Cloning mifare 1k to Jakom 4 Ring

Have a mifare 1k hardnested ICT card with 256-bit AES encryption on top. Did a hardnested attack, found keys. Dumped keys. Did a script run dumptoemul.lua and did a hf mf cload xxxxxxxx
Compared dumps; everything is the same, but still can’t open the door? Thoughts? Any help and guidance would be appreciated!!

Is it gen1a and does the door check for magic cards?

Yes, a gen 1a.
This is ICT’s implementation of a diversified key scheme and provides additional security measures on top of the MIFARE Classic standard. Card data is protected with a diversified authentication key and encrypted with an AES256 algorithm, effectively plugging the known security flaw which allows cards to be created in a series. This however does not prevent the duplication of a card.

Try to sniff the communication between the door and the card and check if the door uses magic commands.


Have you considered the cards might need to be migrated? The data in the Mifare blocks probably has a counter.

Given you’ve got keys, run a dump on your official card, tap it against your reader device that’s doing the auth, then dump again. See if the data’s the same or different in a hex editor. If it’s different, you have to use one or the other. Once you use one, the other will fail.


No I did not think that. However I did do a dump of the card before and after tap and everything seemed to be the same. Obviously I’m missing something?

Some things which could be causing the issues:

  • Magic gen 1a detection
  • Checking SAK values (08 vs 88)
  • Maybe checking ATQA value? If the dump is the same, it’s probably the same too, but gen 1a will blindly play the ATQA bytes

I would reiterate axolotl’s suggestion to sniff the communication, it would allow you to see exactly what the difference is at least between the reader and the tag.

You should be able to sniff the tag <-> reader communication with hf 14a sniff - I recommend placing the pm3 between the tag and the reader. If it is a pm3 easy, remove the LF antenna and middle PCB before doing this.
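The before/after dump comparison and the SAK/ATQA check suggested in the replies above can be done mechanically. The script below is an added example, not code from this thread or from the Proxmark3 project: it reads the raw 1024-byte dump format (64 blocks of 16 bytes) that hf mf dump and dumptoemul.lua work with, decodes block 0 (UID, BCC, SAK, ATQA), decodes the access bits in every sector trailer, and lists the blocks that differ between two dumps, which is how a per-tap counter would show up. The UID, trailer and counter values are constructed sample data, not taken from any real card.

```python
"""Added example: diagnostics over MIFARE Classic 1K dumps (64 blocks x 16 bytes).

Not code from the thread or the Proxmark3 project; all sample data is constructed.
"""
from __future__ import annotations

BLOCK = 16
BLOCKS_1K = 64

# Data-block access conditions indexed by (C1, C2, C3), per the MF1S50 datasheet.
DATA_ACCESS = {
    (0, 0, 0): "read A|B, write A|B, inc A|B, dec A|B (transport config)",
    (0, 1, 0): "read A|B, never write",
    (1, 0, 0): "read A|B, write B",
    (1, 1, 0): "read A|B, write B, inc B, dec A|B (value block)",
    (0, 0, 1): "read A|B, never write, dec A|B (value block)",
    (0, 1, 1): "read B, write B",
    (1, 0, 1): "read B, never write",
    (1, 1, 1): "no access",
}


def parse_block0(dump: bytes) -> dict:
    """Decode the manufacturer block: UID(4) BCC(1) SAK(1) ATQA(2) + 8 manufacturer bytes."""
    b0 = dump[:BLOCK]
    uid, bcc, sak, atqa = b0[0:4], b0[4], b0[5], b0[6:8]
    return {
        "uid": uid.hex(),
        # BCC must be the XOR of the four UID bytes; a bad BCC gets a clone rejected.
        "bcc_ok": bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],
        "sak": sak,
        "sak_is_classic_1k": sak == 0x08,  # 0x88 is the "vs 88" case from the thread
        "atqa": atqa.hex(),                # standard 1K stores 04 00 here
    }


def decode_access_bits(trailer: bytes) -> list[tuple[int, int, int]] | None:
    """Return (C1, C2, C3) for blocks 0..3 of a sector, or None if the inverted copies disagree."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    if (b6 & 0xF) != (~c1 & 0xF) or (b6 >> 4) != (~c2 & 0xF) or (b7 & 0xF) != (~c3 & 0xF):
        return None  # inconsistent access bits: the sector is unusable on a real card
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def sector_report(dump: bytes, sector: int) -> dict:
    """Human-readable permissions for one sector of a 1K dump."""
    start = (sector * 4 + 3) * BLOCK
    bits = decode_access_bits(dump[start:start + BLOCK])
    return {
        "sector": sector,
        "access_bits_consistent": bits is not None,
        "data_blocks": [DATA_ACCESS[b] for b in bits[:3]] if bits else [],
        "trailer_bits": bits[3] if bits else None,
    }


def diff_dumps(before: bytes, after: bytes) -> list[int]:
    """Block numbers whose 16 bytes differ between two dumps (e.g. a tap counter)."""
    return [i for i in range(BLOCKS_1K)
            if before[i * BLOCK:(i + 1) * BLOCK] != after[i * BLOCK:(i + 1) * BLOCK]]


def make_sample_dump(counter: int) -> bytes:
    """Constructed 1K dump: UID deadbeef, SAK 08, ATQA 04 00, default trailers, counter in block 1."""
    uid = bytes.fromhex("deadbeef")  # constructed, not a real card
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)
    trailer = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")  # transport config
    blocks = []
    for i in range(BLOCKS_1K):
        if i == 0:
            blocks.append(block0)
        elif i % 4 == 3:
            blocks.append(trailer)
        elif i == 1:
            blocks.append(counter.to_bytes(4, "big") + bytes(12))  # constructed counter
        else:
            blocks.append(bytes(BLOCK))
    return b"".join(blocks)


if __name__ == "__main__":
    before, after = make_sample_dump(1), make_sample_dump(2)
    print(parse_block0(before))
    print(sector_report(before, 0))
    print("changed blocks:", diff_dumps(before, after))
```

With real files, replace make_sample_dump with open("before.bin", "rb").read() and the same for the second dump; a non-empty list from diff_dumps is the "card has a counter" case from the replies above, an SAK other than 0x08 or a failing BCC in the clone's block 0 is what the reader can trip on before any key is ever used, and sector_report shows which blocks the keys you recovered can actually write.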

I will double check. Ty

The added layer of AES-256 encryption from ICT on the card: is that cracked when cloning?

No, but as long as you only use one card (assuming it changes each time you use it, which you seem to suggest it does not do) and it is an identical copy, it should still work.

Really appreciate your help. Wondering if it is the gen 1a detection? I have a proxmark 3 RDV4 coming. I have been using a proxmark 3 easy. Hoping it may make a difference? I tried using a Jakom 3 but it is hard to detect on the proxmark 3 easy. The ring uses an m1 chip, m1 s50 I believe.

Don’t think that’d be the case, though the better analog frontend (antenna) should make it a bit easier to sniff the communication. I.e. it might help with the Jakom 3, but shouldn’t change the existing clone result.

These are the only 2 blocks with data. Do the permissions in Block 0 help?