Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hi,all,I faced strange case,I cloned mifare classic 1 k to a chinease magic card,and after cloned,both original and copied fob were identical,but original fob works on door but cloned fob not working at all,I like get some advice from experts and point me out for any mistake I've made,thanks in advance..
1)original fob
UID : 32 F1 1D 07
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
found 2 keys from hardnested|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ------------ | 0 | ------------ | 0 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
675 | 3280 | Brute force phase completed. Key found: abb3444b7edb | 0 | 0s
--target block no: 56, target key type:B, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
863 | 2191 | Brute force phase completed. Key found: fe1988b42b06
after that I dump the data and cmd cload to save to chinese magic card.result below[+] Loaded 64 blocks from file: 32f11d07.eml
UID : 32 F1 1D 07
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
[+] Valid ISO14443-A Tag Found
it looks to me uid and atqa and sak values identical with original fob and also data too identical,can any one advice me what to check and any right direction from here...
Offline
unclear if you dumped the card with a complete key file.
The system could have detection against Gen1a tags. What type of system is it?
Offline
Thanks for your pointing out Iceman,I believed I have found keys dumped out below,
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-1075-ga5dfd9b1-dirty-unclean 2019-02-28 13:57:34
os: iceman/master/ice_v3.1.0-1075-ga5dfd9b1-dirty-unclean 2019-02-28 13:57:47
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S256 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 256K bytes, Used: 237349 bytes (91%) Free: 24795 bytes ( 9%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[+] Loaded 64 blocks from file: 32f11d07.eml
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
[-] No known 125/134 KHz tags Found!
UID : 32 F1 1D 07
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Answers to magic commands (GEN 1a): YES
[+] Prng detection: WEAK
[+] Valid ISO14443-A Tag Found
[+] Loaded 664 keys from default_keys.dic
[+] Running strategy 1
[-] Chunk: 3.6s | found 30/32 keys (85)
[-] Chunk: 2.8s | found 30/32 keys (85)
[-] Chunk: 2.8s | found 30/32 keys (85)
[-] Chunk: 2.8s | found 30/32 keys (85)
[-] Chunk: 2.8s | found 30/32 keys (85)
[-] Chunk: 2.8s | found 30/32 keys (85)
[-] Chunk: 2.8s | found 30/32 keys (85)
[-] Chunk: 2.3s | found 32/32 keys (69)
[+] Time in checkkeys (fast): 22.8s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| abb3444b7edb | 1 | fe1988b42b06 | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file default_keys.dic...
Found keys have been dumped to file default_keys.dic. 0xffffffffffff has been inserted for unknown keys.
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
[+] successfully read block 0 of sector 0.
[+] successfully read block 1 of sector 0.
[+] successfully read block 2 of sector 0.
[+] successfully read block 3 of sector 0.
[+] successfully read block 0 of sector 1.
[+] successfully read block 1 of sector 1.
[+] successfully read block 2 of sector 1.
[+] successfully read block 3 of sector 1.
[+] successfully read block 0 of sector 2.
[+] successfully read block 1 of sector 2.
[+] successfully read block 2 of sector 2.
[+] successfully read block 3 of sector 2.
[+] successfully read block 0 of sector 3.
[+] successfully read block 1 of sector 3.
[+] successfully read block 2 of sector 3.
[+] successfully read block 3 of sector 3.
[+] successfully read block 0 of sector 4.
[+] successfully read block 1 of sector 4.
[+] successfully read block 2 of sector 4.
[+] successfully read block 3 of sector 4.
[+] successfully read block 0 of sector 5.
[+] successfully read block 1 of sector 5.
[+] successfully read block 2 of sector 5.
[+] successfully read block 3 of sector 5.
[+] successfully read block 0 of sector 6.
[+] successfully read block 1 of sector 6.
[+] successfully read block 2 of sector 6.
[+] successfully read block 3 of sector 6.
[+] successfully read block 0 of sector 7.
[+] successfully read block 1 of sector 7.
[+] successfully read block 2 of sector 7.
[+] successfully read block 3 of sector 7.
[+] successfully read block 0 of sector 8.
[+] successfully read block 1 of sector 8.
[+] successfully read block 2 of sector 8.
[+] successfully read block 3 of sector 8.
[+] successfully read block 0 of sector 9.
[+] successfully read block 1 of sector 9.
[+] successfully read block 2 of sector 9.
[+] successfully read block 3 of sector 9.
[+] successfully read block 0 of sector 10.
[+] successfully read block 1 of sector 10.
[+] successfully read block 2 of sector 10.
[+] successfully read block 3 of sector 10.
[+] successfully read block 0 of sector 11.
[+] successfully read block 1 of sector 11.
[+] successfully read block 2 of sector 11.
[+] successfully read block 3 of sector 11.
[+] successfully read block 0 of sector 12.
[+] successfully read block 1 of sector 12.
[+] successfully read block 2 of sector 12.
[+] successfully read block 3 of sector 12.
[+] successfully read block 0 of sector 13.
[+] successfully read block 1 of sector 13.
[+] successfully read block 2 of sector 13.
[+] successfully read block 3 of sector 13.
[+] successfully read block 0 of sector 14.
[+] successfully read block 1 of sector 14.
[+] successfully read block 2 of sector 14.
[+] successfully read block 3 of sector 14.
[+] successfully read block 0 of sector 15.
[+] successfully read block 1 of sector 15.
[+] successfully read block 2 of sector 15.
[+] successfully read block 3 of sector 15.
[+] dumped 64 blocks (1024 bytes) to file hf-mf-32F11D07-data.bin
Offline
Ok, so dump is good.
and now try simulate with your pm3, afterwards read the trace list and see if the reader has some funky stuff going on.
Offline
While dumping out,I did not have any error messge at all,I will also post two data for both original and cloned one below,
1)dump data for original fob
32 f1 1d 07 d9 88 04 00 c8 50 00 20 00 00 00 17
c5 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 31 52 00 00
a0 a1 a2 a3 a4 a5 78 77 88 c1 b0 b1 b2 b3 b4 b5
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
53 a2 30 6d cc 42 c9 73 bb 06 4e c7 f1 4e a0 c7
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ab b3 44 4b 7e db 78 77 88 69 fe 19 88 b4 2b 06
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
2)dump data for cloned fob
32f11d07d9880400c850002000000017
c50e0000000000000000000000000000
00000000000000000000000031520000
a0a1a2a3a4a5787788c1b0b1b2b3b4b5
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
53a2306dcc42c973bb064ec7f14ea0c7
00000000000000000000000000000000
00000000000000000000000000000000
abb3444b7edb78778869fe1988b42b06
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
Last edited by seanedu (2019-08-12 20:44:42)
Offline
eload it and sim , and look at trace list afterwards.
Offline
you mean cload,I am using chinease magic card,I will try and see how it goes,but one question is when you said look at trace list mean do hf list 14a?
Offline
hi,Iceman,here I got some trace result below,
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2244 | 4612 | Tag | 04 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10692 | 16580 | Tag | 32 f1 1d 07 d9 | |
18816 | 29280 | Rdr | 93 70 32 f1 1d 07 d9 fb 0c | ok | SELECT_UID
30532 | 34052 | Tag | 08 b6 dd | |
487808 | 492576 | Rdr | e0 80 31 73 | ok | RATS
493764 | 494404 | Tag | 04 | |
945792 | 946784 | Rdr | 40 | | MAGIC WUPC1
948036 | 948612 | Tag |0a! | |
952832 | 954144 | Rdr | 43 | | MAGIC WUPC2
955332 | 955908 | Tag |0a! | |
959872 | 964640 | Rdr | 50 00 57 cd | ok | HALT
does it look ok?@Iceman
Offline
What did you do to get that trace?
Did you do a eload/sim against reader?
Offline
Hi,Iceman,sorry for the delaying answer your question,that was not from pm3 eload/sim,got that from cmd,hf list 14a,but I have read other threads on forum,and I noticed that sak values been changed from 08 to 88,so I've changed sak value to 08 and tested on reader,no luck,at this point,like you mentioned earlier,system might have detected gen1 card,so I will order some gen2 cards and will test and let you know if that is gonna resolve my issue with cloning mf 1k fobs,thanks for your help any how...
Offline