Mifare Classic EV1 1k Attack With No Known Keys

Hello all,

I am trying to get the dump info of a G+D Mifare Classic EV1 1k for possible cloning purposes if a 7-byte UID magic injectable implant is ever made. Here are the card details:

[usb] pm3 --> hf search
[|] Searching for ISO14443-A tag...
[+]  UID: (7-byte UID)
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
[=]  IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 067DE177A402139DA35228ADFFCB9F4A0AE1AA166079830AEADEBEF8F492E7B1
[+]        Signature verification: successful
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

The first problem comes when I try autopwn:

[usb] pm3 --> hf mf autopwn
[!] iso14443a card select failed
[usb] pm3 --> hf mf autopwn
[!] no known key was supplied, key recovery might fail
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 0.5s | found 0/32 keys (23)
[=] running strategy 2
[=] ..
[=] Chunk 5.0s | found 0/32 keys (23)
[-] No usable key was found!

I believe the problem is that the card doesn’t use any default/common keys in any sectors. I confirmed this with hf mf chk:

[usb] pm3 --> hf mf chk
[=] No key specified, trying default keys
[ 0] ffffffffffff
[ 1] 000000000000
[ 2] a0a1a2a3a4a5
.........
[22] 96a301bce267
[=] Start check for keys...
[=] .................................
[=] time in checkkeys 9 seconds

[=] testing to read key B...

[+] found keys:

[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ------------   | 0 | ------------   | 0 |
[+] | 001 | ------------   | 0 | ------------   | 0 |
[+] | 002 | ------------   | 0 | ------------   | 0 |
[+] | 003 | ------------   | 0 | ------------   | 0 |
[+] | 004 | ------------   | 0 | ------------   | 0 |
[+] | 005 | ------------   | 0 | ------------   | 0 |
[+] | 006 | ------------   | 0 | ------------   | 0 |
[+] | 007 | ------------   | 0 | ------------   | 0 |
[+] | 008 | ------------   | 0 | ------------   | 0 |
[+] | 009 | ------------   | 0 | ------------   | 0 |
[+] | 010 | ------------   | 0 | ------------   | 0 |
[+] | 011 | ------------   | 0 | ------------   | 0 |
[+] | 012 | ------------   | 0 | ------------   | 0 |
[+] | 013 | ------------   | 0 | ------------   | 0 |
[+] | 014 | ------------   | 0 | ------------   | 0 |
[+] | 015 | ------------   | 0 | ------------   | 0 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success )

So no valid keys were found. Am I now stuck since I have no keys to work nested attacks off of? I assume it would be pointless, but is there a way to try and brute-force one of the keys to then start nested attacks off of? Any help would be appreciated, thanks.

hf mf sim -h

Run that to find the syntax (you’ll need UID, ATQA, SAK), put your values in with those, simulate and tap against the door while still connected to your computer. Terminate the sim with a tap to the Proxmark button, then run

hf mf list
In the decoded trace you should get at least one key from the sniff, which you can then use for nested.

2 Likes

hf mf sim --1k -u UID -i -x

Will collect nonces from the reader and automagically perform a mf32key attack to retrieve one key.

Then you can do a hardnested etc. using that key to determine any others and dump the entire card.

Since this is an EV1, run a chk --2k (double-check syntax) and you’ll be surprised to find some keys you can use to recover the rest.