I am running several MIFARE commands to see if I can retrieve a key A/B on a Mifare Classic 1K.
1. Firmware on PM3
Prox/RFID mark3 RFID instrument
bootrom: master/v2.3 2016-09-19 20:28:38
os: master/v2.3 2016-09-19 20:28:38
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 183707 bytes (35%). Free: 340581 bytes (65%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
2. Antenna Tune
proxmark3> hw tune
Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)
......#db# DownloadFPGA(len: 42096)
.
# LF antenna: 0.00 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 8.29 V @ 13.56 MHz
# Your LF antenna is unusable.
3. Card/Tag details
proxmark3> hf search
UID : de e6 16 5b
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
4. Mifare Darkside Attack
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..
Card is not vulnerable to Darkside attack (its random number generator is not predictable).
5. List the traces, if any
proxmark3> hf list 14a
Recorded Activity (TraceLen = 720 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
   Start |      End | Src | Data (! denotes parity error)   | CRC  | Annotation |
---------|----------|-----|---------------------------------|------|------------|
       0 |      992 | Rdr | 52                              |      | WUPA
    2228 |     4596 | Tag | 04 00                           |      |
    7040 |     9504 | Rdr | 93 20                           |      | ANTICOLL
   10676 |    16564 | Tag | de e6 16 5b 75                  |      |
   18816 |    29344 | Rdr | 93 70 de e6 16 5b 75 3a f8      | ok   | SELECT_UID
   30516 |    34036 | Tag | 08 b6 dd                        |      |
 4187392 |  4192096 | Rdr | 60 00 f5 7b                     | ok   | AUTH-A(0)
 4196916 |  4201588 | Tag | d3 83 0c 82                     |      |
 4203648 |  4213024 | Rdr | 00! 00! 00! 00! 00! 00! 00! 00! | !crc | ?
 4348416 |  4349408 | Rdr | 52                              |      | WUPA
 4350644 |  4353012 | Tag | 04 00                           |      |
 4355456 |  4357920 | Rdr | 93 20                           |      | ANTICOLL
 4359092 |  4364980 | Tag | de e6 16 5b 75                  |      |
 4367232 |  4377760 | Rdr | 93 70 de e6 16 5b 75 3a f8      | ok   | SELECT_UID
 4378932 |  4382452 | Tag | 08 b6 dd                        |      |
 5235968 |  5240672 | Rdr | 60 00 f5 7b                     | ok   | AUTH-A(0)
 5245492 |  5250228 | Tag | 61 5e 8a 7c                     |      |
 5252224 |  5261536 | Rdr | 00! 00! 00! 00! 00! 00! 00! 00  | !crc | ?
 6854656 |  6855648 | Rdr | 52                              |      | WUPA
 6856884 |  6859252 | Tag | 04 00                           |      |
 6861696 |  6864160 | Rdr | 93 20                           |      | ANTICOLL
 6865332 |  6871220 | Tag | de e6 16 5b 75                  |      |
 6873472 |  6884000 | Rdr | 93 70 de e6 16 5b 75 3a f8      | ok   | SELECT_UID
 6885172 |  6888692 | Tag | 08 b6 dd                        |      |
 7333120 |  7337824 | Rdr | 60 00 f5 7b                     | ok   | AUTH-A(0)
 7342644 |  7347380 | Tag | 22 27 cf f2                     |      |
 7349248 |  7358560 | Rdr | 00! 00! 00! 00! 00! 00! 00! 00  | !crc | ?
 8951680 |  8952672 | Rdr | 52                              |      | WUPA
 8953908 |  8956276 | Tag | 04 00                           |      |
 8958720 |  8961184 | Rdr | 93 20                           |      | ANTICOLL
 8962356 |  8968244 | Tag | de e6 16 5b 75                  |      |
 8970496 |  8981024 | Rdr | 93 70 de e6 16 5b 75 3a f8      | ok   | SELECT_UID
 8982196 |  8985716 | Tag | 08 b6 dd                        |      |
 9430272 |  9434976 | Rdr | 60 00 f5 7b                     | ok   | AUTH-A(0)
 9439796 |  9444468 | Tag | 43 4d ee 03                     |      |
 9446400 |  9455712 | Rdr | 00! 00! 00! 00! 00! 00! 00! 00  | !crc | ?
11048832 | 11049824 | Rdr | 52                              |      | WUPA
11051060 | 11053428 | Tag | 04 00                           |      |
11055872 | 11058336 | Rdr | 93 20                           |      | ANTICOLL
11059508 | 11065396 | Tag | de e6 16 5b 75                  |      |
11067648 | 11078176 | Rdr | 93 70 de e6 16 5b 75 3a f8      | ok   | SELECT_UID
11079348 | 11082868 | Tag | 08 b6 dd                        |      |
11527424 | 11532128 | Rdr | 60 00 f5 7b                     | ok   | AUTH-A(0)
11536948 | 11541684 | Tag | 81 1e d3 94                     |      |
11543552 | 11552864 | Rdr | 00! 00! 00! 00! 00! 00! 00! 00  | !crc | ?
13145984 | 13146976 | Rdr | 52                              |      | WUPA
13148212 | 13150580 | Tag | 04 00                           |      |
13153024 | 13155488 | Rdr | 93 20                           |      | ANTICOLL
13156660 | 13162548 | Tag | de e6 16 5b 75                  |      |
13164800 | 13175328 | Rdr | 93 70 de e6 16 5b 75 3a f8      | ok   | SELECT_UID
13176500 | 13180020 | Tag | 08 b6 dd                        |      |
13624576 | 13629280 | Rdr | 60 00 f5 7b                     | ok   | AUTH-A(0)
13634100 | 13638772 | Tag | fc b3 5b 05                     |      |
13640704 | 13650016 | Rdr | 00! 00! 00! 00! 00! 00! 00! 00  | !crc | ?
From this I gather that the authentication phase is failing, since the card is expecting a key from the PM3 to authenticate.
Is there a way to retrieve the key?
In the meantime I am reading the Mifare protocol guide and the Mifare Classic EV1 1K datasheet.
Any help will be appreciated.
The MIFARE attack vectors are well documented.
Old cards, with vuln PRNG, use darkside & nested.
New cards, with fixed PRNG, if you have a known key, use hardnested.
How to get the one key needed for hardnested? Either sniff / sim x against reader / check for default keys (use dictionary).
You find it all here on the forum.
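The split the reply draws between weak-PRNG and fixed-PRNG cards can be read off the tag nonces in a trace like the one in the question, which is useful when deciding which cards in a deployment are the old generation. The following is an added example, not part of the thread and not Proxmark3 client code: it pulls each tag nonce out of the AUTH exchanges and tests it against the 16-bit LFSR recurrence used by `prng_successor` in the public crapto1 library. The function names are hypothetical, and the embedded rows are the AUTH-A lines from the post with the wrapped columns rejoined.

```python
import re

# AUTH exchanges from the trace in the question (wrapped rows rejoined).
TRACE = """\
 4187392 |  4192096 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
 4196916 |  4201588 | Tag | d3 83 0c 82 |    |
 5235968 |  5240672 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
 5245492 |  5250228 | Tag | 61 5e 8a 7c |    |
 7333120 |  7337824 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
 7342644 |  7347380 | Tag | 22 27 cf f2 |    |
 9430272 |  9434976 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
 9439796 |  9444468 | Tag | 43 4d ee 03 |    |
11527424 | 11532128 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
11536948 | 11541684 | Tag | 81 1e d3 94 |    |
13624576 | 13629280 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
13634100 | 13638772 | Tag | fc b3 5b 05 |    |
"""
ROW = re.compile(r"^\s*\d+\s*\|\s*\d+\s*\|\s*(Rdr|Tag)\s*\|\s*([0-9a-f! ]+?)\s*\|")

def tag_nonces(trace):
    """Return each nT: the clean 4-byte Tag reply right after a 60/61 AUTH."""
    nonces, after_auth = [], False
    for m in filter(None, map(ROW.match, trace.splitlines())):
        src, data = m.group(1), m.group(2).split()
        if src == "Rdr":
            after_auth = len(data) == 4 and data[0] in ("60", "61")
        elif after_auth and len(data) == 4 and "!" not in m.group(2):
            nonces.append(int("".join(data), 16))
            after_auth = False
    return nonces

def lfsr_extend(seed16):
    """32-bit nonce a weak-PRNG card would emit from a 16-bit LFSR state."""
    x = seed16 & 0xFFFF
    for i in range(16):
        bit = (x >> i ^ x >> (i + 2) ^ x >> (i + 3) ^ x >> (i + 5)) & 1
        x |= bit << (i + 16)
    return int.from_bytes(x.to_bytes(4, "little"), "big")  # wire byte order

def is_weak_prng_nonce(nt):
    """True if the last 16 bits are fully determined by the first 16."""
    state = int.from_bytes(nt.to_bytes(4, "big"), "little") & 0xFFFF
    return lfsr_extend(state) == nt

def classify(trace):
    nts = tag_nonces(trace)
    weak = sum(is_weak_prng_nonce(n) for n in nts)
    prng = "unknown" if not nts else "weak" if weak == len(nts) else "hardened"
    return {"nonces": len(nts), "weak": weak, "prng": prng}
```

None of the six nonces in the posted trace satisfies the recurrence, which agrees with the client's "random number generator is not predictable" message.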