:: TRACE
+ 50422: : 26
+ 64: 0: TAG 04 00
+ 944: : 93 20
+ 64: 0: TAG 9c 59 9b 32 6c
+ 1839: : 93 70 9c 59 9b 32 6c 6b 30
+ 64: 0: TAG 08 b6 dd
+ 3783: : 60 32 64 69
+ 113: 0: TAG 82 a4 16 6c
+ 1287: : a1 e4 58 ce 6e ea 41 e0
+ 64: 0: TAG 5c ad f4 39

:: Sample of trace above,
./mfkey64 9c599b32 82a4166c a1e458ce 6eea41e0 5cadf439

-----------------------------------------------------------------------------------------------------
:: For mfkey32, you want to get two different NR_0/NR_1 values.

:: <uid> <nt> <nr_0> <ar_0> <nr_1> <ar_1>
./mfkey32 52B0F519 5417D1F8 4D545EA7 E15AC8C2 DAC1A7F4 5AE5C37F

:: For mfkey32v2 (moebius), you want to get two different NT/NT1 values. (like in the SIM commands)

:: <uid> <nt> <nr_0> <ar_0> <nt1> <nr_1> <ar_1>
./mfkey32v2 12345678 1AD8DF2B 1D316024 620EF048 30D6CB07 C52077E2 837AC61A
./mfkey32v2 52B0F519 5417D1F8 4D545EA7 E15AC8C2 A1BA88C6 DAC1A7F4 5AE5C37F

:: for mfkey64, you want to have the AT response from tag.

:: <uid> <nt> <nr> <ar> <at>
./mfkey64 9C599B32 82A4166C A1E458CE 6EEA41E0 5CADF439
./mfkey64 52B0F519 5417D1F8 4D545EA7 E15AC8C2 5056E41B

-----------------------------------------------------------------------------------------------------
New functionality from @zhovner,
-----------------------------------------------------------------------------------------------------
### Communication decryption
RDR 26
TAG 04 00
RDR 93 20
TAG 14 57 9f 69 b5
RDR 93 70 14 57 9f 69 b5 2e 51
TAG 08 b6 dd
RDR 60 14 50 2d
TAG ce 84 42 61
RDR f8 04 9c cb 05 25 c8 4f
TAG 94 31 cc 40
RDR 70 93 df 99
TAG 99 72 42 8c e2 e8 52 3f 45 6b 99 c8 31 e7 69 dc ed 09
RDR 8c a6 82 7b
TAG ab 79 7f d3 69 e8 b9 3a 86 77 6b 40 da e3 ef 68 6e fd
RDR c3 c3 81 ba
TAG 49 e2 c9 de f4 86 8d 17 77 67 0e 58 4c 27 23 02 86 f4
RDR fb dc d7 c1
TAG 4a bd 96 4b 07 d3 56 3a a0 66 ed 0a 2e ac 7f 63 12 bf
RDR 9f 91 49 ea


./mfkey64 14579f69 ce844261 f8049ccb 0525c84f 9431cc40 7093df99 9972428ce2e8523f456b99c831e769dced09 8ca6827b ab797fd369e8b93a86776b40dae3ef686efd c3c381ba 49e2c9def4868d1777670e584c27230286f4 fbdcd7c1 4abd964b07d3563aa066ed0a2eac7f6312bf 9f9149ea

Recovering key for:
uid: 14579f69
nt: ce844261
{nr}: f8049ccb
{ar}: 0525c84f
{at}: 9431cc40
{enc0}: 7093df99
{enc1}: 9972428ce2e8523f456b99c831e769dced09
{enc2}: 8ca6827b
{enc3}: ab797fd369e8b93a86776b40dae3ef686efd
{enc4}: c3c381ba
{enc5}: 49e2c9def4868d1777670e584c27230286f4
{enc6}: fbdcd7c1
{enc7}: 4abd964b07d3563aa066ed0a2eac7f6312bf
{enc8}: 9f9149ea

LFSR succesors of the tag challenge:
nt': 76d4468d
nt'': d5f3c476

Keystream used to generate {ar} and {at}:
ks2: 73f18ec2
ks3: 41c20836

Decrypted communication:
{dec0}: 3014a7fe
{dec1}: c26935cfdb95c4b4a27a84b8217ae9e48217
{dec2}: 30152eef
{dec3}: 493167c536c30f8e220b09675687067d4b31
{dec4}: 3016b5dd
{dec5}: 493167c536c30f8e220b09675687067d4b31
{dec6}: 30173ccc
{dec7}: 0000000000007e178869000000000000c4f2
{dec8}: 61148834

Found Key: [091e639cb715]
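
The `nt'`, `nt''`, `ks2` and `ks3` lines of the mfkey64 output above follow directly from the sniffed handshake, because the MIFARE Classic tag nonce comes from a 16-bit LFSR whose successors anyone can compute. The sketch below is an added example, not part of the original file or of the proxmark3 source; the function names are this example's own, and the handshake values are the ones shown in the trace above.

```python
# Added example: reproduce nt', nt'', ks2 and ks3 from the sniffed values.

def _swap32(x):
    """Reverse the byte order of a 32-bit word."""
    return int.from_bytes(x.to_bytes(4, "big"), "little")

def prng_successor(nt, steps):
    """Advance the tag nonce generator by `steps` bits.

    Each new bit is the XOR of bits 16, 18, 19 and 21 of the byte-swapped
    32-bit window, so only 16 bits of state determine everything after.
    """
    x = _swap32(nt)
    for _ in range(steps):
        fb = ((x >> 16) ^ (x >> 18) ^ (x >> 19) ^ (x >> 21)) & 1
        x = (x >> 1) | (fb << 31)
    return _swap32(x)

def nonce_is_lfsr_output(nt):
    """True if the low 16 bits of nt are the LFSR continuation of the high 16."""
    return prng_successor(nt >> 16, 16) == nt

def handshake_keystream(nt, ar_enc, at_enc):
    """Derive the keystream words that encrypted {ar} and {at}.

    The reader answer is suc64(nt) and the tag answer is suc96(nt), both known
    plaintext, so XOR with the sniffed ciphertext exposes ks2 and ks3.
    """
    nt1 = prng_successor(nt, 64)
    nt2 = prng_successor(nt, 96)
    return {"nt'": nt1, "nt''": nt2, "ks2": ar_enc ^ nt1, "ks3": at_enc ^ nt2}

if __name__ == "__main__":
    # nt, {ar}, {at} taken from the "Communication decryption" trace above.
    nt, ar_enc, at_enc = 0xCE844261, 0x0525C84F, 0x9431CC40
    print("valid LFSR nonce:", nonce_is_lfsr_output(nt))
    for name, value in handshake_keystream(nt, ar_enc, at_enc).items():
        print(f"{name:>5}: {value:08x}")
```

The 64 bits of exposed keystream plus the weak nonce are what make the recovery shown above possible, which is why sectors protecting anything of value should not rely on Crypto-1 authentication.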