Proxmark3 community

#1 2017-01-16 15:11:13

CoolLink
Contributor
Registered: 2016-12-09
Posts: 31

Can PM3 retrieve a key from the Mifare Classic 1k

I am running several Mifare commands to see if I am able to retrieve a key A/B on a Mifare Classic 1K.

1. Firmware on PM3

Prox/RFID mark3 RFID instrument
bootrom: master/v2.3 2016-09-19 20:28:38
os: master/v2.3 2016-09-19 20:28:38
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 183707 bytes (35%). Free: 340581 bytes (65%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

2. Antenna Tune

proxmark3> hw tune

Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)

......#db# DownloadFPGA(len: 42096)
.
# LF antenna:  0.00 V @   125.00 kHz
# LF antenna:  0.00 V @   134.00 kHz
# LF optimal:  0.00 V @ 12000.00 kHz
# HF antenna:  8.29 V @    13.56 MHz
# Your LF antenna is unusable.

3. Card/Tag details

proxmark3> hf search

UID : de e6 16 5b
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

Valid ISO14443A Tag Found - Quiting Search

4. Mifare Darkside Attack

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..

Card is not vulnerable to Darkside attack (its random number generator is not predictable).

5. List the traces, if any

proxmark3> hf list 14a
Recorded Activity (TraceLen = 720 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)       | CRC | Annotation         |
------------|------------|-----|-------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 52                                  |     | WUPA
       2228 |       4596 | Tag | 04  00                              |     |
       7040 |       9504 | Rdr | 93  20                              |     | ANTICOLL
      10676 |      16564 | Tag | de  e6  16  5b  75                  |     |
      18816 |      29344 | Rdr | 93  70  de  e6  16  5b  75  3a  f8  |  ok | SELECT_UID
      30516 |      34036 | Tag | 08  b6  dd                          |     |
    4187392 |    4192096 | Rdr | 60  00  f5  7b                      |  ok | AUTH-A(0)
    4196916 |    4201588 | Tag | d3  83  0c  82                      |     |
    4203648 |    4213024 | Rdr |00! 00! 00! 00! 00! 00! 00! 00!      | !crc| ?
    4348416 |    4349408 | Rdr | 52                                  |     | WUPA
    4350644 |    4353012 | Tag | 04  00                              |     |
    4355456 |    4357920 | Rdr | 93  20                              |     | ANTICOLL
    4359092 |    4364980 | Tag | de  e6  16  5b  75                  |     |
    4367232 |    4377760 | Rdr | 93  70  de  e6  16  5b  75  3a  f8  |  ok | SELECT_UID
    4378932 |    4382452 | Tag | 08  b6  dd                          |     |
    5235968 |    5240672 | Rdr | 60  00  f5  7b                      |  ok | AUTH-A(0)
    5245492 |    5250228 | Tag | 61  5e  8a  7c                      |     |
    5252224 |    5261536 | Rdr |00! 00! 00! 00! 00! 00! 00!  00      | !crc| ?
    6854656 |    6855648 | Rdr | 52                                  |     | WUPA
    6856884 |    6859252 | Tag | 04  00                              |     |
    6861696 |    6864160 | Rdr | 93  20                              |     | ANTICOLL
    6865332 |    6871220 | Tag | de  e6  16  5b  75                  |     |
    6873472 |    6884000 | Rdr | 93  70  de  e6  16  5b  75  3a  f8  |  ok | SELECT_UID
    6885172 |    6888692 | Tag | 08  b6  dd                          |     |
    7333120 |    7337824 | Rdr | 60  00  f5  7b                      |  ok | AUTH-A(0)
    7342644 |    7347380 | Tag | 22  27  cf  f2                      |     |
    7349248 |    7358560 | Rdr |00! 00! 00! 00! 00! 00! 00!  00      | !crc| ?
    8951680 |    8952672 | Rdr | 52                                  |     | WUPA
    8953908 |    8956276 | Tag | 04  00                              |     |
    8958720 |    8961184 | Rdr | 93  20                              |     | ANTICOLL
    8962356 |    8968244 | Tag | de  e6  16  5b  75                  |     |
    8970496 |    8981024 | Rdr | 93  70  de  e6  16  5b  75  3a  f8  |  ok | SELECT_UID
    8982196 |    8985716 | Tag | 08  b6  dd                          |     |
    9430272 |    9434976 | Rdr | 60  00  f5  7b                      |  ok | AUTH-A(0)
    9439796 |    9444468 | Tag | 43  4d  ee  03                      |     |
    9446400 |    9455712 | Rdr |00! 00! 00! 00! 00! 00! 00!  00      | !crc| ?
   11048832 |   11049824 | Rdr | 52                                  |     | WUPA
   11051060 |   11053428 | Tag | 04  00                              |     |
   11055872 |   11058336 | Rdr | 93  20                              |     | ANTICOLL
   11059508 |   11065396 | Tag | de  e6  16  5b  75                  |     |
   11067648 |   11078176 | Rdr | 93  70  de  e6  16  5b  75  3a  f8  |  ok | SELECT_UID
   11079348 |   11082868 | Tag | 08  b6  dd                          |     |
   11527424 |   11532128 | Rdr | 60  00  f5  7b                      |  ok | AUTH-A(0)
   11536948 |   11541684 | Tag | 81  1e  d3  94                      |     |
   11543552 |   11552864 | Rdr |00! 00! 00! 00! 00! 00! 00!  00      | !crc| ?
   13145984 |   13146976 | Rdr | 52                                  |     | WUPA
   13148212 |   13150580 | Tag | 04  00                              |     |
   13153024 |   13155488 | Rdr | 93  20                              |     | ANTICOLL
   13156660 |   13162548 | Tag | de  e6  16  5b  75                  |     |
   13164800 |   13175328 | Rdr | 93  70  de  e6  16  5b  75  3a  f8  |  ok | SELECT_UID
   13176500 |   13180020 | Tag | 08  b6  dd                          |     |
   13624576 |   13629280 | Rdr | 60  00  f5  7b                      |  ok | AUTH-A(0)
   13634100 |   13638772 | Tag | fc  b3  5b  05                      |     |
   13640704 |   13650016 | Rdr |00! 00! 00! 00! 00! 00! 00!  00      | !crc| ?

From this I gather that the authentication phase is failing, since the card is expecting a key from the PM3 to authenticate.
Is there a way to retrieve the key?

In the meantime I am reading the Mifare protocol guide and the Mifare Classic EV1 1K datasheet.

Any help will be appreciated.


#2 2017-01-16 15:15:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Can PM3 retrieve a key from the Mifare Classic 1k

The Mifare attack vectors are well documented.

Old cards, with vuln PRNG, use darkside & nested.
New cards, with fixed PRNG, if you have a known key, use hardnested.

How to get the one key needed for hardnested? Either sniff / sim x against reader / check for default keys (use dictionary).

You find it all here on the forum.

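An added example, not part of either post: Python that reads rows from the `hf list 14a` trace in post #1, verifies the UID check byte (BCC) and the CRC_A on the frames that carry one, and collects the tag nonces that answer AUTH-A. The names `crc_a`, `audit`, `ROW` and `TRACE` are assumptions of this example, and the sample rows are copied from the trace with the line wrap removed.

```python
import re
# Constructed input: rows copied from the `hf list 14a` trace in post #1, wrap removed.
TRACE = """\
       7040 |       9504 | Rdr | 93  20                              |     | ANTICOLL
      10676 |      16564 | Tag | de  e6  16  5b  75                  |     |
      18816 |      29344 | Rdr | 93  70  de  e6  16  5b  75  3a  f8  |  ok | SELECT_UID
      30516 |      34036 | Tag | 08  b6  dd                          |     |
    4187392 |    4192096 | Rdr | 60  00  f5  7b                      |  ok | AUTH-A(0)
    4196916 |    4201588 | Tag | d3  83  0c  82                      |     |
    4203648 |    4213024 | Rdr |00! 00! 00! 00! 00! 00! 00! 00!      | !crc| ?
    5235968 |    5240672 | Rdr | 60  00  f5  7b                      |  ok | AUTH-A(0)
    5245492 |    5250228 | Tag | 61  5e  8a  7c                      |     |
"""
ROW = re.compile(r"^\s*\d+ \|\s*\d+ \| (Rdr|Tag) \|([^|]*)\|", re.M)
ANTICOLL, SELECT, AUTH = b"\x93\x20", b"\x93\x70", (b"\x60", b"\x61")  # AUTH-A / AUTH-B

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A: preset 0x6363, transmitted low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def audit(trace: str) -> dict:
    """Check BCC and CRC_A where the protocol defines them; collect tag nonces."""
    rep = {"uid": None, "bcc_ok": None, "crc_ok": [], "nonces": [], "parity_errors": 0}
    last_rdr = b""                                   # most recent reader frame
    for src, data in ROW.findall(trace):
        toks = data.split()
        frame = bytes(int(t.rstrip("!"), 16) for t in toks)
        perr = any(t.endswith("!") for t in toks)    # "!" marks a parity error
        rep["parity_errors"] += perr
        if src == "Rdr":
            last_rdr = frame
            if not perr and (frame[:2] == SELECT or frame[:1] in AUTH):
                rep["crc_ok"].append(crc_a(frame[:-2]) == frame[-2:])
        elif last_rdr == ANTICOLL and len(frame) == 5:   # UID + BCC (XOR of UID bytes)
            rep["uid"] = frame[:4].hex()
            rep["bcc_ok"] = (frame[0] ^ frame[1] ^ frame[2] ^ frame[3]) == frame[4]
        elif last_rdr[:2] == SELECT:                     # SAK + CRC_A
            rep["crc_ok"].append(crc_a(frame[:-2]) == frame[-2:])
        elif last_rdr[:1] in AUTH:                       # tag nonce, sent without CRC
            rep["nonces"].append(frame.hex())
    return rep

if __name__ == "__main__":
    print(audit(TRACE))
```

The second nonce begins with 0x61, the same value as the AUTH-B command byte, which is why the check keys on the frame's source and the preceding reader frame rather than on the first byte alone.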