Cloning a "Mifare Classic 1k" to the xM1+

hf mf mifare
————————————————————————-
Executing command. Expected execution time: 25sec on average :slightly_smiling_face:
Press the key on the proxmark3 device to abort both proxmark3 and client.
————————————————————————-

You should get something like:
uid(XXXXX) nt(XXXXX) par(XXXXX) ks(XXXXX) nr(XXXXX)
|diff|{nr} |ks3|ks3^5|parity |

| 00 |00000001| b | e |1,0,1,0,0,1,1,0|
| 20 |00000021| 7 | 2 |1,0,1,0,1,0,1,1|
| 40 |00000001| 1 | 4 |1,0,1,0,0,0,0,0|
| 60 |00000061| e | b |1,0,1,1,1,1,1,0|
| 80 |00000081| f | a |1,0,1,0,1,1,0,0|
| a0 |000000a1| 5 | 0 |1,0,1,1,0,0,0,1|
| c0 |00000001| c | 9 |1,0,0,1,0,0,1,0|
| e0 |000000e1| d | 8 |1,0,1,0,0,0,1,1|
key_count:1
——————————————————————
Key found: XXXXX
Found valid key: XXXXX

Nice! We have cracked the first key in just a matter of seconds! Now, let’s run the Nested Attack in order to escalate to the other 32 keys and get everything we need in order to read the entire memory contents:

hf mf nested 1 0 A KEY_HERE d

(wait a little bit… )

———————————————–
uid:xxx len=2 trgbl=0 trgkey=1
Found valid key:xxxxx
———————————————–
uid:xxx len=2 trgbl=4 trgkey=0
Found valid key:xxxxx
———————————————–
uid:xxx len=2 trgbl=4 trgkey=1
Found valid key:xxxxxx
———————————————–
and so on… then, finally, all keys are yours!
|—|—————-|—|—————-|—|
|sec|key A |res|key B |res|
|—|—————-|—|—————-|—|
|000| xxx | 1 | xxx | 1 |
|001| xxx | 1 | xxx | 1 |
|002| xxx | 1 | xxx | 1 |
[…snip…]

Now we own the keys and can obtain the memory contents next. After you run the command below you will get a binary file within the client folder called “dumpkeys.bin” that you can read using any HEX editor.

hf mf dump

That’s it! Three commands and less than four minutes to pull information out of a “secure” card. you’ll get a file called “dumpdata.bin” Awesome!

To program a “magic” card,

hf mf csetuid UID_hex w

If you want wipe card then add w into command line.

hf mf restore 1

4 Likes