Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
#1 2022-09-08 09:02:57
- mbzadegan
- Contributor
- Registered: 2022-08-15
- Posts: 20
Next step in cloning Mifare mini
Hi there,
I'm trying to copy my Mifare card.
[usb] pm3 --> hf search
[|] Searching for ISO14443-A tag...
[+] UID: B3 B8 18 64
[+] ATQA: 00 04
[+] SAK: 09 [2]
[+] Possible types:
[+] MIFARE Mini 0.3K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Valid ISO 14443-A tag foundI found that it is Mifare mini.
[usb] pm3 --> hf mf chk --mini -k FFFFFFFFFFFF
[=] [ 0] key FF FF FF FF FF FF
[=] Start check for keys...
[=] ...........
[=] time in checkkeys 2 seconds
[=] testing to read key B...
[=] Sector: 0, First block: 0, Last block: 3, Num of blocks: 4
[=] Reading sector trailer
[=] Sector: 2, First block: 8, Last block: 11, Num of blocks: 4
[=] Reading sector trailer
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | 1 | ------------ | 0
[+] 001 | 007 | ------------ | 0 | ------------ | 0
[+] 002 | 011 | A0A1A2A3A4A5 | 1 | ------------ | 0
[+] 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )Now, I found this key: A0A1A2A3A4A5
What script should I run in my next step?
Offline
#2 2022-09-09 01:29:36
- mbzadegan
- Contributor
- Registered: 2022-08-15
- Posts: 20
Re: Next step in cloning Mifare mini
I have tested this command as well, but still I have a problem!
[usb] pm3 --> hf mf nested --blk 0 -a -k A0A1A2A3A4A5
[+] Testing known keys. Sector count 16
[=] ...
[=] Chunk 6.5s | found 6/32 keys (43)
[+] Time to check 42 known keys: 7 seconds
[+] enter nested key recovery
[-] Tag isn't vulnerable to Nested Attack (PRNG is not predictable).
[usb] pm3 -->Then I try Hardnested:
[usb] pm3 --> hf mf hardnested --blk 0 -a -k A0A1A2A3A4A5
[=] Target block no 0, target key type: A, known target key: 000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 923 million (2^29.8) keys/s | 140737488355328 | 2d
[=] 7 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
[=] 11 | 112 | Apply bit flip properties | 47314325504 | 51s
[=] 12 | 224 | Apply bit flip properties | 5145465344 | 6s
[=] 13 | 335 | Apply bit flip properties | 2985049856 | 3s
[=] 14 | 447 | Apply bit flip properties | 1745006976 | 2s
[=] 15 | 558 | Apply bit flip properties | 1247843200 | 1s
[=] 16 | 668 | Apply bit flip properties | 1247843200 | 1s
[=] 16 | 779 | Apply bit flip properties | 1247843200 | 1s
[=] 17 | 888 | Apply bit flip properties | 1247843200 | 1s
[=] 18 | 999 | Apply bit flip properties | 1247843200 | 1s
[=] 18 | 1110 | Apply bit flip properties | 1247843200 | 1s
[=] 20 | 1220 | Apply Sum property. Sum(a0) = 120 | 346747264 | 0s
[=] 20 | 1220 | (Ignoring Sum(a8) properties) | 346747264 | 0s
[=] 23 | 1220 | Brute force phase completed. Key found: A0A1A2A3A4A5 | 0 | 0s
[usb] pm3 -->What should I do next?
Last edited by mbzadegan (2022-09-09 01:39:16)
Offline
#3 2022-09-09 17:43:52
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: Next step in cloning Mifare mini
Maybe you find something worth reading here,
https://github.com/RfidResearchGroup/pr … eat-sheets
or
https://github.com/RfidResearchGroup/pr … atsheet.md
Offline
#4 2022-09-10 20:47:56
- mbzadegan
- Contributor
- Registered: 2022-08-15
- Posts: 20
Re: Next step in cloning Mifare mini
iceman wrote:
Maybe you find something worth reading here,
https://github.com/RfidResearchGroup/pr … eat-sheets
or
https://github.com/RfidResearchGroup/pr … atsheet.md
Thank you for your response.
Unfortunately, I could not find any resolve,
I think it is MIFARE mini card, Do you think there is no way to copy it?
Offline
#5 2022-09-11 04:49:21
- mbzadegan
- Contributor
- Registered: 2022-08-15
- Posts: 20
Re: Next step in cloning Mifare mini
I found these keys when I run [hf mf autopwn]:
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | D | 0D258FE90296 | H
[+] 001 | 007 | 25DB1D129004 | H | D6DF72F055BF | H
[+] 002 | 011 | A0A1A2A3A4A5 | D | D6DF72F055BF | R
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 005 | 023 | 5C8FF9990DA2 | H | D01AFEEB890A | H
[+] 006 | 027 | 5C8FF9990DA2 | R | D01AFEEB890A | R
[+] 007 | 031 | 5C8FF9990DA2 | R | D01AFEEB890A | R
[+] 008 | 035 | 5C8FF9990DA2 | R | D01AFEEB890A | R
[+] 009 | 039 | 5C8FF9990DA2 | R | D01AFEEB890A | R
[+] 010 | 043 | 5C8FF9990DA2 | R | D01AFEEB890A | R
[+] 011 | 047 | 5C8FF9990DA2 | R | D01AFEEB890A | R
[+] 012 | 051 | 5C8FF9990DA2 | R | D01AFEEB890A | R
[+] 013 | 055 | 5C8FF9990DA2 | R | D01AFEEB890A | R
[+] 014 | 059 | 5C8FF9990DA2 | R | D01AFEEB890A | R
[+] 015 | 063 | 5C8FF9990DA2 | R | D01AFEEB890A | R
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[?] MAD key detected. Try `hf mf mad` for more details
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-B3B81864-key-6.bin
[=] FYI! --> 0xFFFFFFFFFFFF <-- has been inserted for unknown keys where res is 0
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY A, swapping to KEY B
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-B3B81864-dump-10.bin
[+] saved 64 blocks to text file hf-mf-B3B81864-dump-9.eml
[+] saved to json file hf-mf-B3B81864-dump-9.json
[=] autopwn execution time: 166 seconds
[usb] pm3 -->What is my next step to copy this Mifare card?
Offline
#6 2022-09-11 09:35:26
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: Next step in cloning Mifare mini
If you read the help texts for the commands you are running, you will find that it defaults to 1K cards...
Offline
#7 2022-09-11 18:16:31
- mbzadegan
- Contributor
- Registered: 2022-08-15
- Posts: 20
Re: Next step in cloning Mifare mini
iceman wrote:
If you read the help texts for the commands you are running, you will find that it defaults to 1K cards...
Aha!, Thank you so much for your reminder!
I run "hf mf autopwn --mini" and finally got these information without error.
[usb] pm3 --> hf mf autopwn --mini
[!] no known key was supplied, key recovery might fail
[+] loaded 42 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 1.2s | found 6/10 keys (42)
[=] running strategy 2
[=] Chunk 1.2s | found 6/10 keys (42)
[+] target sector 0 key type A -- found valid key [ A0A1A2A3A4A5 ] (used for nested / hardnested attack)
[+] target sector 2 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 768 million (2^29.5) keys/s | 140737488355328 | 2d
[=] 10 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
[=] 14 | 112 | Apply bit flip properties | 35840151552 | 47s
[=] 15 | 224 | Apply bit flip properties | 10151162880 | 13s
[=] 16 | 336 | Apply bit flip properties | 7335602688 | 10s
[=] 17 | 447 | Apply bit flip properties | 6678748160 | 9s
[=] 18 | 557 | Apply bit flip properties | 6678748160 | 9s
[=] 19 | 667 | Apply bit flip properties | 6678748160 | 9s
[=] 20 | 772 | Apply bit flip properties | 6394606080 | 8s
[=] 20 | 882 | Apply bit flip properties | 6394606080 | 8s
[=] 21 | 994 | Apply bit flip properties | 6394606080 | 8s
[=] 22 | 1103 | Apply bit flip properties | 6394606080 | 8s
[=] 22 | 1214 | Apply bit flip properties | 6394606080 | 8s
[=] 23 | 1325 | Apply bit flip properties | 6394606080 | 8s
[=] 24 | 1432 | Apply bit flip properties | 6394606080 | 8s
[=] 25 | 1541 | Apply bit flip properties | 6394606080 | 8s
[=] 26 | 1649 | Apply bit flip properties | 6394606080 | 8s
[=] 27 | 1756 | Apply bit flip properties | 6394606080 | 8s
[=] 28 | 1865 | Apply bit flip properties | 6394606080 | 8s
[=] 30 | 1976 | Apply Sum property. Sum(a0) = 128 | 282340928 | 0s
[=] 30 | 2085 | Apply bit flip properties | 282340928 | 0s
[=] 31 | 2195 | Apply bit flip properties | 282340928 | 0s
[=] 32 | 2305 | Apply bit flip properties | 282340928 | 0s
[=] 33 | 2305 | (Ignoring Sum(a8) properties) | 282340928 | 0s
[=] 34 | 2305 | Brute force phase completed. Key found: 0D258FE90296 | 0 | 0s
[+] target sector 0 key type B -- found valid key [ 0D258FE90296 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 909 million (2^29.8) keys/s | 140737488355328 | 2d
[=] 6 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
[=] 10 | 112 | Apply bit flip properties | 4011938545664 | 74min
[=] 11 | 223 | Apply bit flip properties | 2245112102912 | 41min
[=] 12 | 335 | Apply bit flip properties | 2161078960128 | 40min
[=] 13 | 447 | Apply bit flip properties | 2127205761024 | 39min
[=] 14 | 557 | Apply bit flip properties | 2127205761024 | 39min
[=] 15 | 668 | Apply bit flip properties | 2127205761024 | 39min
[=] 16 | 778 | Apply bit flip properties | 2127205761024 | 39min
[=] 16 | 889 | Apply bit flip properties | 2127205761024 | 39min
[=] 17 | 998 | Apply bit flip properties | 2127205761024 | 39min
[=] 18 | 1106 | Apply bit flip properties | 2127205761024 | 39min
[=] 19 | 1216 | Apply bit flip properties | 2127205761024 | 39min
[=] 20 | 1327 | Apply bit flip properties | 2127205761024 | 39min
[=] 20 | 1438 | Apply bit flip properties | 2127205761024 | 39min
[=] 23 | 1547 | Apply Sum property. Sum(a0) = 128 | 125849157632 | 2min
[=] 23 | 1654 | Apply bit flip properties | 125849157632 | 2min
[=] 24 | 1765 | Apply bit flip properties | 125849157632 | 2min
[=] 25 | 1875 | Apply bit flip properties | 85512159232 | 2min
[=] 26 | 1984 | Apply bit flip properties | 85512159232 | 2min
[=] 26 | 2093 | Apply bit flip properties | 37412089856 | 41s
[=] 27 | 2204 | Apply bit flip properties | 85512159232 | 2min
[=] 28 | 2313 | Apply bit flip properties | 85512159232 | 2min
[=] 29 | 2424 | Apply bit flip properties | 59237195776 | 65s
[=] 30 | 2531 | Apply bit flip properties | 59237195776 | 65s
[=] 31 | 2639 | Apply bit flip properties | 95621865472 | 2min
[=] 32 | 2746 | Apply bit flip properties | 95621865472 | 2min
[=] 33 | 2854 | Apply bit flip properties | 95621865472 | 2min
[=] 33 | 2963 | Apply bit flip properties | 95621865472 | 2min
[=] 34 | 2963 | (1. guess: Sum(a8) = 0) | 95621865472 | 2min
[=] 34 | 2963 | Apply Sum(a8) and all bytes bitflip properties | 95621865472 | 2min
[=] 34 | 2963 | (2. guess: Sum(a8) = 64) | 320054394880 | 6min
[=] 35 | 2963 | Apply Sum(a8) and all bytes bitflip properties | 293785108480 | 5min
[=] 36 | 2963 | Brute force phase completed. Key found: 25DB1D129004 | 0 | 0s
[+] target sector 1 key type A -- found valid key [ 25DB1D129004 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 821 million (2^29.6) keys/s | 140737488355328 | 2d
[=] 5 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
[=] 9 | 112 | Apply bit flip properties | 188968124416 | 4min
[=] 10 | 224 | Apply bit flip properties | 117209038848 | 2min
[=] 11 | 334 | Apply bit flip properties | 93525139456 | 2min
[=] 12 | 446 | Apply bit flip properties | 92831907840 | 2min
[=] 13 | 554 | Apply bit flip properties | 92831907840 | 2min
[=] 14 | 665 | Apply bit flip properties | 92831907840 | 2min
[=] 14 | 775 | Apply bit flip properties | 91839938560 | 2min
[=] 15 | 885 | Apply bit flip properties | 91839938560 | 2min
[=] 16 | 996 | Apply bit flip properties | 91839938560 | 2min
[=] 17 | 1107 | Apply bit flip properties | 91839938560 | 2min
[=] 18 | 1219 | Apply bit flip properties | 91839938560 | 2min
[=] 18 | 1330 | Apply bit flip properties | 91839938560 | 2min
[=] 19 | 1440 | Apply bit flip properties | 91839938560 | 2min
[=] 20 | 1551 | Apply bit flip properties | 91839938560 | 2min
[=] 21 | 1660 | Apply bit flip properties | 91839938560 | 2min
[=] 22 | 1771 | Apply bit flip properties | 91839938560 | 2min
[=] 24 | 1881 | Apply Sum property. Sum(a0) = 64 | 858644160 | 1s
[=] 24 | 1991 | Apply bit flip properties | 858644160 | 1s
[=] 25 | 2097 | Apply bit flip properties | 858644160 | 1s
[=] 26 | 2206 | Apply bit flip properties | 807506176 | 1s
[=] 27 | 2206 | (1. guess: Sum(a8) = 256) | 807506176 | 1s
[=] 27 | 2206 | Apply Sum(a8) and all bytes bitflip properties | 172694864 | 0s
[=] 27 | 2206 | Brute force phase completed. Key found: D6DF72F055BF | 0 | 0s
[+] target sector 1 key type B -- found valid key [ D6DF72F055BF ]
[+] target sector 2 key type B -- found valid key [ D6DF72F055BF ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | D | 0D258FE90296 | H
[+] 001 | 007 | 25DB1D129004 | H | D6DF72F055BF | H
[+] 002 | 011 | A0A1A2A3A4A5 | D | D6DF72F055BF | R
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[?] MAD key detected. Try `hf mf mad` for more details
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-B3B81864-key-7.bin
[=] FYI! --> 0xFFFFFFFFFFFF <-- has been inserted for unknown keys where res is 0
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[=] downloading the card content from emulator memory
[+] saved 320 bytes to binary file hf-mf-B3B81864-dump-11.bin
[+] saved 20 blocks to text file hf-mf-B3B81864-dump-10.eml
[+] saved to json file hf-mf-B3B81864-dump-10.json
[=] autopwn execution time: 103 secondsAfter that I run "[usb] pm3 --> hf mf restore --mini --uid B3B81864 -k hf-mf-B3B81864-key-7.bin -f hf-mf-B3B81864-dump-11.bin"
But, I got these errors!!
[usb] pm3 --> hf mf restore --mini --uid B3B81864 -k hf-mf-B3B81864-key-7.bin -f hf-mf-B3B81864-dump-11.bin
[+] loaded 320 bytes from binary file hf-mf-B3B81864-dump-11.bin
[=] Restoring hf-mf-B3B81864-dump-11.bin to card
[=] block 0: B3 B8 18 64 77 89 04 00 C8 46 00 20 00 00 00 15
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 1: 6F 01 51 90 51 90 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 3: A0 A1 A2 A3 A4 A5 78 77 88 C1 0D 25 8F E9 02 96
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 4: 45 32 31 75 5B 37 48 CA 15 B6 9B 6A C3 93 DC 32
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 5: 4C 00 1B DA 25 EF 90 B1 B0 27 29 27 8B EC EB 5E
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 6: F8 66 BD C6 4E 3A A9 53 F1 74 16 DB BE ED 6F 06
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 7: 25 DB 1D 12 90 04 78 77 88 01 D6 DF 72 F0 55 BF
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 11: A0 A1 A2 A3 A4 A5 78 77 88 05 D6 DF 72 F0 55 BF
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 15: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 17: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 19: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] Done!
[usb] pm3 --> So, what should I do in my second step?
Thanks again for your help.
Offline
#8 2022-09-11 20:41:11
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: Next step in cloning Mifare mini
... was the target card blank? Since you instructed the client to use a key file
Offline
Pages: 1