This is a follow-up post to my earlier one looking to clone my apartment fob, since it's a puck and used for everything from apartment entry to elevator to car garage. It's one of these PFM01Ks, which look like glorified Mifare Classic 1Ks with a 7-byte UID. Earlier this week I had a shipment of some Magic 1K 7-byte UID, Magic 4K 7-byte UID, and 2 of the new Gen4 Ultimate Magic ones. I thought it would be a straight UID clone, but it appears to be more complex than that.
First off, here’s the original fob’s info, with dumped keys:
[=] hf search
[-] Searching for ISO14443-A tag...
[+] UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 44
[+] SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 57DCFA81E98AC4F031B3140DEB8563F9BE5830F6AC6EAE8742B9D264D2569528
[+] Signature verification: successful
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found
[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[=] target sector 17 key type B -- using valid key [ 4B 79 1B EA 7B CC ] (used for nested / hardnested attack)
[+] loaded 45 keys from hardcoded default array
[=] running strategy 1
[=] ..
[=] Chunk 5.3s | found 22/36 keys (45)
[=] running strategy 2
[=] ...
[=] Chunk 6.8s | found 22/36 keys (45)
[+] target sector 0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector 6 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector 7 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector 8 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector 9 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector 10 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector 11 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector 12 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector 13 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector 14 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector 15 key type A -- found valid key [ 6A1987C40A21 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 16 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1613 million (2^30.6) keys/s | 140737488355328 | 24h
[=] 6 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 24h
[#] AcquireEncryptedNonces finished
[=] 9 | 112 | Apply bit flip properties | 723065044992 | 7min
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=] 11 | 224 | Apply bit flip properties | 374605742080 | 4min
[#] AcquireEncryptedNonces finished
[=] 12 | 336 | Apply bit flip properties | 373583380480 | 4min
[#] AcquireEncryptedNonces finished
[=] 13 | 448 | Apply bit flip properties | 372561018880 | 4min
[=] 14 | 558 | Apply bit flip properties | 372024573952 | 4min
[#] AcquireEncryptedNonces finished
[=] 14 | 668 | Apply bit flip properties | 372024573952 | 4min
[#] AcquireEncryptedNonces finished
[=] 15 | 777 | Apply bit flip properties | 372024573952 | 4min
[#] AcquireEncryptedNonces finished
[=] 16 | 887 | Apply bit flip properties | 372024573952 | 4min
[#] AcquireEncryptedNonces finished
[=] 17 | 997 | Apply bit flip properties | 372024573952 | 4min
[#] AcquireEncryptedNonces finished
[=] 18 | 1108 | Apply bit flip properties | 372024573952 | 4min
[#] AcquireEncryptedNonces finished
[=] 19 | 1219 | Apply bit flip properties | 372024573952 | 4min
[#] AcquireEncryptedNonces finished
[=] 20 | 1330 | Apply bit flip properties | 372024573952 | 4min
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=] 22 | 1440 | Apply Sum property. Sum(a0) = 128 | 34853875712 | 22s
[=] 22 | 1550 | Apply bit flip properties | 17286682624 | 11s
[#] AcquireEncryptedNonces finished
[=] 23 | 1659 | Apply bit flip properties | 17286682624 | 11s
[#] AcquireEncryptedNonces finished
[=] 24 | 1770 | Apply bit flip properties | 17286682624 | 11s
[#] AcquireEncryptedNonces finished
[=] 25 | 1878 | Apply bit flip properties | 17286682624 | 11s
[#] AcquireEncryptedNonces finished
[=] 26 | 1878 | (1. guess: Sum(a8) = 256) | 17286682624 | 11s
[=] 27 | 1878 | Apply Sum(a8) and all bytes bitflip properties | 17024865280 | 11s
[=] 27 | 1878 | (2. guess: Sum(a8) = 224) | 59371520000 | 37s
[=] 27 | 1878 | Apply Sum(a8) and all bytes bitflip properties | 58800656384 | 36s
[=] 27 | 1878 | Brute force phase completed. Key found: 7F33625BC129 | 0 | 0s
[+] target sector 5 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector 6 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector 7 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector 8 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector 9 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector 10 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector 11 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector 12 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector 13 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector 14 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector 15 key type B -- found valid key [ 7F33625BC129 ]
[#] Cmd Error 04
[#] Read block error
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=] 0 | 0 | Start using 16 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1362 million (2^30.3) keys/s | 140737488355328 | 29h
[=] 6 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 29h
[#] AcquireEncryptedNonces finished
[=] 9 | 112 | Apply bit flip properties | 7693851648 | 6s
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=] 10 | 224 | Apply bit flip properties | 1638654592 | 1s
[#] AcquireEncryptedNonces finished
[=] 11 | 336 | Apply bit flip properties | 1251086464 | 1s
[#] AcquireEncryptedNonces finished
[=] 12 | 448 | Apply bit flip properties | 1008151808 | 1s
[=] 13 | 560 | Apply bit flip properties | 975424832 | 1s
[#] AcquireEncryptedNonces finished
[=] 14 | 670 | Apply bit flip properties | 712448128 | 1s
[#] AcquireEncryptedNonces finished
[=] 15 | 780 | Apply bit flip properties | 712448128 | 1s
[#] AcquireEncryptedNonces finished
[=] 16 | 889 | Apply bit flip properties | 712448128 | 1s
[#] AcquireEncryptedNonces finished
[=] 16 | 1001 | Apply bit flip properties | 712448128 | 1s
[#] AcquireEncryptedNonces finished
[=] 17 | 1112 | Apply bit flip properties | 712448128 | 1s
[#] AcquireEncryptedNonces finished
[=] 18 | 1219 | Apply bit flip properties | 712448128 | 1s
[#] AcquireEncryptedNonces finished
[=] 19 | 1325 | Apply bit flip properties | 712448128 | 1s
[#] AcquireEncryptedNonces finished
[=] 20 | 1436 | Apply bit flip properties | 712448128 | 1s
[#] AcquireEncryptedNonces finished
[=] 21 | 1547 | Apply bit flip properties | 712448128 | 1s
[#] AcquireEncryptedNonces finished
[=] 23 | 1656 | Apply Sum property. Sum(a0) = 120 | 121225600 | 0s
[#] AcquireEncryptedNonces finished
[=] 23 | 1656 | (Ignoring Sum(a8) properties) | 121225600 | 0s
[=] 25 | 1656 | Brute force phase completed. Key found: D01AFEEB890A | 0 | 0s
[+] target sector 16 key type B -- found valid key [ D01AFEEB890A ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 005 | 023 | 6A1987C40A21 | D | 7F33625BC129 | H
[+] 006 | 027 | 6A1987C40A21 | D | 7F33625BC129 | R
[+] 007 | 031 | 6A1987C40A21 | D | 7F33625BC129 | R
[+] 008 | 035 | 6A1987C40A21 | D | 7F33625BC129 | R
[+] 009 | 039 | 6A1987C40A21 | D | 7F33625BC129 | R
[+] 010 | 043 | 6A1987C40A21 | D | 7F33625BC129 | R
[+] 011 | 047 | 6A1987C40A21 | D | 7F33625BC129 | R
[+] 012 | 051 | 6A1987C40A21 | D | 7F33625BC129 | R
[+] 013 | 055 | 6A1987C40A21 | D | 7F33625BC129 | R
[+] 014 | 059 | 6A1987C40A21 | D | 7F33625BC129 | R
[+] 015 | 063 | 6A1987C40A21 | D | 7F33625BC129 | R
[+] 016 | 067 | 5C8FF9990DA2 | D | D01AFEEB890A | H
[+] 017 | 071 | 5C8FF9990DA2 | D | 4B791BEA7BCC | U
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[=] FILE PATH: hf-mf-044EEDD2747281-key.bin
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-044EEDD2747281-key.bin
[=] FYI! --> 0xFFFFFFFFFFFF <-- has been inserted for unknown keys where res is 0
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY A, swapping to KEY B
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[=] FILE PATH: hf-mf-044EEDD2747281-dump.bin
[+] saved 1024 bytes to binary file hf-mf-044EEDD2747281-dump.bin
[=] FILE PATH: hf-mf-044EEDD2747281-dump.eml
[+] saved 64 blocks to text file hf-mf-044EEDD2747281-dump.eml
[=] FILE PATH: hf-mf-044EEDD2747281-dump.json
[+] saved to json file hf-mf-044EEDD2747281-dump.json
[=] autopwn execution time: 72 seconds
SALTO Keys and Dump.zip (2.2 KB)
So it looks like we got all the keys and a good dump. The problem now is getting it onto a card. I initially tried cloning the UID to both the 1K and 4K cards, which worked, but the card reader refused them.
1K:
[usb] pm3 --> hf search
[/] Searching for ISO14443-A tag...
[+] UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 42
[+] SAK: 18 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Classic 4K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : possibly Gen 3 / APDU
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found
[usb] pm3 --> hf mf gen3uid -u 044EEDD2747281
[+] Old UID... 04 12 19 C3 CC 98 02
[+] New UID... 04 4E ED D2 74 72 81
[usb] pm3 --> hf search
[|] Searching for ISO14443-A tag...
[+] UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 44
[+] SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : possibly Gen 3 / APDU
[#] Auth error
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found
4K:
[usb] pm3 --> hf mf gen3uid -u 044EEDD2747281
[+] Old UID... 04 12 19 C3 21 93 16
[+] New UID... 04 4E ED D2 74 72 81
[usb] pm3 --> hf search
[/] Searching for ISO14443-A tag...
[+] UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 42
[+] SAK: 18 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Classic 4K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : possibly Gen 3 / APDU
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found