Closed socram8888 closed 3 years ago
Interesting, run gdb and see if there is a memory leak leading to the segmentation fault.
Running with GDB and debug on the same card:
[usb] pm3 --> hf mf hardnested 8 a 749934CC8ED3 0 a s
[=] Target block no: 0, target key type:A, known target key: 0x000000000000 (not set)
[=] File action: none, Slow: Yes, Tests: 0
[+] Using AVX2 SIMD core.
[New Thread 0x7ffffda90700 (LWP 23329)]
[New Thread 0x7ffff7ff0700 (LWP 23330)]
[New Thread 0x7ffffd280700 (LWP 23331)]
[New Thread 0x7ffffca70700 (LWP 23332)]
[Thread 0x7ffffda90700 (LWP 23329) exited]
[Thread 0x7ffff7ff0700 (LWP 23330) exited]
[Thread 0x7ffffca70700 (LWP 23332) exited]
[Thread 0x7ffffd280700 (LWP 23331) exited]
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 132 million (2^27.0) keys/s | 140737488355328 | 12d
21 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 12d
[#] AcquireNonces: Auth1 error
[New Thread 0x7ffffca70700 (LWP 23333)]
[New Thread 0x7ffffd280700 (LWP 23334)]
[New Thread 0x7ffff7ff0700 (LWP 23335)]
[New Thread 0x7ffffda90700 (LWP 23336)]
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffffca70700 (LWP 23333) exited]
[Thread 0x7ffffda90700 (LWP 23336) exited]
[Thread 0x7ffffd280700 (LWP 23334) exited]
32 | 112 | Apply bit flip properties | 2847574327296 | 6h
[Thread 0x7ffff7ff0700 (LWP 23335) exited]
[New Thread 0x7ffffda90700 (LWP 23337)]
[New Thread 0x7ffff7ff0700 (LWP 23338)]
[New Thread 0x7ffffd280700 (LWP 23339)]
[New Thread 0x7ffffca70700 (LWP 23340)]
[#] AcquireNonces: Auth2 error len=1
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth2 error len=1
[Thread 0x7ffffca70700 (LWP 23340) exited]
[Thread 0x7ffffda90700 (LWP 23337) exited]
[Thread 0x7ffffd280700 (LWP 23339) exited]
33 | 223 | Apply bit flip properties | 2248744894464 | 5h
[Thread 0x7ffff7ff0700 (LWP 23338) exited]
[New Thread 0x7ffffca70700 (LWP 23341)]
[New Thread 0x7ffffd280700 (LWP 23342)]
[New Thread 0x7ffff7ff0700 (LWP 23343)]
[New Thread 0x7ffffda90700 (LWP 23344)]
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth2 error len=1
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffff7ff0700 (LWP 23343) exited]
[Thread 0x7ffffca70700 (LWP 23341) exited]
[Thread 0x7ffffda90700 (LWP 23344) exited]
34 | 334 | Apply bit flip properties | 2095387901952 | 4h
[Thread 0x7ffffd280700 (LWP 23342) exited]
[New Thread 0x7ffffda90700 (LWP 23345)]
[New Thread 0x7ffff7ff0700 (LWP 23346)]
[New Thread 0x7ffffd280700 (LWP 23347)]
[New Thread 0x7ffffca70700 (LWP 23348)]
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffffda90700 (LWP 23345) exited]
[Thread 0x7ffffd280700 (LWP 23347) exited]
[Thread 0x7ffff7ff0700 (LWP 23346) exited]
[Thread 0x7ffffca70700 (LWP 23348) exited]
35 | 446 | Apply bit flip properties | 2095387901952 | 4h
[New Thread 0x7ffffca70700 (LWP 23349)]
[New Thread 0x7ffffd280700 (LWP 23350)]
[New Thread 0x7ffff7ff0700 (LWP 23351)]
[New Thread 0x7ffffda90700 (LWP 23352)]
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth2 error len=1
[Thread 0x7ffff7ff0700 (LWP 23351) exited]
[Thread 0x7ffffca70700 (LWP 23349) exited]
[Thread 0x7ffffd280700 (LWP 23350) exited]
36 | 558 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffda90700 (LWP 23352) exited]
[New Thread 0x7ffffda90700 (LWP 23353)]
[New Thread 0x7ffff7ff0700 (LWP 23354)]
[New Thread 0x7ffffd280700 (LWP 23355)]
[New Thread 0x7ffffca70700 (LWP 23356)]
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffffca70700 (LWP 23356) exited]
[Thread 0x7ffff7ff0700 (LWP 23354) exited]
[Thread 0x7ffffd280700 (LWP 23355) exited]
37 | 670 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffda90700 (LWP 23353) exited]
[New Thread 0x7ffffca70700 (LWP 23357)]
[New Thread 0x7ffffd280700 (LWP 23358)]
[New Thread 0x7ffff7ff0700 (LWP 23359)]
[New Thread 0x7ffffda90700 (LWP 23360)]
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffffda90700 (LWP 23360) exited]
[Thread 0x7ffffca70700 (LWP 23357) exited]
[Thread 0x7ffff7ff0700 (LWP 23359) exited]
39 | 782 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffd280700 (LWP 23358) exited]
[New Thread 0x7ffffda90700 (LWP 23361)]
[New Thread 0x7ffff7ff0700 (LWP 23362)]
[New Thread 0x7ffffd280700 (LWP 23363)]
[New Thread 0x7ffffca70700 (LWP 23364)]
[#] AcquireNonces: Auth2 error len=1
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffffd280700 (LWP 23363) exited]
[Thread 0x7ffff7ff0700 (LWP 23362) exited]
[Thread 0x7ffffda90700 (LWP 23361) exited]
40 | 893 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffca70700 (LWP 23364) exited]
[New Thread 0x7ffffca70700 (LWP 23365)]
[New Thread 0x7ffffd280700 (LWP 23366)]
[New Thread 0x7ffff7ff0700 (LWP 23367)]
[New Thread 0x7ffffda90700 (LWP 23368)]
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffffd280700 (LWP 23366) exited]
[Thread 0x7ffffca70700 (LWP 23365) exited]
[Thread 0x7ffffda90700 (LWP 23368) exited]
41 | 1004 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffff7ff0700 (LWP 23367) exited]
[New Thread 0x7ffffda90700 (LWP 23369)]
[New Thread 0x7ffff7ff0700 (LWP 23370)]
[New Thread 0x7ffffd280700 (LWP 23371)]
[New Thread 0x7ffffca70700 (LWP 23372)]
[#] AcquireNonces: Can't select card (UID)
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffffca70700 (LWP 23372) exited]
[Thread 0x7ffffda90700 (LWP 23369) exited]
[Thread 0x7ffffd280700 (LWP 23371) exited]
42 | 1114 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffff7ff0700 (LWP 23370) exited]
[New Thread 0x7ffffca70700 (LWP 23373)]
[New Thread 0x7ffffd280700 (LWP 23374)]
[New Thread 0x7ffff7ff0700 (LWP 23375)]
[New Thread 0x7ffffda90700 (LWP 23376)]
[Thread 0x7ffffda90700 (LWP 23376) exited]
[Thread 0x7ffffd280700 (LWP 23374) exited]
[Thread 0x7ffff7ff0700 (LWP 23375) exited]
43 | 1223 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffca70700 (LWP 23373) exited]
[New Thread 0x7ffffda90700 (LWP 23377)]
[New Thread 0x7ffff7ff0700 (LWP 23378)]
[New Thread 0x7ffffd280700 (LWP 23379)]
[New Thread 0x7ffffca70700 (LWP 23380)]
[#] AcquireNonces: Auth2 error len=1
[Thread 0x7ffff7ff0700 (LWP 23378) exited]
[Thread 0x7ffffca70700 (LWP 23380) exited]
[Thread 0x7ffffda90700 (LWP 23377) exited]
45 | 1332 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffd280700 (LWP 23379) exited]
[New Thread 0x7ffffca70700 (LWP 23381)]
[New Thread 0x7ffffd280700 (LWP 23382)]
[New Thread 0x7ffff7ff0700 (LWP 23383)]
[New Thread 0x7ffffda90700 (LWP 23384)]
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth2 error len=1
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffffda90700 (LWP 23384) exited]
[Thread 0x7ffffca70700 (LWP 23381) exited]
[Thread 0x7ffff7ff0700 (LWP 23383) exited]
46 | 1443 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffd280700 (LWP 23382) exited]
[New Thread 0x7ffffda90700 (LWP 23385)]
[New Thread 0x7ffff7ff0700 (LWP 23386)]
[New Thread 0x7ffffd280700 (LWP 23387)]
[New Thread 0x7ffffca70700 (LWP 23388)]
[#] AcquireNonces: Auth2 error len=1
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth2 error len=1
[Thread 0x7ffffda90700 (LWP 23385) exited]
[Thread 0x7ffff7ff0700 (LWP 23386) exited]
[Thread 0x7ffffca70700 (LWP 23388) exited]
47 | 1554 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffd280700 (LWP 23387) exited]
[New Thread 0x7ffffca70700 (LWP 23389)]
[New Thread 0x7ffffd280700 (LWP 23390)]
[New Thread 0x7ffff7ff0700 (LWP 23391)]
[New Thread 0x7ffffda90700 (LWP 23392)]
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffffd280700 (LWP 23390) exited]
[Thread 0x7ffffca70700 (LWP 23389) exited]
[Thread 0x7ffffda90700 (LWP 23392) exited]
48 | 1663 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffff7ff0700 (LWP 23391) exited]
[New Thread 0x7ffffda90700 (LWP 23393)]
[New Thread 0x7ffff7ff0700 (LWP 23394)]
[New Thread 0x7ffffd280700 (LWP 23395)]
[New Thread 0x7ffffca70700 (LWP 23396)]
[Thread 0x7ffffd280700 (LWP 23395) exited]
[Thread 0x7ffffda90700 (LWP 23393) exited]
[Thread 0x7ffffca70700 (LWP 23396) exited]
49 | 1772 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffff7ff0700 (LWP 23394) exited]
[New Thread 0x7ffffca70700 (LWP 23397)]
[New Thread 0x7ffffd280700 (LWP 23398)]
[New Thread 0x7ffff7ff0700 (LWP 23399)]
[New Thread 0x7ffffda90700 (LWP 23400)]
[#] AcquireNonces: Auth2 error len=1
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth2 error len=1
[#] AcquireNonces: Can't select card (UID)
[Thread 0x7ffff7ff0700 (LWP 23399) exited]
[Thread 0x7ffffd280700 (LWP 23398) exited]
[Thread 0x7ffffca70700 (LWP 23397) exited]
50 | 1881 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffda90700 (LWP 23400) exited]
[New Thread 0x7ffffda90700 (LWP 23401)]
[New Thread 0x7ffff7ff0700 (LWP 23402)]
[New Thread 0x7ffffd280700 (LWP 23403)]
[New Thread 0x7ffffca70700 (LWP 23404)]
[#] AcquireNonces: Auth1 error
[#] AcquireNonces: Auth1 error
[Thread 0x7ffffd280700 (LWP 23403) exited]
[Thread 0x7ffff7ff0700 (LWP 23402) exited]
[Thread 0x7ffffda90700 (LWP 23401) exited]
52 | 1991 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffca70700 (LWP 23404) exited]
[New Thread 0x7ffffca70700 (LWP 23405)]
[New Thread 0x7ffffd280700 (LWP 23406)]
[New Thread 0x7ffff7ff0700 (LWP 23407)]
[New Thread 0x7ffffda90700 (LWP 23408)]
[Thread 0x7ffffca70700 (LWP 23405) exited]
[Thread 0x7ffffda90700 (LWP 23408) exited]
[Thread 0x7ffffd280700 (LWP 23406) exited]
53 | 2098 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffff7ff0700 (LWP 23407) exited]
[New Thread 0x7ffffda90700 (LWP 23409)]
[New Thread 0x7ffff7ff0700 (LWP 23410)]
[New Thread 0x7ffffd280700 (LWP 23411)]
[New Thread 0x7ffffca70700 (LWP 23412)]
[Thread 0x7ffffd280700 (LWP 23411) exited]
[Thread 0x7ffff7ff0700 (LWP 23410) exited]
[Thread 0x7ffffca70700 (LWP 23412) exited]
54 | 2204 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffda90700 (LWP 23409) exited]
[New Thread 0x7ffffca70700 (LWP 23413)]
[New Thread 0x7ffffd280700 (LWP 23414)]
[New Thread 0x7ffff7ff0700 (LWP 23415)]
[New Thread 0x7ffffda90700 (LWP 23416)]
[Thread 0x7ffffca70700 (LWP 23413) exited]
[Thread 0x7ffffda90700 (LWP 23416) exited]
[Thread 0x7ffffd280700 (LWP 23414) exited]
55 | 2311 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffff7ff0700 (LWP 23415) exited]
[New Thread 0x7ffffda90700 (LWP 23417)]
[New Thread 0x7ffff7ff0700 (LWP 23418)]
[New Thread 0x7ffffd280700 (LWP 23419)]
[New Thread 0x7ffffca70700 (LWP 23420)]
[Thread 0x7ffffca70700 (LWP 23420) exited]
[Thread 0x7ffffd280700 (LWP 23419) exited]
[Thread 0x7ffff7ff0700 (LWP 23418) exited]
56 | 2419 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffda90700 (LWP 23417) exited]
[New Thread 0x7ffffca70700 (LWP 23421)]
[New Thread 0x7ffffd280700 (LWP 23422)]
[New Thread 0x7ffff7ff0700 (LWP 23423)]
[New Thread 0x7ffffda90700 (LWP 23424)]
[Thread 0x7ffffca70700 (LWP 23421) exited]
[Thread 0x7ffffd280700 (LWP 23422) exited]
[Thread 0x7ffff7ff0700 (LWP 23423) exited]
57 | 2527 | Apply bit flip properties | 0 | 0s
[Thread 0x7ffffda90700 (LWP 23424) exited]
Thread 1 "proxmark3" received signal SIGSEGV, Segmentation fault.
0x0000000008189856 in count_bitarray_AND_AVX2 (A=0x2f5af080, B=0xe) at hardnested_bitarray_core.c:212
212 A[i] &= B[i];
Backtrace:
(gdb) bt
#0 0x0000000008189856 in count_bitarray_AND_AVX2 (A=0x2f5af080, B=0xe) at hardnested_bitarray_core.c:212
#1 0x00000000081817b0 in count_bitarray_AND (A=0x2f5af080, B=0xe) at hardnested_bitarray_core.c:571
#2 0x00000000080a96aa in apply_sum_a0 () at src/cmdhfmfhard.c:1277
#3 0x00000000080aa0d9 in acquire_nonces (blockNo=8 '\b', keyType=0 '\000', key=0x7ffffffeddb0 "t\231\064", <incomplete sequence \323>, trgBlockNo=0 '\000', trgKeyType=0 '\000', nonce_file_write=false, slow=true, filename=0x7ffffffed9c0 "") at src/cmdhfmfhard.c:1481
#4 0x00000000080ad384 in mfnestedhard (blockNo=8 '\b', keyType=0 '\000', key=0x7ffffffeddb0 "t\231\064", <incomplete sequence \323>, trgBlockNo=0 '\000', trgKeyType=0 '\000', trgkey=0x0, nonce_file_read=false, nonce_file_write=false, slow=true, tests=0, foundkey=0x7ffffffed5d8, filename=0x7ffffffed9c0 "") at src/cmdhfmfhard.c:2323
#5 0x0000000008089f09 in CmdHF14AMfNestedHard (Cmd=0x881d151 "8 a 749934CC8ED3 0 a s") at src/cmdhfmf.c:1973
#6 0x0000000008104732 in CmdsParse (Commands=0x829da60 <CommandTable>, Cmd=0x881d146 "hardnested 8 a 749934CC8ED3 0 a s") at src/cmdparser.c:250
#7 0x0000000008094535 in CmdHFMF (Cmd=0x881d146 "hardnested 8 a 749934CC8ED3 0 a s") at src/cmdhfmf.c:5474
#8 0x0000000008104732 in CmdsParse (Commands=0x829c460 <CommandTable>, Cmd=0x881d143 "mf hardnested 8 a 749934CC8ED3 0 a s") at src/cmdparser.c:250
#9 0x00000000080527b5 in CmdHF (Cmd=0x881d143 "mf hardnested 8 a 749934CC8ED3 0 a s") at src/cmdhf.c:390
#10 0x0000000008104732 in CmdsParse (Commands=0x82a1540 <CommandTable>, Cmd=0x881d140 "hf mf hardnested 8 a 749934CC8ED3 0 a s") at src/cmdparser.c:250
#11 0x0000000008103e79 in CommandReceived (Cmd=0x881d140 "hf mf hardnested 8 a 749934CC8ED3 0 a s") at src/cmdmain.c:306
#12 0x000000000814dc3a in main_loop (script_cmds_file=0x0, script_cmd=0x0, stayInCommandLoop=false) at src/proxmark3.c:422
#13 0x000000000814f7eb in main (argc=2, argv=0x7ffffffee598) at src/proxmark3.c:1074
I've stumbled upon this bug again with another tag. Pinging @pwpiwi as per @iceman1001's recommendation. Using:
hf mf hardnested r f hf-mf-02520397-nonces_8_b_crashed.bin
The result seems to vary between yielding NaNs and crashing:
AVX2...
On my WSL-1, Ubuntu 20.04, I get the NaN but it doesn't crash.
For the record, this issue seems to also affect azcid's original bitslice implementation, on which I think Proxmark's is based. Running that program with this trace also causes a segmentation fault:
Here's one ZIP with three sets of nonces. One succeeds and yields the correct password, another fails "gracefully" with NaNs. The third one, if run after either of the first two, will crash 100% of the time.
I was a little bored and did some digging. The crash is caused by a wrong VECTOR_SIZE at hardnested_bf_core.c:234, where bs_ones.bytes only has 8 elements but VECTOR_SIZE is 16. When fixing this, hardnested will go into NaN. This is what @iceman1001 also noticed.
The reason why it goes into NaN is that every states_bitarray is empty, but I have very limited knowledge on how hardnested works. My understanding is that this bug is caused by a faulty nonces collection. Maybe caused by VECTOR_SIZE?
@socram8888 it would be interesting to see if this issue happens on an ARM device, as it would force skipping all CPU optimizations.
Not sure if I can help here - I cannot confirm the issue on Official Repo:
proxmark3> hf mf hard r f hf-mf-02520397-nonces_8_b_crashed.bin
--target block no: 0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0
Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 832 million (2^29.6) keys/s | 140737488355328 | 2d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
3 | 0 | Reading nonces from file nonces.bin... | 140737488355328 | 2d
9 | 2576 | (1. guess: Sum(a8) = 256) | 43343982592 | 52s
11 | 2576 | Apply Sum(a8) and all bytes bitflip properties | 22471231488 | 27s
11 | 2576 | Starting brute force... | 43343982592 | 52s
13 | 2576 | (2. guess: Sum(a8) = 224) | 168287371264 | 3min
15 | 2576 | Apply Sum(a8) and all bytes bitflip properties | 162218934272 | 3min
15 | 2576 | Starting brute force... | 168287371264 | 3min
16 | 2576 | (3. guess: Sum(a8) = 192) | 266080583680 | 5min
19 | 2576 | Apply Sum(a8) and all bytes bitflip properties | 226682142720 | 5min
19 | 2576 | Starting brute force... | 266080583680 | 5min
21 | 2576 | Brute force phase completed. Key found: 26940b21ff5d | 0 | 0s
proxmark3> hf mf hard r f hf-mf-02520397-nonces_8_b_failed.bin
--target block no: 0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0
Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 682 million (2^29.3) keys/s | 140737488355328 | 2d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
3 | 0 | Reading nonces from file nonces.bin... | 140737488355328 | 2d
9 | 2576 | (1. guess: Sum(a8) = 256) | 96781238272 | 2min
10 | 2576 | Apply Sum(a8) and all bytes bitflip properties | 75909160960 | 2min
12 | 2576 | (2. guess: Sum(a8) = 224) | 574836310016 | 14min
14 | 2576 | Apply Sum(a8) and all bytes bitflip properties | 568768790528 | 14min
14 | 2576 | Starting brute force... | 574836310016 | 14min
16 | 2576 | (3. guess: Sum(a8) = 192) | 934388105216 | 23min
19 | 2576 | Apply Sum(a8) and all bytes bitflip properties | 894989238272 | 22min
20 | 2576 | Brute force phase completed. Key found: 26940b21ff5d | 0 | 0s
proxmark3> hf mf hard r f hf-mf-02520397-nonces_8_b_success.bin
--target block no: 0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0
Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 738 million (2^29.5) keys/s | 140737488355328 | 2d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
3 | 0 | Reading nonces from file nonces.bin... | 140737488355328 | 2d
9 | 2576 | (1. guess: Sum(a8) = 256) | 185844023296 | 4min
11 | 2576 | Apply Sum(a8) and all bytes bitflip properties | 164971036672 | 4min
11 | 2576 | Starting brute force... | 185844023296 | 4min
13 | 2576 | (2. guess: Sum(a8) = 224) | 1252417994752 | 28min
15 | 2576 | Apply Sum(a8) and all bytes bitflip properties | 1246351982592 | 28min
16 | 2576 | (3. guess: Sum(a8) = 192) | 2048233570304 | 46min
19 | 2576 | Apply Sum(a8) and all bytes bitflip properties | 2008834244608 | 45min
21 | 2576 | Brute force phase completed. Key found: 26940b21ff5d | 0 | 0s
@Gator96100: Nope. bs_ones.bytes has MAX_BITSLICES / 8 elements. And we have #define VECTOR_SIZE (MAX_BITSLICES/8). Therefore no issue at hardnested_bf_core.c:234
Hm, are you running another version of the official client? I don't see an "f" param in hardnested. It seems to be printing "nonces.bin" too.
On my WSL-1 / Ubuntu 20.02, GCC 9.3.0 with the latest official repo I get NaN for the failed one.
iceman@TAU:~/offical$ uname -a
Linux TAU 4.4.0-19041-Microsoft #488-Microsoft Mon Sep 01 13:43:00 PST 2020 x86_64 x86_64 x86_64 GNU/Linux
iceman@TAU:~/offical$ gcc --version
gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
iceman@TAU:~/offical$ git status
On branch master
Your branch is up to date with 'origin/master'.
iceman@TAU:~/offical$ cp ../pm3_rrg/hf-mf-02520397-nonces_8_b_failed.bin nonces.bin
iceman@TAU:~/offical$ ./client/proxmark3 /dev/ttyS3
proxmark3> hf mf hard r
--target block no: 0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0
Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 2692 million (2^31.3) keys/s | 140737488355328 | 15h
2 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 15h
4 | 0 | Reading nonces from file nonces.bin... | 140737488355328 | 15h
4 | 2352 | Read 2352 nonces from file. cuid=02520397 | 140737488355328 | 15h
10 | 2352 | (1. guess: Sum(a8) = 256) | 172903488 | 0s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 172903488 | 0s
10 | 2352 | (2. guess: Sum(a8) = 224) | 662762368 | 0s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 660299072 | 0s
10 | 2352 | (3. guess: Sum(a8) = 192) | 1602485504 | 1s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 1598877696 | 1s
10 | 2352 | Starting brute force... | 1602485504 | 1s
10 | 2352 | (4. guess: Sum(a8) = 160) | 6465369600 | 2s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 4884802048 | 2s
10 | 2352 | (5. guess: Sum(a8) = 176) | 9887611904 | 4s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 9791420416 | 4s
10 | 2352 | (6. guess: Sum(a8) = 128) | 13637745664 | 5s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 1706415872 | 1s
10 | 2352 | (7. guess: Sum(a8) = 144) | 2447330560 | 1s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 774127744 | 0s
10 | 2352 | Starting brute force... | 2447330560 | 1s
10 | 2352 | (8. guess: Sum(a8) = 200) | 1332744064 | 0s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 1328216576 | 0s
10 | 2352 | (9. guess: Sum(a8) = 136) | 2176605184 | 1s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 336858208 | 0s
10 | 2352 | (10. guess: Sum(a8) = 152) | 708820160 | 0s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 497411904 | 0s
10 | 2352 | (11. guess: Sum(a8) = 120) | 2315717376 | 1s
10 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 476113632 | 0s
10 | 2352 | Starting brute force... | 2315717376 | 1s
10 | 2352 | (12. guess: Sum(a8) = 112) | 1853415040 | 1s
11 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 180533184 | 0s
11 | 2352 | (13. guess: Sum(a8) = 96) | 1654045440 | 1s
11 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 73756920 | 0s
11 | 2352 | (14. guess: Sum(a8) = 104) | 217532320 | 0s
11 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 6125606 | 0s
11 | 2352 | (15. guess: Sum(a8) = 80) | 163280608 | 0s
11 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 67121448 | 0s
11 | 2352 | (16. guess: Sum(a8) = 64) | 549649344 | 0s
11 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 5084 | 0s
11 | 2352 | (17. guess: Sum(a8) = 56) | 5270172 | 0s
11 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 736812 | 0s
11 | 2352 | (18. guess: Sum(a8) = 32) | 95058088 | 0s
11 | 2352 | Apply Sum(a8) and all bytes bitflip properties | 0 | 0s
11 | 2352 | (19. guess: Sum(a8) = 0) | -nan | -nand
11 | 2352 | Apply Sum(a8) and all bytes bitflip properties | -nan | -nand
proxmark3>
@pwpiwi You are correct that bs_ones.bytes and VECTOR_SIZE have the same size; it was a visual bug that let me think they are not the same size. However, it does have a segmentation fault at hardnested_bf_core.c:234.
@pwpiwi feel free to join the discord server, https://discord.gg/8yYTKGVf
Indeed, f option doesn't exist on official repo and is silently ignored. After copying to nonces.bin I can confirm the error on official repo. It is some time ago since I had looked into the code but I will have a look...
I am anonymous and "read only" on discord.
I can imagine the sheer number of people trying to get hold of you, but so far the discord server has been cordial to all the famous ones who are there. And still, we all love to see you active again :)
So the error is not on the memcpy line but the alloc just before. p->len[EVEN_STATE] becomes 0 and the bucket_size alloc on the stack becomes far too large.
If in brute_force_bs I check for len too, it doesn't crash anymore:
if (p->states[ODD_STATE] != NULL && p->states[EVEN_STATE] != NULL &&
    p->len[ODD_STATE] != 0 && p->len[EVEN_STATE] != 0) {
but warning: having defined states pointers while len is zero is weird...
When I add a breakpoint there, and since I am manually stepping, the failed nonce file acts differently. It's almost like a race condition...
The failed one doesn't have this len=0, only the crashed one.
...is that p-> pointer thread safe?? I get a sneaky feeling the crash is threads based.
The len = 0 patch: I am wrong. It's not thread concurrency, it's with the candidate generation.
And with that I give up.
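As an added illustration (not code from proxmark3 or from anyone in this thread) of the two checks discussed above, the pointer-plus-length guard from the brute_force_bs snippet and a NaN-free time estimate for the empty-states case, here is a constructed C model. bucket_t, MAX_BUCKET_STATES, process_bucket and expected_seconds are assumed names; only the states/len field names mirror the ones quoted in the thread, and the per-bucket work is a stand-in, not the bitsliced brute force.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum { EVEN_STATE = 0, ODD_STATE = 1 };

/* Constructed model of a candidate bucket (not proxmark3's struct): one state
 * array and its length per parity, the two fields the thread's check looks at. */
typedef struct {
    uint32_t *states[2];
    uint32_t  len[2];
} bucket_t;

/* Upper bound assumed for this example; the real limit is project-specific. */
#define MAX_BUCKET_STATES 4096u

/* A bucket is usable only if both parities have a non-NULL array AND a
 * non-zero length within the bound. A non-NULL pointer with len == 0 is the
 * inconsistent state reported in the thread, so it is rejected here. */
bool bucket_is_sane(const bucket_t *p) {
    if (p == NULL) return false;
    for (int parity = EVEN_STATE; parity <= ODD_STATE; parity++) {
        if (p->states[parity] == NULL) return false;
        if (p->len[parity] == 0) return false;
        if (p->len[parity] > MAX_BUCKET_STATES) return false;
    }
    return true;
}

/* Stand-in for the per-bucket work: pair every even state with every odd
 * state and count pairs whose low nibble agrees. The scratch buffer is sized
 * from the validated lengths and lives on the heap, so a bogus len cannot
 * turn into an oversized stack allocation.
 * Returns the match count, -1 for a rejected bucket, -2 on allocation failure. */
long process_bucket(const bucket_t *p) {
    if (!bucket_is_sane(p)) return -1;
    size_t n_even = p->len[EVEN_STATE], n_odd = p->len[ODD_STATE];
    uint8_t *scratch = calloc(n_even * n_odd, sizeof *scratch);
    if (scratch == NULL) return -2;
    long matches = 0;
    for (size_t i = 0; i < n_even; i++) {
        for (size_t j = 0; j < n_odd; j++) {
            uint32_t diff = p->states[EVEN_STATE][i] ^ p->states[ODD_STATE][j];
            if ((diff & 0xf) == 0) {
                scratch[i * n_odd + j] = 1;   /* mark the surviving pair */
                matches++;
            }
        }
    }
    free(scratch);
    return matches;
}

/* Expected brute-force time in seconds. Returns -1.0 instead of letting a
 * zero state count, zero rate or NaN input propagate into the progress table. */
double expected_seconds(double total_states, double keys_per_second) {
    if (!(total_states > 0.0) || !(keys_per_second > 0.0)) return -1.0;
    return total_states / keys_per_second;
}

int main(void) {
    /* Constructed sample data: one healthy bucket, one with non-NULL
     * pointers but len == 0, and one whose len exceeds the bound. */
    uint32_t even[] = { 0x10, 0x21, 0x32 };
    uint32_t odd[]  = { 0x40, 0x51, 0x63 };
    bucket_t healthy   = { { even, odd }, { 3, 3 } };
    bucket_t zero_len  = { { even, odd }, { 3, 0 } };
    bucket_t oversized = { { even, odd }, { 3, 0xffffffffu } };
    printf("healthy:   %ld\n", process_bucket(&healthy));    /* 2 */
    printf("zero_len:  %ld\n", process_bucket(&zero_len));   /* -1 */
    printf("oversized: %ld\n", process_bucket(&oversized));  /* -1 */
    printf("eta(0 states): %.1f\n", expected_seconds(0, 132e6)); /* -1.0 */
    return 0;
}
```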
@socram8888 please try latest. It should solve the crash at least.
@doegox indeed, the crash has been solved.
@pwpiwi I see you managed to crack all three files. If you were running an older version, do you know from when or the specific commit? We could try diffing the hardnested files to find if there's any regression.
No, he confirmed the error is on official repo too (https://github.com/RfidResearchGroup/proxmark3/issues/1085#issuecomment-766735189)
Not sure, in https://github.com/RfidResearchGroup/proxmark3/issues/1085#issuecomment-766408559 he did manage to crack them
EDIT: My bad, just realized he's cracking a different file due to the lack of f switch.
@socram8888: all three nonce files in your nonce pack belong to the same card with key bb1502c29e80 ?
Yes, same card and same sector. It's a public transport card, a Mifare Plus in SL1.
@socram8888 some news? or can we close this one as not resolved
Can't say anything, I've not tried this attack since last time, when it was broken. Unless somebody has re-checked the attack's code, it should still be broken.
ok, closing because of no progress.
While running the hardnested against some (probably) original Mifare Plus 1K 4-byte NUID cards, if there's any kind of authentication error, there's a high chance that the attack will fail with:
Hw version:
Hw status:
Successful attack:
Failed attack where it aborts with no result:
Times going NaN:
Segfaulting:
The hardware does not seem to be to blame, as by repeatedly running the attack it got each and every key. Also interesting is that, between a failed and a successful attack, the position of the tag itself didn't change, so it is probably some software-related timing issue that is not being gracefully handled.