I have been trying to clone my Schlage 9651T tag for a bit with no luck.
- First, I started by doing an HF and LF search, which returned nothing for the LF side and the following for the HF side:
[usb] pm3 --> hf search
🕛 Searching for ISO14443-A tag...
[+] UID: B2 63 CE F5
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: F86964F96539A44192D9207DF000B4D75B0B749F7E91F87B9F94F71420672463
[+] Signature verification: successful
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found
- This indicates that the card is a MIFARE Classic 1K card, so I ran hf mf chk, which gave me the following:
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 001 | ------------ | 0 | ------------ | 0 |
[+] | 002 | ------------ | 0 | ------------ | 0 |
[+] | 003 | ------------ | 0 | ------------ | 0 |
[+] | 004 | ------------ | 0 | ------------ | 0 |
[+] | 005 | ------------ | 0 | ------------ | 0 |
[+] | 006 | ------------ | 0 | ------------ | 0 |
[+] | 007 | ------------ | 0 | ------------ | 0 |
[+] | 008 | ------------ | 0 | ------------ | 0 |
[+] | 009 | ------------ | 0 | ------------ | 0 |
[+] | 010 | ------------ | 0 | ------------ | 0 |
[+] | 011 | ------------ | 0 | ------------ | 0 |
[+] | 012 | ------------ | 0 | ------------ | 0 |
[+] | 013 | ------------ | 0 | ------------ | 0 |
[+] | 014 | ------------ | 0 | ------------ | 0 |
[+] | 015 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success )
- This only got 4 keys; however, I still tried to run hf mf dump, which threw up an auth error for most of the blocks but still gave me the following:
[+] Succeeded in dumping all blocks
[+] saved 1024 bytes to binary file hf-mf-B263CEF5-dump-1.bin
[+] saved 64 blocks to text file hf-mf-B263CEF5-dump-1.eml
[+] saved to json file hf-mf-B263CEF5-dump-1.json
- I then put a magic 1k card onto the reader and ran hf mf cload, which gave:
[usb] pm3 --> hf mf cload -f hf-mf-B263CEF5-dump-1.eml
[+] loaded 1024 bytes from text file hf-mf-B263CEF5-dump-1.eml
[=] Copying to magic gen1a card
[=] .................................................................
[+] Card loaded 64 blocks from file
[=] Done!
[usb] pm3 --> hf search
🕒 Searching for ISO14443-A tag...
[+] UID: B2 63 CE F5
[+] ATQA: 00 04
[+] SAK: 88 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : Gen 1a
[#] 1 static nonce 01200145
[+] Static nonce: yes
[#] Auth error
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found
- When I tried to use the new card on the reader (Schlage MT11, I think), it does not even recognize that a card is being held up to the reader.
- After this I tried to use hf mf autopwn, with no luck either:
[usb] pm3 --> hf mf autopwn
[!] ⚠️ no known key was supplied, key recovery might fail
[+] loaded 42 keys from hardcoded default array
[=] running strategy 1
[=] ...
[=] Chunk 6.6s | found 4/32 keys (42)
[=] running strategy 2
[=] ...
[=] Chunk 6.5s | found 4/32 keys (42)
[+] target sector 0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 10 threads and no SIMD core | |
[=] 0 | 0 | Brute force benchmark: 855 million (2^29.7) keys/s | 140737488355328 | 2d
[=] 3 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 2d
[=] 5 | 112 | Apply bit flip properties | 1771511611392 | 35min
[=] 6 | 224 | Apply bit flip properties | 559695724544 | 11min
[=] 7 | 336 | Apply bit flip properties | 388692967424 | 8min
[=] 8 | 448 | Apply bit flip properties | 372024573952 | 7min
[=] 8 | 560 | Apply bit flip properties | 372024573952 | 7min
[=] 9 | 671 | Apply bit flip properties | 372024573952 | 7min
[=] 10 | 783 | Apply bit flip properties | 372024573952 | 7min
[=] 11 | 895 | Apply bit flip properties | 372024573952 | 7min
[=] 12 | 1006 | Apply bit flip properties | 372024573952 | 7min
[=] 13 | 1117 | Apply bit flip properties | 372024573952 | 7min
[=] 14 | 1227 | Apply bit flip properties | 372024573952 | 7min
[=] 14 | 1337 | Apply bit flip properties | 372024573952 | 7min
[=] 15 | 1443 | Apply bit flip properties | 372024573952 | 7min
[=] 16 | 1551 | Apply bit flip properties | 372024573952 | 7min
[=] 17 | 1659 | Apply bit flip properties | 372024573952 | 7min
[-] ⛔ No match for the First_Byte_Sum (132), is the card a genuine MFC Ev1?
- I also tried to run hf mf csetuid and hf mf darkside but that didn’t get me anywhere either.
[usb] pm3 --> hf mf csetuid -u b263cef5
[+] old block 0... B263CEF5EA880400C837002000000018
[+] new block 0... B263CEF5EA880400C837002000000018
[+] Old UID... B2 63 CE F5
[+] New UID... B2 63 CE F5 ( verified )
[usb] pm3 --> hf mf darkside
[=] Expected execution time is about 25seconds on average
[=] Press pm3-button to abort
[=] Running darkside .[-] ⛔ card is not vulnerable to Darkside attack (its random number generator is not predictable)
- Any ideas on where to go from here?