Mifare 1k to Magic Ring - Bricked? [SOLVED]

I’m brand new to doing any RFID work and I think that unfortunately I may have gotten a bit over my skis. For some background, I am trying to clone a Schlage 9691T key fob which is used for my apartment building. These use a 125kHz chip for all of the exterior doors and common amenity areas and then the HF is a Mifare classic 1k which is only used for my apartment’s front door. With my Proxmark3 I was able to successfully clone both chips to a dual frequency card that uses a T557 and a gen1 Mifare 1k chip, however the issue comes when I am trying to do the same to write to the dual frequency magic ring which uses the gen2 chip. When I originally tried to clone the HF portion I used the same commands as for the gen1, which I think may have bricked it based on what I’ve read in a few other posts. Following this thread: Please Help! I think I bricked my Magic ring - #6 by Zwack I used the following command to try restoring the ring:

hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 0102030404080400000000000000BEAF --force

That works no problem, so I run autopwn on both the ring and on my fob and then try to restore from the fob to the ring with this command:

hf mf restore --1k -k hf-mf-01020304-key.bin -f hf-mf-F6C3D162-dump.bin

and oh lordy, she did not like that:

I do not have an Android phone in which to use MCT or any other tools aside from my Proxmark. Did I completely brick this ring’s HF chip? Any chance of restoring? Thanks very much for any help!

https://forum.dangerousthings.com/t/handy-dandy-tips-and-tricks/13041/17?u=pilgrimsmaster

Thanks very much for your help. I wanted to follow up with the resolution in case anyone else was having the same issue. I used the following commands as instructed in the link provided by Pilgrimsmaster:

hf 14a config --atqa force --bcc ignore --cl2 skip --rats skip
hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344440804006263646566676869 --force
hf mf wipe --gen2

What was interesting is that it actually took a few tries in order to get it to work successfully and I have absolutely no idea why that is, because I didn’t change anything between the attempts apart from starting over from the beginning after getting a string of errors when I tried to run the wipe command the first time. At any rate, it worked just fine the second time so I went back to attempting to clone my 9691T using:

hf mf restore

This worked without issue, but the ring would not open my lock. I dumped to text the contents of both the ring as well as the original fob and then used diff to compare the output. They were identical except for the latter half of block 0 on the ring. The UID on the ring was showing the same as the fob, but the rest of the data in that block was still what I had written to block 0 in the command above. Thus, I just ended up using the command:

hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d XXX --force

where XXX was the value in block 0 on the fob, in order to then write it to the ring. The ring works perfectly now.

Cheers!

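The dump comparison described in the resolution above, as an added example that is not part of the original posts: it diffs two Mifare Classic 1k dumps block by block and splits block 0 into UID, BCC, SAK, ATQA and manufacturer data, so a mismatch in the latter half of block 0 is visible at a glance. The function names and both sample dumps are constructed for illustration; only the UID and the 6263646566676869 filler are taken from the thread, and real input would be the two 1024-byte dump files read from disk.

```python
BLOCK, BLOCKS_1K = 16, 64  # Mifare Classic 1k: 64 blocks of 16 bytes

def parse_block0(b0: bytes) -> dict:
    """Split the manufacturer block of a 4-byte-UID card into its fields."""
    uid = b0[0:4]
    return {
        "uid": uid.hex().upper(),
        # BCC is the XOR of the four UID bytes
        "bcc_ok": b0[4] == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]),
        "sak": f"{b0[5]:02X}",
        "atqa_raw": b0[6:8].hex().upper(),   # byte order as stored in the block
        "mfr_data": b0[8:16].hex().upper(),  # the "latter half" of block 0
    }

def diff_dumps(a: bytes, b: bytes) -> list:
    """Return [(block_no, [differing byte offsets])] for two 1k dumps."""
    if len(a) != BLOCK * BLOCKS_1K or len(b) != BLOCK * BLOCKS_1K:
        raise ValueError("expected two 1024-byte Mifare Classic 1k dumps")
    out = []
    for n in range(BLOCKS_1K):
        x, y = a[n * BLOCK:(n + 1) * BLOCK], b[n * BLOCK:(n + 1) * BLOCK]
        if x != y:
            out.append((n, [i for i in range(BLOCK) if x[i] != y[i]]))
    return out

def block0_mismatch(a: bytes, b: bytes) -> dict:
    """Fields of block 0 that differ, as {field: (value_in_a, value_in_b)}."""
    fa, fb = parse_block0(a[:BLOCK]), parse_block0(b[:BLOCK])
    return {k: (fa[k], fb[k]) for k in fa if fa[k] != fb[k]}

def make_dump(block0: bytes) -> bytes:
    """Constructed sample: blank 1k card image with default sector trailers."""
    trailer = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    blocks = [trailer if n % 4 == 3 else bytes(BLOCK) for n in range(BLOCKS_1K)]
    blocks[0] = block0
    return b"".join(blocks)

# Constructed inputs: same UID/BCC/SAK/ATQA, different manufacturer bytes.
# The fob's manufacturer bytes (A1..A8) are made up for this example.
FOB = make_dump(bytes.fromhex("F6C3D162" "86" "08" "0400" "A1A2A3A4A5A6A7A8"))
RING = make_dump(bytes.fromhex("F6C3D162" "86" "08" "0400" "6263646566676869"))

if __name__ == "__main__":
    for blk, offsets in diff_dumps(FOB, RING):
        print(f"block {blk}: bytes {offsets} differ")
    print(block0_mismatch(FOB, RING))
    print("block 0 of the source dump:", FOB[:BLOCK].hex().upper())
```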