
Proxmark 3 Easy

A device that can read almost any RFID (Radio Frequency Identification) tag, as well as clone or emulate it. It can be operated standalone, without a PC. It is known as the Proxmark 3 Easy because it is a simplified, low-cost version of the Proxmark 3.

The original Proxmark was created by Jonathan Westhues as a doctoral thesis, with the aim of making research into RFID systems easier.

Technical specifications

  • CPU: AT91SAM7S256
  • Storage: 256 Kb / 512 Kb SPI flash
  • Interface: 4 mode LEDs and 1 physical button.
  • Antennas:
    • Low-frequency antenna: 125.00 kHz
    • High-frequency antenna: 13.56 MHz

It can read and write both RFID and NFC.

The Proxmark3 includes (from the seller's listing):

  • Built-in high-frequency antenna with depth-matched tuning; eliminates blind spots and reads all the card data in one uninterrupted stream.
  • Faster secret-key analysis; the whole card is read in one pass.
  • Data sniffing that is fully stable, with a low error rate.
  • A low-frequency antenna that improves the signal-to-noise ratio and therefore the recognition rate; detachable design to suit different needs.
  • No antenna connector: there is nothing to plug in, because such connectors are easy to damage.
  • No lithium battery, which keeps it simple and convenient (when used offline it can be powered from a USB power bank).
  • Compared with the original, the relay and other unrelated parts were removed, so it is low-cost, lightweight and portable.

Compatible with all official firmware; flash whichever version you need. Depending on your preference you can operate it from the official command line or from "Proxmark Tool.exe".

Antenna readings (low-frequency antenna mounted on the right side):

  • LF antenna: 30.41 V @ 125.00 kHz
  • LF antenna: 22.01 V @ 134.00 kHz
  • HF antenna: 28.43 V @ 13.56 MHz

(Low-frequency antenna mounted on the left.)

  • Operating voltage: 3.5-5.5 V
  • Operating current: 50-130 mA
  • Dimensions (length × width): 54 mm × 86.6 mm
  • Thickness: 6.2 mm (thinnest point), 9.8 mm (with screws), 15.8 mm (with the low-frequency antenna).

Functions:

High frequency, reader mode:
  • Reads conventional M1 S50 cards and other 14443A class B cards.
  • Uses the sector 0 PRNG vulnerability analysis.
  • Uses the nested vulnerability (mfoc) to recover the whole card.

High frequency, emulation mode:
  • Emulates the UID of MIFARE S50 / Ultralight / DESFire cards.
  • Emulates the data of every sector of an M1 S50 card (choose a reader).
  • Emulates an M1 S50 shell in order to capture data and compute the secret key (choose a reader).

High frequency, sniffer mode:
  • Silently sniffs the data exchange between an M1 S50 card and a reader and analyses the secret key.
  • Silently detects 14443A class B readers with the complete communication data. The reader device can then be used for debugging and behaviour analysis.

Low frequency, reader mode:
  • Reads ID, HID, T55XX, Indala and other low-frequency cards.
  • Writes ID / HID / Indala data to a T55XX card, turning it into any of those three card types.

Low frequency, emulation mode:
  • Enter an ID / HID card and emulate the specified card type.
  • Emulates the specified modulation schemes (ASK / FSK / PSK) on data cards.

Low frequency, sniffer mode:
  • Silently sniffs the data between card and reader (rarely used, untested).

High-frequency antenna (IC HF ANT): eliminates dead zones when reading, and can read the data of high-frequency RFID cards or devices without interruption (bear in mind whether the cards are programmed with a high/medium security level).

Low-frequency antenna (ID LF ANT): used to improve the SNR (signal-to-noise ratio), which gives a higher device-recognition rate, and reads low-frequency RFID cards or devices without interruption (again, bear in mind whether the cards are programmed with a high/medium security level).

Status LEDs (ABCD Status LED): show the state the device is working in; they can be programmed and configured to behave however the operator wants.

Where to buy

I bought mine on AliExpress, from the PiSwords store, for about 40 €.

Firmware

Iceman

The Iceman firmware for the Proxmark is an open-source fork of the Proxmark3 firmware and client, used to update the software on a Proxmark device. It offers a number of improvements over the original firmware.

Installation on Linux

On Arch Linux we install the proxmark3 package, which provides all the utilities from the Iceman repository. On other distributions we have to build them from that repository.

First we flash the bootloader (bootrom):

pm3-flash-bootrom

Example output:

# pm3-flash-bootrom
[=] Session log /root/.proxmark3/logs/log_20231209.txt
[+] About to use the following file:
[+]    /usr/bin/../share/proxmark3/firmware/bootrom.elf
[+] Loading ELF file /usr/bin/../share/proxmark3/firmware/bootrom.elf
[+] ELF file version Iceman/master/v4.16717 2023-06-26 13:10:45 de506fd18

[+] Waiting for Proxmark3 to appear on /dev/ttyACM0
 🕑  59 found
[+] Entering bootloader...
[+] (Press and release the button only to abort)
[+] Waiting for Proxmark3 to appear on /dev/ttyACM0
 🕑  49 found
[!!] 🚨 ====================== OBS ! ===========================================
[!!] 🚨 Note: Your bootloader does not understand the new CMD_BL_VERSION command
[!!] 🚨 It is recommended that you first update your bootloader alone,
[!!] 🚨 reboot the Proxmark3 then only update the main firmware


[!!] 🚨 ------------- Follow these steps -------------------

[!!] 🚨  1)   ./pm3-flash-bootrom
[!!] 🚨  2)   ./pm3-flash-fullimage
[!!] 🚨  3)   ./pm3

[=] ---------------------------------------------------

[=] Available memory on this board: UNKNOWN

[!!] 🚨 ====================== OBS ! ======================================
[!!] 🚨 Note: Your bootloader does not understand the new CHIP_INFO command
[=] Permitted flash range: 0x00100000-0x00140000
[+] Loading usable ELF segments:
[+]    0: V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
[+]    1: V 0x00200000 P 0x00100200 (0x00000d40->0x00000d40) [R X] @0x298

[+] Flashing...
[+] Writing segments for file: /usr/bin/../share/proxmark3/firmware/bootrom.elf
[+]  0x00100000..0x001001ff [0x200 / 1 blocks]
. ok
[+]  0x00100200..0x00100f3f [0xd40 / 7 blocks]
....... ok

[+] All done

[=] Have a nice day!

Unplug the device from the computer.

Then install the firmware with:

pm3-flash-fullimage

If it waits indefinitely, the Proxmark has not entered bootloader mode. To force it, press the button on the side of the device and, keeping it pressed, plug the device into the computer (2 of the 4 LEDs should stay lit, which indicates that we are in bootloader mode). If all went well, the process continues:

pm3-flash-fullimage
[=] Waiting for Proxmark3 to appear...
[=] Session log /root/.proxmark3/logs/log_20231209.txt
[+] About to use the following file:
[+]    /usr/bin/../share/proxmark3/firmware/fullimage.elf
[+] Loading ELF file /usr/bin/../share/proxmark3/firmware/fullimage.elf
[+] ELF file version Iceman/master/v4.16717 2023-06-26 13:10:45 de506fd18

[+] Waiting for Proxmark3 to appear on /dev/ttyACM0
 🕑  59 found
[=] Available memory on this board: 512K bytes

[=] Permitted flash range: 0x00102000-0x00180000
[+] Loading usable ELF segments:
[+]    0: V 0x00102000 P 0x00102000 (0x00048fcc->0x00048fcc) [R X] @0x98
[+]    1: V 0x00200000 P 0x0014afcc (0x00001ae2->0x00001ae2) [R X] @0x49068
[=] Note: Extending previous segment from 0x48fcc to 0x4aaae bytes

[+] Flashing...
[+] Writing segments for file: /usr/bin/../share/proxmark3/firmware/fullimage.elf
[+]  0x00102000..0x0014caad [0x4aaae / 598 blocks]
...................................................................
        @@@  @@@@@@@ @@@@@@@@ @@@@@@@@@@   @@@@@@  @@@  @@@
        @@! !@@      @@!      @@! @@! @@! @@!  @@@ @@!@!@@@
        !!@ !@!      @!!!:!   @!! !!@ @!@ @!@!@!@! @!@@!!@!
        !!: :!!      !!:      !!:     !!: !!:  !!! !!:  !!!
        :    :: :: : : :: :::  :      :    :   : : ::    :
        .    .. .. . . .. ...  .      .    .   . . ..    .
...................................................................
...................................................................
......................... ok

[+] All done

[=] Have a nice day!

There is also a pm3-flash-all command that combines pm3-flash-bootrom and pm3-flash-fullimage, but it is reported not to work correctly every time.

Now we can use the pm3 client to connect to the Proxmark (through the micro USB connector on the shorter side):

pm3 /dev/ttyACM0

This is the output of lsusb when the Proxmark 3 Easy is connected:

(...)
Bus 002 Device 006: ID 9ac4:4b8f J. Westhues ProxMark-3 RFID Instrument

Whenever we want to update the firmware we proceed the same way: connect the Proxmark3 to the PC and run:

sudo pm3-flash-bootrom

and then:

sudo pm3-flash-fullimage

Using the pm3 client

pm3

The client connects to the Proxmark and prints a summary:

[=] Session log /root/.proxmark3/logs/log_20231209.txt
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC


  8888888b.  888b     d888  .d8888b.
  888   Y88b 8888b   d8888 d88P  Y88b
  888    888 88888b.d88888      .d88P
  888   d88P 888Y88888P888     8888"
  8888888P"  888 Y888P 888      "Y8b.
  888        888  Y8P  888 888    888
  888        888   "   888 Y88b  d88P
  888        888       888  "Y8888P"    [ ☕ ]

Release v4.16717 - seven
[=] Creating initial preferences file
[=] Saving preferences...
[+] saved to json file /root/.proxmark3/preferences.json
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev B
    Memory.... 512 KB ( 60% used )

    Client.... Iceman/master/v4.16717 2023-06-26 13:10:45
    Bootrom... Iceman/master/v4.16717 2023-06-26 13:10:45
    OS........ Iceman/master/v4.16717 2023-06-26 13:10:45
    Target.... PM3 GENERIC


[=] No previous history could be loaded

From now on we are in an interactive session. Some useful commands:

  • clear: clears the screen
  • help: help
  • quit: exits the client
  • hw version: information about the hardware (the Proxmark) connected to the PC.
  • hw status: device status
  • hw tune: checks that both antennas are available
  • auto: detects which type of card is lying on the Proxmark's antennas.

If we get the following error:

🚨 ERROR: cannot communicate with the Proxmark

we need to install the Iceman firmware.

Output of hw tune:

[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
 🕛   9
[=] ---------- LF Antenna ----------
[+] LF antenna: 25,91 V - 125,00 kHz
[+] LF antenna: 20,65 V - 134,83 kHz
[+] LF optimal: 26,38 V - 126,32 kHz
[+] Approx. Q factor (*): 7,0 by frequency bandwidth measurement
[+] Approx. Q factor (*): 7,7 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 14,70 V - 13.56 MHz
[+] Approx. Q factor (*): 4,3 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134,83 kHz, 95 (red) is 125,00 kHz.

What matters is that both the LF and the HF antenna are reported as OK.

If we know the card type, we place it on the corresponding antenna and run:

  • lf search: for low-frequency cards
  • hf search: to identify high-frequency cards.

Example of hf search:

[usb] pm3 --> hf search
 🕔  Searching for ISO14443-A tag...
[+]  UID: 2A 5E DD 3D
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : Gen 1a
[#] 1 static nonce 01200145
[+] Static nonce: yes
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

Operations

Cloning a MIFARE Classic 1K card

To clone any RFID card you need a "magic" card, that is, one that allows its contents to be both read and written.

MIFARE Classic cards are high-frequency, so to read the card and find out which type it is, we run in pm3:

hf search

Example output:

[usb] pm3 --> hf search
 🕙  Searching for ISO14443-A tag...
[+]  UID: 3E EF 84 1F
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : Gen 1a
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands

PRNG stands for Pseudo-Random Number Generator. If pm3 reports it as weak, this can be exploited for attacks.

We can check whether the card is encrypted, i.e. whether its sectors are protected by non-default keys:

hf mf chk

Output:

[usb] pm3 --> hf mf chk
[=] Start check for keys...
[=] .................................
[=] time in checkkeys 2 seconds

[=] testing to read key B...

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )

If every sector shows FFFFFFFFFFFF (the factory default key), the whole card can be read and therefore cloned.

If any sector shows ------------, it is encrypted and cannot be read unless we manage to crack its key.

Example of an encrypted tag:

[usb] pm3 --> hf mf chk
[=] Start check for keys...
[=] .................................
[=] time in checkkeys 6 seconds

[=] testing to read key B...

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | ------------ | 0 | ------------ | 0
[+]  001 | 007 | ------------ | 0 | ------------ | 0
[+]  002 | 011 | ------------ | 0 | ------------ | 0
[+]  003 | 015 | ------------ | 0 | ------------ | 0
[+]  004 | 019 | ------------ | 0 | ------------ | 0
[+]  005 | 023 | ------------ | 0 | ------------ | 0
[+]  006 | 027 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )

To try to crack it automatically, we launch several attacks according to the vulnerabilities found:

hf mf autopwn

If all went well, we see something like:

(...)
[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | 4A6352684677 | N | 536653644C65 | N
[+]  001 | 007 | 4A6352684677 | R | 536653644C65 | R
[+]  002 | 011 | 4A6352684677 | R | 536653644C65 | R
[+]  003 | 015 | 4A6352684677 | R | 536653644C65 | R
[+]  004 | 019 | 4A6352684677 | R | 536653644C65 | R
[+]  005 | 023 | 4A6352684677 | R | 536653644C65 | R
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )


[+] Generating binary key file
[+] Found keys have been dumped to /root/hf-mf-61B76774-key.bin
[=] FYI! --> 0xFFFFFFFFFFFF <-- has been inserted for unknown keys where res is 0
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file /root/hf-mf-61B76774-dump.bin
[+] saved 64 blocks to text file /root/hf-mf-61B76774-dump.eml
[+] saved to json file /root/hf-mf-61B76774-dump.json
[=] autopwn execution time: 10 seconds

We can see that two kinds of attack were used:

  • Nested: starts from a key that is already known to be valid.
  • Reused: a key recovered for one sector that turns out to work for other sectors as well.

Now we place the new card (the one we are cloning onto) and check its state:

hf mf cview

Example output:

[usb] pm3 --> hf mf cview
[+] View magic Gen1a MIFARE Classic 1K
[=] .................................................................

[=] -----+-----+-------------------------------------------------+-----------------
[=]  sec | blk | data                                            | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=]    0 |   0 | 3E EF 84 1F 4A 08 04 00 62 63 64 65 66 67 68 69 | >...J...bcdefghi
[=]      |   1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   3 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    1 |   4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   7 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    2 |   8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    3 |  12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    4 |  16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    5 |  20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    6 |  24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    7 |  28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    8 |  32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    9 |  36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   10 |  40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   11 |  44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   12 |  48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   13 |  52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   14 |  56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   15 |  60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] -----+-----+-------------------------------------------------+-----------------
[?] cyan = value block with decoded value

We proceed with the cloning by loading the data from the original card:

hf mf cload -f hf-mf-61B76774-dump

If all went well, we see the whole process complete:

[usb] pm3 --> hf mf cload -f hf-mf-61B76774-dump
[+] loaded 1024 bytes from binary file hf-mf-61B76774-dump
[=] Copying to magic gen1a card
[=] .................................................................

[+] Card loaded 64 blocks from file
[=] Done!

If we now run hf mf cview, the contents are different:

[usb] pm3 --> hf mf cview
[+] View magic Gen1a MIFARE Classic 1K
[=] .................................................................

[=] -----+-----+-------------------------------------------------+-----------------
[=]  sec | blk | data                                            | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=]    0 |   0 | 61 B7 67 74 C5 08 04 00 02 EB 16 EF F6 38 B6 1D | a.gt.........8..
[=]      |   1 | 00 00 80 49 00 00 00 00 00 00 00 00 00 00 00 00 | ...I............
[=]      |   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   3 | 4A 63 52 68 46 77 78 77 88 00 53 66 53 64 4C 65 | JcRhFwxw..SfSdLe
[=]    1 |   4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   6 | 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 | ................
[=]      |   7 | 4A 63 52 68 46 77 78 77 88 00 53 66 53 64 4C 65 | JcRhFwxw..SfSdLe
[=]    2 |   8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  11 | 4A 63 52 68 46 77 78 77 88 00 53 66 53 64 4C 65 | JcRhFwxw..SfSdLe
[=]    3 |  12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  15 | 4A 63 52 68 46 77 78 77 88 00 53 66 53 64 4C 65 | JcRhFwxw..SfSdLe
[=]    4 |  16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  19 | 4A 63 52 68 46 77 78 77 88 00 53 66 53 64 4C 65 | JcRhFwxw..SfSdLe
[=]    5 |  20 | 00 04 20 19 05 29 03 36 01 00 00 00 00 00 00 00 | .. ..).6........
[=]      |  21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  23 | 4A 63 52 68 46 77 78 77 88 00 53 66 53 64 4C 65 | JcRhFwxw..SfSdLe
[=]    6 |  24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    7 |  28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    8 |  32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    9 |  36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   10 |  40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   11 |  44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   12 |  48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   13 |  52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   14 |  56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   15 |  60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] -----+-----+-------------------------------------------------+-----------------
[?] cyan = value block with decoded value

We can verify that it now has the same encryption (the same keys) as the original card:

hf mf chk
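Added example (my own code, not from the original page or the Proxmark project): a Python decoder for the 16-byte sector trailer that appears as block 3 of every sector in the hf mf cview dumps above. It splits the trailer into key A, access bits, user byte and key B, checks that the inverted copies of the access bits agree with the plain ones (a trailer written with inconsistent access bits locks that sector for good, so this is the check to run before writing one), flags well-known transport keys, and spells out what each key may do in each block. The list of well-known keys and the field names are my own assumptions.

```python
"""Decode a MIFARE Classic sector trailer (block 3 of each 1K sector).

Layout of the 16-byte trailer, as seen in the `hf mf cview` dumps:
key A (6 bytes) | access bits (3 bytes) | user byte | key B (6 bytes).
"""
from dataclasses import dataclass

# Transport keys every reader knows; a card still using them is open to anyone.
# (Assumed list for this example, not taken from pm3.)
WELL_KNOWN_KEYS = {"FFFFFFFFFFFF", "000000000000"}

# Access-condition tables from the MIFARE Classic datasheet, indexed by the
# 3-bit value C1 C2 C3 of a block.  Data blocks: (read, write, inc, dec).
DATA_BLOCK_RULES = {
    0b000: ("A|B", "A|B", "A|B", "A|B"),        # transport configuration
    0b010: ("A|B", "never", "never", "never"),
    0b100: ("A|B", "B", "never", "never"),
    0b110: ("A|B", "B", "B", "A|B"),            # value block
    0b001: ("A|B", "never", "never", "A|B"),    # value block
    0b011: ("B", "B", "never", "never"),
    0b101: ("B", "never", "never", "never"),
    0b111: ("never", "never", "never", "never"),
}
# Trailer: (keyA read, keyA write, bits read, bits write, keyB read, keyB write).
TRAILER_RULES = {
    0b000: ("never", "A", "A", "never", "A", "A"),
    0b010: ("never", "never", "A", "never", "A", "never"),
    0b100: ("never", "B", "A|B", "never", "never", "B"),
    0b110: ("never", "never", "A|B", "never", "never", "never"),
    0b001: ("never", "A", "A", "A", "A", "A"),  # transport configuration
    0b011: ("never", "B", "A|B", "B", "never", "B"),
    0b101: ("never", "never", "A|B", "B", "never", "never"),
    0b111: ("never", "never", "A|B", "never", "never", "never"),
}


@dataclass
class Trailer:
    key_a: str
    key_b: str
    user_byte: int
    access_ok: bool      # inverted copies of the access bits are consistent
    conditions: list     # C1C2C3 per block 0..3 (block 3 is the trailer)
    default_keys: bool   # at least one key is a well-known transport key


def access_conditions(b6, b7, b8):
    """Extract C1 C2 C3 for the four blocks and verify the inverted copies."""
    ok = True
    conds = []
    for i in range(4):
        c1 = (b7 >> (4 + i)) & 1
        c2 = (b8 >> i) & 1
        c3 = (b8 >> (4 + i)) & 1
        # byte 6 and the low nibble of byte 7 carry the bit-inverted copies
        nc1 = (b6 >> i) & 1
        nc2 = (b6 >> (4 + i)) & 1
        nc3 = (b7 >> i) & 1
        if (c1, c2, c3) != (nc1 ^ 1, nc2 ^ 1, nc3 ^ 1):
            ok = False
        conds.append((c1 << 2) | (c2 << 1) | c3)
    return ok, conds


def decode_trailer(hex_block):
    """Parse one trailer given as hex, with or without spaces."""
    raw = bytes.fromhex(hex_block.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    key_a = raw[0:6].hex().upper()
    key_b = raw[10:16].hex().upper()
    ok, conds = access_conditions(raw[6], raw[7], raw[8])
    return Trailer(key_a, key_b, raw[9], ok, conds,
                   key_a in WELL_KNOWN_KEYS or key_b in WELL_KNOWN_KEYS)


def describe(t):
    """Human-readable access rules for the three data blocks and the trailer."""
    lines = []
    for i, c in enumerate(t.conditions[:3]):
        r, w, inc, dec = DATA_BLOCK_RULES[c]
        lines.append(f"block {i}: read {r}, write {w}, inc {inc}, dec {dec}")
    ka_r, ka_w, ab_r, ab_w, kb_r, kb_w = TRAILER_RULES[t.conditions[3]]
    lines.append(f"trailer: keyA r/w {ka_r}/{ka_w}, access bits r/w "
                 f"{ab_r}/{ab_w}, keyB r/w {kb_r}/{kb_w}")
    return lines


if __name__ == "__main__":
    # Both trailers are copied from the dumps on this page.
    for blk in ("FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF",
                "4A 63 52 68 46 77 78 77 88 00 53 66 53 64 4C 65"):
        t = decode_trailer(blk)
        print(blk, "->", "default keys" if t.default_keys else "custom keys",
              "| access bits", "ok" if t.access_ok else "CORRUPT (sector would lock)")
        for line in describe(t):
            print("   ", line)
```

The first trailer is the transport configuration (everything readable with the default key); the second is the one autopwn recovered, where the data blocks are read-only except for key B and the keys themselves are never readable.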

Cloning an EM410x

Read the information from the RFID tag:

lf search

Result:

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[!] ⚠️  Specify one authentication mode
[+] EM 410x ID 3D0024E44F
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : BC0024A7FF
[=] HoneyWell IdentKey
[+]     DEZ 8          : 02418015
[+]     DEZ 10         : 0002418015
[+]     DEZ 5.5        : 00036.58719
[+]     DEZ 3.5A       : 061.58719
[+]     DEZ 3.5B       : 000.58719
[+]     DEZ 3.5C       : 036.58719
[+]     DEZ 14/IK2     : 00261995423071
[+]     DEZ 15/IK3     : 000807456253946
[+]     DEZ 20/ZK      : 11120000020410071510
[=]
[+] Other              : 58719_036_12418015
[+] Pattern Paxton     : 1027154784 [0x3D39235F]
[+] Pattern 1          : 1161022 [0x11B73E]
[+] Pattern Sebury     : 58719 36 2518015  [0xE55F 0x24 0x24E55F]
[+] VD / ID            : 061 / 0002518015
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands

Remove the card and place the target card (the one that will become the clone):

lf em 410 clone --id 3D0024E44F

The ID is the one shown earlier (on the line [+] EM 410x ID 3D0024E44F).

Result:

[usb] pm3 --> lf em 410 clone --id 3D0024E44F
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 3D0024E44F (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff9b600153d52bd2

[+] Done
[?] Hint: try `lf em 410x reader` to verify

As the hint suggests, we verify that the ID was actually written:

lf em 410 reader

Output:

[usb] pm3 --> lf em 410 reader
[+] EM 410x ID 3D0024E44F
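Added example (my own code, not from the original page or the Proxmark project): a Python decoder for the 64-bit EM410x frame that lf em 410 clone writes to the T55x7, i.e. the checks a reader performs before it accepts a tag ID. The input frame is constructed by hand from the page's ID 3D0024E44F using the layout described in the comments; it is not the value captured above.

```python
"""Decode a 64-bit EM410x frame into its 40-bit tag ID.

Frame layout, most significant bit first:
  9 header bits, all 1
  10 rows: one ID nibble (MSB first) followed by its even-parity bit
  4 column-parity bits (even parity over each bit position of the 10 nibbles)
  1 stop bit, always 0
A reader rejects the frame if the header, any parity bit or the stop bit is wrong.
"""


class EM410xError(ValueError):
    """Raised when the frame fails one of the reader-side checks."""


def decode_em410x(frame):
    """Return the tag ID as 10 uppercase hex digits, or raise EM410xError."""
    bits = [(frame >> (63 - i)) & 1 for i in range(64)]   # bits[0] is the MSB
    if bits[:9] != [1] * 9:
        raise EM410xError("missing 9-bit header")
    if bits[63] != 0:
        raise EM410xError("stop bit is not 0")
    nibbles = []
    column_sum = [0, 0, 0, 0]
    pos = 9
    for row in range(10):
        data = bits[pos:pos + 4]
        parity = bits[pos + 4]
        if sum(data) % 2 != parity:
            raise EM410xError(f"row {row} parity mismatch")
        for col in range(4):
            column_sum[col] += data[col]
        nibbles.append(data[0] << 3 | data[1] << 2 | data[2] << 1 | data[3])
        pos += 5
    column_parity = bits[pos:pos + 4]
    if [s % 2 for s in column_sum] != column_parity:
        raise EM410xError("column parity mismatch")
    return "".join(f"{n:X}" for n in nibbles)


def em410x_id_or_none(frame):
    """Wrapper for callers that only want a valid ID or None."""
    try:
        return decode_em410x(frame)
    except EM410xError:
        return None


if __name__ == "__main__":
    # Constructed frame for the page's ID 3D0024E44F, worked out by hand from
    # the layout above (not captured from the tag).
    FRAME = 0xFF9B600153D4A7D2
    print(hex(FRAME), "->", decode_em410x(FRAME))
    # Flipping a single data bit breaks that row's parity and the frame is rejected.
    DAMAGED = FRAME ^ (1 << 31)
    print(hex(DAMAGED), "->", em410x_id_or_none(DAMAGED))
```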

RFID tags in the real world

  • Building entrance door: 125 kHz EM 410x tag
  • Solana wristband: MIFARE Classic 1K (13.56 MHz), unencrypted.
  • Casa del agua wristband: MIFARE Classic 1K (13.56 MHz), encrypted.
  • Building G entrance door: MIFARE Classic 1K (13.56 MHz), encrypted.

Resources
