Ok so I'm having trouble

so whatever this Proxmark is doing, it isn't writing the correct key to block 0. I put it in the MattyRun standalone, sniffed the key, and it came back with the wrong block 0 key.
Also, the capitalization of the letters in the UID.

Memory terms and vernacular

To be clear, on Mifare cards memory is organized this way:

So there are sectors, each of which contains 4 blocks of data, each 16 bytes long.

The first sector (sector 0, because why not start counting at 0) is what we are dealing with. Sector 0 is special because it houses important information about the chip (manufacturer data), the ID of the chip, and what it might be used for (MAD, or Mifare Application Directory).

For each sector, the last block is used for keeping key A and key B as well as access bit settings (permissions) defining how the sector will be secured with those keys.

Clarification

So you are saying you put your legitimate card up to the reader and sniffed this traffic and you were able to determine that the key used to communicate with the legitimate card is not the key that the autopwn process on that legitimate card came up with for sector 0?

I don’t believe I’ve ever seen a sniff log of a mifare ev1 card so I’m a bit out of my depth here, but how did you determine which key was being used (A or B) and that it was wrong? Can you post the data?
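To make the sector layout described above concrete, here is an added example (not code from the thread or from the Proxmark project) that decodes a MIFARE Classic 1K sector trailer into key A, access bits and key B, verifies the inverted-copy redundancy the card enforces, and reports which key may write each block. Block 3 from the restore log in this thread is used as the sample input; the condition tables follow the MIFARE Classic datasheet.

```python
# Added example (not the thread's code): MIFARE Classic 1K sector-trailer decoder.
# Data-block conditions keyed by the 3-bit value C1C2C3: (read, write).
DATA_COND = {
    0b000: ("A|B", "A|B"), 0b010: ("A|B", "never"), 0b100: ("A|B", "B"),
    0b110: ("A|B", "B"), 0b001: ("A|B", "never"), 0b011: ("B", "B"),
    0b101: ("B", "never"), 0b111: ("never", "never"),
}
# Trailer conditions keyed the same way: who may write (key A, access bits, key B).
TRAILER_COND = {
    0b000: ("A", "never", "A"), 0b010: ("never", "never", "never"),
    0b100: ("B", "never", "B"), 0b110: ("never", "never", "never"),
    0b001: ("A", "A", "A"), 0b011: ("B", "B", "B"),
    0b101: ("never", "B", "never"), 0b111: ("never", "never", "never"),
}

def block_to_sector(block: int) -> int:
    """1K layout: 16 sectors x 4 blocks, trailer at block 4n+3."""
    return block // 4

def parse_trailer(trailer_hex: str) -> dict:
    """Split key A / access bytes / GPB / key B and decode each block's C1C2C3.
    Raises ValueError if the inverted copies of the access bits disagree."""
    raw = bytes.fromhex(trailer_hex.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("trailer must be 16 bytes")
    b6, b7, b8 = raw[6], raw[7], raw[8]
    conds = []
    for i in range(4):  # block i within the sector; 3 is the trailer itself
        c1, c2, c3 = (b7 >> (4 + i)) & 1, (b8 >> i) & 1, (b8 >> (4 + i)) & 1
        nc1, nc2, nc3 = (b6 >> i) & 1, (b6 >> (4 + i)) & 1, (b7 >> i) & 1
        if (c1, c2, c3) != (nc1 ^ 1, nc2 ^ 1, nc3 ^ 1):
            raise ValueError("access bits fail the redundancy check")
        conds.append((c1 << 2) | (c2 << 1) | c3)
    return {"key_a": raw[:6].hex(), "access": raw[6:9].hex(), "gpb": raw[9],
            "key_b": raw[10:].hex(),
            "data_blocks": [DATA_COND[c] for c in conds[:3]],
            "trailer": TRAILER_COND[conds[3]]}

def writable_with(trailer_hex: str, key: str) -> list:
    """Data blocks (0..2 in the sector) that key 'A' or 'B' may write."""
    blocks = parse_trailer(trailer_hex)["data_blocks"]
    return [i for i, (_, w) in enumerate(blocks) if key in w.split("|")]

def trailer_is_valid(trailer_hex: str) -> bool:
    """True when the trailer parses and its access bits are self-consistent."""
    try:
        parse_trailer(trailer_hex)
        return True
    except ValueError:
        return False
```

With the thread's trailer (access bytes 78 77 88) the data blocks are readable with either key but writable only with key B, which is why the access-condition decode is worth checking before judging whether a write failure is a key problem or a permissions problem.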

Matty mifare chk/dump/sim a.k.a MattyRun Started <<
[#] Current sector: 0, block: 3, key type: A, key count: 66
[#] [✓] Found valid key: [a0a1a2a3a4a5]

These are the dump comparisons; left is the fob, right is the xM1.

So I cwipe the xM1 and restore a new dump from the fob; they are identical. Try to scan on the door, dumped the xM1, no change.

cview the fob again to make sure it is staying the same; all the same.

I used HF MF RESTORE; it works on the CUID, it opened the door, but not the xM1. Please tell me this thing isn't bricked.

I'm erasing all dumps and keys and trying on the chip again.

The card works; still not writing to the xM1.

[usb] pm3 → hf mf restore
[=] Restoring hf-mf-BEF256C2-dump.bin to card
[=] block 0: BE F2 56 C2 D8 88 04 00 C8 19 00 20 00 00 00 15
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 1: AA 01 51 90 51 90 51 90 51 90 51 90 51 90 51 90
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 2: 51 90 51 90 51 90 51 90 51 90 51 90 51 90 51 90
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 3: A0 A1 A2 A3 A4 A5 78 77 88 C1 0D 25 8F E9 02 96
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 4: F8 12 91 AA F8 71 62 9C 4F 5A 17 A4 BD 16 36 D4
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 5: 40 00 F7 61 99 0A 7B 9F 4F C3 EE 09 C4 B5 BC AE
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 6: CF F1 96 81 18 DE 1B 88 68 20 63 C4 38 D8 08 31
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 7: CB BF EE 04 D8 8D 78 77 88 01 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 8: 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00 00 00
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 9: EA F5 FF FF 15 0A 00 00 EA F5 FF FF 00 FF 00 FF
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 10: EA F5 FF FF 15 0A 00 00 EA F5 FF FF 00 FF 00 FF
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 11: CB BF EE 04 D8 8D 18 77 8E 06 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 12: 84 00 DD FD 12 28 94 00 01 FD 12 2C 84 00 CD FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 13: 12 2B 94 00 01 FD 12 30 94 00 01 FD 12 35 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 14: 01 FD 12 37 94 00 01 FD 12 37 98 00 01 FD 12 29
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 15: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 16: 94 00 01 FD 12 40 94 00 01 FD 12 40 98 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 17: 12 49 94 00 01 FD 12 54 94 00 01 FD 12 5B 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 18: 01 FD 12 5D 94 00 01 FD 12 64 94 00 01 FD 12 69
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 19: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 20: 94 00 01 FD 12 68 94 00 01 FD 12 68 98 00 0F FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 21: 12 68 94 00 01 FD 12 69 98 00 01 FD 12 58 98 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 22: 01 FD 12 D8 94 00 01 FD 13 4C 98 00 01 FD 13 37
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 23: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 24: 94 00 01 FD 13 59 98 00 01 FD 13 44 94 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 25: 16 A3 94 00 01 FD 16 CF 98 00 01 FD 16 BA 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 26: 01 FD 16 F1 98 00 01 FD 16 DB 98 00 01 FD 17 58
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 27: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 28: 98 00 01 FD 17 6F 98 00 01 FD 18 DD 98 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 29: 18 C9 98 00 01 FD 18 D5 98 00 01 FD 18 E2 98 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 30: 01 FD 18 F0 98 00 01 FD 19 5F 94 00 10 FD 1C FC
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 31: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 32: 98 00 01 FD 1D B6 98 00 01 FD 1E 81 98 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 33: 1E 83 98 00 01 FD 1E A0 98 00 01 FD 1E A7 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 34: 01 FD 1E D5 98 00 01 FD 1E BF 98 00 01 FD 1E D8
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 35: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 36: 98 00 01 FD 1E D9 98 00 01 FD 1E D9 94 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 37: 1F 16 98 00 01 FD 1F 01 94 00 01 FD 1F 28 98 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 38: 01 FD 1F 13 94 00 01 FD 1F 2A 98 00 01 FD 1F 15
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 39: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 40: 94 00 10 FD 23 DE 94 00 10 FD 0E EC 94 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 41: 10 FA 98 00 0F FD 10 FA 98 00 0F FD 10 FA 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 42: 01 FD 11 53 94 00 08 FD 11 55 04 00 F6 FD 11 53
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 43: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 44: 94 00 01 FD 11 63 94 00 08 FD 11 5F 94 00 10 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 45: 11 6A 04 00 FA FD 11 68 94 00 01 FD 11 85 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 46: 01 FD 11 91 84 00 D3 FD 11 95 98 00 01 FD 11 99
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 47: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 48: 94 00 01 FD 11 A8 84 01 FB FD 11 A8 18 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 49: 11 A5 18 00 01 FD 11 B7 98 00 0F FD 11 BF 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 50: 01 FD 11 C0 98 00 01 FD 11 AF 94 00 01 FD 11 E1
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 51: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 52: 98 00 0F FD 11 E0 94 00 01 FD 11 E5 94 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 53: 11 E5 D4 00 A1 FD 11 E0 04 01 FA FD 11 E4 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 54: 01 FD 11 EF 94 00 01 FD 11 F2 18 00 01 FD 11 EC
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 55: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 56: 84 01 F7 FD 11 F2 84 01 F6 FD 11 FE 84 01 F6 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 57: 11 FE 18 00 01 FD 12 03 B4 00 01 FD 12 0E 94 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 58: 01 FD 12 10 D4 00 A1 FD 12 0C 04 02 5C FD 12 0D
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 59: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] block 60: 18 00 01 FD 12 0F 84 02 5E FD 12 1D 18 00 01 FD
[#] Auth error
[=] Writing to manufacture block w key B ( fail )
[=] block 61: 12 18 94 00 01 FD 12 27 94 00 02 FD 12 23 00 00
[#] Auth error
[-] Write to block 1 w key B ( fail )
[=] block 62: 94 00 10 FD 0E EC 94 00 01 FD 00 00 00 00 28 11
[#] Auth error
[-] Write to block 2 w key B ( fail )
[=] block 63: CB BF EE 04 D8 8D 7F 07 88 07 80 9F 79 19 7B 9E
[#] Auth error
[-] Write to block 3 w key B ( fail )
[=] Done!

Ok so you were able to get an exact clone on the xM1 … so I think the only thing left to explore at this point is the door lock itself.

  • Can you post make, model, photos, etc. of the door lock you are trying?

  • Have you used the xFD HF keychain to determine the best location and orientation for presenting your xM1 to the reader?

So, at this point, I think I need a magnet to disrupt the field around the lock, lol. Is that really a thing?

Not really a magnet but a passive coil that basically re-resonates the field and should allow you to get a very read with an x-series chip sitting over that coil.

So an LED? @amal

No, a wire coil, but it would be designed to act as a passive element coupled to the antenna in your phone.

In practice that means a specific size and shape of wire coil placed in a specific spot.

So you are telling me I would have to put something between my hand and the lock?

Yes…

See here.

@amal and @satur9 have discussed making a product like this (but presumably as a pcb, and maybe better tuned) but that was only in the last few days.

You might want to check out this thread and if you have a diagnostic card try using that between your implant and your reader to see if it helps.

Hey hey hey, you do not underestimate my tuning! :wink: :rofl:


Will not even read now. I'm pretty sure this thing is bricked.
I can write to it but HF Search brings back an error.
I really need help with this chip.

I have briefly skimmed through the post to understand the trials and tribulations so far but most likely have missed something somewhere.

I have had similar difficulties with my xM1 previously.

I would be interested in learning the answers to the following questions:

  • What has led you to believe that the tag is bricked? The more details the better.
  • What have you written to it, and how did you verify it was successful?
  • What errors do you encounter when you try hf search after writing to it?
  • Do you have any MFC Gen1a tags to practice/experiment with that aren't implants?