GeZhi Electronic Co.Ltd.

GeZhi Electronic Co.Ltd.

Products Category
Contact Us

Name: Michael
Tel: +86-13113330725
Fax: +86-13113330725
Mobile: +86-13113330725
E-mail: xfpga@hotmail.com
Add: JinKe industry DaShi PanYu District GuangZhou City China
MSN: xfpga@hotmail.com
Skype: gezhitech007
QQ: 1074079485
MSN: xfpga@hotmail.com SKYPE: gezhitech007 QQ: 1074079485

MIFARE Tag Operations with proxmark3

Author : xfpga Date : 2012-12-12 13:03:48

MIFARE Tag Operations with proxmark3

Operations can be executed from menu "hf 14a" or "hf mf"

proxmark3> hf 14a
help            
Display help
list            
List ISO 14443a history
reader          
Acts same as ISO14443 Type A reader
sim              
<UID> -- Fake ISO 14443a tag
snoop            
Eavesdrop ISO 14443 Type A


proxmark3
> hf mf
help            
This help
dbg              
Set default debug mode
rdbl            
Read MIFARE classic block
rdsc            
Read MIFARE classic sector
dump1k          
Dump MIFARE classic tag to binary file
restore1k        
Restore MIFARE classic binary file to BLANK tag
wrbl            
Write MIFARE classic block
chk              
Test block up to 8 keys
mifare          
Read parity error messages. param - <used card nonce>
nested          
Test nested authentication
sim              
Simulate MIFARE 1k card
eclr            
Clear simulator memory block
eget            
Get simulator memory block
eset            
Set simulator memory block
eload            
Load from file emul dump
esave            
Save to file emul dump
ecfill          
Fill simulator memory with help of keys from simulator
ekeyprn          
Print keys from simulator memory

Short MIFARE HOWTO I have placed here: MIFARE HOWTO

Command set 'hf 14a'

hf 14a list

It displays the log of communication between the card and either proxmark or reader in 'hf 14a snoop'

sample:

proxmark3> hf mf rdbl 0 a ffffffffffff
--block no:00 key type:00 key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk
:01 data:e6 84 87 f3 16 88 04 00 46 8e 45 55 4d 70 41 04

proxmark3
> hf 14a list
recorded activity
:
 ETU    
:rssi: who bytes
---------+----+----+-----------
 
+      0:    :     52
 
+    236:   0: TAG 04  00
 
+      0:    :     93  20
 
+    452:   0: TAG e6  84  87  f3  16
 
+      0:    :     93  70  e6  84  87  f3  16  5e  35
 
+    308:   0: TAG 08  b6  dd
 
+      0:    :     60  00  f5  7b
 
+    428:   0: TAG 11  67  0f  29
 
+      0:    :     62  c6  da  97  5a  07  ab  21     !crc
 
+    380:   0: TAG eb! 31  34! 96!
 
+      0:    :     e0  08  2b  d1     !crc
 
+   1396:   0: TAG c4! 33! 62! 23! 46! 3d  6d  60  38  22! 04! b0  b8  82! 05 e0! 80  fe!    !crc
 
+      0:    :     40  48  02  fd     !crc

hf 14a reader

It employs anticollision and reads several parameters from the card

sample:

proxmark3> hf 14a reader
ATQA
: 04 00
 UID
: e6 84 87 f3 00 00 00 00 00 00 00 00
 SAK
: 08 [2]
 SAK
: MIFARE CLASSIC 1K
proprietary non
-iso14443a card found, RATS not supported

hf 14a sim

Simulator up to end of anticollision state of the card.

hf 14a snoop

It sniffs communication between the card and the reader.

sample of reading card from another reader:

  • anticollision
  • select
  • authenticate sector 1 with key A and key ffffffffffff
  • read block 4 (<09090909090909090909090909090909>)
  • halt
proxmark3> hf 14a snoop
#db# cancelled_a
#db# 4 0 4
#db# 20 af 7f
proxmark3
> hf 14a list
recorded activity
:
 ETU    
:rssi: who bytes
---------+----+----+-----------
 
+      0:   0: TAG 04  00
 
+    920:    :     93  20
 
+     64:   0: TAG e6  84  87  f3  16
 
+   1792:    :     93  70  e6  84  87  f3  16  5e  35
 
+     64:   0: TAG 08  b6  dd
 
+ 666066:    :     60  04  d1  3d
 
+    112:   0: TAG 5c  22  92  7f
 
+    977:    :     3b  7c  58  2b  07  32  e7  e9     !crc
 
+     65:   0: TAG 76  b5! 82  f7!
 
+ 713540:    :     d5  c1  1c  d9     !crc
 
+     72:   0: TAG 49  12! b4! ee! 88  ed  f5! ae  00  93  f1  20! 39  eb  e5
58! 9f  c8     !crc
 
+1639720:    :     7f  7d  5f  07     !crc

Command set 'hf mf'

hf mf dbg

It sets debug level of commands in "hf mf" menu.

debug levels:

  • 0 - no debug messages
  • 1 - error messages
  • 2 - all messages
  • 4 - extended debug mode

Level 1 or 0 is recommended. With advanced debugging, some commands may work abnormally (because of the time required to print debug message).

hf mf rdbl

It reads block from a mifare card.

hf mf rdbl <block number> <key A/B> <key (12 hex symbols)>

  • block number must be between 0x00 and 0xFF
  • key must be either 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
  • key must be 12 hex symbols (for example: FFFFFFFFFFFF)

Command to read block 0 from mifare card with authentication params: key A, key FFFFFFFFFFFF:

correct execution

proxmark3> hf mf rdbl 0 a ffffffffffff
--block no:00 key type:00 key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk
:01 data:e6 84 87 f3 16 88 04 00 46 8e 45 55 4d 70 41 04

'isOk:01' - the command is executed correctly 'data:...' - block data

incorrect execution

proxmark3> hf mf rdbl 0 a ffffffffffff
--block no:00 key type:00 key:ff ff ff ff ff ff
#db# Can't select card
#db# READ BLOCK FINISHED
isOk
:00

'Can't select card' - text error.

'isOk:00' - the command is not executed.

hf mf rdsc

It reads sector from a mifare card.

hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>

  • sector number must be between 0x00 and 0x3F
  • key must be 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
  • key must be 12 hex symbols (for example: FFFFFFFFFFFF)

Command to read sector 0 from mifare card with authentication params: key A, key FFFFFFFFFFFF:

correct execution

proxmark3> hf mf rdsc 0 a ffffffffffff
--sector no:00 key type:00 key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED

isOk
:01
data
:e6 84 87 f3 16 88 04 00 46 8e 45 55 4d 70 41 04
data
:02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02

data
:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data
:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

'isOk:01' - the command is executed correctly.

'data:...' - sector data. blocks 0-4 of sector.

incorrect execution

proxmark3> hf mf rdsc 0 a ffffffffffff
--sector no:00 key type:00 key:ff ff ff ff ff ff
#db# Can't select card
#db# READ SECTOR FINISHED

isOk
:00

'Can't select card' - text error.

'isOk:00' the command is not executed.

hf mf wrbl

It writes block onto mifare card.

hf mf wrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>

  • block number must be between 0x00 and 0xFF
  • key must be 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
  • key must be 12 hex symbols (8 bytes) (for example: FFFFFFFFFFFF)
  • block data must be 32 hex symbols (16 bytes) (for example: FFFFFFFFFFFF)
Do not try to write into the sector trailers unless you know what you are doing!!!

 

It may damage the card!

 

correct execution

proxmark3> hf mf wrbl 4 a ffffffffffff 01010101010101010101010101010101
--block no:04 key type:00 key:ff ff ff ff ff ff
--data: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
#db# WRITE BLOCK FINISHED
isOk
:01

'isOk:01' - the command is executed correctly.

After that, I have issued the read command to check:

proxmark3> hf mf rdbl 4 a ffffffffffff
--block no:04 key type:00 key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk
:01 data:01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01

incorrect execution

proxmark3> hf mf wrbl 0 a ffffffffffff 01010101010101010101010101010101
--block no:00 key type:00 key:ff ff ff ff ff ff
--data: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
#db# Can't select card
#db# WRITE BLOCK FINISHED
isOk
:00

'Can't select card' - text error.

'isOk:00' the command is not executed.

 

hf mf chk

It checks several keys (up to 8) in specific card sector.

hf mf chk <block number> <key A/B> [<key (12 hex symbols)>]

  • block number must be between 0x00 and 0xFF
  • key type must be either 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
  • key must be 12 hex symbols (8 bytes) (for example: FFFFFFFFFFFF)
sample:

 

 proxmark3> hf mf chk 0 A FFFFFFFFFFFF a0a1a2a3a4a5 b0b1b2b3b4b5
--block no:00 key type:00 key count:3
isOk
:01 valid key:ffffffffffff

'isOk:01' - the command is executed correctly.

'valid key' - the correct key

hf mf mifare

It implements mifare "darkside" attack.

hf mf mifare [wrong Nt]

  • wrong Nt - it dont use this Nt to collect statistical information.

It is recommended that if 'hf mf mifare' found wrong key then run hf mf mifare <Nt>, where Nt - from previous run of the command.

After executing of the attack it tests key. If it found an invalid key it prints "Found invalid key. ( Nt=XXXXXXXX".

example of a correct execution:

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. It may take up to 30 min.
Press the key on proxmark3 device to abort proxmark3.
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
.....#db#
 COMMAND mifare FINISHED


isOk
:01


uid
(e68487f3) nt(ec49e598) par(2c4c3c24d44c6c4c) ks(0b0f060f0c0f0100)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| b |  e  |0,0,1,1,0,1,0,0|
| 20 |00000020| f |  a  |0,0,1,1,0,0,1,0|
| 40 |00000040| 6 |  3  |0,0,1,1,1,1,0,0|
| 60 |00000060| f |  a  |0,0,1,0,0,1,0,0|
| 80 |00000080| c |  9  |0,0,1,0,1,0,1,1|
| a0 |000000a0| f |  a  |0,0,1,1,0,0,1,0|
| c0 |000000c0| 1 |  4  |0,0,1,1,0,1,1,0|
| e0 |000000e0| 0 |  5  |0,0,1,1,0,0,1,0|
------------------------------------------------------------------
Key found:63590b680000

Found invalid key. ( Nt=ec49e598
proxmark3
> hf mf mifare ec49e598
-------------------------------------------------------------------------
Executing command. It may take up to 30 min.
Press the key on proxmark3 device to abort proxmark3.
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
...................................................

isOk
:01


uid
(e68487f3) nt(d993ca31) par(2c4ce424d44c6c84) ks(0b0f0e0f0c0f0108)


|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| b |  e  |0,0,1,1,0,1,0,0|
| 20 |00000020| f |  a  |0,0,1,1,0,0,1,0|
| 40 |00000040| e |  b  |0,0,1,0,0,1,1,1|
| 60 |00000060| f |  a  |0,0,1,0,0,1,0,0|
| 80 |00000080| c |  9  |0,0,1,0,1,0,1,1|
| a0 |000000a0| f |  a  |0,0,1,1,0,0,1,0|
| c0 |000000c0| 1 |  4  |0,0,1,1,0,1,1,0|
| e0 |000000e0| 8 |  d  |0,0,1,0,0,0,0,1|
#db# COMMAND mifare FINISHED
------------------------------------------------------------------
Key found:ffffffffffff

Found valid key:ffffffffffff

Result is ok).

hf mf nested

It implements mifare "nested authentication" attack. It needs to know at least one sector key to use it.

There are 2 main modes:

  • all sectors attack.

Firstly it tries public keys for all sector, then makes nested attack and then tests the keys. It makes up to 10 attempts to attack one sector. You can cpecify a block number and it calculates offset from the beginning of the sector (block shift) and attacks all the rest sectors with this offset.hf mf nested <card memory> <block number> <key A/B> <key (12 hex symbols)> [t]

  • one sector attack. It attacks only one sector. It intends to use for testing if card can be broken via this attack.

hf mf nested o <block number> <key A/B> <key (12 hex symbols)> <target block number> <target key A/B> [t]

Where:

  • Card memory: 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K
  • block number must be between 0x00 and 0xFF
  • key type must be either 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
  • key must be 12 hex symbols (8 bytes) (for example: FFFFFFFFFFFF)
  • target block number must be between 0x00 and 0xFF
  • target key type must be either 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
  • t - transfer keys into emulator memory. Fills the emulator memory with extracted keys.

Example of one sector attack:

proxmark3> hf mf nested o 0 a ffffffffffff 4 a
--block no:00 key type:00 key:ff ff ff ff ff ff  etrans:0
--target block no:04 target key type:00

..uid:e68487f3 len=5 trgbl=4 trgkey=0
uid
:e68487f3 len=1 trgbl=4 trgkey=0
uid
:e68487f3 len=5 trgbl=4 trgkey=0
uid
:e68487f3 len=1 trgbl=4 trgkey=0
uid
:e68487f3 len=2 trgbl=4 trgkey=0
uid
:e68487f3 len=5 trgbl=4 trgkey=0
uid
:e68487f3 len=3 trgbl=4 trgkey=0
uid
:e68487f3 len=2 trgbl=4 trgkey=0
------------------------------------------------------------------
Total keys count:1657647
cnt
=0 key= 31 09 f5 fe af ff
cnt
=1 key= ff ff ff ff ff ff
cnt
=2 key= 8c 9b fa 2f dd ff
cnt
=3 key= 0e a7 5a ff ff ff
cnt
=4 key= 11 c4 ff 7e dd ff
cnt
=5 key= ad 1a 73 7f dd ff
cnt
=6 key= f1 59 f0 2c 63 c2
cnt
=7 key= 63 74 f0 2c 2f 15
cnt
=8 key= 88 60 f0 2c da e8
cnt
=9 key= e0 b5 f0 2c 15 60
cnt
=10 key= ec 0f f0 2d 2d 74
cnt
=11 key= ec b9 f0 2b fb 6a
cnt
=12 key= 2c b3 f0 2d 50 20
cnt
=13 key= e1 ed f0 2b fb 4a
cnt
=14 key= c7 e1 f0 2b f1 ea
cnt
=15 key= ab 80 f0 2b c5 ec
Found valid key:ffffffffffff

Example of all sectors attack:

proxmark3> hf mf nested 1 0 a ffffffffffff
--block no:00 key type:00 key:ff ff ff ff ff ff  etrans:0
Block shift=0
Testing known keys. Sector count=16
nested
...
Iterations count: 0
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|

 

hf mf sim

It simulates MIFARE classic tag. Tag contents is stored into the emulator memory and can be read and written by the following commands.

hf mf sim <UID 8 hex digits>

  • 4 byte UID if specified - replaces UID that is stored into the emulator memory. However, the replacement doesn't get loaded into the memory.

hf mf eclr

It fills the memory of emulator of a blank MIFARE 1K card with default (0xFFFFFFFFFFFF) keys.

hf mf eget

It gets blocks from the card emulator dump.

hf mf eget <block number>

  • block number must be between 0x00 and 0x63

Example of use:

proxmark3> hf mf eget 0

data
[0]:e6 84 87 f3 16 88 04 00 46 8e 45 55 4d 70 41 04
data
[1]:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data
[2]:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

hf mf eset

It sets block in the card emulator dump.

hf mf eset <block number> <block data (32 hex symbols)>

  • block number must be between 0x00 and 0x63
  • block data - '000102030405060708090a0b0c0d0e0f'

Example of use:

proxmark3> hf mf eset 1 000102030405060708090a0b0c0d0e0f

Just to make sure:

proxmark3> hf mf eget 0

data
[0]:e6 84 87 f3 16 88 04 00 46 8e 45 55 4d 70 41 04
data
[1]:00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
data
[2]:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

hf mf eload

It loads dump to the card emulator memory.

hf mf eload <file name>

  • file name without '.eml' extension.

hf mf esave

It saves dump from the card emulator memory.

hf mf esave <file name>

  • file name without '.eml' extension. If the file name is empty, the file name will be
the first 7 bytes in hex from emulator memory. (UID location).

hf mf ecfill

It fills the memory of MIFARE card emulator. It uses keys from the emulator memory (to view the keys: 'hf mf ekeyprn')

hf mf efill <key A/B>

  • key must be 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')

hf mf ekeyprn

It prints keys from the emulator memory (MIFARE classic 1K).

proxmark3> hf mf ekeyprn
|---|----------------|----------------|
|sec|key A           |key B           |
|---|----------------|----------------|
|000|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|001|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|002|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|003|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|004|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|005|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|006|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|007|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|008|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|009|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|010|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|011|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|012|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|013|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|014|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|015|  f0f0f0f0f0f0  |  f0f0f0f0f0f0  |
|---|----------------|----------------|