Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2014-08-25 10:52:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

[Resolved] hf mf dump for 4k cards broken?

I tried the "hf mf dump" on a Mifare S70 4k card, and the dumpdata.bin is only 1024 bytes. Is there some known problem with the dump command? Or should I just fix it myself :)

Last edited by iceman (2015-03-20 14:51:48)

Offline

#2 2014-08-25 12:13:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

To answer my own question:
Well, nope, not broken, but "hf mf dump" only handles 1k S50 cards.

Offline

#3 2014-08-29 15:00:08

pusinato
Member
Registered: 2013-12-20
Posts: 7

Re: [Resolved] hf mf dump for 4k cards broken?

Did you manage the cloning?
Please share, I would like to learn how to.
Thanks

Offline

#4 2014-08-29 15:41:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

I guess you can just create a lot of "hf mf rdbl" commands in a text editor and paste them into the pm3 client...

Offline

#5 2014-08-29 23:20:00

johankosmos
Member
Registered: 2014-08-29
Posts: 7

Re: [Resolved] hf mf dump for 4k cards broken?

If you have questions, I know anything :P

If you'd like to dump a mifare 4k, you run this command:

hf mf chk *1 ? t

When it's done, type this command:

hf mf nested 4 0 A, then your key that was found with the first command.

Example: hf mf chk *1 ? t found a key 000000000000

Then you type hf mf nested 4 0 A 000000000000 d

d = save; without the dash, do not type -d!!! but d

After hf mf nested: 0 = mini, 1 = 1k, 2 = 2k, 3 = 3k, 4 = 4k

If you type hf mf nested 4 0 A 000000000000 t = transfer keys into emulator memory

If there are more people that have boot problems, contact me, because you can recover almost 90% of all proxmarks without jtag!!!!

A lot of guys can't load bootrom.elf, or os.elf, fpgaimage.elf etc. etc.; easy to fix :P
Greetings, Johankosmos :|

Offline

#6 2014-08-30 07:22:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

Sorry, but I disagree.
With the check and nested commands you get the keys for the mifare card.

If you want to dump the contents of the card, i.e. the data, then you need to either use the dump command or read commands.

Offline

#7 2014-08-31 09:33:13

johankosmos
Member
Registered: 2014-08-29
Posts: 7

Re: [Resolved] hf mf dump for 4k cards broken?

But the best thing you can do is crack the mifare 4k cards with mfoc; this goes a lot faster!

The only problem is that you can't crack and copy any 4k cards; new ones have a protection.

I use Linux backtrack for my mifare 4k cards, but 1k cards go faster with the Proxmark3.

Greetings, Johankosmos

Offline

#8 2014-09-01 20:04:26

carlijn
Contributor
Registered: 2014-09-01
Posts: 11

Re: [Resolved] hf mf dump for 4k cards broken?

The proxmark3 works fine, but there is one bug that has never been fixed!
The problem with the proxmark 3 = there is no option to back up
a mifare 4k card; I tried all the software, none is working.
If you run this command: hf mf nested 4 0 A 000000000000 d
the proxmark starts the nested command and when it is done
it makes no bin file!
With the mifare 1 and 2k cards it makes the bin file.
This issue is stored in every software from the proxmark3.
My command for the mifare 4k: hf mf chk *4 ? t (4 because 4k card!)
Then after 39 blocks A and B I write hf mf nested 4 0 A 000000000000 d and no bin file after dumping!
Then I try hf mf ekeyprn, which prints the result keys.
Then I make an emul dump file with hf mf esave; I get 1 2134c578c54.iml file, 9kb???
I loaded the file and got this result: 256 blocks loaded????
I see nothing and I can't make a bin file; who can help me, please?
Greetings, Carlijn

Offline

#9 2014-09-01 20:20:03

carlijn
Contributor
Registered: 2014-09-01
Posts: 11

Re: [Resolved] hf mf dump for 4k cards broken?

Here are some printscreens

Offline

#10 2014-09-01 21:02:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

You are right, the "hf mf nested" command has a little bug in the dump code section.
I fixed it.

Offline

#11 2014-09-01 21:10:30

carlijn
Contributor
Registered: 2014-09-01
Posts: 11

Re: [Resolved] hf mf dump for 4k cards broken?

It's because of the old .dll files; they're from 2005 2009, it's too old,
and the proxmark can never crack the new mifare cards.
I tried with mfoc and mfcuk, no results.
You can only crack the old cards, till 2012.
mfoc works better I think, but that is my opinion.
Thanks for helping.
Greetings, Carlijn.

Offline

#12 2014-09-01 21:17:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

dll files from 2005-2009?? Have you not tried to compile the source code since then??? No wonder you have problems.

Offline

#13 2014-09-05 09:13:50

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [Resolved] hf mf dump for 4k cards broken?

iceman wrote:

You are right, the "hf mf nested" command has a little bug in the dump code section.
I fixed it.

Initiated by this thread I had a closer look and found that most of the hf mf commands have broken 4K support. I started fixing.

To avoid double work: can you please share/push your fix for hf mf nested?

Offline

#14 2014-09-05 09:17:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

Well, I sent it to holiman.
I can send it to you too.
Give me a mail to rfid at iuse.se and I'll get back to you.

Offline

#15 2014-09-05 20:04:38

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: [Resolved] hf mf dump for 4k cards broken?

Sorry, haven't pushed it yet, I'll try to get it done during the weekend

Offline

#16 2014-09-05 20:23:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

No worries. Piwi got a copy of the corrections. 

I guess people never used it for 4K cards so the broken functionality was never sought after.

Offline

#17 2014-09-06 09:28:17

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [Resolved] hf mf dump for 4k cards broken?

Unfortunately iceman's fix only takes care of the different number of sectors in 4K cards (40 compared to 16 in 1K cards). Like all the other functions which claim to support 4K cards, this doesn't take into account that sectors >31 are different:

  • sector size is 16 blocks instead of 4

  • Access Conditions are valid per 5 blocks instead of per 1 block.

I already started fixing (hf mf rdsc already completed, hf mf dump nearly done) and will try to complete the rest during the next few days.

It is indeed astonishing that nobody brought this up until now. It seems that 1K cards are still the vast majority out there.

Offline

#18 2014-09-06 10:22:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

That's great, piwi!

I also think that the "hf mf nested" should test the same default keys as "hf mf chk" does. And there are more keys inside the mf_default_keys.lua. Should be the same everywhere, one might think.

But indeed astonishing... I suspect that this is not the only thing broken still..

Offline

#19 2014-09-07 10:35:00

carlijn
Contributor
Registered: 2014-09-01
Posts: 11

Re: [Resolved] hf mf dump for 4k cards broken?

I don't care anymore, I make my dumps with mfoc.
First I start my backtrack up.
Then mfoc -k 000000000000 -k b1b2b3b4b5b6 -T 4 -P 500 -O dumpkeys.bin (so that I have the dump key :) )
Then again with no keys: mfoc -T 4 -P 500 -O dumpdata.bin and I have the dumpkey and dumpdata.
Go up, start windows 7, start proxmark, copy the dumpkey and dumpdata in the same folder and burn it :P
It's a little bit confused but that works also, thanks anyway.
Greetings, Carlijn

Offline

#20 2014-09-07 12:47:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

Regarding MFOC (since I don't run it):

I'm curious how the output files look from your two commands. When I read the MFOC source code, it seems to me that it always dumps keys & data in the same file. And if I understand the PM3's "hf mf restore", it will need 2 files, one with the keys and one with the data. Just wondering.

Offline

#21 2014-09-07 14:52:29

carlijn
Contributor
Registered: 2014-09-01
Posts: 11

Re: [Resolved] hf mf dump for 4k cards broken?

find key A for sector 0 with the following command:

./mfcuk -C -R 0:A -v 2 -o bla.mfd

or found sector 15  : ./mfcuk -C -R 15 -v 2 -O bla.mfd

you can then supply these keys to mfoc to crack the entire set.

Cloning the Card

This card assumes that you have a destination card of the same type as the source.
This method is based on that described here.


First dump the keys from the destination card, so you can write to it.

I assume that the card is new, so the default keys will be easily found
 
mfoc -T 4 -P 500 -O dumpdata.bin

now the source keys

you can supply additional keys found with mfcuk using the -k option - see the man page

You'll need to repeat that step with your source card to get all the keys.

The results will look (SIMILAR)!! with a different data dump to that of above; it's obviously not included here for security reasons.

example : mfoc -k af91d7429a9d -k ba9a3887066f -k 160a91d29a9d -k b7bf0c13066f -T 4 -P 500 -O dumpkeys.bin.

Once complete, you can copy the card using the nfc-mfclassic program. You can also replace the b with an a to use the A keys instead.

Or use your proxmark 3, it's better.

nfc-mfclassic w b or w a and the mfd file; the .bin file you use with proxmark3.

If you have the correct card type, you can replace the w with a W to flash the UID too!

Offline

#22 2014-09-07 15:18:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

Interesting stuff, but not what I asked about.
I'm wondering about the output files from your commands:

1) mfoc -k 000000000000 -k b1b2b3b4b5b6 -T 4 -P 500 -O dumpkeys.bin
2) mfoc -T 4 -P 500 -O dumpdata.bin

Since you don't want to include them, then I suppose the filesize will do.  Or if you do a bindiff between them and confirm that they have different data inside.

Offline

#23 2014-09-07 16:16:10

johankosmos
Member
Registered: 2014-08-29
Posts: 7

Re: [Resolved] hf mf dump for 4k cards broken?

DUMP   MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
KEYS   MiFare Dump (MFD) that contains the keys (optional).
Data part of the dump is ignored.

So format of keys.mfd is same as dump.mfd
Once you get a valid dump.mfd you can use it as keyfile to read the card later.
It's a chicken & egg problem, the very first time you've to create yourself
an artificial binary dump to write in the key



About the problem reading back a formatted card:
mifare-classic-format
nfc-mfclassic r b foo
This fails because formatting the MFC means putting it back into default transport configuration
where only key A can read so you should use instead:
nfc-mfclassic r a foo.

Greetings, Johankosmos

Offline

#24 2014-09-07 19:53:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

I still don't get it. When I read the source code for MFOC, and the input option "-O filename", it only opens the file for writing. It never uses it for reading keys from.

Basically, that dump file created from MFOC can't be the same as the dumpkeys.bin format needed for PM3 "hf mf restore".
And you don't have to issue your commands twice, since the first run both finds the keys and dumps the data in MFOC.

But my original thought was how it was done, and now I understand it is not possible to use the dumps from MFOC straight up, but there has to be a dumpkeys.bin file created first.

It is not a "what comes first question". It's a question of understanding how to use the software.

In the long run, I see no reason for good interoperability between different NFC/PM3 software. It is better to have the freedom to use which tool/software needed to get the job done, and without the hassle of different file formats.
Like for instance creating a new lua-script, which takes a dumpdata.bin file and extracts the keys into a dumpkeys.bin file.

Offline

#25 2014-09-09 07:58:31

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: [Resolved] hf mf dump for 4k cards broken?

iceman wrote:

I also think that the "hf mf nested" should test the same default keys as "hf mf chk" does. And there are more keys inside the mf_default_keys.lua. Should be the same everywhere, one might think.

Yes, however, one cannot just add keys indefinitely - the lua-script will not send more keys to the device than fit in a USB packet, so it's ok to just dump keys in there. In the other cases, one has to be a bit careful not to copy-paste too much data into the packet.

iceman wrote:

But indeed astonishing... I suspect that this is not the only thing broken still..

My experience with pm3 is that I've had to fix bugs with almost every thing I've ever tested. There are probably quite a few bugs left...

Offline

#26 2014-09-09 09:14:35

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [Resolved] hf mf dump for 4k cards broken?

hf mf chk also takes care of the USB packet size and I would agree to align the LUA keys and the hf mf chk keys.

However, I don't agree to use the same (big) set of keys for hf mf nested. If hf mf nested works (on old cards with the poor PRNG), it will find the keys anyway. The precheck with a few well known keys is meant to speed up the process - adding too many keys would be counterproductive.

holiman wrote:

My experience with pm3 is that I've had to fix bugs with almost every thing I've ever tested. There are probably quite a few bugs left...

Unfortunately I have to second that. I even was wondering why we have a separate "unstable" branch on github - this would imply that the master branch is stable... ;)

Offline

#27 2014-09-09 10:11:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

I agree.
If there ever will be more default keys found and shared, then the 512 bytes usbcmd size limit will be a temporary setback until someone makes the reverse of the "getfrombigbuffer" function. Or who says you can't run the script two times with parts of the keyset...

I don't see it as much of a software issue, more of a time & interest issue from the community.

Offline

#28 2014-09-09 10:14:57

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: [Resolved] hf mf dump for 4k cards broken?

The script runs it as many times as needed. I'm not sure about hf mf chk, iirc, that one for some reason sends a few keys at a time.. but does not send as many as it potentially could. It's been a while since I looked at it. 

I like the way the script does it, it deduplicates keys. So it's ok to just paste in any keydump you can find on the internet into the file and not bother with dupes.

Offline

#29 2014-09-09 19:25:51

russ
Contributor
Registered: 2014-09-09
Posts: 11

Re: [Resolved] hf mf dump for 4k cards broken?

I was just in the middle of attempting to dump and analyze a 4K  Plus SL1 card.  And I found this thread when I noticed the dump seemed to be too small.

Where can I find the patches for the 4K issues?  Github seems to have the last commit as 11 days ago.

I could code some fixes myself if I know the idea behind the bug and changes needed?

(An aside, #proxmark on Freenode seems to be very unresponsive).

Offline

#30 2014-09-09 20:03:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

The "mfkeys.lua" script is really good. Thank you for making it. It is really just cut'n'paste into the file and no dupes.

The "hf mf nested" does a subset of default keys, hardcoded, and so does "hf mf chk". If there really was a need for making things smoother, then a cross-over lua script where all the default keys in lualibs were first checked and the output used as input to "hf mf nested", but in the end it is just a minor time and convenience matter what we have now. How much longer does it take to run the needed commands? One minute? Maybe two?

Regarding the 4K patches, it's in the hands of Piwi now, whenever he finds time to finish it.
His fixes will be more complete and better than my quick patch.

Offline

#31 2014-09-10 18:09:39

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [Resolved] hf mf dump for 4k cards broken?

Fixes/additions committed to master on github. Commit message:

fix/add support for 4K (and other non 1K) card sizes in hf mf commands
- hf mf rdsc (fix): didn't account for 16 block sectors, allowed max sector 63 instead of 39
- hf mf ecfill (add): added (optional) card size parameter and support for non 1K cards
- hf mf dump (add): added (optional) card size parameter and support for non 1K cards
- hf mf dump (fix): Access Condition 011 not handled correctly (tried to access with key A)
- hf mf restore (add): added (optional) card size parameter and support for non 1K cards
- hf mf nested (fix): didn't account for 16 block sectors, allowed max sector 63 instead of 39
- hf mf nested (fix): always dumped 16 keys to dumpkeys.bin instead of correct number
- hf mf chk (fix): always dumped 16 keys to dumpkeys.bin instead of correct number
- hf mf eget (fix): displayed three instead of one block
- hf mf eload (add): load 4K .eml files (but accepts 1K .eml files for backwards compatibility)
- hf mf esave (add): always save the whole emulator memory (4K) instead of 1K only
- hf mf ecfill (add): added (optional) card size parameter and support for non 1K cards

Please give it a try and test it. I am happy to fix remaining (or new) bugs.

BTW: I didn't add non-1K support to hf mf sim yet.

Offline
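The 4K layout rules piwi lists in post #17 (40 sectors, 16-block sectors above 31, access conditions per 5 blocks) and the "Access Condition 011" case named in the commit message, worked through in C as an added example; it is not code from the Proxmark3 repository. The function names, the two constructed trailers and the assumed key-file layout (one 6-byte key A and one 6-byte key B per sector) are illustrative assumptions; the data-block read rules follow the MIFARE Classic access-condition table.

```c
/* Added example: MIFARE Classic 4K layout arithmetic and access-bit decoding.
 * Function names are hypothetical; this is not Proxmark3 client code. */
#include <stdint.h>
#include <stdio.h>

#define MF4K_SECTORS       40  /* 32 small sectors followed by 8 large ones */
#define MF4K_SMALL_SECTORS 32
#define MF_BLOCK_SIZE      16  /* bytes per block */
#define MF_KEY_SIZE         6  /* bytes per key */

/* Constructed trailers (key bytes are placeholders): transport configuration
 * FF 07 80, and one whose data group 0 is set to C1C2C3 = 011 (EF 06 91). */
static const uint8_t TRAILER_TRANSPORT[16] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0xFF,0x07,0x80,0x69, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
static const uint8_t TRAILER_KEYB_ONLY[16] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0xEF,0x06,0x91,0x69, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};

/* Blocks per sector: 4 for sectors 0..31, 16 for sectors 32..39. */
int mf_blocks_in_sector(int sector) {
    return sector < MF4K_SMALL_SECTORS ? 4 : 16;
}

/* Absolute block number of a sector's first block. */
int mf_first_block(int sector) {
    if (sector < MF4K_SMALL_SECTORS) return sector * 4;
    return MF4K_SMALL_SECTORS * 4 + (sector - MF4K_SMALL_SECTORS) * 16;
}

/* The sector trailer (key A, access bits, key B) is the sector's last block. */
int mf_trailer_block(int sector) {
    return mf_first_block(sector) + mf_blocks_in_sector(sector) - 1;
}

/* Inverse mapping: sector that holds absolute block 0..255, or -1. */
int mf_sector_of_block(int block) {
    if (block < 0 || block > 255) return -1;
    if (block < MF4K_SMALL_SECTORS * 4) return block / 4;
    return MF4K_SMALL_SECTORS + (block - MF4K_SMALL_SECTORS * 4) / 16;
}

/* Access-condition group 0..3 that governs a block. Small sectors: one group
 * per block. Large sectors: groups 0..2 cover 5 data blocks each and group 3
 * is the trailer. */
int mf_access_group(int block) {
    int sector = mf_sector_of_block(block);
    if (sector < 0) return -1;
    int idx = block - mf_first_block(sector);
    return mf_blocks_in_sector(sector) == 4 ? idx : idx / 5;
}

/* Decode C1 C2 C3 for one group from trailer bytes 6..8.
 * Returns (C1<<2)|(C2<<1)|C3, or -1 if the inverted copies do not match. */
int mf_access_bits(const uint8_t trailer[16], int group) {
    if (group < 0 || group > 3) return -1;
    uint8_t b6 = trailer[6], b7 = trailer[7], b8 = trailer[8];
    uint8_t c1 = b7 >> 4, c2 = b8 & 0x0F, c3 = b8 >> 4;
    if ((b6 & 0x0F) != (~c1 & 0x0F) || (b6 >> 4) != (~c2 & 0x0F) ||
        (b7 & 0x0F) != (~c3 & 0x0F))
        return -1;
    return (((c1 >> group) & 1) << 2) | (((c2 >> group) & 1) << 1) |
           ((c3 >> group) & 1);
}

/* Key needed to READ a data block (not a trailer) under condition C1C2C3:
 * 'A' = key A or key B, 'B' = key B only, '-' = never readable. */
char mf_data_read_key(int c123) {
    switch (c123) {
        case 3: case 5: return 'B';   /* 011 and 101 */
        case 7:         return '-';   /* 111 */
        default:        return (c123 >= 0 && c123 < 8) ? 'A' : '?';
    }
}

/* Expected sizes of a complete 4K dump. The key-file size assumes one key A
 * and one key B of 6 bytes for each sector. */
long mf4k_data_dump_size(void) {
    return (long)(mf_trailer_block(MF4K_SECTORS - 1) + 1) * MF_BLOCK_SIZE;
}
long mf4k_key_dump_size(void) {
    return (long)MF4K_SECTORS * 2 * MF_KEY_SIZE;
}

int main(void) {
    const int show[] = {0, 31, 32, 39};
    for (int i = 0; i < 4; i++)
        printf("sector %2d: first block %3d, %2d blocks, trailer %3d\n", show[i],
               mf_first_block(show[i]), mf_blocks_in_sector(show[i]),
               mf_trailer_block(show[i]));
    /* Block 133 is data block 5 of sector 32, so group 1 governs it. */
    printf("block 133 -> sector %d, group %d\n",
           mf_sector_of_block(133), mf_access_group(133));
    printf("transport group 0 read key: %c\n",
           mf_data_read_key(mf_access_bits(TRAILER_TRANSPORT, 0)));
    printf("011 group 0 read key:       %c\n",
           mf_data_read_key(mf_access_bits(TRAILER_KEYB_ONLY, 0)));
    printf("data dump %ld bytes, key dump %ld bytes\n",
           mf4k_data_dump_size(), mf4k_key_dump_size());
    return 0;
}
```

A data dump that stops at 1024 bytes, as in the first post, covers only sectors 0 to 15 of this layout.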

#32 2014-09-10 19:57:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

Well done Piwi!

Offline

#33 2014-09-10 21:22:46

russ
Contributor
Registered: 2014-09-09
Posts: 11

Re: [Resolved] hf mf dump for 4k cards broken?

Thanks piwi, I will compile and test it out with my 4K cards.

Offline

#34 2014-09-10 22:28:48

russ
Contributor
Registered: 2014-09-09
Posts: 11

Re: [Resolved] hf mf dump for 4k cards broken?

piwi wrote:

Fixes/additions committed to master on github. Commit message:

...
- hf mf dump (add): added (optional) card size parameter and support for non 1K cards
- hf mf dump (fix): Access Condition 011 not handled correctly (tried to access with key A)
- hf mf chk (fix): always dumped 16 keys to dumpkeys.bin instead of correct number
...

Thanks for all the work Piwi, I tried a few different commands:

- mf chk command and it seems to work. But the dump to file feature is disabled it seems. There's a block of code that's commented out for doing it at the bottom of the function based on the createDumpFile variable. Looks like it's been like that for a while. (line 1192)

- mf nested does create a dumpkeys.bin file, for a 4K card mine looks like:

xxd dumpkeys.bin 

- hf mf dump 4   did not go so well.  Something seems to have glitched in the sector and block values.  An overflow somewhere?
Big paste!

 hf mf dump 4
|-----------------------------------------|          
|------ Reading sector access bits...-----|          
|-----------------------------------------|          
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
|-----------------------------------------|          
|----- Dumping all blocks to file... -----|          
|-----------------------------------------|          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector  0          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector  0          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector  0          
#db# READ BLOCK FINISHED                 
Dumped block 256 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 512 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 768 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 1024 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 1280 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 1536 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 1792 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector  2          
#db# READ BLOCK FINISHED                 
Dumped block 2048 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector  3          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector  3          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector  3          
#db# READ BLOCK FINISHED                 
Dumped block 2304 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector  4          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector  4          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector  4          
#db# READ BLOCK FINISHED                 
Dumped block 2560 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector  5          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector  5          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector  5          
#db# READ BLOCK FINISHED                 
Dumped block 2816 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector  6          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector  6          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector  6          
#db# READ BLOCK FINISHED                 
Dumped block 3072 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector  7          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector  7          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector  7          
#db# READ BLOCK FINISHED                 
Dumped block 3328 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector  8          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector  8          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector  8          
#db# READ BLOCK FINISHED                 
Dumped block 3584 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector  9          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector  9          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector  9          
#db# READ BLOCK FINISHED                 
Dumped block 3840 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector 10          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector 10          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector 10          
#db# READ BLOCK FINISHED                 
Dumped block 4096 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector 11          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector 11          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector 11          
#db# READ BLOCK FINISHED                 
Dumped block 4352 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector 12          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector 12          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector 12          
#db# READ BLOCK FINISHED                 
Dumped block 4608 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector 13          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector 13          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector 13          
#db# READ BLOCK FINISHED                 
Dumped block 4864 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector 14          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector 14          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector 14          
#db# READ BLOCK FINISHED                 
Dumped block 5120 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector 15          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector 15          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector 15          
#db# READ BLOCK FINISHED                 
Dumped block 5376 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector 16          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector 16          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector 16          
#db# READ BLOCK FINISHED                 
Dumped block 5632 of sector 1946768912 into 'dumpdata.bin'          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  0 of sector 17          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  1 of sector 17          
#db# Cmd Error: 04                 
#db# Read block error                 
#db# READ BLOCK FINISHED                 
Could not read block  2 of sector 17          
#db# READ BLOCK FINISHED                 
Dumped block 5888 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 6144 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 6400 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 6656 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 6912 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 7168 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 7424 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 7680 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 7936 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 8192 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 8448 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 8704 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 8960 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 9216 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 9472 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 9728 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 9984 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 10240 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 10496 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 10752 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 11008 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 11264 of sector 1946768912 into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped block 11520 of sector 1946768912 into 'dumpdata.bin'
...
keeps going, I ctrl-C cancelled it

Offline

#35 2014-09-10 22:45:53

russ
Contributor
Registered: 2014-09-09
Posts: 11

Re: [Resolved] hf mf dump for 4k cards broken?

Sorry Piwi,

It looks like the sectorNo and blockNo variables are missing from the print statement for successfully writing to the dump file.
On line 642 add the variables to the print statement.

Looks like it's only 3312 bytes, is that too small for a 4K card?
3312 10 Sep 16:43 dumpdata.bin

Oh, it looks like I had read failures on a bunch of blocks from sectors 2 - 17.  I'll have to look at that further.

Offline

#36 2014-09-11 06:29:42

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [Resolved] hf mf dump for 4k cards broken?

- mf chk command and it seems to work.  But the dump to file feature is disabled it seems.  There's a block of code that's commented out for doing it at the bottom of the function based on the createDumpFile variable.  Looks like it's been like that for a while. (line 1192)

Indeed. Mental note for me: Don't use cut & paste in commit messages.

- mf nested does create a dumpkeys.bin file, for a 4K card mine looks like:

This looks good. It contains 6 Bytes per Key * 2 Keys per Sector * 40 Sectors = 480 Bytes. If the keys have never been changed, this would indeed all be 0xFF.

- hf mf dump 4   did not go so well.  Something seems to have glitched in the sector and block values.  An overflow somewhere?

It looks like the sectorNo and blockNo variables are missing from the print statement for successfully writing to the dump file.
On line 642 add the variables to the print statement.

Yep! Well spotted.

Looks like it's only 3312 bytes, is that too small for a 4K card?
3312 10 Sep 16:43 dumpdata.bin
Oh, it looks like I had read failures on a bunch of blocks from sectors 2 - 17.  I'll have to look at that further.

Yes. For a 4K card it should be 4096.  You probably had read errors with 49 blocks (4096 - 49*16 = 3312). The error handling obviously needs improvement as well. IMHO it would be better to abort the dump command than to create useless dump files.

Thanks for testing. Next commit probably today.

Offline
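The size arithmetic in the post above (480-byte key file, 4096-byte dump, 49 missing blocks) can be turned into a check that flags an incomplete dump. This is an added example, not code from any post or from the Proxmark3 source; the function names are hypothetical and the log text in `main` is a constructed sample in the format of the client output quoted in this thread.

```c
#include <stdio.h>
#include <string.h>

/* Sector count for the size codes used in this thread (0 = Mini, 1, 2, 4). */
int mf_sectors(int size)
{
	return size == 0 ? 5 : size == 1 ? 16 : size == 2 ? 32 : size == 4 ? 40 : -1;
}

/* Expected dumpdata.bin size: sectors 0-31 hold 4 blocks, 32-39 hold 16; 16 bytes per block. */
long mf_dump_bytes(int size)
{
	int n = mf_sectors(size), blocks = 0;
	if (n < 0) return -1;
	for (int s = 0; s < n; s++) blocks += (s < 32) ? 4 : 16;
	return blocks * 16L;
}

/* Expected dumpkeys.bin size: 6-byte key A and key B for every sector. */
long mf_keyfile_bytes(int size)
{
	int n = mf_sectors(size);
	return n < 0 ? -1 : n * 2 * 6L;
}

/* Blocks missing from a dump file: 0 = complete, -1 = size is not plausible. */
int mf_missing_blocks(int size, long file_bytes)
{
	long want = mf_dump_bytes(size);
	if (want < 0 || file_bytes < 0 || file_bytes > want || (want - file_bytes) % 16) return -1;
	return (int)((want - file_bytes) / 16);
}

/* Count "Could not read block B of sector S" lines in client output. */
int count_failed_reads(const char *log)
{
	int failed = 0, b, s;
	while (log && *log) {
		if (sscanf(log, "Could not read block %d of sector %d", &b, &s) == 2) failed++;
		log = strchr(log, '\n');
		if (log) log++;
	}
	return failed;
}

int main(void)
{
	/* Constructed sample, not a real capture. */
	const char *log = "Could not read block  0 of sector 11\n#db# Cmd Error: 04\n"
	                  "Could not read block  1 of sector 11\n#db# READ BLOCK FINISHED\n";
	printf("4K: dump %ld bytes, keys %ld bytes; 3312-byte file lacks %d blocks; log shows %d failures\n",
	       mf_dump_bytes(4), mf_keyfile_bytes(4), mf_missing_blocks(4, 3312), count_failed_reads(log));
	return 0;
}
```

A dump is only worth keeping when `mf_missing_blocks` returns 0; comparing its result with `count_failed_reads` over the session log shows whether every missing block is accounted for by a reported read failure.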

#37 2014-09-11 07:11:20

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [Resolved] hf mf dump for 4k cards broken?

Hi piwi, I think there is a problem in the new OS/FPGA files; I just flashed the latest fullimage release (starting from my 0.0.2) and now the proxmark is not shown in the COM list devices and the red led remains on; after a few couple of seconds it automatically resets itself.

Going back to 0.0.2 (holding the button is necessary) and flashing the latest OS-image OR the fpga-image only has the same behaviour but the red led doesn't remain on.

This is the problematic compiled firmware (there seems to be an "empty loadtable segment detected in fullimage.elf, is this intentional?" error while compiling... is this normal ?).

Should I also update the bootloader ?

Last edited by asper (2014-09-11 07:28:15)

Offline

#38 2014-09-11 08:58:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

Regarding the "hf mf chk"  it's better to use Holiman's luascript "mfkeys.lua" instead.  It uses a larger set of keys, which you can to yourself and creates a dumpkeys.bin file.

The "hf mf dump" misses two variables:

 PrintAndLog("Dumped block %2d of sector %2d into 'dumpdata.bin'", blockNo, sectorNo);

Offline

#39 2014-09-11 09:06:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

As a suggestion,  we could instead try to identify the card and select numOfSectors from there instead of assuming 1K by default..

Offline

#40 2014-09-11 09:29:31

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [Resolved] hf mf dump for 4k cards broken?

asper wrote:

Hi piwi, I think there is a problem in the new OS/FPGA files; I just flashed the latest fullimage release (starting from my 0.0.2) and now the proxmark is not shown in the COM list devices and the red led remains on; after a few couple of seconds it automatically resets itself.

Going back to 0.0.2 (holding the button is necessary) and flashing the latest OS-image OR the fpga-image only has the same behaviour but the red led doesn't remain on.

This is the problematic compiled firmware (there seems to be an "empty loadtable segment detected in fullimage.elf, is this intentional?" error while compiling... is this normal ?).

Should I also update the bootloader ?

The latest commits touched neither the boot process nor the FPGA. I think your upgrade issue relates to an older change from iZsh (https://github.com/Proxmark/proxmark3/c … bbba80c70e) which required a bootloader update. The "empty loadable segment ..." message had always been there (as far as I remember).

Offline

#41 2014-09-11 09:34:35

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [Resolved] hf mf dump for 4k cards broken?

iceman wrote:

As a suggestion,  we could instead try to identify the card and select numOfSectors from there instead of assuming 1K by default..

I thought about that as well but

  • found it too difficult to identify 2K cards.

  • thought that we are more flexible if we can explicitly specify the card size. E.g. to dump and restore from/to different sizes.

Offline

#42 2014-09-11 09:43:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

I don't see why we can't have both?   the flexible way from you and when in default mode, try to identify card, if it fails, the client can hint that you should use flexible way and specify which type of card it is.

Offline

#43 2014-09-11 10:00:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

Something like this I suppose will do.

// Tries to identify cardsize.
// Returns <num>  where num is:
// -1  unidentified
//  0 - MINI (320bytes)
//  1 - 1K
//  2 - 2K
//  4 - 4K
int GetCardSize()
{
	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
	SendCommand(&c);

	UsbCommand resp;
	WaitForResponse(CMD_ACK,&resp);

	if(resp.arg[0] == 0) {
		PrintAndLog("iso14443a card select failed");
		return -1;
	}
	
	iso14a_card_select_t *card = (iso14a_card_select_t *)resp.d.asBytes;

	switch (card->sak) {
		case 0x00: return -1; break; // NXP MIFARE Ultralight | Ultralight C
		case 0x04: return -1; break; // NXP MIFARE (various !DESFire !DESFire EV1

		case 0x08: return -1; break; // NXP MIFARE CLASSIC 1k | Plus 2k SL1
		case 0x09: return  0; break; // NXP MIFARE Mini 0.3k
		case 0x10: return  2; break; // NXP MIFARE Plus 2k SL2
		case 0x11: return  4; break; // NXP MIFARE Plus 4k SL2
		case 0x18: return  4; break; // NXP MIFARE Classic 4k | Plus 4k SL1
		case 0x20: return -1; break; // NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
		case 0x24: return -1; break; // NXP MIFARE DESFire | DESFire EV1
		case 0x28: return -1; break; // JCOP31 or JCOP41 v2.3.1
		case 0x38: return  4; break; // Nokia 6212 or 6131 MIFARE CLASSIC 4K
		case 0x88: return  1; break; // Infineon MIFARE CLASSIC 1K
		case 0x98: return -1; break; // Gemplus MPCOS
		default: ;
	}
	return -1;
}

Offline

#44 2014-09-11 10:51:09

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [Resolved] hf mf dump for 4k cards broken?

Thank you piwi, I will test asagbh. I am a bit out of pm3 in these months... is the iclass (pentuea/midnite/etc) stuff already merged in the main trunk ?

Offline

#45 2014-09-11 10:51:43

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [Resolved] hf mf dump for 4k cards broken?

The difficulty I mentioned is here:

case 0x08: return -1; break; // NXP MIFARE CLASSIC 1k | Plus 2k SL1

This is by far the most common case. And therefore the most common case would require us to specify the card size explicitly. I think it is more convenient to keep the existing default (1K) and only specify other sizes when required.

Offline

#46 2014-09-11 11:17:50

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [Resolved] hf mf dump for 4k cards broken?

You were right piwi; the izsh patch requires a bootrom+fullfpgaimage flash to make pm3 working again.

Sorry for the OT but what about iclass stuff ? Is it still branched or is it merged in the main trunk ?

Offline

#47 2014-09-11 11:59:31

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [Resolved] hf mf dump for 4k cards broken?

Hard to say - and I somehow lost track as well. Holiman has merged something to master, but there is still development going on in other branches (unstable and PenturaProx-iclass-research).

Offline

#48 2014-09-11 14:03:43

johankosmos
Member
Registered: 2014-08-29
Posts: 7

Re: [Resolved] hf mf dump for 4k cards broken?

some fun with my proxmark3
1410440592_prox.jpg
Greetings Johan Kosmos

Offline

#49 2014-09-11 14:19:52

carlijn
Contributor
Registered: 2014-09-01
Posts: 11

Re: [Resolved] hf mf dump for 4k cards broken?

Nice Johan, but is it really working?
If your answer is yes, mail it to me
Greetings Carlijn

Offline

#50 2014-09-11 14:23:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [Resolved] hf mf dump for 4k cards broken?

I see, Piwi,  just identifying on SAK is too general and I don't suggest that resolving to a default value of 16 is a bad thing. Just keep it like that.
I looked into the fingerprint function in Libnfc,   ripping out the interesting stuff,  this is the revised version.
I don't have any MIFARE Plus cards to test the function, but it should do the work. Otherwise the libnfc guys have it all wrong. (or typos from my side)

// Tries to identify cardsize.
// Returns <num>  where num is:
// -1  unidentified
//  0 - MINI (320bytes)
//  1 - 1K
//  2 - 2K
//  4 - 4K
int GetCardSize()
{
	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
	SendCommand(&c);

	UsbCommand resp;
	WaitForResponse(CMD_ACK,&resp);

	if(resp.arg[0] == 0) {
		PrintAndLog("iso14443a card select failed");
		return -1;
	}
	
	iso14a_card_select_t *card = (iso14a_card_select_t *)resp.d.asBytes;

	uint16_t atqa = 0;
	uint8_t sak = 0;
	atqa = (card->atqa[0] & 0xff) << 8;
	atqa += card->atqa[1] & 0xff;
	sak = card->sak;
	
	// https://code.google.com/p/libnfc/source/browse/libnfc/target-subr.c
	// Each test masks ATQA with bitwise & and then compares; the inner
	// parentheses are required because == binds tighter than &.
	
	// NXP MIFARE Mini 0.3k
	if ( ((atqa & 0xff0f) == 0x0004) && (sak == 0x09) ) return 0;
	
	// MIFARE Classic 1K
	if ( ((atqa & 0xff0f) == 0x0004) && (sak == 0x08) ) return 1;
	
	// MIFARE Classic 4K
	if ( ((atqa & 0xff0f) == 0x0002) && (sak == 0x18) ) return 4;
	
	// SmartMX with MIFARE 1K emulation 
	if ( (atqa & 0xf0ff) == 0x0004 ) return 1;

	// SmartMX with MIFARE 4K emulation 
	if ( (atqa & 0xf0ff) == 0x0002 ) return 4;	
	
	// Infineon MIFARE CLASSIC 1K
	if ( ((atqa & 0xffff) == 0x0004) && (sak == 0x88) ) return 1;
	
	// MFC 4K emulated by Nokia 6212 Classic
	if ( ((atqa & 0xffff) == 0x0002) && (sak == 0x38) ) return 4;

	// MFC 4K emulated by Nokia 6131 NFC
	if ( ((atqa & 0xffff) == 0x0008) && (sak == 0x38) ) return 4;

	// MIFARE Plus (4 Byte UID or 4 Byte RID)
	// MIFARE Plus (7 Byte UID)
	if (
			((atqa & 0xffff) == 0x0002) ||
			((atqa & 0xffff) == 0x0004) ||
			((atqa & 0xffff) == 0x0042) ||	
			((atqa & 0xffff) == 0x0044) 
		)
	{
		switch(sak){
			case 0x08:
			case 0x10:
				return 2;
				break;
			case 0x11:
			case 0x18:	// listed once only: a duplicate case label does not compile
			case 0x20:
				return 4;
				break;
		}
	}
	
	return -1;
}

Offline
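The overlap piwi describes for SAK 0x08 shows up when every matching fingerprint is collected and none is allowed to win by position. This is an added example, not code from any post or from the Proxmark3 or libnfc source; the function names and the bitmask are hypothetical, the SmartMX rows are left out because they carry no SAK check, and treating SAK 0x20 as "2K or 4K" is an assumption taken from the SAK 0x20 comment in post #43.

```c
#include <stdint.h>
#include <stdio.h>

/* Candidate sizes as a bitmask, so overlapping fingerprints stay visible. */
enum { MF_MINI = 1, MF_1K = 2, MF_2K = 4, MF_4K = 8 };

/* atqa is the 16-bit value as written in the post (e.g. 0x0004). */
unsigned mf_size_candidates(uint16_t atqa, uint8_t sak)
{
	unsigned c = 0;

	/* Mask with bitwise & first, then compare. */
	if ((atqa & 0xff0f) == 0x0004 && sak == 0x09) c |= MF_MINI;
	if ((atqa & 0xff0f) == 0x0004 && sak == 0x08) c |= MF_1K;
	if ((atqa & 0xff0f) == 0x0002 && sak == 0x18) c |= MF_4K;
	if (atqa == 0x0004 && sak == 0x88) c |= MF_1K;	/* Infineon 1K */
	if ((atqa == 0x0002 || atqa == 0x0008) && sak == 0x38) c |= MF_4K;	/* Nokia 6212 / 6131 */

	/* MIFARE Plus reuses ATQA and SAK values that Classic cards also answer with. */
	if (atqa == 0x0002 || atqa == 0x0004 || atqa == 0x0042 || atqa == 0x0044) {
		switch (sak) {
		case 0x08: case 0x10: c |= MF_2K; break;	/* 2K SL1, SL2 */
		case 0x11: case 0x18: c |= MF_4K; break;	/* 4K SL2, SL1 */
		case 0x20: c |= MF_2K | MF_4K; break;	/* 2K or 4K SL3 (assumption, see lead-in) */
		}
	}
	return c;
}

/* Size code (0 = Mini, 1, 2, 4) when exactly one size matches, else -1:
 * nothing matched, or the sizes conflict and the user must state the size. */
int mf_pick_size(uint16_t atqa, uint8_t sak)
{
	switch (mf_size_candidates(atqa, sak)) {
	case MF_MINI: return 0;
	case MF_1K:   return 1;
	case MF_2K:   return 2;
	case MF_4K:   return 4;
	default:      return -1;
	}
}

int main(void)
{
	/* Constructed ATQA/SAK pairs, not captured from real cards. */
	static const struct { uint16_t atqa; uint8_t sak; } s[] = {
		{0x0004, 0x09}, {0x0004, 0x08}, {0x0002, 0x18}, {0x0004, 0x20},
	};
	for (unsigned i = 0; i < sizeof s / sizeof s[0]; i++)
		printf("ATQA %04x SAK %02x -> candidates 0x%x, size %d\n",
		       (unsigned)s[i].atqa, (unsigned)s[i].sak,
		       mf_size_candidates(s[i].atqa, s[i].sak), mf_pick_size(s[i].atqa, s[i].sak));
	return 0;
}
```

For ATQA 0x0004 with SAK 0x08 the candidates are both 1K and 2K, so `mf_pick_size` returns -1 and the size has to be given explicitly, which is the case piwi calls the most common one.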
