Mifare Classic Key Recovery tool - "Dark Side" Attack (Page 1 of 3)

The code seems for windows "only" at the moment.
Are you using the current (SVN) version of libnfc?

Hi *dudux,

Thanks for your interest in the sources. To answer shortly your questions:
1. For the sake of shortening the release time, the windows version of the .c files was released, i.e. it is a version is uses Sleep() function from windows.h. If you have MS Visual Studio 2005/2008, you can use it with vs-2005 solution of libnfc

2. It absolutely works on linux/cygwin + gcc - just remove the windows.h and use sleep() function from stdlib.h or keep both and do yourself a generic wrapper sleep function with #ifdef - plenty of options are available as you see, and there is no magic involved

3. In near future, the code will be improved and packaged properly - so it will compile smooth based on configuration of the compiler

4. Please do not get desperate at first compiling errors - search engines and forums are your friend - you are not a script-kiddie, are you?

Best of luck and shout your questions in case of troubles.

Thanks

Thank you very much for making this project zveriu.

It needs just a few minor tweaks I guess to make it running on all platforms, but it windows it seems to work fine
Though it is kind of confusing that it asks for a "key" and a "block", the block I understand, but the key is going to be recovered right?

My pleasure to contribute to the open source community - hopefully it will not be used in abusive/illegal manners though (relying on the users' thoughtful actions!)

Tweaks and improvements are on the way - just stay tuned for the toolkit to get it's spin and dices rolling

Actually the history behind is like this - the sample code used as basis for this project (which is a code provided by you roel - thanks) required key and block (the auth example).

However, given what the tool is supposed to do, it makes KEY the parameter useless (at most optional just to make a positive/negative test for authentication) as well as BLOCK parameter optional - if a block parameter is supplied, that block will be used in 60 xx AUTH command, otherwise a random/default block (eg. block 0) will be used.

And yes, even if the key parameter is required (though not needed - just pass some bogus 12 hex digits), the real key for some sector is being successfully recovered - exactly what the tool is supposed to do.

All - please let me know improvements and features wish-list and I will check what I can incorporate and improve to make it worth all the time spent on this

NOTE: the tool still have some minor bugs, to be improved on version 0.2, specifically some reported that this text comes in the logs and thus no key is recovered sometimes:

SUCCESS
Trying to recover the key
Press 1 to continue search of other keys...
Press anything else to exit...
At: 0d

Authentication Succesful

A quick-fix would be to find these lines of code and introduce the ones with comments below:

// If someone wonders why (i<(1<<20)) - this is the size of malloc() in lsfr_common_prefix(), so this is max number of states in the list
// List which is ZERO-terminated, i.e. both odd and even are zero when the list finishes
for (i=0; (state) && ((state+i)->odd != 0 || (state+i)->even != 0) && (i<(1<<20)); i++)
                {
                    current_state = state + i;
                    lfsr_rollback_word(current_state, uid ^ ptrFoundTagNonceEntry->tagNonce, 0);
                    crypto1_get_lfsr(current_state, &key_recovered);
                    printf("\nkey recovered: %012llx\n\n", key_recovered);
flag_key_recovered = 1; // ADD THIS LINE, ALSO DECLARE VARIABLE AHEAD
                }

crypto1_destroy(state);

// ADD THIS BLOCK
if (!flag_key_recovered)
{
printf("{Nr} is not a DEADBEEF.... Need to find BEEF ALIVE!... Trying next one...\n");
ptrFoundTagNonceEntry->spoofNrEnc++;
        ptrFoundTagNonceEntry->spoofArEnc = 0xFACECAFE;
        ptrFoundTagNonceEntry->spoofParBitsEnc = 0x0;

        // First we need to satisfy STAGE1
        ptrFoundTagNonceEntry->current_out_of_8 = -1;

return false;
}

Hi all,

Version 0.2 is there. Should be no issues with portability. If better portability options are there, please advise and I will incorporate, however I have defined a wrapping sleep(x) macro which gets to Sleep() on WIN32 and select() on __STDC__ compilers. Seems to work and compile fine on both MSVS2005 and Cygwin.

http://code.google.com/p/tk-libnfc-crap … loads/list

Also included the 0xDEADBEEF {Nr} variation in case the key is not recoverable for 0xDEADBEEF.

For me works fine on both Win and Cygwin. Some people reported to have compiled on MacOS without big issues. Version 0.2 should pose no problems with compilation.

Working towards improvements for v0.3

Stay tuned

Have a nice and productive-sleepless night

Regards,
zveriu - http://andreicostin.com

the code is working in windows.with cygwin and libnfc,but i want to use the code under linux
i am testing it under windows
However,i hope that version0.3 works with unix systems

Regards

Last edited by *dudux (2009-11-17 19:58:06)

Perfect! I will try it immediately.

Thanks to roel and zveriu for help

Regards

Connected to NFC reader: ACR122U102 - PN532 v1.4 (0x07)

root@ubuntu:~/Escritorio/zv_mf_dark_side# nfc-list
The following (NFC) ISO14443A tag was found:

    ATQA (SENS_RES): 00  04  
       UID (NFCID1): 95  3e  17  72  
      SAK (SEL_RES): 88  

Edit:Reason Stupid question ^^
INFO - 4-bit (uiRxLen=4) error code 0x5 encrypted (abtRx=0x02)

It works really good , thx for this tool.

Last edited by Likesmoke (2009-11-27 17:57:52)

i have the same error but in other sector

Approximately how long does it take for the MFCUK to recover a key for example with

-R 1

option?

Mine is calculating 20mins already... firstly I tried mfcuk -R 1, now it's running with mfcuk -R -1 .... still no result.

The keys are already known to me, i just want to test it.... did I do something wrong (forgot some argument on the command line) or is it because this card is especially "stubborn" ?