Copying access cards / fobs / badges to a chip implant

This post will cover the steps to hopefully copy a card, fob, or badge you currently possess (source chip) into a chip implant that supports cloning (target chip). I say “hopefully” because you need a couple things to be right to make this happen.

Requirements

There are two things that are necessary for your source chip to be cloneable to a target chip.

  • Your source chip needs to be a simple device with weak breakable security, or no security features at all. Don’t worry, most access control systems use completely insecure chips that can easily be read by anyone. This surprises some people, but it comes down to profit margin for the security company and cost for the owners of the access system, so it should not be that much of a surprise. Secure chips cost more, and therefore are not actually used by many access systems.

  • Your source chip needs to have a compatible target chip. This simply means that we need a target chip that is compatible with your source chip. Basically speaking, the programmable target chip needs to be able to look like your source chip in every respect once the programming (cloning) is done. Because chips with reprogrammable serial numbers (also called UIDs) are not the norm, there are only a few types of source chips that can be cloned to a target chip.

Basic steps to cloning

  1. Identify if you have a card, fob, or badge (“source chip”) that can be cloned and determine if a reprogrammable “target chip” exists which is compatible with your “source chip”

  2. Purchase the tools and target chip implant, then perform the cloning procedure

Step 1) Identify the type of source chip you want to copy

There are two primary frequency families of passive RFID chips. There are LF (low frequency) chips which operate on 125kHz, and HF (high frequency) chips which operate at 13.56MHz. There is really only one type of HF chip that can be cloned, but many different types of simple LF chips that can be. I cover the differences in this video!

Steps to identify your chip

  • Try scanning the source chip with an app called TagInfo using an Android phone preferably. The app does exist for iPhone on App Store, but iPhone has some serious limitations when it comes to scanning chips that are not specifically used for sharing NFC data, and typically chips used for access control do not also have NFC data on them.

  • If your source chip fails to scan with your NFC enabled smartphone, you may need a Proxmark3 in order to identify the source chip. On the plus side, you will probably need a Proxmark3 to do the actual cloning as well, so it’s a descent investment.

13.56MHz Mifare Classic 1k chips

In the HF family of 13.56MHz chips, the Mifare “Classic” 1K chip is really only kind of chip that has weak security and more importantly has a compatible target chip that exists which can look and read like a Mifare Classic 1k chip, and that target chip is called a “Magic Mifare 1k” chip. The Magic Mifare 1k chip comes in a few different flavors but the ones we sell are called gen1a and gen2. The differences between these two “generations” of the Magic Mifare 1k chips has to how data is copied to the chip, which I detail in this post;

If you have a Mifare Classic 1K chip with a 4 byte ID, then the only products you can copy that to are products that contain a Magic Mifare 1k chip; The xM1, flexM1, flexMT, or the Magic Ring.

125kHz common access chips

Most inexpensive access systems use one type of LF 125kHz chip or another because LF chips tend to be simple, reliable, and very inexpensive. This also means almost all of them are not secured in any way. Common names for these types of low frequency chips include EM41xx, EM4200, HID 1326 ProxCard II, HID 1346 ProxCard III, Indala, Pyramid, Viking, AMV, ioProx, Presco (and more).

The good news is that a company called Atmel makes a 125kHz chip called the T5577 which is specifically designed to be able to emulate a huge variety of common 125kHz access chips used by various access control systems. That means if you have an LF 125kHz source chip in a card, fob, or badge, then it’s very likely you could clone that to any of our products that contain a T5577 chip. Here’s a video about the T5577 that explains why it’s such a cool chip.

If you have a low frequency source chip that the Proxmark3 can identify, then you will want a product that contains a T5577 chip such as the xEM, NExT, flexEM, flexMT, or the Magic Ring.

Step 2) Cloning the source chip to the target chip

13.56MHz Mifare Classic 1k source chip

If you have a Mifare Classic 1k sourced chip, watch this video

125kHz low frequency source chip

If you have a source chip that the Proxmark3 can recognize with an LF scan, and supports a clone option within the command menu system for that type of LF chip, then you should be able to clone it to a product with a T5577 chip. Check out this video for examples of how this is done.

More reading

2 Likes