Weekend Project: Duplicating My Apartment Key Fob
Context
I just moved into an apartment building on the Upper West Side of NYC (picture for reference).
To get into the building, you need a key fob like this one and tap it on the reader station. Building management only gave me 3 of them, and the form factor is poor: it's an ugly rubber wristband, one more thing I have to remember before I leave the house.
Thus began my quest to make some copies myself (and hopefully in a better shape).
My naivete
Initially, I thought this would just be an NFC tag that I could clone with any NFC reader/writer, including my phone.
It turns out the process is a bit more complicated. There are multiple variants of NFC tag out there (popular ones are MIFARE Classic 1K, MIFARE Classic 4K, Proximity, etc.). Not only that, they can operate at a few different frequencies, and they have a couple of mechanisms that prevent cloning or reading their contents, for security purposes (you can learn more from this StackExchange question).
Does this mean it is impossible? Nope. There are just a few steps to cloning them successfully.
The Actual Process
Requirement
- A Proxmark3 RDV3
- The original Key Fob
- An NFC tag of the same variant as the original, with a changeable (writable) UID
Procedure
- Clone the Proxmark3 software repo; this also retrieves the latest list of default MIFARE keys used by the key check below
$ git clone https://github.com/Proxmark/proxmark3
- Compile it into the client and firmware executables
$ cd proxmark3/
$ make clean && make all
- Flash the device with the latest firmware (the serial port path is the one found in the next step)
$ cd proxmark3/
$ client/flasher /dev/cu.usbmodem11201 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf
- Find the USB serial port of the device and point the client at it
$ ls /dev/cu.usbmodem*   # should be something like /dev/cu.usbmodem<random_number>
$ client/proxmark3 /dev/cu.usbmodem11201
proxmark3>
- Place the original fob on the antenna and retrieve its info
proxmark3> hf search
UID : 1b 1c 8f 22
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: HARDENED (hardnested)
Valid ISO14443A Tag Found - Quiting Search
- A MIFARE Classic tag is divided into multiple sectors, each of which can have its own keys (key A and key B). We need to find those keys in order to copy the tag successfully. Luckily, most installers simply leave one of the well-known default keys in place, so we can test every sector against the default key list with this command. If all sectors are found, it prints the keys in a table and writes them to a dump file.
proxmark3> hf mf chk *1 ? d
--chk keys. sectors:16, block no: 0, key type:?, eml:n, dmp=y checktimeout=471 us
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 1a2b3c4d5e6f
chk default key[ 6] 123456789abc
chk default key[ 7] 010203040506
chk default key[ 8] 123456abcdef
chk default key[ 9] abcdef123456
chk default key[10] 4d3a99c351dd
chk default key[11] 1a982c7e459a
chk default key[12] d3f7d3f7d3f7
chk default key[13] 714c5c886e97
chk default key[14] 587ee5f9350f
chk default key[15] a0478cc39091
chk default key[16] 533cb6c723f6
chk default key[17] 8fd0a4f256e9
To cancel this operation press the button on the proxmark...
--o
|---|----------------|----------------|
|sec|key A           |key B           |
|---|----------------|----------------|
|000| ffffffffffff | ffffffffffff |
|001| ffffffffffff | ffffffffffff |
|002| ffffffffffff | ffffffffffff |
|003| ffffffffffff | ffffffffffff |
|004| ffffffffffff | ffffffffffff |
|005| ffffffffffff | ffffffffffff |
|006| ffffffffffff | ffffffffffff |
|007| ffffffffffff | ffffffffffff |
|008| ffffffffffff | ffffffffffff |
|009| ffffffffffff | ffffffffffff |
|010| ffffffffffff | ffffffffffff |
|011| ffffffffffff | ffffffffffff |
|012| ffffffffffff | ffffffffffff |
|013| ffffffffffff | ffffffffffff |
|014| ffffffffffff | ffffffffffff |
|015| ffffffffffff | ffffffffffff |
|---|----------------|----------------|
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.
- If you see this, your tag can be fully copied. Dump all the data out for cloning
proxmark3> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
...
- Place the new blank NFC tag on the antenna and copy the content over
proxmark3> hf search
UID : 89 6c bb 3b
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
proxmark3> hf mf restore
Restoring dumpdata.bin to card
Writing to block 0: 1b 1c 8f 22 aa 88 04 00 c8 18 00 20 00 00 00 14
#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
- Some reader systems also check the UID of the tag, which is normally a read-only area on an NFC tag (the write to block 0 above failed for that reason). This is why you need a tag with a changeable UID in order to fully clone another one. Check the UID of the original fob (mine was 1b 1c 8f 22) and write it to the clone like so
proxmark3> hf mf csetuid 1b1c8f22
uid:1b 1c 8f 22
Chinese magic backdoor commands (GEN 1a) detected
old block 0: 89 6c bb 3b 65 08 04 00 62 63 64 65 66 67 68 69
new block 0: 1b 1c 8f 22 aa 08 04 00 62 63 64 65 66 67 68 69
old UID:89 6c bb 3b
new UID:1b 1c 8f 22
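The default-key check and the UID check above are the two things worth auditing on your own fobs. Here is an added example (my code, not part of the post or the Proxmark3 project) that parses a MIFARE Classic 1K image in the layout `hf mf dump` is assumed to write to dumpdata.bin (64 blocks of 16 bytes), verifies the BCC of block 0, and flags every sector whose trailer still carries a well-known default key. The sample image is constructed from the block 0 bytes shown above, and the key list is a subset of the one `hf mf chk` printed.

```python
from functools import reduce

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4          # MIFARE Classic 1K: 16 sectors x 4 blocks
SECTORS_1K = 16

# A few of the well-known default keys from the `hf mf chk` list above.
DEFAULT_KEYS = {bytes.fromhex(k) for k in (
    "ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
    "aabbccddeeff", "d3f7d3f7d3f7")}


def parse_block0(dump):
    """Decode the manufacturer block: UID, BCC check, SAK byte and ATQA."""
    b0 = bytes(dump[:BLOCK_SIZE])
    uid, bcc, sak, atqa = b0[0:4], b0[4], b0[5], b0[6:8]
    return {
        "uid": uid.hex(),
        # BCC must equal the XOR of the 4 UID bytes (1b^1c^8f^22 = aa above);
        # a mismatch means a botched UID write on a clone.
        "bcc_ok": reduce(lambda x, y: x ^ y, uid) == bcc,
        "sak": sak,                       # SAK byte as stored in block 0
        "atqa": int.from_bytes(atqa, "little"),
    }


def audit_sectors(dump):
    """Return [(sector, keyA_is_default, keyB_is_default), ...] per trailer."""
    findings = []
    for sector in range(len(dump) // (BLOCK_SIZE * BLOCKS_PER_SECTOR)):
        start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE   # sector trailer
        trailer = bytes(dump[start:start + BLOCK_SIZE])
        key_a, key_b = trailer[0:6], trailer[10:16]   # bytes 6-9: access bits + GPB
        findings.append((sector, key_a in DEFAULT_KEYS, key_b in DEFAULT_KEYS))
    return findings


def build_sample_dump():
    """Constructed 1K image: block 0 from the post, every sector keyed FF/FF."""
    block0 = bytes.fromhex("1b1c8f22aa880400c818002000000014")
    trailer = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    dump = bytearray(SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_SIZE)
    dump[:BLOCK_SIZE] = block0
    for sector in range(SECTORS_1K):
        start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE
        dump[start:start + BLOCK_SIZE] = trailer
    return bytes(dump)


if __name__ == "__main__":
    image = build_sample_dump()
    print(parse_block0(image))
    weak = [s for s, a, b in audit_sectors(image) if a or b]
    print(f"sectors still using a default key: {weak}")
```

To audit a real fob, replace `build_sample_dump()` with `open("dumpdata.bin", "rb").read()`; any sector that shows up as weak is one that anyone with the default key list can read.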
And that's it! Below are some pictures of the fob and devices for reference.