Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2018-11-19 01:08:45

Charlie
Contributor
Registered: 2017-01-27
Posts: 82

Mifare cloning

I'm hoping someone can help solve a few issues im having.

I trying to clone this mifare fob

Orginal

pm3 --> hf sea u

UID : C5 17 EA 2E
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Prng detection: WEAK
Valid ISO14443-A Tag Found

once i find all the keys and make a new clone

Clone

pm3 --> hf sea u

UID : C5 17 EA 2E
ATQA : 00 04
 SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN 1a): YES
Prng detection: WEAK
Valid ISO14443-A Tag Found

The new clone doesn't work correctly though, the clone will open my front door but wont control my elevator.  Looking at the two "hf sea u" scans closer I noticed that the two SAK line is different. So i decided to read sec 0 on each fob

Orginal

isOk:01
data   : C5 17 EA 2E 16 88 04 00 C8 47 00 20 00 00 00 15
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF

Clone

isOk:01
data   : C5 17 EA 2E 16 88 04 00 C8 47 00 20 00 00 00 15
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF

to my surprise they both sector 0's are the same??? so I decided to manually write sec 0 to change SAK

"Manually changed UID Clone"

isOk:01
data   : C5 17 EA 2E 16 08 04 00 C8 47 00 20 00 00 00 15
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF

Edited Clone

UID : C5 17 EA 2E
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN 1a): YES
Prng detection: WEAK
Valid ISO14443-A Tag Found

The New edited clone still doesn't work:(

I decide to go through each sector on the clone and compare it to each sector on the original and find that 4 sectors have differences in them. So i manually change each sector so that all sectors are all the same. I try the fob again and now the cloned fob that i have heavily edited wont even open the front door.

Do now i'm completely lost and don't know what to try next. Is anyone able to help point me in the right direction

Proxmark3 RFID instrument

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-764-gd0b3f131 2018-03-28 13:00:26
      os: iceman/master/ice_v3.1.0-764-gd0b3f131 2018-03-28 13:02:24
 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 252237 bytes (48%) Free: 272051 bytes (52%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

Orginal Trace
https://ufile.io/1umfq

Cloned Trace
https://ufile.io/l0ld5

Highly Edited Trace
https://ufile.io/7lahf

Last edited by Charlie (2018-11-19 01:12:19)

Offline

#2 2018-11-21 06:32:07

Charlie
Contributor
Registered: 2017-01-27
Posts: 82

Re: Mifare cloning

Any suggestions??

Offline

#3 2018-11-22 02:08:22

mazodude
Contributor
Registered: 2018-10-25
Posts: 6

Re: Mifare cloning

What are the contents of the rest of the 15 sectors?
Are they exactly the same?

Maybe the reader is checking for magic cards. Could you try a once changeable Mifare card (uid can be changed once)?

Last edited by mazodude (2018-11-22 02:14:11)

Offline

#4 2018-11-22 21:52:18

Charlie
Contributor
Registered: 2017-01-27
Posts: 82

Re: Mifare cloning

The following sectors were different

Sec 5 Block 20
Sec 7 Block 30
Sec 9 Block 36
Sec 10 Block 40,41,42

Offline

#5 2018-11-22 21:54:04

Charlie
Contributor
Registered: 2017-01-27
Posts: 82

Re: Mifare cloning

mazodude wrote:

What are the contents of the rest of the 15 sectors?
Are they exactly the same?

Maybe the reader is checking for magic cards. Could you try a once changeable Mifare card (uid can be changed once)?

I was wondering about that but thought it would be wierd for one reader(front door) to accept it and not another reader(elevator), which is why i thought the copying of the sectors must be the issue

Offline

#6 2018-11-22 22:27:02

mazodude
Contributor
Registered: 2018-10-25
Posts: 6

Re: Mifare cloning

If all the card data is exactly the same then it must be the only option left.

Offline

#7 2018-11-23 19:51:39

Charlie
Contributor
Registered: 2017-01-27
Posts: 82

Re: Mifare cloning

mazodude wrote:

If all the card data is exactly the same then it must be the only option left.


Any ideas why the 2 SAK appear different when i do a "hf search u" but when i look at sec 0 on both they are the same?

Offline

#8 2018-11-24 12:10:26

piwi
Contributor
Registered: 2013-06-04
Posts: 578

Re: Mifare cloning

We usually observe Byte 5 in Block 0 to be the SAK. But this is not specified and is not always the case.

Offline

#9 2018-11-28 07:41:15

Charlie
Contributor
Registered: 2017-01-27
Posts: 82

Re: Mifare cloning

Charlie wrote:

The following sectors were different

Sec 5 Block 20
Sec 7 Block 30
Sec 9 Block 36
Sec 10 Block 40,41,42

Any reason these blocks would be different when make a duplicate?

I tried on a different fob and had issues with the 2 blocks being different on that one too. None of the blocks that were incorrect on either fob were the same

Offline

#10 2018-12-08 02:33:26

NYCity25
Contributor
From: Mars
Registered: 2018-08-19
Posts: 12

Re: Mifare cloning

"00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF" <--A  key is missing,

Answers to magic commands (GEN 1a): YES <- thats  gen1 magic card, try undetectable magic card


ModHex    ifidighdhvhrifededfchihthbhkhrduhehvht

Offline

#11 2018-12-08 08:19:01

iceman
Administrator
Registered: 2013-04-25
Posts: 5,204
Website

Re: Mifare cloning

As NYcity25 says, 
Try a  magic gen2  card,    which doesn't use backdoor commands but enables block0 writing with normal commands.
or use a   "write-once" card,  which allows for writing to block0 once and afterwards it fuses it rending it unable to modifying block0 anymore


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#12 2018-12-12 09:20:20

Charlie
Contributor
Registered: 2017-01-27
Posts: 82

Re: Mifare cloning

So will I still be able to use the "cload" command with a "magic gen2" card or"write-once" card or will i have to go throught and write each sector by manually?

Offline

#13 2018-12-17 04:24:10

NYCity25
Contributor
From: Mars
Registered: 2018-08-19
Posts: 12

Re: Mifare cloning

what about "hf mf restore"


ModHex    ifidighdhvhrifededfchihthbhkhrduhehvht

Offline

#14 2018-12-20 14:49:00

Learner4Life
Contributor
Registered: 2017-09-14
Posts: 13

Re: Mifare cloning

@Charlie : Is it resolved ? Did you try to use Gen 2 card?

Offline

#15 2018-12-25 18:40:44

Mackwa
Contributor
Registered: 2016-06-10
Posts: 27

Re: Mifare cloning

As NYCity25 said:
Key A is probably missing?! Can you check if Key A is set to 000000000000 on original card?

And it's not unusual, that one terminal let you in and another doesn't work with the same card: depends on which sectors the terminals are reading from and which keys they use for authentication (can diff)

Offline

#16 2019-01-01 21:39:39

Charlie
Contributor
Registered: 2017-01-27
Posts: 82

Re: Mifare cloning

Learner4Life wrote:

@Charlie : Is it resolved ? Did you try to use Gen 2 card?

No, I dont have a Gen 2 card. Need to look around a purchase some new cards

Offline

#17 2019-01-01 22:41:53

marzipan
Contributor
Registered: 2018-12-10
Posts: 3

Re: Mifare cloning

No, I dont have a Gen 2 card. Need to look around a purchase some new cards

If you can wait a few weeks, you can get small quantities of Gen2 cards for $1 or less from China. Search Aliexpress for 'CUID' (the Chinese to English translation for Gen2).

I've tried many different Gen1a cards from China through Aliexpress. With Gen1a cards I found some (not all) reply with a different SAK from the written SAK but it never made any difference to the TDi readers on my apartment block. My TDi readers seem to ignore SAK.

It's possible your reader employs countermeasures against Gen1 and/or Gen1a. I found a mixture of TDi reader firmwares on my apartment complex; most work with Gen1a cards but some send a Magic wipe command (which the 'a' of Gen1a is immune too because it ignores the wipe command), some readers send the first part of a magic command and halt if a response is received (Gen1a is not immune to this, it fails).

Offline

Board footer

Powered by FluxBB