Decoding the Schlage 9691t Key Fob: Understanding Diagnostics and Errors

The Schlage 9691t Key Fob is a crucial component in modern vehicle security systems, providing keyless entry and ignition capabilities. For automotive locksmiths and security specialists, understanding how to diagnose and troubleshoot these fobs is essential. This article explains how to interpret diagnostic output from tools like Proxmark3 when interacting with a Schlage 9691t key fob, focusing on the information revealed by the hf mf info and hf mf autopwn commands. We’ll break down these outputs to help you understand the health and potential issues of these key fobs.

When working with key fobs, especially those using RFID technology like the Schlage 9691t, tools like Proxmark3 are invaluable for diagnostics. The hf mf info command is used to gather basic information about a Mifare Classic tag, which is often the underlying technology in key fobs. Below is an example output from running this command on a Schlage 9691t key fob:

[usb] pm3 --> hf mf info
[=] --- ISO14443-a Information ---------------------
[+] UID: AA AA AA AA
[+] ATQA: 00 04
[+] SAK: 08 [2]
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6d3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: C89BA61AFB0E40B9FA1CD29A3D13D95056D4F02129D29F5DB642F412EF87C4C7
[+] Signature verification: successful
[=] --- Keys Information
[+] loaded 2 user keys
[+] loaded 61 keys from hardcoded default array
[#] BCC0 incorrect, got 0x28, expected 0x68
[#] Aborting
[=] <N/A>
[=] --- Magic Tag Information
[=] <N/A>
[=] --- PRNG Information
[+] Prng................. hard

Understanding hf mf info Output:

  • UID (Unique Identifier): AA AA AA AA in this example is the unique serial number of the key fob. This is how the system identifies a specific key fob.
  • ATQA (Answer To reQuest A): 00 04 indicates the type of card and its communication capabilities.
  • SAK (Select AcKnowledge): 08 [2] provides further details about the card’s capabilities and standards compliance.
  • Tag Signature: This section confirms the authenticity of the Mifare Classic chip.
    • IC signature public key name: Identifies the chip manufacturer and model (NXP MIFARE Classic MFC1C14_x).
    • IC signature public key value: The public key used for cryptographic verification.
    • TAG IC Signature: The actual signature from the tag.
    • Signature verification: successful: Indicates the key fob is using a genuine NXP chip and the signature is valid, which is a good sign for the fob’s integrity.
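  • Keys Information: Shows keys loaded for authentication attempts. BCC0 is a check byte the tag transmits with its UID during anticollision, so the “[#] BCC0 incorrect” warning means the byte received did not match the one the tool computed. It might indicate a minor issue in checksum calculation but doesn’t necessarily mean a critical failure. In this output the step is followed by “Aborting” and the section ends with <N/A>.
  • Magic Tag Information & PRNG Information: These report <N/A> and hard respectively. These sections are less critical for basic key fob diagnosis in this context.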

While hf mf info provides basic details, hf mf autopwn is a more advanced command used to attempt to automatically recover keys from Mifare Classic cards. Analyzing the output of this command, especially when errors occur, is crucial for troubleshooting.

[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[+] loaded 5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] running strategy 2
[=] .....
[+] target sector 0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector 16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector 17 key type A -- found valid key [ 75CCB59C9BED ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX512F SIMD core            |                 |
[=]        0 |       0 | Brute force benchmark: 1670 million (2^30.6) keys/s     | 140737488355328 |   23h
[=]        7 |       0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 6457 ms               | 140737488355328 |   23h
[=]        7 |       0 | Using 239 precalculated bitflip state tables            | 140737488355328 |   23h
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=1
[#] AcquireEncryptedNonces: Auth1 error

Analyzing hf mf autopwn Output and Errors:

  • MIFARE Classic EV1 card detected: Confirms the fob is recognized as a Mifare Classic EV1 type.
  • Keys Found: The output shows that autopwn successfully found keys for several sectors (0, 15, 16, 17). The FFFFFFFFFFFF keys are default keys and 5C8FF9990DA2, D01AFEEB890A, 75CCB59C9BED are likely specific keys for those sectors. This initial success suggests the fob is responsive and communicating.
  • Hardnested attack starting…: This indicates the tool is moving to a more advanced attack method because simple key recovery did not unlock all sectors.
  • [#] AcquireEncryptedNonces: Auth1 error / Auth2 error: These repeated errors are the key issue. They signify authentication failures during the nested attack phase.
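The reading of the autopwn output described above can be automated when reviewing many fobs. The following is an added example, not part of the original article or of Proxmark3: a small Python parser that reports which sectors still use the default key, which sectors have only one of key A / key B recovered, and whether the hardnested phase stalled without collecting a single nonce. The function name summarize and the result field names are assumptions made for this example; the sample lines are taken from the output above with the error run shortened.

```python
import re
from collections import Counter

DEFAULT_KEYS = {"FFFFFFFFFFFF"}  # key the article identifies as a default

# Lines taken from the autopwn output above; the error run is shortened.
SAMPLE = """\
[=] MIFARE Classic EV1 card detected
[+] target sector 0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector 16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector 17 key type A -- found valid key [ 75CCB59C9BED ]
[=] Hardnested attack starting...
[=] 7 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 23h
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth1 error
[#] AcquireEncryptedNonces: Auth2 error len=0
[#] AcquireEncryptedNonces: Auth1 error
"""

KEY_RE = re.compile(r"target sector\s+(\d+) key type ([AB]) -- found valid key \[ ([0-9A-F]{12}) \]")
ROW_RE = re.compile(r"^\[=\]\s*\d+\s*\|\s*(\d+)\s*\|")  # table row: time | #nonces | ...
ERR_RE = re.compile(r"AcquireEncryptedNonces: (Auth[12]) error")

def summarize(log: str) -> dict:
    keys, errors, nonces, hardnested = {}, Counter(), 0, False
    for line in log.splitlines():
        if m := KEY_RE.search(line):
            keys[(int(m[1]), m[2])] = m[3]
        elif "Hardnested attack starting" in line:
            hardnested = True
        elif m := ROW_RE.match(line):
            nonces = max(nonces, int(m[1]))
        elif m := ERR_RE.search(line):
            errors[m[1]] += 1
    sectors = {s for s, _ in keys}
    return {
        "keys": keys,
        # sectors where at least one recovered key is a known default
        "default_key_sectors": sorted({s for (s, _), k in keys.items() if k in DEFAULT_KEYS}),
        # sectors with only one of key A / key B recovered
        "half_known_sectors": sorted(s for s in sectors
                                     if (s, "A") not in keys or (s, "B") not in keys),
        "errors": dict(errors),
        # hardnested ran, auth errors occurred, and #nonces never left 0
        "stalled": hardnested and nonces == 0 and sum(errors.values()) > 0,
    }
```

On the full output shown above, stalled is also true: the #nonces column stays at 0 while the Auth1/Auth2 errors repeat.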

Possible Causes for Authentication Errors:

  • Incorrect Keys: Even though some keys were found, they might not be sufficient to authenticate for all sectors, or the recovered keys might be incorrect for the sectors targeted in the nested attack.
  • Key Fob Security Features: The Schlage 9691t key fob or the Mifare Classic EV1 chip might have security features that prevent or hinder these types of automated attacks, especially after some initial keys are revealed. This could include anti-cloning mechanisms or more complex authentication protocols in certain sectors.
  • Communication Issues: While less likely given the initial successful communication, intermittent communication problems could also lead to authentication errors.
  • Tool Limitations: It’s possible that hf mf autopwn, even with its advanced strategies, might not be able to bypass the specific security of this particular key fob in all scenarios.

Troubleshooting and Further Steps:

  • Verify Key Compatibility: Ensure the keys being used (default and any recovered keys) are actually compatible with the Schlage 9691t system.
  • Manual Key Loading and Authentication: Try manually loading the recovered keys and attempting authentication sector by sector to pinpoint where the authentication fails.
  • Explore Different Attack Strategies: Proxmark3 offers various attack methods. Experimenting with different strategies beyond autopwn might yield better results.
  • Firmware and Tool Updates: Ensure your Proxmark3 firmware and client software are up to date, as updates often include improvements to attack strategies and bug fixes.
  • Consult Documentation and Community: Refer to the Proxmark3 documentation and online communities for specific advice related to Mifare Classic EV1 and Schlage key fobs. Other users may have encountered similar issues and found solutions.

Conclusion:

Diagnosing key fobs like the Schlage 9691t involves understanding both the basic information provided by commands like hf mf info and the more in-depth analysis of attack attempts like hf mf autopwn. While initial communication and key recovery might be successful, authentication errors during advanced attacks, as seen with “Auth1 error” and “Auth2 error”, indicate potential security mechanisms or key mismatches. Troubleshooting requires a systematic approach, verifying keys, exploring different attack methods, and leveraging community resources to overcome these challenges and gain a deeper understanding of the key fob’s security profile. For professionals in automotive security, mastering these diagnostic techniques is crucial for effectively working with modern keyless entry systems.
