Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2023-10-13 19:50:11

Dose13
Contributor
Registered: 2019-09-26
Posts: 29

hf mf autopwn finds wrong keys

Good evening,

I have a Mifare Classic 1K card:

[usb] pm3 --> hf search
 ?  Searching for ISO14443-A tag...          
[+]  UID: 14 0E 66 5F 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=] 
[=] --- Tag Signature
[=]  IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 577669211292C6A487A5E85502FAA97163F541AE87A21FE083B243662B82AC6C
[+]        Signature verification: successful
[?] Hint: try `hf mf` commands

[+] Valid ISO 14443-A tag found

running the hf mf autopwn results in the following output:

[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[=] target sector  17 key type B -- using valid key [ 4B791BEA7BCC ] (used for nested / hardnested attack)
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 1,5s | found 34/36 keys (56)
[=] running strategy 2
[=] Chunk 1,3s | found 34/36 keys (56)
[+] target sector   0 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector   1 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector  16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector  17 key type A -- found valid key [ 75CCB59C9BED ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 8 threads and AVX512F SIMD core             |                 |
[=]        0 |       0 | Brute force benchmark: 2000 million (2^30,9) keys/s     | 140737488355328 |   20h
[=]        0 |       0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 151 ms                | 140737488355328 |   20h
[=]        0 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   20h
[=]        3 |     112 | Apply bit flip properties                               |     25885241344 |   13s
[=]        4 |     224 | Apply bit flip properties                               |      2556349696 |    1s
[=]        5 |     335 | Apply bit flip properties                               |      1396081024 |    1s
[=]        6 |     447 | Apply bit flip properties                               |      1180857600 |    1s
[=]        7 |     559 | Apply bit flip properties                               |      1180857600 |    1s
[=]        8 |     669 | Apply bit flip properties                               |      1180857600 |    1s
[=]        8 |     781 | Apply bit flip properties                               |      1180857600 |    1s
[=]        9 |     893 | Apply bit flip properties                               |      1180857600 |    1s
[=]       10 |    1005 | Apply bit flip properties                               |      1180857600 |    1s
[=]       10 |    1116 | Apply bit flip properties                               |      1180857600 |    1s
[=]       11 |    1227 | Apply bit flip properties                               |      1180857600 |    1s
[=]       12 |    1336 | Apply bit flip properties                               |      1180857600 |    1s
[=]       13 |    1444 | Apply bit flip properties                               |      1180857600 |    1s
[=]       14 |    1549 | Apply bit flip properties                               |      1180857600 |    1s
[=]       15 |    1660 | Apply bit flip properties                               |      1180857600 |    1s
[=]       16 |    1768 | Apply Sum property. Sum(a0) = 144                       |        41649300 |    0s
[=]       16 |    1768 | (Ignoring Sum(a8) properties)                           |        41649300 |    0s
[=]       17 |    1768 | Brute force phase completed.  Key found: 8627C10A7014   |               0 |    0s
[+] target sector   0 key type B -- found valid key [ 8627C10A7014 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 8 threads and AVX512F SIMD core             |                 |
[=]        0 |       0 | Brute force benchmark: 1946 million (2^30,9) keys/s     | 140737488355328 |   20h
[=]        0 |       0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 159 ms                | 140737488355328 |   20h
[=]        0 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   20h
[=]        3 |     112 | Apply bit flip properties                               |   9824572014592 | 84min
[=]        4 |     224 | Apply bit flip properties                               |   8600731779072 | 74min
[=]        5 |     336 | Apply bit flip properties                               |   8389646090240 | 72min
[=]        6 |     447 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        6 |     558 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        7 |     669 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        8 |     780 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        9 |     891 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        9 |    1001 | Apply bit flip properties                               |   8378623459328 | 72min
[=]       10 |    1112 | Apply bit flip properties                               |   8378623459328 | 72min
[=]       12 |    1221 | Apply Sum property. Sum(a0) = 0                         |    740766121984 |  6min
[=]       12 |    1331 | Apply bit flip properties                               |    740766121984 |  6min
[=]       13 |    1441 | Apply bit flip properties                               |    613979586560 |  5min
[=]       14 |    1550 | Apply bit flip properties                               |    613979586560 |  5min
[=]       14 |    1659 | Apply bit flip properties                               |    332301336576 |  3min
[=]       15 |    1768 | Apply bit flip properties                               |    332301336576 |  3min
[=]       16 |    1878 | Apply bit flip properties                               |    332301336576 |  3min
[=]       17 |    1990 | Apply bit flip properties                               |    369056808960 |  3min
[=]       18 |    2098 | Apply bit flip properties                               |    172788613120 |   89s
[=]       19 |    2206 | Apply bit flip properties                               |    324740481024 |  3min
[=]       20 |    2314 | Apply bit flip properties                               |    324740481024 |  3min
[=]       20 |    2420 | Apply bit flip properties                               |    324740481024 |  3min
[=]       21 |    2529 | Apply bit flip properties                               |    324740481024 |  3min
[=]       22 |    2529 | (1. guess: Sum(a8) = 256)                               |    324740481024 |  3min
[=]       22 |    2529 | Apply Sum(a8) and all bytes bitflip properties          |    298232905728 |  3min
[=]       22 |    2529 | Brute force phase completed.  Key found: 00008627C10A   |               0 |    0s
[+] target sector   1 key type B -- found valid key [ 00008627C10A ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | A0A1A2A3A4A5 | D | 8627C10A7014 | H
[+]  001 | 007 | A0A1A2A3A4A5 | D | 00008627C10A | H
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  016 | 067 | 5C8FF9990DA2 | D | D01AFEEB890A | D
[+]  017 | 071 | 75CCB59C9BED | D | 4B791BEA7BCC | U
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )
[?] MAD key detected. Try `hf mf mad` for more details


[+] Generating binary key file
[+] Found keys have been dumped to /home/dose/hf-mf-140E665F-key.bin
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[#] Block   4 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  1 block  0
[#] Block   5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   7 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   7 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY A,  swapping to KEY B
[#] Block   8 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  2 block  0
[#] Block   9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  12 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  3 block  0
[#] Block  13 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  13 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  14 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  14 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  15 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  15 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  16 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  4 block  0
[#] Block  17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  20 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  5 block  0
[#] Block  21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  24 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  6 block  0
[#] Block  25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  28 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  7 block  0
[#] Block  29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  32 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  8 block  0
[#] Block  33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  36 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  9 block  0
[#] Block  37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  40 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 10 block  0
[#] Block  41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  44 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 11 block  0
[#] Block  45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  48 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 12 block  0
[#] Block  49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  52 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 13 block  0
[#] Block  53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  56 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 14 block  0
[#] Block  57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  60 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 15 block  0
[#] Block  61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  63 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  63 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY B
[-] ⛔ Dump file is PARTIAL complete
[=] downloading card content from emulator memory
[+] saved 1024 bytes to binary file /home/dose/hf-mf-140E665F-dump.bin
[+] saved to json file /home/dose/hf-mf-140E665F-dump.json
[=] autopwn execution time: 49 seconds

hf mf nack fails:

[usb] pm3 --> hf mf nack
[=] Checking for NACK bug
[=] ....
[!] ⚠️  detection failed

hf mf mad:

[usb] pm3 --> hf mf mad
[=] Authentication ( ok )
[#] Auth error


[=] --- MIFARE App Directory Information ----------------
[=] -----------------------------------------------------

[=] ------------ MAD v1 details -------------
[!] ⚠️  Card publisher not present 0x00

[=] ---------------- Listing ----------------
[=]  00 MAD v1
[=]  01 [2EC0] (unknown)
[=]  02 [0000] free
[=]  03 [0000] free
[=]  04 [0000] free
[=]  05 [0000] free
[=]  06 [0000] free
[=]  07 [0000] free
[=]  08 [0000] free
[=]  09 [0000] free
[=]  10 [0000] free
[=]  11 [0000] free
[=]  12 [0000] free
[=]  13 [0000] free
[=]  14 [0000] free
[=]  15 [0000] free

When trying to access block 4 with the password found by "hf mf autopwn" I am receiving also an error message

[usb] pm3 --> hf mf rdbl --blk 4 -k ffffffffffff
[#] Auth error

I then ran the hf mf hardnested and I was receiving the following sector key:

[usb] pm3 --> hf mf rdbl --blk 4 -k ffffffffffff
[#] Auth error

[usb] pm3 --> hf mf hardnested --blk 0 -a -k a0a1a2a3a4a5 --tblk 4 --tb
[=] Target block no   4, target key type: B, known target key: 000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 8 threads and AVX512F SIMD core             |                 |
[=]        0 |       0 | Brute force benchmark: 1858 million (2^30,8) keys/s     | 140737488355328 |   21h
[=]        0 |       0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 151 ms                | 140737488355328 |   21h
[=]        0 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   21h
[=]        3 |     112 | Apply bit flip properties                               |  10365789274112 |    2h
[=]        4 |     224 | Apply bit flip properties                               |   8683303993344 | 78min
[=]        5 |     335 | Apply bit flip properties                               |   8449560674304 | 76min
[=]        6 |     447 | Apply bit flip properties                               |   8378623459328 | 75min
[=]        7 |     558 | Apply bit flip properties                               |   8378623459328 | 75min
[=]        7 |     668 | Apply bit flip properties                               |   8378623459328 | 75min
[=]        8 |     778 | Apply bit flip properties                               |   8378623459328 | 75min
[=]        8 |     887 | Apply bit flip properties                               |   8378623459328 | 75min
[=]        9 |     999 | Apply bit flip properties                               |   8378623459328 | 75min
[=]       10 |    1110 | Apply bit flip properties                               |   8378623459328 | 75min
[=]       11 |    1221 | Apply bit flip properties                               |   8378623459328 | 75min
[=]       12 |    1330 | Apply bit flip properties                               |   8378623459328 | 75min
[=]       13 |    1442 | Apply bit flip properties                               |   8378623459328 | 75min
[=]       14 |    1553 | Apply Sum property. Sum(a0) = 0                         |    452560977920 |  4min
[=]       14 |    1661 | Apply bit flip properties                               |    452560977920 |  4min
[=]       15 |    1772 | Apply bit flip properties                               |    252655468544 |  2min
[=]       16 |    1881 | Apply bit flip properties                               |    252655468544 |  2min
[=]       17 |    1988 | Apply bit flip properties                               |    238848901120 |  2min
[=]       18 |    2099 | Apply bit flip properties                               |    238848901120 |  2min
[=]       19 |    2208 | Apply bit flip properties                               |    238848901120 |  2min
[=]       20 |    2318 | Apply bit flip properties                               |    238848901120 |  2min
[=]       20 |    2318 | (1. guess: Sum(a8) = 256)                               |    238848901120 |  2min
[=]       21 |    2318 | Apply Sum(a8) and all bytes bitflip properties          |    212369932288 |  2min
[=]       21 |    2318 | Brute force phase completed.  Key found: 00008627C10A   |               0 |    0s

With "KEY B" I can access the sector:

[usb] pm3 --> hf mf rdbl --blk 4 -v -b -k 00008627c10a

[=]   # | sector 01 / 0x01                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   4 | 0D 4C 00 00 06 00 00 00 00 00 00 00 00 FF FF FF | .L.............. 

I then tried to get "KEY A" with the hardnested attack but this one fails:

[usb] pm3 --> hf mf hardnested --blk 0 -a -k a0a1a2a3a4a5 --tblk 4 --ta
[=] Target block no   4, target key type: A, known target key: 000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 8 threads and AVX512F SIMD core             |                 |
[=]        0 |       0 | Brute force benchmark: 1986 million (2^30,9) keys/s     | 140737488355328 |   20h
[=]        0 |       0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 72 ms                 | 140737488355328 |   20h
[=]        0 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   20h
[=]        3 |     112 | Apply bit flip properties                               |    156684779520 |   79s
[=]        4 |     223 | Apply bit flip properties                               |     21349662720 |   11s
[=]        5 |     335 | Apply bit flip properties                               |      4731800576 |    2s
[=]        5 |     445 | Apply bit flip properties                               |      1430008960 |    1s
[=]        6 |     556 | Apply bit flip properties                               |      1247843200 |    1s
[=]        7 |     666 | Apply bit flip properties                               |      1247843200 |    1s
[=]        7 |     776 | Apply bit flip properties                               |      1247843200 |    1s
[=]        8 |     886 | Apply bit flip properties                               |      1247843200 |    1s
[=]        9 |     996 | Apply bit flip properties                               |      1247843200 |    1s
[=]       10 |    1107 | Apply bit flip properties                               |      1247843200 |    1s
[=]       11 |    1218 | Apply bit flip properties                               |      1247843200 |    1s
[=]       11 |    1328 | Apply bit flip properties                               |      1247843200 |    1s
[=]       12 |    1436 | Apply bit flip properties                               |      1247843200 |    1s
[=]       14 |    1546 | Apply Sum property. Sum(a0) = 120                       |       248405696 |    0s
[=]       14 |    1546 | (Ignoring Sum(a8) properties)                           |       248405696 |    0s

[-] ⛔ Failed to recover a key

At first I thought that this one is related to this github report: https://github.com/RfidResearchGroup/pr … issues/960 but honestly I am not too sure.

My questions are:

- why does hf mf autopwn find different keys then the hardnested attack?
- why is it not possible to derive "KEY A" for some blocks with the sector 0 key?
- any ideas on what is needed to dump the entire file?

Thank's in advance!

Offline

#2 2023-10-13 22:36:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,523
Website

Re: hf mf autopwn finds wrong keys

try some distance between tag and antenna.  You get too much communications errors.

Offline

#3 2023-10-14 09:22:17

Dose13
Contributor
Registered: 2019-09-26
Posts: 29

Re: hf mf autopwn finds wrong keys

I am quite sure that it is not distance related since it worked on other sectors. However, I found that this is a Mifare Classic 1k EV1 card. Not sure if the problem is related to that.

Offline

#4 2023-10-14 09:45:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,523
Website

Re: hf mf autopwn finds wrong keys

ok,  you know best

Offline

Board footer

Powered by FluxBB