Fob cloning Urmet


Hi. New to fob cloning. Looking to get this cloned. I have a proxmark3. No idea what blank fob I would need or how to clone. Any help would be appreciated. TIA

1 Like

Is it set up on your computer?

I’m pretty sure URMET is LF

So let's start off with:
placing it overlapping the red circular antenna and doing
lf search
and share the results

You may need to move it around to get a read.

If it reads, you most likely will want a T5577 fob to write to.

If you have no luck with lf search

try

hf search

Let us know how you go, we may need to tweak some things

4 Likes

Hi, unfortunately I don’t have it with me. I have a little side hustle cloning fobs so would need to be prepared beforehand before the customer arrives

urmet come in em4100/MFC4B/MFP7B

em4100 are cloneable

mfc4b are cloneable but they have certain clone detection techniques

MFP7B can’t be cloned.

2 Likes

These are the results I got

[usb] pm3 --> hf search
[-] Searching for ISO14443-A tag...
[=] ---------- ISO14443-A Information ----------
[+] UID: 52 9F 70 56 ( ONUID, re-used )
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[=]
[+] Prng detection... hard
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 136DF9BAFF6AF4E52AADE057326BE317CF9BB6545F1BBC8406DD9605EE160F28
[+] Signature verification: successful

then it’s mifare classic which can be cloned but they deploy various anti cloning protections so you need to work around that

1 Like
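An added example, not part of any post in this thread: a small parser that turns the `hf search` output above into a credential inventory entry, so a site owner can see which issued fobs are MIFARE Classic. The SAK table is general NXP type-identification knowledge, and the function names and finding strings are assumptions made for illustration.

```python
import re

# Constructed sample: fields from the `hf search` output posted in the thread.
SAMPLE = """\
[+] UID: 52 9F 70 56 ( ONUID, re-used )
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Prng detection... hard
[+] Signature verification: successful
"""

# SAK values of common NXP ISO14443-A families (general knowledge, not from the thread).
SAK_FAMILY = {
    0x00: "MIFARE Ultralight / NTAG",
    0x08: "MIFARE Classic 1K",
    0x18: "MIFARE Classic 4K",
    0x20: "ISO14443-4 card (e.g. DESFire, Plus SL3)",
}

def parse_hf_search(text):  # extract identification fields from `hf search` output
    tag = {}
    for line in text.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", line.strip())  # drop the "[+]" / "[=]" prefix
        if m := re.match(r"UID:\s*((?:[0-9A-Fa-f]{2}\s*)+)", line):
            tag["uid"] = bytes.fromhex(m.group(1).strip())
            tag["uid_reused"] = "re-used" in line
        elif m := re.match(r"ATQA:\s*([0-9A-Fa-f]{2})\s*([0-9A-Fa-f]{2})", line):
            tag["atqa"] = (m.group(1) + m.group(2)).upper()
        elif m := re.match(r"SAK:\s*([0-9A-Fa-f]{2})", line):
            tag["sak"] = int(m.group(1), 16)
        elif m := re.match(r"Prng detection\W+(\w+)", line):  # tolerates "..." or "…"
            tag["prng"] = m.group(1)
        elif m := re.match(r"Signature verification:\s*(\w+)", line):
            tag["signature_ok"] = m.group(1) == "successful"
    return tag

def assess(tag):  # returns (family, findings) for one inventory entry
    family = SAK_FAMILY.get(tag.get("sak"), "unknown")
    findings = []
    if "Classic" in family:
        findings.append("MIFARE Classic: cloneable according to the thread")
    if tag.get("uid_reused"):
        findings.append("4-byte UID flagged as re-used: not a unique identifier")
    if tag.get("signature_ok"):
        findings.append("NXP originality signature verifies")
    return family, findings

if __name__ == "__main__":
    print(assess(parse_hf_search(SAMPLE)))
```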

I did autopwn and then cload onto a blank mifare classic fob. Did not work 😔

Is the blank a Gen1a?

Did you read the “cloned” tag and confirm it wrote? Did the tag data change in any way?

1 Like

Also on the original, are any of the sectors password protected?

1 Like

yes a gen1a mifare classic

yes it changed, the UID and the Sec. However when trying to run autopwn on the clone it gave this message:

[=] Running darkside …
[-] Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
[-] generating polynomial with 16 effective bits only, but shows unexpected behaviour.
[-] No usable key was found!

Do you have access to an Android phone? Can you scan it with tag info and provide a screenshot of the sectors?

You can do this with PM3 but I can’t remember the command. Someone will chip in on this.

I suspect a sector is encrypted and that is what the system is using to determine whether or not to grant access.

all sectors are “encrypted” to the same degree, not one more so than the other.

a gen1a won’t work.

you either need to grab a key from the reader or scale the attack to include the full dictionary and the longer block space to account for the signature which has a static key which will let you nested attack the rest of the sectors.

3 Likes