
Hardnested for MFC EV1 not successful on PM3 rdv4 with AVX512 system

Open ikarus23 opened this issue 1 week ago • 3 comments

Hi. I have (temporary) access to a genuine MIFARE Classic EV1 tag. I tried to recover the keys using the hardnested method and noticed something strange: It works on the PM3 Easy but it does NOT work on the PM3 rdv4.

PM3 rdv4:

[usb] pm3 --> hf mf hardnested --blk 0 -a -k a0a1a2a3a4a5 --tblk 0 --tb
[=] Target block no   0, target key type: B, known target key: 000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX512F SIMD core            |                 |
[=]        0 |       0 | Brute force benchmark: 2065 million (2^30,9) keys/s     | 140737488355328 |   19h
[=]        0 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 316 ms                | 140737488355328 |   19h
[=]        0 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   19h
[=]        3 |     112 | Apply bit flip properties                               |    102512648192 |   50s
[=]        4 |     224 | Apply bit flip properties                               |     30904090624 |   15s
[=]        5 |     336 | Apply bit flip properties                               |     22416209920 |   11s
[=]        6 |     448 | Apply bit flip properties                               |     21135179776 |   10s
[=]        7 |     560 | Apply bit flip properties                               |     21135179776 |   10s
[=]        8 |     671 | Apply bit flip properties                               |     21135179776 |   10s
[=]        9 |     779 | Apply bit flip properties                               |     21135179776 |   10s
[=]        9 |     890 | Apply bit flip properties                               |     21135179776 |   10s
[=]       10 |     997 | Apply bit flip properties                               |     21135179776 |   10s
[=]       11 |    1106 | Apply bit flip properties                               |     21135179776 |   10s
[=]       12 |    1216 | Apply bit flip properties                               |     21135179776 |   10s
[=]       13 |    1326 | Apply bit flip properties                               |     21135179776 |   10s
[=]       15 |    1437 | Apply Sum property. Sum(a0) = 128                       |      1825428480 |    1s
[=]       16 |    1548 | Apply bit flip properties                               |      1677347072 |    1s
[=]       17 |    1660 | Apply bit flip properties                               |      1677347072 |    1s
[=]       18 |    1770 | Apply bit flip properties                               |      1677347072 |    1s
[=]       18 |    1770 | (Ignoring Sum(a8) properties)                           |      1677347072 |    1s

PM3 Easy:

[usb] pm3 --> hf mf hardnested --blk 0 -a -k a0a1a2a3a4a5 --tblk 0 --tb
[=] Target block no   0, target key type: B, known target key: 000000000000 (not set)
[=] File action: none, Slow: No, Tests: 0
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX512F SIMD core            |                 |
[=]        0 |       0 | Brute force benchmark: 1933 million (2^30,8) keys/s     | 140737488355328 |   20h
[=]        0 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 450 ms                | 140737488355328 |   20h
[=]        0 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   20h
[=]        3 |     112 | Apply bit flip properties                               |    248164073472 |  2min
[=]        5 |     224 | Apply bit flip properties                               |     24915030016 |   13s
[=]        6 |     335 | Apply bit flip properties                               |     21135179776 |   11s
[=]        6 |     447 | Apply bit flip properties                               |     21135179776 |   11s
[=]        7 |     558 | Apply bit flip properties                               |     21135179776 |   11s
[=]        8 |     669 | Apply bit flip properties                               |     21135179776 |   11s
[=]        9 |     780 | Apply bit flip properties                               |     21135179776 |   11s
[=]       10 |     891 | Apply bit flip properties                               |     21135179776 |   11s
[=]       11 |    1001 | Apply bit flip properties                               |     21135179776 |   11s
[=]       13 |    1110 | Apply Sum property. Sum(a0) = 128                       |      1887103872 |    1s
[=]       13 |    1222 | Apply bit flip properties                               |      1887103872 |    1s
[=]       14 |    1333 | Apply bit flip properties                               |      1887103872 |    1s
[=]       15 |    1441 | Apply bit flip properties                               |      1887103872 |    1s
[=]       16 |    1441 | (Ignoring Sum(a8) properties)                           |      1887103872 |    1s
[=]       18 |    1441 | Brute force phase completed.  Key found: XXXXXXXXXXXX   |               0 |    0s

I've tried a lot for the PM3 rdv4. Repeated over 10 times, changed the card position, changed the distance between card and PM3, etc., but it always pauses at (Ignoring Sum(a8) properties) for some seconds and then fails.

Since it is so reproducible for this card, I think it might be a bug. Is something preventing the PM3 rdv4 from entering the brute force phase? I'm on Arch using the latest code from the repo.

ikarus23 · Jun 25 '24 10:06
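A triage helper for comparing two runs like the ones in this report, added here as an example (it is not part of the issue and not Proxmark3 code): it parses the `hf mf hardnested` progress table and reports where each run stopped and how far the state space had been reduced. The sample rows are excerpted from the two logs above; the function names are made up for this example.

```python
import re

# One data row of the progress table printed by `hf mf hardnested` (layout as in the logs above).
ROW = re.compile(r"^\[=\]\s+(\d+)\s*\|\s*(\d+)\s*\|\s*(.*?)\s*\|\s*(\d*)\s*\|\s*(\S*)$")

def parse_run(text):
    """Return the table's data rows; header and separator lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            t, nonces, activity, states, _eta = m.groups()
            rows.append({"time": int(t), "nonces": int(nonces), "activity": activity,
                         "states": int(states) if states else None})
    return rows

def summarize(rows):
    """Report where the run stopped and the last state count before any brute-force row."""
    reduced = [r for r in rows if r["states"] and not r["activity"].startswith("Brute force")]
    return {"nonces": rows[-1]["nonces"],
            "states_left": reduced[-1]["states"],
            "last_activity": rows[-1]["activity"],
            "brute_force_reported": any(
                r["activity"].startswith("Brute force phase") for r in rows)}

# Rows excerpted from the PM3 rdv4 and PM3 Easy logs in the report above.
RDV4 = """\
[=]        0 |       0 | Start using 16 threads and AVX512F SIMD core            |                 |
[=]        0 |       0 | Brute force benchmark: 2065 million (2^30,9) keys/s     | 140737488355328 |   19h
[=]        3 |     112 | Apply bit flip properties                               |    102512648192 |   50s
[=]       15 |    1437 | Apply Sum property. Sum(a0) = 128                       |      1825428480 |    1s
[=]       18 |    1770 | Apply bit flip properties                               |      1677347072 |    1s
[=]       18 |    1770 | (Ignoring Sum(a8) properties)                           |      1677347072 |    1s
"""
EASY = """\
[=]        0 |       0 | Start using 16 threads and AVX512F SIMD core            |                 |
[=]        3 |     112 | Apply bit flip properties                               |    248164073472 |  2min
[=]       13 |    1110 | Apply Sum property. Sum(a0) = 128                       |      1887103872 |    1s
[=]       15 |    1441 | Apply bit flip properties                               |      1887103872 |    1s
[=]       16 |    1441 | (Ignoring Sum(a8) properties)                           |      1887103872 |    1s
[=]       18 |    1441 | Brute force phase completed.  Key found: XXXXXXXXXXXX   |               0 |    0s
"""

if __name__ == "__main__":
    for name, log in (("PM3 rdv4", RDV4), ("PM3 Easy", EASY)):
        print(name, summarize(parse_run(log)))
```

On these excerpts both runs reduce the state space to the same order of magnitude; the rdv4 log simply has no brute-force row after the last reduction step.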