Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello,
I have been attempting to clone a Schlage 9691T fob and I am having a difficult time getting it to work.
I read this post which had a lot of useful information about the fob.
This fob has both an LF and an HF tag in it. Cloning the LF tag was easy; cloning the HF tag is proving to be more difficult.
This is what the fob and reader look like:
NOTE: I have modified the UID slightly to prevent uploading the info to the internet.
My pm3 indicates the Schlage 9691T is a Mifare Classic tag
[usb] pm3 --> hf search
[=] Checking for known tags...
[\] Searching for ISO14443-A tag... UID : 32 29 6E 65
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: HARD
[+] Valid ISO14443-A tag found
I checked that the UID changeable card (magic Chinese card) is the same type:
[usb] pm3 --> hf search
[=] Checking for known tags...
[\] Searching for ISO14443-A tag... UID : 08 90 D2 3C
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : Gen 1a
[+] Prng detection: WEAK
[+] Valid ISO14443-A tag found
I read the Schlage 9691T data:
[usb] pm3 --> hf mf rdsc 0 a ffffffffffff
--sector no:0 key type:A key:FF FF FF FF FF FF
isOk:01
data : 32 29 6E 65 12 88 04 00 C8 18 00 20 00 00 00 18
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
Trailer decoded:
Access block 0: rdAB wrAB incAB dectrAB
Access block 1: rdAB wrAB incAB dectrAB
Access block 2: rdAB wrAB incAB dectrAB
Access block 3: wrAbyA rdCbyA wrCbyA rdBbyA wrBbyA
UserData: 69
Then I attempted to clone it to the magic Chinese card:
hf mf csetblk 0 32296E6512880400C818002000000018
The magic Chinese card now has identical sector data:
[usb] pm3 --> hf mf rdsc 0 a ffffffffffff
--sector no:0 key type:A key:FF FF FF FF FF FF
isOk:01
data : 32 29 6E 65 12 88 04 00 C8 18 00 20 00 00 00 18
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF
Trailer decoded:
Access block 0: rdAB wrAB incAB dectrAB
Access block 1: rdAB wrAB incAB dectrAB
Access block 2: rdAB wrAB incAB dectrAB
Access block 3: wrAbyA rdCbyA wrCbyA rdBbyA wrBbyA
UserData: 69
Even though I believe I have successfully cloned the HF tag the door reader doesn't unlock or even make a beep/LED blink with the new card.
My theory is that the HF chip is for unlocking the door and the LF tag is for getting into the building.
I tested the LF tag I cloned on facility doors and it worked like a charm.
I then was wondering if the door reader required both HF and LF tags to open. I tested that with my cloned 2 cards stacked on each other and it still didn't work.
Does anyone have any ideas for additional things I can try?
Last edited by pclever (2019-12-10 01:24:06)
I am still a beginner with all this proxmark stuff but I just tried a few new things and I think I made some progress.
Please let me know if I am on the right track...
hf mf chk *1 ? d mfc_default_keys
[usb] pm3 --> hf mf chk *1 ? d mfc_default_keys
[+] Loaded 865 keys from mfc_default_keys
...
[+] Time in checkkeys: 434 seconds
[=] testing to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ------------ | 0 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ------------ | 0 | ------------ | 0 |
|005| ------------ | 0 | ------------ | 0 |
|006| ------------ | 0 | ------------ | 0 |
|007| ------------ | 0 | ------------ | 0 |
|008| ------------ | 0 | ------------ | 0 |
|009| ------------ | 0 | ------------ | 0 |
|010| ------------ | 0 | ------------ | 0 |
|011| ------------ | 0 | ------------ | 0 |
|012| ------------ | 0 | ------------ | 0 |
|013| ------------ | 0 | ------------ | 0 |
|014| ------------ | 0 | ------------ | 0 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
[+] Printing keys to binary file hf-mf-32296E65-key.bin ...
[+] Found keys have been dumped to hf-mf-32296E65-key.bin --> 0xffffffffffff has been inserted for unknown keys.
hf mf dump 1
[usb] pm3 --> hf mf dump 1
[=] Reading sector access bits...
..#db# Can't select card
[-] could not read block 0 of sector 14
[+] successfully read block 0 of sector 15.
[+] successfully read block 1 of sector 15.
[+] successfully read block 2 of sector 15.
[+] successfully read block 3 of sector 15.
[+] time: 63 seconds
[+] Succeeded in dumping all blocks
[+] saved 1024 bytes to binary file hf-mf-32296E65-data.bin
[+] saved 64 blocks to text file hf-mf-32296E65-data.eml
[+] saved to json file hf-mf-32296E65-data.json
hf mf cload hf-mf-32296E65-data
[usb] pm3 --> hf mf cload hf-mf-32296E65-data
[+] loaded 1024 bytes from text file hf-mf-32296E65-data.eml
[=] Copying to magic card
................................................................
[+] Card loaded 64 blocks from file
[usb] pm3 --> hf mf cload hf-mf-32296E65-data
[+] loaded 1024 bytes from text file hf-mf-32296E65-data.eml
[=] Copying to magic card
................................................................
[+] Card loaded 64 blocks from file
Still doesn't work...
I was not entirely sure what happened during the check keys command but it appeared to be something similar to a rainbow table attack.
It looked to be successful (on sector 0 at least) and wrote data to the keys file.
After writing to the magic Chinese card again, "hf mf rdsc 0 a ffffffffffff" returned the same data (that's good, I think).
Can anyone tell me if I messed something up or if I am doing something wrong?
[-] could not read block 0 of sector 14
In my experience, entrance access cards/systems need exact clones, i.e. all sectors/blocks have to be identical.
Seems that at least one block of your source card can't be read.
Try the hardnested command for that one and see what you get.
So I ran "hf mf hardnested 0 A FFFFFFFFFFFF 4 A" and it returned a key!
[usb] pm3 --> hf mf hardnested 0 A FFFFFFFFFFFF 4 A
--target block no: 4, target key type:A, known target key: 0x000000000000 (not set), file action: none, Slow: No, Tests: 0
[+] Using AVX2 SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 4 threads and AVX2 SIMD core | |
0 | 0 | Brute force benchmark: 497 million (2^28.9) keys/s | 140737488355328 | 3d
1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 3d
6 | 112 | Apply bit flip properties | 32624326656 | 66s
7 | 223 | Apply bit flip properties | 8446125568 | 17s
8 | 334 | Apply bit flip properties | 6189602304 | 12s
9 | 445 | Apply bit flip properties | 4885248000 | 10s
10 | 557 | Apply bit flip properties | 4885248000 | 10s
11 | 668 | Apply bit flip properties | 4637494784 | 9s
12 | 777 | Apply bit flip properties | 4492251136 | 9s
13 | 889 | Apply bit flip properties | 4349389312 | 9s
13 | 999 | Apply bit flip properties | 4349389312 | 9s
14 | 1111 | Apply bit flip properties | 4349389312 | 9s
17 | 1221 | Apply Sum property. Sum(a0) = 128 | 448853856 | 1s
17 | 1332 | Apply bit flip properties | 378045376 | 1s
18 | 1441 | Apply bit flip properties | 378045376 | 1s
19 | 1552 | Apply bit flip properties | 378045376 | 1s
19 | 1552 | (Ignoring Sum(a8) properties) | 378045376 | 1s
22 | 1552 | Brute force phase completed. Key found: ef1232ab18a0 | 0 | 0s
I then ran the same command with blocks 1,2,3 and they returned the same key.
Next I tried to check the key and it only seemed to show up in one sector...
[usb] pm3 --> hf mf chk *1 ? ef1232ab18a0
[ 0] key EF 12 32 AB 18 A0
................................
[+] Time in checkkeys: 6 seconds
[=] testing to read key B...
Reading block 7
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ------------ | 0 | ------------ | 0 |
|001| ef1232ab18a0 | 1 | ------------ | 0 |
|002| ------------ | 0 | ------------ | 0 |
|003| ------------ | 0 | ------------ | 0 |
|004| ------------ | 0 | ------------ | 0 |
|005| ------------ | 0 | ------------ | 0 |
|006| ------------ | 0 | ------------ | 0 |
|007| ------------ | 0 | ------------ | 0 |
|008| ------------ | 0 | ------------ | 0 |
|009| ------------ | 0 | ------------ | 0 |
|010| ------------ | 0 | ------------ | 0 |
|011| ------------ | 0 | ------------ | 0 |
|012| ------------ | 0 | ------------ | 0 |
|013| ------------ | 0 | ------------ | 0 |
|014| ------------ | 0 | ------------ | 0 |
|015| ------------ | 0 | ------------ | 0 |
|---|----------------|---|----------------|---|
Since I am new to this I next thought to try to read the card again with the key:
[usb] pm3 --> hf mf rdsc 0 a ef1232ab18a0
--sector no:0 key type:A key:EF 12 32 AB 18 A0
#db# Auth error
isOk:00
[usb] pm3 --> hf mf rdsc 1 a ef1232ab18a0
--sector no:1 key type:A key:EF 12 32 AB 18 A0
isOk:01
data : 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 04 9A 16 6F
data : F2 00 00 00 00 77 00 00 00 00 00 00 28 71 1A 41
trailer: 00 00 00 00 00 00 F0 FF 00 00 00 00 00 00 00 00
Trailer decoded:
Access block 4: rdAB wrB
Access block 5: rdAB wrB
Access block 6: rdAB wrB
Access block 7: wrAbyB rdCbyAB wrBbyB
UserData: 00
[usb] pm3 --> hf mf rdsc 2 a ef1232ab18a0
--sector no:0 key type:A key:EF 12 32 AB 18 A0
#db# Auth error
isOk:00
[usb] pm3 --> hf mf rdsc 3 a ef1232ab18a0
--sector no:0 key type:A key:EF 12 32 AB 18 A0
#db# Auth error
isOk:00
Am I doing this right? And if so can someone let me know ideas on what to try next?
I don't see any commands that let me pass in a key value and write data to the magic Chinese card, and I am a little confused about whether there is even more data on the fob I need to extract.
Thanks!
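The two "Trailer decoded" listings in this thread (sector 0 with access bytes FF 07 80, sector 1 with F0 FF 00) can be reproduced by hand from the three access bytes. The following is an added example, not code from the thread or from the Proxmark3 client; it decodes those bytes into the same condition strings and also explains why key A always dumps as 00 and why key B reads as 00 in sector 1 (the "100" condition forbids reading it).

```python
# Added example, not code from the thread: decode the access bytes of a
# MIFARE Classic sector trailer into the per-block conditions that the
# Proxmark3 "Trailer decoded" lines show. The two trailers used below are
# the ones read in this thread (sector 0: FF 07 80 = transport configuration,
# sector 1: F0 FF 00 = data blocks writable with key B only).

# Data-block conditions indexed by (C1, C2, C3), NXP MF1S50 datasheet table.
DATA_COND = {
    (0, 0, 0): "rdAB wrAB incAB dectrAB", (0, 1, 0): "rdAB",
    (1, 0, 0): "rdAB wrB",                (1, 1, 0): "rdAB wrB incB dectrAB",
    (0, 0, 1): "rdAB dectrAB",            (0, 1, 1): "rdB wrB",
    (1, 0, 1): "rdB",                     (1, 1, 1): "no access",
}
# Trailer conditions: who may write key A, read/write the access bits (C),
# and read/write key B. Key A is never readable, so dumps show it as 00.
TRAILER_COND = {
    (0, 0, 0): "wrAbyA rdCbyA rdBbyA wrBbyA",  (0, 1, 0): "rdCbyA rdBbyA",
    (1, 0, 0): "wrAbyB rdCbyAB wrBbyB",        (1, 1, 0): "rdCbyAB",
    (0, 0, 1): "wrAbyA rdCbyA wrCbyA rdBbyA wrBbyA",
    (0, 1, 1): "wrAbyB rdCbyAB wrCbyB wrBbyB", (1, 0, 1): "rdCbyAB wrCbyB",
    (1, 1, 1): "rdCbyAB",
}

def access_bits(trailer: bytes):
    """Return (C1, C2, C3) for blocks 0..3 from a 16-byte sector trailer.
    Bytes 6..8 store each nibble twice, once inverted, so a corrupt or
    partially written trailer is detected before its conditions are trusted."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4      # bit i of each nibble = block i
    if (~b6 & 0xF, (~b6 >> 4) & 0xF, ~b7 & 0xF) != (c1, c2, c3):
        raise ValueError("access bits fail their inverse check (corrupt trailer)")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def decode_trailer(trailer_hex: str) -> dict:
    """Map a trailer (as dumped by 'hf mf rdsc') to Proxmark-style condition strings."""
    t = bytes.fromhex(trailer_hex)
    conds = access_bits(t)
    out = {f"block {i}": DATA_COND[conds[i]] for i in range(3)}
    out["trailer"] = TRAILER_COND[conds[3]]
    out["user byte"] = f"{t[9]:02X}"
    return out

if __name__ == "__main__":
    for name, hexstr in (("sector 0", "000000000000FF078069FFFFFFFFFFFF"),
                         ("sector 1", "000000000000F0FF0000000000000000")):
        print(name, decode_trailer(hexstr))
```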
I also just noticed a 12 digit string on the back of the fob that looks similar to the key hardnested found.
I tried reading sectors 0-4 with the string and I tried a "chk" command with it, neither worked on the fob.
Do you know if that could be used anywhere?
I GOT IT WORKING!!!
It turned out that the tag had 3 keys: TWO for sector 1 (A and B), then another key for sectors 1-14 (same key for A and B).
Sectors 0 and 15 had no key (ffffffffffff).
HF:
hf mf autopwn
hf mf cload hf-mf-<insert_UID>-data
LF:
lf t55 detect
lf t55 dump
lf hid clone <insert_UID>
That was a good learning exercise!
Next I will try to clone both the HF and LF tags to one of these 2-in-1 cards from eBay.
...Stay tuned for my experience with that.
Hi, I'm having the same problem even though I have all the keys. What version of pm3 software were you using?
Thanks in advance
Interesting, Schlage seems to use sector 1, block 2, to store raw Wiegand. That will make it easy to write onto an LF tag.
[H10301] - HID H10301 26-bit; FC: 77 CN: 2871 parity: valid
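The decode line above can be checked by hand from the bytes "04 9A 16 6F" that end the second block of sector 1 in the dump earlier in the thread. The following is an added example, not code from the thread or from the Proxmark3 client; it assumes the usual H10301 layout (a leading 1 bit marking the frame length, then even parity, 8-bit facility code, 16-bit card number, odd parity) and shows how both parity bits are verified, which is what separates a credential from arbitrary bytes in a block.

```python
# Added example, not from the thread: parse the bytes "04 9A 16 6F" that end
# the second block of sector 1 as an HID H10301 26-bit Wiegand frame, check
# both parity bits, and locate such a frame inside a full 16-byte block.
# Bit layout, MSB first: 1 length-marker bit, even parity, 8-bit facility
# code, 16-bit card number, odd parity (standard H10301 definition).

FRAME_BITS = 26

def h10301_decode(raw: bytes):
    """Return (facility_code, card_number, parity_ok) for a 4-byte stored frame."""
    value = int.from_bytes(raw, "big")
    if value >> FRAME_BITS != 1:               # marker bit directly above the frame
        raise ValueError("not a 26-bit frame with the usual length marker")
    frame = value & ((1 << FRAME_BITS) - 1)
    fc = (frame >> 17) & 0xFF
    cn = (frame >> 1) & 0xFFFF
    # Leading bit = even parity over the first 13 bits, trailing bit = odd
    # parity over the last 13. A mismatch means the bytes are not a valid
    # credential (or were corrupted), which a reader would reject.
    even_ok = bin(frame >> 13).count("1") % 2 == 0
    odd_ok = bin(frame & 0x1FFF).count("1") % 2 == 1
    return fc, cn, even_ok and odd_ok

def find_frame(block_hex: str):
    """Scan a 16-byte MIFARE block for a parity-valid H10301 frame.
    Returns (byte_offset, facility_code, card_number) or None."""
    block = bytes.fromhex(block_hex)
    for off in range(len(block) - 3):
        try:
            fc, cn, ok = h10301_decode(block[off:off + 4])
        except ValueError:
            continue
        if ok:
            return off, fc, cn
    return None

if __name__ == "__main__":
    # Block as read from the fob in this thread (UID altered by the poster).
    print(find_frame("000000000000000000000000049A166F"))   # (12, 77, 2871)
```

A block that holds no parity-valid frame, such as the first block of sector 1 in the dump, returns None.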