first card works perfectly
Now I would like to expand the access to my 2 rooms
I have now compared the file
Now I compare room 1 to room 2 for comparison in the data.json
and see what's different
"Created": "proxmark3",
"FileType": "mfcard",
"blocks": {
"0": "E3447D862D880400C823002000000018",
"1": "63232190229000000000000000000000",
"2": "00000000000000000000000000000000",
"3": "A0A1A2A3A4A5787788C10D258FE90296",
"4": "B28AABAB8A1EC4f35d127991EF9ACE91",
"5": "880016125CF7F45E0B0CA4FAEFD14B48",
"6": "F53553F04E542BDDDDD5647830000CA",
"7": "CA17293E396778778801ABD42DD50E37",
"8": "00000000000000000000000000000000",
"9": "00000000000000000000000000000000",
"10": "00000000000000000000000000000000",
"11": "A0A1A2A3A4A578778805ABD42DD50E37",
--------------------------------------------------------------
"Created": "proxmark3",
"FileType": "mfcard",
"blocks": {
"0": "E3447D8AFC880400C823002000000018",
"1": "9F000000519000000000000000000000",
"2": "00000000000000000000000000000000",
"3": "A0A1A2A3A4A5787788C10D258FE90296",
"4": "47949CB2A4A0968F3AEDffffff0991DF",
"5": "1500160A5CF7F45E0B0CA4FAEFD14B48",
"6": "F53553F04E542E3447D86E856470000CA",
"7": "98F73A04432978778801E8D6223ACB49",
"8": "00000000000000000000000000000000",
"9": "00000000000000000000000000000000",
"10": "00000000000000000000000000000000",
"11": "A0A1A2A3A4A578778805E8D6223ACB49",
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : A1 41 A7 55
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
[usb] pm3 --> hf mf fchk 1 default_keys.dic
[+] Loaded 779 keys from default_keys.dic
[+] Running strategy 1
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
....
[+] Chunk: 10.0s | found 13/32 keys (85)
[+] Chunk: 0.7s | found 13/32 keys (85)
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
#db# Cmd Error: 04
[+] Chunk: 5.6s | found 32/32 keys (85)
[+] Time in checkkeys (fast): 16.3s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | 0d258fe90296 | 1 |
|001| ca1432342967 | 1 | abdfffd50e37 | 1 |
|002| a0a1a2a3a4a5 | 1 | abdfffd50e37 | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| eeb420209d0c | 1 | eeb420209d0c | 1 |
|006| 911e52fd7ce4 | 1 | 911e52fd7ce4 | 1 |
|007| 752fbb5b7b45 | 1 | 752fbb5b7b45 | 1 |
|008| 66b03aca6ee9 | 1 | 66b03aca6ee9 | 1 |
|009| 48734389edc3 | 1 | 48734389edc3 | 1 |
|010| 17193709adf4 | 1 | 17193709adf4 | 1 |
|011| 1acc3189578c | 1 | 1acc3189578c | 1 |
|012| c2b7ec7d4eb1 | 1 | c2b7ec7d4eb1 | 1 |
|013| 369a4663acd2 | 1 | 369a4663acd2 | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
[usb] pm3 -->
hf mf dump
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
[-] could not read block 0 of sector 14
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
#db# Cmd Error: 04
#db# Read block error
[-] could not read block 0 of sector 15
[+] time: 67 seconds
[+] Succeded in dumping all blocks
[+] saved 1024 bytes to binary file hf-mf-A1 41 A7 55-data-2.bin
[+] saved 64 blocks to text file hf-mf-A1 41 A7 55-data-2.eml
[+] saved to json file hf-mf-A1 41 A7 55-data-2.json
[usb] pm3 -->
chip ist fehlerhaft
I've ordered the first time now see if the are good?
https://www.ebay.de/itm/4-x-NFC-Tag-mit-MIFARE-Classic-Chip-Schlüsselanhänger-Android-NFC-1k/331810678718?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2060353.m2749.l2649
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 399 AA DA 9A
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Pl
[=] proprietary non iso14443-4 ca
[=] Answers to magic commands: NO
[+] Prng detection: HARD
[+] Valid ISO14443-A tag found
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | 0d258fe90296 | 1 |
|001| daddd93e1117 | 1 | abd333350e11 | 1 |
|002| a0a1a2a3a4a5 | 1 | abd333350e11 | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| eeb420209d0c | 1 | eeb420209d0c | 1 |
|006| 911e52fd7ce4 | 1 | 911e52fd7ce4 | 1 |
|007| 752fbb5b7b45 | 1 | 752fbb5b7b45 | 1 |
|008| 66b03aca6ee9 | 1 | 66b03aca6ee9 | 1 |
|009| 48734389edc3 | 1 | 48734389edc3 | 1 |
|010| 17193709adf4 | 1 | 17193709adf4 | 1 |
|011| 1acc3189578c | 1 | 1acc3189578c | 1 |
|012| c2b7ec7d4eb1 | 1 | c2b7ec7d4eb1 | 1 |
|013| 369a4663acd2 | 1 | 369a4663acd2 | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
hf-mf-399 AA DA 9A-data.json
{
"Created": "proxmark3",
"FileType": "mfcard",
"blocks": {
"0": "399AADA9A2D880400C823002000000018",
"1": "9F01DDDD519000000000000000000000",
"2": "00000000000000000000000000000000",
"3": "A0A1A2A3A4A5787788C10D2aaaa90296",
"4": "B28AABAB8A1EC4E3447D863245ACE91",
"5": "8800162342F7F45E0B0CA4FAEFD14B48",
"6": "F53553F04E542BB5DEE85fffff0000CA",
"7": "CA17293E396778778801ABD4aaaa0E37",
"8": "00000000000000000000000000000000",
"9": "00000000000000000000000000000000",
"10": "00000000000000000000000000000000",
"11": "A0A1A2A3A4A578778805ABD42DD50E37",
"12": "00000000000000000000000000000000",
"13": "00000000000000000000000000000000",
"14": "00000000000000000000000000000000",
"15": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"16": "00000000000000000000000000000000",
"17": "00000000000000000000000000000000",
"18": "00000000000000000000000000000000",
"19": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"20": "00000000000000000000000000000000",
"21": "00000000000000000000000000000000",
"22": "00000000000000000000000000000000",
"23": "EEB420209D0C78778800EEB420209D0C",
"24": "00000000000000000000000000000000",
"25": "00000000000000000000000000000000",
"26": "00000000000000000000000000000000",
"27": "911E52FD7CE478778800911E52FD7CE4",
"28": "00000000000000000000000000000000",
"29": "00000000000000000000000000000000",
"30": "00000000000000000000000000000000",
"31": "752FBB5B7B4578778800752FBB5B7B45",
"32": "00000000000000000000000000000000",
"33": "00000000000000000000000000000000",
"34": "00000000000000000000000000000000",
"35": "66B03ACA6EE97877880066B03ACA6EE9",
"36": "00000000000000000000000000000000",
"37": "00000000000000000000000000000000",
"38": "00000000000000000000000000000000",
"39": "48734389EDC37877880048734389EDC3",
"40": "00000000000000000000000000000000",
"41": "00000000000000000000000000000000",
"42": "00000000000000000000000000000000",
"43": "17193709ADF47877880017193709ADF4",
"44": "00000000000000000000000000000000",
"45": "00000000000000000000000000000000",
"46": "00000000000000000000000000000000",
"47": "1ACC3189578C787788001ACC3189578C",
"48": "00000000000000000000000000000000",
"49": "00000000000000000000000000000000",
"50": "00000000000000000000000000000000",
"51": "C2B7EC7D4EB178778800C2B7EC7D4EB1",
"52": "00000000000000000000000000000000",
"53": "00000000000000000000000000000000",
"54": "00000000000000000000000000000000",
"55": "369A4663ACD278778800369A4663ACD2",
"56": "00000000000000000000000000000000",
"57": "00000000000000000000000000000000",
"58": "00000000000000000000000000000000",
"59": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"60": "00000000000000000000000000000000",
"61": "00000000000000000000000000000000",
"62": "00000000000000000000000000000000",
"63": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF"
},
"Card": {
"UID": "399AADA9",
"SAK": "88",
"ATQA": "0400"
},
"SectorKeys": {
"0": {
"KeyA": "A0A1A2A3A4A5",
"KeyB": "0D258ffff299",
"AccessConditions": "787788C1",
"AccessConditionsText": {
"block0": "rdAB wrB",
"block1": "rdAB wrB",
"block2": "rdAB wrB",
"block3": "wrAbyB rdCbyAB wrCbyB wrBbyB",
"UserData": "C1"
}
Copy chip
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 399AADA9
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
I have to buy reasonable chips can you recommend me on ebay?
]]>if everything is 100% the same BUT the UID then it is linked to the UID (in part at least)
[=] Answers to magic commands: NO : This means the card does not appear to be a gen1/magic card, so the csetuid wont work.
Answers to magic commands (GEN 1a): YES : This means the card does work with csetuid.
There are many types of cards. if its not a magic card then the csetuid wont work.
If its a CUID then it may allow block 0 to be change via the normal block write command.
if its a FUID then it may allow block 0 to be changed BUT ONLY ONCE
For the card you say only allowed the UID to be changed once. Can you re-run the hf search and post.
]]>the programmer was connected to the lock of the door with a cable and there were 3 chips per room
The locks for the door were newly installed only 3 months ago
]]>Are you saying you have three different mifare classic cards and want one to do the job of all three ?
this may or may not work.
On an original mifare card the UID (in block 0) is not changeable, and was intended to be different for every card (and they are moving to 7 or 10 byte UID over the old 4 byte UID).
So assuming your cards are all 4 byte mifare classic, I would expect them all to have different UIDs.
and while I don't know how your access system works, I would expect the UID will play a part in that.
(e.g. some systems only use the uid, others are more secure).
If the system uses the UID then it may not work. On the other hand, if it simply uses the UID for card selection and uses the data in the blocks/sectors for access control (i.e. UID is not validated) then as long as each access card stores data in different sectors, it could work.
You need to work on a plan to turn the unknown into knows.
e.g. Work with each card one by one. make a clone of card A and check that it works (this will ensure you have everything needed for card A), then repeat for Card B and C. If all goes well you will then know you have all the bits for a single card copy.
Next, check if all three cards use different sectors to store the data, if they overlap, is it the same data and keys (and permissions).
Then create a card with all the different sectors and one of the UIDs and see if it works.
Key Note: The UID is not meant to be changeable. the csetuid (and other c commands) are for the magic cards and not normal mifare cards. Iceman posted about the different types of cards and the functions.
]]>[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 399 AA DA 9A
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO maybe that's why, how can I change that?or do I have to buy other chips
[+] Prng detection: HARD
[+] Valid ISO14443-A tag found
[usb] pm3 --> hf sea
[=] Checking for known tags...
UID : 399 AA DA 9A
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES maybe that's why, how can I change that?or do I have to buy other chips
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
]]>|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | 0d258fe90296 | 1 |
|001| dd172fff3967 | 1 | abd42aa32e37 | 1 |
|002| a0a1a2a3a4a5 | 1 | abd42aa32e37 | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| eeb420209d0c | 1 | eeb420209d0c | 1 |
|006| 911e52fd7ce4 | 1 | 911e52fd7ce4 | 1 |
|007| 752fbb5b7b45 | 1 | 752fbb5b7b45 | 1 |
|008| 66b03aca6ee9 | 1 | 66b03aca6ee9 | 1 |
|009| 48734389edc3 | 1 | 48734389edc3 | 1 |
|010| 17193709adf4 | 1 | 17193709adf4 | 1 |
|011| 1acc3189578c | 1 | 1acc3189578c | 1 |
|012| c2b7ec7d4eb1 | 1 | c2b7ec7d4eb1 | 1 |
|013| 369a4663acd2 | 1 | 369a4663acd2 | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
The access system is self-sufficient, it was programmed on-site there is a baterie included
So I have here 6 different chips for one and the same zutriets system and all Chip fählt the same B Key does not exist.
Is it because 2 B Key is not default_keys?
Are there any bigger key lists? I already have iceman from rdv40 + official + of course
]]>Quick high level overview.
Mifare classic cards come in a few sizes. depending on the size they will have X sectors (the tech sheets will tell you)
For each sector there are 2 keys, A and B as well as some data blocks and some permissions.
Now, we need to think about what the card is used for and how they do it. This will be 100% up to the system designers.
For example.
I could write an access system that could work as follows.
User walks up to a door access reader. Places the card on the reader and the card ID is read and sent to the back end.
The back end looks up the ID and makes a quick call (UID exists so continue or UID does not exist, so don't open the door)
If we continue, the back end then instructs the reader to read the data from block Y with key A.
The data is sent to the back end, and checked... Yes the data was correct.
The back end could then tell the reader to update the card with some new data and save back to block Y and write with Key B
(i.e. the permissions were set such that A could read and B could write)
Why would they do this... simple, by writing new data on every use, then a clone will only work once unless its re-cloned. and the original will fail if the clone is the new one, so it would need updating.
Do they do that ? thats up to the system developers.
So know that we know what they could do, it is up to you to find out what you need to know and how your system works.
e.g. Read the entire card. Use the card, re-read the card and compare to the first read. Did anything change ?
Next, if you think you have enough data/keys, then try it.
30 von 32 key
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | 0d333390296 | 1 |
|001| fff7293e1117 | 1 | ------------ | 0 | last 2 kay are B key where only ------------ stands ?
|002| a0a1a2a3a4a5 | 1 | ------------ | 0 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| eeb420209d0c | 1 | eeb420ff9d0c | 1 |
|006| 911e52fd7ce4 | 1 | 911e52fd7ce4 | 1 |
|007| 752fbb5b7b45 | 1 | 752fbb5b7b45 | 1 |
|008| 66b03aca6ee9 | 1 | 66b03aca6ee9 | 1 |
|009| 48734389edc3 | 1 | 48734389edc3 | 1 |
|010| 17193709adf4 | 1 | 17193709adf4 | 1 |
|011| 1acc3189578c | 1 | 1acc3189578c | 1 |
|012| c2b7ec7d4eb1 | 1 | c2b7ec7d4eb1 | 1 |
|013| 369a4663acd2 | 1 | 369a4663acd2 | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
[+] Printing keys to binary file hf-mf-19 2B 33 14-key.bin ...
-mf-19 2B 33 14-data.json
"Created": "proxmark3",
"FileType": "mfcard",
"blocks": {
"0": "19 2B 33 142D880400C823002000000018",
"1": "9F033390119000000000000000000000",
"2": "00000000000000000000000000000000",
"3": "A0A1A2A3A4A5787788C10D258FE90296",
"4": "B28AABAB8A1EC4E3447D8691EF9ACE91",
"5": "8800100A5CFffffffffffB0CA4FAEFD14B48",
"6": "F53553F04E3232B5DEE85647839900CA",
"7": "CA172ffff96778778801000000000000",
"8": "00000000000000000000000000000000",
"9": "00000000000000000000000000000000",
"10": "00000000000000000000000000000000",
"11": "A0A1A2A3A4A578778805000000000000",
"12": "00000000000000000000000000000000",
"13": "00000000000000000000000000000000",
"14": "00000000000000000000000000000000",
"15": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"16": "00000000000000000000000000000000",
"17": "00000000000000000000000000000000",
"18": "00000000000000000000000000000000",
"19": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"20": "00000000000000000000000000000000",
"21": "00000000000000000000000000000000",
"22": "00000000000000000000000000000000",
"23": "EEB420209D0C78778800EEB420209D0C",
"24": "00000000000000000000000000000000",
"25": "00000000000000000000000000000000",
"26": "00000000000000000000000000000000",
"27": "911E52FD7CE478778800911E52FD7CE4",
"28": "00000000000000000000000000000000",
"29": "00000000000000000000000000000000",
"30": "00000000000000000000000000000000",
"31": "752FBB5B7B4578778800752FBB5B7B45",
"32": "00000000000000000000000000000000",
"33": "00000000000000000000000000000000",
"34": "00000000000000000000000000000000",
"35": "66B03ACA6EE97877880066B03ACA6EE9",
"36": "00000000000000000000000000000000",
"37": "00000000000000000000000000000000",
"38": "00000000000000000000000000000000",
"39": "48734389EDC37877880048734389EDC3",
"40": "00000000000000000000000000000000",
"41": "00000000000000000000000000000000",
"42": "00000000000000000000000000000000",
"43": "17193709ADF47877880017193709ADF4",
"44": "00000000000000000000000000000000",
"45": "00000000000000000000000000000000",
"46": "00000000000000000000000000000000",
"47": "1ACC3189578C787788001ACC3189578C",
"48": "00000000000000000000000000000000",
"49": "00000000000000000000000000000000",
"50": "00000000000000000000000000000000",
"51": "C2B7EC7D4EB178778800C2B7EC7D4EB1",
"52": "00000000000000000000000000000000",
"53": "00000000000000000000000000000000",
"54": "00000000000000000000000000000000",
"55": "369A4663ACD278778800369A4663ACD2",
"56": "00000000000000000000000000000000",
"57": "00000000000000000000000000000000",
"58": "00000000000000000000000000000000",
"59": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
"60": "00000000000000000000000000000000",
"61": "00000000000000000000000000000000",
"62": "00000000000000000000000000000000",
"63": "FFFFFFFFFFFFFF078069FFFFFFFFFFFF"
},
"Card": {
"UID": "33232333",
"SAK": "88",
"ATQA": "0400"
},
"