Closed jason-phillips closed 4 years ago
vk496
commented
4 years ago Hello,
I tried to reproduce your problem without success (neither 1k or 4k cards).
Could you please share your dump (the correct one) and the full mfoc command you use (to replicate the access patterns with the same data).
Also, the output of nfc-list -v would be useful.
Salu2
jason-phillips
commented
4 years ago Hello,
Thank you for looking into this!
The output of nfc-list -v is :
$ nfc-list -v nfc-list uses libnfc 1.7.1 NFC device: ACS / ACR122U PICC Interface opened 0 ISO14443A passive target(s) found.
0 Felica (212 kbps) passive target(s) found.
0 Felica (424 kbps) passive target(s) found.
0 ISO14443B passive target(s) found.
0 ISO14443B' passive target(s) found.
0 ISO14443B-2 ST SRx passive target(s) found.
0 ISO14443B-2 ASK CTx passive target(s) found.
0 Jewel passive target(s) found.
Attached are two files, the full dump and the "fixed" dump which is the dump expected and verified from an android app dump.
The full command used to generate the dump was: ./mfoc -O ritz1.dmp
Thanks! Jason
On Sun, Dec 15, 2019 at 5:46 AM Valentin notifications@github.com wrote:
Hello,
I tried to reproduce your problem without success (neither 1k or 4k cards).
Could you please share your dump (the correct one) and the full mfoc command you use (to replicate the access patterns with the same data).
Also, the output of nfc-list -v would be useful.
Salu2
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/vk496/mfoc/issues/15?email_source=notifications&email_token=AMOAY2HD2Q6H47JOCFZIX2DQYYDH5A5CNFSM4J2XQBQ2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEG4WGRY#issuecomment-565797703, or unsubscribe https://github.com/notifications/unsubscribe-auth/AMOAY2F33ZL4VQGSTRS536LQYYDH5ANCNFSM4J2XQBQQ .
vk496
commented
4 years ago Answering by email will show the attached files. I think you need upload them through Github Web.
Also, the nfc-list -v should be done with the NFC tag and the reader.
Salu2
jason-phillips
commented
4 years ago Ah, my bad. Hopefully this works better. Attempting to attache files here. card-dumps.zip
Output with card:
$ nfc-list -v
nfc-list uses libnfc 1.7.1
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 42 d6 7c 6d
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
0 Felica (212 kbps) passive target(s) found.
0 Felica (424 kbps) passive target(s) found.
0 ISO14443B passive target(s) found.
0 ISO14443B' passive target(s) found.
0 ISO14443B-2 ST SRx passive target(s) found.
0 ISO14443B-2 ASK CTx passive target(s) found.
0 Jewel passive target(s) found.Hi,
The project moved to https://github.com/nfc-tools/mfoc-hardnested
If you feel that this problem should still be solved, reopen the issue there please. Thank you :)
When using the hardnested branch with a 1K mifare card, it successfully finds the keys, but the saved dump has zeroed the last block's access conditions. When copying the dump to a blank card, it results in zeroing the access conditions on the new card, making the last block of the card unrecoverable.
Command used: mfoc -O file.dmp
Last two blocks of the file.dmp: 0000:0380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0000:0390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0000:03A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0000:03B0 | 2A 2C 13 CC 24 2A FF 07 80 69 FF FF FF FF FF FF | ,.Ì$ÿ..iÿÿÿÿÿÿ 0000:03C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0000:03D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0000:03E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0000:03F0 | 2A 2C 13 CC 24 2A 00 00 00 00 FF FF FF FF FF FF | ,.Ì$....ÿÿÿÿÿÿ
Expected last line: 0000:03F0 | 2A 2C 13 CC 24 2A FF 07 80 69 FF FF FF FF FF FF | ,.Ì$ÿ..iÿÿÿÿÿÿ
As you can see the access conditions (FF 07 80 69) are zero'd out.
This has happened on multiple source cards