Cloning Schlage 9691T fob with Proxmark3 Easy

Hello!

I was hoping to get some help or a walkthrough on how I might go about using my Proxmark3 Easy to clone a Schlage 9691T dual frequency RFID fob.

Here are some links with information about this card:

I still need to go through the setup with my proxmark but any info I can get about initial steps for cloning (e.g. commands needed, cards/fobs needed to create a clone, etc).

Thanks in advance!

2 Likes

I believe these are a combo of HID Prox and Mifare Classic 1k

The relevant PM3 sections are:
lf hid
and:
hf mf

in particular, cloning these goes something like:

lf search
lf hid clone -r [data]

and, for the HF side:

hf mf autopwn
a little potential troubleshooting here, and finally:
hf mf restore or hf mf cload depending on what kind of blank you have

2 Likes

Thank you for your initial response! I have tried running the hf mf autopwn, and it doesn’t seem to get anywhere…it gets stuck in a loop with errors like this:
AcquireEncryptedNonces: Auth1 error

Any ideas?

Could be a coupling error, try moving the card around and see if you can get a better connection

You can use
hf mf info
to confirm it can communicate with the card

and you can use
hf tune
to help find the sweet spot, run that command and move the card around until you see the lowest numbers

2 Likes

It does seem to be detecting the fob ok. Here are the results of running hf mf info (I changed what the UID says):

[usb] pm3 --> hf mf info

[=] --- ISO14443-a Information ---------------------
[+]  UID: AA AA AA AA
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[=]
[=] --- Tag Signature
[=]  IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: C89BA61AFB0E40B9FA1CD29A3D13D95056D4F02129D29F5DB642F412EF87C4C7
[+]        Signature verification: successful

[=] --- Keys Information
[+] loaded  2 user keys
[+] loaded 61 keys from hardcoded default array
[#] BCC0 incorrect, got 0x28, expected 0x68
[#] Aborting
[=] <N/A>

[=] --- Magic Tag Information
[=] <N/A>

[=] --- PRNG Information
[+] Prng................. hard

And this is the result from hf mf autopwn:

[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[+] loaded  5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] running strategy 2
[=] .....
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector  16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector  17 key type A -- found valid key [ 75CCB59C9BED ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX512F SIMD core            |                 |
[=]        0 |       0 | Brute force benchmark: 1670 million (2^30.6) keys/s     | 140737488355328 |   23h
[=]        7 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 6457 ms               | 140737488355328 |   23h
[=]        7 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   23h
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error

And those errors continue until it seems to timeout.

1 Like

To be honest with you, that’s beyond me if it isn’t a coupling error, not sure what exactly that error means

But, there are some other options:
You can try
hf mf fchk --1k -f mfc_default_keys.dic
and you may get lucky and find all the keys that way

or you can try sniffing the keys from the reader, here’s a little more info about that:

double or, you can wait for someone who knows more than me to come by and help us both, which usually doesn’t take too long :classic_tongue:

2 Likes

I appreciate the help regardless.

I did try running the command you suggested, this is what it returned. Can’t tell if it’s very useful though.

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  001 | 007 | ------------ | 0 | ------------ | 0
[+]  002 | 011 | ------------ | 0 | ------------ | 0
[+]  003 | 015 | ------------ | 0 | ------------ | 0
[+]  004 | 019 | ------------ | 0 | ------------ | 0
[+]  005 | 023 | ------------ | 0 | ------------ | 0
[+]  006 | 027 | ------------ | 0 | ------------ | 0
[+]  007 | 031 | ------------ | 0 | ------------ | 0
[+]  008 | 035 | ------------ | 0 | ------------ | 0
[+]  009 | 039 | ------------ | 0 | ------------ | 0
[+]  010 | 043 | ------------ | 0 | ------------ | 0
[+]  011 | 047 | ------------ | 0 | ------------ | 0
[+]  012 | 051 | ------------ | 0 | ------------ | 0
[+]  013 | 055 | ------------ | 0 | ------------ | 0
[+]  014 | 059 | ------------ | 0 | ------------ | 0
[+]  015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
1 Like
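
For reading a key table like the one above, here is an added example (not part of any post in this thread, and not Proxmark3 project code) that parses the rows and reports which sectors answered to the factory default key and which have no recovered key. The sample input is constructed from rows shown in the table; the function names are hypothetical.

```python
import re

# Factory-default MIFARE Classic key, as it appears in the thread's output.
DEFAULT_KEY = "FFFFFFFFFFFF"

# Constructed sample: three rows taken from the table in the thread,
# plus its header, separator and legend lines.
SAMPLE = """\
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  001 | 007 | ------------ | 0 | ------------ | 0
[+]  015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] ( 0:Failed / 1:Success )
"""

# One data row: sector, trailer block, key A + result, key B + result.
ROW = re.compile(
    r"^\[\+\]\s+(\d{3})\s*\|\s*(\d{3})\s*\|\s*([0-9A-Fa-f]{12}|-{12})\s*\|\s*([01])"
    r"\s*\|\s*([0-9A-Fa-f]{12}|-{12})\s*\|\s*([01])\s*$"
)

def parse_key_table(text):
    """Return {sector: {"A": key or None, "B": key or None}} for each data row."""
    sectors = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or legend line
        sec, _blk, key_a, res_a, key_b, res_b = m.groups()
        sectors[int(sec)] = {
            "A": key_a.upper() if res_a == "1" else None,
            "B": key_b.upper() if res_b == "1" else None,
        }
    return sectors

def summarize(sectors):
    """List sectors using the default key and sectors with a missing key."""
    default = sorted(s for s, k in sectors.items() if DEFAULT_KEY in k.values())
    unknown = sorted(s for s, k in sectors.items() if None in k.values())
    return {"default_key_sectors": default, "unresolved_sectors": unknown}

if __name__ == "__main__":
    print(summarize(parse_key_table(SAMPLE)))
```
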

It is in fact not particularly useful

autopwn would likely be much more useful if you can get it to work, I’ll try to look into the error and see if I can find a solution

2 Likes

How did you install the PM3 client, did you follow a guide? Which guide? Are you on Windows?

Is it a PM3 easy? Where’d you buy it from?

It’s not sitting on anything metal or near anything that may be causing interference?

1 Like

I followed a popular PM3 setup guide posted on a Dangerous Things forum. It is in fact a PM3 Easy, purchased from Amazon, and I am on a Windows system. It is possible the surface I’ve been working on has metal that’s causing interference.
This is the setup I followed:

I was able to successfully clone a different low frequency fob with no problem, it’s just this Schlage fob that’s giving me issues.

1 Like

I don’t think it is, but if you wanted to rule out any issues with the client you’re using, you could download the latest release version:

or some pre-compiled binaries:
https://proxmarkbuilds.org/
instead of pulling the current repo from github

It’s possible it’s an issue with your specific PM3, sometimes and from some retailers they can be hit-or-miss

but beyond that most of the mentions of this issue I could find ended up being a connection issue, so definitely try moving the card all about on/under/around the PM3. Try giving it a bit of an air gap between the PM3 too

Do you have any other HF tags to test?

2 Likes

I can definitely try reinstalling the client.
And unfortunately I don’t have any other hf fobs to try :frowning:

I don’t think it’s likely to be a problem with the client, but, you never know

Dang

1 Like