Closed Fl0-0 closed 1 year ago
I would think your card has a bad coupling with the device, so you need to find a better spot where you don't get all the failed selects and auths. Those failed ones are most likely the cause of your partial dump.
You are right about the better spot (small patch tags could be tricky); the select and auth errors are due to that. I think it is not the reason, because with perfect coupling I have the same issue: the autopwn dump is missing key B read blocks. hf mf dump always works fine regarding key B reads.
[usb] pm3 --> hf mf autopwn
[!] ⚠️ no known key was supplied, key recovery might fail
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1
[=] Chunk: 1.2s | found 27/32 keys (23)
[=] running strategy 2
[=] Chunk: 1.2s | found 27/32 keys (23)
[+] target sector: 0 key type: A -- found valid key [ FF FF FF FF FF FF ] (used for nested / hardnested attack)
[+] target sector: 0 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 1 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 1 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 2 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 2 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 3 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 3 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 4 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 4 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 5 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 5 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 6 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 6 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 7 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 7 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 8 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 8 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 9 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 9 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 10 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 11 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 12 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 13 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 14 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 15 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 15 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 944 million (2^29.8) keys/s | 140737488355328 | 2d
5 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
8 | 112 | Apply bit flip properties | 117135532032 | 2min
9 | 224 | Apply bit flip properties | 9343000576 | 10s
10 | 336 | Apply bit flip properties | 4195979264 | 4s
11 | 447 | Apply bit flip properties | 2056948096 | 2s
12 | 559 | Apply bit flip properties | 1709359104 | 2s
12 | 671 | Apply bit flip properties | 1709359104 | 2s
13 | 783 | Apply bit flip properties | 1601324928 | 2s
13 | 893 | Apply bit flip properties | 1601324928 | 2s
14 | 1002 | Apply bit flip properties | 1601324928 | 2s
15 | 1112 | Apply bit flip properties | 1601324928 | 2s
16 | 1223 | Apply bit flip properties | 1601324928 | 2s
17 | 1334 | Apply bit flip properties | 1601324928 | 2s
19 | 1443 | Apply Sum property. Sum(a0) = 120 | 158699808 | 0s
20 | 1443 | Brute force phase completed. Key found: XXXXXXXXXXXX | 0 | 0s
[+] target sector: 10 key type: B -- found valid key [ XX XX XX XX XX XX ]
[+] target sector: 11 key type: B -- found valid key [ XX XX XX XX XX XX ]
[+] target sector: 12 key type: B -- found valid key [ XX XX XX XX XX XX ]
[+] target sector: 13 key type: B -- found valid key [ XX XX XX XX XX XX ]
[+] target sector: 14 key type: B -- found valid key [ XX XX XX XX XX XX ]
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | D | ffffffffffff | D |
[+] | 001 | ffffffffffff | D | ffffffffffff | D |
[+] | 002 | ffffffffffff | D | ffffffffffff | D |
[+] | 003 | ffffffffffff | D | ffffffffffff | D |
[+] | 004 | ffffffffffff | D | ffffffffffff | D |
[+] | 005 | ffffffffffff | D | ffffffffffff | D |
[+] | 006 | ffffffffffff | D | ffffffffffff | D |
[+] | 007 | ffffffffffff | D | ffffffffffff | D |
[+] | 008 | ffffffffffff | D | ffffffffffff | D |
[+] | 009 | ffffffffffff | D | ffffffffffff | D |
[+] | 010 | a0a1a2a3a4a5 | D | XXXXXXXXXXXX | H |
[+] | 011 | a0a1a2a3a4a5 | D | XXXXXXXXXXXX | R |
[+] | 012 | a0a1a2a3a4a5 | D | XXXXXXXXXXXX | R |
[+] | 013 | a0a1a2a3a4a5 | D | XXXXXXXXXXXX | R |
[+] | 014 | a0a1a2a3a4a5 | D | XXXXXXXXXXXX | R |
[+] | 015 | ffffffffffff | D | ffffffffffff | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-9XXXXXXE-key-2.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY A, swapping to KEY B
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-9XXXXXXE-dump-7.bin
[+] saved 64 blocks to text file hf-mf-9XXXXXXE-dump-7.eml
[+] saved to json file hf-mf-9XXXXXXE-dump-7.json
[=] autopwn execution time: 25 seconds
[usb] pm3 --> hf mf dump
[=] Using `hf-mf-9XXXXXXE-key.bin`
[=] Reading sector access bits...
................
[+] Finished reading sector access bits
[=] Dumping all blocks from card...
[+] successfully read block 0 of sector 0.
[+] successfully read block 1 of sector 0.
[+] successfully read block 2 of sector 0.
[+] successfully read block 3 of sector 0.
[+] successfully read block 0 of sector 1.
[+] successfully read block 1 of sector 1.
[+] successfully read block 2 of sector 1.
[+] successfully read block 3 of sector 1.
[+] successfully read block 0 of sector 2.
[+] successfully read block 1 of sector 2.
[+] successfully read block 2 of sector 2.
[+] successfully read block 3 of sector 2.
[+] successfully read block 0 of sector 3.
[+] successfully read block 1 of sector 3.
[+] successfully read block 2 of sector 3.
[+] successfully read block 3 of sector 3.
[+] successfully read block 0 of sector 4.
[+] successfully read block 1 of sector 4.
[+] successfully read block 2 of sector 4.
[+] successfully read block 3 of sector 4.
[+] successfully read block 0 of sector 5.
[+] successfully read block 1 of sector 5.
[+] successfully read block 2 of sector 5.
[+] successfully read block 3 of sector 5.
[+] successfully read block 0 of sector 6.
[+] successfully read block 1 of sector 6.
[+] successfully read block 2 of sector 6.
[+] successfully read block 3 of sector 6.
[+] successfully read block 0 of sector 7.
[+] successfully read block 1 of sector 7.
[+] successfully read block 2 of sector 7.
[+] successfully read block 3 of sector 7.
[+] successfully read block 0 of sector 8.
[+] successfully read block 1 of sector 8.
[+] successfully read block 2 of sector 8.
[+] successfully read block 3 of sector 8.
[+] successfully read block 0 of sector 9.
[+] successfully read block 1 of sector 9.
[+] successfully read block 2 of sector 9.
[+] successfully read block 3 of sector 9.
[+] successfully read block 0 of sector 10.
[+] successfully read block 1 of sector 10.
[+] successfully read block 2 of sector 10.
[+] successfully read block 3 of sector 10.
[+] successfully read block 0 of sector 11.
[+] successfully read block 1 of sector 11.
[+] successfully read block 2 of sector 11.
[+] successfully read block 3 of sector 11.
[+] successfully read block 0 of sector 12.
[+] successfully read block 1 of sector 12.
[+] successfully read block 2 of sector 12.
[+] successfully read block 3 of sector 12.
[+] successfully read block 0 of sector 13.
[+] successfully read block 1 of sector 13.
[+] successfully read block 2 of sector 13.
[+] successfully read block 3 of sector 13.
[+] successfully read block 0 of sector 14.
[+] successfully read block 1 of sector 14.
[+] successfully read block 2 of sector 14.
[+] successfully read block 3 of sector 14.
[+] successfully read block 0 of sector 15.
[+] successfully read block 1 of sector 15.
[+] successfully read block 2 of sector 15.
[+] successfully read block 3 of sector 15.
[+] time: 17 seconds
[+] Succeeded in dumping all blocks
[+] saved 1024 bytes to binary file hf-mf-9XXXXXXE-dump-8.bin
[+] saved 64 blocks to text file hf-mf-9XXXXXXE-dump-8.eml
[+] saved to json file hf-mf-9XXXXXXE-dump-8.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC
██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝
╚═╝ ╚═╝ ╚═╝╚════╝ ❄️ bleeding edge ☕
https://github.com/rfidresearchgroup/proxmark3/
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.9237-1135-g8d2e26d7 2020-09-17 14:51:33
compiled with GCC 10.2.0 OS:Linux ARCH:x86_64
[ PROXMARK3 RDV4 ]
external flash: present
smartcard reader: present
[ PROXMARK3 RDV4 Extras ]
FPC USART for BT add-on support: absent
[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-1000-g5d357a60 2020-09-07 11:31:26
os: RRG/Iceman/master/v4.9237-1135-g8d2e26d7 2020-09-17 14:52:14
compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]
[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 291376 bytes (56%) Free: 232912 bytes (44%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> hw tune
[=] Measuring antenna characteristics, please wait...
🕛 9
[=] ---------- LF Antenna ----------
[+] LF antenna: 66.52 V - 125.00 kHz
[+] LF antenna: 35.22 V - 134.83 kHz
[+] LF optimal: 67.38 V - 126.32 kHz
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 47.09 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.
[usb] pm3 --> hw status
[#] Memory
[#] BigBuf_size.............42472
[#] Available memory........42472
[#] Tracing
[#] tracing ................1
[#] traceLen ...............0
[#] dma8 memory.............-2111696
[#] dma16 memory............-2111696
[#] toSend memory...........-2111696
[#] Current FPGA image
[#] mode.................... HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
[#] Flash memory
[#] Baudrate................24 MHz
[#] Init....................OK
[#] Memory size.............2 mbits / 256 kb
[#] Unique ID...............0xD-----------------------------
[#] Smart card module (ISO 7816)
[#] version.................v3.11
[#] LF Sampling config
[#] [q] divisor.............95 ( 125.00 kHz )
[#] [b] bits per sample.....8
[#] [d] decimation..........1
[#] [a] averaging...........Yes
[#] [t] trigger threshold...0
[#] [s] samples to skip.....0
[#] LF Sampling Stack
[#] Max stack usage.........3952 / 8480 bytes
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) | 29 | 17 | 15 | 47 | 15 | N/A | N/A |
[#] long leading reference | 29 | 17 | 15 | 47 | 15 | N/A | N/A |
[#] leading zero | 29 | 17 | 15 | 40 | 15 | N/A | N/A |
[#] 1 of 4 coding reference | 29 | 17 | 15 | 31 | 15 | 47 | 63 |
[#]
[#] HF 14a config
[#] [a] Anticol override......0: No (follow standard)
[#] [b] BCC override..........0: No (follow standard)
[#] [2] CL2 override..........0: No (follow standard)
[#] [3] CL3 override..........0: No (follow standard)
[#] [r] RATS override.........0: No (follow standard)
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed............500ms
[#] Bytes transferred.......280576
[#] Transfer Speed PM3 -> Client = 561152 bytes/s
[#] Various
[#] Max stack usage.........4096 / 8480 bytes
[#] DBGLEVEL................1 ( ERROR )
[#] ToSendMax...............-1
[#] ToSend BUFFERSIZE.......2308
[#] Slow clock..............31480 Hz
[#] Installed StandAlone Mode
[#] HF Mifare sniff/simulation - (Craig Young)
[#] Flash memory dictionary loaded
[#] Mifare..................933 keys
[#] T55x7...................110 keys
[#] iClass..................7 keys
[usb] pm3 -->
Good good, at least one cause is gone and only the B key. Now, which are the access rights for that sector? Both key A and B fail three times...
Sectors 10 to 14 have the same access rights and the same keys: a0a1 a2a3 a4a5 0f00 ffff XXXX XXXX XXXX
0F00FF access conditions tell us that blocks 0, 1 and 2 of the sector could be read or written only by key B.
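The access-bits reading given in the comment above, as an added example that is not part of the original thread or of Proxmark3's code: it decodes trailer bytes 6 to 8 using the MIFARE Classic access-bit layout and reports which key type a dump has to authenticate with for each data block. Function and table names are illustrative, and the second trailer is a constructed factory-default sample.

```python
# Added example, not Proxmark3 code. Names are illustrative.

# Data-block permissions indexed by (C1, C2, C3): (read, write).
DATA_BLOCK_ACCESS = {
    (0, 0, 0): ("A|B", "A|B"),
    (0, 1, 0): ("A|B", "never"),
    (1, 0, 0): ("A|B", "B"),
    (1, 1, 0): ("A|B", "B"),
    (0, 0, 1): ("A|B", "never"),
    (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "never"),
    (1, 1, 1): ("never", "never"),
}


def decode_access_bits(trailer_hex):
    """Return [(C1, C2, C3)] for blocks 0..3 of a sector.

    trailer_hex is the 16-byte sector trailer: key A (6 bytes),
    access bytes 6..8, user byte 9, key B (6 bytes).
    Raises ValueError if the stored inverted copies do not match.
    """
    trailer = bytes.fromhex(trailer_hex)
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]

    # Each C-nibble holds one bit per block (bit n = block n) and is
    # stored twice: once plain, once inverted.
    c1, c1_inv = b7 >> 4, b6 & 0x0F
    c2, c2_inv = b8 & 0x0F, b6 >> 4
    c3, c3_inv = b8 >> 4, b7 & 0x0F
    for name, plain, inverted in (("C1", c1, c1_inv),
                                  ("C2", c2, c2_inv),
                                  ("C3", c3, c3_inv)):
        if plain ^ inverted != 0x0F:
            raise ValueError(f"{name} does not match its inverted copy")

    return [((c1 >> n) & 1, (c2 >> n) & 1, (c3 >> n) & 1) for n in range(4)]


def read_key_plan(trailer_hex):
    """Map data block 0..2 to the key type needed to read it.

    "A" is chosen when either key is allowed, "B" when only key B may
    read, and None when the block cannot be read at all.
    """
    plan = {}
    for block, bits in enumerate(decode_access_bits(trailer_hex)[:3]):
        read_perm, _write_perm = DATA_BLOCK_ACCESS[bits]
        if read_perm == "A|B":
            plan[block] = "A"
        elif read_perm == "B":
            plan[block] = "B"
        else:
            plan[block] = None
    return plan


# Trailer layout quoted in the thread for the test card (access bytes 0F 00 FF).
THREAD_TRAILER = "a0a1a2a3a4a50f00ffffc95e34c0a15e"
# Constructed sample: factory-default access bytes FF 07 80.
DEFAULT_TRAILER = "ffffffffffffff078069ffffffffffff"

if __name__ == "__main__":
    for label, trailer in (("thread", THREAD_TRAILER),
                           ("default", DEFAULT_TRAILER)):
        print(label, decode_access_bits(trailer), read_key_plan(trailer))
```

For the trailer from the thread every data block decodes to (0, 1, 1), so a dump that only authenticates with key A cannot read sectors configured this way.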
Alright, something to work with.
As expected, keyA fails and the keyB works.
Only difference now is that your keyB was found by hardnested. And since you filtered it out, I can't see if it's used correctly. Does your "keyfile" or the json dump file have the correct keyB inside?
Yes, the correct keys are inside the partial dumps!
When I try it with a gen 1a card with the same random B key on 4 sectors it works fine, but the key was found by nested, not hardnested:
[+] Card wiped successfully
[usb] pm3 --> hf mf cwipe
🕗 wipe block 63
[+] Card wiped successfully
[usb] pm3 --> hf mf csetb 47 a0a1a2a3a4a50f00ffffc95e34c0a15e
--block number:47 data:A0 A1 A2 A3 A4 A5 0F 00 FF FF C9 5E 34 C0 A1 5E
[usb] pm3 --> hf mf csetb 51 a0a1a2a3a4a50f00ffffc95e34c0a15e
--block number:51 data:A0 A1 A2 A3 A4 A5 0F 00 FF FF C9 5E 34 C0 A1 5E
[usb] pm3 --> hf mf csetb 55 a0a1a2a3a4a50f00ffffc95e34c0a15e
--block number:55 data:A0 A1 A2 A3 A4 A5 0F 00 FF FF C9 5E 34 C0 A1 5E
[usb] pm3 --> hf mf csetb 59 a0a1a2a3a4a50f00ffffc95e34c0a15e
--block number:59 data:A0 A1 A2 A3 A4 A5 0F 00 FF FF C9 5E 34 C0 A1 5E
[usb] pm3 --> hf mf cgetsc 14
# | data - sector 14 / 0x0E
----+------------------------------------------------
56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
59 | A0 A1 A2 A3 A4 A5 0F 00 FF FF C9 5E 34 C0 A1 5E
Sector trailer decoded:
----------------------------------------------
Key A A0A1A2A3A4A5
Key B C95E34C0A15E
Access rights
block 56 rdB wrB
block 57 rdB wrB
block 58 rdB wrB
block 59 wrAbyB rdCbyAB wrCbyB wrBbyB
UserData 0xff
----------------------------------------------
[usb] pm3 --> hf mf autopwn
[#] 1 static nonce 01200145
[!] ⚠️ no known key was supplied, key recovery might fail
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1
[=] Chunk: 1.2s | found 28/32 keys (23)
[=] running strategy 2
[=] Chunk: 1.2s | found 28/32 keys (23)
[+] target sector: 0 key type: A -- found valid key [ FF FF FF FF FF FF ] (used for nested / hardnested attack)
[+] target sector: 0 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 1 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 1 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 2 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 2 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 3 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 3 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 4 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 4 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 5 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 5 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 6 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 6 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 7 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 7 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 8 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 8 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 9 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 9 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 10 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 10 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 11 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 12 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 13 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 14 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 15 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 15 key type: B -- found valid key [ FF FF FF FF FF FF ]
[+] Found 59538 key candidates
[------ CUT -----]
[+] target block: 44 key type: B -- found valid key [ C9 5E 34 C0 A1 5E ]
[+] target sector: 11 key type: B -- found valid key [ C9 5E 34 C0 A1 5E ]
[+] target sector: 12 key type: B -- found valid key [ C9 5E 34 C0 A1 5E ]
[+] target sector: 13 key type: B -- found valid key [ C9 5E 34 C0 A1 5E ]
[+] target sector: 14 key type: B -- found valid key [ C9 5E 34 C0 A1 5E ]
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | D | ffffffffffff | D |
[+] | 001 | ffffffffffff | D | ffffffffffff | D |
[+] | 002 | ffffffffffff | D | ffffffffffff | D |
[+] | 003 | ffffffffffff | D | ffffffffffff | D |
[+] | 004 | ffffffffffff | D | ffffffffffff | D |
[+] | 005 | ffffffffffff | D | ffffffffffff | D |
[+] | 006 | ffffffffffff | D | ffffffffffff | D |
[+] | 007 | ffffffffffff | D | ffffffffffff | D |
[+] | 008 | ffffffffffff | D | ffffffffffff | D |
[+] | 009 | ffffffffffff | D | ffffffffffff | D |
[+] | 010 | ffffffffffff | D | ffffffffffff | D |
[+] | 011 | a0a1a2a3a4a5 | D | c95e34c0a15e | C |
[+] | 012 | a0a1a2a3a4a5 | D | c95e34c0a15e | R |
[+] | 013 | a0a1a2a3a4a5 | D | c95e34c0a15e | R |
[+] | 014 | a0a1a2a3a4a5 | D | c95e34c0a15e | R |
[+] | 015 | ffffffffffff | D | ffffffffffff | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-01020304-key-1.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY A, swapping to KEY B
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-01020304-dump-1.bin
[+] saved 64 blocks to text file hf-mf-01020304-dump-1.eml
[+] saved to json file hf-mf-01020304-dump-1.json
[=] autopwn execution time: 182 seconds
Maybe it is related to hardnested found keys, I will try it on all my 'hardnested' cards.
It seems to be related to the hardnested recovery.
OK, I've tried it with a 'real' card (a blank MIFARE Plus)
[usb] pm3 --> hf search
🕘 Searching for ISO14443-A tag...
[+] UID: 9D 33 12 EA
[+] ATQA: 00 02
[+] SAK: 18 [2]
[+] Possible types:
[+] MIFARE Classic 1K / Classic 1K CL2
[+] MIFARE Plus 2K / Plus EV1 2K
[+] MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[+] MIFARE Plus 2K / Plus CL2 2K
[+] MIFARE Classic 4K / Classic 4K CL2
[=] SAK incorrectly claims that card doesn't support RATS
[+] ATS: 0C 75 77 80 02 C1 05 2F 2F 00 35 C7 60 D3
[+] - TL : length is 12 bytes
[+] - T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[+] - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[+] - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
[+] - TC1 : NAD is NOT supported, CID is supported
[+] Prng detection: hard
[?] Hint: try `hf mfp info`
[+] Valid ISO14443-A tag found
it is blank:
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | D | 000000000000 | D |
[+] | 001 | ffffffffffff | D | 000000000000 | D |
[+] | 002 | ffffffffffff | D | 000000000000 | D |
[+] | 003 | ffffffffffff | D | 000000000000 | D |
[+] | 004 | ffffffffffff | D | 000000000000 | D |
[+] | 005 | ffffffffffff | D | 000000000000 | D |
[+] | 006 | ffffffffffff | D | 000000000000 | D |
[+] | 007 | ffffffffffff | D | 000000000000 | D |
[+] | 008 | ffffffffffff | D | 000000000000 | D |
[+] | 009 | ffffffffffff | D | 000000000000 | D |
[+] | 010 | ffffffffffff | D | 000000000000 | D |
[+] | 011 | ffffffffffff | D | 000000000000 | D |
[+] | 012 | ffffffffffff | D | 000000000000 | D |
[+] | 013 | ffffffffffff | D | 000000000000 | D |
[+] | 014 | ffffffffffff | D | 000000000000 | D |
[+] | 015 | ffffffffffff | D | 000000000000 | D |
[+] |-----|----------------|---|----------------|---|
[usb] pm3 --> hf mf wrbl 59 A FFFFFFFFFFFF a0a1a2a3a4a50f00ffffc95e34c0a15e
--block no 59, key A - FF FF FF FF FF FF
--data: A0 A1 A2 A3 A4 A5 0F 00 FF FF C9 5E 34 C0 A1 5E
isOk:01
it fails the same way:
[usb] pm3 --> hf mf autopwn
[!] ⚠️ no known key was supplied, key recovery might fail
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1
[=] Chunk: 0.9s | found 31/32 keys (23)
[=] running strategy 2
[=] Chunk: 0.9s | found 31/32 keys (23)
[+] target sector: 0 key type: A -- found valid key [ FF FF FF FF FF FF ] (used for nested / hardnested attack)
[+] target sector: 0 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 1 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 1 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 2 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 2 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 3 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 3 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 4 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 4 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 5 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 5 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 6 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 6 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 7 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 7 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 8 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 8 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 9 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 9 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 10 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 10 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 11 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 11 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 12 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 12 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 13 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 13 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 14 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 15 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 15 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 1003 million (2^29.9) keys/s | 140737488355328 | 2d
5 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
9 | 112 | Apply bit flip properties | 547718463488 | 9min
10 | 224 | Apply bit flip properties | 413813243904 | 7min
11 | 336 | Apply bit flip properties | 404062502912 | 7min
12 | 448 | Apply bit flip properties | 359153106944 | 6min
13 | 559 | Apply bit flip properties | 355892789248 | 6min
13 | 670 | Apply bit flip properties | 355892789248 | 6min
14 | 780 | Apply bit flip properties | 355892789248 | 6min
15 | 891 | Apply bit flip properties | 355892789248 | 6min
15 | 1002 | Apply bit flip properties | 355892789248 | 6min
16 | 1114 | Apply bit flip properties | 355892789248 | 6min
17 | 1222 | Apply bit flip properties | 355892789248 | 6min
18 | 1332 | Apply bit flip properties | 355892789248 | 6min
19 | 1442 | Apply bit flip properties | 355892789248 | 6min
20 | 1551 | Apply bit flip properties | 355892789248 | 6min
22 | 1659 | Apply Sum property. Sum(a0) = 128 | 68516155392 | 68s
22 | 1768 | Apply bit flip properties | 43498967040 | 43s
23 | 1875 | Apply bit flip properties | 43498967040 | 43s
24 | 1985 | Apply bit flip properties | 43498967040 | 43s
25 | 2094 | Apply bit flip properties | 43498967040 | 43s
25 | 2094 | (Ignoring Sum(a8) properties) | 43498967040 | 43s
104 | 2094 | Brute force phase completed. Key found: c95e34c0a15e | 0 | 0s
[+] target sector: 14 key type: B -- found valid key [ C9 5E 34 C0 A1 5E ]
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | D | 000000000000 | D |
[+] | 001 | ffffffffffff | D | 000000000000 | D |
[+] | 002 | ffffffffffff | D | 000000000000 | D |
[+] | 003 | ffffffffffff | D | 000000000000 | D |
[+] | 004 | ffffffffffff | D | 000000000000 | D |
[+] | 005 | ffffffffffff | D | 000000000000 | D |
[+] | 006 | ffffffffffff | D | 000000000000 | D |
[+] | 007 | ffffffffffff | D | 000000000000 | D |
[+] | 008 | ffffffffffff | D | 000000000000 | D |
[+] | 009 | ffffffffffff | D | 000000000000 | D |
[+] | 010 | ffffffffffff | D | 000000000000 | D |
[+] | 011 | ffffffffffff | D | 000000000000 | D |
[+] | 012 | ffffffffffff | D | 000000000000 | D |
[+] | 013 | ffffffffffff | D | 000000000000 | D |
[+] | 014 | a0a1a2a3a4a5 | D | c95e34c0a15e | H |
[+] | 015 | ffffffffffff | D | 000000000000 | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-9D3312EA-key-3.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY A, swapping to KEY B
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-9D3312EA-dump-4.bin
[+] saved 64 blocks to text file hf-mf-9D3312EA-dump-4.eml
[+] saved to json file hf-mf-9D3312EA-dump-4.json
[=] autopwn execution time: 108 seconds
I tried the release v4.9237 and it works fine!
┌──(flo㉿kali)-[~/tools/NFC/RfidResearchGroup-proxmark3]
└─$ git reset --hard v4.9237
HEAD is now at 833bc4d9 Release v4.9237 - Ice Coffee :coffee:
┌──(flo㉿kali)-[~/tools/NFC/RfidResearchGroup-proxmark3]
└─$ make clean && make
┌──(flo㉿kali)-[~/tools/NFC/RfidResearchGroup-proxmark3/client]
└─$ ./proxmark3 /dev/ttyACM0 --flash --image fullimage.elf
[=] Session log /home/flo/.proxmark3/log_20200918.txt
[=] Loading Preferences...
[+] loaded from JSON file /home/flo/.proxmark3/preferences.json
[+] About to use the following file:
[+] /home/flo/tools/NFC/RfidResearchGroup-proxmark3/client/../armsrc/obj/fullimage.elf
[+] Waiting for Proxmark3 to appear on /dev/ttyACM0
🕑 59 found
[+] Entering bootloader...
[+] (Press and release the button only to abort)
[+] Waiting for Proxmark3 to appear on /dev/ttyACM0
🕑 49 found
[=] Available memory on this board: 512K bytes
[=] Permitted flash range: 0x00102000-0x00180000
[+] Loading ELF file /home/flo/tools/NFC/RfidResearchGroup-proxmark3/client/../armsrc/obj/fullimage.elf
[+] Loading usable ELF segments:
[+] 0: V 0x00102000 P 0x00102000 (0x00042e88->0x00042e88) [R X] @0x94
[+] 1: V 0x00200000 P 0x00144e88 (0x00001360->0x00001360) [RW ] @0x42f1c
[=] Note: Extending previous segment from 0x42e88 to 0x441e8 bytes
[+] Flashing...
[+] Writing segments for file: /home/flo/tools/NFC/RfidResearchGroup-proxmark3/client/../armsrc/obj/fullimage.elf
[+] 0x00102000..0x001461e7 [0x441e8 / 545 blocks]
...................................................................
@@@ @@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@ @@@ @@@
@@! !@@ @@! @@! @@! @@! @@! @@@ @@!@!@@@
!!@ !@! @!!!:! @!! !!@ @!@ @!@!@!@! @!@@!!@!
!!: :!! !!: !!: !!: !!: !!! !!: !!!
: :: :: : : :: ::: : : : : : :: :
. .. .. . . .. ... . . . . . .. .
...................................................................
........................................ OK
[+] All done
Have a nice day!
┌──(flo㉿kali)-[~/tools/NFC/RfidResearchGroup-proxmark3/client]
└─$ ./proxmark3 /dev/ttyACM0
[=] Session log /home/flo/.proxmark3/log_20200918.txt
[=] Loading Preferences...
[+] loaded from JSON file /home/flo/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC
██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗ ❄️ iceman@icesql.net
██║ ██║ ╚═╝ ██║█████╔╝ https://github.com/rfidresearchgroup/proxmark3/
╚═╝ ╚═╝ ╚═╝╚════╝ Release v4.9237 - Ice Coffee ☕
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.9237 2020-09-18 11:07:51
compiled with GCC 10.2.0 OS:Linux ARCH:x86_64
[ PROXMARK3 RDV4 ]
external flash: present
smartcard reader: present
[ PROXMARK3 RDV4 Extras ]
FPC USART for BT add-on support: absent
[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-1000-g5d357a60 2020-09-07 11:31:26
os: RRG/Iceman/master/v4.9237 2020-09-18 11:08:58
compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]
[ FPGA ]
LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 287205 bytes (55%) Free: 237083 bytes (45%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> hf mf autopwn
[!] ⚠️ no known key was supplied, key recovery might fail
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1
[=] Chunk: 0.9s | found 31/32 keys (23)
[=] running strategy 2
[=] Chunk: 0.9s | found 31/32 keys (23)
[+] target sector: 0 key type: A -- found valid key [FF FF FF FF FF FF ] (used for nested / hardnested attack)
[+] target sector: 0 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 1 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 1 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 2 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 2 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 3 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 3 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 4 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 4 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 5 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 5 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 6 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 6 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 7 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 7 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 8 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 8 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 9 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 9 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 10 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 10 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 11 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 11 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 12 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 12 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 13 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 13 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] target sector: 14 key type: A -- found valid key [A0 A1 A2 A3 A4 A5 ]
[+] target sector: 15 key type: A -- found valid key [FF FF FF FF FF FF ]
[+] target sector: 15 key type: B -- found valid key [00 00 00 00 00 00 ]
[+] Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 963 million (2^29.8) keys/s | 140737488355328 | 2d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
5 | 112 | Apply bit flip properties | 663345758208 | 11min
6 | 224 | Apply bit flip properties | 405082308608 | 7min
6 | 336 | Apply bit flip properties | 366620508160 | 6min
7 | 445 | Apply bit flip properties | 362402250752 | 6min
8 | 557 | Apply bit flip properties | 355892789248 | 6min
9 | 668 | Apply bit flip properties | 355892789248 | 6min
9 | 779 | Apply bit flip properties | 355892789248 | 6min
10 | 891 | Apply bit flip properties | 355892789248 | 6min
11 | 1000 | Apply bit flip properties | 355892789248 | 6min
12 | 1111 | Apply bit flip properties | 355892789248 | 6min
13 | 1221 | Apply bit flip properties | 355892789248 | 6min
#db# AcquireNonces: Can't select card (UID)
13 | 1332 | Apply bit flip properties | 355892789248 | 6min
14 | 1444 | Apply bit flip properties | 355892789248 | 6min
15 | 1553 | Apply bit flip properties | 355892789248 | 6min
#db# AcquireNonces: Can't select card (ALL)
17 | 1662 | Apply Sum property. Sum(a0) = 128 | 43498967040 | 45s
18 | 1771 | Apply bit flip properties | 43498967040 | 45s
18 | 1878 | Apply bit flip properties | 43498967040 | 45s
19 | 1986 | Apply bit flip properties | 28114264064 | 29s
20 | 2095 | Apply bit flip properties | 28114264064 | 29s
21 | 2204 | Apply bit flip properties | 28114264064 | 29s
22 | 2310 | Apply bit flip properties | 28114264064 | 29s
22 | 2310 | (1. guess: Sum(a8) = 0) | 28114264064 | 29s
23 | 2310 | Apply Sum(a8) and all bytes bitflip properties | 26644373504 | 28s
24 | 2310 | Brute force phase completed. Key found: c95e34c0a15e | 0 | 0s
[+] target sector: 14 key type: B -- found valid key [C9 5E 34 C0 A1 5E ]
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | D | 000000000000 | D |
[+] | 001 | ffffffffffff | D | 000000000000 | D |
[+] | 002 | ffffffffffff | D | 000000000000 | D |
[+] | 003 | ffffffffffff | D | 000000000000 | D |
[+] | 004 | ffffffffffff | D | 000000000000 | D |
[+] | 005 | ffffffffffff | D | 000000000000 | D |
[+] | 006 | ffffffffffff | D | 000000000000 | D |
[+] | 007 | ffffffffffff | D | 000000000000 | D |
[+] | 008 | ffffffffffff | D | 000000000000 | D |
[+] | 009 | ffffffffffff | D | 000000000000 | D |
[+] | 010 | ffffffffffff | D | 000000000000 | D |
[+] | 011 | ffffffffffff | D | 000000000000 | D |
[+] | 012 | ffffffffffff | D | 000000000000 | D |
[+] | 013 | ffffffffffff | D | 000000000000 | D |
[+] | 014 | a0a1a2a3a4a5 | D | c95e34c0a15e | H |
[+] | 015 | ffffffffffff | D | 000000000000 | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-9D3312EA-key-4.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
#db# Cmd Error: 04
#db# Cmd Error: 04
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-9D3312EA-dump-5.bin
[+] saved 64 blocks to text file hf-mf-9D3312EA-dump-5.eml
[+] saved to json file hf-mf-9D3312EA-dump-5.json
[=] autopwn execution time: 28 seconds
The dumps are fine.
OK, the timeout is 2 sec, so the card might be dumping, but the client times out.
Try changing these two timeouts to 4000 instead and see if that solves your problem https://github.com/RfidResearchGroup/proxmark3/blob/master/client/src/cmdhfmf.c#L925-L939
No, it doesn't:
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-9D3312EA-key-5.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY A, swapping to KEY B
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-9D3312EA-dump-6.bin
[+] saved 64 blocks to text file hf-mf-9D3312EA-dump-6.eml
[+] saved to json file hf-mf-9D3312EA-dump-6.json
[=] autopwn execution time: 131 seconds
[usb] pm3 -->
┌──(flo㉿kali)-[~/tools/NFC/RfidResearchGroup-proxmark3/client]
└─$ git diff
diff --git a/client/src/cmdhfmf.c b/client/src/cmdhfmf.c
index 6bd4c9c2..f105ab05 100644
--- a/client/src/cmdhfmf.c
+++ b/client/src/cmdhfmf.c
@@ -922,7 +922,7 @@ static int FastDumpWithEcFill(uint8_t numsectors) {
clearCommandBuffer();
SendCommandNG(CMD_HF_MIFARE_EML_LOAD, (uint8_t *)&payload, sizeof(payload));
- bool res = WaitForResponseTimeout(CMD_HF_MIFARE_EML_LOAD, &resp, 2000);
+ bool res = WaitForResponseTimeout(CMD_HF_MIFARE_EML_LOAD, &resp, 4000);
if (res == false) {
PrintAndLogEx(WARNING, "Command execute timeout");
return PM3_ETIMEOUT;
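Review bot: the longer wait in the first WaitForResponseTimeout call only matters if the `res == false` branch is reached, and the run posted with this patch prints "fast dump reported back failure w KEY A" rather than "Command execute timeout". The failure is therefore coming back in the device's reply, not from the client giving up early, so this change can be dropped and the status carried in `resp` looked at instead.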
@@ -936,7 +936,7 @@ static int FastDumpWithEcFill(uint8_t numsectors) {
clearCommandBuffer();
SendCommandNG(CMD_HF_MIFARE_EML_LOAD, (uint8_t *)&payload, sizeof(payload));
- res = WaitForResponseTimeout(CMD_HF_MIFARE_EML_LOAD, &resp, 2000);
+ res = WaitForResponseTimeout(CMD_HF_MIFARE_EML_LOAD, &resp, 4000);
if (res == false) {
PrintAndLogEx(WARNING, "Command execute timeout");
return PM3_ETIMEOUT;
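Review bot: the literal 4000 is now repeated in both WaitForResponseTimeout calls of FastDumpWithEcFill. If a longer wait is kept, define it once as a named constant and use it in both places so the two waits cannot drift apart, with a short comment saying why 2000 was not enough.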
Bugger, let's enable some debug output
hw dbg 2
hf mf autopwn
I've tried the ecfill command, it fails the same way:
[usb] pm3 --> hf mf ekeyprn
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 001 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 002 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 003 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 004 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 005 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 006 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 007 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 008 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 009 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 010 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 011 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 012 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 013 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 014 | a0a1a2a3a4a5 | 1 | c95e34c0a15e | 1 |
[+] | 015 | ffffffffffff | 1 | 000000000000 | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success)
[usb] pm3 --> hf mf ecfill A
--params: numSectors: 16, keyType: A
[usb] pm3 -->
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[usb] pm3 --> hf mf ecfill B
--params: numSectors: 16, keyType: B
[usb] pm3 -->
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[usb] pm3 --> hf mf eview
[=] downloading from emulator memory
[=] ----+-------------------------------------------------+-----------------
[=] blk | data | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 000 | 9D 33 12 EA 56 18 02 00 04 BA 24 15 BA 90 06 11 | .3..V.....$.....
[=] 001 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 002 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 003 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 004 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 005 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 006 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 007 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 008 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 009 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 011 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 012 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 013 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 014 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 015 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 016 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 017 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 018 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 019 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 021 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 022 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 023 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 024 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 025 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 026 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 027 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 028 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 029 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 031 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 032 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 033 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 034 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 035 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 036 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 037 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 038 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 039 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 041 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 042 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 043 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 044 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 045 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 046 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 047 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 048 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 049 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 051 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 052 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 053 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 054 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 055 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 056 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 057 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 058 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 059 | A0 A1 A2 A3 A4 A5 00 00 00 00 C9 5E 34 C0 A1 5E | ...........^4..^
[=] 060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 061 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 062 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 063 | FF FF FF FF FF FF 04 00 46 8E 00 00 00 00 00 00 | ........F.......
[=] ----+-------------------------------------------------+-----------------
Let's enable debug:
[usb] pm3 --> hw dbg 2
[usb] pm3 -->
[#] DBGLEVEL................2 ( INFO )
[usb] pm3 --> hf mf autopwn
[!] ⚠️ no known key was supplied, key recovery might fail
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1
[=] Chunk: 0.9s | found 31/32 keys (23)
[=] running strategy 2
[=] Chunk: 0.9s | found 31/32 keys (23)
[+] target sector: 0 key type: A -- found valid key [ FF FF FF FF FF FF ] (used for nested / hardnested attack)
[+] target sector: 0 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 1 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 1 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 2 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 2 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 3 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 3 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 4 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 4 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 5 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 5 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 6 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 6 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 7 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 7 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 8 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 8 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 9 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 9 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 10 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 10 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 11 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 11 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 12 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 12 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 13 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 13 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[+] target sector: 14 key type: A -- found valid key [ A0 A1 A2 A3 A4 A5 ]
[+] target sector: 15 key type: A -- found valid key [ FF FF FF FF FF FF ]
[+] target sector: 15 key type: B -- found valid key [ 00 00 00 00 00 00 ]
[#] READ BLOCK FINISHED
[+] Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 1011 million (2^29.9) keys/s | 140737488355328 | 2d
5 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
9 | 112 | Apply bit flip properties | 556506087424 | 9min
10 | 224 | Apply bit flip properties | 397373276160 | 7min
11 | 335 | Apply bit flip properties | 378576371712 | 6min
12 | 447 | Apply bit flip properties | 360039251968 | 6min
12 | 558 | Apply bit flip properties | 355892789248 | 6min
13 | 669 | Apply bit flip properties | 355892789248 | 6min
14 | 780 | Apply bit flip properties | 355892789248 | 6min
14 | 888 | Apply bit flip properties | 355892789248 | 6min
15 | 998 | Apply bit flip properties | 355892789248 | 6min
16 | 1109 | Apply bit flip properties | 355892789248 | 6min
17 | 1221 | Apply bit flip properties | 355892789248 | 6min
18 | 1330 | Apply bit flip properties | 355892789248 | 6min
18 | 1439 | Apply bit flip properties | 355892789248 | 6min
19 | 1548 | Apply bit flip properties | 355892789248 | 6min
20 | 1657 | Apply bit flip properties | 355892789248 | 6min
21 | 1765 | Apply bit flip properties | 355892789248 | 6min
22 | 1874 | Apply bit flip properties | 355892789248 | 6min
23 | 1983 | Apply bit flip properties | 355892789248 | 6min
25 | 2090 | Apply Sum property. Sum(a0) = 128 | 43498967040 | 43s
25 | 2200 | Apply bit flip properties | 43498967040 | 43s
26 | 2306 | Apply bit flip properties | 43498967040 | 43s
27 | 2412 | Apply bit flip properties | 43498967040 | 43s
27 | 2412 | (Ignoring Sum(a8) properties) | 43498967040 | 43s
109 | 2412 | Brute force phase completed. Key found: c95e34c0a15e | 0 | 0s
[+] target sector: 14 key type: B -- found valid key [ C9 5E 34 C0 A1 5E ]
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | D | 000000000000 | D |
[+] | 001 | ffffffffffff | D | 000000000000 | D |
[+] | 002 | ffffffffffff | D | 000000000000 | D |
[+] | 003 | ffffffffffff | D | 000000000000 | D |
[+] | 004 | ffffffffffff | D | 000000000000 | D |
[+] | 005 | ffffffffffff | D | 000000000000 | D |
[+] | 006 | ffffffffffff | D | 000000000000 | D |
[+] | 007 | ffffffffffff | D | 000000000000 | D |
[+] | 008 | ffffffffffff | D | 000000000000 | D |
[+] | 009 | ffffffffffff | D | 000000000000 | D |
[+] | 010 | ffffffffffff | D | 000000000000 | D |
[+] | 011 | ffffffffffff | D | 000000000000 | D |
[+] | 012 | ffffffffffff | D | 000000000000 | D |
[+] | 013 | ffffffffffff | D | 000000000000 | D |
[+] | 014 | a0a1a2a3a4a5 | D | c95e34c0a15e | H |
[+] | 015 | ffffffffffff | D | 000000000000 | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-9D3312EA-key-7.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] Error reading sector 14 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 3
[#] Sector[15]. Auth nested error
[=] fast dump reported back failure w KEY A, swapping to KEY B
[#] Cmd Error 04
[#] Error reading sector 0 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 3
[#] Sector[ 1]. Auth nested error
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-9D3312EA-dump-8.bin
[+] saved 64 blocks to text file hf-mf-9D3312EA-dump-8.eml
[+] saved to json file hf-mf-9D3312EA-dump-8.json
[=] autopwn execution time: 113 seconds
It looks like fast dump tries to read sector 0!
It fails because it tries to read the wrong sectors with key B.
You need the emulator mem to have keys first.
hw dbg 2
hf mf ecfill
And yes, ecfill tries to read sector 0 to x, it doesn't keep track of which sectors / blocks have already been read, which I assume is the reason for the problem.
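Added example, not part of the thread or of the Proxmark3 code base: a small triage script for the `hw dbg 2` output format quoted in this issue, separating sectors that stayed unread after both key passes from errors that only come from the key B pass revisiting sectors key A had already filled. It assumes a sector with no error line in a pass was read successfully in that pass; the sample log is constructed from the line formats shown here, and the function names are hypothetical.

```python
import re

# Line formats taken from the debug output quoted in this thread.
READ_ERR = re.compile(r"Error reading sector\s+(\d+)\s+block\s+\d+")
AUTH_ERR = re.compile(r"Sector\[\s*(\d+)\]\. Auth nested error")
PASS_START = re.compile(r"keyType:\s*([AB])")  # banner printed by 'hf mf ecfill'
PASS_END = re.compile(r"fast dump reported back failure w KEY ([AB])")  # autopwn


def parse_fill_failures(log):
    """Return {'A': set, 'B': set} of sectors that logged an error per key pass.

    Expects the log of a single run. 'hf mf ecfill' names the key before the
    errors, 'hf mf autopwn' names it after them, so both orders are handled.
    Errors that are never attributed to a key are ignored.
    """
    failed = {"A": set(), "B": set()}
    current = None   # key type announced by an ecfill banner
    pending = set()  # errors seen before autopwn tells us which key was used
    for line in log.splitlines():
        start = PASS_START.search(line)
        if start:
            current = start.group(1)
            continue
        end = PASS_END.search(line)
        if end:
            failed[end.group(1)] |= pending
            pending = set()
            continue
        err = READ_ERR.search(line) or AUTH_ERR.search(line)
        if err:
            sector = int(err.group(1))
            (failed[current] if current else pending).add(sector)
    return failed


def triage(failed, num_sectors=16):
    """Split the failures into real gaps and noise from re-reading."""
    all_sectors = set(range(num_sectors))
    filled_by_a = all_sectors - failed["A"]
    return {
        # sectors the key A pass completed; key B has nothing to add here
        "filled_by_A": sorted(filled_by_a),
        # the only sectors a key B pass needed to visit
        "needed_B": sorted(failed["A"]),
        # key B errors on sectors that were already in emulator memory
        "redundant_B_failures": sorted(failed["B"] & filled_by_a),
        # sectors that neither pass could read: the actual holes in the dump
        "still_missing": sorted(failed["A"] & failed["B"]),
    }


# Constructed sample in the autopwn format: key A pass fails on sectors 14-15,
# key B pass restarts at sector 0 and fails everywhere.
SAMPLE_LOG = "\n".join(
    ["[#] Cmd Error 04"]
    + [f"[#] Error reading sector 14 block {b}" for b in range(4)]
    + ["[#] Sector[15]. Auth nested error",
       "[=] fast dump reported back failure w KEY A, swapping to KEY B",
       "[#] Cmd Error 04"]
    + [f"[#] Error reading sector 0 block {b}" for b in range(4)]
    + [f"[#] Sector[{s:2d}]. Auth nested error" for s in range(1, 16)]
    + ["[=] fast dump reported back failure w KEY B"]
)

if __name__ == "__main__":
    report = triage(parse_fill_failures(SAMPLE_LOG))
    for name, sectors in report.items():
        print(f"{name:22s} {sectors}")
```
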
[usb] pm3 --> hw dbg 2
[usb] pm3 -->
[#] DBGLEVEL................2 ( INFO )
[usb] pm3 --> hf mf ekeyprn
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 001 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 002 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 003 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 004 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 005 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 006 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 007 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 008 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 009 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 010 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 011 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 012 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 013 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 014 | a0a1a2a3a4a5 | 1 | c95e34c0a15e | 1 |
[+] | 015 | ffffffffffff | 1 | 000000000000 | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success)
[usb] pm3 --> hf mf ecfill A
--params: numSectors: 16, keyType: A
[usb] pm3 -->
[#] Cmd Error 04
[#] Error reading sector 14 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 3
[#] Sector[15]. Auth nested error
[usb] pm3 --> hf mf ecfill B
--params: numSectors: 16, keyType: B
[usb] pm3 -->
[#] Cmd Error 04
[#] Error reading sector 0 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 3
[#] Sector[ 1]. Auth nested error
[usb] pm3 --> hf mf eview
[=] downloading from emulator memory
[=] ----+-------------------------------------------------+-----------------
[=] blk | data | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 000 | 9D 33 12 EA 56 18 02 00 04 BA 24 15 BA 90 06 11 | .3..V.....$.....
[=] 001 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 002 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 003 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 004 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 005 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 006 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 007 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 008 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 009 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 011 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 012 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 013 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 014 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 015 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 016 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 017 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 018 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 019 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 021 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 022 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 023 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 024 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 025 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 026 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 027 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 028 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 029 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 031 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 032 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 033 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 034 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 035 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 036 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 037 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 038 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 039 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 041 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 042 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 043 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 044 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 045 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 046 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 047 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 048 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 049 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 051 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 052 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 053 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 054 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 055 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 056 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 057 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 058 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 059 | A0 A1 A2 A3 A4 A5 00 00 00 00 C9 5E 34 C0 A1 5E | ...........^4..^
[=] 060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 061 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 062 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 063 | FF FF FF FF FF FF 04 00 46 8E 00 00 00 00 00 00 | ........F.......
[=] ----+-------------------------------------------------+-----------------
Pull latest, flash and test.
128 | 1763 | Brute force phase completed. Key found: c95e34c0a15e | 0 | 0s
[+] target sector: 14 key type: B -- found valid key [ C9 5E 34 C0 A1 5E ]
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | D | 000000000000 | D |
[+] | 001 | ffffffffffff | D | 000000000000 | D |
[+] | 002 | ffffffffffff | D | 000000000000 | D |
[+] | 003 | ffffffffffff | D | 000000000000 | D |
[+] | 004 | ffffffffffff | D | 000000000000 | D |
[+] | 005 | ffffffffffff | D | 000000000000 | D |
[+] | 006 | ffffffffffff | D | 000000000000 | D |
[+] | 007 | ffffffffffff | D | 000000000000 | D |
[+] | 008 | ffffffffffff | D | 000000000000 | D |
[+] | 009 | ffffffffffff | D | 000000000000 | D |
[+] | 010 | ffffffffffff | D | 000000000000 | D |
[+] | 011 | ffffffffffff | D | 000000000000 | D |
[+] | 012 | ffffffffffff | D | 000000000000 | D |
[+] | 013 | ffffffffffff | D | 000000000000 | D |
[+] | 014 | a0a1a2a3a4a5 | D | c95e34c0a15e | H |
[+] | 015 | ffffffffffff | D | 000000000000 | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-9D3312EA-key-10.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] Error reading sector 14 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 3
[#] Sector[15]. Auth nested error
[#] Emulator fill sectors finished
[=] fast dump reported back failure w KEY A, swapping to KEY B
[#] Cmd Error 04
[#] Error reading sector 0 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 3
[#] Sector[ 1]. Auth nested error
[#] Sector[ 2]. Auth nested error
[#] Sector[ 3]. Auth nested error
[#] Sector[ 4]. Auth nested error
[#] Sector[ 5]. Auth nested error
[#] Sector[ 6]. Auth nested error
[#] Sector[ 7]. Auth nested error
[#] Sector[ 8]. Auth nested error
[#] Sector[ 9]. Auth nested error
[#] Sector[10]. Auth nested error
[#] Sector[11]. Auth nested error
[#] Sector[12]. Auth nested error
[#] Sector[13]. Auth nested error
[#] Sector[14]. Auth nested error
[#] Sector[15]. Auth nested error
[#] Emulator fill sectors finished
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-9D3312EA-dump-10.bin
[+] saved 64 blocks to text file hf-mf-9D3312EA-dump-10.eml
[+] saved to json file hf-mf-9D3312EA-dump-10.json
[=] autopwn execution time: 132 seconds
[usb] pm3 --> hf mf ekeyprn
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 001 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 002 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 003 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 004 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 005 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 006 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 007 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 008 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 009 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 010 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 011 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 012 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 013 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 014 | a0a1a2a3a4a5 | 1 | c95e34c0a15e | 1 |
[+] | 015 | ffffffffffff | 1 | 000000000000 | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success)
[usb] pm3 --> hf mf ecfill A
--params: numSectors: 16, keyType: A
[usb] pm3 -->
[#] Cmd Error 04
[#] Error reading sector 14 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 3
[#] Sector[15]. Auth nested error
[#] Emulator fill sectors finished
[usb] pm3 --> hf mf ecfill B
--params: numSectors: 16, keyType: B
[usb] pm3 -->
[#] Cmd Error 04
[#] Error reading sector 0 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 3
[#] Sector[ 1]. Auth nested error
[#] Sector[ 2]. Auth nested error
[#] Sector[ 3]. Auth nested error
[#] Sector[ 4]. Auth nested error
[#] Sector[ 5]. Auth nested error
[#] Sector[ 6]. Auth nested error
[#] Sector[ 7]. Auth nested error
[#] Sector[ 8]. Auth nested error
[#] Sector[ 9]. Auth nested error
[#] Sector[10]. Auth nested error
[#] Sector[11]. Auth nested error
[#] Sector[12]. Auth nested error
[#] Sector[13]. Auth nested error
[#] Sector[14]. Auth nested error
[#] Sector[15]. Auth nested error
[#] Emulator fill sectors finished
[usb] pm3 --> hf mf eview
[=] downloading from emulator memory
[=] ----+-------------------------------------------------+-----------------
[=] blk | data | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 000 | 9D 33 12 EA 56 18 02 00 04 BA 24 15 BA 90 06 11 | .3..V.....$.....
[=] 001 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 002 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 003 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 004 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 005 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 006 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 007 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 008 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 009 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 011 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 012 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 013 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 014 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 015 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 016 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 017 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 018 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 019 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 021 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 022 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 023 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 024 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 025 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 026 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 027 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 028 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 029 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 031 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 032 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 033 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 034 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 035 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 036 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 037 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 038 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 039 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 041 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 042 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 043 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 044 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 045 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 046 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 047 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 048 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 049 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 051 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 052 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 053 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 054 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 055 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 056 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 057 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 058 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 059 | A0 A1 A2 A3 A4 A5 00 00 00 00 C9 5E 34 C0 A1 5E | ...........^4..^
[=] 060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 061 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 062 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 063 | FF FF FF FF FF FF 04 00 46 8E 00 00 00 00 00 00 | ........F.......
[=] ----+-------------------------------------------------+-----------------
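One way to reduce debug output like the above to a per-pass summary of which sectors failed at authentication and which failed at block reads, so two firmware builds can be compared quickly. This is an added example, not part of the original thread or the Proxmark3 code base; the function names and `SAMPLE_LOG` are constructed here, and it assumes the debug lines are printed in the format shown in the thread.

```python
import re

# Line formats as they appear in the thread's output.
READ_ERR = re.compile(r"Error reading sector\s+(\d+)\s+block\s+(\d+)")
AUTH_ERR = re.compile(r"Sector\[\s*(\d+)\]\. Auth (?:nested )?error")
KEY_PARAM = re.compile(r"keyType:\s*([AB])")        # printed before an ecfill pass
KEY_AFTER = re.compile(r"failure w KEY ([AB])")     # printed after an autopwn pass
PASS_END = "Emulator fill sectors finished"

# Constructed sample in the thread's format, shortened to a 4-sector card.
SAMPLE_LOG = """\
[usb] pm3 --> hf mf ecfill A
--params: numSectors: 4, keyType: A
[#] Cmd Error 04
[#] Error reading sector 2 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 3
[#] Sector[ 3]. Auth nested error
[#] Emulator fill sectors finished
[usb] pm3 --> hf mf ecfill B
--params: numSectors: 4, keyType: B
[#] Cmd Error 04
[#] Error reading sector 0 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 3
[#] Sector[ 1]. Auth nested error
[#] Sector[ 2]. Auth nested error
[#] Sector[ 3]. Auth nested error
[#] Emulator fill sectors finished
"""


def _new_pass():
    return {"key": None, "auth_failed": set(), "read_failed": {}}


def parse_fill_passes(text):
    """Split the log into emulator-fill passes and collect errors per pass.

    A pass ends at 'Emulator fill sectors finished'. Its key type comes from a
    preceding 'keyType: X' line (ecfill) or a following 'failure w KEY X'
    line (autopwn); it stays None if neither is present.
    """
    passes, cur = [], _new_pass()
    for line in text.splitlines():
        if m := KEY_PARAM.search(line):
            cur["key"] = m.group(1)
        elif m := READ_ERR.search(line):
            sector, block = int(m.group(1)), int(m.group(2))
            cur["read_failed"].setdefault(sector, set()).add(block)
        elif m := AUTH_ERR.search(line):
            cur["auth_failed"].add(int(m.group(1)))
        elif PASS_END in line:
            passes.append(cur)
            cur = _new_pass()
        elif (m := KEY_AFTER.search(line)) and passes and passes[-1]["key"] is None:
            passes[-1]["key"] = m.group(1)
    return passes


def clean_sectors(fill_pass, num_sectors=16):
    """Sectors with no logged auth or read error in this pass."""
    return [s for s in range(num_sectors)
            if s not in fill_pass["auth_failed"]
            and s not in fill_pass["read_failed"]]


def failed_in_every_pass(passes, num_sectors=16):
    """Sectors that logged an error in each pass (no key type got them clean)."""
    return [s for s in range(num_sectors)
            if passes and all(s not in clean_sectors(p, num_sectors) for p in passes)]


def summarize(text, num_sectors=16):
    """Return one summary line per pass plus a final line of unresolved sectors."""
    passes = parse_fill_passes(text)
    lines = []
    for i, p in enumerate(passes, 1):
        lines.append(
            f"pass {i} key {p['key'] or '?'}: "
            f"auth failed {sorted(p['auth_failed'])}, "
            f"read failed {sorted(p['read_failed'])}, "
            f"clean {clean_sectors(p, num_sectors)}"
        )
    lines.append(f"error in every pass: {failed_in_every_pass(passes, num_sectors)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG, num_sectors=4)))
```

A sector counts as clean only in the sense that no error line was logged for it, so the capture needs the same debug verbosity as the runs in the thread.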
Now it's the nested auth.
If you comment out line 1977 and forward in armsrc/mifarecmd.c, function MifareECardLoad, like this, then compile, flash, and test:
    for (uint8_t sectorNo = 0; sectorNo < sectorcnt; sectorNo++) {
        uint64_t ui64Key = emlGetKey(sectorNo, keytype);
        //if (sectorNo == 0) {
            if (mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keytype, ui64Key, AUTH_FIRST)) {
                retval = PM3_EPARTIAL;
                if (DBGLEVEL > DBG_ERROR) Dbprintf("Sector[%2d]. Auth error", sectorNo);
                continue;
            }
        /*
        } else {
            if (mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keytype, ui64Key, AUTH_NESTED)) {
                retval = PM3_EPARTIAL;
                if (DBGLEVEL > DBG_ERROR) Dbprintf("Sector[%2d]. Auth nested error", sectorNo);
                continue;
            }
        }
        */
[+] target sector: 14 key type: B -- found valid key [ C9 5E 34 C0 A1 5E ]
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | D | 000000000000 | D |
[+] | 001 | ffffffffffff | D | 000000000000 | D |
[+] | 002 | ffffffffffff | D | 000000000000 | D |
[+] | 003 | ffffffffffff | D | 000000000000 | D |
[+] | 004 | ffffffffffff | D | 000000000000 | D |
[+] | 005 | ffffffffffff | D | 000000000000 | D |
[+] | 006 | ffffffffffff | D | 000000000000 | D |
[+] | 007 | ffffffffffff | D | 000000000000 | D |
[+] | 008 | ffffffffffff | D | 000000000000 | D |
[+] | 009 | ffffffffffff | D | 000000000000 | D |
[+] | 010 | ffffffffffff | D | 000000000000 | D |
[+] | 011 | ffffffffffff | D | 000000000000 | D |
[+] | 012 | ffffffffffff | D | 000000000000 | D |
[+] | 013 | ffffffffffff | D | 000000000000 | D |
[+] | 014 | a0a1a2a3a4a5 | D | c95e34c0a15e | H |
[+] | 015 | ffffffffffff | D | 000000000000 | D |
[+] |-----|----------------|---|----------------|---|
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-9D3312EA-key-11.bin--> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] Error reading sector 1 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 3
[#] Emulator fill sectors finished
[=] fast dump reported back failure w KEY A, swapping to KEY B
[#] Cmd Error 04
[#] Error reading sector 0 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 3
[#] Emulator fill sectors finished
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-9D3312EA-dump-11.bin
[+] saved 64 blocks to text file hf-mf-9D3312EA-dump-11.eml
[+] saved to json file hf-mf-9D3312EA-dump-11.json
[=] autopwn execution time: 41 seconds
[usb] pm3 -->
It fails reading all sectors except 0, 3 and 15 now.
[usb] pm3 --> hf mf ekeyprn
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 001 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 002 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 003 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 004 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 005 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 006 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 007 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 008 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 009 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 010 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 011 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 012 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 013 | ffffffffffff | 1 | 000000000000 | 1 |
[+] | 014 | a0a1a2a3a4a5 | 1 | c95e34c0a15e | 1 |
[+] | 015 | ffffffffffff | 1 | 000000000000 | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success)
[usb] pm3 --> hf mf ecfill A
--params: numSectors: 16, keyType: A
[usb] pm3 -->
[#] Cmd Error 04
[#] Error reading sector 1 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 3
[#] Emulator fill sectors finished
[usb] pm3 --> hf mf ecfill B
--params: numSectors: 16, keyType: B
[usb] pm3 -->
[#] Cmd Error 04
[#] Error reading sector 0 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 0 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 1 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 2 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 3 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 4 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 5 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 6 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 7 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 8 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 9 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 10 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 11 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 12 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 13 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 14 block 3
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 0
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 1
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 3
[#] Emulator fill sectors finished
[usb] pm3 --> hf mf eview
[=] downloading from emulator memory
[=] ----+-------------------------------------------------+-----------------
[=] blk | data | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 000 | 9D 33 12 EA 56 18 02 00 04 BA 24 15 BA 90 06 11 | .3..V.....$.....
[=] 001 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 002 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 003 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 004 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 005 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 006 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 007 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 008 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 009 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 011 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 012 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 013 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 014 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 015 | FF FF FF FF FF FF 04 00 46 8E 00 00 00 00 00 00 | ........F.......
[=] 016 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 017 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 018 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 019 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 021 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 022 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 023 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 024 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 025 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 026 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 027 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 028 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 029 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 031 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 032 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 033 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 034 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 035 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 036 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 037 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 038 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 039 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 041 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 042 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 043 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 044 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 045 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 046 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 047 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 048 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 049 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 051 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 052 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 053 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 054 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 055 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 056 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 057 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 058 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 059 | A0 A1 A2 A3 A4 A5 00 00 00 00 C9 5E 34 C0 A1 5E | ...........^4..^
[=] 060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 061 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 062 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 063 | FF FF FF FF FF FF 04 00 46 8E 00 00 00 00 00 00 | ........F.......
[=] ----+-------------------------------------------------+-----------------
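A way to triage output like the above, as an added example that is not part of the original thread or of the Proxmark3 code: it lists the blocks the device reported as unread, flags sector trailers whose access bytes fail the MIFARE Classic inverted-copy check (which suggests the trailer in emulator memory was not read from the card), and flags trailers whose key B field is all zeros. The sample log is constructed in the format of the output above, a 1K layout is assumed, and the names `triage` and `access_bits_valid` are hypothetical.

```python
import re

# Constructed sample in the format of the pm3 output above (MIFARE Classic 1K).
SAMPLE_LOG = """\
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 2
[#] wrong response len 0 (expected 18)
[#] Error reading sector 15 block 3
[=] 003 | FF FF FF FF FF FF FF 07 80 69 00 00 00 00 00 00 | .........i......
[=] 004 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 007 | FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 | ................
[=] 063 | FF FF FF FF FF FF 04 00 46 8E 00 00 00 00 00 00 | ........F.......
"""

READ_ERR = re.compile(r"Error reading sector (\d+) block (\d+)")
DUMP_ROW = re.compile(r"\[=\]\s+(\d{3}) \| ((?:[0-9A-F]{2} ){16})\|")


def access_bits_valid(trailer: bytes) -> bool:
    """Each access bit in trailer bytes 6-8 is stored twice, once inverted."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    return ((b6 & 0x0F) == (~(b7 >> 4) & 0x0F)       # ~C1 against C1
            and (b6 >> 4) == (~b8 & 0x0F)            # ~C2 against C2
            and (b7 & 0x0F) == (~(b8 >> 4) & 0x0F))  # ~C3 against C3


def triage(log: str) -> dict:
    """Summarise failed reads and suspicious sector trailers in a pm3 log."""
    failed = [(int(s), int(b)) for s, b in READ_ERR.findall(log)]
    report = {"failed_reads": failed, "bad_trailers": [], "blank_key_b": []}
    for blk, hexbytes in DUMP_ROW.findall(log):
        blk, data = int(blk), bytes.fromhex(hexbytes)
        if blk % 4 != 3:  # 1K layout: every 4th block is a sector trailer
            continue
        sector = blk // 4
        if not access_bits_valid(data):
            report["bad_trailers"].append(sector)
        if data[10:16] == bytes(6):  # key B field holds only zeros
            report["blank_key_b"].append(sector)
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
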
There have been some fixes for hardnested, try pulling latest and see if this issue still persists.
Unfortunately, the issue still persists.
Ping! I believe we did some fixing for dump to also use key b, have you tested the latest source?
Pong !
Still have the issue with hf mf autopwn:
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
Works well with hf mf dump just after, with keys in memory.
yeah, so the dump command handles it with A/B, now autopwn should do the same...
I think this issue has been sorted. Would you mind pulling latest / compile / flash and test?
The issue is still there :(
What is the output of your current run, and a dump of the card you use to test?
The output is exactly the same: https://github.com/RfidResearchGroup/proxmark3/issues/960#issuecomment-694783399
If you want the dump I can send it to you, just tell me where.
you on discord? mifare channel, pm me, or here.
it is quite impossible you have the same output using the latest source, "Auth nested error" doesn't exist in the code anymore.
Issue fixed with latest. Thanks @iceman1001 for the investigation !
Describe the bug
hf mf autopwn failed to dump with key B: hf mf dump works well.
To Reproduce
Steps to reproduce the behavior:
hf mf autopwn
fast dump reported back failure w KEY B and the partial dumps
hf mf dump