Open cefedrific opened 5 years ago
Hi,
I encountered the same error. I don't know why this happens but I do know what happens and how you can circumvent it:
Have a look at the following code (and ignore the printf statements I jammed in there for debugging): file: src/mfoc.c
// Try A key, auth() + read()
memcpy(mp.mpa.abtKey, t.sectors[i].KeyA, sizeof(t.sectors[i].KeyA));
int res;
fprintf(stdout, "Trying key A\n");
if ((res = nfc_initiator_mifare_cmd(r.pdi, MC_AUTH_A, block, &mp)) < 0) {
fprintf(stdout, "authfail\n");
if (res != NFC_EMFCAUTHFAIL) {
nfc_perror(r.pdi, "nfc_initiator_mifare_cmd");
goto error;
}
mf_configure(r.pdi);
mf_anticollision(t, r);
} else { // and Read
fprintf(stdout, "and read\n");
if ((res = nfc_initiator_mifare_cmd(r.pdi, MC_READ, block, &mp)) >= 0) {
fprintf(stdout, "read A ok\n");
fprintf(stdout, "Block %02d, type %c, key %012llx :", block, 'A', bytes_to_num(t.sectors[i].KeyA, 6));
print_hex(mp.mpd.abtData, 16);
mf_configure(r.pdi);
mf_select_tag(r.pdi, &(t.nt));
failure = false;
} else {
fprintf(stdout, "read A failed with err %d\n", res);
// Error, now try read() with B key
if (res != NFC_ERFTRANS) {
nfc_perror(r.pdi, "nfc_initiator_mifare_cmd");
//goto error; <------ COMMENT THIS LINE <------------
}
mf_configure(r.pdi);
mf_anticollision(t, r);
memcpy(mp.mpa.abtKey, t.sectors[i].KeyB, sizeof(t.sectors[i].KeyB));
fprintf(stdout, "Trying key B\n");
Basically it first attempts to authenticate with KEY A. which succeeds, it then tries to read with KEY A. Which fails with an AUTH error.
For some odd reason it does not fail with an auth error in the first check. Which trips up the application because it does not expect an auth error after that point.
Because of this it does not try with KEY B, which would have worked.
The solution that worked for me was to simply comment out the goto error;
, recompile, and everything worked perfectly.
Hope this helps someone else
It's no odd because KEY A has no read right. ACs bits are 4b 44 bb, so it behaves correctly. KEYA can auth but will not read the block 12/13.
Regardless. It makes no sense that the tool just errors out and quits instead of trying the second key, which would just work... This fixes that.
Hi,
I encountered the same error. I don't know why this happens but I do know what happens and how you can circumvent it:
Have a look at the following code (and ignore the printf statements I jammed in there for debugging): file: src/mfoc.c
// Try A key, auth() + read() memcpy(mp.mpa.abtKey, t.sectors[i].KeyA, sizeof(t.sectors[i].KeyA)); int res; fprintf(stdout, "Trying key A\n"); if ((res = nfc_initiator_mifare_cmd(r.pdi, MC_AUTH_A, block, &mp)) < 0) { fprintf(stdout, "authfail\n"); if (res != NFC_EMFCAUTHFAIL) { nfc_perror(r.pdi, "nfc_initiator_mifare_cmd"); goto error; } mf_configure(r.pdi); mf_anticollision(t, r); } else { // and Read fprintf(stdout, "and read\n"); if ((res = nfc_initiator_mifare_cmd(r.pdi, MC_READ, block, &mp)) >= 0) { fprintf(stdout, "read A ok\n"); fprintf(stdout, "Block %02d, type %c, key %012llx :", block, 'A', bytes_to_num(t.sectors[i].KeyA, 6)); print_hex(mp.mpd.abtData, 16); mf_configure(r.pdi); mf_select_tag(r.pdi, &(t.nt)); failure = false; } else { fprintf(stdout, "read A failed with err %d\n", res); // Error, now try read() with B key if (res != NFC_ERFTRANS) { nfc_perror(r.pdi, "nfc_initiator_mifare_cmd"); //goto error; <------ COMMENT THIS LINE <------------ } mf_configure(r.pdi); mf_anticollision(t, r); memcpy(mp.mpa.abtKey, t.sectors[i].KeyB, sizeof(t.sectors[i].KeyB)); fprintf(stdout, "Trying key B\n");
Basically it first attempts to authenticate with KEY A. which succeeds, it then tries to read with KEY A. Which fails with an AUTH error.
For some odd reason it does not fail with an auth error in the first check. Which trips up the application because it does not expect an auth error after that point.
Because of this it does not try with KEY B, which would have worked.
The solution that worked for me was to simply comment out the
goto error;
, recompile, and everything worked perfectly.Hope this helps someone else
I confirm this works on my practical case
Big Thanks @pollev pollev
hello all mfoc find me the three missing keys but do not create the dump
sudo mfoc -f key.txt -O test1.mfd [sudo] Mot de passe de ___ : The custom key 0x6c449f91af6b has been added to the default keys The custom key 0x07364b58ce42 has been added to the default keys The custom key 0x0419f24294b5 has been added to the default keys The custom key 0xb0b1b2b3b4b5 has been added to the default keys The custom key 0xa0a1a2a3a4a5 has been added to the default keys Found Mifare Classic 1k tag ISO/IEC 14443A (106 kbps) target: ATQA (SENS_RES): 04 00
SAK (SEL_RES): 08
Fingerprinting based on MIFARE type Identification Procedure: Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys... Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found [Key: 6c449f91af6b] -> [...............] [Key: 07364b58ce42] -> [..............] [Key: 0419f24294b5] -> [.\............] [Key: b0b1b2b3b4b5] -> [\\\\\\\\] [Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx] [Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx] [Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx] [Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx] [Key: 000000000000] -> [xxxxxxxxxxxxxxxx] [Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx] [Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx] [Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx] [Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx] [Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx] [Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx] [Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx] [Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx] [Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]
Sector 00 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 01 - Found Key A: a0a1a2a3a4a5 Found Key B: 07364b58ce42 Sector 02 - Found Key A: a0a1a2a3a4a5 Found Key B: 0419f24294b5 Sector 03 - Found Key A: a0a1a2a3a4a5 Found Key B: 6c449f91af6b Sector 04 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 05 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 06 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 07 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 08 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 09 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 10 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 11 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 12 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 13 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 14 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5 Sector 15 - Found Key A: a0a1a2a3a4a5 Found Key B: b0b1b2b3b4b5
We have all sectors encrypted with the default keys..
Auth with all sectors succeeded, dumping keys to a file! Block 63, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 62, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 60, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 59, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 58, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 57, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 56, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 55, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 54, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 53, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 52, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 51, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 50, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 49, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 48, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 47, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 46, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 45, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 44, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 43, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 42, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 41, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 40, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 39, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 38, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 37, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 36, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 35, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 34, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 33, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 32, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 31, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 30, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 29, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 28, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 27, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 26, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 25, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 24, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 23, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 22, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 21, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 20, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 19, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 18, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 17, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 16, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 15, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 4b 44 bb ea 00 00 00 00 00 00
Block 14, type A, key a0a1a2a3a4a5 :00 00 44 39 15 4a e4 00 00 00 00 00 4d 49 43 00
nfc_initiator_mifare_cmd: Mifare Authentication Failed
the file is created but it is empty would anyone have an idea to solve this problem?