ISIC Card Emulation

There isn’t a 4k implant, but if only the first few sectors are written to, cloning should still work. And the UID is 4 bytes so that shouldn’t be a problem. :)

2 Likes

Unless, by some incredible misfortune, the software checks the size of the transponder. I doubt it, most of those systems are dumber than bricks, but it’s possible.

1 Like

Or if it checks if the card/implant accepts magic commands, and rejects it if it does (more of an East Asian thing tho). Gen2 can solve that problem :)

1 Like

Heya, just reporting in:

  • I successfully cloned my uni card (Mifare Classic EV1 4k (MF1S70)) to a KSEC magic gen2 classic 1k
  • This was possible because my uni card uses a 4 byte NUID, and only the first two sectors contain information, so it doesn’t fill the whole 4k
  • I was able to use the cloned card to print out some materials that I have been planning to read (the 2020 Poc||GTFO), which worked well, but:

– My card was evidently detected as a clone. There was no prompt or anything like that, but there was a longer delay between the reader reading the card (and beeping), and actually logging me into my account [sidenote: is it possible the magic card has a lower bandwidth and that was responsible for slower data transfer? or some weird exception because the reader expects a 4k card, but gets a 1k that still reads right?]. Also, afterwards, the LED on the reader displayed a ‘breathing’ animation, but still accepting subsequent reads on other cards - I assume that is part of the system being tamper-evident; I doubt the nice ladies running the shop know what it means though

– I have read the ToS very thoroughly, and there are no clauses on tampering/cloning, and the provider does not reserve the right to terminate your account at any time for any reason - so I should be pretty safe, or at least in a grey area

3 Likes

I think Gen 2 magic detection is quite uncommon, in some high security applications you might see it but usually they know better than to use a defeated card system.

One possibility is that it’s checking the card ‘version’ and seeing that it is 1k not 4k, but since the data is correct continuing anyway.

Perhaps the more likely possibility is that the breathing light is unrelated. Perhaps the reader tries to connect to a server to update balances there too, and if it can’t connect it does the transaction on the card directly and breathes until it can reconnect to server?

It seems weird they’d go to the trouble of detecting clones and fakes, then have it just continue without issue anyway.

1 Like

That is true, it could just be the 1k/4k thing and it throwing a bit of a tantrum. [Could it not just get detected by checking manufacturer data? Kinda like Taginfo does it, it says “unknown Mifare manufacturer, possibly cloned”.] That could probably explain the delay, and the breathing lights could be like a HDD light. The curious thing is that they just don’t stop. Will have to observe further.

The reader definitely connects to the server, since there is no locally stored data either on the card (there is only a birthdate, card validity, UID, enrollment number) or on the reader/printer itself. There, it checks the account balance, and allows you to securely print your files that you previously sent to that server through a web interface.

1 Like

Check out the ‘GET VERSION’ command on the datasheet, it’ll just straight up respond with card type and capacity when asked.

The ‘unknown manufacturer’ thing is interesting though, it could be that, but not sure how it can tell.

Either way, weird choice to validate and confirm it’s a fake then accept it and pretend nothing happened. Usually clone detection would prevent it from continuing, or in some cases nuke the cloned card - definitely more to this story!

1 Like

Do you think I could somehow eavesdrop on the communication between the card and the reader with a prox? Would definitely be interesting

1 Like

Yep! I’ve not done it before so I won’t try and regurgitate how-to’s, but there are sniff commands that will give you some idea of what it’s requesting from the card.

You’ll find info on the PM forum, or if you get stuck, Iceman’s Discord can probably help you out.

1 Like

actually this is not a supported command on older mifare classic stuff… only newer ntag. it’s not even included in ultralight chip roms.

if your clone card is gen2 then really the only thing that’s probably happening is it is trying to read ALL 4k of the memory and failing… so the fails to read above 1k are probably causing the panic… but since the next function of the system doesn’t actually do anything with that data (probably doesn’t even know it’s not there) then it proceeds as expected.

2 Likes

I stand corrected! Had my wires crossed in my head and thought it was part of the ISO spec!

1 Like

I’ve been looking mainly at Mifare Classics (MFC) for my thesis.

Most cards are identified by their ATQA and SAK values, however there is no difference between a 1k and a 4k in terms of those values. This is usually why they can be positively identified as a MFC but can’t really suggest if it’s a 1k or 4k. Best way to tell would be to try to read sector 31 (last sector on a 4k). You could also scan it with NXP Tag Info, this should give you the chip type.

Depending on what sectors are being used, you might be able to use a 1k. From experience, most readers can’t tell the difference between a 1k or 4k card unless they use a sector >15 (ie only on a 4K).

If you can identify the reader, the datasheet may mention if it has clone detection. Usually this is done by sending a backdoor wakeup command to the card, if it replies then the reader stops communicating. Reason why Gen2 cards are generally recommended to ‘bypass’ this detection.

Best idea would be to get a 1k Gen1a magic card and clone your tag to it. However, you will need something like the Proxmark3 to utilise those backdoor commands. Once successfully cloned, present it to a reader. If the reader doesn’t process the tag it could have ‘clone detection’ or have an issue with it being a 4k. (I know there has been some issues with this already)

1 Like
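The 1k/4k size question discussed in this thread, seen from the reader side, as an added example (not code from any poster or from a real reader's firmware). It checks the enrolled card type against what the presented card can serve and fails closed on a mismatch; `can_read` is a hypothetical hook that assumes the system holds a key for the probed sector, and the simulated cards are constructed.

```python
from typing import Callable

# MIFARE Classic capacity in 16-byte blocks.
TOTAL_BLOCKS = {"1k": 64, "4k": 256}


def sector_of(block: int) -> int:
    """Sector that holds an absolute block number (a 1K card is sectors 0-15)."""
    if not 0 <= block < TOTAL_BLOCKS["4k"]:
        raise ValueError(f"block {block} out of range")
    if block < 128:
        return block // 4              # sectors 0-31: 4 blocks each
    return 32 + (block - 128) // 16    # sectors 32-39 (4K only): 16 blocks each


def check_capacity(enrolled: str, can_read: Callable[[int], bool]) -> dict:
    """Compare the enrolled card type with what the presented card can serve.

    can_read(block) is a hypothetical reader hook: True when the sector was
    authenticated and the block read, False on any failure.
    """
    if enrolled not in TOTAL_BLOCKS:
        raise ValueError(f"unknown card type {enrolled!r}")
    if not can_read(4):                # first block of sector 1
        return {"allow": False, "reason": "unreadable"}
    probe = TOTAL_BLOCKS["1k"]         # block 64: the first block a 1K card lacks
    observed = "4k" if can_read(probe) else "1k"
    if observed != enrolled:
        # Fail closed and leave an audit trail instead of silently continuing.
        return {"allow": False, "reason": "capacity_mismatch",
                "enrolled": enrolled, "observed": observed,
                "probe_sector": sector_of(probe)}
    return {"allow": True, "reason": "ok"}


def simulated_card(kind: str) -> Callable[[int], bool]:
    """Constructed stand-in for a card: every block that exists is readable."""
    return lambda block: 0 <= block < TOTAL_BLOCKS[kind]


if __name__ == "__main__":
    for enrolled, presented in [("4k", "4k"), ("4k", "1k"), ("1k", "1k")]:
        print(enrolled, presented, check_capacity(enrolled, simulated_card(presented)))
```
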

Hi, so I’m back with 3 1k magic gen2 cards. I already bricked one :D (I think).
What is the best way to clone it? A mobile app like MIFARE Classic Tool?
I also have an ACR122U-A9 card reader/writer. What would you guys choose to clone? (and which app)
Thanks a lot for your help.
JZ

1 Like

I cloned mine using the Mifare Classic Tool (Android app), and it worked fine. Just read the card - make sure not to move it during the mapping, save the dump, and write it to your card (again, no moving). Of course this only works if there is less than 1k of data to clone.

So I had cloned my card using Mifare Classic Tool (no advanced option) and it didn’t work.
So I tried to write the manufacturer data also. That failed and probably bricked my card.
Any idea? Thanks a lot for your reply.