Cloning a Badge for a Smart Gym Locker

Hello Maybe you people can help me out.

I’m currently experimenting with my gym wrist band that’s basically a Mifare Classic 1k chip embedded in a wrist band. It has two functions:

• Open the front door to the building.
• Lock and unlock the locker.

I’ve (kind of?) successfully cloned the wrist band to a Magic Mifare Classic 1k card (not an implant, yet). Well, at least it opens the front door. However, it doesn’t work in combination with the RFID-based locker. It doesn’t lock or unlock when presenting the cloned card. This is the type of lock that’s installed:

You basically push the wrist band against the black thingy and push it in. If your tag is accepted, it stays inside and closes the lock.

I think there are two possible scenarios:

1. Some kind of RFID reception problem. However, I know that the people working in the gym also use RFID cards like I did, instead of wrist bands to open the lockers. I’ve also tested a few other positions to present my card, with no luck.

2. I didn’t clone the wrist band properly. I’ve used a Proxmark3 easy with the latest Iceman firmware and the autopwn command for Mifare-based chips. This the log of identifying, pwning and dumping the wrist band:

pm3 --> hf mf info

[=] --- ISO14443-a Information ---------------------
[+]  UID: 2E 5A A9 E1
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[=]
[=] --- Tag Signature
[=]  IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 223F930225BFBA6A56F94C6BA907A1EE7163AA0DA2C98AECAD31D428E82DEA7D
[+]        Signature verification: successful

[=] --- Keys Information
[+] loaded  2 user keys
[+] loaded 61 keys from hardcoded default array
[+] Sector 0 key A... A0A1A2A3A4A5
[+] Sector 1 key A... FFFFFFFFFFFF

[=] --- Fingerprint

[=] --- Magic Tag Information
[=] <N/A>

[=] --- PRNG Information
[+] Prng................. hard


[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[+] loaded  5 user keys
[+] loaded 61 keys from hardcoded default array
[=] running strategy 1
[=] running strategy 2
[=] .
[+] target sector   0 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  16 key type A -- found valid key [ 5C8FF9990DA2 ]
[+] target sector  16 key type B -- found valid key [ D01AFEEB890A ]
[+] target sector  17 key type A -- found valid key [ 75CCB59C9BED ]
[+] target sector  17 key type B -- found valid key [ 4B791BEA7BCC ]
[=] Hardnested attack starting...
[SNIP]

[+] target sector   0 key type B -- found valid key [ 8627C10A7014 ]
[=] Hardnested attack starting...
[SNIP]
[+]  017 | 071 | 75CCB59C9BED | D | 4B791BEA7BCC | D ( * )
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )
[=] ( * ) These sectors used for signature. Lays outside of user memory
[?] MAD key detected. Try `hf mf mad` for more details


[+] Generating binary key file
[+] Found keys have been dumped to `[...]hf-mf-2E5AA9E1-key-003.bin`
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[#] Block  16 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  4 block  0
[#] Block  17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  17 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  18 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  19 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  19 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY A,  swapping to KEY B
[#] Block   4 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  1 block  0
[#] Block   5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   5 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   6 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   7 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   7 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   8 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  2 block  0
[#] Block   9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block   9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  12 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  3 block  0
[#] Block  13 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  13 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  14 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  14 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  15 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  15 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  20 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  5 block  0
[#] Block  21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  21 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  22 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  23 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  24 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  6 block  0
[#] Block  25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  28 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  7 block  0
[#] Block  29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  29 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  30 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  31 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  32 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  8 block  0
[#] Block  33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  33 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  34 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  35 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  36 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector  9 block  0
[#] Block  37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  37 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  38 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  39 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  40 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 10 block  0
[#] Block  41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  41 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  42 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  43 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  44 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 11 block  0
[#] Block  45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  45 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  46 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  47 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  48 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 12 block  0
[#] Block  49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  49 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  50 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  51 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  52 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 13 block  0
[#] Block  53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  53 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  54 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  55 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  56 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 14 block  0
[#] Block  57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  57 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  58 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  59 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  60 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 15 block  0
[#] Block  61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  61 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  62 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  63 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block  63 Cmd 0x30 Wrong response len, expected 18 got 0
[-] ⛔ fast dump reported back failure w KEY B
[-] ⛔ Dump file is PARTIAL complete
[=] downloading card content from emulator memory
[+] Saved 1024 bytes to binary file `[...]hf-mf-2E5AA9E1-dump-006.bin`
[+] Saved to json file `[...]hf-mf-2E5AA9E1-dump-006.json`
[=] autopwn execution time: 43 seconds

[usb] pm3 --> hf mf dump
[=] Using... hf-mf-2E5AA9E1-key.bin
[+] Loaded binary key file `[...]hf-mf-2E5AA9E1-key.bin`
[=] Reading sector access bits...
[=] .................
[+] Finished reading sector access bits
[=] Dumping all blocks from card...
 🕓 Sector... 15 block... 3 ( ok )
[+] Succeeded in dumping all blocks

[+] time: 9 seconds


[=] -----+-----+-------------------------------------------------+-----------------
[=]  sec | blk | data                                            | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=]    0 |   0 | 2E 5A A9 E1 3C 88 04 00 C8 23 00 20 00 00 00 15 | .Z..<....#. ....
[=]      |   1 | 15 00 00 00 00 00 00 00 C0 2E 00 00 00 00 00 00 | ................
[=]      |   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   3 | A0 A1 A2 A3 A4 A5 78 77 88 C1 86 27 C1 0A 70 14 | ......xw...'..p.
[=]    1 |   4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   7 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    2 |   8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    3 |  12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    4 |  16 | 12 AF 00 00 16 00 00 00 00 00 00 00 00 98 BE 01 | ................
[=]      |  17 | 00 00 00 00 80 FF FF 0C 80 FF FF 80 00 00 00 00 | ................
[=]      |  18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  19 | A0 A1 A2 A3 A4 A5 0F 00 FF AA CA A3 C3 B5 6D 7A | ..............mz
[=]    5 |  20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    6 |  24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    7 |  28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    8 |  32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    9 |  36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   10 |  40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   11 |  44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   12 |  48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   13 |  52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   14 |  56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   15 |  60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] -----+-----+-------------------------------------------------+-----------------
[?] MAD key detected. Try `hf mf mad` for more details

[+] Saved 1024 bytes to binary file `[...]hf-mf-2E5AA9E1-dump-007.bin`
[+] Saved to json file `[...]hf-mf-2E5AA9E1-dump-007.json`
[usb] pm3 --> hf mf mad
[=] Authentication ( ok )
[#] Auth error

[=] --- MIFARE App Directory Information ----------------
[=] -----------------------------------------------------

[=] ------------ MAD v1 details -------------
[!] ⚠️  Card publisher not present 0x00

[=] ---------------- Listing ----------------
[=]  00 MAD v1
[=]  01 [0000] free
[=]  02 [0000] free
[=]  03 [0000] free
[=]  04 [2EC0] (unknown)
[=]  05 [0000] free
[=]  06 [0000] free
[=]  07 [0000] free
[=]  08 [0000] free
[=]  09 [0000] free
[=]  10 [0000] free
[=]  11 [0000] free
[=]  12 [0000] free
[=]  13 [0000] free
[=]  14 [0000] free
[=]  15 [0000] free

This is the log of reading the clone:

[usb] pm3 --> hf mf cview
[+] View magic Gen1a MIFARE Classic 1K
[=] .................................................................

[=] -----+-----+-------------------------------------------------+-----------------
[=]  sec | blk | data                                            | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=]    0 |   0 | 2E 5A A9 E1 3C 88 04 00 C8 23 00 20 00 00 00 15 | .Z..<....#. ....
[=]      |   1 | 15 00 00 00 00 00 00 00 C0 2E 00 00 00 00 00 00 | ................
[=]      |   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   3 | A0 A1 A2 A3 A4 A5 78 77 88 C1 86 27 C1 0A 70 14 | ......xw...'..p.
[=]    1 |   4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   7 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    2 |   8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    3 |  12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    4 |  16 | 12 AF 00 00 16 00 00 00 00 00 00 00 00 98 BE 01 | ................
[=]      |  17 | 00 00 00 00 80 FF FF 0C 80 FF FF 80 00 00 00 00 | ................
[=]      |  18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  19 | A0 A1 A2 A3 A4 A5 0F 00 FF AA CA A3 C3 B5 6D 7A | ..............mz
[=]    5 |  20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    6 |  24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    7 |  28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    8 |  32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    9 |  36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   10 |  40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   11 |  44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   12 |  48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   13 |  52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   14 |  56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   15 |  60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] -----+-----+-------------------------------------------------+-----------------
[?] MAD key detected. Try `hf mf mad` for more details

[usb] pm3 --> hf mf mad
[=] Authentication ( ok )
[#] Auth error

[=] --- MIFARE App Directory Information ----------------
[=] -----------------------------------------------------

[=] ------------ MAD v1 details -------------
[!] ⚠️  Card publisher not present 0x00

[=] ---------------- Listing ----------------
[=]  00 MAD v1
[=]  01 [0000] free
[=]  02 [0000] free
[=]  03 [0000] free
[=]  04 [2EC0] (unknown)
[=]  05 [0000] free
[=]  06 [0000] free
[=]  07 [0000] free
[=]  08 [0000] free
[=]  09 [0000] free
[=]  10 [0000] free
[=]  11 [0000] free
[=]  12 [0000] free
[=]  13 [0000] free
[=]  14 [0000] free
[=]  15 [0000] free

Is the dump actually okay? It showed plenty of errors after autopwn but not after i dumped it to a file. Or could they be checking for the NXP signature? From my understanding it’s not possible for me to clone this signature to my magic card, so the reader could be able to detect that. But on the other hand, that does feel a bit far fetched, considering the RFID lock accepts various types and forms of tags…

Any idea? Thanks! <3

Could you run both an hf search and an lf search on the original wristband, please?

Sure, thanks for your reply:

[usb] pm3 --> hf search
 🕙  Searching for ISO14443-A tag...
[+]  UID: 2E 5A A9 E1
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection....... hard
[=]
[=] --- Tag Signature
[=]  IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 223F930225BFBA6A56F94C6BA907A1EE7163AA0DA2C98AECAD31D428E82DEA7D
[+]        Signature verification: successful

[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found


[+]  UID: 2E 5A A9 E1
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection....... hard
[=]
[=] --- Tag Signature
[=]  IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 223F930225BFBA6A56F94C6BA907A1EE7163AA0DA2C98AECAD31D428E82DEA7D
[+]        Signature verification: successful

[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

[usb] pm3 --> lf search

[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
 🕔 Searching for COTAG tag......

[-] ⛔ No data found!
[?] Maybe not an LF tag?

Thanks!

Have you tried re-running the hf mf autopwn? Does it error out every time?

Yes, it always produces the same errors. Although If I’m running a dump command after autopwn it seems to dump all contents without any error. I’m not sure how to interpret these errors that autopwn produces tbh

With Mifare Classic
I find a very good diagnostic tool to be

MCT app

Screenshot_20240419_204758_MIFARE Classic Tool1080×1389 119 KB

Specifically the Diff Tool

Screenshot_20240419_204825_MIFARE Classic Tool1080×1798 115 KB

Heres an example

Screenshot_20240419_205217_MIFARE Classic Tool1075×3621 346 KB

If you tick
“Hide identical Sectors”

It shows only what you need to focus on

You’ll see in my example above, there are only 4 sectors (of 16) so I have already filtered out 75% of the data I dont need to deal with.

In your example above, my guess your (N)UID will be associated with your membership and access to the gym, BUT your locker access will be in your other sectors and thats what you haven’t copied over…

Oh I thought I copied all sectors. I’ve ran the dump command for both the original and the clone and the resultung bin files had the same SHA256 hash. I’ve also compared the text output of pm3 that is being printed after dumping the cards and they are also equal.

Currently is feels like its not reading everything from the original. at least not correctly

I’m suspecting the reader detects that a gen1 magic card was presented. I’m ordering gen2 magic cards and I will report back

Hahaha, well, after my last post I sent you about MCT.

I drafted another message but didn’t send it, because you totally ignored me

was this

You don’t happen to have a Mifare Classic gen2 card do you?

MCT would have done that for you, faster and removes the human error…just sayin

Hopefully you have better luck with the gen2

If you plan on playing in the RFID world a bit more, a test card pack is a great investment

Hi!

No idea where that’s coming from but I didn’t ignore you, maybe I should have responded to your post instead of replying to the read. Anyways, I double checked the data written to the cards because of your comment. I don’t have an Android phone, so I think checking file hashes is a valid option. Nevertheless, thanks for your valuable input and for responding to my questions. Let’s see if the Gen2 card will work <3

Just jokes buddy

I guessed you may not have had an android.

All good
So I’ve found another Magic Gen1a card (Gen2 will arrive on Friday) and that one worked. The difference is this:

[=] --- Magic Tag Information
[+] Magic capabilities... Gen1a
[+] Magic capabilities... Gen 4 GDM / USCUID ( Gen1 Magic Wakeup )

So i guess this card doesn’t use the regular backdoor commands to write the UID, which the reader would eventually detect. Interesting.

So I guess this wouldn’t work with an xMagic but with an xM1 Gen2, is that correct?

My suggestion for now is wait until Friday and test with your gen2 card.

Then you’ll be able to confirm what options you have available to you.

Okay so I tested two Gen1 cards and one gen2 card. Only the gen2 card worked, which confirms that the reader checks for the gen1 backdoor command.

Thanks for your help!

Thanks for the update.
We dont see the “backdoor checker” in operation very often at all