Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Are Noralsy key fobs T55x7 or Mifare?

I've been trying to clone my apartment key fob, with a SCL3711 dongle. The fob looks like this: http://www.nacd.co.uk/kcp3000-proximity-key.html

I've been under the impression that it is a Mifare device, because I get the following output from mfoc


Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): xx  xx xx xx   
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values: 

However looking at the Proxmark forums (http://www.proxmark.org/forum/viewtopic.php?id=2580&p=1) the poster has a key which looks exactly like mine, but which is tagged as a T55x7. Is it possible mine is also a T55x7, but is reported as Mifare in the MFOC tool?

I've been unable to clone my RFID key using the SCL3711 dongle with mfoc, but am trying to work out whether RFIDler would help me in that respect.

Any help would be very much appreciated. Thanks.








Comments

  • I have seen Noralsy tags that are LF (ASK raw data), but it looks like yours must be a newer type and they've switched to HF/Mifare, in which case RFIDler won't help.

    What is the output of MFOC when you try to crack it?
  • Thanks for the swift response Adam.

    Unfortunately mfoc never finds the key.




    SP:mfoc-master-june rabh$ sudo src/mfoc -O test.dmp
    Found Mifare Classic 1k tag
    ISO/IEC 14443A (106 kbps) target:
        ATQA (SENS_RES): 00  04  
    * UID size: single
    * bit frame anticollision supported
           UID (NFCID1): xx xx xx xx   
          SAK (SEL_RES): 08  
    * Not compliant with ISO/IEC 14443-4
    * Not compliant with ISO/IEC 18092

    Fingerprinting based on MIFARE type Identification Procedure:
    * MIFARE Classic 1K
    * MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
    * SmartMX with MIFARE 1K emulation
    Other possible matches based on ATQA & SAK values:

    Try to authenticate to all sectors with default keys...
    Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
    [Key: ffffffffffff] -> [................]

    ....

    Sector 00 - Unknown Key A               Unknown Key B
    Sector 01 - Unknown Key A               Unknown Key B
    Sector 02 - Unknown Key A               Unknown Key B
    Sector 03 - Unknown Key A               Unknown Key B
    Sector 04 - Unknown Key A               Unknown Key B
    Sector 05 - Unknown Key A               Unknown Key B
    Sector 06 - Unknown Key A               Unknown Key B
    ...

    mfoc: ERROR: 

    No sector encrypted with the default key has been found, exiting.. 

    I've also tried mfcuk, and left it running overnight, but the diffNt keeps increasing (to over 36000), and never get a response.

    Any ideas on what I could do? I saw one option would be to try and snoop using a proxmark3, but unfortunately I can't justify the expense of buying one. If I could find somebody who could rent one, that might be an option.
  • OK, that at least shows it's definitely a Mifare tag, so RFIDler is not the solution.

    I have a theory that mfcuk may work better using a non-USB interface, but that is as yet unproven. You could try it on an SPI/I2C based PN532 and raspberry pi, such as:


    Config is pretty simple:


    (you may also need to enable spi or i2c in  /boot/config.txt)

    pinouts are here:


    Let me know if this works!
  • BTW, I've set this up and tested it and I found that I2C is way too slow, and although nfc-mfclassic was reliable with SPI at 50k, I had to slow it down to 10k to work with mfcuk. YMMV.

    device.connstring = "pn532_spi:/dev/spidev0.0:100000"


  • Thanks Adam. I've tried another Mifare card and that seems to work with mfcuk, so I suspect it is an update to the Mifare chip to increase security, on the Noralsy. 

    The Pi is worth a try though, as that's a pretty cheap price. Will get hold of one and the I2C and give that a go, you never know.

    Thanks for all your help so far.
  • Hi rabh, how have you gotten on? I've got the same Noralsy fob and trying to clone it to a card (waiting on PN532 to arrive in the mail).
  • edited October 2016
    Try this key with mfoc and tell me if it is one of the keys.
    A22AE129C013
    I unfortunately don't have a Noralsy key to play with
    Sector 0, B Key i hope....
Sign In or Register to comment.