Topic: The end of MFOC/MFCUK?

Hi guys!
I read recently that NXP fixed the predictable Random Number Generator bug that permits MFOC/MFCUK to "guess" the missing keys of a Mifare Classic tag. I can't get any key for a vending machine sticker, which is a Mifare Classic Mini 0.3k tag.

Here is the MFOC log:

Found Mifare Classic Mini tag
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): fb  fe  d8  c2  
      SAK (SEL_RES): 09  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Mini 0.3K
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [.....]
[Key: a0a1a2a3a4a5] -> [/////]
[Key: d3f7d3f7d3f7] -> [/////]
[Key: 000000000000] -> [/////]
[Key: b0b1b2b3b4b5] -> [x////]
[Key: 4d3a99c351dd] -> [x////]
[Key: 1a982c7e459a] -> [x////]
[Key: aabbccddeeff] -> [x////]
[Key: 714c5c886e97] -> [x////]
[Key: 587ee5f9350f] -> [x////]
[Key: a0478cc39091] -> [x////]
[Key: 533cb6c723f6] -> [x////]
[Key: 8fd0a4f256e9] -> [x////]

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  FOUND_KEY   [b]  
Sector 01 -  FOUND_KEY   [A]  Sector 01 -  UNKNOWN_KEY [b]  
Sector 02 -  FOUND_KEY   [A]  Sector 02 -  UNKNOWN_KEY [b]  
Sector 03 -  FOUND_KEY   [A]  Sector 03 -  UNKNOWN_KEY [b]  
Sector 04 -  FOUND_KEY   [A]  Sector 04 -  UNKNOWN_KEY [b]  


Using sector 00 as an exploit sector
Sector: 1, type B, probe 0, distance 38058 .....
Sector: 1, type B, probe 1, distance 40305 .....
Sector: 1, type B, probe 2, distance 27859 .....
Sector: 1, type B, probe 3, distance 19829 .....
Sector: 1, type B, probe 4, distance 50182 .....
Sector: 1, type B, probe 5, distance 26397 .....
Sector: 1, type B, probe 6, distance 36859 .....
Sector: 1, type B, probe 7, distance 37274 .....
Sector: 1, type B, probe 8, distance 39084 .....
Sector: 1, type B, probe 9, distance 37392 .....
Sector: 1, type B, probe 10, distance 44825 .....
...
Infinite probes

Note that the distance is very high. I also tried MFCUK for 24h, but without any result...

I'm running MFOC 0.10.7, MFCUK 0.3.8 and libnfc 1.7.1 with an ACR122U reader on a Kali Linux live USB key.

Any ideas?

Re: The end of MFOC/MFCUK?

I found a paper which talks about my new kind of "Hardened" Mifare Classic cards and the fixed PRNG:

cs.ru. nl/ ~rverdult/Ciphertext-only_Cryptanalysis_on_Hardened_Mifare_Classic_Cards-CCS_2015.pdf

(remove blank spaces as I can't post links)

Re: The end of MFOC/MFCUK?

Try this : github. com/ aczid/ crypto1_bs (remove spaces)

It's a new implementation of the hardnested attack that works for the new "Hardened" Mifare Classic cards.
It was originally developed for Proxmark hardware, but there is also a libnfc implementation.

Re: The end of MFOC/MFCUK?

@khaliloo: How can I implement this new hardnested attack on my Kali Linux? Could you explain to me how to do it step by step?

Re: The end of MFOC/MFCUK?

Just clone the sources and build.