Possible NFC clone protection

Forewarning: I feel this is long-winded and that some info may not be important; most of it is just background. TLDR at the bottom.

So I’m currently working on helping a coworker clone his home fob so he can give one to his gf. I’ve been trying a bunch of different methods and so far no luck, and unfortunately I can only test 3 things a day since I have to wait till the next day to see if anything worked (I only have 3 magic gen1 tags), and I can’t keep his fob because it’s the only one he can open his door with. But it has been a great way to learn how to use both my Proxmark3 and Flipper Zero.

I noticed today that I had gotten a 1024 error while doing an “hf mf cload” to one of the fobs but kind of just waved it off. After getting home, I grabbed a magic gen4 card and a 4th gen1 tag I’ve been learning with and tried to recreate the error, no luck, so I did an “hf mf cview” to see what it all looked like and noticed that a couple of lines were ever so slightly different from what my Flipper had told me when I first started this. This is what I found:




Of the 2 files from my Flipper and the only file I have from my Proxmark3, these two lines are different between all of them. My current working theory is that his door rewrites this sector as a form of clone protection (I’m going to test this theory tomorrow by reading his fob again; I only just learned what “hf mf autopwn” does, and only the Proxmark3 file has any data beyond sector 2). This sector and sector 2 are also the only two sectors that don’t require a key to read. All other sectors had to be autopwned to see, and the Flipper just came back with “?” for everything.

Does anyone know if this is a method of clone protection or possibly the tag being misread multiple times? Or has anyone experienced this at all and know what’s going on?

TLDR: helping a coworker clone a fob, noticed that I have multiple files where 2 of the lines are different. Can a fob reader rewrite data as a form of clone protection?

2 Likes

Some readers WILL write 0s to a block as a test for magic cards (someone here will be able to expand on this and give a way better explanation than I).

With your Gen4, if you disable block0 writing the reader shouldn’t be able to see it.

What is your Gen4? Is it a UMC?

1 Like

Yeah, it’s a Gen 4 UMC I got off of the Flipper Etsy store. It’s only Gen 1 tags I’ve been giving him, though. I could try locking one and see if his reader is detecting that it’s magic.

So I’ve confirmed my suspicions: his reader is actually rewriting the entire fob every time he scanned it (or an extremely large amount; I cherry-picked bytes at random from today’s read and yesterday’s read and each byte was different). I’m hoping it’s just timestamps, so with one last attempt, I’ll find out tomorrow.
I also cannot lock Gen 1 tags (this was probably known to everyone else already).

1 Like
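
Added example, not part of any post in this thread: a block-by-block comparison of two dumps of the same card, which separates "a couple of lines differ" from "the reader rewrote most of the fob" without cherry-picking bytes by hand. It assumes a MIFARE Classic 1K layout (the thread does not state the card size), and the sample dumps and UID are constructed.

```python
# Added example: diff two MIFARE Classic dumps block by block.
# Assumes the 1K layout (64 blocks of 16 bytes, 4 blocks per sector).
BLOCK = 16
BLOCKS_PER_SECTOR = 4

def block_role(idx):
    """Classify a block: manufacturer block, sector trailer (keys/access bits), or data."""
    if idx == 0:
        return "manufacturer"
    if idx % BLOCKS_PER_SECTOR == BLOCKS_PER_SECTOR - 1:
        return "trailer"
    return "data"

def diff_dumps(old, new):
    """Return (sector, block, role, changed_offsets) for every block that differs."""
    if len(old) != len(new) or len(old) % BLOCK:
        raise ValueError("dumps must be the same length and a multiple of 16 bytes")
    changes = []
    for idx in range(len(old) // BLOCK):
        a = old[idx * BLOCK:(idx + 1) * BLOCK]
        b = new[idx * BLOCK:(idx + 1) * BLOCK]
        if a != b:
            offsets = [i for i in range(BLOCK) if a[i] != b[i]]
            changes.append((idx // BLOCKS_PER_SECTOR, idx, block_role(idx), offsets))
    return changes

def summarize(changes, total_blocks):
    """Condense the diff: how much changed, and whether only data blocks were touched."""
    return {
        "changed_blocks": len(changes),
        "sectors_touched": sorted({c[0] for c in changes}),
        "fraction_changed": len(changes) / total_blocks,
        "only_data_blocks": all(c[2] == "data" for c in changes),
    }

def sample_dumps():
    """Two constructed 1K images: same card, two data blocks rewritten between reads."""
    old = bytearray(1024)
    old[0:4] = bytes.fromhex("DEADBEEF")  # constructed UID, not from the thread
    old[64] = 0x10                        # block 4, byte 0
    old[80:82] = b"\x01\x02"              # block 5, bytes 0-1
    new = bytearray(old)
    new[64] = 0x11
    new[80:82] = b"\x03\x04"
    return bytes(old), bytes(new)

if __name__ == "__main__":
    old, new = sample_dumps()
    changes = diff_dumps(old, new)
    for sector, block, role, offsets in changes:
        print(f"sector {sector:2d} block {block:2d} ({role}): bytes {offsets}")
    print(summarize(changes, len(old) // BLOCK))
```

For real reads, pass the raw bytes of two binary dumps of the same card to `diff_dumps`; a small, stable set of changed data blocks points at reader-written state, while differences spread across every block point at bad reads or a full rewrite.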