XEMON
April 25, 2024, 11:21pm
1
Hello y'all,
I've been having a more and more common “issue” with MF-1K on the PM3 easy.
I run the autopwn command to dump all the keys and load the dump onto a fresh card; when it works, it works great.
But I have been getting a lot of those lately:
[!!] Error: Static encrypted nonce detected. Aborted
This stops the process, so no file to dump onto a fresh card …
Is there any way around or through it?
For reference (I know it's gonna be asked):
MCU....... AT91SAM7S512 Rev A
Memory.... 512 KB ( 60% used )
Client.... Iceman/master/v4.16717-263-g9e8adce7a 2023-07-30 13:26:17
Bootrom... Iceman/master/v4.16717-263-g9e8adce7a 2023-07-30 13:25:13
OS........ Iceman/master/v4.16717-263-g9e8adce7a 2023-07-31 17:10:40
Target.... PM3 GENERIC
Any help would be appreciated.
Thanks,
X
I don’t think there’s an attack for that at the moment
I think you can still try to get the passwords by sniffing the reader though, if possible
What’s it being used for?
XEMON
April 25, 2024, 11:30pm
3
Damn … have to be the hard way
It's mostly hotel cards, but I see it pop up more and more on newer MF-1K installations …
Now let's learn how to sniff
What's the difference between hf sniff and hf 14a sniff?
1 Like
hf mf auto --1k -f mfc_default_keys
try that, let it run through the full dict see if it’s able to dig up any keys.
sniffing would be my goto for this.
the difference between hf sniff and hf 14a sniff is hf sniff looks for commands under any protocol on 13.56mhz whereas hf 14a sniff only looks for iso14a.
hf 14a sniff -r -c
sandwich proxmark between card and reader, tap the card/proxmark against the reader twice for prosperity to grab whatever transaction data you can & then press the button to end the sniff.
hf mf list
to view the trace in a mifare classic context with decoded keys from the auths.
you may not get all the keys on the card but by looking at the sniff you can see which (if any) keys are being sent telling you which keys and sectors are important to the reader.
3 Likes
XEMON
April 26, 2024, 4:37am
5
Equipter:
hf mf auto --1k -f mfc_default_keys
try that, let it run through the full dict see if it’s able to dig up any keys.
I get the same result as with autopwn:
[!!] Error: Static encrypted nonce detected. Aborted
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 001 | 007 | 2A2C13CC242A | D | FFFFFFFFFFFF | D
[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 003 | 015 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 004 | 019 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 005 | 023 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 006 | 027 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 007 | 031 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 008 | 035 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 009 | 039 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 010 | 043 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 011 | 047 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 012 | 051 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 013 | 055 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 014 | 059 | ------------ | 0 | FFFFFFFFFFFF | D
[+] 015 | 063 | ------------ | 0 | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
I did 3 sets of sniffing, and got about the same result each time.
I don't understand the majority of this. Some pattern emerges, but going blind is a bit … overwhelming …
It seems like 93 20 is asking for the UID and 93 70 followed by the UID “links” the reader to the card … is there a “code list” we can refer to?
[usb] pm3 --> hf 14a sniff -r -c
[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 2412
[usb] pm3 --> hf mf list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 2412 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52(7) | | WUPA
2244 | 4612 | Tag |04 00 | |
17648 | 20112 | Rdr |93 20 | | ANTICOLL
21300 | 27188 | Tag |dc 46 d2 fb b3 | |
42096 | 52624 | Rdr |93 70 dc 46 d2 fb b3 b1 29 | ok | SELECT_UID
53792 | 57280 | Rdr |f7! 49! 22 | !! |
71392 | 76096 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
77732 | 82404 | Tag |8e 66 c8 30 | | AUTH: nt
83808 | 93184 | Rdr |48! 71! 14 9e 58 0f 40 84! | | AUTH: nr ar (enc)
309312 | 310304 | Rdr |52(7) | | WUPA
311556 | 313924 | Tag |04 00 | |
326960 | 329424 | Rdr |93 20 | | ANTICOLL
330612 | 336500 | Tag |dc 46 d2 fb b3 | |
351520 | 362048 | Rdr |93 70 dc 46 d2 fb b3 b1 29 | ok | SELECT_UID
363236 | 366756 | Tag |08 b6 dd | ok |
381088 | 385856 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
387408 | 392048 | Rdr |64! a2! 5d! 6c! | |
393504 | 402880 | Rdr |42 99! 63 d9! f9 49 97 f9 | !! |
404068 | 408804 | Tag |df 7a! b4! f8 | !! |
422288 | 426992 | Rdr |b3 be! af d7 | !! |
428628 | 433364 | Tag |1d 1e 78! 43 | !! |
434720 | 444032 | Rdr |f1 00 8c cd 73! 74 12 0b | !! |
445264 | 449904 | Rdr |1f! 39 27 78 | !! |
456720 | 461488 | Rdr |f7 da ea 5c | !! |
462676 | 483540 | Tag |2c! a2 d2 4e! bd! e9! 42 6c! e7 e0 a9 23 c0! 79 fb 89 94 30 | !! |
502016 | 506720 | Rdr |d7 bd! a4! 6f | !! | PPS - CID=7
508356 | 513092 | Tag |7b! c9 47 4a | !! |
514432 | 523808 | Rdr |1e! 80 13! 28 9b! 4b! 64 41 | !! |
524996 | 529668 | Tag |f0! ef 57 b2 | !! |
536448 | 541152 | Rdr |e6! 3b 33 d5 | !! |
542404 | 563268 | Tag |b3! 71 13! 4a! f6! 9b 7c 69! f9 a1! d3 81 a4! cb! 35! bc 7f! 27 | !! |
578672 | 583376 | Rdr |29! 5c! 10 1f | !! |
584628 | 605492 | Tag |4a! 5d! 7a e8 d7 f5! af 4a! 28 2a! 74! c5 9c! 75! e8 30! f4 c9 | !! |
624480 | 629184 | Rdr |81 83 19! 09 | !! |
630820 | 635556 | Tag |41 d4! e7! 07 | !! |
636896 | 646272 | Rdr |8d 26 01 d1 9d 69! b5 25 | !! |
647460 | 652196 | Tag |e7 33! e5 85 | !! |
658896 | 663664 | Rdr |82! d4! f6 c7 | !! |
664868 | 685668 | Tag |02 0b a6 2e! 05! 5f! 23! 8c e9! 78 0e 14! c4! ac 76 73 be 01 | !! |
1881024 | 1885792 | Rdr |6e! b8! 37 41 | !! |
1887380 | 1892116 | Tag |90! 76 5a! 72 | !! |
1893456 | 1902832 | Rdr |ea 05 0d eb 84 26 c6 85 | !! |
1904004 | 1908740 | Tag |38 9f ed! 7b | !! |
1915456 | 1920224 | Rdr |da! e0 ee 7a | !! | PPS - CID=a
1921396 | 1942260 | Tag |15 fa f4 14! 9a 31! 6e 03 f2 41! 47! 4d! 07 4b 58! 82! e4! 85 | !! |
2260752 | 2265520 | Rdr |1d! 8f! e3 10 | !! |
2267092 | 2271828 | Tag |32! d3 a2 bf | !! |
2273168 | 2282544 | Rdr |33 e4 60! 8a! e7! 20! 2b! d0 | !! |
2283716 | 2288388 | Tag |54! 35! ab 68 | !! |
2295168 | 2299936 | Rdr |af! d9! 6a 5d | !! |
2301108 | 2321972 | Tag |87! 29! a0 c3 80! 2d! 08! b0 63 78! 78 35 7d! e9! 2f! de f8! 85 | !! |
2603600 | 2608368 | Rdr |5a fb 5b ba | !! |
2609940 | 2614676 | Tag |4b 80 03 ec | !! |
2616032 | 2625408 | Rdr |d8 bb! cf! 17 da! 49! 47 ab | !! |
2626580 | 2631316 | Tag |71! 63 4b! b8 | !! |
2638160 | 2642928 | Rdr |45! dd 6f! c0 | !! |
2644116 | 2664980 | Tag |6c! fd bb b7! 23! 0e 98! ba! f0 20 e7! fd! 6c! 6d! 4e de bc f4 | !! |
2680896 | 2685664 | Rdr |92! 15 bd 6b | !! |
2686836 | 2687476 | Tag |01(4) | |
2702384 | 2723216 | Rdr |24 da! 8c 3e 89 cd 4c 6b! 80 c9! db 1b 7d! 05 ad 31! b8! 3c | !! |
2761572 | 2762148 | Tag |0b(3) | |
2776352 | 2781056 | Rdr |2b cd! 50! 60 | !! |
2782692 | 2787428 | Tag |1d 1e 78! 43 | !! |
2788768 | 2798080 | Rdr |d8! 7a 07 f8! 96 4e! 99 1f | !! |
2799316 | 2803988 | Tag |d8 d3! df dd | !! |
2810768 | 2815536 | Rdr |4b! cc! ce! 87 | !! | VCSL
2816708 | 2837508 | Tag |4e! 69! 1e! 1d! 09 90 de! 79! 0e 57 cd! 77 63 d4 92! c4 82! 6c | !! |
2853504 | 2858208 | Rdr |2c ac! 33! d2 | !! |
2859444 | 2860020 | Tag |0d(3) | |
2874992 | 2895888 | Rdr |05 6d db 06 0c! 81 5c 98! a0 78 a0! 6e! ed 72 ac 18! f2 35 | !! |
2934180 | 2934756 | Tag |0b(3) | |
2945888 | 2950592 | Rdr |a8 a5! 57 70 | !! | MAGIC WRITEBLOCK(165)
2951828 | 2952404 | Tag |09(3) | |
2967376 | 2988208 | Rdr |5a b3! f8 13! e2! ad! 68! 9e 85! d8! c1! e3 c2! d8! ad 9f 3b! 58 | !! |
3026564 | 3027204 | Tag |06(4) | |
7424864 | 7425856 | Rdr |52(7) | | WUPA
7427108 | 7429476 | Tag |04 00 | |
11660256 | 11661248 | Rdr |52(7) | | WUPA
11662484 | 11664852 | Tag |04 00 | |
80036736 | 80037728 | Rdr |52(7) | | WUPA
80038964 | 80041332 | Tag |04 00 | |
80054384 | 80056848 | Rdr |93 20 | | ANTICOLL
80058036 | 80063924 | Tag |dc 46 d2 fb b3 | |
80078816 | 80089344 | Rdr |93 70 dc 46 d2 fb b3 b1 29 | ok | SELECT_UID
80090532 | 80094052 | Tag |08 b6 dd | ok |
80108112 | 80112816 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
80114452 | 80119124 | Tag |8e 66 c8 30 | | AUTH: nt
80346048 | 80347040 | Rdr |52(7) | | WUPA
80348292 | 80350660 | Tag |04 00 | |
80363696 | 80366160 | Rdr |93 20 | | ANTICOLL
80367348 | 80373236 | Tag |dc 46 d2 fb b3 | |
80388128 | 80398656 | Rdr |93 70 dc 46 d2 fb b3 b1 29 | ok | SELECT_UID
80399844 | 80403364 | Tag |08 b6 dd | ok |
80417168 | 80421936 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
80423508 | 80428244 | Tag |06 2e 37 b9 | | AUTH: nt
80429584 | 80438896 | Rdr |fb! 8b! b0 e0 e7 b1! bf! d1 | | AUTH: nr ar (enc)
80440148 | 80444884 | Tag |4b ac! 33! 5e | | AUTH: at (enc)
80458368 | 80463072 | Rdr |29! 53! 53! a4! | |
| | * | key 2A2C13CC242A prng WEAK | |
| | * |60 05 58 2C | ok | AUTH-A(5)
80464708 | 80469444 | Tag |1d 1e 78! 43 | | AUTH: nt (enc)
80470784 | 80480096 | Rdr |bf 99! 72! 33! 71 72 66 db | | AUTH: nr ar (enc)
80481348 | 80486020 | Tag |00! f0 f5! 03 | | AUTH: at (enc)
80492912 | 80497616 | Rdr |7b! 5a 25! 7f! | |
| | * | last used key 2A2C13CC242A| |
| | * |30 05 AF FF | ok | READBLOCK(5)
80498868 | 80519732 | Tag |6a! 0a! ab 61 17 36! 57! d6! 56 ee f6! 78! fa! 5b c9! d7 f1 3d | |
| | * |2C 00 0A 00 00 00 00 00 00 00 00 C1 00 00 00 18 DD B4 | ok |
80538720 | 80543424 | Rdr |b1 97! d9! a9 | |
| | * |60 01 7C 6A | ok | AUTH-A(1)
80545060 | 80549796 | Tag |90! 76 5a! 72! | | AUTH: nt (enc)
80551152 | 80560528 | Rdr |e3 3c! cb c4 e4 98! 2f f6! | | AUTH: nr ar (enc)
80561716 | 80566452 | Tag |4a 43 56! 2f | | AUTH: at (enc)
80573152 | 80577920 | Rdr |2a! 27 40 a8 | |
| | * | nested probable key: F2ADCF089ABA ks2:7a4dc97a ks3:6e596ef0 | |
| | * |30 01 8B B9 | ok | READBLOCK(1)
80579108 | 80599908 | Tag |12! 46 26 95 50 b4! 94! 20 6b b8 b7 b2! a1! 39 b1 a9! 75! 8d | |
| | * |54 C0 17 56 F8 19 64 0B 29 E8 B9 B9 AB 10 28 C1 4F 12 | ok |
80615888 | 80620656 | Rdr |4e 94! 1f! 02 | |
| | * |30 02 10 8B | ok | READBLOCK(2)
80621844 | 80642708 | Tag |e3 0a e0! 59! 24 6f 8c 11! 57! dc 55 fe! a2! b4 14 62 3e! d2! | |
| | * |8A 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 3B 5F | ok |
80661184 | 80665888 | Rdr |7f! 77! 4d 09 | |
| | * |60 05 58 2C | ok | AUTH-A(5)
80667504 | 80672208 | Rdr |e2! e1! 87 bc! | |
80673600 | 80682912 | Rdr |61 46 19! e6! bc! a6 aa! 6e | !! | AUTH-B(70)
80684164 | 80688900 | Tag |1e 53 a3 c8 | | AUTH: nt (enc)
80695600 | 80700368 | Rdr |e0 de c7 06! | | RATS - FSDI=d, CID=e
80701556 | 80722420 | Tag |0f cd 53 a2! 96! 6d! e0 f5! 07 d9! fc d7 51 31 ad 5b e8! ed | !! |
81836720 | 81841424 | Rdr |a9! c1! ac ea | !! | WRITE SIG
81843040 | 81847744 | Rdr |6f 89! a5 8d | !! |
81849136 | 81858448 | Rdr |f8 72 24 e4! 7a! 50 b1 19 | !! |
81859700 | 81864372 | Tag |d9 2d! b0! 26 | !! |
81871136 | 81875840 | Rdr |c7! 98 ea ff | !! |
81877092 | 81897956 | Tag |66 1b! 65 39! 00! fe! fa! 97! 86! 4e ac! 7f! 86 b5 7f 9f! 8a! 84 | !! |
82216560 | 82221328 | Rdr |ff! 23 5c! 56 | !! |
82222900 | 82227572 | Tag |1b! 7c! 37 7b | !! |
82228976 | 82238288 | Rdr |47! 61! 15 b9 07 4a 7d! 5f | !! |
82239540 | 82244276 | Tag |16! e0! f7 84 | !! |
82250976 | 82255680 | Rdr |d5 df! f8! 11 | !! | PPS - CID=5
82256932 | 82277796 | Tag |b0 25! 68 34 b1 99 f1! ca! 53 d4! 42! 26 f0! 1d! 42 cc 58 8c | !! |
82558640 | 82563408 | Rdr |56 c2 f2 75 | !! |
82564976 | 82569616 | Rdr |22 a3! b8 66 | !! |
82571072 | 82580448 | Rdr |52! 09! 4e! 73 5a! 7d 6e 6a | !! | WUPA
82581616 | 82586320 | Rdr |97! 92 43 5f | !! | SELECT_XXX-3
82593072 | 82597840 | Rdr |a1! 8c! e4! 9f | !! |
82599028 | 82619828 | Tag |7b dc 2b 2c! 52! 98! 1e! 15! 9c! 3b! 32! ba! 2a 7d 4c! 34! db! f5 | !! |
82635808 | 82640576 | Rdr |93 3c 07 a7 | !! | SELECT_XXX
82641764 | 82642340 | Tag |08(3) | |
82657296 | 82678128 | Rdr |04 5f! 15! 25 f8! 7a 10 0b 6c 00 2e! c5 38 a3 a2! 52! 53! 27 | !! |
82716480 | 82717088 | Rdr |08(4) | |
82731136 | 82735904 | Rdr |16 ba! 48 59 | !! |
82737456 | 82742160 | Rdr |3e! ef df! 5f | !! | CHK TEARING(239)
82743552 | 82752864 | Rdr |23 62! 87 50! 25! 68! 6e! 96 | !! |
82754116 | 82758852 | Tag |e1! f8! 49! 85 | !! |
82765680 | 82770448 | Rdr |75! 37! c7 ae | !! |
82771636 | 82792436 | Tag |fd! a1 5d c1! ea a1! 2e! 99 8a! bc! bc 92 a4! 34! 5a! 39 69! df | !! |
82808288 | 82812992 | Rdr |c0! 32 bd! 48 | !! | DEC(50)
82814244 | 82814884 | Tag |01(4) | |
82829776 | 82850608 | Rdr |b9! 22! 2e! 84 54 25 6f 2c! 2e! ef! 8a 0c! 92! 9a 44 c6 bb 2c | !! |
82888980 | 82889556 | Tag |0a(3) | |
82900672 | 82905376 | Rdr |e3 89 e1! b6 | !! |
82906628 | 82907204 | Tag |0f(3) | |
82922160 | 82942992 | Rdr |e2 0c 37 5e! 54 fb! 4c 95! 77 96! 2b! a0! 80! 6a 8c d9 fc! 3b | !! |
82981344 | 82981952 | Rdr |09(4) | |
87267760 | 87268752 | Rdr |52(7) | | WUPA
87270004 | 87272372 | Tag |04 00 | |
91344656 | 91345648 | Rdr |52(7) | | WUPA
91346900 | 91349268 | Tag |04 00 | |
95437748 | 95440116 | Tag |04 00 | |
Ok, how do I interpret the sniff/list?
Where do i go from here?
1 Like
your crc on those sniffs ain’t great, i’d try for another, but first give this a go
hf mf autopwn --1k -k F2ADCF089ABA
once you’ve got that dumped
hf mf eload -f dumpfilename
hf mf sim
tap the proxmark to the reader instead of the card, end the sim and do hf mf list again. the crc should be better as you’re not mitming.
curious to see if that extra key brings in just sector 1 or more
2 Likes
XEMON
April 26, 2024, 5:00am
7
First of all, thank you for the help, you are awesome!
Follow-up dumb question: how do you know to use key F2ADCF089ABA?
I got all the keys
[usb] pm3 --> hf mf autopwn --1k -k F2ADCF089ABA
[=] target sector 0 key type A -- using valid key [ F2ADCF089ABA ] (used for nested / hardnested attack)
[+] target sector 3 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 4 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 5 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 6 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 7 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 8 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 9 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 10 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 11 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 12 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 13 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 14 key type A -- found valid key [ F2ADCF089ABA ]
[+] target sector 15 key type A -- found valid key [ F2ADCF089ABA ]
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] ..
[=] Chunk 4.4s | found 18/32 keys (56)
[=] running strategy 2
[=] ..
[=] Chunk 4.4s | found 18/32 keys (56)
[+] target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type A -- found valid key [ 2A2C13CC242A ]
[+] target sector 1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 001 | 007 | 2A2C13CC242A | D | FFFFFFFFFFFF | D
[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 003 | 015 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 004 | 019 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 005 | 023 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 006 | 027 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 007 | 031 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 008 | 035 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 009 | 039 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 010 | 043 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 011 | 047 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 012 | 051 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 013 | 055 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 014 | 059 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] 015 | 063 | F2ADCF089ABA | U | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[+] Generating binary key file
Equipter:
once you’ve got that dumped
hf mf eload -f dumpfilename
hf mf sim
tap the proxmark to the reader instead of the card, end the sim and do hf mf list again. the crc should be better as you’re not mitming.
Well, that's the first time I use the proxmark to simulate a card … I knew it was possible, but never done it myself
It opened the door, so we're heading in the right direction for sure.
Here is the list:
[usb] pm3 --> hf mf list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 1286 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52(7) | | WUPA
2100 | 4468 | Tag |04 00 | |
17678 | 20142 | Rdr |93 20 | | ANTICOLL
21186 | 27074 | Tag |dc 46 d2 fb b3 | |
42092 | 52620 | Rdr |93 70 dc 46 d2 fb b3 b1 29 | ok | SELECT_UID
53664 | 57184 | Tag |08 b6 dd | ok |
71368 | 76072 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
81020 | 85692 | Tag |3e 0c d7 96 | | AUTH: nt
87248 | 96624 | Rdr |d1 aa 58! aa! 1d 6a fa 5a! | | AUTH: nr ar (enc)
309318 | 310310 | Rdr |52(7) | | WUPA
311418 | 313786 | Tag |04 00 | |
327090 | 329554 | Rdr |93 20 | | ANTICOLL
330598 | 336486 | Tag |dc 46 d2 fb b3 | |
351504 | 362032 | Rdr |93 70 dc 46 d2 fb b3 b1 29 | ok | SELECT_UID
363076 | 366596 | Tag |08 b6 dd | ok |
380572 | 385340 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
390032 | 394768 | Tag |16 6b e9 57 | | AUTH: nt
396266 | 405642 | Rdr |91! a4! f6! a4 48! 38 08 ce | | AUTH: nr ar (enc)
414494 | 419166 | Tag |55 c4! c8! aa | | AUTH: at (enc)
432932 | 437636 | Rdr |94! 39 ea! ad! | |
| | * | key 2A2C13CC242A prng WEAK | |
| | * |60 05 58 2C | ok | AUTH-A(5)
444632 | 449304 | Tag |b7 e8! 25 73! | | AUTH: nt (enc)
450850 | 460162 | Rdr |00 c6! c0! 3c 65! e6! 7b 23! | | AUTH: nr ar (enc)
469078 | 473814 | Tag |20 27 94! 98 | | AUTH: at (enc)
480668 | 485372 | Rdr |4b! b6! 7f 3c | |
| | * | last used key 2A2C13CC242A| |
| | * |30 05 AF FF | ok | READBLOCK(5)
501264 | 522128 | Tag |57 41 ed! b2 b8 ec! e8 b2! f1! 74! e9! d9! 5b! 5c d8! 51 ca! 83 | |
| | * |2D 00 0B 00 00 00 00 00 00 00 00 C1 00 00 00 18 27 44 | ok |
540872 | 545640 | Rdr |21! 28 bf! 93! | |
| | * |60 01 7C 6A | ok | AUTH-A(1)
552444 | 557116 | Tag |93! 5f! 29 09 | | AUTH: nt (enc)
558662 | 567974 | Rdr |ea ed! 21! d0! fb! 83 52! b9! | | AUTH: nr ar (enc)
576890 | 581562 | Tag |08! 5e 7b! 49! | | AUTH: at (enc)
588480 | 593248 | Rdr |18 5d! a4! e3 | |
Nested authentication detected.
tools/mf_nonce_brute/mf_nonce_brute dc46d2fb 935f2909 1100 eaed21d0 fb8352b9 1011 85e7b49 1011 185DA4E3
608948 | 629748 | Tag |88! 10 3a 60 7a! f0 7d c2! 38 24 db 5e! bc 7c ce b0 73! a1! | |
645532 | 650236 | Rdr |a2! 0a 73 cb! | |
666128 | 686992 | Tag |0a 19! 62 98 8e! 7a! 98! 10! 5e 23 21! 0f! b3! 1c 4d 0e ec! c0! | |
705608 | 710312 | Rdr |7d! fe! 68! 3f | |
717308 | 721980 | Tag |b7 e8! 25 73! | |
723556 | 732868 | Rdr |50! 24 6b 41 9e b8! 8c ea! | |
741720 | 746392 | Tag |94! 18! 9b ad! | |
753536 | 758304 | Rdr |40 9e! 09 bd! | |
774068 | 794868 | Tag |de 4c! 6f 65! c9 1a a7 cb! 7c! a6! af! 92 5e! 6c ec! d8 d5 e9! | |
2134014 | 2135006 | Rdr |52(7) | | WUPA
2136114 | 2138482 | Tag |04 00 | |
2151642 | 2154106 | Rdr |93 20 | | ANTICOLL
2155150 | 2161038 | Tag |dc 46 d2 fb b3 | |
2176216 | 2186744 | Rdr |93 70 dc 46 d2 fb b3 b1 29 | ok | SELECT_UID
2187788 | 2191308 | Tag |08 b6 dd | ok |
2205092 | 2209860 | Rdr |60 02 e7 58 | ok | AUTH-A(2)
2214616 | 2219288 | Tag |87 3e 02 e7 | | AUTH: nt
2220834 | 2230146 | Rdr |3d 17 d7 2c! 89! 4f 3b! 3c | | AUTH: nr ar (enc)
2239062 | 2243798 | Tag |69! b5 89 b1! | | AUTH: at (enc)
2250908 | 2255676 | Rdr |82 38! 39 36! | |
| | * | key F2ADCF089ABA prng WEAK | |
| | * |30 02 10 8B | ok | READBLOCK(2)
2271376 | 2292176 | Tag |b3! dd 3e 04 96! 6a 6a! 75! d8 c0! c5 e8! 31! 56 8c! 92 0e! 80! | |
| | * |8A 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 3B 5F | ok |
2614948 | 2619716 | Rdr |b2! 19 64! 4d! | |
| | * |60 10 74 6B | ok | AUTH-A(16)
2626520 | 2631256 | Tag |02! e6! db 30! | | AUTH: nt (enc)
2632738 | 2642114 | Rdr |b5 db a4 4b c9 e7! 4d! e9 | | AUTH: nr ar (enc)
2650838 | 2655510 | Tag |9c 06 0e 5f | | AUTH: at (enc)
2662654 | 2667422 | Rdr |59! dd! d3! 9f! | |
| | * | last used key F2ADCF089ABA| |
| | * |30 10 83 B8 | ok | READBLOCK(16)
2683186 | 2704050 | Tag |e9! bc b5! 35 be a5! bc! fe 49 b9! 15 f6 c5! c9! e8 90 d6 ec | |
| | * |AC 64 CB E8 60 13 00 36 AC 64 CC 31 20 13 00 40 23 A8 | ok |
2985414 | 2990118 | Rdr |9c! 7b! 10 c1! | |
| | * |60 16 42 0E | ok | AUTH-A(22)
2997114 | 3001850 | Tag |02! e6! db 30! | | AUTH: nt (enc)
3003300 | 3012612 | Rdr |fb 0c! da! 5b! 2b! 9a ec 31! | | AUTH: nr ar (enc)
3021528 | 3026264 | Tag |ef! b6 69 a8 | | AUTH: at (enc)
3033086 | 3037790 | Rdr |5c bc f9 78 | |
| | * | last used key F2ADCF089ABA| |
| | * |30 16 B5 DD | ok | READBLOCK(22)
3053746 | 3074610 | Tag |52 e9 63! c4! 15 39! 9a! 5b 32! d6 7f! 56 bc 4f! a4 65! 68! b6 | |
| | * |AC 64 CD 58 20 13 00 68 00 00 00 00 00 00 00 00 E9 D9 | ok |
3090282 | 3095050 | Rdr |88! cf! 70 93! | |
| | * |A0 16 E8 C4 | ok | WRITEBLOCK(22)
3098782 | 3099422 | Tag |02(4) | |
| | * |0A | |
3114694 | 3135526 | Rdr |81! 91 4b! 04 76 03 ed 0c! 20 a7! 7c! 21 76 bb f9 b8 bf! 0e! | |
| | * |AC 64 CD 58 20 13 00 68 AC 64 CD 74 20 13 00 84 AB 79 | ok | ?
3146746 | 3147322 | Tag |09(3) | |
| | * |0A | |
3161634 | 3166402 | Rdr |65! 6e a1! 0b | |
| | * |60 05 58 2C | ok | AUTH-A(5)
3173206 | 3177878 | Tag |2e! f5! 1c! 7c! | | AUTH: nt (enc)
3179392 | 3188704 | Rdr |03 3d! db 04! 29 24 2a 37! | | AUTH: nr ar (enc)
3197620 | 3202292 | Tag |a5 8c! c8! 70! | | AUTH: at (enc)
3209322 | 3214090 | Rdr |db! f4! b7 e1! | |
| | * | key 2A2C13CC242A| |
| | * |30 05 AF FF | ok | READBLOCK(5)
3229982 | 3250782 | Tag |92! 14! d6! a9 98 cf 48 2c! c6! 5f! d9! 1f cc! c9! d7 c8! c3! a7! | |
| | * |2D 00 0B 00 00 00 00 00 00 00 00 C1 00 00 00 18 27 44 | ok |
3266374 | 3271142 | Rdr |22 e7! c7! 85 | |
| | * |A0 05 F2 E6 | ok | WRITEBLOCK(5)
3274746 | 3275386 | Tag |06(4) | |
| | * |0A | |
3290658 | 3311490 | Rdr |f2 f3 ca! 31 55! 0d! 0c! b1 48 ec ab! e3! c1 ff! b3! 2c! ec f6 | |
| | * |30 00 0C 00 00 00 00 00 00 00 00 C1 00 00 00 02 45 DC | ok | READBLOCK(0)
3322710 | 3323350 | Tag |05(4) | |
| | * |0A | |
3334654 | 3339358 | Rdr |97 7f e5 ea! | |
| | * |A0 04 7B F7 | ok | WRITEBLOCK(4)
3343154 | 3343794 | Tag |05(4) | |
| | * |0A | |
3358920 | 3379752 | Rdr |9b! 30 f4! b0 2f bf! aa f8! ca 2e 4e! 96 c3 ce 41! f3 88! 0e! | |
| | * |30 00 0C 00 00 00 00 00 00 00 00 C1 00 00 00 02 45 DC | ok | READBLOCK(0)
3390972 | 3391548 | Tag |0b(3) | |
| | * |0A | |
7631742 | 7632734 | Rdr |52(7) | | WUPA
7633842 | 7636210 | Tag |04 00 | |
11649534 | 11650526 | Rdr |52(7) | | WUPA
11651634 | 11654002 | Tag |04 00 | |
Can we take that json and dump it to a card?
2 Likes
check your previous comment where you ran hf mf list, you can see the client has decoded that potential key from the trace!
awesome! you have a full dump now!
go try your original card against the door to make sure it works, if it does ignore what i say next about it potentially using a validated rolling code below.
you can dump this onto a magic tag to make a full clone of the original but by the looks of your second trace, the reader is sending write commands to update block content after it validates a read of the same block. this means the system could be using a rolling-code of sorts which would prevent you from being able to have two of the same credential in use at the same time.
it would be worth trying with a magic card in my opinion. worst case scenario you are only able to use one card. the system could read but not backend-validate the block content allowing you to use both so it’s worth trying.
do you know what you’re doing when it comes to magic cards? if not quick refresher
hf mf cload for gen1a
hf mf restore for gen2&3
hf mf gen3uid for setting gen3 uids
2 Likes
XEMON
April 26, 2024, 5:20am
9
| * | nested probable key: F2ADCF089ABA
Thanks for pointing it out
no rolling code here, the original card still works.
I dumped the json to a gen 1 and it works
I tried to dump it to ultimate gen 4, but that didn't work
It seems to like the write, but the card doesn't work … I'm not sure I have it set up correctly
[usb] pm3 --> hf mf gload -f [json file name]
[+] loaded from JSON file `[json file name]`
[=] Copying to magic gen4 GTU MIFARE Classic 1K
[=] Starting block: 0. Ending block: 63.
[=] ................................................................
[+] Card loaded 64 blocks from file
[=] Done!
Is that the A0 16 command?
1 Like
is this a battery powered reader? gen4s have a reputation for being a little bad with timings. this is most seen in battery powered readers.
Is that the A0 16 command
yup yup A0 is wrbl
glad you’ve got it loaded onto a magic and all is working! another win for the hackers! they can staticencrypted nonce all they want but we will still win
2 Likes
XEMON
April 26, 2024, 5:31am
11
No, it's one of those:
Ultimate Magic Card (Gen4) The Ultimate Magic Card is multi-purpose emulation card, supporting customisable card type, card configuration and functionality mode. It is essentially a completely configurable emulation platform in card format. This card...
You're the hacker/hero, I'm just the clerk here
Thanks for the lesson, I learned a lot today
Do we have a command list to be able to interpret the sniffs?
1 Like
XEMON:
No, it's one of those:
no i mean the reader you tap the card to to enter the room, is it hard wired to the wall or is it a hotel style door lock that uses batteries
the iso14443A spec has some info but i can’t think of a place with a full comprehensive list of the commands
2 Likes
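Added example, not part of the original posts and not Proxmark3 code: a small Python decoder for the plaintext and client-decrypted rows of hf mf list, covering the command bytes seen in this thread (52, 93 20, 93 70, 60, 30, A0) and reporting blocks that are read and then overwritten in the same trace, the pattern pointed out above as a possible rolling code. It labels a frame only when its CRC_A verifies, so still-encrypted rows stay unlabelled, and it treats the 18-byte frame after a WRITE as data even when it begins with 30. The sample rows are copied from the second trace with wrapped lines re-joined; all function names are this example's own.

```python
import re

# MIFARE Classic reader commands: a 4-byte frame of cmd, block number, CRC_A.
CMDS = {0x60: "AUTH-A", 0x61: "AUTH-B", 0x30: "READ", 0xA0: "WRITE",
        0xC0: "DEC", 0xC1: "INC", 0xC2: "RESTORE", 0xB0: "TRANSFER"}

# Rows copied from the second trace in this thread, wrapped lines re-joined.
SAMPLE = """\
0 | 992 | Rdr |52(7) | | WUPA
17678 | 20142 | Rdr |93 20 | | ANTICOLL
42092 | 52620 | Rdr |93 70 dc 46 d2 fb b3 b1 29 | ok | SELECT_UID
380572 | 385340 | Rdr |60 04 d1 3d | ok | AUTH-A(4)
3090282 | 3095050 | Rdr |88! cf! 70 93! | |
 | | * |60 05 58 2C | ok | AUTH-A(5)
 | | * |30 05 AF FF | ok | READBLOCK(5)
 | | * |2D 00 0B 00 00 00 00 00 00 00 00 C1 00 00 00 18 27 44 | ok |
 | | * |A0 05 F2 E6 | ok | WRITEBLOCK(5)
 | | * |0A | |
 | | * |30 00 0C 00 00 00 00 00 00 00 00 C1 00 00 00 02 45 DC | ok | READBLOCK(0)
 | | * |0A | |
""".splitlines()

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (initial value 0x6363), low byte first as transmitted."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def crc_ok(frame: bytes) -> bool:
    return len(frame) >= 3 and crc_a(frame[:-2]) == frame[-2:]

def parse_row(row: str):
    """Return (src, frame bytes, bit count of a short frame or None) for one trace row."""
    cols = [c.strip() for c in row.split("|")] + [""] * 4   # pad so short rows still index
    src, data = cols[2], cols[3]
    bits = re.search(r"\((\d)\)", data)
    frame = bytes(int(h, 16) for h in re.findall(r"\b[0-9A-Fa-f]{2}\b", data))
    return src, frame, int(bits.group(1)) if bits else None

def decode(rows):
    """Label each reader or decrypted (*) frame; unverifiable frames come back as OPAQUE."""
    events, pending = [], None        # pending: (op, block) waiting for its 16-byte payload
    for row in rows:
        src, f, bits = parse_row(row)
        if src not in ("Rdr", "*") or not f:
            continue                  # header, key notes and raw tag rows are skipped
        if bits == 7 and f[0] in (0x26, 0x52):
            events.append(("REQA" if f[0] == 0x26 else "WUPA", None, b""))
        elif len(f) == 2 and f[0] in (0x93, 0x95, 0x97) and f[1] == 0x20:
            events.append(("ANTICOLL", None, b""))
        elif len(f) == 9 and f[0] in (0x93, 0x95, 0x97) and f[1] == 0x70 and crc_ok(f):
            bcc_ok = f[2] ^ f[3] ^ f[4] ^ f[5] == f[6]     # BCC = XOR of the 4 UID bytes
            events.append(("SELECT" if bcc_ok else "SELECT (bad BCC)", None, f[2:6]))
        elif src == "*" and len(f) == 1:
            events.append(("ACK" if f[0] == 0x0A else "NAK", None, b""))
        elif len(f) == 18 and pending and crc_ok(f):
            # 16 data bytes + CRC_A: byte 0 is data even if it equals a command code.
            events.append((pending[0] + " data", pending[1], f[:16]))
            pending = None
        elif len(f) == 4 and f[0] in CMDS and crc_ok(f):
            op = CMDS[f[0]]
            events.append((op, f[1], b""))
            pending = (op, f[1]) if op in ("READ", "WRITE") else None
        else:
            events.append(("OPAQUE", None, f))             # still encrypted or damaged
    return events

def read_then_written(events):
    """Map block -> (data read, data written) for blocks overwritten after being read."""
    seen, hits = {}, {}
    for label, block, payload in events:
        if label == "READ data":
            seen[block] = payload
        elif label == "WRITE data" and block in seen:
            hits[block] = (seen[block], payload)
    return hits

if __name__ == "__main__":
    print(*decode(SAMPLE), read_then_written(decode(SAMPLE)), sep="\n")
```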
XEMON
April 26, 2024, 5:39am
13
This one is the battery operated style (from a hotel) setup as a tester for IT to play with … I just stole borrowed for a bit
1 Like