Help for clone Mifare 1K

kayser88 · 2015-09-01 16:24:18

Hello everybody,

i start with PM3 and i have a problem for understand how clone Mifare 1k ....
i understand, i need 3 informations ( UID , Key A and Key B )
i have different tags:

For exemple : First step
----------------------------------------------
proxmark3> hf search

UID : 84 33 25 aa
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS
Answers to chinese magic backdoor commands:

Valid ISO14443A Tag Found - Quiting Search
-------------------------------------------------------

if i understand i can see the UID and i know it's Mifare CLASSIC 1K

Second Step :
--------------------------------------------------------
proxmark3> hf mf chk *1 ? t
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block: 3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 0, block: 3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block: 7, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:B, key count:13
Found valid key:[ffffffffffff]
Found keys have been transferred to the emulator memory
----------------------------------------------------------------------

If i understand i found keys "ffffffffffff"

Step 3 :
-----------------------------------------------------------------------
proxmark3> hf mf nested 1 0 A ffffffffffff d
Testing known keys. Sector count=16
nested...
Time in nested: 4.230 (inf sec per key)

Iterations count: 0

|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
--------------------------------------------------------

And now i don't know what i can do...
i instaled HxD software for open .bin file

My Proxmark has been updated :

proxmark3> hw ver
Prox/RFID mark3 RFID instrument
bootrom: master/v2.2 2015-07-31 11:28:11
os: master/v2.2 2015-07-31 11:28:12
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 162219 bytes (31%). Free: 362069 bytes (69%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

Thank you for your help i know for many people it's not too hard but for me its no very simple ...

kayser88 · 2015-09-17 02:58:49

sorry for my stupid question ... now its good i know how to clone Mifare 1K

sbg1102 · 2015-10-20 15:52:09

May I know how do you buy all those hardware and magic clone card? appreciate if you can give me one stop solutions? Thanks a lot

iceman · 2015-10-20 18:42:16

if you read under the "trade parts" category, u'll find stores where they sell magic 1k / 4k tag. ref http://www.proxmark.org/forum/viewforum.php?id=17
If you search the ads on taobao or ebay you'll find these tags. There is also a number of users here that sells them.

sbg1102 · 2015-10-21 05:57:52

iceman wrote:

if you read under the "trade parts" category, u'll find stores where they sell magic 1k / 4k tag. ref http://www.proxmark.org/forum/viewforum.php?id=17
If you search the ads on taobao or ebay you'll find these tags. There is also a number of users here that sells them.

I tried to send two touchtag to xfpga Micheal Huang, no reply from him, don't know why he want to cheat me. Just ask him to modify toll touch card value only. any low cost equipment besides proxmark 3 and UID changeable card can do this job? Please help me, iceman.

iceman · 2015-10-21 08:48:55

I don't have any contact with xfpga.

But what is it that you want to do?

sbg1102 · 2015-10-21 09:51:06

iceman wrote:

I don't have any contact with xfpga.
But what is it that you want to do?

I didn't want xfpga since their credibility is so low. I want to clone one touch card with credit to another magic UID changeable card. What hardware (affordable and cheaper than proxmark3) and which supplier you normally liaise with?

iceman · 2015-10-21 10:29:29

Since I have a PM3, I don't know much of the cloner market.

But for the purpose I guess the "ACR122U" r/w and some kind of nfc libary would do.
If the touch card is a normal Mifare S50 1K card then even some mobile phones would do. This is not my area.

sbg1102 · 2015-10-21 13:49:22

iceman wrote:

Since I have a PM3, I don't know much of the cloner market.
But for the purpose I guess the "ACR122U" r/w and some kind of nfc libary would do.
If the touch card is a normal Mifare S50 1K card then even some mobile phones would do. This is not my area.

Iceman, is it possible using ACR122U writer t modify touch tag epayment load values

iceman · 2015-10-21 14:00:30

The ACR122U R/W together with some libnfc, libfreefare should be enough to do the trick.

It comes down to the tag, what kind it is, and if the tag has data protection like crc, encryption of data.

sbg1102 · 2015-10-21 15:13:25

iceman wrote:

The ACR122U R/W together with some libnfc, libfreefare should be enough to do the trick.
It comes down to the tag, what kind it is, and if the tag has data protection like crc, encryption of data.

if the tag has data protection on value credit and encryption of data, then ACR122U R/W can't be used? how about Proxmark3?

mariolino · 2015-10-21 16:13:08

sbg1102 wrote:

iceman wrote:
The ACR122U R/W together with some libnfc, libfreefare should be enough to do the trick.
It comes down to the tag, what kind it is, and if the tag has data protection like crc, encryption of data.
if the tag has data protection on value credit and encryption of data, then ACR122U R/W can't be used? how about Proxmark3?

The approach should be:
1) find the default keys;
2) dumps cards;
3) dumps analysis in relation of the amount included ( credit );
4) if needed, decryption data.

With the ACR122U you can find the default keys using mfoc/mfcuk but it doesn't work for all mifare, it is an old project.
When you got the Keys, you are able to go the following steps.... It is usually easy to find the credit encryption.

Good luck

Last edited by mariolino (2015-10-21 16:18:17)

sbg1102 · 2015-10-21 21:50:53

mariolino wrote:

sbg1102 wrote:
iceman wrote:
The ACR122U R/W together with some libnfc, libfreefare should be enough to do the trick.
It comes down to the tag, what kind it is, and if the tag has data protection like crc, encryption of data.
if the tag has data protection on value credit and encryption of data, then ACR122U R/W can't be used? how about Proxmark3?
The approach should be:
1) find the default keys;
2) dumps cards;
3) dumps analysis in relation of the amount included ( credit );
4) if needed, decryption data.
With the ACR122U you can find the default keys using mfoc/mfcuk but it doesn't work for all mifare, it is an old project.
When you got the Keys, you are able to go the following steps.... It is usually easy to find the credit encryption.
Good luck

Could proxmark more easier to do all abovementioned steps? if no, how can I find out all the commands required as I am just newbie in this field

iceman · 2015-10-22 08:39:04

It doesn't matter so much collecting data on a certain device, as understanding the data once you have it.

If the data is protected, you'll need to figure the solution if there exists one. This step is the most timeconsuming.

You have a lot to study.

-- legal stuff
The ticket system companies usually don't want ppl to get free rides. If you send tags to somewhere asking for them to fiddle with a value, you are asking them to commit fraud. If you want to add value to your ticket tag, you are commiting fraud as well.

sbg1102 · 2015-10-27 07:01:14

iceman wrote:

It doesn't matter so much collecting data on a certain device, as understanding the data once you have it.
If the data is protected, you'll need to figure the solution if there exists one. This step is the most timeconsuming.
You have a lot to study.

-- legal stuff
The ticket system companies usually don't want ppl to get free rides. If you send tags to somewhere asking for them to fiddle with a value, you are asking them to commit fraud. If you want to add value to your ticket tag, you are commiting fraud as well.

因为大道公司是大盗，人民水深火热

kayser88 · 2015-10-27 14:42:27

Yes i bought chiness card on xfpga it was perfect no problem.

I buy Mifare 1k with back door and card and keyfog 125 khz 5557 ( they works perfectly )

sbg1102 · 2015-11-02 15:59:39

kayser88 wrote:

Yes i bought chiness card on xfpga it was perfect no problem.
I buy Mifare 1k with back door and card and keyfog 125 khz 5557 ( they works perfectly )

Give me the model which can work one ? Which model you bought?

sbg1102 · 2015-11-12 15:28:28

kayser88 wrote:

Yes i bought chiness card on xfpga it was perfect no problem.
I buy Mifare 1k with back door and card and keyfog 125 khz 5557 ( they works perfectly )

lived very suffer in my country with ridiculous toll fee, can someone help me how to buy off the shelf mifare cloner and uid changeable card?

nfcopy · 2015-11-23 06:43:51

This is a research forum, not some underground criminals lair.

Proxmark3 community

Announcement

#1 2015-09-01 16:24:18

Help for clone Mifare 1K

#2 2015-09-17 02:58:49

Re: Help for clone Mifare 1K

#3 2015-10-20 15:52:09

Re: Help for clone Mifare 1K

#4 2015-10-20 18:42:16

Re: Help for clone Mifare 1K

#5 2015-10-21 05:57:52

Re: Help for clone Mifare 1K

#6 2015-10-21 08:48:55

Re: Help for clone Mifare 1K

#7 2015-10-21 09:51:06

Re: Help for clone Mifare 1K

#8 2015-10-21 10:29:29

Re: Help for clone Mifare 1K

#9 2015-10-21 13:49:22

Re: Help for clone Mifare 1K

#10 2015-10-21 14:00:30

Re: Help for clone Mifare 1K

#11 2015-10-21 15:13:25

Re: Help for clone Mifare 1K

#12 2015-10-21 16:13:08

Re: Help for clone Mifare 1K

#13 2015-10-21 21:50:53

Re: Help for clone Mifare 1K

#14 2015-10-22 08:39:04

Re: Help for clone Mifare 1K

#15 2015-10-27 07:01:14

Re: Help for clone Mifare 1K

#16 2015-10-27 14:42:27

Re: Help for clone Mifare 1K

#17 2015-11-02 15:59:39

Re: Help for clone Mifare 1K

#18 2015-11-12 15:28:28

Re: Help for clone Mifare 1K

#19 2015-11-23 06:43:51

Re: Help for clone Mifare 1K

Board footer