Cloning Schlage 9651T

I have been trying to clone my Schlage 9651T tag for a bit with no luck

  • First, I started by doing an HF and LF search, which returned nothing for the LF side and the following for the HF side.
[usb] pm3 --> hf search
 🕛  Searching for ISO14443-A tag...          
[+]  UID: B2 63 CE F5 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=] 
[=] --- Tag Signature
[=]  IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: F86964F96539A44192D9207DF000B4D75B0B749F7E91F87B9F94F71420672463
[+]        Signature verification: successful
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found
  • This indicates that the card is a MIFARE Classic 1K card so I ran hf mf chk which gave me the following
[+] found keys:

[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 001 | ------------   | 0 | ------------   | 0 |
[+] | 002 | ------------   | 0 | ------------   | 0 |
[+] | 003 | ------------   | 0 | ------------   | 0 |
[+] | 004 | ------------   | 0 | ------------   | 0 |
[+] | 005 | ------------   | 0 | ------------   | 0 |
[+] | 006 | ------------   | 0 | ------------   | 0 |
[+] | 007 | ------------   | 0 | ------------   | 0 |
[+] | 008 | ------------   | 0 | ------------   | 0 |
[+] | 009 | ------------   | 0 | ------------   | 0 |
[+] | 010 | ------------   | 0 | ------------   | 0 |
[+] | 011 | ------------   | 0 | ------------   | 0 |
[+] | 012 | ------------   | 0 | ------------   | 0 |
[+] | 013 | ------------   | 0 | ------------   | 0 |
[+] | 014 | ------------   | 0 | ------------   | 0 |
[+] | 015 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success )
  • This only got 4 keys; however, I still tried to run hf mf dump which threw up an auth error for most of the blocks but still gave me the following
[+] Succeeded in dumping all blocks

[+] saved 1024 bytes to binary file hf-mf-B263CEF5-dump-1.bin
[+] saved 64 blocks to text file hf-mf-B263CEF5-dump-1.eml
[+] saved to json file hf-mf-B263CEF5-dump-1.json
  • I then put a magic 1k card onto the reader and ran hf mf cload which gave
[usb] pm3 --> hf mf cload -f hf-mf-B263CEF5-dump-1.eml
[+] loaded 1024 bytes from text file hf-mf-B263CEF5-dump-1.eml
[=] Copying to magic gen1a card
[=] .................................................................

[+] Card loaded 64 blocks from file
[=] Done!
[usb] pm3 --> hf search
 🕒  Searching for ISO14443-A tag...          
[+]  UID: B2 63 CE F5 
[+] ATQA: 00 04
[+]  SAK: 88 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : Gen 1a
[#] 1 static nonce 01200145
[+] Static nonce: yes
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found
  • When I tried to use the new card on the reader (Schlage MT11 I think) it does not even recognize that a card is being held up to the reader.

  • After this I tried to use hf mf autopwn with no luck either

[usb] pm3 --> hf mf autopwn
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 42 keys from hardcoded default array
[=] running strategy 1
[=] ...
[=] Chunk 6.6s | found 4/32 keys (42)
[=] running strategy 2
[=] ...
[=] Chunk 6.5s | found 4/32 keys (42)
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time 
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 10 threads and no SIMD core                 |                 |
[=]        0 |       0 | Brute force benchmark: 855 million (2^29.7) keys/s      | 140737488355328 |    2d
[=]        3 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    2d
[=]        5 |     112 | Apply bit flip properties                               |   1771511611392 | 35min
[=]        6 |     224 | Apply bit flip properties                               |    559695724544 | 11min
[=]        7 |     336 | Apply bit flip properties                               |    388692967424 |  8min
[=]        8 |     448 | Apply bit flip properties                               |    372024573952 |  7min
[=]        8 |     560 | Apply bit flip properties                               |    372024573952 |  7min
[=]        9 |     671 | Apply bit flip properties                               |    372024573952 |  7min
[=]       10 |     783 | Apply bit flip properties                               |    372024573952 |  7min
[=]       11 |     895 | Apply bit flip properties                               |    372024573952 |  7min
[=]       12 |    1006 | Apply bit flip properties                               |    372024573952 |  7min
[=]       13 |    1117 | Apply bit flip properties                               |    372024573952 |  7min
[=]       14 |    1227 | Apply bit flip properties                               |    372024573952 |  7min
[=]       14 |    1337 | Apply bit flip properties                               |    372024573952 |  7min
[=]       15 |    1443 | Apply bit flip properties                               |    372024573952 |  7min
[=]       16 |    1551 | Apply bit flip properties                               |    372024573952 |  7min
[=]       17 |    1659 | Apply bit flip properties                               |    372024573952 |  7min
[-] ⛔ No match for the First_Byte_Sum (132), is the card a genuine MFC Ev1? 
  • I also tried to run hf mf csetuid and hf mf darkside but that didn’t get me anywhere either.
[usb] pm3 --> hf mf csetuid -u b263cef5
[+] old block 0... B263CEF5EA880400C837002000000018
[+] new block 0... B263CEF5EA880400C837002000000018
[+] Old UID... B2 63 CE F5 
[+] New UID... B2 63 CE F5  ( verified )
[usb] pm3 --> hf mf darkside
[=] Expected execution time is about 25seconds on average
[=] Press pm3-button to abort

[=] Running darkside .[-] ⛔ card is not vulnerable to Darkside attack (its random number generator is not predictable)
  • Any ideas on where to go from here?

I would suggest trying B key.

What version of PM3 are you using?

Do hw version and post the output please. :slight_smile:

We use very similar readers at my workplace and they are very particular about the information on the card. If it is not formatted properly, you will not even get a beep. You will likely need to get the keys for all sectors and make a full copy before it will work.
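The partial `hf mf dump` above and this reply both come down to the same question: did every sector actually get read before the dump was written to the magic card? The following script is an added example, not from any poster or from the Proxmark3 project. It parses a 1K `.eml` dump (64 lines of 32 hex characters), validates the BCC of block 0, and flags sectors whose trailer fails the MIFARE Classic access-bit consistency rule, on the assumption that blocks which could not be authenticated are left as all zeros in the dump. The sample dump is constructed: block 0 is the one quoted in the thread, sectors 0 and 15 carry the default transport trailer, and sectors 1 to 14 are zeros.

```python
from typing import Dict, List

SECTORS = 16             # MIFARE Classic 1K: 16 sectors x 4 blocks x 16 bytes
BLOCKS_PER_SECTOR = 4

def build_sample_eml() -> List[str]:
    """Constructed .eml content for the example; not the poster's real file."""
    lines = []
    for block in range(SECTORS * BLOCKS_PER_SECTOR):
        sector = block // BLOCKS_PER_SECTOR
        if block == 0:
            lines.append("B263CEF5EA880400C837002000000018")   # block 0 quoted in the thread
        elif sector in (0, 15) and block % BLOCKS_PER_SECTOR == 3:
            # default trailer: key A, access bytes FF 07 80, GPB 69, key B
            lines.append("FFFFFFFFFFFF" + "FF078069" + "FFFFFFFFFFFF")
        else:
            lines.append("00" * 16)   # empty data block, or sector that could not be authenticated
    return lines

def parse_eml(lines: List[str]) -> List[bytes]:
    blocks = [bytes.fromhex(line.strip()) for line in lines if line.strip()]
    if len(blocks) != SECTORS * BLOCKS_PER_SECTOR or any(len(b) != 16 for b in blocks):
        raise ValueError("not a 1K dump: expected 64 blocks of 16 bytes")
    return blocks

def access_bits_consistent(trailer: bytes) -> bool:
    """Bytes 6..8 store C1/C2/C3 twice, once inverted; an all-zero (unread) trailer fails."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    return ((b6 & 0x0F) ^ (b7 >> 4) == 0x0F and
            (b6 >> 4) ^ (b8 & 0x0F) == 0x0F and
            (b7 & 0x0F) ^ (b8 >> 4) == 0x0F)

def bcc_ok(block0: bytes) -> bool:
    """Byte 4 of block 0 must equal the XOR of the four UID bytes."""
    return block0[4] == block0[0] ^ block0[1] ^ block0[2] ^ block0[3]

def audit_dump(lines: List[str]) -> Dict[str, object]:
    """Report which sectors look unread and which still use the factory FFFFFFFFFFFF keys."""
    blocks = parse_eml(lines)
    unread, default_keys = [], []
    for s in range(SECTORS):
        trailer = blocks[s * BLOCKS_PER_SECTOR + 3]
        if not access_bits_consistent(trailer):
            unread.append(s)
        elif trailer[:6] == b"\xff" * 6 or trailer[10:] == b"\xff" * 6:
            default_keys.append(s)
    return {"uid": blocks[0][:4].hex().upper(), "bcc_ok": bcc_ok(blocks[0]),
            "unread_sectors": unread, "default_key_sectors": default_keys,
            "complete": not unread}

if __name__ == "__main__":
    print(audit_dump(build_sample_eml()))
```

Run it against a real `hf-mf-<UID>-dump-N.eml` by replacing the constructed lines with `open(path).read().splitlines()`; a non-empty `unread_sectors` list means the copy will be rejected by a reader that checks those sectors, exactly as described above.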

Yeah I figured that might be the case. Here is what hw version returns

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  RRG/Iceman/master/v4.14831 2022-01-11 19:17:19
  compiled with............. Clang/LLVM Apple LLVM 13.0.0 (clang-1300.0.29.30)
  platform.................. OSX / aarch64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... absent
  Python script support..... absent
  Lua SWIG support.......... present
  Python SWIG support....... absent

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.14831 2022-01-11 19:17:19
       os: RRG/Iceman/master/v4.14831 2022-01-11 19:17:19
  compiled with GCC 10.2.1 20201103 (release)

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
  HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 53% used )

This issue on GitHub mentions a very similar error to what you are experiencing, on the exact same version in fact. I’m guessing you used brew to install it as well?

Later on in that issue, another user states that building from latest source fixes the issue for them. I would try that and see what results you get. See here for how to build depending on your platform.

Edit:
Just realized they mentioned:

However, the version installed with brew install proxmark/proxmark3/proxmark3 works fine without any Auth1 error.

2 Likes

Nice find, thank you! That didn’t seem to fix it, but I did run the latest non-stable version from GitHub and that seemed to fix it. Now when I run hf mf autopwn I can get all of the keys and load the dump file on to the new tag with hf mf cload. This seemed to work and the new tag scans perfectly. Thanks again for your help!

2 Likes

I’m glad you got it working! If you have more questions or just want to chat, don’t hesitate to post. Plenty of friendly and helpful folk around here. :slightly_smiling_face:

Just as a curious question, do you plan to get an implant to clone to?

I already have a NExT for my other ID cards. I might get a flexM1 or a xM1 if I keep running into MIFARE Classic 1k cards though.

1 Like

If you do, I can give you pointers on the best way(s) to present it to the Schlage/AptiQ readers. I use my xM1 at work everyday and have gotten quite good at it.

The xM1 is a great xSeries implant, but there is currently no stock, and nobody knows when/if it will be back in stock because of chip supply sourcing issues.
HOWEVER
I highly recommend the FlexM1, I use mine a lot, the performance and read range is really good, so if you are considering getting one, go for it!

If you weren’t aware, you can also store NDEF data sets * with caveat

1 Like

Honestly these are great reads and a lot of good information here that will help a lot of other people. I’m still having trouble because I have not successfully been able to transfer any information to my magic cards because I don’t have all the damn keys yet (I thought I did). I also need to get a different prox, so that’s holding me back from a lot of this because I’m at the mercy of an iCopy-X or a Flipper, and while both are powerful they both have their shortcomings as well. I’m literally trying to read this damn reader pad 20 times to try and get all nonces needed for all sectors. Like others I’m stuck on 4 out of the 32 keys. My property manager sees me on camera and comes out and says

" boy what in the hell are you doing!"

I said I have a new device that allows me to store my keys all in one place so I don’t have to carry around these hundred dollar fobs that you sell, and she said well if it’s going to be all that much effort I’ll just give you a damn fob. I said well then it wouldn’t be as fun and challenging, and she rolls her eyes and says I’m crazy and that I can’t do something like this. I told her well it’s my damn apartment and there’s no Do Not Duplicate on this key and come hell or high water I’m going to figure it out. She said knock yourself out, and I said but instead of that key fob can I have admin rights to your encoding system? She started laughing and walked off lol

2 Likes

If I clone my apartment Schlage key, can management detect it? I forget my key at home sometimes when I go to the bar with friends and I would like to leave a spare in my car.

Who is management? Are they a crack security team at a big company? Is it old lady Gladys who sits behind the front desk at your apartment complex and can barely find the power button on the monitor? It also depends I guess on which type of magic chip you’re talking about. Some systems can probe for magic gen1a chips, which work by using and responding to a “back door” magic command. But even if the system can detect this and deny your implant / ring / magic chip, whether or not “management” would see or even understand any potential log entry or alert about it is questionable… if the system even looks for magic chips.

Generally speaking, a gen2 chip might be undetectable if sector 0 has proper security keys and access bits set, but the only way for the system to tell would be to attempt a potentially destructive write process to sector 0 and I doubt a security probe of any kind would go that far.

1 Like