FlexDF2 as an alternative for a student card

Hello everyone, I’m new to biohacking and plan to buy my first implants in the next few weeks. My question is this: my uni’s student cards are Desfire EV1 4k. I know that Desfires are impossible to clone, but I’ve seen in other threads that if you approach the access administrators correctly, it’s possible to register your implant as a copy of your card.

  • Could the FlexDF2 work? Since it’s an EV2, is it compatible with systems using EV1s?

  • What would be the procedure for the admin to register my implant? I put my forearm on the reader/writer and it’s exactly the same as with a blank student card?

  • For certain basic uses, such as simple access to a building, is it possible for my uni to read only the card’s serial number? And if so, would a simple xMagi be enough to emulate the correct serial number?

Please feel free to correct any errors or misunderstandings I may have made, and thank you in advance for your answers.

  1. potentially compatible yes, we would need more information on the system being used to say for sure but apps for df ev1 work on ev2 if configured correctly.

  2. it depends. if your administration is able to register and encode blank desfires as valid credentials then yes, the process would just be you presenting your implant and letting them encode it. if they have to order pre-encoded cards with a registration application already present then you would not be able to use a flexDF as they are blank and do not contain the pre-encoded application for registration. it boils down again to the system in use.

  3. it is very unlikely but still possible that your university has some readers that only check for the UID, this is unlikely because running and maintaining a desfire system is expensive and it’s wasted if they’re not using the security features they’re paying for. IF there are UID only readers dotted about, an xmagic would not be sufficient. desfire is a 7Byte UID chipset and the xmagic/xm1/flexm1 only contains 4Byte UID. there is also the potential that if they check the UID, they could also be checking the chip version to validate it is a desfire. this can be tested by emulating UIDs and looking at the traces.

it’s important to note that if you’re committing to a flexDF2 and they are able to enroll & encode it, your implant will be fused with that application, able to be removed yes (not by you, not without the master key which you’re unable to obtain sans espionage) but the administration likely will not be able to do that as it’s not a feature of most systems to wipe an enrolled credential of its application. YMMV though.

if the above is the case, the application remaining on your implant may not be that big an issue as there is space for other applications (depending on size) for future use.

there is also no guarantee the administration will allow you to enroll your implant, it is up to their discretion and they may not agree to do so if it’s even possible

let us know if you have any more questions &/or if you’re able to pull up any information about the system and readers in use.
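
Added example, not part of any post in this thread: a sketch of the reader-side checks described in point 3 above, contrasting a UID-only comparison with one that also reads the chip version via GetVersion. The function names, policy labels and all UIDs and frames are constructed for illustration; the GetVersion byte layout and version codes are the publicly documented ones, and no real STiD configuration is implied.

```python
# Added illustration, not from the thread. All sample values are constructed.
GENERATIONS = {0x01: "EV1", 0x12: "EV2", 0x33: "EV3"}  # hardware major version byte

def parse_hw_version(frame: bytes) -> dict:
    """Decode the 7-byte hardware frame of a DESFire GetVersion response."""
    if len(frame) != 7:
        raise ValueError("hardware version frame must be 7 bytes")
    vendor, chip_type, _subtype, major, _minor, storage, _protocol = frame
    return {
        "is_nxp_desfire": vendor == 0x04 and chip_type == 0x01,
        "generation": GENERATIONS.get(major, "unknown"),
        # Size code: bits 7..1 give n for 2**n bytes; bit 0 set means "more than 2**n".
        "storage_bytes": 1 << (storage >> 1),
    }

def check_credential(uid, hw_frame, enrolled, policy, allowed=("EV1", "EV2")):
    """Return (accepted, reason) for a hypothetical reader policy.

    "uid-only" compares the UID alone; "uid+version" also requires the tag to
    identify as an allowed DESFire generation. Neither is authentication: only
    DESFire mutual authentication with the application keys proves the card.
    """
    if len(uid) != 7:
        return False, f"{len(uid)}-byte UID cannot match a 7-byte DESFire UID"
    if uid not in enrolled:
        return False, "UID not enrolled"
    if policy == "uid-only":
        return True, "UID match (chip type never checked)"
    if hw_frame is None:
        return False, "no GetVersion answer"
    hw = parse_hw_version(hw_frame)
    if not hw["is_nxp_desfire"] or hw["generation"] not in allowed:
        return False, f"not an allowed DESFire ({hw['generation']})"
    return True, f"UID match on DESFire {hw['generation']}, {hw['storage_bytes']} bytes"

CARD_UID = bytes.fromhex("04a1b2c3d4e5f6")     # constructed 7-byte UIDs
IMPLANT_UID = bytes.fromhex("04112233445566")
ENROLLED = {CARD_UID, IMPLANT_UID}
EV1_4K = bytes.fromhex("04010101001805")       # constructed hardware frames
EV2_4K = bytes.fromhex("04010112001805")

if __name__ == "__main__":
    cases = [("EV1 card", CARD_UID, EV1_4K, "uid+version"),
             ("EV2 implant", IMPLANT_UID, EV2_4K, "uid+version"),
             ("4-byte UID tag", bytes.fromhex("a1b2c3d4"), None, "uid-only"),
             ("UID seen, no version", CARD_UID, None, "uid+version")]
    for label, uid, frame, policy in cases:
        print(label, "->", check_credential(uid, frame, ENROLLED, policy))
```
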


Thanks for your reply, I’ve got some more information while discussing with the admin:

  • the cards arrive blank and are printed and encoded on site by a Magicard 300. I’m not sure that this machine can encode without printing and in an “accessible” way (without me having to put my arm inside x) ).
  • for building access, the reader seems to be a STiD LXC according to the google image search. But it’s a 125 kHz reader ?!?

1 Like

STiD's good, super versatile system. weird the presence of the 125khz reader, have you checked to verify your card doesn’t contain a 125khz chip as well as a desfire?

the STiD architect system is super malleable allowing for a variety of different configurations so there is the potential your flexdf would work. https://stid-security.com/images/produits/lecteurs-haute-securite/logiciels/secard/MU_SECARD_V6.3_EN.pdf

as for encoding, you could send the implant through the encoder before it goes in you; or talk to the admins about which external R/W device can be used with the system for encoding, it’s not limited to badge printers there will be a wedge you can use for encoding


I don’t have an LF reader to hand, but I’m thinking of ordering one from Amazon to check. If my student card does have LF as well as HF Desfire, then chances are I can just emulate the LF uid to access the buildings?

As for using an external writer, it’s unlikely to work because the people managing the badges in my uni don’t seem to be qualified (they’re just secretaries following the Magicard instructions). And given that this will be my very first implant, I’m not keen on putting it through the machine beforehand to make sure it’s sterile.

1 Like

to make sure it’s sterile

well yes i did mean to do it in the package you receive it in :sweat_smile:.

if i were you id get the proxmark3 easy to take a look into your card further.

if you can; hold a flashlight up to the card while in a dark room and have a look at how many antennas and chips you can see

1 Like

Try shining a torch behind your card.

The DESFire SHOULD have a chip in a corner and an antenna that follows the perimeter.

IF it has an LF chip also, it SHOULD have a circular antenna in the centre of the card

It would look something like this

Here’s an example of an HF only lit from behind

If LF then that would be great news

1 Like

I plan to buy the proxmark at the same time as the implants to avoid paying $140 shipping twice :skull:
I’m going to check with the IT department to see if they have any available, after all that’s what engineering uni are for…

As for the lamp technique, I only have one coil and one chip (HF). But in that case how come the 125kHz STiD reader can identify my card? Unless it’s an HF variant that I couldn’t find with the photo.

1 Like

can’t find enough on it myself to say for sure but i’m 99.99% sure that the LXC/LXM is a multi tech model with configurable frequency. i’ve sent an email to a rep i know to get some clarification but given it's a much older model but still capable of being linked into architect id say it’s a pretty sure bet given the evidence of you not having a 125khz chip in your card.

i’ve dug up a bit RE; STiD's default keys from the SECard software (STiD's enrolment software) however it’s unlikely they are using default keys. one would hope so at least given it’s an engineering school.

1 Like

After checking, the most recent buildings have an Arc-B easyline STiD reader, specially designed for desfire cards. All that’s left is to try and negotiate to encode the implant.
To make sure that the cards actually arrive blank (and not pre-encoded), would the following method work?

  1. Buy this type of card online: NFC Cards NXP MIFARE® DESFire® EV2 - Shop NFC
  2. Attempt to encode it using their usual procedure
  3. If it works, then do the same with the implant.

In addition I would try to find out if they can ‘clear’ or ‘wipe’ the card again. If not, you might not be able to use the implant for anything else afterwards.

After a lot of discussion and enquiries, I’ve got my latest information:

  • the current system does not allow cards to be wiped, as they are not intended to be reused.
  • Biomodifications are in a legal limbo, so I could get authorisation to register an implant, but I’d have to get a waiver from the head of my group of schools, and pass it off as scientific research.

If I’m going to have a useless implant at the end of my studies, I’m going to look into a Custom Work, and see how much it would cost me to transform a badge that’s already been encoded into an implant.