Help for GDM cloning mifare classic v1

Hi, I need help with this GDM. I need to clone a MIFARE Classic 1K onto this card, but this is the condition of the new magic card and I don’t understand how to. With the help of @Aoxhwjfoavdlhsvfpzha I made a good clone on a GTU and I found all the commands for this one, but for GDM I don’t know where to start.

Searching for ISO14443-A tag…
[=] ---------- ISO14443-A Information ----------
[+] UID: 04 CD E5 00 02 D7 96 ( double )
[+] ATQA: 00 44
[+] SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[=]

[+] Magic capabilities… Gen 4 GDM / USCUID ( Magic Auth )
[+] Prng detection… weak
[=]
[=] — Tag Signature
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: A814400AC978A6BA100A64AC1A57606E5E7BE3441785B5D24B63FA0E90B5D3CC
[+] Signature verification: failed

[?] Hint: use hf mf gdm* magic commands
[?] Hint: try hf mf commands

[+] Valid ISO 14443-A tag found

[usb] pm3 → hf mf gdmcfg

[+] ------------------- GDM Gen4 Configuration -----------------------------------------
[+] 8500000000005A00005A005A005A0008
[+] 8500… Magic wakeup disabled
[+] …00… Magic wakeup style Gen1a 40(7)/43
[+] …000000… unknown
[+] …5A… Key B use blocked when readable by ACL
[+] …00… CUID Disabled
[+] …00… n/a
[+] …5A… MFC EV1 perso. Unfused
[+] …00… Shadow mode disabled
[+] …5A… Magic auth enabled
[+] …00… Static encrypted nonce disabled
[+] …5A… MFC EV1 signature enabled
[+] …00.. n/a
[+] …08 SAK

@Equipter

See where it says this 👆

That gives you a starting point

so those are your options to try

1 Like

Also, if you aren’t near a PM3 for physical testing, try @Aoxhwjfoavdlhsvfpzha’s fantastic online PM3 emulator tool, which can be found here
(shortcut to your hf mf gdm solution)

1 Like

Deviant Ollam has a pretty good video explainer on GDM chips. He even goes through enabling/disabling magic wakeup. https://www.youtube.com/watch?v=lOHqsBjsE3U
The portion where he’s going through the PM3 commands is around the ~10:00 mark

5 Likes

Hmmmm, isn’t there a script for this?

script run hf_mf_uscuid_prog

It works but it’s also a bit janky, IIRC.

2 Likes

I bricked 2 cards…

I gave this:
hf mf gdmsetcfg -d 850000000000005A0000005A00000008

and bye bye:

I tried this command:
hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000800
but nothing…

My cards are these:

Can you help me?

What do you get when you run

hf 14a info

Well, now I tried this and something happened:
[usb] pm3 → hf 14a config --cl2 skip
[usb] pm3 → hf mf gdmsetcfg -d 7AFF00000000000000005A5A00000008
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Aborting
[#] Can’t select card
[-] Write ( fail )
[usb] pm3 → hf 14a config --bcc ignore
[usb] pm3 → hf mf gdmsetcfg -d 7AFF00000000000000005A5A00000008
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[+] Write ( ok )
[?] try hf mf gdmcfg to verify
[usb] pm3 → hf mf gdmcfg
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02

[+] ------------------- GDM Gen4 Configuration -----------------------------------------
[+] 7AFF00000000000000005A5A00000008
[+] 7AFF… Magic wakeup enabled with GDM cfg block access
[+] …00… Magic wakeup style Gen1a 40(7)/43
[+] …000000… unknown
[+] …00… Key B use allowed when readable by ACL
[+] …00… CUID Disabled
[+] …00… n/a
[+] …00… MFC EV1 perso. 4B UID from Block 0
[+] …5A… Shadow mode enabled
[+] …5A… Magic auth enabled
[+] …00… Static encrypted nonce disabled
[+] …00… MFC EV1 signature disabled
[+] …00.. n/a
[+] …08 SAK

[usb] pm3 → hf search
[-] Searching for ISO14443-A tag…[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02

[=] ---------- ISO14443-A Information ----------
[+] UID: 04 CD E5 00 ( ONUID, re-used )
[+] ATQA: 88 97
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[=]
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02

[+] Magic capabilities… Gen 1a
[+] Magic capabilities… Gen 4 GDM / USCUID ( Magic Auth )
[+] Magic capabilities… Gen 4 GDM / USCUID ( Gen1 Magic Wakeup )
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[+] Prng detection… weak
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02

[?] Hint: use hf mf c* magic commands
[?] Hint: use hf mf gdm* --gen1a magic commands
[?] Hint: use hf mf gdm* magic commands
[?] Hint: try hf mf commands

[+] Valid ISO 14443-A tag found

[usb] pm3 → hf mf cview
[+] View magic Gen1a MIFARE Classic 1K
[=] .[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02

[=] -----+-----+-------------------------------------------------+------------------
[=] sec | blk | data | ascii
[=] -----+-----+-------------------------------------------------+------------------
[=] 0 | 0 | 04 CD E5 00 02 D7 97 88 44 00 C8 00 00 00 00 00 | …D…
[=] | 1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 3 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 1 | 4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 7 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 2 | 8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 3 | 12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 4 | 16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 5 | 20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 6 | 24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 7 | 28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 8 | 32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 9 | 36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 10 | 40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 11 | 44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 12 | 48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 13 | 52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 14 | 56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] 15 | 60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | …
[=] | 63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | …i…
[=] -----+-----+-------------------------------------------------+------------------

[usb] pm3

But I see more errors.

If I enable anticollision I see this:
[usb] pm3 → hf 14a config --std
[usb] pm3 → hf mf cview
[+] View magic Gen1a MIFARE Classic 1K
[=] .[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Aborting
[usb] pm3

[usb] pm3 → hf 14a info
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Aborting
[usb] pm3

Can I hope to save them?

[usb] pm3 → hf mf cwipe
[]wipe block 63
[+] Card wiped successfully
[usb] pm3 → hf search
[] Searching for ISO14443-A tag…
[=] ---------- ISO14443-A Information ----------
[+] UID: 00 56 78 BB ( ONUID, re-used )
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[=]

[+] Magic capabilities… Gen 1a
[+] Magic capabilities… Gen 4 GDM / USCUID ( Magic Auth )
[+] Magic capabilities… Gen 4 GDM / USCUID ( Gen1 Magic Wakeup )
[+] Prng detection… weak

[?] Hint: use hf mf c* magic commands
[?] Hint: use hf mf gdm* --gen1a magic commands
[?] Hint: use hf mf gdm* magic commands
[?] Hint: try hf mf commands

[+] Valid ISO 14443-A tag found

[usb] pm3 → hf mf gdmcfg

[+] ------------------- GDM Gen4 Configuration -----------------------------------------
[+] 7AFF00000000000000005A5A00000008
[+] 7AFF… Magic wakeup enabled with GDM cfg block access
[+] …00… Magic wakeup style Gen1a 40(7)/43
[+] …000000… unknown
[+] …00… Key B use allowed when readable by ACL
[+] …00… CUID Disabled
[+] …00… n/a
[+] …00… MFC EV1 perso. 4B UID from Block 0
[+] …5A… Shadow mode enabled
[+] …5A… Magic auth enabled
[+] …00… Static encrypted nonce disabled
[+] …00… MFC EV1 signature disabled
[+] …00.. n/a
[+] …08 SAK

[usb] pm3 → hf 14a config --std
[usb] pm3 → hf search
[-] Searching for ISO14443-A tag…
[=] ---------- ISO14443-A Information ----------
[+] UID: 00 56 78 BB ( ONUID, re-used )
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[=]

[+] Magic capabilities… Gen 1a
[+] Magic capabilities… Gen 4 GDM / USCUID ( Magic Auth )
[+] Magic capabilities… Gen 4 GDM / USCUID ( Gen1 Magic Wakeup )
[+] Prng detection… weak

[?] Hint: use hf mf c* magic commands
[?] Hint: use hf mf gdm* --gen1a magic commands
[?] Hint: use hf mf gdm* magic commands
[?] Hint: try hf mf commands

[+] Valid ISO 14443-A tag found

[usb] pm3 -
probably ok…

[usb] pm3 → hf mf gdmsetcfg -d 850000000000000000005A5A00000008
[+] Write ( ok )
[?] try hf mf gdmcfg to verify
[usb] pm3 → hf mf gdmcfg

[+] ------------------- GDM Gen4 Configuration -----------------------------------------
[+] 850000000000000000005A5A00000008
[+] 8500… Magic wakeup disabled
[+] …00… Magic wakeup style Gen1a 40(7)/43
[+] …000000… unknown
[+] …00… Key B use allowed when readable by ACL
[+] …00… CUID Disabled
[+] …00… n/a
[+] …00… MFC EV1 perso. 4B UID from Block 0
[+] …5A… Shadow mode enabled
[+] …5A… Magic auth enabled
[+] …00… Static encrypted nonce disabled
[+] …00… MFC EV1 signature disabled
[+] …00.. n/a
[+] …08 SAK

[usb] pm3 → hf search
[/] Searching for ISO14443-A tag…
[=] ---------- ISO14443-A Information ----------
[+] UID: 00 56 78 BB ( ONUID, re-used )
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[=]

[+] Magic capabilities… Gen 4 GDM / USCUID ( Magic Auth )
[+] Prng detection… weak

[?] Hint: use hf mf gdm* magic commands
[?] Hint: try hf mf commands

[+] Valid ISO 14443-A tag found

[usb] pm3

Well, now it responds, but it is different from the starting point. Why?

Starting point:

Second card:
[usb] pm3 → hf 14a config --bcc ignore
[usb] pm3 → hf mf gdmsetcfg -d 7AFF00000000000000005A5A00000008
[#] BCC0 incorrect, got 0x02, expected 0x2c
[#] Using BCC0 =0x02
[+] Write ( ok )
[?] try hf mf gdmcfg to verify
[usb] pm3 → hf mf cwipe
[|]wipe block 63
[+] Card wiped successfully
[usb] pm3 → hf 14a config --std
[usb] pm3 → hf search
[|] Searching for ISO14443-A tag…
[=] ---------- ISO14443-A Information ----------
[+] UID: 00 56 78 BB ( ONUID, re-used )
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[=]

[+] Magic capabilities… Gen 1a
[+] Magic capabilities… Gen 4 GDM / USCUID ( Magic Auth )
[+] Magic capabilities… Gen 4 GDM / USCUID ( Gen1 Magic Wakeup )
[+] Prng detection… weak

[?] Hint: use hf mf c* magic commands
[?] Hint: use hf mf gdm* --gen1a magic commands
[?] Hint: use hf mf gdm* magic commands
[?] Hint: try hf mf commands

[+] Valid ISO 14443-A tag found

[usb] pm3 → hf mf gdmcfg

[+] ------------------- GDM Gen4 Configuration -----------------------------------------
[+] 7AFF00000000000000005A5A00000008
[+] 7AFF… Magic wakeup enabled with GDM cfg block access
[+] …00… Magic wakeup style Gen1a 40(7)/43
[+] …000000… unknown
[+] …00… Key B use allowed when readable by ACL
[+] …00… CUID Disabled
[+] …00… n/a
[+] …00… MFC EV1 perso. 4B UID from Block 0
[+] …5A… Shadow mode enabled
[+] …5A… Magic auth enabled
[+] …00… Static encrypted nonce disabled
[+] …00… MFC EV1 signature disabled
[+] …00.. n/a
[+] …08 SAK

[usb] pm3 → hf 14a config --std
[usb] pm3 → hf mf gdmcfg

[+] ------------------- GDM Gen4 Configuration -----------------------------------------
[+] 7AFF00000000000000005A5A00000008
[+] 7AFF… Magic wakeup enabled with GDM cfg block access
[+] …00… Magic wakeup style Gen1a 40(7)/43
[+] …000000… unknown
[+] …00… Key B use allowed when readable by ACL
[+] …00… CUID Disabled
[+] …00… n/a
[+] …00… MFC EV1 perso. 4B UID from Block 0
[+] …5A… Shadow mode enabled
[+] …5A… Magic auth enabled
[+] …00… Static encrypted nonce disabled
[+] …00… MFC EV1 signature disabled
[+] …00.. n/a
[+] …08 SAK

[usb] pm3 → hf mf gdmsetcfg -d 850000000000000000005A5A00000008
[+] Write ( ok )
[?] try hf mf gdmcfg to verify
[usb] pm3 → hf mf gdmcfg

[+] ------------------- GDM Gen4 Configuration -----------------------------------------
[+] 850000000000000000005A5A00000008
[+] 8500… Magic wakeup disabled
[+] …00… Magic wakeup style Gen1a 40(7)/43
[+] …000000… unknown
[+] …00… Key B use allowed when readable by ACL
[+] …00… CUID Disabled
[+] …00… n/a
[+] …00… MFC EV1 perso. 4B UID from Block 0
[+] …5A… Shadow mode enabled
[+] …5A… Magic auth enabled
[+] …00… Static encrypted nonce disabled
[+] …00… MFC EV1 signature disabled
[+] …00.. n/a
[+] …08 SAK

[usb] pm3

Well, now I’d like to know why something has changed from the original setup (like UID - double) and whether these cards are OK now.
Thank you @Equipter @Ditto @Pilgrimsmaster @Aoxhwjfoavdlhsvfpzha
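
Added example (not part of the original thread and not Proxmark3 code): a byte-level diff of the GDM config strings posted above, using the field offsets shown in the quoted `hf mf gdmcfg` output, together with the BCC check behind the `BCC0 incorrect` messages. The function names are hypothetical, and reading the BCC error as block 0 byte 4 being taken as the BCC once "MFC EV1 perso." reads "4B UID from Block 0" is an interpretation of the posted output.

```python
# Field layout taken from the "hf mf gdmcfg" output quoted in this thread:
# (byte offset, length, label printed by the Proxmark3 client).
FIELDS = [
    (0, 2, "Magic wakeup"), (2, 1, "Magic wakeup style"), (3, 3, "unknown"),
    (6, 1, "Key B use when readable by ACL"), (7, 1, "CUID"), (8, 1, "n/a"),
    (9, 1, "MFC EV1 perso."), (10, 1, "Shadow mode"), (11, 1, "Magic auth"),
    (12, 1, "Static encrypted nonce"), (13, 1, "MFC EV1 signature"),
    (14, 1, "n/a"), (15, 1, "SAK"),
]

def decode(cfg_hex):
    """Split a 16-byte GDM config block into (offset, label, hex value) tuples."""
    raw = bytes.fromhex(cfg_hex)
    if len(raw) != 16:
        raise ValueError("GDM config block must be exactly 16 bytes")
    return [(off, label, raw[off:off + n].hex().upper()) for off, n, label in FIELDS]

def diff(current_hex, candidate_hex):
    """Return (offset, label, current, candidate) for each field that differs."""
    pairs = zip(decode(current_hex), decode(candidate_hex))
    return [(o, lbl, cur, new) for (o, lbl, cur), (_, _, new) in pairs if cur != new]

def bcc(uid4):
    """ISO 14443-3 block check character: XOR of the 4 UID bytes of a cascade level."""
    if len(uid4) != 4:
        raise ValueError("BCC is computed over exactly 4 bytes")
    return uid4[0] ^ uid4[1] ^ uid4[2] ^ uid4[3]

def block0_bcc_ok(block0_hex):
    """For a 4-byte-UID card, block 0 bytes 0-3 are the UID and byte 4 its BCC."""
    b = bytes.fromhex(block0_hex)
    return b[4] == bcc(b[:4])

# Values copied from the thread's own output.
ORIGINAL = "8500000000005A00005A005A005A0008"     # first hf mf gdmcfg dump
FIRST_WRITE = "850000000000005A0000005A00000008"  # gdmsetcfg value reported before "bricked"
FINAL = "850000000000000000005A5A00000008"        # last hf mf gdmcfg dump
BLOCK0 = "04CDE50002D797884400C80000000000"       # block 0 row from hf mf cview

if __name__ == "__main__":
    for off, label, cur, new in diff(ORIGINAL, FINAL):
        print(f"byte {off:2d}  {label:32s} {cur} -> {new}")
    print(f"BCC of 04 CD E5 00 = 0x{bcc(bytes.fromhex('04CDE500')):02X}, "
          f"block 0 byte 4 consistent: {block0_bcc_ok(BLOCK0)}")
```

Running the same `diff` on a config read from the card and a candidate string before any `gdmsetcfg` write shows exactly which fields would change.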

Those cards are GDM Gen4 and very easy to brick if the config is written blindly. The gdmsetcfg command you used overwrote critical config bytes, which disables magic wakeup and blocks further access. Once that happens, standard hf 14a raw commands will not recover the card.

You should only use hf mf gdm commands and read the current config first before writing anything. Do not write full config strings unless you know the exact byte layout for that chip batch. If magic wakeup is disabled, the card is permanently bricked.

At this point there is no recovery for those two cards. For the next ones, test in the PM3 emulator, follow the documented GDM workflow, and never apply example configs verbatim.

Doesn’t this mean that Gen1a auth is disabled, but standard GDM auth will still work?

1 Like

Confirmed! Card recovered!!! I hope it helps someone in my same situation and finally a working clone @aox !! I needed a GDM, the GTU according to some has different timings and may not be read!

1 Like