Hi. New to fob cloning. Looking to get this cloned. I have a proxmark3. No idea what blank fob I would need or how to clone. Any help would be appreciated. TIA
Is it set up on your computer?
I’m pretty sure URMET is LF
So lets start off with:
placing it overlapping the red circular antenna and doing
lf search
and share the results
You may need to move itvaround to get a read.
If it reads, you most likely will want a T5577 fob to write to.
If you have no luck with lf search
try
hf search
Let us know how you go, we may need to tweak some things
Hi, unfortunately I don’t have it with me. I have a little side hustle cloning fobs so would need to be prepared before hand before the customer arrives
urmet come in em4100/MFC4B/MFP7B
em4100 are cloneable
mfc4b are cloneable but they have certain clone detection techniques
MFP7B can’t be cloned.
This is the results i got
[usb] pm3 → hf search
[-] Searching for ISO14443-A tag…
[=] ---------- ISO14443-A Information ----------
[+] UID: 52 9F 70 56 ( ONUID, re-used )
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[=]
[+] Prng detection… hard
[=]
[=] — Tag Signature
[=] IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 136DF9BAFF6AF4E52AADE057326BE317CF9BB6545F1BBC8406DD9605EE160F28
[+] Signature verification: successful
then it’s mifare classic which can be cloned but they deploy various anti cloning protections so you need to work around that
I did autopwn and then cload onto a blank mifare classic fob. Did not work
Is the blank a Gen1a?
Did you read the “cloned” tag and confirm it wrote? Did the tag data change in any way?
Also on the original, are any of the sectors password protected?
yes a gen1a mifare classic
yes it changed, the UID and the Sec. However when trying to run autopwn on the clone it gave this message:
[=] Running darkside …
[-] Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
[-] generating polynomial with 16 effective bits only, but shows unexpected behaviour.
[-] No usable key was found!
Do you have access to an android phone? Can you scan it with tag info and provide a screen shot of the sectors?
You can do this with PM3 but I can’t remember the command. Someone will chip in on this.
I suspect a sector is encrypted and that is what the system is using to determine whether or not to grant access.
all sectors are “encrypted” to the same degree not one more so than the only.
a gen1a won’t work.
you either need to grab a key from the reader or scale the attack to include the full dictionary and the longer block space to account for the signature which has a static key which will let you nested attack the rest of the sectors.