Research, development and trades concerning the powerful Proxmark3 device.
I use hf mf nested 1 0 A 8829DA9DAF76 d on PM3 to copy an FDi (black color) card,
and it demonstrates
Iterations count: 0
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|001| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|002| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|003| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|004| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|005| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|006| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|007| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|008| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|009| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|010| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|011| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|012| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|013| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|014| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|015| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
It should be successful, but when I dump it and copy it onto another card it does not work, so I retried using
hf mf mifare
and the result is
Card is not vulnerable to Darkside attack (its random number generator is not predictable).
Why?
How can I copy it?
I have copied FDi a lot, but now in some new buildings it has become different; I can't copy it again.
Offline
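Added example, not part of the original post or of the Proxmark3 project: an auditor's parser for the key table printed by hf mf nested above, reporting how many distinct keys protect the card (in the posted table, one key covers key A and key B of all 16 sectors). The default-key list and the reading of res 0 as "key not recovered" are assumptions, and the second sample table is constructed.

```python
import re

# Row layout as printed in the post: |sec| key A |res| key B |res|
ROW = re.compile(r"^\|(\d{3})\|\s*([0-9a-fA-F]{12})\s*\|\s*([01])\s*\|"
                 r"\s*([0-9a-fA-F]{12})\s*\|\s*([01])\s*\|$")

# Widely published factory/default MIFARE Classic keys (assumption, not from the thread).
DEFAULT_KEYS = {"ffffffffffff", "a0a1a2a3a4a5", "000000000000"}

def parse_key_table(text):
    """Return {sector: {"A": key or None, "B": key or None}}."""
    sectors = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # separator lines, header row, status messages
        sec, ka, ra, kb, rb = m.groups()
        # Assumption: res == 0 means the key in that column was not recovered.
        sectors[int(sec)] = {"A": ka.lower() if ra == "1" else None,
                             "B": kb.lower() if rb == "1" else None}
    return sectors

def audit(sectors):
    """Summarise key diversity; findings are weaknesses worth reporting."""
    where = {}  # key -> set of sectors that use it
    for sec, pair in sectors.items():
        for key in pair.values():
            if key:
                where.setdefault(key, set()).add(sec)
    known = sum(1 for p in sectors.values() for k in p.values() if k)
    findings = []
    if len(where) == 1 and known == 2 * len(sectors):
        findings.append("one key protects every sector")
    else:
        shared = sorted(k for k, s in where.items() if len(s) > 1)
        findings += [f"key {k} reused across sectors" for k in shared]
    findings += [f"default key {k} in use" for k in sorted(where) if k in DEFAULT_KEYS]
    return {"distinct": len(where), "known": known,
            "slots": 2 * len(sectors), "findings": findings}

# Two rows copied from the table in the post, plus the header line.
POST_EXCERPT = """|sec|key A |res|key B |res|
|000| 8829da9daf76 | 1 | 8829da9daf76 | 1 |
|001| 8829da9daf76 | 1 | 8829da9daf76 | 1 |"""

# Constructed sample: one default key, one unrecovered key B, two diversified keys.
CONSTRUCTED = """|000| ffffffffffff | 1 | 000000000000 | 0 |
|001| 1a2b3c4d5e6f | 1 | 0f1e2d3c4b5a | 1 |"""

if __name__ == "__main__":
    print(audit(parse_key_table(POST_EXCERPT)))
    print(audit(parse_key_table(CONSTRUCTED)))
```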
Hi, I have the same problem. Does anyone know how to solve it?
Offline
Perhaps it is good, on an issue with M1 copy not working, to state roughly where you are. An issue similar to this has been reported, and also a possible solution.
Offline
Same here, I have an FDI that I would like to make a duplicate of for a friend. Following.
Offline
You sure you guys got the right magic card?
Tested and proven it worked on my side.
Offline
I found this also on new FDI sites, I think the reader actually checks for the
Answers to magic commands:YES
If this is found it will not work. (My theory from 2 tests).
And in my case it actually somehow corrupted the card!! (Offensive card readers!)
However when I tried cloning again on a card that
Answers to magic commands:NO
but is still UID changeable it works.
On these non-magic (cannot use csetuid etc) but still UID changeable cards, you would run
hf mf restore
but that does not change the UID. You then have to write to block 0 individually to set it
hf mf wrbl 0 ...
I had one of these 'non-magic but still uid changeable' cards, however I don't remember when I got them from. I need more urgently.
All the 'UID changeable cards' I ordered in trying to find them are magic cards, ie.
Answers to magic commands:YES
Is there a thread or info on the type of magic cards (gen1 etc) and where I can order more of these
Answers to magic commands:NO
but is still UID changeable cards??
Offline
There is one producer who makes magic Mifare Classic Generation2 cards, which I know of and have confirmed as of today.
The cards which I found are s70/4k/4b-uid and s50/1k/7b-uid.
The stores in the trade parts section which I have confirmed are selling it are:
Lab401.com
rfxsecure.com
and my own proxmark3.tictail.se store.
--- Many stores claim to have it ---
If any of you forum users find and confirm that a shop has magic Mifare Classic generation2 tags, please notify me.
I know of magic Ultralight, Ultralight-C, NTAG 213/215/216...
Offline
Have just put in an order from rfxsecure.com. Will report back.
Offline
I have got the tags 's50 gen1' as rfxsecure calls it.
Answers to magic commands:NO
Have to write block 0 via
hf mf wrbl 0
I can confirm these are working on the 'newer / updated' FDI readers that can detect magic 'backdoor' clones.
Offline
Hello everyone,
Here is the interesting thing for me: I managed to get the few that I was playing with cloned, and working on a site, but it's not as clear cut as I think it is.
The two apartment complexes where friends wanted their chunky black fobs turned into ISO cards are not actually hooked up to FDI hardware (e.g. back-end controllers and associated hardware); rather, they are hooked up to another access control system (Inner Range C4000). On a bit of snooping I found that they are using the direct entry, which seems to take a portion of the card's information (not quite sure which, as I haven't done any testing) and uses that as its unique ID.
I only mention this because, when I cloned the cards, I used some UID changeable 1k cards that I found from a local supplier. The cards don't answer to magic (gen 1) commands, but will allow me to hf dump the data out when it has the right keys, and write the data back on. The information when you run a hf check on it seems to be correct; some of the fields don't marry up with the original card, but the card still works...
Just something interesting I found in my travels,
ReD
Offline
Yes, I noticed with these 'FDI' readers (no idea about the back-end controller) that the contents of the card were all 0's except for the very first byte, which was '01' (same on different fobs), so yes, I think it is just using the UID.
But also checks for the backdoor
Offline
Script to automate the writing of keys to these tags is up for review http://www.proxmark.org/forum/viewtopic … 638#p28638
Offline
And in my case it actually somehow corrupted the card!! (Offensive card readers!)
FYI, this is what happens to a magic tag when it comes into contact with an 'upgraded' FDI reader:
Just run the remagic script to fix.
Offline
quite intrusive actions of those readers, to clear block0.
Offline
Is this with a magic Chinese Backdoor tag or with a UID changeable one through MCT?
I wonder if the FDI reader can write to block 0 on both types as they need different commands.
If you don't have both I can send you the one you don't have so you can test.
Last edited by Onisan (2017-07-12 14:23:47)
Offline
My guess is that the reader attempts to corrupt the tags with chinese backdoor commands.
There are 5 types of Mifare S50 tags in the market now.
1) the UID changeable chinese backdoor (FDI non-compatible)
2) non chinese backdoor (hf mf wrbl) (FDI Compatible)
3) some FUID, CUID, UFUID. (unknown)
I will send some to Sam to test it out which works and which doesn't.
So stay tuned.
Offline
quite intrusive actions of those readers, to clear block0.
That sounds quite devious but yet ingenious, to try and kill cloned cards, after all, it's just issuing a command during detect.
Offline