Mifare Classic 1K > xM1 Clone help

I want to write door card into my Next implant, they have the same chip, hf.
Which command do I have to use?

Unfortunately you cannot write a mifare chip onto a NeXT. The NeXT contains a T5577 which is capable of emulating a bunch of low frequency chips, and an NTAG216 which is a very capable chip, but cannot have its UID modified. You would need a Magic chip to modify the UID in it.

Most door locks act on just the UID so you will probably have two options.

  1. Buy a Magic chip based implant and clone your door card onto that (assuming that your door card uses a mifare chip)
  2. Have whoever is in charge of the door system enroll your implant in it. For my front door I have the power to add my own chips, so this is the route that I go.

Oh noo :frowning: :frowning:

The card you have is a Mifare Classic Ev1 which contains a hardened (but exploitable) PRNG and a signature from NXP to ensure it's a genuine card. From my experience with Mifare, no manufacturers are checking the signature of Ev1 cards and there aren't many manufacturers that know the signatures exist on Ev1 nor where they are located. This is partly due to this 'feature' not being documented on NXP datasheets (from what I recall).
Given the above about the lack of use for the signature of Ev1, there are no magic Mifare cards which support signature cloning; there is no need for it given no manufacturer checks that data.

From your first screenshot, after autopwn, there are some command errors when the command tries to write the found data to simulator memory. This is also most likely the reason why it shows the dump file is partially complete.
For what device did you compile the client and what version of the proxmark are you using?

As for your second screenshot, showing cload: from my experience, bad magic card block writes are usually due to bad coupling between the tag antenna and the PM3 antenna. Try putting some air distance between the card and the PM3 and run the command again.

General tip: since you know the card is a Mifare which is (closely compliant) with 14a, you can use the command hf 14a info rather than hf search to get basic card info faster.


I have the same error. Would you please let me know if I am understanding you correctly. If I can copy the other data correctly the signature should be immaterial for the time being because it is not being checked.

Also, cmd error 04… Should I try to update? My last update was Dec. 29th. I set it up in ProxSpace on a Windows machine, following the Dangerous Things video and written directions. Is there a workaround to dump the file?

Any help or guidance would be greatly appreciated.

Thank you!

Hello Dangerousthings Community!
I have had an xM1 gen2 Mifare Classic implant since last week. I am very satisfied so far.
Today I wanted to clone my gym card to the xM1 gen2 Mifare Classic (image 2).
2. xM1 gen2 Mifare Classic

First I created the dump file, which was possible (image 3).

Then I wanted to load the dump file onto the xM1 gen2 Mifare Classic. But then the following message appears (image 4).

If I take a Mifare Classic gen1 card (image 5)
5. Mifare Classic gen1

I can copy the dump file to this card.

What am I doing wrong?
Or is it not possible to clone a Mifare Classic gen1 to a Mifare Classic gen2?

Please help me :slight_smile:

cload is to write a dump to a backdoor (gen1a) card. You’re just using the wrong command. Because the gen2 card operates just like any normal mifare chip (but with sector 0 unlocked for writing), you just use the normal write commands used for any mifare card. In this case, I believe you want to just use the restore command instead of cload.

Be sure to check your firmware version's help section, but this is mine:

Amal gave you the Proxmark3 answer.
That will sort you out.

I personally use the MCT app for convenience and ease of use.

If nothing else, it will give you another tool in your arsenal.

Sing out if you need a hand driving it


Amal!

Thanks a lot!! It works.
I’ll test it out in the gym this evening if I find the motivation to exercise :smiley:

@Pilgrimsmaster I will try this also today!


Hey Amal, I have another question.

What is the key file exactly?

The first thing I did was create a dump file using the “hf mf autopwn” command. Three files were then stored in my directory. “dump.bin”, “key.bin” and “dump.json”.

Then I placed my implant on the PM3 and executed the following command:

“hf mf restore -f C:\Users\khageney\working\ProxSpace\pm3\hf-mf-C25CFAEB-dump.bin”

Then the following message came:

I then went to my directory and changed “hf-mf-C25CFAEB-key.bin” to “hf-mf-12345678-key.bin”. (example number) Then my gym card could be copied.

Is the process correct?

Sorry, I’m still pretty new and still learning.
Maybe you could describe the process for my application again in more detail.

Thanks in advance

Klaas

ChatGPT says…

Memory Structure

  1. Memory Size: MIFARE Classic cards come in two main variations - 1K and 4K. The 1K version has 1024 bytes of memory, while the 4K version has 4096 bytes.

  2. Sectors and Blocks:

    • 1K Version: Divided into 16 sectors, each with 4 blocks.
    • 4K Version: Divided into 40 sectors, where the first 32 sectors contain 4 blocks each, and the last 8 sectors are “extended” sectors, containing 16 blocks each.
    • Each block is 16 bytes long.
  3. Data Storage: User data is stored in the blocks, but not all blocks are available for data storage because one block in each sector is used as a “sector trailer”.

Sector Trailer

  • Location: The last block of each sector is the sector trailer.
  • Contents:
    • Key A: 6 bytes. Used for various access control purposes.
    • Access Bits: 4 bytes. Define the access conditions for each block in the sector, including the sector trailer itself.
    • Key B: 6 bytes. Optional and can also be used for access control or can be used to store other data if not used for security purposes.

Access Control in Sector Trailer

  • The access bits in the sector trailer determine how the blocks in the sector can be accessed (read, write, increment, decrement, etc.).
  • The keys (Key A and Key B) and the access bits work together to define the security for each block.
  • The configuration of the access bits is critical because if they are set incorrectly, they can render the sector permanently inaccessible.

Ok well, it got the important stuff about how the memory is structured. The dump data file contains only the memory blocks from each sector and not the keys stored in the sector trailer. Those are kept in the separate key file because reasons.


Hello Amal,

I understand more and more how the whole NFC world works. But I'm not a professional yet and I need your help again…
Ultimately I just want to copy my gym card to a Mifare Classic 1k Magic gen2 Card / xM1gen2. I proceeded as follows:

I read in the tag/implant to be written on:
hf mf info

Then I scanned my gym card:
hf mf info
1 Gym Card C25CFAEB

Now I have created the dump and key files for the gym card:
hf mf autopwn

Now I have created the dump and key files for the Mifare Classic 1k Magic gen2:
hf mf autopwn

Now I have with the help of the command
hf mf restore -f C:\Users\khageney\working\ProxSpace\pm3\hf-mf-C25CFAEB-dump.bin
tried to play the dump file from the gym card on the Mifare Classic 1k Magic gen2.
But that didn’t work. The UID remains the same and the dump files are also different.

What I've done now is definitely not the right way, but I haven't found any other solution. I only changed the name of the key file from the gym card, replacing the gym card's UID with the UID of the Mifare Classic 1k Magic gen2.

Now I started the command again:
C:\Users\khageney\working\ProxSpace\pm3\hf-mf-C25CFAEB-dump.bin
Now the UID has also changed and the dump files match!
7 NEW Mifare Classic 1K Gen 2 EE 96 D8 ED_CORRECT

BUT my big problem is that I can only do this process once. Now I can no longer describe the Mifare Classic 1k Magic gen2 in my way.
How is it possible for me to write the chip again?
Or could you show me another (correct) way to clone Mifare Classic to Mifare Classic 1k Magic gen2 over and over again?

Here is also a OneDrive link with the dump and key files:

Dump and Key Files

I hope you understand what I mean…

Thank you very very much

Klaas


Hello everyone,

Does anyone here have an answer for my approach?
I suspect that I’ve done it wrong here and I can no longer describe the xM1 gen2 Mifare Classic…

Is there a way to undo what I did?

Thank you for your help…

Did you ever try MCT ?

Hi Pilgrimsmaster!

I don't have an Android phone but I did it with MWT (same program for Windows). I ordered a brand new Mifare Classic 1k magic 2nd gen fob and managed to describe it with my gym card (same with my xM1 gen2 Mifare Classic implant).

But now comes the most important question for me:

If I have described a Mifare Classic 1k magic 2nd gen, can I NOT rewrite it or change the UID etc.? Am I correct that I can only describe this ONCE?
For example, I want to clone my hotel card for a week and after my stay I want to clone back my gym card…

If that is not the case, could you please explain to me how I can re-describe an already described Mifare Classic 1k magic 2nd gen or reset it to the factory settings?

Thanks!!!

I am not going to be near a PM3 for a number of hours to test it for you, I also haven’t fully read through your outputs.

NORMALLY
you would just overwrite it with your new data and it’s done.

If you are having problems doing that,
@Concorde has done some great work,

https://forum.dangerousthings.com/t/handy-dandy-tips-and-tricks/13041/17

and @autom8 has used that with an example here

Once you get yours recovered, in the future remember to use restore rather than cload for your gen2.

Hey Thanks for your fast answer…
When I write this:
hf 14a config --atqa force --bcc ignore --cl2 skip --rats skip
nothing happened…

My main issue is that my xM1 gen2 Mifare Classic looks like this after cloning my gym card:

It no longer recognizes that it is a magic Mifare gen2.

Before I cloned my gym card, my implant looked like this:
(Just an example because I do not have a screenshot from this)

So cloning is working, but just one time; I can't clone again.
That's my issue. I bought this implant to clone different Mifare Classic cards onto my implant from time to time.

Hope you know what I mean…

nothing is supposed to happen really… you are simply setting configuration flags telling the proxmark3 how to behave when dealing with iso14443 transponders. It might be nice though if it said something like “Configuration updated” or something… but this is normal.

Did you actually run the recovery command after this as mentioned in the threads @Pilgrimsmaster linked above? You need to tell the exact and complete story of what you did… otherwise we have to play detective, and that only makes things harder for you.

From what you posted above, I assume maybe you have simply set the configuration part, got no response, then did not proceed with the rest of the recovery commands? First do those things.

how gen2 tags work

Let me briefly explain how gen2 tags work… they work just like a normal Mifare S50 1k chip works, except you can change sector 0… but other than that, they work exactly like a legitimate Mifare S50 1k chip. That means if you change the keys or access bits for any sector (including sector 0) in such a way that the sector is locked, or even protected from reading without first authenticating, then after cloning you will need those keys to access / change / read that sector… even sector 0.

You can see in this screenshot under “Keys information” that there is a key loaded (supplied by user) which is the factory default FF FF FF FF FF FF and a set of 59 “default” keys… but chances are your gym card’s keys are not included in that list of default keys… and it’s probably not the factory default FF FF FF FF FF FF key either… so at this point you can’t change sector 0 without those keys.

Because a gen2 chip works EXACTLY like a legit Mifare S50 1k chip, there is no way for the proxmark3 to really “know” if it’s a gen2 chip or a legit Mifare chip without some way to probe or test sector 0 … and that’s only really possible if the keys are the factory default keys, or known to the proxmark3 in the default key array. Since it appears something cloned successfully to the chip, chances are sector 0 keys and access bits got changed so the proxmark3 could no longer probe it successfully, hence the missing “magic capabilities” line.

@iceman, this sounding correct so far?

Luckily you can get those keys because you should be able to run autopwn on the gym card again and get the keys from that, then assuming the clone to your chip was exact and complete, use those keys to unlock sector 0… or you may be able to autopwn your implant as well and get the keys directly.

Once you have the keys, you should be able to wipe sector 0 using those keys. Exactly how to do that I’m not sure but I know you should be able to specify them in the command line or reference a key file that autopwn generates.


Good morning guys,

I have now analyzed everything again in detail.
First I took a NEW Mifare Classic 1k Magic 2gen fob and tested the following commands on this fob:

hf 14a config --atqa force --bcc ignore --cl2 skip --rats skip
hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344440804006263646566676869 --force

and it's working:

Then I tested the whole thing on my implant:

The result: Write fail

Now I have executed a hf mf autopwn on my implant:


That worked too. I have made the dump and key file available to you at the following link:

Dump and Key Files Implant

You are my last chance. If I can no longer have the implant described, it will be worthless to me because the described gym card doesn't even work.
Then I’ll probably be forced to remove it … :pensive: :sleepy:

Guys! F**ck I solved it!!! :heart_eyes: :heart_eyes:

I took a new (empty) Mifare Classic 1k Gen2 fob and started it with:
hf mf autopwn
With the dump.json I see exactly what an original Gen2 fob should look like.
Then I read in my implant:
hf mf autopwn
I compared both dump.json and saw exactly which sector looked different.
I was also able to look at keys A and B there. Or I can see further down in the dump file which key I need for which sectors.
With the following commands I have now described it sector by sector so that my implant looks like the original fob:

hf mf wrbl -b --blk 0 -k 8627C10A7014 -d EE96D8ED4D08040003AC9384788DD91D --force

hf mf wrbl -b --blk 1 -k 8627C10A7014 -d 00000000000000000000000000000000 --force

hf mf wrbl -b --blk 3 -k 8627C10A7014 -d FFFFFFFFFFFFFF078069FFFFFFFFFFFF --force

hf mf wrbl -b --blk 16 -k 6428C34EF27A -d 00000000000000000000000000000000 --force

and so on…

It works perfectly!!!

Thanks a lot for your help!

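As an added example (not code from this thread, from Proxmark3 or from Dangerous Things), here is a small Python script that does what the memory-structure post and Klaas's sector-by-sector comparison describe: it parses a raw 1K dump into sectors, splits each sector trailer into Key A, access bytes and Key B, decodes and sanity-checks the access bits, checks the BCC in block 0, and lists the blocks that differ between two dumps. The two dumps are constructed inside the script from values quoted in the thread and are not real card data.

```python
BLOCK = 16
DUMP_1K = 16 * 4 * BLOCK          # 16 sectors x 4 blocks x 16 bytes = 1024

def parse_dump(data):
    """Return 16 sectors, each a list of its four 16-byte blocks (block 3 = trailer)."""
    if len(data) != DUMP_1K:
        raise ValueError(f"expected {DUMP_1K}-byte 1K dump, got {len(data)}")
    blocks = [data[i:i + BLOCK] for i in range(0, DUMP_1K, BLOCK)]
    return [blocks[s * 4:s * 4 + 4] for s in range(16)]

def split_trailer(blk):
    """Sector trailer layout: Key A (6) | access bits (3) | user byte (1) | Key B (6)."""
    return blk[0:6].hex().upper(), blk[6:9], blk[10:16].hex().upper()

def decode_access(acc):
    """Map block index 0..3 -> (C1, C2, C3). Byte 6 = ~C2|~C1, byte 7 = C1|~C3,
    byte 8 = C3|C2 (high|low nibble; bit i of each nibble belongs to block i).
    Inverted copies that disagree are the 'permanently inaccessible sector' case."""
    b6, b7, b8 = acc
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if (b6 >> 4, b6 & 0xF, b7 & 0xF) != (~c2 & 0xF, ~c1 & 0xF, ~c3 & 0xF):
        raise ValueError("access bits fail the inverted-nibble check")
    return {i: ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)}

def block0_bcc_ok(blk0):
    """Byte 4 of block 0 must be the XOR of the 4-byte UID in bytes 0-3."""
    return blk0[4] == blk0[0] ^ blk0[1] ^ blk0[2] ^ blk0[3]

def diff_blocks(a, b):
    """Absolute block numbers (0..63) whose 16 bytes differ between two dumps."""
    return [n for n in range(64) if a[n * BLOCK:(n + 1) * BLOCK] != b[n * BLOCK:(n + 1) * BLOCK]]

# Constructed sample data, not real card dumps: block 0 as in the thread's wrbl
# command (UID EE96D8ED, BCC 4D), factory trailers FF..FF / FF 07 80 69 / FF..FF,
# every other block zero. The "cloned" dump gives sector 1 the two keys quoted in
# the thread and the widely used 78 77 88 access bytes (data: read A|B, write B).
BLOCK0 = bytes.fromhex("EE96D8ED4D08040003AC9384788DD91D")
FACTORY_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
CLONED_TRAILER = bytes.fromhex("8627C10A7014" "787788" "69" "6428C34EF27A")

def build_dump(trailers=None):
    out = bytearray(DUMP_1K)
    out[0:BLOCK] = BLOCK0
    for s in range(16):
        out[s * 64 + 48:s * 64 + 64] = (trailers or {}).get(s, FACTORY_TRAILER)
    return bytes(out)

FACTORY, CLONED = build_dump(), build_dump({1: CLONED_TRAILER})
DIFFERING = diff_blocks(FACTORY, CLONED)   # -> [7]: only sector 1's trailer changed
```

Feed `parse_dump` the raw `.bin` dump (not the `.json`) and run `decode_access` on each trailer before writing it back with `hf mf wrbl`, so a trailer that would lock the sector is caught first.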