Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hitag2 - two improved attacks emerged
Based on the Hitag2 Hell source, two attacks have emerged: one CPU-based and one GPU-based.
HiTag2 Cracking Suite
Authors:
Attacks 1, 2, 3, 4 : Kevin Sheldrake kev@headhacking.com
Attacks 5, 5gpu : anonymous, based on https://github.com/factoritbv/hitag2hell by FactorIT B.V.
Attack 5
Attack 5 is heavily based on the HiTag2 Hell CPU implementation from https://github.com/factoritbv/hitag2hell by FactorIT B.V., with the following changes:
Main takes a UID and 2 {nR},{aR} pairs as arguments and searches for states producing the first aR sample, reconstructs the corresponding key candidates and tests them against the second nR,aR pair;
Reuses the Hitag helping functions of the other attacks.
Attack 5gpu
Attack 5gpu is identical to attack 5, simply the code has been ported to OpenCL to run on GPUs and is therefore much faster than attack 5.
Usage details: Attack 5
Attack 5 requires two encrypted nonce and challenge response value pairs (nR, aR) for the tag's UID.
pm3 --> lf hitag sniff
Stop once you got two pairs.
$ ./ht2crack5 <UID> <nR1> <aR1> <nR2> <aR2>
Usage details: Attack 5gpu
Attack 5gpu requires two encrypted nonce and challenge response value pairs (nR, aR) for the tag's UID.
pm3 --> lf hitag sniff
Stop once you got two pairs.
$ ./ht2crack5gpu <UID> <nR1> <aR1> <nR2> <aR2>
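As an added illustration of the last step the README describes (the candidate test against the second pair), not code from the ht2crack suite or from hitag2hell: the Hitag2 cipher in C, used to confirm that a key candidate also reproduces a second sniffed (nR, aR) pair. It assumes UID, key and nR are handled as plain integers, ignoring the on-air bit ordering the real tools take care of; the key and nR values are constructed, the UID is the one printed by "lf hitag reader 26" further down the thread.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Hitag2 stream cipher: 48-bit LFSR plus the f20 filter (public tables F4A, F4B, F5C).
 * Bit positions follow the common C reference convention (filter read after the shift). */
#define I4(x, a, b, c, d) ((uint32_t)((((x) >> (a)) & 1) | ((((x) >> (b)) & 1) << 1) | \
                                     ((((x) >> (c)) & 1) << 2) | ((((x) >> (d)) & 1) << 3)))
static const uint32_t F4A = 0x2C79, F4B = 0x6671, F5C = 0x7907287B;
static uint32_t ht2_f20(uint64_t x) {
    uint32_t i5 = ((F4A >> I4(x, 1, 2, 4, 5)) & 1) | ((F4B >> I4(x, 7, 11, 13, 14)) & 1) << 1
                | ((F4B >> I4(x, 16, 20, 22, 25)) & 1) << 2 | ((F4B >> I4(x, 27, 28, 30, 32)) & 1) << 3
                | ((F4A >> I4(x, 33, 42, 43, 45)) & 1) << 4;
    return (F5C >> i5) & 1;
}
/* Load the low 16 key bits and the UID, then clock in nR xor the upper 32 key bits. */
static uint64_t ht2_init(uint64_t key, uint32_t uid, uint32_t nR) {
    uint64_t x = ((key & 0xFFFF) << 32) | uid;
    for (int i = 0; i < 32; i++) {
        x >>= 1;
        x |= (uint64_t)(ht2_f20(x) ^ (((nR >> i) ^ (uint32_t)(key >> (i + 16))) & 1)) << 47;
    }
    return x;
}
/* One clock: shift, insert the feedback bit, return the filter output. */
static uint32_t ht2_round(uint64_t *s) {
    uint64_t x = *s;
    uint64_t fb = (x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8) ^ (x >> 16) ^ (x >> 22)
                ^ (x >> 23) ^ (x >> 26) ^ (x >> 30) ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47);
    *s = (x >> 1) | ((fb & 1) << 47);
    return ht2_f20(*s);
}
/* Reader authenticator: aR = 0xFFFFFFFF xor the first 32 keystream bits (MSB first). */
uint32_t ht2_auth(uint64_t key, uint32_t uid, uint32_t nR) {
    uint64_t s = ht2_init(key, uid, nR); uint32_t ks = 0;
    for (int i = 0; i < 32; i++) ks = (ks << 1) | ht2_round(&s);
    return ks ^ 0xFFFFFFFFu;
}
/* Attack 5's last step: a candidate from pair 1 survives only if it also reproduces pair 2. */
bool ht2_check_candidate(uint64_t cand, uint32_t uid, uint32_t nR2, uint32_t aR2) {
    return ht2_auth(cand, uid, nR2) == aR2;
}
int main(void) {
    /* Constructed sample: UID from the thread's reader output; key and nR are made up here. */
    const uint32_t uid = 0x0a350429u; const uint64_t key = 0x4F4E4D494B52ULL;
    const uint32_t nR2 = 0xC0FFEE42u, aR2 = ht2_auth(key, uid, nR2); /* what a sniffer would record */
    printf("true key   %s\n", ht2_check_candidate(key, uid, nR2, aR2) ? "confirmed" : "rejected");
    printf("wrong key  %s\n", ht2_check_candidate(key ^ 1, uid, nR2, aR2) ? "confirmed" : "rejected");
    return 0;
}
```

The same check, run with a key you already know, also tells you whether a sniffed trace was decoded correctly before feeding it to any cracker.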
Amazing!
Tested on an old DELL laptop without Nvidia; it took about 3 hours to get the key.
With a fast computer or an Nvidia card it would be really fast.
Great hack
Last edited by cosmo61 (2020-04-12 10:50:50)
Good day.
I tried to implement the attack on my device (Proxmark3 easy china). To my regret, the latest builds for Windows downloaded from the https://drive.google.com/drive/folders/1uX9RtYGinuFrpHybu4xq_BE3HrobI20e branch do not work correctly with the "lf hitag sniff" command. After this command, the device reboots after a while. Can anyone share a working build for my device?
C:\Users\User\Downloads\rrg_other-64-20200723-84a49bf03b1c62a2f70719e7ddc3e38d2de5a819\win64>proxmark3 COM12
[=] Session log C:/Users/User/Downloads/rrg_other-64-20200723-84a49bf03b1c62a2f70719e7ddc3e38d2de5a819/win64/.proxmark3/logs/log_20200727.txt
[+] loaded from JSON file C:/Users/User/Downloads/rrg_other-64-20200723-84a49bf03b1c62a2f70719e7ddc3e38d2de5a819/win64/.proxmark3/preferences.json
[=] Using UART port COM12
[=] Communicating with PM3 over USB-CDC
https://github.com/rfidresearchgroup/proxmark3/
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 22:32:27
compiled with MinGW-w64 9.3.0 OS:Windows (64b) ARCH:x86_64
[ PROXMARK3 ]
[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 22:32:11
os: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 22:32:18
compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]
[ FPGA ]
LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 227408 bytes (43%) Free: 296880 bytes (57%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> hw tune
[=] Measuring antenna characteristics, please wait...
[/] 10
[=] ---------- LF Antenna ----------
[+] LF antenna: 21.68 V - 125.00 kHz
[+] LF antenna: 30.03 V - 134.83 kHz
[+] LF optimal: 30.78 V - 133.33 kHz
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 36.28 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.
[usb] pm3 --> hw status
[#] Memory
[#] BigBuf_size.............43924
[#] Available memory........43924
[#] Tracing
[#] tracing ................1
[#] traceLen ...............0
[#] Current FPGA image
[#] mode.................... HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[#] LF Sampling config
[#] [q] divisor.............95 ( 125.00 kHz )
[#] [b] bits per sample.....8
[#] [d] decimation..........1
[#] [a] averaging...........Yes
[#] [t] trigger threshold...0
[#] [s] samples to skip.....0
[#] LF Sampling Stack
[#] Max stack usage.........3952 / 8480 bytes
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
[#] long leading reference | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
[#] leading zero | 31 | 20 | 18 | 40 | 15 | N/A | N/A |
[#] 1 of 4 coding reference | 31 | 20 | 18 | 34 | 15 | 50 | 66 |
[#]
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed............500ms
[#] Bytes transferred.......270336
[#] Transfer Speed PM3 -> Client = 540672 bytes/s
[#] Various
[#] Max stack usage.........4112 / 8480 bytes
[#] DBGLEVEL................1
[#] ToSendMax...............-1
[#] ToSendBit...............0
[#] ToSend BUFFERSIZE.......2308
[#] Slow clock..............31628 Hz
[#] Installed StandAlone Mode
[#] HF - Reading Visa cards & Emulating a Visa MSD Transaction(ISO14443) - (Salvador Mendoza)
[usb] pm3 --> hw hitag reader 26
help This help
connect connect Proxmark3 to serial port
dbg Set Proxmark3 debug level
detectreader ['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)
fpgaoff Set FPGA off
ping Test if the Proxmark3 is responsive
readmem [address] -- Read memory at decimal address from flash
reset Reset the Proxmark3
setlfdivisor <19 - 255> -- Drive LF antenna at 12MHz/(divisor+1)
setmux Set the ADC mux to a specific value
standalone Jump to the standalone mode
status Show runtime status information about the connected Proxmark3
tia Trigger a Timing Interval Acquisition to re-adjust the RealTimeCounter divider
tune Measure antenna tuning
version Show version information about the connected Proxmark3
[usb] pm3 --> lf hitag reader 26
[+] UID: 0a350429
[usb] pm3 --> lf hitag sniff
[usb] pm3 --> [#] Starting Hitag2 sniffing
lf hitag list
[=] downloading tracelog from device
[=] Waiting for a response from the Proxmark3...
[=] You can cancel this operation by pressing the pm3 button
[-] Timed out while trying to download data from device
[!] timeout while waiting for reply.
[+] Recorded activity (trace len = 0 bytes)
[usb] pm3 -->
[!] Communicating with Proxmark3 device failed
[=] Running in OFFLINE mode. Use "hw connect" to reconnect
[offline] pm3 --> hw connect
[=] Using UART port COM12
[=] Communicating with PM3 over USB-CDC
[usb] pm3 --> lf hitag sniff l
[usb] pm3 --> [#] Starting Hitag2 sniffing
[!] Communicating with Proxmark3 device failed
[=] Running in OFFLINE mode. Use "hw connect" to reconnect
[offline] pm3 -->
Last edited by zorro (2020-07-27 20:37:38)
Good day. I looked at an open post about my problem at https://github.com/RfidResearchGroup/proxmark3/issues/551, and then the question arises: how to make an attack if the project is not fully functional? Does anyone have any thoughts? Thanks.
You need to somehow collect the data needed to be able to execute the key recovery software.
Well, of the possible attacks on the key, I considered attacks 4 and 3, but attack 4, as I understand it, requires a valid tag to make a second request from the reader and get the second encrypted pair. cosmo61 seems to have implemented some kind of attack; it would be interesting to hear his opinion.
Also, can you tell me an approximate reason why the newer builds do not work, specifically in lf hitag sniff mode?
I did it real basic: sniffed the communication with the (proxmark3) lf sniff command, manually read the response, then used the crack5 method.
Last edited by cosmo61 (2020-08-11 06:47:54)