I recently tried to duplicate RFID access with MIFARE 13.56MHz badges I ordered on AliE (here and here), from a similar chip to this one with the mifare classic tool app from my phone.
I succeded in cloning the one from my home place front door, but for some reason it seems I can’t manage to get it working with the one from my workplace, I get a quick blinking red light when I try to use it. When I try to scan both badges with NFC taginfo, everything is the same except the card ID.
I’m absolutely new to this so I may very well be missing something obvious, any idea ?
Looking at the output you shared of the tags on pastebin, Im actually surprised any of the clones worked given that their UIDs are different. However, the likely scenario is that there is some identifier the reader uses instead within the data blocks, probably in 1-5 would be my guess.
The dumps all had the first 6 (0-5) sectors without data since the keys werent used thus they couldnt be read. This is where I’m thinking your issue probably lies but its hard to say without seeing the data contained within.
Since you are using a phone (and MCT) to write to the cards you limit yourself to one type of magic Mifare Classic Card. The type of card that supports being wrote by a phone (and does not accept backdoor commands) is a gen2. On a review of the first Aliexpress link, it does seem that these cards support changing the UID/block 0 using MCT.
I would suggest if you are interested in doing more RFID and/or more complex operations then a Proxmark3 Easy would be a very necessary tool.
Given the above information, its hard to accurately advise where things have went awry. As a preliminary guess and suggestion as to what the issue may be would be to compare sectors 0-5 of the original card to any clones you make. In addition, you should also be cloning the UID of the original to any of the clones to make a 1-1 duplicate.
Ensuring these are the same may correct the issue you are facing.
Alright, I’ll try do meticulously check if there is any difference between the two first 6 sectors of each card, but I don’t really understand what is the real process of cloning if it copies only some of the data and not all of it ?
Regarding the last suggestion, I’m managing a student residence and my ultimate goal is to be able to provide card duplicates to tenants without having to deal with a local locksmith that will charge them 30€ each. So ultimately, buying a Proxmark3 would be feasible on business expanse, but only if I can somehow be sure before buying that it will work it because I’ll have to justify in the end.
The other way round, the badge can be added to the access control system so that it works. The reader doesn’t have an ID, the badges do. There has to be a mechanism to add new cards to an existing system.
The system will consist of one or more readers and an access controller. If it is a standalone system then you have to be able to add cards somehow. If it is a centrally controlled system then you might not have the ability.
Okay ! I tried to manually change the UID of the chip but it seems it can’t be done because I got an error message at the end saying the app tried as much as possible but wasn’t able to edit everything. After a bit of research it appears most chips come with a secured unalterable UID, I suspect this is the case with mine (but it doesn’t bother the reader from my home for some reason).
By “magic card”, you mean a special badge or a special encoder ? I’m thinking about ordering a cheap Proxmark3 from Aliexpress, is there anything specific I should be careful about when choosing one ?
You are much better off ordering a Proxmark3 Easy from Dangerous Things. They have the Iceman version of the code pre installed. Some versions have less memory, not so with the Dangerous Things one.
A “Magic” card is one which explicitly allows you to change the UID. Dangerous Things sells implants, but the XM1, FlexMN, FlexMT, and FlexM1 all contain “Magic” chips. You should read this post about Magic chips.
I cant say for the process you used to clone the card but I dont think the cloning process was only a partial clone. I have an assumption that your card, in the first 6 sectors, are using non-default keys; that is keys that are not commonly used when you get a new card from the factory. To elaborate more, the usual default key of a blank/non-provisioned card is usually FFFFFFFFFFFF (read: 12 hex bytes, all 0xF). TagInfo only has the default keys in the application thus if it uses non-default keys then TagInfo will show those sectors as unreadable with the note “unknown key”.
…it appears most chips come with a secured unalterable UID
This is accurate for non-magic cards hence the use of the word ‘magic’.
The ‘magic’ in these cards should be seen as additional features that aren’t available to their non-magic counterparts. For example, gen1a magic cards have an additional command set that bypasses any need for authentication (use of keys) to do any card operations (like read/write). However, since this is done by a special command set, its not easily done by a phone or generic encoder. This is why the proxmark is generally recommended to serve this purpose.
If you were to acquire a proxmark, Id be happy to help guide you through the processes of setting it up and some investigation into the Mifare cards you have, in addition to trying to clarify any questions/misc issues you are facing. Id be happy to walk you through the process of a cloning a MFC card so that you can offer that service in work by making duplicate tenant cards.
What can I say about your response! Thank you for sharing your knowledge with us. Your knowledge and understanding on the matter is definitely an incredible piece of information. I am really looking forward to your guiding tips for cloning an MFC card.