RfidResearchGroup / proxmark3

Iceman Fork - Proxmark3
http://www.icedev.se
GNU General Public License v3.0

Proxmark3 RDV4 stuck at hardnested #1734

Closed radeksh closed 2 years ago

radeksh commented 2 years ago

Hello, I have a problem with my brand new Proxmark3 RDV4 and the pm3 client.

Describe the bug: After running the hf mf autopwn command, the proxmark always gets stuck on the same lines of the hardnested attack:

[=]     5073 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[!!] 🚨 Error: No response from Proxmark3

(always at 5073)

Full command log:

[usb] pm3 --> hf mf autopwn 
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 42 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 0,8s | found 30/32 keys (42)
[=] running strategy 2
[=] Chunk 0,7s | found 30/32 keys (42)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
...
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[-] ⛔ Tag isn't vulnerable to Nested Attack (PRNG is probably not predictable).
[-] ⛔ Nested attack failed --> try hardnested
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX2 SIMD core               |                 |
[=]        0 |       0 | Brute force benchmark: 2783 million (2^31,4) keys/s     | 140737488355328 |   14h
[=]        4 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   14h
...
[=]     5070 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]     5071 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]     5072 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]     5073 |       1 | Apply bit flip properties                               | 140737488355328 |   14h

[!!] 🚨 Error: No response from Proxmark3

After that, all LEDs are on (constant light, no blinking indicating computing).

To Reproduce: Steps to reproduce the behavior:

  1. Run hf mf autopwn command
  2. See error after about 1 hour / at 5073 "time"

Expected behavior: Find the hidden MIFARE keys.

Desktop (please complete the following information):

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134,83 kHz, 95 (red) is 125,00 kHz.

iceman1001 commented 2 years ago

Doesn't really sound like a source code problem, sounds more like a user problem. We have Discord and the PM3 Forum to ask questions at.

What is the output for hf 14a info ?
and have you tried some distance between tag and antenna (1-2cm for 14A styled cards)

and I see you haven't followed the setup guides, which I suggest you do.

radeksh commented 2 years ago

@iceman1001 thanks for reply,

output of hf 14a info:

[usb] pm3 --> hf 14a info

[+]  UID: E3 CA 13 5D 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[#] Card didn't answer to CL1 select all
[#] Card didn't answer to CL1 select all
[#] Auth error
[?] Hint: try `hf mf` commands

I was using that setup guide: https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/md/Installation_Instructions/Linux-Installation-Instructions.md is there anything else I should follow?

I'll try distance between antenna and tag right now

iceman1001 commented 2 years ago

Try some distance.


atkfromabove commented 2 years ago

I am having the exact same issue on both OSX and Kali Linux

atkfromabove commented 2 years ago

I ran the test 3 times and it exits at around 5074 and 5075.

radeksh commented 2 years ago

hey @iceman1001 I've tried with some distance, but unfortunately result is exactly the same (stops at 5075).

I found somewhere on the web (I can't find the link right now) that this may be related to memory management on the hardware itself (and as @atkfromabove had the same problem on Kali and MacOS, it sounds like it isn't a user issue).

I've followed all setup guides on fresh parrot install and result is the same

iceman1001 commented 2 years ago

With 1-2cm distance you shouldn't get the "can't select card" message any more when running.

@przytular you have a hf 14a info output from your card?

radeksh commented 2 years ago

hey @iceman1001 I pasted the output in that comment: https://github.com/RfidResearchGroup/proxmark3/issues/1734#issuecomment-1197806384 my problem isn't the error "can't select card", but the device freezing with the error

[!!] 🚨 Error: No response from Proxmark3
d4g commented 2 years ago

Just as a question: are you using the blueshark addon? I got the same error when the blueshark battery was low on power. Then running something stressful would lead to a reset of either the Bluetooth connection or the proxmark.

radeksh commented 2 years ago

@d4g thanks for input, negative, I'm using just pure RDV4 unit, without blueshark module

iceman1001 commented 2 years ago

So let's eliminate things: compile and flash the device without the BT addon, then run autopwn (use the USB cable).

iceman1001 commented 2 years ago

it says you are running parrot os. on which metal are you running?

iceman1001 commented 2 years ago

and how much RAM do you have on your host OS?

radeksh commented 2 years ago

hey @iceman1001 thanks for reply

it says you are running parrot os. on which metal are you running?

it's a System76 Gazelle laptop (https://tech-docs.system76.com/models/gaze15/README.html), because I hope by metal you mean hardware? Would you like me to execute a specific command, i.e. lshw?

and how much RAM do you have on your host OS?

32 GB

compile and flash device for without btaddon.

ok, i'll need some time to try that

iceman1001 commented 2 years ago

so you have enough RAM, you are not on an M1 or ARM-based CPU, you use 1-2cm of distance between tag and antenna,

I dunno, I ran out of ideas.

atkfromabove commented 2 years ago

It's odd when the error occurs since the proxmark is no longer responding. I have to unplug and replug the proxmark for it to start responding again. If I try to continue with other commands they no longer work correctly until I physically cycle the device and restart the pm3 application.

It's tough to test any changes since the program takes so long before the error occurs (~1.5 hours).

I've re-compiled the source and flashed the firmware without the BTaddon but the error still occurs at the same point (5075).

iceman1001 commented 2 years ago

This is where I see an issue. Somehow the hardnested command can't collect any new nonces. You only get one...


Can you try running it with the slow flag?

iceman1001 commented 2 years ago

if you pull latest, I pushed a minor fix for the slow param in autopwn command.

hf mf autopwn --slow --1k -f mfc_default_keys

and do you have a picture of that card?

atkfromabove commented 2 years ago

if you pull latest, I pushed a minor fix for the slow param in autopwn command.

hf mf autopwn --slow --1k -f mfc_default_keys

and do you have a picture of that card?

Pulled the git and ran that command. The error happened even earlier this time at 1535.

[usb] pm3 --> hf mf autopwn --slow --1k -f mfc_default_keys
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 1465 keys from dictionary file /Users/Documents/Scripts/proxmark3/client/dictionaries/mfc_default_keys.dic
[=] running strategy 1
[=] ......
[=] Chunk 13.3s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 1.0s | found 2/32 keys (85)
[=] Chunk 0.4s | found 2/32 keys (20)
[=] running strategy 2
[=] ......
[=] Chunk 13.2s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] ......
[=] Chunk 13.0s | found 2/32 keys (85)
[=] .
[=] Chunk 3.2s | found 2/32 keys (20)
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[-] ⛔ Tag isn't vulnerable to Nested Attack (PRNG is probably not predictable).
[-] ⛔ Nested attack failed --> try hardnested
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX2 SIMD core               |                 |
[=]        0 |       0 | Brute force benchmark: 2796 million (2^31.4) keys/s     | 140737488355328 |   14h
[=]        4 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   14h
[=]        7 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]        8 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]        9 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
...
[=]     1529 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]     1530 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]     1531 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]     1531 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]     1532 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]     1533 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]     1534 |       1 | Apply bit flip properties                               | 140737488355328 |   14h
[=]     1535 |       1 | Apply bit flip properties                               | 140737488355328 |   14h

[!!] 🚨 Error: No response from Proxmark3

Here is a picture of the card. It was a small wristband for a hotel.

iceman1001 commented 2 years ago

So I am curious of the output from running these following commands. I wanna see if the nonce changes, so run it all and copy pasta the output here.

hf mf rdbl --blk 0 -b -k ffffffffffff
hf mf list

hf mf rdbl --blk 0 -b -k ffffffffffff
hf mf list
atkfromabove commented 2 years ago

So I am curious of the output from running these following commands. I wanna see if the nonce changes, so run it all and copy pasta the output here.

hf mf rdbl --blk 0 -b -k ffffffffffff
hf mf list

hf mf rdbl --blk 0 -b -k ffffffffffff
hf mf list
[usb] pm3 --> hf mf rdbl --blk 0 -b -k ffffffffffff

[=]   # | sector 00 / 0x00                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | 73 84 18 C2 2D 08 04 00 03 4D AC 2E 3A 00 46 90 | s...-....M..:.F.

[usb] pm3 --> hf mf list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 188 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52(7)                                                                    |     | WUPA
       2116 |       4484 | Tag |04  00                                                                   |     | 
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10564 |      16388 | Tag |73  84  18  c2  2d                                                       |     | 
     112128 |     122656 | Rdr |93  70  73  84  18  c2  2d  8b  ce                                       |  ok | SELECT_UID
     123716 |     127236 | Tag |08  b6  dd                                                               |     | 
     129536 |     134304 | Rdr |61  00  2d  62                                                           |  ok | AUTH-B(0)
     135748 |     140420 | Tag |9e  7e  1e  dd                                                           |     | AUTH: nt 
     150016 |     159392 | Rdr |a3! 1c  d4  fe  90  45! 37! fe                                           |     | AUTH: nr ar (enc)
     160452 |     165188 | Tag |16! bf! 91! 70                                                           |     | AUTH: at (enc)
     171136 |     175904 | Rdr |aa  c8! f4! 8f                                                           |     | 
            |            |  *  |                                              key FFFFFFFFFFFF prng WEAK |     |
            |            |  *  |30  00  02  A8                                                           |  ok | READBLOCK(0)
     176964 |     197828 | Tag |1b  cd  0d! a2! 94! 82! c8  2c  08  24  ba  1f  5b! 66  f8! 27! 21! 87!  |     | 
            |            |  *  |73  84  18  C2  2D  08  04  00  03  4D  AC  2E  3A  00  46  90  E0  47   |  ok | 
     211072 |     215776 | Rdr |63! c5  01  7d                                                           |     | 
            |            |  *  |50  00  57  CD                                                           |  ok | HALT
[usb] pm3 --> hf mf rdbl --blk 0 -b -k ffffffffffff

[=]   # | sector 00 / 0x00                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | 73 84 18 C2 2D 08 04 00 03 4D AC 2E 3A 00 46 90 | s...-....M..:.F.

[usb] pm3 --> hf mf list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 188 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52(7)                                                                    |     | WUPA
       2116 |       4484 | Tag |04  00                                                                   |     | 
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10564 |      16388 | Tag |73  84  18  c2  2d                                                       |     | 
      19200 |      29728 | Rdr |93  70  73  84  18  c2  2d  8b  ce                                       |  ok | SELECT_UID
      30788 |      34308 | Tag |08  b6  dd                                                               |     | 
      36608 |      41376 | Rdr |61  00  2d  62                                                           |  ok | AUTH-B(0)
      42820 |      47556 | Tag |b0  9a  9f  73                                                           |     | AUTH: nt 
      57088 |      66464 | Rdr |07! e6! c6  41! d0  d3! 22! b4!                                          |     | AUTH: nr ar (enc)
      67524 |      72260 | Tag |c9  db! 2b  b4!                                                          |     | AUTH: at (enc)
      78208 |      82912 | Rdr |74  f8  9b! 9f                                                           |     | 
            |            |  *  |                                              key FFFFFFFFFFFF prng WEAK |     |
            |            |  *  |30  00  02  A8                                                           |  ok | READBLOCK(0)
      84036 |     104900 | Tag |16  5a! a9! 23  c9! 8d  b5  54  52! 55  16! 40! 0e  f3  d0! 97  11  94   |     | 
            |            |  *  |73  84  18  C2  2D  08  04  00  03  4D  AC  2E  3A  00  46  90  E0  47   |  ok | 
     118144 |     122848 | Rdr |df  e1! fc! 8d                                                           |     | 
            |            |  *  |50  00  57  CD                                                           |  ok | HALT
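An added diagnostic for the check asked for above (example code, not part of the proxmark3 client): it parses the `hf mf list` trace table, pulls out the tag nonce `nt` returned to each AUTH command, and reports whether the nonce is fresh on every authentication or static. The first two traces are the auth lines copied from the two `hf mf list` runs posted above; the third is constructed to show the static-nonce case discussed later in this thread and was not captured from a real card. The only assumption is the six-column `start | end | src | data | crc | annotation` layout of the trace above, with `!` marking a byte received with a parity error (which is what an encrypted nonce from a nested auth looks like in the trace).

```python
"""Nonce-freshness check over `hf mf list` trace output.

Added example, not proxmark3 code. Assumes the trace table layout
`start | end | src | data | crc | annotation` and `!` = parity error.
"""
import re

# Auth lines copied from the two `hf mf list` runs in this thread.
TRACE_1 = """\
     129536 |     134304 | Rdr |61  00  2d  62                                                           |  ok | AUTH-B(0)
     135748 |     140420 | Tag |9e  7e  1e  dd                                                           |     | AUTH: nt 
     150016 |     159392 | Rdr |a3! 1c  d4  fe  90  45! 37! fe                                           |     | AUTH: nr ar (enc)
     160452 |     165188 | Tag |16! bf! 91! 70                                                           |     | AUTH: at (enc)
"""
TRACE_2 = """\
      36608 |      41376 | Rdr |61  00  2d  62                                                           |  ok | AUTH-B(0)
      42820 |      47556 | Tag |b0  9a  9f  73                                                           |     | AUTH: nt 
      57088 |      66464 | Rdr |07! e6! c6  41! d0  d3! 22! b4!                                          |     | AUTH: nr ar (enc)
      67524 |      72260 | Tag |c9  db! 2b  b4!                                                          |     | AUTH: at (enc)
"""
# Constructed (not captured) trace of the failure mode: two auths to the same
# block where the nonce comes back identical each time, with parity errors as
# an encrypted nested-auth nonce would show. Layout simplified to the same
# shape as the first-auth lines above.
STATIC_TRACE = """\
       1000 |       2000 | Rdr |61  04  aa  bb                                                           |  ok | AUTH-B(4)
       3000 |       4000 | Tag |00! 20  f4! 14                                                           |     | AUTH: nt 
       5000 |       6000 | Rdr |61  04  aa  bb                                                           |  ok | AUTH-B(4)
       7000 |       8000 | Tag |00! 20  f4! 14                                                           |     | AUTH: nt 
"""

AUTH_CMD = re.compile(r"AUTH-([AB])\((\d+)\)")


def parse_trace(trace):
    """Return one (auth_cmd, nt_hex, parity_errors) tuple per tag nonce."""
    out = []
    pending_cmd = None
    for line in trace.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 6:
            continue  # header, separator or a decoded '*' line without 6 columns
        _start, _end, src, data, _crc, note = cols
        m = AUTH_CMD.search(note)
        if src == "Rdr" and m:
            pending_cmd = "AUTH-%s(%s)" % (m.group(1), m.group(2))
            continue
        if src == "Tag" and note.startswith("AUTH: nt") and pending_cmd:
            tokens = data.split()
            nt = "".join(t.rstrip("!") for t in tokens)
            parity_errors = sum(t.endswith("!") for t in tokens)
            out.append((pending_cmd, nt, parity_errors))
            pending_cmd = None
    return out


def nonce_report(*traces):
    """Group nonces by AUTH command across traces; flag a command as static
    when it was run more than once and every run returned the same nt."""
    per_cmd = {}
    for trace in traces:
        for cmd, nt, _perr in parse_trace(trace):
            per_cmd.setdefault(cmd, []).append(nt)
    report = {}
    for cmd, nts in per_cmd.items():
        distinct = len(set(nts))
        report[cmd] = {
            "auths": len(nts),
            "distinct_nonces": distinct,
            "static": len(nts) > 1 and distinct == 1,
        }
    return report


if __name__ == "__main__":
    for label, rep in (("posted traces", nonce_report(TRACE_1, TRACE_2)),
                       ("constructed static case", nonce_report(STATIC_TRACE))):
        print(label)
        for cmd, r in rep.items():
            print("  %-10s auths=%d distinct=%d static=%s"
                  % (cmd, r["auths"], r["distinct_nonces"], r["static"]))
```

Run it against a real capture by pasting the full `hf mf list` output into a string; the parser ignores the header, separator and decoded `*` rows. A card whose report shows `static=True` for the block hardnested targets will never give the attack more than one nonce, which matches the `#nonces = 1` column in the hardnested table above.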
iceman1001 commented 2 years ago

so you get a different nonce each time... nothing makes sense, your device is flashed with the same firmware as your pm3 client (from the same build).

You don't run on an M1/ARM-based CPU, you have enough RAM, you are connected to the pm3 with USB.

I am afraid I can not figure out what is going on here. Maybe someone else might find something but I will give up now.

iceman1001 commented 2 years ago

I see that you still haven't run the init script on your device, but that shouldn't matter,

mem info
mem spiffs info
mem spiffs tree
radeksh commented 2 years ago

So maybe this may be hardware / problem with device itself?

iceman1001 commented 2 years ago

if you have rdv4, the spiffs might be of concern. Hence I wanted you to test it

atkfromabove commented 2 years ago

if you have rdv4, the spiffs might be of concern. Hence I wanted you to test it

Just ran the mem spiffs commands and re-ran the tests.

Same result. The device errors out still.

iceman1001 commented 2 years ago

I am afraid I have no idea whats wrong.

iceman1001 commented 2 years ago

The others who have had the issue with only getting one nonce have tried running the key recovery against a MIFARE Plus card. It depends on which Security Level the card is in. For instance SL3 will not work with MFC commands.

I will close this issue now.

mywalkb commented 1 year ago

I have the same issue as #1760: when retrieving nonces they are normal and not predictable, while in MifareAcquireEncryptedNonces receivedAnswer is always 0020F414, maybe @pwpiwi can clear up this wrong behaviour? I have many MIFARE cards and only this card has this issue, it's a very simple white MIFARE.

It's SL1 as all others working mifare

[=] --- Security Level (SL)
[+]        SL mode: SL1
[=]   SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication
atkfromabove commented 1 year ago

I have the same issue as #1760: when retrieving nonces they are normal and not predictable, while in MifareAcquireEncryptedNonces receivedAnswer is always 0020F414, maybe @pwpiwi can clear up this wrong behaviour? I have many MIFARE cards and only this card has this issue, it's a very simple white MIFARE.

It's SL1 as all others working mifare

[=] --- Security Level (SL)
[+]        SL mode: SL1
[=]   SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication

I'd enjoy seeing this issue re-opened since I am still having the problem

radeksh commented 1 year ago

@iceman1001 what I see on another device is that this card is a MIFARE Classic 1K. Is it suitable for proxmark3? @mywalkb I have the same, a simple white card. @atkfromabove unfortunately it isn't re-opened, and in my opinion it probably should be, as 3 users are already reporting the same issue.

I'm trying to find common ground on all these cases

p.s. it's funny because it's the first card I've tried to use with the proxmark and it isn't working, what luck :sweat_smile:

iceman1001 commented 1 year ago

If it's one card which gives "1" nonce in hardnested, this is a clone MFC which has shown peculiar behavior which hardnested and static nested cannot solve at the moment.

Not an issue related to the source code.

radeksh commented 1 year ago

@iceman1001 yeah, that's the one, now I see, thanks for the explanation!

iceman1001 commented 1 year ago

Feel free to find a solution for it

iceman1001 commented 1 year ago

Got another card with a static encrypted nonce.
