So where did we leave off?
I was once again helped by @cexshun and @Jirvin.
If you did everything in the last post and that all worked, we can now clone a MIFARE Classic 1k.
When you fire up your Proxmark 3 Easy, you should first start a hardware tune. First make sure your card is not near the device, as this may damage the card.
Then you can run this command
so you know your device is good to go.
It should tell you if there is something not working.
Now we should do a hf search to see if it reads the card and what kind of card it is. Mine looked like this:
proxmark3> hf search
UID : ( your UID )
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
That's what my card looks like; I did take my UID out of it.
Now we can try to find the first key so we can crack the rest of the card. The command we will run now is
Then let that run. It can take quite some time; mine takes about 15 minutes. When that's done,
the software tells you this:
proxmark3> hf mf mifare
Executing command. Expected execution time: 25sec on average
Press button on the proxmark3 device to abort both proxmark3 and client.
…Found a possible key. Trying to authenticate…
Found valid key: A KEY
Then you should write down that key, or just copy it, because we will need it for the next command.
Now we are going to do a nested attack.
The next command will be
- hf mf nested 1 0 A YOURKEY d
Then the Proxmark will use that key to find the remaining keys. Now let it run, and it should look something like this:
Nested statistic:
Iterations count: 137
Time in nested: 87,216 (0,637 sec per key)
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  000000000000  | 1 |  000000000000  | 1 |
|001|  000000000000  | 1 |  000000000000  | 1 |
|002|  000000000000  | 1 |  000000000000  | 1 |
|003|  000000000000  | 1 |  000000000000  | 1 |
|004|  000000000000  | 1 |  000000000000  | 1 |
|005|  000000000000  | 1 |  000000000000  | 1 |
|006|  000000000000  | 1 |  000000000000  | 1 |
|007|  000000000000  | 1 |  000000000000  | 1 |
|008|  000000000000  | 1 |  000000000000  | 1 |
|009|  000000000000  | 1 |  000000000000  | 0 |
|010|  000000000000  | 1 |  000000000000  | 1 |
|011|  000000000000  | 1 |  000000000000  | 1 |
|012|  000000000000  | 1 |  000000000000  | 1 |
|013|  000000000000  | 1 |  000000000000  | 1 |
|014|  000000000000  | 1 |  000000000000  | 1 |
|015|  000000000000  | 0 |  000000000000  | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin…
proxmark3>
I did change all the keys to zero here, so it will be a bit different for you.
Now it should have found all keys. If not, it's going to be a bit more difficult, and I will make a new post for that some day.
Now we should make a file with all the keys inside; it must be a .dic file
so we can tell the software to use those keys instead of the default keys.
Place your file somewhere you can easily make a path to, so your command should be something like this, but then of course with your path to the file:
- hf mf chk *1 ? d /home/simon/garagekeys.dic
Now you can run the next command
so we can convert this to the file we are going to use to write to the new card or your xm1+.
Now we can run this script to convert the file:
- script run dumptoemul -0 dumpdata.bin
That gave you a file name; you need that in the next step.
Now take off your source card and put on your target card or xm1+. First try on a test card to be sure.
Then run this command
and now you have cloned your source card to whatever you want.
I want to thank @cexshun and @Jirvin once more, since they helped me a lot this time again.
If there is something not right in this, please just tell me.
Greetings
-simon
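For anyone reviewing their own cards, here is an added example (not part of simon's post and not code from the Proxmark client) that reads the key table printed after the nested step and reports, per sector and key slot, whether the key is a widely published default, was recovered, or was not recovered (res 0). It assumes the table layout shown above; the sample table and the non-default key in it are constructed, and DEFAULT_KEYS is a short illustrative list.

```python
import re

# Widely published factory/default MIFARE Classic keys (illustrative, not exhaustive).
DEFAULT_KEYS = {"FFFFFFFFFFFF", "000000000000", "A0A1A2A3A4A5", "D3F7D3F7D3F7"}

# One data row of the table: |sec|key A|res|key B|res|
ROW = re.compile(
    r"^\|\s*(\d{3})\s*\|\s*([0-9A-Fa-f]{12})\s*\|\s*([01])\s*\|"
    r"\s*([0-9A-Fa-f]{12})\s*\|\s*([01])\s*\|$"
)

# Constructed sample output (not taken from a real card).
SAMPLE = """\
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  a0a1a2a3a4a5  | 1 |  1a2b3c4d5e6f  | 1 |
|002|  1a2b3c4d5e6f  | 1 |  000000000000  | 0 |
|003|  000000000000  | 0 |  000000000000  | 0 |
|---|----------------|---|----------------|---|
"""

def parse_key_table(text):
    """Return a list of (sector, slot, key, found) for every data row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separators, prompts and other output
        sec, key_a, res_a, key_b, res_b = m.groups()
        rows.append((int(sec), "A", key_a.upper(), res_a == "1"))
        rows.append((int(sec), "B", key_b.upper(), res_b == "1"))
    return rows

def audit(rows):
    """Group key slots by finding; a res of 0 is never counted as a default key."""
    report = {"default": [], "recovered": [], "not_recovered": []}
    for sec, slot, key, found in rows:
        if not found:
            report["not_recovered"].append((sec, slot))  # printed key is a placeholder
        elif key in DEFAULT_KEYS:
            report["default"].append((sec, slot))
        else:
            report["recovered"].append((sec, slot))
    return report

if __name__ == "__main__":
    for finding, slots in audit(parse_key_table(SAMPLE)).items():
        print(finding, slots)
```

Run against the table in the post, it would list sector 9 key B and sector 15 key A as not recovered, since those two rows show res 0.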