Help needed with xm1+

Great work, Simon!

For those playing along at home, it seems the missing step was using the csetuid command to do the block 0 write since gen1a isn’t directly writeable. Or the alternative, cload to restore the card using the backdoor.

And looks like the reason the second try to restore failed is that the keys had already been changed the first time, and weren’t provided to the restore command.

2 Likes

Yeah, it was strange. csetuid didn’t matter as Simon even changed random characters in his UID on a working magic card we were using for practice, and it still worked. For some reason, the test card was working, but not the implant. I had him use

hf mf restore

After a dump. That worked on the magic card, but not the implant. So we started over, cwipe and remagic the card. @Jirvin came in explaining cload, so we used that technique and it worked great. Kind of a head scratcher.

I look forward to Simon’s write up, and I hope he picks up cards of various formats and keeps practicing on various tech. By the end of the session, Simon was even doing things on his own before we told him to do it. It was very refreshing as many people come to forums looking for someone to do it for them. Simon genuinely wanted assistance, not free labor, and I really think he learned something.

3 Likes

I don’t own an RDV 4 yet, but when I do, I already have the ProxLF module for it :smiley:
Instead I owned two proxmark3 easy, so I sold one to @simon_beer
My apologies that I couldn’t be of much help the past couple days.

2 Likes

Makes sense! I couldn’t see you letting go of your only Proxmark so assumed it was an upgrade.

It’s all good, plenty of us around that are happy to help!

1 Like

So yesterday evening and night @cexshun and @Jirvin and I
were on a quest to make the xm1+ work with my system
and also to make my proxmark 3 easy work.

So first things first: I started out with the wrong software for the older proxmark 3 easy, because its memory is smaller than the newer ones.

I tried to flash the iceman firmware, but that is too large for the older proxmark 3 easy, so I needed to flash it with the original firmware, and that worked. It did take a while to get it to work: first I needed to make sure everything the software needs was installed on my pc (ubuntu).
Also download the needed files here, this is the original software for the proxmark 3 easy.

Then open up a terminal in the folder where you unpacked all the files and run these commands first:

  • sudo apt update

  • sudo apt upgrade

  • git clone https://github.com/proxmark/proxmark3.git

  • sudo apt install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib libpcsclite-dev pcscd

Now we need to enter the repository:

  • cd proxmark3

and then we need to run:

  • git pull

There are also some blacklist rules we need to install:

  • sudo cp -rf driver/77-mm-usb-device-blacklist.rules /etc/udev/rules.d/77-mm-usb-device-blacklist.rules
    sudo udevadm control --reload-rules

After this, make sure you log out and in again so that your rights are changed.

Now it needs to be compiled:

  • make clean && make all

Make sure there are no errors or missing files, or it will not work.

If that all worked, we can now plug in the proxmark 3 easy.
We now need to know on what port it is, so we can flash the firmware to the proxmark.

It will probably be a CDC device, and that will look something like this:

[10416.461687] usb 2-1.2: new full-speed USB device number 12 using ehci_hcd
[10416.555093] usb 2-1.2: New USB device found, idVendor=9ac4, idProduct=4b8f
[10416.555105] usb 2-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[10416.555108] usb 2-1.2: Product: PM3
[10416.555111] usb 2-1.2: Manufacturer: proxmark.org
[10416.555871] cdc_acm 2-1.2:1.0: ttyACM0: USB ACM device

The last line tells you what port it's on: ttyACM0 is the port here, but this could be different on your system.

So first it's best to only flash the bootrom and not both at the same time, since this can lead to some errors popping up, and we don't want that of course.

First run this (make sure you have the right port entered here as well, or it won't work):

  • client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf

With me it worked like this. Then run this command; it also re-flashes the bootrom, but with me it wouldn't work otherwise for some reason:

  • client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf

Now the proxmark should be ready to use. Turn it off and on again, but be VERY VERY sure it's done with the flash.

Then change back into the folder:

  • cd client

Now you can run the client with:

  • ./proxmark3 /dev/ttyACM0

Always do a hw tune. Make sure there is no card on the antenna or anything, I can imagine it won't be good for your card. We can now also check if everything worked properly
with these commands:

  • hw status

  • hw version

  • hw tune

to make sure the proxmark3 is in good working order.

Now that we have the proxmark 3 running and working, we can copy or clone some cards and crack them.

My next post will be a walkthrough of that.
If I said something wrong please tell me, I am in no way an expert in Linux or proxmark, but this worked for me and maybe someone gets theirs to work with this as well.

greetings
-simon

6 Likes

Haha, see, this is why I said take notes. That write-up is amazing and will be a very good reference for anyone with issues on an xm1.

2 Likes

So where did we leave off?

I was once again helped by @cexshun and @Jirvin.

When you did everything in the last post and that all worked, we can now clone a mifare classic 1k.

So when you fire up your proxmark 3 easy you should first start a hardware tune. First make sure your card is not near the device, as this may damage the card.
Then you can run this command:

  • hw tune

so you know your device is good to go.
It should tell you if there is something not working.

Now we should do a hf search to see if it reads the card, and then what kind of card it is. Mine looked like this:

proxmark3> hf search

UID : ( your UID )
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK

Valid ISO14443A Tag Found - Quiting Search

That's what my card looks like, I did take my UID out of it.

Now we can try and find the first key so we can crack the rest of the card. So the command we will run now is:

  • hf mf mifare

Then let that run, it can take quite some time, mine takes about 15 minutes. When that's done,

the software tells you this:

proxmark3> hf mf mifare

Executing command. Expected execution time: 25sec on average
Press button on the proxmark3 device to abort both proxmark3 and client.

…Found a possible key. Trying to authenticate…

Found valid key: A KEY

Then you should write down that key, because we will need it for the next command, or just copy it.

Now we are going to do a nested attack.
The next command will be:

  • hf mf nested 1 0 A YOURKEY d

Then the proxmark will try that key to find the remaining other keys. Now let it run and it should look something like this:

Nested statistic:
Iterations count: 137
Time in nested: 87,216 (0,637 sec per key)
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  000000000000  | 1 |  000000000000  | 1 |
|001|  000000000000  | 1 |  000000000000  | 1 |
|002|  000000000000  | 1 |  000000000000  | 1 |
|003|  000000000000  | 1 |  000000000000  | 1 |
|004|  000000000000  | 1 |  000000000000  | 1 |
|005|  000000000000  | 1 |  000000000000  | 1 |
|006|  000000000000  | 1 |  000000000000  | 1 |
|007|  000000000000  | 1 |  000000000000  | 1 |
|008|  000000000000  | 1 |  000000000000  | 1 |
|009|  000000000000  | 1 |  000000000000  | 0 |
|010|  000000000000  | 1 |  000000000000  | 1 |
|011|  000000000000  | 1 |  000000000000  | 1 |
|012|  000000000000  | 1 |  000000000000  | 1 |
|013|  000000000000  | 1 |  000000000000  | 1 |
|014|  000000000000  | 1 |  000000000000  | 1 |
|015|  000000000000  | 0 |  000000000000  | 1 |
|---|----------------|---|----------------|---|

Printing keys to binary file dumpkeys.bin…
proxmark3>

I did change all the keys to zero here, so it will be a bit different for you.

Now it should have found all keys. If not, it's gonna be a bit more difficult, and I will make a new post for that some day.

Now we should make a file with all the keys inside of it; it must be a .dic file,
so we can tell the software to use those keys instead of the default keys.

So place your file in a place where you can easily make a path to, so your command should be something like this, but then of course with your path to the file:

  • hf mf chk *1 ? d /home/simon/garagekeys.dic

Now you can run the next command:

  • hf mf dump 1

So now we can convert this to the file we are going to use to write to a new card or your xm1+.

So now we can run this script to convert the file:

  • script run dumptoemul -0 dumpdata.bin

Now that gave you a file name, you need that in the next step.

Now take off your source card and put on your target card or xm1+ (first try on a test card to be sure),
and then run this command:

  • hf mf cload filename

And now you have cloned your source card to whatever you want.

I want to thank @cexshun and @Jirvin once more, since they helped me a lot this time again.

And if there is something not right in this, please tell me :smiley:

greetings
-simon

1 Like
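The walkthrough above relies on a hand-made .dic key file and on the .eml file that `script run dumptoemul` produces. Here is an added Python example (not Simon's commands and not Proxmark code) that converts the two binary files from the walkthrough into those text formats and shows where the keys sit in a dump. It assumes the original proxmark3 client's dumpkeys.bin layout (16 key A entries followed by 16 key B entries, 6 bytes each) and a 1024-byte dumpdata.bin; all sample bytes are constructed.

```python
# Added example, not from the post or the Proxmark project.
# Assumed layouts (as the original proxmark3 client writes them):
#   dumpkeys.bin : 16 key A entries (6 bytes each), then 16 key B entries
#   dumpdata.bin : 64 blocks x 16 bytes = 1024 bytes for a MIFARE Classic 1k
# .dic : one 12-hex-char key per line, used by "hf mf chk ... d file.dic"
# .eml : one 32-hex-char block per line, used by "hf mf cload"
SECTORS_1K = 16
BLOCKS_1K = 64
KEY_LEN = 6
BLOCK_LEN = 16


def dumpkeys_to_dic(raw: bytes, sectors: int = SECTORS_1K) -> list[str]:
    """Return the unique keys in a dumpkeys.bin image as .dic lines."""
    expected = sectors * KEY_LEN * 2
    if len(raw) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(raw)}")
    keys: list[str] = []
    for i in range(sectors * 2):                 # all A keys first, then all B keys
        key = raw[i * KEY_LEN:(i + 1) * KEY_LEN].hex()
        if key not in keys:                      # chk only needs each key once
            keys.append(key)
    return keys


def dump_to_eml(raw: bytes, blocks: int = BLOCKS_1K) -> list[str]:
    """Return a dumpdata.bin image as .eml lines (one 16-byte block per line)."""
    if len(raw) != blocks * BLOCK_LEN:
        raise ValueError(f"expected {blocks * BLOCK_LEN} bytes, got {len(raw)}")
    return [raw[b * BLOCK_LEN:(b + 1) * BLOCK_LEN].hex().upper() for b in range(blocks)]


def sector_trailer_keys(eml_lines: list[str], sector: int) -> tuple[str, str]:
    """Key A and key B from a sector trailer (block 4*sector+3): keyA|access|keyB.

    A card never returns key A when read; the dump command copies it in from
    dumpkeys.bin, which is why the key file has to exist before "hf mf dump"."""
    trailer = eml_lines[sector * 4 + 3]
    return trailer[:12].lower(), trailer[20:].lower()


# Constructed sample: every key is zero, as in the post, except sector 1 key B.
SAMPLE_KEYS = bytes(96) + bytes(6) + bytes.fromhex("a0a1a2a3a4a5") + bytes(84)
_dump = bytearray(BLOCKS_1K * BLOCK_LEN)
_dump[0:4] = bytes.fromhex("01020304")           # constructed UID in block 0
_dump[7 * BLOCK_LEN:8 * BLOCK_LEN] = bytes(6) + bytes.fromhex("ff078069a0a1a2a3a4a5")
SAMPLE_DUMP = bytes(_dump)

if __name__ == "__main__":
    print("\n".join(dumpkeys_to_dic(SAMPLE_KEYS)))
    print("\n".join(dump_to_eml(SAMPLE_DUMP)[:8]))
```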