Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

  • Logged in as ikarus
  • Last visit: Today 11:22:42

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

Post reply

#1 2023-10-29 19:55:33

Dose13
Contributor
Registered: 2019-09-26
Posts: 29

Mifare plus - dump fails?

Hello,

as far as I understand I have a Mifare plus card.

[usb] pm3 --> hf 14a info

[+]  UID: 14 0E 66 5F 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=] 
[=] --- Tag Signature
[=]  IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 577669211292C6A487A5E85502FAA97163F541AE87A21FE083B243662B82AC6C
[+]        Signature verification: successful
[?] Hint: try `hf mf` commands

Running hf mfp info results in:

[usb] pm3 --> hf mfp info

[=] --- Tag Information ---------------------------
[!!] ? No card response.

[+]  UID: 14 0E 66 5F 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=] 
[=] --- Tag Signature
[=]  IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 577669211292C6A487A5E85502FAA97163F541AE87A21FE083B243662B82AC6C
[+]        Signature verification: successful
[?] Hint: try `hf mf` commands

[!!] ? No card response.
[=] --- Fingerprint
[=]           SIZE: 2K (4 UID)
[=]             SAK: 2K 7b UID
[=] --- Security Level (SL)
[+]        SL mode: SL1
[=]   SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication

As far as I understand this is a mifare plus tag that operates as a normal mfc tag but has a size of 2k and 18 Sectors. 

[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[=] target sector  17 key type B -- using valid key [ 4B791BEA7BCC ] (used for nested / hardnested attack)
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 1,5s | found 34/36 keys (56)
[=] running strategy 2
[=] Chunk 1,3s | found 34/36 keys (56)
[+] target sector   0 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector   1 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector  16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector  17 key type A -- found valid key [ 75CCB59C9BED ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 8 threads and AVX512F SIMD core             |                 |
[=]        0 |       0 | Brute force benchmark: 1895 million (2^30,8) keys/s     | 140737488355328 |   21h
[=]        0 |       0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 439 ms                | 140737488355328 |   21h
[=]        0 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   21h
[=]        3 |     112 | Apply bit flip properties                               |      9641922560 |    5s
[=]        4 |     224 | Apply bit flip properties                               |      1575305472 |    1s
[=]        5 |     335 | Apply bit flip properties                               |      1575305472 |    1s
[=]        6 |     447 | Apply bit flip properties                               |      1219019136 |    1s
[=]        7 |     559 | Apply bit flip properties                               |      1180857600 |    1s
[=]        8 |     668 | Apply bit flip properties                               |      1180857600 |    1s
[=]        8 |     780 | Apply bit flip properties                               |      1180857600 |    1s
[=]        9 |     890 | Apply bit flip properties                               |      1180857600 |    1s
[=]       10 |    1001 | Apply bit flip properties                               |      1180857600 |    1s
[=]       11 |    1113 | Apply bit flip properties                               |      1180857600 |    1s
[=]       11 |    1223 | Apply bit flip properties                               |      1180857600 |    1s
[=]       12 |    1334 | Apply bit flip properties                               |      1180857600 |    1s
[=]       13 |    1446 | Apply bit flip properties                               |      1180857600 |    1s
[=]       15 |    1556 | Apply Sum property. Sum(a0) = 144                       |        66832920 |    0s
[=]       15 |    1556 | (Ignoring Sum(a8) properties)                           |        66832920 |    0s
[=]       15 |    1556 | Brute force phase completed.  Key found: 8627C10A7014   |               0 |    0s
[+] target sector   0 key type B -- found valid key [ 8627C10A7014 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 8 threads and AVX512F SIMD core             |                 |
[=]        0 |       0 | Brute force benchmark: 1933 million (2^30,8) keys/s     | 140737488355328 |   20h
[=]        0 |       0 | Loaded 351 RAW / 0 LZ4 / 0 BZ2 in 170 ms                | 140737488355328 |   20h
[=]        0 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   20h
[=]        3 |     112 | Apply bit flip properties                               |   9829748834304 | 85min
[=]        4 |     224 | Apply bit flip properties                               |   8543757402112 | 74min
[=]        5 |     334 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        5 |     446 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        6 |     558 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        7 |     670 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        8 |     780 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        8 |     891 | Apply bit flip properties                               |   8378623459328 | 72min
[=]        9 |    1003 | Apply bit flip properties                               |   8378623459328 | 72min
[=]       10 |    1115 | Apply bit flip properties                               |   8378623459328 | 72min
[=]       11 |    1225 | Apply bit flip properties                               |   8378623459328 | 72min
[=]       12 |    1335 | Apply bit flip properties                               |   8378623459328 | 72min
[=]       13 |    1446 | Apply bit flip properties                               |   8378623459328 | 72min
[=]       13 |    1558 | Apply bit flip properties                               |   8378623459328 | 72min
[=]       15 |    1668 | Apply Sum property. Sum(a0) = 0                         |    238813396992 |  2min
[=]       15 |    1775 | Apply bit flip properties                               |    238813396992 |  2min
[=]       16 |    1883 | Apply bit flip properties                               |    238813396992 |  2min
[=]       17 |    1994 | Apply bit flip properties                               |    101187551232 |   52s
[=]       18 |    2105 | Apply bit flip properties                               |    101187551232 |   52s
[=]       19 |    2211 | Apply bit flip properties                               |    101187551232 |   52s
[=]       20 |    2322 | Apply bit flip properties                               |     69676859392 |   36s
[=]       20 |    2430 | Apply bit flip properties                               |     69676859392 |   36s
[=]       21 |    2536 | Apply bit flip properties                               |    101185060864 |   52s
[=]       22 |    2536 | (1. guess: Sum(a8) = 256)                               |    101185060864 |   52s
[=]       22 |    2536 | Apply Sum(a8) and all bytes bitflip properties          |     74706272256 |   39s
[=]       22 |    2536 | Brute force phase completed.  Key found: 00008627C10A   |               0 |    0s
[+] target sector   1 key type B -- found valid key [ 00008627C10A ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | A0A1A2A3A4A5 | D | 8627C10A7014 | H
[+]  001 | 007 | A0A1A2A3A4A5 | D | 00008627C10A | H
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  016 | 067 | 5C8FF9990DA2 | D | D01AFEEB890A | D
[+]  017 | 071 | 75CCB59C9BED | D | 4B791BEA7BCC | U
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )
[?] MAD key detected. Try `hf mf mad` for more details

It seems that all keys were found, however the dump fails to an error and therefore only a partial dump is created.

[+] Generating binary key file
[+] Found keys have been dumped to /home/dose/hf-mf-140E665F-key-001.bin
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[#] Block   4 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  1 block  0
[#] Block   5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   7 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   7 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY A,  swapping to KEY B
[#] Block   8 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  2 block  0
[#] Block   9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  12 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  3 block  0
[#] Block  13 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  13 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  14 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  14 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  15 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  15 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  16 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  4 block  0
[#] Block  17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  20 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  5 block  0
[#] Block  21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  24 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  6 block  0
[#] Block  25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  28 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  7 block  0
[#] Block  29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  32 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  8 block  0
[#] Block  33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  36 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  9 block  0
[#] Block  37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  40 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 10 block  0
[#] Block  41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  44 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 11 block  0
[#] Block  45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  48 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 12 block  0
[#] Block  49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  52 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 13 block  0
[#] Block  53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  56 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 14 block  0
[#] Block  57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  60 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 15 block  0
[#] Block  61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  63 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  63 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY B
[-] ⛔ Dump file is PARTIAL complete
[=] downloading card content from emulator memory
[+] saved 1024 bytes to binary file /home/dose/hf-mf-140E665F-dump-001.bin
[+] saved to json file /home/dose/hf-mf-140E665F-dump-001.json
[=] autopwn execution time: 48 seconds

For completeness hf mf mad results in:

[usb] pm3 --> hf mf mad
[=] Authentication ( ok )
[#] Auth error

[=] --- MIFARE App Directory Information ----------------
[=] -----------------------------------------------------

[=] ------------ MAD v1 details -------------
[!] ⚠️  Card publisher not present 0x00

[=] ---------------- Listing ----------------
[=]  00 MAD v1
[=]  01 [2EC0] (unknown)
[=]  02 [0000] free
[=]  03 [0000] free
[=]  04 [0000] free
[=]  05 [0000] free
[=]  06 [0000] free
[=]  07 [0000] free
[=]  08 [0000] free
[=]  09 [0000] free
[=]  10 [0000] free
[=]  11 [0000] free
[=]  12 [0000] free
[=]  13 [0000] free
[=]  14 [0000] free
[=]  15 [0000] free

Any ideas how I can get a full dump of the card?

Thank's in advance!

Last edited by Dose13 (2023-10-29 19:58:45)

Offline

#2 2023-10-29 20:12:31

Dose13
Contributor
Registered: 2019-09-26
Posts: 29

Re: Mifare plus - dump fails?

Running the hf mf eview --2k command results in the following:

[usb] pm3 --> hf mf eview --2k
[=] downloading emulator memory

[=] -----+-----+-------------------------------------------------+-----------------
[=]  sec | blk | data                                            | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=]    0 |   0 | 14 0E 66 5F 23 88 04 00 C8 24 00 20 00 00 00 20 | ..f_#....$. ... 
[=]      |   1 | EA 00 C0 2E 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |   3 | A0 A1 A2 A3 A4 A5 78 77 88 C1 86 27 C1 0A 70 14 | ......xw...'..p.
[=]    1 |   4 | 0D 4C 00 00 06 00 00 00 00 00 00 00 00 FF FF FF | .L.............. 
[=]      |   5 | 00 00 00 00 80 FF FF 38 00 00 00 00 00 00 00 00 | .......8........ 
[=]      |   6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |   7 | A0 A1 A2 A3 A4 A5 0F 00 FF AA 00 00 86 27 C1 0A | .............'..
[=]    2 |   8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |   9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    3 |  12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    4 |  16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    5 |  20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    6 |  24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    7 |  28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    8 |  32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    9 |  36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   10 |  40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   11 |  44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   12 |  48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   13 |  52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   14 |  56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   15 |  60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   16 |  64 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  65 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  66 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  67 | 5C 8F F9 99 0D A2 70 F0 F8 69 D0 1A FE EB 89 0A | \.....p..i......
[=]   17 |  68 | 48 31 43 4D 38 36 17 24 20 54 29 00 00 00 00 00 | H1CM86.$ T)..... 
[=]      |  69 | 57 76 69 21 12 92 C6 A4 87 A5 E8 55 02 FA A9 71 | Wvi!.......U...q 
[=]      |  70 | 63 F5 41 AE 87 A2 1F E0 83 B2 43 66 2B 82 AC 6C | c.A.......Cf+..l 
[=]      |  71 | 75 CC B5 9C 9B ED 70 F0 F8 69 4B 79 1B EA 7B CC | u.....p..iKy..{.
[=]   18 |  72 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  73 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  74 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  75 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   19 |  76 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  77 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  78 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  79 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   20 |  80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  81 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  82 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  83 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   21 |  84 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  85 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  86 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  87 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   22 |  88 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  89 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  91 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   23 |  92 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  93 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  94 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  95 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   24 |  96 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  97 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  98 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      |  99 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   25 | 100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 101 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 102 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 103 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   26 | 104 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 105 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 106 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 107 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   27 | 108 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 109 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 111 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   28 | 112 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 113 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 114 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 115 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   29 | 116 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 117 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 118 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 119 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   30 | 120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 121 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 122 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 123 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   31 | 124 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 125 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 126 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 
[=]      | 127 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] -----+-----+-------------------------------------------------+-----------------
[?] cyan = value block with decoded value
[?] MAD key detected. Try `hf mf mad` for more details

I wonder if this is the entire dump?

Offline

#3 2023-10-30 21:07:46

Dose13
Contributor
Registered: 2019-09-26
Posts: 29

Re: Mifare plus - dump fails?

When looking at the emulator view it seems that sector 17 contains all the information. I am able to read block 68:

[usb] pm3 --> hf mf rdbl --blk 68 -b -k 4b791bea7bcc

[=]   # | sector 17 / 0x11                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]  68 | 48 31 43 4D 38 36 17 24 20 54 29 00 00 00 00 00 | H1CM86.$ T).....

However it is not possible to read the content with key A:

[usb] pm3 --> hf mf rdbl --blk 68 -k 75ccb59c9bed
[#] Block  68 Cmd 0x30 Cmd Error 04
[#] Read block error

It is also not possible to write to that block, neither with key A nor key B:

[usb] pm3 --> hf mf wrbl -b --blk 68 -k 4b791bea7bcc -d 48315355373803252127990000000000
[=] Writing block no 68, key B - 4B791BEA7BCC
[=] data: 48 31 53 55 37 38 03 25 21 27 99 00 00 00 00 00 
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -a ...` instead

[usb] pm3 --> hf mf wrbl -a --blk 68 -k 75ccb59c9bed -d 48315355373803252127990000000000
[=] Writing block no 68, key A - 75CCB59C9BED
[=] data: 48 31 53 55 37 38 03 25 21 27 99 00 00 00 00 00 
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -b ...` instead

Any ideas?

Offline

#4 2023-10-30 22:26:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: Mifare plus - dump fails?

if you run info,  you might recognize some data

hf 14a info

Offline

#5 2023-10-30 22:52:28

Dose13
Contributor
Registered: 2019-09-26
Posts: 29

Re: Mifare plus - dump fails?

The output did not ring a bell. ...

[usb] pm3 --> hf 14a info

[+]  UID: 14 0E 66 5F 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=] 
[=] --- Tag Signature
[=]  IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 577669211292C6A487A5E85502FAA97163F541AE87A21FE083B243662B82AC6C
[+]        Signature verification: successful
[?] Hint: try `hf mf` commands

Offline

#6 2023-10-31 03:48:10

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: Mifare plus - dump fails?

take a look on the data one more time...

Offline

#7 2023-11-01 21:04:35

Dose13
Contributor
Registered: 2019-09-26
Posts: 29

Re: Mifare plus - dump fails?

Still not sure. I read in the datasheet that mfp should follow the iso14443-4 protocol. The pm3 output states that it is a non proprietary iso14443-4 card.

The ISO/IEC 14443-4 Protocol (also known as T=CL) is used in many processor cards.
This protocol is used for the MIFARE Plus with the following security levels: ...

If this means that it does not follow the mfp or mfc datasheet that might be the issue. Was this the hint that you wanted to give me?

Offline

#8 2023-11-02 02:00:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: Mifare plus - dump fails?

you missed the mark

Offline

Pages: 1

Post reply

Quick reply

Write your message and submit

Board footer

Powered by FluxBB