944492 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
299945728 | 299949248 | Tag |08 b6 dd | |
300039388 | 300044156 | Rdr |50 00 57 cd | ok | HALT
300139084 | 300140076 | Rdr |52(7) | | WUPA
300141312 | 300143680 | Tag |04 00 | |
300150716 | 300161180 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
300162416 | 300165936 | Tag |08 b6 dd | |
300584716 | 300589484 | Rdr |50 00 57 cd | ok | HALT
300674044 | 300675036 | Rdr |52(7) | | WUPA
300676288 | 300678656 | Tag |04 00 | |
300685676 | 300696140 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
300697376 | 300700896 | Tag |08 b6 dd | |
302471564 | 302476332 | Rdr |50 00 57 cd | ok | HALT
302577404 | 302578396 | Rdr |52(7) | | WUPA
302579632 | 302582000 | Tag |04 00 | |

347209564 | 347220028 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
347221264 | 347224784 | Tag |08 b6 dd | |
347931836 | 347936540 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
347938160 | 347942832 | Tag |a7 67 87 69 | |
347949596 | 347958908 | Rdr |07! 50 9a! b4 ab 2f! 51! 67 | !! |
347960160 | 347964896 | Tag |02 15! 37 ae | |
348074060 | 348078828 | Rdr |bb aa ce 00 | !! |
348080016 | 348100816 | Tag |71! be! a1 4c c0 76 f8 4e 1f! 14 0b 74 64 b8! 81! 6c! 25 11 | !! |
348301164 | 348305932 | Rdr |a0! 1a 71 1f | !! | WRITEBLOCK(26)
348307104 | 348327968 | Tag |f3! 35! 49! d1 8a! bd! 41 d4 00! 47 f0! 4d! 3f 42 88! 43! 93 05 | !! |
348538156 | 348542860 | Rdr |a9! b9! 65! 9b | !! | WRITE SIG
348544112 | 348564912 | Tag |38! 1e fc! ab! 56 a0! d9! 2e 3c! eb d4! 0b 5b ef ad! e2! fa! 9f | !! |
348757276 | 348762044 | Rdr |e7 b5 8a 49 | !! |
348763216 | 348784080 | Tag |81 26 bf! 4e! d7 e2! b8! 90! c2 47! be 0d! d7! a2 a8 5a f4! 15 | !! |
349017148 | 349021852 | Rdr |b1 5a! a2 ab | !! |
349131612 | 349132604 | Rdr |52(7) | | WUPA
349133856 | 349136224 | Tag |04 00 | |
349143244 | 349153708 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
349154944 | 349158464 | Tag |08 b6 dd | |
350953740 | 350958508 | Rdr |50 00 57 cd | ok | HALT
351069820 | 351070812 | Rdr |52(7) | | WUPA
351072048 | 351074416 | Tag |04 00 | |

463673804 | 463684268 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
463685520 | 463689040 | Tag |08 b6 dd | |
464302252 | 464306956 | Rdr |60 0c 99 b1 | ok | AUTH-A(12)
464308592 | 464313264 | Tag |9b 19 02 cc | |
464320028 | 464329404 | Rdr |5a 72 aa e0 f1! 31! 5f 04 | !! |
464330576 | 464335248 | Tag |b0! b6! 64! 3c | |
464408140 | 464412908 | Rdr |e7 3c! eb! ea | !! |
464414080 | 464434944 | Tag |1e de! a5! 25 af! 87! 77 e4! 75 7f 67 cd! 3c! 2f! d4 38! 29 f3 | !! |
464533148 | 464537852 | Rdr |a8 98 77 0d | !! | MAGIC WRITEBLOCK(152)
464539104 | 464559904 | Tag |d1! 5b! 82! b3! 36 ba! 7a 05! bd cc! 63 12 74! 57 7f d1! cc! a3 | !! |
464652556 | 464657324 | Rdr |e5! ec ca 90 | !! |
464658496 | 464679360 | Tag |e3! 54! d2! f1! 94! 5c 3a c8! 38! f2 bd be! 45 e5! a2 13 e8 50 | !! |
464776732 | 464781500 | Rdr |66 dd! a4! e0 | !! |
464782672 | 464803536 | Tag |9b! 9a! 13 e7! 2d 36 0d! 6d a4 45! 91! e1! 8c! 01 a0 39! 83! f9 | !! |
464909356 | 464914060 | Rdr |8d! c3! b8 80 | !! |
464998220 | 464999212 | Rdr |52(7) | | WUPA
465000448 | 465002816 | Tag |04 00 | |

542544700 | 542555164 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
542556400 | 542559920 | Tag |08 b6 dd | |
543605724 | 543610492 | Rdr |60 08 bd f7 | ok | AUTH-A(8)
543612048 | 543616720 | Tag |b2 7d 85 a6 | |
543623500 | 543632876 | Rdr |42 f8 ab 8f! a1 5b! e7! 92 | !! |
543693404 | 543698172 | Rdr |50 00 57 cd | ok | HALT
543779644 | 543780636 | Rdr |52(7) | | WUPA
543781872 | 543784240 | Tag |04 00 | |

Sniffing phone traffic is annoying because the phone does so much bullshit between commands the app is trying to send.

Tucked away in there are some read commands and prob some auth commands…but to figure out what you’ve got you have to read the mifare data sheet and figure out what command means read and what command means authenticate and then start picking the data apart.
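
As an added illustration of the advice above (example code, not written by anyone in this thread and not part of the Proxmark3 project): a small Python parser for `hf 14a list` rows that recomputes the ISO 14443-3 CRC_A on reader frames and names the plaintext commands. The sample rows are copied from the trace posted earlier; the function names and the short opcode table (public datasheet values) are assumptions of this example.

```python
import re

SHORT_FRAMES = {0x26: "REQA", 0x52: "WUPA"}            # 7-bit frames, no CRC
COMMANDS = {0x30: "READ", 0x50: "HALT", 0x60: "AUTH-A",
            0x61: "AUTH-B", 0xA0: "WRITE"}              # opcode, block, CRC_A
ROW = re.compile(r"^\s*\d+\s*\|\s*\d+\s*\|\s*(Rdr|Tag)\s*\|([^|]*)")
SHORT = re.compile(r"([0-9a-fA-F]{2})\(7\)")

# Rows copied from the trace posted in this thread (no new capture data).
SAMPLE = """\
1694876 | 1695868 | Rdr |52(7) | | WUPA
297267548 | 297270012 | Rdr |93 20 | | ANTICOLL
1923228 | 1933692 | Rdr |93 70 fb ca 48 b3 ca 45 5f | ok | SELECT_UID
2020700 | 2025468 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
2027040 | 2031776 | Tag |57 77 d2 37 | |
2038492 | 2047868 | Rdr |c0! 3d a1 95! 77! 9f! b2! 57 | !! | DEC(61)
348301164 | 348305932 | Rdr |a0! 1a 71 1f | !! | WRITEBLOCK(26)
464533148 | 464537852 | Rdr |a8 98 77 0d | !! | MAGIC WRITEBLOCK(152)
1811404 | 1816172 | Rdr |50 00 57 cd | ok | HALT
"""


def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (initial value 0x6363), low byte first as sent on air."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_row(line: str):
    """Return (src, data, is_short_frame, parity_error) or None for non-rows."""
    m = ROW.match(line)
    if not m:
        return None
    src, field = m.group(1), m.group(2).strip()
    short = SHORT.fullmatch(field)
    if short:
        return src, bytes.fromhex(short.group(1)), True, False
    # '!' marks a byte whose parity bit was wrong; strip it to get the bytes.
    return src, bytes.fromhex(field.replace("!", "")), False, "!" in field


def label_reader_frame(data: bytes, is_short: bool, parity_err: bool) -> str:
    if is_short:
        return SHORT_FRAMES.get(data[0], "UNKNOWN SHORT FRAME")
    if data == b"\x93\x20":
        return "ANTICOLL"                       # anticollision carries no CRC
    crc_ok = len(data) >= 3 and crc_a(data[:-2]) == data[-2:]
    if parity_err or not crc_ok:
        # After a successful AUTH every frame, parity bits included, is
        # Crypto-1 ciphertext, so the first byte is not a real opcode.
        return "ENCRYPTED OR CORRUPT"
    if data[:2] == b"\x93\x70":
        return "SELECT_UID"
    name = COMMANDS.get(data[0])
    if name is None:
        return "PLAINTEXT, UNKNOWN OPCODE"
    return name if name == "HALT" else f"{name}(block {data[1]})"


def annotate(trace: str):
    """Label every reader frame in a block of `hf 14a list` rows."""
    out = []
    for line in trace.splitlines():
        row = parse_row(line)
        if row and row[0] == "Rdr":
            out.append((row[1].hex(" "), label_reader_frame(*row[1:])))
    return out


if __name__ == "__main__":
    for hexdata, label in annotate(SAMPLE):
        print(f"{hexdata:<28} {label}")
```

The three reader frames that fail the parity or CRC check come out as encrypted, which is why the client's `DEC(61)`, `WRITEBLOCK(26)` and `MAGIC WRITEBLOCK(152)` annotations on those rows are guesses made on ciphertext rather than real commands.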

If I understand you correctly, if I run the command hf 14a sniff, the proxmark starts sniffing. And now what command would I have to execute to do what you say?

I was trying with dictionary. :sweat_smile:

[usb] pm3 → hf mf chk -a --tblk 11 -f mis_keys.dic
[+] loaded 32811839 keys from dictionary file C:\Users\APOFIS\Downloads\ProxSpace\pm3\proxmark3\client\dictionaries/mis_keys.dic
[=] Start check for keys…
[=] …

They are keys that I have generated and that are not repeated, created with Python.

You need to use the pm3 to sniff traffic from the legitimate reader. Because that’s the reader that will have the keys you want.

ok, thank you. But that’s going to be hard to do. It’s a vending machine that is on the street, anyway thanks again to everyone.

With my keys generated with Python, after 4 days I got one of the passwords of sector 2.

I’ve been experimenting for a few days with sniffing a MIFARE Classic 1K and I think I got something, although I’m not very sure. But of course, if I’m right and they are valid data, what do I have to do with them now?

UID: 34 65 72 F0
NC: 84 1A B3 99
NR: 9E 71 98 F5
AR: F3 3F 3B 46
AT: 8A CB 8F 28

What command do I have to use in the Proxmark to get the key? Or do I have to use another program? I have seen that someone uses another one: you put the data into another application and it tells you the possible key, but I do not know.

There are a handful of key recovery commands in the pm3. Hf mf -h should list them.

ok, I’ll check them out

it doesn’t do anything or I don’t get the data right, I don’t know.

[usb] pm3 → hf mf decrypt

Decrypt Crypto-1 encrypted bytes given some known state of crypto. See tracelog to gather needed values

usage:
hf mf decrypt [-h] --nt --ar --at -d

options:
-h, --help This help
--nt tag nonce
--ar ar_enc, encrypted reader response
--at at_enc, encrypted tag response
-d, --data encrypted data, taken directly after at_enc and forward

examples/notes:
hf mf decrypt --nt b830049b --ar 9248314a --at 9280e203 -d 41e586f9
→ 41e586f9 becomes 3003999a
→ which annotates 30 03 [99 9a] read block 3 [crc]

[usb] pm3 → -h --nt 841ab399 --ar 9e7198f5 --atf33f3b46 -d 8acb8f28
help Use <command> help for details of a command
prefs { Edit client/device preferences… }
-------- ----------------------- Technology -----------------------
analyse { Analyse utils… }
data { Plot window / data buffer manipulation… }
emv { EMV ISO-14443 / ISO-7816… }
hf { High frequency commands… }
hw { Hardware commands… }
lf { Low frequency commands… }
mem { Flash memory manipulation… }
nfc { NFC commands… }
piv { PIV commands… }
reveng { CRC calculations from RevEng software… }
smart { Smart card ISO-7816 commands… }
script { Scripting commands… }
trace { Trace manipulation… }
wiegand { Wiegand format manipulation… }
-------- ----------------------- General -----------------------
auto Automated detection process for unknown tags
clear Clear screen
hints Turn hints on / off
msleep Add a pause in milliseconds
rem Add a text line in log file
quit
exit Exit program

[usb] pm3 → --nt 841ab399 --ar 9e7198f5 --atf33f3b46 -d 8acb8f28
help Use <command> help for details of a command
prefs { Edit client/device preferences… }
-------- ----------------------- Technology -----------------------
analyse { Analyse utils… }
data { Plot window / data buffer manipulation… }
emv { EMV ISO-14443 / ISO-7816… }
hf { High frequency commands… }
hw { Hardware commands… }
lf { Low frequency commands… }
mem { Flash memory manipulation… }
nfc { NFC commands… }
piv { PIV commands… }
reveng { CRC calculations from RevEng software… }
smart { Smart card ISO-7816 commands… }
script { Scripting commands… }
trace { Trace manipulation… }
wiegand { Wiegand format manipulation… }
-------- ----------------------- General -----------------------
auto Automated detection process for unknown tags
clear Clear screen
hints Turn hints on / off
msleep Add a pause in milliseconds
rem Add a text line in log file
quit
exit Exit program

[usb] pm3

You usually don’t need to mess around with sniffs if you possess the card physically. Try some of the other key recovery options. There should be ones that automates most of the process.

After a good look I realized the error and I got this:

[usb] pm3 → hf mf decrypt --nt 841ab399 --ar f33f3b46 --at 8acb8f28 -d a83c61df
[=] nt… 841AB399
[=] ar enc… F33F3B46
[=] at enc… 8ACB8F28
[+] encrypted data… A8 3C 61 DF
[+] decrypted data… 61 08 65 EE

and with this what do I do now?

Decrypt isn’t the command you want. It’s a simple crypto1 data decryption tool, not key recovery.

but this card has a static encrypted nonce.

Well boy I don’t know which command to use, or I’ve been in front of the screen for so many hours that I don’t see it.

iceman advised me to sniff, I started to do it because I had never done it before and I had to look at what data to look at and now I don’t know what to do with it to get a key.