webmagic86

Up for you, as I have a similar situation reading a mifare tag, sector 1 reads as follows: ``` 0000D2000000088E0000000000000000 00000000000000000000000000000000 A0B1C2D3E4F5FFFFFFFFFFFFFFFFFFFF ------------FF0F00FFFFFFFFFFFFFF ``` I was able to copy this...

@ikarus23 I did several tests, using Android 9 (Sony XZ1) and 11 (Pixel 4a), all reporting the same readings. @vykintazo my card has default keys for sector 0 (copied on...

> Also, your block 0 `0000D2000000088E0000000000000000` looks very off. The UID does not look very valid. Does the tag have a 4 bytes long UID? If so, the BCC in...

First tests with PN532+USB-TTL, but still no luck trying to recover my A-key on sector 1. `mfoc` ERROR: No success, maybe you should increase the probes.

Hello @ikarus23, I think I made a big step forward in understanding the issue. Using the app I managed to write and update sector 1, block 0 on the original...

This morning I understood why I was able to write sector 1, block 0. Access conditions (FF0F00 + FF as user bytes) allowed me to update the block using key...

> At this point, I'm not sure if there is an issue with your tag. Could be. One explanation I have is that the tag sometimes returns negative to an...

Update: I finally got my hands on PM3 and tested the card.. got my real keyA `001122334455` (maybe we can add it in the dictionary). ``` +Sector: 0 DE30DE0D3D0804006263646566676869 00000000000000000000000000000000...

Yes @ikarus23, I remember we discussed about it, and I agree with the explanation you gave. Fudan may have left this vulnerability on purpose. Let's see if you can reproduce...

@NikoCosmico01 @Hmvgit any update for static nonces?