Hf search auth error

mattconn24 · October 22, 2021, 7:50am

Hello all. I am very new to linux and to the Proxmark3. I am trying to copy my work badge to but I keep getting errors. As I don’t really know how to explain my problem I will post my terminal journey below. Any help would be great.

┌──(matthew㉿kali)-[~/proxmark3]
└─$ ./pm3          
[=] Session log /home/matthew/.proxmark3/logs/log_20211022.txt
[+] loaded from JSON file /home/matthew/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC


  ██████╗ ███╗   ███╗█████╗ 
  ██╔══██╗████╗ ████║╚═══██╗
  ██████╔╝██╔████╔██║ ████╔╝
  ██╔═══╝ ██║╚██╔╝██║ ╚══██╗
  ██║     ██║ ╚═╝ ██║█████╔╝ 
  ╚═╝     ╚═╝     ╚═╝╚════╝     [ ❄ Iceman ❄ ]




 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  RRG/Iceman/master/v4.14434-75-g908200bba 2021-10-22 02:17:16
  compiled with............. GCC 10.2.1 20210110
  platform.................. Linux / x86_64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... present
  Python script support..... present
  Lua SWIG support.......... present
  Python SWIG support....... present

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.14434-75-g908200bba 2021-10-22 02:16:49
       os: RRG/Iceman/master/v4.14434-75-g908200bba 2021-10-22 02:18:06
  compiled with GCC 10.3.1 20210621 (release)

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
  HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 53% used )

[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
 🕛   9
[=] ---------- LF Antenna ----------
[+] LF antenna: 26.73 V - 125.00 kHz
[+] LF antenna: 18.81 V - 134.83 kHz
[+] LF optimal: 26.65 V - 123.71 kHz
[+] Approx. Q factor (*): 6.9 by frequency bandwidth measurement
[+] Approx. Q factor (*): 7.7 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 15.18 V - 13.56 MHz
[+] Approx. Q factor (*): 4.4 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

[usb] pm3 --> hf search
 🕕  Searching for ISO14443-A tag...          
[+]  UID: AB 9D A7 4D 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

[usb] pm3 --> hf mf chk --1k
[=] No key specified, trying default keys
[ 0] ffffffffffff
[ 1] 000000000000
[ 2] a0a1a2a3a4a5
[ 3] b0b1b2b3b4b5
[ 4] c0c1c2c3c4c5
[ 5] d0d1d2d3d4d5
[ 6] aabbccddeeff
[ 7] 1a2b3c4d5e6f
[ 8] 123456789abc
[ 9] 010203040506
[10] 123456abcdef
[11] abcdef123456
[12] 4d3a99c351dd
[13] 1a982c7e459a
[14] d3f7d3f7d3f7
[15] 714c5c886e97
[16] 587ee5f9350f
[17] a0478cc39091
[18] 533cb6c723f6
[19] 8fd0a4f256e9
[20] 0000014b5c31
[21] b578f38a5c61
[22] 96a301bce267
[=] Start check for keys...
[=] .................................
[=] time in checkkeys 4 seconds

[=] testing to read key B...

[+] found keys:

[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 001 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 002 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 003 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 004 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 005 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 006 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 007 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 008 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 009 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 010 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 011 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 012 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 013 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 014 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 015 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success )


[usb] pm3 --> hf mf --help
help             This help
list             List MIFARE history
-----------      ----------------------- recovery -----------------------
darkside         Darkside attack
nested           Nested attack
hardnested       Nested attack for hardened MIFARE Classic cards
staticnested     Nested attack against static nonce MIFARE Classic cards
autopwn          Automatic key recovery tool for MIFARE Classic
nack             Test for MIFARE NACK bug
chk              Check keys
fchk             Check keys fast, targets all keys on card
decrypt          [nt] [ar_enc] [at_enc] [data] - to decrypt sniff or trace
supercard        Extract info from a `super card`
-----------      ----------------------- operations -----------------------
auth4            ISO14443-4 AES authentication
dump             Dump MIFARE Classic tag to binary file
mad              Checks and prints MAD
ndefread         Prints NDEF records from card
personalize      Personalize UID (MIFARE Classic EV1 only)
rdbl             Read MIFARE Classic block
rdsc             Read MIFARE Classic sector
restore          Restore MIFARE Classic binary file to BLANK tag
setmod           Set MIFARE Classic EV1 load modulation strength
view             Display content from tag dump file
wipe             Wipe card to zeros and default keys/acc
wrbl             Write MIFARE Classic block
-----------      ----------------------- simulation -----------------------
sim              Simulate MIFARE card
ecfill           Fill emulator memory with help of keys from emulator
eclr             Clear emulator memory
egetblk          Get emulator memory block
egetsc           Get emulator memory sector
ekeyprn          Print keys from emulator memory
eload            Load from file emul dump
esave            Save to file emul dump
esetblk          Set emulator memory block
eview            View emulator memory
-----------      ----------------------- magic gen1 -----------------------
cgetblk          Read block from card
cgetsc           Read sector from card
cload            Load dump to card
csave            Save dump from card into file or emulator
csetblk          Write block to card
csetuid          Set UID on card
cview            View card
cwipe            Wipe card to default UID/Sectors/Keys
-----------      ----------------------- magic gen3 -----------------------
gen3uid          Set UID without changing manufacturer block
gen3blk          Overwrite manufacturer block
gen3freeze       Perma lock UID changes. irreversible
-----------      ----------------------- magic gen3 GTU -----------------------
gview            View card
[usb] pm3 --> hf mf rdbl --help

Read MIFARE Classic block

usage:
    hf mf rdbl [-habv] --blk <dec> [-k <hex>]

options:
    -h, --help                     This help
    --blk <dec>                    block number
    -a                             input key type is key A (def)
    -b                             input key type is key B
    -k, --key <hex>                key, 6 hex bytes
    -v, --verbose                  verbose output

examples/notes:
    hf mf rdbl --blk 0 -k FFFFFFFFFFFF
    hf mf rdbl -b 3 -v             -> get block 3, decode sector trailer
                                  

[usb] pm3 --> hf mf rdbl --blk 1 -k FFFFFFFFFFFF

[=]   # | sector 00 / 0x00                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   1 | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ................ 

[usb] pm3 --> hf mf wrbl --blk 1 -f FFFFFFFFFF -d 
hf mf wrbl: invalid option "-f"
hf mf wrbl: option "-d" requires an argument
hf mf wrbl: unexpected argument "FFFFFFFFFF"
[!] ⚠  Try 'hf mf wrbl --help' for more information.

[usb] pm3 --> hf search
 🕐  Searching for ISO14443-A tag...          
[+]  UID: DD EB 7F F1 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

[usb] pm3 --> hf mf wrbl --blk 1 -f FFFFFFFFFF -d DDEB7FF105060708090A0B0C0D0E0F
hf mf wrbl: invalid option "-f"
hf mf wrbl: unexpected argument "FFFFFFFFFF"
[!] ⚠  Try 'hf mf wrbl --help' for more information.

[usb] pm3 --> hf mf wrbl --blk 1 -k FFFFFFFFFF -d DDEB7FF105060708090A0B0C0D0E0F[!] ⚠  block data must include 16 HEX bytes. Got 15
[usb] pm3 --> hf mf wrbl --blk 1 -k FFFFFFFFFF -d DDEB7FF10405060708090A0B0C0D0E0F
[=] Writing block no 1, key A - FFFFFFFFFF00
[=] data: DD EB 7F F1 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
[#] Auth error
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -b ...` instead
[usb] pm3 --> hf mf wrbl --blk 0 -k FFFFFFFFFF -d DDEB7FF10405060708090A0B0C0D0E0F
[=] Writing block no 0, key A - FFFFFFFFFF00
[=] data: DD EB 7F F1 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
[#] Auth error
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -b ...` instead
[usb] pm3 --> hf mf wrbl --blk 1 -k FFFFFFFFFF -d DDEB7FF10405060708090A0B0C0D0E0F
[=] Writing block no 1, key A - FFFFFFFFFF00
[=] data: DD EB 7F F1 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
[#] Auth error
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -b ...` instead
[usb] pm3 --> hf mf wrbl --blk 1 -k FFFFFFFFFF -d DDEB7FF10405060708090A0B0C0D0E0F
[=] Writing block no 1, key A - FFFFFFFFFF00
[=] data: DD EB 7F F1 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
[#] Auth error
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -b ...` instead
[usb] pm3 --> hf mf wrbl --help

Write MIFARE Classic block

usage:
    hf mf wrbl [-hab] --blk <dec> [-k <hex>] [-d <hex>]

options:
    -h, --help                     This help
    --blk <dec>                    block number
    -a                             input key type is key A (def)
    -b                             input key type is key B
    -k, --key <hex>                key, 6 hex bytes
    -d, --data <hex>               bytes to write, 16 hex bytes

examples/notes:
    hf mf wrbl --blk 1 -k FFFFFFFFFFFF -d 000102030405060708090a0b0c0d0e0f

[usb] pm3 --> hf mf wrbl --blk 1 -a -k FFFFFFFFFF -d DDEB7FF10405060708090A0B0C0D0E0F
[=] Writing block no 1, key A - FFFFFFFFFF00
[=] data: DD EB 7F F1 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
[#] Auth error
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -b ...` instead
[usb] pm3 --> hf mf wrbl --blk 1 -b -k FFFFFFFFFF -d DDEB7FF10405060708090A0B0C0D0E0F
[=] Writing block no 1, key B - FFFFFFFFFF00
[=] data: DD EB 7F F1 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
[#] Auth error
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -a ...` instead
[usb] pm3 --> hf mf wrbl --blk 1 -a -k FFFFFFFFFF -d DDEB7FF10405060708090A0B0C0D0E0F
[=] Writing block no 1, key A - FFFFFFFFFF00
[=] data: DD EB 7F F1 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 
[#] Auth error
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -b ...` instead
[usb] pm3 -->

Zwack · October 22, 2021, 8:10am

What are you trying to copy your work badge to?

If your work card is that MiFare Classic 1k then you need to be trying to clone it to a magic card. If it’s a gen 1 magic card there is a special command to enable writing the first few blocks.

If it is a gen2 card then you just write to it.

Given that you are getting a write error either you are writing to the wrong type of card, or a gen 1 magic card but haven’t issued the backdoor command.

mattconn24 · October 22, 2021, 9:15am

I am trying to copy it to a Dangerous Things magic Ring. How do I issue the back door command and I will try that out. Thanks.

mattconn24 · October 22, 2021, 9:23am

Also, I believe this is an issue as I am getting the same result with my magic ring and the sample cards that came with my PM3.

[usb] pm3 --> hf search
 🕕  Searching for ISO14443-A tag...          
[+]  UID: AB 9D A7 4D 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
**[#] Auth error**
[?] Hint: try `hf mf` commands

Zwack · October 22, 2021, 12:35pm

I really should read the output more carefully. You are providing a key of FFFFFFFFFF which it is reporting as FFFFFFFFFF00. Try giving it the correct key of FFFFFFFFFFFF. (You are giving it a ten digit key it should be 12 digits)

mattconn24 · October 22, 2021, 12:51pm

It worked ok block 1 but when I tried to write the actual block 0 sector A data from my work badge to my magic card I got the following error.

[usb] pm3 --> hf mf wrbl --blk 0 -a -k a7fb48030498 -d DDEB7FF1B88804004885149159100611
[=] Writing block no 0, key A - A7FB48030498
[=] data: DD EB 7F F1 B8 88 04 00 48 85 14 91 59 10 06 11 
[#] Auth error
[-] ⛔ Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -b ...` instead
[usb] pm3 -->

Zwack · October 22, 2021, 1:02pm

There is no “sector a”

A is a key. Factory default is FFFFFFFFFFFF.

mattconn24 · October 22, 2021, 1:08pm

so the key is independent of the data? So the target card’s keys don’t need to match the read card? Just as long as the data matches correct? I was able to rewrite the target card’s 0 block using FFFFFFFFFFFF and the -d from my badge. Thanks a lot. I am still learning all of this.

Zwack · October 22, 2021, 1:23pm

I didn’t see you get that key anywhere in your output…

Here is a good guide on cloning a mifare card.

Note that you are using a magic gen 2 chip so you don’t need the csetuid command you should be able to write block 0 as part of the dump.

mattconn24 · October 22, 2021, 1:28pm

Sorry I should have posted it but I got the keys for my work badge with the autopwn cmd.

Zwack · October 22, 2021, 1:38pm

The simple answer is that the auth keys are stored in the sector trailer, so you will need to write them too. If you follow that guide you should have the dump and the keys files and can just write them back to the chip.

mattconn24 · October 22, 2021, 2:08pm

thank you so much for the help so far Zwack. I will update after following the guide that you posted.

mattconn24 · October 25, 2021, 5:07am

I made it into work using my cloned HF card! Thanks so much for the help. I do have another question that you may be able to help me with. I am thinking of getting an implant. I was looking at the Next, but is the ntag216 magic compatible? or do I need to go with the xm1? I would like to get something that is as versatility as possible but work entry was my primary goal.

Pilgrimsmaster · October 25, 2021, 5:25am

You cannot change the UID of the NTAG216 in the NExT

This is not Compatiable with the NExT Implant…
but is with the xM1
or FlexM1
or FlexMT
Where you could simply copy your card like you did with your test card.
HOWEVER
There is a possibility you could enroll the NExT into your work access system, but that would depend on the system…

The only thing to be aware of with the xM1 is the performance, they work great on good readers…bit can be a struggle on others.
The only way to know for sure is to try it.
The xM1 would “probably” work, but FlexM1 would have a much better chance of working

mattconn24 · October 25, 2021, 6:16am

Ok so the flexM1. I like the idea of getting the gen1 version due to not being able to mistakenly lock it, but how concerned do I need to be about the reader looking for the back door signal and rejecting it? The test card that I have successfully cloned was the gen2, how easy is it to accidentally lock it? Thanks in advance.

amal · October 25, 2021, 6:48am

It’s my understanding that this type of protection from the reader side is fairly uncommon outside of China, simply because these magic chips are so common inside of China.

Arnav33 · February 7, 2023, 3:10am

Hi I have tired to use the suggested guide but those commands don’t work exactly now and I keep getting the following error.

[usb] pm3 --> hf mf wrbl --blk 28 -a -k FFFFFFFFFFFF -d A7E3D446B699AFA92C9D071157C017D8
[=] Writing block no 28, key A - FFFFFFFFFFFF
[=] data: A7 E3 D4 46 B6 99 AF A9 2C 9D 07 11 57 C0 17 D8
[#] Auth error
[-] Write ( fail )
[?] Maybe access rights? Try specify keytype `hf mf wrbl -b ...` instead

I am trying to write to an empty Mifare classic 1k without changing the UID. Please help.

Pilgrimsmaster · February 7, 2023, 6:46am

Im typing on my phone, as I walk and away from my PM3, so my help wont be the best?

Are you writing to a gen1a or gen2?

You could do an autopwn…

or of you change the NUID with what you are doing you can just change it back (make sure you take a note of it)

hf mf csetuid

sorry not super helpful, but hope it at least points you in the right directions

Arnav33 · February 7, 2023, 11:40am

I’m trying to write to an empty regular Mifare classic 1k sticker. It is not a magic card. I tested my access system and block 0 is not important for the access so I just want to write the other blocks on the new sticker.

amal · February 7, 2023, 12:43pm

It says auth error… perhaps the block access bits are already set?

Can you use TagInfo to scan and share? Or read the block on proxmark?