Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-12-09 01:30:42

Ricky1993
Contributor
Registered: 2016-12-09
Posts: 18

problem of M1 card copy (FDi Black)

i use hf mf nested 1 0 A 8829DA9DAF76 d  on PM3 to copy a FDi(Black color) Card,
and it demonstrate
Iterations count: 0


|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|001|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|002|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|003|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|004|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|005|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|006|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|007|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|008|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|009|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|010|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|011|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|012|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|013|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|014|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|015|  8829da9daf76  | 1 |  8829da9daf76  | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...

it should be successful but i dump it and copy into other card it not work, so i retry it using

hf mf mifare

and the result is

Card is not vulnerable to Darkside attack (its random number generator is not predictable).

why?
how can i copy it .
i have copied FDi a lot, but now in some new building, it become different, i can't copy it again

Offline

#2 2017-05-11 09:16:10

vishal36
Contributor
Registered: 2017-02-03
Posts: 18

Re: problem of M1 card copy (FDi Black)

HI I have the same problem, does anyone know how to solve it ?

Offline

#3 2017-05-11 09:32:18

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: problem of M1 card copy (FDi Black)

perhaps good on issue with M1 copy not working, to state where you roughly are. issue similar like this has been reported, also possible solution.

Offline

#4 2017-05-30 12:43:28

redbris
Contributor
Registered: 2017-05-27
Posts: 30

Re: problem of M1 card copy (FDi Black)

Same here, I have a FDI that I would like to make a duplicate of for a friend, Following smile

Offline

#5 2017-06-12 13:30:55

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: problem of M1 card copy (FDi Black)

You sure you guys got the right magic card ?

Tested and proven it worked on my side.

Offline

#6 2017-06-22 06:07:13

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 51

Re: problem of M1 card copy (FDi Black)

I found this also on new FDI sites, I think the reader actually checks for the

Answers to magic commands:YES

If this is found it will not work. (My theory from 2 tests).
And in my case it actually somehow corrupted the card!! (Offensive card readers!) mad

However when I tried cloning again on a card that

Answers to magic commands:NO

but is still UID changeable it works.

On these non-magic (cannot use csetuid etc) but still UID changeable cards, you would run

hf mf restore

but that does not change the UID. You then have to write to block 0 individually to set it

hf mf wrbl 0 ... 

I had one of these 'non-magic but still uid changeable' cards, however I don't remember when I got them from. I need more urgently.
All the 'UID changeable cards' I ordered in trying to find them are magic cards, ie.

Answers to magic commands:YES

Is there a thread or info on the type of magic cards (gen1 etc) and where I can order more of these

Answers to magic commands:NO

but is still UID changeable cards??

Offline

#7 2017-06-22 07:58:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: problem of M1 card copy (FDi Black)

There is one producer who makes magic Mifare Classic Generation2 cards,  which I know and has confirmed it from as of today.
The cards which I found is s70/4k/4b-uid  and s50/1k/7b-uid

The stores in the trade parts section of which I have confirmed selling it is:
Lab401.com
rfxsecure.com
and my own proxmark3.tictail.se store.   

--- Many stores claims to have it  ---
if any of you forumusers finds and confirms that a shop has magic Mifare Classic generation2 tags, please notifiy me.


I know of magic Ultralight, Ultralight-C, NTAG 213/215/216...

Offline

#8 2017-06-22 10:23:04

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 51

Re: problem of M1 card copy (FDi Black)

Have just put in an order from rfxsecure.com. Will report back.

Offline

#9 2017-07-10 02:56:52

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 51

Re: problem of M1 card copy (FDi Black)

I have got the tags 's50 gen1' as rfxsecure calls it.

Answers to magic commands:NO

Have to write block 0 via

hf mf wrbl 0

I can confirm these are working on the 'newer / updated' FDI readers that can detect magic 'backdoor' clones.

Offline

#10 2017-07-10 03:53:04

redbris
Contributor
Registered: 2017-05-27
Posts: 30

Re: problem of M1 card copy (FDi Black)

Hello everyone,

Here is the interesting thing for me, I managed to get the few that I was playing with cloned, and working on a site, but its not as clear cut as I think it is.

The two apartment complex's that friends wanted there chunky black fobs turned into ISO cards, they are not actually hooked up to FDI Hardware (eg back end controllers and associated hardware) rather they are hooked up to another access control system (Inner Range C4000) On a bit of snooping I found that they are using the direct entry, which seems to take a portion of the cards information (not quite sure which as I havent done any testing) and uses that as its unique ID.

I only mention this, because when I cloned the cards, I used some UID Changeable 1k cards that I found from a local supplier, the cards dont answer to magic (gen 1) commands, but will allow me to hf dump the data out when it has the right keys, and write the data back on, the information when you run a hf check on seems to be correct, some of the fields dont marry up with the original card, but the card still works...

Just something interesting I found in my travels,

ReD

Offline

#11 2017-07-10 04:06:01

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 51

Re: problem of M1 card copy (FDi Black)

Yes I noticed these 'FDI' readers (No idea about back end controller) the contents of the card were all 0's except for the very first byte which was '01' (same on diffrent fobs), so yes I think it is just using the UID.
But also checks for the backdoor wink

Offline

#12 2017-07-10 05:45:00

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 51

Re: problem of M1 card copy (FDi Black)

Script to automate the writing of keys to these tags is up for review http://www.proxmark.org/forum/viewtopic … 638#p28638

Offline

#13 2017-07-12 13:20:29

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 51

Re: problem of M1 card copy (FDi Black)

samburner3 wrote:

And in my case it actually somehow corrupted the card!! (Offensive card readers!) mad

FYI This is what happens to a magic tag when it come into contact with an 'upgraded' FDI reader:

lhlLuLy.png

Just run the remagic script to fix.

Offline

#14 2017-07-12 13:41:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: problem of M1 card copy (FDi Black)

quite intrusive actions of those readers,  to clear block0.

Offline

#15 2017-07-12 14:22:50

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: problem of M1 card copy (FDi Black)

Is this with a magic Chinese Backdoor tag or with a UID changeable one through MCT.
I wonder if the FDI reader can write to block 0 on both types as they need different commands.
If you don't have both I can send you the one you don't have so you can test.

Last edited by Onisan (2017-07-12 14:23:47)

Offline

#16 2017-07-13 11:47:17

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: problem of M1 card copy (FDi Black)

My guess is that the reader attempts to corrupt the tags with chinese backdoor commands.

There are 5 types of Mifare S50 tags in the market now.
1) the UID changeable chinese backdoor (FDI non-compatible)
2) non chinese backdoor (hf mf wrbl) (FDI Compatible)
3) some FUID, CUID, UFUID.  (unknown)

I will send some to Sam to test it out which works and which doesn't.

So stay tune.

Offline

#17 2017-07-13 11:58:26

phiber
Contributor
Registered: 2016-10-11
Posts: 37

Re: problem of M1 card copy (FDi Black)

iceman wrote:

quite intrusive actions of those readers,  to clear block0.

That sounds quite devious but yet ingenious, to try and kill cloned cards, after all, it's just issuing a command during detect.

Offline

Board footer

Powered by FluxBB