Cloning MF Plus EV1s

Is it possible to clone a MF Plus EV1, with any tool?
Has anyone been able to purchase a blank MF Plus EV1 card or get anything else to work?
This is what they look like:

Thank you for the help.

[-] Searching for ISO14443-A tag…
[+] UID: 04 4C 68 B1 88 63 80
[+] ATQA: 00 44
[+] SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Classic 1K CL2
[=] -------------------------- ATS --------------------------
[+] ATS: 0C 75 77 80 02 C1 05 2F 2F 01 BC D6 [ D3 00 ]
[=] 0C… TL length is 12 bytes
[=] 75… T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 77… TA1 different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=] 80… TB1 SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
[=] 02… TC1 NAD is NOT supported, CID is supported

[=] -------------------- Historical bytes --------------------
[=] C1 05 2F 2F 01 BC D6 MIFARE Plus X 4K (SL1)
[+] C1… Mifare or (multiple) virtual cards of various type
[+] 05… length is 5 bytes
[+] 2x… MIFARE Plus
[+] 2x… Released
[+] x1… VCS, VCSL, and SVC supported
[?] Hint: try hf mfp info

[+] Valid ISO 14443-A tag found

[=] Short AID search:
[?] Hint: card answers to all AID. It maybe the latest revision of plus/desfire/ultralight card.
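
The ATS breakdown in the output above can be reproduced by hand. This is an added example, not part of the original post and not Proxmark3 code. It decodes the interface bytes as laid out in ISO/IEC 14443-4, and the function and field names are assumptions made for illustration.

```python
# Added example: decode an ISO/IEC 14443-4 ATS (CRC excluded) into its fields.
# FSCI 0..8 -> maximum frame size the card accepts, in bytes.
FSC_TABLE = [16, 24, 32, 40, 48, 64, 96, 128, 256]

# The ATS shown in the post above, without the two CRC bytes in brackets.
PAGE_ATS = "0C 75 77 80 02 C1 05 2F 2F 01 BC D6"


def _divisors(bits):
    """Map the three divisor bits to the list of supported divisors."""
    return [d for mask, d in ((1, 2), (2, 4), (4, 8)) if bits & mask]


def parse_ats(ats_hex):
    ats = bytes.fromhex(ats_hex)
    if len(ats) < 2 or ats[0] < 2:
        raise ValueError("ATS needs at least TL and T0")
    tl = ats[0]
    if tl > len(ats):
        raise ValueError("TL claims more bytes than were received")
    body = ats[:tl]  # TL counts itself; trailing CRC bytes are ignored
    t0 = body[1]
    fsci = t0 & 0x0F
    if fsci >= len(FSC_TABLE):
        raise ValueError("FSCI value not handled by this table")
    out = {"tl": tl, "fsci": fsci, "fsc": FSC_TABLE[fsci]}
    pos = 2

    def take(name):
        nonlocal pos
        if pos >= len(body):
            raise ValueError(f"T0 announces {name} but the ATS is too short")
        pos += 1
        return body[pos - 1]

    if t0 & 0x10:  # TA1: bit rate capability
        ta1 = take("TA1")
        out["same_divisor_only"] = bool(ta1 & 0x80)
        out["ds"], out["dr"] = _divisors((ta1 >> 4) & 0x07), _divisors(ta1 & 0x07)
    if t0 & 0x20:  # TB1: frame waiting time and start-up frame guard time
        tb1 = take("TB1")
        out["fwi"], out["sfgi"] = tb1 >> 4, tb1 & 0x0F
        out["fwt_fc"] = 4096 * (1 << out["fwi"])  # FWT in carrier cycles (1/fc)
    if t0 & 0x40:  # TC1: optional protocol features
        tc1 = take("TC1")
        out["nad"], out["cid"] = bool(tc1 & 0x01), bool(tc1 & 0x02)
    out["historical"] = body[pos:].hex(" ").upper()
    return out
```
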

You may want to blank out the UID part of your post if that is a card/fob being used for something.

I changed a few of those digits before I posted it. Thanks.

Ah okay

I think these guys might have a card that can be a target.

https://www.rfxsecure.com/?s=mifare+ev1

Sorry for the late reply, Amal’s reply got it to catch my eye.

MFP EV1 in SL1 is effectively a downgrade. You can run your luck with a 7b 1k MIFARE Classic UID-changeable card, as there is a high probability the system is looking for that (if they were wanting to use MIFARE Plus properly they’d use SL2 mode and all the fun that brings).

The link Amal gave would be worth a good shot. If the reader is expecting the card to respond correctly to ATS (not super likely) then you’d be a bit screwed.

TLDR: from what I can see they aren’t using MFP for its secure features. Looks more like someone was meant to get MIFARE Classic and got these and was lucky they worked. ATQA, SAK and UID check out as normal, and for 3-pass auth it should be fine.

Thank you for the reply. Just got back to town. I will certainly try this, but first I am having problems copying the key that I have.
hf mf autopwn yields the output below, and there is no hf mfp autopwn.

[usb] pm3 → hf mf autopwn
[!] no known key was supplied, key recovery might fail
[+] loaded 44 keys from hardcoded default array
[=] running strategy 1
[=] …
[=] Chunk 4.8s | found 25/32 keys (44)
[=] running strategy 2
[=] .
[=] Chunk 3.9s | found 26/32 keys (44)
[+] target sector 0 key type A – found valid key [ A0A1A2A3A4A5 ] (used for nested / hardnested attack)
[+] target sector 0 key type B – found valid key [ B578F38A6C61 ]
[+] target sector 2 key type A – found valid key [ A0A1A2A3A4A5 ]
[+] target sector 2 key type B – found valid key [ 0000015B5C31 ]
[+] target sector 3 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B – found valid key [ FFFFFFFFFFFF ]

[!!] Error: No response from Proxmark3.

I am missing some sections. Is there another way to extract the data? Do I need to sniff these? Can you help with the program codes I need to try? As always: Thank you for your help.
*Key codes not actual #s but representative

Can you confirm the client and firmware versions match?

Client.... Iceman/master/v4.14831-976-g8b4701efe 2022-10-09 09:39:18
Bootrom... Iceman/master/v4.14831-976-g8b4701efe 2022-10-09 09:35:35
OS........ Iceman/master/v4.14831-976-g8b4701efe 2022-10-09 09:36:15
Target.... PM3 GENERIC

hmmmmm

I’m actually trying to do the same thing as this guy. The autopwn command would be the way to go, right? I’ve tried starting it, but it starts trying to brute force it, so I wanted to ensure I was doing everything right before running it for the 12 hours it estimates it will take.

Do hf mfp info and look at the SL. If it’s not SL1 (backwards compatible with MIFARE Classic) then you’d be SOL.

It says that it’s in SL1 mode and has backward functional compatibility with MIFARE classic 1k/4k (with an optional AES authentication). That’s good, right?

I’ve tried doing autopwn twice now but after about an hour of brute-forcing, it loses connection with the proxmark. I can’t mess with this anymore right at this moment, but I will check my power settings in Windows to see if maybe that’s causing it to time out.