
Incorrect work (looping in sector 33) with Mifare 4k cards #10

Open
masya-chel opened this issue Feb 14, 2022 · 4 comments

Comments


masya-chel commented Feb 14, 2022

The application works great with 1k or 2k cards.
It doesn't work correctly with 4k cards.
The 4k card consists of 32 sectors with a size of 64 bytes (4 blocks) and 8 sectors with a size of 256 bytes (16 blocks).
When the application is working with a 4k card, it successfully searches for keys in sectors 0-31 (the size of each sector is 64 bytes), but as soon as the key search reaches sector 32 (the sector size is 256 bytes), the key search gets stuck in sector 33. The key search will not go beyond sector 33. See the log below.

```
 600 | 33B |    1677 | (6. guess: Sum(a8) = 112)                               |     94903107584 | 14min   
 619 | 33B |    1677 | Apply Sum(a8) and all bytes bitflip properties          |     65121910784 | 10min  
 625 | 33B |    1677 | Brute force phase:  12.28%                              |     64877424640 | 10min  
 631 | 33B |    1677 | Brute force phase:  36.33%                              |     64398696448 | 10min  
 639 | 33B |    1677 | Brute force phase:  65.61%                              |     63815827456 | 10min  
 644 | 33B |    1677 | Brute force phase:  86.58%                              |     63398297600 | 10min  
 647 | 33B |    1677 | (7. guess: Sum(a8) = 120)                               |     86009774080 | 13min  
 659 | 33B |    1677 | Apply Sum(a8) and all bytes bitflip properties          |     49862168576 |  8min  
 679 | 33B |    1677 | Brute force phase:  25.35%                              |     49128714240 |  7min  
 688 | 33B |    1677 | Brute force phase completed. Key found: bbbbbbbbbb32    |               0 |    0s  

Checking for key reuse...
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]
[Key: ************] -> [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx///x///]

Sector 00 - Found Key A: aaaaaaaaaa00 Found Key B: bbbbbbbbbb00
Sector 01 - Found Key A: aaaaaaaaaa01 Found Key B: bbbbbbbbbb01
Sector 02 - Found Key A: aaaaaaaaaa02 Found Key B: bbbbbbbbbb02
Sector 03 - Found Key A: aaaaaaaaaa03 Found Key B: bbbbbbbbbb03
Sector 04 - Found Key A: aaaaaaaaaa04 Found Key B: bbbbbbbbbb04
Sector 05 - Found Key A: aaaaaaaaaa05 Found Key B: bbbbbbbbbb05
Sector 06 - Found Key A: aaaaaaaaaa06 Found Key B: bbbbbbbbbb06
Sector 07 - Found Key A: aaaaaaaaaa07 Found Key B: bbbbbbbbbb07
Sector 08 - Found Key A: aaaaaaaaaa08 Found Key B: bbbbbbbbbb08
Sector 09 - Found Key A: aaaaaaaaaa09 Found Key B: bbbbbbbbbb09
Sector 10 - Found Key A: aaaaaaaaaa10 Found Key B: bbbbbbbbbb10
Sector 11 - Found Key A: aaaaaaaaaa11 Found Key B: bbbbbbbbbb11
Sector 12 - Found Key A: aaaaaaaaaa12 Found Key B: bbbbbbbbbb12
Sector 13 - Found Key A: aaaaaaaaaa13 Found Key B: bbbbbbbbbb13
Sector 14 - Found Key A: aaaaaaaaaa14 Found Key B: bbbbbbbbbb14
Sector 15 - Found Key A: aaaaaaaaaa15 Found Key B: bbbbbbbbbb15
Sector 16 - Found Key A: aaaaaaaaaa16 Found Key B: bbbbbbbbbb16
Sector 17 - Found Key A: aaaaaaaaaa17 Found Key B: bbbbbbbbbb17
Sector 18 - Found Key A: aaaaaaaaaa18 Found Key B: bbbbbbbbbb18
Sector 19 - Found Key A: aaaaaaaaaa19 Found Key B: bbbbbbbbbb19
Sector 20 - Found Key A: aaaaaaaaaa20 Found Key B: bbbbbbbbbb20
Sector 21 - Found Key A: aaaaaaaaaa21 Found Key B: bbbbbbbbbb21
Sector 22 - Found Key A: aaaaaaaaaa22 Found Key B: bbbbbbbbbb22
Sector 23 - Found Key A: aaaaaaaaaa23 Found Key B: bbbbbbbbbb23
Sector 24 - Found Key A: aaaaaaaaaa24 Found Key B: bbbbbbbbbb24
Sector 25 - Found Key A: aaaaaaaaaa25 Found Key B: bbbbbbbbbb25
Sector 26 - Found Key A: aaaaaaaaaa26 Found Key B: bbbbbbbbbb26
Sector 27 - Found Key A: aaaaaaaaaa27 Found Key B: bbbbbbbbbb27
Sector 28 - Found Key A: aaaaaaaaaa28 Found Key B: bbbbbbbbbb28
Sector 29 - Found Key A: aaaaaaaaaa29 Found Key B: bbbbbbbbbb29
Sector 30 - Found Key A: aaaaaaaaaa30 Found Key B: bbbbbbbbbb30
Sector 31 - Found Key A: aaaaaaaaaa31 Found Key B: bbbbbbbbbb31
Sector 32 - Found Key A: aaaaaaaaaa32 Found Key B: bbbbbbbbbb32
Sector 33 - Found Key A: aaaaaaaaaa33 Unknown Key B
Sector 34 - Found Key A: aaaaaaaaaa34 Unknown Key B
Sector 35 - Found Key A: aaaaaaaaaa35 Unknown Key B
Sector 36 - Found Key A: aaaaaaaaaa36 Found Key B: bbbbbbbbbb32 <<< wrong!!!
Sector 37 - Found Key A: aaaaaaaaaa37 Unknown Key B
Sector 38 - Found Key A: aaaaaaaaaa38 Unknown Key B
Sector 39 - Found Key A: aaaaaaaaaa39 Unknown Key B

Using sector 36 as an exploit sector

Mode: d, Auth command: 60 cf 0e 45
fc 7f d0 c7
{Ar}: bb 9a! 07! 28! 54! 26 3c ed!
{At}: 52! 91 c8! b1
Authentication completed.

Nested Auth number: 0
{AuthEnc}: 28! d4 20 6b! 00! 01 00! 01
{AuthEnResp}: 3c! ec 61 27!
Card is not vulnerable to nested attack

Using SSE2 SIMD core.

time | trg | #nonces | Activity | expected to brute force
     |     |         |                                                         | #states         | time   
   0 | 33B |       0 | Start using 2 threads and SSE2 SIMD core                |                 |        
   0 | 33B |       0 | Brute force benchmark: 111 million (2^26.7) keys/s      | 140737488355328 |   15d  
   3 | 33B |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   15d  

Mode: h, Auth command: 60 c0 f9 bd
e9 05 ba 3d
{Ar}: 0c a8! 08 07! 79 6c! 1a! 6a!
{At}: 84! 4d be cd
Authentication completed.

   9 | 33B |       1 | Apply bit flip properties                               | 140737488355328 |   15d  

Mode: h, Auth command: 60 c0 f9 bd
ab 66 a5 c0
{Ar}: 48! 65! d7! 95! 02 ef! 4c 26!
{At}: 0b 26 b4! 6f
Authentication completed.

   9 | 33B |       2 | Apply bit flip properties                               | 140737488355328 |   15d  

Mode: h, Auth command: 60 c0 f9 bd
31 54 14 e3
{Ar}: 20 5b e3! 6c fd! 4d! ca! 2c!
{At}: 19! c9 53! 40!
Authentication completed.
```
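The report hinges on the MIFARE Classic 4K layout (32 sectors of 4 blocks, then 8 sectors of 16 blocks). The following is an added example, not code from this project or from the fix in #19: it implements the sector/block address arithmetic for that layout and, as a constructed illustration of the class of mistake that only shows up on 4K cards, places a naive "4 blocks per sector" mapping beside it; the function names are my own.

```python
# Added example: MIFARE Classic sector/block addressing for 1K, 2K and 4K
# cards. Sectors 0..31 have 4 blocks (64 bytes); on a 4K card sectors 32..39
# have 16 blocks (256 bytes). Every block is 16 bytes.

BLOCK_SIZE = 16
SMALL_SECTORS = 32     # sectors 0..31
SMALL_BLOCKS = 4       # blocks per small sector
LARGE_BLOCKS = 16      # blocks per large sector (4K only)
SMALL_SPAN = SMALL_SECTORS * SMALL_BLOCKS   # 128 blocks before sector 32


def sector_count(card_kb: int) -> int:
    """Sectors on a 1K, 2K or 4K card."""
    return {1: 16, 2: 32, 4: 40}[card_kb]


def blocks_in_sector(sector: int) -> int:
    return SMALL_BLOCKS if sector < SMALL_SECTORS else LARGE_BLOCKS


def first_block(sector: int) -> int:
    """Absolute number of the first block of a sector (layout-correct)."""
    if sector < SMALL_SECTORS:
        return sector * SMALL_BLOCKS
    return SMALL_SPAN + (sector - SMALL_SECTORS) * LARGE_BLOCKS


def trailer_block(sector: int) -> int:
    """The sector trailer (key A, access bits, key B) is the last block."""
    return first_block(sector) + blocks_in_sector(sector) - 1


def block_to_sector(block: int) -> int:
    if block < SMALL_SPAN:
        return block // SMALL_BLOCKS
    return SMALL_SECTORS + (block - SMALL_SPAN) // LARGE_BLOCKS


def sector_size_bytes(sector: int) -> int:
    return blocks_in_sector(sector) * BLOCK_SIZE


def naive_first_block(sector: int) -> int:
    """Constructed illustration: assumes every sector has 4 blocks."""
    return sector * SMALL_BLOCKS


def mismatched_sectors(card_kb: int) -> list:
    """Sectors whose naive address actually lands in a different sector."""
    return [s for s in range(sector_count(card_kb))
            if block_to_sector(naive_first_block(s)) != s]
```

On 1K and 2K cards the naive mapping agrees with the real layout for every sector, while on a 4K card it first diverges at sector 33, which is the point where the reported key search stalls.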

masya-chel changed the title from "Incorrect work (loop hangup) with Mifare 4k cards" to "Incorrect work (looping in sector 33) with Mifare 4k cards" on Feb 14, 2022

tavgar commented Jul 23, 2022

Exactly the same for me


tavgar commented Jul 23, 2022

Any tips on how you've solved it or with an alternative?

masya-chel (Author) commented

Unfortunately, I have not solved this problem

willem640 (Contributor) commented Jan 8, 2023

I (hope I) fixed this in #19; there was a small mistake in the code causing larger sectors not to work. Edit: so you can use my branch until the PR is accepted.
