nfc-tools / mfoc-hardnested

A fork of mfoc integrating hardnested code from the proxmark
GNU General Public License v2.0
191 stars, 31 forks

Incorrect work (looping in sector 33) with Mifare 4k cards #10

Open masya-chel opened 2 years ago

masya-chel commented 2 years ago

The application works great with 1k or 2k cards. It doesn't work correctly with 4k cards. The 4k card consists of 32 sectors with a size of 64 bytes (4 blocks), and 8 sectors with a size of 256 bytes (16 blocks). When working with a 4k card, the application successfully searches keys for sectors 0-31 (the size of each sector is 64 bytes), but as soon as the key search reaches sector 32 (sector size 256 bytes), the key search gets stuck in sector 33. The key search will not go beyond sector 33. See log below.

```
 600 | 33B |    1677 | (6. guess: Sum(a8) = 112)                               |     94903107584 | 14min
 619 | 33B |    1677 | Apply Sum(a8) and all bytes bitflip properties          |     65121910784 | 10min
 625 | 33B |    1677 | Brute force phase:  12.28%                              |     64877424640 | 10min
 631 | 33B |    1677 | Brute force phase:  36.33%                              |     64398696448 | 10min
 639 | 33B |    1677 | Brute force phase:  65.61%                              |     63815827456 | 10min
 644 | 33B |    1677 | Brute force phase:  86.58%                              |     63398297600 | 10min
 647 | 33B |    1677 | (7. guess: Sum(a8) = 120)                               |     86009774080 | 13min
 659 | 33B |    1677 | Apply Sum(a8) and all bytes bitflip properties          |     49862168576 |  8min
 679 | 33B |    1677 | Brute force phase:  25.35%                              |     49128714240 |  7min
 688 | 33B |    1677 | Brute force phase completed. Key found: bbbbbbbbbb32    |               0 |    0s

Checking for key reuse...
[Key: ****] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ****] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ****] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ****] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ****] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ****] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ****] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ****] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ****] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]

Sector 00 - Found Key A: aaaaaaaaaa00 Found Key B: bbbbbbbbbb00
Sector 01 - Found Key A: aaaaaaaaaa01 Found Key B: bbbbbbbbbb01
Sector 02 - Found Key A: aaaaaaaaaa02 Found Key B: bbbbbbbbbb02
Sector 03 - Found Key A: aaaaaaaaaa03 Found Key B: bbbbbbbbbb03
Sector 04 - Found Key A: aaaaaaaaaa04 Found Key B: bbbbbbbbbb04
Sector 05 - Found Key A: aaaaaaaaaa05 Found Key B: bbbbbbbbbb05
Sector 06 - Found Key A: aaaaaaaaaa06 Found Key B: bbbbbbbbbb06
Sector 07 - Found Key A: aaaaaaaaaa07 Found Key B: bbbbbbbbbb07
Sector 08 - Found Key A: aaaaaaaaaa08 Found Key B: bbbbbbbbbb08
Sector 09 - Found Key A: aaaaaaaaaa09 Found Key B: bbbbbbbbbb09
Sector 10 - Found Key A: aaaaaaaaaa10 Found Key B: bbbbbbbbbb10
Sector 11 - Found Key A: aaaaaaaaaa11 Found Key B: bbbbbbbbbb11
Sector 12 - Found Key A: aaaaaaaaaa12 Found Key B: bbbbbbbbbb12
Sector 13 - Found Key A: aaaaaaaaaa13 Found Key B: bbbbbbbbbb13
Sector 14 - Found Key A: aaaaaaaaaa14 Found Key B: bbbbbbbbbb14
Sector 15 - Found Key A: aaaaaaaaaa15 Found Key B: bbbbbbbbbb15
Sector 16 - Found Key A: aaaaaaaaaa16 Found Key B: bbbbbbbbbb16
Sector 17 - Found Key A: aaaaaaaaaa17 Found Key B: bbbbbbbbbb17
Sector 18 - Found Key A: aaaaaaaaaa18 Found Key B: bbbbbbbbbb18
Sector 19 - Found Key A: aaaaaaaaaa19 Found Key B: bbbbbbbbbb19
Sector 20 - Found Key A: aaaaaaaaaa20 Found Key B: bbbbbbbbbb20
Sector 21 - Found Key A: aaaaaaaaaa21 Found Key B: bbbbbbbbbb21
Sector 22 - Found Key A: aaaaaaaaaa22 Found Key B: bbbbbbbbbb22
Sector 23 - Found Key A: aaaaaaaaaa23 Found Key B: bbbbbbbbbb23
Sector 24 - Found Key A: aaaaaaaaaa24 Found Key B: bbbbbbbbbb24
Sector 25 - Found Key A: aaaaaaaaaa25 Found Key B: bbbbbbbbbb25
Sector 26 - Found Key A: aaaaaaaaaa26 Found Key B: bbbbbbbbbb26
Sector 27 - Found Key A: aaaaaaaaaa27 Found Key B: bbbbbbbbbb27
Sector 28 - Found Key A: aaaaaaaaaa28 Found Key B: bbbbbbbbbb28
Sector 29 - Found Key A: aaaaaaaaaa29 Found Key B: bbbbbbbbbb29
Sector 30 - Found Key A: aaaaaaaaaa30 Found Key B: bbbbbbbbbb30
Sector 31 - Found Key A: aaaaaaaaaa31 Found Key B: bbbbbbbbbb31
Sector 32 - Found Key A: aaaaaaaaaa32 Found Key B: bbbbbbbbbb32
Sector 33 - Found Key A: aaaaaaaaaa33 Unknown Key B
Sector 34 - Found Key A: aaaaaaaaaa34 Unknown Key B
Sector 35 - Found Key A: aaaaaaaaaa35 Unknown Key B
Sector 36 - Found Key A: aaaaaaaaaa36 Found Key B: bbbbbbbbbb32   <<< wrong!!!
Sector 37 - Found Key A: aaaaaaaaaa37 Unknown Key B
Sector 38 - Found Key A: aaaaaaaaaa38 Unknown Key B
Sector 39 - Found Key A: aaaaaaaaaa39 Unknown Key B

Using sector 36 as an exploit sector

Mode: d, Auth command: 60 cf 0e 45
fc 7f d0 c7
{Ar}: bb 9a! 07! 28! 54! 26 3c ed! {At}: 52! 91 c8! b1
Authentication completed.

Nested Auth number: 0 {AuthEnc}: 28! d4 20 6b! 00! 01 00! 01
{AuthEnResp}: 3c! ec 61 27!
Card is not vulnerable to nested attack

Using SSE2 SIMD core.

 time | trg | #nonces | Activity                                                | expected to brute force
      |     |         |                                                         | #states         | time
    0 | 33B |       0 | Start using 2 threads and SSE2 SIMD core                |                 |
    0 | 33B |       0 | Brute force benchmark: 111 million (2^26.7) keys/s      | 140737488355328 |   15d
    3 | 33B |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   15d

Mode: h, Auth command: 60 c0 f9 bd
e9 05 ba 3d
{Ar}: 0c a8! 08 07! 79 6c! 1a! 6a! {At}: 84! 4d be cd
Authentication completed.

    9 | 33B |       1 | Apply bit flip properties                               | 140737488355328 |   15d

Mode: h, Auth command: 60 c0 f9 bd
ab 66 a5 c0
{Ar}: 48! 65! d7! 95! 02 ef! 4c 26! {At}: 0b 26 b4! 6f
Authentication completed.

    9 | 33B |       2 | Apply bit flip properties                               | 140737488355328 |   15d

Mode: h, Auth command: 60 c0 f9 bd
31 54 14 e3
{Ar}: 20 5b e3! 6c fd! 4d! ca! 2c! {At}: 19! c9 53! 40!
Authentication completed.
```
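
The sector/block arithmetic this report turns on, as an added worked example (not code from this thread, from mfoc-hardnested, or from PR #19): a MIFARE Classic 4K has 32 sectors of 4 blocks (blocks 0..127) followed by 8 sectors of 16 blocks (blocks 128..255), and every authentication names a block, so a tool that walks sectors must map sector numbers to blocks with the two-region layout, not the 1K rule of four blocks per sector. The functions below compute first block, trailer, block-to-sector and the trailer test for that layout; `naive_trailer_1k` is a hypothetical 1K-style formula (sector*4+3) included only to show how it lands in the wrong sector once the sector number reaches 32, and is not the mistake fixed in #19, which this page does not show. Two things can be checked against the log above: the exploit-sector auth command `60 cf 0e 45` names block 0xcf, which the correct formula maps to the trailer of sector 36; and the 1K formula gives block 135 for sector 33, a block that belongs to sector 32, which is consistent with the key reported for target 33B being sector 32's key B.

```c
#include <stdbool.h>
#include <stdio.h>

/* MIFARE Classic 4K layout: sectors 0..31 hold 4 blocks each (blocks 0..127),
 * sectors 32..39 hold 16 blocks each (blocks 128..255). The last block of a
 * sector is its trailer (key A, access bits, key B). */
#define MFC4K_SECTORS        40
#define MFC4K_SMALL_SECTORS  32
#define MFC4K_SMALL_BLOCKS    4
#define MFC4K_LARGE_BLOCKS   16
#define MFC4K_BLOCKS        256
#define MFC4K_SMALL_REGION  (MFC4K_SMALL_SECTORS * MFC4K_SMALL_BLOCKS)   /* 128 */

/* Number of blocks in a sector, or -1 for a sector number outside 0..39. */
int mfc4k_sector_block_count(int sector)
{
    if (sector < 0 || sector >= MFC4K_SECTORS) return -1;
    return sector < MFC4K_SMALL_SECTORS ? MFC4K_SMALL_BLOCKS : MFC4K_LARGE_BLOCKS;
}

/* First block of a sector, or -1 for an invalid sector. */
int mfc4k_sector_first_block(int sector)
{
    if (sector < 0 || sector >= MFC4K_SECTORS) return -1;
    if (sector < MFC4K_SMALL_SECTORS) return sector * MFC4K_SMALL_BLOCKS;
    return MFC4K_SMALL_REGION + (sector - MFC4K_SMALL_SECTORS) * MFC4K_LARGE_BLOCKS;
}

/* Trailer (last) block of a sector, or -1. Any block of the sector can be
 * used in the AUTH command; the trailer is the conventional target. */
int mfc4k_sector_trailer(int sector)
{
    int first = mfc4k_sector_first_block(sector);
    return first < 0 ? -1 : first + mfc4k_sector_block_count(sector) - 1;
}

/* Sector that owns a block, or -1 for a block outside 0..255. */
int mfc4k_block_to_sector(int block)
{
    if (block < 0 || block >= MFC4K_BLOCKS) return -1;
    if (block < MFC4K_SMALL_REGION) return block / MFC4K_SMALL_BLOCKS;
    return MFC4K_SMALL_SECTORS + (block - MFC4K_SMALL_REGION) / MFC4K_LARGE_BLOCKS;
}

/* True if the block is the trailer of the sector that owns it. */
bool mfc4k_is_trailer(int block)
{
    int s = mfc4k_block_to_sector(block);
    return s >= 0 && block == mfc4k_sector_trailer(s);
}

/* Hypothetical 1K-style formula (illustrative only, not the code from
 * mfoc-hardnested or PR #19): right for sectors 0..31, wrong from 32 on. */
int naive_trailer_1k(int sector)
{
    return sector * MFC4K_SMALL_BLOCKS + MFC4K_SMALL_BLOCKS - 1;
}

int main(void)
{
    /* Compare both formulas across the boundary between the two regions. */
    for (int s = 30; s < MFC4K_SECTORS; s++) {
        int good = mfc4k_sector_trailer(s);
        int bad  = naive_trailer_1k(s);
        bool ok  = mfc4k_block_to_sector(bad) == s && mfc4k_is_trailer(bad);
        printf("sector %2d: blocks %3d..%3d, trailer 0x%02x; 1K formula -> block %3d"
               " (sector %d)%s\n",
               s, mfc4k_sector_first_block(s), good, good, bad,
               mfc4k_block_to_sector(bad), ok ? "" : "  <-- not this sector's trailer");
    }
    return 0;
}
```

Run it and the rows for sectors 32 and up show the 1K formula drifting out of the intended sector (sector 33 maps to block 135 in sector 32), while the two-region functions keep every trailer inside its own sector up to block 255.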

tavgar commented 2 years ago

Exactly the same for me

tavgar commented 2 years ago

Any tips on how you've solved it or with an alternative?

masya-chel commented 2 years ago

Unfortunately, I have not solved this problem.

willem640 commented 1 year ago

I (hope I) fixed this in #19; there was a small mistake in the code causing larger sectors not to work. Edit: so you can use my branch until the PR is accepted.