Cloning to XM1+ with proxmark 3 (SOLVED KINDA)

ofc ofc

1 Like

Ah, my tendency to disable them emoticons bit me in the ass :stuck_out_tongue:

1 Like

In general, you would enroll your implant the exact same way you would enroll the “proper” tag.

1 Like

to fix his issue we reinstalled a fresh precompile and tried cloading a dump of his card (broken memory xm1), and that didn’t take, neither did cwipes, so we went block by block all the way to 63

1 Like

:nauseated_face:

But thanks for the update

Did you try autopwn?

I’m struggling to config my xm1 to operate my apartment door.

What I do know is I have cards, rings, NFC tags and fobs that work fine and I can “cload”. These, no problems with PM3.

KEYFOB =
[usb] pm3 → hf search
:clock11: Searching for ISO14443-A tag…
[+] UID: 83 C1 61 84
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] — Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: C6DAEB075D03A29E7CEEC391507D0C2502F95AA69317CA8E2CA589CDC5A2AD2B
[+] Signature verification: successful
[?] Hint: try hf mf commands
[+] Valid ISO14443-A tag found
[usb] pm3 →

CARD 1 =
[usb] pm3 → hf search
:clock4: Searching for ISO14443-A tag…
[+] UID: 7D A4 FA 2D
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] — Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 20203E7B14C4A370DAB177E2BAE8AD29A95EFCF79979F85ACE38BD5F6C1AAECF
[+] Signature verification: successful
[?] Hint: try hf mf commands
[+] Valid ISO14443-A tag found
[usb] pm3 →

CARD 2=
[usb] pm3 → hf search
:clock9: Searching for ISO14443-A tag…
[+] UID: 83 C1 61 84
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[#] Auth error
[?] Hint: try hf mf commands
[+] Valid ISO14443-A tag found
[usb] pm3 →

NFC/RFID ring =
[usb] pm3 → hf search
:clock2: Searching for ISO14443-A tag…
[+] UID: 04 D7 E4 FA AC 65 80
[+] ATQA: 00 44
[+] SAK: 00 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Ultralight
[+] MIFARE Ultralight C
[+] MIFARE Ultralight EV1
[+] MIFARE Ultralight Nano
[+] MIFARE Hospitality
[+] NTAG 2xx
[=] proprietary non iso14443-4 card found, RATS not supported
[?] Hint: try hf mfu info
[+] Valid ISO14443-A tag found
[usb] pm3 →

ALL THESE ABOVE options work with no problems.

The strange thing with the door reader is that the hearing field detector does not respond, regardless of the orientation (not faulty).

I also have a NeXT installed also. This does not read on my door either. I have programmed it as a business card just for fun.

So now, I’m onto my 2nd implant and still no luck, I need a bit of help. Anyone?

So, the xFD keychain doesn’t work on the lock, nor does the NExT or xM1… I think we found the problem… the door lock reader is too weak and / or not designed in a way that will let you use an implant.

What make and model is the door lock?

You might have one option which is to apply an “extender”… a ring antenna with capacitor that basically does nothing but extend the magnetic field a bit. They don’t really exist as a product but it might be worth designing and producing some for situations like this.

@Satur9 … what do you think?

1 Like

YES! I would buy some of these in a heartbeat, and I know a bunch of others here would as well. That would be an incredibly helpful product.

2 Likes

like @Az_F phone solution but for a reader

I’m exploring standalone LC resonators for the CoM credit card chips, I’m definitely willing to design and order a test flex board with 6-8 standalone antennas. I may even be able to put two flat rectangles on the board to act as the capacitor, in lieu of a surface mount one. That would reduce the z-height and the cost.

Do you want me to give that a go this week? I think it’s worth the investment because there’s many use cases, and they can have adhesive pre-applied with only one factory involved.

3 Likes

Ah well here you have the thread I’ve previously made and what was done, this is the same issue I mailed support about (I’m J P)


I’M HAPPY TO TRY THIS! @amil I will do a screen capture of the process to show you what I’m doing, perhaps I have no clue

Just came across this thread while searching for info about the tag IC signature. I have a Classic Mifare 1k card that I cloned onto a Magic Mifare card that seems to be successful, other than the clone doesn’t work. I saw the Proxmark outputs above and noticed that in one case the IC signature copied, and another where it says “auth error”. I was wondering if this IC signature could be used by some door locks as an identifier or not? Everything else, UID, keys, etc. all matches right now between the original and the clone. Thanks :wink:

in my extensive experience regarding mifare classic systems, they don’t check for originality sig because most don’t know it’s there. it’s not referenced in the pub datasheet, only the paid one. most systems don’t know to look for it.

chances are the reason your xm1 isn’t working is because it’s too small to couple with the reader

I figured the xM1 wouldn’t work due to the power and coupling, however the fact that the magic Mifare card won’t work (same form factor as the original card) has me wondering. It should definitely be coupling and the only difference in the programming that I can see is the IC signature/key.

could be a variety of things, most likely magic detection. it’s possible it’s checking for a signature, but not even HID, paxton, saflok etc check for that, whereas magic detection (reader sends magic wakeup g1 command, if cred responds, ignore and deny) is much more common

Are you sure the ATQA and SAK are the same on the clone? I’ve seen them get changed for some reason when cloning a card.

You can use NXP TagInfo under the “Block 0 analysis” to see if it’s a valid combo.

2 Likes
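
The ATQA/SAK comparison asked about in the last replies, as an added example that is not part of the original thread: it parses the KEYFOB and CARD 2 `hf search` lines posted earlier (two scans that report the same UID) and lists the fields in which they differ. The field names and function names are this example's own.

```python
import re

# Lines copied from the KEYFOB and CARD 2 scans in the thread (trimmed).
KEYFOB = """\
[+] UID: 83 C1 61 84
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Prng detection: hard
[+] Signature verification: successful
"""
CARD2 = """\
[+] UID: 83 C1 61 84
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Prng detection: weak
[#] Auth error
"""

# Field name (chosen for this example) -> pattern for its value in pm3 output.
FIELDS = {
    "uid": r"UID:\s*((?:[0-9A-F]{2} ?)+)",
    "atqa": r"ATQA:\s*([0-9A-F]{2} [0-9A-F]{2})",
    "sak": r"SAK:\s*([0-9A-F]{2})",
    "prng": r"Prng detection:\s*(\w+)",
    "signature": r"Signature verification:\s*(\w+)",
}

def parse_hf_search(text):
    """Extract identity and fingerprint fields from 'hf search' text.

    A field that does not appear in the output is reported as None.
    """
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.IGNORECASE)
        out[name] = m.group(1).strip() if m else None
    return out

def diff_tags(first, second):
    """Return {field: (first_value, second_value)} for fields that differ."""
    a, b = parse_hf_search(first), parse_hf_search(second)
    return {k: (a[k], b[k]) for k in FIELDS if a[k] != b[k]}

if __name__ == "__main__":
    for field, (one, two) in diff_tags(KEYFOB, CARD2).items():
        print(f"{field}: keyfob={one} card2={two}")
```

For these two scans the UID, ATQA and SAK match, and the PRNG strength and the signature result are what differ.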