stool sample, mother's maiden name, names of last 4 life partners and a bisection of your left cornea. just the essentials
Don’t forget first pet’s name.
I know, just my luck
[usb] pm3 --> hw version
[ Proxmark3 RFID instrument ]
[ Client ]
Iceman/master/v4.18589-47-g81fd62034-suspect 2024-07-01 19:38:48 f1dc6862f
compiled with............. MinGW-w64 13.2.0
platform.................. Windows (64b) / x86_64
Readline support.......... present
QT GUI support............ present
native BT support......... absent
Python script support..... present
Lua SWIG support.......... present
Python SWIG support....... present
[ Proxmark3 ]
firmware.................. PM3 GENERIC
[ ARM ]
bootrom: Iceman/master/v4.18589-47-g81fd62034-suspect 2024-07-01 19:37:17 f1dc6862f
os: Iceman/master/v4.18589-47-g81fd62034-suspect 2024-07-01 19:37:50 f1dc6862f
compiled with GCC 12.2.0
[ FPGA ]
fpga_pm3_lf.ncd image 2s30vq100 2024-02-03 15:12:10
fpga_pm3_hf.ncd image 2s30vq100 2024-02-03 15:12:20
fpga_pm3_felica.ncd image 2s30vq100 2024-02-03 15:12:41
fpga_pm3_hf_15.ncd image 2s30vq100 2024-02-03 15:12:31
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 63% used )
[usb] pm3 -->
ok great! you have a full and completed dump file! we can proceed with cloning!!
do you have a magic card/fob?
awesome, can you grab them and do hf mf info
on them, see which ones say “Magic capabilities: gen1a”
when you find one that says that, do hf mf cload -f hf-mf-36FEEE62-dump
that should load the dump into the magic card for you, it may take a few tries if the coupling is snaff
once it’s complete, can you run an hf mf info
on it and send a screenshot of that output
we are nearing completion!
[usb] pm3 --> hf mf info
[=] --- ISO14443-a Information ---------------------
[+] UID: B7 4C 2F 6F
[+] ATQA: 00 04
[+] SAK: 08 [2]
[=] --- Keys Information
[+] loaded 2 user keys
[+] loaded 61 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Sector 1 key A... FFFFFFFFFFFF
[+] Block 0.......... B7 4C 2F 6F BB 08 04 00 62 63 64 65 66 67 68 69
[=] --- Fingerprint
[+] FUDAN based card
[=] --- Magic Tag Information
[+] Magic capabilities... Gen 2 / CUID
[=] --- PRNG Information
[+] Prng................. weak
They are Gen 2. Will that make a difference?
Hi racast5,
I also tried what you said and followed the guide to reinstall Proxspace in the root directory C:/. It didn’t make any difference.
I also tried using the foam that came with the package to space it off, but that didn’t make a difference either.
The trick of using hf 14a reader -@ was a good tip. I could have that running to adjust the position of the fob on the PM3 until I got no errors, bad reads, etc. Then I tried running hf mf autopwn but still got auth errors or BCC0 errors. I haven’t been able to successfully run the autopwn again since the first time.
Maybe another faulty PM3?
gen2 will make a difference in the way we clone onto it, yes.
can you autopwn that gen2 and let me know the output
honestly I’m gonna see how the coupling goes with these magic cards, I am thinking this might actually be a sneaky antenna design choice by Schlage
[usb] pm3 --> hf mf autopwn
[!] no known key was supplied, key recovery might fail
[+] loaded 5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[+] target sector 0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[+] Generating binary key file
[+] Found keys have been dumped to `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3/hf-mf-AAB92F6F-key-001.bin`
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[=] downloading card content from emulator memory
[+] Saved 1024 bytes to binary file `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3/hf-mf-AAB92F6F-dump-001.bin`
[+] Saved to json file `C:\Users\micha\Downloads\ProxSpace\ProxSpace\pm3/hf-mf-AAB92F6F-dump-001.json`
[=] autopwn execution time: 2 seconds
I did find a Gen1 from the pack I got from AliExpress
ok gen1 is 100000x easier to do, so go ahead with the cload command I mentioned earlier
also notice how easy that autopwn was? this definitely is smelling like a Schlage thing.
[=] --- ISO14443-a Information ---------------------
[+] UID: 36 FE EE 62
[+] ATQA: 00 04
[+] SAK: 88 [2]
[=] --- Keys Information
[+] loaded 2 user keys
[+] loaded 61 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Block 0.......... 36 FE EE 62 44 88 04 00 C8 14 00 20 00 00 00 19
[=] --- Fingerprint
[=] --- Magic Tag Information
[+] Magic capabilities... Gen 1a
[=] --- PRNG Information
[+] Prng................. weak
I just tried it on the door.
It WORKS!
OOOH RAH!
that’s what we like to hear!
Thanks for all your help with this!!
I smile every time I unlock the door.
I think you are right about it being isolated to Schlage. Scanning other fobs has been pretty easy.
Do you have anything to read/tutorials to learn more about cloning fobs? Such as how you know if you have found all the keys. Or what you did earlier with hf mf fchk -k d90e70052a98 -k 0F30CF835C18 -k FFFFFFFFFFFF --dump
Thanks,
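An added note on the two questions in that post (this is not part of the thread and not Proxmark3 code): the autopwn key table above carries the answer to "have I found all the keys". Each key slot has a `res` column, and the legend says `0` means the client never recovered that key and just inserted `FFFFFFFFFFFF` as a filler, so a dump is only complete when no slot shows `0`. The other thing worth understanding is the `BCC0` error: the fifth byte of block 0 is a block check character, the XOR of the four UID bytes, and the client complains when a noisy read makes it not add up. The script below parses a constructed copy of the autopwn table (same layout as the one printed in this thread; the key values and the one unresolved slot are made up) and checks a block 0 line from `hf mf info`. The sample UIDs are the ones printed in this thread; all function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of the "found keys" table that `hf mf autopwn` prints.
# Layout copied from the client output in this thread; the key values and the
# unresolved slot in sector 2 are invented so the audit has something to flag.
SAMPLE_KEY_TABLE = """\
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 001 | 007 | D90E70052A98 | U | 0F30CF835C18 | U
[+] 002 | 011 | FFFFFFFFFFFF | 0 | A0A1A2A3A4A5 | D
[+] -----+-----+--------------+---+--------------+----
"""

DEFAULT_KEY = "FFFFFFFFFFFF"  # factory MIFARE Classic key, also autopwn's filler
UNKNOWN_RES = "0"             # legend: res 0 = key was never recovered

# One data row of the table: sector | block | key A | res | key B | res
ROW_RE = re.compile(
    r"^\[\+\]\s+(\d{3})\s+\|\s+(\d{3})\s+\|\s+([0-9A-Fa-f]{12})\s+\|\s*(\S)\s*\|"
    r"\s+([0-9A-Fa-f]{12})\s+\|\s*(\S)\s*$"
)


@dataclass
class KeyRow:
    sector: int
    block: int
    key_a: str
    res_a: str
    key_b: str
    res_b: str


def parse_key_table(text: str) -> List[KeyRow]:
    """Pull the data rows out of the autopwn table, skipping headers and rules."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(KeyRow(int(m[1]), int(m[2]), m[3].upper(), m[4],
                               m[5].upper(), m[6]))
    return rows


def audit_keys(rows: List[KeyRow]) -> dict:
    """Report which slots are still unknown and how many are factory default."""
    unresolved = []
    default_slots = 0
    for r in rows:
        for key_type, key, res in (("A", r.key_a, r.res_a), ("B", r.key_b, r.res_b)):
            if res == UNKNOWN_RES:
                unresolved.append((r.sector, key_type))   # filler, not a real key
            elif key == DEFAULT_KEY:
                default_slots += 1                        # card left on factory keys
    return {
        "sectors": len(rows),
        "unresolved": unresolved,
        "all_keys_found": not unresolved,
        "default_key_slots": default_slots,
        "all_default": bool(rows) and default_slots == 2 * len(rows),
    }


def bcc(uid: bytes) -> int:
    """ISO 14443-3 block check character: XOR of the UID bytes."""
    value = 0
    for b in uid:
        value ^= b
    return value


def check_block0(block0_hex: str) -> dict:
    """Parse the `Block 0` line from hf mf info (4-byte UID layout) and verify the BCC.

    Layout: UID[4] BCC[1] SAK[1] ATQA[2, little-endian] manufacturer data[8].
    A stored BCC that does not match the UID is what a bad read shows up as.
    """
    data = bytes.fromhex(block0_hex.replace(" ", ""))
    if len(data) != 16:
        raise ValueError("block 0 must be 16 bytes")
    uid, stored_bcc, sak = data[:4], data[4], data[5]
    atqa = int.from_bytes(data[6:8], "little")
    return {"uid": uid.hex().upper(), "bcc_ok": bcc(uid) == stored_bcc,
            "sak": sak, "atqa": atqa}


if __name__ == "__main__":
    # Block 0 of the Gen 1a card as printed in this thread
    print(check_block0("36 FE EE 62 44 88 04 00 C8 14 00 20 00 00 00 19"))
    print(audit_keys(parse_key_table(SAMPLE_KEY_TABLE)))
```

Run against a real autopwn transcript, `unresolved` empty means every sector's keys were actually recovered; anything listed there is a slot the dump is lying about. `all_default` true is the situation this thread ran into: every sector still on `FFFFFFFFFFFF`, which is why autopwn finished in two seconds from the dictionary alone, and is the finding to raise with whoever owns the lock.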
That’s the best part about all this… NFC locking handle on my bedroom. Been alone in this house for months now, still going to be alone in it for at least another month. Half the time when I walk out of my bedroom I’ll close the door just so I can scan beeeep unlock to get back in