Question about Mifare sectors used for signature? (sector 16 & 17)

Hello y'all,

I'm working with a new system, and came across a new (to me) “MIFARE Classic 1K” … one with 18 sectors …
After doing some research it seems sectors 16 and 17 are for the “NXP hardware signature”, but both cards have the same read every single time. It also appears they might actually be Classic 2K?

I have 2 cards for this system, and blocks 16 and 17 are identical on both cards :face_with_spiral_eyes:

One of the odd things is that the autopwn detects it as an EV1 :confused:

Info seems sparse online and somewhat contradictory with what the PM3 gives (and within itself too).

It lets me dump the files to a magic 1K, but I'm not sure how it's gonna work without the last 2 blocks. Any way around it? And better commands or blanks to use?


[usb] pm3 --> hf search
[|] Searching for ISO14443-A tag...
[=] ---------- ISO14443-A Information ----------
[+]  UID: xx xx xx xx   ( ONUID, re-used )
[+] ATQA: xx xx
[+]  SAK: xx [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=]
[=] Proprietary non iso14443-4 card found
[=] RATS not supported
[+] Prng detection..... hard
[=]  IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: xxxxxxxxxxxx
[=]                              : xxxxxxxxxxxx
[=]                              : xxxxxxxxxxxx
[=]     Elliptic curve parameters: xxxxxxxxxxxx
[=]              TAG IC Signature: xxxxxxxxxxxx
[=]                              : xxxxxxxxxxxx
[+]        Signature verification: successful

[?] Hint: Try `hf mf info`


[+] Valid ISO 14443-A tag found

[usb] pm3 --> hf mf info

[=] --- ISO14443-a Information -----------------------------
[+]  UID: xx xx xx xx
[+] ATQA: xx xx
[+]  SAK: xx [1]
[=]  IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: xxxxxxxxxxxx
[=]                              : xxxxxxxxxxxx
[=]                              : xxxxxxxxxxxx
[=]     Elliptic curve parameters: xxxxxxxxxxxx
[=]              TAG IC Signature: xxxxxxxxxxxx
[=]                              : xxxxxxxxxxxx
[+]        Signature verification: successful

[=] --- Keys Information
[+] loaded 2 user keys
[+] loaded 61 hardcoded keys
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Sector 1 key A... FFFFFFFFFFFF
[+] Sector 1 key B... FFFFFFFFFFFF
[+] Block 0.......... xxxxxxxxxxxx | ... ...$

[=] --- Fingerprint
[+] n/a

[=] --- Magic Tag Information
[=] <n/a>

[=] --- PRNG Information
[+] Prng....... hard

[usb] pm3 --> hf mf autopwn

[!] Known key failed. Can't authenticate to block   0 key type A
[=] MIFARE Classic EV1 card detected
[+] loaded 5 user keys
[+] loaded 61 hardcoded keys
[=] Running strategy 1
[+] Target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Target sector  16 key type A -- found valid key [ xxxxxxxxxxxx ]
[+] Target sector  16 key type B -- found valid key [ xxxxxxxxxxxx ]
[+] Target sector  17 key type A -- found valid key [ xxxxxxxxxxxx ]
[+] Target sector  17 key type B -- found valid key [ xxxxxxxxxxxx ]

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  016 | 067 | xxxxxxxxxxxx | D | xxxxxxxxxxxx | D ( * )
[+]  017 | 071 | xxxxxxxxxxxx | D | xxxxxxxxxxxx | D ( * )
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )
[=] ( * ) These sectors used for signature. Lays outside of user memory


[+] Generating binary key file
[+] Found keys have been dumped to `xxx-key.bin`
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] Transferring keys to simulator memory ( ok )
[=] Dumping card content to emulator memory (Cmd Error: 04 can occur)
[=] downloading card content from emulator memory
[+] Saved 1152 bytes to binary file `xxx-dump.bin`
[+] Saved to json file xxx-dump.json
[=] Autopwn execution time: 3 seconds

Thanks,
X

1 Like
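Added example (mine, not from the original post or from the Proxmark3 project) of what to do with the 18-sector, 1152-byte file that `hf mf autopwn` saved when the target is a 16-sector magic 1K: split the dump into sectors, see which blocks differ between the two cards, pull out the signature sectors, check block 0 before writing it, and trim the image to the 1024 bytes a 1K card actually has. Both "cards" are constructed in the script; the UIDs, the sector 16/17 keys and the signature bytes are placeholders, not the masked values above. The block numbers I take the signature from (69 and 70, in sector 17) are my assumption, so adjust `SIGNATURE_BLOCKS` if your card differs.

```python
"""Split, compare and trim Proxmark3 MIFARE Classic dumps.

A dump is a flat sequence of 16-byte blocks, 4 blocks per sector. A 1K card has
16 sectors (1024 bytes); the 18-sector EV1 dump adds sectors 16 and 17
(1152 bytes), which lie outside user memory and cannot go onto a 1K magic.
All card data in this file is constructed for the example.
"""
BLOCK_LEN = 16
BLOCKS_PER_SECTOR = 4
USER_SECTORS = 16                    # sectors 0..15 = all that a 1K card has
SIGNATURE_BLOCKS = (69, 70)          # assumed location of the 32 signature bytes (sector 17)

# Default trailer: key A | access bits FF 07 80 | GPB 69 | key B.
DEFAULT_TRAILER = bytes.fromhex("FFFFFFFFFFFF FF078069 FFFFFFFFFFFF")
# Constructed trailer for the signature sectors; NOT the real EV1 sector keys.
SIG_TRAILER = bytes.fromhex("112233445566 FF078069 665544332211")


def blocks(dump):
    """Flat list of 16-byte blocks."""
    if len(dump) % (BLOCK_LEN * BLOCKS_PER_SECTOR):
        raise ValueError(f"{len(dump)} bytes is not a whole number of sectors")
    return [dump[i:i + BLOCK_LEN] for i in range(0, len(dump), BLOCK_LEN)]


def sectors(dump):
    """List of sectors, each a list of 4 blocks (block 3 is the trailer)."""
    b = blocks(dump)
    return [b[i:i + BLOCKS_PER_SECTOR] for i in range(0, len(b), BLOCKS_PER_SECTOR)]


def trailer_keys(sector):
    """(key A, key B) as upper-case hex, as the Proxmark3 dump stores them."""
    t = sector[-1]
    return t[:6].hex().upper(), t[10:].hex().upper()


def bcc(uid):
    """ISO 14443-3 block check character: XOR of the UID bytes."""
    x = 0
    for byte in uid:
        x ^= byte
    return x


def block0_ok(dump):
    """The BCC in block 0 must match the UID before block 0 is written to a magic card."""
    b0 = dump[:BLOCK_LEN]
    return b0[4] == bcc(b0[:4])


def signature(dump):
    """32 signature bytes from the assumed blocks, or None for a 16-sector dump."""
    b = blocks(dump)
    if len(b) <= max(SIGNATURE_BLOCKS):
        return None
    return b"".join(b[i] for i in SIGNATURE_BLOCKS)


def diff(dump_a, dump_b):
    """(sector, block) pairs that differ between two dumps of the same layout."""
    out = []
    for s, (sa, sb) in enumerate(zip(sectors(dump_a), sectors(dump_b))):
        out += [(s, i) for i, (x, y) in enumerate(zip(sa, sb)) if x != y]
    return out


def to_1k(dump):
    """Drop sectors 16 and 17 so the image fits a 16-sector 1K magic card."""
    s = sectors(dump)
    if len(s) not in (USER_SECTORS, USER_SECTORS + 2):
        raise ValueError(f"unexpected sector count {len(s)}")
    return b"".join(blk for sec in s[:USER_SECTORS] for blk in sec)


def make_dump(uid, sig):
    """Constructed 18-sector dump: 4-byte UID, SAK 08, ATQA 04 00, empty user data."""
    block0 = uid + bytes([bcc(uid)]) + bytes.fromhex("08 0400") + bytes(8)
    out = [block0, bytes(16), bytes(16), DEFAULT_TRAILER]
    for _ in range(1, USER_SECTORS):
        out += [bytes(16), bytes(16), bytes(16), DEFAULT_TRAILER]
    out += [bytes(16), bytes(16), bytes(16), SIG_TRAILER]       # sector 16
    out += [bytes(16), sig[:16], sig[16:], SIG_TRAILER]         # sector 17, blocks 69/70
    return b"".join(out)


# Two constructed "cards": different UID and signature, identical everything else.
CARD_A = make_dump(bytes.fromhex("DEADBEEF"), bytes(range(0, 32)))
CARD_B = make_dump(bytes.fromhex("CAFEF00D"), bytes(range(32, 64)))

if __name__ == "__main__":
    print("differing (sector, block):", diff(CARD_A, CARD_B))
    print("sector 16 keys A/B:", trailer_keys(sectors(CARD_A)[16]))
    print("trimmed size for magic 1K:", len(to_1k(CARD_A)))
```

Run against two real `xxx-dump.bin` files, `diff()` shows exactly what the second card changes (block 0 and the signature blocks, if the system stores nothing else), `trailer_keys()` on sector 16 confirms the two cards share the same keys there, and `to_1k()` produces the 1024-byte image a 1K magic will accept. Whatever the reader does with the missing sectors is a separate question that only sniffing or emulation can answer.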

I don’t know if the tag signature changes per card or if it’s the same on every EV1 or per manufacturing run or something…

The keys at least should be the same for all of them on those blocks so any device can check the signature

As soon as I can I’ll dump one I have with a signature and you can see if it matches too

Generally I would trust the PM3 client to identify it, so I think it’s likely really an EV1 - instead of a 2k

Bonus info:

2 Likes

There is not one chance of collision regarding the signature.
If you have different UID, then the signature is different.

If you have the same signature, this is not a genuine MFC EV1 but maybe a clone; but still, you would need the same UID, meaning it would be a magic card.

Too many uncertainties, but take a deep look at the UID and signature values again.

3 Likes

You can be pretty confident that it will work without the signature. It is remarkably rare that the signature is even checked.

You can check if the system is polling the signature by emulating the full EV1 dump (or sniffing MITM between card and reader) and looking at whether the reader sends commands polling the signature, but again, unlikely to happen.

There are ways around it: GDM USCUID gen4 chips allow the addition of the signature, but do your due diligence before splashing out on those; you've got more chance of a reader doing gen1 detection or SAK-swap checking than you do of it checking for the signature.

3 Likes

Thank you for the info. After re-checking both tags and comparing with my saves from earlier, I can confirm:

in hf search:

  • UID are different
  • both cards read as MIFARE Classic 1K
  • IC signature public key names are the same
  • IC signature public key values are the same
  • Elliptic curve parameters are the same
  • TAG IC Signatures are different

in hf mf autopwn:

  • both read as MIFARE Classic EV1 card

  • strategy 1 reads all sectors as FFF :rofl: except sectors 16 and 17; those are all the same keys:

    [+] Target sector  16 key type A -- found valid key
    [+] Target sector  16 key type B -- found valid key
    [+] Target sector  17 key type A -- found valid key
    [+] Target sector  17 key type B -- found valid key
    
  • the recap show:

    [+] -----+-----+--------------+---+--------------+----
    [+]  Sec | Blk | key A        |res| key B        |res
    [+] -----+-----+--------------+---+--------------+----
    [+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
    [+]  016 | 067 | [same key for both cards] | D | [same key for both cards] | D ( * )
    [+]  017 | 071 | [same key for both cards] | D | [same key for both cards] | D ( * )
    [+] -----+-----+--------------+---+--------------+----
    [=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )
    [=] ( * ) These sectors used for signature. Lays outside of user memory
    

So cheap clones trying to hide something?
(given the installation, i would not be surprised …)

Unfortunately I don't think the USB cable for my PM3 will reach; I'm in the US and this new installation is in the EU :sweat_smile:
I'll send some cloned Gen1 and Gen2 and see if just the UID match works while I try to source a few of those elusive GDM USCUID gen4 chips …

Thanks, y'all, for the quick and detailed response!

1 Like

The public key is the same if the same private/public key set was used when signing the card.
However that is not the generated signature.

With that said, you have genuine MFC EV1 with different UIDs and their matching signatures.

Like @Equipter said before, you need to check if your reader tries to verify the signature or not in order to make a successful clone. Not that common yet, but for hotel systems it has changed in the last year. Follow his instructions and you will know :slight_smile:

3 Likes
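Added example (mine, not from any post in this thread or from NXP or the Proxmark3 project) of why the two replies above expect exactly what the OP saw: one public key shared by every card, a different signature per UID, and a signature that stops verifying the moment it is paired with a different UID. It is a toy model of the originality-signature scheme: ECDSA on secp128r1, which as far as I know is the curve behind the "Elliptic curve parameters" line in the `hf mf info` output, signing the raw UID bytes without hashing. That last point and the deterministic nonce are my assumptions; the key pair is generated in the script and has nothing to do with NXP's key, and the UIDs are constructed.

```python
"""Toy model of a per-UID "originality signature": ECDSA on secp128r1 over the raw UID.

Added example. The key pair is generated here and is NOT NXP's; signing the raw
UID bytes (no hash) and the deterministic nonce are assumptions of this model.
"""
import hashlib
import secrets

# secp128r1 domain parameters (SEC 2, v1.0)
P = 0xFFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0xE87579C11079F43DD824993C2CEE5ED3
G = (0x161FF7528B899B2D0C28607CA52C5B86, 0xCF5AC8395BAFEB13C02DA292DDED7A83)
N = 0xFFFFFFFE0000000075A30D1B9038A115


def on_curve(pt):
    if pt is None:                       # point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def keygen():
    """The 'manufacturer' key pair: the private half signs, the public half ships in every reader."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, mul(priv, G)


def sign(priv, uid):
    """Signature r||s (32 bytes) over the raw UID. Nonce is deterministic (simplified, not RFC 6979)."""
    z = int.from_bytes(uid, "big") % N
    for attempt in range(256):
        seed = priv.to_bytes(16, "big") + uid + bytes([attempt])
        k = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (N - 1) + 1
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r.to_bytes(16, "big") + s.to_bytes(16, "big")
    raise RuntimeError("could not produce a signature")


def verify(pub, uid, sig):
    """True iff sig is a valid signature of uid under pub; this is the reader-side check."""
    if pub is None or not on_curve(pub) or len(sig) != 32:
        return False
    r, s = int.from_bytes(sig[:16], "big"), int.from_bytes(sig[16:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(uid, "big") % N
    w = pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def demo():
    """Two genuine tags share the public key but get different signatures; swapping one onto the other fails."""
    priv, pub = keygen()
    uid_a, uid_b = bytes.fromhex("DEADBEEF"), bytes.fromhex("CAFEF00D")   # constructed UIDs
    sig_a, sig_b = sign(priv, uid_a), sign(priv, uid_b)
    return {
        "sigs_differ": sig_a != sig_b,
        "a_valid": verify(pub, uid_a, sig_a),
        "b_valid": verify(pub, uid_b, sig_b),
        "swapped_rejected": not verify(pub, uid_a, sig_b),
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading for cloning: a magic card carrying card A's UID but card B's signature (or no signature at all) fails `verify()` on any reader that bothers to run it, and no amount of key knowledge helps, since the private half never leaves the signer. That is also why copying the signature sectors only makes sense onto a chip that can present the same UID, which is the point made above about needing a magic card for a "matching" signature.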