xM1 - Mifare Classic clonning problems

Midoriya · June 18, 2020, 12:49pm

Hi, I’ve finally got my Proxmark3 and I was trying to clone my Mifare Classic EV1 MF1S50 card, but none of default keys are working:

sudo ./proxmark3 /dev/ttyACM0
./proxmark3: Symbol `rl_readline_state’ has different size in shared object, consider re-linking
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2016-11-09 00:59:56
#db# os: /-suspect 2016-11-14 03:06:26
#db# HF FPGA image built on 2015/03/09 at 08:41:42

#db# Modify by Willok(willok@163.com)

Prox/RFID mark3 RFID instrument

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 0 bytes ( 0%). Free: 524288 bytes (100%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf mf chk * ?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
–sector: 0, block: 3, key type:A, key count:13
–sector: 1, block: 7, key type:A, key count:13
–sector: 2, block: 11, key type:A, key count:13
–sector: 3, block: 15, key type:A, key count:13
–sector: 4, block: 19, key type:A, key count:13
–sector: 5, block: 23, key type:A, key count:13
–sector: 6, block: 27, key type:A, key count:13
–sector: 7, block: 31, key type:A, key count:13
–sector: 8, block: 35, key type:A, key count:13
–sector: 9, block: 39, key type:A, key count:13
–sector:10, block: 43, key type:A, key count:13
–sector:11, block: 47, key type:A, key count:13
–sector:12, block: 51, key type:A, key count:13
–sector:13, block: 55, key type:A, key count:13
–sector:14, block: 59, key type:A, key count:13
–sector:15, block: 63, key type:A, key count:13
–sector: 0, block: 3, key type:B, key count:13
–sector: 1, block: 7, key type:B, key count:13
–sector: 2, block: 11, key type:B, key count:13
–sector: 3, block: 15, key type:B, key count:13
–sector: 4, block: 19, key type:B, key count:13
–sector: 5, block: 23, key type:B, key count:13
–sector: 6, block: 27, key type:B, key count:13
–sector: 7, block: 31, key type:B, key count:13
–sector: 8, block: 35, key type:B, key count:13
–sector: 9, block: 39, key type:B, key count:13
–sector:10, block: 43, key type:B, key count:13
–sector:11, block: 47, key type:B, key count:13
–sector:12, block: 51, key type:B, key count:13
–sector:13, block: 55, key type:B, key count:13
–sector:14, block: 59, key type:B, key count:13
–sector:15, block: 63, key type:B, key count:13

proxmark3>

and I am getting this error while trying to use bigger txt file with keys:

Cannot allocate memory for defKeys
double free or corruption (out)
Aborted

This is scan of the card using NXP TagInfo app:
ED-C7-9A-15_2020-06-18 14-33-32_taginfo_scan.txt (6.2 KB)

I’d be glad for any help, it’s my public transport card and it would awesome if I managed to copy it to my xM1.

NiamhAstra · June 18, 2020, 5:12pm

I’m a meeting so can’t go into details

hf mf csetuid <new id>

Should be all you need to set the ID for the M1.

Pilgrimsmaster · June 18, 2020, 6:04pm

if you don’t have any luck with @NiamhAstra suggestion you could also try following this guide from the start, and let us know, if / where you have any problems. (personally I would also do a hw tune just before it says “the cloning process” in the guide)

NiamhAstra · June 18, 2020, 6:07pm

Back again briefly
This looks less than ideal.
If it is working for you and you are not tech savy all good.
If you are comfortable, I recommend recompiling and re-flashing your PM3
This version of the firmware GitHub - RfidResearchGroup/proxmark3: Iceman Fork - Proxmark3 is also recomended.

fraggersparks · June 19, 2020, 6:37am

Agreed. It’s a very old version of the OS and bootrom.

Reflash the PM3. It’s necessary.

Midoriya · June 22, 2020, 8:59pm

Yeah, I gotta do it. No idea how, but I’ll find out.
I have already set the ID, but I don’t think it will be enought.
@Pilgrimsmaster I’ve been doing same thing, the problem is all those tutorials assume one of those standard keys will work, which isn’t true in my case.

fraggersparks · June 23, 2020, 12:10am

You’ll need to crack the keys in that case. There’s some commands and I can assist if needed. You’ll need to identify what version of donor card you have - ie what it’s vulnerable to. Some older cards will be vulnerable to the timing attack, new cards are vulnerable to hardnested - which is a kind of attack that needs captured communications from a reader.

Compgeek · June 23, 2020, 2:22am

I’ve found the easiest way is to run the AutoPwn script in the Iceman version. Will try default keys, then nested, then hardnested, then something else I think, then brute force.

The ETA starts off with something horrid, and as it finds a working vuln it jumps right down.

Very simple way to do it!

Midoriya · June 23, 2020, 12:44pm

Ok, so today I’ll try to update proxmark.
Will this AutoPwn work with this firmware that @NiamhAstra linked?
Or I should use Iceman’s firmware for pm3

sorry for noob questions it’s my first time using it

Compgeek · June 23, 2020, 12:50pm

The one @NiamhAstra linked above is what a lot of us call the Iceman Fork - it used to be posted on his github, but its now technically called the RFID Research Group fork - he’s the (lead dev? Project manager? Head Wizard in Charge?)

It’ll work just fine with that version

Midoriya · June 23, 2020, 5:48pm

Yeah, so… I am encauntering more and more problems… Just when I thought that I manadged to update everything:

pm3 ~/proxmark3$ pm3-flash-all
[=] Session log E:\Downloads\ProxSpace-64\ProxSpace-64\pm3/.proxmark3/logs/log_20200623.txt
[=] Loading preferences...
[+] loaded from JSON file E:\Downloads\ProxSpace-64\ProxSpace-64\pm3/.proxmark3/preferences.json
[+] About to use the following files:
[+]    E:\Downloads\ProxSpace-64\ProxSpace-64\msys2\usr\local\bin\../share/proxmark3/firmware/bootrom.elf
[+]    E:\Downloads\ProxSpace-64\ProxSpace-64\msys2\usr\local\bin\../share/proxmark3/firmware/fullimage.elf
[+] Waiting for Proxmark3 to appear on COM5
[|] 59 found
[=] Available memory on this board: 512K bytes

[=] Permitted flash range: 0x00100000-0x00180000
[+] Loading ELF file E:\Downloads\ProxSpace-64\ProxSpace-64\msys2\usr\local\bin\../share/proxmark3/firmware/bootrom.elf
[+] Loading usable ELF segments:
[+]    0: V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
[+]    1: V 0x00200000 P 0x00100200 (0x00000d50->0x00000d50) [R X] @0x298

[+] Loading ELF file E:\Downloads\ProxSpace-64\ProxSpace-64\msys2\usr\local\bin\../share/proxmark3/firmware/fullimage.elf
[+] Loading usable ELF segments:
[+]    0: V 0x00102000 P 0x00102000 (0x0003d530->0x0003d530) [R X] @0x94
[+]    1: V 0x00200000 P 0x0013f530 (0x00001970->0x00001970) [RW ] @0x3d5c4
[=] Note: Extending previous segment from 0x3d530 to 0x3eea0 bytes

[+] Flashing...
[+] Writing segments for file: E:\Downloads\ProxSpace-64\ProxSpace-64\msys2\usr\local\bin\../share/proxmark3/firmware/bootrom.elf
[+]  0x00100000..0x001001ff [0x200 / 1 blocks]
 OK
[+]  0x00100200..0x00100f4f [0xd50 / 7 blocks]
 OK

[+] Writing segments for file: E:\Downloads\ProxSpace-64\ProxSpace-64\msys2\usr\local\bin\../share/proxmark3/firmware/fullimage.elf
[+]  0x00102000..0x00140e9f [0x3eea0 / 504 blocks]
mm OK

[+] All done

Have a nice day!
pm3 ~/proxmark3$

But, now my pm3easy (guess I should mention it earlier, it’s pm3 EASY) is unrecognisable by Win10 (I’m using ProxSpace). It shows up as an unknown USB device with this error:

A request for the USB device descriptor failed.

However, when I plug it in with the flash button pressed it shows up normally on the COM ports.
I’ve read that, with pm3easy you should make Makefile.platform file with:

PLATFORM=PM3EASY

but I’ve got an error that it’s an invalid platform, so I’ve changed it to:

PLATFORM=PM3OTHER

I was following those guides:

github.com

RfidResearchGroup/proxmark3/blob/master/doc/md/Installation_Instructions/Windows-Installation-Instructions.md

<a id="top"></a>

# Windows Installation instructions


## Table of Contents
- [Windows Installation instructions](#windows-installation-instructions)
  - [Table of Contents](#table-of-contents)
  - [Installing dev-environment with ProxSpace](#installing-dev-environment-with-proxspace)
  - [Video Installation guide](#video-installation-guide)
  - [Driver Installation ( Windows 7 )](#driver-installation--windows-7-)
  - [Download ProxSpace repo](#download-proxspace-repo)
  - [Launch ProxSpace](#launch-proxspace)
  - [Clone the Iceman repository](#clone-the-iceman-repository)
  - [Compile and use the project](#compile-and-use-the-project)
  - [Done!](#done)
- [Installing pre-compiled binaries with ProxSpace](#installing-pre-compiled-binaries-with-proxspace)
- [Installing dev-environment with WSL 1](#installing-dev-environment-with-wsl-1)
    - [More about WSL 1](#more-about-wsl-1)
  - [X Server Installation](#x-server-installation)

This file has been truncated. show original

ProxSpace part ofc
and then:

github.com

RfidResearchGroup/proxmark3/blob/master/doc/md/Use_of_Proxmark/0_Compilation-Instructions.md

<a id="Top"></a>

# Compilation instructions

# Table of Contents
- [Compilation instructions](#compilation-instructions)
- [Table of Contents](#table-of-contents)
  - [Tuning compilation parameters](#tuning-compilation-parameters)
    - [Compile for Proxmark3 RDV4](#compile-for-proxmark3-rdv4)
    - [Compile for generic Proxmark3 platforms](#compile-for-generic-proxmark3-platforms)
  - [Get the latest commits](#get-the-latest-commits)
  - [Clean and compile everything](#clean-and-compile-everything)
    - [if there are different Python 3 packages installed](#if-there-are-different-python-3-packages-installed)
    - [if you got an error](#if-you-got-an-error)
  - [Install](#install)
  - [Flash the BOOTROM & FULLIMAGE](#flash-the-bootrom--fullimage)
    - [The button trick](#the-button-trick)
  - [flasher stops and warns you about firmware image](#flasher-stops-and-warns-you-about-firmware-image)
  - [Run the client](#run-the-client)
  - [Next steps](#next-steps)

This file has been truncated. show original

I just hope that it’s not bricked and I don’t need to buy Bus Pirate or anything to fix it ._.

amal · June 23, 2020, 5:53pm

i would wipe the rrg repo entirely from proxspace… then do another git clone… update the Makefile.platform to PLATFORM=PM3OTHER and do a total make clean && make all and then make install … then hold the flash button down, plug in, run ./pm3-flash-bootrom with the button held down the whole time… let it finish… release the button… let it sit for 30 seconds… then unplug USB… then plug it back in with the button held (again) and do the ./pm3-flash-fullimage … release… 30 seconds… unplug USB… plug back in… then wait a good 60 seconds and see if it comes back online.

I have an old rysc corp proxmark3 original board i just did this to and it had some hiccups but finally after following the above it worked.

amal · June 23, 2020, 5:54pm

oh, and when i say 30 seconds… i mean 30 seconds… it took close to 28 seconds after releasing the button for a virtual com port to appear after updating the bootrom… i dunno what it’s doing but i let it do its thing and everything is happy now.

Midoriya · June 23, 2020, 5:56pm

Ok I’ll try, at first I didn’t understand what did you mean with rrg repo whoops
Thanks for a quick answer

Pilgrimsmaster · June 23, 2020, 6:05pm

If none of that works above
you could always try the Konami Code below

B, A

I hope that helps

Midoriya · June 23, 2020, 6:15pm

I’ve wiped the repo.
Cloned it again.
Updated Makefile.platform.
make clean && make all
make install
flashed bootrom with button, after waiting for like 15s device appeared, but same as before it’s unrecognised with this error:

A request for the USB device descriptor failed.

Unplug and repeat with the full image.
Aaaand again with the same problem, it shows but isn’t working properly.

error code 43

P.S. Konami Code didn’t help, I’m in trouble, aren’t I?

Forgot to mention, diodes A, D and obviously Power are on. I don’t know what does it mean yet, but maybe it’ll be helpful.

Midoriya · June 23, 2020, 6:35pm

The strangest part is that when I plug it in with the button, it shows correctly on the COM port.

Midoriya · June 23, 2020, 6:42pm

GOOD INFO
I’ve got it working, after reinstalling drivers and reflashing again it just worked ¯\_(ツ)_/¯

Midoriya · June 23, 2020, 7:49pm

I hope i’ts my last question here.
I’ve managed to get all the keys, but one block from one sector (s4b2) is refusing to be read. I am getting this errors:

[!] access rights do not allow reading of sector  4 block   2
[!] command execute timeout when trying to read block  2 of sector  4.

Is it normal? Will it cause any problems with using the xM1? If yes, or maybe yes, it any way to read it and copy it?

amal · June 23, 2020, 11:27pm

How are you getting keys? Are you using autopwn? If not, you should consider using it… it will escalate the attack methods as necessary to get all keys.