nfc-tools / mfoc

Mifare Classic Offline Cracker
GNU General Public License v2.0

MFOC doesn't work on certain types of Mifare classic card. #11

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I am on MFOC 0.10.7 on libnfc 1.7.1.

I have tried with other cards and there is no problem retrieving the keys under 
5 minutes. However this card seems to be taking a long time.

The card is a mifare classic 1K but the manufacturer is unknown.

There are 13 other sectors using the default keys of a1a2a3a4a5a6/b1b2b3b4b5b6.

Is it possible that mifare classic cards have been patched? Or are there any 
suggestions to retrieve the keys of this particular card?

On a side note, may I ask if there is any way to get mfoc to exploit other 
sectors instead of 0? Maybe there's a chance.

mac-1320:src user$ mfoc -P 8000 -O dump
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  44  
* UID size: double
* bit frame anticollision supported
       UID (NFCID1): 2f  f0  b8  be  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (7 Byte UID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [..x.............]
[Key: a0a1a2a3a4a5] -> [..x.////////////]
[Key: d3f7d3f7d3f7] -> [..x.////////////]
[Key: 000000000000] -> [..x.////////////]
[Key: b0b1b2b3b4b5] -> [..x.xxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [..x.xxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [..x.xxxxxxxxxxxx]
[Key: aabbccddeeff] -> [..x.xxxxxxxxxxxx]
[Key: 714c5c886e97] -> [..x.xxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [..x.xxxxxxxxxxxx]
[Key: a0478cc39091] -> [..x.xxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [..x.xxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [..x.xxxxxxxxxxxx]

Sector 00 -  UNKNOWN_KEY [A]  Sector 00 -  UNKNOWN_KEY [B]  
Sector 01 -  UNKNOWN_KEY [A]  Sector 01 -  UNKNOWN_KEY [B]  
Sector 02 -  FOUND_KEY   [A]  Sector 02 -  FOUND_KEY   [B]  
Sector 03 -  UNKNOWN_KEY [A]  Sector 03 -  UNKNOWN_KEY [B]  
Sector 04 -  FOUND_KEY   [A]  Sector 04 -  FOUND_KEY   [B]  
Sector 05 -  FOUND_KEY   [A]  Sector 05 -  FOUND_KEY   [B]  
Sector 06 -  FOUND_KEY   [A]  Sector 06 -  FOUND_KEY   [B]  
Sector 07 -  FOUND_KEY   [A]  Sector 07 -  FOUND_KEY   [B]  
Sector 08 -  FOUND_KEY   [A]  Sector 08 -  FOUND_KEY   [B]  
Sector 09 -  FOUND_KEY   [A]  Sector 09 -  FOUND_KEY   [B]  
Sector 10 -  FOUND_KEY   [A]  Sector 10 -  FOUND_KEY   [B]  
Sector 11 -  FOUND_KEY   [A]  Sector 11 -  FOUND_KEY   [B]  
Sector 12 -  FOUND_KEY   [A]  Sector 12 -  FOUND_KEY   [B]  
Sector 13 -  FOUND_KEY   [A]  Sector 13 -  FOUND_KEY   [B]  
Sector 14 -  FOUND_KEY   [A]  Sector 14 -  FOUND_KEY   [B]  
Sector 15 -  FOUND_KEY   [A]  Sector 15 -  FOUND_KEY   [B]  

Using sector 02 as an exploit sector
Sector: 0, type A, probe 0, distance 24267 .....
Sector: 0, type A, probe 1, distance 38049 .....
Sector: 0, type A, probe 2, distance 35545 .....
Sector: 0, type A, probe 3, distance 39176 .....
Sector: 0, type A, probe 4, distance 23788 .....

...

Sector: 0, type A, probe 1898, distance 24569 .....

The mfoc has been running for 3 hours but to no avail.

Original issue reported on code.google.com by maxz1...@gmail.com on 23 Mar 2014 at 11:06

GoogleCodeExporter commented 9 years ago
I could have a similar problem.

ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 40  e8  2c  1f  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [x\xxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [x\xxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [x\xxxxxxxxxxxxxx]
[Key: 000000000000] -> [x\xxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [x\xxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [x\xxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [x\xxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [x\xxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [x\xxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [x\xxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [x\xxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [x\xxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [x\xxxxxxxxxxxxxx]

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  FOUND_KEY   [B]  
Sector 01 -  UNKNOWN_KEY [A]  Sector 01 -  FOUND_KEY   [B]  
Sector 02 -  FOUND_KEY   [A]  Sector 02 -  FOUND_KEY   [B]  
Sector 03 -  FOUND_KEY   [A]  Sector 03 -  FOUND_KEY   [B]  
Sector 04 -  FOUND_KEY   [A]  Sector 04 -  FOUND_KEY   [B]  
Sector 05 -  FOUND_KEY   [A]  Sector 05 -  FOUND_KEY   [B]  
Sector 06 -  FOUND_KEY   [A]  Sector 06 -  FOUND_KEY   [B]  
Sector 07 -  FOUND_KEY   [A]  Sector 07 -  FOUND_KEY   [B]  
Sector 08 -  FOUND_KEY   [A]  Sector 08 -  FOUND_KEY   [B]  
Sector 09 -  FOUND_KEY   [A]  Sector 09 -  FOUND_KEY   [B]  
Sector 10 -  FOUND_KEY   [A]  Sector 10 -  FOUND_KEY   [B]  
Sector 11 -  FOUND_KEY   [A]  Sector 11 -  FOUND_KEY   [B]  
Sector 12 -  FOUND_KEY   [A]  Sector 12 -  FOUND_KEY   [B]  
Sector 13 -  FOUND_KEY   [A]  Sector 13 -  FOUND_KEY   [B]  
Sector 14 -  FOUND_KEY   [A]  Sector 14 -  FOUND_KEY   [B]  
Sector 15 -  FOUND_KEY   [A]  Sector 15 -  FOUND_KEY   [B]  

Using sector 00 as an exploit sector
Sector: 1, type A, probe 0, distance 35029 .....
Sector: 1, type A, probe 1, distance 28911 .....
Sector: 1, type A, probe 2, distance 31888 .....
Sector: 1, type A, probe 3, distance 24325 .....
Sector: 1, type A, probe 4, distance 33525 .....
...
Sector: 1, type A, probe 1616, distance 41175 .....
Sector: 1, type A, probe 1617, distance 38282 .....
Sector: 1, type A, probe 1618, distance 36207 .....
Sector: 1, type A, probe 1619, distance 41301 .....

Original comment by joost.va...@gmail.com on 4 Jul 2014 at 9:11

GoogleCodeExporter commented 9 years ago
Same issue for me :
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 70  3a  06  df  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [////////////////]
[Key: d3f7d3f7d3f7] -> [////////////////]
[Key: 000000000000] -> [////////////////]
[Key: b0b1b2b3b4b5] -> [x/////xxxxxxxxxx]
[Key: 4d3a99c351dd] -> [x/////xxxxxxxxxx]
[Key: 1a982c7e459a] -> [x/////xxxxxxxxxx]
[Key: aabbccddeeff] -> [x/////xxxxxxxxxx]
[Key: 714c5c886e97] -> [x/////xxxxxxxxxx]
[Key: 587ee5f9350f] -> [x/////xxxxxxxxxx]
[Key: a0478cc39091] -> [x/////xxxxxxxxxx]
[Key: 533cb6c723f6] -> [x/////xxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [x/////xxxxxxxxxx]

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  FOUND_KEY   [B]  
Sector 01 -  FOUND_KEY   [A]  Sector 01 -  UNKNOWN_KEY [B]  
Sector 02 -  FOUND_KEY   [A]  Sector 02 -  UNKNOWN_KEY [B]  
Sector 03 -  FOUND_KEY   [A]  Sector 03 -  UNKNOWN_KEY [B]  
Sector 04 -  FOUND_KEY   [A]  Sector 04 -  UNKNOWN_KEY [B]  
Sector 05 -  FOUND_KEY   [A]  Sector 05 -  UNKNOWN_KEY [B]  
Sector 06 -  FOUND_KEY   [A]  Sector 06 -  FOUND_KEY   [B]  
Sector 07 -  FOUND_KEY   [A]  Sector 07 -  FOUND_KEY   [B]  
Sector 08 -  FOUND_KEY   [A]  Sector 08 -  FOUND_KEY   [B]  
Sector 09 -  FOUND_KEY   [A]  Sector 09 -  FOUND_KEY   [B]  
Sector 10 -  FOUND_KEY   [A]  Sector 10 -  FOUND_KEY   [B]  
Sector 11 -  FOUND_KEY   [A]  Sector 11 -  FOUND_KEY   [B]  
Sector 12 -  FOUND_KEY   [A]  Sector 12 -  FOUND_KEY   [B]  
Sector 13 -  FOUND_KEY   [A]  Sector 13 -  FOUND_KEY   [B]  
Sector 14 -  FOUND_KEY   [A]  Sector 14 -  FOUND_KEY   [B]  
Sector 15 -  FOUND_KEY   [A]  Sector 15 -  FOUND_KEY   [B]  

Using sector 00 as an exploit sector
Sector: 1, type B, probe 0, distance 21652 .....
Sector: 1, type B, probe 1, distance 31633 .....
Sector: 1, type B, probe 2, distance 37318 .....
...

And no key retrieval... 
Did you find any fix/tips to find the key?

Original comment by spawnrider on 11 Jul 2014 at 12:01

GoogleCodeExporter commented 9 years ago
Hi,

Any update on this issue ?

Original comment by spawnrider on 12 Aug 2014 at 1:17

GoogleCodeExporter commented 9 years ago
The same problem for me too. I have run about 3.000 probes and NOTHING until 
now.

Come on guys, has anyone resolved it? :/

Original comment by Borb...@gmail.com on 15 Oct 2014 at 6:51

GoogleCodeExporter commented 9 years ago
Same problem here.. 
In my case it's a 7 bytes UID card

mfoc -O mifarecard.dump -P 1500 -T 4
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  44  
* UID size: double
* bit frame anticollision supported
       UID (NFCID1): 04  ca  0c  72  cf  2b  90  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (7 Byte UID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxxxx...........]
[Key: a0a1a2a3a4a5] -> [xxxxx...........]
[Key: d3f7d3f7d3f7] -> [xxxxx...........]
[Key: 000000000000] -> [xxxxx...........]
[Key: b0b1b2b3b4b5] -> [xxxxx...........]
[Key: 4d3a99c351dd] -> [xxxxx...........]
[Key: 1a982c7e459a] -> [xxxxx...........]
[Key: aabbccddeeff] -> [xxxxx...........]
[Key: 714c5c886e97] -> [xxxxx...........]
[Key: 587ee5f9350f] -> [xxxxx...........]
[Key: a0478cc39091] -> [xxxxx...........]
[Key: 533cb6c723f6] -> [xxxxx...........]
[Key: 8fd0a4f256e9] -> [xxxxx...........]

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  FOUND_KEY   [B]  
Sector 01 -  FOUND_KEY   [A]  Sector 01 -  FOUND_KEY   [B]  
Sector 02 -  FOUND_KEY   [A]  Sector 02 -  FOUND_KEY   [B]  
Sector 03 -  FOUND_KEY   [A]  Sector 03 -  FOUND_KEY   [B]  
Sector 04 -  FOUND_KEY   [A]  Sector 04 -  FOUND_KEY   [B]  
Sector 05 -  UNKNOWN_KEY [A]  Sector 05 -  UNKNOWN_KEY [B]  
Sector 06 -  UNKNOWN_KEY [A]  Sector 06 -  UNKNOWN_KEY [B]  
Sector 07 -  UNKNOWN_KEY [A]  Sector 07 -  UNKNOWN_KEY [B]  
Sector 08 -  UNKNOWN_KEY [A]  Sector 08 -  UNKNOWN_KEY [B]  
Sector 09 -  UNKNOWN_KEY [A]  Sector 09 -  UNKNOWN_KEY [B]  
Sector 10 -  UNKNOWN_KEY [A]  Sector 10 -  UNKNOWN_KEY [B]  
Sector 11 -  UNKNOWN_KEY [A]  Sector 11 -  UNKNOWN_KEY [B]  
Sector 12 -  UNKNOWN_KEY [A]  Sector 12 -  UNKNOWN_KEY [B]  
Sector 13 -  UNKNOWN_KEY [A]  Sector 13 -  UNKNOWN_KEY [B]  
Sector 14 -  UNKNOWN_KEY [A]  Sector 14 -  UNKNOWN_KEY [B]  
Sector 15 -  UNKNOWN_KEY [A]  Sector 15 -  UNKNOWN_KEY [B]  

Using sector 00 as an exploit sector
Sector: 5, type A, probe 0, distance 33359 .....
Sector: 5, type A, probe 1, distance 39318 .....
Sector: 5, type A, probe 2, distance 30364 .....
Sector: 5, type A, probe 3, distance 20115 .....
Sector: 5, type A, probe 4, distance 44699 .....
Sector: 5, type A, probe 5, distance 32928 .....
Sector: 5, type A, probe 6, distance 27700 .....
Sector: 5, type A, probe 7, distance 50797 .....
Sector: 5, type A, probe 8, distance 28976 .....
Sector: 5, type A, probe 9, distance 25543 .....
Sector: 5, type A, probe 10, distance 29278 ..... 
...

Original comment by noudje1...@gmail.com on 21 Nov 2014 at 1:01

GoogleCodeExporter commented 9 years ago
I've the same problem with a canteen card. Is it possible that this card is a 
"plus" version of the mifare classic card? But I thought that there are no 
mifare plus cards available with 1kb of memory.

ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): f2  df  e2  dd
      SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxxxxxxxx....xxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxx....xxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxx....xxx]
[Key: 000000000000] -> [xxxxxxxxx....xxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxx\\\\xxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxx\\\\xxx]
[Key: 1a982c7e459a] -> [xxxxxxxxx\\\\xxx]
[Key: aabbccddeeff] -> [xxxxxxxxx\\\\xxx]
[Key: 714c5c886e97] -> [xxxxxxxxx\\\\xxx]
[Key: 587ee5f9350f] -> [xxxxxxxxx\\\\xxx]
[Key: a0478cc39091] -> [xxxxxxxxx\\\\xxx]
[Key: 533cb6c723f6] -> [xxxxxxxxx\\\\xxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxx\\\\xxx]

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  FOUND_KEY   [B]
Sector 01 -  FOUND_KEY   [A]  Sector 01 -  FOUND_KEY   [B]
Sector 02 -  FOUND_KEY   [A]  Sector 02 -  FOUND_KEY   [B]
Sector 03 -  FOUND_KEY   [A]  Sector 03 -  FOUND_KEY   [B]
Sector 04 -  FOUND_KEY   [A]  Sector 04 -  FOUND_KEY   [B]
Sector 05 -  FOUND_KEY   [A]  Sector 05 -  FOUND_KEY   [B]
Sector 06 -  FOUND_KEY   [A]  Sector 06 -  FOUND_KEY   [B]
Sector 07 -  FOUND_KEY   [A]  Sector 07 -  FOUND_KEY   [B]
Sector 08 -  FOUND_KEY   [A]  Sector 08 -  FOUND_KEY   [B]
Sector 09 -  UNKNOWN_KEY [A]  Sector 09 -  FOUND_KEY   [B]
Sector 10 -  UNKNOWN_KEY [A]  Sector 10 -  FOUND_KEY   [B]
Sector 11 -  UNKNOWN_KEY [A]  Sector 11 -  FOUND_KEY   [B]
Sector 12 -  UNKNOWN_KEY [A]  Sector 12 -  FOUND_KEY   [B]
Sector 13 -  FOUND_KEY   [A]  Sector 13 -  FOUND_KEY   [B]
Sector 14 -  FOUND_KEY   [A]  Sector 14 -  FOUND_KEY   [B]
Sector 15 -  FOUND_KEY   [A]  Sector 15 -  FOUND_KEY   [B]

Using sector 00 as an exploit sector
Sector: 9, type A, probe 0, distance 35259 .....
Sector: 9, type A, probe 1, distance 24873 .....
Sector: 9, type A, probe 2, distance 46546 .....
Sector: 9, type A, probe 3, distance 38165 .....
Sector: 9, type A, probe 4, distance 38649 .....
Sector: 9, type A, probe 5, distance 40566 .....
Sector: 9, type A, probe 6, distance 46797 .....
Sector: 9, type A, probe 7, distance 42466 .....
Sector: 9, type A, probe 8, distance 25620 .....
Sector: 9, type A, probe 9, distance 39589 .....
Sector: 9, type A, probe 10, distance 36912 .....

Original comment by samsung....@googlemail.com on 22 Nov 2014 at 5:09

GoogleCodeExporter commented 9 years ago
I have the same problem: MFOC cannot recover keys on a (mifare classic 1k) card =/

root@mifare:~/mifare# mfoc -P 100000 -O 111.mfd -k 111111111111 -k 111111111111 
-k 111111111111 ......
The custom key 0x111111111111 has been added to the default keys
The custom key 0x111111111111 has been added to the default keys
The custom key 0x111111111111 has been added to the default keys
....
....
....
The custom key 0x111111111111 has been added to the default keys
The custom key 0x111111111111 has been added to the default keys
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 11  11  11  11  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 111111111111] -> [./..............]
[Key: 111111111111] -> [.//.............]
[Key: 111111111111] -> [.////...........]
[Key: 111111111111] -> [./////..........]
[Key: 111111111111] -> [./////.../......]
[Key: 111111111111] -> [./////...//.....]
[Key: 111111111111] -> [./////...///....]
[Key: 111111111111] -> [.x////...///....]
[Key: 111111111111] -> [.xx///...///....]
[Key: 111111111111] -> [.xxxx/...///....]
[Key: 111111111111] -> [.xxxxx...///....]
[Key: 111111111111] -> [.xxxxx...x//....]
[Key: 111111111111] -> [.xxxxx...xx/....]
[Key: ffffffffffff] -> [xxxxxxxxxxx/xxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxx/xxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxx/xxxx]
[Key: 000000000000] -> [xxxxxxxxxxx/xxxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxx/xxxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxx/xxxx]
[Key: 1a982c7e459a] -> [xxxxxxxxxxx/xxxx]
[Key: aabbccddeeff] -> [xxxxxxxxxxx/xxxx]
[Key: 714c5c886e97] -> [xxxxxxxxxxx/xxxx]
[Key: 587ee5f9350f] -> [xxxxxxxxxxx/xxxx]
[Key: a0478cc39091] -> [xxxxxxxxxxx/xxxx]
[Key: 533cb6c723f6] -> [xxxxxxxxxxx/xxxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxx/xxxx]

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  FOUND_KEY   [B]  
Sector 01 -  FOUND_KEY   [A]  Sector 01 -  FOUND_KEY   [B]  
Sector 02 -  FOUND_KEY   [A]  Sector 02 -  FOUND_KEY   [B]  
Sector 03 -  FOUND_KEY   [A]  Sector 03 -  FOUND_KEY   [B]  
Sector 04 -  FOUND_KEY   [A]  Sector 04 -  FOUND_KEY   [B]  
Sector 05 -  FOUND_KEY   [A]  Sector 05 -  FOUND_KEY   [B]  
Sector 06 -  FOUND_KEY   [A]  Sector 06 -  FOUND_KEY   [B]  
Sector 07 -  FOUND_KEY   [A]  Sector 07 -  FOUND_KEY   [B]  
Sector 08 -  FOUND_KEY   [A]  Sector 08 -  FOUND_KEY   [B]  
Sector 09 -  FOUND_KEY   [A]  Sector 09 -  FOUND_KEY   [B]  
Sector 10 -  FOUND_KEY   [A]  Sector 10 -  FOUND_KEY   [B]  
Sector 11 -  FOUND_KEY   [A]  Sector 11 -  UNKNOWN_KEY [B]  
Sector 12 -  FOUND_KEY   [A]  Sector 12 -  FOUND_KEY   [B]  
Sector 13 -  FOUND_KEY   [A]  Sector 13 -  FOUND_KEY   [B]  
Sector 14 -  FOUND_KEY   [A]  Sector 14 -  FOUND_KEY   [B]  
Sector 15 -  FOUND_KEY   [A]  Sector 15 -  FOUND_KEY   [B]  

Using sector 00 as an exploit sector
Sector: 11, type B, probe 0, distance 27992 .....
Sector: 11, type B, probe 1, distance 31535 .....
Sector: 11, type B, probe 2, distance 44903 .....
....
....
....
Sector: 11, type B, probe 30707, distance 31067 .....
Sector: 11, type B, probe 30708, distance 44328 .....
Sector: 11, type B, probe 30709, distance 35697 .....
Sector: 11, type B, probe 30710, distance 29793 .....
Sector: 11, type B, probe 30711, distance 41959 .....
Sector: 11, type B, probe 30712, distance 21826 .....
Sector: 11, type B, probe 30713, distance 42576 .....
Sector: 11, type B, probe 30714, distance 24317 .....

5 days after still nothing ... 
Can somebody tell me how to recover last key on sector 11:B ???

Original comment by architec...@gmail.com on 12 Feb 2015 at 6:01

GoogleCodeExporter commented 9 years ago
I encountered the same problem while handling a mifare 1k card: mfoc goes for 
days without recovering a new key. However, using a combination of the nested 
attack (mfoc) and the dark side attack (mfcuk) I managed to get over this.
Whenever mfoc would get stuck on a specific key (for example key A from sector 
3), I would save/write down the keys already found (aside from the default one), 
stop the nested attack and start looking for that specific key with mfcuk (which 
always took a few hours). Then, I would feed mfoc with the newly found key (I 
actually added the keys to mfoc's source and recompiled it) to continue the 
nested attack; mfoc would then proceed to find a few more keys, but would 
eventually get stuck again, which brings us to the end of the cycle.
It took a few days to finish this process and recover all the keys (1 default and 
31 non-default). Not sure if it was just because all the 32 keys were 
different, or if the card is a possible "plus" version as mentioned in other 
comments, or if my computer is just weak.

Anyways, can't finish without saying that, apparently, the latest version of 
mfcuk is having some trouble with the latest version of libnfc and the 
recovered key comes with the first four bytes wrong (checked). After some 
reading, I found that an older version of libnfc and mfcuk would go together and 
work; however, mfoc wouldn't work with such a version of libnfc.

Versions that worked for me:
mfcuk r65 with libnfc 1.5.1;
mfoc latest with libnfc latest.

1) Compiled and installed libnfc 1.5.1 in local directory;
2) Used mfcuk with libnfc 1.5.1 and used mfoc with the latest.

This post helped a lot in doing such:
https://zozs.se/2014/08/18/acr122u-mfcuk-mfoc-cracking-mifare-classic-on-arch-linux/

Hope this helps someone here. 

Original comment by mains...@gmail.com on 13 Mar 2015 at 5:16
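
An added example (not part of the thread or of mfoc) for anyone reviewing logs like those posted above, for instance an issuer checking how many sectors of a card still accept a key from the tool's built-in dictionary: it parses the key-map and probe lines and reports which sector/key pairs were found, which remain unknown, and how far probing has run. `audit` and `SAMPLE` are hypothetical names, the sample log is constructed from the shape of the output above, and the code assumes each key-map line is cumulative, as the logs in this thread show.

```python
import re

# Constructed sample, shaped like the mfoc output posted in this thread.
SAMPLE = """
[Key: ffffffffffff] -> [..x.............]
[Key: a0a1a2a3a4a5] -> [..x.////////////]
[Key: b0b1b2b3b4b5] -> [..x.xxxxxxxxxxxx]
Sector: 0, type A, probe 0, distance 24267 .....
Sector: 0, type A, probe 1, distance 38049 .....
Sector: 0, type A, probe 1898, distance 24569 .....
"""

MAP_RE = re.compile(r"\[Key: ([0-9a-fA-F]{12})\] -> \[([./\\x]+)\]")
PROBE_RE = re.compile(r"Sector: (\d+), type ([AB]), probe (\d+), distance (\d+)")
# Legend printed by mfoc: '.' none, '/' A key, '\' B key, 'x' both keys.
SYMBOL_KEYS = {".": "", "/": "A", "\\": "B", "x": "AB"}


def audit(log):
    """Summarise an mfoc log (hypothetical helper, not part of mfoc)."""
    # (sector, key type) -> dictionary key on the line where it first shows as found
    opened = {}
    sectors = 0
    for key, symbols in MAP_RE.findall(log):
        sectors = max(sectors, len(symbols))
        # Map lines are cumulative, so only the first appearance is recorded.
        for sector, symbol in enumerate(symbols):
            for key_type in SYMBOL_KEYS[symbol]:
                opened.setdefault((sector, key_type), key.lower())

    # Sector/key pairs that no dictionary entry opened.
    unknown = [(s, t) for s in range(sectors) for t in "AB" if (s, t) not in opened]

    # (sector, key type) -> how far the key-recovery attempt has run
    probes = {}
    for sector, key_type, number, distance in PROBE_RE.findall(log):
        number, distance = int(number), int(distance)
        stats = probes.setdefault(
            (int(sector), key_type),
            {"last_probe": number, "min_distance": distance, "max_distance": distance},
        )
        stats["last_probe"] = max(stats["last_probe"], number)
        stats["min_distance"] = min(stats["min_distance"], distance)
        stats["max_distance"] = max(stats["max_distance"], distance)

    return {"opened": opened, "unknown": unknown, "probes": probes}


if __name__ == "__main__":
    report = audit(SAMPLE)
    for (sector, key_type), key in sorted(report["opened"].items()):
        print(f"sector {sector:02d} key {key_type}: found on dictionary line {key}")
    for sector, key_type in report["unknown"]:
        print(f"sector {sector:02d} key {key_type}: not in dictionary")
    for (sector, key_type), stats in sorted(report["probes"].items()):
        print(f"sector {sector:02d} key {key_type}: {stats}")
```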