Well I’ll try to find them, do you have a link yet?
@Aoxhwjfoavdlhsvfpzha now i have a tag uid writable of right dimension so now i’ll try to clone the key. can you indicate me how to do?have i to modify the uid or will it be cloned? tnx
You should be able to do:
hf mf cload -f hf-mf-6E7BE4FB-dump.bin
That should copy everything including the UID
But may not include the fix for:
1 Like
well the cloning gave a positive result. there is only one problem now: the tag is slightly wider than the hole and I had to bend it a bit to get it to fit, at the first attempt it was read regularly, then no more. the original continues to be read so I assume there was no uid ban but it remains to be seen if the clone tag was physically damaged or there is something else. what do you think?
yes, it is physically damaged. proxmark does not read it anymore
ah yep, that can definitely happen if you bend/tense a tag. with your measurements you got earlier try and buy a tag with a smaller diameter
2 Likes
I think the problem is another one now, I’ve thrown away 3 tags now, they are read by the drinks dispenser reader, the products are also dispensed and then they become unusable. They are not even read by the proxmark anymore @Aoxhwjfoavdlhsvfpzha @Equipter
Try hf mf cview on one of them to see if they’ll still respond to the backdoor commands
It’s possible the reader knows to check for magic commands, and is trying to brick the tags intentionally, but it seems weird that it would also dispense the drink if it could tell the tag was fake
If it is detecting magic cards, I think pretty much the only way to go is to look into a different gen magic card, either Gen2 or Gen4 might work
2 Likes
well I recovered some gen2 tags
[+] UID: C2 46 94 5D
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities… Gen 2 / CUID
[+] Prng detection… weak
but:
[usb] pm3 → hf mf cload -f hf-mf-6E7BE4FB-dump.bin
[+] Loaded 1024 bytes from binary file hf-mf-6E7BE4FB-dump.bin
[=] Copying to magic gen1a card
[=] .[#] wupC1 error
[!] Can’t set magic card block: 0
what does it mean? Thank you @Aoxhwjfoavdlhsvfpzha @Equipter
hf mf cload is a command that only works on gen1a magic mifare classic tags, you have gen2
you can either use the restore command or hf mf wrbl to go block by block setting the data
1 Like
[usb] pm3 → hf mf restore --1k -f hf-mf-6E7BE4FB-key.bin -k hf-mf-B2380B5D-key.bin
[+] Loaded binary key file hf-mf-B2380B5D-key.bin
[=] Using key file hf-mf-B2380B5D-key.bin
[+] Loaded 216 bytes from binary file hf-mf-6E7BE4FB-key.bin
[=] blk | data | status
[=] -----±------------------------------------------------±---------------
[=] 0 | A0 A1 A2 A3 A4 A5 0D 73 6F 01 51 71 0E F6 0B 9B | ( ok )
[#] BCC0 incorrect, got 0xa4, expected 0x00
[#] Aborting
[#] Can’t select card
[=] 1 | 14 BF 0F A4 DB 1A 8E F6 08 2B 7C 71 7D 54 09 B1 | ( fail ) key B
[#] BCC0 incorrect, got 0xa4, expected 0x00
[#] Aborting
[#] Can’t select card
[=] 1 | 14 BF 0F A4 DB 1A 8E F6 08 2B 7C 71 7D 54 09 B1 | ( fail ) key A
[#] BCC0 incorrect, got 0xa4, expected 0x00
[#] Aborting
[#] Can’t select card
…
and:
[usb] pm3 → hf search
[-] Searching for ISO14443-A tag…[#] BCC0 incorrect, got 0xa4, expected 0x00
[#] Aborting
[#] BCC0 incorrect, got 0xa4, expected 0x00
[#] Aborting
dead!
@Aoxhwjfoavdlhsvfpzha @Equipter
2 chips burned
yeah you just uploaded the key.bin file and not the data file with the -f flag… aka instead of writing data to the tag you wrote the values of the keys to the blocks… that would indeed soft brick the tag
2 Likes
I think you should be able to recover them
1 Like
oh you definitely can. just write block 0 with that of a normal card. you’ll need to disable BCC checking because that got overwritten but definitely fixable
2 Likes
with a new tag
[usb] pm3 → hf mf restore --1k -f hf-mf-6E7BE4FB-dump.bin -k hf-mf-B2F7625D-key.bin
[+] Loaded binary key file hf-mf-B2F7625D-key.bin
[=] Using key file hf-mf-B2F7625D-key.bin
[+] Loaded 1024 bytes from binary file hf-mf-6E7BE4FB-dump.bin
[=] blk | data | status
[=] -----±------------------------------------------------±---------------
[=] 0 | 6E 7B E4 FB 0A 88 04 00 C8 38 00 20 00 00 00 15 | ( ok )
[=] 1 | D5 00 26 88 26 88 69 88 00 00 00 00 00 00 00 00 | ( ok )
[=] 2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 3 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 4 | 25 C5 49 56 BC 40 C6 FD A4 00 43 D7 E2 04 D2 E9 | ( ok )
[=] 5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 | ( ok )
[=] 6 | 87 11 CD 30 00 00 00 00 00 00 00 00 00 00 00 03 | ( ok )
[=] 7 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 8 | 73 5A 83 6E 6A ED DC FF 6B 7E 4B 4B 7E C2 2F 08 | ( ok )
[=] 9 | 52 B2 5D 6B 55 0B A5 D0 98 02 0C F0 84 B9 DD B9 | ( ok )
[=] 10 | 87 11 CD 30 00 00 00 00 00 00 00 00 00 00 00 03 | ( ok )
[=] 11 | FF FF FF FF FF FF 08 77 8F 00 FF FF FF FF FF FF | ( ok )
[=] 12 | 93 FE FF 7F 6C 01 00 80 93 FE FF 7F 0D F2 0D F2 | ( ok )
[=] 13 | 93 FE FF 7F 6C 01 00 80 93 FE FF 7F 0D F2 0D F2 | ( ok )
[=] 14 | 31 01 13 70 69 C9 1C 6B 6B CC 18 57 39 F5 18 35 | ( ok )
[!] Strict ReadOnly Access Conditions on block 2 detected
[=] Skipping, use --force to override and write this data
[!] Strict ReadOnly Access Conditions on block 3 detected
[=] Skipping, use --force to override and write this data
[=] 15 | FF FF FF FF FF FF 37 8C 3C 00 FF FF FF FF FF FF | ( ok )
[=] 16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 19 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 23 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 27 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 31 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 35 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 39 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 43 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 47 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 51 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 55 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 59 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 63 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] -----±------------------------------------------------±---------------
[usb] pm3 → hf search
[-] Searching for ISO14443-A tag…
[+] UID: 6E 7B E4 FB
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities… Gen 2 / CUID
[+] Prng detection… weak
[?] Hint: use hf mf commands
[usb] pm3 → hf mf auto
[!] no known key was supplied, key recovery might fail
[+] loaded 5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[+] target sector 0 key type A – found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector 0 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 1 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 2 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B – found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A – found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B – found valid key [ FFFFFFFFFFFF ]
it wrote the uid only…
@Aoxhwjfoavdlhsvfpzha @Equipter
redo it with the --force flag
it didn’t just write the UID you can see it has written many data blocks it just hasn’t written data that contains obscure access conditions, of which it tells you to use the force parameter to write those blocks.
1 Like
[usb] pm3 → hf mf restore --1k -f hf-mf-6E7BE4FB-dump.bin -k hf-mf-6E7BE4FB-key-001.bin(after first attempt, the new target tag has same uid of the source tag) --force
[+] Loaded binary key file hf-mf-6E7BE4FB-key-001.bin
[=] Using key file hf-mf-6E7BE4FB-key-001.bin
[+] Loaded 1024 bytes from binary file hf-mf-6E7BE4FB-dump.bin
[=] blk | data | status
[=] -----±------------------------------------------------±---------------
[=] 0 | 6E 7B E4 FB 0A 88 04 00 C8 38 00 20 00 00 00 15 | ( ok )
[=] 1 | D5 00 26 88 26 88 69 88 00 00 00 00 00 00 00 00 | ( ok )
[=] 2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 3 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 4 | 25 C5 49 56 BC 40 C6 FD A4 00 43 D7 E2 04 D2 E9 | ( ok )
[=] 5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 | ( ok )
[=] 6 | 87 11 CD 30 00 00 00 00 00 00 00 00 00 00 00 03 | ( ok )
[=] 7 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 8 | 73 5A 83 6E 6A ED DC FF 6B 7E 4B 4B 7E C2 2F 08 | ( ok )
[=] 9 | 52 B2 5D 6B 55 0B A5 D0 98 02 0C F0 84 B9 DD B9 | ( ok )
[=] 10 | 87 11 CD 30 00 00 00 00 00 00 00 00 00 00 00 03 | ( ok )
[=] 11 | FF FF FF FF FF FF 08 77 8F 00 FF FF FF FF FF FF | ( ok )
[=] 12 | 93 FE FF 7F 6C 01 00 80 93 FE FF 7F 0D F2 0D F2 | ( fail ) key B
[=] 12 | 93 FE FF 7F 6C 01 00 80 93 FE FF 7F 0D F2 0D F2 | ( fail ) key A
[=] 13 | 93 FE FF 7F 6C 01 00 80 93 FE FF 7F 0D F2 0D F2 | ( fail ) key B
[=] 13 | 93 FE FF 7F 6C 01 00 80 93 FE FF 7F 0D F2 0D F2 | ( fail ) key A
[=] 14 | 31 01 13 70 69 C9 1C 6B 6B CC 18 57 39 F5 18 35 | ( fail ) key B
[=] 14 | 31 01 13 70 69 C9 1C 6B 6B CC 18 57 39 F5 18 35 | ( fail ) key A
[!] Strict ReadOnly Access Conditions on block 2 detected
[!] Strict ReadOnly Access Conditions on block 3 detected
[=] 15 | FF FF FF FF FF FF 37 8C 3C 00 FF FF FF FF FF FF | ( fail ) key B
[=] 15 | FF FF FF FF FF FF 37 8C 3C 00 FF FF FF FF FF FF | ( fail ) key A
[=] 16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 19 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 23 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 27 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 31 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 35 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 39 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 43 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 47 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 51 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 55 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 59 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] 60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 63 | FF FF FF FF FF FF 78 77 88 00 FF FF FF FF FF FF | ( ok )
[=] -----±------------------------------------------------±---------------
[?] try hf mf dump --ns to verify
[=] Done!
[usb] pm3 → hf mf dump --ns
[=] Using… hf-mf-6E7BE4FB-key.bin
[+] Loaded binary key file hf-mf-6E7BE4FB-key.bin
[=] Reading sector access bits…
[=] …[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
[!] Trying with key B instead…
[=] …[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
[-] Failed to read access rights for sector 0 ( fallback to default )
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
.[#] Auth error
[!] Trying with key B instead…
all failed!
dump requires you to provide the keyfile or else it will just pick the one associated with the UID which in your case doesn’t match the full dump.
can you autopwn the original and autopwn this gen2 and send me the .json files of each please, i will go through diff them and send you the commands to correct the blocks
3 Likes
of course.
now with argument --ka:
[usb] pm3 → hf mf restore --1k -f hf-mf-6E7BE4FB-dump.bin -k hf-mf-6E7BE4FB-key-001.bin --ka --force
[+] found keys:
[+] -----±----±-------------±–±-------------±—
[+] Sec | Blk | key A |res| key B |res
[+] -----±----±-------------±–±-------------±—
[+] 000 | 003 | A0A1A2A3A4A5 | D | 1CBA75CFBC6E | N
[+] 001 | 007 | 0D736F015171 | N | 1D08FB230855 | N
[+] 002 | 011 | 0EF60B9B14BF | N | 1E886ADCCFDE | N
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | 082B7C717D54 | N | 18B97CAE1700 | N
[+] 005 | 023 | 09B1F2CDD616 | N | 19011FBDCEDC | N
[+] 006 | 027 | 0ACAE50D1095 | N | 1AD19209DAB1 | N
[+] 007 | 031 | 0B6766D8C301 | N | 1BCE7DC59C13 | N
[+] 008 | 035 | 04741791C2EE | N | 14EFE6B19393 | N
[+] 009 | 039 | 059186E8B774 | N | 150943654CEF | N
[+] 010 | 043 | 06D9AAFB7BD9 | N | 168CC705FB17 | N
[+] 011 | 047 | 07E792E2F2BF | N | 17D665D2B75D | N
[+] 012 | 051 | 009FEFE27057 | N | 10E700DDD545 | N
[+] 013 | 055 | 019CE4CFB7C6 | N | 11181931EA0B | N
[+] 014 | 059 | 027EBE457FE8 | N | 12D7652D43EB | N
[+] 015 | 063 | 034C38AE543A | N | 13790B174632 | N
[+] -----±----±-------------±–±-------------±—
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[?] MAD key detected. Try hf mf mad for more details
[=] -----±----±------------------------------------------------±----------------
[=] sec | blk | data | ascii
[=] -----±----±------------------------------------------------±----------------
[=] 0 | 0 | 6E 7B E4 FB 0A 88 04 00 C8 38 00 20 00 00 00 15 | n{…8. …
[=] | 1 | D5 00 26 88 26 88 69 88 00 00 00 00 00 00 00 00 | …&.&.i…
[=] | 2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 3 | A0 A1 A2 A3 A4 A5 78 77 88 00 1C BA 75 CF BC 6E | …xw…u…n
[=] 1 | 4 | 25 C5 49 56 BC 40 C6 FD A4 00 43 D7 E2 04 D2 E9 | %.IV.@…C…
[=] | 5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 | …
[=] | 6 | 87 11 CD 30 00 00 00 00 00 00 00 00 00 00 00 03 | …0…
[=] | 7 | 0D 73 6F 01 51 71 78 77 88 00 1D 08 FB 23 08 55 | .so.Qqxw…#.U
[=] 2 | 8 | 73 5A 83 6E 6A ED DC FF 6B 7E 4B 4B 7E C2 2F 08 | sZ.nj…k~KK~./.
[=] | 9 | 52 B2 5D 6B 55 0B A5 D0 98 02 0C F0 84 B9 DD B9 | R.]kU…
[=] | 10 | 87 11 CD 30 00 00 00 00 00 00 00 00 00 00 00 03 | …0…
[=] | 11 | 0E F6 0B 9B 14 BF 08 77 8F 00 1E 88 6A DC CF DE | …w…j…
[=] 3 | 12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 15 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] 4 | 16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 19 | 08 2B 7C 71 7D 54 78 77 88 00 18 B9 7C AE 17 00 | .+|q}Txw…|…
[=] 5 | 20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 23 | 09 B1 F2 CD D6 16 78 77 88 00 19 01 1F BD CE DC | …xw…
[=] 6 | 24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 27 | 0A CA E5 0D 10 95 78 77 88 00 1A D1 92 09 DA B1 | …xw…
[=] 7 | 28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 31 | 0B 67 66 D8 C3 01 78 77 88 00 1B CE 7D C5 9C 13 | .gf…xw…}…
[=] 8 | 32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 35 | 04 74 17 91 C2 EE 78 77 88 00 14 EF E6 B1 93 93 | .t…xw…
[=] 9 | 36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 39 | 05 91 86 E8 B7 74 78 77 88 00 15 09 43 65 4C EF | …txw…CeL.
[=] 10 | 40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 43 | 06 D9 AA FB 7B D9 78 77 88 00 16 8C C7 05 FB 17 | …{.xw…
[=] 11 | 44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 47 | 07 E7 92 E2 F2 BF 78 77 88 00 17 D6 65 D2 B7 5D | …xw…e…]
[=] 12 | 48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 51 | 00 9F EF E2 70 57 78 77 88 00 10 E7 00 DD D5 45 | …pWxw…E
[=] 13 | 52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 55 | 01 9C E4 CF B7 C6 78 77 88 00 11 18 19 31 EA 0B | …xw…1…
[=] 14 | 56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 59 | 02 7E BE 45 7F E8 78 77 88 00 12 D7 65 2D 43 EB | .~.E…xw…e-C.
[=] 15 | 60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 63 | 03 4C 38 AE 54 3A 78 77 88 00 13 79 0B 17 46 32 | .L8.T:xw…y…F2
[=] -----±----±------------------------------------------------±----------------
[?] MAD key detected. Try hf mf mad for more details