Cybergibbons 🚲🚲🚲
Dec 17, 2023, 23 tweets, 7 min read
I finally caved and bought a Flipper Zero.

Whilst it's useful, there's a fair few bits of it that aren't particularly well explained.

Let's start with the Mifare Classic reading!

What's it doing, and how is it doing it?
There are two dictionaries stored on the SD card in the device - both in /nfc/assets/

mf_classic_dict.nfc (built-in dictionary)
mf_classic_dict_user.nfc (user dictionary)
The built-in dictionary in the stock firmware has 1244 keys in it.

The built-in dictionary in XFW firmware has 3851 keys in it.

(not sure why the number shown differs on the device)
The stock one has the four "standard" Mifare keys right at the top.

I'd say 90% of cards will be caught by these four.

github.com/flipperdevices…
Oddly, XFW pushes the A0A1A2A3A4A5 and
D3F7D3F7D3F7 keys way down the list to rows 3474 and 3487.

These are the standard keys for Mifare Classic tags that store NDEF data (A0A1A2A3A4A5 for the MAD sector, D3F7D3F7D3F7 for the NDEF data sectors), which is very common! Not sure why they have been pushed down.
You can add your own keys into mf_classic_dict_user.nfc and it will be scanned before the other file.

By default this is empty - you store specific keys you have found in here.

You don't want to fill it with thousands of keys that won't work, because every one of them is tried before the built-in dictionary gets a turn.
If you do fill it up, FFFFFFFFFFFF and 000000000000 - which open nearly all cards - end up behind all that junk in the queue, for every sector that needs them.

The odd thing is there are loads of file packs drifting around with thousands of rows in the user dictionary - so you will spend a *lot* longer finding default keys.
An example is the file pack promoted in the very popular @TalkingSasquach "getting started" videos. This will massively slow down reading most cards.

github.com/skizzophrenic/…
Nearly all cards will be read with the default keys, but you will get ones that won't be.

A good example is this Premier Inn hotel card. The Flipper has found 29 of the 32 keys (16 sectors with a key A and a key B each), leaving one sector unreadable and one readable but not writable.

But what keys were actually found? The UI does not tell us.
We can use the debug logging over the USB cable.

Here we can see that key A for block 0 - the first block of sector 0 - was found to be A0A1A2A3A4A5.

It then goes through and tries the same key on every other sector on the card - it also works on block 8 (the first block of sector 2).
It keeps on going through and finds most of the keys.

It's a bit painful to keep an eye on serial logging though.

An upside of the Mifare format is that the keys are part of the data you read back: the last block of each sector (the sector trailer) holds key A, the access bits and key B. Key A is never readable from the card itself, so the key A in a dump is the one the reader authenticated with; key B reads back only if the access bits allow it.
Now, once it is done, we can save the Mifare card data to a file on the SD card and examine it.

First up, notice that the first four bytes of block 0 are the UID of the card, followed by the BCC (the XOR of those four bytes), the SAK and the ATQA; the rest is manufacturer data. You can never write to this block on a genuine card.
It can also tell us the keys and what we can do with them.

Block 3 contains the key A, access bits, and key B of Sector 0.

keyA = A0A1A2A3A4A5
keyB = 0D258FE90296
The access bits - 787788 - are a bit complex to explain concisely. The three bytes carry three condition bits (C1, C2, C3) for each of the four blocks in the sector, stored once and once inverted so the card can detect a corrupted trailer.

For this sector they decode as:
Block 0,1,2 (C1 C2 C3 = 1 0 0) - Read with Key A/B, Write with Key B, no increment/decrement.
Block 3 (sector trailer, C1 C2 C3 = 0 1 1) - Key B can write Key A, Key B and the access bits; Key A can only read the access bits. Neither key can read Key B.

(you can never write block 0 on a genuine Mifare card, or you could change the UID - the "magic" clone cards that do allow it are what make UID cloning possible).
That's a pretty standard config - a set of keys to read the data (e.g. door readers would do this) and set of keys to write the data (e.g. the programmer at the front desk).
Sector 1 is still locked - this is the one that we didn't find key A or B for!

It's likely this is used for access control. It's likely to be a different set of keys for each hotel.
And sector 2 - we only found key A, which allows us to read block 8,9,10 but not write.

These are all 00 anyway, so there is a chance this doesn't matter if cloning the card.
The sectors with both keys set to FFFFFFFFFFFF and the access bits set to FF0780 are in what is called "transport condition" - the factory default, C1 C2 C3 = 0 0 0 for the data blocks and 0 0 1 for the trailer. Key A can read and write everything, the trailer included, and key B is readable from the trailer; a genuine card will not honour memory access after authenticating with a readable key B, so in practice key A is the only key that matters here. These are the unused sectors.
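To make the decoding above mechanical, here is an added Python example (mine, not the thread's or the Flipper's code) that reads a Flipper-style Mifare Classic dump, splits each trailer's three access bytes into the C1/C2/C3 bits per block, checks the inverted copies, and reports the keys and effective permissions per sector, finishing with a per-sector tally. The dump embedded in it is constructed: the UID and data are made up, sector 0 reuses the A0A1A2A3A4A5 / 0D258FE90296 keys and the 787788 access bits quoted above, sector 1 was never opened, sector 2 has only key A, and sector 3 is in transport condition. The "Block N: ..." line format and "??" for unread bytes are assumptions about the Flipper save file, and the block 0 layout assumes a 4-byte UID.

```python
import re
from typing import Dict, List, Optional

# Access conditions from the NXP MF1S50 datasheet, indexed by (C1, C2, C3).
# Data blocks: (read, write, increment, decrement/transfer/restore)
DATA_ACCESS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# Sector trailer: (write key A, read access bits, write access bits, read key B,
# write key B). Key A is never readable in any configuration.
TRAILER_ACCESS = {
    (0, 0, 0): ("A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "A", "never", "A", "never"),
    (1, 0, 0): ("B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("A", "A", "A", "A", "A"),  # transport configuration
    (0, 1, 1): ("B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "A|B", "never", "never", "never"),
}
# Constructed dump, not a real card. Sector 0 reuses the thread's keys and 787788 bits;
# sector 1 unopened ("??" = unread byte, assumed notation); sector 2 key A only; sector 3 transport.
DUMP = """\
Block 0: DE AD BE EF 22 08 04 00 62 63 64 65 66 67 68 69
Block 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3: A0 A1 A2 A3 A4 A5 78 77 88 C1 0D 25 8F E9 02 96
Block 4: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 5: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 6: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 7: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 11: A0 A1 A2 A3 A4 A5 78 77 88 C1 00 00 00 00 00 00
Block 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 15: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
"""

def parse_dump(text: str) -> Dict[int, List[Optional[int]]]:
    """Collect 'Block N: xx xx ...' lines into {block_number: 16 bytes, None = unread}."""
    blocks = {}
    for m in re.finditer(r"^Block (\d+):\s*(.+?)\s*$", text, re.M):
        raw = m.group(2).split()
        if len(raw) != 16:
            raise ValueError(f"block {m.group(1)}: expected 16 bytes, got {len(raw)}")
        blocks[int(m.group(1))] = [None if b == "??" else int(b, 16) for b in raw]
    return blocks

def decode_access_bits(b6: int, b7: int, b8: int) -> Dict[int, tuple]:
    """Trailer bytes 6..8 -> {block_in_sector: (C1, C2, C3)}; raises on a corrupted trailer."""
    # Nibbles, high first: b6 = ~C2 ~C1, b7 = C1 ~C3, b8 = C3 C2; bit i belongs to block i.
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    if (b6 & 0xF) != (~c1 & 0xF) or (b6 >> 4) != (~c2 & 0xF) or (b7 & 0xF) != (~c3 & 0xF):
        raise ValueError("access bits fail their inverted-copy check")  # card would block the sector
    return {i: ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)}

def _hex(bs) -> Optional[str]:
    return None if any(b is None for b in bs) else "".join(f"{b:02X}" for b in bs)

def check_block0(blocks) -> dict:
    """Manufacturer block of a 4-byte-UID card: UID, BCC (XOR of the UID), SAK, ATQA."""
    b0 = blocks[0]
    return {"uid": _hex(b0[:4]), "bcc_ok": b0[0] ^ b0[1] ^ b0[2] ^ b0[3] == b0[4],
            "sak": b0[5], "atqa": _hex(b0[6:8])}

def describe_sector(blocks, sector: int) -> dict:
    """Keys and effective permissions of one 1K sector (sector n = blocks 4n..4n+3)."""
    first = sector * 4
    trailer = blocks[first + 3]
    if any(b is None for b in trailer[6:9]):
        return {"sector": sector, "status": "no key found", "key_a": None, "key_b": None}
    bits = decode_access_bits(*trailer[6:9])
    key_a, key_b = _hex(trailer[:6]), _hex(trailer[10:])
    # Key A never reads back from the card, so the dump holds the key the Flipper used.
    # Key B is real only if it was found or is readable; otherwise the card returned zeros.
    if TRAILER_ACCESS[bits[3]][3] == "never" and key_b == "000000000000":
        key_b = None
    transport = bits[3] == (0, 0, 1) and all(bits[i] == (0, 0, 0) for i in range(3))
    status = "transport condition" if transport else "both keys" if key_b else "key A only"
    return {"sector": sector, "status": status, "key_a": key_a, "key_b": key_b,
            "data_blocks": {first + i: DATA_ACCESS[bits[i]] for i in range(3)},
            "trailer": TRAILER_ACCESS[bits[3]]}

def summarise(blocks) -> Dict[str, int]:
    counts = {"transport condition": 0, "both keys": 0, "key A only": 0, "no key found": 0}
    for sector in sorted({b // 4 for b in blocks}):
        counts[describe_sector(blocks, sector)["status"]] += 1
    return counts

if __name__ == "__main__":
    card = parse_dump(DUMP)
    print(check_block0(card), *[describe_sector(card, s) for s in range(4)], summarise(card), sep="\n")
```

Point it at a real save file by replacing DUMP with the file's contents; a 4K card needs the sector-to-block mapping extended for its 16-block sectors. The "key B is zeros" heuristic is what lets the script tell sector 2 (key A only) from sector 0 (both keys) without any Flipper logging.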
So, a quick summary:
* 4 sectors in transport condition (unused)
* 10 sectors with non-default keys but in the XFW dictionary
* 1 sector where we didn't find key B so can't write
* 1 sector where we found neither key
But looking through the key dictionary of the Flipper, it looks like there is a lot of fluff there.

I'm probably going to trim mine right down so that it only contains the most useful keys, and then add ones to the user dictionary for specific situations.
The search strategy across the blocks seems quite sensible though - if the Flipper finds a key on a sector, it will then try it across all the sectors immediately to see if the same key is used across multiple.
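As an added example (not Flipper firmware code), the following Python models the search order described in this thread - user dictionary first, then the built-in one, and a key that opens one sector is immediately tried on every other sector - and counts authentication attempts for a constructed 1K card against an empty user dictionary versus one stuffed with 3000 useless keys. The card, the five-key stand-in for mf_classic_dict.nfc and the junk keys are all made up for the example; whether the Flipper retries a key it has already tried on a sector, and whether the reuse step covers both key A and key B, are not visible in the thread, so the model skips retries and tries both.

```python
from typing import Dict, List, Set, Tuple

Slot = Tuple[int, str]  # (sector, "A" or "B")

# Constructed 1K card: 14 sectors in transport condition, one NDEF-style sector
# using the keys from the thread, one sector whose keys are in no dictionary.
CARD: Dict[int, Tuple[str, str]] = {s: ("FFFFFFFFFFFF", "FFFFFFFFFFFF") for s in range(14)}
CARD[14] = ("A0A1A2A3A4A5", "0D258FE90296")
CARD[15] = ("112233445566", "665544332211")

# Stand-in for mf_classic_dict.nfc with the well-known keys at the top (made up, but in the stock spirit).
BUILTIN = ["FFFFFFFFFFFF", "A0A1A2A3A4A5", "D3F7D3F7D3F7", "000000000000", "0D258FE90296"]
# A bloated mf_classic_dict_user.nfc: 3000 keys that open nothing on this card.
JUNK_USER = [f"{i:012X}" for i in range(1, 3001)]


def key_order(user_dict: List[str], builtin_dict: List[str]) -> List[str]:
    """The user dictionary is tried before the built-in one; duplicates are dropped."""
    seen: Set[str] = set()
    order: List[str] = []
    for k in user_dict + builtin_dict:
        k = k.upper()
        if k not in seen:
            seen.add(k)
            order.append(k)
    return order


def dictionary_attack(card: Dict[int, Tuple[str, str]], keys: List[str]) -> Tuple[Dict[Slot, str], int]:
    """Return (found {slot: key}, number of authentication attempts).

    Sector by sector, key A then key B, walk the dictionary; when a key opens a
    slot, try it on every other still-open slot straight away (the key-reuse
    step). A (slot, key) pair is never retried (modelling assumption).
    """
    slots: List[Slot] = [(s, t) for s in sorted(card) for t in "AB"]
    found: Dict[Slot, str] = {}
    tried: Set[Tuple[Slot, str]] = set()
    attempts = 0

    def auth(slot: Slot, key: str) -> bool:
        nonlocal attempts
        attempts += 1  # one over-the-air authentication, the unit of cost here
        tried.add((slot, key))
        sector, ktype = slot
        return card[sector][0 if ktype == "A" else 1] == key

    for slot in slots:
        if slot in found:
            continue
        for key in keys:
            if (slot, key) in tried:
                continue
            if auth(slot, key):
                found[slot] = key
                for other in slots:  # key reuse across the rest of the card
                    if other not in found and (other, key) not in tried and auth(other, key):
                        found[other] = key
                break
    return found, attempts


def compare(card: Dict[int, Tuple[str, str]] = CARD) -> Dict[str, int]:
    """Attempts needed with an empty user dictionary versus the 3000-key one."""
    _, lean = dictionary_attack(card, key_order([], BUILTIN))
    _, bloated = dictionary_attack(card, key_order(JUNK_USER, BUILTIN))
    return {"empty_user_dict": lean, "bloated_user_dict": bloated}


if __name__ == "__main__":
    found, n = dictionary_attack(CARD, key_order([], BUILTIN))
    missing = [(s, t) for s in CARD for t in "AB" if (s, t) not in found]
    print(f"{len(found)}/{2 * len(CARD)} keys in {n} attempts; not found: {missing}")
    print(compare())
```

Both runs recover the same 30 of 32 keys, but the bloated user dictionary adds 3000 attempts for every sector/key slot that has to fall through to the dictionary loop (five slots on this card: the first one, the two non-default ones and the two it never opens), which is the slow-down described above. It also shows why the reuse step pays off: one hit on FFFFFFFFFFFF opens 27 further slots for 31 attempts.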
For those who care about the access bits:

blog.saltedbrain.org/2023/03/decodi…

And a calculator, for the other direction:

calc.gmss.ru/Mifare1k/
So, given that most Mifare cards use the default keys, and so many systems just use the UID anyway, I think the Flipper will be fairly successful at cloning access control cards.
