Mifare Classic 1K > xM1 Clone help

Hey All,

I’m back! This time, as no doubt spoiled by the title, I’m looking for some help cloning an old hotel key, what I assume to be a MF Classic 1K to my xM1.

Here is the hf search of the hotel key

And here is the hf search of my xM1

Firstly, possibly incorrectly, I assumed this hotel key is compatible with the xM1 based on the obvious similarities of the search results. So I ran,

hf mf csetuid -u bdc7c7aa --atqa 0004 --sak 08

Based on the UID I’m trying to copy and the csetuid help examples and, no doubt spoiled by the title, this did not work.

Returning this result,

And many questions.

So I’m here to ask,

  1. Am I correct in assuming these are compatible for cloning and am I on the right track?
  2. Did the csetuid fail because I did not -w first (this was my first thought but I wanted to seek help before I commanded my pm3 to “wipe” anything)?
  3. Is the information listed under Tag Signature relevant to this undertaking, and did I fail because I neglected it?
  4. Is there a convenient place where I can further read up on the results of these searches and what the results (Ex. ATQA, SAK, RATS, wupC1) all mean?

I did poke around in the search results for xM1 and MF Classic 1k but didn’t seem to find what I was after. Sorry if I missed something and this kind of stuff has been covered elsewhere, please point me to it if I have.

Any and all help and replies are appreciated. I look forward to 'em.

-3RFIDdy

UPDATE

I followed this video (by the way, great video @amal),

Which yielded some interesting results,

hf mf autopwn

And then,

hf mf cload -f filename.eml

Resulted in a write block send command error. I should note at this point that I’m cloning to a Proxgrind Gen1A S50, and whilst the UID, ATQA and SAK have all been cloned, all of the ‘Tag Signature’ data was not.

Doesn’t take much of a leap to infer that the partial dump file is the reason that this information is missing but is that inference correct? Is it perhaps an incompatibility between the hotel key and the S50 card?

And how do you think I would go about making that partial dump file just a regular old complete dump file?

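Added example for question 4 above (not code from the original post or from Proxmark): a Python decoder for the ATQA, SAK and UID values that hf search prints, assuming the ISO/IEC 14443-3 bit layout and the SAK table from NXP application note AN10833, with the post's own values (UID bdc7c7aa, ATQA 0004, SAK 08) as sample input.

```python
# Added example for this thread, not Proxmark's own code. Decodes the ISO 14443-3
# identification values that `hf search` prints (ATQA, SAK, UID) following
# ISO/IEC 14443-3 and NXP AN10833. Sample values are the ones quoted in the post.

UID_SIZE = {0: "single (4 byte)", 1: "double (7 byte)", 2: "triple (10 byte)"}

# Well-known SAK values from AN10833; anything else is reported as unknown.
SAK_TYPES = {
    0x00: "MIFARE Ultralight / NTAG family",
    0x08: "MIFARE Classic 1K (or Plus 2K in SL1)",
    0x09: "MIFARE Mini",
    0x18: "MIFARE Classic 4K (or Plus 4K in SL1)",
    0x20: "ISO 14443-4 card, e.g. DESFire / Plus in SL3",
    0x28: "MIFARE Classic 1K emulation on an ISO 14443-4 chip",
}

def decode_atqa(atqa: int) -> dict:
    """ATQA as Proxmark prints it (e.g. 0x0004); the low byte carries the UID size."""
    low = atqa & 0xFF
    return {
        "uid_size": UID_SIZE.get((low >> 6) & 0x3, "RFU"),
        "bit_frame_anticollision": low & 0x1F,     # bits 0-4, exactly one bit set
        "proprietary_coding": (atqa >> 8) & 0x0F,  # bits 8-11 of the high byte
    }

def decode_sak(sak: int) -> dict:
    """SAK bits that matter: 0x04 = UID not complete (cascade), 0x20 = 14443-4 support."""
    return {
        "uid_not_complete": bool(sak & 0x04),
        "iso14443_4": bool(sak & 0x20),
        "type": SAK_TYPES.get(sak, "unknown, look it up in AN10833"),
    }

def bcc(uid: bytes) -> int:
    """Block check character for one 4-byte cascade level: XOR of the UID bytes."""
    if len(uid) != 4:
        raise ValueError("BCC is computed over one 4-byte cascade level")
    result = 0
    for b in uid:
        result ^= b
    return result

def block0_consistent(block0_hex: str) -> bool:
    """True if byte 4 of a Classic 1K block 0 (from an .eml dump line) is the BCC of bytes 0-3."""
    block = bytes.fromhex(block0_hex)
    return len(block) == 16 and block[4] == bcc(block[:4])

if __name__ == "__main__":
    print(decode_atqa(0x0004), decode_sak(0x08), hex(bcc(bytes.fromhex("bdc7c7aa"))))
```

A block 0 whose byte 4 does not match the BCC is the first thing to check in a dump file that a reader or card refuses, since many readers reject the card before any sector data is consulted.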

I have the same problem:

The magic ring is a gen 2 magic chip. As such you can just write to any part of the chip without first using the backdoor commands. The backdoor commands won’t work, so the gen 1 backdoor commands will fail. Try just copying the data without using any special “magic” commands.

ETA: My mistake, I assumed that we were talking about the Magic Ring, not the XM1.

Still good info…

I have a NeXT implant.

I want to write a door card into my NeXT implant; they have the same chip, hf.
Which command do I have to use?

Unfortunately you cannot write a mifare chip onto a NeXT. The NeXT contains a T5577 which is capable of emulating a bunch of low frequency chips, and an NTAG216 which is a very capable chip, but cannot have its UID modified. You would need a Magic chip to modify the UID in it.

Most door locks act on just the UID so you will probably have two options.

  1. Buy a Magic chip based implant and clone your door card onto that (assuming that your door card uses a mifare chip)
  2. Have whoever is in charge of the door system enroll your implant in it. For my front door I have the power to add my own chips, so this is the route that I go.

Oh noo

The card you have is a Mifare Classic EV1, which contains a hardened (but exploitable) PRNG and a signature from NXP to ensure it's a genuine card. From my experience with Mifare, no manufacturers are checking the signature of EV1 cards, and there aren't many manufacturers that know the signatures exist on EV1 nor where they are located. This is partly due to this ‘feature’ not being documented on NXP datasheets (from what I recall).
Given the above about the lack of use for the signature of Ev1, there are no magic Mifare cards which support signature cloning; there is no need for it given no manufacturer checks that data.

From your first screenshot, after autopwn, there are some command errors when the command tries to write the found data to simulator memory. This is also most likely the reason why it shows the dump file is partially complete.
For what device did you compile the client and what version of the proxmark are you using?

On your second screenshot, showing cload: from my experience, bad magic card block writes are usually due to bad coupling between the tag antenna and the PM3 antenna. Try putting some air distance between the card and the PM3 and run the command again.

General tip: since you know the card is a Mifare which is (closely compliant) with 14a, you can use the command hf 14a info rather than hf search to get basic card info faster.
