Help: Unable to recover sector keys on genuine MIFARE Classic EV1 with Proxmark3

Hello everyone,

I am trying to recover the keys of a genuine MIFARE Classic EV1 card using my Proxmark3, but I am running into several issues and I need guidance. Here is a detailed description of what I have tried so far:


Card detection

hf search
  • Result: MIFARE Classic 1K detected.

  • UID detected correctly.


Initial attempt with hf mf autopwn

hf mf autopwn

  • Detected the card as MIFARE Classic EV1.

  • Loaded 5 user keys and 61 hardcoded keys.

  • Targeted sectors 0, 16, 17 successfully and found some valid keys:

    • Sector 0 Key A: A0A1A2A3A4A5

    • Sector 16 Key A: 5C8FF9990DA2

    • Sector 16 Key B: D01AFEEB890A

    • Sector 17 Key A: 75CCB59C9BED

    • Sector 17 Key B: 4B791BEA7BCC

  • Attempted further attacks on other sectors but encountered repeated errors:

[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Auth1 error
[-] No match for the First_Byte_Sum (127), is the card a genuine MFC Ev1?


Hardnested attack attempts

  • Commands used:
hf mf hardnested --blk 0 -a -k A0A1A2A3A4A5 --tblk 1 --ta
hf mf hardnested -r --tk A0A1A2A3A4A5 --i2

  • Observations:

    • PM3 successfully detected the EV1 card and loaded nonces from file.

    • Attack tried all guesses for Sum(a8) with bitflip properties applied.

    • None of the attempts recovered the key for sector 1.

    • Final result:

[-] Failed to recover a key...

  • All logs indicate Auth1/Auth2 errors and inability to select the card for certain operations.

Attempts at brute-force with user/hard keys

  • I have tried loading user keys and hard keys files with hf mf setuserkeys and hf mf sethardkeys.

  • Commands like:

hf mf autopwn --blk 1 --ta
hf mf autopwn --blk 1 --tb

  • The brute-force attempts with known keys did not succeed.

  • Likely cause: genuine EV1 uses random keys per sector, and software-only attacks cannot derive them.


Side-channel consideration

  • I understand that software attacks fail on genuine EV1.

  • I am aware that side-channel attacks (power analysis, EM analysis, or fault injection) are theoretically effective but require additional lab equipment (and I don't have it).


Summary of the problem

  • Sectors like 0, 16, 17 are readable with known keys.

  • Sector 1 (and likely others) cannot be accessed: all hardnested, nested, or brute-force attacks with keys known online fail.

  • PM3 errors observed:

    • Auth1 error / Auth2 error len=1

    • Can't select card (UID)

    • Failed to recover a key

  • Goal: Recover keys for sector 1 (and possibly others) of a genuine EV1.


Questions / Help requested

  1. Is there any software-only method to recover sector keys on a genuine EV1?

  2. Are there special tricks or advanced PM3 features that I might not be aware of?

  3. Don’t tell me the only option is to do a side-channel attack (or attacks that include other hardware) because I don’t have the tools and I’m broke asf :joy_cat:.

Thank you in advance for your guidance!

2 Likes

You might try re-running autopwn with a dictionary:

hf mf autopwn -f mfc_default_keys

If that doesn’t work you may be able to sniff the keys from the reader, here’s some more info:

2 Likes

The output from the following commands is very helpful when trying to understand:

hf 14a info
hf mf info

Normally with a genuine NXP MIFARE Classic 1K Ev1, you can try

  • Distance between tag and antenna
  • slow parameter, hf mf autopwn --slow
5 Likes

Hi, thanks for the suggestions. I’ve tried re-running hf mf autopwn -f mfc_default_keys as well as using the --slow parameter, but it just keeps running for hours without finding any keys.

1 Like

I’ve also checked the outputs from:

hf 14a info
hf mf info

but that hasn’t helped me identify the missing keys.

Using brute-force, I’ve only managed to recover 5 keys out of 32 sectors so far.

Basically, I’m trying to do a full dump of a genuine NXP MIFARE Classic 1K EV1, but I need a reliable way to find the remaining keys for the protected sectors. Any advice would be greatly appreciated.

That was me who wanted to see the output of those commands.

1 Like

Sorry I didn’t understand, anyway, here it is.

1 Like

hf mf autopwn should do the trick.

Try some distance between the tag and the antenna.

2 Likes

I tried 2 times with the command hf mf autopwn --slow, and both times it crashed after some time.

after a while…

1 Like

Tried some distance between the tag and the antenna?

And try the mfc_default_keys option to autopwn as well.

You seem to have an MFC card with a MAD on it.

2 Likes

It worked, thanks. The first attack I did with autopwn didn't work because I was trying different positions during the attack, to see where there was more signal. Then I tried hf mf autopwn --slow with the tag under the PM3 (where there was more signal) and it worked, giving all the keys successfully. Thanks again for your help!

4 Likes

Hello again!
After running hf mf autopwn on a test card, the software detected 71 blocks, but when I exported the dump using hf mf dump, it only showed 64 actual blocks.

How is it possible that blocks beyond the tag’s physical capacity are displayed? I understand that autopwn probably also displays virtual or control blocks to analyze sector patterns and authentication, but I’d like to better understand what they represent and whether they have any real role in reading/writing the tag. To clone it perfectly so that it functions like the original, do I need to include those blocks as well?
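As an added example (not code from the thread or from the Proxmark3 project), here is a small Python parser for the physical MIFARE Classic 1K layout that a dump file holds: 16 sectors of 4 blocks of 16 bytes, i.e. exactly 64 blocks, with the last block of each sector being the trailer (key A, access bits, key B). It assumes the raw 1024-byte binary dump format and uses a constructed sample dump; the access-bit redundancy check is the one from the NXP datasheet layout.

```python
# Added example (not from the thread): decode a MIFARE Classic 1K dump of the kind
# `hf mf dump` writes: 16 sectors x 4 blocks x 16 bytes = 64 blocks; the last block
# of each sector is the trailer: key A | access bits | key B.
BLOCK_SIZE, BLOCKS_PER_SECTOR, SECTORS_1K = 16, 4, 16
MAD_KEY_A = bytes.fromhex("A0A1A2A3A4A5")     # public MAD key A (sector 0 in the thread)
TRANSPORT_ACCESS = bytes.fromhex("FF078069")  # NXP transport-configuration access bytes

def sector_of(block: int) -> int:
    """Block index -> sector number (1K layout: 4 blocks per sector)."""
    return block // BLOCKS_PER_SECTOR

def is_trailer(block: int) -> bool:
    return block % BLOCKS_PER_SECTOR == BLOCKS_PER_SECTOR - 1

def decode_access_bits(ab: bytes) -> tuple[list[tuple[int, int, int]], bool]:
    """Return (C1, C2, C3) per block of the sector and whether the inverted nibbles
    in trailer bytes 6..8 agree (an inconsistent trailer makes the sector unusable)."""
    b6, b7, b8 = ab[0], ab[1], ab[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Datasheet layout (high|low nibble): byte6 = ~C2|~C1, byte7 = C1|~C3, byte8 = C3|C2
    consistent = b6 == ((~c2 & 0x0F) << 4 | (~c1 & 0x0F)) and (b7 & 0x0F) == (~c3 & 0x0F)
    bits = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(BLOCKS_PER_SECTOR)]
    return bits, consistent

def parse_dump(dump: bytes) -> dict[int, dict]:
    """Split a raw 1024-byte dump into per-sector keys and access conditions."""
    if len(dump) != SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_SIZE:
        raise ValueError(f"expected a 1024-byte 1K dump, got {len(dump)} bytes")
    sectors = {}
    for s in range(SECTORS_1K):
        tb = s * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1   # trailer block index
        t = dump[tb * BLOCK_SIZE:(tb + 1) * BLOCK_SIZE]
        bits, ok = decode_access_bits(t[6:10])
        sectors[s] = {"key_a": t[:6].hex().upper(), "key_b": t[10:].hex().upper(),
                      "access": t[6:10].hex().upper(), "conditions": bits, "consistent": ok}
    return sectors

def build_sample_dump() -> bytes:
    """Constructed sample: MAD key A in sector 0, FFFFFFFFFFFF elsewhere, transport
    access bits, and a deliberately corrupted access byte 8 in sector 5."""
    blocks = []
    for b in range(SECTORS_1K * BLOCKS_PER_SECTOR):
        if not is_trailer(b):
            blocks.append(bytes(BLOCK_SIZE))                # data block, all zeros
            continue
        key_a = MAD_KEY_A if sector_of(b) == 0 else b"\xff" * 6
        access = bytes.fromhex("FF078169") if sector_of(b) == 5 else TRANSPORT_ACCESS
        blocks.append(key_a + access + b"\xff" * 6)
    return b"".join(blocks)
```

Feeding it a real dump shows that everything a clone needs to carry is within those 64 blocks; anything a tool lists beyond index 63 is not card storage on a 1K.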