Proxmark3 community

#1 2018-07-29 19:00:48

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

Issue: When executing the read sector to key type B it returns a Cmd Error: 04 isOk: 00. The read sector works on Side A without issues.

See below sectors 3 and 4 output the error. When executing the read sectors (to all 15 sectors) to Side A I do not get the Cmd error.
Keep in mind I performed the hardnested and was able to obtain all the keys on both side A and B.


proxmark3> hf mf rdsc 0 B 0d258fe90296
--sector no:0 key type:B key:0d 25 8f e9 02 96            
           
#db# READ SECTOR FINISHED          
isOk:01          
data   : ad 77 86 ad f1 88 04 00 c8 33 00 20 00 00 00 17           
data   : 6f 01 51 90 51 90 00 00 00 00 00 00 00 00 00 00           
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
trailer: 00 00 00 00 00 00 78 77 88 c1 00 00 00 00 00 00           
proxmark3> hf mf rdsc 1 B 85cb6eef7c70
--sector no:1 key type:B key:85 cb 6e ef 7c 70            
           
#db# READ SECTOR FINISHED          
isOk:01          
data   : 7a cc c0 e7 d3 ce 54 82 45 f3 44 64 2e f1 5f 7f           
data   : e1 00 51 8e 92 10 fd d2 d8 00 15 fe 3f 37 39 1b           
data   : 50 5d 7d 6c 05 80 ec 0f da c0 f9 f0 53 00 00 35           
trailer: 00 00 00 00 00 00 78 77 88 04 00 00 00 00 00 00           
proxmark3> hf mf rdsc 2 B 85cb6eef7c70
--sector no:2 key type:B key:85 cb 6e ef 7c 70            
           
#db# READ SECTOR FINISHED          
isOk:01          
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
trailer: 00 00 00 00 00 00 78 77 88 05 00 00 00 00 00 00           

proxmark3> hf mf rdsc 3 B ffffffffffff                      <<<<<<--------------------------- Error
--sector no:3 key type:B key:ff ff ff ff ff ff            
           
#db# Cmd Error: 04          
#db# Read sector  3 block  0 error          
#db# READ SECTOR FINISHED          
isOk:00          
proxmark3> hf mf rdsc 4 B ffffffffffff                      <<<<<<--------------------------- Error
--sector no:4 key type:B key:ff ff ff ff ff ff            
           
#db# Cmd Error: 04          
#db# Read sector  4 block  0 error          
#db# READ SECTOR FINISHED          
isOk:00          
proxmark3> hf mf rdsc 5 B eeb420209d0c
--sector no:5 key type:B key:ee b4 20 20 9d 0c         

Here is my hw ver and hw tune:

proxmark3> hw ver

[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2018-07-23 05:17:00
os: /-suspect 2018-07-23 05:18:19
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 199763 bytes (76). Free: 62381 bytes (24).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hw tune

Measuring antenna characteristics, please wait.........
# LF antenna: 45.24 V @   125.00 kHz
# LF antenna: 22.41 V @   134.00 kHz
# LF optimal: 45.24 V @   125.00 kHz
# HF antenna: 25.66 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.


#2 2018-07-29 19:47:21

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

Here's the keys that I obtained via hardnested. Again using these keys and reading sectors in side A works perfectly but side B sectors 3,4,14 and 15 outputs the error.

|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  a0a1a2a3a4a5  | 1 |  0d258fe90296  | 0 |          
|001|  a6c64e6cf2d0  | 0 |  85cb6eef7c70  | 0 |          
|002|  a0a1a2a3a4a5  | 1 |  85cb6eef7c70  | 0 |          
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |  <---- key b hf mf rdsc returns CMD Error: 04       
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |  <---- key b hf mf rdsc returns CMD Error: 04        
|005|  eeb420209d0c  | 0 |  eeb420209d0c  | 0 |          
|006|  911e52fd7ce4  | 0 |  911e52fd7ce4  | 0 |          
|007|  752fbb5b7b45  | 0 |  752fbb5b7b45  | 0 |          
|008|  66b03aca6ee9  | 0 |  66b03aca6ee9  | 0 |          
|009|  48734389edc3  | 0 |  48734389edc3  | 0 |          
|010|  17193709adf4  | 0 |  17193709adf4  | 0 |          
|011|  1acc3189578c  | 0 |  1acc3189578c  | 0 |          
|012|  c2b7ec7d4eb1  | 0 |  c2b7ec7d4eb1  | 0 |          
|013|  369a4663acd2  | 0 |  369a4663acd2  | 0 |          
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |  <---- key b hf mf rdsc returns CMD Error: 04          
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |  <---- key b hf mf rdsc returns CMD Error: 04         
|---|----------------|---|----------------|---|     

Last edited by actionbias (2018-07-29 19:47:37)


#3 2018-07-30 06:49:54

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

There is no A and B "side" of each sector. Keys A and B can have different access rights assigned to them. Most probably Key B is not allowed to read one or all of the sector blocks. If you can read the sector trailer with key A, the Access Bits will tell you...


#4 2018-07-31 17:57:33

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

piwi wrote:

There is no A and B "side" of each sector. Keys A and B can have different access rights assigned to them. Most probably Key B is not allowed to read one or all of the sector blocks. If you can read the sector trailer with key A, the Access Bits will tell you...

Thanks for the response.

I am able to get the sector trail with key A. But I'm not sure what you mean by the "Access Bits will tell you". Can you clarify?

Also, I'm trying to duplicate this key fob is it simply writing all the blocks for both A and B keys?

For e.g.

hf mf wrbl 0 A a0a1a2a3a4a5  ad7786adf1880400c833002000000017


#5 2018-07-31 18:32:49

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

These are some very basic questions and I propose that you do some basic reading first.

The sector trailer consists of 6 Bytes Key A, 3 Bytes Access Bits, 1 User Byte, 6 Bytes Key B.

There are online Access Bits calculators (e.g. http://www.algoritmauzmani.com/hizmetle … aplama.php). Enter your 3 Bytes Access Bits and you will know what Key B is allowed to read and write.
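
The trailer layout and access-bit lookup described in the post above, as an added example that is not part of the original post or of the Proxmark3 client. The function name and report fields are made up for illustration; the first sample is the sector 0 trailer printed in post #1, the second is a constructed trailer with the common factory-default access bytes FF 07 80 (the thread does not show the trailers of sectors 3, 4, 14 and 15).

```python
# Added example: decode the access bits of a MIFARE Classic sector trailer.
# Trailer layout (post #5): 6 bytes key A | 3 access bytes | 1 user byte | 6 bytes key B.

# (C1, C2, C3) of a data block -> (keys allowed to read, keys allowed to write)
DATA_RW = {
    (0, 0, 0): ("A|B", "A|B"), (0, 1, 0): ("A|B", "-"),
    (1, 0, 0): ("A|B", "B"),   (1, 1, 0): ("A|B", "B"),
    (0, 0, 1): ("A|B", "-"),   (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "-"),     (1, 1, 1): ("-", "-"),
}
# Trailer conditions that make key B readable with key A. The card then treats
# key B as data and refuses memory access after an authentication with key B.
KEYB_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_trailer(trailer_hex):
    t = bytes.fromhex(trailer_hex)
    if len(t) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = t[6], t[7], t[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4  # one bit per block, bit 3 = trailer
    # Every nibble is also stored inverted; a mismatch means a malformed trailer.
    if (b6 & 0x0F, b6 >> 4, b7 & 0x0F) != (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    bits = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    keyb_usable = bits[3] not in KEYB_READABLE
    blocks = {}
    for i in range(3):
        read, write = DATA_RW[bits[i]]
        blocks[i] = {"bits": bits[i], "read": read, "write": write,
                     "keyb_can_read": keyb_usable and "B" in read}
    return {"access_bytes": t[6:9].hex(), "keyb_usable": keyb_usable, "blocks": blocks}


if __name__ == "__main__":
    samples = {
        "sector 0 trailer as printed in post #1": "000000000000787788c1000000000000",
        "constructed sample, access bytes FF 07 80": "ffffffffffffff078069ffffffffffff",
    }
    for label, trailer in samples.items():
        info = decode_trailer(trailer)
        print(f"{label}: access bytes {info['access_bytes']}, "
              f"key B usable for authentication: {info['keyb_usable']}")
        for n, blk in info["blocks"].items():
            print(f"  block {n}: C1C2C3={blk['bits']} read={blk['read']} "
                  f"write={blk['write']} key B can read: {blk['keyb_can_read']}")
```

For the 78 77 88 trailer this reports that key B may read all three data blocks, which matches the successful sector 0 read in post #1; for FF 07 80 it reports that key B is readable data and therefore cannot be used to read the sector.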


#6 2018-08-03 04:09:41

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

Now that I have all 63 blocks of data from the keys (type A) that I found via hardnested.

Do I simply write all 63 blocks?

hf mf wrbl 0 A ffffffffffff fd26894614880400c842002000000016
hf mf wrbl 1 A ffffffffffff 0f0003e103e103e103e103e103e103e1
hf mf wrbl 2 A ffffffffffff 03e103e103e103e103e103e103e103e1
.
.
.

All the way down to block 63?


#7 2018-08-03 06:57:56

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

In general, yes. But

  • There are 64 blocks instead of 63

  • Block 0 is write protected on standard cards

  • You need to modify the sector trailers to contain the A and B keys (they are shown as 00 when you read the block)

  • and last but not least: there is an easier way. Have a look at the dump and restore commands.


#8 2018-08-03 16:42:38

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

Thanks piwi.

When I run the

hf mf dump

I notice errors and authentication issues.
Is there a way to dump/restore/script with hardnested keys?

My workaround is manually reading all the sectors (hf mf rdsc) and with notepad delete all the information except for the block data.
Then save the file as x.eml and then execute

hf mf cload x.eml

Last edited by actionbias (2018-08-03 19:23:46)


#9 2018-08-03 18:27:06

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

hf mf dump needs a file dumpkeys.bin. It must contain the 16 A keys followed by the 16 B keys in binary (i.e. it has the size of 16 * 2 * 6 = 192 bytes). Unfortunately there is currently no way to create it from the hf mf hardnested command. You may create it with a hex editor though.

Your way with the eml file should work as well.


#10 2018-08-03 19:25:34

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

Appreciate it piwi!


#11 2018-08-04 03:37:09

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

Bad news. Tested the key fob and it didn't work.

- I took all the 64 block data copied it into a .eml file
- Ran the cload .eml file
- Got the outputs below

The key fob is the grey schlage key fob.


Original Key Fob

proxmark3> hf sea u
          
 UID : fd 26 89 46           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1                
proprietary non iso14443-4 card found, RATS not supported          
No chinese magic backdoor command detected          
Prng detection: HARDENED (hardnested)          

Valid ISO14443A Tag Found - Quiting Search

         



Cloned Copy

proxmark3> hf sea u
          
 UID : fd 26 89 46           
ATQA : 00 04          
 SAK : 88 [2]          
TYPE : Infineon MIFARE CLASSIC 1K                      
proprietary non iso14443-4 card found, RATS not supported          
Chinese magic backdoor commands (GEN 1a) detected          
Prng detection: WEAK          

Valid ISO14443A Tag Found - Quiting Search


#12 2018-08-06 07:14:45

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

After doing some soul searching I was able to figure it out.

Scripts and hex editing did the trick.

Last edited by actionbias (2018-08-07 21:09:30)


#13 2019-08-12 21:46:34

theguy
Contributor
Registered: 2017-08-08
Posts: 52

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

@actionbias, I have a gray Schlage key fob, and I hid cloned it successfully, but the clones won't open the door. How did you discover the rfid type, what steps to clone a mifare if indeed mine's also a mifare?

lf search yields Valid HID Prox ID Found! so I thought I was done. Maybe it's a mifare though???


#14 2019-08-28 19:52:03

squishy
Contributor
Registered: 2019-02-18
Posts: 14

Re: Mifare classic 1k plus 2k SL1 | Key Type B outputs CMD Error: 04

actionbias wrote:

Here's the keys that I obtained via hardnested. Again using these keys and reading sectors in side A works perfectly but side B sectors 3,4,14 and 15 outputs the error.

|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  a0a1a2a3a4a5  | 1 |  0d258fe90296  | 0 |          
|001|  a6c64e6cf2d0  | 0 |  85cb6eef7c70  | 0 |          
|002|  a0a1a2a3a4a5  | 1 |  85cb6eef7c70  | 0 |          
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |  <---- key b hf mf rdsc returns CMD Error: 04       
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |  <---- key b hf mf rdsc returns CMD Error: 04        
|005|  eeb420209d0c  | 0 |  eeb420209d0c  | 0 |          
|006|  911e52fd7ce4  | 0 |  911e52fd7ce4  | 0 |          
|007|  752fbb5b7b45  | 0 |  752fbb5b7b45  | 0 |          
|008|  66b03aca6ee9  | 0 |  66b03aca6ee9  | 0 |          
|009|  48734389edc3  | 0 |  48734389edc3  | 0 |          
|010|  17193709adf4  | 0 |  17193709adf4  | 0 |          
|011|  1acc3189578c  | 0 |  1acc3189578c  | 0 |          
|012|  c2b7ec7d4eb1  | 0 |  c2b7ec7d4eb1  | 0 |          
|013|  369a4663acd2  | 0 |  369a4663acd2  | 0 |          
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |  <---- key b hf mf rdsc returns CMD Error: 04          
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |  <---- key b hf mf rdsc returns CMD Error: 04         
|---|----------------|---|----------------|---|     

Bro, would you mind sharing how you were able to hardnested it when you have a sector key? Because when I do a hardnested with the keys I got from using hf mf chk they could not authenticate, as the hardnested uses blocks and not sectors. So I'm quite confused on how to get the block keys using the sector keys.
