Erwan's Blog

I got myself a proxmark3 device lately, for fun.

I will not spend time explaining how to flash the device or install proxspace and pm3 as it all explained here.

Lets start with identifying the card we have in hands.

[usb] pm3 --> hf search
[|] Searching for ISO14443-A tag…
[+] UID: 94 13 70 EE
[+] ATQA: 00 02
[+] SAK: 18 [2]
[+] Possible types:
[+] MIFARE Classic 4K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection……. hard
[?] Hint: try hf mf commands

[+] Valid ISO 14443-A tag found

What we got here is a mifare classic 4k.

Lets see if we can find keys to decrypt this card with a simple (but fast) chk command.

[usb] pm3 --> hf mf chk --4k
[+] loaded 61 keys from hardcoded default array
[=] Start check for keys...
[=] .................................................................................
[=] time in checkkeys 12 seconds

[=] testing to read key B...

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+]  001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+]  017 | 071 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  018 | 075 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  019 | 079 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  020 | 083 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  021 | 087 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  022 | 091 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  023 | 095 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  024 | 099 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  025 | 103 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  026 | 107 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  027 | 111 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  028 | 115 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  029 | 119 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  031 | 127 | ------------ | 0 | ------------ | 0
[+]  032 | 143 | ------------ | 0 | ------------ | 0
[+]  033 | 159 | ------------ | 0 | ------------ | 0
[+]  034 | 175 | ------------ | 0 | ------------ | 0
[+]  035 | 191 | ------------ | 0 | ------------ | 0
[+]  036 | 207 | ------------ | 0 | ------------ | 0
[+]  037 | 223 | ------------ | 0 | ------------ | 0
[+]  038 | 239 | ------------ | 0 | ------------ | 0
[+]  039 | 255 | ------------ | 0 | ------------ | 0
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
[?] MAD key detected. Try `hf mf mad` for more details

We got some keys missing … lets try with a dictionary attack.

[usb] pm3 --> hf mf chk --4k -f mfc_default_keys
[+] loaded 61 keys from hardcoded default array
[+] Loaded 1887 keys from dictionary file `C:\_apps\ProxSpace\pm3\proxmark3\client\dictionaries/mfc_default_keys.dic`
[=] Start check for keys...
[=] ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
[=] time in checkkeys 249 seconds

[=] testing to read key B...

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+]  001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  016 | 067 | A0A1A2A3A4A5 | 1 | B0B1B2B3B4B5 | 1
[+]  017 | 071 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  018 | 075 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  019 | 079 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  020 | 083 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  021 | 087 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  022 | 091 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  023 | 095 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  024 | 099 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  025 | 103 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  026 | 107 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  027 | 111 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  028 | 115 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  029 | 119 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  030 | 123 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  031 | 127 | ------------ | 0 | ------------ | 0
[+]  032 | 143 | ------------ | 0 | ------------ | 0
[+]  033 | 159 | ------------ | 0 | ------------ | 0
[+]  034 | 175 | ------------ | 0 | ------------ | 0
[+]  035 | 191 | ------------ | 0 | ------------ | 0
[+]  036 | 207 | ------------ | 0 | ------------ | 0
[+]  037 | 223 | ------------ | 0 | ------------ | 0
[+]  038 | 239 | ------------ | 0 | ------------ | 0
[+]  039 | 255 | ------------ | 0 | ------------ | 0
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
[?] MAD key detected. Try `hf mf mad` for more details

Still no luck…

Lets be more aggressive with a autopwn attack which will basically use all possible attacks (sparing us the hassle to to try them one by one or in some cases going block per block).

Note that I am skipping the -f mfc_default_keys.dic here since the previous dictionary attack did not prove useful.

[usb] pm3 --> hf mf autopwn --4k
[!] no known key was supplied, key recovery might fail
[+] loaded  5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] ...
[=] running strategy 2
[=] ....
[+] target sector   0 key type A -- found valid key [ A0A1A2A3A4A5 ] (used for nested / hardnested attack)
[+] target sector   0 key type B -- found valid key [ B0B1B2B3B4B5 ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  16 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector  16 key type B -- found valid key [ B0B1B2B3B4B5 ]
[+] target sector  17 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  17 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  18 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  18 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  19 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  19 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  20 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  20 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  21 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  21 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  22 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  22 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  23 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  23 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  24 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  24 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  25 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  25 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  26 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  26 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  27 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  27 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  28 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  28 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  29 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  29 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  30 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  30 key type B -- found valid key [ FFFFFFFFFFFF ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 4 threads and AVX SIMD core                 |                 |
[=]        0 |       0 | Brute force benchmark: 509 million (2^28.9) keys/s      | 140737488355328 |    3d
[=]        5 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 5226 ms               | 140737488355328 |    3d
[=]        5 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |    3d
[=]       10 |     112 | Apply bit flip properties                               |     35058302976 |   69s
[=]       11 |     224 | Apply bit flip properties                               |     24066930688 |   47s
[=]       12 |     334 | Apply bit flip properties                               |     17448558592 |   34s
[=]       13 |     444 | Apply bit flip properties                               |      9945160704 |   20s
[=]       14 |     555 | Apply bit flip properties                               |      9036183552 |   18s
[=]       15 |     667 | Apply bit flip properties                               |      7640147968 |   15s
[=]       16 |     779 | Apply bit flip properties                               |      6678748160 |   13s
[=]       17 |     890 | Apply bit flip properties                               |      6678748160 |   13s
[=]       18 |    1000 | Apply bit flip properties                               |      6347502592 |   12s
[=]       18 |    1112 | Apply bit flip properties                               |      6347502592 |   12s
[=]       18 |    1223 | Apply bit flip properties                               |      6347502592 |   12s
[=]       19 |    1332 | Apply bit flip properties                               |      6347502592 |   12s
[=]       20 |    1442 | Apply bit flip properties                               |      6347502592 |   12s
[=]       23 |    1552 | Apply Sum property. Sum(a0) = 128                       |       262742304 |    1s
[=]       24 |    1664 | Apply bit flip properties                               |       262742304 |    1s
[=]       25 |    1771 | Apply bit flip properties                               |       262742304 |    1s
[=]       26 |    1879 | Apply bit flip properties                               |       262742304 |    1s
[=]       26 |    1879 | (Ignoring Sum(a8) properties)                           |       262742304 |    1s
[=]       27 |    1879 | Brute force phase completed.  Key found: E704822D6AED   |               0 |    0s
[+] target sector  31 key type A -- found valid key [ E704822D6AED ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 4 threads and AVX SIMD core                 |                 |
[=]        0 |       0 | Brute force benchmark: 493 million (2^28.9) keys/s      | 140737488355328 |    3d
[=]        3 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 2696 ms               | 140737488355328 |    3d
[=]        3 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |    3d
[=]        7 |     112 | Apply bit flip properties                               |    646552223744 | 22min
[=]        8 |     224 | Apply bit flip properties                               |    495434760192 | 17min
[=]        9 |     336 | Apply bit flip properties                               |    474214105088 | 16min
[=]       10 |     448 | Apply bit flip properties                               |    422348587008 | 14min
[=]       11 |     560 | Apply bit flip properties                               |    422348587008 | 14min
[=]       12 |     671 | Apply bit flip properties                               |    422348587008 | 14min
[=]       13 |     783 | Apply bit flip properties                               |    422348587008 | 14min
[=]       14 |     893 | Apply bit flip properties                               |    422348587008 | 14min
[=]       15 |    1005 | Apply bit flip properties                               |    369272356864 | 12min
[=]       15 |    1117 | Apply bit flip properties                               |    369272356864 | 12min
[=]       16 |    1227 | Apply bit flip properties                               |    369272356864 | 12min
[=]       17 |    1338 | Apply bit flip properties                               |    369272356864 | 12min
[=]       17 |    1447 | Apply bit flip properties                               |    369272356864 | 12min
[=]       18 |    1559 | Apply bit flip properties                               |    369272356864 | 12min
[=]       19 |    1669 | Apply bit flip properties                               |    369272356864 | 12min
[=]       20 |    1776 | Apply bit flip properties                               |    369272356864 | 12min
[=]       21 |    1887 | Apply bit flip properties                               |    369272356864 | 12min
[=]       23 |    1997 | Apply Sum property. Sum(a0) = 128                       |     54618914816 |  2min
[=]       24 |    2106 | Apply bit flip properties                               |     54618914816 |  2min
[=]       25 |    2215 | Apply bit flip properties                               |     54618914816 |  2min
[=]       25 |    2324 | Apply bit flip properties                               |     54618914816 |  2min
[=]       26 |    2324 | (Ignoring Sum(a8) properties)                           |     54618914816 |  2min
[=]       89 |    2324 | Brute force phase completed.  Key found: EAE581E19550   |               0 |    0s
[+] target sector  31 key type B -- found valid key [ EAE581E19550 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 4 threads and AVX SIMD core                 |                 |
[=]        0 |       0 | Brute force benchmark: 411 million (2^28.6) keys/s      | 140737488355328 |    4d
[=]        3 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 2965 ms               | 140737488355328 |    4d
[=]        3 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |    4d
[=]        7 |     112 | Apply bit flip properties                               |   1300592066560 | 53min
[=]        8 |     224 | Apply bit flip properties                               |    956737191936 | 39min
[=]        9 |     336 | Apply bit flip properties                               |    788323893248 | 32min
[=]       10 |     448 | Apply bit flip properties                               |    699458519040 | 28min
[=]       11 |     559 | Apply bit flip properties                               |    611835576320 | 25min
[=]       12 |     669 | Apply bit flip properties                               |    604953968640 | 25min
[=]       13 |     781 | Apply bit flip properties                               |    546183413760 | 22min
[=]       14 |     891 | Apply bit flip properties                               |    497112612864 | 20min
[=]       15 |    1002 | Apply bit flip properties                               |    497112612864 | 20min
[=]       16 |    1110 | Apply bit flip properties                               |    497112612864 | 20min
[=]       18 |    1221 | Apply Sum property. Sum(a0) = 160                       |     30699894784 |   75s
[=]       18 |    1331 | Apply bit flip properties                               |     29279275008 |   71s
[=]       19 |    1439 | Apply bit flip properties                               |     29279275008 |   71s
[=]       20 |    1547 | Apply bit flip properties                               |     29279275008 |   71s
[=]       21 |    1658 | Apply bit flip properties                               |     28913727488 |   70s
[=]       21 |    1658 | (1. guess: Sum(a8) = 0)                                 |     28913727488 |   70s
[=]       22 |    1658 | Apply Sum(a8) and all bytes bitflip properties          |     28548368384 |   69s
[=]       22 |    1658 | (2. guess: Sum(a8) = 32)                                |     96629514240 |  4min
[=]       23 |    1658 | Apply Sum(a8) and all bytes bitflip properties          |     96404660224 |  4min
[=]       23 |    1658 | (3. guess: Sum(a8) = 64)                                |    201095266304 |  8min
[=]       25 |    1658 | Apply Sum(a8) and all bytes bitflip properties          |    199944667136 |  8min
[=]       25 |    1658 | Brute force phase completed.  Key found: A989077ECCED   |               0 |    0s
[+] target sector  32 key type A -- found valid key [ A989077ECCED ]
[+] target sector  32 key type B -- found valid key [ A989077ECCED ]
[+] target sector  33 key type A -- found valid key [ A989077ECCED ]
[+] target sector  33 key type B -- found valid key [ A989077ECCED ]
[+] target sector  34 key type A -- found valid key [ A989077ECCED ]
[+] target sector  34 key type B -- found valid key [ A989077ECCED ]
[+] target sector  35 key type A -- found valid key [ A989077ECCED ]
[+] target sector  35 key type B -- found valid key [ A989077ECCED ]
[+] target sector  36 key type A -- found valid key [ A989077ECCED ]
[+] target sector  36 key type B -- found valid key [ A989077ECCED ]
[+] target sector  37 key type A -- found valid key [ A989077ECCED ]
[+] target sector  37 key type B -- found valid key [ A989077ECCED ]
[+] target sector  38 key type A -- found valid key [ A989077ECCED ]
[+] target sector  38 key type B -- found valid key [ A989077ECCED ]
[+] target sector  39 key type A -- found valid key [ A989077ECCED ]
[+] target sector  39 key type B -- found valid key [ A989077ECCED ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | A0A1A2A3A4A5 | D | B0B1B2B3B4B5 | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  016 | 067 | A0A1A2A3A4A5 | D | B0B1B2B3B4B5 | D
[+]  017 | 071 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  018 | 075 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  019 | 079 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  020 | 083 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  021 | 087 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  022 | 091 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  023 | 095 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  024 | 099 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  025 | 103 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  026 | 107 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  027 | 111 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  028 | 115 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  029 | 119 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  030 | 123 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  031 | 127 | E704822D6AED | H | EAE581E19550 | H
[+]  032 | 143 | A989077ECCED | H | A989077ECCED | R
[+]  033 | 159 | A989077ECCED | R | A989077ECCED | R
[+]  034 | 175 | A989077ECCED | R | A989077ECCED | R
[+]  035 | 191 | A989077ECCED | R | A989077ECCED | R
[+]  036 | 207 | A989077ECCED | R | A989077ECCED | R
[+]  037 | 223 | A989077ECCED | R | A989077ECCED | R
[+]  038 | 239 | A989077ECCED | R | A989077ECCED | R
[+]  039 | 255 | A989077ECCED | R | A989077ECCED | R
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )
[?] MAD key detected. Try `hf mf mad` for more details


[+] Generating binary key file
[+] Found keys have been dumped to `C:\_apps\ProxSpace\pm3/hf-mf-941370EE-key.bin`
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[=] downloading card content from emulator memory
[+] Saved 4096 bytes to binary file `C:\_apps\ProxSpace\pm3/hf-mf-941370EE-dump.bin`
[+] Saved to json file `C:\_apps\ProxSpace\pm3/hf-mf-941370EE-dump.json`
[=] autopwn execution time: 166 seconds

Ok, this time we got lucky and all keys were found within 166 seconds (on my slow computer…).

Note that the keys have been conveniently dumped to hf-mf-941370EE-key.bin.

The content of the card itself has been dumped to hf-mf-941370EE-dump.bin.

At this stage you can dump the card (again) at any point with this command:

hf mf dump --4k --keys hf-mf-941370EE-key.bin

You can also simulate the card with this command :

hf mf sim -u 941370EE --4k

And last but not least you can restore the dump to a blank card (effectively cloning the original card) with this command :

#for a gen1 card
hf mf cload --4k -f hf-mf-941370EE-dump.bin
#for a gen2 card - notice that you need the keyfile of the target card to be able to write your dump
#note that we are passing the original uid sparing us the extra command hf mf csetuid -u 941370EE 
hf mf restore --4k --uid 941370EE -k hf-mf-target-key.bin -f hf-mf-941370EE-dump.bin

Extra notes, you can test the reading with a block or sector with a key the following way :

hf mf rdbl --blk 127 -b -k EAE581E19550
hf mf rdsc --sec 31 -a -k E704822D6AED