Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2019-12-08 22:08:31

pclever
Contributor
Registered: 2018-07-15
Posts: 9

[Solved HF/LF] Schlage 9691T

Hello,
I have been attempting to clone a Schlage 9691T fob and I am having a difficult time getting it to work.

I read this post which had a lot of useful information about the fob.
This fob has both a LF and HF tag in it. Cloning the LF tag was easy, cloning HF is proving to be more difficult.

This is what the fob and reader look like:
[image: the fob and the door reader]


Steps Taken to Attempt Cloning

NOTE: I have modified the UID slightly to prevent uploading the info to the internet.

  1. My pm3 indicates the Schlage 9691T is a Mifare Classic tag

    [usb] pm3 --> hf search
    [=] Checking for known tags...
    
    [\] Searching for ISO14443-A tag... UID : 32 29 6E 65
    ATQA : 00 04
     SAK : 08 [2]
    TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
    [=] proprietary non iso14443-4 card found, RATS not supported
    [+] Prng detection: HARD
    
    [+] Valid ISO14443-A tag  found
  2. I checked that the UID changeable card (magic Chinese card) is the same type:

    [usb] pm3 --> hf search
    [=] Checking for known tags...
    
    [\] Searching for ISO14443-A tag... UID : 08 90 D2 3C
    ATQA : 00 04
     SAK : 08 [2]
    TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
    [=] proprietary non iso14443-4 card found, RATS not supported
    [+] Magic capabilities : Gen 1a
    [+] Prng detection: WEAK
    
    [+] Valid ISO14443-A tag  found
  3. I read the Schlage 9691T data:

    [usb] pm3 --> hf mf rdsc 0 a ffffffffffff
    --sector no:0 key type:A key:FF FF FF FF FF FF
    
    isOk:01
    data   : 32 29 6E 65 12 88 04 00 C8 18 00 20 00 00 00 18
    data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
    Trailer decoded:
    Access block 0: rdAB wrAB incAB dectrAB
    Access block 1: rdAB wrAB incAB dectrAB
    Access block 2: rdAB wrAB incAB dectrAB
    Access block 3: wrAbyA rdCbyA wrCbyA rdBbyA wrBbyA
    UserData: 69
  4. Then I attempted to clone it to the magic Chinese card:

    hf mf csetblk 0 32296E6512880400C818002000000018
  5. The magic Chinese card now has identical sector data:

    [usb] pm3 --> hf mf rdsc 0 a ffffffffffff
    --sector no:0 key type:A key:FF FF FF FF FF FF
    
    isOk:01
    data   : 32 29 6E 65 12 88 04 00 C8 18 00 20 00 00 00 18
    data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
    Trailer decoded:
    Access block 0: rdAB wrAB incAB dectrAB
    Access block 1: rdAB wrAB incAB dectrAB
    Access block 2: rdAB wrAB incAB dectrAB
    Access block 3: wrAbyA rdCbyA wrCbyA rdBbyA wrBbyA
    UserData: 69
The Issue

Even though I believe I have successfully cloned the HF tag the door reader doesn't unlock or even make a beep/LED blink with the new card.

My theory is that the HF chip is for unlocking the door and the LF tag is for getting into the building.
I tested the LF tag I cloned on facility doors and it worked like a charm.

I then was wondering if the door reader required both HF and LF tags to open. I tested that with my 2 cloned cards stacked on each other and it still didn't work.

Does anyone have any ideas for additional things I can try?

Last edited by pclever (2019-12-10 01:24:06)


#2 2019-12-09 03:11:39

pclever
Contributor
Registered: 2018-07-15
Posts: 9

Re: [Solved HF/LF] Schlage 9691T

I am still a beginner with all this proxmark stuff but I just tried a few new things and I think I made some progress.
Please let me know if I am on the right track...


Commands

hf mf chk *1 ? d mfc_default_keys

[usb] pm3 --> hf mf chk *1 ? d mfc_default_keys
[+] Loaded 865 keys from mfc_default_keys
...
[+] Time in checkkeys: 434 seconds

[=] testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ------------  | 0 |  ------------  | 0 |
|002|  ------------  | 0 |  ------------  | 0 |
|003|  ------------  | 0 |  ------------  | 0 |
|004|  ------------  | 0 |  ------------  | 0 |
|005|  ------------  | 0 |  ------------  | 0 |
|006|  ------------  | 0 |  ------------  | 0 |
|007|  ------------  | 0 |  ------------  | 0 |
|008|  ------------  | 0 |  ------------  | 0 |
|009|  ------------  | 0 |  ------------  | 0 |
|010|  ------------  | 0 |  ------------  | 0 |
|011|  ------------  | 0 |  ------------  | 0 |
|012|  ------------  | 0 |  ------------  | 0 |
|013|  ------------  | 0 |  ------------  | 0 |
|014|  ------------  | 0 |  ------------  | 0 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
[+] Printing keys to binary file hf-mf-32296E65-key.bin ...
[+] Found keys have been dumped to hf-mf-32296E65-key.bin  --> 0xffffffffffff has been inserted for unknown keys.

hf mf dump 1

[usb] pm3 --> hf mf dump 1
[=] Reading sector access bits...
..#db# Can't select card
[-] could not read block  0 of sector 14
[+] successfully read block  0 of sector 15.
[+] successfully read block  1 of sector 15.
[+] successfully read block  2 of sector 15.
[+] successfully read block  3 of sector 15.
[+] time: 63 seconds


[+] Succeeded in dumping all blocks

[+] saved 1024 bytes to binary file hf-mf-32296E65-data.bin
[+] saved 64 blocks to text file hf-mf-32296E65-data.eml
[+] saved to json file hf-mf-32296E65-data.json

hf mf cload hf-mf-32296E65-data

[usb] pm3 --> hf mf cload hf-mf-32296E65-data
[+] loaded 1024 bytes from text file hf-mf-32296E65-data.eml
[=] Copying to magic card
................................................................

[+] Card loaded 64 blocks from file
[usb] pm3 --> hf mf cload hf-mf-32296E65-data
[+] loaded 1024 bytes from text file hf-mf-32296E65-data.eml
[=] Copying to magic card
................................................................

[+] Card loaded 64 blocks from file
Result

Still doesn't work...
I was not entirely sure what happened during the check keys command but it appeared to be something similar to a rainbow table attack.
It looked to be successful (on sector 0 at least) and wrote data to the keys file.

After writing to the magic Chinese card again, "hf mf rdsc 0 a ffffffffffff" returned the same data (that's good, I think).

Can anyone tell me if I messed something up or if I am doing something wrong?


#3 2019-12-09 10:02:50

JohnDoePM
Contributor
Registered: 2018-07-08
Posts: 49

Re: [Solved HF/LF] Schlage 9691T

pclever wrote:

[-] could not read block  0 of sector 14

I experienced that entrance access cards/systems need exact clones, i.e. all sectors/blocks have to be identical.
Seems that at least one block of your source card can't be read.
Try the hardnested command for that one and see what you get.


#4 2019-12-09 23:25:14

pclever
Contributor
Registered: 2018-07-15
Posts: 9

Re: [Solved HF/LF] Schlage 9691T

So I ran "hf mf hardnested 0 A FFFFFFFFFFFF 4 A" and it returned a key!

[usb] pm3 --> hf mf hardnested 0 A FFFFFFFFFFFF 4 A
--target block no:  4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
[+] Using AVX2 SIMD core.



 time    | #nonces | Activity                                                | expected to brute force
         |         |                                                         | #states         | time
------------------------------------------------------------------------------------------------------
       0 |       0 | Start using 4 threads and AVX2 SIMD core                |                 |
       0 |       0 | Brute force benchmark: 497 million (2^28.9) keys/s      | 140737488355328 |    3d
       1 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    3d
       6 |     112 | Apply bit flip properties                               |     32624326656 |   66s
       7 |     223 | Apply bit flip properties                               |      8446125568 |   17s
       8 |     334 | Apply bit flip properties                               |      6189602304 |   12s
       9 |     445 | Apply bit flip properties                               |      4885248000 |   10s
      10 |     557 | Apply bit flip properties                               |      4885248000 |   10s
      11 |     668 | Apply bit flip properties                               |      4637494784 |    9s
      12 |     777 | Apply bit flip properties                               |      4492251136 |    9s
      13 |     889 | Apply bit flip properties                               |      4349389312 |    9s
      13 |     999 | Apply bit flip properties                               |      4349389312 |    9s
      14 |    1111 | Apply bit flip properties                               |      4349389312 |    9s
      17 |    1221 | Apply Sum property. Sum(a0) = 128                       |       448853856 |    1s
      17 |    1332 | Apply bit flip properties                               |       378045376 |    1s
      18 |    1441 | Apply bit flip properties                               |       378045376 |    1s
      19 |    1552 | Apply bit flip properties                               |       378045376 |    1s
      19 |    1552 | (Ignoring Sum(a8) properties)                           |       378045376 |    1s
      22 |    1552 | Brute force phase completed. Key found: ef1232ab18a0    |               0 |    0s

I then ran the same command with blocks 1,2,3 and they returned the same key.
Next I tried to check the key and it only seemed to show up in one sector...


[usb] pm3 --> hf mf chk *1 ? ef1232ab18a0
[ 0] key EF 12 32 AB 18 A0
................................
[+] Time in checkkeys: 6 seconds

[=] testing to read key B...
Reading block 7
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ------------  | 0 |  ------------  | 0 |
|001|  ef1232ab18a0  | 1 |  ------------  | 0 |
|002|  ------------  | 0 |  ------------  | 0 |
|003|  ------------  | 0 |  ------------  | 0 |
|004|  ------------  | 0 |  ------------  | 0 |
|005|  ------------  | 0 |  ------------  | 0 |
|006|  ------------  | 0 |  ------------  | 0 |
|007|  ------------  | 0 |  ------------  | 0 |
|008|  ------------  | 0 |  ------------  | 0 |
|009|  ------------  | 0 |  ------------  | 0 |
|010|  ------------  | 0 |  ------------  | 0 |
|011|  ------------  | 0 |  ------------  | 0 |
|012|  ------------  | 0 |  ------------  | 0 |
|013|  ------------  | 0 |  ------------  | 0 |
|014|  ------------  | 0 |  ------------  | 0 |
|015|  ------------  | 0 |  ------------  | 0 |
|---|----------------|---|----------------|---|

Since I am new to this I next thought to try to read the card again with the key:

[usb] pm3 --> hf mf rdsc 0 a ef1232ab18a0
--sector no:0 key type:A key:EF 12 32 AB 18 A0

#db# Auth error
isOk:00
[usb] pm3 --> hf mf rdsc 1 a ef1232ab18a0
--sector no:1 key type:A key:EF 12 32 AB 18 A0

isOk:01
data   : 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 04 9A 16 6F
data   : F2 00 00 00 00 77 00 00 00 00 00 00 28 71 1A 41
trailer: 00 00 00 00 00 00 F0 FF 00 00 00 00 00 00 00 00
Trailer decoded:
Access block 4: rdAB wrB
Access block 5: rdAB wrB
Access block 6: rdAB wrB
Access block 7: wrAbyB rdCbyAB wrBbyB
UserData: 00
[usb] pm3 --> hf mf rdsc 2 a ef1232ab18a0
--sector no:0 key type:A key:EF 12 32 AB 18 A0

#db# Auth error
isOk:00
[usb] pm3 --> hf mf rdsc 3 a ef1232ab18a0
--sector no:0 key type:A key:EF 12 32 AB 18 A0

#db# Auth error
isOk:00

Am I doing this right? And if so can someone let me know ideas on what to try next?
I don't see any commands that let me pass in a key value and write data to the magic Chinese card, and I am a little confused about whether there is even more data on the fob I need to extract.

Thanks!
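The "Trailer decoded" lines in the rdsc output above (sector 0 with access bytes FF 07 80, sector 1 with F0 FF 00) come from the three access bytes of each sector trailer. Here is an added example, not from the thread or the Proxmark3 client, that decodes them into the same notation and first checks the inverted copies, which is what protects a genuine card from being bricked by a bad trailer write:

```python
# Added example (not from the thread or the Proxmark3 client): decode the three
# access bytes of a MIFARE Classic sector trailer into the "rdAB wrB ..." notation
# pm3 prints, checking the redundant inverted copies first.

# Access conditions indexed by the 3-bit value C1 C2 C3 (MIFARE Classic datasheet).
DATA_BLOCK = {
    0b000: "rdAB wrAB incAB dectrAB",
    0b001: "rdAB dectrAB",
    0b010: "rdAB",
    0b011: "rdB wrB",
    0b100: "rdAB wrB",
    0b101: "rdB",
    0b110: "rdAB wrB incB dectrAB",
    0b111: "(no access)",
}
TRAILER_BLOCK = {
    0b000: "wrAbyA rdCbyA rdBbyA wrBbyA",
    0b001: "wrAbyA rdCbyA wrCbyA rdBbyA wrBbyA",
    0b010: "rdCbyA rdBbyA",
    0b011: "wrAbyB rdCbyAB wrCbyB wrBbyB",
    0b100: "wrAbyB rdCbyAB wrBbyB",
    0b101: "rdCbyAB wrCbyB",
    0b110: "rdCbyAB",
    0b111: "rdCbyAB",
}

def decode_trailer(trailer_hex: str) -> dict:
    """Decode a 16-byte sector trailer given as hex (spaces allowed)."""
    trailer = bytes.fromhex(trailer_hex.replace(" ", ""))
    if len(trailer) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    # byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2 (high nibble first)
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Each nibble is stored twice, once inverted. A mismatch is how a sector gets
    # bricked on a genuine card, so refuse to interpret it.
    if (b6 & 0x0F, b6 >> 4, b7 & 0x0F) != (~c1 & 0x0F, ~c2 & 0x0F, ~c3 & 0x0F):
        raise ValueError("access bytes inconsistent: inverted copies do not match")
    result = {}
    for blk in range(4):  # bit n of each nibble belongs to block n of the sector
        bits = ((c1 >> blk) & 1) << 2 | ((c2 >> blk) & 1) << 1 | ((c3 >> blk) & 1)
        result[blk] = (TRAILER_BLOCK if blk == 3 else DATA_BLOCK)[bits]
    result["user_byte"] = trailer[9]
    return result

# Trailers from the dumps in this thread: sector 0 (FF 07 80, the factory default)
# and sector 1 (F0 FF 00: data readable with A or B, writable only with key B).
SECTOR0 = "00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF"
SECTOR1 = "00 00 00 00 00 00 F0 FF 00 00 00 00 00 00 00 00"
```

Running `decode_trailer(SECTOR1)` reproduces the "rdAB wrB" / "wrAbyB rdCbyAB wrBbyB" lines from the sector 1 read, which also explains why key A alone could not rewrite that sector.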


#5 2019-12-09 23:40:31

pclever
Contributor
Registered: 2018-07-15
Posts: 9

Re: [Solved HF/LF] Schlage 9691T

I also just noticed a 12 digit string on the back of the fob that looks similar to the key hardnested found.
I tried reading sectors 0-4 with the string and I tried a "chk" command with it, neither worked on the fob.

Do you know if that could be used anywhere?


#6 2019-12-10 01:21:35

pclever
Contributor
Registered: 2018-07-15
Posts: 9

Re: [Solved HF/LF] Schlage 9691T

I GOT IT WORKING!!!

It turned out that the tag had 3 keys. TWO for sector 1 (A and B), then another key for sector 1-14 (same key for A and B).
Sector 0 and 15 had no key (ffffffffffff).


Steps to clone Schlage 9691T fob:

HF:

  1. hf mf autopwn

  2. hf mf cload hf-mf-<insert_UID>-data

LF:

  1. lf t55 detect

  2. lf t55 dump

  3. lf hid clone <insert_UID>


That was a good learning exercise!
Next I will try to clone both HF and LF tags to one of these 2-in-1 cards on eBay.
...Stay tuned for my experience with that.


#7 2021-03-05 03:10:35

Navster
Contributor
Registered: 2017-07-09
Posts: 50

Re: [Solved HF/LF] Schlage 9691T

Hi, I'm having the same problem even though I have all the keys. What version of pm3 software were you using?
Thanks in advance


#8 2021-03-05 10:03:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: [Solved HF/LF] Schlage 9691T

Interesting, Schlage seem to use sector 1, block 2, to store raw Wiegand. That will make it easy to write onto a LF.

[H10301] - HID H10301 26-bit;  FC: 77  CN: 2871    parity: valid   
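To see where that decode comes from, here is an added example (not from the thread or the Proxmark3 client) that pulls the 26-bit H10301 credential out of the bytes 04 9A 16 6F at the end of the sector 1 dump posted earlier, validates both parity bits, and cross-checks it against the BCD-looking digits (77 and 28 71) in the following block; the BCD offsets are an assumption drawn only from this one dump:

```python
# Added example (not from the thread or the Proxmark3 client): decode the 26-bit
# HID H10301 credential that, as iceman notes, the fob stores in plain in sector 1.
# Bytes 04 9A 16 6F are the tail of the sector 1 dump posted earlier in the thread.
# Bit layout, MSB first, below a single '1' marker bit that flags the 26-bit length:
#   EP (1) | facility code (8) | card number (16) | OP (1)
#   EP = even parity over the first 12 data bits, OP = odd parity over the last 12.

def decode_h10301(raw: bytes) -> dict:
    """Return FC, CN and whether both parity bits check out."""
    value = int.from_bytes(raw, "big")
    if value >> 26 != 1:
        raise ValueError("expected a 26-bit ID with the marker bit set (bit 26)")
    bits = value & ((1 << 26) - 1)
    ep, op = (bits >> 25) & 1, bits & 1
    fc = (bits >> 17) & 0xFF
    cn = (bits >> 1) & 0xFFFF
    first12 = (bits >> 13) & 0xFFF   # FC plus the top 4 bits of CN
    last12 = (bits >> 1) & 0xFFF     # low 12 bits of CN
    even_ok = bin(first12).count("1") % 2 == ep
    odd_ok = bin(last12).count("1") % 2 != op
    return {"fc": fc, "cn": cn, "parity_valid": even_ok and odd_ok}

def bcd_copy(block_hex: str) -> tuple:
    """Read the BCD-looking FC/CN that the next block of the dump also carries.
    Assumption (from this one dump only): byte 5 holds FC, bytes 12-13 hold CN."""
    block = bytes.fromhex(block_hex.replace(" ", ""))
    fc = int(f"{block[5]:02x}")          # 0x77 -> 77
    cn = int(block[12:14].hex())         # 0x28 0x71 -> 2871
    return fc, cn

# Constructed from the sector 1 dump in the thread (hf mf rdsc 1 a ...).
BLOCK5 = "00 00 00 00 00 00 00 00 00 00 00 00 04 9A 16 6F"
BLOCK6 = "F2 00 00 00 00 77 00 00 00 00 00 00 28 71 1A 41"

def check_fob_credential() -> dict:
    """Cross-check the Wiegand bits against the BCD digits in the next block."""
    wg = decode_h10301(bytes.fromhex(BLOCK5.replace(" ", ""))[-4:])
    fc, cn = bcd_copy(BLOCK6)
    wg["matches_bcd_copy"] = (wg["fc"], wg["cn"]) == (fc, cn)
    return wg
```

`check_fob_credential()` yields FC 77, CN 2871 with valid parity, the same values pm3 printed, so a defender auditing such fobs can confirm the HF side carries nothing beyond the LF credential.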

