Re: Mifare Classic Offline Cracker

Hello,

valentijn wrote:

So I started hacking around in MFOC and was able to filter out most of the problems.

Nice, what was the problem?

valentijn wrote:

So I have only two questions: are there any volunteers with crashing ACR122U207 readers out there?

I have some ACR122U102 and one ACR122U206, I can test... BTW, I didn't have these problems before.

valentijn wrote:

And where should I send the source?

You can create an issue on the issue tracker and submit your patch(es) or you can directly send it to me.

Romuald Conty

Re: Mifare Classic Offline Cracker

The problem seemed to be that (some versions of) the ACR122 crash when, after

if (!nfc_initiator_transceive_bits(r.pdi, AuthEnc, 32, AuthEncPar,Rx, &RxLen, RxPar)) {

, there is no communication with the reader while

for (m = d->median-d->tolerance; m <= d->median+d->tolerance; m +=2) {

is running. This also explains why setting the "distance" option (-T) low helps mfoc to continue (See remarks at http://www.libnfc.org/community/topic/2 … ng-mfoc/).
I don't know what causes this, and why some ACR122's are affected and some (notably: yours) are not; but putting the

nfc_configure(pdi,NDO_HANDLE_CRC,true);
nfc_configure(pdi,NDO_HANDLE_PARITY,true);

code inside mf_enhanced_auth() did the trick. Some of the folks at http://www.ov-chipkaart.org/?page_id=24 already tested this and so far, it seems to work well (it does for me).
The patch so far is rather intrusive, as I removed all calls to mf_configure to replace them with individual nfc_configure() calls. This doesn't always work out well: sometimes, resetting the CRC or parity handling at the end of mf_enhanced_auth still fails - and will stop mfoc. Also, my current mfoc.c code is a mess, with commented-out printf() and sleep() calls all over the place.
As a stop gap, for those that do have the problem, there's a link to the hacked up source code at my blog (I won't repeat it here, see above links). I'll fix the minor issues in a few days, clean up the source; then I'll file a proper bug and put a (proper, cleaned up) patch in the issue tracker.

53 (edited by Baquinjam Palas 2011-07-30 10:52:59)

Re: Mifare Classic Offline Cracker

It's difficult if SMS are stored in the phone's memory, but not impossible. If they are in your SIM card it's easier.

I only know for Nokia phones (Symbian):

http://84productions.blogspot.com/2008/ … nokia.html

http://www.securityfocus.com/archive/1/468652/30/

If SMS are stored in your SIM card, it's possible to do it with this tool:

http://vidstrom.net/stools/undeletesms/

You'll need a SIM smartcard reader to connect it to your PC.

Regards.

Re: Mifare Classic Offline Cracker

Hi. I've posted this before but I realized it was in the wrong topic, so I deleted from the other topic to post here.

I have one SCL3711 dongle and I'm having issues. I'm quite upset about that because I can't make it work. When I run nfc-list everything looks normal, like this:

nfc-list uses libnfc 1.5.1 (rexported)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): 2c  4d  cf  88  
      SAK (SEL_RES): 08

But when I run mfoc I get the error:

wender@ubuntu:~$ mfoc -O try1.mfd
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 2c  4d  cf  88  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on ATQA & SAK values:
* Mifare Classic 1K
* Mifare Plus (4-byte UID) 2K SL1
* SmartMX with Mifare 1K emulation
[Key: ffffffffffff] -> [................]
[Key: 000000000000] -> [................]

Sector 00 -  UNKNOWN_KEY [A]  Sector 00 -  UNKNOWN_KEY [b]  
Sector 01 -  UNKNOWN_KEY [A]  Sector 01 -  UNKNOWN_KEY [b]  
Sector 02 -  UNKNOWN_KEY [A]  Sector 02 -  UNKNOWN_KEY [b]  
Sector 03 -  UNKNOWN_KEY [A]  Sector 03 -  UNKNOWN_KEY [b]  
Sector 04 -  UNKNOWN_KEY [A]  Sector 04 -  UNKNOWN_KEY [b]  
Sector 05 -  UNKNOWN_KEY [A]  Sector 05 -  UNKNOWN_KEY [b]  
Sector 06 -  UNKNOWN_KEY [A]  Sector 06 -  UNKNOWN_KEY [b]  
Sector 07 -  UNKNOWN_KEY [A]  Sector 07 -  UNKNOWN_KEY [b]  
Sector 08 -  UNKNOWN_KEY [A]  Sector 08 -  UNKNOWN_KEY [b]  
Sector 09 -  UNKNOWN_KEY [A]  Sector 09 -  UNKNOWN_KEY [b]  
Sector 10 -  UNKNOWN_KEY [A]  Sector 10 -  UNKNOWN_KEY [b]  
Sector 11 -  UNKNOWN_KEY [A]  Sector 11 -  UNKNOWN_KEY [b]  
Sector 12 -  UNKNOWN_KEY [A]  Sector 12 -  UNKNOWN_KEY [b]  
Sector 13 -  UNKNOWN_KEY [A]  Sector 13 -  UNKNOWN_KEY [b]  
Sector 14 -  UNKNOWN_KEY [A]  Sector 14 -  UNKNOWN_KEY [b]  
Sector 15 -  UNKNOWN_KEY [A]  Sector 15 -  UNKNOWN_KEY [b]  
mfoc: ERROR: 

No sector encrypted with the default key has been found, exiting..

Guys, please help me. I tried to reinstall everything, even Ubuntu, to try again from zero, but nothing changes. I'm using Ubuntu 11.10 via Wubi, amd64, libnfc 1.5.1, mfoc 0.10.2 (Thomas Hood's package, because I can't compile from the nfc-tools source).

I tried the http://www.openpcd.org/Live live CD with the same results. Is this a libnfc issue, an mfoc issue or the SCL3711? I read that this dongle is very good and compatible, but it doesn't seem to work and I'm very disappointed. Plus, my Linux skills are limited.

What can I do?
Thanks

Re: Mifare Classic Offline Cracker

Nobody? Please guys, help me on this. I realized that this problem is not only in mfoc. I mean, when I tried to do a dump from one RFID card using nfc-mfclassic I got:

wender@ubuntu:~/Downloads/mfoc-0.10.2$ nfc-mfclassic r dump.mfd keys.mfd
Connected to NFC reader: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
Found MIFARE Classic card:
    ATQA (SENS_RES): 00  04 
       UID (NFCID1): 2c  4d  cf  88 
      SAK (SEL_RES): 08 
Guessing size: seems to be a 1024-byte card
Reading out 64 blocks |nfc_initiator_transceive_bytes: Mifare Authentication Error
nfc_initiator_transceive_bytes: Mifare Authentication Error
nfc_initiator_transceive_bytes: Mifare Authentication Error
nfc_initiator_transceive_bytes: Mifare Authentication Error
nfc_initiator_transceive_bytes: Mifare Authentication Error
nfc_initiator_transceive_bytes: Mifare Authentication Error
nfc_initiator_transceive_bytes: Mifare Authentication Error
nfc_initiator_transceive_bytes: Mifare Authentication Error
nfc_initiator_transceive_bytes: Mifare Authentication Error
!
Error: authentication failed for block 0x3f

It seems neither program can recover the keys. I'm out of ideas. Please help!
Thanks.

Re: Mifare Classic Offline Cracker

I have the same problem here... Using Ubuntu 11.10, ACR122U102 and mfoc 0.10.3.
But the thing is: I already made a dump from this card some time ago and now I can't make another dump... ¬¬

running nfc-list:

nfc-list uses libnfc 1.5.1 (rexported)
pn53x_check_communication: Operation timed-out
Connected to NFC device: ACS ACR122U 00 00 / ACR122U102 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): eb  f4  61  20  
      SAK (SEL_RES): 08 

running mfoc -P 50 -T 30 -O mycard.mfd:

    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): eb  f4  61  20  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on ATQA & SAK values:
* Mifare Classic 1K
* Mifare Plus (4-byte UID) 2K SL1
* SmartMX with Mifare 1K emulation
[Key: ffffffffffff] -> [................]
[Key: 000000000000] -> [................]

Sector 00 -  UNKNOWN_KEY [A]  Sector 00 -  UNKNOWN_KEY [b]  
Sector 01 -  UNKNOWN_KEY [A]  Sector 01 -  UNKNOWN_KEY [b]  
Sector 02 -  UNKNOWN_KEY [A]  Sector 02 -  UNKNOWN_KEY [b]  
Sector 03 -  UNKNOWN_KEY [A]  Sector 03 -  UNKNOWN_KEY [b]  
Sector 04 -  UNKNOWN_KEY [A]  Sector 04 -  UNKNOWN_KEY [b]  
Sector 05 -  UNKNOWN_KEY [A]  Sector 05 -  UNKNOWN_KEY [b]  
Sector 06 -  UNKNOWN_KEY [A]  Sector 06 -  UNKNOWN_KEY [b]  
Sector 07 -  UNKNOWN_KEY [A]  Sector 07 -  UNKNOWN_KEY [b]  
Sector 08 -  UNKNOWN_KEY [A]  Sector 08 -  UNKNOWN_KEY [b]  
Sector 09 -  UNKNOWN_KEY [A]  Sector 09 -  UNKNOWN_KEY [b]  
Sector 10 -  UNKNOWN_KEY [A]  Sector 10 -  UNKNOWN_KEY [b]  
Sector 11 -  UNKNOWN_KEY [A]  Sector 11 -  UNKNOWN_KEY [b]  
Sector 12 -  UNKNOWN_KEY [A]  Sector 12 -  UNKNOWN_KEY [b]  
Sector 13 -  UNKNOWN_KEY [A]  Sector 13 -  UNKNOWN_KEY [b]  
Sector 14 -  UNKNOWN_KEY [A]  Sector 14 -  UNKNOWN_KEY [b]  
Sector 15 -  UNKNOWN_KEY [A]  Sector 15 -  UNKNOWN_KEY [b]  
mfoc: ERROR: 

No sector encrypted with the default key has been found, exiting... 

Any idea?

Re: Mifare Classic Offline Cracker

cmd_k, at least you could make 1 dump. :-|
Maybe it's hardware, I'm not sure.

Re: Mifare Classic Offline Cracker

Hi,

MFOC is totally clear: it can't recover your keys. MFOC needs to know at least one sector's key to recover the others.

MFCUK could give more results... but that's far from sure...

Note: Mifare Authentication Errors are normal since it tries multiple keys and the MIFARE Classic denies them.

Romuald Conty

Re: Mifare Classic Offline Cracker

I have a question. I managed to dump a card with mfoc with an OpenPCD 2 on a Raspberry. It takes very long.
Is there a way to dump a second card with the keys of the first card in no time?

I'm looking for a way to demonstrate the Mifare weakness in facility security.
Is it possible to dump a card by touching it, or must the attacker have access to the card for 1-2 min (1 h on the Raspberry)?

Re: Mifare Classic Offline Cracker

Hello,
Did anybody try MFOC against a Mifare emulated with a mobile phone?

I have to crack an emulated Mifare Classic, but after more than 100 probes no key comes out. I have 10 sectors encrypted with default keys and others with private keys, so I have more than 1 sector to be used as an exploit sector.
I am using MFOC 0.10.6 with an SCL3711 and libnfc 1.7.0-rc7.

I captured the traffic between the reader and the mobile phone, and the difference between the answer of a card and the phone is that the phone sometimes uses APDUs to send data. However these data are correctly received at the application layer (by MFOC). Any idea of what could be the problem? Timing due to the different type of command received?

Thanks, bye.

Re: Mifare Classic Offline Cracker

MFOC always returns error:
> mfoc: ERROR: only Mifare Classic is supported

I am using an ACR-122U and mfoc-0.10.7

When I run nfc-list, I get:
> nfc-list uses libnfc 1.6.0-rc1 (r)
> NFC device: ACS / ACR122U PICC Interface opened

In openSUSE, the Device Info for the ACR-122U reads as:
USB Version: 1.01
Vendor ID: 0x72f (Advanced Card Systems, Ltd)
Product ID: 0x2200
Revision: 0.00

This is a Mifare 4K card (a blank) and I have also tried others that are not blank.
I have installed a few different OS flavors (openSUSE 12.3, 13.1, the BackTrack build, and am getting ready to download Fedora).

Is it that these ACR-122u devices are just not the thing to use???

Re: Mifare Classic Offline Cracker

Hi,

nfc-list has to find your tag for MFOC to work properly.

You may have a problem with your setup.

Romuald Conty

Re: Mifare Classic Offline Cracker

Hi,
When launching mfoc on my 1K Mifare card, I'm getting the following error. The device (ACR122U) is disabled after the error and I need to re-attach it to the PC.

[LIBNFC-1.7.1,MFOC-0.10.2-PCSCdriver]

pi@raspberrypi ~ $ sudo mfoc -P 500 -O dump1
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): -- -- -- --
      SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [//..............]
[Key: d3f7d3f7d3f7] -> [//..............]
[Key: 000000000000] -> [//..............]
[Key: b0b1b2b3b4b5] -> [//..............]
[Key: 4d3a99c351dd] -> [//..............]
[Key: 1a982c7e459a] -> [//..............]
[Key: aabbccddeeff] -> [//..............]
[Key: 714c5c886e97] -> [//..............]
[Key: 587ee5f9350f] -> [//..............]
[Key: a0478cc39091] -> [//..............]
[Key: 533cb6c723f6] -> [//..............]
[Key: 8fd0a4f256e9] -> [//..............]

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  UNKNOWN_KEY [b]
Sector 01 -  FOUND_KEY   [A]  Sector 01 -  UNKNOWN_KEY [b]
Sector 02 -  UNKNOWN_KEY [A]  Sector 02 -  UNKNOWN_KEY [b]
Sector 03 -  UNKNOWN_KEY [A]  Sector 03 -  UNKNOWN_KEY [b]
Sector 04 -  UNKNOWN_KEY [A]  Sector 04 -  UNKNOWN_KEY [b]
Sector 05 -  UNKNOWN_KEY [A]  Sector 05 -  UNKNOWN_KEY [b]
Sector 06 -  UNKNOWN_KEY [A]  Sector 06 -  UNKNOWN_KEY [b]
Sector 07 -  UNKNOWN_KEY [A]  Sector 07 -  UNKNOWN_KEY [b]
Sector 08 -  UNKNOWN_KEY [A]  Sector 08 -  UNKNOWN_KEY [b]
Sector 09 -  UNKNOWN_KEY [A]  Sector 09 -  UNKNOWN_KEY [b]
Sector 10 -  UNKNOWN_KEY [A]  Sector 10 -  UNKNOWN_KEY [b]
Sector 11 -  UNKNOWN_KEY [A]  Sector 11 -  UNKNOWN_KEY [b]
Sector 12 -  UNKNOWN_KEY [A]  Sector 12 -  UNKNOWN_KEY [b]
Sector 13 -  UNKNOWN_KEY [A]  Sector 13 -  UNKNOWN_KEY [b]
Sector 14 -  UNKNOWN_KEY [A]  Sector 14 -  UNKNOWN_KEY [b]
Sector 15 -  UNKNOWN_KEY [A]  Sector 15 -  UNKNOWN_KEY [b]


Using sector 00 as an exploit sector
nfc_initiator_init: Input / Output Error
Sector: 2, type A, probe 0, distance 21821

It seems I can't find a proper fix for this.
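Two points in this thread are easy to misread from the raw output: Romuald's remark that MFOC needs at least one sector key before it can do anything, and the symbol legend ('.', '/', '\', 'x') of the default-key probe table, which mfoc prints cumulatively, so a key is only credited to a sector the first time that sector's symbol changes. The following is an added example, not code from the thread or from mfoc or libnfc: a small audit script that parses a run like the one quoted above and reports which sectors still answer to well-known default keys (the ones a card issuer should re-key) and whether the "no sector encrypted with the default key" precondition is met. The sample output is constructed to mirror the format shown in the thread; the function and field names are this example's own.

```python
import re
from typing import Dict, Optional

# Constructed sample of mfoc's default-key probe output, mirroring the format
# quoted in the thread. Sectors 0 and 1 answer to a0a1a2a3a4a5 for key A and
# sector 8 answers to 000000000000 for both keys. The per-sector summary is
# abbreviated to the sectors of interest; a real run lists all of them.
SAMPLE_OUTPUT = """\
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [//..............]
[Key: d3f7d3f7d3f7] -> [//..............]
[Key: 000000000000] -> [//......x.......]

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  UNKNOWN_KEY [b]
Sector 01 -  FOUND_KEY   [A]  Sector 01 -  UNKNOWN_KEY [b]
Sector 08 -  FOUND_KEY   [A]  Sector 08 -  FOUND_KEY   [b]
"""

KEY_LINE = re.compile(r"^\[Key: ([0-9a-fA-F]{12})\] -> \[([./\\x]+)\]$")
SUMMARY_LINE = re.compile(
    r"^Sector (\d+) -\s+(FOUND_KEY|UNKNOWN_KEY)\s+\[A\]\s+"
    r"Sector \d+ -\s+(FOUND_KEY|UNKNOWN_KEY)\s+\[b\]$"
)

# Which key slots each legend symbol marks as found.
SYMBOL_SLOTS = {".": (), "/": ("A",), "\\": ("B",), "x": ("A", "B")}


def parse_key_table(text: str) -> Dict[int, Dict[str, Optional[str]]]:
    """Attribute each probed key to the sector/slot it opened.

    mfoc prints the sector map cumulatively: once a slot is marked found it
    stays marked on every later line, so a key is credited to a slot only
    the first time that slot's symbol appears.
    """
    found: Dict[int, Dict[str, Optional[str]]] = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if not m:
            continue
        key, symbols = m.group(1).lower(), m.group(2)
        for sector, sym in enumerate(symbols):
            slots = found.setdefault(sector, {"A": None, "B": None})
            for slot in SYMBOL_SLOTS[sym]:
                if slots[slot] is None:
                    slots[slot] = key
    return found


def parse_summary(text: str) -> Dict[int, Dict[str, bool]]:
    """Read the 'Sector NN - FOUND_KEY [A] ...' lines into per-slot booleans."""
    summary: Dict[int, Dict[str, bool]] = {}
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line.strip())
        if m:
            summary[int(m.group(1))] = {
                "A": m.group(2) == "FOUND_KEY",
                "B": m.group(3) == "FOUND_KEY",
            }
    return summary


def audit(text: str) -> dict:
    """Summarise what a probe run says about the card.

    default_key_sectors: sectors that answered to a key from mfoc's built-in
        list, i.e. the ones still protected by a well-known default key.
    has_exploit_sector: MFOC's precondition from the thread; when False the
        tool stops with 'No sector encrypted with the default key has been found'.
    inconsistent: sectors where the key table and the summary disagree, a
        sign the captured output was truncated or garbled.
    """
    table = parse_key_table(text)
    summary = parse_summary(text)
    default_key_sectors = sorted(
        s for s, slots in table.items() if slots["A"] or slots["B"]
    )
    inconsistent = sorted(
        s for s, flags in summary.items()
        if s in table and (
            (table[s]["A"] is not None) != flags["A"]
            or (table[s]["B"] is not None) != flags["B"]
        )
    )
    return {
        "sectors_probed": len(table),
        "default_key_sectors": default_key_sectors,
        "keys_by_sector": {s: table[s] for s in default_key_sectors},
        "has_exploit_sector": bool(default_key_sectors),
        "inconsistent": inconsistent,
    }


if __name__ == "__main__":
    for field, value in audit(SAMPLE_OUTPUT).items():
        print(f"{field}: {value}")
```

Feeding it the output of a real run (for instance `mfoc ... 2>&1 | tee run.log` and then `audit(open("run.log").read())`) gives an inventory of which sectors are still on factory keys; a card with an empty `default_key_sectors` list is exactly the case wender and cmd_k hit above, where MFOC has no sector to start from.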

Re: Mifare Classic Offline Cracker

hello
again, long time after war...

have you blacklisted the pn533 and nfc drivers?

and delete the pcscd daemon in /etc/init.d/

reboot and try.

Re: Mifare Classic Offline Cracker

Friend, I'm with the same problem: it says there is no key in the sector, but when I put another card it works normally. I'm using Ubuntu 4.14 LTS, libnfc 1.6.0, mfoc 0.10.6 (ACR122U).
There is a version compiled for Windows in which the same card gives the same message, but the other works the same way.

Does anyone have any idea?