Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

To me, if you compile mfoc with keys, you save a lot of time.
I don't use mfcuk now, because it is very heavy.
Nevertheless, mfoc takes only one minute!!

developing the future!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi Andrei,

Thanks for the great tool - I've been testing it over the weekend while I've been working on libnfc, and I've got a couple of comments for your next release...

You've got two sections between "TEST" comments where you disconnect and re-connect in case the reader "hangs"... I don't think you need these - I took them out of my version and it's run hundreds of times without a problem...

Having said that, you need to be careful to disconnect after use with USB devices such as the PN531 or PN533, as they will be left in an unusable state (and will hang on the next connection) if your program exits without disconnecting. For this reason you may want to try and trap Ctrl-C and do a cleanup before exiting... If you want to try it with USB devices, get the latest SVN revision (currently r235), which supports them quite reliably.
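Adam's advice above (release the USB reader on every exit path, including Ctrl-C) as an added example; this is not mfcuk's or libnfc's code, and the reader handle with its open/close functions is a hypothetical stand-in for the library's connect/disconnect calls. The pattern is what matters: the signal handler only sets a `sig_atomic_t` flag, the work loop polls that flag between transactions, and a single idempotent close is reachable both from the normal path and from an `atexit` hook, so the reader is released exactly once whichever way the program ends.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a libnfc device handle (assumption: this is not
 * the real libnfc API). In real code is_open would wrap the library's
 * connect/disconnect calls. */
typedef struct {
    int is_open;
    int close_calls;   /* how many times the device was actually released */
} reader_t;

static reader_t g_dev;                    /* one reader, as mfcuk uses */
static volatile sig_atomic_t g_stop = 0;  /* written only by the handler */

/* Async-signal-safe: nothing but a store to a sig_atomic_t. No I/O, no
 * library calls, no disconnect from inside the handler. */
static void on_sigint(int sig) { (void)sig; g_stop = 1; }

int stop_requested(void)     { return g_stop != 0; }
int reader_is_open(void)     { return g_dev.is_open; }
int reader_close_count(void) { return g_dev.close_calls; }

/* Returns 0 on success, -1 if already open. */
int reader_open(void) {
    if (g_dev.is_open) return -1;
    g_dev.is_open = 1;
    return 0;
}

/* Idempotent: returns 1 when it actually released the device, 0 otherwise,
 * so calling it from both the normal path and atexit is harmless. */
int reader_close(void) {
    if (!g_dev.is_open) return 0;
    g_dev.is_open = 0;
    g_dev.close_calls++;
    return 1;
}

static void cleanup_at_exit(void) { reader_close(); }

/* Install the SIGINT handler and the exit hook; returns 0 on success.
 * SA_RESTART is deliberately not set so that a blocking read on the reader
 * returns EINTR and the loop gets a chance to observe the flag. */
int install_cleanup(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigint;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGINT, &sa, NULL) != 0) return -1;
    return atexit(cleanup_at_exit);
}

/* Work loop: one transaction with the card per iteration (elided here).
 * Checks the stop flag between transactions, never mid-transaction, and
 * releases the reader explicitly on the normal path. Returns the number of
 * completed iterations. */
int run_loop(int max_iters) {
    int i;
    for (i = 0; i < max_iters && !g_stop; i++) {
        /* authentication attempt / data exchange with the card goes here */
    }
    reader_close();
    return i;
}

int main(void) {
    if (reader_open() != 0 || install_cleanup() != 0) return 1;
    int done = run_loop(1000000);
    printf("%s after %d transactions, reader %s\n",
           stop_requested() ? "interrupted" : "finished", done,
           reader_is_open() ? "still open" : "closed");
    return 0;
}
```

Pressing Ctrl-C while the loop runs ends it after the current transaction and prints "interrupted ... reader closed"; if the program instead dies through `exit()` anywhere else, the `atexit` hook performs the same close, and the second call on an already closed reader is a no-op.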

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

adam@algroup.co.uk wrote:

Hi Andrei,

Thanks for the great tool - I've been testing it over the weekend while I've been working on libnfc, and I've got a couple of comments for your next release...

[MM], I am glad to see that it is a useful tool and that the community can benefit from it and push it further.
BTW, thanks for the tweets as well.

adam@algroup.co.uk wrote:

You've got two sections between "TEST" comments where you disconnect and re-connect in case the reader "hangs"... I don't think you need these - I took them out of my version and it's run hundreds of times without a problem...

Having said that, you need to be careful to disconnect after use with USB devices such as the PN531 or PN533, as they will be left in an unusable state (and will hang on the next connection) if your program exits without disconnecting. For this reason you may want to try and trap Ctrl-C and do a cleanup before exiting... If you want to try it with USB devices, get the latest SVN revision (currently r235), which supports them quite reliably.

I've taken note of these comments and will incorporate them in future releases (there are talks of integrating MFOC from nethemba with the DarkSide tool; maybe MICMD will jump into the toolkit).

The current priority for me is a PoC for Mifare Classic SoftTag full emulation:
http://code.google.com/p/tk-libnfc-crap … gEmulation

Appreciate everyone's comments and feedback!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hello,

I've had problems compiling under Fedora 12. Could somebody help me? Details can be found here: http://code.google.com/p/tk-libnfc-crap … etail?id=3

I think it's due to a recent version of libnfc...

Thank you!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

I solved the problem after compiling libnfc-1.2.1 from source and removing libnfc-1.3.1 fedora package. By the way, minor tweaks should be done in order to make it compile under Fedora 12.


Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Is there a libnfc-1.3.1 version of this app available?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

The last revision (r34) from SVN is up to date with the latest libnfc release.


Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

wachutunai wrote:

The last revision (r34) from SVN is up to date with the latest libnfc release.

All Google Code links here return 403. Has this project moved to another location?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Me too... I can't access http://code.google.com/p/tk-libnfc-crapto1/. Anything wrong?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Project moved to http://code.google.com/p/mfcuk/

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hello,

I have downloaded the latest version of the Key Recovery Tool. I am trying to use the precompiled binaries on Win XP Prof.
I have installed the latest version of libusb for windows.

I have an ACR122U-WB-R.

I place a Mifare Classic 1K on it. Key A for sector 0 is 0xFFFFFFFFFFFF.

So I start the program with mfcuk_keyrecovery_darkside_win32.exe -V 0:A:FFFFFFFFFFFF

Then the screen prints:


MFCUK - MiFare Classic Universal toolKit - 0.1
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com


INFO: Connected to NFC reader: ACR122U203 - PN532 v1.4 (0x07)


VERIFY:
    Key A sectors: 0 ERROR: tag was removed or cannot be selected
ERROR: AUTH sector 0, block 3, key ffffffffffff, key-type 0x60, error code 0x00
1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

RECOVER:  0 1 2 3 4 5 6 7 8 9 a b c d e f




What am I doing wrong?

Thank you very much for your help - Thanks a lot

Best regards

Ela1983

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi Ela, I just downloaded and built mfcuk and had the same problem.  I got it working by commenting out the call to nfc_initiator_select_tag at mfcuk_keyrecovery_darkside.c:1464-1467.  This is the failing call, and if you take a look you'll note that nfc_initiator_select_tag has already been called successfully by mfcuk_darkside_select_tag, which is itself called from line 1337 (nice line number too!).  This gets the verify command to work, and seems to also allow key recovery to run.  I haven't had a chance to investigate this further to determine the underlying reason for the two calls to nfc_initiator_select_tag.

- Eric

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Is there any way to use this tool with an Omnikey Cardman 5321?

I'm only interested in the key, not a dump of the data. The key is stored on our reader, and as far as I can tell there is no way to recover it from the reader. So we would like to extract the key from one of the cards, because you can update the Cardman's keys (so we're actually interested in duplicating the reader, not the card).

(edited by Sly 2010-07-15 14:18:37)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi, I did a build of MFCUK from the SVN trunk and it compiled fine on Linux x64 (Ubuntu 10.04) with libnfc 1.3.4.

Odd problem though: when trying to do anything I get:

MFCUK - MiFare Classic Universal toolKit - 0.1
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com

WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_skgt.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_ratb.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_oyster.mfd'
Segmentation fault

I'm guessing there's just something wrong with the directory, or I need some files? I really don't know; there's not a lot of documentation surrounding MFCUK usage. If anyone could give a simple explanation of MFCUK usage, or of the darkside attack in general (is it the same as the exploit used by MFOC?), it would be cool, thanks.

---- some time later....

My bad, I didn't know you need to run MFCUK inside the /src/bin directory to be able to use the files specified above; as I did a make install, I typically ran it from the root directory of the trunk.

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Did anyone succeed in recovering a key from an Infineon made Mifare Classic 1K card? (They go by the name of SLE 66R35.) Although I can control the timing of the commands after power-up quite well (I verified this with an oscilloscope), the nonces sent by the card still differ. It seems as if Infineon has implemented the random number generator differently (and better) than NXP.
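The observation above (nonces that keep changing even when the command timing after power-up is controlled) comes down to the card's nonce generator. For NXP Mifare Classic, Garcia et al. ("Dismantling MIFARE Classic", 2008) document it as a 16-bit LFSR with feedback polynomial x^16 + x^14 + x^13 + x^11 + 1: a 32-bit nonce is just 32 successive output bits, so it carries only 16 bits of state and its upper half is a function of its lower half. The following is an added example, not code from the original post nor from mfcuk or crapto1; the bit ordering, the function names and the nonce bit layout are this example's own conventions. It shows the register's period and a consistency check that tells whether a captured nonce could have come from the weak generator at all, which is the test a card assessor would use to separate a card with the weak generator from one, like the Infineon part described, whose nonces do not fit it.

```c
#include <stdint.h>
#include <stdio.h>

/* One clock of the 16-bit Fibonacci LFSR. Tap positions 0, 2, 3, 5 are the
 * exponents 16-16, 16-14, 16-13, 16-11 of x^16 + x^14 + x^13 + x^11 + 1
 * mapped onto a right-shifting register (this example's own convention;
 * the characteristic polynomial is the reciprocal, which is also primitive). */
uint16_t lfsr16_clock(uint16_t s) {
    uint16_t fb = (uint16_t)((s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u);
    return (uint16_t)((s >> 1) | (fb << 15));
}

/* A nonce is 32 successive output bits. Bit i of the nonce is the output
 * after i clocks, so the low 16 bits equal the starting state and the high
 * 16 bits are fully determined by them: only 2^16 nonces can ever occur. */
uint32_t nonce_from_state(uint16_t s) {
    uint32_t n = 0;
    for (int i = 0; i < 32; i++) {
        n |= (uint32_t)(s & 1u) << i;
        s = lfsr16_clock(s);
    }
    return n;
}

/* Number of clocks until the register returns to the seed: 65535 for any
 * non-zero seed (maximal period), 1 for the all-zero fixed point. The guard
 * only protects against a non-primitive polynomial being substituted. */
uint32_t lfsr16_period(uint16_t seed) {
    uint16_t s = seed;
    uint32_t count = 0;
    do {
        s = lfsr16_clock(s);
        count++;
    } while (s != seed && count < 70000u);
    return count;
}

/* Consistency check: regenerate the nonce from its low 16 bits and compare.
 * A nonce that fails cannot have come from this generator, which is what a
 * card with a different (better) RNG looks like from the outside. */
int nonce_fits_lfsr16(uint32_t n) {
    return nonce_from_state((uint16_t)(n & 0xFFFFu)) == n;
}

int main(void) {
    /* Constructed seeds for the demonstration; not values read from a card. */
    uint16_t seeds[] = { 0x0001u, 0x1234u, 0xBEEFu };
    for (int i = 0; i < 3; i++) {
        uint32_t n = nonce_from_state(seeds[i]);
        printf("state %04x -> nonce %08x, fits weak generator: %s\n",
               seeds[i], n, nonce_fits_lfsr16(n) ? "yes" : "no");
    }
    printf("period from seed 0x0001: %u\n", lfsr16_period(0x0001u));
    /* Any 32-bit value whose upper half is independent of the lower half
     * (for instance, the same nonce with one high bit flipped) fails. */
    printf("tampered nonce fits: %s\n",
           nonce_fits_lfsr16(nonce_from_state(0x1234u) ^ 0x80000000u) ? "yes" : "no");
    return 0;
}
```

The defensive reading of the numbers: a generator with 16 bits of state, a fixed period of 65535 clocks and a fully deterministic upper half is what makes the nonce predictable from timing alone; a card whose nonces fail `nonce_fits_lfsr16` is not using this generator, and neither controlling the power-up timing nor any number of auth attempts will make its nonces repeat the way the NXP ones do.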

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hello, I've got a touchatag reader and I'm trying to get the key of a Mifare 1K card. I've done it with one card and it worked OK, but with the card I'm trying now I don't get any result. I've been running the program for almost a day. The program is in verbose mode and this is what it's saying:

-----------------------------------------------------
Let me entertain you!
    uid: 736c335e
   type: 08
    key: 000000000000
  block: 1f
diff Nt: 60421
  auths: 173644
-----------------------------------------------------

Why am I getting no result?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Can you try reading the tag with the default keys?

developing the future!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi dudux, I think the reader works OK. I've already read other tags and I've been able to recover the key of one tag using mfcuk and mfoc. The problem is that specific tag: mfcuk doesn't recover the key; it has been calculating for hours and still gets no result.

Thanks for your answer.

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Is anyone using this with a non-ACR122 reader?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

sargun wrote:

Is anyone using this with a non-ACR122 reader?

Yes, why this question?

Romuald Conty

(edited by ZYx 2011-02-12 19:23:16)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi. First of all, since this is my first post, I would like to thank the developers involved in all these great tools. Awesome work, seriously. Also, I apologize for my broken English; I'll try to do my best.

OK, now to business. I recently (a week ago or so) ordered a Touchatag and started playing with it. After having some trouble trying to install libnfc+mfcuk (version incompatibilities, OS-related problems, etc.), I finally managed to do it "almost" without errors with the help of posts from this forum. There was just a warning when compiling mfcuk about "some constant being too big for type long" or something like that, which I fixed (I think) by adding the "ULL" suffix to the constant (it is the initialization of a uint64_t variable).

Anyway, after changing <key>ifDriverOptions<key> from 0x0000 to 0x0004 everything seems to work: nfc-list shows the reader and tag info, pcsc_scan also works, and pcscd doesn't show any errors. The "configuration" I have is:

Ubuntu 10.04 (in 10.10 I can't make it work)
libnfc-1.3.4
libccid-1.3.11-1
pcscd-1.5.3
mfcuk r37

and here are the responses to some commands:

nfc-list:

Connected to NFC reader: ACS ACR122U PICC Interface 00 00 / ACR122U102 - PN532 v1.4 (0x07)

The following (NFC) ISO14443A tag was found:

    ATQA (SENS_RES): 00  04  
       UID (NFCID1): 7e  c5  0a  00  
      SAK (SEL_RES): 08

pcsc_scan:

PC/SC device scanner
V 1.4.16 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.5.3
Scanning present readers...
0: ACS ACR122U PICC Interface 00 00

Sat Feb 12 04:34:44 2011
 Reader 0: ACS ACR122U PICC Interface 00 00
  Card state: Card inserted, 
  ATR: 3B BE 95 00 00 41 03 00 00 00 00 00 00 00 00 00 02 90 00

ATR: 3B BE 95 00 00 41 03 00 00 00 00 00 00 00 00 00 02 90 00
+ TS = 3B --> Direct Convention
+ T0 = BE, Y(1): 1011, K: 14 (historical bytes)
  TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
    125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TD(1) = 00 --> Y(i+1) = 0000, Protocol T = 0 
-----
+ Historical bytes: 41 03 00 00 00 00 00 00 00 00 00 02 90 00
  Category indicator byte: 41 (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B BE 95 00 00 41 03 00 00 00 00 00 00 00 00 00 02 90 00
    touchatag SAM card

pcscd -fd before connecting reader:

00000000 debuglog.c:224:DebugLogSetLevel() debug level=debug
00000529 pcscdaemon.c:505:main() pcsc-lite 1.5.3 daemon ready.
00497871 hotplug_libusb.c:403:HPEstablishUSBNotifications() Driver ifd-ccid.bundle does not support IFD_GENERATE_HOTPLUG. Using active polling instead.
00000031 hotplug_libusb.c:412:HPEstablishUSBNotifications() Polling forced every 1 second(s)

and after connecting the reader:

71241780 hotplug_libusb.c:477:HPAddHotPluggable() Adding USB device: 005:003
00000041 readerfactory.c:1024:RFInitializeReader() Attempting startup of ACS ACR122U PICC Interface 00 00 using /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
00000234 readerfactory.c:877:RFBindFunctions() Loading IFD Handler 3.0
00000060 ifdhandler.c:1532:init_driver() Driver version: 1.3.11
00000546 ifdhandler.c:1545:init_driver() LogLevel: 0x0003
00000465 ifdhandler.c:1565:init_driver() DriverOptions: 0x0004
00000022 ifdhandler.c:82:IFDHCreateChannelByName() lun: 0, device: usb:072f/2200:libusb:005:003
00001446 ccid_usb.c:285:OpenUSBByName() Manufacturer: Ludovic Rousseau (ludovic.rousseau@free.fr)
00000459 ccid_usb.c:295:OpenUSBByName() ProductString: Generic CCID driver
00000443 ccid_usb.c:301:OpenUSBByName() Copyright: This driver is protected by terms of the GNU Lesser General Public License version 2.1, or (at your option) any later version.
00049734 ccid_usb.c:501:OpenUSBByName() Found Vendor/Product: 072F/2200 (ACS ACR122U PICC Interface)
00000015 ccid_usb.c:503:OpenUSBByName() Using USB bus/device: 005/003
00000007 ccid_usb.c:852:ccid_check_firmware() Firmware (1.00) is bogus! but you choosed to use it
00003061 ccid_usb.c:893:get_data_rates() IFD does not support GET_DATA_RATES request: Success
00004982 ifdhandler.c:364:IFDHGetCapabilities() tag: 0xFB0, usb:072f/2200:libusb:005:003 (lun: 0)
00000015 readerfactory.c:249:RFAddReader() Using the pcscd polling thread
00002087 ifdhandler.c:364:IFDHGetCapabilities() tag: 0xFAE, usb:072f/2200:libusb:005:003 (lun: 0)
00000010 ifdhandler.c:418:IFDHGetCapabilities() Reader supports 1 slot(s)
00003962 ifdhandler.c:1043:IFDHPowerICC() action: PowerUp, usb:072f/2200:libusb:005:003 (lun: 0)
00051003 Card ATR: 3B BE 95 00 00 41 03 00 00 00 00 00 00 00 00 00 02 90 00

Next step, I decided to try recovering the keys from an NXP Mifare Classic 1K card (lsnfc confirms it).

lsnfc:

device = ACS ACR122U PICC Interface 00 00 / ACR122U102 - PN532 v1.4 (0x07)
  ISO14443A: NXP MIFARE Classic 1K (UID=7ec50a00)
1 tag(s) have been found.

with mfcuk, by doing:

mfcuk_keyrecovery_darkside -C -v 2 -R 1 -M 8

and it "seems" to work. It doesn't display any errors and the LED blinks, indicating some operation is being done, but the thing is that it has been running for 9 hours and still can't recover any key. Here is the output of the command:

MFCUK - MiFare Classic Universal toolKit - 0.1
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com


INFO: Connected to NFC reader: ACS ACR122U PICC Interface 00 00 / ACR122U102 - PN532 v1.4 (0x07)



INITIAL ACTIONS MATRIX - UID 7e c5 0a 00 - TYPE 0x08 (MC1K)
---------------------------------------------------------------------
Sector    |    Key A    |ACTS | RESL    |    Key B    |ACTS | RESL
---------------------------------------------------------------------
0    |  000000000000    | . . | . .    |  000000000000    | . . | . .
1    |  000000000000    | . R | . .    |  000000000000    | . R | . .
2    |  000000000000    | . . | . .    |  000000000000    | . . | . .
3    |  000000000000    | . . | . .    |  000000000000    | . . | . .
4    |  000000000000    | . . | . .    |  000000000000    | . . | . .
5    |  000000000000    | . . | . .    |  000000000000    | . . | . .
6    |  000000000000    | . . | . .    |  000000000000    | . . | . .
7    |  000000000000    | . . | . .    |  000000000000    | . . | . .
8    |  000000000000    | . . | . .    |  000000000000    | . . | . .
9    |  000000000000    | . . | . .    |  000000000000    | . . | . .
10    |  000000000000    | . . | . .    |  000000000000    | . . | . .
11    |  000000000000    | . . | . .    |  000000000000    | . . | . .
12    |  000000000000    | . . | . .    |  000000000000    | . . | . .
13    |  000000000000    | . . | . .    |  000000000000    | . . | . .
14    |  000000000000    | . . | . .    |  000000000000    | . . | . .
15    |  000000000000    | . . | . .    |  000000000000    | . . | . .


VERIFY: 
    Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f


ACTION RESULTS MATRIX AFTER VERIFY - UID 7e c5 0a 00 - TYPE 0x08 (MC1K)
---------------------------------------------------------------------
Sector    |    Key A    |ACTS | RESL    |    Key B    |ACTS | RESL
---------------------------------------------------------------------
0    |  000000000000    | . . | . .    |  000000000000    | . . | . .
1    |  000000000000    | . R | . .    |  000000000000    | . R | . .
2    |  000000000000    | . . | . .    |  000000000000    | . . | . .
3    |  000000000000    | . . | . .    |  000000000000    | . . | . .
4    |  000000000000    | . . | . .    |  000000000000    | . . | . .
5    |  000000000000    | . . | . .    |  000000000000    | . . | . .
6    |  000000000000    | . . | . .    |  000000000000    | . . | . .
7    |  000000000000    | . . | . .    |  000000000000    | . . | . .
8    |  000000000000    | . . | . .    |  000000000000    | . . | . .
9    |  000000000000    | . . | . .    |  000000000000    | . . | . .
10    |  000000000000    | . . | . .    |  000000000000    | . . | . .
11    |  000000000000    | . . | . .    |  000000000000    | . . | . .
12    |  000000000000    | . . | . .    |  000000000000    | . . | . .
13    |  000000000000    | . . | . .    |  000000000000    | . . | . .
14    |  000000000000    | . . | . .    |  000000000000    | . . | . .
15    |  000000000000    | . . | . .    |  000000000000    | . . | . .


RECOVER:  0 1

and waiting...

I have pcscd running with -fd to see what happens over there. This is what it shows when mfcuk_keyrecovery_darkside is launched:

winscard_msg_srv.c:239:SHMProcessEventsServer() Common channel packet arrival
winscard_msg_srv.c:248:SHMProcessEventsServer() SHMProcessCommonChannelRequest detects: 6
pcscdaemon.c:147:SVCServiceRunLoop() A new context thread creation is requested: 6
winscard_svc.c:133:ContextThread() Thread is started: 6
winscard_msg_srv.c:317:SHMProcessEventsContext() command CMD_VERSION received by client 6
winscard_svc.c:189:ContextThread() Client is protocol version 3:0
winscard_msg_srv.c:317:SHMProcessEventsContext() command ESTABLISH_CONTEXT received by client 6
winscard.c:242:SCardEstablishContext() Establishing Context: 17034273
winscard_msg_srv.c:317:SHMProcessEventsContext() command RELEASE_CONTEXT received by client 6
winscard.c:253:SCardReleaseContext() Releasing Context: 17034273
winscard_msg_srv.c:306:SHMProcessEventsContext() Client has disappeared: 6
winscard_svc.c:146:ContextThread() Client die: 6
winscard_msg_srv.c:239:SHMProcessEventsServer() Common channel packet arrival
winscard_msg_srv.c:248:SHMProcessEventsServer() SHMProcessCommonChannelRequest detects: 6
pcscdaemon.c:147:SVCServiceRunLoop() A new context thread creation is requested: 6
winscard_svc.c:133:ContextThread() Thread is started: 6
winscard_msg_srv.c:317:SHMProcessEventsContext() command CMD_VERSION received by client 6
winscard_svc.c:189:ContextThread() Client is protocol version 3:0
winscard_msg_srv.c:317:SHMProcessEventsContext() command ESTABLISH_CONTEXT received by client 6
winscard.c:242:SCardEstablishContext() Establishing Context: 16989034
winscard_msg_srv.c:317:SHMProcessEventsContext() command CONNECT received by client 6
winscard.c:303:SCardConnect() Attempting Connect to ACS ACR122U PICC Interface 00 00 using protocol: 3
prothandler.c:128:PHSetProtocol() Attempting PTS to T=0
ifdhandler.c:581:IFDHSetProtocolParameters() protocol T=0, usb:072f/2200:libusb:005:003 (lun: 0)
winscard.c:449:SCardConnect() Active Protocol: T=0
winscard.c:459:SCardConnect() hCard Identity: 118cb
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command DISCONNECT received by client 6
winscard.c:880:SCardDisconnect() Active Contexts: -1
winscard_msg_srv.c:317:SHMProcessEventsContext() command RELEASE_CONTEXT received by client 6
winscard.c:253:SCardReleaseContext() Releasing Context: 16989034
winscard_msg_srv.c:239:SHMProcessEventsServer() Common channel packet arrival
winscard_msg_srv.c:248:SHMProcessEventsServer() SHMProcessCommonChannelRequest detects: 7
pcscdaemon.c:147:SVCServiceRunLoop() A new context thread creation is requested: 7
winscard_svc.c:133:ContextThread() Thread is started: 7
winscard_msg_srv.c:317:SHMProcessEventsContext() command CMD_VERSION received by client 7
winscard_svc.c:189:ContextThread() Client is protocol version 3:0
winscard_msg_srv.c:317:SHMProcessEventsContext() command ESTABLISH_CONTEXT received by client 7
winscard.c:242:SCardEstablishContext() Establishing Context: 17015746
winscard_msg_srv.c:317:SHMProcessEventsContext() command RELEASE_CONTEXT received by client 7
winscard.c:253:SCardReleaseContext() Releasing Context: 17015746
winscard_msg_srv.c:239:SHMProcessEventsServer() Common channel packet arrival
winscard_msg_srv.c:248:SHMProcessEventsServer() SHMProcessCommonChannelRequest detects: 8
pcscdaemon.c:147:SVCServiceRunLoop() A new context thread creation is requested: 8
winscard_msg_srv.c:306:SHMProcessEventsContext() Client has disappeared: 7
winscard_svc.c:146:ContextThread() Client die: 7
winscard_svc.c:133:ContextThread() Thread is started: 8
winscard_msg_srv.c:317:SHMProcessEventsContext() command CMD_VERSION received by client 8
winscard_svc.c:189:ContextThread() Client is protocol version 3:0
winscard_msg_srv.c:317:SHMProcessEventsContext() command ESTABLISH_CONTEXT received by client 8
winscard_msg_srv.c:306:SHMProcessEventsContext() Client has disappeared: 6
winscard_svc.c:146:ContextThread() Client die: 6
winscard.c:242:SCardEstablishContext() Establishing Context: 16977423
winscard_msg_srv.c:317:SHMProcessEventsContext() command CONNECT received by client 8
winscard.c:303:SCardConnect() Attempting Connect to ACS ACR122U PICC Interface 00 00 using protocol: 3
winscard.c:449:SCardConnect() Active Protocol: T=0
winscard.c:459:SCardConnect() hCard Identity: 1fa6e
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT received by client 8
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 8
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 8
winscard.c:1647:SCardTransmit() Send Protocol: T=0
ifdhandler.c:1170:IFDHTransmitToICC() usb:072f/2200:libusb:005:003 (lun: 0)

and it repeats over and over very fast...


I tried to identify the meaning of the lines to see if it was REALLY doing something or not, but honestly I don't know where to look. The three lines that repeat a lot I suppose are related to the actual sending/reading of information between tag and reader, but what I find strange are the (what I think are) reconnections that occur several times during the process (these are easily visible because the client number changes; also, in the beginning, something "strange" about a client disappearing happens), without any pattern (at least I can't see any).

I believe that something is not functioning properly, but I have no idea where to start. So any help, tip, commentary, command responses from someone who achieved results so I can compare, anything, will be really appreciated.

Thanks in advance, and sorry for the length of the post, but I wanted to be as clear as possible.
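As an added example (not code from the thread, mfcuk or libnfc): a small summariser for pcscd debug output of the kind pasted above, grouping the events by client id so that context churn and "Client has disappeared" events stand out from the APDU traffic. The line format is assumed from the lines in the post, and the sample log is a constructed excerpt modelled on them.

```python
import re
from collections import Counter, OrderedDict

# pcscd debug lines look like "<file>:<line>:<func>() <message>" (format assumed from the post)
LINE_RE = re.compile(r'^(?P<file>[\w.]+):(?P<line>\d+):(?P<func>\w+)\(\)\s+(?P<msg>.*)$')
CMD_RE = re.compile(r'command (?P<cmd>\w+) received by client (?P<client>\d+)')
GONE_RE = re.compile(r'Client has disappeared: (?P<client>\d+)')

# Constructed excerpt modelled on the poster's log: client 6 transmits and tears down,
# client 7 only establishes and releases a context, client 8 reconnects to the reader.
SAMPLE_LOG = """\
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 6
winscard.c:1647:SCardTransmit() Send Protocol: T=0
winscard_msg_srv.c:317:SHMProcessEventsContext() command DISCONNECT received by client 6
winscard_msg_srv.c:317:SHMProcessEventsContext() command RELEASE_CONTEXT received by client 6
winscard_msg_srv.c:317:SHMProcessEventsContext() command ESTABLISH_CONTEXT received by client 7
winscard_msg_srv.c:317:SHMProcessEventsContext() command RELEASE_CONTEXT received by client 7
winscard_msg_srv.c:306:SHMProcessEventsContext() Client has disappeared: 7
winscard_msg_srv.c:317:SHMProcessEventsContext() command ESTABLISH_CONTEXT received by client 8
winscard_msg_srv.c:306:SHMProcessEventsContext() Client has disappeared: 6
winscard_msg_srv.c:317:SHMProcessEventsContext() command CONNECT received by client 8
winscard.c:303:SCardConnect() Attempting Connect to ACS ACR122U PICC Interface 00 00 using protocol: 3
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT received by client 8
winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT_EXTENDED received by client 8
"""

def summarize_pcscd_log(text):
    """Per-client command counts, plus the client ids pcscd reports as disappeared."""
    clients, gone = OrderedDict(), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate non-pcscd lines mixed into a forum paste
        cmd, lost = CMD_RE.search(m.group('msg')), GONE_RE.search(m.group('msg'))
        if cmd:
            clients.setdefault(int(cmd.group('client')), Counter())[cmd.group('cmd')] += 1
        elif lost:
            gone.append(int(lost.group('client')))
    return {'clients': clients, 'gone': gone}

def transmits_per_client(summary):
    """APDU traffic per client; zero means that client never talked to the card."""
    return {cid: cmds['TRANSMIT'] + cmds['TRANSMIT_EXTENDED']
            for cid, cmds in summary['clients'].items()}

def idle_clients(summary):
    """Clients that set up and tore down a context without CONNECTing or transmitting
    (client 7 above): the context churn the post describes as reconnections."""
    return [cid for cid, n in transmits_per_client(summary).items()
            if n == 0 and summary['clients'][cid]['CONNECT'] == 0]
```

Running it over a full pcscd log shows whether the tool is genuinely exchanging APDUs with the card (non-zero traffic per client) or mostly creating and dropping contexts.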

47 (edited by Belial 2011-02-22 20:27:38)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

I have successfully compiled r2 for Windows using libnfc-1.3.3. I'm using XP Pro/7 with an ACR122U206. Performance seems to be a lot better under XP when it comes to timings and hitting the same nonces repeatedly.

Running some tests on cards from various manufacturers let me discover a really odd card.

It's a Mifare Classic 1K, and it seems to never respond with NAK (at least it didn't after over 250k authentications). It's susceptible to nonce fixation, so I don't suppose it's a Mifare Plus, which I've also tested to see if its RNG really is improved (it is, no repeated nonces after over 15k authentications).

I know the program works fine because I've recovered keys from both a 1K and 4K card from other manufacturers.

Has anyone else encountered such a card?

I'm also having trouble with one of those cards that always respond with NAK. Mfcuk gets through Stage 2 of the attack quite often, but never succeeds in recovering the key. Has anyone encountered this problem? Is it an issue with mfcuk or with crapto?

48

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Is there a libnfc 1.4.x version of some "Dark Side" tool available?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

No, but you could provide me a patch and I'll merge it into mfcuk upstream.

To be able to upgrade the code, use:
http://code.google.com/p/libnfc/source/ … trunk/NEWS

All changes are explained.

I hope it helps.

Romuald Conty

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi ZYx,

I'm having the same issues with an SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07). I haven't tried my touchatag reader, yet. Did you get this working? Otherwise, any advice?

mfcuk_keyrecovery_darkside -C -R 1 -v 2

just runs forever.

Thanks!

Max