Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
#1 2019-12-12 11:10:49
- Hem
- Contributor
- Registered: 2019-12-12
- Posts: 3
Cracked keys via hardnested but still can't dump Mifare Classic
Hey all, new to proxmark here and just experimenting with a bunch of random cards I have laying around. I've read a bunch of blogs and have a decent idea how it works, but I'm having an interesting issue dumping a card directly.
So with one of the cards I ran hardnested and cracked a key successfully, such that the chk command returns:
|---|----------------|----------------|
|sec|key A |key B |
|---|----------------|----------------|
|000| a2a3cca2a3cc | ffffffffffff |
|001| ? | ffffffffffff |
|002| ffffffffffff | ffffffffffff |
|003| a2a3cca2a3cc | ffffffffffff |
|004| a2a3cca2a3cc | ffffffffffff |
|005| a2a3cca2a3cc | ffffffffffff |
|006| a2a3cca2a3cc | ffffffffffff |
|007| a2a3cca2a3cc | ffffffffffff |
|008| a2a3cca2a3cc | ffffffffffff |
|009| a2a3cca2a3cc | ffffffffffff |
|010| a2a3cca2a3cc | ffffffffffff |
|011| a2a3cca2a3cc | ffffffffffff |
|012| a2a3cca2a3cc | ffffffffffff |
|013| a2a3cca2a3cc | ffffffffffff |
|014| a2a3cca2a3cc | ffffffffffff |
|015| a2a3cca2a3cc | ffffffffffff |
|---|----------------|----------------|
31 keys(s) found have been transferred to the emulator memoryFor some reason there is a `?` in sector 001 and `ffffffffffff` in sector 002, however running hardnested on those blocks just returns the same key for both. That is confirmed by the fact that I can run `hf mf rdbl 1 A a2a3cca2a3cc` and `hf mf rdbl 2 A a2a3cca2a3cc` and successfully read the data.
I have tried positioning the card in a million different ways but no matter what I do I can't populate those two sectors. This problem exists on another card as well, except instead of a `?` there is a random key that gets populated in sector 1.
Running `hf mf ekeyprn` returns:
|---|----------------|----------------|
|sec|key A |key B |
|---|----------------|----------------|
|000| a2a3cca2a3cc | ffffffffffff |
|001| ffffffffffff | ffffffffffff |
|002| ffffffffffff | ffffffffffff |
|003| a2a3cca2a3cc | ffffffffffff |
|004| a2a3cca2a3cc | ffffffffffff |
|005| a2a3cca2a3cc | ffffffffffff |
|006| a2a3cca2a3cc | ffffffffffff |
|007| a2a3cca2a3cc | ffffffffffff |
|008| a2a3cca2a3cc | ffffffffffff |
|009| a2a3cca2a3cc | ffffffffffff |
|010| a2a3cca2a3cc | ffffffffffff |
|011| a2a3cca2a3cc | ffffffffffff |
|012| a2a3cca2a3cc | ffffffffffff |
|013| a2a3cca2a3cc | ffffffffffff |
|014| a2a3cca2a3cc | ffffffffffff |
|015| a2a3cca2a3cc | ffffffffffff |
|---|----------------|----------------|Trying to dump the card doesn't work, I assume that's because those two sectors don't have the correct key in them. Is there a way to manually set those values?
Output of `hf mf dump 1`:
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for sector 1. Trying
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Successfully read block 0 of sector 0.
#db# READ BLOCK FINISHED
Successfully read block 1 of sector 0.
#db# READ BLOCK FINISHED
Successfully read block 2 of sector 0.
#db# READ BLOCK FINISHED
Successfully read block 3 of sector 0.
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
Could not read block 0 of sector 1hw version
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2019-12-09 04:30:11
os: /-suspect 2019-12-09 04:30:15
fpga_lf.bit built for 2s30vq100 on 2019/11/21 at 09:02:37
fpga_hf.bit built for 2s30vq100 on 2019/11/13 at 14:52:19
SmartCard Slot: available
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 207736 bytes (40%). Free: 31 552 bytes (60%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash MemoryAny ideas?
Thanks!
Last edited by Hem (2019-12-12 11:34:31)
Offline
#2 2019-12-12 11:37:59
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: Cracked keys via hardnested but still can't dump Mifare Classic
.... the good old blocks is not sectors...
Offline
#3 2019-12-13 08:42:07
- Hem
- Contributor
- Registered: 2019-12-12
- Posts: 3
Re: Cracked keys via hardnested but still can't dump Mifare Classic
Ah right, got it working. I had to run hardnested on block 4 to crack sector 1 and it worked as expected 
Offline