Proxmark3 trouble cloning Mifare1k

Was attempting to clone a Mifare 1k to another 1k. Was able to read the data after an autopwn (nested didn’t work), dumped, and then used hf mf restore and was given an error that the bin couldn’t be found, as it was trying to find a different file than the one that was dumped. Tried to do it manually and it either fails or doesn’t read data back on the new card. Any help would be appreciated as I’m still pretty new to this. Screenshots will explain it far better than I can. Proxmark3 Easy.




Post the dump file? (if it has no sensitive data)

ok so
we will call the key you’re making a copy of KeyX and the one you’re copying it onto, KeyY

when doing restore you give KeyX contents file and KeyY key file

you need to autopwn both cards

hf mf restore --1k -f KeyX -k KeyY

it cannot authorise the sectors for writing if you don’t give it the correct key file


Also this ☝️

If the card is not a magic card, you will need authorization to write.

hf mf restore is the non-magic command (directwrite be damned --uid), so it needs authorisation anyway. If you don’t supply the keyfile and try to write to a gen1a, it still won’t be able to do it because it’s not using magic commands 🙂 The magic restore command is cload 😃


hf-mf-D207EB86-dump.bin.zip (420 Bytes)

Blank card is magic gen1a, original card doesn’t say when searched

Somewhat understood. How do I rename each card? Step by step, I autopwn the original (KeyX) then autopwn the blank, then rename, then run --1k -f KeyX -k KeyY?

you don’t need to rename them i was using Keyx and keyY as example names for your files

Oh I see, so autopwn both and then just use the key bin files instead of the dump file in the command? Just in the right order

so use the content dump file of the key you’re making a copy of, and use the key dump file of the key you’re copying onto

Just attempted and after running the command every block was met with fail

so you have a source Mifare classic 1k with UID D207EB86 and you are trying to write to another Mifare classic 1k magic (type 1a)?
your dump looks fine but I don’t have a spare card to test loading it
if this is the case you can write to the new card with the command

hf mf cload -f hf-mf-D207EB86-dump.bin

if it’s a 1a magic card then you don’t need to worry about the keyfile from the new card; if this is not a magic card you will need the keyfile for the new card to write to the protected sectors, and your command to change the UID won’t work.

If the above doesn’t work - what OS are you using, proxmark version (hw version), and what is the output of hf 14a info for both tags?


Just ran that command and it said it was successful but when I ran hf mf ekeyprn the keys were all zeros instead of the original card keys. Mac OS with v4.14831 - Frostbit
Blank Card:
UID: D2 07 EB 86
[+] ATQA: 00 04
[+] SAK: 88 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : Gen 1a
[+] Prng detection: weak
[#] Auth error

Card being copied:
UID: D2 07 EB 86
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
Tag Signature
IC signature public key name: NXP Mifare Classic MFC1C14_
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 00B3FC3EFA889EB6AFA65EB212AC29BFFD8C4F768D635E88FBD0519FB039D399
Signature verification: successful

what does hf mf cview show on the new tag?

Line zero is in red. So it possibly did work?


Wait - this command is reading the keys from the emulator on the proxmark, not any real cards, so unless you load the dump into the emulator (hf mf eload -f ) this will be all zeros or all Fs - whatever the default is.

If you want to load the contents of a real card, use autopwn to crack, load and dump all in one, or use cview/csave to view magic cards.
To dump a card that is not a magic card, use "hf mf dump -k ", but you will need to supply a valid key file; otherwise use autopwn.

If autopwn can’t find the keys (interestingly my xm1+ is immune to the darkside attack), add the known defaults dictionary “hf mf autopwn -f mfc_default_keys”, and if that fails you might need to resort to sniffing a genuine read and decoding it.

Have you tried the cloned key on whatever it is used for? Your dump of the clone looks identical to your original dump so it looks like it cloned fine


Got it, I just tested and it worked. Thanks for the help and clarification

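Added example (not part of any post in this thread, and not Proxmark3 code): a Python check to run on a dump before writing it and on the read-back afterwards. It confirms the block 0 BCC, the consistency of each sector trailer's access bits, and which blocks differ between two dumps. It assumes the raw 1024-byte .bin layout (64 blocks of 16 bytes); the function names and the sample data are constructed for illustration.

```python
# Added example: sanity checks for a raw 1024-byte MIFARE Classic 1K dump.
BLOCK, PER_SECTOR, SECTORS = 16, 4, 16

def blocks(dump: bytes):
    if len(dump) != BLOCK * PER_SECTOR * SECTORS:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    return [dump[i:i + BLOCK] for i in range(0, len(dump), BLOCK)]

def bcc_ok(block0: bytes) -> bool:
    """Byte 4 of block 0 (BCC) must equal the XOR of the four UID bytes."""
    return block0[0] ^ block0[1] ^ block0[2] ^ block0[3] == block0[4]

def access_bits_ok(trailer: bytes) -> bool:
    """Bytes 6-8 hold C1..C3 once plain and once inverted; the copies must agree."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    return ((b6 & 0x0F) == (~c1 & 0x0F) and (b6 >> 4) == (~c2 & 0x0F)
            and (b7 & 0x0F) == (~c3 & 0x0F))

def check_dump(dump: bytes):
    """Problems that make a dump unsafe to write (a bad trailer can lock a sector)."""
    blk = blocks(dump)
    problems = [] if bcc_ok(blk[0]) else ["block 0: BCC does not match UID"]
    for sector in range(SECTORS):
        t = sector * PER_SECTOR + 3          # sector trailer block number
        if not access_bits_ok(blk[t]):
            problems.append(f"block {t}: inconsistent access bits")
    return problems

def diff_dumps(a: bytes, b: bytes):
    """Block numbers where two dumps differ; [] means the contents are identical."""
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]

# Constructed sample: the thread's UID plus its computed BCC in block 0, zeroed
# data blocks, and the transport-configuration trailer (FF keys, FF 07 80 69).
BLOCK0 = bytes.fromhex("D207EB86B8") + bytes(11)
TRAILER = bytes.fromhex("FFFFFFFFFFFFFF078069FFFFFFFFFFFF")

def sample_dump() -> bytes:
    sector = bytes(BLOCK) * 3 + TRAILER
    return BLOCK0 + sector[BLOCK:] + sector * (SECTORS - 1)

if __name__ == "__main__":
    original = sample_dump()
    readback = bytearray(original)
    readback[7 * BLOCK + 8] = 0x00           # constructed fault in block 7's access bytes
    print(check_dump(original), check_dump(bytes(readback)),
          diff_dumps(original, bytes(readback)))
```

An empty result from `diff_dumps` on the original dump and the clone's read-back is the scripted form of the "looks identical" comparison made in the thread.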