Noob Needing help cloning Mifare Classic 1k 14443-A tag

Hi everyone,

I’m sure people saw the title and thought another noob who hasn’t done any research or bothered to look through the forum. I have done a lot of research and have found a similar situation with no resolution. But maybe I missed something also.

What I’m looking to do is clone my apartment fob. It’s a Schlage 9691T. From my research, it’s a dual frequency fob, low for low-security community doors and high for apartment doors. Before diving deeper into my knowledge of RFID, I had the fob scanned at a kiosk that duplicates fobs. The kiosk fob works for the LF doors, and surprisingly, once for the apartment door (before never working again).

I’m using a Proxmark3 Easy with the Iceman firmware, and getting an LF reading is easy and pretty straightforward. However, getting an HF reading can be tricky. Even once the fob is in the correct position on the reader and you have it in place and don’t touch it, it will stop picking it up when using the command ‘hf search’ again.

Let’s start with the basics and show ‘hw version’.

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ Client ]
  Iceman/master/v4.18589-47-g81fd62034-suspect 2024-06-24 22:44:22 f1dc6862f
  compiled with............. MinGW-w64 13.2.0
  platform.................. Windows (64b) / x86_64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... absent
  Python script support..... present
  Lua SWIG support.......... present
  Python SWIG support....... present

 [ Proxmark3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: Iceman/master/v4.18589-47-g81fd62034-suspect 2024-06-24 22:42:54 f1dc6862f
       os: Iceman/master/v4.18589-47-g81fd62034-suspect 2024-06-24 22:43:34 f1dc6862f
  compiled with GCC 12.2.0

 [ FPGA ]
  fpga_pm3_lf.ncd image 2s30vq100 2024-02-03 15:12:10
  fpga_pm3_hf.ncd image 2s30vq100 2024-02-03 15:12:20
  fpga_pm3_felica.ncd image 2s30vq100 2024-02-03 15:12:41
  fpga_pm3_hf_15.ncd image 2s30vq100 2024-02-03 15:12:31

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 63% used )

Now is where my troubles begin. Once I do have the fob in a position where I get consistent reads, running ‘hf search’ gives me the following. Notice the Prng detection is hard. I only see tutorials from people with weak, which seems to be my first issue.

[usb] pm3 --> hf search
[/] Searching for ISO14443-A tag...
[+]  UID: 94 E8 DD 2D
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection....... hard
[=]
[=] --- Tag Signature
[=]  IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 867C495BA70D724747B627A98D31A4BA50D5CF9CF9FA1FE1E3629029F8B18D02
[+]        Signature verification: successful

[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

The second issue is when I try to run ‘hf mf autopwn’ I get varying results that basically end the same.

[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error

I saw someone else have the same thing, and it was a software error. But any advice would be greatly appreciated.

Thanks so much,

[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[+] loaded  5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] running strategy 2
[=] ......
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector  16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector  17 key type A -- found valid key [ 75CCB59C9BED ]
[+] target sector  17 key type B -- found valid key [ 4B791BEA7BCC ]
[#] BCC0 incorrect, got 0x00, expected 0x01
[#] Aborting
[#] BCC0 incorrect, got 0x00, expected 0x01
[#] Aborting
[-] Tag isn't vulnerable to Nested Attack (PRNG is probably not predictable).
[-] Nested attack failed --> try hardnested
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 8 threads and AVX2 SIMD core                |                 |
[=]        0 |       0 | Brute force benchmark: 1540 million (2^30.5) keys/s     | 140737488355328 |   25h
[=]        2 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 1572 ms               | 140737488355328 |   25h
[=]        2 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   25h
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
1 Like

That’s kinda strange

Can you try hf 14a config --bcc ignore and then retry hf mf auto

Make sure to run hf 14a config --bcc std afterwards to return to normal

As for the coupling you may try setting the fob sort of half-on-half-off the antenna if you haven’t already, or putting something small and non-conductive between the tag and the antenna to space it off a little

You should also make sure the PM3 isn’t sitting over a conductive surface

3 Likes

I’m not sure if there was any other syntax needed at the end of hf 14a config --bcc ignore, but it came back as below.

[usb] pm3 --> hf 14a config --bcc ignore
[usb] pm3 -->

Totally, I try every which way to get the tag to read. :joy: :melting_face: :smiling_face_with_tear:

I have it currently on a rubber mouse pad.

1 Like

That just disables BCC checking, you still need to actually try it out on the card

The rubber mouse pad isn’t on a metal desk, right? :classic_tongue:

3 Likes

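As an added illustration (not code from this thread or from the Proxmark3 project) of what the BCC check that `--bcc ignore` switches off actually verifies, and of how to read the `BCC0 incorrect` and `AcquireEncryptedNonces: Auth1/Auth2 error` lines as a coupling symptom rather than a property of the card. The sample log is constructed from the shape of the output posted above, and the auth-error threshold is an assumed heuristic, not a Proxmark3 setting.

```python
"""Added example: checking the ISO 14443-A BCC byte and triaging Proxmark3 log lines.

Not code from the thread or the Proxmark3 project. SAMPLE_LOG is constructed from
the kinds of messages shown in the thread; AUTH_ERROR_THRESHOLD is an assumed heuristic.
"""
import re
from collections import Counter


def bcc(uid: bytes) -> int:
    """BCC (block check character) is the XOR of the 4 UID bytes of one cascade level."""
    if len(uid) != 4:
        raise ValueError("BCC covers exactly 4 UID bytes")
    result = 0
    for byte in uid:
        result ^= byte
    return result


def anticollision_frame_ok(frame: bytes) -> bool:
    """A cascade-level anticollision response is UID0..UID3 followed by BCC.

    A mismatch means the 5-byte frame was corrupted on air (typically poor coupling).
    That rejection is what 'hf 14a config --bcc ignore' disables, so leaving it on
    makes the client carry on with a UID it cannot trust.
    """
    if len(frame) != 5:
        raise ValueError("expected UID0..UID3 + BCC (5 bytes)")
    return bcc(frame[:4]) == frame[4]


def uid_bytes_corrupted(known_uid: bytes, expected_from_log: int) -> bool:
    """In a pm3 'BCC0 incorrect, got X, expected Y' line, Y is recomputed from the
    UID bytes actually received. If Y differs from the BCC of the UID a clean
    'hf search' reported, the UID bytes in that frame were corrupted, not only the BCC."""
    return bcc(known_uid) != expected_from_log


BCC_RE = re.compile(r"BCC0 incorrect, got 0x([0-9A-Fa-f]{2}), expected 0x([0-9A-Fa-f]{2})")
AUTH_RE = re.compile(r"AcquireEncryptedNonces: (Auth[12]) error")

# Assumed heuristic: this many auth errors in one run is treated as a coupling problem.
AUTH_ERROR_THRESHOLD = 5


def diagnose(log: str) -> dict:
    """Count BCC mismatches and Auth1/Auth2 errors in a pm3 transcript."""
    counts = Counter()
    mismatches = []
    for line in log.splitlines():
        m = BCC_RE.search(line)
        if m:
            mismatches.append((int(m.group(1), 16), int(m.group(2), 16)))
            continue
        m = AUTH_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    auth_total = counts["Auth1"] + counts["Auth2"]
    return {
        "bcc_mismatches": mismatches,
        "auth1_errors": counts["Auth1"],
        "auth2_errors": counts["Auth2"],
        "likely_coupling_problem": bool(mismatches) or auth_total >= AUTH_ERROR_THRESHOLD,
    }


# Constructed sample in the shape of the autopwn output posted in the thread.
SAMPLE_LOG = """\
[=] running strategy 1
[#] BCC0 incorrect, got 0x51, expected 0x11
[#] Using BCC0 =0x51
[#] ChkKeys_fast: Can't select card (ALL)
[=] Hardnested attack starting...
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
"""

if __name__ == "__main__":
    uid = bytes.fromhex("94E8DD2D")  # the UID that hf search reported in the thread
    print(f"BCC for UID {uid.hex().upper()}: 0x{bcc(uid):02X}")
    report = diagnose(SAMPLE_LOG)
    for got, expected in report["bcc_mismatches"]:
        print(f"on-air BCC 0x{got:02X} vs recomputed 0x{expected:02X}; "
              f"UID bytes corrupted as well: {uid_bytes_corrupted(uid, expected)}")
    print(report)
```

For the UID 94 E8 DD 2D that `hf search` reported, the BCC is 0x8C. None of the "expected" values in the posted logs (0x01, 0x11, 0x31) equal that, so in those frames the UID bytes themselves were arriving corrupted, which is why ignoring the BCC cannot fix the reads and the later coupling advice is the right lead to follow.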
[usb] pm3 --> hf 14a config --bcc ignore
[usb] pm3 --> hf mf auto
[=] MIFARE Classic EV1 card detected
[+] loaded  5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[#] BCC0 incorrect, got 0x51, expected 0x11
[#] Using BCC0 =0x51
[#] ChkKeys_fast: Can't select card (ALL)
[=] running strategy 2
[=] .....
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector  16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector  17 key type A -- found valid key [ 75CCB59C9BED ]
[+] target sector  17 key type B -- found valid key [ 4B791BEA7BCC ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 8 threads and AVX2 SIMD core                |                 |
[=]        0 |       0 | Brute force benchmark: 1574 million (2^30.6) keys/s     | 140737488355328 |   25h
[=]        2 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 1595 ms               | 140737488355328 |   25h
[=]        2 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   25h
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]        5 |     112 | Apply bit flip properties                               |      9722996736 |    6s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]        6 |     224 | Apply bit flip properties                               |       957384832 |    1s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]        7 |     336 | Apply bit flip properties                               |       843564288 |    1s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]        8 |     447 | Apply bit flip properties                               |       592479424 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]        9 |     559 | Apply bit flip properties                               |       592479424 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       10 |     670 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       11 |     782 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       11 |     892 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       12 |    1004 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       13 |    1116 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[=]       14 |    1225 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       14 |    1335 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       15 |    1442 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       16 |    1552 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       17 |    1660 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       18 |    1771 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[=]       19 |    1876 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       20 |    1988 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[=]       21 |    2098 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[=]       22 |    2208 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       23 |    2319 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[=]       24 |    2430 | Apply bit flip properties                               |       585574272 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[-] No match for the First_Byte_Sum (127), is the card a genuine MFC Ev1?

[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[usb] pm3 -->

No, on a wooden desk :wink:

Thanks very much for your help. I’m sure this will also be helpful to someone else in the future.

1 Like

Try this real quick:
hf mf autopwn -f mfc_default_keys

2 Likes

[usb] pm3 --> hf mf autopwn -f mfc_default_keys
[=] MIFARE Classic EV1 card detected
[+] loaded  5 user keys
[+] loaded 61 keys from hardcoded default array
[+] Loaded 1819 keys from dictionary file `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3\proxmark3\client\dictionaries/mfc_default_keys.dic`
[=] running strategy 1
[=] .......
[=] running strategy 2
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] ......
[=] .
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector  16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector  17 key type A -- found valid key [ 75CCB59C9BED ]
[+] target sector  17 key type B -- found valid key [ 4B791BEA7BCC ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 8 threads and AVX2 SIMD core                |                 |
[=]        0 |       0 | Brute force benchmark: 1574 million (2^30.6) keys/s     | 140737488355328 |   25h
[=]        1 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 1384 ms               | 140737488355328 |   25h
[=]        1 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   25h
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]        5 |     112 | Apply bit flip properties                               |     34995617792 |   22s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]        6 |     224 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[=]        7 |     335 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]        8 |     447 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]        9 |     558 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       10 |     669 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       11 |     780 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       11 |     892 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[=]       12 |    1003 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       13 |    1115 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=]       14 |    1222 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[=]       15 |    1333 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[=]       15 |    1440 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[=]       16 |    1548 | Apply bit flip properties                               |               0 |    0s
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[-] No match for the First_Byte_Sum (131), is the card a genuine MFC Ev1?
[#] AcquireEncryptedNonces: Auth2 error len=1

[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[usb] pm3 -->
1 Like

Hmm, well, I’m out of ideas, there’s definitely something going on here that’s beyond me

It shouldn’t be too long before someone who knows more than me stumbles on this thread, so don’t lose hope quite yet :classic_tongue:

3 Likes

Thanks for your help! Hopefully, someone knows what’s going wrong here.

1 Like

EV1 cards with hard protected random number generators can be difficult or possibly impossible to crack if I’m remembering right.

Your next best bet might be to try to use your proxmark3 to sniff the conversation between reader and card to see what’s going on between them and learn something.

3 Likes

ev1 aren’t specific in this, hardened PRNG is something that can be applied in manufacturing to non-ev1 and ev1
(ev1 just means it has a signature, there was no revision to the crypto)

in terms of impossibility for cracking, that would be static encrypted nonces. this fob doesn’t have that, but even if it did, sniffing would then be the next route. in this case though, Schlages are a bitch to couple with sometimes & depending on where this person got their proxmark it could be one of the incredibly low quality ones, which is my thinking since it was getting bad BCC and the auth errors indicate a positioning error. let’s sniff anyway

@godspeed remind me, have we spoken on discord? I’ve done a lot of schlage 9691Ts recently.

anyhoo.

hf 14a sniff

take the proxmark and sandwich it between the fob and reader:
FOB | PM3 | PCD
approach the reader like this and do a couple of taps, the fob should still be able to authenticate and unlock the reader like this, once you’ve unlocked the door a couple of times, end the simulation and do trace save -f schlagetrace

pop the file over to me on here if you can, or via DMs if that’s more preferable for you. I will load it up and pick through for your missing keys and give you a command to run. we may need to repeat this process / a similar process of emulating a partial credential and collecting partial-auth nonces, but this is something that can be overcome.

3 Likes

That’s what the hardnested attack is for, right?

Is the goal now to sniff the sections actually used by the readers and focus explicitly on those bits, or will sniffing more passwords somehow help us dump the whole fob?

2 Likes

yep,
nested - weak prng
hardnested - hardened prng
static nested - static nonce (unencrypted)
static encrypted nonce so far has no tested attack.

it’s Schlage, there’s only 3 keys we are missing.

KeyA KeyB for sec1
KEYA&B (same key value) for sectors 2-14

all of those keys are required & are sent in the sniff.

in general terms, when sniffing for keys you will only get whatever the reader is sending, which will also tell you which ones you need. if there are sectors not authenticated in the trace but still having unknown keys, you likely don’t need those sectors. if a clone still doesn’t work, you can double back with a sim of the partial dump, look at the trace and see if the reader later authenticates those missing sectors after confirming it can auth the sectors you got the keys for in the initial sniff.

FYI for later when we do have a full dump you’ll need to follow this: Explaination of Mifare Classic SAK Swapping anti cloning defense · GitHub

5 Likes

Hi @Equipter, no, it wasn’t me. I don’t go on Discord much. But I’m sure many questions are asked about cloning the Schlage 9691T. It seems like a pretty popular fob to clone.

I appreciate the help on this one. I’m not able to send you a direct message here. I’m not sure if that’s because I’m new and don’t have the clout yet. I tried messaging you on Discord @ Equip#1515, but it says you aren’t accepting friend requests.

But here is the sniff. It’s a zip file, as I can’t upload the trace file. Let me know if it’s readable or if I need to try again.
schlagetrace.zip (4.9 KB)

Again, thanks for the help. I’m sure many people will hopefully learn from this post.

1 Like

yeah, I turned off Discord friend requests, I was getting inundated with folk adding me from all over.

your trace has a few problem areas but it was able to provide some good content, so let’s work with that first.

hf mf fchk -k d90e70052a98 -k 0F30CF835C18 -k FFFFFFFFFFFF --dump

lmk how this command pans out for you

4 Likes

Yeah, I totally get it.

[usb] pm3 --> hf mf fchk -k d90e70052a98 -k 0F30CF835C18 -k FFFFFFFFFFFF --dump
[+] loaded  3 user keys
[+] loaded 61 keys from hardcoded default array
[=] Running strategy 1
[=] You can cancel this operation by pressing the pm3 button
[=] ..
[=] Running strategy 2
[#] BCC0 incorrect, got 0x11, expected 0x31
[#] Using BCC0 =0x11
[#] ChkKeys_fast: Can't select card (ALL)
[=] time in checkkeys (fast) 5.9s

[!] No keys found

This is what I got

1 Like

this is a coupling error. hold your Schlage key about an inch above the proxmark and run the command again

2 Likes

Got a better result this time

[usb] pm3 --> hf mf fchk -k d90e70052a98 -k 0F30CF835C18 -k FFFFFFFFFFFF --dump
[+] loaded  3 user keys
[+] loaded 61 keys from hardcoded default array
[=] Running strategy 1
[#] BCC0 incorrect, got 0x11, expected 0x31
[#] Using BCC0 =0x11
[#] ChkKeys_fast: Can't select card (ALL)
[=] Running strategy 2
[=] ...
[=] time in checkkeys (fast) 7.9s


[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  001 | 007 | ------------ | 0 | ------------ | 0
[+]  002 | 011 | ------------ | 0 | 0F30CF835C18 | 1
[+]  003 | 015 | FFFFFFFFFFFF | 1 | 0F30CF835C18 | 1
[+]  004 | 019 | FFFFFFFFFFFF | 1 | ------------ | 0
[+]  005 | 023 | FFFFFFFFFFFF | 1 | 0F30CF835C18 | 1
[+]  006 | 027 | 0F30CF835C18 | 1 | 0F30CF835C18 | 1
[+]  007 | 031 | 0F30CF835C18 | 1 | 0F30CF835C18 | 1
[+]  008 | 035 | 0F30CF835C18 | 1 | FFFFFFFFFFFF | 1
[+]  009 | 039 | 0F30CF835C18 | 1 | 0F30CF835C18 | 1
[+]  010 | 043 | 0F30CF835C18 | 1 | ------------ | 0
[+]  011 | 047 | FFFFFFFFFFFF | 1 | ------------ | 0
[+]  012 | 051 | 0F30CF835C18 | 1 | 0F30CF835C18 | 1
[+]  013 | 055 | 0F30CF835C18 | 1 | 0F30CF835C18 | 1
[+]  014 | 059 | 0F30CF835C18 | 1 | 0F30CF835C18 | 1
[+]  015 | 063 | ------------ | 0 | FFFFFFFFFFFF | 1
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )

[+] Generating binary key file
[+] Found keys have been dumped to `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3/hf-mf-94E8DD2D-key.bin`
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0

1 Like

same thing, coupling error. when and where did you get your proxmark from? I’ve seen a lot of recent shit quality proxmarks hitting the market that struggle with coupling super badly.

try placing the Schlage fob under the proxmark and redoing the command.

edit: when you get a chance could you take & post a photo of your proxmark, I’m interested in what the middle and base board look like.

3 Likes

I have up clouted you to basic.
You should be able to DM now.

unless there is sensitive information, keeping your thread public allows all those that follow to share in your learning

3 Likes