Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-11-19 01:08:45

Charlie
Contributor
Registered: 2017-01-27
Posts: 80

Mifare cloning

I'm hoping someone can help solve a few issues I'm having.

I'm trying to clone this Mifare fob

Original

pm3 --> hf sea u

UID : C5 17 EA 2E
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Prng detection: WEAK
Valid ISO14443-A Tag Found

Once I find all the keys and make a new clone

Clone

pm3 --> hf sea u

UID : C5 17 EA 2E
ATQA : 00 04
 SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN 1a): YES
Prng detection: WEAK
Valid ISO14443-A Tag Found

The new clone doesn't work correctly though: the clone will open my front door but won't control my elevator. Looking at the two "hf sea u" scans closer, I noticed that the two SAK lines are different. So I decided to read sec 0 on each fob.

Original

isOk:01
data   : C5 17 EA 2E 16 88 04 00 C8 47 00 20 00 00 00 15
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF

Clone

isOk:01
data   : C5 17 EA 2E 16 88 04 00 C8 47 00 20 00 00 00 15
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF

To my surprise, both sector 0's are the same??? So I decided to manually write sec 0 to change the SAK.

"Manually changed UID Clone"

isOk:01
data   : C5 17 EA 2E 16 08 04 00 C8 47 00 20 00 00 00 15
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF

Edited Clone

UID : C5 17 EA 2E
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN 1a): YES
Prng detection: WEAK
Valid ISO14443-A Tag Found

The new edited clone still doesn't work :(

I decided to go through each sector on the clone and compare it to each sector on the original, and found that 4 sectors have differences in them. So I manually changed each sector so that all sectors are the same. I tried the fob again, and now the cloned fob that I have heavily edited won't even open the front door.

So now I'm completely lost and don't know what to try next. Is anyone able to help point me in the right direction?

Proxmark3 RFID instrument

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-764-gd0b3f131 2018-03-28 13:00:26
      os: iceman/master/ice_v3.1.0-764-gd0b3f131 2018-03-28 13:02:24
 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 252237 bytes (48%) Free: 272051 bytes (52%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

Original Trace
https://ufile.io/1umfq

Cloned Trace
https://ufile.io/l0ld5

Highly Edited Trace
https://ufile.io/7lahf

Last edited by Charlie (2018-11-19 01:12:19)

Offline

#2 2018-11-21 06:32:07

Charlie
Contributor
Registered: 2017-01-27
Posts: 80

Re: Mifare cloning

Any suggestions??

Offline

#3 2018-11-22 02:08:22

mazodude
Contributor
Registered: 2018-10-25
Posts: 4

Re: Mifare cloning

What are the contents of the rest of the 15 sectors?
Are they exactly the same?

Maybe the reader is checking for magic cards. Could you try a once changeable Mifare card (uid can be changed once)?

Last edited by mazodude (2018-11-22 02:14:11)

Offline

#4 2018-11-22 21:52:18

Charlie
Contributor
Registered: 2017-01-27
Posts: 80

Re: Mifare cloning

The following sectors were different

Sec 5 Block 20
Sec 7 Block 30
Sec 9 Block 36
Sec 10 Block 40,41,42

Offline

#5 2018-11-22 21:54:04

Charlie
Contributor
Registered: 2017-01-27
Posts: 80

Re: Mifare cloning

mazodude wrote:

What are the contents of the rest of the 15 sectors?
Are they exactly the same?

Maybe the reader is checking for magic cards. Could you try a once changeable Mifare card (uid can be changed once)?

I was wondering about that, but thought it would be weird for one reader (front door) to accept it and not another reader (elevator), which is why I thought the copying of the sectors must be the issue.

Offline

#6 2018-11-22 22:27:02

mazodude
Contributor
Registered: 2018-10-25
Posts: 4

Re: Mifare cloning

If all the card data is exactly the same then it must be the only option left.

Offline

#7 2018-11-23 19:51:39

Charlie
Contributor
Registered: 2017-01-27
Posts: 80

Re: Mifare cloning

mazodude wrote:

If all the card data is exactly the same then it must be the only option left.


Any ideas why the 2 SAKs appear different when I do a "hf search u", but when I look at sec 0 on both they are the same?

Offline

#8 2018-11-24 12:10:26

piwi
Moderator
Registered: 2013-06-04
Posts: 544

Re: Mifare cloning

We usually observe Byte 5 in Block 0 to be the SAK. But this is not specified and is not always the case.

Offline
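
An added example (not part of the original thread) that applies the point above to the block 0 lines and "hf search" SAK values posted in post #1. The function names are hypothetical, and the byte 5 / bytes 6-7 labels are the commonly observed layout for 4-byte-UID cards, an assumption rather than a specification.

```python
# Added example. Only UID (bytes 0-3) and BCC (byte 4) are fixed for a
# 4-byte-UID card; byte 5 and bytes 6-7 are manufacturer data that is
# usually, but not always, laid out as SAK and ATQA (assumption).

def parse_block0(hex_line):
    """Split a 16-byte block 0 dump line into its observed fields."""
    raw = bytes.fromhex(hex_line.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("a MIFARE Classic block is 16 bytes")
    uid = raw[0:4]
    bcc_expected = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]  # XOR check byte
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": raw[4] == bcc_expected,
        "byte5": raw[5],                        # often the SAK, not guaranteed
        "atqa": "%02X %02X" % (raw[7], raw[6]),  # stored low byte first
        "manufacturer": raw[8:16].hex().upper(),
    }

def compare_with_anticollision(block0_hex, answered_sak):
    """List mismatches between stored block 0 and what the card answered."""
    fields = parse_block0(block0_hex)
    notes = []
    if not fields["bcc_ok"]:
        notes.append("BCC does not match the UID bytes")
    if fields["byte5"] != answered_sak:
        notes.append("block 0 byte 5 is 0x%02X but the card answered SAK 0x%02X"
                     % (fields["byte5"], answered_sak))
    return notes

# Block 0 lines and answered SAK values exactly as posted in the thread.
ORIGINAL = ("C5 17 EA 2E 16 88 04 00 C8 47 00 20 00 00 00 15", 0x08)
CLONE    = ("C5 17 EA 2E 16 88 04 00 C8 47 00 20 00 00 00 15", 0x88)
EDITED   = ("C5 17 EA 2E 16 08 04 00 C8 47 00 20 00 00 00 15", 0x08)

if __name__ == "__main__":
    for name, (block0, sak) in [("original", ORIGINAL), ("clone", CLONE),
                                ("edited clone", EDITED)]:
        print(name, parse_block0(block0), compare_with_anticollision(block0, sak))
```

On the posted data only the original fob shows a mismatch: its block 0 stores 0x88 in byte 5 while it answers SAK 0x08, whereas both clone states answer with whatever byte 5 holds.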

#9 2018-11-28 07:41:15

Charlie
Contributor
Registered: 2017-01-27
Posts: 80

Re: Mifare cloning

Charlie wrote:

The following sectors were different

Sec 5 Block 20
Sec 7 Block 30
Sec 9 Block 36
Sec 10 Block 40,41,42

Any reason these blocks would be different when making a duplicate?

I tried on a different fob and had issues with the 2 blocks being different on that one too. None of the blocks that were incorrect on either fob were the same.

Offline

#10 2018-12-08 02:33:26

NYCity25
Contributor
Registered: 2018-08-19
Posts: 10

Re: Mifare cloning

"00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF" <-- A key is missing,

Answers to magic commands (GEN 1a): YES <- that's a gen1 magic card, try an undetectable magic card

Offline

#11 2018-12-08 08:19:01

iceman
Administrator
Registered: 2013-04-25
Posts: 4,995

Re: Mifare cloning

As NYCity25 says,
try a magic gen2 card, which doesn't use backdoor commands but enables block0 writing with normal commands,
or use a "write-once" card, which allows for writing to block0 once and afterwards fuses it, rendering it unable to modify block0 anymore.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline
