Ok so I'm having trouble

This community is really the jewel of our little corner of biohacking.


This is a dormakaba system.

Based on now removed information the tag type of your source transponder is an MFC1C14_x which is a mifare classic ev1 chip with improved / hardened random number generator. It seems though that your proxmark3 was still able to determine access bits and make a dump of the protected memory in secured sectors. What’s not matching up here is the SAK, but there may also be other checks the readers are doing.

With the advent of magic chips out of china, it’s now possible and has been seen in the wild that readers will issue magic chip backdoor commands to the chip to see if it responds… and if it does then it will refuse to work. I’m unsure if your system is doing this, but it is a possibility.

One approach might be to obtain a magic gen1a and a magic Gen2 in card or key fob format and attempt to get the system to recognize those. The gen2 magic chip type does not use backdoor commands, it simply allows sector 0 to be written. The downside is that because there is no backdoor to get around all security settings, accidentally setting access bits incorrectly can result in a sector being locked out forever, just like any normal mifare chip. Some people have talked about ways to recover these types of sectors from a magic Gen2 chip but I don’t recall any actual proof.

There are proper instructions laid out to attempt to fix a soft brick of sector 0 in the proxmark 3 magic card notes: proxmark3/magic_cards_notes.md at master · RfidResearchGroup/proxmark3 · GitHub

However, that definitely doesn’t help when it’s the access bits. Saying that, that’s literally no different at all to a genuine mifare chip… it’s less of a detractor / ‘easy’ way to brick your implant and more of a reason that the gen1a might be a better option, especially if the system that you are cloning from has weird access conditions. IIRC Mifare Classic tool even has an access condition encoder and decoder, and I think the dev was looking into adding warning before attempting to clone weird / permanent access conditions, though I don’t know if that has been implemented yet.

While there are ways to set access bits in such a way that the keys are blocked from reading or changing each other, that is not my primary concern. The Mifare spec dictates that access bits be written in a specific way with both normal and matching inverted bits… and if you write an invalid bit pattern or there is a bit flip error during transmission, the entire sector will be bricked… no data will be readable and no keys either. This is my primary concern when playing around with writing data to sectors, especially since we are dealing with magic chips with sometimes wonky signal detection, small antennas, and one-handed proxmark3 operation.

NFC-Access-Control-for-Mifare-S50.pdf (631.1 KB)

That said, it would still be a concern if you were dealing with a mifare card that had secured one or more sectors using access bit settings which permanently set the entire block to read-only with no key access (meaning you can’t change the keys or access bits).

Interesting, is there any data as to how often this happens with flexM1 gen 2 devices vs with flexM1 gen 1a devices that can be recovered?

Not really… I don’t think we’ve sold more than a handful of flexM1 gen2 (pun!) … the xM1 is more popular by far.

So do the block 0 keys have to match the rest?
And can I rewrite them in the JSON if I need to?

Each sector can be secured individually so the keys can be whatever the application wants them to be. Sector 0 on a mifare chip is a special sector with the ID and the MAD (mifare application directory) and is normally read only.

You can definitely change the content of the JSON file, however when changing access bits there is a calculation that needs to be done properly to set the bits correctly or the sector will brick. To read more about this, check this post:

In short the important thing I think is that the xM1 sector data matches the source chip. If the SAK value doesn’t match after cloning then I believe there is a way to change it after the fact. Can you write the dump file to the xM1 and then do an autopwn on it to save its own dump file (be sure to back up your original source dump file first). Then you can compare to see that the sector data and keys are identical.
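The dump comparison suggested above, as an added example that is not code from the thread or from the proxmark3 project: it parses the `[=] block N: …` lines that `hf mf dump` / `hf mf restore` print, compares a source-fob dump with the dump read back from the xM1 block by block, and names the field that differs (UID/SAK, data, key A, access bits, key B) so a key mismatch is not mistaken for a data problem. The fob's block 0 and block 3 values are the ones quoted in the restore log later in this thread; the xM1 read-back is constructed.

```python
# Added example (not from the thread): block-by-block comparison of two
# MIFARE Classic 1K dumps parsed from proxmark3 "[=] block N: ..." lines.

def parse_pm3_blocks(text):
    """Build {block_no: 16 bytes} from '[=] block N: xx xx ...' lines as printed
    by 'hf mf dump' / 'hf mf restore'; every other log line is ignored."""
    blocks = {}
    for line in text.splitlines():
        head, sep, hexpart = line.partition(":")
        if not sep or "block" not in head:
            continue
        try:
            n = int(head.split("block")[1])
            data = bytes.fromhex(hexpart)      # fromhex skips the spaces
        except ValueError:
            continue
        if len(data) == 16:
            blocks[n] = data
    return blocks

def describe_diff(n, a, b):
    """Fields of block n that differ between dumps a and b (4-byte-UID 1K layout)."""
    if n == 0:                    # manufacturer block: UID, BCC, SAK, ATQA, vendor data
        fields = [(0, 4, "UID"), (4, 5, "BCC"), (5, 6, "SAK"), (6, 8, "ATQA"), (8, 16, "manufacturer data")]
    elif n % 4 == 3:              # sector trailer
        fields = [(0, 6, "key A"), (6, 9, "access bits"), (9, 10, "GPB"), (10, 16, "key B")]
    else:
        fields = [(0, 16, "data")]
    return [name for lo, hi, name in fields if a[lo:hi] != b[lo:hi]]

def compare_dumps(src, dst):
    """{block_no: [differing fields]} for every block present in both dumps."""
    out = {}
    for n in sorted(set(src) & set(dst)):
        diff = describe_diff(n, src[n], dst[n])
        if diff:
            out[n] = diff
    return out

# Source fob: block 0 and block 3 as quoted in the restore log in this thread.
FOB_LOG = """[=] block 0: BE F2 56 C2 D8 88 04 00 C8 19 00 20 00 00 00 15
[=] block 1: AA 01 51 90 51 90 51 90 51 90 51 90 51 90 51 90
[=] block 3: A0 A1 A2 A3 A4 A5 78 77 88 C1 0D 25 8F E9 02 96"""
# Constructed read-back from the implant: SAK byte and key B deliberately differ.
XM1_LOG = """[=] block 0: BE F2 56 C2 D8 08 04 00 C8 19 00 20 00 00 00 15
[=] block 1: AA 01 51 90 51 90 51 90 51 90 51 90 51 90 51 90
[=] block 3: A0 A1 A2 A3 A4 A5 78 77 88 C1 FF FF FF FF FF FF"""

if __name__ == "__main__":
    for n, fields in compare_dumps(parse_pm3_blocks(FOB_LOG), parse_pm3_blocks(XM1_LOG)).items():
        print("block %2d (sector %d): %s differs" % (n, n // 4, ", ".join(fields)))
```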

So whatever this proxmark is doing, it isn't writing the correct key to block 0. I put it in the MATTYRUN standalone, sniffed the key and came back with the wrong block0 key.
Also, the capitalization of the letter in the UID

Memory terms and vernacular

To be clear, on Mifare cards memory is organized this way:

So there are sectors which contain 4 blocks of data, each 16 bytes long.

The first sector (sector 0 because why not start counting at 0) is what we are dealing with. Sector 0 is special because it houses important information about the chip (manufacturer data), the ID of the chip, and what it might be used for (MAD or Mifare Application Directory).

For each sector, the last block is used for keeping key A and key B as well as access bit settings (permissions) defining how the sector will be secured with those keys.
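The access-bit calculation this post and the earlier one about inverted bits refer to, as an added example (not the thread's or proxmark3's own code): it decodes the three access bytes of a sector trailer, checks that the inverted copies agree, re-encodes them, and flags a trailer whose keys and access bits can never be rewritten. Condition tables follow the NXP MF1S50 datasheet; the sample bytes are sector 0's trailer from the restore log in this thread plus the factory transport trailer.

```python
# Added example (not from the thread): host-side decode / validate / encode of
# the MIFARE Classic sector trailer access bytes (trailer bytes 6..8), run
# before a write so a flipped bit or permanent setting is caught in time.

# (C1, C2, C3) of the trailer -> (keyA read, keyA write, bits read, bits write, keyB read, keyB write)
TRAILER_RIGHTS = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),            # transport configuration
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}

def decode_access(b6, b7, b8):
    """Return [(C1, C2, C3) for block 0..3 of the sector].
    Layout: b6 = ~C2[3..0] | ~C1[3..0], b7 = C1[3..0] | ~C3[3..0], b8 = C3[3..0] | C2[3..0].
    Raises ValueError when the inverted copies disagree (the chip then blocks the whole sector)."""
    if (b6 ^ 0xFF) != (((b8 & 0x0F) << 4) | (b7 >> 4)) or (b7 & 0x0F) != ((b8 >> 4) ^ 0x0F):
        raise ValueError("access bytes %02X %02X %02X: inverted bits do not match" % (b6, b7, b8))
    return [((b7 >> (4 + i)) & 1, (b8 >> i) & 1, (b8 >> (4 + i)) & 1) for i in range(4)]

def encode_access(conds):
    """Inverse of decode_access: four (C1, C2, C3) tuples -> (b6, b7, b8)."""
    b6 = b7 = b8 = 0
    for i, (c1, c2, c3) in enumerate(conds):
        b6 |= ((c2 ^ 1) << (4 + i)) | ((c1 ^ 1) << i)
        b7 |= (c1 << (4 + i)) | ((c3 ^ 1) << i)
        b8 |= (c3 << (4 + i)) | (c2 << i)
    return b6, b7, b8

def trailer_is_permanent(conds):
    """True when neither key nor the access bits can ever be rewritten again."""
    r = TRAILER_RIGHTS[conds[3]]
    return r[1] == "never" and r[3] == "never" and r[5] == "never"

def check_trailer(trailer):
    """trailer: the 16 bytes of a sector's last block. Returns (conditions, permanent)."""
    conds = decode_access(trailer[6], trailer[7], trailer[8])
    if encode_access(conds) != tuple(trailer[6:9]):
        raise ValueError("round trip mismatch")
    return conds, trailer_is_permanent(conds)

if __name__ == "__main__":
    # Sector 0 trailer from the restore log in this thread, then the factory transport trailer.
    for hexstr in ("A0A1A2A3A4A5787788C10D258FE90296", "FFFFFFFFFFFFFF078069FFFFFFFFFFFF"):
        conds, permanent = check_trailer(bytes.fromhex(hexstr))
        print(hexstr, "trailer C1C2C3 =", conds[3], "permanent" if permanent else "keys still writable")
```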

Clarification

So you are saying you put your legitimate card up to the reader and sniffed this traffic and you were able to determine that the key used to communicate with the legitimate card is not the key that the autopwn process on that legitimate card came up with for sector 0?

I don’t believe I’ve ever seen a sniff log of a mifare ev1 card so I’m a bit out of my depth here, but how did you determine which key was being used (A or B) and that it was wrong? Can you post the data?

Matty mifare chk/dump/sim a.k.a MattyRun Started <<
[#] Current sector: 0, block: 3, key type: A, key count: 66
[#] [✓] Found valid key: [a0a1a2a3a4a5]

These are the dump comparisons (screenshot), left is fob, right is xM1.

So I cwipe the xM1 and restore a new dump from the fob, they are identical, try to scan on door, dumped the xM1, no change.

cview the fob again to make sure it is staying the same, all the same.

I used HF MF RESTORE, it works on the CUID, it opened the door, but not the xM1. Please tell me this thing isn't bricked.

I'm erasing all dumps and keys and trying on the chip again.

The card works, still not writing to the xM1.

[usb] pm3 → hf mf restore
[=] Restoring hf-mf-BEF256C2-dump.bin to card
[=] block 0: BE F2 56 C2 D8 88 04 00 C8 19 00 20 00 00 00 15
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 1: AA 01 51 90 51 90 51 90 51 90 51 90 51 90 51 90
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 2: 51 90 51 90 51 90 51 90 51 90 51 90 51 90 51 90
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 3: A0 A1 A2 A3 A4 A5 78 77 88 C1 0D 25 8F E9 02 96
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 4: F8 12 91 AA F8 71 62 9C 4F 5A 17 A4 BD 16 36 D4
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 5: 40 00 F7 61 99 0A 7B 9F 4F C3 EE 09 C4 B5 BC AE
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 6: CF F1 96 81 18 DE 1B 88 68 20 63 C4 38 D8 08 31
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 7: CB BF EE 04 D8 8D 78 77 88 01 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 8: 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00 00 00
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 9: EA F5 FF FF 15 0A 00 00 EA F5 FF FF 00 FF 00 FF
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 10: EA F5 FF FF 15 0A 00 00 EA F5 FF FF 00 FF 00 FF
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 11: CB BF EE 04 D8 8D 18 77 8E 06 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 12: 84 00 DD FD 12 28 94 00 01 FD 12 2C 84 00 CD FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 13: 12 2B 94 00 01 FD 12 30 94 00 01 FD 12 35 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 14: 01 FD 12 37 94 00 01 FD 12 37 98 00 01 FD 12 29
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 15: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 16: 94 00 01 FD 12 40 94 00 01 FD 12 40 98 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 17: 12 49 94 00 01 FD 12 54 94 00 01 FD 12 5B 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 18: 01 FD 12 5D 94 00 01 FD 12 64 94 00 01 FD 12 69
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 19: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 20: 94 00 01 FD 12 68 94 00 01 FD 12 68 98 00 0F FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 21: 12 68 94 00 01 FD 12 69 98 00 01 FD 12 58 98 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 22: 01 FD 12 D8 94 00 01 FD 13 4C 98 00 01 FD 13 37
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 23: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 24: 94 00 01 FD 13 59 98 00 01 FD 13 44 94 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 25: 16 A3 94 00 01 FD 16 CF 98 00 01 FD 16 BA 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 26: 01 FD 16 F1 98 00 01 FD 16 DB 98 00 01 FD 17 58
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 27: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 28: 98 00 01 FD 17 6F 98 00 01 FD 18 DD 98 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 29: 18 C9 98 00 01 FD 18 D5 98 00 01 FD 18 E2 98 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 30: 01 FD 18 F0 98 00 01 FD 19 5F 94 00 10 FD 1C FC
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 31: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 32: 98 00 01 FD 1D B6 98 00 01 FD 1E 81 98 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 33: 1E 83 98 00 01 FD 1E A0 98 00 01 FD 1E A7 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 34: 01 FD 1E D5 98 00 01 FD 1E BF 98 00 01 FD 1E D8
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 35: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 36: 98 00 01 FD 1E D9 98 00 01 FD 1E D9 94 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 37: 1F 16 98 00 01 FD 1F 01 94 00 01 FD 1F 28 98 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 38: 01 FD 1F 13 94 00 01 FD 1F 2A 98 00 01 FD 1F 15
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 39: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 40: 94 00 10 FD 23 DE 94 00 10 FD 0E EC 94 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 41: 10 FA 98 00 0F FD 10 FA 98 00 0F FD 10 FA 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 42: 01 FD 11 53 94 00 08 FD 11 55 04 00 F6 FD 11 53
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 43: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 44: 94 00 01 FD 11 63 94 00 08 FD 11 5F 94 00 10 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 45: 11 6A 04 00 FA FD 11 68 94 00 01 FD 11 85 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 46: 01 FD 11 91 84 00 D3 FD 11 95 98 00 01 FD 11 99
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 47: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 48: 94 00 01 FD 11 A8 84 01 FB FD 11 A8 18 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 49: 11 A5 18 00 01 FD 11 B7 98 00 0F FD 11 BF 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 50: 01 FD 11 C0 98 00 01 FD 11 AF 94 00 01 FD 11 E1
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 51: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 52: 98 00 0F FD 11 E0 94 00 01 FD 11 E5 94 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 53: 11 E5 D4 00 A1 FD 11 E0 04 01 FA FD 11 E4 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 54: 01 FD 11 EF 94 00 01 FD 11 F2 18 00 01 FD 11 EC
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 55: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 56: 84 01 F7 FD 11 F2 84 01 F6 FD 11 FE 84 01 F6 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 57: 11 FE 18 00 01 FD 12 03 B4 00 01 FD 12 0E 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 58: 01 FD 12 10 D4 00 A1 FD 12 0C 04 02 5C FD 12 0D
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 59: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 60: 18 00 01 FD 12 0F 84 02 5E FD 12 1D 18 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 61: 12 18 94 00 01 FD 12 27 94 00 02 FD 12 23 00 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 62: 94 00 10 FD 0E EC 94 00 01 FD 00 00 00 00 28 11
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 63: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] Done!

Ok so you were able to get an exact clone on the xM1 … so I think the only thing left to explore at this point is the door lock itself.

  • Can you post make, model, photos, etc. of the door lock you are trying?

  • Have you used the xFD HF keychain to determine the best location and orientation for presenting your xM1 to the reader?

So, at this point, I think I need a magnet to disrupt the field around the lock, lol. Is that really a thing?