Dealing with MIFARE Classic 1k static encrypted nonces (Sniffing w/Proxmark 3 Easy)

Version Used

Client… Iceman/master/v4.18341-16-gc183894cb 2024-04-01 11:49:57
Bootrom… Iceman/master/v4.18341-16-gc183894cb-suspect 2024-04-01 11:49:15
OS… Iceman/master/v4.18341-16-gc183894cb-suspect 2024-04-01 11:49:33
Target… PM3 GENERIC

This comes up now and again and has been sorted on the forum but I found a method that I feel is quite clear. I ran into this when playing with the SwitchBot Keypad. So, if you see this:

Follow these steps:

Put the tag on your Proxmark and run the following command:
hf 14a sniff
Scan the tag with the reader while it's up against the Proxmark. Let it register a few times for good measure, then press the button on the side of your Proxmark to stop the sniff.


trace list -1 -t mf

Now that you’ve got a potential key, check it:
hf mf chk --1k -k <the key you sniffed, in this case: 3996CC3FD975>

If that checks out:
hf mf autopwn -k <the confirmed key: 3996CC3FD975>

Hopefully that helps.

6 Likes

Dude, I would buy you a beer and high-five you right now if you were here. I too have a SwitchBot lock that I have been trying to put on a fob instead of the card it comes with. I came across this post by accident (was looking for something else), but this is exactly what I was looking for the last month or so. Thanks!

Your post is also helping me find keys for a laundry card that I was trying to crack for the last month now. Many thanks again for posting!!

2 Likes

Any advice if I can only get 1 key and when I do the autopwn with said key it still gives “static encrypted nonce detected. Aborted”?

Hrm… I’d need to see more of the process you’re using. Feel free to block out the keys. I left them in because we aren’t using the lock/card for anything.

Static encrypted nonces? Your only option would be to sniff. If you can do the sniff and upload the trace, I'll pick through and pull any keys being used.

1 Like

I actually stumbled into finding the keys. After multiple attempts of sniffing and autopwn-ing, I realized you could autopwn with multiple keys/keyfiles. The other two keys were default keys. My new current problem is getting the dump file to clone over to a magic gen 4 card. But I made a whole post on that (over here).