mfoc-hardnested
Incorrect work (looping in sector 33) with Mifare 4k cards
The application works great with 1k or 2k cards. It doesn't work correctly with 4k cards. The 4k card consists of 32 sectors with a size of 64 bytes (4 blocks), and 8 sectors with a size of 256 bytes (16 blocks). When the application is working with a 4k card, it successfully searches keys for sectors 0-31 (the size of each sector is 64 bytes), but as soon as the key search reaches sector 32 (the sector size is 256 bytes), the key search gets stuck in sector 33. The key search will not go beyond sector 33. See the log below.
```text
600 | 33B | 1677 | (6. guess: Sum(a8) = 112) | 94903107584 | 14min
619 | 33B | 1677 | Apply Sum(a8) and all bytes bitflip properties | 65121910784 | 10min
625 | 33B | 1677 | Brute force phase: 12.28% | 64877424640 | 10min
631 | 33B | 1677 | Brute force phase: 36.33% | 64398696448 | 10min
639 | 33B | 1677 | Brute force phase: 65.61% | 63815827456 | 10min
644 | 33B | 1677 | Brute force phase: 86.58% | 63398297600 | 10min
647 | 33B | 1677 | (7. guess: Sum(a8) = 120) | 86009774080 | 13min
659 | 33B | 1677 | Apply Sum(a8) and all bytes bitflip properties | 49862168576 | 8min
679 | 33B | 1677 | Brute force phase: 25.35% | 49128714240 | 7min
688 | 33B | 1677 | Brute force phase completed. Key found: bbbbbbbbbb32 | 0 | 0s
Checking for key reuse...
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
Sector 00 - Found Key A: aaaaaaaaaa00 Found Key B: bbbbbbbbbb00
Sector 01 - Found Key A: aaaaaaaaaa01 Found Key B: bbbbbbbbbb01
Sector 02 - Found Key A: aaaaaaaaaa02 Found Key B: bbbbbbbbbb02
Sector 03 - Found Key A: aaaaaaaaaa03 Found Key B: bbbbbbbbbb03
Sector 04 - Found Key A: aaaaaaaaaa04 Found Key B: bbbbbbbbbb04
Sector 05 - Found Key A: aaaaaaaaaa05 Found Key B: bbbbbbbbbb05
Sector 06 - Found Key A: aaaaaaaaaa06 Found Key B: bbbbbbbbbb06
Sector 07 - Found Key A: aaaaaaaaaa07 Found Key B: bbbbbbbbbb07
Sector 08 - Found Key A: aaaaaaaaaa08 Found Key B: bbbbbbbbbb08
Sector 09 - Found Key A: aaaaaaaaaa09 Found Key B: bbbbbbbbbb09
Sector 10 - Found Key A: aaaaaaaaaa10 Found Key B: bbbbbbbbbb10
Sector 11 - Found Key A: aaaaaaaaaa11 Found Key B: bbbbbbbbbb11
Sector 12 - Found Key A: aaaaaaaaaa12 Found Key B: bbbbbbbbbb12
Sector 13 - Found Key A: aaaaaaaaaa13 Found Key B: bbbbbbbbbb13
Sector 14 - Found Key A: aaaaaaaaaa14 Found Key B: bbbbbbbbbb14
Sector 15 - Found Key A: aaaaaaaaaa15 Found Key B: bbbbbbbbbb15
Sector 16 - Found Key A: aaaaaaaaaa16 Found Key B: bbbbbbbbbb16
Sector 17 - Found Key A: aaaaaaaaaa17 Found Key B: bbbbbbbbbb17
Sector 18 - Found Key A: aaaaaaaaaa18 Found Key B: bbbbbbbbbb18
Sector 19 - Found Key A: aaaaaaaaaa19 Found Key B: bbbbbbbbbb19
Sector 20 - Found Key A: aaaaaaaaaa20 Found Key B: bbbbbbbbbb20
Sector 21 - Found Key A: aaaaaaaaaa21 Found Key B: bbbbbbbbbb21
Sector 22 - Found Key A: aaaaaaaaaa22 Found Key B: bbbbbbbbbb22
Sector 23 - Found Key A: aaaaaaaaaa23 Found Key B: bbbbbbbbbb23
Sector 24 - Found Key A: aaaaaaaaaa24 Found Key B: bbbbbbbbbb24
Sector 25 - Found Key A: aaaaaaaaaa25 Found Key B: bbbbbbbbbb25
Sector 26 - Found Key A: aaaaaaaaaa26 Found Key B: bbbbbbbbbb26
Sector 27 - Found Key A: aaaaaaaaaa27 Found Key B: bbbbbbbbbb27
Sector 28 - Found Key A: aaaaaaaaaa28 Found Key B: bbbbbbbbbb28
Sector 29 - Found Key A: aaaaaaaaaa29 Found Key B: bbbbbbbbbb29
Sector 30 - Found Key A: aaaaaaaaaa30 Found Key B: bbbbbbbbbb30
Sector 31 - Found Key A: aaaaaaaaaa31 Found Key B: bbbbbbbbbb31
Sector 32 - Found Key A: aaaaaaaaaa32 Found Key B: bbbbbbbbbb32
Sector 33 - Found Key A: aaaaaaaaaa33 Unknown Key B
Sector 34 - Found Key A: aaaaaaaaaa34 Unknown Key B
Sector 35 - Found Key A: aaaaaaaaaa35 Unknown Key B
Sector 36 - Found Key A: aaaaaaaaaa36 Found Key B: bbbbbbbbbb32 <<< wrong!!!
Sector 37 - Found Key A: aaaaaaaaaa37 Unknown Key B
Sector 38 - Found Key A: aaaaaaaaaa38 Unknown Key B
Sector 39 - Found Key A: aaaaaaaaaa39 Unknown Key B
Using sector 36 as an exploit sector
Mode: d, Auth command: 60 cf 0e 45
fc 7f d0 c7
{Ar}: bb 9a! 07! 28! 54! 26 3c ed!
{At}: 52! 91 c8! b1
Authentication completed.
Nested Auth number: 0
{AuthEnc}: 28! d4 20 6b! 00! 01 00! 01
{AuthEnResp}: 3c! ec 61 27!
Card is not vulnerable to nested attack
Using SSE2 SIMD core.
time | trg | #nonces | Activity | expected to brute force
| | | | #states | time
0 | 33B | 0 | Start using 2 threads and SSE2 SIMD core | |
0 | 33B | 0 | Brute force benchmark: 111 million (2^26.7) keys/s | 140737488355328 | 15d
3 | 33B | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 15d
Mode: h, Auth command: 60 c0 f9 bd
e9 05 ba 3d
{Ar}: 0c a8! 08 07! 79 6c! 1a! 6a!
{At}: 84! 4d be cd
Authentication completed.
9 | 33B | 1 | Apply bit flip properties | 140737488355328 | 15d
Mode: h, Auth command: 60 c0 f9 bd
ab 66 a5 c0
{Ar}: 48! 65! d7! 95! 02 ef! 4c 26!
{At}: 0b 26 b4! 6f
Authentication completed.
9 | 33B | 2 | Apply bit flip properties | 140737488355328 | 15d
Mode: h, Auth command: 60 c0 f9 bd
31 54 14 e3
{Ar}: 20 5b e3! 6c fd! 4d! ca! 2c!
{At}: 19! c9 53! 40!
Authentication completed.
```
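The 4K layout from the report above (32 sectors of 4 blocks, then 8 sectors of 16 blocks), as an illustration added here rather than mfoc-hardnested's own code or the change in #19: a sector/block mapper that handles both sector sizes, beside the 4-blocks-per-sector shortcut that is only valid for 1K/2K cards. The shortcut still lands inside sector 32 when asked for sector 32 and first addresses the wrong sector at sector 33, which is where the log above stalls.

```c
#include <stdbool.h>
#include <stdio.h>

/* MIFARE Classic 4K layout as described in the report: sectors 0-31 have 4
 * blocks (64 bytes), sectors 32-39 have 16 blocks (256 bytes); blocks are 16
 * bytes and each sector's last block is its trailer (key A, access bits, key B). */
#define SMALL_SECTORS 32
#define LARGE_SECTORS 8
#define SMALL_BLOCKS  4
#define LARGE_BLOCKS  16
#define NUM_SECTORS   (SMALL_SECTORS + LARGE_SECTORS)
#define SMALL_AREA    (SMALL_SECTORS * SMALL_BLOCKS)              /* 128 blocks */
#define NUM_BLOCKS    (SMALL_AREA + LARGE_SECTORS * LARGE_BLOCKS) /* 256 blocks */

/* Blocks in a sector, or 0 for an invalid sector number. */
int blocks_in_sector(int sector) {
    if (sector < 0 || sector >= NUM_SECTORS) return 0;
    return sector < SMALL_SECTORS ? SMALL_BLOCKS : LARGE_BLOCKS;
}
/* First block of a sector, or -1 for an invalid sector number. */
int first_block_of_sector(int sector) {
    if (blocks_in_sector(sector) == 0) return -1;
    if (sector < SMALL_SECTORS) return sector * SMALL_BLOCKS;
    return SMALL_AREA + (sector - SMALL_SECTORS) * LARGE_BLOCKS;
}
/* Trailer block of a sector, or -1 for an invalid sector number. */
int trailer_block_of_sector(int sector) {
    int n = blocks_in_sector(sector);
    return n ? first_block_of_sector(sector) + n - 1 : -1;
}
/* Sector that owns a block, or -1 for an invalid block number. */
int sector_of_block(int block) {
    if (block < 0 || block >= NUM_BLOCKS) return -1;
    if (block < SMALL_AREA) return block / SMALL_BLOCKS;
    return SMALL_SECTORS + (block - SMALL_AREA) / LARGE_BLOCKS;
}
/* The 1K/2K shortcut (4 blocks per sector); wrong when its trailer block
 * belongs to another sector. */
int naive_trailer_block(int sector) { return sector * 4 + 3; }
bool naive_trailer_is_wrong(int sector) {
    return sector_of_block(naive_trailer_block(sector)) != sector;
}

int main(void) {
    for (int s = 0; s < NUM_SECTORS; s++)
        printf("sector %2d: trailer %3d, shortcut %3d%s\n", s, trailer_block_of_sector(s),
               naive_trailer_block(s), naive_trailer_is_wrong(s) ? "  <- wrong sector" : "");
    return 0;
}
```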
Exactly the same for me
Any tips on how you've solved it or with an alternative?
Unfortunately, I have not solved this problem.
I (hope I) fixed this in #19; there was a small mistake in the code causing larger sectors to not work. Edit: so you can use my branch until the PR is accepted.