Can't detect HF on Schlage 9691T using Proxmark3

Hi Everyone-

I just bought the PM3 and I have a Schlage 9691T key fob. The problem is I can’t even get my PM3 to detect the HF tag inside this fob. I can detect LF just fine, I can even copy that to a T55 no problem. But the HF is a 13.56 MHz signal that I would assume should be detectable by the PM3 because a lot of users have these Schlage 9691T’s.

Any assistance would be appreciated!

Thanks.


1 Like

Can you scan it with your phone?

Have you played around with placement of the tag much? Tried setting the tag underneath the PM3, etc…

Have another HF tag you can test the PM3 with?

2 Likes

Also, you can use hf 14a reader -@ to continuously scan for the tag to help find the correct placement

3 Likes
  • can you screenshot the startup of the pm3 client to show the client and firmware versions match?

  • can you take the fob off and run hw tune to ensure the antenna is performing?

3 Likes

Hi @amal-

Can confirm that client/firmware match. I reinstalled today to be sure. Also, I ran an hw tune. While I’m not sure what the data mean, I think this looks like the antennas are working.

Additionally, the PM3 came with CUID HF cards that are being detected

The first search is my Schlage 9691T and the second hf search is the CUID card that came with the PM3

1 Like

Hi @Aoxhwjfoavdlhsvfpzha -

This actually yielded something interesting. When I run the tag up against it in continuous mode with hf 14a reader -@, I do indeed find “something”, but I can’t replicate the find using hf search. Any ideas?

1 Like

UPDATE:

I actually got one successful read on the hf search. I used the hf 14a reader -@ to find the tag and get this read.

Because the tag is so hard to find, I am concerned that maybe my antenna might not be properly tuned, or something might be awry with the hardware perhaps? I haven’t been able to replicate the read with hf search even in the same position. So I am fearful if I am even getting the correct data off of this.

If I wanted to crack the mifare classic, I think I would want a stable connection too.

1 Like

put it under the proxmark so the round bottom is half poking out and do hf mf autopwn

1 Like


Can you confirm if this is 4byte or 7 byte

i.e.
00:11:22:33
or
00:11:22:33:44:55:66

Also this

TagInfo

IF you can scan with your phone
and have a gen2 to write to, you could just use MCT

2 Likes

like this

or try a corner

2 Likes

OR
you could try again on the top, but ½-ing the circular part of the fob with the antenna trace (red dashed lines), which is actually on the bottom board, sometimes some separation/standoff helps, sometimes it doesn’t.

2 Likes

Are you going to try to write to an implant?
If so, which one?

2 Likes

@Pilgrimsmaster, I found a location that seems to be pretty stable as shown here. Also, I can confirm it is a 4-bit key. I am not sure if it is a Gen2, but I could get a read using TagInfo.

@Equipter- I started running hf mf autopwn, but it’s been running for about 10 minutes. About how long should I expect this to run in your estimation? Also, are these error codes being thrown expected?

Thank you for your help!

3 Likes

If you mean an implant inside my skin? No sir.

1 Like

Going to be uploading the TagInfo scan here in case it comes in handy. My ultimate goal is to copy this fob to a card of some sort. Hopefully one that the PM3 came with.

** TagInfo Scan (version 5.0.0) 14-Sep-24 10:05:21 **
Report Type: – IC INFO ------------------------------

IC Manufacturer:

NXP Semiconductors

IC Type:

MIFARE Classic EV1 (MF1S50)

– NDEF ------------------------------

No NDEF Data Storage Present:

Maximum NDEF storage size after format: 716 bytes

– EXTRA ------------------------------

Memory Information:

1 kB

  • 16 sectors, with 4 blocks per sector
  • 64 blocks, with 16 bytes per block

IC Information:

Full product name: MF1S503xX/V1

Block 0 analysis:

UID: XX:XX:XX:XX

  • NXP Semiconductors
  • Re-used (Old) Non-Unique ID
    Check Byte: 0x7D
    SAK: 0x88
    ATQA: 0x0400
    Manufacturer data:
  • C8 33 00 20 00 00 00 22 |.3. …"|
    • Revision: C8
    • Fab: TSMC
    • Production date: week 33, 2022
      ~ PQE0/1: 33 22

Originality Check (asymmetric):

Signature verified with NXP public key

TagInfo Version:

Version :5.0.0

Device Info:

Device Model :Google ( Pixel 3 )
Android OS Version :13

– FULL SCAN ------------------------------

Technologies Supported:

MIFARE Classic compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

Android Technology Information:

Tag description:

  • TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareClassic, android.nfc.tech.NdefFormatable]
  • Maximum transceive length: 253 bytes
  • Default maximum transceive time-out: 618 ms

Detailed Protocol Information:

ID: XX:XX:XX:XX
ATQA: 0x0400
SAK: 0x08

Memory Content:

Sector 0 (0x00)
[00] r-- 8A 5F 01 A9 7D 88 04 00 C8 33 00 20 00 00 00 22 |._…}…3. …"|
[01] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[02] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[03] wxx FF:FF:FF:FF:FF:FF FF:07:80 69 FF:FF:FF:FF:FF:FF
Factory default key Factory default key (readable)

Sector 1 (0x01)
[04] ??? – – – – – – – – – – – – – – – –
[05] ??? – – – – – – – – – – – – – – – –
[06] ??? – – – – – – – – – – – – – – – –
[07] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 2 (0x02)
[08] ??? – – – – – – – – – – – – – – – –
[09] ??? – – – – – – – – – – – – – – – –
[0A] ??? – – – – – – – – – – – – – – – –
[0B] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 3 (0x03)
[0C] ??? – – – – – – – – – – – – – – – –
[0D] ??? – – – – – – – – – – – – – – – –
[0E] ??? – – – – – – – – – – – – – – – –
[0F] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 4 (0x04)
[10] ??? – – – – – – – – – – – – – – – –
[11] ??? – – – – – – – – – – – – – – – –
[12] ??? – – – – – – – – – – – – – – – –
[13] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 5 (0x05)
[14] ??? – – – – – – – – – – – – – – – –
[15] ??? – – – – – – – – – – – – – – – –
[16] ??? – – – – – – – – – – – – – – – –
[17] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 6 (0x06)
[18] ??? – – – – – – – – – – – – – – – –
[19] ??? – – – – – – – – – – – – – – – –
[1A] ??? – – – – – – – – – – – – – – – –
[1B] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 7 (0x07)
[1C] ??? – – – – – – – – – – – – – – – –
[1D] ??? – – – – – – – – – – – – – – – –
[1E] ??? – – – – – – – – – – – – – – – –
[1F] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 8 (0x08)
[20] ??? – – – – – – – – – – – – – – – –
[21] ??? – – – – – – – – – – – – – – – –
[22] ??? – – – – – – – – – – – – – – – –
[23] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 9 (0x09)
[24] ??? – – – – – – – – – – – – – – – –
[25] ??? – – – – – – – – – – – – – – – –
[26] ??? – – – – – – – – – – – – – – – –
[27] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 10 (0x0A)
[28] ??? – – – – – – – – – – – – – – – –
[29] ??? – – – – – – – – – – – – – – – –
[2A] ??? – – – – – – – – – – – – – – – –
[2B] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 11 (0x0B)
[2C] ??? – – – – – – – – – – – – – – – –
[2D] ??? – – – – – – – – – – – – – – – –
[2E] ??? – – – – – – – – – – – – – – – –
[2F] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 12 (0x0C)
[30] ??? – – – – – – – – – – – – – – – –
[31] ??? – – – – – – – – – – – – – – – –
[32] ??? – – – – – – – – – – – – – – – –
[33] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 13 (0x0D)
[34] ??? – – – – – – – – – – – – – – – –
[35] ??? – – – – – – – – – – – – – – – –
[36] ??? – – – – – – – – – – – – – – – –
[37] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 14 (0x0E)
[38] ??? – – – – – – – – – – – – – – – –
[39] ??? – – – – – – – – – – – – – – – –
[3A] ??? – – – – – – – – – – – – – – – –
[3B] ??? XX:XX:XX:XX:XX:XX --:–:-- – XX:XX:XX:XX:XX:XX
(unknown key) (unknown key)

Sector 15 (0x0F)
[3C] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[3D] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[3E] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[3F] wxx FF:FF:FF:FF:FF:FF FF:07:80 69 FF:FF:FF:FF:FF:FF
Factory default key Factory default key (readable)

r/R=read, w/W=write, i/I=increment,
d=decr/transfer/restore, x=r+w, X=R+W
data block: r/w/i/d:key A|B, R/W/I:key B only,
I/i implies d, *=value block
trailer (order: key A, AC, key B): r/w:key A,
W:key B, R:key A|B, (r)=readable key
AC: W implies R+r, R implies r


1 Like
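Added example, not from the thread or any poster: a small Python checker that validates the block 0 and sector-0 trailer bytes from the TagInfo dump above (the BCC must equal the XOR of the four UID bytes, which gives the 0x7D TagInfo reports, and the FF 07 80 access bytes must carry consistent inverted copies) and decodes the access conditions that the legend at the end of the scan abbreviates. The byte values are taken from the scan; the access tables are the standard MIFARE Classic ones, and `parse_block0` assumes the 4-byte-UID block 0 layout.

```python
# Added example, not from the thread: sanity-check the block 0 and sector-0
# trailer bytes from the TagInfo dump before cloning anything to another card.
from typing import Dict, List, Tuple

# Constructed from the scan above: block [00] and trailer [03] of sector 0.
BLOCK0 = bytes.fromhex("8A5F01A97D880400C833002000000022")
TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")

# Data-block access per C1C2C3: (read, write, increment, decrement/transfer/restore)
DATA_ACC = {0b000: ("A|B", "A|B", "A|B", "A|B"), 0b010: ("A|B", "-", "-", "-"),
            0b100: ("A|B", "B", "-", "-"),       0b110: ("A|B", "B", "B", "A|B"),
            0b001: ("A|B", "-", "-", "A|B"),     0b011: ("B", "B", "-", "-"),
            0b101: ("B", "-", "-", "-"),         0b111: ("-", "-", "-", "-")}
# Trailer access per C1C2C3: (keyA rd, keyA wr, AC rd, AC wr, keyB rd, keyB wr)
TRAIL_ACC = {0b000: ("-", "A", "A", "-", "A", "A"),   0b010: ("-", "-", "A", "-", "A", "-"),
             0b100: ("-", "B", "A|B", "-", "-", "B"), 0b110: ("-", "-", "A|B", "-", "-", "-"),
             0b001: ("-", "A", "A", "A", "A", "A"),   0b011: ("-", "B", "A|B", "B", "-", "B"),
             0b101: ("-", "-", "A|B", "B", "-", "-"), 0b111: ("-", "-", "A|B", "-", "-", "-")}


def parse_block0(block: bytes) -> Dict[str, object]:
    """Split a 4-byte-UID manufacturer block into UID, BCC check, SAK and ATQA.
    BCC must equal UID0^UID1^UID2^UID3; a mismatch means a bad read or a tag
    that does not use this layout (e.g. a 7-byte UID)."""
    uid, bcc, sak = block[:4], block[4], block[5]
    # Block 0 stores the SAK byte raw (0x88 in the scan) and the two ATQA bytes
    # in the order they appear on the wire (04 00, shown by TagInfo as 0x0400).
    return {"uid": uid.hex(":").upper(), "sak": sak, "atqa": block[6:8].hex().upper(),
            "bcc_ok": (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc}


def decode_access(trailer: bytes) -> Dict[str, object]:
    """Decode bytes 6-8 of a sector trailer into C1C2C3 per block and verify the
    inverted copies; inconsistent access bits make the sector unusable, so a dump
    that fails this check should not be written to another card."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4          # the non-inverted nibbles
    consistent = ((b6 & 0x0F) == (~c1 & 0x0F) and (b6 >> 4) == (~c2 & 0x0F)
                  and (b7 & 0x0F) == (~c3 & 0x0F))
    blocks: List[Tuple[str, ...]] = []
    for i in range(4):   # bit i of each nibble describes block i of the sector
        code = ((c1 >> i) & 1) << 2 | ((c2 >> i) & 1) << 1 | ((c3 >> i) & 1)
        blocks.append(TRAIL_ACC[code] if i == 3 else DATA_ACC[code])
    return {"consistent": consistent, "blocks": blocks,
            "key_a": trailer[:6].hex().upper(), "key_b": trailer[10:].hex().upper()}


if __name__ == "__main__":
    print(parse_block0(BLOCK0))
    print(decode_access(TRAILER))
```

For the scan's FF 07 80 trailer the three data blocks decode to the transport configuration (everything allowed with key A or B) and the trailer to C1C2C3 = 001, which is why TagInfo could read both factory-default keys.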

This is interesting. Been struggling with the 8843T fob for months. Please keep us updated

those are desfire & hidprox. you definitely aren’t cloning the desfire chip. they’re too secure.

you could clone the lf chip but that would only give you access to whatever the lf chip is provisioned for, which won’t be your apartment door for sure.

Exactly. I was able to clone the LF for common areas immediately with the pm3. But somehow, after a few months, they all stopped working at the same time and new clones are inoperable. The complex uses regular keys for the apartments. I’ve been using the original fob to see if it changes but there is nothing. Clearly there’s something I’m missing.

sounds like they flicked the switch and turned common area access to the desfire credential. can you take a photo of the readers in the common areas? i’m guessing probably MT series which wouldn’t make it that improbable that they realised they could be using more secure access.

if the desfires weren’t provisioned with applications the potentiality that they’re just using the desfire UID is certainly on the table.

you could do
hf mf sim --uid [desfire uid] --sak 08 --atqa 0004 and with your proxmark plugged into your laptop, tap it to the reader, if it opens then they’re just using the uid and you can go ahead and get a 7b uid magic card and copy over the UID.

if it doesn’t; you’re out of luck it seems.

have you rescanned the lf credential to check it’s still the same ID as it’s always been?

2 Likes

I can send a pic of the readers. I can’t find any change on the original fob itself with lf. Later I will attempt the hf mf sim you suggested.

I’m all for the security. But it doesn’t work. It’s a really bad area. I have had numerous people try to open my door in the middle of the night. Packages are always just taken or opened in the spot. Cars are constantly broken into. Bikes are stolen. It’s only hindering the good people that pay to live here. Nothing is done about this. We can’t have family and friends come stay for a length of time. Without sacrificing access to our home for someone. The call box that is for the main entrance works a fraction of the time. My elderly grandmother had to wait outside for over an hour one time because we couldn’t get back quick enough. My card often beeps and nothing happens on many of the entrances. I’ll have to scan it 2-3 times. The company that has implemented this electronic system is absolutely horrible. And not even in the same state.