Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-01-09 16:13:03

goseoan
Contributor
Registered: 2017-11-06
Posts: 11

nxp mifare classic 0.3k hardnested attack

nxp mifare classic 0.3k I'm trying to get a key for a tag, but I do not get any results or I get an error.



hardware firmware info

Proxmark3 RFID instrument

 [ ARM ]
 bootrom: iceman// 2018-01-05 16:11:33
      os: iceman// 2018-01-05 16:16:37
 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

 [ Hardware ]
  --= uC: AT91SAM7S256 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 256K bytes, Used: 235214 bytes (90%) Free: 26930 bytes (10%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 256K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

reader

pm3 --> hf 14a re
 UID : 3E C3 69 50
ATQA : 00 04
 SAK : 09 [2]
Field dropped.

info

pm3 --> hf 14a info
 UID : 3E C3 69 50
ATQA : 00 04
 SAK : 09 [2]
TYPE : NXP MIFARE Mini 0.3k
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Prng detection: HARDEND (hardnested)

fast key check

hf mf fchk 0
[+] No key specified, trying default keys
key[ 0] ffffffffffff
key[ 1] 000000000000
key[ 2] a0a1a2a3a4a5
key[ 3] b0b1b2b3b4b5
key[ 4] c0c1c2c3c4c5
key[ 5] d0d1d2d3d4d5
key[ 6] aabbccddeeff
key[ 7] 1a2b3c4d5e6f
key[ 8] 123456789abc
key[ 9] 010203040506
key[10] 123456abcdef
key[11] abcdef123456
key[12] 4d3a99c351dd
key[13] 1a982c7e459a
key[14] d3f7d3f7d3f7
key[15] 714c5c886e97
key[16] 587ee5f9350f
key[17] a0478cc39091
key[18] 533cb6c723f6
key[19] 8fd0a4f256e9
[+] Running strategy 1

[-] Chunk: 1.3s | found 7/10 keys (20)
[+] Running strategy 2

[-] Chunk: 1.2s | found 7/10 keys (20)
[+] Time in checkkeys (fast):  2.5s

|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ------------  | 0 |  ffffffffffff  | 1 |
|002|  ------------  | 0 |  ffffffffffff  | 1 |
|003|  ------------  | 0 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|

response error

pm3 --> hf mf hardnested 0 A FFFFFFFFFFFF 4 A s
--target block no:  4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: Yes, Tests: 0

 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 4 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 386 million (2^28.5) keys/s      | 140737488355328 |    4d
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    4d
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Auth1 error
       6 |     112 | Apply bit flip properties                               |    898558787584 | 39min

  .
  .
  .

#db# AcquireNonces: Can't select card (UID)
     196 |   19769 | Apply bit flip properties                               |             nan |  nand
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Can't select card (UID)
     197 |   19846 | Apply bit flip properties                               |             nan |  nand
#db# AcquireNonces: Can't select card (UID)
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth2 error len=1
Error: No response from Proxmark.

I'm trying to get a key for the Mifare Classic Mini 0.3k.

I am currently working on a topic that says that other topics should be hardnested

A program debugging error , or a proxmark3 response error occurs in windows os.

The progress of the probe or nonce is then different.

I keep trying, but I have not succeeded.

Should I sniff and analyze this?

Do you have this experience or do you have any other way?

Last edited by goseoan (2018-01-09 16:16:53)

Offline

#2 2018-01-09 16:20:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: nxp mifare classic 0.3k hardnested attack

The "can't select card"  usually indicates you have not found the swetspot for your card & antenna.  try some different positions.
Also try the complete dictionary file..

hf mf fchk 0 default_keys.dic

Offline

#3 2018-01-09 17:08:44

goseoan
Contributor
Registered: 2017-11-06
Posts: 11

Re: nxp mifare classic 0.3k hardnested attack

It's better to find the chip position by lighting.

Can not select card (UID) does not or does not appear.

The result using default_key.dic, including 453 keys, was the same.

hardnested attack. As a result, I know that block(sector) key is coming out.

When I read the file noces.bin, I do not see anything. XD

100% is out and the operation does not go on ... Is there a problem with my equipment?

pm3 --> hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s
--target block no:  4, target key type:A, known target key: 0x000000000000 (not set), file action: write, Slow: Yes, Tests: 0



 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 4 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 451 million (2^28.7) keys/s      | 140737488355328 |    4d
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    4d
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
       5 |       0 | Writing acquired nonces to binary file nonces.bin       | 140737488355328 |    4d
       6 |     112 | Apply bit flip properties                               |    981710602240 | 36min
#db# AcquireNonces: Auth1 error
       7 |     224 | Apply bit flip properties                               |    633842630656 | 23min
#db# AcquireNonces: Auth1 error
      17 |     333 | Apply bit flip properties                               |    613532696576 | 23min
#db# AcquireNonces: Auth1 error
      18 |     445 | Apply bit flip properties                               |    532960935936 | 20min
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth1 error
      19 |     556 | Apply bit flip properties                               |    513494351872 | 19min
      20 |     668 | Apply bit flip properties                               |    468561625088 | 17min
#db# AcquireNonces: Auth1 error
#db# AcquireNonces: Auth2 error len=1
#db# AcquireNonces: Auth1 error
      21 |     780 | Apply bit flip properties                               |    468234502144 | 17min
#db# AcquireNonces: Auth2 error len=1
      22 |     891 | Apply bit flip properties                               |    434515083264 | 16min
      24 |     999 | Apply bit flip properties                               |    434136023040 | 16min
      27 |    1108 | Apply Sum property. Sum(a0) = 128                       |    330106372096 | 12min
#db# AcquireNonces: Can't select card (UID)
      30 |    1218 | Apply bit flip properties                               |    347030323200 | 13min
      32 |    1327 | Apply bit flip properties                               |    344463015936 | 13min
#db# AcquireNonces: Auth1 error
      34 |    1439 | Apply bit flip properties                               |     41687818240 |  2min
#db# AcquireNonces: Auth2 error len=1
      35 |    1547 | Apply bit flip properties                               |     41687818240 |  2min
#db# AcquireNonces: Auth1 error
      36 |    1658 | Apply bit flip properties                               |     41687818240 |  2min
      37 |    1769 | Apply bit flip properties                               |     41687818240 |  2min
#db# AcquireNonces: Auth1 error
      37 |    1769 | (Ignoring Sum(a8) properties)                           |     41687818240 |  2min
     207 |    1769 | Brute force phase: 100.00%                              |  27419593408512 |   17h
pm3 -->
pm3 -->
pm3 -->
pm3 --> hf mf hardnested r FFFFFFFFFFFF
--target block no:  0, target key type:A, known target key: 0xffffffffffff, file action: read, Slow: No, Tests: 0       



 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 4 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 449 million (2^28.7) keys/s      | 140737488355328 |    4d
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    4d
       4 |       0 | Reading nonces from file nonces.bin...                  | 140737488355328 |    4d
       4 |    1792 | Read 1792 nonces from file. cuid=3ec36950               | 140737488355328 |    4d
       4 |    1792 | Target Block=4, Keytype=A                               | 140737488355328 |    4d

BUG: known target key's even state is not member of first nonce byte's (0x3a) states_bitarray!

BUG: known target key's odd  state is not member of first nonce byte's (0x3a) states_bitarray!

BUG: known target key's even state is not member of all_bitflips_bitarray!

BUG: known target key's odd  state is not member of all_bitflips_bitarray!
      18 |    1792 | (Ignoring Sum(a8) properties)                           |     41687818240 |  2min

BUG: known target key's even state is not member of first nonce byte's (0x20) states_bitarray!

BUG: known target key's odd  state is not member of first nonce byte's (0x20) states_bitarray!

BUG: known target key's even state is not member of all_bitflips_bitarray!

BUG: known target key's odd  state is not member of all_bitflips_bitarray!
      29 |    1792 | (Test: Key NOT found)                                   |               0 |    0s
     183 |    1792 | Brute force phase: 100.00%                              |  36976325558272 |   23h

Last edited by goseoan (2018-01-09 17:31:30)

Offline

#4 2018-01-09 17:41:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: nxp mifare classic 0.3k hardnested attack

What your antenna voltages?   Which device are you using?

Offline

#5 2018-01-09 18:26:00

goseoan
Contributor
Registered: 2017-11-06
Posts: 11

Re: nxp mifare classic 0.3k hardnested attack

i use proxmark3 easy

pm3 --> hw tune

Measuring antenna characteristics, please wait......
# HF antenna: 25.77 V @    13.56 MHz
# Your LF antenna is unusable.

Now I reconnect and enter the command, so sum continues to increase. I will post it once again when the result comes out.

Offline

#6 2018-01-09 18:50:18

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: nxp mifare classic 0.3k hardnested attack

HF voltage looks good.

what OS are you running on?

Offline

#7 2018-01-09 19:02:04

goseoan
Contributor
Registered: 2017-11-06
Posts: 11

Re: nxp mifare classic 0.3k hardnested attack

Windows 10 Home

This is Now Status Keep Going

    3422 |    2417 | Brute force phase:  64.70%                              |    356939857920 | 13min
    3473 |    2417 | Brute force phase:  65.19%                              |    354279522304 | 13min
    3637 |    2417 | Brute force phase:  67.41%                              |    342332702720 | 13min
    3646 |    2417 | Brute force phase:  69.64%                              |    330342957056 | 12min
    3832 |    2417 | Brute force phase:  71.57%                              |    319969165312 | 12min
    3871 |    2417 | Brute force phase:  78.94%                              |    280268701696 | 10min
    3922 |    2417 | Brute force phase:  79.41%                              |    277731606528 | 10min
    4009 |    2417 | Brute force phase:  82.63%                              |    260368138240 | 10min
    4075 |    2417 | Brute force phase:  84.80%                              |    248707219456 |  9min
    4087 |    2417 | Brute force phase:  90.22%                              |    219528396800 |  8min
    4142 |    2417 | Brute force phase:  90.84%                              |    216205623296 |  8min
    4316 |    2417 | Brute force phase:  93.89%                              |    199774830592 |  7min
    4371 |    2417 | Brute force phase:  99.40%                              |    170063790080 |  6min
    4398 |    2417 | Brute force phase: 100.00%                              |    166852722688 |  6min
    4398 |    2417 | (9. guess: Sum(a8) = 152)                               |    308918190080 | 11min
    4411 |    2417 | Apply Sum(a8) and all bytes bitflip properties          |    232743239680 |  9min
    4454 |    2417 | Brute force phase:  11.11%                              |    230748209152 |  9min
    4463 |    2417 | Brute force phase:  35.55%                              |    226362310656 |  8min
    4469 |    2417 | Brute force phase:  50.03%                              |    223763021824 |  8min
    4497 |    2417 | Brute force phase:  60.89%                              |    221814046720 |  8min
    4510 |    2417 | Brute force phase:  85.09%                              |    217470746624 |  8min
    4517 |    2417 | Brute force phase: 100.00%                              |    214793814016 |  8min
    4517 |    2417 | (10. guess: Sum(a8) = 136)                              |    535258693632 | 20min
    4529 |    2417 | Apply Sum(a8) and all bytes bitflip properties          |    140712591360 |  5min

It is positive that it is proceeding.

Offline

#8 2018-01-09 20:22:59

goseoan
Contributor
Registered: 2017-11-06
Posts: 11

Re: nxp mifare classic 0.3k hardnested attack

cool get key thanks

Offline

#9 2018-01-11 15:44:24

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Re: nxp mifare classic 0.3k hardnested attack

How do I get this updated? mine shows 2015 despite installed the latest master

LF image built for 2s30vq100 on 2017/10/25 at 19:50:50

Offline

#10 2018-01-11 16:44:45

Skeltek
Contributor
Registered: 2017-12-31
Posts: 19

Re: nxp mifare classic 0.3k hardnested attack

Weird, I just stumbled upon that 30 seconds ago too, while trying to figure out why my emulation doesnt work. Ill write something here if I find anything.

Offline

Board footer

Powered by FluxBB