Research, development and trades concerning the powerful Proxmark3 device.
I'm hoping someone can help solve a few issues I'm having.
I'm trying to clone this MIFARE fob.
Original
pm3 --> hf sea u
UID : C5 17 EA 2E
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Prng detection: WEAK
Valid ISO14443-A Tag Found
Once I find all the keys and make a new clone:
Clone
pm3 --> hf sea u
UID : C5 17 EA 2E
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN 1a): YES
Prng detection: WEAK
Valid ISO14443-A Tag Found
The new clone doesn't work correctly though: the clone will open my front door but won't control my elevator. Looking at the two "hf sea u" scans closer, I noticed that the two SAK lines are different. So I decided to read sec 0 on each fob.
Original
isOk:01
data : C5 17 EA 2E 16 88 04 00 C8 47 00 20 00 00 00 15
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
Clone
isOk:01
data : C5 17 EA 2E 16 88 04 00 C8 47 00 20 00 00 00 15
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
To my surprise, both sector 0's are the same??? So I decided to manually write sec 0 to change the SAK.
"Manually changed UID Clone"
isOk:01
data : C5 17 EA 2E 16 08 04 00 C8 47 00 20 00 00 00 15
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
Edited Clone
UID : C5 17 EA 2E
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN 1a): YES
Prng detection: WEAK
Valid ISO14443-A Tag Found
The new edited clone still doesn't work :(
I decided to go through each sector on the clone and compare it to each sector on the original, and found that 4 sectors have differences in them. So I manually changed each sector so that all sectors are the same. I tried the fob again and now the cloned fob that I have heavily edited won't even open the front door.
So now I'm completely lost and don't know what to try next. Is anyone able to help point me in the right direction?
Proxmark3 RFID instrument
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-764-gd0b3f131 2018-03-28 13:00:26
os: iceman/master/ice_v3.1.0-764-gd0b3f131 2018-03-28 13:02:24
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 252237 bytes (48%) Free: 272051 bytes (52%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
Original Trace
https://ufile.io/1umfq
Cloned Trace
https://ufile.io/l0ld5
Highly Edited Trace
https://ufile.io/7lahf
Last edited by Charlie (2018-11-19 01:12:19)
Any suggestions??
What are the contents of the rest of the 15 sectors?
Are they exactly the same?
Maybe the reader is checking for magic cards. Could you try a once changeable Mifare card (uid can be changed once)?
Last edited by mazodude (2018-11-22 02:14:11)
The following sectors were different
Sec 5 Block 20
Sec 7 Block 30
Sec 9 Block 36
Sec 10 Block 40,41,42
What are the contents of the rest of the 15 sectors?
Are they exactly the same? Maybe the reader is checking for magic cards. Could you try a once changeable Mifare card (uid can be changed once)?
I was wondering about that but thought it would be weird for one reader (front door) to accept it and not another reader (elevator), which is why I thought the copying of the sectors must be the issue.
If all the card data is exactly the same then it must be the only option left.
If all the card data is exactly the same then it must be the only option left.
Any ideas why the 2 SAKs appear different when I do a "hf search u" but when I look at sec 0 on both they are the same?
We usually observe Byte 5 in Block 0 to be the SAK. But this is not specified and is not always the case.
The following sectors were different
Sec 5 Block 20
Sec 7 Block 30
Sec 9 Block 36
Sec 10 Block 40,41,42
Any reason these blocks would be different when making a duplicate?
I tried on a different fob and had issues with 2 blocks being different on that one too. None of the blocks that were incorrect on either fob were the same.
"00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF" <-- A key is missing,
Answers to magic commands (GEN 1a): YES <-- that's a gen1 magic card, try an undetectable magic card
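An added example, not code from the thread or from the Proxmark3 project: a small diagnostic over dump lines in the format the posts above paste, which reads block 0 (UID, BCC check, byte 5 taken as SAK, as the reply above notes is usual but not guaranteed), flags the all-zero Key A that NYcity25 points out in the trailer, and reports which block and sector differ between two dumps. The 1K block-to-sector mapping and the byte order of ATQA inside block 0 are assumptions.

```python
# Added example, not from the thread or the Proxmark3 project.
# Assumed block 0 layout: UID[4] BCC SAK ATQA[2] manufacturer[8]; byte 5 is
# "usually" the SAK but a genuine chip answers with its own SAK regardless.
# Assumed trailer layout: Key A[6] access bits[4] Key B[6].

def parse_line(line):
    """'data : C5 17 ...' or 'trailer: ...' -> 16 raw bytes."""
    return bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))

def parse_block0(block):
    uid = block[:4]
    return {
        "uid": uid.hex().upper(),
        # BCC is the XOR of the four UID bytes; a bad BCC means a broken block 0
        "bcc_ok": block[4] == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]),
        "sak": block[5],
        # assumption: the dump stores ATQA low byte first (04 00 for ATQA 00 04)
        "atqa": bytes([block[7], block[6]]).hex().upper(),
    }

def parse_trailer(block):
    return {
        "key_a": block[:6].hex().upper(),
        "access": block[6:10].hex().upper(),
        "key_b": block[10:].hex().upper(),
        "key_a_blank": block[:6] == bytes(6),  # all-zero Key A as seen in the thread
    }

def block_to_sector(block_no):
    """1K layout: 16 sectors of 4 blocks, so block 20 lies in sector 5."""
    return block_no // 4

def diff_dumps(a, b):
    """Block numbers (with sector) where two lists of 16-byte blocks differ."""
    return [(i, block_to_sector(i)) for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed sample: sector 0 of the original fob and of the "manually changed"
# clone as pasted in the thread; only byte 5 of block 0 differs (88 vs 08).
ORIGINAL = [parse_line(ln) for ln in [
    "data : C5 17 EA 2E 16 88 04 00 C8 47 00 20 00 00 00 15",
    "data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF",
]]
EDITED = [parse_line(ln) for ln in [
    "data : C5 17 EA 2E 16 08 04 00 C8 47 00 20 00 00 00 15",
    "data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF",
]]

if __name__ == "__main__":
    print(parse_block0(ORIGINAL[0]), parse_trailer(ORIGINAL[3]), diff_dumps(ORIGINAL, EDITED))
```

Run it over two full 64-block dumps to get the same "Sec 5 Block 20" style list the thread compiles by hand.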
As NYcity25 says,
Try a magic gen2 card, which doesn't use backdoor commands but enables block0 writing with normal commands.
or use a "write-once" card, which allows for writing to block0 once and afterwards fuses it, rendering it unable to modify block0 anymore.
So will I still be able to use the "cload" command with a "magic gen2" card or "write-once" card, or will I have to go through and write each sector manually?
what about "hf mf restore"
@Charlie: Is it resolved? Did you try to use a Gen 2 card?
As NYCity25 said:
Key A is probably missing?! Can you check if Key A is set to 000000000000 on original card?
And it's not unusual, that one terminal let you in and another doesn't work with the same card: depends on which sectors the terminals are reading from and which keys they use for authentication (can diff)
@Charlie: Is it resolved? Did you try to use a Gen 2 card?
No, I don't have a Gen 2 card. Need to look around and purchase some new cards.
No, I don't have a Gen 2 card. Need to look around and purchase some new cards.
If you can wait a few weeks, you can get small quantities of Gen2 cards for $1 or less from China. Search Aliexpress for 'CUID' (the Chinese to English translation for Gen2).
I've tried many different Gen1a cards from China through Aliexpress. With Gen1a cards I found some (not all) reply with a different SAK from the written SAK but it never made any difference to the TDi readers on my apartment block. My TDi readers seem to ignore SAK.
It's possible your reader employs countermeasures against Gen1 and/or Gen1a. I found a mixture of TDi reader firmwares on my apartment complex; most work with Gen1a cards but some send a Magic wipe command (which the 'a' of Gen1a is immune to because it ignores the wipe command), and some readers send the first part of a magic command and halt if a response is received (Gen1a is not immune to this; it fails).
The new clone doesn't work correctly though, the clone will open my front door but wont control my elevator.
This is usually the case that door is hf mf 1k, which you cloned correctly.
The elevators are lf hid, so you need to clone the lf 125k part of the fob, too!
Run an lf sea on your key?