Hi everyone,
I’m sure people saw the title and thought, “another noob who hasn’t done any research or bothered to look through the forum.” I have done a lot of research and have found a similar situation with no resolution. But maybe I missed something also.
What I’m looking to do is clone my apartment fob. It’s a Schlage 9691T. From my research, it’s a dual-frequency fob: low for low-security community doors and high for apartment doors. Before diving deeper into my knowledge of RFID, I had the fob scanned at a kiosk that duplicates fobs. The kiosk fob works for the LF doors and, surprisingly, worked once for the apartment door (before never working again).
I’m using a Proxmark3 Easy with the Iceman firmware, and getting an LF reading is easy and pretty straightforward. However, getting an HF reading can be tricky. Getting the fob in the correct position on the reader is finicky, and even after you have it in place and don’t touch it, the reader will stop picking it up when you run ‘hf search’ again.
Let’s start with the basics and show ‘hw version’:
[usb] pm3 --> hw version
[ Proxmark3 RFID instrument ]
[ Client ]
Iceman/master/v4.18589-47-g81fd62034-suspect 2024-06-24 22:44:22 f1dc6862f
compiled with............. MinGW-w64 13.2.0
platform.................. Windows (64b) / x86_64
Readline support.......... present
QT GUI support............ present
native BT support......... absent
Python script support..... present
Lua SWIG support.......... present
Python SWIG support....... present
[ Proxmark3 ]
firmware.................. PM3 GENERIC
[ ARM ]
bootrom: Iceman/master/v4.18589-47-g81fd62034-suspect 2024-06-24 22:42:54 f1dc6862f
os: Iceman/master/v4.18589-47-g81fd62034-suspect 2024-06-24 22:43:34 f1dc6862f
compiled with GCC 12.2.0
[ FPGA ]
fpga_pm3_lf.ncd image 2s30vq100 2024-02-03 15:12:10
fpga_pm3_hf.ncd image 2s30vq100 2024-02-03 15:12:20
fpga_pm3_felica.ncd image 2s30vq100 2024-02-03 15:12:41
fpga_pm3_hf_15.ncd image 2s30vq100 2024-02-03 15:12:31
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 63% used )
Now is where my troubles begin. Once I do have the fob in a position where I get consistent reads, running ‘hf search’ gives me the following. Notice the Prng detection is hard. I only see tutorials from people whose tags show weak, so that seems to be my first issue.
[usb] pm3 --> hf search
[/] Searching for ISO14443-A tag...
[+] UID: 94 E8 DD 2D
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection....... hard
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 867C495BA70D724747B627A98D31A4BA50D5CF9CF9FA1FE1E3629029F8B18D02
[+] Signature verification: successful
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found
The second issue is when I try to run ‘hf mf autopwn’ I get varying results that basically end the same.
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
I saw someone else have the same thing, and it was a software error. But any advice would be greatly appreciated.
Thanks so much,
[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[+] loaded 5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] running strategy 2
[=] ......
[+] target sector 0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector 16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector 17 key type A -- found valid key [ 75CCB59C9BED ]
[+] target sector 17 key type B -- found valid key [ 4B791BEA7BCC ]
[#] BCC0 incorrect, got 0x00, expected 0x01
[#] Aborting
[#] BCC0 incorrect, got 0x00, expected 0x01
[#] Aborting
[-] Tag isn't vulnerable to Nested Attack (PRNG is probably not predictable).
[-] Nested attack failed --> try hardnested
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1540 million (2^30.5) keys/s | 140737488355328 | 25h
[=] 2 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 1572 ms | 140737488355328 | 25h
[=] 2 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 25h
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
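Added example, not from the post and not from the Proxmark3/Iceman project: a small Python helper that reads the relevant lines of the ‘hf search’ output quoted above, turns the SAK/ATQA into a type hint, and checks the ISO/IEC 14443-3 block check character (BCC) that the ‘BCC0 incorrect’ lines refer to. In the anticollision exchange the card answers with UID0..UID3 followed by BCC = UID0 ^ UID1 ^ UID2 ^ UID3, so when the reader’s own XOR of the received UID bytes disagrees with the BCC byte it got, the frame was corrupted on the air. That is most commonly a coupling problem, which fits the positioning trouble described in the post, and it is worth ruling out before blaming the tag or the software. The SAK table is a coarse hint taken from NXP’s published type-identification guidance (the real decision tree also uses ATQA); the sample text is the post’s own output re-embedded as a constant, and the corrupted frame in the demo is constructed.

```python
import re

# Constructed sample: the relevant lines of the `hf search` output quoted in the post.
SAMPLE_HF_SEARCH = """\
[+] UID: 94 E8 DD 2D
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection....... hard
"""

# Coarse SAK -> family hint (NXP AN10833 values). A hint only: the full
# identification procedure also looks at ATQA and at further protocol probes.
SAK_HINTS = {
    0x08: "MIFARE Classic 1K",
    0x18: "MIFARE Classic 4K",
    0x09: "MIFARE Mini",
    0x00: "MIFARE Ultralight family",
}


def bcc(uid_bytes):
    """Block Check Character: XOR of the four UID bytes of one cascade level."""
    value = 0
    for b in uid_bytes:
        value ^= b
    return value


def parse_hf_search(text):
    """Pull UID, ATQA, SAK and the PRNG verdict out of Iceman-style `hf search` output."""
    uid = re.search(r"UID:[ \t]*((?:[0-9A-Fa-f]{2}[ \t]*)+)", text)
    atqa = re.search(r"ATQA:[ \t]*((?:[0-9A-Fa-f]{2}[ \t]*)+)", text)
    sak = re.search(r"SAK:[ \t]*([0-9A-Fa-f]{2})", text)
    prng = re.search(r"Prng detection\.*\s*(\w+)", text)
    if not (uid and atqa and sak):
        raise ValueError("not a complete ISO14443-A summary")
    sak_val = int(sak.group(1), 16)
    return {
        "uid": bytes.fromhex("".join(uid.group(1).split())),
        "atqa": bytes.fromhex("".join(atqa.group(1).split())),
        "sak": sak_val,
        # SAK bit 6 (mask 0x20) set => the card supports ISO14443-4 (RATS).
        # Clear here, which is why the tool printed "non iso14443-4 card found".
        "iso14443_4": bool(sak_val & 0x20),
        "type_hint": SAK_HINTS.get(sak_val, "unknown"),
        "prng": prng.group(1).lower() if prng else "unknown",
    }


def check_anticollision_frame(frame):
    """Validate a 5-byte cascade-level answer (UID0..UID3, BCC).

    Returns (ok, got, expected): `got` is the BCC byte the card sent, `expected`
    is the XOR of the four UID bytes in the same frame. A mismatch is what the
    Proxmark reports as "BCC0 incorrect": the UID bytes were corrupted in transit.
    """
    if len(frame) != 5:
        raise ValueError("cascade-level answer is UID0..UID3 plus BCC")
    expected = bcc(frame[:4])
    return frame[4] == expected, frame[4], expected


def assess(text):
    """Defender-side summary: what the tag is and which generation of Classic it is."""
    info = parse_hf_search(text)
    notes = []
    if info["prng"] == "weak":
        notes.append("weak PRNG: pre-EV1 Classic generation, highest risk, prioritise replacement")
    elif info["prng"] == "hard":
        notes.append("hard PRNG: EV1-generation Classic, still Crypto1 but not the weak-PRNG case")
    if not info["iso14443_4"]:
        notes.append("no ISO14443-4 layer: proprietary command set only")
    info["notes"] = notes
    return info


if __name__ == "__main__":
    summary = assess(SAMPLE_HF_SEARCH)
    print("UID %s  SAK 0x%02X  %s" % (summary["uid"].hex(), summary["sak"], summary["type_hint"]))
    for note in summary["notes"]:
        print(" -", note)
    # A good frame for this UID, then a constructed corrupted one (BCC byte zeroed).
    good = summary["uid"] + bytes([bcc(summary["uid"])])
    bad = summary["uid"] + b"\x00"
    for frame in (good, bad):
        ok, got, expected = check_anticollision_frame(frame)
        print("frame %s -> %s (got 0x%02X, expected 0x%02X)" % (frame.hex(), "ok" if ok else "BCC mismatch", got, expected))
```

Run it against a saved ‘hf search’ transcript to confirm the read itself is clean before moving on: for the UID in the post the BCC should be 0x8C, and a handful of reads that disagree with each other (or show BCC mismatches) point at coupling, not at the tag.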