Noob needs help with Proxmark3 on Mifare Classic 1k

Hi everyone, have been happily using the Proxmark3 in my apartment for multiple years as they refuse to provide extra keys. My understanding is that they have always used Mifare 1k key fobs. However, after moving to a new room in the same building, I’ve been struggling with cloning my apartment key.

Here are my hf search results.

[usb] pm3 --> hf search
[\] Searching for ISO14443-A tag...
[=] ---------- ISO14443-A Information ----------
[+]  UID: FA FF C2 71   ( ONUID, re-used )
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=]
[=] Proprietary non iso14443-4 card found
[=] RATS not supported
[+] Prng detection..... hard
[=]  IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A35
[=]                              : 6EED95695DD7E0C27A591E6F6F65962B
[=]                              : AF
[=]     Elliptic curve parameters: secp128r1
[=]              TAG IC Signature: 24F53B94D8238190FE243E6667E408C0
[=]                              : 539850F789AD2ACE854FA4929B8DAC86
[+]        Signature verification: successful

[?] Hint: Try `hf mf info`


[+] Valid ISO 14443-A tag found

When I try to run autopwn this is what happens
[usb] pm3 --> hf mf autopwn

[#] BCC0 incorrect, got 0x2d, expected 0x6d
[#] Using BCC0 =0x2d
[!] Known key failed. Can't authenticate to block   0 key type A
[=] MIFARE Classic EV1 card detected
[+] loaded 5 user keys
[+] loaded 61 hardcoded keys
[=] Running strategy 1
[=] Running strategy 2
[=] …
[+] Target sector   0 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] Target sector   2 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] Target sector  16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] Target sector  17 key type B -- found valid key [ 4B791BEA7BCC ]
[#] Auth error

[#] BCC0 incorrect, got 0x2d, expected 0x6d
[#] Using BCC0 =0x2d
[#] BCC0 incorrect, got 0x2d, expected 0x6d
[#] Using BCC0 =0x2d
[#] BCC0 incorrect, got 0x2d, expected 0x6d
[#] Using BCC0 =0x2d
[#] BCC0 incorrect, got 0x2d, expected 0x6d
[#] Using BCC0 =0x2d
[#] BCC0 incorrect, got 0x2d, expected 0x6d
[#] Using BCC0 =0x2d
[#] BCC0 incorrect, got 0x2d, expected 0x6d
[#] Using BCC0 =0x2d
[#] BCC0 incorrect, got 0x2d, expected 0x6d
[#] Using BCC0 =0x2d
[-] Tag isn't vulnerable to Nested Attack (PRNG is probably not predictable).
[-] Nested attack failed --> try hardnested

[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX512F SIMD core            |                 |
[=]        0 |       0 | Brute force benchmark: 4571 million (2^32.1) keys/s     | 140737488355328 |    9h
[=]        1 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in  897 ms               | 140737488355328 |    9h
[=]        1 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |    9h
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1

It seems to me that my Proxmark is failing to properly connect to the keyfob. These Auth1 errors and Can’t select cards repeat for tens of thousands of rows if not more.

The last thing to mention I believe is at the time, I tried my old apartment fob for the same building and autopwn worked with no issues, however this was about a month ago. I no longer have the key on me though since I moved out of the old room at this point.

Additionally, the proxmark I’m using is a cheap Aliexpress one. I don’t think it is absolute junk since it’s worked on three different Mifare Classic 1k fobs in my same building. However, I could definitely see the antenna/signal strength being terrible as a cause.

What I’ve tried so far:

  1. Use a spacer between the fob and the proxmark. Any kind of added space causes signal between the proxmark and the fob to be lost.
  2. Completely uninstalled and reinstalled iceman. I don’t think this made any difference either.
  3. Followed some of the steps and suggestions found in this thread. Would a better proxmark solve my issues?

Would love if anyone had any additional suggestions on what might be going wrong for me to resolve this?

1 Like

I agree it sounds like a connection issue, and I don’t think a new PM3 is likely to be the fix

However, a repeater board might help

I would be surprised if you couldn’t get a good coupling though just through trial and error

First, make sure the start-up text for the client isn’t showing any red firmware/client mismatch warnings

Then, as you’ve already done, keep moving your key all over/under/around the PM3

To help you with this, play with the hf tune and hf 14a reader -@ commands, these will give you some live feedback on your positioning, look for the spot with the lowest voltage, or most consistent reads respectively

2 Likes
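The connection-issue reading in the reply above can be checked against the pasted log itself, because failed card selection and BCC mismatches happen during ISO 14443-A anticollision, before any key is used. The following is an added example, not part of the thread and not Proxmark code: a small Python triage of such a log. `bcc`, `triage` and the sample lines are constructed here, and reading "expected" as the XOR of the UID bytes received in that frame is an assumption about the firmware message.

```python
import re
from collections import Counter

# Constructed sample in the format of the autopwn output quoted in the first post.
SAMPLE_LOG = """\
[#] BCC0 incorrect, got 0x2d, expected 0x6d
[#] Using BCC0 =0x2d
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Can't select card (UID)
[#] AcquireEncryptedNonces: Auth2 error len=1
"""
BCC_RE = re.compile(r"BCC0 incorrect, got 0x([0-9a-f]{2}), expected 0x([0-9a-f]{2})", re.I)


def bcc(uid: bytes) -> int:
    """ISO 14443-3 Type A block check character: XOR of the 4 UID bytes."""
    if len(uid) != 4:
        raise ValueError("single-size UID (4 bytes) expected")
    value = 0
    for byte in uid:
        value ^= byte
    return value


def triage(log: str, uid: bytes) -> dict:
    """Count link-layer vs. authentication errors in a pasted client log."""
    counts = Counter(bcc_mismatch=0, select_fail=0, auth_fail=0, bcc_matches_clean_uid=0)
    flipped_bits = []
    clean_bcc = bcc(uid)  # BCC of the UID as reported by a clean read
    for line in log.splitlines():
        line = line.replace("\u2019", "'")  # forum software may curl the quote
        match = BCC_RE.search(line)
        if match:
            got, expected = (int(group, 16) for group in match.groups())
            counts["bcc_mismatch"] += 1
            # Assumption: "expected" is the XOR of the UID bytes as received.
            # Few differing bits, and neither value equal to clean_bcc, point
            # to a frame corrupted on the air rather than an unusual tag.
            flipped_bits.append(bin(got ^ expected).count("1"))
            counts["bcc_matches_clean_uid"] += clean_bcc in (got, expected)
        elif "Can't select card" in line:
            counts["select_fail"] += 1
        elif re.search(r"Auth[12] error", line):
            counts["auth_fail"] += 1
    link_errors = counts["bcc_mismatch"] + counts["select_fail"]
    return {**counts, "clean_bcc": clean_bcc, "flipped_bits": flipped_bits,
            "rf_link_suspect": link_errors > 0}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, bytes.fromhex("FAFFC271")))
```

For the UID in the `hf search` output (FA FF C2 71) the clean BCC is 0xB6, which matches neither 0x2d nor 0x6d, and those two values differ by a single bit.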

New keyfob? Prng means pseudo random number generator. Weak means it’s a shit generator and can be attacked. Hard means not susceptible to autopwn (generally speaking). Might have to do some sniffing and some advanced attacks.

3 Likes

I did the same key by the sounds of it and had trouble getting mine to read correctly. You have to have the key in the correct location. I found placing the key directly on the proxmark, half in the HF rectangle, and half under the LF coil. I would then run this code hf 14a reader -@ and move the key around until I didn’t get any errors.

Ran hf mf autopwn many times, and with some luck, you can capture all the keys. It takes some patience.

Good luck!!

Hey everyone, I just wanted to say I got it solved. I actually had to unscrew and remove the top portion of my Proxmark. There was a single tiny spot on top of the actual antenna where I was able to run autopwn and crack my key. I guess the key I currently have might be kind of weak so I had to get real close to get a strong enough signal.

1 Like

Alternatively, you could have put the transponder under the proxmark. The HF antenna is on the bottom PCB, not the middle.

2 Likes

I actually was trying the bottom of my proxmark and for some reason I couldn’t find a position that worked.

1 Like

crazy!

1 Like