Noob Needing help cloning Mifare Classic 1k 14443-A tag

stool sample, mother’s maiden name, names of last 4 life partners and a bisection of your left cornea. just the essentials :slight_smile:

4 Likes

Don’t forget first pet’s name.

2 Likes

I know, just my luck :melting_face: :roll_eyes:

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ Client ]
  Iceman/master/v4.18589-47-g81fd62034-suspect 2024-07-01 19:38:48 f1dc6862f
  compiled with............. MinGW-w64 13.2.0
  platform.................. Windows (64b) / x86_64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... absent
  Python script support..... present
  Lua SWIG support.......... present
  Python SWIG support....... present

 [ Proxmark3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: Iceman/master/v4.18589-47-g81fd62034-suspect 2024-07-01 19:37:17 f1dc6862f
       os: Iceman/master/v4.18589-47-g81fd62034-suspect 2024-07-01 19:37:50 f1dc6862f
  compiled with GCC 12.2.0

 [ FPGA ]
  fpga_pm3_lf.ncd image 2s30vq100 2024-02-03 15:12:10
  fpga_pm3_hf.ncd image 2s30vq100 2024-02-03 15:12:20
  fpga_pm3_felica.ncd image 2s30vq100 2024-02-03 15:12:41
  fpga_pm3_hf_15.ncd image 2s30vq100 2024-02-03 15:12:31

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 63% used )

[usb] pm3 -->

hf-mf-36FEEE62-dump.zip (1.2 KB)

The stool sample is in the mail :wink:

3 Likes

ok great! you have a full and completed dump file! we can proceed with cloning!!

do you have a magic card/fob?

1 Like

Finally some good news!

Yep, I have some that came with the PM3 from DT

awesome can you grab them and do hf mf info on them, see which ones say “Magic capabilities: gen1a”

when you find one that says that, do hf mf cload -f hf-mf-36FEEE62-dump that should load the dump into the magic card for you, it may take a few tries if the coupling is snaff

once it’s complete can you run a hf mf info on it and send a screenshot of that output :smile:

we are nearing completion!

[usb] pm3 --> hf mf info

[=] --- ISO14443-a Information ---------------------
[+]  UID: B7 4C 2F 6F
[+] ATQA: 00 04
[+]  SAK: 08 [2]

[=] --- Keys Information
[+] loaded  2 user keys
[+] loaded 61 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Sector 1 key A... FFFFFFFFFFFF
[+] Block 0.......... B7 4C 2F 6F BB 08 04 00 62 63 64 65 66 67 68 69

[=] --- Fingerprint
[+] FUDAN based card

[=] --- Magic Tag Information
[+] Magic capabilities... Gen 2 / CUID

[=] --- PRNG Information
[+] Prng................. weak

They are Gen 2. Will that make a difference?

Hi racast5,

I also tried what you said and followed the guide to reinstall Proxspace in the root directory C:/. It didn’t make any difference.

I also tried using the foam that came with the package to space it off, but that didn’t make a difference either.

The trick of using hf 14a reader -@ was a good tip. I could have that running to adjust the position of the fob on the PM3 until I got no errors, bad reads, etc. Then I tried running hf mf autopwn but still got auth errors or BCC0 errors. I haven’t been able to successfully run the autopwn again since the first time.

Maybe another faulty PM3?

gen2 will make a difference in the way we clone onto it yes.

can you autopwn that gen2 and let me know the output

1 Like

honestly i’m gonna see how the coupling goes with these magic cards, i am thinking this might actually be a sneaky antenna design choice by schlage

1 Like

[usb] pm3 --> hf mf autopwn
[!] no known key was supplied, key recovery might fail
[+] loaded  5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )


[+] Generating binary key file
[+] Found keys have been dumped to `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3/hf-mf-AAB92F6F-key-001.bin`
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[=] downloading card content from emulator memory
[+] Saved 1024 bytes to binary file `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3/hf-mf-AAB92F6F-dump-001.bin`
[+] Saved to json file `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3/hf-mf-AAB92F6F-dump-001.json`
[=] autopwn execution time: 2 seconds

I did find a Gen1 from the pack I got from AliExpress

ok gen1 is 100000x easier to do so go ahead with the cload command i mentioned earlier

also notice how easy that autopwn was? this definitely is smelling like a schlage thing.

1 Like

[=] --- ISO14443-a Information ---------------------
[+]  UID: 36 FE EE 62
[+] ATQA: 00 04
[+]  SAK: 88 [2]

[=] --- Keys Information
[+] loaded  2 user keys
[+] loaded 61 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Block 0.......... 36 FE EE 62 44 88 04 00 C8 14 00 20 00 00 00 19

[=] --- Fingerprint

[=] --- Magic Tag Information
[+] Magic capabilities... Gen 1a

[=] --- PRNG Information
[+] Prng................. weak

1 Like

I just tried it on the door.

It WORKS!

5 Likes

OOOH RAH!

that’s what we like to hear!

5 Likes

Thanks for all your help with this!!

I smile every time I unlock the door.

I think you are right about it being isolated to Schlage. Scanning other fobs has been pretty easy.

Do you have anything to read/tutorials to learn more about cloning fobs? Such as how you know if you have found all the keys. Or what you did earlier with hf mf fchk -k d90e70052a98 -k 0F30CF835C18 -k FFFFFFFFFFFF --dump

Thanks,

1 Like

That’s the best part about all this… NFC locking handle on my bedroom. Been alone in this house for months now, still going to be alone in it for at least another month. Half the time when I walk out of my bedroom I’ll close the door just so I can scan beeeep unlock to get back in

3 Likes
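
An added example, not part of any post in the thread: a consistency check over the two `hf mf info` outputs shown above, for anyone auditing their own credentials. It confirms that Block 0 agrees with the anticollision data (a wrong BCC is what the BCC0 errors mentioned earlier refer to) and counts how many listed keys are still the factory default. The function names are hypothetical, and the Block 0 layout (UID, BCC, SAK, ATQA low byte first) is the commonly documented one for 4-byte-UID cards, assumed here.

```python
import re

DEFAULT_KEY = "FFFFFFFFFFFF"  # factory transport key seen throughout the thread

# Constructed samples: lines copied from the two `hf mf info` outputs in the thread.
GEN2_INFO = """\
[+]  UID: B7 4C 2F 6F
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Sector 1 key A... FFFFFFFFFFFF
[+] Block 0.......... B7 4C 2F 6F BB 08 04 00 62 63 64 65 66 67 68 69
"""
GEN1A_INFO = """\
[+]  UID: 36 FE EE 62
[+] ATQA: 00 04
[+]  SAK: 88 [2]
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Block 0.......... 36 FE EE 62 44 88 04 00 C8 14 00 20 00 00 00 19
"""

def hex_field(text, label):
    """Return the hex bytes printed after `label` (dots and colon are skipped)."""
    m = re.search(re.escape(label) + r"\.*:?\s*((?:[0-9A-Fa-f]{2} ?)+)", text)
    if not m:
        raise ValueError(f"{label!r} not found")
    return bytes.fromhex(m.group(1))

def audit_info(text):
    """Compare Block 0 with the anticollision data and count default keys."""
    uid, sak, atqa = (hex_field(text, k) for k in ("UID", "SAK", "ATQA"))
    block0 = hex_field(text, "Block 0")
    if len(uid) != 4 or len(block0) != 16:
        raise ValueError("only 4-byte UIDs with a full 16-byte Block 0 are handled")
    bcc = 0
    for b in uid:
        bcc ^= b  # BCC0 is the XOR of the four UID bytes
    keys = re.findall(r"key [AB]\.+ ([0-9A-F]{12})", text)
    return {
        "uid_matches": block0[:4] == uid,
        "bcc_ok": block0[4] == bcc,
        "sak_matches": block0[5] == sak[0],         # assumed layout: byte 5
        "atqa_matches": block0[6:8] == atqa[::-1],  # assumed: low byte first
        "default_keys": sum(k == DEFAULT_KEY for k in keys),
        "keys_seen": len(keys),
    }
```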