• Home

    • Howdy, Stranger!

    It looks like you're new here. If you want to get involved, click one of these buttons!

    Sign In Register

    Categories

    Are Noralsy key fobs T55x7 or Mifare?

    rabh
    in RFIDler General
    I've been trying to clone my apartment key fob, with a SCL3711 dongle. The fob looks like this: http://www.nacd.co.uk/kcp3000-proximity-key.html

    I've been under the impression that it is a Mifare device, because I get the following output from mfoc


    Found Mifare Classic 1k tag
    ISO/IEC 14443A (106 kbps) target:
        ATQA (SENS_RES): 00  04  
    * UID size: single
    * bit frame anticollision supported
           UID (NFCID1): xx  xx xx xx   
          SAK (SEL_RES): 08  
    * Not compliant with ISO/IEC 14443-4
    * Not compliant with ISO/IEC 18092

    Fingerprinting based on MIFARE type Identification Procedure:
    * MIFARE Classic 1K
    * MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
    * SmartMX with MIFARE 1K emulation
    Other possible matches based on ATQA & SAK values: 

    However looking at the Proxmark forums (http://www.proxmark.org/forum/viewtopic.php?id=2580&p=1) the poster has a key which looks exactly like mine, but which is tagged as a T55x7. Is it possible mine is also a T55x7, but is reported as Mifare in the MFOC tool?

    I've been unable to clone my RFID key using the SCL3711 dongle with mfoc, but am trying to work out whether RFIDler would help me in that respect.

    Any help would be very much appreciated. Thanks.








    Comments

    • Adam
      I have seen Noralsy tags that are LF (ASK raw data), but it looks like yours must be a newer type and they've switched to HF/Mifare, in which case RFIDler won't help.

      What is the output of MFOC when you try to crack it?
    • rabh
      Thanks for the swift response Adam.

      Unfortunately mfoc never finds the key.




      SP:mfoc-master-june rabh$ sudo src/mfoc -O test.dmp
      Found Mifare Classic 1k tag
      ISO/IEC 14443A (106 kbps) target:
          ATQA (SENS_RES): 00  04  
      * UID size: single
      * bit frame anticollision supported
             UID (NFCID1): xx xx xx xx   
            SAK (SEL_RES): 08  
      * Not compliant with ISO/IEC 14443-4
      * Not compliant with ISO/IEC 18092

      Fingerprinting based on MIFARE type Identification Procedure:
      * MIFARE Classic 1K
      * MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
      * SmartMX with MIFARE 1K emulation
      Other possible matches based on ATQA & SAK values:

      Try to authenticate to all sectors with default keys...
      Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
      [Key: ffffffffffff] -> [................]

      ....

      Sector 00 - Unknown Key A               Unknown Key B
      Sector 01 - Unknown Key A               Unknown Key B
      Sector 02 - Unknown Key A               Unknown Key B
      Sector 03 - Unknown Key A               Unknown Key B
      Sector 04 - Unknown Key A               Unknown Key B
      Sector 05 - Unknown Key A               Unknown Key B
      Sector 06 - Unknown Key A               Unknown Key B
      ...

      mfoc: ERROR: 

      No sector encrypted with the default key has been found, exiting.. 

      I've also tried mfcuk, and left it running overnight, but the diffNt keeps increasing (to over 36000), and never get a response.

      Any ideas on what I could do? I saw one option would be to try and snoop using a proxmark3, but unfortunately I can't justify the expense of buying one. If I could find somebody who could rent one, that might be an option.
    • Adam
      OK, that at least shows it's definitely a Mifare tag, so RFIDler is not the solution.

      I have a theory that mfcuk may work better using a non-USB interface, but that is as yet unproven. You could try it on an SPI/I2C based PN532 and raspberry pi, such as:


      Config is pretty simple:


      (you may also need to enable spi or i2c in  /boot/config.txt)

      pinouts are here:


      Let me know if this works!
    • Adam
      BTW, I've set this up and tested it and I found that I2C is way too slow, and although nfc-mfclassic was reliable with SPI at 50k, I had to slow it down to 10k to work with mfcuk. YMMV.

      device.connstring = "pn532_spi:/dev/spidev0.0:100000"


    • rabh
      Thanks Adam. I've tried another Mifare card and that seems to work with mfcuk, so I suspect it is an update to the Mifare chip to increase security, on the Noralsy. 

      The Pi is worth a try though, as that's a pretty cheap price. Will get hold of one and the I2C and give that a go, you never know.

      Thanks for all your help so far.
    • sinkie
      Hi rabh, how have you gotten on? I've got the same Noralsy fob and trying to clone it to a card (waiting on PN532 to arrive in the mail).
    • Onisan
      edited October 2016
      Try this key with mfoc and tell me if it is one of the keys.
      A22AE129C013
      I unfortunately don't have a Noralsy key to play with
      Sector 0, B Key i hope....
    Sign In or Register to comment.