NFC: Emulating of SAVED Mifare Classic not working #2577
Comments
What brand is the lock? I'd like to see if this is a problem for all emulation, or against a specific lock.

Going to research it now on 0.81.1-rc

If you could provide additional details about the lock and what card you are using, that would be helpful; tried Mifare Classic 1k and 4k and was not successful so far

Also, having the full card dump will help out a lot

I’m experiencing the same issue as OP. The reader is a Schlage lock

I have the same issue as OP. Here's the Schlage model: https://www.schlage.com/en/home/products/BE467GRWFFF.html?fbclid=IwAR29B_GfcXJUn_cKD3ezzMMTAhIU_PCkSxDqYFbRcEwzHy6_i11rw30EsHI

Could you please try to reproduce the issue on the previous release

The lock brand is Schlage. The same one @Panduhsaur mentioned (https://www.schlage.com/en/home/products/BE467GRWFFF.html). Key fob is a Schlage 9651t

How can I do this? I attempted to download the .zip and the tar.gz file, but when I go on qFlipper (Windows) -> install from file -> and select one or the other, the downgrade fails

@gornekich That did it! I used fbt to build and flash version 0.79.1 and I am now able to save and then emulate the key fob with success. Additional note I'll mention for debugging purposes:

Update: After successfully saving and emulating the keyfob in version 0.79.1, I then updated the firmware to version 0.81.1 and could emulate the saved keyfob with success.

As the previous user mentioned, downgrading to version 0.79.1 fixed the issue.

Could you please send us a dump of a key with the latest release and 0.79.1; we would like to compare files. You could mail them to [email protected]. If by chance any of you have a proxmark, then let us know a way to contact you

Here are some of my observations:
(A) is purely UID based, all sectors are filled with zeroes with FFFFFFFFFFFF as both keys and 000/000/000/001 access bits
Results of emulating card A with flipper:
Results of emulating card B:
There are no notable differences between 0.79.1 and 0.81 dumps in my case.
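
The trailer layout behind the `FFFFFFFFFFFF` keys and `000/000/000/001` access bits mentioned in the comment above, as an added example that is not part of the thread or of the Flipper firmware: it decodes bytes 6-8 of a MIFARE Classic sector trailer, checks the inverted copies, and flags a sector still in factory transport state. The function names and the sample trailers are constructed for illustration.

```python
# Added example (not from the issue thread): decode the access bits stored in
# a MIFARE Classic sector trailer and flag a sector left in transport state.

DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")

def decode_access_bits(trailer: bytes) -> list[str]:
    """Return the C1C2C3 bits for blocks 0..3, e.g. ['000','000','000','001'].

    Bytes 6-8 hold each bit twice (plain and inverted); a mismatch means the
    trailer is corrupt, so raise instead of returning a guess.
    """
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    c1_inv, c2_inv, c3_inv = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    for plain, inverted in ((c1, c1_inv), (c2, c2_inv), (c3, c3_inv)):
        if plain ^ inverted != 0x0F:
            raise ValueError("access bits fail the inverted-copy check")
    return [f"{c1 >> n & 1}{c2 >> n & 1}{c3 >> n & 1}" for n in range(4)]

def is_transport_state(trailer: bytes) -> bool:
    """True when both keys are FFFFFFFFFFFF and access bits are 000/000/000/001."""
    bits = decode_access_bits(trailer)
    keys_default = trailer[0:6] == DEFAULT_KEY and trailer[10:16] == DEFAULT_KEY
    return keys_default and bits == ["000", "000", "000", "001"]

# Constructed sample trailers (Key A | access bytes + user byte | Key B).
SAMPLE_DEFAULT = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
SAMPLE_CUSTOM = bytes.fromhex("A0A1A2A3A4A5" "787788C1" "B0B1B2B3B4B5")
SAMPLE_CORRUPT = bytes.fromhex("FFFFFFFFFFFF" "FF078169" "FFFFFFFFFFFF")

if __name__ == "__main__":
    for name, t in (("default", SAMPLE_DEFAULT), ("custom", SAMPLE_CUSTOM)):
        print(name, "/".join(decode_access_bits(t)), is_transport_state(t))
```

A dump in which every sector reports transport state and the data blocks are all zero stores nothing beyond the UID, which matches the "purely UID based" card described above.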

A key dump of the 2 versions you mentioned has been emailed to the link you provided. Unfortunately I do not own a proxmark

I can confirm this issue is still ongoing on most recent firmware. When reading an NFC fob and emulating from the initial read it will function. As soon as you save that read, the emulation will no longer work. I have the same Schlage device as the one previously listed.

I also have identical Schlage lock and fob type. Confirming that on the latest version installed (0.83.1), I am unable to emulate the NFC from a saved Mifare classic 1K. I have 30/32 keys found and 16/16 sectors read. When I read the key fob, I am able to confirm that emulation DOES work. However, after saving, emulation no longer functions/detected by the reader.

Currently this fix is blocked by NFC refactoring process. I will update this issue once refactor is done, cannot give any ETA.

I'm confirming that this is still broken in the latest release [0.84.1]. Attempted on a freshly updated flipper.

I was just wondering about this issue. Glad it's being worked on.

fixed in dev

Can you share the PR this was fixed in? Thanks!

Just installed the .85 RC. Completely possible I'm doing something wrong but this seems to actually eliminate the ability of the Flipper to even emulate the MIFARE classic initially. In the current firmware, you can emulate your MIFARE classic NFC after an initial read but upon saving it will no longer function if you attempt to emulate. On the RC firmware .85, even the initial emulation fails for me now. Rolling back to the .84.2 firmware initial emulation once again functions, saved emulation fails. Not sure if this ties into the NFC refactoring you mentioned - but the issue doesn't appear to be fixed in .85

So you actually get all keys and sectors on the card, but emulation does not work? Did you go through detect reader step again?

I read 16/16 sectors and get 30/32 keys (same as firmware .84.2). I ran through the entire card read process again and detected reader to get nonces again as well (on both firmwares). Ran through the same process on both firmwares. Firmware .85 will not even succeed at initial emulation, .84.2 will.

And you ran the Mfkey attack and scanned the key again after?

Yes. This is something I would love to work… so I went through the whole process twice to make sure it wasn’t me messing up.

@davenukem can you please send all the files needed to reproduce your problem? Please include the card dumps from 0.84.2 and from 0.85, the nonce files from running Detect reader, along with the sector numbers and key letters to which the reader is trying to authenticate (e.g. Sector 8 Key A). If your card contains private data - you can send it to me directly: [email protected]. Also, do you have a proxmark3? Having a trace file from it would greatly simplify things.

I’ll try and get this over in the next day or so.
I don’t have a proxmark (but maybe this is a reason to finally snag one!).
Expect an update shortly.
Edit: never using that reply from email feature again…

I see your cellphone number.

I tried this same process on the latest version. Emulation no longer functions after retrieving the keys, but before saving. I've also tried saving the read and then doing a detect reader. That also does not work (the reader doesn't detect the NFC emulation). However, after completing a read, when performing a "detect reader" in that same menu, while collecting the nonces the reader detects the emulated signal and unlocks the door. This only occurs during the "detect reader" function while nonces are being collected. I'm performing this on the latest stable 0.85.2

I just sent an email with the key that is generated and the user dictionary I create from the nonces on the reader to Astrrra. Unfortunately wasn't able to roll back to old firmware due to some time constraints on my end. Upon doing it again today I can confirm what Meppss was saying. The detect reader function emulation actually does trigger the device while acquiring nonces and not when you try and emulate from the same menu post reading. Overall, extremely odd behavior and seems to be some kind of disconnect between how NFC reads are being saved and passed to the emulate function immediately post read. Hopefully this helps move this issue along.

Confirming this is fixed as of 0.86.2

Seems like I'm still having an issue with this as of the latest release (0.87.0). Though could be a fluke, so I'll try again next week.

I'm having the same issue. I successfully got the keys to a Mifare Classic 1K card (Keys found: 32/32, Sectors read: 16/16), but I'm unable to open the lock (either through directly emulating the card after read or after the card is saved). I'm using FW 0.87.1.

Ran into this issue yesterday as well. Was originally assuming a corrupted card dump, but converting the flipper nfc file to proxmark bin and uploading it to a proxmark with HF_MFCSIM let me correctly emulate the card there.

We need an exchange dump (can be sniffed with proxmark)

@bwachter @AlexMilender could you check this again on latest firmware?

Now it is working! Thanks

Yes, it is working in v0.94.1. Thanks!

Describe the bug.
Emulation of Mifare Classic produces different results depending on if the Mifare Classic fob has been saved or not.
I am able to successfully read a Mifare Classic key fob using NFC read functionality.
If I do NOT save the read, but instead emulate it directly after the read, the emulation works as expected and I am able to open my key fob lock.
If I DO save the read and then try to emulate that saved read, the emulation does not work as expected and I am unable to open my key fob lock.
Reproduction
Successfully able to open keyfob lock
Unsuccessful in opening keyfob lock
Target
Flipper Zero Release 0.80.1
Logs
No response
Anything else?
No response