flipperdevices / flipperzero-firmware

Flipper Zero firmware source code
https://flipperzero.one
GNU General Public License v3.0

MIFARE Classic 1K EV1 is recognized as 1K, 16 sectors/32 keys #3848

Open noproto opened 1 month ago

noproto commented 1 month ago

Describe the bug.

I have a MIFARE Classic 1K EV1 tag which I read with the Flipper and received this result:

[image: Flipper read result]

Reading the same tag with the Proxmark results in:

[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
(..)
[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | 8A19D40CF2B5 | H | 8A19D40CF2B5 | R
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | 8A19D40CF2B5 | R | 8A19D40CF2B5 | R
[+]  016 | 067 | 5C8FF9990DA2 | D | D01AFEEB890A | D ( * )
[+]  017 | 071 | 75CCB59C9BED | D | 4B791BEA7BCC | D ( * )
[+] -----+-----+--------------+---+--------------+----
[=] ( * ) These sectors used for signature. Lays outside of user memory

Because sectors_total is miscalculated, this is interfering with the dictionary attack (which is not attempting to read the two signature sectors or discover these keys) and further may cause the card to fail emulation at a legitimate reader.

Reproduction

Using an EV1 1K tag, read with official NFC app. Note 16 sectors and 32 keys tested.

Target

12.F7B9C6 R02, OFW 0.105.0

Logs

No response

Anything else?

No response
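
Added example, not part of the issue and not the firmware's code: a C illustration of why a sector count of 16 makes an EV1 1K read look complete while sectors 16 and 17 are never visited. All type and function names are hypothetical; the sector and trailer-block numbers are the ones in the Proxmark table above, and the key state is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; not the firmware's types or API. */
typedef enum { MFC_1K, MFC_1K_EV1 } mfc_variant;

/* 16 user sectors; EV1 adds signature sectors 16 and 17 (Proxmark table). */
static uint8_t sectors_total(mfc_variant v) {
    return v == MFC_1K_EV1 ? 18 : 16;
}

/* Trailer block of a 4-block sector: 3, 7, ..., 63, then 67 and 71 on EV1. */
static uint8_t trailer_block(uint8_t sector) {
    return (uint8_t)(sector * 4u + 3u);
}

/* One bit per sector in each mask: bit set = that key has been recovered. */
typedef struct { uint32_t key_a; uint32_t key_b; } key_state;

/* Bitmask of sectors still missing key A or key B for this variant. */
static uint32_t sectors_incomplete(mfc_variant v, key_state k) {
    uint32_t all = (1u << sectors_total(v)) - 1u;
    return all & ~(k.key_a & k.key_b);
}

/* Keys recovered, counted as key A plus key B per sector. */
static unsigned keys_found(mfc_variant v, key_state k) {
    unsigned n = 0;
    for (uint8_t s = 0; s < sectors_total(v); s++)
        n += ((k.key_a >> s) & 1u) + ((k.key_b >> s) & 1u);
    return n;
}

int main(void) {
    /* Constructed state: all keys of sectors 0..15 found, none beyond. */
    key_state k = { 0xFFFFu, 0xFFFFu };
    uint32_t left = sectors_incomplete(MFC_1K_EV1, k);
    printf("keys %u/%u\n", keys_found(MFC_1K_EV1, k),
           sectors_total(MFC_1K_EV1) * 2u);
    for (uint8_t s = 0; s < sectors_total(MFC_1K_EV1); s++)
        if (left & (1u << s))
            printf("sector %u (trailer block %u) not covered\n",
                   (unsigned)s, (unsigned)trailer_block(s));
    return 0;
}
```

With the tag treated as a plain 1K the same key state reports nothing missing; treated as EV1 it reports 32 of 36 keys and flags trailer blocks 67 and 71.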

noproto commented 1 month ago

The tag is a 4B UID NXP MIFARE Classic MFC1C14_x. It appears to be possible to emulate a physical tag (if necessary) using certain magic tags if a MIFARE Classic 1K EV1 is not on hand/available: https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md#uscuid-configuration-guide

doomwastaken commented 1 month ago

I just ordered a few 1k ev1 4b and 7b cards (maybe we have them available on hand)