Cloning MF Plus EV1s

Is it possible to clone a MF Plus EV1, with any tool?
Has anyone been able to purchase a blank MF Plus EV1 card or get anything else to work?
This is what they look like:

Thank you for the help.

[-] Searching for ISO14443-A tag…
[+] UID: 04 4C 68 B1 88 63 80
[+] ATQA: 00 44
[+] SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Classic 1K CL2
[=] -------------------------- ATS --------------------------
[+] ATS: 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 [ D3 00 ]
[=] 0C… TL length is 12 bytes
[=] 75… T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 77… TA1 different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=] 80… TB1 SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
[=] 02… TC1 NAD is NOT supported, CID is supported

[=] -------------------- Historical bytes --------------------
[=] C1 05 2F 2F 01 BC D6 MIFARE Plus X 4K (SL1)
[+] C1… Mifare or (multiple) virtual cards of various type
[+] 05… length is 5 bytes
[+] 2x… MIFARE Plus
[+] 2x… Released
[+] x1… VCS, VCSL, and SVC supported
[?] Hint: try hf mfp info

[+] Valid ISO 14443-A tag found

[=] Short AID search:
[?] Hint: card answers to all AID. It maybe the latest revision of plus/desfire/ultralight card.

You may want to blank out the uid part of your post if that is a card/fob being used for something

1 Like

I changed a few of those digits before I posted it. Thanks.

Ah okay

I think these guys might have a card that can be a target.

https://www.rfxsecure.com/?s=mifare+ev1

sos for late reply, amals reply got it to catch my eye

mfp ev1 in SL1 is effectively a downgrade. you can run your luck with a 7b 1k Mifare classic uid changeable card as there is a high probability the system is looking for that (if they were wanting to use mifare plus properly they’d use SL2 mode and all the fun that brings)

the link amal gave would be worth a good shot. if the reader is expecting the card to respond correctly to ATS (not super likely) then you’d be a bit screwed

TLDR from what i can see they arent using mfp for its secure features looks more like someone was meant to get mifare classic and got these and was lucky they worked. ATQA SAK and UID check out as normal and for 3pass auth it should be fine

1 Like

Thank you for the reply, Just got back to town. I will certainly try this, but 1st I am having problems copying the key that I have.
hf mf autopwn yields (Below), and there is no hf mfp autopwn

[usb] pm3 β†’ hf mf autopwn
[!] no known key was supplied, key recovery might fail
[+] loaded 44 keys from hardcoded default array
[=] running strategy 1
[=] …
[=] Chunk 4.8s | found 25/32 keys (44)
[=] running strategy 2
[=] .
[=] Chunk 3.9s | found 26/32 keys (44)
[+] target sector 0 key type A – found valid key [ A0A1A2A3A4A5 ] (used for nested / hardnested attack)
[+] target sector 0 key type B – found valid key [ B578F38A6C61 ]
[+] target sector 2 key type A – found valid key [ A0A1A2A3A4A5 ]
[+] target sector 2 key type B – found valid key [ 0000015B5C31 ]
[+] target sector 3 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B – found valid key [ FFFFFFFFFFFF ]

[!!] Error: No response from Proxmark3.

I am missing some sections. Is there another way to extract the data? Do I need to sniff these? Can you help with the program codes I need to try? As always: Thank you for your help.
*Key codes not actual #s but representative

Can you confirm the client and firmware version matches?

1 Like
Client.... Iceman/master/v4.14831-976-g8b4701efe 2022-10-09 09:39:18
Bootrom... Iceman/master/v4.14831-976-g8b4701efe 2022-10-09 09:35:35
OS........ Iceman/master/v4.14831-976-g8b4701efe 2022-10-09 09:36:15
Target.... PM3 GENERIC

hmmmmm