Proxmark3 community


#1 2013-08-09 17:38:42

rsoandrew
Member
Registered: 2013-08-03
Posts: 8

Mifare 1K with keys - Clone Help

I have a Mifare 1k card and know the keys. I understand that unless I get a special Chinese card, I can't change the UID. I would like to clone the contents of one card to another and see if the access system (parking) checks UIDs.

I've read various documentation and threads, including this one - http://www.proxmark.org/forum/viewtopic.php?id=1136 (I can't post links) that seems to outline the process the best, but I can't seem to find anything to do this easily (except if you use the Android Mifare tools - weird that there isn't something similarly easy for Windows/Linux).

As I summarized the thread it looks like you have to
1) Run hf mf nested with a key and the d option to write the dumpkeys.bin.
2) Run hf mf dump1k which will use the keys in dumpkeys.bin
3) Run hf mf restore1k to write the data to the new card.

I'm still stuck at number one. I have the keys from the card I got from running mfuc in Kali Linux. I've tried to use hf mf nested with a specific block and the corresponding key but this is the output

proxmark3> hf mf nested 1 4 A 205b182ae3ab d
--block no:04 key type:00 key:20 5b 18 2a e3 ab  etrans:0
Block shift=0
Testing known keys. Sector count=16
#db# Can't select card
#db# Can't select card 

Here is my mfuc dump in case I am doing something wrong with that information

Found Key: B [b917389f0e12]
Auth with all sectors succeeded, dumping keys to a file!

Block 63, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 62, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 61, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 60, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 59, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 58, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 57, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 56, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 55, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 54, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 53, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 52, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 51, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 50, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 49, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 48, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 47, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 46, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 45, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 44, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 43, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 42, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 41, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 40, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 39, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 38, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 37, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 36, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 35, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 34, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 33, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 32, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 31, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 30, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 29, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 28, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 27, type A, key b9c2e19d7a32 :00  00  00  00  00  00  78  77  88  ff  00  00  00  00  00  00  
Block 26, type A, key b9c2e19d7a32 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 25, type A, key b9c2e19d7a32 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 24, type A, key b9c2e19d7a32 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 23, type A, key d4274c76171f :00  00  00  00  00  00  78  77  88  ff  00  00  00  00  00  00  
Block 22, type A, key d4274c76171f :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 21, type A, key d4274c76171f :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 20, type A, key d4274c76171f :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 19, type A, key f30caf5b3078 :00  00  00  00  00  00  78  77  88  ff  00  00  00  00  00  00  
Block 18, type A, key f30caf5b3078 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 17, type A, key f30caf5b3078 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 16, type A, key f30caf5b3078 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 15, type A, key ee115a6c2d65 :00  00  00  00  00  00  78  77  88  ff  00  00  00  00  00  00  
Block 14, type A, key ee115a6c2d65 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 13, type A, key ee115a6c2d65 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 12, type A, key ee115a6c2d65 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 11, type A, key 05763dc1c64e :00  00  00  00  00  00  78  77  88  ff  00  00  00  00  00  00  
Block 10, type A, key 05763dc1c64e :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 09, type A, key 05763dc1c64e :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 08, type A, key 05763dc1c64e :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
Block 07, type A, key 205b182ae3ab :00  00  00  00  00  00  78  77  88  ff  00  00  00  00  00  00  
Block 06, type A, key 205b182ae3ab :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 05, type A, key 205b182ae3ab :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 04, type A, key 205b182ae3ab :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
Block 03, type A, key 5fa0cbff9c94 :00  00  00  00  00  00  78  77  88  ff  00  00  00  00  00  00  
Block 02, type A, key 5fa0cbff9c94 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 01, type A, key 5fa0cbff9c94 :85  13  27  9f  ff  ff  12  2f  14  2f  ff  ff  ff  ff  00  00  
Block 00, type A, key 5fa0cbff9c94 :42  de  da  58  1e  08  04  00  85  00  aa  bb  cc  dd  ee  ff  

Can anybody get me back on track? I seem to be stumped. Incidentally, I have rfidiot installed with an acr122 if there is an easier way to do this than use the proxmark. It seems like proxmark is the easiest though. Thanks.


#2 2013-08-12 22:39:02

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: Mifare 1K with keys - Clone Help

Have you tried?:

proxmark3> hf mf nested 1 0 A 5fa0cbff9c94 d


#3 2013-08-13 20:41:54

rsoandrew
Member
Registered: 2013-08-03
Posts: 8

Re: Mifare 1K with keys - Clone Help

midnitesnake wrote:

Have you tried?:

proxmark3> hf mf nested 1 0 A 5fa0cbff9c94 d

I'm fairly certain that I tried that command as well but decided to try it again. It ran but not for the reason you might think. I always run hw tune before I start using the proxmark just to check to make sure it is working and there is connectivity. When I ran tune it told me that my HF antenna was unusable. I looked and the cord came loose from the hirose connector on the proxmark. I reinserted the plug firmly, ran the command again and it executed. But did it work? It seems to have found different/no keys. What do you think of this output? I expected something similar to the mfuc output. I'm running 756.

...Got 0 keys from proxmark.
Iterations count: 0
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  5fa0cbff9c94  | 1 |  000000000000  | 0 |
|001|  000000000000  | 0 |  000000000000  | 0 |
|002|  000000000000  | 0 |  000000000000  | 0 |
|003|  000000000000  | 0 |  000000000000  | 0 |
|004|  000000000000  | 0 |  000000000000  | 0 |
|005|  000000000000  | 0 |  000000000000  | 0 |
|006|  000000000000  | 0 |  000000000000  | 0 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
Printing keys to bynary file dumpkeys.bin...


#4 2013-08-13 23:27:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507

Re: Mifare 1K with keys - Clone Help

It seems that you got all the keys you need to read the card. Try the hf mf dump command to get all data from your card.


#5 2013-08-14 06:50:32

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare 1K with keys - Clone Help

iceman wrote:

It seems that you got all the keys you need to read the card.

Depends on what he "needs". He doesn't have all the keys yet (column res == 0 means key not found). hf mf nested tries each sector 10 times, so this shouldn't happen if the communication over the air is OK. Note: shortest distance isn't best. It's best to have a distance of a few millimeters between card and antenna.


#6 2013-08-14 09:53:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507

Re: Mifare 1K with keys - Clone Help

There you go and I learn something new. The res-column was new to me.


#7 2013-08-14 16:45:19

rsoandrew
Member
Registered: 2013-08-03
Posts: 8

Re: Mifare 1K with keys - Clone Help

piwi wrote:
iceman wrote:

It seems that you got all the keys you need to read the card.

Depends on what he "needs". He doesn't have all the keys yet (column res == 0 means key not found). hf mf nested tries each sector 10 times, so this shouldn't happen if the communication over the air is OK. Note: shortest distance isn't best. It's best to have a distance of a few millimeters between card and antenna.

I'll try again and move the card away from the antenna. Right now I have it laying right on top of it.

I wonder if there is a way to seed the keys that mfuc found to help in the process?


#8 2013-08-14 18:14:41

rsoandrew
Member
Registered: 2013-08-03
Posts: 8

Re: Mifare 1K with keys - Clone Help

I've tried it until the tag was so far away the card wasn't read. The results each time were the same as the first time.


#9 2013-08-15 10:44:06

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare 1K with keys - Clone Help

From the output you had provided:

#db# Can't select card - Usually a (at least temporary) communication problem between PM and card. This is recovered by repeating the select command.
...Got 0 keys from proxmark - This could be a result of the above. Or the PM couldn't find a valid (crypted) nonce because it didn't get the timing right. This would be recovered by retrying.
Iterations count: 0 - This means that the PM couldn't deliver a valid key. Not for any sector and not after 10 retries. This is definitely not OK and needs to be further investigated.

All the keys you have found so far are therefore the result of hf mf chk, which runs as a first step in hf mf nested (with a limited set of known keys but including the key you had provided).

Is this a standard Classic Mifare card? 4 Bytes or 7 Bytes UID?

To further narrow down possible errors or bugs could you please set an increased debugging level (hf mf dbg 3), then run hf mf nested again and provide the output?


#10 2013-08-15 19:25:55

rsoandrew
Member
Registered: 2013-08-03
Posts: 8

Re: Mifare 1K with keys - Clone Help

piwi wrote:

From the output you had provided:

#db# Can't select card - Usually a (at least temporary) communication problem between PM and card. This is recovered by repeating the select command.
...Got 0 keys from proxmark - This could be a result of the above. Or the PM couldn't find a valid (crypted) nonce because it didn't get the timing right. This would be recovered by retrying.
Iterations count: 0 - This means that the PM couldn't deliver a valid key. Not for any sector and not after 10 retries. This is definitely not OK and needs to be further investigated.

The first errors -- #db# can't select card -- were because the antenna cable had come loose.

All the keys posted in my first post were from mfuc with an ACR122 reader.

piwi wrote:

All the keys you have found so far are therefore the result of hf mf chk, which runs as a first step in hf mf nested (with a limited set of known keys but including the key you had provided).

I checked one key with hf mf chk

proxmark3> hf mf chk 1 A 5fa0cbff9c94
chk key[0] 5fa0cbff9c94
--SectorsCnt:0 block no:0x01 key type:A key count:1
Found valid key:[5fa0cbff9c94]

piwi wrote:

Is this a standard Classic Mifare card? 4 Bytes or 7 Bytes UID?

This should be a Mifare Classic 1K.

piwi wrote:

To further narrow down possible errors or bugs could you please set an increased debugging level (hf mf dbg 3), then run hf mf nested again and provide the output?

I changed the debugging level and here is the output.

proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host

# LF antenna:  0.00 V @   125.00 kHz
# LF antenna:  0.00 V @   134.00 kHz
# LF optimal:  0.00 V @ 12000.00 kHz
# HF antenna:  6.93 V @    13.56 MHz
# Your LF antenna is unusable.
proxmark3> hf mf dbg 3
#db# Debug level: 3
proxmark3> hf mf nested 1 0 A 5fa0cbff9c94 d
--block no:00 key type:00 key:5f a0 cb ff 9c 94  etrans:0
Block shift=0
Testing known keys. Sector count=16

.#db# distance: min=2000 max=0 avg=0
..Got 0 keys from proxmark.

.#db# distance: min=2000 max=0 avg=0
..Got 0 keys from proxmark.

{the above is repeated over and over dozens of times}

.#db# distance: min=2000 max=0 avg=0
..Got 0 keys from proxmark.
Iterations count: 0
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  5fa0cbff9c94  | 1 |  000000000000  | 0 |
|001|  000000000000  | 0 |  000000000000  | 0 |
|002|  000000000000  | 0 |  000000000000  | 0 |
|003|  000000000000  | 0 |  000000000000  | 0 |
|004|  000000000000  | 0 |  000000000000  | 0 |
|005|  000000000000  | 0 |  000000000000  | 0 |
|006|  000000000000  | 0 |  000000000000  | 0 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
Printing keys to bynary file dumpkeys.bin...


#11 2013-08-15 21:13:39

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Mifare 1K with keys - Clone Help

Hmm, strange. Your antenna isn't good (6.93V is quite low, you would expect 12-14V, see http://www.proxmark.org/forum/viewtopic.php?id=153 for antenna building tips) - but on the other hand the hf mf chk command seems to work...

#db# distance: min=2000 max=0 avg=0   is an indicator that the PM couldn't authenticate against the card - even with the provided key (or you have pressed the button on the PM).

To be sure about your card: what is the result of hf 14a reader ?

Offline
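The readings piwi gives in this thread (res == 0 means the key was not found, "Got 0 keys" and "Iterations count: 0" mean no key was delivered, and "distance: min=2000 max=0 avg=0" means authentication failed) can be applied mechanically to a captured console log. The following is an added example, not part of the original thread or of the Proxmark3 client; the function names are hypothetical and the sample log, including its key values, is constructed.

```python
import re

# One row of the key table printed at the end of `hf mf nested`.
ROW = re.compile(
    r"^\|(\d{3})\|[ \t]*([0-9a-fA-F]{12})[ \t]*\|[ \t]*([01])[ \t]*"
    r"\|[ \t]*([0-9a-fA-F]{12})[ \t]*\|[ \t]*([01])[ \t]*\|[ \t]*$", re.M)
DIST = re.compile(r"distance:\s*min=(\d+)\s+max=(\d+)\s+avg=(\d+)")
ITER = re.compile(r"Iterations count:\s*(\d+)")
GOT = re.compile(r"Got (\d+) keys from proxmark")

# Constructed sample log in the format quoted in the thread (key values invented).
SAMPLE = """\
Testing known keys. Sector count=16
.#db# distance: min=2000 max=0 avg=0
..Got 0 keys from proxmark.
.#db# distance: min=2000 max=0 avg=0
..Got 0 keys from proxmark.
Iterations count: 0
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  a1b2c3d4e5f6  | 1 |  000000000000  | 0 |
|001|  000000000000  | 0 |  000000000000  | 0 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
"""

def parse_key_table(text):
    """Return {sector: {"A": key|None, "B": key|None}}.

    A printed key only counts when its res column is 1; with res == 0 the
    000000000000 shown is a placeholder, not a recovered key.
    """
    table = {}
    for sec, key_a, res_a, key_b, res_b in ROW.findall(text):
        table[int(sec)] = {
            "A": key_a.lower() if res_a == "1" else None,
            "B": key_b.lower() if res_b == "1" else None,
        }
    return table

def diagnose(text):
    """Summarise a nested run using the interpretations given in the thread."""
    table = parse_key_table(text)
    missing = sorted((sec, kt) for sec, keys in table.items()
                     for kt, key in keys.items() if key is None)
    auth_failed = sum(1 for m in DIST.findall(text)
                      if tuple(map(int, m)) == (2000, 0, 0))
    empty_rounds = sum(1 for n in GOT.findall(text) if int(n) == 0)
    it = ITER.search(text)
    iterations = int(it.group(1)) if it else None
    return {
        "sectors": len(table),
        "missing": missing,                 # (sector, key type) pairs with res == 0
        "auth_failed_rounds": auth_failed,  # rounds showing min=2000 max=0 avg=0
        "empty_rounds": empty_rounds,       # rounds reporting "Got 0 keys"
        "iterations": iterations,
        # With zero iterations, every res == 1 entry came from the known-key check.
        "known_key_check_only": iterations == 0 and len(missing) < 2 * len(table),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```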

#12 2013-08-16 16:44:13

rsoandrew
Member
Registered: 2013-08-03
Posts: 8

Re: Mifare 1K with keys - Clone Help

piwi wrote:

Hmm, strange. Your antenna isn't good (6.93V is quite low, you would expect 12-14V, see http://www.proxmark.org/forum/viewtopic.php?id=153 for antenna building tips) - but on the other hand the hf mf chk command seems to work...

I think that was because I ran hw tune with the card too close (it was being read). When I remove the card I get 8.31v which is what my antenna is supposed to read. I have the pre-made HF antenna from proxmark3.com - http://www.proxmark3.com/item_hfapcb.html - their specs say it should read between 8 and 9 volts.

piwi wrote:

#db# distance: min=2000 max=0 avg=0   is an indicator that the PM couldn't authenticate against the card - even with the provided key (or you have pressed the button on the PM).

To be sure about your card: what is the result of hf 14a reader ?

Here are the results of hf 14a reader. I never tried it before since I knew it was a 1K card. I see that it says the card is not compliant. Is that normal?

proxmark3> hf 14a reader
ATQA : 04 00
 UID : 42 de da 58
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k
proprietary non iso14443a-4 card found, RATS not supported


#13 2013-08-18 20:07:21

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: Mifare 1K with keys - Clone Help

I have the following questions, in an attempt to debug possible problems/fixes:
What is your firmware/os version?
Have you checked your cables for possible damage?
Have you tried swapping your cables (i.e. changing the usb cable with another usb cable, and the antenna cable for a 2nd antenna cable)?
Can you try another antenna?
Have you tried another Mifare card?

It's odd that it only affects sectors 2 - 27, it appears to be intermittent?
