Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
I try to dump my NXP MIFARE Classic 4k
pm3 --> hf 14a info
UID : 1A 38 43 97
ATQA : 00 02
SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1 | 4k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
pm3 --> hf mf dump 4
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
[+] successfully read block 0 of sector 0.
[+] successfully read block 1 of sector 0.
[+] successfully read block 2 of sector 0.
[+] successfully read block 3 of sector 0.
[+] successfully read block 0 of sector 1.
[+] successfully read block 1 of sector 1.
[+] successfully read block 2 of sector 1.
[+] successfully read block 3 of sector 1.
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
#db# Auth error
[-] could not read block 0 of sector 2
Okay, lets try to read it manualy with my safed keys from (hf mf chk *4 A default_keys.dic)
pm3 --> hf mf rdbl 8 A 59454b57454e
--block no:8, key type:A, key:59 45 4B 57 45 4E
#db# Cmd Error: 04
#db# Read block error
isOk:00
Its not working, i try to hardnested the block:
pm3 --> hf mf hardnested 3 A a0a1a2a3a4a5 8 A
--target block no: 8, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX SIMD core | |
0 | 0 | Brute force benchmark: 504 million (2^28.9) keys/s | 140737488355328 | 3d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 3d
6 | 112 | Apply bit flip properties | 469728788480 | 16min
7 | 224 | Apply bit flip properties | 414756503552 | 14min
9 | 335 | Apply bit flip properties | 192740671488 | 6min
10 | 446 | Apply bit flip properties | 190245044224 | 6min
11 | 558 | Apply bit flip properties | 190245044224 | 6min
12 | 670 | Apply bit flip properties | 190208491520 | 6min
13 | 782 | Apply bit flip properties | 190208491520 | 6min
14 | 893 | Apply bit flip properties | 190208491520 | 6min
14 | 1002 | Apply bit flip properties | 190208491520 | 6min
15 | 1114 | Apply bit flip properties | 190208491520 | 6min
16 | 1226 | Apply bit flip properties | 190208491520 | 6min
16 | 1338 | Apply bit flip properties | 190208491520 | 6min
19 | 1446 | Apply Sum property. Sum(a0) = 160 | 3639393280 | 7s
19 | 1555 | Apply bit flip properties | 3639393280 | 7s
20 | 1665 | Apply bit flip properties | 3055864832 | 6s
20 | 1775 | Apply bit flip properties | 2776153600 | 6s
21 | 1775 | (1. guess: Sum(a8) = 0) | 2776153600 | 6s
22 | 1775 | Apply Sum(a8) and all bytes bitflip properties | 542746240 | 1s
22 | 1775 | Brute force phase completed. Key found: 59454b57454e | 0 | 0s
Its total crazy. Hardnest found key "59454b57454e" but i if want to use it, it didnt work. (see above)
I try to remove the ant and set some space between the card and the reader regarding http://www.proxmark.org/forum/viewtopic.php?id=4271 but this was no solution.
I updated the proxmark and try different firmwares but it always the same.
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-1072-gfbc42bd7 2019-01-28 12:52:13
os: iceman/master/ice_v3.1.0-1072-gfbc42bd7 2019-01-28 12:52:17
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
Can anybody help?
Thanks for your quick answer. Is this a hidden hint to the B Key? That works but I don't know how to say the dump command that he should try it with the B key. The help command doesn't help me. So I tried to use the A key everywhere and get this error.
Sure, the dump command needs a key file. I have generated it via hf mf chk *4 A default_keys.dic (See the post above)
Unfortunately, the command didn't work:
pm3 --> hf mf chk *4 ? default_keys.dic d
[+] Loaded 518 keys from default_keys.dic
Time in checkkeys: 0 seconds
testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ------------ | 0 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
.....
The command didnt find any key and lasts 0 seconds.
So I decided to run hf mf chk *4 A. That worked and gave me a keyfile:
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| 59454b57454a | 1 | ------------ | 0 |
|003| 93df2e5b58aa | 1 | ------------ | 0 |
|004| 93df2e5b58aa | 1 | ------------ | 0 |
|005| 93df2e5b58aa | 1 | ------------ | 0 |
|006| 93df2e5b58aa | 1 | ------------ | 0 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|012| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|013| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|014| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|015| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|016| ffffffffffff | 1 | ffffffffffff | 1 |
|017| ffffffffffff | 1 | ffffffffffff | 1 |
|018| ffffffffffff | 1 | ffffffffffff | 1 |
|019| ffffffffffff | 1 | ffffffffffff | 1 |
|020| ffffffffffff | 1 | ffffffffffff | 1 |
|021| ffffffffffff | 1 | ffffffffffff | 1 |
|022| ffffffffffff | 1 | ffffffffffff | 1 |
|023| ffffffffffff | 1 | ffffffffffff | 1 |
|024| ffffffffffff | 1 | ffffffffffff | 1 |
|025| ffffffffffff | 1 | ffffffffffff | 1 |
|026| ffffffffffff | 1 | ffffffffffff | 1 |
|027| ffffffffffff | 1 | ffffffffffff | 1 |
|028| ffffffffffff | 1 | ffffffffffff | 1 |
|029| ffffffffffff | 1 | ffffffffffff | 1 |
|030| ffffffffffff | 1 | ffffffffffff | 1 |
|031| ffffffffffff | 1 | ffffffffffff | 1 |
|032| ffffffffffff | 1 | ffffffffffff | 1 |
|033| ffffffffffff | 1 | ffffffffffff | 1 |
|034| ffffffffffff | 1 | ffffffffffff | 1 |
|035| ffffffffffff | 1 | ffffffffffff | 1 |
|036| ffffffffffff | 1 | ffffffffffff | 1 |
|037| ffffffffffff | 1 | ffffffffffff | 1 |
|038| ffffffffffff | 1 | ffffffffffff | 1 |
|039| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file hf-mf-9E384397-key.bin...
Found keys have been dumped to file hf-mf-9E384397-key.bin. 0xffffffffffff has been inserted for unknown keys.
Exactly the same with the B key
pm3 --> hf mf chk *4 B default_keys.dic d
[+] Loaded 518 keys from default_keys.dic
..........................................................................................................
Time in checkkeys: 121 seconds
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | 56cf3acd90ca | 1 |
|001| ------------ | 0 | ffffffffffff | 1 |
|002| ------------ | 0 | 504353504351 | 1 |
|003| ------------ | 0 | 3b1181ff34a1 | 1 |
|004| ------------ | 0 | 3b1181ff34a1 | 1 |
|005| ------------ | 0 | 3b1181ff34a1 | 1 |
|006| ------------ | 0 | 3b1181ff34a1 | 1 |
|007| ------------ | 0 | ffffffffffff | 1 |
|008| ------------ | 0 | ffffffffffff | 1 |
|009| ------------ | 0 | ffffffffffff | 1 |
|010| ------------ | 0 | ffffffffffff | 1 |
|011| ------------ | 0 | 9cffc7751693 | 1 |
|012| ------------ | 0 | c2444db5ee23 | 1 |
|013| ------------ | 0 | 03cce7f6190a | 1 |
|014| ------------ | 0 | acdcd7e3be45 | 1 |
|015| ------------ | 0 | a177712c89fa | 1 |
|016| ------------ | 0 | ffffffffffff | 1 |
|017| ------------ | 0 | ffffffffffff | 1 |
|018| ------------ | 0 | ffffffffffff | 1 |
|019| ------------ | 0 | ffffffffffff | 1 |
|020| ------------ | 0 | ffffffffffff | 1 |
|021| ------------ | 0 | ffffffffffff | 1 |
|022| ------------ | 0 | ffffffffffff | 1 |
|023| ------------ | 0 | ffffffffffff | 1 |
|024| ------------ | 0 | ffffffffffff | 1 |
|025| ------------ | 0 | ffffffffffff | 1 |
|026| ------------ | 0 | ffffffffffff | 1 |
|027| ------------ | 0 | ffffffffffff | 1 |
|028| ------------ | 0 | ffffffffffff | 1 |
|029| ------------ | 0 | ffffffffffff | 1 |
|030| ------------ | 0 | ffffffffffff | 1 |
|031| ------------ | 0 | ffffffffffff | 1 |
|032| ------------ | 0 | ffffffffffff | 1 |
|033| ------------ | 0 | ffffffffffff | 1 |
|034| ------------ | 0 | ffffffffffff | 1 |
|035| ------------ | 0 | ffffffffffff | 1 |
|036| ------------ | 0 | ffffffffffff | 1 |
|037| ------------ | 0 | ffffffffffff | 1 |
|038| ------------ | 0 | ffffffffffff | 1 |
|039| ------------ | 0 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file hf-mf-9E384397-key.bin...
Found keys have been dumped to file hf-mf-9E384397-key.bin. 0xffffffffffff has been inserted for unknown keys.
So i try to dump the card with this keyfiles but i get the error from my first post. Maybe anyone can tell me whats wrong with the command:
hf mf chk *4 ? default_keys.dic d
I didnt get any key (See the output in the first code block)
Last edited by Christian (2019-02-08 15:42:29)