Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

I'm also having the same issue, also with an SCL3711.

$ ./lsnfc
device = SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
UID=e41cc2a2
Several possible matches:
* NXP MIFARE Classic 1k
* NXP MIFARE Plus 1k
1 tag(s) on device.

mfcuk_keyrecovery_darkside seems to run forever (I stopped it after 24 hours):

$ ./mfcuk_keyrecovery_darkside -C -R 0 -M 8 -v 2
mfcuk - 0.3.2
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com


INFO: Connected to NFC reader: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)



INITIAL ACTIONS MATRIX - UID e2 a5 8a 17 - TYPE 0x08 (MC1K)
---------------------------------------------------------------------
Sector  |    Key A      |ACTS | RESL    |    Key B      |ACTS | RESL
---------------------------------------------------------------------
0       |  000000000000 | . R | . .     |  000000000000 | . R | . .
1       |  000000000000 | . . | . .     |  000000000000 | . . | . .
2       |  000000000000 | . . | . .     |  000000000000 | . . | . .
3       |  000000000000 | . . | . .     |  000000000000 | . . | . .
4       |  000000000000 | . . | . .     |  000000000000 | . . | . .
5       |  000000000000 | . . | . .     |  000000000000 | . . | . .
6       |  000000000000 | . . | . .     |  000000000000 | . . | . .
7       |  000000000000 | . . | . .     |  000000000000 | . . | . .
8       |  000000000000 | . . | . .     |  000000000000 | . . | . .
9       |  000000000000 | . . | . .     |  000000000000 | . . | . .
10      |  000000000000 | . . | . .     |  000000000000 | . . | . .
11      |  000000000000 | . . | . .     |  000000000000 | . . | . .
12      |  000000000000 | . . | . .     |  000000000000 | . . | . .
13      |  000000000000 | . . | . .     |  000000000000 | . . | . .
14      |  000000000000 | . . | . .     |  000000000000 | . . | . .
15      |  000000000000 | . . | . .     |  000000000000 | . . | . .


VERIFY: 
        Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
        Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f


ACTION RESULTS MATRIX AFTER VERIFY - UID e2 a5 8a 17 - TYPE 0x08 (MC1K)
---------------------------------------------------------------------
Sector  |    Key A      |ACTS | RESL    |    Key B      |ACTS | RESL
---------------------------------------------------------------------
0       |  000000000000 | . R | . .     |  000000000000 | . R | . .
1       |  000000000000 | . . | . .     |  000000000000 | . . | . .
2       |  000000000000 | . . | . .     |  000000000000 | . . | . .
3       |  000000000000 | . . | . .     |  000000000000 | . . | . .
4       |  000000000000 | . . | . .     |  000000000000 | . . | . .
5       |  000000000000 | . . | . .     |  000000000000 | . . | . .
6       |  000000000000 | . . | . .     |  000000000000 | . . | . .
7       |  000000000000 | . . | . .     |  000000000000 | . . | . .
8       |  000000000000 | . . | . .     |  000000000000 | . . | . .
9       |  000000000000 | . . | . .     |  000000000000 | . . | . .
10      |  000000000000 | . . | . .     |  000000000000 | . . | . .
11      |  000000000000 | . . | . .     |  000000000000 | . . | . .
12      |  000000000000 | . . | . .     |  000000000000 | . . | . .
13      |  000000000000 | . . | . .     |  000000000000 | . . | . .
14      |  000000000000 | . . | . .     |  000000000000 | . . | . .
15      |  000000000000 | . . | . .     |  000000000000 | . . | . .


RECOVER:  0

At first I thought the card was a MIFARE Plus, but I'm sure it's from 2007 and the Plus was first available in 2008.

I tested several cards. I can read a blank card with known key 0xFFFFFFFFFFFF:

$ ./mfcuk_keyrecovery_darkside -C -V -1:A:ffffffffffff
mfcuk - 0.3.2
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com


INFO: Connected to NFC reader: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)


VERIFY: 
        Key A sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f
        Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

RECOVER:  0 1 2 3 4 5 6 7 8 9 a b c d e f

With some more verbosity (-v 3):
The first four values stay the same. This is the last output after a short test of 10 minutes using the command line "./mfcuk_keyrecovery_darkside -C -R 0 -v 3":

-----------------------------------------------------
Let me entertain you!
    uid: e41cc2a2
   type: 08
    key: 000000000000
  block: 03
diff Nt: 1237
  auths: 3652
-----------------------------------------------------

No success with mfoc:

$ ./mfoc -O card.mfc
Found MIFARE Classic 1K card with uid: e41cc2a2
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [................]
[Key: d3f7d3f7d3f7] -> [................]
[Key: 000000000000] -> [................]
[Key: b0b1b2b3b4b5] -> [................]
[Key: 4d3a99c351dd] -> [................]
[Key: 1a982c7e459a] -> [................]
[Key: aabbccddeeff] -> [................]
[Key: 714c5c886e97] -> [................]
[Key: 587ee5f9350f] -> [................]
[Key: a0478cc39091] -> [................]
[Key: 533cb6c723f6] -> [.nfc_initiator_select_passive_target: Success
mfoc: ERROR: Tag has been removed

Second try:

./mfoc -O card.mfc
Found MIFARE Classic 1K card with uid: e41cc2a2
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [................]
[Key: d3f7d3f7d3f7] -> [................]
[Key: 000000000000] -> [................]
[Key: b0b1b2b3b4b5] -> [................]
[Key: 4d3a99c351dd] -> [................]
[Key: 1a982c7e459a] -> [................]
[Key: aabbccddeeff] -> [................]
[Key: 714c5c886e97] -> [................]
[Key: 587ee5f9350f] -> [................]
[Key: a0478cc39091] -> [................]
[Key: 533cb6c723f6] -> [................]
[Key: 8fd0a4f256e9] -> [................]

Sector 00 -  UNKNOWN_KEY [A]  Sector 00 -  UNKNOWN_KEY [b]  
Sector 01 -  UNKNOWN_KEY [A]  Sector 01 -  UNKNOWN_KEY [b]  
Sector 02 -  UNKNOWN_KEY [A]  Sector 02 -  UNKNOWN_KEY [b]  
Sector 03 -  UNKNOWN_KEY [A]  Sector 03 -  UNKNOWN_KEY [b]  
Sector 04 -  UNKNOWN_KEY [A]  Sector 04 -  UNKNOWN_KEY [b]  
Sector 05 -  UNKNOWN_KEY [A]  Sector 05 -  UNKNOWN_KEY [b]  
Sector 06 -  UNKNOWN_KEY [A]  Sector 06 -  UNKNOWN_KEY [b]  
Sector 07 -  UNKNOWN_KEY [A]  Sector 07 -  UNKNOWN_KEY [b]  
Sector 08 -  UNKNOWN_KEY [A]  Sector 08 -  UNKNOWN_KEY [b]  
Sector 09 -  UNKNOWN_KEY [A]  Sector 09 -  UNKNOWN_KEY [b]  
Sector 10 -  UNKNOWN_KEY [A]  Sector 10 -  UNKNOWN_KEY [b]  
Sector 11 -  UNKNOWN_KEY [A]  Sector 11 -  UNKNOWN_KEY [b]  
Sector 12 -  UNKNOWN_KEY [A]  Sector 12 -  UNKNOWN_KEY [b]  
Sector 13 -  UNKNOWN_KEY [A]  Sector 13 -  UNKNOWN_KEY [b]  
Sector 14 -  UNKNOWN_KEY [A]  Sector 14 -  UNKNOWN_KEY [b]  
Sector 15 -  UNKNOWN_KEY [A]  Sector 15 -  UNKNOWN_KEY [b]  
mfoc: ERROR: 

No sector encrypted with the default key has been found, exiting..

Any ideas / hints?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hey guys, I would like to change the UID of a Mifare Classic 1 kilobyte or 4 kilobyte card using mfcuk_keyrecovery_darkside. Can you tell me how to do it? The card has the default keys; I know I can eventually get the keys using mfoc. Can I make this change without a Proxmark? I have only a Touchatag reader. After changing the UID, will it be possible to write data to the card?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi bobo,

Please read at least Mifare documentation before asking this kind of question... UID is not in a writable memory area...

Romuald Conty

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Ela1983 wrote:

Hello,

I have downloaded the latest version of the Key Recovery Tool. I try to use the precompiled binaries in Win XP Prof.
I have installed the latest version of libusb for windows.

I have an ACR122U-WB-R.

I place a Mifare Classic 1k on it. The Key A for Sector 0 is 0xFFFFFFFFFFFF.

So I start the program with mfcuk_keyrecovery_darkside_win32.exe -V 0:A:FFFFFFFFFFFF

Then the screen prints:


MFCUK - MiFare Classic Universal toolKit - 0.1
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com


INFO: Connected to NFC reader: ACR122U203 - PN532 v1.4 (0x07)


VERIFY:
    Key A sectors: 0 ERROR: tag was removed or cannot be selected
ERROR: AUTH sector 0, block 3, key ffffffffffff, key-type 0x60, error code 0x00
1 2 3 4 5 6 7 8 9 a b c d e f
    Key B sectors: 0 1 2 3 4 5 6 7 8 9 a b c d e f

RECOVER:  0 1 2 3 4 5 6 7 8 9 a b c d e f




What am I doing wrong?

Thank you very much for your help - Thanks a lot

Best regards

Ela1983

Hello Ela,

I have the same problem. I have recovered the key using mfoc since it used default keys. However, I wanted to test mfcuk. I had a hard time making it compile, and it does the same thing as yours.

Did you make it work ? Any help guys?

Thanks

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Same problem as described many times before, I've run this for hours (almost a day, actually) with no results.

Any update on this? I've seen reports of recovering keys in a matter of minutes...
Is this true, and currently bugged (or being used incorrectly or something)? Or is it just incredibly slow?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Alright, turns out it was finding a matching nonce once every ~10000 tries which.. err.. wasn't going to end well.
Changed the sleep time and it ended up finding each key in under an hour.

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hello!

I'm running into some problems with MFCUK and I was hoping may be some of you could shed some guidance.

I am currently using the latest version of libnfc, compiled from source, v1.5.0 (r1122). I can use this successfully locally on Mac OS 10.6 and on a virtualized Ubuntu 11.04. I have tried lower versions of libnfc, mainly 1.4.0 and 1.4.2, but they do not seem to be compatible with my reader (Sony RC-S360/SH, PN533): I get a "No NFC device found." error.

Now, it seems to me that mfcuk may have some incompatibilities when compiled against libnfc v1.5.0 (r1122). So, I was wondering if anybody knew whether this was the case or not. If it is, are there any known work-arounds? If anybody has been able to get mfcuk working with libnfc v1.5.0(r1122), I'd love to hear how they did it.

Thanks, any help is appreciated.

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

ev0lution wrote:

Alright, turns out it was finding a matching nonce once every ~10000 tries which.. err.. wasn't going to end well.
Changed the sleep time and it ended up finding each key in under an hour.

ev0lution, how do you change the sleep time? Is it using the -s syntax? Can you say what command you entered?

Mine ran for 10 hours and is still running, and it says error 0x008. Not sure how to fix it. Any help is greatly appreciated.

Thanks in advance.

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

kishangupta wrote:

Hello Ela,

I have the same problem. I have recovered the key using mfoc since it used default keys. However, I wanted to test mfcuk. I had a hard time making it compile, and it does the same thing as yours.

Did you make it work ? Any help guys?

Thanks

Please read this document:
http://www.idvation.com/uploads/media/A … 113_03.pdf

Particularly about firmware version 2.06

60 (edited by timdexter 2011-12-31 22:08:31)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

well, mfcuk seems to be not working with acr122u207
has anyone fixed it yet or found a workaround?

UPDATE: well, it actually works, but with bugs. So it needs to be fixed

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi timdexter,
have you got a bugfree version to share? thanks!

62 (edited by baronsz 2012-06-18 10:58:04)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi,

I tried to use a MIFARE Classic on an ACR122U207 and on an ACR122U203 with mfcuk and mfoc, but it failed. libnfc-1.5.1 and its dependencies were installed successfully onto a Debian 5.0 and I could test the default tools. Unfortunately, mfoc and mfcuk were very unstable and could not finish the jobs. I also tried BackTrack 5 R2; the results were the same: a communication failure occurred and hung the applications (the card reader even had to be re-plugged and pcscd restarted).

The error messages were different during different runs, but they all pointed to these functions and settings (some of them were already posted in this thread): "mfcuk_key_recovery_block() (error code=0x08)", "MFCUK_FAIL_COMM", "nfc_initiator_transceive_bytes()".

I saw that libnfc works perfectly with the ACR122U206, but were mfoc and mfcuk tested with it too? Could anyone suggest a HW device which is supported by mfoc and mfcuk? Unfortunately, ACR122 readers with older firmwares (such as the ACR122U102) can not be bought any more... And I also know that the Proxmark3 can do the job, but it is not my case... Any idea is welcome!

UPDATE:

Just to answer my question: the ACR122U207 made by ACS is good for developing (using tools), but is very unstable with mfcuk/mfoc (though it works with libnfc!). If you want to run mfcuk/mfoc, you should buy an ACR122-like reader made by Alcatel-Lucent: the Touchatag.

mfcuk identifies Touchatag as:
INFO: Connected to NFC reader: ACS ACR 38U-CCID 01 00 / ACR122U102 - PN532 v1.4 (0x07)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

ev0lution wrote:

Alright, turns out it was finding a matching nonce once every ~10000 tries which.. err.. wasn't going to end well.
Changed the sleep time and it ended up finding each key in under an hour.

How did you change the sleep time? I tried the usual mfcuk syntax and it can't find any keys in one entire day.
Thanks.

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Guys, please help me. I'm using mfcuk on Ubuntu 11.10 with one SCL3711 reader. It seems ok, but it says:

WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_skgt.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_ratb.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_oyster.mfd'

But I guess it doesn't change anything; the card is not one of those cards, so no template is needed.
I tried a card with this syntax:  mfcuk_keyrecovery_darkside -C -v 2 -R 3:A -M 8
I want to get only one key (in this case the sector 3 key) to run mfoc with afterwards, just to be fast.

But it takes a long time to find. Actually I've been running mfcuk for more than 48 hours; the LED is blinking a normal green and the terminal shows:

ACTION RESULTS MATRIX AFTER VERIFY - UID 2c 4d cf 88 - TYPE 0x08 (MC1K)
---------------------------------------------------------------------
Sector    |    Key A    |ACTS | RESL    |    Key B    |ACTS | RESL
---------------------------------------------------------------------
0    |  000000000000    | . . | . .    |  000000000000    | . . | . .
1    |  000000000000    | . . | . .    |  000000000000    | . . | . .
2    |  000000000000    | . . | . .    |  000000000000    | . . | . .
3    |  000000000000    | . R | . .    |  000000000000    | . . | . .
4    |  000000000000    | . . | . .    |  000000000000    | . . | . .
5    |  000000000000    | . . | . .    |  000000000000    | . . | . .
6    |  000000000000    | . . | . .    |  000000000000    | . . | . .
7    |  000000000000    | . . | . .    |  000000000000    | . . | . .
8    |  000000000000    | . . | . .    |  000000000000    | . . | . .
9    |  000000000000    | . . | . .    |  000000000000    | . . | . .
10    |  000000000000    | . . | . .    |  000000000000    | . . | . .
11    |  000000000000    | . . | . .    |  000000000000    | . . | . .
12    |  000000000000    | . . | . .    |  000000000000    | . . | . .
13    |  000000000000    | . . | . .    |  000000000000    | . . | . .
14    |  000000000000    | . . | . .    |  000000000000    | . . | . .
15    |  000000000000    | . . | . .    |  000000000000    | . . | . .


RECOVER:  0 1 2 3

Until now mfcuk has found nothing and I'm a little upset with that. If only it could resume from the last search... I read about people who took like 20 minutes or 1 hour to get keys, and I'm running 2 days and nothing. Is there some syntax to try? What about the sleep syntax? What can I do to find those keys without running this software for one month?
Mfoc doesn't find keys because they are not default keys.

Thanks

65 (edited by samph 2012-07-16 16:16:54)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

After many issues, I think I successfully installed/compiled libnfc using these instructions.

Now I am trying to compile/install mfcuk. Once I get to the ./configure step I get the following error

Sam@Sam-PC /c/Users/Sam/Documents/mfcuk/mfcuk-read-only
$ ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.exe
checking for suffix of executables... .exe
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
./configure: line 3739: syntax error near unexpected token `LIBNFC,'
./configure: line 3739: `PKG_CHECK_MODULES(LIBNFC, libnfc >= $LIBNFC_REQUIRED_VERSION, , AC_MSG_ERROR([libnfc >= $LIBNFC_REQUIRED_VERSION is mandatory.]))'

I'm guessing this has something to do with my not properly telling something (pkg-config?) where libnfc is? Any help is greatly appreciated.

66 (edited by iruka 2012-08-22 15:56:29)

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

To people wondering about sleep delays, I've experimented with various DROP FIELD and CONSTANT DELAY setting combinations and settled with a value of 250ms for both.

./mfcuk -C -R 0 -v 3 -s 250 -S 250 -o dump.bin

I've had inconsistent but far better results than with no sleep delay at all. I've experimented with various combinations and stopped each attempt after it took one hour longer than my previous best configuration.
I did a few tests with 200ms increments, then narrowing it down to a 50ms window.

Tags with known keys were cracked in 5 minutes to 4 hours (worst performance with these settings). My current average is roughly 2 hours (100-130 minutes).

I'm using a SCL3711 dongle (PN533 chip), mfcuk compiled against libnfc 1.5.1.

During experiments, I almost always correctly got a gut feeling of whether the settings were right or wrong by watching the diff Nt / auth ratio (-v 3 only): diff Nt should stabilize quickly and I usually keep it under 200-300. Those are the different tag nonces encountered; as the attack aims at fixing them, keeping these as low as possible means you are accurately fixing them and gaining more useful information.

In an attempt to improve the software implementation and study the actual attack, I've begun experimenting with real-time versions of Linux (RTAI / Xenomai) to see if using them would benefit the darkside attack.

Hope this helps, I'll keep you posted on my experiments (conducted on my free time, so this will be a long road).

Edit:

Just forgot to mention that the experiments were VERY sensitive to whether I was using an extension cord or not, and to the distance and orientation of the tags relative to the reader. I kept on using no extension cord and simply laying the cards centered on top of the dongle. I have not really investigated this beyond how it affected raw performance (auth count/sec with minimal sleep delays).
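As an added worked example for this thread (written for this page; it is not code from mfcuk, libnfc or crapto1) of what the diff Nt counter in the post above is counting: the tag nonce nT comes from a 16-bit LFSR with feedback x[k+16] = x[k] ^ x[k+2] ^ x[k+3] ^ x[k+5] (generating polynomial x^16 + x^14 + x^13 + x^11 + 1) that is clocked continuously from the moment the tag is powered, and nT is the 32 successive LFSR bits present when the authentication request arrives (Garcia et al., "Dismantling MIFARE Classic"; the "Wirelessly Pickpocketing a Mifare Classic Card" paper, WPMCC09, is the one that describes dropping the field so the tag resets and then timing the request). So nT is a function of the time between field-on and the auth request, there are only 65535 possible values, and a stable delay yields the same nonce every time. Everything else in the block is constructed for the demonstration: one LFSR step per "tick", the power-on state 0x1234, the jitter pattern (i*7) % (jitter+1) standing in for imprecise reader timing, and the bit ordering, which is this example's own rather than crapto1's.

```c
/* Added example for this thread (not mfcuk, libnfc or crapto1 code): a model
 * of the MIFARE Classic tag nonce generator, to show what mfcuk's "diff Nt"
 * counter (-v 3) measures and why stable field-off/field-on timing keeps it
 * small. Feedback x[k+16] = x[k]^x[k+2]^x[k+3]^x[k+5] is from the literature;
 * the tick model, the power-on state 0x1234 and the jitter pattern (i*7) %
 * (jitter+1) are assumptions made for the demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One LFSR step. The state holds x[k..k+15], x[k] in the most significant
 * bit; the new bit x[k+16] enters at the least significant end. */
static uint16_t lfsr_step(uint16_t s)
{
    unsigned fb = ((s >> 15) ^ (s >> 13) ^ (s >> 12) ^ (s >> 10)) & 1u;
    return (uint16_t)((s << 1) | fb);
}

/* Generator state n ticks after state s. */
static uint16_t lfsr_after(uint16_t s, unsigned n)
{
    while (n--)
        s = lfsr_step(s);
    return s;
}

/* The 32-bit nonce the tag emits at state s: the 16 state bits followed by
 * the next 16 output bits, i.e. x[k..k+31] most significant bit first. */
static uint32_t nonce_from_state(uint16_t s)
{
    return ((uint32_t)s << 16) | lfsr_after(s, 16);
}

/* Nonce emitted n ticks after power-on from power-on state s. */
static uint32_t nonce_after(uint16_t s, unsigned n)
{
    return nonce_from_state(lfsr_after(s, n));
}

/* Given an observed nonce, the nonce the tag would emit n ticks later. The
 * high 16 bits of a genuine nonce are the generator state, so nothing else
 * is needed (the same role crapto1's prng_successor plays). */
static uint32_t nonce_successor(uint32_t nt, unsigned n)
{
    return nonce_after((uint16_t)(nt >> 16), n);
}

/* true if nt could have come from this generator: its low 16 bits must be the
 * continuation of its high 16 bits. Only 2^16 of the 2^32 values pass. */
static bool is_lfsr_nonce(uint32_t nt)
{
    return nonce_from_state((uint16_t)(nt >> 16)) == nt;
}

/* Ticks until the generator returns to `start`: the period of the nonce
 * sequence (65535 for any non-zero state; the all-zero state is stuck). */
static unsigned lfsr_period(uint16_t start)
{
    uint16_t s = start;
    unsigned n = 0;
    if (start == 0)
        return 1;
    do {
        s = lfsr_step(s);
        n++;
    } while (s != start);
    return n;
}

/* Simulate `auths` darkside authentication attempts. Before each attempt the
 * reader drops the field so the tag restarts from `power_on_state`, then
 * issues the auth request `delay` ticks after field-on; attempt i arrives
 * (i*7) % (jitter+1) ticks late, a fixed pattern standing in for imprecise
 * reader timing. Returns the number of distinct nonces seen, which is what
 * "diff Nt" counts: 1 with exact timing, and every extra distinct nonce is an
 * attempt whose response says nothing about the nonce being fixed. */
static unsigned simulate_diff_nt(uint16_t power_on_state, unsigned delay,
                                 unsigned jitter, unsigned auths)
{
    uint32_t *seen = malloc(auths * sizeof *seen);
    unsigned distinct = 0;
    if (seen == NULL)
        return 0;
    for (unsigned i = 0; i < auths; i++) {
        unsigned late = (i * 7u) % (jitter + 1u);
        uint32_t nt = nonce_after(power_on_state, delay + late);
        bool dup = false;
        for (unsigned k = 0; k < distinct && !dup; k++)
            dup = (seen[k] == nt);
        if (!dup)
            seen[distinct++] = nt;
    }
    free(seen);
    return distinct;
}

int main(void)
{
    const uint16_t s0 = 0x1234; /* constructed power-on state */
    uint32_t nt = nonce_after(s0, 100);

    printf("period of the nonce generator: %u states\n", lfsr_period(s0));
    printf("nonce 100 ticks after power-on: %08x (LFSR-shaped: %s)\n",
           (unsigned)nt, is_lfsr_nonce(nt) ? "yes" : "no");
    printf("nonce 3 ticks after that:       %08x\n",
           (unsigned)nonce_successor(nt, 3));
    for (unsigned jitter = 0; jitter <= 8; jitter += 4)
        printf("delay 100, jitter %u ticks, 200 auths -> diff Nt = %u\n",
               jitter, simulate_diff_nt(s0, 100, jitter, 200));
    return 0;
}
```

Build with `cc -std=c99 -Wall nonce_model.c` (file name is arbitrary). With jitter 0 the simulated diff Nt stays at 1 no matter how many auths are run; with a jitter of j ticks it grows to j+1 and then stops, which is the "stabilizes quickly" behaviour described above. The ratio diff Nt / auths is therefore the fraction of attempts wasted on nonces other than the one the attack is accumulating responses for; on real hardware the -s / -S sleeps, the cable and the tag placement are what move the effective jitter, and the model says nothing about which values are right for a given reader.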

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

iruka wrote:

To people wondering about sleep delays, I've experimented with various DROP FIELD and CONSTANT DELAY setting combinations and settled with a value of 250ms for both.

./mfcuk -C -R 0 -v 3 -s 250 -S 250 -o dump.bin

Genius, just genius!

I have one SCL3711 and was trying mfcuk without success. I just used those sleep settings and in less than one hour I got the sector 0 keys. Then with those keys I ran mfoc and got all the other keys and a dump.

Thanks Iruka!

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

iruka wrote:

I'm using a SCL3711 dongle (PN533 chip), mfcuk compiled against libnfc 1.5.1.

wender_reis wrote:

I have one SCL3711 and was trying mfcuk without success. I just used those sleep settings and in less than one hour I got the sector 0 keys. Then with those keys I ran mfoc and got all the other keys and a dump.

Wender_reis, did you use mfoc compiled against libnfc 1.5.1?


Maybe it would be an improvement to add those delays to mfoc too?

bool mfcuk_darkside_select_tag(...){
...
// {WPMCC09} 2.4. Tag nonces: "drop the field (for approximately 30us) to discharge all capacitors"
sleep(iSleepAtFieldOFF);
...
// Switch the field back on, and wait for a constant amount of time before authenticating
sleep(iSleepAfterFieldON);
...
}

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Ignas wrote:

Wender_reis, did you use mfoc compiled against libnfc 1.5.1?

Yes. I have Ubuntu 11.10 32bits installed and got mfoc installed using the compiled binaries from Thomas Hood. https://launchpad.net/~jdthood/+archive/nfc

Ignas wrote:

wender_reis, did you use mfoc compiled against libnfc 1.5.1?

Yes. I installed it the same way it describes on the website. You know, I'm not a Linux guy, so I don't understand much about syntax and that stuff. Mfcuk took like 1 hour or less to get the first sector key, I'm not sure exactly how long. Then I used mfoc -k keythatIgot -O file.mdf and in like 5 minutes I got all the sector keys.

Ignas wrote:

Maybe it would be an improvement to add those delays to mfoc too?

Sure, it could be good, but I don't know how to do that.

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hello,

FYI, I have upgraded the MFCUK code to compile against the current devel (1.6.x) version of libnfc.

To test it, you have to use the devel (svn) version of both libnfc and MFCUK.

Feel free to report bugs at:
http://code.google.com/p/mfcuk/issues/list

Romuald Conty

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi,

./mfcuk -C -R 0 -v 3 -s 250 -S 250 -o dump.bin

I used the command above and I obtained a key, but it's incorrect.
The card is using the default key a0a1a2a3a4a5 on all sectors/blocks, but mfcuk gives a different key on each.

should i change the sleep time to obtain the accurate result ?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

I stopped at diff Nt 64 and auths 2000. It took me a while. But I think it's not very solid. For example: if you remove the NFC card, the program won't recognize it!

Btw, do you have those kind of errors in your dmesg:

[14662.281312] usb 4-1: usbfs: process 15831 (pcscd) did not claim interface 0 before use

?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hi there,

I've been playing with mfcuk for almost a week. Although I get a bunch of keys, none of them are, in fact, valid (as mfoc and nfc-mfclassic states).
If I repeat the extraction of the keys for one particular sector, I may (or I may not) get the same keys obtained before, but in general, I do.
I've blown my head trying to figure the problem out.

I have -literally- no idea of what could be happening, so I ask for your help. I'm willing to read whatever it takes, so don't hesitate to leave here any document.

Thank you in advance.

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

scratcher wrote:

Although I get a bunch of keys, none of them are, in fact, valid

Exactly the same for me.
mfcuk quickly finds keys, but they are wrong.

However, I noticed that the last 2 bytes of the keys are always good, but the first 4 bytes are always wrong (sometimes random, sometimes the same).

Same wrong behavior with 2 different kinds of Mifare Classic 1K tags. The optimal mfcuk timings are different for each one, but the result is the same.

My hardware is SCL3711 (PN533).
I get the same wrong behavior with both Linux 32-bit and Windows XP 32-bit.

Any ideas ?

Re: Mifare Classic Key Recovery tool - "Dark Side" Attack

Hacktarus wrote:
scratcher wrote:

Although I get a bunch of keys, none of them are, in fact, valid

Exactly the same for me.
mfcuk quickly finds keys, but they are wrong.

However, I noticed that the last 2 bytes of the keys are always good, but the first 4 bytes are always wrong (sometimes random, sometimes the same).

Same wrong behavior with 2 different kinds of Mifare Classic 1K tags. The optimal mfcuk timings are different for each one, but the result is the same.

My hardware is SCL3711 (PN533).
I get the same wrong behavior with both Linux 32-bit and Windows XP 32-bit.

Any ideas ?


The problem is the 32-bit system; try it on 64-bit.
There is a bug in the code.