RfidResearchGroup / proxmark3

Iceman Fork - Proxmark3
http://www.icedev.se
GNU General Public License v3.0

MFC reader only attacks? #841

Open doegox opened 5 years ago

doegox commented 5 years ago

There are apparently at least two types of supercard:

Codes to deal with these cards are different, e.g. for mine I needed to decrypt card data with DES and key=1122334455667788 while I don't see anything like that in their code, and their code doesn't work on my card (well it returns no error but garbage key :D).

iceman1001 commented 5 years ago

I wouldn't be surprised if there are many supercards.
I have seen the card with a battery on it. And yours is just a card. The battery version has a heap of nonces to download and crack. There is a thread on the forum about someone solving that one.

Isn't supercard2 the same as these implemented reader-only attacks: hf 14a sim x and hf mf sim x?

doegox commented 5 years ago

Yes indeed. BTW, pm3 needs to see many attempts (AUTH-A) before it breaks the key; 2 is never enough, sometimes I need 8 attempts. Strange. (And I see all attempts properly in mf list.) My card needs exactly 2 attempts.

doegox commented 5 years ago

And I have the impression I never reach https://github.com/RfidResearchGroup/proxmark3/blob/master/client/cmdhfmf.c#L2290 while I get

#db# Collected two pairs of AR/NR which can be used to extract keyB from reader for sector 0:
#db# ../tools/mfkey/mfkey32v2 00000000 fc73e3da 26b2f085 bf96af82 013eb1df 6cd2d9f4 a9a340f3
#db# Emulator stopped. Tracing: 1  trace length: 572

So the key is not broken automatically.

iceman1001 commented 5 years ago

Yeah, that is the crappy difference between 14a sim x and mf sim x. It is hooked up to interactive .. like sim x i
otherwise you only get the debug statement. I think 14a sim x is behaving like I want it to (or like we want it to act).

Mceloff wanted to bring those debug statements back. I said no. Better to let the x param execute the darn attack as soon as we got the responses. It should also use the Moebius attack, where 2 auth requests should be enough.

doegox commented 5 years ago

Bummer. Yeah, got it working now. And hf 14a sim x is much nicer.

iceman1001 commented 5 years ago

Good.
This is also one of those quirks that the proxmark client consists of. You have to know this in order to understand. You also need to know that you can get up to 8 nonce pairs (if I remember it correctly), meaning we can get 8 keys if the reader is using it that way.
We can also make the emulator key be updated with the found key. :) Meaning the simulation can become smarter as the reader tries to authenticate, making it go to the next step in its process.

iceman1001 commented 5 years ago

Another issue / wish on our list: making the sim x attack nicer and behave the same on both 14a / mf.

iceman1001 commented 3 years ago

Speaking of which... @doegox, this issue... now that we added supercard to the client...