Cloning to XM1+ with proxmark 3 (SOLVED KINDA)

Equipter · February 26, 2021, 9:08pm

ofc ofc

kaizokuj · February 26, 2021, 9:10pm

Ah, my tendency to disable them emoticons bit me in the ass

turbo2ltr · February 26, 2021, 9:14pm

In general, you would enroll your implant the exact same way you would enroll the “proper” tag.

Equipter · February 27, 2021, 4:30pm

to fix his issue we reinstalled a fresh precompile and dried cloading a dump of his card (broken memory xm1) and that didn’t take neither did cwipes so we went block by block all the way to 63

Pilgrimsmaster · February 27, 2021, 6:13pm

But thanks for the update

Did you try autopwn?

skynet · July 18, 2021, 6:00am

im strugling to config my xm1 to operate my apartment door.

what I do know is I have cards, Rings, NFC tags and fobs that work fine and I can “cload”. these no problems with PM3.

KEYFOB =
[usb] pm3 → hf search
Searching for ISO14443-A tag…
[+] UID: 83 C1 61 84
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] — Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: C6DAEB075D03A29E7CEEC391507D0C2502F95AA69317CA8E2CA589CDC5A2AD2B
[+] Signature verification: successful
[?] Hint: try hf mf commands
[+] Valid ISO14443-A tag found
[usb] pm3 →

CARD 1 =
[usb] pm3 → hf search
Searching for ISO14443-A tag…
[+] UID: 7D A4 FA 2D
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] — Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 20203E7B14C4A370DAB177E2BAE8AD29A95EFCF79979F85ACE38BD5F6C1AAECF
[+] Signature verification: successful
[?] Hint: try hf mf commands
[+] Valid ISO14443-A tag found
[usb] pm3 →

CARD 2=
[usb] pm3 → hf search
Searching for ISO14443-A tag…
[+] UID: 83 C1 61 84
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[#] Auth error
[?] Hint: try hf mf commands
[+] Valid ISO14443-A tag found
[usb] pm3 →

NFC/RFID ring =
[usb] pm3 → hf search
Searching for ISO14443-A tag…
[+] UID: 04 D7 E4 FA AC 65 80
[+] ATQA: 00 44
[+] SAK: 00 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Ultralight
[+] MIFARE Ultralight C
[+] MIFARE Ultralight EV1
[+] MIFARE Ultralight Nano
[+] MIFARE Hospitality
[+] NTAG 2xx
[=] proprietary non iso14443-4 card found, RATS not supported
[?] Hint: try hf mfu info
[+] Valid ISO14443-A tag found
[usb] pm3 →

ALL THESE ABOVE options work with no problems .

the strange thing with the door reader is that the hearing field detector does not respond , regardless of the orientation. ( not faulty )

I also have a NeXT installed also. this does not read on my door either. I have programmed it as a Business card just for fun.

So now, I’m onto my 2nd implant and still no luck, I need a bit of help. anyone ?

amal · July 18, 2021, 4:43pm

So, the xFD keychain doesn’t work on the lock, nor does the NExT or xM1… I think we found the problem… the door lock reader is too weak and / or not designed in a way that will let you use an implant.

What make and model is the door lock?

amal · July 18, 2021, 4:44pm

You might have one option which is to apply an “extender”… a ring antenna with capacitor that basically does nothing but extend the magnetic field a bit. They don’t really exist as a product but it might be worth designing and producing some for situations like this.

@Satur9 … what do you think?

APartOfMe · July 18, 2021, 5:58pm

YES! I would buy some of these in a heartbeat, and I know a bunch of others here would as well. That would be an incredibly helpful product.

Pilgrimsmaster · July 18, 2021, 6:08pm

like @Az_F phone solution but for a reader

Satur9 · July 18, 2021, 11:07pm

I’m exploring standalone LC resonators for the CoM credit card chips, I’m definitely willing to design and order a test flex board with 6-8 standalone antennas. I may even be able to put two flat rectangles on the board to act as the capacitor, in lieu of a surface mount one. That would reduce the z-height and the cost.

Do you want me to give that a go this week? I think it’s worth the investment because there’s many use cases, and they can have adhesive pre-applied with only one factory involved.

kaizokuj · July 18, 2021, 11:59pm

Ah well here you have the thread I’ve previously made and what was done, this is the same issue I mailed support about (I’m J P)

amal · July 19, 2021, 12:35am

go-go-go-toby-stephens

skynet · July 19, 2021, 4:46am

I’M HAPPY TO TRY THIS! @amil I will do a screen capture of the process to show you what im doing., perhaps i have no clue

Kdude0 · July 23, 2022, 9:53pm

Just came across this thread while searching for info about the tag IC signature. I have a Classic Mifare 1k card that I cloned onto a Magic Mifare card that seems to be successful, other than the clone doesn’t work. I saw the Proxmark outputs above and noticed that in one case the ic signature copied, and another where it says “auth error”. I was wondering if this IC signature be used by some door locks as an identifier or not? Everything else, UID, keys, etc. all matches right now between the original and the clone. Thanks

Equipter · July 24, 2022, 12:14am

in my extensive experience regarding mifare classic systems, they don’t check for originality sig because most don’t know it’s there. it’s not referenced in the pub datasheet, only the paid one. most systems don’t know to look for it.

chances are the reasons your xm1 isn’t working is because it’s too small to couple with the reader

Kdude0 · July 24, 2022, 1:35am

I figured the xM1 wouldn’t work due to the power and coupling, however the fact that the magic Mifare card won’t work (same form factor as the original card) has me wondering. It should definitely be coupling and the only difference in the programming that I can see is the ic signature/key.

Equipter · July 24, 2022, 1:50am

could be a variety of things most likely magic detection, it’y possible it’s checking for a signature but not even HID, paxton saflok etc check for that whereas magic detection (reader sends magic wakeup g1 command of cred responds, ignore and deny) is much more common

StarGazer1258 · July 24, 2022, 2:13am

Are you sure the ATQA and SAK are the same on the clone? I’ve seen them get changed for some reason when cloning a card.

You can use NXP TagInfo under the “Block 0 analysis” to see if it’s a valid combo.