Mfcuk error connecting to nfc reader


Update: I managed to copy the key; the review has been updated.

In one of my earlier reviews (Atmega8A in a TQFP-32 package, flashing via Arduino ISP) I already mentioned building a reader/emulator for contact intercom keys based on clusterr's project.

The device turned out well, and, deciding not to stop there, I started studying the theory of working with contactless keys (RFID from here on). I was particularly interested in the possibility of making a copy of a key, or a complete copy, the so-called magic key (not only the contents but also the device ID is copied). After looking through the information available online, I decided to order this kit.

Delivery and appearance

The item arrived in an ordinary yellow envelope, without header pins, wrapped in bubble wrap and overall well packaged. The seller provided a trackable tracking number.

Contents of the lot:
— PN532 NFC read/write module (3.3V-5V);
— S50 white card;
— S50 key fob.

Specifications

The board carries an NXP PN532 chip, which can perform read and write operations on Mifare Classic cards (13.56 MHz).

— Size: 10.5 cm x 4.9 cm;
— Power: 3.3V-5.0V;
— Interfaces: I2C, SPI, HSU (3.3V-5V compatible);
— Reset button on the board;
— Pin pitch: 2.54 mm.

Connection

To connect to a computer, it is best to use HSU (High-Speed UART) and a USB-TTL adapter based on the FT232RL chip. It is also possible to connect the PN532 NFC module over SPI to an Arduino and use the Arduino as the USB-TTL adapter; see the mfocuino project for details. Unfortunately I had problems with the CP2102 adapter, which I have mentioned repeatedly in my reviews.

— Pn532 NFC Module TX -> FTDI TTL RX
— Pn532 NFC Module RX -> FTDI TTL TX
— Pn532 NFC Module VIN -> FTDI TTL VCC
— Pn532 NFC Module GND -> FTDI TTL GND

Installing and configuring the software

For working with Mifare Classic there is the free libnfc library, which includes the necessary set of RFID utilities. Installation is supported on many popular operating systems, but I recommend GNU/Linux, and Debian/Ubuntu in particular.

Installing libnfc

Open a terminal, obtain privileged (root) rights and install the required packages.

sudo apt-get install autoconf libtool libpcsclite-dev libusb-dev git

For convenience, create an nfc folder in the home directory and change into it:

mkdir ~/nfc
cd ~/nfc

Get the current version from the git repository:

git clone https://github.com/nfc-tools/libnfc.git

Build libnfc from the sources just obtained:

cd ./libnfc
autoreconf -vis
./configure --with-drivers=pn532_uart
make
sudo make install
sudo ldconfig

Installing mfoc

MFOC is an open-source implementation of the "offline nested" attack from Nethemba.

The program can recover the authentication keys of a MIFARE Classic card, but only if one of the keys is already known; in addition, a list of the most common keys is hard-coded into the utility and is tried first.

Get the current version from the git repository:

git clone https://github.com/nfc-tools/mfoc.git

cd ./mfoc
autoreconf -vis
./configure
sudo make

Installing mfcuk

MFCUK is an open-source implementation of the Darkside attack. This utility does not require knowledge of any of the keys.

Get the current version from the git repository:

git clone https://github.com/nfc-tools/mfcuk.git
cd ./mfcuk
autoreconf -vis
./configure
sudo make

Usage

Connect the PN532 NFC module to the USB-TTL adapter, plug the adapter into the computer, and hold an RFID tag against the reader, the blank one that came with the kit.

Run the command:

sudo nfc-list

The response:

nfc-list use libnfc libnfc-1.7.1-89-g403650a
Connected to NFC device: Adafruit PN532 board via UART - PN532 v1.6 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04 
       UID (NFCID1): dc  b8  f9  2d 
      SAK (SEL_RES): 08

Let's try to obtain a dump of the card with the mfoc utility.

cd ./mfoc/src
mfoc -O dump.mfd

The card dump is written to the file dump.mfd.
Keys: Key A: ffffffffffff, Key B: ffffffffffff

Command output:

./mfoc -O dump.rfd
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): dc  b8  f9  2d  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
[Key: 000000000000] -> [xxxxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]

Sector 00 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 01 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 02 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 03 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 04 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 05 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 06 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 07 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 08 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 09 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 10 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 11 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 12 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 13 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 14 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 15 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff

We have all sectors encrypted with the default keys..

Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 62, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 61, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 60, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 59, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 58, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 57, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 56, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 55, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 54, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 53, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 52, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 51, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 50, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 49, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 48, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 47, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 46, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 45, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 44, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 43, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 42, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 41, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 40, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 39, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 38, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 37, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 36, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 35, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 34, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 33, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 32, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 31, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 30, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 29, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 28, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 27, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 26, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 25, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 24, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 23, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 22, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 21, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 20, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 19, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 18, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 17, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 16, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 15, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 14, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 13, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 12, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 11, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 10, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 09, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 08, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 07, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 06, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 05, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 04, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 03, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 02, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 01, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 00, type A, key ffffffffffff :dc  b8  f9  2d  b0  08  04  00  01  09  67  1b  75  49  46  1d

Remove the blank tag, hold the intercom key against the reader and run the command:

./mfoc -O domofon_dump.rfd

It did not work with the standard keys: No sector encrypted with the default key has been found, exiting…

If one of the keys is known, the -k key parameter can be used.

Command output:

./mfoc -O domofon_dump.rfd
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): f7  b2  d9  b9  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [................]
[Key: d3f7d3f7d3f7] -> [................]
[Key: 000000000000] -> [................]
[Key: b0b1b2b3b4b5] -> [................]
[Key: 4d3a99c351dd] -> [................]
[Key: 1a982c7e459a] -> [................]
[Key: aabbccddeeff] -> [................]
[Key: 714c5c886e97] -> [................]
[Key: 587ee5f9350f] -> [................]
[Key: a0478cc39091] -> [................]
[Key: 533cb6c723f6] -> [................]
[Key: 8fd0a4f256e9] -> [................]

Sector 00 - Unknown Key A               Unknown Key B
Sector 01 - Unknown Key A               Unknown Key B
Sector 02 - Unknown Key A               Unknown Key B
Sector 03 - Unknown Key A               Unknown Key B
Sector 04 - Unknown Key A               Unknown Key B
Sector 05 - Unknown Key A               Unknown Key B
Sector 06 - Unknown Key A               Unknown Key B
Sector 07 - Unknown Key A               Unknown Key B
Sector 08 - Unknown Key A               Unknown Key B
Sector 09 - Unknown Key A               Unknown Key B
Sector 10 - Unknown Key A               Unknown Key B
Sector 11 - Unknown Key A               Unknown Key B
Sector 12 - Unknown Key A               Unknown Key B
Sector 13 - Unknown Key A               Unknown Key B
Sector 14 - Unknown Key A               Unknown Key B
Sector 15 - Unknown Key A               Unknown Key B
mfoc: ERROR: 

No sector encrypted with the default key has been found, exiting..

Let's try to break the key with mfcuk.
Change into the directory:

cd ~/nfc/mfcuk/src
mfcuk -C -R 0 -s 250 -S 250

Failure:
ERROR: mfcuk_key_recovery_block() (error code=0x03)
ERROR: mfcuk_key_recovery_block() (error code=0x03)
ERROR: mfcuk_key_recovery_block() (error code=0x03)

Command output:

libnfc - 1.7.1
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com


INFO: Connected to NFC reader: pn532_uart:/dev/ttyUSB0


VERIFY:
        Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
        Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

RECOVER:  0ERROR: mfcuk_key_recovery_block() (error code=0x03)
ERROR: mfcuk_key_recovery_block() (error code=0x03)
ERROR: mfcuk_key_recovery_block() (error code=0x03)

I left it running for a day; the error repeats in a loop, yet if started with the -v 3 switch the process does run.

I never found an answer online: I tried different versions of libnfc and mfcuk, left questions for the developers and tried specialised distributions such as Kali Linux; I tried to crack the blank card as well, and got the same error and the same result.

One article mentions a successful crack with an ACR122U reader, libnfc-1.5.1 and mfcuk r65, but I do not have such a device at the moment.

Solving the problem

As it turned out, there are 'weaker' keys, and mfcuk has no logic for this type. Huge thanks to user Stewart8 and his post, in which he described the problem and the ways to solve it.

For convenience I am posting the edited files crapto1.c and mfcuk.c, which must replace the ones in the mfcuk/src folder; then rebuild the utility.

Run mfcuk:

./mfcuk -C -R 0:A -s 250 -S 250

and wait until maxhii=00ffffff and maxloi=00ffffff start repeating:

mfcuk output:

mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, andreicostin.com

INFO: Connected to NFC reader: pn532_uart:/dev/ttyUSB0
VERIFY:
Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

RECOVER: 0

254592 candidates found, nonce 78882a2f
maxhi=3 maxhii=0030b0c5 maxlo=3 maxloi=00080e51
mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)
44928 candidates found, nonce 5578882a
maxhi=3 maxhii=000bee31 maxlo=3 maxloi=00080e51
mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)
354816 candidates found, nonce 5578882a
maxhi=4 maxhii=00895568 maxlo=3 maxloi=0000a513
mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)
153600 candidates found, nonce 688df49b
maxhi=4 maxhii=0030028f maxlo=4 maxloi=0016ef51
mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)
49152 candidates found, nonce a2701b19
maxhi=4 maxhii=0030028f maxlo=4 maxloi=0016ef51
mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)
59136 candidates found, nonce 02aa92c0
maxhi=5 maxhii=00ffffff maxlo=5 maxloi=00ffffff
mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)
206080 candidates found, nonce 32a03931
maxhi=6 maxhii=00ffffff maxlo=6 maxloi=00ffffff
mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)
40256 candidates found, nonce 78882a2f
maxhi=7 maxhii=00ffffff maxlo=7 maxloi=00ffffff
mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)
349440 candidates found, nonce a2701b19
maxhi=8 maxhii=00ffffff maxlo=8 maxloi=00ffffff
mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)
1344 candidates found, nonce 688df49b
maxhi=9 maxhii=00ffffff maxlo=9 maxloi=00ffffff

Usually maxhi and maxlo do not exceed 5-6 at this point. Ignore the error code=0x03 messages.

Next we obtain the key: ffffffffffff
maxhi=5 maxhii=00ffffff maxlo=5 maxloi=00ffffff

Run mfoc:

mfoc -O dump.mfd -k ffffffffffff

-k ffffffffffff (the key obtained through mfcuk)

At the end we should see the message:

We have all sectors encrypted with the default keys..

Auth with all sectors succeeded, dumping keys to a file!

We have obtained a full dump of the intercom key; now let's write it to the blank key.

Make a dump of the blank key:

mfoc -O blank_dump.mfd

And using the nfc-mfclassic utility (shipped with libnfc) write the dump to the blank key:

nfc-mfclassic w A  ./blank_dump.mfd ./dump.mfd 

NFC reader: Adafruit PN532 board via UART opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): dc  b8  f9  2d  
      SAK (SEL_RES): 08  
Guessing size: seems to be a 1024-byte card
Writing 64 blocks |...............................................................|
Done, 63 of 64 blocks written.

If your blank has a changeable UID, or is unlocked, i.e. its identifier can be changed so that a complete duplicate can be made, then by running:

nfc-mfclassic W a  ./blank_dump.mfd ./dump.mfd

we get a magic key.

The keys obtained can be copied into any RFID emulator, for example on Android, and the phone can then be used as the key.
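The dump mfoc wrote above is a raw 1024-byte image of the card: 64 blocks of 16 bytes, block 0 holding the UID, BCC, SAK and ATQA, and every fourth block being a sector trailer with Key A, the access bits and Key B. The Python script below is an added example, not code from this review or from nfc-tools: it audits such a dump for a consistent BCC, consistent access bits (an inconsistent trailer makes the sector unusable), sectors whose Key B is readable, and sectors still protected by the well-known keys mfoc tried above, and it compares two dumps block by block, which is how one confirms that only block 0 stayed different after nfc-mfclassic reported 63 of 64 blocks written. The sample image is constructed from the blank card's block 0 and the transport-configuration trailers (ff 07 80 69) shown in the dump above.

```python
"""Audit a MIFARE Classic 1K dump (.mfd) written by mfoc or nfc-mfclassic.

Added example, not from the review or from nfc-tools. A 1K dump is a raw
1024-byte image: 16 sectors x 4 blocks x 16 bytes. Block 0 is the
manufacturer block (UID, BCC, SAK, ATQA, vendor data); block 3 of every
sector is the trailer: Key A (6) | access bits (4) | Key B (6).
"""
from __future__ import annotations

BLOCK = 16
BLOCKS_1K = 64

# The well-known keys mfoc tried in the output above.
DEFAULT_KEYS = {
    "ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000",
    "b0b1b2b3b4b5", "4d3a99c351dd", "1a982c7e459a", "aabbccddeeff",
    "714c5c886e97", "587ee5f9350f", "a0478cc39091", "533cb6c723f6",
    "8fd0a4f256e9",
}

# Data-block access conditions indexed by (C1, C2, C3), per the MF1S50 datasheet.
DATA_COND = {
    (0, 0, 0): "read A|B, write A|B, inc A|B, dec A|B (transport)",
    (0, 1, 0): "read A|B, never write/inc/dec",
    (1, 0, 0): "read A|B, write B, never inc/dec",
    (1, 1, 0): "read A|B, write B, inc B, dec A|B",
    (0, 0, 1): "read A|B, never write/inc, dec A|B",
    (0, 1, 1): "read B, write B, never inc/dec",
    (1, 0, 1): "read B, never write/inc/dec",
    (1, 1, 1): "never read/write/inc/dec",
}
# Trailer conditions under which Key B can be read with Key A (so it is no secret).
TRAILER_KEYB_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def build_sample_dump() -> bytes:
    """Constructed image: block 0 and the trailers (ff 07 80 69 = transport
    configuration) match the blank card dumped above; data blocks are zero."""
    block0 = bytes.fromhex("dcb8f92db00804000109671b7549461d")
    trailer = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    return b"".join(block0 if b == 0 else trailer if b % 4 == 3 else bytes(BLOCK)
                    for b in range(BLOCKS_1K))


def parse_block0(dump: bytes) -> dict:
    """Decode the manufacturer block; BCC must equal the XOR of the 4 UID bytes."""
    uid = dump[0:4]
    calc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {"uid": uid.hex(), "bcc_ok": dump[4] == calc,
            "sak": dump[5], "atqa": dump[6:8].hex()}


def decode_access_bits(ab: bytes) -> list[tuple[int, int, int]] | None:
    """Return (C1, C2, C3) for blocks 0..3 of the sector, or None when the
    inverted copies in bytes 6-8 disagree (such a trailer bricks the sector)."""
    b6, b7, b8 = ab[0], ab[1], ab[2]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    nc1, nc2, nc3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0xF, 0xF, 0xF):
        return None
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def audit(dump: bytes) -> dict:
    """Walk every sector trailer and collect defender-relevant findings."""
    if len(dump) != BLOCKS_1K * BLOCK:
        raise ValueError(f"expected {BLOCKS_1K * BLOCK} bytes, got {len(dump)}")
    sectors, findings = [], []
    for s in range(BLOCKS_1K // 4):
        trailer = dump[(4 * s + 3) * BLOCK:(4 * s + 4) * BLOCK]
        key_a, ab, key_b = trailer[:6].hex(), trailer[6:10], trailer[10:].hex()
        cond = decode_access_bits(ab)
        info = {"sector": s, "key_a": key_a, "key_b": key_b,
                "access_ok": cond is not None, "key_b_readable": False}
        if cond is None:
            findings.append(f"sector {s}: inconsistent access bits {ab.hex()}, sector unusable")
        else:
            info["data_cond"] = [DATA_COND[c] for c in cond[:3]]
            info["key_b_readable"] = cond[3] in TRAILER_KEYB_READABLE
            if info["key_b_readable"]:
                findings.append(f"sector {s}: key B is readable with key A")
        for name, key in (("A", key_a), ("B", key_b)):
            if key in DEFAULT_KEYS:
                findings.append(f"sector {s}: key {name} is a well-known default ({key})")
        sectors.append(info)
    return {"block0": parse_block0(dump), "sectors": sectors, "findings": findings}


def diff_blocks(a: bytes, b: bytes) -> list[int]:
    """Block numbers whose 16 bytes differ between two dumps, e.g. the source
    dump and a re-read of the blank after writing: on a normal (non-magic)
    blank only block 0 is expected to remain different."""
    n = min(len(a), len(b)) // BLOCK
    return [i for i in range(n) if a[i * BLOCK:(i + 1) * BLOCK] != b[i * BLOCK:(i + 1) * BLOCK]]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    report = audit(data)
    b0 = report["block0"]
    print(f"UID {b0['uid']} SAK {b0['sak']:02x} ATQA {b0['atqa']} BCC {'ok' if b0['bcc_ok'] else 'MISMATCH'}")
    for line in report["findings"]:
        print(" -", line)
```

Run it with a dump path as the first argument to audit a real card image; without arguments it audits the constructed sample, which reports every sector as using the default key ffffffffffff with Key B readable, exactly the state of the blank card above.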

Conclusion

In the end I gained a lot of experience working with RFID,

but unfortunately making a copy without knowing one of the keys did not seem possible to me at the time;

thanks to Stewart8 the copy was made. Thanks to everyone, and I am very happy!

Links

nfc-tools project page on GitHub
ACR122U, mfcuk, and mfoc: Cracking MIFARE Classic on Arch Linux
Can’t recover keys from ‘weaker’ cards
Fixed mfcuk files

GoogleCodeExporter

mfcuk -C -R 0:A -v 1 -o lalal.dmp

mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com

WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_skgt.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_ratb.mfd'
WARN: cannot open template file 
'./data/tmpls_fingerprints/mfcuk_tmpl_oyster.mfd'

INFO: Connected to NFC reader: ACS / ACR122U PICC Interface



INITIAL ACTIONS MATRIX - UID fb d5 dc 7f - TYPE 0x08 (MC1K)
---------------------------------------------------------------------
Sector  |    Key A  |ACTS | RESL    |    Key B  |ACTS | RESL
---------------------------------------------------------------------
0   |  000000000000 | . R | . . |  000000000000 | . . | . .
1   |  000000000000 | . . | . . |  000000000000 | . . | . .
2   |  000000000000 | . . | . . |  000000000000 | . . | . .
3   |  000000000000 | . . | . . |  000000000000 | . . | . .
4   |  000000000000 | . . | . . |  000000000000 | . . | . .
5   |  000000000000 | . . | . . |  000000000000 | . . | . .
6   |  000000000000 | . . | . . |  000000000000 | . . | . .
7   |  000000000000 | . . | . . |  000000000000 | . . | . .
8   |  000000000000 | . . | . . |  000000000000 | . . | . .
9   |  000000000000 | . . | . . |  000000000000 | . . | . .
10  |  000000000000 | . . | . . |  000000000000 | . . | . .
11  |  000000000000 | . . | . . |  000000000000 | . . | . .
12  |  000000000000 | . . | . . |  000000000000 | . . | . .
13  |  000000000000 | . . | . . |  000000000000 | . . | . .
14  |  000000000000 | . . | . . |  000000000000 | . . | . .
15  |  000000000000 | . . | . . |  000000000000 | . . | . .


VERIFY: 
    Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f


ACTION RESULTS MATRIX AFTER VERIFY - UID fb d5 dc 7f - TYPE 0x08 (MC1K)
---------------------------------------------------------------------
Sector  |    Key A  |ACTS | RESL    |    Key B  |ACTS | RESL
---------------------------------------------------------------------
0   |  000000000000 | . R | . . |  000000000000 | . . | . .
1   |  000000000000 | . . | . . |  000000000000 | . . | . .
2   |  000000000000 | . . | . . |  000000000000 | . . | . .
3   |  000000000000 | . . | . . |  000000000000 | . . | . .
4   |  000000000000 | . . | . . |  000000000000 | . . | . .
5   |  000000000000 | . . | . . |  000000000000 | . . | . .
6   |  000000000000 | . . | . . |  000000000000 | . . | . .
7   |  000000000000 | . . | . . |  000000000000 | . . | . .
8   |  000000000000 | . . | . . |  000000000000 | . . | . .
9   |  000000000000 | . . | . . |  000000000000 | . . | . .
10  |  000000000000 | . . | . . |  000000000000 | . . | . .
11  |  000000000000 | . . | . . |  000000000000 | . . | . .
12  |  000000000000 | . . | . . |  000000000000 | . . | . .
13  |  000000000000 | . . | . . |  000000000000 | . . | . .
14  |  000000000000 | . . | . . |  000000000000 | . . | . .
15  |  000000000000 | . . | . . |  000000000000 | . . | . .


RECOVER:  0mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)
mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)


and it can't recover any key



Original issue reported on code.google.com by dcirie...@gmail.com on 1 Mar 2014 at 7:41

francescolarocca

I tried to recover keys from a Mifare Classic 1k with an ACR122U but the process never stops, any tips?

xavave

Hi,
This issue is still here …After adding more printf to debug code I saw that ACR122U fails transceive bits with always the same error NFC_ERFTRANS -20 (RF Transmission Error)

res = nfc_initiator_transceive_bits(pnd, abtArEnc, 64, abtArEncPar, abtRx, sizeof(abtRx), abtRxPar))

and res always= -20 —>NFC_ERFTRANS

error thrown here : https://github.com/nfc-tools/mfcuk/blob/master/src/mfcuk.c#L605

maybe this is related to Known Issues:
1. The tag fixation with ACR122 is not performing well if CPU is under high load (eg. Flash Movie playing in IE, etc.)
2. Either a bug in libnfc 1.2.1 or a bug in RATB card-types 0x88 consecutive authentication goes like — one fails, one ok, even though correct keys are used
2.a Maybe need to check AC bits?
2.b Maybe AC bits/0x88 cards need a read/write or failed operation in between for the «state» to be ok and next auth to be successful?

Does anyone have an idea how to solve known issue 2.b?

Originally posted by @xavave in #30 (comment)

fabioganga

Hello,

I am not too sure if I am actually having an issue, I have been running mfcuk for about 8 hours now with the command

mfcuk -C -R 0:A -s 250 -S 250 -v 3

to crack the key of my Mifare Classic 1K card.

Is it normal that I still am not having any results? How long does it usually take to find the first key?

Thanks!

Mik3Rizzo

Scenario

Tag: NPX Mifare Classic 1k, ISO14443A
Reader: ACR122U
Host: Raspberry Pi4, libnfc 1.8.0, mfcuk 0.3.8

Problem

Running sudo mfcuk -v 3 -C -R 0:A -w 6, the hit4 counter is stuck at 0 after 3+ hours of computation.

-----------------------------------------------------
Let me entertain you!
    uid: 63fb0244
   type: 08
    key: 000000000000
  block: 03
diff Nt: 331
   hit4: 0
  auths: 62876
-----------------------------------------------------

I got the same problem on other hosts, like a RPi2 and a Linux (Debian) PC with the same software.

I've two other tags, same type, same manufacturer, same host, same command. I got the key in less than 60 seconds. In these cases, the hit4 counter goes along with the auths counter (i.e. 180 hit4, 180 auths).

axiomatico

rosariodp20

Hello to everybody. Can anyone help me with this error?

rosario@rosario:~/mfcuk/src$ ./mfcuk -C -R 0:A -w 6 -v 3
mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com

TRESHOLD: 6

INFO: Connected to NFC reader: ACS / ACR122U PICC Interface

VERIFY: 
	Key A sectors: 0Errore di segmentazione (core dump creato)

rosario@rosario:~/mfcuk/src$ nfc-list
nfc-list uses libnfc 1.7.1
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): de  09  9e  6e  
      SAK (SEL_RES): 09  

charafsalmi

Hi,

It seems like there is an issue while trying to build on M1.

charaf@MBP mfcuk % autoreconf -is
 ./configure
 make
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... ./install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... gcc3
checking whether make supports nested variables... (cached) yes
checking for pkg-config... /opt/homebrew/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libnfc >= 1.7.0... yes
checking for inline... inline
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking for _Bool... yes
checking for stdbool.h that conforms to C99... yes
checking for size_t... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint64_t... yes
checking for uint8_t... yes
checking build system type... aarch64-apple-darwin21.6.0
checking host system type... aarch64-apple-darwin21.6.0
checking for GNU libc compatible malloc... yes
checking for GNU libc compatible realloc... yes
checking for memset... yes
checking for strchr... yes
checking for strtoul... yes
checking for endian.h... no
checking for sys/endian.h... no
checking for CoreFoundation/CoreFoundation.h... yes
checking for byteswap.h... no
checking for unistd.h... (cached) yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
/Library/Developer/CommandLineTools/usr/bin/make  all-recursive
Making all in src
  CC       mfcuk.o
mfcuk.c:154:4: warning: #warning is a language extension [-Wpedantic]
#  warning "No bswap function found! Using untested alternatives..."
   ^
mfcuk.c:154:4: warning: "No bswap function found! Using untested alternatives..." [-W#warnings]
mfcuk.c:1571:15: warning: result of comparison of constant 0 with expression of type 'bool' is always false [-Wtautological-constant-compare]
        if (0 > nfc_initiator_mifare_cmd(pnd, k, block, &mp)) {
            ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mfcuk.c:165:24: warning: unused function 'bswap_64' [-Wunused-function]
static inline uint64_t bswap_64(uint64_t x)
                       ^
mfcuk.c:237:17: warning: unused function 'mfcuk_verify_key_block' [-Wunused-function]
static uint32_t mfcuk_verify_key_block(nfc_device *pnd, uint32_t uiUID, uint64_t ui64Key, mifare_key_type bKeyType, uint8_t bTagType, uint32_t uiBlock)
                ^
5 warnings generated.
  CCLD     mfcuk

adamasstokhorst

I used two versions of MFCUK, one is the latest and another is a r55 binary that is precompiled and came with libnfc.dll (I had to provide libusb0.dll for this). I’m not sure what version of libnfc I have on both (probably different versions).

When compiling MFCUK, I did "autoreconf -is", "./configure", and "make". However, there was this message while executing the configure script (it still compiled though):
EDIT: link because GitHub removed lots of spaces: http://pastebin.com/kAhZwyeM

In both cases, I left MFCUK to recover a key (because MFOC couldn't do it and spent hours probing with no success), and when I came back to it, I returned to a screenful of "ERROR: mfcuk_key_recovery_block() (error code=0x09)"

I couldn’t find anything about error code 0x09 anywhere, any help would be appreciated.

alexislg2

Hello, I am running mfcuk on a single key from a single sector. It is running for long time but what is surprising to me is that I always get Diff Nt and Auth equals:

Let me entertain you!
uid:
type: 08
key: 000000000000
block: 03
diff Nt: 5936
auths: 5936

I tried with many different timeouts (including 250/250). Result is the same. Any idea?

Shadow7369124

Hello there,

I've used mfcuk to crack a key of a sector of a classic Mifare card and after a few hours I get endless spam of:
Endless mfcuk_key_recovery_block() error (code 0x09)

I’ve already tried mfoc to crack the key of that sector but nothing was found in 48h.

Could someone help me understand what the error means?

Thanks

axiomatico

Here is the timing experiment with the same commands on mfcuk and mfoc and the same tag&reader but different versions of nfc-tools.

Results (approx. minutes):

MFCUK 0.3.3, libnfc 1.5.1 & mfoc 0.10.3 > Time to obtain all keys: 15 min (2min mfcuk and 10min mfoc with only one probe by sector)

MFCUK 0.3.8, libnfc 1.7.1 & mfoc 0.10.7 > Time to obtain all keys: 60 min (15min mfcuk and 45min mfoc with 20-45 probes by sector)

In both cases I used these commands: «mfcuk -C -R 0:A -v 2» and «mfoc -k xxxxxxxxxxx -O keys.mfd -P 100»
Tag&reader: Mifare classic 1k tag, reader SCL3711.

Why are the latest versions of nfc-tools slower?

SPECTERR

Hello,

First of all, I thank the creators of these wonderful tools that make it easy for us! But I happen to have a problem, and I hope to find the solution here!
I have a Mifare Classic 1k card whose security makes me think of a Mifare Classic 1k Plus. Of course, I am trying to clone it to have another copy.
As said before, when I run mfcuk, Diff Nt and Auth always have the same value, over 2000. I do not know any key of the card; I also tried several combo lists through mfoc (keylist), but that did not give anything. I also tried going through MilazyCracker (with crapto1 / craptev1), same result (mfoc: ERROR: No sector encrypted with the default key, exiting …).
I asked myself a slightly crazy question, unless you have other solutions to offer me, ahah. Is it possible to ask mfoc to test all possible combinations (with as parameter: characters abcdef0123456789, length 12) on a single sector (e.g. 0:A) for a day, to land on the right combination? Knowing that generating a file with all combinations would be a 3 petabyte file, rather huge.
Once this combination is found, execute the basic mfoc «nested» attack to recover the remaining 15 and 16 sectors. I am counting on running it on a Raspberry Pi (low consumption, …).
The attack will be extremely, extremely, extremely long, … I know, … but I have no choice. There is the problem of a power outage, after which we must start all over again, problematic with an attack of such length.
I hope I have not rushed you with my questions, but I am at my last resort. If you wish to have additional information, or if you have other solutions, do not hesitate!
Thank you very much in advance!
PS: My apologies if you find spelling mistakes, I’m French :-)

SPECTERR.

xubuntu@xubuntu:~$ mfcuk -C -R 0:A -s 250 -S 250 -v 3 -w 6

mfcuk — 0.3.8
Mifare Classic DarkSide Key Recovery Tool — 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com

TRESHOLD: 6

INFO: Connected to NFC reader: ACS / ACR122U PICC Interface

VERIFY:
Key A sectors: 0Segmentation fault (core dumped)

What am I doing wrong?

0x5ECF4ULT

So I got that SmartMX card with 4k emulation and tried to run the release version 0.3.8
Standard command ./mfcuk -C -R -1 throws a segfault.
Time to start gdb… This is the output:

mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com


INFO: Connected to NFC reader: pn532_uart:/dev/ttyUSB0


VERIFY: 
	Key A sectors: 0
Program received signal SIGSEGV, Segmentation fault.
0x0000555555557295 in main (argc=<optimized out>, argv=<optimized out>) at mfcuk.c:1521
1521	      for (j = 0; (j < crntNumVerifKeys) && (ptr_trailer->abtAccessBits[action_byte] & ACTIONS_VERIFY) && !(ptr_trailer->abtAccessBits[result_byte] & ACTIONS_VERIFY); j++) {
(gdb) 

It seems like the program crashes at the verification of the keys.
The funny thing is that if the type parameter is given, it tries to authenticate but constantly throws error 0x08.
The card OS is «atrust-acos».

GoogleCodeExporter

What steps will reproduce the problem?
1. ./configure
2. make
3. src/mfcuk_keyrecovery_darkside -C


Original issue reported on code.google.com by romu...@libnfc.org on 1 Apr 2011 at 9:26

Stewart8

Like many others, I was unable to recover any keys, even from ‘blank’ cards with 0xffffffffffff default keys, getting an indefinite number of 0x03 errors.

Attempting to debug, I discovered that my cards were responding with NACK to all failed authentication attempts, regardless of parity bits, as described in section 4.3 of http://eprint.iacr.org/2009/137.pdf .

It appears that mfcuk 0.3.8 has no logic to detect or handle this behavior, and gets confused by assuming that all ‘hits’ have good plaintext parity, even though (with this card type) most do not.

I don’t know enough about cryptography to implement (or even understand) the elegant solution proposed in section 6.1 of the same paper.

However, I was able to recover keys by commenting out the parity checking logic in check_pfx_parity , putting candidate keys in a histogram table, and waiting until the same value was seen 4 times (with different nonces).

Sorry, I was just patching and don’t have any production code for this method (and I know it’s not the best method anyway).

The end result was that I got the desired data; many thanks for the program.

lam560

My ACR122U can detect the tag (ISO14443B-2 ST Rx) and shows me its UID.
But when I launch MFCUK, I get: Error no tag was found

  1. help using rfid-tools & mfcuk

    I installed rfid-tools and am trying to figure out how to use mfcuk. I believe I installed libnfc, because I went into the Ubuntu store and installed anything that had to do with libnfc. How do I use mfcuk now? I’m under the assumption that I can use mfcuk to find the first key, then afterward use mfoc to find the rest. How do I do this? There are absolutely no guides anywhere at all about this. It’s really annoying.


  2. Re: help using rfid-tools & mfcuk

    Kinda got it working. It detected my reader; I tried it on a blank card and got
    tom@tom-3570R-370R-470R-450R-510R-4450RV:~$ mfcuk -C -R 0

    mfcuk — 0.3.2
    Mifare Classic DarkSide Key Recovery Tool — 0.3
    by Andrei Costin, zveriu@gmail.com, http://andreicostin.com

    INFO: Connected to NFC reader: ACS ACR122U PICC Interface 00 00 / ACR122U213 — PN532 v1.6 (0x07)

    VERIFY:
    Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

    RECOVER: 0^C
    tom@tom-3570R-370R-470R-450R-510R-4450RV:~$
    Soo I guess it knows my card reader is there n stuff.

    I tried it with something that has keys I don’t know and got this
    tom@tom-3570R-370R-470R-450R-510R-4450RV:~$ mfcuk -C -R 0

    mfcuk — 0.3.2
    Mifare Classic DarkSide Key Recovery Tool — 0.3
    by Andrei Costin, snip, http://andreicostin.com

    INFO: Connected to NFC reader: ACS ACR122U PICC Interface 00 00 / ACR122U213 — PN532 v1.6 (0x07)

    VERIFY:
    Key A sectors: 0Bus error (core dumped)
    tom@tom-3570R-370R-470R-450R-510R-4450RV:~$

    I don’t even know what this code means. It just looked like people were typing that and getting results… Can someone give me something to work with!!!

    Last edited by cariboo; January 28th, 2015 at 07:48 PM.

    Reason: removed email address for safety


  3. Re: help using rfid-tools & mfcuk

    Now I think when I put a blank card on it, it just hangs, because when I try to x out of the terminal window it tells me something is still running. I left it up while I took a shower, which is like 30 minutes. So for thirty minutes the same screen hung there… Can someone please just point me in the right direction here? Give me something to start with? Anyone at all?


  4. Re: help using rfid-tools & mfcuk

    We don’t support this type of activity here. Thread closed.

    You may want to try here to get your problem solved.

