honestly i would return your proxmark at this point mate, the keys I’ve sent you should do the trick and make it so you can dump them but your proxmark is not playing nice, aliexpress proxmark quality is incredibly shoddy and the recent influx of even lower quality proxmarks makes finding a good one a real challenge.
DT sell one “pm3” hyperlink should take you to the product page, they’re a bit more expensive but they’re order-fabbed by DT for assured quality & flashed with the iceman bootloader for easy updating.
for the love of god do not get a chameleon ultra the chameleon ultra is still in its very very beginning dev stages and is essentially useless at the moment, development for the firmware has basically been abandoned, its fully open source so someone someday might pick it up and decide to make it worthwhile but as it currently stands, buying one would be a waste of money.
the proxmark is what you need, you just need a reliable one.
Thanks for the help. I appreciate the help and the time and effort you have put in. I placed an order using the link you provided. I’ll let you know once it arrives and give some updates on how much better it works
And thanks for the heads up on the Chameleon Ultra. It’s marketed very well as something that’s easy to use and can do ‘most’ of the functions of the Proxmark
yeah its marketed well but its currently not capable of anything more than some very basic high frequency things. nothing even close to what the proxmark does
Yeah, I backed it, sounded like it was supposed to be the “Next Best Thing”, but it pretty much just sits there on my desk mocking me… Love the form factor though.
Hi Equipter, While I’m waiting for the new Proxmark to arrive, could you tell me how you opened the trace file to help me understand what you did? As you probably guessed, I’m using the Windows-based Proxspace and didn’t see how to open it.
ooh ok not bad, not the one i was expecting. general source recent generation piswords design proxmark, one data line’d microusb port (shame) and looks like you’ve got one that comes with SPI flash which is neat. definitely still sounds like a hw problem most likely to do with the hf antenna itself.
in terms of the traces i saved your files to my pm folder and ran
trace load -f schlagetrace trace list -1 -t mf
you should immediately see one of our keys, auto cracked by mfkey64 by the proxmark client (so handy), the second key was a nested authentication (when one sector is authenticated within another) so i parsed the nonces through nested and it gave us the other key. there was a nested auth that got bad crc and didn’t spit out a correct key but i just ignored that.
curious to know @amal do DT’s proxmarks come with SPI flash? if yes it might be worth bragging about mentioning in the listing cuz it expands standalone capability. can happily do a paragraph for you abt it if you’d like. Also curious, what’s the ohm value of the resistor R23 on DT boards? if it’s 1mohm next time you order more from your manufacturer have them swap it for something closer to 100kohm like 01E, if it’s 1mohm it basically just makes lf simulation impossible
Well, the new Proxmark arrived from DT. It seems to be having the same issue as my old one. I performed the HW tune to see the voltage of this Proxmark. Same as the old one HF is below 20v. Again, I read somewhere that it should be 20v or above.
[usb] pm3 --> hw tune
[=] -------- Reminder ----------------------------
[=] `hw tune` doesn't actively tune your antennas.
[=] It's only informative.
[=] Measuring antenna characteristics...
[/] 10
[=] -------- LF Antenna ----------
[+] 125.00 kHz ........... 27.75 V
[+] 134.83 kHz ........... 19.03 V
[+] 125.00 kHz optimal.... 27.75 V
[+]
[+] Approx. Q factor measurement
[+] Frequency bandwidth... 7.3
[+] Peak voltage.......... 8.1
[+] LF antenna............ ok
[=] -------- HF Antenna ----------
[+] 13.56 MHz............. 15.20 V
[+]
[+] Approx. Q factor measurement
[+] Peak voltage.......... 4.4
[+] HF antenna ( ok )
[=] -------- LF tuning graph ------------
[+] Orange line - divisor 95 / 125.00 kHz
[+] Blue line - divisor 88 / 134.83 kHz
[=] Q factor must be measured without tag on the antenna
When I tried HF search, I got a better result, but when I tried hf mf autopwn, I got the same result as before.
[usb] pm3 --> hf search
[\] Searching for ISO14443-A tag...
[+] UID: 94 E8 DD 2D
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection....... hard
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 867C495BA70D724747B627A98D31A4BA50D5CF9CF9FA1FE1E3629029F8B18D02
[+] Signature verification: successful
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found
The only place I could see this referenced is on the original proxmark3 repo, but it references LF antennas only. Also it should be said this is for the original proxmark design and probably cannot reliably be applied to modern designs.
For what it’s worth, I was trying to do the exact same thing as you, and getting the EXACT same results. Followed this whole thread hoping it would help me. I ordered a new PM3 easy from dangerous things, started with a completely fresh directory --following the guide to the letter. And … it just worked. It took seconds.
I have the exact same card, schlage 9691t. I didn’t have to do anything but let autopwn run for 20 seconds and it finished. I’ve already cloned three cards.
Maybe there’s just a hardware lottery. But I was jumping through every hoop, tuning, sniffing, emulating the reader, the card. Running different hardnested attacks, autopwn. It was fun, but it should not be that difficult. My experience was that it was at least 99% purely a hardware/installation issue.
Hey there! Thanks for getting in touch. Many posts I read never seem to have an ending, and we never find out if they ended up getting it to work. If they did, they didn’t post about what they did to get it to work. So it’s great to hear your success story! It gave me hope to keep trying.
I have played around with it again tonight for a few hours. Placing the fob in different positions on the PM3 to try get a better reading. It seems to have paid off, as I ended up with this!
[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[+] loaded 5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] .....
[=] running strategy 2
[=] .....
[+] target sector 0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector 16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector 17 key type A -- found valid key [ 75CCB59C9BED ]
[+] target sector 17 key type B -- found valid key [ 4B791BEA7BCC ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1447 million (2^30.4) keys/s | 140737488355328 | 27h
[=] 1 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 1318 ms | 140737488355328 | 27h
[=] 1 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 27h
[#] BCC0 incorrect, got 0x00, expected 0x44
[#] Aborting
[#] AcquireEncryptedNonces: Can't select card (ALL)
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[=] 5 | 112 | Apply bit flip properties | 16329647104 | 11s
[=] 6 | 222 | Apply bit flip properties | 1956066816 | 1s
[=] 7 | 333 | Apply bit flip properties | 1762851072 | 1s
[=] 8 | 444 | Apply bit flip properties | 667738496 | 0s
[=] 9 | 556 | Apply bit flip properties | 667738496 | 0s
[=] 10 | 667 | Apply bit flip properties | 618806016 | 0s
[#] AcquireEncryptedNonces: Can't select card (UID)
[=] 10 | 778 | Apply bit flip properties | 585574272 | 0s
[=] 11 | 889 | Apply bit flip properties | 585574272 | 0s
[=] 12 | 998 | Apply bit flip properties | 585574272 | 0s
[=] 12 | 1108 | Apply bit flip properties | 585574272 | 0s
[=] 13 | 1218 | Apply bit flip properties | 585574272 | 0s
[=] 14 | 1327 | Apply bit flip properties | 585574272 | 0s
[=] 16 | 1437 | Apply Sum property. Sum(a0) = 128 | 24838254 | 0s
[=] 16 | 1437 | (Ignoring Sum(a8) properties) | 24838254 | 0s
[=] 17 | 1437 | Brute force phase completed. Key found: C12DDE98A184 | 0 | 0s
[+] target sector 1 key type A -- found valid key [ C12DDE98A184 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1508 million (2^30.5) keys/s | 140737488355328 | 26h
[=] 1 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 1325 ms | 140737488355328 | 26h
[=] 1 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 26h
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[=] 5 | 112 | Apply bit flip properties | 5874223616 | 4s
[=] 6 | 223 | Apply bit flip properties | 0 | 0s
[=] 6 | 335 | Apply bit flip properties | 0 | 0s
[=] 7 | 445 | Apply bit flip properties | 0 | 0s
[=] 8 | 557 | Apply bit flip properties | 0 | 0s
[=] 9 | 669 | Apply bit flip properties | 0 | 0s
[=] 10 | 779 | Apply bit flip properties | 0 | 0s
[=] 11 | 890 | Apply bit flip properties | 0 | 0s
[=] 11 | 1000 | Apply bit flip properties | 0 | 0s
[=] 12 | 1109 | Apply bit flip properties | 0 | 0s
[#] AcquireEncryptedNonces: Auth1 error
[-] No match for the First_Byte_Sum (127), is the card a genuine MFC Ev1?
[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[+] loaded 5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] .....
[=] running strategy 2
[=] .....
[+] target sector 0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector 16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector 17 key type A -- found valid key [ 75CCB59C9BED ]
[+] target sector 17 key type B -- found valid key [ 4B791BEA7BCC ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1358 million (2^30.3) keys/s | 140737488355328 | 29h
[=] 2 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 1691 ms | 140737488355328 | 29h
[=] 2 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 29h
[=] 5 | 112 | Apply bit flip properties | 14181048320 | 10s
[=] 6 | 224 | Apply bit flip properties | 9606128640 | 7s
[=] 8 | 334 | Apply bit flip properties | 3392153344 | 2s
[#] AcquireEncryptedNonces: Auth1 error
[=] 9 | 446 | Apply bit flip properties | 1836767360 | 1s
[=] 10 | 558 | Apply bit flip properties | 701124416 | 1s
[=] 11 | 670 | Apply bit flip properties | 589938560 | 0s
[=] 12 | 776 | Apply bit flip properties | 585574272 | 0s
[=] 12 | 887 | Apply bit flip properties | 585574272 | 0s
[=] 13 | 997 | Apply bit flip properties | 585574272 | 0s
[=] 13 | 1108 | Apply bit flip properties | 585574272 | 0s
[=] 16 | 1218 | Apply Sum property. Sum(a0) = 128 | 32815608 | 0s
[=] 16 | 1218 | (Ignoring Sum(a8) properties) | 32815608 | 0s
[=] 17 | 1218 | Brute force phase completed. Key found: C12DDE98A184 | 0 | 0s
[+] target sector 1 key type A -- found valid key [ C12DDE98A184 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1540 million (2^30.5) keys/s | 140737488355328 | 25h
[=] 1 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 1299 ms | 140737488355328 | 25h
[=] 1 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 25h
[=] 5 | 112 | Apply bit flip properties | 48376217600 | 31s
[=] 6 | 223 | Apply bit flip properties | 10290469888 | 7s
[=] 6 | 335 | Apply bit flip properties | 7822354944 | 5s
[=] 7 | 446 | Apply bit flip properties | 5831894016 | 4s
[=] 8 | 558 | Apply bit flip properties | 5807241728 | 4s
[=] 9 | 670 | Apply bit flip properties | 5807241728 | 4s
[=] 10 | 782 | Apply bit flip properties | 5681572864 | 4s
[=] 11 | 893 | Apply bit flip properties | 5567847424 | 4s
[=] 11 | 1003 | Apply bit flip properties | 5567847424 | 4s
[=] 12 | 1113 | Apply bit flip properties | 5567847424 | 4s
[=] 13 | 1222 | Apply bit flip properties | 5567847424 | 4s
[=] 14 | 1332 | Apply bit flip properties | 5567847424 | 4s
[=] 16 | 1444 | Apply Sum property. Sum(a0) = 128 | 328238688 | 0s
[=] 17 | 1553 | Apply bit flip properties | 328238688 | 0s
[=] 18 | 1661 | Apply bit flip properties | 328238688 | 0s
[=] 19 | 1769 | Apply bit flip properties | 328238688 | 0s
[=] 19 | 1769 | (Ignoring Sum(a8) properties) | 328238688 | 0s
[=] 21 | 1769 | Brute force phase completed. Key found: FDDEC2700696 | 0 | 0s
[+] target sector 1 key type B -- found valid key [ FDDEC2700696 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1540 million (2^30.5) keys/s | 140737488355328 | 25h
[=] 1 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 1313 ms | 140737488355328 | 25h
[=] 1 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 25h
[=] 5 | 112 | Apply bit flip properties | 1212281257984 | 13min
[=] 6 | 224 | Apply bit flip properties | 505995460608 | 5min
[=] 7 | 335 | Apply bit flip properties | 432474423296 | 5min
[=] 7 | 445 | Apply bit flip properties | 374087942144 | 4min
[=] 8 | 557 | Apply bit flip properties | 369538596864 | 4min
[=] 9 | 669 | Apply bit flip properties | 369538596864 | 4min
[=] 10 | 781 | Apply bit flip properties | 369272356864 | 4min
[=] 11 | 891 | Apply bit flip properties | 369272356864 | 4min
[=] 11 | 1002 | Apply bit flip properties | 369272356864 | 4min
[=] 12 | 1113 | Apply bit flip properties | 369272356864 | 4min
[=] 13 | 1223 | Apply bit flip properties | 369272356864 | 4min
[=] 15 | 1333 | Apply Sum property. Sum(a0) = 128 | 66768596992 | 43s
[=] 15 | 1442 | Apply bit flip properties | 40683692032 | 26s
[#] AcquireEncryptedNonces: Auth1 error
[=] 16 | 1549 | Apply bit flip properties | 40683692032 | 26s
[=] 17 | 1657 | Apply bit flip properties | 10063248384 | 7s
[=] 18 | 1768 | Apply bit flip properties | 10063248384 | 7s
[#] AcquireEncryptedNonces: Auth1 error
[=] 19 | 1879 | Apply bit flip properties | 10063248384 | 7s
[=] 19 | 1987 | Apply bit flip properties | 10063248384 | 7s
[=] 20 | 1987 | (1. guess: Sum(a8) = 0) | 10063248384 | 7s
[=] 20 | 1987 | Apply Sum(a8) and all bytes bitflip properties | 10042353664 | 7s
[=] 20 | 1987 | (2. guess: Sum(a8) = 32) | 52660539392 | 34s
[=] 21 | 1987 | Apply Sum(a8) and all bytes bitflip properties | 52561797120 | 34s
[=] 21 | 1987 | Brute force phase completed. Key found: 5EF729FAB3DF | 0 | 0s
[+] target sector 2 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 2 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 3 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 3 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 4 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 4 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 5 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 6 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 6 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 7 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 7 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 8 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 9 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 9 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 10 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 10 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 11 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 11 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 12 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 12 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 13 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 13 key type B -- found valid key [ 5EF729FAB3DF ]
[+] target sector 14 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 14 key type B -- found valid key [ 5EF729FAB3DF ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1532 million (2^30.5) keys/s | 140737488355328 | 26h
[=] 1 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 1314 ms | 140737488355328 | 26h
[=] 1 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 26h
[=] 5 | 112 | Apply bit flip properties | 861824417792 | 9min
[=] 5 | 224 | Apply bit flip properties | 559661449216 | 6min
[=] 6 | 335 | Apply bit flip properties | 466073550848 | 5min
[=] 7 | 446 | Apply bit flip properties | 415568592896 | 5min
[=] 8 | 557 | Apply bit flip properties | 370379227136 | 4min
[=] 9 | 668 | Apply bit flip properties | 370379227136 | 4min
[=] 10 | 780 | Apply bit flip properties | 369272356864 | 4min
[=] 10 | 890 | Apply bit flip properties | 369272356864 | 4min
[=] 11 | 1001 | Apply bit flip properties | 369272356864 | 4min
[=] 12 | 1113 | Apply bit flip properties | 369272356864 | 4min
[#] AcquireEncryptedNonces: Auth1 error
[=] 13 | 1224 | Apply bit flip properties | 369272356864 | 4min
[=] 14 | 1335 | Apply bit flip properties | 369272356864 | 4min
[=] 14 | 1446 | Apply bit flip properties | 369272356864 | 4min
[=] 16 | 1557 | Apply Sum property. Sum(a0) = 128 | 94858100736 | 62s
[=] 17 | 1667 | Apply bit flip properties | 94858100736 | 62s
[=] 18 | 1774 | Apply bit flip properties | 75917746176 | 50s
[=] 18 | 1885 | Apply bit flip properties | 75917746176 | 50s
[=] 19 | 1996 | Apply bit flip properties | 75917746176 | 50s
[=] 20 | 2105 | Apply bit flip properties | 75917746176 | 50s
[=] 21 | 2105 | (Ignoring Sum(a8) properties) | 75917746176 | 50s
[=] 125 | 2105 | Brute force phase completed. Key found: 5EF729FAB3DF | 0 | 0s
[+] target sector 5 key type A -- found valid key [ 5EF729FAB3DF ]
[+] target sector 8 key type B -- found valid key [ 5EF729FAB3DF ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 001 | 007 | C12DDE98A184 | H | FDDEC2700696 | H
[+] 002 | 011 | 5EF729FAB3DF | H | 5EF729FAB3DF | R
[+] 003 | 015 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 004 | 019 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 005 | 023 | 5EF729FAB3DF | H | 5EF729FAB3DF | R
[+] 006 | 027 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 007 | 031 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 008 | 035 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 009 | 039 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 010 | 043 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 011 | 047 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 012 | 051 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 013 | 055 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 014 | 059 | 5EF729FAB3DF | R | 5EF729FAB3DF | R
[+] 015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 016 | 067 | 5C8FF9990DA2 | D | D01AFEEB890A | D ( * )
[+] 017 | 071 | 75CCB59C9BED | D | 4B791BEA7BCC | D ( * )
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[=] ( * ) These sectors used for signature. Lays outside of user memory
[+] Generating binary key file
[+] Found keys have been dumped to `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3/hf-mf-36FEEE62-key-003.bin`
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[=] downloading card content from emulator memory
[+] Saved 1024 bytes to binary file `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3/hf-mf-36FEEE62-dump.bin`
[+] Saved to json file `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3/hf-mf-36FEEE62-dump.json`
[=] autopwn execution time: 215 seconds
Is there anything else I need to do to get those missing keys?
Now I have entered the command you said, and I got the following: I’m guessing it’s not meant to have that many errors? I have excluded a lot of the errors, or it would be super long. But I tacked the last part at the end.
What does your setup look like? The auth errors remind me of the same problem you’ve been seeing. When it worked for me, the printouts were continuous with none of the auth errors or BCC0 errors.
I’m no expert, all I can say is what worked for me:
Followed the dangerous things set up guide to the letter (including putting proxspace near the root directory C:/, I didn’t do this on my first attempt with the old board)
For the HF signal, the card needs to be spaced from the board about an inch. I got some spare pieces of foam that came in a package and laid my card on top of that. I also put the board on top of a piece of foam on my wood desk just to try and decrease interference, and make sure nothing else is around it.
I used the command “hf 14a reader -@” to test the signal strength. You should be getting consistent printouts every second of your cards ID numbers. If you see errors, or if you see the ID changing because of dropped/weak signal, that seemed to be correlated with whether or not the autopwn would work. Once I got my new setup, I got nothing but good reads from that command.
You have some known keys now, you can feed those into the autopwn command with -k “KEYKEYKEYKEY”. I did this on my final attempt, not sure if it changes anything or just speeds it up.
It kinda seems like one bad “read” between the pm3 and card is enough to throw off the autopwn, so if you’re not getting consistent signal from it due to a bad antennae, card spacing, or some other interference, I’d try and change one of those.
I think there are some other options involving sniffing the traffic between the reader and card, especially with your known keys, but I’d just double check those other things first.
