Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Dear community,
my aim is to make a working clone of a Mifare classic 4k. The card belongs to a Salto 4XS system. This is the card:
proxmark3> hf search
UID : ** ** ** **
ATQA : 00 02
SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDENED (hardnested)
Valid ISO14443A Tag Found - Quiting Search
proxmark3>
What I have done:
I bought a 4K Mifare UID Modifiable card from Lab401:
proxmark3> hf search
UID : ** ** ** **
ATQA : 00 02
SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor command (GEN 1b) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
proxmark3>
With the Mifare Classic Tool I read the complete card with all keys.
On the card I like to clone it says regarding generic tag info:
UID:
********(4 byte)
RF Technology:
ISO/IEC 14443, Type A
ATQA:
0002
SAK:
18
ATS:
-
Then I set blocks 0 to 3 of the UID modifiable card with a Proxmark 3 by
proxmark3> hf mf csetblk
After that, I assured that with a
proxmark3> hf mf rdbl 0 A A0A1A2A3A4A5
I can read block 0 (1,2) of the card with the (standard) keys I wrote to the trailer sector.
In addition, I wrote all the other sectors (except sector 0) from the card dump to the UID modifiable card. After that, again I read the now complete card with the MFC and assured that the content of the UID modifiable card is completely identical with the dump on my phone.
What's my problem:
If I try the card on any doors, I get error code: Not an authorized Salto card format.
Explanation from here, page 2, last entry.
What's my question:
Could it be possible that the card I try to clone has a 7 byte UID instead of the 4 byte of my modifiable card? How can I distinguish that? How can the reader interpret two cards with the same content in different ways? How can I correct that? Do I need 7 byte UID modifiable cards?
What is more, I have a few other dumps of cards of that system on my phone. None of them have identical bytes at the beginning of block 0, sector 0. How could this come, as I tended to think that all cards from a manufacturer have identical bytes at the beginning of block 0?
Best regards,
JD.
Last edited by JohnDoePM (2018-09-27 18:24:14)
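The UID-length question in the post above can be read off the anticollision values both tools already printed (ATQA 00 02, SAK 18). The following is an added example, not part of the original post: it decodes the ISO/IEC 14443-3 Type A UID-size bits and checks the BCC byte of a 4-byte-UID block 0. It assumes the ATQA is given high byte first, as in the listings above; the function names and the sample block are constructed for illustration.

```python
# Added example (not from the thread): decode ATQA/SAK and sanity-check block 0.

UID_SIZES = {0b00: 4, 0b01: 7, 0b10: 10}  # ATQA bits 7..6 -> UID length in bytes


def uid_size_from_atqa(atqa_display: str) -> int:
    """ATQA as printed by the tools, high byte first, e.g. '00 02' or '0002'."""
    value = int(atqa_display.replace(" ", ""), 16)
    code = (value >> 6) & 0b11
    if code not in UID_SIZES:
        raise ValueError("reserved UID size code in ATQA")
    return UID_SIZES[code]


def sak_flags(sak: int) -> dict:
    """Interpret the two SAK bits defined by ISO/IEC 14443-3."""
    return {
        "uid_incomplete": bool(sak & 0x04),  # cascade bit: more UID bytes follow
        "iso14443_4": bool(sak & 0x20),      # card answers RATS (ISO 14443-4)
    }


def check_block0_4byte(block0: bytes) -> dict:
    """4-byte-UID MIFARE Classic: bytes 0-3 are the UID, byte 4 is the BCC
    (XOR of the four UID bytes); the rest is manufacturer data."""
    if len(block0) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    uid, bcc = block0[:4], block0[4]
    expected = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {"uid": uid.hex(), "bcc_ok": bcc == expected, "expected_bcc": expected}


# Constructed sample block 0 (UID DEADBEEF, BCC 0x22, zero filler), not a real card.
SAMPLE_BLOCK0 = bytes.fromhex("DEADBEEF22" + "00" * 11)

if __name__ == "__main__":
    print("ATQA 00 02 ->", uid_size_from_atqa("00 02"), "byte UID")
    print("SAK 0x18   ->", sak_flags(0x18))
    print("block 0    ->", check_block0_4byte(SAMPLE_BLOCK0))
```

Because the first bytes of block 0 are the card's own UID followed by a checksum over it, they differ from card to card even within one manufacturer and one installation.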
Hi JohnDoePM,
I probably cannot help you with your problem but I have a question regarding your description.
Do I understand correctly that all blocks on both cards are identical except block 0?
You only wrote the first 4 bytes of block 0 of your 4K Mifare UID Modifiable card?
What does the rest of block 0 look like? Are there any differences?
I ask because at the moment I have an issue with a copied card as well, as it is not recognized. It is a different system and only a 1K Mifare card, but that is why I ask if there are any differences in block 0 or if both your cards are fully identical. I have heard that some readers can identify Chinese backdoor cards and do not accept them. Maybe this is the case with your Salto 4XS system and your GEN 1b card as well.
In another thread different kind of cards are discussed:
CUID
magic card, generation 2, block0 writeable several times, with normal mifare commands.
Purpose: to be used with any rfid reader/writer which supports mifare (like a smartphone)
FUID
unfused card, or write-once card. Normal card but you can re-write UID once, with normal mifare commands.
Purpose: parking/elevator system with "anti-clone" feature where it "re-writes" block 0, effectively making sure your clone doesn't work.
UFUID
Magic card, generation 1a, answers to backdoor commands
Some user later suggests that UFUID can be fused so that it does not answer to backdoor commands anymore.
If your cards are fully identical, maybe the reader checks for backdoor commands and one of these more sophisticated special cards can get you around that additional check. But I do not even know if such cards exist for the 4K Mifare.
Cheers
ImSchatten360
Have a look at sectors 35 to 39 - did you also change those?
@ henc:
The source card (i.e. card I want to clone) doesn't have sectors 35 to 39 ....(?)
Regards,
JD.
The source card (i.e. card I want to clone) doesn't have sectors 35 to 39 ....(?)
Mifare 4K cards should have 39 sectors.
Did you mean, that these sectors are empty (0x00) on your source card?
Can you sniff the communication between terminal and your (cloned) cards?
If yes, maybe you can find differences between the two cards during sniffing the communication ...
@ Mackwa:
Thanks for replying, actually I scanned the "source" card with the Mifare Classic Tool and regarding sectors 2, 3, 35-39 it replied:
"No keys found or dead sector."
Any further ideas what I could check else?
Last edited by JohnDoePM (2018-11-06 16:29:16)