Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Hello,
as far as I understand I have a Mifare plus card.
[usb] pm3 --> hf 14a info
[+] UID: 14 0E 66 5F
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 577669211292C6A487A5E85502FAA97163F541AE87A21FE083B243662B82AC6C
[+] Signature verification: successful
[?] Hint: try `hf mf` commands
Running hf mfp info results in:
[usb] pm3 --> hf mfp info
[=] --- Tag Information ---------------------------
[!!] ? No card response.
[+] UID: 14 0E 66 5F
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 577669211292C6A487A5E85502FAA97163F541AE87A21FE083B243662B82AC6C
[+] Signature verification: successful
[?] Hint: try `hf mf` commands
[!!] ? No card response.
[=] --- Fingerprint
[=] SIZE: 2K (4 UID)
[=] SAK: 2K 7b UID
[=] --- Security Level (SL)
[+] SL mode: SL1
[=] SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication
As far as I understand this is a mifare plus tag that operates as a normal mfc tag but has a size of 2k and 18 Sectors.
[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[=] target sector 17 key type B -- using valid key [ 4B791BEA7BCC ] (used for nested / hardnested attack)
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 1,5s | found 34/36 keys (56)
[=] running strategy 2
[=] Chunk 1,3s | found 34/36 keys (56)
[+] target sector 0 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 1 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector 16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector 17 key type A -- found valid key [ 75CCB59C9BED ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX512F SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1895 million (2^30,8) keys/s | 140737488355328 | 21h
[=] 0 | 0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 439 ms | 140737488355328 | 21h
[=] 0 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 21h
[=] 3 | 112 | Apply bit flip properties | 9641922560 | 5s
[=] 4 | 224 | Apply bit flip properties | 1575305472 | 1s
[=] 5 | 335 | Apply bit flip properties | 1575305472 | 1s
[=] 6 | 447 | Apply bit flip properties | 1219019136 | 1s
[=] 7 | 559 | Apply bit flip properties | 1180857600 | 1s
[=] 8 | 668 | Apply bit flip properties | 1180857600 | 1s
[=] 8 | 780 | Apply bit flip properties | 1180857600 | 1s
[=] 9 | 890 | Apply bit flip properties | 1180857600 | 1s
[=] 10 | 1001 | Apply bit flip properties | 1180857600 | 1s
[=] 11 | 1113 | Apply bit flip properties | 1180857600 | 1s
[=] 11 | 1223 | Apply bit flip properties | 1180857600 | 1s
[=] 12 | 1334 | Apply bit flip properties | 1180857600 | 1s
[=] 13 | 1446 | Apply bit flip properties | 1180857600 | 1s
[=] 15 | 1556 | Apply Sum property. Sum(a0) = 144 | 66832920 | 0s
[=] 15 | 1556 | (Ignoring Sum(a8) properties) | 66832920 | 0s
[=] 15 | 1556 | Brute force phase completed. Key found: 8627C10A7014 | 0 | 0s
[+] target sector 0 key type B -- found valid key [ 8627C10A7014 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX512F SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1933 million (2^30,8) keys/s | 140737488355328 | 20h
[=] 0 | 0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 170 ms | 140737488355328 | 20h
[=] 0 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 20h
[=] 3 | 112 | Apply bit flip properties | 9829748834304 | 85min
[=] 4 | 224 | Apply bit flip properties | 8543757402112 | 74min
[=] 5 | 334 | Apply bit flip properties | 8378623459328 | 72min
[=] 5 | 446 | Apply bit flip properties | 8378623459328 | 72min
[=] 6 | 558 | Apply bit flip properties | 8378623459328 | 72min
[=] 7 | 670 | Apply bit flip properties | 8378623459328 | 72min
[=] 8 | 780 | Apply bit flip properties | 8378623459328 | 72min
[=] 8 | 891 | Apply bit flip properties | 8378623459328 | 72min
[=] 9 | 1003 | Apply bit flip properties | 8378623459328 | 72min
[=] 10 | 1115 | Apply bit flip properties | 8378623459328 | 72min
[=] 11 | 1225 | Apply bit flip properties | 8378623459328 | 72min
[=] 12 | 1335 | Apply bit flip properties | 8378623459328 | 72min
[=] 13 | 1446 | Apply bit flip properties | 8378623459328 | 72min
[=] 13 | 1558 | Apply bit flip properties | 8378623459328 | 72min
[=] 15 | 1668 | Apply Sum property. Sum(a0) = 0 | 238813396992 | 2min
[=] 15 | 1775 | Apply bit flip properties | 238813396992 | 2min
[=] 16 | 1883 | Apply bit flip properties | 238813396992 | 2min
[=] 17 | 1994 | Apply bit flip properties | 101187551232 | 52s
[=] 18 | 2105 | Apply bit flip properties | 101187551232 | 52s
[=] 19 | 2211 | Apply bit flip properties | 101187551232 | 52s
[=] 20 | 2322 | Apply bit flip properties | 69676859392 | 36s
[=] 20 | 2430 | Apply bit flip properties | 69676859392 | 36s
[=] 21 | 2536 | Apply bit flip properties | 101185060864 | 52s
[=] 22 | 2536 | (1. guess: Sum(a8) = 256) | 101185060864 | 52s
[=] 22 | 2536 | Apply Sum(a8) and all bytes bitflip properties | 74706272256 | 39s
[=] 22 | 2536 | Brute force phase completed. Key found: 00008627C10A | 0 | 0s
[+] target sector 1 key type B -- found valid key [ 00008627C10A ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | D | 8627C10A7014 | H
[+] 001 | 007 | A0A1A2A3A4A5 | D | 00008627C10A | H
[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 016 | 067 | 5C8FF9990DA2 | D | D01AFEEB890A | D
[+] 017 | 071 | 75CCB59C9BED | D | 4B791BEA7BCC | U
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[?] MAD key detected. Try `hf mf mad` for more details
It seems that all keys were found, however the dump fails to an error and therefore only a partial dump is created.
[+] Generating binary key file
[+] Found keys have been dumped to /home/dose/hf-mf-140E665F-key-001.bin
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[#] Block 4 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 1 block 0
[#] Block 5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 7 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 7 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY A, swapping to KEY B
[#] Block 8 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 2 block 0
[#] Block 9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 12 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 3 block 0
[#] Block 13 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 13 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 14 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 14 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 15 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 15 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 16 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 4 block 0
[#] Block 17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 20 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 5 block 0
[#] Block 21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 24 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 6 block 0
[#] Block 25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 28 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 7 block 0
[#] Block 29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 32 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 8 block 0
[#] Block 33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 36 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 9 block 0
[#] Block 37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 40 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 10 block 0
[#] Block 41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 44 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 11 block 0
[#] Block 45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 48 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 12 block 0
[#] Block 49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 52 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 13 block 0
[#] Block 53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 56 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 14 block 0
[#] Block 57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 60 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 15 block 0
[#] Block 61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 63 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 63 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY B
[-] ⛔ Dump file is PARTIAL complete
[=] downloading card content from emulator memory
[+] saved 1024 bytes to binary file /home/dose/hf-mf-140E665F-dump-001.bin
[+] saved to json file /home/dose/hf-mf-140E665F-dump-001.json
[=] autopwn execution time: 48 seconds
For completeness hf mf mad results in:
[usb] pm3 --> hf mf mad
[=] Authentication ( ok )
[#] Auth error
[=] --- MIFARE App Directory Information ----------------
[=] -----------------------------------------------------
[=] ------------ MAD v1 details -------------
[!] ⚠️ Card publisher not present 0x00
[=] ---------------- Listing ----------------
[=] 00 MAD v1
[=] 01 [2EC0] (unknown)
[=] 02 [0000] free
[=] 03 [0000] free
[=] 04 [0000] free
[=] 05 [0000] free
[=] 06 [0000] free
[=] 07 [0000] free
[=] 08 [0000] free
[=] 09 [0000] free
[=] 10 [0000] free
[=] 11 [0000] free
[=] 12 [0000] free
[=] 13 [0000] free
[=] 14 [0000] free
[=] 15 [0000] free
Any ideas how I can get a full dump of the card?
Thank's in advance!
Last edited by Dose13 (2023-10-29 19:58:45)
Running the hf mf eview --2k command results in the following:
[usb] pm3 --> hf mf eview --2k
[=] downloading emulator memory
[=] -----+-----+-------------------------------------------------+-----------------
[=] sec | blk | data | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=] 0 | 0 | 14 0E 66 5F 23 88 04 00 C8 24 00 20 00 00 00 20 | ..f_#....$. ...
[=] | 1 | EA 00 C0 2E 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 3 | A0 A1 A2 A3 A4 A5 78 77 88 C1 86 27 C1 0A 70 14 | ......xw...'..p.
[=] 1 | 4 | 0D 4C 00 00 06 00 00 00 00 00 00 00 00 FF FF FF | .L..............
[=] | 5 | 00 00 00 00 80 FF FF 38 00 00 00 00 00 00 00 00 | .......8........
[=] | 6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 7 | A0 A1 A2 A3 A4 A5 0F 00 FF AA 00 00 86 27 C1 0A | .............'..
[=] 2 | 8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 3 | 12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 4 | 16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 5 | 20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 6 | 24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 7 | 28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 8 | 32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 9 | 36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 10 | 40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 11 | 44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 12 | 48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 13 | 52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 14 | 56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 15 | 60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 16 | 64 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 65 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 66 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 67 | 5C 8F F9 99 0D A2 70 F0 F8 69 D0 1A FE EB 89 0A | \.....p..i......
[=] 17 | 68 | 48 31 43 4D 38 36 17 24 20 54 29 00 00 00 00 00 | H1CM86.$ T).....
[=] | 69 | 57 76 69 21 12 92 C6 A4 87 A5 E8 55 02 FA A9 71 | Wvi!.......U...q
[=] | 70 | 63 F5 41 AE 87 A2 1F E0 83 B2 43 66 2B 82 AC 6C | c.A.......Cf+..l
[=] | 71 | 75 CC B5 9C 9B ED 70 F0 F8 69 4B 79 1B EA 7B CC | u.....p..iKy..{.
[=] 18 | 72 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 73 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 74 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 75 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 19 | 76 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 77 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 78 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 79 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 20 | 80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 81 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 82 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 83 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 21 | 84 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 85 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 86 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 87 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 22 | 88 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 89 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 91 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 23 | 92 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 93 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 94 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 95 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 24 | 96 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 97 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 98 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 99 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 25 | 100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 101 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 102 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 103 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 26 | 104 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 105 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 106 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 107 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 27 | 108 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 109 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 111 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 28 | 112 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 113 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 114 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 115 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 29 | 116 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 117 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 118 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 119 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 30 | 120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 121 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 122 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 123 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 31 | 124 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 125 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 126 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 127 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] -----+-----+-------------------------------------------------+-----------------
[?] cyan = value block with decoded value
[?] MAD key detected. Try `hf mf mad` for more details
I wonder if this is the entire dump?
When looking at the emulator view it seems that sector 17 contains all the information. I am able to read block 68:
[usb] pm3 --> hf mf rdbl --blk 68 -b -k 4b791bea7bcc
[=] # | sector 17 / 0x11 | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 68 | 48 31 43 4D 38 36 17 24 20 54 29 00 00 00 00 00 | H1CM86.$ T).....
However it is not possible to read the content with key A:
[usb] pm3 --> hf mf rdbl --blk 68 -k 75ccb59c9bed
[#] Block 68 Cmd 0x30 Cmd Error 04
[#] Read block error
It is also not possible to write to that block, neither with key A nor key B:
[usb] pm3 --> hf mf wrbl -b --blk 68 -k 4b791bea7bcc -d 48315355373803252127990000000000
[=] Writing block no 68, key B - 4B791BEA7BCC
[=] data: 48 31 53 55 37 38 03 25 21 27 99 00 00 00 00 00
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -a ...` instead
[usb] pm3 --> hf mf wrbl -a --blk 68 -k 75ccb59c9bed -d 48315355373803252127990000000000
[=] Writing block no 68, key A - 75CCB59C9BED
[=] data: 48 31 53 55 37 38 03 25 21 27 99 00 00 00 00 00
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -b ...` instead
Any ideas?
The output did not ring a bell. ...
[usb] pm3 --> hf 14a info
[+] UID: 14 0E 66 5F
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 577669211292C6A487A5E85502FAA97163F541AE87A21FE083B243662B82AC6C
[+] Signature verification: successful
[?] Hint: try `hf mf` commands
Still not sure. I read in the datasheet that mfp should follow the iso14443-4 protocol. The pm3 output states that it is a non proprietary iso14443-4 card.
The ISO/IEC 14443-4 Protocol (also known as T=CL) is used in many processor cards.
This protocol is used for the MIFARE Plus with the following security levels: ...
If this means that it does not follow the mfp or mfc datasheet that might be the issue. Was this the hint that you wanted to give me?