Clone a Mifare Classic 4k to dUG4T

Hello everyone,

I am trying to clone a Mifare Classic 4K to a dUG4T, so far without success.

What is the best way to do this?

[usb] pm3 → hf search
[|] Searching for ISO14443-A tag…
[+] UID: 9A 7D BC AA
[+] ATQA: 00 02

[+] SAK: 18 [2]

[+] Possible types:
[+] MIFARE Classic 4K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection… hard

I have already managed to create a bin file using HF MF AUTOPWN, but I cannot get it to write to my dUG4T.

It returns the following errors:

[usb] pm3 → hf mf restore --4k
[+] Loaded binary key file C:\Working\ProxSpace\pm3/hf-mf-9A7DBCAA-key.bin
[=] Using key file hf-mf-9A7DBCAA-key.bin
[+] Loaded 1024 bytes from binary file hf-mf-9A7DBCAA-dump.bin

[=] blk | data | status
[=] -----+------------------------------------------------+---------------
[#] Auth error
[=] 0 | 9F 8D BC AA F1 98 02 00 E3 33 00 20 00 00 00 22 | ( fail ) key B
[#] Auth error
[=] 0 | 9F 8D BC AA F1 98 02 00 E3 33 00 20 00 00 00 22 | ( fail ) key A
[#] Auth error
[=] 1 | 8D 00 34 48 00 00 00 00 00 00 00 00 00 00 00 00 | ( fail ) key B
[#] Auth error
[=] 1 | 8D 00 34 48 00 00 00 00 00 00 00 00 00 00 00 00 | ( fail ) key A
[#] Auth error
[=] 2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( fail ) key B
[#] Auth error
[=] 2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( fail ) key A
[#] Auth error
[=] 3 | A0 A1 A2 A3 A4 A5 78 77 88 C2 99 32 92 61 FA 99 | ( fail ) key B
[#] Auth error
[=] 3 | A0 A1 A2 A3 A4 A5 78 77 88 C2 99 32 92 61 FA 99 | ( fail ) key A
[#] Auth error
[=] 4 | 19 D0 8F FD C0 00 00 00 00 00 00 00 00 00 00 00 | ( fail ) key B
[#] Auth error
[=] 4 | 19 D0 8F FD C0 00 00 00 00 00 00 00 00 00 00 00 | ( fail ) key A
[#] Auth error
[=] 5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( fail ) key B
[#] Auth error
[=] 5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( fail ) key A
[#] Auth error
[=] 6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( fail ) key B
[#] Auth error
[=] 6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( fail ) key A
[#] Auth error
[=] 7 | 37 02 BD 21 95 C3 78 77 88 69 2C 5E FE 1B E2 47 | ( fail ) key B
[#] Auth error
[=] 7 | 37 02 BD 21 95 C3 78 77 88 69 2C 5E FE 1B E2 47 | ( fail ) key A
[=] 8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[=] 60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( fail ) key B
[=] 63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | ( ok )
[#] Auth error
[=] 64 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key B
[#] Auth error
[=] 64 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key A
[#] Auth error
[=] 65 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key B
[#] Auth error
[=] 65 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key A
[#] Auth error
[=] 66 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key B
[#] Auth error
[=] 66 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key A
[!] Invalid Access Conditions on sector 16, replacing with default values
[#] Auth error
[=] 67 | 00 00 00 00 00 00 FF 07 80 69 00 00 00 00 00 00 | ( fail ) key B
[#] Auth error
[=] 67 | 00 00 00 00 00 00 FF 07 80 69 00 00 00 00 00 00 | ( fail ) key A
[=] 68 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 69 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 70 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 17, replacing with default values
[=] 71 | 00 00 D6 57 45 E9 FF 07 80 69 00 00 58 57 FB E9 | ( fail ) key B
[=] 71 | 00 00 D6 57 45 E9 FF 07 80 69 00 00 58 57 FB E9 | ( ok )
[=] 72 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 73 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 74 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 18, replacing with default values
[=] 75 | 00 16 00 8C 4D 00 FF 07 80 69 00 04 00 80 43 3A | ( fail ) key B
[=] 75 | 00 16 00 8C 4D 00 FF 07 80 69 00 04 00 80 43 3A | ( ok )
[=] 76 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 77 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 78 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 19, replacing with default values
[=] 79 | 53 00 59 00 53 00 FF 07 80 69 5C 57 6F 72 6B 69 | ( fail ) key B
[=] 79 | 53 00 59 00 53 00 FF 07 80 69 5C 57 6F 72 6B 69 | ( ok )
[=] 80 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 81 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 82 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 20, replacing with default values
[=] 83 | 54 00 45 00 4D 00 FF 07 80 69 6E 67 5C 50 72 6F | ( fail ) key B
[=] 83 | 54 00 45 00 4D 00 FF 07 80 69 6E 67 5C 50 72 6F | ( ok )
[=] 84 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 85 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 86 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 21, replacing with default values
[=] 87 | 5F 00 50 00 52 00 FF 07 80 69 78 53 70 61 63 65 | ( fail ) key B
[=] 87 | 5F 00 50 00 52 00 FF 07 80 69 78 53 70 61 63 65 | ( ok )
[=] 88 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 89 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 90 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 22, replacing with default values
[=] 91 | 45 00 46 00 49 00 FF 07 80 69 5C 70 6D 33 2F 2E | ( fail ) key B
[=] 91 | 45 00 46 00 49 00 FF 07 80 69 5C 70 6D 33 2F 2E | ( ok )
[=] 92 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 93 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 94 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 23, replacing with default values
[=] 95 | 58 00 3D 00 43 00 FF 07 80 69 70 72 6F 78 6D 61 | ( fail ) key B
[=] 95 | 58 00 3D 00 43 00 FF 07 80 69 70 72 6F 78 6D 61 | ( ok )
[=] 96 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 97 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 98 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 24, replacing with default values
[=] 99 | 3A 00 2F 00 57 00 FF 07 80 69 72 6B 33 2F 72 65 | ( fail ) key B
[=] 99 | 3A 00 2F 00 57 00 FF 07 80 69 72 6B 33 2F 72 65 | ( ok )
[=] 100 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 101 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 102 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 25, replacing with default values
[=] 103 | 6F 00 72 00 6B 00 FF 07 80 69 73 6F 75 72 63 65 | ( fail ) key B
[=] 103 | 6F 00 72 00 6B 00 FF 07 80 69 73 6F 75 72 63 65 | ( ok )
[=] 104 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 105 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 106 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 26, replacing with default values
[=] 107 | 69 00 6E 00 67 00 FF 07 80 69 73 2F 68 61 72 64 | ( fail ) key B
[=] 107 | 69 00 6E 00 67 00 FF 07 80 69 73 2F 68 61 72 64 | ( ok )
[=] 108 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 109 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 110 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 27, replacing with default values
[=] 111 | 2F 00 50 00 72 00 FF 07 80 69 6E 65 73 74 65 64 | ( fail ) key B
[=] 111 | 2F 00 50 00 72 00 FF 07 80 69 6E 65 73 74 65 64 | ( ok )
[=] 112 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 113 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 114 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 28, replacing with default values
[=] 115 | 6F 00 78 00 53 00 FF 07 80 69 5F 74 61 62 6C 65 | ( fail ) key B
[=] 115 | 6F 00 78 00 53 00 FF 07 80 69 5F 74 61 62 6C 65 | ( ok )
[=] 116 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 117 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 118 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 29, replacing with default values
[=] 119 | 70 00 61 00 63 00 FF 07 80 69 73 2F 62 69 74 66 | ( fail ) key B
[=] 119 | 70 00 61 00 63 00 FF 07 80 69 73 2F 62 69 74 66 | ( ok )
[=] 120 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 121 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[=] 122 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( ok )
[!] Invalid Access Conditions on sector 30, replacing with default values
[=] 123 | 65 00 2F 00 6D 00 FF 07 80 69 6C 69 70 5F 31 5F | ( fail ) key B
[=] 123 | 65 00 2F 00 6D 00 FF 07 80 69 6C 69 70 5F 31 5F | ( ok )
[#] Auth error
[=] 124 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key B
[#] Auth error
[=] 124 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key A
[#] Auth error
[=] 125 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key B
[#] Auth error
[=] 125 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key A
[#] Auth error
[=] 126 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key B
[#] Auth error
[=] 126 | 00 00 00 00 00 00 00 00 C2 19 B9 41 7C 8C 34 00 | ( fail ) key A
[!] Invalid Access Conditions on sector 31, replacing with default values

[#] Auth error
[=] 255 | 5C 50 72 6F 78 53 FF 07 80 69 5C 50 72 6F 78 53 | ( fail ) key B
[#] Auth error
[=] 255 | 5C 50 72 6F 78 53 FF 07 80 69 5C 50 72 6F 78 53 | ( fail ) key A

How can I clone this so that it is written correctly on the dUG4T?

1 Like

I assume your dUG4 is set up correctly?

hf mf cset --4k --t 1

We may not get this first try, but let's give it a crack.

Let's first wipe the UG4

hf mf cwipe --4k

Now let's dump the original card

hf mf autopwn --4k

Here you could/should check that the .bin file is exactly 4k (4096 bytes).
I think I saw in your massive text above a 1k result.

rather than

hf mf restore

let’s try

hf mf cload -f hf-mf-9A7DBCAA-dump.bin

You can confirm with a

hf search

You will hopefully see the correct UID 9A 7D BC AA and 4k SAK

If you get an error, do a compare on MCT, there are a few more steps on here, but it is great for identifying where errors occur rather than having to read through massive long text.

As I said, we might not get it first time, but let's try and see where we get

If autopwn fails to get the key at Key B like last time, we may need to use the dictionary.
It will be
hf mf chk.....some other shit

But let's start with autopwn

If you have a flipper

1 Like
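
An added example, not part of the original posts or of the Proxmark3 project: a small Python check for the two things the output above points at, the dump size (1024 versus 4096 bytes) and the "Invalid Access Conditions" warnings. The function names and the constructed sample dump are assumptions made for this illustration; the sector and trailer layout is the standard MIFARE Classic one.

```python
"""Sanity-check a MIFARE Classic dump file before loading it anywhere."""
import sys

BLOCK = 16
# Dump size in bytes -> (card type, number of sectors)
LAYOUTS = {320: ("Mini", 5), 1024: ("1K", 16), 2048: ("2K", 32), 4096: ("4K", 40)}


def trailer_block(sector):
    """Absolute trailer block of a sector (on 4K, sectors 32-39 hold 16 blocks)."""
    if sector < 32:
        return sector * 4 + 3
    return 128 + (sector - 32) * 16 + 15


def access_bits_valid(trailer):
    """Bytes 6-8 store C1..C3 once inverted and once plain; both copies must agree."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    return ((b6 & 0x0F) == (~c1 & 0x0F)
            and (b6 >> 4) == (~c2 & 0x0F)
            and (b7 & 0x0F) == (~c3 & 0x0F))


def check_dump(data, expected="4K"):
    """Return a list of problems; an empty list means the dump looks consistent."""
    if len(data) not in LAYOUTS:
        return [f"unexpected size {len(data)} bytes"]
    card, sectors = LAYOUTS[len(data)]
    problems = []
    if card != expected:
        problems.append(f"size {len(data)} bytes is a {card} dump, expected {expected}")
    for s in range(sectors):
        off = trailer_block(s) * BLOCK
        if not access_bits_valid(data[off:off + BLOCK]):
            problems.append(f"sector {s}: invalid access conditions")
    return problems


def build_sample(sectors, trailer):
    """Constructed sample dump: zeroed data blocks, same trailer in every sector."""
    buf = bytearray((trailer_block(sectors - 1) + 1) * BLOCK)
    for s in range(sectors):
        off = trailer_block(s) * BLOCK
        buf[off:off + BLOCK] = trailer
    return buf


# Transport-configuration trailer: default keys with access bytes FF 07 80 69
DEFAULT_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample(16, DEFAULT_TRAILER)  # constructed 1K-sized sample
    for line in check_dump(blob) or ["dump looks consistent"]:
        print(line)
```

Run it with the dump file as the only argument; a 1024-byte file is reported as a 1K dump before anything is written to a card.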

Good afternoon

I have already tried it a bit, but this command doesn’t work: hf mf cset --4k --t1 … I put my 4k in with “script run hf_mf_ultimatecard -t7” and this command doesn’t work either: hf mf cwipe --4k … I do that with script run hf_mf_ultimatecard -w0
I can do the autopwn --4k, but then if I want to write it back I do it with: " hf mf gload --4k -f hf-mf-9A7DBCAA-dump-005.bin"

[+] Loaded 4096 bytes from binary file hf-mf-9A7DBCAA-dump-005.bin
[=] Copying to magic gen4 GTU MIFARE Classic 4K
[=] Starting block: 0. Ending block: 255.

but if I eventually read it out with hf mf gview it gives this:
[usb] pm3 → hf mf gview
[+] View magic gen4 GTU MIFARE Classic 1K

Does anyone have any suggestions? I feel like I’m almost there, but right now it’s only showing 63 blk out of 255 blk.

1 Like

The fact that you got a clean 4096-byte source dump means your original card data is good.

Now we need to sort the writing.

I think there was a change in firmware around the UG4

can you confirm you are on the latest?

If not, update and try the above again.

Update commands

cd proxmark3
git pull
make clean && make all OR make -j (it will allow for parallel compiling and goes faster - thanks @Iceman) OR make -j4 (for compiling in parallel on all cores - thanks @equipter)
./pm3-flash-bootrom
./pm3-flash-fullimage
pm3

In fact, there are no errors, so it may have written but is not showing because your UG4 appears to still be set up as 1k

Use a test card if you have one (you should)

Let's wipe it
script run hf_mf_ultimatecard -w0

and set up that 4k version

script run hf_mf_ultimatecard -t2

and write it

hf mf gload --4k -f hf-mf-9A7DBCAA-dump-005.bin

Let us know how that goes

We’ll get you there

FYI

Where you can find these commands

2 Likes

Good morning

I tried again but why do you write -t2? Is that Mifare Mini? Shouldn’t that be T7?

I have updated everything to the latest and when I write it with Gload it says 4k but when I read it with the gview command it says again that it is a Mifare 1K :confused:

I think T7 was correct in the old firmware

T2 in the new firmware is MFC 4k

script run hf_mf_ultimatecard -h
should give you a help menu

1 Like

Nathan Glaser
v1.0.5
Created - Jan 2022
This script enables easy programming of an Ultimate Mifare Magic card
Usage
script run hf_mf_ultimatecard -h -k -c -w -u -t -p -a -s -o -v -q <atqa/sak> -g -z -m -n

Arguments
-h this help
-c read magic configuration
-u UID (8-20 hexsymbols), set UID on tag
-t tag type to impersonate
1 = Mifare Mini S20 4-byte | 15 = NTAG 210
2 = Mifare Mini S20 7-byte | 16 = NTAG 212
3 = Mifare Mini S20 10-byte | 17 = NTAG 213
4 = Mifare 1k S50 4-byte | 18 = NTAG 215
5 = Mifare 1k S50 7-byte | 19 = NTAG 216
6 = Mifare 1k S50 10-byte | 20 = NTAG I2C 1K
7 = Mifare 4k S70 4-byte | 21 = NTAG I2C 2K
8 = Mifare 4k S70 7-byte | 22 = NTAG I2C 1K PLUS
9 = Mifare 4k S70 10-byte | 23 = NTAG I2C 2K PLUS

Release... v4.21128 - Permafrost
ghost.713!
Proxmark3
MCU....... AT91SAM7S512 Rev B
Memory.... 512 KB ( 72% used )
Target.... PM3 GENERIC

Client.... Iceman/master/v4.21128 2026-02-25 16:15:01
Bootrom... Iceman/master/v4.21128-suspect 2026-02-25 16:15:01 ddaba4e24
OS........ Iceman/master/v4.21128-suspect 2026-02-25 16:15:01 ddaba4e24

From your post

Created - Jan 2022

7 = Mifare 4k S70 4-byte | 21 = NTAG I2C 2K

Pretty sure that's the old one.
Anyway
Using your setup

Wipe
script run hf_mf_ultimatecard -w0

Configure
script run hf_mf_ultimatecard -t 7 -u 9A7DBCAA

Write
hf mf gload --4k -f hf-mf-9A7DBCAA-dump-005.bin

Check
hf mf gview

1 Like

[+] Card loaded 256 blocks from file
[=] Done!
[usb] pm3 → hf mf gview
[+] View magic gen4 GTU MIFARE Classic 1K

nope :confused:

In the meantime, I have already made further progress:

[usb] pm3 → hf mf dump --4k
[+] Saved 4096 bytes to binary file C:/proxmark3-v4.21128/hf-mf-9A7DBCAA-dump-002.bin
[usb] pm3 → script run hf_mf_ultimatecard -w0
[usb] pm3 → hf mf gload --4k -f hf-mf-9A7DBCAA-dump-002.bin

It still shows Mifare 1K when reading the Gview, but the chip does work on the reader with a cylinder on the door.
If I try it on the wall reader in the entrance, it doesn’t read them or… and I’m afraid of that, the coil isn’t strong enough, or it might have something to do with the fact that it isn’t being displayed as 4K after all :confused:
I also have a FlexMT installed, but I don’t know if I’ll be able to get it copied onto that because that’s 1K.

Is the flexUG4 stronger than the dUG4T ?

1 Like

No, the dUG4T has a much better antenna

1 Like

Ok … It still shows Mifare 1K when reading the Gview, but the chip does work on the reader with a cylinder on the door.
If I try it on the wall reader in the entrance, it doesn’t read them or… and I’m afraid of that, the coil isn’t strong enough, or it might have something to do with the fact that it isn’t being displayed as 4K after all :confused:

Do you have any idea what the reason for this is?

Is there an option to have a Mifare 4K with changeable ID made with a large coil?

Ok … It still shows Mifare 1K when reading the Gview, but the chip does work on the reader with a cylinder on the door.
If I try it on the wall reader in the entrance, it doesn’t read them or… and I’m afraid of that, the coil isn’t strong enough, or it might have something to do with the fact that it isn’t being displayed as 4K after all :confused:

Do you have any idea what the reason for this is?

The 2 top readers now read the dUG4T perfectly after cloning the Mifare 4K card.

The RFID reader hanging in the entrance hall shown below will not read this one.
If I hold an RFID repeater in front of it, it reads it, but just not sufficiently.
Could it be that the reader is not strong enough or the chip coil is not strong enough?
Or could it still be related to the programming, since it still indicates Mifare 1K when reading it out with “hf mf gview”

Does anyone else have a solution, because this is actually quite frustrating since I have to walk around with a badge card now :confused:

What does something like hf 14a info say? Are you able to try sniffing a test card or emulate the card on the proxmark and see if it works?

Scratch that, misread. If it’s just that reader it’s more than likely to be the reader’s antenna. With a dUG4, you’d expect pretty good performance with most things but I suspect it’s still possible to have a miss. It may still be useful to try the above command to see what the low level stats are but it’s not inherently a problem for gview to show weird types, especially with gen4 stuff.