MrKeyFob app DRM

Has anyone played with the MrKeyFob cloning app? Have figured out all of the DRM it uses for LF RFIDs (password and trace data) and mifares (special UID and some data in 1 block) but have not figured what it uses for iClass. From my understanding from inspecting the blank MrKeyFob iClass fobs and preliminary inspection of decompiling the .exe, it uses some data on block 18 that is unique to each fob most likely tied into the CSN. This value changes when a credential is written to it using the app.

I can share the app, dumps, and sniffs for validating a blank, writing, wiping

Already started scrutinizing the decompiled version

I’ve never really looked at this, but my curiosity is piqued. I’ve DM’d you :slight_smile:

Can you send me a dump of a MKF Mifare, and a dump of the MKF iClass? I haven’t been able to get my hands on either. And would like to take a look at both. If you have more than one dump of the iclass it would help to see what method he is using to calculate off the CSN and how the MKF software green lights the fob to work.

I included dumps of:

2 mrkeyfob iclass tags
mifare classic 1k gen 4 gdm
LF t5577 restore file to make compatible with program (need to write pg1 also)

Dumps: mrkeyfob dumps - Google Drive

MKF windows app: - Google Drive

Well, we’re all in this together in figuring out what exactly MrKeyFob uses for its own proprietary DRM. Also interesting how MKF explicitly violates the pm3 open source license by not publishing the code.

I’ll take a look at the iclass ones tomorrow, and see if I can figure out what calculation method he is using for 18 and how he verifies 18. I would like to see if the software phones home to verify the iclass. It will be interesting. Does the Mifare have DRM on it? Wonder why he’s using GDM fobs now.

PM’d you - also have more information in terms of sniffing the transaction from pm3 running MKF software and iClass tag. Not too much useful information but the more info we have on this the better.

The DRM for mifare is just the UID set to 00 00 00 00 by the looks of it.