Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Issue: When executing the read sector with key type B, it returns Cmd Error: 04 isOk: 00. The read sector works on Side A without issues.
See below: sectors 3 and 4 output the error. When executing the read sectors (to all 15 sectors) on Side A I do not get the Cmd error.
Keep in mind I performed the hardnested and was able to obtain all the keys on both side A and B.
proxmark3> hf mf rdsc 0 B 0d258fe90296
--sector no:0 key type:B key:0d 25 8f e9 02 96
#db# READ SECTOR FINISHED
isOk:01
data : ad 77 86 ad f1 88 04 00 c8 33 00 20 00 00 00 17
data : 6f 01 51 90 51 90 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 78 77 88 c1 00 00 00 00 00 00
proxmark3> hf mf rdsc 1 B 85cb6eef7c70
--sector no:1 key type:B key:85 cb 6e ef 7c 70
#db# READ SECTOR FINISHED
isOk:01
data : 7a cc c0 e7 d3 ce 54 82 45 f3 44 64 2e f1 5f 7f
data : e1 00 51 8e 92 10 fd d2 d8 00 15 fe 3f 37 39 1b
data : 50 5d 7d 6c 05 80 ec 0f da c0 f9 f0 53 00 00 35
trailer: 00 00 00 00 00 00 78 77 88 04 00 00 00 00 00 00
proxmark3> hf mf rdsc 2 B 85cb6eef7c70
--sector no:2 key type:B key:85 cb 6e ef 7c 70
#db# READ SECTOR FINISHED
isOk:01
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 78 77 88 05 00 00 00 00 00 00
proxmark3> hf mf rdsc 3 B ffffffffffff <<<<<<--------------------------- Error
--sector no:3 key type:B key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read sector 3 block 0 error
#db# READ SECTOR FINISHED
isOk:00
proxmark3> hf mf rdsc 4 B ffffffffffff <<<<<<--------------------------- Error
--sector no:4 key type:B key:ff ff ff ff ff ff
#db# Cmd Error: 04
#db# Read sector 4 block 0 error
#db# READ SECTOR FINISHED
isOk:00
proxmark3> hf mf rdsc 5 B eeb420209d0c
--sector no:5 key type:B key:ee b4 20 20 9d 0c
Here is my hw ver and hw tune:
proxmark3> hw ver
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2018-07-23 05:17:00
os: /-suspect 2018-07-23 05:18:19
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 199763 bytes (76%). Free: 62381 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 45.24 V @ 125.00 kHz
# LF antenna: 22.41 V @ 134.00 kHz
# LF optimal: 45.24 V @ 125.00 kHz
# HF antenna: 25.66 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Offline
Here are the keys that I obtained via hardnested. Again, using these keys and reading sectors on side A works perfectly, but side B sectors 3, 4, 14 and 15 output the error.
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | 0d258fe90296 | 0 |
|001| a6c64e6cf2d0 | 0 | 85cb6eef7c70 | 0 |
|002| a0a1a2a3a4a5 | 1 | 85cb6eef7c70 | 0 |
|003| ffffffffffff | 1 | ffffffffffff | 1 | <---- key b hf mf rdsc returns CMD Error: 04
|004| ffffffffffff | 1 | ffffffffffff | 1 | <---- key b hf mf rdsc returns CMD Error: 04
|005| eeb420209d0c | 0 | eeb420209d0c | 0 |
|006| 911e52fd7ce4 | 0 | 911e52fd7ce4 | 0 |
|007| 752fbb5b7b45 | 0 | 752fbb5b7b45 | 0 |
|008| 66b03aca6ee9 | 0 | 66b03aca6ee9 | 0 |
|009| 48734389edc3 | 0 | 48734389edc3 | 0 |
|010| 17193709adf4 | 0 | 17193709adf4 | 0 |
|011| 1acc3189578c | 0 | 1acc3189578c | 0 |
|012| c2b7ec7d4eb1 | 0 | c2b7ec7d4eb1 | 0 |
|013| 369a4663acd2 | 0 | 369a4663acd2 | 0 |
|014| ffffffffffff | 1 | ffffffffffff | 1 | <---- key b hf mf rdsc returns CMD Error: 04
|015| ffffffffffff | 1 | ffffffffffff | 1 | <---- key b hf mf rdsc returns CMD Error: 04
|---|----------------|---|----------------|---|
Last edited by actionbias (2018-07-29 19:47:37)
Offline
There is no A and B "side" of each sector. Keys A and B can have different access rights assigned to them. Most probably Key B is not allowed to read one or all of the sector blocks. If you can read the sector trailer with key A, the Access Bits will tell you...
Offline
Thanks for the response.
I am able to get the sector trailer with key A. But I'm not sure what you mean by "the Access Bits will tell you". Can you clarify?
Also, I'm trying to duplicate this key fob is it simply writing all the blocks for both A and B keys?
For e.g.
hf mf wrbl 0 A a0a1a2a3a4a5 ad7786adf1880400c833002000000017
Offline
These are some very basic questions and I propose that you do some basic reading first.
The sector trailer consists of 6 Bytes Key A, 3 Bytes Access Bits, 1 User Byte, 6 Bytes Key B.
There are online Access Bits calculators (e.g. http://www.algoritmauzmani.com/hizmetle … aplama.php). Enter your 3 Bytes Access Bits and you will know what Key B is allowed to read and write.
Offline
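To make piwi's point concrete, here is a small decoder for the three access bytes. It is added to this thread as an example and is not code from the Proxmark3 client; the bit layout and the condition tables are the standard MIFARE Classic 1K ones. It is run on the access bytes 78 77 88 from the sector 0 trailer in the first post and, for comparison, on the transport configuration FF 07 80, which is a constructed input: the thread never shows the trailer of sector 3, so whether that sector is in transport configuration is an assumption. The decoder checks the inverted copies of the bits (a mismatch means a corrupt trailer) and flags the case where key B is readable, because by the data sheet rule a key B that can be read back is just data and the card will not accept it for authentication.

```python
"""Decode the 3 access-condition bytes of a MIFARE Classic sector trailer.

Added example, not code from the forum thread or the Proxmark3 project.
Bit layout and condition tables follow the public MIFARE Classic 1K data
sheet. "78 77 88" is the value shown in the thread's `hf mf rdsc 0 B`
output; "FF 07 80" is the well-known transport configuration, used here as
a constructed comparison (the thread does not show sector 3's trailer).
"""

# Data-block conditions indexed by (C1, C2, C3):
# (read, write, increment, decrement/transfer/restore)
DATA_BLOCK = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

# Sector-trailer conditions indexed by (C1, C2, C3):
# key A (read, write), access bits (read, write), key B (read, write)
TRAILER = {
    (0, 0, 0): (("never", "A"), ("A", "never"), ("A", "A")),
    (0, 1, 0): (("never", "never"), ("A", "never"), ("A", "never")),
    (1, 0, 0): (("never", "B"), ("A|B", "never"), ("never", "B")),
    (1, 1, 0): (("never", "never"), ("A|B", "never"), ("never", "never")),
    (0, 0, 1): (("never", "A"), ("A", "A"), ("A", "A")),
    (0, 1, 1): (("never", "B"), ("A|B", "B"), ("never", "B")),
    (1, 0, 1): (("never", "never"), ("A|B", "B"), ("never", "never")),
    (1, 1, 1): (("never", "never"), ("A|B", "never"), ("never", "never")),
}


def access_bits(b6, b7, b8):
    """Return [(C1, C2, C3)] for blocks 0..3 after checking the inverted copies.

    Byte 6 = ~C2[3..0] | ~C1[3..0], byte 7 = C1[3..0] | ~C3[3..0],
    byte 8 = C3[3..0] | C2[3..0]; bit i of each nibble belongs to block i.
    """
    c1 = b7 >> 4
    c2 = b8 & 0x0F
    c3 = b8 >> 4
    # Each group is stored twice, once inverted; a mismatch means the
    # trailer is corrupt and a real card refuses further access to the sector.
    if ((b6 >> 4) != (~c2 & 0x0F) or (b6 & 0x0F) != (~c1 & 0x0F)
            or (b7 & 0x0F) != (~c3 & 0x0F)):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def decode_trailer(access_hex):
    """Map the 3 access bytes (hex string, spaces allowed) to per-block rights."""
    b6, b7, b8 = bytes.fromhex(access_hex.replace(" ", ""))
    bits = access_bits(b6, b7, b8)
    out = {}
    for blk in range(3):
        rd, wr, inc, dec = DATA_BLOCK[bits[blk]]
        out[blk] = {"read": rd, "write": wr, "increment": inc, "decrement": dec}
    (ka_r, ka_w), (ac_r, ac_w), (kb_r, kb_w) = TRAILER[bits[3]]
    out[3] = {
        "keyA": (ka_r, ka_w),
        "access": (ac_r, ac_w),
        "keyB": (kb_r, kb_w),
        # A key B that can be read back is just data: the card will not
        # accept it for authentication, whatever value it holds.
        "keyB_usable_for_auth": kb_r == "never",
    }
    return out


def key_b_can_read(access_hex, block):
    """True when key B both authenticates and may read the given data block."""
    d = decode_trailer(access_hex)
    return d[3]["keyB_usable_for_auth"] and d[block]["read"] in ("B", "A|B")


if __name__ == "__main__":
    for label, acc in (("sector 0 (from the thread)", "78 77 88"),
                       ("transport config (constructed)", "FF 07 80")):
        d = decode_trailer(acc)
        print(label, "| block 0 read:", d[0]["read"],
              "| key B usable for auth:", d[3]["keyB_usable_for_auth"])
```

key_b_can_read tells you, before you try, whether hf mf rdsc with key type B can be expected to return a block. If both keys of a sector are the default ffffffffffff and the trailer is still in transport configuration, key A reads fine while key B is rejected at authentication, which is a plausible reading of the first post's error; confirming it needs the sector 3 trailer, which the thread does not show.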
Now that I have all 63 blocks of data from the keys (type A) that I found via hardnested, do I simply write all 63 blocks?
hf mf wrbl 0 A ffffffffffff fd26894614880400c842002000000016
hf mf wrbl 1 A ffffffffffff 0f0003e103e103e103e103e103e103e1
hf mf wrbl 2 A ffffffffffff 03e103e103e103e103e103e103e103e1
.
.
.
All the way down to block 63?
Offline
In general, yes. But
There are 64 blocks instead of 63
Block 0 is write protected on standard cards
You need to modify the sector trailers to contain the A and B keys (they are shown as 00 when you read the block)
and last but not least: there is an easier way. Have a look at the dump and restore commands.
Offline
Thanks piwi.
When I run the
hf mf dump
I notice errors and authentication issues.
Is there a way to dump/restore/script with hardnested keys?
My workaround is manually reading all the sectors (hf mf rdsc) and with notepad delete all the information except for the block data.
Then save the file as x.eml and execute
hf mf cload x.eml
Last edited by actionbias (2018-08-03 19:23:46)
Offline
hf mf dump needs a file dumpkeys.bin. It must contain the 16 A keys followed by the 16 B keys in binary (i.e. it has the size of 16 * 2 * 6 = 192 bytes). Unfortunately there is currently no way to create it from the hf mf hardnested command. You may create it with a hex editor though.
Your way with the eml file should work as well.
Offline
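Since the thread mentions the dumpkeys.bin layout and the hex editing of trailers but leaves the mechanics to the reader, the following script does both. It is added here as an example and is not part of the Proxmark3 project: it parses the key table hardnested printed above, writes dumpkeys.bin in the order piwi describes (16 key A entries, then 16 key B entries, 6 bytes each, 192 bytes), and writes the keys into the trailer blocks of an .eml dump, where hf mf rdsc shows them as 00, so the file is complete before cload. The file layout is taken from piwi's post; the sample table and .eml blocks are constructed from the sector 0-2 values in the thread, and sectors missing from the table are filled with the default key, which is an assumption of this script, not something the thread states.

```python
"""Build dumpkeys.bin from a hardnested key table and put the keys back into the
sector trailers of an .eml dump.

Added example, not code from the thread or the Proxmark3 project. The assumed
dumpkeys.bin layout is the one piwi gives: 16 key A entries then 16 key B
entries, 6 bytes each, 192 bytes in total. The key-table text and the .eml
blocks below are constructed samples in the formats the thread shows, with
values taken from its sector 0-2 output; sectors 3-15 are left out of the
sample and are filled with the default key.
"""
import re

SECTORS_1K = 16
DEFAULT_KEY = bytes.fromhex("ffffffffffff")

# One row of the printed key table: |sec| key A |res| key B |res|
KEY_ROW = re.compile(
    r"\|\s*(\d{3})\s*\|\s*([0-9a-fA-F]{12})\s*\|\s*\d\s*\|\s*([0-9a-fA-F]{12})\s*\|"
)

SAMPLE_TABLE = """\
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | 0d258fe90296 | 0 |
|001| a6c64e6cf2d0 | 0 | 85cb6eef7c70 | 0 |
|002| a0a1a2a3a4a5 | 1 | 85cb6eef7c70 | 0 |
"""

# Three sectors as read back with hf mf rdsc: the trailer keys come back as 00.
SAMPLE_EML = [
    "ad7786adf1880400c833002000000017",
    "6f015190519000000000000000000000",
    "00000000000000000000000000000000",
    "000000000000787788c1000000000000",
    "7accc0e7d3ce548245f344642ef15f7f",
    "e100518e9210fdd2d80015fe3f37391b",
    "505d7d6c0580ec0fdac0f9f053000035",
    "00000000000078778804000000000000",
    "00000000000000000000000000000000",
    "00000000000000000000000000000000",
    "00000000000000000000000000000000",
    "00000000000078778805000000000000",
]


def parse_key_table(text):
    """Return {sector: (key_a, key_b)} as bytes from the printed key table."""
    keys = {}
    for line in text.splitlines():
        m = KEY_ROW.search(line)
        if m:
            keys[int(m.group(1))] = (bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3)))
    return keys


def build_dumpkeys(keys, sectors=SECTORS_1K):
    """Serialize keys in dumpkeys.bin order: every key A, then every key B.

    A sector missing from the table gets the default key so the offsets of
    the other sectors stay correct; hf mf dump will then fail only there."""
    key_a = b"".join(keys.get(s, (DEFAULT_KEY, DEFAULT_KEY))[0] for s in range(sectors))
    key_b = b"".join(keys.get(s, (DEFAULT_KEY, DEFAULT_KEY))[1] for s in range(sectors))
    return key_a + key_b


def patch_eml_trailers(eml_lines, keys):
    """Return .eml lines with key A / key B written into every sector trailer.

    An .eml file holds one 16-byte block per line as 32 hex digits. Every
    fourth block is a trailer: bytes 0-5 key A, 6-9 access bits and user
    byte, 10-15 key B. Only the key fields are replaced, so the access bits
    read from the card are kept exactly as they were."""
    out = []
    for i, line in enumerate(eml_lines):
        blk = bytes.fromhex(line.strip())
        if len(blk) != 16:
            raise ValueError(f"block {i}: expected 16 bytes, got {len(blk)}")
        if i % 4 == 3:
            key_a, key_b = keys.get(i // 4, (DEFAULT_KEY, DEFAULT_KEY))
            blk = key_a + blk[6:10] + key_b
        out.append(blk.hex())
    return out


if __name__ == "__main__":
    keys = parse_key_table(SAMPLE_TABLE)
    with open("dumpkeys.bin", "wb") as f:
        f.write(build_dumpkeys(keys))
    with open("x.eml", "w") as f:
        f.write("\n".join(patch_eml_trailers(SAMPLE_EML, keys)) + "\n")
```

With the full 16-row table from the thread pasted into SAMPLE_TABLE and the 64 rdsc blocks into SAMPLE_EML, the two output files are the dumpkeys.bin that hf mf dump wants and the x.eml that hf mf cload takes; keep the access bytes untouched, since a trailer written with inconsistent access bits locks the sector for good.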
Appreciate it piwi!
Offline
Bad news. Tested the key fob and it didn't work.
- I took all the 64 block data copied it into a .eml file
- Ran the cload .eml file
- Got the outputs below
The key fob is the grey schlage key fob.
Original Key Fob
proxmark3> hf sea u
UID : fd 26 89 46
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDENED (hardnested)
Valid ISO14443A Tag Found - Quiting Search
Cloned Copy
proxmark3> hf sea u
UID : fd 26 89 46
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
Offline
After doing some soul searching I was able to figure it out.
Scripts and hex editing did the trick.
Last edited by actionbias (2018-08-07 21:09:30)
Offline
@actionbias, I have a gray Schlage key fob, and I HID-cloned it successfully, but the clones won't open the door. How did you discover the RFID type, and what steps do you take to clone a MIFARE if indeed mine's also a MIFARE?
lf search yields "Valid HID Prox ID Found!" so I thought I was done. Maybe it's a MIFARE though???
Offline
Bro, would you mind sharing how you were able to hardnested it when you have a sector key? Because when I do a hardnested with the keys I got from using hf mf chk, they could not authenticate, as the hardnested uses blocks and not sectors. So I'm quite confused on how to get the block keys using the sector keys.
Offline