uniformize tools/mfc/card_reader

Philippe Teuwen 2024-09-02 11:11:40 +02:00
commit 5b6a898fe7
7 changed files with 60 additions and 54 deletions


@ -20,8 +20,8 @@ Sample trace:
TAG 08 b6 dd // sak
60 04 d1 3d // wanna auth block 0x04 with A key
TAG ed 12 9c 74 // 1st auth clear text nt
55 53 9f cc 41 8d e8 f3 // nr', ar' (nr^ks1, ar^ks2 )
TAG 05 49 e1 65 // at' ( at^ks3 )
55 53 9f cc 41 8d e8 f3 // {nr}, {ar} (nr^ks1, ar^ks2 )
TAG 05 49 e1 65 // {at} ( at^ks3 )
03 24 26 56 // wanna read block 0x04
TAG ac 69 ef 58 45 e1 c2 1d a9 47 a5 94 54 ef 5d c7 1e a9 // block 0x04 content
d4 3e a8 aa
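Review bot: the `{x}` brace notation is introduced in this hunk (`{nr}, {ar} (nr^ks1, ar^ks2 )`, `{at} ( at^ks3 )`) with only the parenthetical to define it; add a one-line legend above `Sample trace:` stating that `{x}` means `x` XORed with the keystream words `ks1`/`ks2`/`ks3`, so the later hunks that drop the parenthetical (`{nr}, {ar}` in the parity example) stay self-explanatory. The unchanged `TAG ed 12 9c 74 // 1st auth clear text nt` line could likewise read `nt (cleartext)` to make the contrast with the nested `{nt}` explicit.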
@ -35,8 +35,8 @@ TAG a3 76 dc df c1 42 e0 ee c6 75 a4 ca eb 0c da eb 46 a0 // 18 bytes = 16 byte
-------Until this line we can recover key or decrypt communication with no troubles (see mfkey64 tool)--------------------------------
TAG 52 6e af 8b // nested auth encrypted tag nonce that we don't know
8e 21 3a 29 a4 80 7e 02 // nr_enc = nr^ks1, ar_enc = ar^ks2
TAG b9 43 74 8d // at_enc = at^ks3
8e 21 3a 29 a4 80 7e 02 // {nr} = nr^ks1, {ar} = ar^ks2
TAG b9 43 74 8d // {at} = at^ks3
e2 25 f8 32 // probably next command (actually is read block cmd, but we don't know it yet)
TAG 1f 26 82 8d 12 21 dd 42 c2 84 3e d0 26 7f 6b 2a 81 a9 // probably data
ba 85 1d 36 // probably read cmd
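Review bot: the unchanged line `TAG 52 6e af 8b // nested auth encrypted tag nonce that we don't know` is the one value in this hunk that still escapes the new notation; since the commit uniformizes on braces, annotate it `{nt} (nested auth, encrypted tag nonce we don't know)` so the reader can map it directly onto the `<{nt}>` argument of the syntax line. Minor: `actually is read block cmd` on the `e2 25 f8 32` line reads better as `actually it is the read block cmd`.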
@ -54,7 +54,7 @@ Phase 1
Syntax:
`mf_nonce_brute <uid> <{nt}> <nt_par_err> <{nr}> <{ar}> <ar_par_err> <{at}> <at_par_err> [<{next_command}>]`
Example: if `nt` in trace is `8c! 42 e6! 4e!`, then `nt` is `8c42e64e` and `nt_par_err` is `1011`
Example: if `{nt}` in trace is `8c! 42 e6! 4e!`, then `{nt}` is `8c42e64e` and `nt_par_err` is `1011`
Example with parity (from this trace http://www.proxmark.org/forum/viewtopic.php?pid=550#p550) :
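Review bot: the rewritten example (`{nt}` in trace is `8c! 42 e6! 4e!` ... `nt_par_err` is `1011`) shows the mapping but never states the rule; spell out that `nt_par_err` has one bit per byte, left to right, with `1` for each byte flagged `!` (parity error), which is what turns `8c! 42 e6! 4e!` into `1011`. The same rule applies to `ar_par_err` and `at_par_err` from the syntax line and is worth saying once here. Also drop the stray space before the colon in `...pid=550#p550) :`.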
@ -66,13 +66,13 @@ Example with parity (from this trace http://www.proxmark.org/forum/viewtopic.php
+ 12313: 9 : 93 70 9c 59 9b 32 6c 6b 30
+ 64: 3 : TAG 08 b6 dd
+ 923318: 4 : 60 00 f5 7b AUTH Block 0
+ 112: 4 : TAG 82 a4 16 6c Nonce Tag (NT)
+ 6985: 8 : a1 e4! 58 ce! 6e ea! 41 e0! NR , AR
+ 64: 4 : TAG 5c! ad f4 39! AT
+ 112: 4 : TAG 82 a4 16 6c Nonce Tag (nt)
+ 6985: 8 : a1 e4! 58 ce! 6e ea! 41 e0! {nr}, {ar}
+ 64: 4 : TAG 5c! ad f4 39! {at}
+ 811513: 4 : 8e 0e! 5d! b9 AUTH Block 0 (nested)
+ 112: 4 : TAG 5a! 92 0d! 85! Nonce Tag (NT)
+ 6946: 8 : 98! d7 6b! 77 d6 c6 e8 70 NR , AR
+ 64: 4 : TAG ca 7e! 0b! 63! AT
+ 112: 4 : TAG 5a! 92 0d! 85! Nonce Tag ({nt})
+ 6946: 8 : 98! d7 6b! 77 d6 c6 e8 70 {nr}, {ar}
+ 64: 4 : TAG ca 7e! 0b! 63! {at}
+ 670868: 4 : 3e! 70 9c! 8a
+ 112: 4 : TAG 36! 41 24! 79
+ 9505: 8 : 1b! 8c 3a! 48! 83 5a 4a! 27
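Review bot: the tail of the trace (`3e! 70 9c! 8a`, `TAG 36! 41 24! 79`, `1b! 8c 3a! 48! 83 5a 4a! 27`) is left unannotated while the auth lines above it now carry `{nr}, {ar}` / `{at}`; `3e! 70 9c! 8a` is the value later passed as the encrypted next command (`3e709c8a`), so tag it `{next cmd}` here to match the syntax line's `[<{next_command}>]` and make the final example traceable back to the trace. The split into `Nonce Tag (nt)` for the cleartext first auth and `Nonce Tag ({nt})` for the encrypted nested auth is the right one.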
@ -87,7 +87,7 @@ Example with parity (from this trace http://www.proxmark.org/forum/viewtopic.php
```
./mf_nonce_brute 9c599b32 82a4166c 0000 a1e458ce 6eea41e0 0101 5cadf439 1001 8e0e5db9
| | | | | | | | |
+UID +nt_enc | +nr_enc +ar_enc | +at_enc | +encrypted next cmd
+UID +nt | +{nr} +{ar} | +{at} | +{next cmd}
+nt_par_err +at_par_err +at_par_err
```
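Review bot: the unchanged label row `+nt_par_err +at_par_err +at_par_err` names `at_par_err` twice; the middle marker sits under `0101`, which per the syntax `<{ar}> <ar_par_err>` is `ar_par_err`, so fix it to `+nt_par_err +ar_par_err +at_par_err` while touching this block. The new row also uses `+{next cmd}` whereas the syntax line calls the argument `{next_command}`; pick one spelling (the syntax line's, since that is what users type against) and check that the `|` guides on the row above still line up now that the labels shrank from `+nt_enc`/`+nr_enc`/`+ar_enc`/`+at_enc` to `+nt`/`+{nr}`/`+{ar}`/`+{at}`.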
@ -97,12 +97,12 @@ These two taken from above use the plaintext tagnonce `nt`=`82a4166c`, they sti
./mf_nonce_brute 9c599b32 82a4166c 0000 98d76b77 d6c6e870 0000 ca7e0b63 0111
```
This one uses the encrypted tagnonce `nt`=`5a920d85`, it finds a valid key.
This one uses the encrypted tagnonce `{nt}`=`5a920d85`, it finds a valid key.
```
./mf_nonce_brute 9c599b32 5a920d85 1011 98d76b77 d6c6e870 0000 ca7e0b63 0111
```
This one uses the encrypted tagnonce `nt`=`5a920d85` and the encrypted cmd `3e709c8a` to validate , it finds a valid key.
This one uses the encrypted tagnonce `{nt}`=`5a920d85` and the encrypted cmd `3e709c8a` to validate , it finds a valid key.
```
./mf_nonce_brute 9c599b32 5a920d85 1011 98d76b77 d6c6e870 0000 ca7e0b63 0111 3e709c8a
```
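Review bot: the two rewritten sentences still call `3e709c8a` "the encrypted cmd", while the syntax line and the annotated example name that argument `{next_command}` / `{next cmd}`; write it as `{next cmd}`=`3e709c8a`, mirroring `{nt}`=`5a920d85` in the same sentence, for the uniformity this commit applies elsewhere. Also remove the space before the comma in `to validate , it finds a valid key`.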