Magic 1k 7-Byte UID Clone

Support
1

I recently moved into a new apartment building and they are using this snazzy Salto lock system (XS4 Lock) and readers (Design XS). The actual fobs they’ve given us didn’t look to be anything special, but upon further inspection seemed to be the elusive 7-Byte Magic 1K’s. I tried to find an official datasheet from the company confirming this, but no luck.

In my hands right now, I’ve got a FlexMN and FlexMT (along with a NeXT and some xSIIDs). Since the flexMN only handles 4-byte UID’s, I tried to clone the 7-byte UID (and rest of block 0) to the FlexMN, but the reader rejected them. While I could try to continue cloning the rest of the blocks, I am unsure if it’s worth the effort as the reader might be looking for some 1K specific stuff. I’ll definitely grab some 7-byte magic 1K’s from KSEC or Lab401, but I am wondering if anyone has any idea about possibly getting it working with one of the implants I already have?

If not, would @amal be open to me sending him a Magic 1k 7-byte (like this) for a custom conversion/implant?

Below you can find the proxmark hf 14a info output, as well as the hf mf dump and keys used:

[usb] pm3 --> hf 14a info

[+]  UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
[=]  IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 57DCFA81E98AC4F031B3140DEB8563F9BE5830F6AC6EAE8742B9D264D2569528
[+]        Signature verification: successful
[?] Hint: try `hf mf` commands

[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[=] target sector  17 key type B -- using valid key [ 4B 79 1B EA 7B CC ] (used for nested / hardnested attack)
[+] loaded 45 keys from hardcoded default array
[=] running strategy 1
[=] ..
[=] Chunk 5.3s | found 22/36 keys (45)
[=] running strategy 2
[=] ...
[=] Chunk 6.8s | found 22/36 keys (45)
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   6 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   7 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   8 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   9 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  10 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  11 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  12 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  13 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  14 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  15 key type A -- found valid key [ 6A1987C40A21 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX2 SIMD core               |                 |
[=]        0 |       0 | Brute force benchmark: 1038 million (2^30.0) keys/s     | 140737488355328 |    2d
[=]        3 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    2d
[#] AcquireEncryptedNonces finished
[=]        6 |     112 | Apply bit flip properties                               |    785005740032 | 13min
[#] AcquireEncryptedNonces finished
[=]        7 |     223 | Apply bit flip properties                               |    440950980608 |  7min
[#] AcquireEncryptedNonces finished
[=]        9 |     335 | Apply bit flip properties                               |    373315141632 |  6min
[#] AcquireEncryptedNonces finished
[=]       10 |     446 | Apply bit flip properties                               |    372024573952 |  6min
[#] AcquireEncryptedNonces finished
[=]       10 |     557 | Apply bit flip properties                               |    372024573952 |  6min
[#] AcquireEncryptedNonces finished
[=]       11 |     669 | Apply bit flip properties                               |    372024573952 |  6min
[#] AcquireEncryptedNonces finished
[=]       12 |     781 | Apply bit flip properties                               |    372024573952 |  6min
[#] AcquireEncryptedNonces finished
[=]       13 |     890 | Apply bit flip properties                               |    372024573952 |  6min
[#] AcquireEncryptedNonces finished
[=]       14 |    1001 | Apply bit flip properties                               |    372024573952 |  6min
[#] AcquireEncryptedNonces finished
[=]       15 |    1113 | Apply bit flip properties                               |    372024573952 |  6min
[#] AcquireEncryptedNonces finished
[=]       16 |    1224 | Apply bit flip properties                               |    372024573952 |  6min
[#] AcquireEncryptedNonces finished
[=]       17 |    1333 | Apply bit flip properties                               |    372024573952 |  6min
[#] AcquireEncryptedNonces finished
[=]       18 |    1445 | Apply bit flip properties                               |    372024573952 |  6min
[#] AcquireEncryptedNonces finished
[=]       20 |    1556 | Apply Sum property. Sum(a0) = 128                       |     34840657920 |   34s
[#] AcquireEncryptedNonces finished
[=]       20 |    1667 | Apply bit flip properties                               |     34840657920 |   34s
[#] AcquireEncryptedNonces finished
[=]       21 |    1775 | Apply bit flip properties                               |     17935394816 |   17s
[#] AcquireEncryptedNonces finished
[=]       22 |    1883 | Apply bit flip properties                               |     17273036800 |   17s
[#] AcquireEncryptedNonces finished
[=]       23 |    1992 | Apply bit flip properties                               |     17273036800 |   17s
[#] AcquireEncryptedNonces finished
[=]       24 |    2095 | Apply bit flip properties                               |     17273036800 |   17s
[#] AcquireEncryptedNonces finished
[=]       25 |    2095 | (1. guess: Sum(a8) = 0)                                 |     17273036800 |   17s
[=]       26 |    2095 | Apply Sum(a8) and all bytes bitflip properties          |     17011055616 |   16s
[=]       26 |    2095 | Brute force phase completed.  Key found: 7F33625BC129   |               0 |    0s
[+] target sector   5 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   6 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   7 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   8 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   9 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  10 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  11 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  12 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  13 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  14 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  15 key type B -- found valid key [ 7F33625BC129 ]
[#] Cmd Error 04
[#] Read block error
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX2 SIMD core               |                 |
[=]        0 |       0 | Brute force benchmark: 1159 million (2^30.1) keys/s     | 140737488355328 |   34h
[=]        3 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   34h
[#] AcquireEncryptedNonces finished
[=]        6 |     112 | Apply bit flip properties                               |     73401761792 |   63s
[#] AcquireEncryptedNonces finished
[=]        7 |     224 | Apply bit flip properties                               |      4014018816 |    3s
[#] AcquireEncryptedNonces finished
[=]        8 |     335 | Apply bit flip properties                               |      1031355072 |    1s
[#] AcquireEncryptedNonces finished
[=]        9 |     446 | Apply bit flip properties                               |       955377536 |    1s
[#] AcquireEncryptedNonces finished
[=]       10 |     557 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       11 |     669 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       12 |     780 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       13 |     891 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       14 |    1002 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       15 |    1111 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       16 |    1221 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       17 |    1331 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       18 |    1442 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       19 |    1552 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       20 |    1659 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       21 |    1766 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       22 |    1873 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       23 |    1982 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       24 |    2090 | Apply Sum property. Sum(a0) = 120                       |       119537600 |    0s
[#] AcquireEncryptedNonces finished
[=]       25 |    2090 | (Ignoring Sum(a8) properties)                           |       119537600 |    0s
[=]       26 |    2090 | Brute force phase completed.  Key found: D01AFEEB890A   |               0 |    0s
[+] target sector  16 key type B -- found valid key [ D01AFEEB890A ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | 6A1987C40A21 | D | 7F33625BC129 | H
[+]  006 | 027 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  007 | 031 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  008 | 035 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  009 | 039 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  010 | 043 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  011 | 047 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  012 | 051 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  013 | 055 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  014 | 059 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  015 | 063 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  016 | 067 | 5C8FF9990DA2 | D | D01AFEEB890A | H
[+]  017 | 071 | 5C8FF9990DA2 | D | 4B791BEA7BCC | U
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )


[=] FILE PATH:  hf-mf-044EEDD2747281-key.bin
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-044EEDD2747281-key.bin
[=] FYI! --> 0xFFFFFFFFFFFF <-- has been inserted for unknown keys where res is 0
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY A,  swapping to KEY B
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[=] FILE PATH:  hf-mf-044EEDD2747281-dump.bin
[+] saved 1024 bytes to binary file hf-mf-044EEDD2747281-dump.bin
[=] FILE PATH:  hf-mf-044EEDD2747281-dump.eml
[+] saved 64 blocks to text file hf-mf-044EEDD2747281-dump.eml
[=] FILE PATH:  hf-mf-044EEDD2747281-dump.json
[+] saved to json file hf-mf-044EEDD2747281-dump.json
[=] autopwn execution time: 73 seconds

[usb] pm3 --> hf mf view --file hf-mf-044EEDD2747281-dump.json
[+] loaded from JSON file hf-mf-044EEDD2747281-dump.json

[=] -----+-----+-------------------------------------------------+-----------------
[=]  sec | blk | data                                            | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=]    0 |   0 | 04 4E ED D2 74 72 81 88 44 00 C8 20 00 00 00 00 | .N..tr..D.. ....
[=]      |   1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   3 | FF FF FF FF FF FF FF 07 80 69 5C 8F F9 99 0D A2 | .........i\.....
[=]    1 |   4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   7 | FF FF FF FF FF FF FF 07 80 69 5C 8F F9 99 0D A2 | .........i\.....
[=]    2 |   8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    3 |  12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    4 |  16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    5 |  20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  23 | 6A 19 87 C4 0A 21 F7 8F 00 5A FF FF FF FF FF FF | j....!...Z......
[=]    6 |  24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  27 | 6A 19 87 C4 0A 21 F7 8F 00 5A FF FF FF FF FF FF | j....!...Z......
[=]    7 |  28 | B3 76 FE 17 21 97 F2 97 71 E9 14 25 49 45 C8 92 | .v..!...q..%IE..
[=]      |  29 | 75 47 DD 27 55 61 5E 5D 4B 42 46 24 6E D3 E0 C9 | uG.'Ua^]KBF$n...
[=]      |  30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  31 | 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29 | j....!...Z.3b[.)
[=]    8 |  32 | 02 EE 5E A9 16 1E 85 69 47 F9 58 EA 39 BD B5 C2 | ..^....iG.X.9...
[=]      |  33 | 08 4C 78 D1 40 9F 38 F5 0A CA A0 D9 D8 2E 44 F4 | .Lx.@.8.......D.
[=]      |  34 | FC 85 4B 39 FB DF DE 0E 5B DA DA A6 AE 6F 3C FF | ..K9....[....o<.
[=]      |  35 | 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29 | j....!...Z.3b[.)
[=]    9 |  36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  37 | 00 02 FD 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  38 | 4C 6E 50 EE C6 6C 96 5F 31 21 BF DB B8 61 4B 19 | LnP..l._1!...aK.
[=]      |  39 | 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29 | j....!...Z.3b[.)
[=]   10 |  40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  43 | 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29 | j....!...Z.3b[.)
[=]   11 |  44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  47 | 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29 | j....!...Z.3b[.)
[=]   12 |  48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  51 | 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29 | j....!...Z.3b[.)
[=]   13 |  52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  55 | 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29 | j....!...Z.3b[.)
[=]   14 |  56 | B4 90 00 E6 00 00 00 1A 00 00 00 00 EE 00 00 00 | ................
[=]      |  57 | 00 13 EC 4C C0 44 13 AC C4 00 FF AE CC 8B AF 20 | ...L.D.........
[=]      |  58 | E4 65 74 91 6D 63 BF 00 00 00 00 00 00 00 00 00 | .et.mc..........
[=]      |  59 | 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29 | j....!...Z.3b[.)
[=]   15 |  60 | E0 FF 00 00 00 48 EF 48 1F 00 FF FF FF B7 10 B7 | .....H.H........
[=]      |  61 | FF 81 96 00 10 02 00 2B 00 00 00 00 00 00 00 00 | .......+........
[=]      |  62 | FF FF 0E F1 81 3E 28 E0 94 76 A6 1D E9 F4 2D D7 | .....>(..v....-.
[=]      |  63 | 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29 | j....!...Z.3b[.)
[=] -----+-----+-------------------------------------------------+-----------------
[?] cyan = value block with decoded value
2

Im pretty sure he would.

I think your best bet is to buy one, test that it works and ask him about conversion.

3

Yeah we could take a stab at it. The question is what capacitance the chip is… might require some testing. Get two cards?

1 Like
4

Since we’re already looking at the classic, have you done any testing with the Gen4 magic cards? I’d be intrigued to see if they work because if they do, then you’ve basically got a one-stop-shop chip for almost every MiFare card.

5

People have been talking about exploring it.

6

Sure, I’d also be open to shipping some Gen4’s if you’d wanna try those as well.

1 Like
7

Why are there no implants available that allows 7-byte UID change? Hasn’t that been available for several years in card form already?

8

the flexMN is/was an implant that could do 7b uid changing.

what chipset are you looking for specifically tho? i would think it would be difficult for DT to source Mifare Classic 4K 7B UID Gen1/2 in a small enough form factor to fit in an xseries

9

Got some cards that’ll do it?