Cloning Schlage 9651T

I have been trying to clone my Schlage 9651T tag for a bit with no luck

  • First, I started by doing a HF and LF search which returned nothing for the LF side and the following for the HF side.
[usb] pm3 --> hf search
 🕛  Searching for ISO14443-A tag...          
[+]  UID: B2 63 CE F5 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=] 
[=] --- Tag Signature
[=]  IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: F86964F96539A44192D9207DF000B4D75B0B749F7E91F87B9F94F71420672463
[+]        Signature verification: successful
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found
  • This indicates that the card is a MIFARE Classic 1K card so I ran hf mf chk which gave me the following
[+] found keys:

[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 001 | ------------   | 0 | ------------   | 0 |
[+] | 002 | ------------   | 0 | ------------   | 0 |
[+] | 003 | ------------   | 0 | ------------   | 0 |
[+] | 004 | ------------   | 0 | ------------   | 0 |
[+] | 005 | ------------   | 0 | ------------   | 0 |
[+] | 006 | ------------   | 0 | ------------   | 0 |
[+] | 007 | ------------   | 0 | ------------   | 0 |
[+] | 008 | ------------   | 0 | ------------   | 0 |
[+] | 009 | ------------   | 0 | ------------   | 0 |
[+] | 010 | ------------   | 0 | ------------   | 0 |
[+] | 011 | ------------   | 0 | ------------   | 0 |
[+] | 012 | ------------   | 0 | ------------   | 0 |
[+] | 013 | ------------   | 0 | ------------   | 0 |
[+] | 014 | ------------   | 0 | ------------   | 0 |
[+] | 015 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success )
  • This only got 4 keys; however, I still tried to run hf mf dump which threw up an auth error for most of the blocks but still gave me the following
[+] Succeeded in dumping all blocks

[+] saved 1024 bytes to binary file hf-mf-B263CEF5-dump-1.bin
[+] saved 64 blocks to text file hf-mf-B263CEF5-dump-1.eml
[+] saved to json file hf-mf-B263CEF5-dump-1.json
  • I then put a magic 1k card onto the reader and ran hf mf cload which gave
[usb] pm3 --> hf mf cload -f hf-mf-B263CEF5-dump-1.eml
[+] loaded 1024 bytes from text file hf-mf-B263CEF5-dump-1.eml
[=] Copying to magic gen1a card
[=] .................................................................

[+] Card loaded 64 blocks from file
[=] Done!
[usb] pm3 --> hf search
 🕒  Searching for ISO14443-A tag...          
[+]  UID: B2 63 CE F5 
[+] ATQA: 00 04
[+]  SAK: 88 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : Gen 1a
[#] 1 static nonce 01200145
[+] Static nonce: yes
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found
  • When I tried to use the new card on the reader (Schlage MT11 I think) it does not even recognize that a card is being held up to the reader.

  • After this I tried to use hf mf autopwn with no luck either

[usb] pm3 --> hf mf autopwn
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 42 keys from hardcoded default array
[=] running strategy 1
[=] ...
[=] Chunk 6.6s | found 4/32 keys (42)
[=] running strategy 2
[=] ...
[=] Chunk 6.5s | found 4/32 keys (42)
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 10 threads and no SIMD core                 |                 |
[=]        0 |       0 | Brute force benchmark: 855 million (2^29.7) keys/s      | 140737488355328 |    2d
[=]        3 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    2d
[=]        5 |     112 | Apply bit flip properties                               |   1771511611392 | 35min
[=]        6 |     224 | Apply bit flip properties                               |    559695724544 | 11min
[=]        7 |     336 | Apply bit flip properties                               |    388692967424 |  8min
[=]        8 |     448 | Apply bit flip properties                               |    372024573952 |  7min
[=]        8 |     560 | Apply bit flip properties                               |    372024573952 |  7min
[=]        9 |     671 | Apply bit flip properties                               |    372024573952 |  7min
[=]       10 |     783 | Apply bit flip properties                               |    372024573952 |  7min
[=]       11 |     895 | Apply bit flip properties                               |    372024573952 |  7min
[=]       12 |    1006 | Apply bit flip properties                               |    372024573952 |  7min
[=]       13 |    1117 | Apply bit flip properties                               |    372024573952 |  7min
[=]       14 |    1227 | Apply bit flip properties                               |    372024573952 |  7min
[=]       14 |    1337 | Apply bit flip properties                               |    372024573952 |  7min
[=]       15 |    1443 | Apply bit flip properties                               |    372024573952 |  7min
[=]       16 |    1551 | Apply bit flip properties                               |    372024573952 |  7min
[=]       17 |    1659 | Apply bit flip properties                               |    372024573952 |  7min
[-] ⛔ No match for the First_Byte_Sum (132), is the card a genuine MFC Ev1? 
  • I also tried to run hf mf csetuid and hf mf darkside but that didn’t get me anywhere either.
[usb] pm3 --> hf mf csetuid -u b263cef5
[+] old block 0... B263CEF5EA880400C837002000000018
[+] new block 0... B263CEF5EA880400C837002000000018
[+] Old UID... B2 63 CE F5 
[+] New UID... B2 63 CE F5  ( verified )
[usb] pm3 --> hf mf darkside
[=] Expected execution time is about 25seconds on average
[=] Press pm3-button to abort

[=] Running darkside .[-] ⛔ card is not vulnerable to Darkside attack (its random number generator is not predictable)
  • Any ideas on where to go from here?
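The block 0 line printed by `hf mf csetuid` above packs the UID, its BCC check byte, the SAK and the ATQA that a reader sees during anticollision. The following decoder is an added example, not code from the thread or from the Proxmark3 project; it parses that 16-byte block, verifies the BCC, and reports any disagreement with the UID/SAK/ATQA that `hf search` showed, which is a quick way to tell whether a copied manufacturer block is consistent with what the tag actually answers. The `Block0` and `mismatches` names are the example's own.

```python
# Added example (not from the thread): decode a MIFARE Classic block 0 as printed
# by `hf mf csetuid` and check it against what `hf search` reported for the card.
from dataclasses import dataclass

@dataclass
class Block0:
    uid: bytes              # 4-byte UID
    bcc: int                # stored block check character
    bcc_ok: bool            # True when BCC == XOR of the four UID bytes
    sak: int                # SAK byte the card answers with
    atqa: int               # ATQA as a 16-bit value (stored little-endian in the block)
    card_type: str
    manufacturer_data: bytes

def classify_sak(sak: int) -> str:
    """Simplified SAK decoding for 4-byte-UID cards; bit 7 is vendor specific and ignored."""
    if sak & 0x20:
        return "ISO14443-4 compliant (not a plain MIFARE Classic)"
    if sak & 0x18 == 0x18:
        return "MIFARE Classic 4K"
    if sak & 0x08:
        return "MIFARE Classic 1K"
    return "unknown"

def decode_block0(hexblock: str) -> Block0:
    data = bytes.fromhex(hexblock.replace(" ", ""))
    if len(data) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    uid = data[0:4]
    bcc = data[4]
    calc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]   # BCC is the XOR of the UID bytes
    sak = data[5]
    atqa = int.from_bytes(data[6:8], "little")
    return Block0(uid, bcc, bcc == calc, sak, atqa, classify_sak(sak), data[8:16])

def mismatches(block: Block0, reader_uid_hex: str, reader_sak: int, reader_atqa: int) -> list:
    """Compare block 0 with the anticollision values a reader saw; an empty list means consistent."""
    problems = []
    if not block.bcc_ok:
        problems.append("BCC does not match UID")
    if block.uid.hex() != reader_uid_hex.replace(" ", "").lower():
        problems.append("UID differs from reader")
    if block.sak != reader_sak:
        problems.append(f"SAK 0x{block.sak:02X} in block 0 != 0x{reader_sak:02X} from reader")
    if block.atqa != reader_atqa:
        problems.append(f"ATQA 0x{block.atqa:04X} in block 0 != 0x{reader_atqa:04X} from reader")
    return problems
```

Running `decode_block0` on the block 0 shown in the post gives a MIFARE Classic 1K with a valid BCC, and `mismatches` against the UID, SAK 0x88 and ATQA 0x0004 from the second `hf search` returns an empty list.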

I would suggest trying key B.

What version of PM3 are you using?

Do hw version and post the output please. :slight_smile:

We use very similar readers at my workplace and they are very particular about the information on the card. If it is not formatted properly, you will not even get a beep. You will likely need to get the keys for all sectors and make a full copy before it will work.

Yeah I figured that might be the case. Here is what hw version returns

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  RRG/Iceman/master/v4.14831 2022-01-11 19:17:19
  compiled with............. Clang/LLVM Apple LLVM 13.0.0 (clang-1300.0.29.30)
  platform.................. OSX / aarch64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... absent
  Python script support..... absent
  Lua SWIG support.......... present
  Python SWIG support....... absent

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.14831 2022-01-11 19:17:19
       os: RRG/Iceman/master/v4.14831 2022-01-11 19:17:19
  compiled with GCC 10.2.1 20201103 (release)

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
  HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 53% used )

This issue on GitHub mentions a very similar error to what you are experiencing, on the exact same version in fact. I’m guessing you used brew to install it as well?

Later on in that issue, another user states that building from latest source fixes the issue for them. I would try that and see what results you get. See here for how to build depending on your platform.

Edit:
Just realized they mentioned:

However, the version installed with brew install proxmark/proxmark3/proxmark3 works fine without any Auth1 error.


Nice find, thank you! That didn’t seem to fix it, but I did run the latest non-stable version from GitHub and that seemed to fix it. Now when I run hf mf autopwn I can get all of the keys and load the dump file onto the new tag with hf mf cload. This seemed to work and the new tag scans perfectly. Thanks again for your help!


I’m glad you got it working! If you have more questions or just want to chat, don’t hesitate to post. Plenty of friendly and helpful folk around here. :slightly_smiling_face:

Just as a curious question, do you plan to get an implant to clone to?

I already have a NExT for my other ID cards. I might get a flexM1 or a xM1 if I keep running into MIFARE Classic 1k cards though.


If you do, I can give you pointers on the best way(s) to present it to the Schlage/AptiQ readers. I use my xM1 at work everyday and have gotten quite good at it.

The xM1 is a great xSeries implant, but there is currently no stock, and nobody knows when/if it will be back in stock because of chip supply sourcing issues.
HOWEVER
I highly recommend the FlexM1. I use mine a lot, and the performance and read range are really good, so if you are considering getting one, go for it!

If you weren’t aware, you can also store NDEF data sets * with caveat
