Research, development and trades concerning the powerful Proxmark3 device.
Is there a way to write the keys / sectors to a blank ISO 14443A card, without using the dump keys function?
Offline
Not sure what you mean with "dump keys function". You need to have a dumpkeys.bin file to run "hf mf dump" (the keys are required to read each sector) and you need it to run "hf mf restore" (the keys are written to the blank card).
And please don't cross post.
Offline
If you just want to change the keys/data on one or two sectors, you could use
Usage: hf mf wrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>
sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F
You will need to know the existing keys on that sector.
Note: Make sure you get the key block 100% correct. If you get it wrong then you can lock out any to all of that sector.
The Permissions can catch you out
e.g. from above.
000102030405  060708       09    0A0B0C0D0E0F
Key A         Permissions  data  Key B
Last edited by mwalker (2019-06-24 03:57:02)
Offline
If you just want to change the keys/data on one or two sectors. You could use
Usage: hf mf wrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>
sample: hf mf wrbl 0 A FFFFFFFFFFFF
You will need to know the existing keys on that sector.
I have all keys for the sector as shown in the above screenshot.
http://prntscr.com/o5s2bn <- Where is the block data on this sample?
Offline
Sorry, I cut and paste it rather than copy.
I have corrected the post above.
It was from the help file on the proxmark client
hf mf wrbl h
edit:
A little more detail
if the command was
hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F
then it will be
write to block 0
Use key A for the write
Current Key A (for block 0) for sector 1 (blocks 0-3) value is FFFFFFFFFFFF
And the data I want to store is : 000102030405060708090A0B0C0D0E0F
Please note that is an example only, DON'T use this data, use the correct vetted data for your write.
What I would do is the following (to change a key)
Let's say you want to change the key for sector 3
We know there are 4 blocks per sector and we know the keys are in the last block (4th) for each sector.
So, Sector 3 * 4 = 12 is the first block for sector 3
12,13,14 - data blocks
15 Key Block for Sector 3
So let's look at the current data (assuming key A has read/write permissions)
hf mf rdbl 15 A <current a key>
For this example, let's say it returned 000102030405060708090A0B0C0D0E0F
Then if you want to change key A, change the first 12 hex digits.
If you want to change key B, change the last 12 hex digits.
LEAVE the middle 4 bytes (8 characters/digits) alone.
Double check the new packet and make sure the middle 4 bytes have not changed (when just changing keys).
Let's say we want to change the A key to AAAAAAAAAAAA and the B key to BBBBBBBBBBBB
then
000102030405060708090A0B0C0D0E0F
AAAAAAAAAAAA06070809BBBBBBBBBBBB
now write that back
hf mf wrbl 15 A <current A key> AAAAAAAAAAAA06070809BBBBBBBBBBBB
Again I stress DON'T use the data from this example, use the data from your card or data you know is correct for your purpose.
If you get the middle data wrong (permissions) this can lock that sector, which may not be recoverable.
If you have a magic card that supports the magic commands then practice with that.
Last edited by mwalker (2019-06-24 04:17:16)
Offline
No problem, thanks!
Theoretically, can you program (write) each sector (1-15) into the new magic card, line by line?
And where do I find/download the block data (see here: http://prntscr.com/o5sfug)?
(I have the keys and sectors for the Mifare 1k card)
Offline
Have a look at all the hf mf options
ie.
hf mf
Then for each option
hf mf <opt> h
e.g.
one option is
rdbl Read MIFARE classic block
proxmark3> hf mf rdbl h
Usage: hf mf rdbl <block number> <key A/B> <key (12 hex symbols)>
sample: hf mf rdbl 0 A FFFFFFFFFFFF
So you can read one block.
Have a look at the dump option.
Everything is there to do it by hand one block at a time.
The magic card functions only work on magic cards, but are handy if you are using one; they clearly say "magic" in the help.
Last edited by mwalker (2019-06-24 06:05:38)
Offline
Please be aware that in most cases you won't get the keys when reading the sector trailer. Instead you will get all zeroes instead of the keys. When writing back the sector trailer you therefore would need to set both keys, even if you want to change only one.
More pitfalls: the access conditions may not allow writing to the sector trailer.
Offline
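The trailer edit discussed in the posts above (change the keys, keep the middle 4 bytes, supply both keys because they read back masked) can be checked offline before anything is written. This is an added example, not code from the thread or from the Proxmark3 project: the function names and the READ_BACK sample are constructed for illustration, and the access-bit format and key-write table are taken from the NXP MF1S50YYX datasheet.

```python
# Sector trailer layout from the thread: Key A (6 bytes) | access bits (3) | data (1) | Key B (6).
# KEY_WRITER: which key may write new keys, by the trailer's (C1, C2, C3) bits (datasheet table).
KEY_WRITER = {(0, 0, 0): "A", (1, 0, 0): "B", (0, 0, 1): "A", (0, 1, 1): "B"}

def trailer_block(sector):
    """Block number of the sector trailer on a 1K card (4 blocks per sector)."""
    if not 0 <= sector <= 15:
        raise ValueError("MIFARE Classic 1K has sectors 0-15")
    return sector * 4 + 3

def decode_access(acc):
    """Return the (C1, C2, C3) nibbles, or None if the inverted copies disagree."""
    b6, b7, b8 = acc
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0x0F, 0x0F, 0x0F):
        return None
    return c1, c2, c3

def key_writer(acc):
    """'A', 'B' or None: the key allowed to write new keys to this trailer."""
    bits = decode_access(acc)
    if bits is None:
        return None
    return KEY_WRITER.get(tuple((c >> 3) & 1 for c in bits))

def build_trailer(read_back_hex, new_key_a, new_key_b):
    """Return the 32-hex-digit trailer: new keys around the untouched middle 4 bytes."""
    old = bytes.fromhex(read_back_hex)
    key_a, key_b = bytes.fromhex(new_key_a), bytes.fromhex(new_key_b)
    if len(old) != 16 or len(key_a) != 6 or len(key_b) != 6:
        raise ValueError("trailer is 16 bytes, each key is 6 bytes")
    if decode_access(old[6:9]) is None:
        raise ValueError(f"access bits {old[6:9].hex().upper()} are malformed")
    # Key A reads back as zeros, so both keys are always supplied explicitly.
    return (key_a + old[6:10] + key_b).hex().upper()

def wrbl_command(sector, auth_type, auth_key, trailer_hex):
    """Format the write using the 'hf mf wrbl' syntax quoted in the thread."""
    return f"hf mf wrbl {trailer_block(sector)} {auth_type} {auth_key} {trailer_hex}"

# Constructed sample: factory-default trailer as read back, Key A masked as zeros.
READ_BACK = "000000000000" + "FF0780" + "69" + "FFFFFFFFFFFF"

if __name__ == "__main__":
    new = build_trailer(READ_BACK, "AAAAAAAAAAAA", "BBBBBBBBBBBB")
    print(wrbl_command(3, "A", "FFFFFFFFFFFF", new))
```

Feeding the thread's illustrative trailer 000102030405060708090A0B0C0D0E0F to build_trailer raises an error, because the bytes 060708 fail the inverted-copy check; this is the kind of middle section the posts above warn against writing.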
From this screenshot do I have all of the keys? http://prntscr.com/o5u5qu
I think so...
Also, what do you mean by "sector trailer"?
Thanks Piwi.
Offline
Thanks piwi, good catch.
One of the reasons I was recommending playing with a full magic card first, lots of ways to brick a card when you are learning.
I have a test card with a locked sector:)
Offline
You may have a look at the Mifare Classic datasheet, if you are not familiar with how it works ...
https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf
Look at page 7 and following for the memory layout of a card and the sector trailer stuff ...
Offline
From this screenshot do I have all of the keys? http://prntscr.com/o5u5qu
This is hard to answer. The screenshot shows the keys in the emulator memory. The emulator memory is initialized with all keys FFFFFFFFFFFF.
Offline
Is this error due to not having the correct keys when reading the sector trailer:
You can see during the attempted "HF MF DUMP" there are errors: #db# Authentication failed. Card timeout errors. See here: http://prntscr.com/o5ol8f
Offline
Yes errors say that what is wrong, even if they all have keys and they want to change what because of the coding change is very problematic and takes a lot of time
copying a card 1 to 1 is easy but other things are not
Offline
Any guide or steps to fix this issue?
Offline