Hi, I'm new here and to the world of RFID, so my explanation may be a little rough.
For about a week I have had a Mifare badge that I want to read, but I'm having some difficulty reading the interesting sector.
To begin with, this is my setup:
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman// 2018-08-11 22:01:12
os: iceman// 2018-08-11 22:01:16
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 8/10 at 1:28:37
[ Hardware ]
--= uC: AT91SAM7S256 Rev C
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 256K bytes, Used: 237451 bytes (91%) Free: 24693 bytes ( 9%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
So I tried to identify the tag:
pm3 --> hf search
UID : 43 D6 97 9C
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
[+] Valid ISO14443-A Tag Found
So I was thinking, "Okay, it's a Mifare Classic but SL1, so maybe I will get lucky and get a sector with a default key!"
pm3 --> hf mf chk * ?
No key specified, trying default keys
[ 0] ffffffffffff
[ 1] 000000000000
[ 2] a0a1a2a3a4a5
[...]
[19] 8fd0a4f256e9
Time in checkkeys: 0 seconds
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ------------ | 0 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ------------ | 0 | ------------ | 0 |
|005| ------------ | 0 | ------------ | 0 |
|006| ------------ | 0 | ------------ | 0 |
|007| ------------ | 0 | ------------ | 0 |
|008| ------------ | 0 | ------------ | 0 |
|009| ------------ | 0 | ------------ | 0 |
|010| ------------ | 0 | ------------ | 0 |
|011| ------------ | 0 | ------------ | 0 |
|012| ------------ | 0 | ------------ | 0 |
|013| ------------ | 0 | ------------ | 0 |
|014| ------------ | 0 | ------------ | 0 |
|015| ------------ | 0 | ------------ | 0 |
|---|----------------|---|----------------|---|
And this is the first problem I ran into. The previous command executed faster than usual and returned no key. So I tried to read sector 0 with the key "FFFFFFFFFFFF", out of curiosity and to confirm the output, but instead I was able to read the sector:
pm3 --> hf mf rdsc 0 A ffffffffffff
--sector no:0 key type:A key:FF FF FF FF FF FF
isOk:01
data : 43 D6 97 9C 9E 88 04 00 C8 01 00 20 00 00 00 16
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
That makes me confused about the output of the CHK. I tried to run the CHK again, but only on the A key:
pm3 --> hf mf chk *1 A
No key specified, trying default keys
[ 0] ffffffffffff
[ 1] 000000000000
[ 2] a0a1a2a3a4a5
[...]
[19] 8fd0a4f256e9
................
Time in checkkeys: 3 seconds
testing to read key B...
Reading block 3
[...]
Reading block 63
Data:FF FF FF FF FF FF
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|009| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|010| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|011| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|012| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|013| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|014| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
This time I got more keys, and I tried to read sector 11 because it has a different key, and I got this output:
pm3 --> hf mf rdsc 10 A a0a1a2a3a4a5
--sector no:10 key type:A key:A0 A1 A2 A3 A4 A5
#db# Cmd Error: 04
#db# Read sector 10 block 0 error
isOk:00
I'm new, so I don't really understand the output of this command. What does that error 04 mean?
Out of curiosity I tried to run the hardnested attack on the first block of this sector, and the attack gave me the same key, so I don't understand why I get this error. Can you explain it to me?
pm3 --> hf mf hard 0 A FFFFFFFFFFFF 40 A
--target block no: 40, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 1152 million (2^30.1) keys/s | 140737488355328 | 34h
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 34h
5 | 112 | Apply bit flip properties | 24269654016 | 21s
[...]
13 | 1219 | Apply bit flip properties | 1247843200 | 1s
15 | 1329 | Apply Sum property. Sum(a0) = 120 | 348616576 | 0s
15 | 1329 | (Ignoring Sum(a8) properties) | 348616576 | 0s
18 | 1329 | Brute force phase completed. Key found: a0a1a2a3a4a5 | 0 | 0s
Thank you in advance for your help.
PS: I'm sorry for my very poor spelling; I try to do my best to be understandable.