Summary
I’m trying to clone an RFID fob to a blank magic card. I’ve successfully dumped the original card, but cannot write block 0 (manufacturer block) to the blank card. All other blocks also fail.
Setup
- OS: Fedora Linux
- Tool: Proxmark3 (Iceman firmware v4.20728-395-ga219a3413, built 2026-02-22)
- Original card: MIFARE Plus S 2K in Security Level 1 (behaves as MIFARE Classic)
- Blank card: Purchased from AliExpress — listed as “NFC RFID 13.56MHz S50 1K with 0 block 7 Bytes UID Changeable Writable Smart Card Gen3 Chinese Magic Key Tags IC Token for Clone” — XCRFID Store
Original Card Details
UID: 04 1A 84 32 8B 74 80 (7-byte / double)
ATQA: 00 44
SAK: 08
Type: MIFARE Plus S 2K in SL1
Step 1: Dumped Original Card — SUCCESS
hf mf autopwn successfully cracked all 16 sectors and dumped the card in ~2 seconds.
Key file: hf-mf-041A84328B7480-key-001.bin
Dump file: hf-mf-041A84328B7480-dump-001.bin
Dump JSON: hf-mf-041A84328B7480-dump-001.json
Block 0 from dump:
04 1A 84 32 8B 74 80 08 44 00 02 01 11 00 34 22
Step 2: Identified Blank Card Type
hf search
Result:
UID: 04 CD E5 00 02 F5 AC (7-byte)
ATQA: 00 44
SAK: 08
Magic capabilities: Gen 1a
Magic capabilities: Gen 4 GDM / USCUID (Magic Auth)
Prng: weak
TAG IC Signature verification: failed
hf mf info
Confirmed:
Magic capabilities: Gen 1a
Magic capabilities: Gen 4 GDM / USCUID (Magic Auth)
Backdoor key: same as key A/B
Step 3: GDM Configuration
hf mf gdmcfg
Output:
0100000000005A5A005A005A005A0008
0100............................ Magic wakeup enabled, no GDM cfg block access
....00.......................... Magic wakeup style Gen1a 40(7)/43
............5A.................. Key B use blocked when readable by ACL
..............5A................ CUID enabled
..................5A............ MFC EV1 perso. Unfused
......................5A........ Magic auth enabled
..........................5A.... MFC EV1 signature enabled
..............................08 SAK
Key observations:
- 0100 = Magic wakeup enabled, but no GDM cfg block access
- Magic Auth (5A) is enabled — this appears to be blocking writes
- CUID is enabled
- 7-byte UID (CL2) mode is active
All Approaches Tried — All Failed
1. hf mf restore (standard restore)
hf mf restore --1k -u 041A84328B7480 -k hf-mf-041A84328B7480-key-001.bin -f hf-mf-041A84328B7480-dump-001.bin --ka
Result: Every block — ( fail ) with Auth error
2. hf mf cload (Gen1a magic load)
hf mf cload -f hf-mf-041A84328B7480-dump-001.bin
Result:
Write block failed
Can't set magic card block: 0
Hint: Verify that it is a GDM and not USCUID derivative
3. hf mf csetblk (Gen1a block write)
hf mf csetblk --blk 0 -d 041A84328B7480084400020111003422
Result: Can't write block. error=-1
4. hf mf gdmsetblk (GDM block write)
hf mf gdmsetblk --blk 0 -d 041A84328B7480084400020111003422
Result: Write ( fail )
5. hf mf gdmsetcfg — tried to disable Magic Auth
Attempted to change config byte at position 11 from 5A (enabled) to 00 (disabled):
hf mf gdmsetcfg --gen1a -d 0100000000005A5A005A0000005A0008
hf mf gdmsetcfg --gdm -d 0100000000005A5A005A0000005A0008
Both result: Write ( fail )
Note: The config says no GDM cfg block access (first byte 01) — this may be why config writes fail.
6. Raw Gen1a wakeup sequence (40/43)
hf 14a raw -ak -b 7 40 → [+] 0A ✓
hf 14a raw -k 43 → [+] 0A ✓
hf 14a raw -k A000 → (no response)
hf 14a raw -ck 041A84328B7480084400020111003422 → (no response)
Magic wakeup succeeds (both 0A ACKs), but subsequent write and read commands return nothing.
Also tried reading block 0 after wakeup:
hf 14a raw -ak -b 7 40 → 0A
hf 14a raw -k 43 → 0A
hf 14a raw -ck 3000 → (empty)
7. hf mf gen3blk / hf mf gen3uid (tried as Gen3)
Both immediately failed with error -10 — card is not Gen3.
8. script run hf_mf_uscuid_prog -t 4 -u 041A84328B7480
Magic wakeup succeeds (0A 0A), but then:
ERROR: Tag sent wrong length of config!
attempt to index a number value (local 'configdata')
Patched the script to handle nil configbuffer, but then:
ERROR: Tag sent wrong length of config!
ERROR: Tag did not ACK `A800` command!
The E000 config read command returns nothing (or wrong length), and A800 (block 0 write prefix) is not acknowledged.
Current Theory
The card has Magic Auth enabled in its GDM config (5A at byte 11), which requires a password-authenticated session before any writes are accepted. However:
- The GDM config itself cannot be modified (no GDM cfg block access, first byte = 01)
- The raw Gen1a backdoor (40/43) wakes the card up but subsequent commands get no response
- The E000 config read (needed for USCUID script) returns nothing, suggesting the card doesn’t respond to GDM config read commands either
It seems like the card is in a state where:
- Gen1a wakeup works (gets 0A 0A)
- But neither the Gen1a write path nor the GDM write path actually accepts writes to block 0
Questions
- Given this GDM config (0100000000005A5A005A005A005A0008), what is the correct procedure to write block 0?
- Is the Magic Auth (5A at byte 11) requiring a specific password/sequence that I’m missing?
- The no GDM cfg block access flag — can this be bypassed, or does it permanently block config writes?
- Is there a way to reset/wipe this card to a clean state so writes work?
- Any known issues with this specific XCRFID store card that might explain this behavior?
Environment
- Proxmark3 firmware: Iceman v4.20728-395-ga219a3413-suspect (2026-02-22)
- OS: Fedora Linux, x86_64
- All standard tools available (hf mf c*, hf mf gdm*, hf mf gen3*, Lua scripts)
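
An offline sanity check for the hex strings quoted in the post, added here as an example (it is not part of the original post or of the Proxmark3 client). It decodes a 16-byte GDM config using only the offsets and labels shown in the `hf mf gdmcfg` annotation above, reports exactly which bytes a hand-edited config changes, and splits a 7-byte-UID block 0 into UID, SAK and ATQA. The function names are hypothetical, and the block 0 layout (UID, SAK, ATQA low byte first) is an assumption that matches the values in the post.

```python
# Added example: offsets and labels are copied from the gdmcfg annotation
# quoted in the post. Nothing here communicates with a reader or a card.

# byte offset -> (length, label as printed by gdmcfg in the post)
GDM_FIELDS = {
    0: (2, "magic wakeup / GDM cfg block access"),
    2: (1, "magic wakeup style"),
    6: (1, "Key B use blocked when readable by ACL"),
    7: (1, "CUID"),
    9: (1, "MFC EV1 perso"),
    11: (1, "magic auth"),
    13: (1, "MFC EV1 signature"),
    15: (1, "SAK"),
}

def _parse16(hexstr, what):
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError(f"{what} must be 16 bytes, got {len(raw)}")
    return raw

def _label_at(index):
    for off, (length, label) in GDM_FIELDS.items():
        if off <= index < off + length:
            return label
    return "unannotated byte"  # the post's output gives no meaning for these

def decode_cfg(hexstr):
    """Map each annotated field to its raw hex value."""
    raw = _parse16(hexstr, "GDM config")
    return {label: raw[off:off + n].hex().upper()
            for off, (n, label) in GDM_FIELDS.items()}

def diff_cfg(old_hex, new_hex):
    """List (byte index, old, new, label) for every byte that differs."""
    old, new = _parse16(old_hex, "GDM config"), _parse16(new_hex, "GDM config")
    return [(i, f"{a:02X}", f"{b:02X}", _label_at(i))
            for i, (a, b) in enumerate(zip(old, new)) if a != b]

def parse_block0_7b(hexstr):
    """Split a block 0 with a 7-byte UID (assumed layout, see lead-in)."""
    raw = _parse16(hexstr, "block 0")
    return {"uid": raw[:7].hex().upper(),
            "sak": f"{raw[7]:02X}",
            "atqa": raw[8:10][::-1].hex().upper(),  # stored low byte first
            "manufacturer": raw[10:].hex().upper()}
```

Run against the two config strings from approach 5, `diff_cfg` confirms the edit touches only byte 11, and `parse_block0_7b` on the dumped block 0 reproduces the UID, SAK and ATQA listed under "Original Card Details".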