nfc-tools / mfoc

Mifare Classic Offline Cracker
GNU General Public License v2.0

nfc_initiator_mifare_cmd: Mifare Authentication Failed #69

Open cefedrific opened 5 years ago

cefedrific commented 5 years ago

Hello all, mfoc finds the three missing keys for me but does not create the dump.

sudo mfoc -f key.txt -O test1.mfd
[sudo] Mot de passe de ___ :
The custom key 0x6c449f91af6b has been added to the default keys
The custom key 0x07364b58ce42 has been added to the default keys
The custom key 0x0419f24294b5 has been added to the default keys
The custom key 0xb0b1b2b3b4b5 has been added to the default keys
The custom key 0xa0a1a2a3a4a5 has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 04 00

Fingerprinting based on MIFARE type Identification Procedure:
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 6c449f91af6b] -> [...............]
[Key: 07364b58ce42] -> [..............]
[Key: 0419f24294b5] -> [.\............]
[Key: b0b1b2b3b4b5] -> [\\\\\\\\]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
[Key: 000000000000] -> [xxxxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]

Sector 00 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 01 - Found Key A: a0a1a2a3a4a5 Found Key B: 07364b58ce42
Sector 02 - Found Key A: a0a1a2a3a4a5 Found Key B: 0419f24294b5
Sector 03 - Found Key A: a0a1a2a3a4a5 Found Key B: 6c449f91af6b
Sector 04 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 05 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 06 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 07 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 08 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 09 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 10 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 11 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 12 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 13 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 14 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
Sector 15 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5

We have all sectors encrypted with the default keys..

Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 62, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 60, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 59, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 58, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 57, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 56, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 55, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 54, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 53, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 52, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 51, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 50, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 49, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 48, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 47, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 46, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 45, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 44, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 43, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 42, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 41, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 40, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 39, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 38, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 37, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 36, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 35, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 34, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 33, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 32, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 31, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 30, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 29, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 28, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 27, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 26, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 25, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 24, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 23, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 22, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 21, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 20, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 19, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 18, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 17, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 16, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 15, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 4b 44 bb ea 00 00 00 00 00 00
Block 14, type A, key a0a1a2a3a4a5 :00 00 44 39 15 4a e4 00 00 00 00 00 4d 49 43 00
nfc_initiator_mifare_cmd: Mifare Authentication Failed

The file is created but it is empty. Would anyone have an idea how to solve this problem?

pollev commented 4 years ago

Hi,

I encountered the same error. I don't know why this happens but I do know what happens and how you can circumvent it:

Have a look at the following code (and ignore the printf statements I jammed in there for debugging): file: src/mfoc.c

      // Try A key, auth() + read()
      memcpy(mp.mpa.abtKey, t.sectors[i].KeyA, sizeof(t.sectors[i].KeyA));
      int res;
      fprintf(stdout, "Trying key A\n");
      if ((res = nfc_initiator_mifare_cmd(r.pdi, MC_AUTH_A, block, &mp)) < 0) {
        fprintf(stdout, "authfail\n");
        if (res != NFC_EMFCAUTHFAIL) {
          nfc_perror(r.pdi, "nfc_initiator_mifare_cmd");
          goto error;
        }
        mf_configure(r.pdi);
        mf_anticollision(t, r);
      } else { // and Read
        fprintf(stdout, "and read\n");
        if ((res = nfc_initiator_mifare_cmd(r.pdi, MC_READ, block, &mp)) >= 0) {
          fprintf(stdout, "read A ok\n");
          fprintf(stdout, "Block %02d, type %c, key %012llx :", block, 'A', bytes_to_num(t.sectors[i].KeyA, 6));
          print_hex(mp.mpd.abtData, 16);
          mf_configure(r.pdi);
          mf_select_tag(r.pdi, &(t.nt));
          failure = false;
        } else {
          fprintf(stdout, "read A failed with err %d\n", res);
          // Error, now try read() with B key
          if (res != NFC_ERFTRANS) {
            nfc_perror(r.pdi, "nfc_initiator_mifare_cmd");
            //goto error;  <------ COMMENT THIS LINE <------------
          }
          mf_configure(r.pdi);
          mf_anticollision(t, r);
          memcpy(mp.mpa.abtKey, t.sectors[i].KeyB, sizeof(t.sectors[i].KeyB));
          fprintf(stdout, "Trying key B\n");

Basically, it first attempts to authenticate with KEY A, which succeeds. It then tries to read with KEY A, which fails with an AUTH error.

For some odd reason it does not fail with an auth error in the first check, which trips up the application because it does not expect an auth error after that point.

Because of this it does not try with KEY B, which would have worked.

The solution that worked for me was to simply comment out the goto error;, recompile, and everything worked perfectly.

Hope this helps someone else

priv commented 4 years ago

It's not odd, because KEY A has no read right. The AC bits are 4b 44 bb, so it behaves correctly. KEY A can auth but will not read the block 12/13.
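
The access bits mentioned in this comment can be checked by decoding the sector trailer bytes shown in the dump. The following C is an added example, not part of the thread or of mfoc; the function names `ac_bits` and `can_read` are hypothetical, and it covers only read permission on data blocks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decode the 3 access-condition bytes (sector trailer bytes 6..8) of a
 * MIFARE Classic sector. Returns the C1C2C3 value (0..7) for block index
 * 0..3 within the sector (3 = trailer), or -1 if the inverted copies
 * stored next to the bits do not match (invalid trailer). */
int ac_bits(const uint8_t ac[3], int blk)
{
    uint8_t c1 = ac[1] >> 4, c2 = ac[2] & 0x0f, c3 = ac[2] >> 4;
    uint8_t n1 = ac[0] & 0x0f, n2 = ac[0] >> 4, n3 = ac[1] & 0x0f;

    if (blk < 0 || blk > 3)
        return -1;
    if ((c1 ^ n1) != 0x0f || (c2 ^ n2) != 0x0f || (c3 ^ n3) != 0x0f)
        return -1;
    return (((c1 >> blk) & 1) << 2) | (((c2 >> blk) & 1) << 1)
         | ((c3 >> blk) & 1);
}

/* Read permission for a data block (blk 0..2) per the MIFARE Classic
 * access-condition table: 011 and 101 are Key-B-only, 111 is never. */
bool can_read(const uint8_t ac[3], int blk, char key)
{
    int c = ac_bits(ac, blk);
    if (c < 0 || blk == 3 || c == 7)
        return false;
    if (c == 3 || c == 5)
        return key == 'B';
    return key == 'A' || key == 'B';
}

int main(void)
{
    /* Access bytes as they appear in the dump in this thread. */
    const uint8_t sector3[3] = {0x4b, 0x44, 0xbb}; /* from block 15 */
    const uint8_t others[3]  = {0x78, 0x77, 0x88}; /* e.g. block 63 */

    for (int b = 0; b < 3; b++)
        printf("block %d: C1C2C3=%d keyA read=%d keyB read=%d\n",
               12 + b, ac_bits(sector3, b),
               can_read(sector3, b, 'A'), can_read(sector3, b, 'B'));
    printf("other sectors, data block 0: keyA read=%d\n",
           can_read(others, 0, 'A'));
    return 0;
}
```

For `4b 44 bb`, blocks 12 and 13 decode to 011 (Key B only) and block 14 to 100 (either key), which matches the dump: block 14 is read with Key A and the next read fails.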

pollev commented 4 years ago

Regardless. It makes no sense that the tool just errors out and quits instead of trying the second key, which would just work... This fixes that.

OLivecode7 commented 4 months ago

I confirm this works on my practical case

Big thanks, @pollev